Similarity Report

Overview

General Information

Joe Sandbox Version:	23.0.0
Analysis ID:	648369
Start date:	29.08.2018
Start time:	09:58:45
Joe Sandbox Product:	Cloud
Overall analysis duration:	0h 11m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	DOC000YUT600.scr (renamed file extension from scr to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 7 (Office 2010 SP2, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	HCA enabled EGA enabled HDC enabled
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.rans.troj.spyw.evad.winEXE@10/5@0/1
EGA Information:	Successful, ratio: 33.3%
HDC Information:	Successful, ratio: 99.9% (good quality ratio 90.9%) Quality average: 76.9% Quality standard deviation: 31.3%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe Execution Graph export aborted for target DOC000YUT600.exe, PID 3420 because it is empty Execution Graph export aborted for target Regdriver.exe, PID 3484 because it is empty Execution Graph export aborted for target regdrv.exe, PID 3452 because it is empty Execution Graph export aborted for target regdrv.exe, PID 3532 because it is empty Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Static File Info

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.7932256230048225
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	DOC000YUT60.exe
File size:	1816064
MD5:	cd1974c09f7171e19634de0e00d7efb7
SHA1:	41f02346c16fb2585edb2585ef67766e42e69528
SHA256:	ccf07ed87ce33179ba77b74372818958a04236860738ce96993976493488e7b4
SHA512:	485c46e035ca077065645dba67d1f40e0787ed04175a6a11e5fbe9e5d1289b98376f3b845b97871dd0cb6629061a3a12ed537fb11fe1db7001849288faa5e717
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

Similarity Information

Algorithm:	APISTRING
Total Signature IDs in Database:	4108360
Total Processes Database:	48855
Total similar Processes:	20168
Total similar Functions:	207915

Similar Processes

DOC000YUT600.exe (MD5: CD1974C09F7171E19634DE0E00D7EFB7, PID: 3420)

DOC000YUT090.exe (PID: 3340, MD5: 68DD38B9F0BBC16EF985BEA78DBFDE51 AnalysisID: 45352 Similar Functions: 8)
Po_No_6111875-22.exe (PID: 3652, MD5: 5FF9678FCE561E1942FD09B7FDFA23A1 AnalysisID: 46407 Similar Functions: 8)
71exact replicas of the pictures.scr (PID: 3848, MD5: 2CA36B311F65211EDD9440E953C7824D AnalysisID: 355875 Similar Functions: 6)
VTfIxABUKQX.exe (PID: 3360, MD5: E8806738A575A6639E7C9AAC882374AE AnalysisID: 37961 Similar Functions: 6)
window-on-top.tmp (PID: 3460, MD5: 90FC739C83CD19766ACB562C66A7D0E2 AnalysisID: 70878 Similar Functions: 6)
AnalyticsEdgeBasicInstaller.tmp (PID: 3472, MD5: 832DAB307E54AA08F4B6CDD9B9720361 AnalysisID: 66606 Similar Functions: 6)
pdf-to-xml.tmp (PID: 3468, MD5: 2C10DB017057DCE22651243244E4FEE6 AnalysisID: 67877 Similar Functions: 6)
VeriCoin_1.7.1_64bit.tmp (PID: 3452, MD5: 832DAB307E54AA08F4B6CDD9B9720361 AnalysisID: 73141 Similar Functions: 6)
sevnz.exe (PID: 3472, MD5: E8806738A575A6639E7C9AAC882374AE AnalysisID: 37961 Similar Functions: 6)
drivermax_9_14_cnet.tmp (PID: 2648, MD5: AB126F7F9FF2E7902FF2BBDC1A6D3158 AnalysisID: 29247 Similar Functions: 6)
hbBX0y0z51.tmp (PID: 3440, MD5: 1305181DE520F125AEABF85DC24A89D6 AnalysisID: 59014 Similar Functions: 6)
Processo_MPF_0008837353_2014_9_07_90182798772.exe (PID: 3320, MD5: E1C1EA4A105FBE869EC64AA457C252EB AnalysisID: 31598 Similar Functions: 5)
GoogleChromeSetup.MAL.exe (PID: 3456, MD5: 863253EC95D89B918DAAF1FBE154F173 AnalysisID: 60523 Similar Functions: 5)
GoogleChromeSetup.MAL.exe (PID: 3640, MD5: 863253EC95D89B918DAAF1FBE154F173 AnalysisID: 60523 Similar Functions: 5)
pQwinup.exe (PID: 1660, MD5: B56AA07E5FE953431CA8DE5326D6953D AnalysisID: 32007 Similar Functions: 5)
data.exe (PID: 3664, MD5: B56AA07E5FE953431CA8DE5326D6953D AnalysisID: 32007 Similar Functions: 5)
maildetective2.tmp (PID: 3292, MD5: E9F663D8D3671AE8761945502120E385 AnalysisID: 43154 Similar Functions: 5)
New Purchase Order No.0567.exe (PID: 3452, MD5: 76E104EBA0BB25DA3B345C6F351BAF42 AnalysisID: 64048 Similar Functions: 5)
PDFCreator-1_7_0_setup.tmp (PID: 3568, MD5: A2C4D52C66B4B399FACADB8CC8386745 AnalysisID: 46275 Similar Functions: 5)
Open OfficeSetup.Exe (PID: 3468, MD5: 03EC92CFA1B6B076ACB82E4E8D49D90C AnalysisID: 53419 Similar Functions: 5)
SteamHelper.tmp (PID: 3484, MD5: CD1F291594F75DE800B26457C76B04B0 AnalysisID: 49640 Similar Functions: 5)
FPaukxOmd8.tmp (PID: 3332, MD5: 9303156631EE2436DB23827E27337BE4 AnalysisID: 41220 Similar Functions: 5)
RFQ-857369 {Draft copy}.exe (PID: 3564, MD5: 028D4FD059E8A0F2F9E8C1635D036E2A AnalysisID: 71697 Similar Functions: 5)
WRMNLzRmzr.tmp (PID: 3404, MD5: 832DAB307E54AA08F4B6CDD9B9720361 AnalysisID: 51259 Similar Functions: 5)
darkcomet.exe (PID: 3252, MD5: 5A790B57A083A6B0FDDC5BACBBBD95DE AnalysisID: 41363 Similar Functions: 5)
SCAN00GOG0900.exe (PID: 3476, MD5: F51025B7377A6E1195B92C43C02AE280 AnalysisID: 48661 Similar Functions: 5)
pQwinup.exe (PID: 3776, MD5: B56AA07E5FE953431CA8DE5326D6953D AnalysisID: 32007 Similar Functions: 5)
K9tdOxcj76.exe (PID: 3084, MD5: 624023448A39E6EADB9F7722FAE2DCD3 AnalysisID: 38384 Similar Functions: 5)
CSmGZuzOw3.tmp (PID: 3664, MD5: D8CA4D5DF2DC54CA72DD9DBDE47BC3BB AnalysisID: 516917 Similar Functions: 5)
darkcomet-irixo.exe.exe (PID: 3880, MD5: 4716314D197F0B5485AEA5142842E06C AnalysisID: 58114 Similar Functions: 5)

regdrv.exe (MD5: CD1974C09F7171E19634DE0E00D7EFB7, PID: 3452)

window-on-top.tmp (PID: 3460, MD5: 90FC739C83CD19766ACB562C66A7D0E2 AnalysisID: 70878 Similar Functions: 6)
Hsksdycn.exe (PID: 3092, MD5: EEC006D47C4E68C91A6943F86A58ABBA AnalysisID: 37311 Similar Functions: 4)
58DHL Shipment Doc# 070881019.exe (PID: 3180, MD5: 84F29ADF5A558248B2F8CDD64ACA919C AnalysisID: 38736 Similar Functions: 4)
47PAYMENT.exe (PID: 3108, MD5: 3CF908E5EE436FDF3D2B780400866C7D AnalysisID: 38767 Similar Functions: 4)
37statement of account.exe (PID: 3092, MD5: 151AB14A9FAE18D9DF3E040F213BFA1C AnalysisID: 37467 Similar Functions: 4)
74ASVfdWjgISVfdWjgI.exe (PID: 3112, MD5: DB3C2D77BD50E0CD6B441BCC9DDF0712 AnalysisID: 37665 Similar Functions: 4)
31SIMREG INCENTIVE BREAKDOWN.xlsx.exe (PID: 3252, MD5: 5D34E72A2C6BF15D7003F2942D1F8B63 AnalysisID: 40080 Similar Functions: 4)
Agreement_pdf.exe (PID: 3288, MD5: 77D378763AC0444A9F767F446772A479 AnalysisID: 363512 Similar Functions: 4)
17Invoice.exe (PID: 3096, MD5: 0D8926429A27363F3994D09184572666 AnalysisID: 37668 Similar Functions: 4)
data.exe (PID: 3284, MD5: 1D8830D54E8E8F210792188C07C5E83A AnalysisID: 46942 Similar Functions: 4)
VTfIxABUKQX.exe (PID: 3360, MD5: E8806738A575A6639E7C9AAC882374AE AnalysisID: 37961 Similar Functions: 4)
69NEW DAWN STAFF DRESS.xlsx.exe (PID: 3248, MD5: EAD2C482D0C82A21372F969C61302C31 AnalysisID: 39704 Similar Functions: 4)
dYdRqZwo.exe (PID: 3508, MD5: 5D34E72A2C6BF15D7003F2942D1F8B63 AnalysisID: 40080 Similar Functions: 4)
71Payment.jpg............exe (PID: 3092, MD5: 0742CE86C683E9483BDF448B38BF2664 AnalysisID: 38833 Similar Functions: 4)
OHyCCfZu.exe (PID: 3436, MD5: 1D8830D54E8E8F210792188C07C5E83A AnalysisID: 46942 Similar Functions: 4)
FuVDbcfS.exe (PID: 3380, MD5: D92C4AE32F8DE6EBC6FC4E855E7B66AA AnalysisID: 39246 Similar Functions: 4)
XbNQXwEL.exe (PID: 3372, MD5: 1C319E894D3BF7D381D3EAC736FD5502 AnalysisID: 39695 Similar Functions: 4)
nVndEfAi.exe (PID: 3600, MD5: DDF37EB620C66DE4AF7017BB5DB95893 AnalysisID: 40506 Similar Functions: 4)
58REMITTANCE COPY_BALANCE PAYMENT.exe (PID: 3264, MD5: 4030BA83FBC48E2F007FAE34829897E9 AnalysisID: 40041 Similar Functions: 4)
xPtlWgvn.exe (PID: 3728, MD5: AAD08C4F7D96A5986BA7941AC8336FD3 AnalysisID: 39827 Similar Functions: 4)
36PAYMENT.exe (PID: 3196, MD5: 367A5392D23C0C007DD8E71DBB8B1EE7 AnalysisID: 38663 Similar Functions: 4)
vUCGyPcV.exe (PID: 3608, MD5: C0EAF6EBE3AF1A42B8C9911F92714FE4 AnalysisID: 39127 Similar Functions: 4)
pQwinup.exe (PID: 1660, MD5: B56AA07E5FE953431CA8DE5326D6953D AnalysisID: 32007 Similar Functions: 4)
EwKNSDWB.exe (PID: 3240, MD5: AADEF13F05E9E17B79EC50FB9665593B AnalysisID: 36631 Similar Functions: 4)
69IMG00002.exe (PID: 3276, MD5: BFB80626BE700A621CABDFF267B6ED2E AnalysisID: 41839 Similar Functions: 4)
38Payment.exe (PID: 3272, MD5: ABDD63CC62905D29A7D3D42AD83688CF AnalysisID: 38217 Similar Functions: 4)
13MTN TP November airtime performance Bonus.pdf.exe (PID: 3384, MD5: C0EAF6EBE3AF1A42B8C9911F92714FE4 AnalysisID: 39127 Similar Functions: 4)
data.exe (PID: 3664, MD5: B56AA07E5FE953431CA8DE5326D6953D AnalysisID: 32007 Similar Functions: 4)
RAZBvEJG.exe (PID: 3524, MD5: 38F778B7F5D646D294E9ACC754648AAA AnalysisID: 36867 Similar Functions: 4)
fggCPClP.exe (PID: 3472, MD5: 4DE78F999AE56C63667C37E912DA7310 AnalysisID: 39823 Similar Functions: 4)

regdrv.exe (MD5: CD1974C09F7171E19634DE0E00D7EFB7, PID: 3468)

SCAN00GOG0900.exe (PID: 3476, MD5: F51025B7377A6E1195B92C43C02AE280 AnalysisID: 48661 Similar Functions: 232)
darkcomet-irixo.exe.exe (PID: 3880, MD5: 4716314D197F0B5485AEA5142842E06C AnalysisID: 58114 Similar Functions: 232)
IMG-FILE-093298393840933-09208438039039-023outputA4DB4EF.exe (PID: 3476, MD5: 88E0BC064945FA01C3B2745AC3633836 AnalysisID: 69994 Similar Functions: 229)
test.exe.exe (PID: 3260, MD5: 0D5A48D9FDC26E038BAF3D507CAF4DD5 AnalysisID: 40573 Similar Functions: 228)
neh.exe (PID: 3428, MD5: 264D0D08069B26210AD2261C1E37CCF2 AnalysisID: 40545 Similar Functions: 228)
New Purchase Order No.0567.exe (PID: 3452, MD5: 76E104EBA0BB25DA3B345C6F351BAF42 AnalysisID: 64048 Similar Functions: 226)
darkcomet.exe (PID: 3252, MD5: 5A790B57A083A6B0FDDC5BACBBBD95DE AnalysisID: 41363 Similar Functions: 226)
darkcomet-irixo-final.exe (PID: 3432, MD5: 34960F869AA933675A70C0C7C17ADDFE AnalysisID: 58113 Similar Functions: 224)
hmGCd1FvDh.exe (PID: 3072, MD5: 87265F45CFC51559590AF14E011970C2 AnalysisID: 39043 Similar Functions: 199)
3Y8FRVDR9S.exe (PID: 3176, MD5: 7A4414974509912787972A84BF88FD4F AnalysisID: 39044 Similar Functions: 199)
k0uVX1KM6P.exe (PID: 3272, MD5: 77093B72A28802C0D03D46469FCBE972 AnalysisID: 39047 Similar Functions: 199)
G8Yxrw4J7t.exe (PID: 3344, MD5: 1F09E66A3F0B82E5A8BA7BB412D30975 AnalysisID: 39275 Similar Functions: 199)
window-on-top.tmp (PID: 3460, MD5: 90FC739C83CD19766ACB562C66A7D0E2 AnalysisID: 70878 Similar Functions: 182)
msdcsc.exe (PID: 3700, MD5: 264D0D08069B26210AD2261C1E37CCF2 AnalysisID: 40545 Similar Functions: 179)
msdcsc.exe (PID: 3316, MD5: 0D5A48D9FDC26E038BAF3D507CAF4DD5 AnalysisID: 40573 Similar Functions: 164)
svchost.exe (PID: 2892, MD5: 54A47F6B5E09A77E61649109C6A08866 AnalysisID: 24621 Similar Functions: 164)
Microupdate.exe (PID: 3400, MD5: 8C5984AB2114A0C70FB9209E89B2F9FC AnalysisID: 64772 Similar Functions: 145)
filename.exe (PID: 2488, MD5: 71790AE818639A05CAE4A4C3118682CD AnalysisID: 313125 Similar Functions: 128)
Filezilla.exe (PID: 2400, MD5: 1B9793452B165AC33B7E01430F3079E0 AnalysisID: 401368 Similar Functions: 124)
Filezilla.exe (PID: 2976, MD5: 1B9793452B165AC33B7E01430F3079E0 AnalysisID: 401368 Similar Functions: 124)
ABsound.exe (PID: 3712, MD5: F51025B7377A6E1195B92C43C02AE280 AnalysisID: 48661 Similar Functions: 118)
71Docscan0039.exe (PID: 2068, MD5: F6255387376BF9BEF2E38AA57BEA40CE AnalysisID: 387104 Similar Functions: 117)
92jfaENDBG.tmp (PID: 3232, MD5: B0DC55919303896D21E61FB59FE2B92F AnalysisID: 46535 Similar Functions: 117)
Filezilla.exe (PID: 236, MD5: 1B9793452B165AC33B7E01430F3079E0 AnalysisID: 401368 Similar Functions: 114)
Filezilla.exe (PID: 3516, MD5: FCE1F1C1BCFD0A5A0C5138D93F919A21 AnalysisID: 39749 Similar Functions: 113)
filename.exe (PID: 3224, MD5: 2691D4452E303259FE5D1444FE7036BB AnalysisID: 36765 Similar Functions: 112)
1transfer slip.exe (PID: 3148, MD5: E919BD0AECE34CD73FBF198F87531C53 AnalysisID: 42767 Similar Functions: 112)
filename.exe (PID: 3236, MD5: A70C54007E0A0936339D0641198A6FF5 AnalysisID: 36662 Similar Functions: 112)
17WIRE TRANSFER SLIP.exe (PID: 3920, MD5: 3BB691A8B6840769716C7FE316E7C01C AnalysisID: 331351 Similar Functions: 111)
17WIRE TRANSFER SLIP.exe (PID: 2820, MD5: 3BB691A8B6840769716C7FE316E7C01C AnalysisID: 331351 Similar Functions: 110)

Regdriver.exe (MD5: CD1974C09F7171E19634DE0E00D7EFB7, PID: 3484)

66DHL SHIPMENT INFO.exe (PID: 2524, MD5: C125E5E8896E9043E08493B49C31C0D9 AnalysisID: 389120 Similar Functions: 9)
DOC000YUT090.exe (PID: 3340, MD5: 68DD38B9F0BBC16EF985BEA78DBFDE51 AnalysisID: 45352 Similar Functions: 7)
Po_No_6111875-22.exe (PID: 3652, MD5: 5FF9678FCE561E1942FD09B7FDFA23A1 AnalysisID: 46407 Similar Functions: 7)
VTfIxABUKQX.exe (PID: 3360, MD5: E8806738A575A6639E7C9AAC882374AE AnalysisID: 37961 Similar Functions: 6)
window-on-top.tmp (PID: 3460, MD5: 90FC739C83CD19766ACB562C66A7D0E2 AnalysisID: 70878 Similar Functions: 6)
sevnz.exe (PID: 3472, MD5: E8806738A575A6639E7C9AAC882374AE AnalysisID: 37961 Similar Functions: 6)
Processo_MPF_0008837353_2014_9_07_90182798772.exe (PID: 3320, MD5: E1C1EA4A105FBE869EC64AA457C252EB AnalysisID: 31598 Similar Functions: 5)
71exact replicas of the pictures.scr (PID: 3848, MD5: 2CA36B311F65211EDD9440E953C7824D AnalysisID: 355875 Similar Functions: 5)
pQwinup.exe (PID: 1660, MD5: B56AA07E5FE953431CA8DE5326D6953D AnalysisID: 32007 Similar Functions: 5)
data.exe (PID: 3664, MD5: B56AA07E5FE953431CA8DE5326D6953D AnalysisID: 32007 Similar Functions: 5)
New Purchase Order No.0567.exe (PID: 3452, MD5: 76E104EBA0BB25DA3B345C6F351BAF42 AnalysisID: 64048 Similar Functions: 5)
RFQ-857369 {Draft copy}.exe (PID: 3564, MD5: 028D4FD059E8A0F2F9E8C1635D036E2A AnalysisID: 71697 Similar Functions: 5)
darkcomet.exe (PID: 3252, MD5: 5A790B57A083A6B0FDDC5BACBBBD95DE AnalysisID: 41363 Similar Functions: 5)
SCAN00GOG0900.exe (PID: 3476, MD5: F51025B7377A6E1195B92C43C02AE280 AnalysisID: 48661 Similar Functions: 5)
pQwinup.exe (PID: 3776, MD5: B56AA07E5FE953431CA8DE5326D6953D AnalysisID: 32007 Similar Functions: 5)
drivermax_9_14_cnet.tmp (PID: 2648, MD5: AB126F7F9FF2E7902FF2BBDC1A6D3158 AnalysisID: 29247 Similar Functions: 5)
K9tdOxcj76.exe (PID: 3084, MD5: 624023448A39E6EADB9F7722FAE2DCD3 AnalysisID: 38384 Similar Functions: 5)
darkcomet-irixo.exe.exe (PID: 3880, MD5: 4716314D197F0B5485AEA5142842E06C AnalysisID: 58114 Similar Functions: 5)
yBLTd2qfZO.exe (PID: 3440, MD5: 03BB99E62C4CD6C4432DCA32DE043957 AnalysisID: 54872 Similar Functions: 4)
Hsksdycn.exe (PID: 3092, MD5: EEC006D47C4E68C91A6943F86A58ABBA AnalysisID: 37311 Similar Functions: 4)
Paint.exe (PID: 3360, MD5: EC2ECFF8B5F270506F95A5153AEEC6F8 AnalysisID: 46203 Similar Functions: 4)
58DHL Shipment Doc# 070881019.exe (PID: 3180, MD5: 84F29ADF5A558248B2F8CDD64ACA919C AnalysisID: 38736 Similar Functions: 4)
47PAYMENT.exe (PID: 3108, MD5: 3CF908E5EE436FDF3D2B780400866C7D AnalysisID: 38767 Similar Functions: 4)
Paint.exe (PID: 3768, MD5: D02D11222196B056FAC8A02EEB6BFAFF AnalysisID: 48244 Similar Functions: 4)
46INSTRUCTIONS TO BIDDERS AND ACKNOWLEDGEMENT.PDF.exe (PID: 3040, MD5: 0DB348AF300B367E15F896ADB41BDF6F AnalysisID: 349956 Similar Functions: 4)
rnicrosoft.exe (PID: 3360, MD5: 03650E61AE4CD9D316DC59A0EB1E1BBA AnalysisID: 37144 Similar Functions: 4)
37statement of account.exe (PID: 3092, MD5: 151AB14A9FAE18D9DF3E040F213BFA1C AnalysisID: 37467 Similar Functions: 4)
49Bank copy 17-11-2017.exe (PID: 3284, MD5: 0E14513130F478BACF44E074A526AE21 AnalysisID: 37438 Similar Functions: 4)
taskhost.exe (PID: 3832, MD5: 5C4A18D1A9A77B3A2A334D673713DCDF AnalysisID: 293437 Similar Functions: 4)
74ASVfdWjgISVfdWjgI.exe (PID: 3112, MD5: DB3C2D77BD50E0CD6B441BCC9DDF0712 AnalysisID: 37665 Similar Functions: 4)

regdrv.exe (MD5: CD1974C09F7171E19634DE0E00D7EFB7, PID: 3532)

window-on-top.tmp (PID: 3460, MD5: 90FC739C83CD19766ACB562C66A7D0E2 AnalysisID: 70878 Similar Functions: 6)
Hsksdycn.exe (PID: 3092, MD5: EEC006D47C4E68C91A6943F86A58ABBA AnalysisID: 37311 Similar Functions: 4)
58DHL Shipment Doc# 070881019.exe (PID: 3180, MD5: 84F29ADF5A558248B2F8CDD64ACA919C AnalysisID: 38736 Similar Functions: 4)
47PAYMENT.exe (PID: 3108, MD5: 3CF908E5EE436FDF3D2B780400866C7D AnalysisID: 38767 Similar Functions: 4)
37statement of account.exe (PID: 3092, MD5: 151AB14A9FAE18D9DF3E040F213BFA1C AnalysisID: 37467 Similar Functions: 4)
74ASVfdWjgISVfdWjgI.exe (PID: 3112, MD5: DB3C2D77BD50E0CD6B441BCC9DDF0712 AnalysisID: 37665 Similar Functions: 4)
31SIMREG INCENTIVE BREAKDOWN.xlsx.exe (PID: 3252, MD5: 5D34E72A2C6BF15D7003F2942D1F8B63 AnalysisID: 40080 Similar Functions: 4)
Agreement_pdf.exe (PID: 3288, MD5: 77D378763AC0444A9F767F446772A479 AnalysisID: 363512 Similar Functions: 4)
17Invoice.exe (PID: 3096, MD5: 0D8926429A27363F3994D09184572666 AnalysisID: 37668 Similar Functions: 4)
data.exe (PID: 3284, MD5: 1D8830D54E8E8F210792188C07C5E83A AnalysisID: 46942 Similar Functions: 4)
VTfIxABUKQX.exe (PID: 3360, MD5: E8806738A575A6639E7C9AAC882374AE AnalysisID: 37961 Similar Functions: 4)
69NEW DAWN STAFF DRESS.xlsx.exe (PID: 3248, MD5: EAD2C482D0C82A21372F969C61302C31 AnalysisID: 39704 Similar Functions: 4)
dYdRqZwo.exe (PID: 3508, MD5: 5D34E72A2C6BF15D7003F2942D1F8B63 AnalysisID: 40080 Similar Functions: 4)
71Payment.jpg............exe (PID: 3092, MD5: 0742CE86C683E9483BDF448B38BF2664 AnalysisID: 38833 Similar Functions: 4)
OHyCCfZu.exe (PID: 3436, MD5: 1D8830D54E8E8F210792188C07C5E83A AnalysisID: 46942 Similar Functions: 4)
FuVDbcfS.exe (PID: 3380, MD5: D92C4AE32F8DE6EBC6FC4E855E7B66AA AnalysisID: 39246 Similar Functions: 4)
XbNQXwEL.exe (PID: 3372, MD5: 1C319E894D3BF7D381D3EAC736FD5502 AnalysisID: 39695 Similar Functions: 4)
nVndEfAi.exe (PID: 3600, MD5: DDF37EB620C66DE4AF7017BB5DB95893 AnalysisID: 40506 Similar Functions: 4)
58REMITTANCE COPY_BALANCE PAYMENT.exe (PID: 3264, MD5: 4030BA83FBC48E2F007FAE34829897E9 AnalysisID: 40041 Similar Functions: 4)
xPtlWgvn.exe (PID: 3728, MD5: AAD08C4F7D96A5986BA7941AC8336FD3 AnalysisID: 39827 Similar Functions: 4)
36PAYMENT.exe (PID: 3196, MD5: 367A5392D23C0C007DD8E71DBB8B1EE7 AnalysisID: 38663 Similar Functions: 4)
vUCGyPcV.exe (PID: 3608, MD5: C0EAF6EBE3AF1A42B8C9911F92714FE4 AnalysisID: 39127 Similar Functions: 4)
pQwinup.exe (PID: 1660, MD5: B56AA07E5FE953431CA8DE5326D6953D AnalysisID: 32007 Similar Functions: 4)
EwKNSDWB.exe (PID: 3240, MD5: AADEF13F05E9E17B79EC50FB9665593B AnalysisID: 36631 Similar Functions: 4)
69IMG00002.exe (PID: 3276, MD5: BFB80626BE700A621CABDFF267B6ED2E AnalysisID: 41839 Similar Functions: 4)
38Payment.exe (PID: 3272, MD5: ABDD63CC62905D29A7D3D42AD83688CF AnalysisID: 38217 Similar Functions: 4)
13MTN TP November airtime performance Bonus.pdf.exe (PID: 3384, MD5: C0EAF6EBE3AF1A42B8C9911F92714FE4 AnalysisID: 39127 Similar Functions: 4)
data.exe (PID: 3664, MD5: B56AA07E5FE953431CA8DE5326D6953D AnalysisID: 32007 Similar Functions: 4)
RAZBvEJG.exe (PID: 3524, MD5: 38F778B7F5D646D294E9ACC754648AAA AnalysisID: 36867 Similar Functions: 4)
fggCPClP.exe (PID: 3472, MD5: 4DE78F999AE56C63667C37E912DA7310 AnalysisID: 39823 Similar Functions: 4)

Similar Functions

Function_0004E254 API ID: GetCurrentProcessIdGetPropGetWindowThreadProcessIdGlobalFindAtom, String ID: , Total Matches: 5751
Function_0004D2F4 API ID: GetCurrentProcessIdGetPropGetWindowThreadProcessIdGlobalFindAtom, String ID: , Total Matches: 5751
Function_0001C2D4 API ID: FindResourceLoadResourceLockResourceSizeofResource, String ID: , Total Matches: 4966
Function_0000EBCC API ID: GetThreadLocale, String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy, Total Matches: 3634
Function_0000D670 API ID: GetThreadLocale, String ID: eeee$ggg$yyyy, Total Matches: 3566
Function_00026564 API ID: GetDeviceCapsGetSystemMetrics$GetDCReleaseDC, String ID: , Total Matches: 3298
Function_000258EC API ID: SetBkColorSetBkMode$SelectObjectUnrealizeObject, String ID: , Total Matches: 3205
Function_0004155C API ID: DeleteMenu$EnableMenuItem$GetSystemMenu, String ID: , Total Matches: 3192
Function_0000FECC API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear, String ID: , Total Matches: 3189
Function_0000FECC API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear, String ID: , Total Matches: 3189
Function_00011444 API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear, String ID: , Total Matches: 3189
Function_0000FECC API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear, String ID: , Total Matches: 3189
Function_0000FECC API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear, String ID: , Total Matches: 3189
Function_0001016C API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy, String ID: , Total Matches: 3182
Function_0001016C API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy, String ID: , Total Matches: 3182
Function_000117E8 API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy, String ID: , Total Matches: 3182
Function_0001016C API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy, String ID: , Total Matches: 3182
Function_0001016C API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy, String ID: , Total Matches: 3182
Function_000442A8 API ID: SendMessage$GetCurrentThreadIdGetCursorPosGetWindowThreadProcessIdSetCursorWindowFromPoint, String ID: , Total Matches: 3149
Function_000104F0 API ID: GetModuleHandle, String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$[FILE], Total Matches: 3143
Function_0000F4AC API ID: GetModuleHandleGetProcAddress, String ID: GetDiskFreeSpaceExA$[FILE], Total Matches: 3137
Function_0002E258 API ID: GetSystemMetrics, String ID: GetSystemMetrics, Total Matches: 3131
Function_000269DC API ID: SelectPalette$CreateCompatibleDCDeleteDCGetDIBitsRealizePalette, String ID: , Total Matches: 3081
Function_00026060 API ID: GetSystemPaletteEntries$GetDCGetDeviceCapsReleaseDC, String ID: , Total Matches: 3072
Function_000052FC API ID: GetStdHandleWriteFile$MessageBox, String ID: Error$Runtime error at 00000000, Total Matches: 3072
Function_00026178 API ID: GetPaletteEntries$GetDCGetDeviceCapsReleaseDC, String ID: , Total Matches: 3070
Function_00026210 API ID: SelectObject$CreateCompatibleDCCreatePaletteDeleteDCGetDIBColorTable, String ID: , Total Matches: 3064
Function_000291D0 API ID: SelectObject$CreateCompatibleDCDeleteDCRealizePaletteSelectPaletteSetBkColor$BitBltCreateBitmapDeleteObjectGetDCGetObjectPatBltReleaseDC, String ID: , Total Matches: 3060
Function_00028A00 API ID: SelectObject$CreateCompatibleDCDeleteDCGetDCReleaseDCSetDIBColorTable, String ID: , Total Matches: 3056
Function_00051458 API ID: PatBlt$SelectObject$GetDCExGetDesktopWindowReleaseDC, String ID: , Total Matches: 3040
Function_00038710 API ID: GetMenuItemIDGetMenuStateGetMenuStringGetSubMenu, String ID: , Total Matches: 3034
Function_0000C028 API ID: GetDateFormatGetThreadLocale, String ID: yyyy, Total Matches: 3032
Function_00056278 API ID: GetWindowLong$IntersectClipRectRestoreDCSaveDC, String ID: , Total Matches: 3025
Function_00058910 API ID: GetWindowLongScreenToClient$GetWindowPlacementGetWindowRectIsIconic, String ID: ,, Total Matches: 3020
Function_00043430 API ID: SetWindowLong$GetWindowLongRedrawWindowSetLayeredWindowAttributes, String ID: , Total Matches: 3003
Function_0002E71C API ID: IntersectRect$GetSystemMetrics$EnumDisplayMonitorsGetClipBoxGetDCOrgExOffsetRect, String ID: EnumDisplayMonitors, Total Matches: 2989
Function_00044B1C API ID: CreateEventCreateThreadGetCurrentThreadIdSetWindowsHookEx, String ID: , Total Matches: 2966
Function_000296E0 API ID: GetDeviceCapsSelectObjectSelectPaletteSetStretchBltMode$CreateCompatibleDCDeleteDCGetBrushOrgExRealizePaletteSetBrushOrgExStretchBlt, String ID: , Total Matches: 2962
Function_00044B90 API ID: CloseHandleGetCurrentThreadIdSetEventUnhookWindowsHookExWaitForSingleObject, String ID: , Total Matches: 2957
Function_00006A68 API ID: lstrcpyn$lstrlen$FindCloseFindFirstFileGetModuleHandleGetProcAddress, String ID: GetLongPathNameA$\$[FILE], Total Matches: 2934
Function_00028848 API ID: CreateCompatibleDCRealizePaletteSelectObjectSelectPalette, String ID: , Total Matches: 2913
Function_00006C2C API ID: lstrcpyn$LoadLibraryExRegOpenKeyEx$RegQueryValueEx$GetLocaleInfoGetModuleFileNameGetThreadLocaleRegCloseKeylstrlen, String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales, Total Matches: 2899
Function_0003EC18 API ID: FillRect$BeginPaintEndPaintGetClientRectGetWindowRect, String ID: , Total Matches: 2896
Function_00044344 API ID: CreateFontIndirect$GetStockObjectSystemParametersInfo, String ID: , Total Matches: 2886
Function_00021140 API ID: GetClassInfoRegisterClassSetWindowLongUnregisterClass, String ID: , Total Matches: 2877
Function_00066888 API ID: GetClassInfoRegisterClassSetWindowLongUnregisterClass, String ID: , Total Matches: 2877
Function_00034AE4 API ID: DrawTextOffsetRect$DrawEdge, String ID: , Total Matches: 2874
Function_0002E4A0 API ID: GetSystemMetrics$GetMonitorInfoSystemParametersInfolstrcpy, String ID: DISPLAY$GetMonitorInfo, Total Matches: 2853
Function_00006D38 API ID: lstrcpyn$LoadLibraryEx$GetLocaleInfoGetThreadLocalelstrlen, String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales, Total Matches: 2843
Function_00045334 API ID: EnumWindowsGetWindowGetWindowLongSetWindowPos, String ID: , Total Matches: 2678
Function_000328FC API ID: GetSystemMetricsGetWindowLong$ExcludeClipRectFillRectGetSysColorBrushGetWindowDCGetWindowRectInflateRectOffsetRectReleaseDC, String ID: , Total Matches: 2670
Function_00034550 API ID: InsertMenu$GetVersionInsertMenuItem, String ID: ,$?, Total Matches: 2669
Function_0002F204 API ID: GetProcAddress$LoadLibrary, String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$[FILE], Total Matches: 2590
Function_0000D8AA API ID: GetModuleFileName$LoadStringVirtualQuery, String ID: , Total Matches: 2563
Function_0000D8AC API ID: GetModuleFileName$LoadStringVirtualQuery, String ID: , Total Matches: 2563
Function_00034924 API ID: GetMenuItemCount$DestroyMenuGetMenuStateRemoveMenu, String ID: , Total Matches: 2509
Function_00042C9C API ID: SendMessage$GetActiveWindowGetCapture$ReleaseCapture, String ID: , Total Matches: 2310
Function_0002E408 API ID: GetSystemMetrics, String ID: MonitorFromPoint, Total Matches: 2190
Function_000389B4 API ID: RestoreDCSaveDC$DefWindowProcGetSubMenuGetWindowDC, String ID: , Total Matches: 2150
Function_00028B08 API ID: SelectObject$SelectPalette$CreateCompatibleDCGetDIBitsGetDeviceCapsRealizePaletteSetBkColorSetTextColor$BitBltCreateBitmapCreateCompatibleBitmapCreateDIBSectionDeleteDCFillRectGetDCGetDIBColorTableGetObjectPatBltSetDIBColorTable, String ID: , Total Matches: 1987
Function_000282D0 API ID: GetWinMetaFileBitsMulDiv$GetDC, String ID: `, Total Matches: 1938
Function_0003804C API ID: DrawMenuBarGetMenuItemInfoSetMenuItemInfo, String ID: P, Total Matches: 1778
Function_00054934 API ID: GetWindowLong$GetClassInfoRegisterClassSetWindowLongUnregisterClass, String ID: @, Total Matches: 1764
Function_0005D6E8 API ID: GetProcAddress$SetErrorMode$GetModuleHandleLoadLibrary, String ID: ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME$[FILE], Total Matches: 1532
Function_00004BBF API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile, String ID: , Total Matches: 908
Function_000035C4 API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile, String ID: , Total Matches: 908
Function_000043BF API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile, String ID: , Total Matches: 908
Function_00028418 API ID: CopyEnhMetaFileGetClipboardDataGetEnhMetaFileHeader, String ID: , Total Matches: 804
Function_0002B438 API ID: GetDCGetTextMetricsReleaseDCSelectObject, String ID: , Total Matches: 789
Function_0005F5F8 API ID: CloseHandle$CreateFileCreateFileMappingGetFileSizeMapViewOfFileUnmapViewOfFile, String ID: , Total Matches: 462
Function_00006BE0 API ID: GetSystemDefaultLCID, String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy, Total Matches: 412
Function_000063E0 API ID: GetSystemDefaultLCID, String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy, Total Matches: 412
Function_00046524 API ID: PeekMessage$DispatchMessage$IsWindowUnicodeTranslateMessage, String ID: , Total Matches: 329
Function_00004E2A API ID: ExitProcessMessageBox, String ID: Error$Runtime error at 00000000, Total Matches: 311
Function_0004D1B0 API ID: GetWindowLongSetWindowLong$SetProp$IsWindowUnicode, String ID: , Total Matches: 309
Function_00060AC0 API ID: GetProcAddress$GetModuleHandle, String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$[FILE], Total Matches: 300
Function_000462F4 API ID: SendMessage$GetWindowThreadProcessId$GetCaptureGetParentIsWindowUnicode, String ID: , Total Matches: 293
Function_0002B47C API ID: MulDiv, String ID: MS Shell Dlg 2$SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes$Tahoma, Total Matches: 283
Function_0002A930 API ID: CreateHalftonePaletteDeleteObjectGetDCReleaseDC, String ID: (, Total Matches: 272
Function_00005E44 API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError, String ID: , Total Matches: 271
Function_0000A404 API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError, String ID: , Total Matches: 271
Function_00005644 API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError, String ID: , Total Matches: 271
Function_000085D4 API ID: RegisterWindowMessage$SendMessage$FindWindow, String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ, Total Matches: 268
Function_0003B7D8 API ID: ShowWindow$SetWindowLong$GetWindowLongIsIconicIsWindowVisible, String ID: , Total Matches: 256
Function_00046834 API ID: SetWindowPos$GetWindowRectMessageBoxSetActiveWindow, String ID: (, Total Matches: 241
Function_000455EC API ID: ShowOwnedPopupsShowWindow$EnumWindows, String ID: , Total Matches: 230
Function_00045518 API ID: GetCurrentProcessIdGetWindowGetWindowThreadProcessIdIsWindowVisible, String ID: , Total Matches: 218
Function_0002B29C API ID: DeleteObject$GetIconInfoGetObject, String ID: , Total Matches: 214
Function_0002EB3C API ID: DispatchMessageMsgWaitForMultipleObjectsExPeekMessageTranslateMessageWaitForMultipleObjectsEx, String ID: , Total Matches: 211
Function_00002820 API ID: MessageBox, String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown, Total Matches: 200
Function_0002EA7C API ID: FindWindowExGetCurrentThreadIdGetWindowThreadProcessIdIsWindow, String ID: OleMainThreadWndClass, Total Matches: 198
Function_00041160 API ID: ExcludeClipRectFillRectGetStockObjectRestoreDCSaveDCSetBkColor, String ID: , Total Matches: 196
Function_000564D0 API ID: SelectObject$BeginPaintBitBltCreateCompatibleBitmapCreateCompatibleDCSetWindowOrgEx, String ID: , Total Matches: 190
Function_0000281E API ID: MessageBox, String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak, Total Matches: 190
Function_000031FC API ID: CharNext, String ID: $ $ $"$"$"$"$"$", Total Matches: 169
Function_00046070 API ID: DefWindowProcIsWindowEnabledSetActiveWindowSetFocusSetWindowPosShowWindow, String ID: , Total Matches: 165
Function_000458CC API ID: SetFocus$GetFocusIsWindowEnabledPostMessage$GetLastActivePopupIsWindowVisibleSendMessage, String ID: , Total Matches: 159
Function_0008DDE0 API ID: FindResourceFreeResourceLoadResourceLockResourceSizeofResource, String ID: , Total Matches: 153
Function_0003F2B8 API ID: GetWindowLongSendMessageSetWindowLong$GetClassLongGetSystemMenuSetClassLongSetWindowPos, String ID: , Total Matches: 142
Function_00082028 API ID: DispatchMessageGetMessageTranslateMessage, String ID: , Total Matches: 124
Function_0008AEA8 API ID: AdjustTokenPrivilegesCloseHandleGetCurrentProcessGetLastErrorLookupPrivilegeValueOpenProcessToken, String ID: , Total Matches: 122
Function_0003F914 API ID: SetMenu$GetMenuSetWindowPos, String ID: , Total Matches: 113
Function_0002473C API ID: CompareStringCreateFontIndirect, String ID: Default, Total Matches: 108
Function_0003E644 API ID: RestoreDCSaveDC$GetParentGetWindowDCSetFocus, String ID: , Total Matches: 105
Function_000715B0 API ID: CloseServiceHandle$DeleteServiceOpenSCManagerOpenService, String ID: , Total Matches: 102
Function_0005944C API ID: OffsetRect$MapWindowPoints$DrawEdgeExcludeClipRectFillRectGetClientRectGetRgnBoxGetWindowDCGetWindowLongGetWindowRectInflateRectIntersectClipRectIntersectRectReleaseDC, String ID: , Total Matches: 99
Function_000658F4 API ID: VirtualFreeVirtualProtect, String ID: FinalizeSections: VirtualProtect failed, Total Matches: 91
Function_0008A070 API ID: AdjustTokenPrivilegesExitWindowsExGetCurrentProcessLookupPrivilegeValueOpenProcessToken, String ID: SeShutdownPrivilege, Total Matches: 81
Function_00060DDC API ID: GetProcAddress$LoadLibrary, String ID: EmptyWorkingSet$EnumDeviceDrivers$EnumProcessModules$EnumProcesses$GetDeviceDriverBaseNameA$GetDeviceDriverBaseNameW$GetDeviceDriverFileNameA$GetDeviceDriverFileNameW$GetMappedFileNameA$GetMappedFileNameW$GetModuleBaseNameA$GetModuleBaseNameW$GetModuleFileNameExA$GetModuleFileNameExW$GetModuleInformation$GetProcessMemoryInfo$InitializeProcessForWsWatch$[FILE]$QueryWorkingSet, Total Matches: 77
Function_00042280 API ID: ShowWindow$SendMessageSetWindowPos$CallWindowProcGetActiveWindowSetActiveWindow, String ID: , Total Matches: 76
Function_000606CC API ID: gethostbynameinet_addr, String ID: %d.%d.%d.%d$0.0.0.0, Total Matches: 75
Function_00066038 API ID: FreeLibraryGetProcessHeapHeapFreeVirtualFree, String ID: , Total Matches: 74
Function_00065598 API ID: GetProcAddress$IsBadReadPtrLoadLibrary, String ID: BuildImportTable: GetProcAddress failed$BuildImportTable: ReallocMemory failed$BuildImportTable: can't load library: , Total Matches: 72
Function_000714B8 API ID: CloseServiceHandle$ControlServiceOpenSCManagerOpenServiceQueryServiceStatusStartService, String ID: , Total Matches: 71
Function_00065A0C API ID: VirtualAlloc$GetProcessHeapHeapAlloc, String ID: BTMemoryLoadLibary: BuildImportTable failed$BTMemoryLoadLibary: Can't attach library$BTMemoryLoadLibary: Get DLLEntyPoint failed$BTMemoryLoadLibary: IMAGE_NT_SIGNATURE is not valid$BTMemoryLoadLibary: VirtualAlloc failed$BTMemoryLoadLibary: dll dos header is not valid$MZ$PE, Total Matches: 70
Function_00004448 API ID: RegCloseKeyRegOpenKeyExRegQueryValueEx, String ID: &$FPUMaskValue$SOFTWARE\Borland\Delphi\RTL, Total Matches: 63
Function_0006D36C API ID: ShellExecute, String ID: /k $[FILE]$open, Total Matches: 62
Function_0000A3AC API ID: DosDateTimeToFileTimeGetLastErrorLocalFileTimeToFileTimeSetFileTime, String ID: , Total Matches: 51
Function_0002EC20 API ID: GetModuleHandleGetProcAddress, String ID: CoWaitForMultipleHandles$[FILE], Total Matches: 48
Function_00071640 API ID: CloseServiceHandleEnumServicesStatusOpenSCManager, String ID: , Total Matches: 47
Function_0005DAE0 API ID: GlobalAddAtom$GetCurrentProcessIdGetCurrentThreadIdGetModuleHandleGetProcAddressRegisterWindowMessage, String ID: AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$USER32, Total Matches: 45
Function_0008A8AC API ID: CloseHandle$CreateFile$CreateProcessWaitForSingleObject, String ID: D, Total Matches: 45
Function_00066D4C API ID: CloseHandle$CreateFile$CreateProcessWaitForSingleObject, String ID: D, Total Matches: 45
Function_0002FA80 API ID: GetProcAddressLoadLibrary, String ID: DWMAPI.DLL$DwmIsCompositionEnabled, Total Matches: 41
Function_00084388 API ID: CloseHandleGetExitCodeProcessOpenProcessTerminateProcess, String ID: , Total Matches: 39
Function_000710F0 API ID: GetWindowShowWindow$FindWindowGetClassName, String ID: BUTTON$Shell_TrayWnd, Total Matches: 37
Function_0008A218 API ID: ShellExecuteEx, String ID: <$runas, Total Matches: 35
Function_000629C0 API ID: CoCreateInstance, String ID: <*I$L*I, Total Matches: 35
Function_000630C8 API ID: CoCreateInstance, String ID: <*I$L*I, Total Matches: 35
Function_0002F9E4 API ID: GetProcAddressLoadLibrary, String ID: DWMAPI.DLL$DwmExtendFrameIntoClientArea, Total Matches: 35
Function_0008AFE8 API ID: Sleep$GetCurrentProcessGetTokenInformationLookupPrivilegeDisplayNameLookupPrivilegeNameOpenProcessToken, String ID: , Total Matches: 34
Function_00071850 API ID: CloseServiceHandle$CreateServiceOpenSCManager, String ID: Description$System\CurrentControlSet\Services\, Total Matches: 34
Function_0006F17C API ID: GetWindowPlacementGetWindowTextIsWindowVisible, String ID: ,$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive$True, Total Matches: 33
Function_0008C3E4 API ID: FreeLibraryGetProcAddressLoadLibrary, String ID: _DCEntryPoint, Total Matches: 32
Function_0008D3C4 API ID: GetVersionEx, String ID: Unknow$Windows 2000$Windows 7$Windows 95$Windows 98$Windows Me$Windows NT 4.0$Windows Server 2003$Windows Vista$Windows XP, Total Matches: 32
Function_0008DA48 API ID: Netbios, String ID: %.2x-%.2x-%.2x-%.2x-%.2x-%.2x$3$memory allocation failed!, Total Matches: 32
Function_0008CF38 API ID: GetForegroundWindowGetWindowTextGetWindowTextLength, String ID: , Total Matches: 31
Function_0006E0DC API ID: RegOpenKeyEx$RegCloseKeyRegDeleteValue, String ID: , Total Matches: 31
Function_000840D8 API ID: CloseHandleGetTokenInformationLookupAccountSid$GetLastErrorOpenProcessOpenProcessToken, String ID: , Total Matches: 30
Function_0006E3F0 API ID: SHGetPathFromIDListSHGetSpecialFolderLocation, String ID: .LNK, Total Matches: 30
Function_0008AC14 API ID: GetCurrentProcessGetTokenInformationLookupPrivilegeDisplayNameLookupPrivilegeNameOpenProcessToken, String ID: GetTokenInformation error$OpenProcessToken error, Total Matches: 30
Function_0006F3B8 API ID: GetWindowPlacementGetWindowText, String ID: ,$False$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive, Total Matches: 30
Function_00005026 API ID: UnhandledExceptionFilter, String ID: @$@, Total Matches: 29
Function_00005028 API ID: UnhandledExceptionFilter, String ID: @$@, Total Matches: 29
Function_0008B42C API ID: keybd_event, String ID: CTRLA$CTRLC$CTRLF$CTRLP$CTRLV$CTRLX$CTRLY$CTRLZ, Total Matches: 29
Function_0008B908 API ID: GetTokenInformation$CloseHandleGetCurrentProcessOpenProcessToken, String ID: Default$Full$Limited$unknow, Total Matches: 28
Function_0006E244 API ID: RegOpenKeyEx$RegCloseKeyRegDeleteKey, String ID: , Total Matches: 27
Function_0008C494 API ID: CloseHandle$CreateFileCreateThreadFindResourceLoadResourceLocalAllocLockResourceSizeofResourceWriteFile, String ID: [FILE], Total Matches: 27
Function_00004B2E API ID: UnhandledExceptionFilter, String ID: @, Total Matches: 27
Function_00004C5A API ID: UnhandledExceptionFilter, String ID: @, Total Matches: 27
Function_00072C70 API ID: SetFileAttributes, String ID: I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!$drivers\etc\hosts, Total Matches: 26
Function_0006F5E4 API ID: GetWindowPlacementGetWindowTextIsWindowVisible, String ID: ,, Total Matches: 26
Function_00085150 API ID: RegCloseKeyRegOpenKeyRegSetValueEx, String ID: Software\Microsoft\Windows\CurrentVersion\Run, Total Matches: 24
Function_00070B94 API ID: DragQueryFile$GlobalLockGlobalUnlock, String ID: , Total Matches: 22
Function_000754C4 API ID: GetModuleHandleGetProcAddress$CreateProcess, String ID: CloseHandle$CreateMutexA$CreateProcessA$D$DCPERSFWBP$ExitThread$GetExitCodeProcess$GetLastError$GetProcAddress$LoadLibraryA$MessageBoxA$OpenProcess$SetLastError$Sleep$TerminateProcess$WaitForSingleObject$kernel32$[FILE]$notepad$user32$[FILE], Total Matches: 21
Function_000314A0 API ID: GlobalAllocGlobalLockGlobalUnlockSetClipboardData, String ID: , Total Matches: 21
Function_0008C91C API ID: GetVolumeInformation, String ID: %.4x:%.4x, Total Matches: 20
Function_000889F0 API ID: GetMonitorInfo, String ID: H$MONSIZE, Total Matches: 20
Function_0007EAEC API ID: CreateThreadDispatchMessageGetMessageTranslateMessage, String ID: at $,xI$AI$AI$MPI$OFFLINEK$PWD$Unknow, Total Matches: 19
Function_00082320 API ID: CreateThreadExitThreadSleep, String ID: @$BTRESULTUDP Flood|UDP Flood task finished!|, Total Matches: 19
Function_0006E724 API ID: NetApiBufferFree$NetShareEnumNetShareGetInfo, String ID: , Total Matches: 19
Function_000827C4 API ID: CreateThreadExitThreadSleep, String ID: @$BTRESULTSyn Flood|Syn task finished!|, Total Matches: 19
Function_00072E88 API ID: inet_ntoa$WSAIoctlclosesocketsocket, String ID: Broadcast adress : $ Broadcasts : NO$ Broadcasts : YES$ IP : $ IP Mask : $ Loopback interface$ Network interface$ Status : DOWN$ Status : UP, Total Matches: 19
Function_00083858 API ID: CreateThreadExitThreadSleep, String ID: @$BTRESULTHTTP Flood|Http Flood task finished!|, Total Matches: 19
Function_000221F0 API ID: RegQueryValueEx, String ID: ldA, Total Matches: 18
Function_000818F8 API ID: GetKeyState$CallNextHookEx$GetKeyboardStateMapVirtualKeyToAscii, String ID: [<-]$[DEL]$[DOWN]$[ESC]$[F1]$[F2]$[F3]$[F4]$[F5]$[F6]$[F7]$[F8]$[INS]$[LEFT]$[NUM_LOCK]$[RIGHT]$[SNAPSHOT]$[UP], Total Matches: 18
EntryPoint API ID: CoInitialize, String ID: .dcp$DCDATA$GENCODE$MPI$NETDATA, Total Matches: 18
Function_00074208 API ID: GetProcAddress$LoadLibrary, String ID: WlanCloseHandle$WlanEnumInterfaces$WlanGetAvailableNetworkList$WlanOpenHandle$WlanQueryInterface$[FILE], Total Matches: 17
Function_00088D70 API ID: BitBltCreateCompatibleBitmapCreateCompatibleDCCreateDCSelectObject, String ID: image/jpeg, Total Matches: 17
Function_00074E20 API ID: CreateRemoteThreadReadProcessMemoryWaitForSingleObject, String ID: DCPERSFWBP, Total Matches: 17
Function_0000F3A4 API ID: FindResourceLoadResource, String ID: 0PI$DVCLAL, Total Matches: 17
Function_00089580 API ID: CloseHandleCreatePipePeekNamedPipe$CreateProcessDispatchMessageGetEnvironmentVariableGetExitCodeProcessOemToCharPeekMessageReadFileSleepTerminateProcessTranslateMessage, String ID: COMSPEC$D, Total Matches: 17
Function_00081318 API ID: CreateThreadExitThread, String ID: Bytes ($,xI$:: $:: Clipboard Change : size = $FTPSIZE$FTPUPLOADK$dclogs\, Total Matches: 16
Function_00022188 API ID: RegSetValueEx, String ID: NoControlPanel$tdA, Total Matches: 16
Function_00082630 API ID: ExitThread$Sleepclosesocketconnectgethostbynameinet_addrntohsrecvsocket, String ID: , Total Matches: 16
Function_0005E7B4 API ID: GetActiveObject, String ID: E, Total Matches: 16
Function_0008485C API ID: HttpQueryInfoInternetCloseHandleInternetOpenInternetOpenUrlInternetReadFileShellExecute, String ID: 200$Mozilla$open, Total Matches: 16
Function_00080880 API ID: recv$closesocketshutdown$connectgethostbynameinet_addrntohssocket, String ID: [.dll]$[.dll]$[.dll]$[.dll]$[.dll], Total Matches: 16
Function_00082E34 API ID: Sleep$CreateThreadExitThread, String ID: .255$127.0.0.1$LanList, Total Matches: 16
Function_00074F80 API ID: GetModuleHandleGetProcAddress$CreateProcess, String ID: CloseHandle$D$DeleteFileA$ExitThread$GetExitCodeProcess$GetLastError$GetProcAddress$LoadLibraryA$MessageBoxA$OpenProcess$Sleep$TerminateProcess$kernel32$[FILE]$notepad$[FILE], Total Matches: 16
Function_0007F4E0 API ID: recv$closesocketconnectgethostbynameinet_addrntohsshutdownsocket, String ID: [.dll]$PLUGIN$QUICKUP, Total Matches: 16
Function_0001F7B4 API ID: EnterCriticalSectionGetCurrentThreadId$InterlockedExchangeLeaveCriticalSection, String ID: 4PI, Total Matches: 16
Function_00049834 API ID: GetModuleHandleGetProcAddressImageList_Write, String ID: $qA$ImageList_WriteEx$[FILE]$[FILE], Total Matches: 16
Function_0000DA34 API ID: GetStdHandleWriteFile$CharToOemLoadStringMessageBox, String ID: LPI, Total Matches: 16
Function_00086374 API ID: send, String ID: #KEEPALIVE#$AI, Total Matches: 15
Function_0008DD0C API ID: GlobalMemoryStatus, String ID: $%d%, Total Matches: 15
Function_00086094 API ID: DispatchMessagePeekMessageTranslateMessage, String ID: @^H, Total Matches: 15
Function_000801FC API ID: recv$closesocketconnectgethostbynameinet_addrntohssendshutdownsocket, String ID: [.dll]$[.dll]$[.dll]$[.dll]$[.dll], Total Matches: 15
Function_000821A0 API ID: ExitThread$Sleepclosesocketgethostbynameinet_addrntohssendtosocket, String ID: , Total Matches: 15
Function_000843EC API ID: CloseHandleOpenProcess, String ID: ACCESS DENIED (x64), Total Matches: 15
Function_00088B18 API ID: GetDeviceCaps$CreateDCEnumDisplayMonitors, String ID: DISPLAY$MONSIZE0x0x0x0, Total Matches: 15
Function_00062C84 API ID: CoCreateInstance, String ID: )I$,*I$\)I$l)I$|*I, Total Matches: 15
Function_00089244 API ID: recv$ExitThreadclosesocketconnectgethostbynameinet_addrntohssendshutdownsocket, String ID: AI$DATAFLUX, Total Matches: 15
Function_00073208 API ID: inet_ntoa$WSAIoctlclosesocketsocket, String ID: , Total Matches: 15
Function_00073448 API ID: InternetConnectInternetOpen, String ID: 84G$DCSC, Total Matches: 15
Function_00085954 API ID: DeleteFile$BeepMessageBox, String ID: Error$SYSINFO$out.txt$systeminfo$tmp.txt, Total Matches: 15
Function_0007FA8C API ID: GetDeviceCaps$recv$DeleteObjectSelectObject$BitBltCreateCompatibleBitmapCreateCompatibleDCGetDCReleaseDCclosesocketconnectgethostbynameinet_addrntohssendshutdownsocket, String ID: THUMB, Total Matches: 15
Function_00044D60 API ID: CharLowerCharNextGetModuleFileNameLoadIconOemToChar, String ID: 08B$0PI$8PI$MAINICON$\tA, Total Matches: 14
Function_000450B4 API ID: DeleteMenu$GetClassInfoGetSystemMenuRegisterClassSendMessageSetClassLongSetWindowLong, String ID: LPI$PMD, Total Matches: 14
Function_00021808 API ID: RegCloseKeyRegCreateKeyEx, String ID: ddA, Total Matches: 14
Function_00086210 API ID: recvsend, String ID: EndReceive, Total Matches: 14
Function_0002E370 API ID: GetWindowPlacementGetWindowRectIsIconic, String ID: MonitorFromWindow$pB, Total Matches: 14
Function_0002E574 API ID: GetSystemMetrics$SystemParametersInfolstrcpy, String ID: DISPLAY$GetMonitorInfoA$tB, Total Matches: 14
Function_00086918 API ID: send$recv$closesocket$Sleepconnectgethostbynamegetsocknamentohsselectsocket, String ID: , Total Matches: 14
Function_00074D58 API ID: VirtualAllocExWriteProcessMemory, String ID: DCPERSFWBP$[FILE], Total Matches: 14
Function_00086E2C API ID: CloseHandleCreateThreadExitThreadLocalAllocSleepacceptbindlistenntohssocket, String ID: ERR|Cannot listen to port, try another one..|$ERR|Socket error..|$OK|Successfully started..|, Total Matches: 14
Function_0007EE3C API ID: ShellExecute$CopyFile$DeleteFilePlaySoundSetFileAttributes, String ID: .dcp$BATCH$EDITSVR$GENCODE$HOSTS$SOUND$UPANDEXEC$UPDATE$UPLOADEXEC$drivers\etc\hosts$open, Total Matches: 14
Function_00080F70 API ID: GetForegroundWindowGetWindowTextGetWindowTextLength, String ID: 3 H, Total Matches: 13
Function_00081ED8 API ID: GetModuleHandleSetWindowsHookEx, String ID: 3 H$dclogs\, Total Matches: 13
Function_0008851C API ID: recv$closesocketconnectgethostbynameinet_addrmouse_eventntohsshutdownsocket, String ID: CONTROLIO$XLEFT$XMID$XRIGHT$XWHEEL, Total Matches: 13
Function_0008317C API ID: ExitThreadrecv$closesocketconnectgethostbynameinet_addrntohssendshutdownsocket, String ID: AI$DATAFLUX, Total Matches: 13
Function_00021F68 API ID: RegQueryValueEx, String ID: n"B, Total Matches: 12
Function_0002E2E0 API ID: GetSystemMetrics, String ID: B$MonitorFromRect, Total Matches: 12
Function_00048CDC API ID: ImageList_Draw$ImageList_GetImageCount, String ID: 6B, Total Matches: 12
Function_00046EDC API ID: GetCurrentThreadIdSetTimerWaitMessage, String ID: 4PI$TfD, Total Matches: 12
Function_00031584 API ID: GetClipboardDataGlobalLockGlobalUnlock, String ID: 3 H, Total Matches: 12
Function_00031630 API ID: EnumClipboardFormatsGetClipboardData, String ID: 84B, Total Matches: 12
Function_0008298C API ID: ExitThread$closesocket$connectgethostbynameinet_addrntohssocket, String ID: PortScanAdd$T)H, Total Matches: 11
Function_00084B30 API ID: Sleep, String ID: BTERRORDownload File| Error on downloading file check if you type the correct url...|$BTRESULTDownload File|Mass Download : File Downloaded , Executing new one in temp dir...|$BTRESULTMass Download|Downloading File...|$DownloadFail$DownloadSuccess, Total Matches: 11
Function_000836D8 API ID: ExitThread$Sleepclosesocketconnectgethostbynameinet_addrntohsrecvsocket, String ID: POST /index.php/1.0Host: , Total Matches: 11
Function_000878A4 API ID: CloseHandleCreateThreadEnterCriticalSectionLeaveCriticalSectionLocalAlloc, String ID: , Total Matches: 11
Function_0008E06C API ID: SendMessage$FindWindowEx$CloseHandleFindWindowGetWindowThreadProcessIdOpenProcessReadProcessMemoryVirtualAllocVirtualAllocExVirtualFreeVirtualFreeExWriteProcessMemory, String ID: #32770$SysListView32$d"H, Total Matches: 10
Function_0002E648 API ID: GetSystemMetrics$SystemParametersInfolstrcpy, String ID: DISPLAY$GetMonitorInfoW$HB, Total Matches: 10
Function_00048A94 API ID: BitBltImageList_DrawExSetBkColorSetTextColor, String ID: 6B, Total Matches: 10
Function_00082B34 API ID: ExitThread$CreateThreadLocalAllocSleep, String ID: p)H, Total Matches: 10
Function_00083468 API ID: InternetCloseHandle$ExitThreadInternetOpenInternetOpenUrl, String ID: Times.$[.exe]$H4H$myappname, Total Matches: 10
Function_00087488 API ID: EnterCriticalSectionLeaveCriticalSectionclosesocket, String ID: FpH, Total Matches: 10
Function_000319C4 API ID: EnumClipboardFormats, String ID: 84B, Total Matches: 10
Function_000556F4 API ID: DefWindowProcGetCaptureSetWindowPos_TrackMouseEvent, String ID: zC, Total Matches: 9
Function_0008CFB4 API ID: capGetDriverDescription, String ID: - , Total Matches: 8
Function_00075E2C API ID: send, String ID: AI, Total Matches: 7
Function_000865E0 API ID: DispatchMessagePeekMessageSleepTranslateMessageclosesocketconnectgethostbynameinet_addrntohsrecvshutdownsocket, String ID: AI$`cH, Total Matches: 6
Function_000028CC API ID: RtlEnterCriticalSectionRtlLeaveCriticalSection, String ID: (&, Total Matches: 5
Function_00002C40 API ID: RtlEnterCriticalSectionRtlLeaveCriticalSection, String ID: (&, Total Matches: 5
Function_0001239C API ID: GetWindowsDirectory, String ID: \pagefile.sys$\user.dat, Total Matches: 3
Function_00012D78 API ID: GetModuleHandleGetProcAddressLoadLibrary, String ID: could not be located in the dynamic link library $KERNEL32.DLL$LOADER ERROR$The ordinal $The procedure entry point , Total Matches: 3
Function_0008FA10 API ID: Sleep$CopyFileCreateThreadExitProcess$GetLastErrorMessageBoxSetLastErrorShellExecute, String ID: at $" +s +h$,xI$AI$BIND$CHANGEDATE$CHIDED$CHIDEF$COMBOPATH$DCMUTEX$DIRATTRIB$EDTDATE$EDTPATH$FAKEMSG$[.dll]$FWB$GENCODE$Guest$INSTALL$KEYNAME$MELT$MSGCORE$MSGICON$MSGTITLE$MULTIBIND$MULTIPLUGS$MUTEX$NETDATA$OVDNS$PDNS$PERS$PERSINST$PLUGS$SH1$SH10$SH3$SH4$SH5$SH6$SH7$SH8$SH9$SID$attrib "$notepad$open, Total Matches: 3
Function_00011B9C API ID: GetWindowsDirectory, String ID: \pagefile.sys$\user.dat, Total Matches: 3
Function_00012578 API ID: GetModuleHandleGetProcAddressLoadLibrary, String ID: could not be located in the dynamic link library $KERNEL32.DLL$LOADER ERROR$The ordinal $The procedure entry point , Total Matches: 3

Process Name: DOC000YUT090.exe Analysis ID: 45352

General

Root Process Name:	DOC000YUT600.exe
Process MD5:	68DD38B9F0BBC16EF985BEA78DBFDE51
Total matches:	8
Initial Analysis Report:	Open
Initial sample Analysis ID:	45352
Initial sample SHA 256:	2778DDF8E45C6C9E6D469B7D99EEBB0E063CD2F6B6608956B706EE321FCA8B18
Initial sample name:	DOC000YUT090.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0034FD78, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 112 Total matches: 3libraryloader

Similarity

Total matches: 3
API ID: GetModuleHandleGetProcAddressLoadLibrary
String ID: could not be located in the dynamic link library $KERNEL32.DLL$LOADER ERROR$The ordinal $The procedure entry point
API String ID: 3886144976-2170670254
Opcode ID: 374d9dd26f67b2af22a0538d7f29c8ef81b705e1e98b4e3222a250c5e3dff31c
Instruction ID: 324b6a07643041bd4dee5b61fdaa700d57efcd94cab6d8ea9ddc0bc8d1368b0c
Opcode Fuzzy Hash: 3401249833CA4267CA2764552DD132610E2DB13D02CCE63628E35372FF1D04114EF21F
Instruction Fuzzy Hash: 324b6a07643041bd4dee5b61fdaa700d57efcd94cab6d8ea9ddc0bc8d1368b0c

APIs

LoadLibraryA.KERNEL32(?), ref: 0034FD9B
GetProcAddress.KERNEL32(?,?,00000000,0034FEDD), ref: 0034FDAB
GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,00000000,0034FEDD), ref: 0034FDCF

Strings

The ordinal , xrefs: 0034FE07
could not be located in the dynamic link library , xrefs: 0034FE2D, 0034FE8A
LOADER ERROR, xrefs: 0034FE58, 0034FEB5
KERNEL32.DLL, xrefs: 0034FDCA
The procedure entry point , xrefs: 0034FE64

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Function 00341BBF, Relevance: 15.1, APIs: 10, Instructions: 122 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: 205e8a568885d6c2d543e15cd56036bed714d8061a7c91d32e7eb5ea51b892db
Instruction ID: f7547db3e9c123dc0f418f6d8362cf820f88acb5594dc9f1079380e764575605
Opcode Fuzzy Hash: 4901684132C992A7E0AF278089F0BD12048BB0FB48C54CF512284749F8AB25A27CBF0D
Instruction Fuzzy Hash: f7547db3e9c123dc0f418f6d8362cf820f88acb5594dc9f1079380e764575605

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00341C46
GetFileSize.KERNEL32(?,00000000), ref: 00341C6A
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000), ref: 00341C86
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 00341CA7
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00341CD0
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00341CDA
GetStdHandle.KERNEL32(000000F5), ref: 00341CFA
GetFileType.KERNEL32 ref: 00341D11
CloseHandle.KERNEL32 ref: 00341D2C
GetLastError.KERNEL32(000000F5), ref: 00341D46

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000001.00000002.425442085.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.425433026.00400000.00000002.sdmp
Associated: 00000001.00000002.425672453.00499000.00000008.sdmp
Associated: 00000001.00000002.425680765.004A4000.00000008.sdmp
Associated: 00000001.00000002.425739783.004C3000.00000008.sdmp
Associated: 00000001.00000002.426892348.00614000.00000004.sdmp
Associated: 00000001.00000002.426904799.00616000.00000008.sdmp

Function 00343BE0, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167 Total matches: 412

Similarity

Total matches: 412
API ID: GetSystemDefaultLCID
String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
API String ID: 1253799171-665933166
Opcode ID: 0b2a94106f14f21246a8020f17f5793e071d15a549715edb9bd713bfd3a1d27b
Instruction ID: e581ec676e52e876d52da9d9b13036f560e888687d5d3984d165bec5bfb65baf
Opcode Fuzzy Hash: 3721B81DA69482B3C4075ADC18C07A594B59F1B139DC8C7C005BE6AAE12F56200FBF7B
Instruction Fuzzy Hash: e581ec676e52e876d52da9d9b13036f560e888687d5d3984d165bec5bfb65baf

APIs

GetSystemDefaultLCID.KERNEL32(00000000,00343E28,?,?,?,?,00000000,00000000,00000000), ref: 00343BFA

Part of subcall function 00343A28: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00343A46

Part of subcall function 00343A74: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,00343C76,00000000,00343E28,?,?,?,?,00000000), ref: 00343A87

Strings

:mm:ss, xrefs: 00343DF6
m/d/yy, xrefs: 00343CC9
mmmm d, yyyy, xrefs: 00343CEB
:mm, xrefs: 00343DDC
AMPM, xrefs: 00343DC5

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Function 00341E2A, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72 Total matches: 311window

Similarity

Total matches: 311
API ID: ExitProcessMessageBox
String ID: Error$Runtime error at 00000000
API String ID: 1741372891-2970929446
Opcode ID: 3e816442c36023f9d805a67b313c24a94589eddd51cb7c2941cce55a9939b3f4
Instruction ID: 87186ae28839d5083514ec0ff23b261232dce001b7c620935dcecaa69dc8621a
Opcode Fuzzy Hash: 68F0C0D142565741F46761105BA0293442457C263DEE4230D041D6B4DCB74F340EF3EF
Instruction Fuzzy Hash: 87186ae28839d5083514ec0ff23b261232dce001b7c620935dcecaa69dc8621a

APIs

MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00341EC5

Part of subcall function 0033F94C: RtlEnterCriticalSection.NTDLL(`0), ref: 0033F979
Part of subcall function 0033F94C: LocalFree.KERNEL32(00360F80,00000000,0033FA24), ref: 0033F98B
Part of subcall function 0033F94C: VirtualFree.KERNEL32(013E0000,00000000,00008000,00360F80,00000000,0033FA24), ref: 0033F9AA
Part of subcall function 0033F94C: LocalFree.KERNEL32(003625D0,013E0000,00000000,00008000,00360F80,00000000,0033FA24), ref: 0033F9E9
Part of subcall function 0033F94C: RtlLeaveCriticalSection.NTDLL(`0), ref: 0033FA14
Part of subcall function 0033F94C: RtlDeleteCriticalSection.NTDLL(`0), ref: 0033FA1E

ExitProcess.KERNEL32 ref: 00341F0D

Strings

Runtime error at 00000000, xrefs: 00341EBE, 00341ED1
Error, xrefs: 00341EB9

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000001.00000002.425442085.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.425433026.00400000.00000002.sdmp
Associated: 00000001.00000002.425672453.00499000.00000008.sdmp
Associated: 00000001.00000002.425680765.004A4000.00000008.sdmp
Associated: 00000001.00000002.425739783.004C3000.00000008.sdmp
Associated: 00000001.00000002.426892348.00614000.00000004.sdmp
Associated: 00000001.00000002.426904799.00616000.00000008.sdmp

Function 00342E44, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: 8291d8e60a726b0418ab79f9eef81b9bb57ffefecf15ded0f1122eb310303240
Instruction ID: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a
Opcode Fuzzy Hash: 1FD0124745344A0389ED0D9C40D3D85129245AECB2ABC2F0149BF7F6D709219557FECC
Instruction Fuzzy Hash: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a

APIs

FindNextFileA.KERNEL32(?,?), ref: 00342E54
GetLastError.KERNEL32(?,?), ref: 00342E5D
FileTimeToLocalFileTime.KERNEL32(?), ref: 00342E71
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 00342E80

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Function 0034F39C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 79 Total matches: 3

Similarity

Total matches: 3
API ID: GetWindowsDirectory
String ID: \pagefile.sys$\user.dat
API String ID: 4084383422-633636141
Opcode ID: f6e7fbb2de961054de8c286702b65a8bd3d6366e9b32350c5a3c5fc114766212
Instruction ID: 5c54033fe22f2907980b2ea675aec0e8912a9982c326d76782163ec1da876bf7
Opcode Fuzzy Hash: 2CF0BE572BA0E5EF8002B3450C8266D04B44B42878C943B76CA79366F52966C54DE18E
Instruction Fuzzy Hash: 5c54033fe22f2907980b2ea675aec0e8912a9982c326d76782163ec1da876bf7

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,0034F4B1), ref: 0034F3DF

Part of subcall function 003439A4: GetLocalTime.KERNEL32(?), ref: 003439AC

Strings

\user.dat, xrefs: 0034F42A
\pagefile.sys, xrefs: 0034F45E

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Process Name: Po_No_6111875-22.exe Analysis ID: 46407

General

Root Process Name:	DOC000YUT600.exe
Process MD5:	5FF9678FCE561E1942FD09B7FDFA23A1
Total matches:	8
Initial Analysis Report:	Open
Initial sample Analysis ID:	46407
Initial sample SHA 256:	DB93037951961559422B17BC7FC3D74FD06C9D3ECEAEBE8395515E16CF2A6ED4
Initial sample name:	Po_No_6111875-22.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0034FD78, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 112 Total matches: 3libraryloader

Similarity

Total matches: 3
API ID: GetModuleHandleGetProcAddressLoadLibrary
String ID: could not be located in the dynamic link library $KERNEL32.DLL$LOADER ERROR$The ordinal $The procedure entry point
API String ID: 3886144976-2170670254
Opcode ID: 374d9dd26f67b2af22a0538d7f29c8ef81b705e1e98b4e3222a250c5e3dff31c
Instruction ID: 324b6a07643041bd4dee5b61fdaa700d57efcd94cab6d8ea9ddc0bc8d1368b0c
Opcode Fuzzy Hash: 3401249833CA4267CA2764552DD132610E2DB13D02CCE63628E35372FF1D04114EF21F
Instruction Fuzzy Hash: 324b6a07643041bd4dee5b61fdaa700d57efcd94cab6d8ea9ddc0bc8d1368b0c

APIs

LoadLibraryA.KERNEL32(?), ref: 0034FD9B
GetProcAddress.KERNEL32(?,?,00000000,0034FEDD), ref: 0034FDAB
GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,00000000,0034FEDD), ref: 0034FDCF

Strings

The ordinal , xrefs: 0034FE07
could not be located in the dynamic link library , xrefs: 0034FE2D, 0034FE8A
LOADER ERROR, xrefs: 0034FE58, 0034FEB5
KERNEL32.DLL, xrefs: 0034FDCA
The procedure entry point , xrefs: 0034FE64

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Function 00341BBF, Relevance: 15.1, APIs: 10, Instructions: 122 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: 205e8a568885d6c2d543e15cd56036bed714d8061a7c91d32e7eb5ea51b892db
Instruction ID: f7547db3e9c123dc0f418f6d8362cf820f88acb5594dc9f1079380e764575605
Opcode Fuzzy Hash: 4901684132C992A7E0AF278089F0BD12048BB0FB48C54CF512284749F8AB25A27CBF0D
Instruction Fuzzy Hash: f7547db3e9c123dc0f418f6d8362cf820f88acb5594dc9f1079380e764575605

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00341C46
GetFileSize.KERNEL32(?,00000000), ref: 00341C6A
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000), ref: 00341C86
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 00341CA7
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00341CD0
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00341CDA
GetStdHandle.KERNEL32(000000F5), ref: 00341CFA
GetFileType.KERNEL32 ref: 00341D11
CloseHandle.KERNEL32 ref: 00341D2C
GetLastError.KERNEL32(000000F5), ref: 00341D46

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000001.00000002.425442085.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.425433026.00400000.00000002.sdmp
Associated: 00000001.00000002.425672453.00499000.00000008.sdmp
Associated: 00000001.00000002.425680765.004A4000.00000008.sdmp
Associated: 00000001.00000002.425739783.004C3000.00000008.sdmp
Associated: 00000001.00000002.426892348.00614000.00000004.sdmp
Associated: 00000001.00000002.426904799.00616000.00000008.sdmp

Function 00343BE0, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167 Total matches: 412

Similarity

Total matches: 412
API ID: GetSystemDefaultLCID
String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
API String ID: 1253799171-665933166
Opcode ID: 0b2a94106f14f21246a8020f17f5793e071d15a549715edb9bd713bfd3a1d27b
Instruction ID: e581ec676e52e876d52da9d9b13036f560e888687d5d3984d165bec5bfb65baf
Opcode Fuzzy Hash: 3721B81DA69482B3C4075ADC18C07A594B59F1B139DC8C7C005BE6AAE12F56200FBF7B
Instruction Fuzzy Hash: e581ec676e52e876d52da9d9b13036f560e888687d5d3984d165bec5bfb65baf

APIs

GetSystemDefaultLCID.KERNEL32(00000000,00343E28,?,?,?,?,00000000,00000000,00000000), ref: 00343BFA

Part of subcall function 00343A28: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00343A46

Part of subcall function 00343A74: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,00343C76,00000000,00343E28,?,?,?,?,00000000), ref: 00343A87

Strings

:mm:ss, xrefs: 00343DF6
m/d/yy, xrefs: 00343CC9
mmmm d, yyyy, xrefs: 00343CEB
:mm, xrefs: 00343DDC
AMPM, xrefs: 00343DC5

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Function 00341E2A, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72 Total matches: 311window

Similarity

Total matches: 311
API ID: ExitProcessMessageBox
String ID: Error$Runtime error at 00000000
API String ID: 1741372891-2970929446
Opcode ID: 3e816442c36023f9d805a67b313c24a94589eddd51cb7c2941cce55a9939b3f4
Instruction ID: 87186ae28839d5083514ec0ff23b261232dce001b7c620935dcecaa69dc8621a
Opcode Fuzzy Hash: 68F0C0D142565741F46761105BA0293442457C263DEE4230D041D6B4DCB74F340EF3EF
Instruction Fuzzy Hash: 87186ae28839d5083514ec0ff23b261232dce001b7c620935dcecaa69dc8621a

APIs

MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00341EC5

Part of subcall function 0033F94C: RtlEnterCriticalSection.NTDLL(`0), ref: 0033F979
Part of subcall function 0033F94C: LocalFree.KERNEL32(00360F80,00000000,0033FA24), ref: 0033F98B
Part of subcall function 0033F94C: VirtualFree.KERNEL32(013E0000,00000000,00008000,00360F80,00000000,0033FA24), ref: 0033F9AA
Part of subcall function 0033F94C: LocalFree.KERNEL32(003625D0,013E0000,00000000,00008000,00360F80,00000000,0033FA24), ref: 0033F9E9
Part of subcall function 0033F94C: RtlLeaveCriticalSection.NTDLL(`0), ref: 0033FA14
Part of subcall function 0033F94C: RtlDeleteCriticalSection.NTDLL(`0), ref: 0033FA1E

ExitProcess.KERNEL32 ref: 00341F0D

Strings

Runtime error at 00000000, xrefs: 00341EBE, 00341ED1
Error, xrefs: 00341EB9

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000001.00000002.425442085.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.425433026.00400000.00000002.sdmp
Associated: 00000001.00000002.425672453.00499000.00000008.sdmp
Associated: 00000001.00000002.425680765.004A4000.00000008.sdmp
Associated: 00000001.00000002.425739783.004C3000.00000008.sdmp
Associated: 00000001.00000002.426892348.00614000.00000004.sdmp
Associated: 00000001.00000002.426904799.00616000.00000008.sdmp

Function 00342E44, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: 8291d8e60a726b0418ab79f9eef81b9bb57ffefecf15ded0f1122eb310303240
Instruction ID: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a
Opcode Fuzzy Hash: 1FD0124745344A0389ED0D9C40D3D85129245AECB2ABC2F0149BF7F6D709219557FECC
Instruction Fuzzy Hash: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a

APIs

FindNextFileA.KERNEL32(?,?), ref: 00342E54
GetLastError.KERNEL32(?,?), ref: 00342E5D
FileTimeToLocalFileTime.KERNEL32(?), ref: 00342E71
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 00342E80

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Function 0034F39C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 79 Total matches: 3

Similarity

Total matches: 3
API ID: GetWindowsDirectory
String ID: \pagefile.sys$\user.dat
API String ID: 4084383422-633636141
Opcode ID: f6e7fbb2de961054de8c286702b65a8bd3d6366e9b32350c5a3c5fc114766212
Instruction ID: 5c54033fe22f2907980b2ea675aec0e8912a9982c326d76782163ec1da876bf7
Opcode Fuzzy Hash: 2CF0BE572BA0E5EF8002B3450C8266D04B44B42878C943B76CA79366F52966C54DE18E
Instruction Fuzzy Hash: 5c54033fe22f2907980b2ea675aec0e8912a9982c326d76782163ec1da876bf7

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,0034F4B1), ref: 0034F3DF

Part of subcall function 003439A4: GetLocalTime.KERNEL32(?), ref: 003439AC

Strings

\user.dat, xrefs: 0034F42A
\pagefile.sys, xrefs: 0034F45E

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Process Name: 71exact replicas of the pictures.scr Analysis ID: 355875

General

Root Process Name:	DOC000YUT600.exe
Process MD5:	2CA36B311F65211EDD9440E953C7824D
Total matches:	6
Initial Analysis Report:	Open
Initial sample Analysis ID:	355875
Initial sample SHA 256:	6CD54C07CBA11E93454E741275DAF57A6AA4312B3F0CC48F73E09985C8488E1A
Initial sample name:	71exact replicas of the pictures.scr

Similar Executed Functions

Similar Non-Executed Functions

Function 0034FD78, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 112 Total matches: 3libraryloader

Similarity

Total matches: 3
API ID: GetModuleHandleGetProcAddressLoadLibrary
String ID: could not be located in the dynamic link library $KERNEL32.DLL$LOADER ERROR$The ordinal $The procedure entry point
API String ID: 3886144976-2170670254
Opcode ID: 374d9dd26f67b2af22a0538d7f29c8ef81b705e1e98b4e3222a250c5e3dff31c
Instruction ID: 324b6a07643041bd4dee5b61fdaa700d57efcd94cab6d8ea9ddc0bc8d1368b0c
Opcode Fuzzy Hash: 3401249833CA4267CA2764552DD132610E2DB13D02CCE63628E35372FF1D04114EF21F
Instruction Fuzzy Hash: 324b6a07643041bd4dee5b61fdaa700d57efcd94cab6d8ea9ddc0bc8d1368b0c

APIs

LoadLibraryA.KERNEL32(?), ref: 0034FD9B
GetProcAddress.KERNEL32(?,?,00000000,0034FEDD), ref: 0034FDAB
GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,00000000,0034FEDD), ref: 0034FDCF

Strings

The ordinal , xrefs: 0034FE07
could not be located in the dynamic link library , xrefs: 0034FE2D, 0034FE8A
LOADER ERROR, xrefs: 0034FE58, 0034FEB5
KERNEL32.DLL, xrefs: 0034FDCA
The procedure entry point , xrefs: 0034FE64

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Function 00341BBF, Relevance: 15.1, APIs: 10, Instructions: 122 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: 205e8a568885d6c2d543e15cd56036bed714d8061a7c91d32e7eb5ea51b892db
Instruction ID: f7547db3e9c123dc0f418f6d8362cf820f88acb5594dc9f1079380e764575605
Opcode Fuzzy Hash: 4901684132C992A7E0AF278089F0BD12048BB0FB48C54CF512284749F8AB25A27CBF0D
Instruction Fuzzy Hash: f7547db3e9c123dc0f418f6d8362cf820f88acb5594dc9f1079380e764575605

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00341C46
GetFileSize.KERNEL32(?,00000000), ref: 00341C6A
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000), ref: 00341C86
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 00341CA7
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00341CD0
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00341CDA
GetStdHandle.KERNEL32(000000F5), ref: 00341CFA
GetFileType.KERNEL32 ref: 00341D11
CloseHandle.KERNEL32 ref: 00341D2C
GetLastError.KERNEL32(000000F5), ref: 00341D46

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Function 00343BE0, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167 Total matches: 412

Similarity

Total matches: 412
API ID: GetSystemDefaultLCID
String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
API String ID: 1253799171-665933166
Opcode ID: 0b2a94106f14f21246a8020f17f5793e071d15a549715edb9bd713bfd3a1d27b
Instruction ID: e581ec676e52e876d52da9d9b13036f560e888687d5d3984d165bec5bfb65baf
Opcode Fuzzy Hash: 3721B81DA69482B3C4075ADC18C07A594B59F1B139DC8C7C005BE6AAE12F56200FBF7B
Instruction Fuzzy Hash: e581ec676e52e876d52da9d9b13036f560e888687d5d3984d165bec5bfb65baf

APIs

GetSystemDefaultLCID.KERNEL32(00000000,00343E28,?,?,?,?,00000000,00000000,00000000), ref: 00343BFA

Part of subcall function 00343A28: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00343A46

Part of subcall function 00343A74: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,00343C76,00000000,00343E28,?,?,?,?,00000000), ref: 00343A87

Strings

:mm:ss, xrefs: 00343DF6
m/d/yy, xrefs: 00343CC9
mmmm d, yyyy, xrefs: 00343CEB
:mm, xrefs: 00343DDC
AMPM, xrefs: 00343DC5

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Function 00341E2A, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72 Total matches: 311window

Similarity

Total matches: 311
API ID: ExitProcessMessageBox
String ID: Error$Runtime error at 00000000
API String ID: 1741372891-2970929446
Opcode ID: 3e816442c36023f9d805a67b313c24a94589eddd51cb7c2941cce55a9939b3f4
Instruction ID: 87186ae28839d5083514ec0ff23b261232dce001b7c620935dcecaa69dc8621a
Opcode Fuzzy Hash: 68F0C0D142565741F46761105BA0293442457C263DEE4230D041D6B4DCB74F340EF3EF
Instruction Fuzzy Hash: 87186ae28839d5083514ec0ff23b261232dce001b7c620935dcecaa69dc8621a

APIs

MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00341EC5

Part of subcall function 0033F94C: RtlEnterCriticalSection.NTDLL(`0), ref: 0033F979
Part of subcall function 0033F94C: LocalFree.KERNEL32(00360F80,00000000,0033FA24), ref: 0033F98B
Part of subcall function 0033F94C: VirtualFree.KERNEL32(013E0000,00000000,00008000,00360F80,00000000,0033FA24), ref: 0033F9AA
Part of subcall function 0033F94C: LocalFree.KERNEL32(003625D0,013E0000,00000000,00008000,00360F80,00000000,0033FA24), ref: 0033F9E9
Part of subcall function 0033F94C: RtlLeaveCriticalSection.NTDLL(`0), ref: 0033FA14
Part of subcall function 0033F94C: RtlDeleteCriticalSection.NTDLL(`0), ref: 0033FA1E

ExitProcess.KERNEL32 ref: 00341F0D

Strings

Runtime error at 00000000, xrefs: 00341EBE, 00341ED1
Error, xrefs: 00341EB9

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Function 00342E44, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: 8291d8e60a726b0418ab79f9eef81b9bb57ffefecf15ded0f1122eb310303240
Instruction ID: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a
Opcode Fuzzy Hash: 1FD0124745344A0389ED0D9C40D3D85129245AECB2ABC2F0149BF7F6D709219557FECC
Instruction Fuzzy Hash: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a

APIs

FindNextFileA.KERNEL32(?,?), ref: 00342E54
GetLastError.KERNEL32(?,?), ref: 00342E5D
FileTimeToLocalFileTime.KERNEL32(?), ref: 00342E71
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 00342E80

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Function 0034F39C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 79 Total matches: 3

Similarity

Total matches: 3
API ID: GetWindowsDirectory
String ID: \pagefile.sys$\user.dat
API String ID: 4084383422-633636141
Opcode ID: f6e7fbb2de961054de8c286702b65a8bd3d6366e9b32350c5a3c5fc114766212
Instruction ID: 5c54033fe22f2907980b2ea675aec0e8912a9982c326d76782163ec1da876bf7
Opcode Fuzzy Hash: 2CF0BE572BA0E5EF8002B3450C8266D04B44B42878C943B76CA79366F52966C54DE18E
Instruction Fuzzy Hash: 5c54033fe22f2907980b2ea675aec0e8912a9982c326d76782163ec1da876bf7

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,0034F4B1), ref: 0034F3DF

Part of subcall function 003439A4: GetLocalTime.KERNEL32(?), ref: 003439AC

Strings

\user.dat, xrefs: 0034F42A
\pagefile.sys, xrefs: 0034F45E

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Process Name: VTfIxABUKQX.exe Analysis ID: 37961

General

Root Process Name:	DOC000YUT600.exe
Process MD5:	E8806738A575A6639E7C9AAC882374AE
Total matches:	6
Initial Analysis Report:	Open
Initial sample Analysis ID:	37961
Initial sample SHA 256:	870185E0AA9C8F21FFE5EA148332E3590A7F197B9CA86093F8211EC6F323AEB7
Initial sample name:	image2017-11-22-8137083.vbs

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000001.00000002.425442085.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.425433026.00400000.00000002.sdmp
Associated: 00000001.00000002.425672453.00499000.00000008.sdmp
Associated: 00000001.00000002.425680765.004A4000.00000008.sdmp
Associated: 00000001.00000002.425739783.004C3000.00000008.sdmp
Associated: 00000001.00000002.426892348.00614000.00000004.sdmp
Associated: 00000001.00000002.426904799.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000001.00000002.425442085.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.425433026.00400000.00000002.sdmp
Associated: 00000001.00000002.425672453.00499000.00000008.sdmp
Associated: 00000001.00000002.425680765.004A4000.00000008.sdmp
Associated: 00000001.00000002.425739783.004C3000.00000008.sdmp
Associated: 00000001.00000002.426892348.00614000.00000004.sdmp
Associated: 00000001.00000002.426904799.00616000.00000008.sdmp

Function 00342E44, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: 8291d8e60a726b0418ab79f9eef81b9bb57ffefecf15ded0f1122eb310303240
Instruction ID: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a
Opcode Fuzzy Hash: 1FD0124745344A0389ED0D9C40D3D85129245AECB2ABC2F0149BF7F6D709219557FECC
Instruction Fuzzy Hash: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a

APIs

FindNextFileA.KERNEL32(?,?), ref: 00342E54
GetLastError.KERNEL32(?,?), ref: 00342E5D
FileTimeToLocalFileTime.KERNEL32(?), ref: 00342E71
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 00342E80

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Process Name: window-on-top.tmp Analysis ID: 70878

General

Root Process Name:	DOC000YUT600.exe
Process MD5:	90FC739C83CD19766ACB562C66A7D0E2
Total matches:	6
Initial Analysis Report:	Open
Initial sample Analysis ID:	70878
Initial sample SHA 256:	234942ED1DC29A6A4FBEED97E3967DF28C774B6FB6CA49CC1C51AB03EE3FADEF
Initial sample name:	crestron_usbdriver_w10_module_2.01.527.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000001.00000002.425442085.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.425433026.00400000.00000002.sdmp
Associated: 00000001.00000002.425672453.00499000.00000008.sdmp
Associated: 00000001.00000002.425680765.004A4000.00000008.sdmp
Associated: 00000001.00000002.425739783.004C3000.00000008.sdmp
Associated: 00000001.00000002.426892348.00614000.00000004.sdmp
Associated: 00000001.00000002.426904799.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000001.00000002.425442085.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.425433026.00400000.00000002.sdmp
Associated: 00000001.00000002.425672453.00499000.00000008.sdmp
Associated: 00000001.00000002.425680765.004A4000.00000008.sdmp
Associated: 00000001.00000002.425739783.004C3000.00000008.sdmp
Associated: 00000001.00000002.426892348.00614000.00000004.sdmp
Associated: 00000001.00000002.426904799.00616000.00000008.sdmp

Process Name: AnalyticsEdgeBasicInstaller.tmp Analysis ID: 66606

General

Root Process Name:	DOC000YUT600.exe
Process MD5:	832DAB307E54AA08F4B6CDD9B9720361
Total matches:	6
Initial Analysis Report:	Open
Initial sample Analysis ID:	66606
Initial sample SHA 256:	CC72C28B826CC388CDEA083AD75787249BBCAEB9F1C6C11477B8E9EAF3178878
Initial sample name:	AnalyticsEdgeBasicInstaller.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 00341BBF, Relevance: 15.1, APIs: 10, Instructions: 122 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: 205e8a568885d6c2d543e15cd56036bed714d8061a7c91d32e7eb5ea51b892db
Instruction ID: f7547db3e9c123dc0f418f6d8362cf820f88acb5594dc9f1079380e764575605
Opcode Fuzzy Hash: 4901684132C992A7E0AF278089F0BD12048BB0FB48C54CF512284749F8AB25A27CBF0D
Instruction Fuzzy Hash: f7547db3e9c123dc0f418f6d8362cf820f88acb5594dc9f1079380e764575605

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00341C46
GetFileSize.KERNEL32(?,00000000), ref: 00341C6A
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000), ref: 00341C86
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 00341CA7
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00341CD0
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00341CDA
GetStdHandle.KERNEL32(000000F5), ref: 00341CFA
GetFileType.KERNEL32 ref: 00341D11
CloseHandle.KERNEL32 ref: 00341D2C
GetLastError.KERNEL32(000000F5), ref: 00341D46

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Function 00343BE0, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167 Total matches: 412

Similarity

Total matches: 412
API ID: GetSystemDefaultLCID
String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
API String ID: 1253799171-665933166
Opcode ID: 0b2a94106f14f21246a8020f17f5793e071d15a549715edb9bd713bfd3a1d27b
Instruction ID: e581ec676e52e876d52da9d9b13036f560e888687d5d3984d165bec5bfb65baf
Opcode Fuzzy Hash: 3721B81DA69482B3C4075ADC18C07A594B59F1B139DC8C7C005BE6AAE12F56200FBF7B
Instruction Fuzzy Hash: e581ec676e52e876d52da9d9b13036f560e888687d5d3984d165bec5bfb65baf

APIs

GetSystemDefaultLCID.KERNEL32(00000000,00343E28,?,?,?,?,00000000,00000000,00000000), ref: 00343BFA

Part of subcall function 00343A28: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00343A46

Part of subcall function 00343A74: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,00343C76,00000000,00343E28,?,?,?,?,00000000), ref: 00343A87

Strings

:mm:ss, xrefs: 00343DF6
m/d/yy, xrefs: 00343CC9
mmmm d, yyyy, xrefs: 00343CEB
:mm, xrefs: 00343DDC
AMPM, xrefs: 00343DC5

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Function 00341E2A, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72 Total matches: 311window

Similarity

Total matches: 311
API ID: ExitProcessMessageBox
String ID: Error$Runtime error at 00000000
API String ID: 1741372891-2970929446
Opcode ID: 3e816442c36023f9d805a67b313c24a94589eddd51cb7c2941cce55a9939b3f4
Instruction ID: 87186ae28839d5083514ec0ff23b261232dce001b7c620935dcecaa69dc8621a
Opcode Fuzzy Hash: 68F0C0D142565741F46761105BA0293442457C263DEE4230D041D6B4DCB74F340EF3EF
Instruction Fuzzy Hash: 87186ae28839d5083514ec0ff23b261232dce001b7c620935dcecaa69dc8621a

APIs

MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00341EC5

Part of subcall function 0033F94C: RtlEnterCriticalSection.NTDLL(`0), ref: 0033F979
Part of subcall function 0033F94C: LocalFree.KERNEL32(00360F80,00000000,0033FA24), ref: 0033F98B
Part of subcall function 0033F94C: VirtualFree.KERNEL32(013E0000,00000000,00008000,00360F80,00000000,0033FA24), ref: 0033F9AA
Part of subcall function 0033F94C: LocalFree.KERNEL32(003625D0,013E0000,00000000,00008000,00360F80,00000000,0033FA24), ref: 0033F9E9
Part of subcall function 0033F94C: RtlLeaveCriticalSection.NTDLL(`0), ref: 0033FA14
Part of subcall function 0033F94C: RtlDeleteCriticalSection.NTDLL(`0), ref: 0033FA1E

ExitProcess.KERNEL32 ref: 00341F0D

Strings

Runtime error at 00000000, xrefs: 00341EBE, 00341ED1
Error, xrefs: 00341EB9

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Process Name: pdf-to-xml.tmp Analysis ID: 67877

General

Root Process Name:	DOC000YUT600.exe
Process MD5:	2C10DB017057DCE22651243244E4FEE6
Total matches:	6
Initial Analysis Report:	Open
Initial sample Analysis ID:	67877
Initial sample SHA 256:	B390886D73AA1043C90C436D8E345543BAA5D32056196E685D61DBA0B7E4DFCB
Initial sample name:	pdf-to-xml.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 00341BBF, Relevance: 15.1, APIs: 10, Instructions: 122 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: 205e8a568885d6c2d543e15cd56036bed714d8061a7c91d32e7eb5ea51b892db
Instruction ID: f7547db3e9c123dc0f418f6d8362cf820f88acb5594dc9f1079380e764575605
Opcode Fuzzy Hash: 4901684132C992A7E0AF278089F0BD12048BB0FB48C54CF512284749F8AB25A27CBF0D
Instruction Fuzzy Hash: f7547db3e9c123dc0f418f6d8362cf820f88acb5594dc9f1079380e764575605

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00341C46
GetFileSize.KERNEL32(?,00000000), ref: 00341C6A
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000), ref: 00341C86
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 00341CA7
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00341CD0
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00341CDA
GetStdHandle.KERNEL32(000000F5), ref: 00341CFA
GetFileType.KERNEL32 ref: 00341D11
CloseHandle.KERNEL32 ref: 00341D2C
GetLastError.KERNEL32(000000F5), ref: 00341D46

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Function 00343BE0, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167 Total matches: 412

Similarity

Total matches: 412
API ID: GetSystemDefaultLCID
String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
API String ID: 1253799171-665933166
Opcode ID: 0b2a94106f14f21246a8020f17f5793e071d15a549715edb9bd713bfd3a1d27b
Instruction ID: e581ec676e52e876d52da9d9b13036f560e888687d5d3984d165bec5bfb65baf
Opcode Fuzzy Hash: 3721B81DA69482B3C4075ADC18C07A594B59F1B139DC8C7C005BE6AAE12F56200FBF7B
Instruction Fuzzy Hash: e581ec676e52e876d52da9d9b13036f560e888687d5d3984d165bec5bfb65baf

APIs

GetSystemDefaultLCID.KERNEL32(00000000,00343E28,?,?,?,?,00000000,00000000,00000000), ref: 00343BFA

Part of subcall function 00343A28: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00343A46

Part of subcall function 00343A74: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,00343C76,00000000,00343E28,?,?,?,?,00000000), ref: 00343A87

Strings

:mm:ss, xrefs: 00343DF6
m/d/yy, xrefs: 00343CC9
mmmm d, yyyy, xrefs: 00343CEB
:mm, xrefs: 00343DDC
AMPM, xrefs: 00343DC5

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Function 00341E2A, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72 Total matches: 311window

Similarity

Total matches: 311
API ID: ExitProcessMessageBox
String ID: Error$Runtime error at 00000000
API String ID: 1741372891-2970929446
Opcode ID: 3e816442c36023f9d805a67b313c24a94589eddd51cb7c2941cce55a9939b3f4
Instruction ID: 87186ae28839d5083514ec0ff23b261232dce001b7c620935dcecaa69dc8621a
Opcode Fuzzy Hash: 68F0C0D142565741F46761105BA0293442457C263DEE4230D041D6B4DCB74F340EF3EF
Instruction Fuzzy Hash: 87186ae28839d5083514ec0ff23b261232dce001b7c620935dcecaa69dc8621a

APIs

MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00341EC5

Part of subcall function 0033F94C: RtlEnterCriticalSection.NTDLL(`0), ref: 0033F979
Part of subcall function 0033F94C: LocalFree.KERNEL32(00360F80,00000000,0033FA24), ref: 0033F98B
Part of subcall function 0033F94C: VirtualFree.KERNEL32(013E0000,00000000,00008000,00360F80,00000000,0033FA24), ref: 0033F9AA
Part of subcall function 0033F94C: LocalFree.KERNEL32(003625D0,013E0000,00000000,00008000,00360F80,00000000,0033FA24), ref: 0033F9E9
Part of subcall function 0033F94C: RtlLeaveCriticalSection.NTDLL(`0), ref: 0033FA14
Part of subcall function 0033F94C: RtlDeleteCriticalSection.NTDLL(`0), ref: 0033FA1E

ExitProcess.KERNEL32 ref: 00341F0D

Strings

Runtime error at 00000000, xrefs: 00341EBE, 00341ED1
Error, xrefs: 00341EB9

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Process Name: VeriCoin_1.7.1_64bit.tmp Analysis ID: 73141

General

Root Process Name:	DOC000YUT600.exe
Process MD5:	832DAB307E54AA08F4B6CDD9B9720361
Total matches:	6
Initial Analysis Report:	Open
Initial sample Analysis ID:	73141
Initial sample SHA 256:	1EFE36BA4E1A61E43657CE8407C73C9F2BBD1838B82F615E9A281D9899880276
Initial sample name:	setup_5_4_5_3.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 00341BBF, Relevance: 15.1, APIs: 10, Instructions: 122 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: 205e8a568885d6c2d543e15cd56036bed714d8061a7c91d32e7eb5ea51b892db
Instruction ID: f7547db3e9c123dc0f418f6d8362cf820f88acb5594dc9f1079380e764575605
Opcode Fuzzy Hash: 4901684132C992A7E0AF278089F0BD12048BB0FB48C54CF512284749F8AB25A27CBF0D
Instruction Fuzzy Hash: f7547db3e9c123dc0f418f6d8362cf820f88acb5594dc9f1079380e764575605

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00341C46
GetFileSize.KERNEL32(?,00000000), ref: 00341C6A
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000), ref: 00341C86
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 00341CA7
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00341CD0
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00341CDA
GetStdHandle.KERNEL32(000000F5), ref: 00341CFA
GetFileType.KERNEL32 ref: 00341D11
CloseHandle.KERNEL32 ref: 00341D2C
GetLastError.KERNEL32(000000F5), ref: 00341D46

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Function 00343BE0, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167 Total matches: 412

Similarity

Total matches: 412
API ID: GetSystemDefaultLCID
String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
API String ID: 1253799171-665933166
Opcode ID: 0b2a94106f14f21246a8020f17f5793e071d15a549715edb9bd713bfd3a1d27b
Instruction ID: e581ec676e52e876d52da9d9b13036f560e888687d5d3984d165bec5bfb65baf
Opcode Fuzzy Hash: 3721B81DA69482B3C4075ADC18C07A594B59F1B139DC8C7C005BE6AAE12F56200FBF7B
Instruction Fuzzy Hash: e581ec676e52e876d52da9d9b13036f560e888687d5d3984d165bec5bfb65baf

APIs

GetSystemDefaultLCID.KERNEL32(00000000,00343E28,?,?,?,?,00000000,00000000,00000000), ref: 00343BFA

Part of subcall function 00343A28: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00343A46

Part of subcall function 00343A74: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,00343C76,00000000,00343E28,?,?,?,?,00000000), ref: 00343A87

Strings

:mm:ss, xrefs: 00343DF6
m/d/yy, xrefs: 00343CC9
mmmm d, yyyy, xrefs: 00343CEB
:mm, xrefs: 00343DDC
AMPM, xrefs: 00343DC5

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Function 00341E2A, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72 Total matches: 311window

Similarity

Total matches: 311
API ID: ExitProcessMessageBox
String ID: Error$Runtime error at 00000000
API String ID: 1741372891-2970929446
Opcode ID: 3e816442c36023f9d805a67b313c24a94589eddd51cb7c2941cce55a9939b3f4
Instruction ID: 87186ae28839d5083514ec0ff23b261232dce001b7c620935dcecaa69dc8621a
Opcode Fuzzy Hash: 68F0C0D142565741F46761105BA0293442457C263DEE4230D041D6B4DCB74F340EF3EF
Instruction Fuzzy Hash: 87186ae28839d5083514ec0ff23b261232dce001b7c620935dcecaa69dc8621a

APIs

MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00341EC5

Part of subcall function 0033F94C: RtlEnterCriticalSection.NTDLL(`0), ref: 0033F979
Part of subcall function 0033F94C: LocalFree.KERNEL32(00360F80,00000000,0033FA24), ref: 0033F98B
Part of subcall function 0033F94C: VirtualFree.KERNEL32(013E0000,00000000,00008000,00360F80,00000000,0033FA24), ref: 0033F9AA
Part of subcall function 0033F94C: LocalFree.KERNEL32(003625D0,013E0000,00000000,00008000,00360F80,00000000,0033FA24), ref: 0033F9E9
Part of subcall function 0033F94C: RtlLeaveCriticalSection.NTDLL(`0), ref: 0033FA14
Part of subcall function 0033F94C: RtlDeleteCriticalSection.NTDLL(`0), ref: 0033FA1E

ExitProcess.KERNEL32 ref: 00341F0D

Strings

Runtime error at 00000000, xrefs: 00341EBE, 00341ED1
Error, xrefs: 00341EB9

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Process Name: sevnz.exe Analysis ID: 37961

General

Root Process Name:	DOC000YUT600.exe
Process MD5:	E8806738A575A6639E7C9AAC882374AE
Total matches:	6
Initial Analysis Report:	Open
Initial sample Analysis ID:	37961
Initial sample SHA 256:	870185E0AA9C8F21FFE5EA148332E3590A7F197B9CA86093F8211EC6F323AEB7
Initial sample name:	image2017-11-22-8137083.vbs

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000001.00000002.425442085.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.425433026.00400000.00000002.sdmp
Associated: 00000001.00000002.425672453.00499000.00000008.sdmp
Associated: 00000001.00000002.425680765.004A4000.00000008.sdmp
Associated: 00000001.00000002.425739783.004C3000.00000008.sdmp
Associated: 00000001.00000002.426892348.00614000.00000004.sdmp
Associated: 00000001.00000002.426904799.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000001.00000002.425442085.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.425433026.00400000.00000002.sdmp
Associated: 00000001.00000002.425672453.00499000.00000008.sdmp
Associated: 00000001.00000002.425680765.004A4000.00000008.sdmp
Associated: 00000001.00000002.425739783.004C3000.00000008.sdmp
Associated: 00000001.00000002.426892348.00614000.00000004.sdmp
Associated: 00000001.00000002.426904799.00616000.00000008.sdmp

Function 00342E44, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: 8291d8e60a726b0418ab79f9eef81b9bb57ffefecf15ded0f1122eb310303240
Instruction ID: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a
Opcode Fuzzy Hash: 1FD0124745344A0389ED0D9C40D3D85129245AECB2ABC2F0149BF7F6D709219557FECC
Instruction Fuzzy Hash: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a

APIs

FindNextFileA.KERNEL32(?,?), ref: 00342E54
GetLastError.KERNEL32(?,?), ref: 00342E5D
FileTimeToLocalFileTime.KERNEL32(?), ref: 00342E71
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 00342E80

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Process Name: drivermax_9_14_cnet.tmp Analysis ID: 29247

General

Root Process Name:	DOC000YUT600.exe
Process MD5:	AB126F7F9FF2E7902FF2BBDC1A6D3158
Total matches:	6
Initial Analysis Report:	Open
Initial sample Analysis ID:	29247
Initial sample SHA 256:	4621B64A0948B5E2B76191627C24218D311ABA0B5E8878C31727E99C40337E66
Initial sample name:	drivermax_9_14_cnet.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 00341BBF, Relevance: 15.1, APIs: 10, Instructions: 122 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: 205e8a568885d6c2d543e15cd56036bed714d8061a7c91d32e7eb5ea51b892db
Instruction ID: f7547db3e9c123dc0f418f6d8362cf820f88acb5594dc9f1079380e764575605
Opcode Fuzzy Hash: 4901684132C992A7E0AF278089F0BD12048BB0FB48C54CF512284749F8AB25A27CBF0D
Instruction Fuzzy Hash: f7547db3e9c123dc0f418f6d8362cf820f88acb5594dc9f1079380e764575605

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00341C46
GetFileSize.KERNEL32(?,00000000), ref: 00341C6A
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000), ref: 00341C86
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 00341CA7
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00341CD0
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00341CDA
GetStdHandle.KERNEL32(000000F5), ref: 00341CFA
GetFileType.KERNEL32 ref: 00341D11
CloseHandle.KERNEL32 ref: 00341D2C
GetLastError.KERNEL32(000000F5), ref: 00341D46

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000001.00000002.425442085.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.425433026.00400000.00000002.sdmp
Associated: 00000001.00000002.425672453.00499000.00000008.sdmp
Associated: 00000001.00000002.425680765.004A4000.00000008.sdmp
Associated: 00000001.00000002.425739783.004C3000.00000008.sdmp
Associated: 00000001.00000002.426892348.00614000.00000004.sdmp
Associated: 00000001.00000002.426904799.00616000.00000008.sdmp

Function 00343BE0, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167 Total matches: 412

Similarity

Total matches: 412
API ID: GetSystemDefaultLCID
String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
API String ID: 1253799171-665933166
Opcode ID: 0b2a94106f14f21246a8020f17f5793e071d15a549715edb9bd713bfd3a1d27b
Instruction ID: e581ec676e52e876d52da9d9b13036f560e888687d5d3984d165bec5bfb65baf
Opcode Fuzzy Hash: 3721B81DA69482B3C4075ADC18C07A594B59F1B139DC8C7C005BE6AAE12F56200FBF7B
Instruction Fuzzy Hash: e581ec676e52e876d52da9d9b13036f560e888687d5d3984d165bec5bfb65baf

APIs

GetSystemDefaultLCID.KERNEL32(00000000,00343E28,?,?,?,?,00000000,00000000,00000000), ref: 00343BFA

Part of subcall function 00343A28: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00343A46

Part of subcall function 00343A74: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,00343C76,00000000,00343E28,?,?,?,?,00000000), ref: 00343A87

Strings

:mm:ss, xrefs: 00343DF6
m/d/yy, xrefs: 00343CC9
mmmm d, yyyy, xrefs: 00343CEB
:mm, xrefs: 00343DDC
AMPM, xrefs: 00343DC5

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Function 00341E2A, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72 Total matches: 311window

Similarity

Total matches: 311
API ID: ExitProcessMessageBox
String ID: Error$Runtime error at 00000000
API String ID: 1741372891-2970929446
Opcode ID: 3e816442c36023f9d805a67b313c24a94589eddd51cb7c2941cce55a9939b3f4
Instruction ID: 87186ae28839d5083514ec0ff23b261232dce001b7c620935dcecaa69dc8621a
Opcode Fuzzy Hash: 68F0C0D142565741F46761105BA0293442457C263DEE4230D041D6B4DCB74F340EF3EF
Instruction Fuzzy Hash: 87186ae28839d5083514ec0ff23b261232dce001b7c620935dcecaa69dc8621a

APIs

MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00341EC5

Part of subcall function 0033F94C: RtlEnterCriticalSection.NTDLL(`0), ref: 0033F979
Part of subcall function 0033F94C: LocalFree.KERNEL32(00360F80,00000000,0033FA24), ref: 0033F98B
Part of subcall function 0033F94C: VirtualFree.KERNEL32(013E0000,00000000,00008000,00360F80,00000000,0033FA24), ref: 0033F9AA
Part of subcall function 0033F94C: LocalFree.KERNEL32(003625D0,013E0000,00000000,00008000,00360F80,00000000,0033FA24), ref: 0033F9E9
Part of subcall function 0033F94C: RtlLeaveCriticalSection.NTDLL(`0), ref: 0033FA14
Part of subcall function 0033F94C: RtlDeleteCriticalSection.NTDLL(`0), ref: 0033FA1E

ExitProcess.KERNEL32 ref: 00341F0D

Strings

Runtime error at 00000000, xrefs: 00341EBE, 00341ED1
Error, xrefs: 00341EB9

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000001.00000002.425442085.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.425433026.00400000.00000002.sdmp
Associated: 00000001.00000002.425672453.00499000.00000008.sdmp
Associated: 00000001.00000002.425680765.004A4000.00000008.sdmp
Associated: 00000001.00000002.425739783.004C3000.00000008.sdmp
Associated: 00000001.00000002.426892348.00614000.00000004.sdmp
Associated: 00000001.00000002.426904799.00616000.00000008.sdmp

Process Name: hbBX0y0z51.tmp Analysis ID: 59014

General

Root Process Name:	DOC000YUT600.exe
Process MD5:	1305181DE520F125AEABF85DC24A89D6
Total matches:	6
Initial Analysis Report:	Open
Initial sample Analysis ID:	59014
Initial sample SHA 256:	60503ED957F12E6D2588C59647BBC25883ED75C008BC5201557FA21EDAE67956
Initial sample name:	hbBX0y0z51.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 00341BBF, Relevance: 15.1, APIs: 10, Instructions: 122 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: 205e8a568885d6c2d543e15cd56036bed714d8061a7c91d32e7eb5ea51b892db
Instruction ID: f7547db3e9c123dc0f418f6d8362cf820f88acb5594dc9f1079380e764575605
Opcode Fuzzy Hash: 4901684132C992A7E0AF278089F0BD12048BB0FB48C54CF512284749F8AB25A27CBF0D
Instruction Fuzzy Hash: f7547db3e9c123dc0f418f6d8362cf820f88acb5594dc9f1079380e764575605

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00341C46
GetFileSize.KERNEL32(?,00000000), ref: 00341C6A
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000), ref: 00341C86
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 00341CA7
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00341CD0
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00341CDA
GetStdHandle.KERNEL32(000000F5), ref: 00341CFA
GetFileType.KERNEL32 ref: 00341D11
CloseHandle.KERNEL32 ref: 00341D2C
GetLastError.KERNEL32(000000F5), ref: 00341D46

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Function 00343BE0, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167 Total matches: 412

Similarity

Total matches: 412
API ID: GetSystemDefaultLCID
String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
API String ID: 1253799171-665933166
Opcode ID: 0b2a94106f14f21246a8020f17f5793e071d15a549715edb9bd713bfd3a1d27b
Instruction ID: e581ec676e52e876d52da9d9b13036f560e888687d5d3984d165bec5bfb65baf
Opcode Fuzzy Hash: 3721B81DA69482B3C4075ADC18C07A594B59F1B139DC8C7C005BE6AAE12F56200FBF7B
Instruction Fuzzy Hash: e581ec676e52e876d52da9d9b13036f560e888687d5d3984d165bec5bfb65baf

APIs

GetSystemDefaultLCID.KERNEL32(00000000,00343E28,?,?,?,?,00000000,00000000,00000000), ref: 00343BFA

Part of subcall function 00343A28: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00343A46

Part of subcall function 00343A74: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,00343C76,00000000,00343E28,?,?,?,?,00000000), ref: 00343A87

Strings

:mm:ss, xrefs: 00343DF6
m/d/yy, xrefs: 00343CC9
mmmm d, yyyy, xrefs: 00343CEB
:mm, xrefs: 00343DDC
AMPM, xrefs: 00343DC5

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Function 00341E2A, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72 Total matches: 311window

Similarity

Total matches: 311
API ID: ExitProcessMessageBox
String ID: Error$Runtime error at 00000000
API String ID: 1741372891-2970929446
Opcode ID: 3e816442c36023f9d805a67b313c24a94589eddd51cb7c2941cce55a9939b3f4
Instruction ID: 87186ae28839d5083514ec0ff23b261232dce001b7c620935dcecaa69dc8621a
Opcode Fuzzy Hash: 68F0C0D142565741F46761105BA0293442457C263DEE4230D041D6B4DCB74F340EF3EF
Instruction Fuzzy Hash: 87186ae28839d5083514ec0ff23b261232dce001b7c620935dcecaa69dc8621a

APIs

MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00341EC5

Part of subcall function 0033F94C: RtlEnterCriticalSection.NTDLL(`0), ref: 0033F979
Part of subcall function 0033F94C: LocalFree.KERNEL32(00360F80,00000000,0033FA24), ref: 0033F98B
Part of subcall function 0033F94C: VirtualFree.KERNEL32(013E0000,00000000,00008000,00360F80,00000000,0033FA24), ref: 0033F9AA
Part of subcall function 0033F94C: LocalFree.KERNEL32(003625D0,013E0000,00000000,00008000,00360F80,00000000,0033FA24), ref: 0033F9E9
Part of subcall function 0033F94C: RtlLeaveCriticalSection.NTDLL(`0), ref: 0033FA14
Part of subcall function 0033F94C: RtlDeleteCriticalSection.NTDLL(`0), ref: 0033FA1E

ExitProcess.KERNEL32 ref: 00341F0D

Strings

Runtime error at 00000000, xrefs: 00341EBE, 00341ED1
Error, xrefs: 00341EB9

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Process Name: Processo_MPF_0008837353_2014_9_07_90182798772.exe Analysis ID: 31598

General

Root Process Name:	DOC000YUT600.exe
Process MD5:	E1C1EA4A105FBE869EC64AA457C252EB
Total matches:	5
Initial Analysis Report:	Open
Initial sample Analysis ID:	31598
Initial sample SHA 256:	4B056610FE5BAD681089B105CD42BD618470877DCB46E70C2754461612A6DB5C
Initial sample name:	Processo_MPF_0008837353_2014_9_07_90182798772.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 00341BBF, Relevance: 15.1, APIs: 10, Instructions: 122 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: 205e8a568885d6c2d543e15cd56036bed714d8061a7c91d32e7eb5ea51b892db
Instruction ID: f7547db3e9c123dc0f418f6d8362cf820f88acb5594dc9f1079380e764575605
Opcode Fuzzy Hash: 4901684132C992A7E0AF278089F0BD12048BB0FB48C54CF512284749F8AB25A27CBF0D
Instruction Fuzzy Hash: f7547db3e9c123dc0f418f6d8362cf820f88acb5594dc9f1079380e764575605

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00341C46
GetFileSize.KERNEL32(?,00000000), ref: 00341C6A
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000), ref: 00341C86
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 00341CA7
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00341CD0
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00341CDA
GetStdHandle.KERNEL32(000000F5), ref: 00341CFA
GetFileType.KERNEL32 ref: 00341D11
CloseHandle.KERNEL32 ref: 00341D2C
GetLastError.KERNEL32(000000F5), ref: 00341D46

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000001.00000002.425442085.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.425433026.00400000.00000002.sdmp
Associated: 00000001.00000002.425672453.00499000.00000008.sdmp
Associated: 00000001.00000002.425680765.004A4000.00000008.sdmp
Associated: 00000001.00000002.425739783.004C3000.00000008.sdmp
Associated: 00000001.00000002.426892348.00614000.00000004.sdmp
Associated: 00000001.00000002.426904799.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000001.00000002.425442085.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.425433026.00400000.00000002.sdmp
Associated: 00000001.00000002.425672453.00499000.00000008.sdmp
Associated: 00000001.00000002.425680765.004A4000.00000008.sdmp
Associated: 00000001.00000002.425739783.004C3000.00000008.sdmp
Associated: 00000001.00000002.426892348.00614000.00000004.sdmp
Associated: 00000001.00000002.426904799.00616000.00000008.sdmp

Function 00342E44, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: 8291d8e60a726b0418ab79f9eef81b9bb57ffefecf15ded0f1122eb310303240
Instruction ID: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a
Opcode Fuzzy Hash: 1FD0124745344A0389ED0D9C40D3D85129245AECB2ABC2F0149BF7F6D709219557FECC
Instruction Fuzzy Hash: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a

APIs

FindNextFileA.KERNEL32(?,?), ref: 00342E54
GetLastError.KERNEL32(?,?), ref: 00342E5D
FileTimeToLocalFileTime.KERNEL32(?), ref: 00342E71
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 00342E80

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Process Name: GoogleChromeSetup.MAL.exe Analysis ID: 60523

General

Root Process Name:	DOC000YUT600.exe
Process MD5:	863253EC95D89B918DAAF1FBE154F173
Total matches:	5
Initial Analysis Report:	Open
Initial sample Analysis ID:	60523
Initial sample SHA 256:	4C10BF1FEDE400732E0EC4E9A02FE26EAE624CF9B2758659F9E37437BB7CE998
Initial sample name:	GoogleChromeSetup.MAL.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 00341BBF, Relevance: 15.1, APIs: 10, Instructions: 122 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: 205e8a568885d6c2d543e15cd56036bed714d8061a7c91d32e7eb5ea51b892db
Instruction ID: f7547db3e9c123dc0f418f6d8362cf820f88acb5594dc9f1079380e764575605
Opcode Fuzzy Hash: 4901684132C992A7E0AF278089F0BD12048BB0FB48C54CF512284749F8AB25A27CBF0D
Instruction Fuzzy Hash: f7547db3e9c123dc0f418f6d8362cf820f88acb5594dc9f1079380e764575605

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00341C46
GetFileSize.KERNEL32(?,00000000), ref: 00341C6A
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000), ref: 00341C86
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 00341CA7
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00341CD0
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00341CDA
GetStdHandle.KERNEL32(000000F5), ref: 00341CFA
GetFileType.KERNEL32 ref: 00341D11
CloseHandle.KERNEL32 ref: 00341D2C
GetLastError.KERNEL32(000000F5), ref: 00341D46

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Function 00343BE0, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167 Total matches: 412

Similarity

Total matches: 412
API ID: GetSystemDefaultLCID
String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
API String ID: 1253799171-665933166
Opcode ID: 0b2a94106f14f21246a8020f17f5793e071d15a549715edb9bd713bfd3a1d27b
Instruction ID: e581ec676e52e876d52da9d9b13036f560e888687d5d3984d165bec5bfb65baf
Opcode Fuzzy Hash: 3721B81DA69482B3C4075ADC18C07A594B59F1B139DC8C7C005BE6AAE12F56200FBF7B
Instruction Fuzzy Hash: e581ec676e52e876d52da9d9b13036f560e888687d5d3984d165bec5bfb65baf

APIs

GetSystemDefaultLCID.KERNEL32(00000000,00343E28,?,?,?,?,00000000,00000000,00000000), ref: 00343BFA

Part of subcall function 00343A28: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00343A46

Part of subcall function 00343A74: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,00343C76,00000000,00343E28,?,?,?,?,00000000), ref: 00343A87

Strings

:mm:ss, xrefs: 00343DF6
m/d/yy, xrefs: 00343CC9
mmmm d, yyyy, xrefs: 00343CEB
:mm, xrefs: 00343DDC
AMPM, xrefs: 00343DC5

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Function 00341E2A, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72 Total matches: 311window

Similarity

Total matches: 311
API ID: ExitProcessMessageBox
String ID: Error$Runtime error at 00000000
API String ID: 1741372891-2970929446
Opcode ID: 3e816442c36023f9d805a67b313c24a94589eddd51cb7c2941cce55a9939b3f4
Instruction ID: 87186ae28839d5083514ec0ff23b261232dce001b7c620935dcecaa69dc8621a
Opcode Fuzzy Hash: 68F0C0D142565741F46761105BA0293442457C263DEE4230D041D6B4DCB74F340EF3EF
Instruction Fuzzy Hash: 87186ae28839d5083514ec0ff23b261232dce001b7c620935dcecaa69dc8621a

APIs

MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00341EC5

Part of subcall function 0033F94C: RtlEnterCriticalSection.NTDLL(`0), ref: 0033F979
Part of subcall function 0033F94C: LocalFree.KERNEL32(00360F80,00000000,0033FA24), ref: 0033F98B
Part of subcall function 0033F94C: VirtualFree.KERNEL32(013E0000,00000000,00008000,00360F80,00000000,0033FA24), ref: 0033F9AA
Part of subcall function 0033F94C: LocalFree.KERNEL32(003625D0,013E0000,00000000,00008000,00360F80,00000000,0033FA24), ref: 0033F9E9
Part of subcall function 0033F94C: RtlLeaveCriticalSection.NTDLL(`0), ref: 0033FA14
Part of subcall function 0033F94C: RtlDeleteCriticalSection.NTDLL(`0), ref: 0033FA1E

ExitProcess.KERNEL32 ref: 00341F0D

Strings

Runtime error at 00000000, xrefs: 00341EBE, 00341ED1
Error, xrefs: 00341EB9

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Process Name: GoogleChromeSetup.MAL.exe Analysis ID: 60523

General

Root Process Name:	DOC000YUT600.exe
Process MD5:	863253EC95D89B918DAAF1FBE154F173
Total matches:	5
Initial Analysis Report:	Open
Initial sample Analysis ID:	60523
Initial sample SHA 256:	4C10BF1FEDE400732E0EC4E9A02FE26EAE624CF9B2758659F9E37437BB7CE998
Initial sample name:	GoogleChromeSetup.MAL.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 00341BBF, Relevance: 15.1, APIs: 10, Instructions: 122 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: 205e8a568885d6c2d543e15cd56036bed714d8061a7c91d32e7eb5ea51b892db
Instruction ID: f7547db3e9c123dc0f418f6d8362cf820f88acb5594dc9f1079380e764575605
Opcode Fuzzy Hash: 4901684132C992A7E0AF278089F0BD12048BB0FB48C54CF512284749F8AB25A27CBF0D
Instruction Fuzzy Hash: f7547db3e9c123dc0f418f6d8362cf820f88acb5594dc9f1079380e764575605

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00341C46
GetFileSize.KERNEL32(?,00000000), ref: 00341C6A
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000), ref: 00341C86
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 00341CA7
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00341CD0
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00341CDA
GetStdHandle.KERNEL32(000000F5), ref: 00341CFA
GetFileType.KERNEL32 ref: 00341D11
CloseHandle.KERNEL32 ref: 00341D2C
GetLastError.KERNEL32(000000F5), ref: 00341D46

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Function 00343BE0, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167 Total matches: 412

Similarity

Total matches: 412
API ID: GetSystemDefaultLCID
String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
API String ID: 1253799171-665933166
Opcode ID: 0b2a94106f14f21246a8020f17f5793e071d15a549715edb9bd713bfd3a1d27b
Instruction ID: e581ec676e52e876d52da9d9b13036f560e888687d5d3984d165bec5bfb65baf
Opcode Fuzzy Hash: 3721B81DA69482B3C4075ADC18C07A594B59F1B139DC8C7C005BE6AAE12F56200FBF7B
Instruction Fuzzy Hash: e581ec676e52e876d52da9d9b13036f560e888687d5d3984d165bec5bfb65baf

APIs

GetSystemDefaultLCID.KERNEL32(00000000,00343E28,?,?,?,?,00000000,00000000,00000000), ref: 00343BFA

Part of subcall function 00343A28: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00343A46

Part of subcall function 00343A74: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,00343C76,00000000,00343E28,?,?,?,?,00000000), ref: 00343A87

Strings

:mm:ss, xrefs: 00343DF6
m/d/yy, xrefs: 00343CC9
mmmm d, yyyy, xrefs: 00343CEB
:mm, xrefs: 00343DDC
AMPM, xrefs: 00343DC5

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Function 00341E2A, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72 Total matches: 311window

Similarity

Total matches: 311
API ID: ExitProcessMessageBox
String ID: Error$Runtime error at 00000000
API String ID: 1741372891-2970929446
Opcode ID: 3e816442c36023f9d805a67b313c24a94589eddd51cb7c2941cce55a9939b3f4
Instruction ID: 87186ae28839d5083514ec0ff23b261232dce001b7c620935dcecaa69dc8621a
Opcode Fuzzy Hash: 68F0C0D142565741F46761105BA0293442457C263DEE4230D041D6B4DCB74F340EF3EF
Instruction Fuzzy Hash: 87186ae28839d5083514ec0ff23b261232dce001b7c620935dcecaa69dc8621a

APIs

MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00341EC5

Part of subcall function 0033F94C: RtlEnterCriticalSection.NTDLL(`0), ref: 0033F979
Part of subcall function 0033F94C: LocalFree.KERNEL32(00360F80,00000000,0033FA24), ref: 0033F98B
Part of subcall function 0033F94C: VirtualFree.KERNEL32(013E0000,00000000,00008000,00360F80,00000000,0033FA24), ref: 0033F9AA
Part of subcall function 0033F94C: LocalFree.KERNEL32(003625D0,013E0000,00000000,00008000,00360F80,00000000,0033FA24), ref: 0033F9E9
Part of subcall function 0033F94C: RtlLeaveCriticalSection.NTDLL(`0), ref: 0033FA14
Part of subcall function 0033F94C: RtlDeleteCriticalSection.NTDLL(`0), ref: 0033FA1E

ExitProcess.KERNEL32 ref: 00341F0D

Strings

Runtime error at 00000000, xrefs: 00341EBE, 00341ED1
Error, xrefs: 00341EB9

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Process Name: pQwinup.exe Analysis ID: 32007

General

Root Process Name:	DOC000YUT600.exe
Process MD5:	B56AA07E5FE953431CA8DE5326D6953D
Total matches:	5
Initial Analysis Report:	Open
Initial sample Analysis ID:	32007
Initial sample SHA 256:	199A33F16BCC4DD012A3A4738CE5A2B21647150D09C84A1CC8C05338DB03E90E
Initial sample name:	Charter Embarkation & Destination Details.vbs

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000001.00000002.425442085.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.425433026.00400000.00000002.sdmp
Associated: 00000001.00000002.425672453.00499000.00000008.sdmp
Associated: 00000001.00000002.425680765.004A4000.00000008.sdmp
Associated: 00000001.00000002.425739783.004C3000.00000008.sdmp
Associated: 00000001.00000002.426892348.00614000.00000004.sdmp
Associated: 00000001.00000002.426904799.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000001.00000002.425442085.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.425433026.00400000.00000002.sdmp
Associated: 00000001.00000002.425672453.00499000.00000008.sdmp
Associated: 00000001.00000002.425680765.004A4000.00000008.sdmp
Associated: 00000001.00000002.425739783.004C3000.00000008.sdmp
Associated: 00000001.00000002.426892348.00614000.00000004.sdmp
Associated: 00000001.00000002.426904799.00616000.00000008.sdmp

Function 00342E44, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: 8291d8e60a726b0418ab79f9eef81b9bb57ffefecf15ded0f1122eb310303240
Instruction ID: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a
Opcode Fuzzy Hash: 1FD0124745344A0389ED0D9C40D3D85129245AECB2ABC2F0149BF7F6D709219557FECC
Instruction Fuzzy Hash: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a

APIs

FindNextFileA.KERNEL32(?,?), ref: 00342E54
GetLastError.KERNEL32(?,?), ref: 00342E5D
FileTimeToLocalFileTime.KERNEL32(?), ref: 00342E71
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 00342E80

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Process Name: data.exe Analysis ID: 32007

General

Root Process Name:	DOC000YUT600.exe
Process MD5:	B56AA07E5FE953431CA8DE5326D6953D
Total matches:	5
Initial Analysis Report:	Open
Initial sample Analysis ID:	32007
Initial sample SHA 256:	199A33F16BCC4DD012A3A4738CE5A2B21647150D09C84A1CC8C05338DB03E90E
Initial sample name:	Charter Embarkation & Destination Details.vbs

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000001.00000002.425442085.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.425433026.00400000.00000002.sdmp
Associated: 00000001.00000002.425672453.00499000.00000008.sdmp
Associated: 00000001.00000002.425680765.004A4000.00000008.sdmp
Associated: 00000001.00000002.425739783.004C3000.00000008.sdmp
Associated: 00000001.00000002.426892348.00614000.00000004.sdmp
Associated: 00000001.00000002.426904799.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000001.00000002.425442085.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.425433026.00400000.00000002.sdmp
Associated: 00000001.00000002.425672453.00499000.00000008.sdmp
Associated: 00000001.00000002.425680765.004A4000.00000008.sdmp
Associated: 00000001.00000002.425739783.004C3000.00000008.sdmp
Associated: 00000001.00000002.426892348.00614000.00000004.sdmp
Associated: 00000001.00000002.426904799.00616000.00000008.sdmp

Function 00342E44, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: 8291d8e60a726b0418ab79f9eef81b9bb57ffefecf15ded0f1122eb310303240
Instruction ID: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a
Opcode Fuzzy Hash: 1FD0124745344A0389ED0D9C40D3D85129245AECB2ABC2F0149BF7F6D709219557FECC
Instruction Fuzzy Hash: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a

APIs

FindNextFileA.KERNEL32(?,?), ref: 00342E54
GetLastError.KERNEL32(?,?), ref: 00342E5D
FileTimeToLocalFileTime.KERNEL32(?), ref: 00342E71
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 00342E80

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Process Name: maildetective2.tmp Analysis ID: 43154

General

Root Process Name:	DOC000YUT600.exe
Process MD5:	E9F663D8D3671AE8761945502120E385
Total matches:	5
Initial Analysis Report:	Open
Initial sample Analysis ID:	43154
Initial sample SHA 256:	61D49A0F4F9813FB46FE413A2D34337860B72C2DFECE5CB6D860E91B1ED93598
Initial sample name:	maildetective2.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 00341BBF, Relevance: 15.1, APIs: 10, Instructions: 122 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: 205e8a568885d6c2d543e15cd56036bed714d8061a7c91d32e7eb5ea51b892db
Instruction ID: f7547db3e9c123dc0f418f6d8362cf820f88acb5594dc9f1079380e764575605
Opcode Fuzzy Hash: 4901684132C992A7E0AF278089F0BD12048BB0FB48C54CF512284749F8AB25A27CBF0D
Instruction Fuzzy Hash: f7547db3e9c123dc0f418f6d8362cf820f88acb5594dc9f1079380e764575605

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00341C46
GetFileSize.KERNEL32(?,00000000), ref: 00341C6A
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000), ref: 00341C86
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 00341CA7
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00341CD0
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00341CDA
GetStdHandle.KERNEL32(000000F5), ref: 00341CFA
GetFileType.KERNEL32 ref: 00341D11
CloseHandle.KERNEL32 ref: 00341D2C
GetLastError.KERNEL32(000000F5), ref: 00341D46

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Function 00343BE0, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167 Total matches: 412

Similarity

Total matches: 412
API ID: GetSystemDefaultLCID
String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
API String ID: 1253799171-665933166
Opcode ID: 0b2a94106f14f21246a8020f17f5793e071d15a549715edb9bd713bfd3a1d27b
Instruction ID: e581ec676e52e876d52da9d9b13036f560e888687d5d3984d165bec5bfb65baf
Opcode Fuzzy Hash: 3721B81DA69482B3C4075ADC18C07A594B59F1B139DC8C7C005BE6AAE12F56200FBF7B
Instruction Fuzzy Hash: e581ec676e52e876d52da9d9b13036f560e888687d5d3984d165bec5bfb65baf

APIs

GetSystemDefaultLCID.KERNEL32(00000000,00343E28,?,?,?,?,00000000,00000000,00000000), ref: 00343BFA

Part of subcall function 00343A28: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00343A46

Part of subcall function 00343A74: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,00343C76,00000000,00343E28,?,?,?,?,00000000), ref: 00343A87

Strings

:mm:ss, xrefs: 00343DF6
m/d/yy, xrefs: 00343CC9
mmmm d, yyyy, xrefs: 00343CEB
:mm, xrefs: 00343DDC
AMPM, xrefs: 00343DC5

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Function 00341E2A, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72 Total matches: 311window

Similarity

Total matches: 311
API ID: ExitProcessMessageBox
String ID: Error$Runtime error at 00000000
API String ID: 1741372891-2970929446
Opcode ID: 3e816442c36023f9d805a67b313c24a94589eddd51cb7c2941cce55a9939b3f4
Instruction ID: 87186ae28839d5083514ec0ff23b261232dce001b7c620935dcecaa69dc8621a
Opcode Fuzzy Hash: 68F0C0D142565741F46761105BA0293442457C263DEE4230D041D6B4DCB74F340EF3EF
Instruction Fuzzy Hash: 87186ae28839d5083514ec0ff23b261232dce001b7c620935dcecaa69dc8621a

APIs

MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00341EC5

Part of subcall function 0033F94C: RtlEnterCriticalSection.NTDLL(`0), ref: 0033F979
Part of subcall function 0033F94C: LocalFree.KERNEL32(00360F80,00000000,0033FA24), ref: 0033F98B
Part of subcall function 0033F94C: VirtualFree.KERNEL32(013E0000,00000000,00008000,00360F80,00000000,0033FA24), ref: 0033F9AA
Part of subcall function 0033F94C: LocalFree.KERNEL32(003625D0,013E0000,00000000,00008000,00360F80,00000000,0033FA24), ref: 0033F9E9
Part of subcall function 0033F94C: RtlLeaveCriticalSection.NTDLL(`0), ref: 0033FA14
Part of subcall function 0033F94C: RtlDeleteCriticalSection.NTDLL(`0), ref: 0033FA1E

ExitProcess.KERNEL32 ref: 00341F0D

Strings

Runtime error at 00000000, xrefs: 00341EBE, 00341ED1
Error, xrefs: 00341EB9

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Function 00342E44, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: 8291d8e60a726b0418ab79f9eef81b9bb57ffefecf15ded0f1122eb310303240
Instruction ID: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a
Opcode Fuzzy Hash: 1FD0124745344A0389ED0D9C40D3D85129245AECB2ABC2F0149BF7F6D709219557FECC
Instruction Fuzzy Hash: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a

APIs

FindNextFileA.KERNEL32(?,?), ref: 00342E54
GetLastError.KERNEL32(?,?), ref: 00342E5D
FileTimeToLocalFileTime.KERNEL32(?), ref: 00342E71
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 00342E80

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Process Name: New Purchase Order No.0567.exe Analysis ID: 64048

General

Root Process Name:	DOC000YUT600.exe
Process MD5:	76E104EBA0BB25DA3B345C6F351BAF42
Total matches:	5
Initial Analysis Report:	Open
Initial sample Analysis ID:	64048
Initial sample SHA 256:	8D88DAFBDE4072958A6B433F70F0131D88D8579B0A43EEADCB50B8E006ED8116
Initial sample name:	New Purchase Order No.056.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 00341BBF, Relevance: 15.1, APIs: 10, Instructions: 122 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: 205e8a568885d6c2d543e15cd56036bed714d8061a7c91d32e7eb5ea51b892db
Instruction ID: f7547db3e9c123dc0f418f6d8362cf820f88acb5594dc9f1079380e764575605
Opcode Fuzzy Hash: 4901684132C992A7E0AF278089F0BD12048BB0FB48C54CF512284749F8AB25A27CBF0D
Instruction Fuzzy Hash: f7547db3e9c123dc0f418f6d8362cf820f88acb5594dc9f1079380e764575605

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00341C46
GetFileSize.KERNEL32(?,00000000), ref: 00341C6A
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000), ref: 00341C86
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 00341CA7
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00341CD0
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00341CDA
GetStdHandle.KERNEL32(000000F5), ref: 00341CFA
GetFileType.KERNEL32 ref: 00341D11
CloseHandle.KERNEL32 ref: 00341D2C
GetLastError.KERNEL32(000000F5), ref: 00341D46

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000001.00000002.425442085.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.425433026.00400000.00000002.sdmp
Associated: 00000001.00000002.425672453.00499000.00000008.sdmp
Associated: 00000001.00000002.425680765.004A4000.00000008.sdmp
Associated: 00000001.00000002.425739783.004C3000.00000008.sdmp
Associated: 00000001.00000002.426892348.00614000.00000004.sdmp
Associated: 00000001.00000002.426904799.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000001.00000002.425442085.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.425433026.00400000.00000002.sdmp
Associated: 00000001.00000002.425672453.00499000.00000008.sdmp
Associated: 00000001.00000002.425680765.004A4000.00000008.sdmp
Associated: 00000001.00000002.425739783.004C3000.00000008.sdmp
Associated: 00000001.00000002.426892348.00614000.00000004.sdmp
Associated: 00000001.00000002.426904799.00616000.00000008.sdmp

Function 00342E44, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: 8291d8e60a726b0418ab79f9eef81b9bb57ffefecf15ded0f1122eb310303240
Instruction ID: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a
Opcode Fuzzy Hash: 1FD0124745344A0389ED0D9C40D3D85129245AECB2ABC2F0149BF7F6D709219557FECC
Instruction Fuzzy Hash: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a

APIs

FindNextFileA.KERNEL32(?,?), ref: 00342E54
GetLastError.KERNEL32(?,?), ref: 00342E5D
FileTimeToLocalFileTime.KERNEL32(?), ref: 00342E71
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 00342E80

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Process Name: PDFCreator-1_7_0_setup.tmp Analysis ID: 46275

General

Root Process Name:	DOC000YUT600.exe
Process MD5:	A2C4D52C66B4B399FACADB8CC8386745
Total matches:	5
Initial Analysis Report:	Open
Initial sample Analysis ID:	46275
Initial sample SHA 256:	4F4ED42E40856D8E347C97B68747BD6E89932DE752B25C6A903BB3467B535881
Initial sample name:	PDFCreator-1_7_0_setup.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 00341BBF, Relevance: 15.1, APIs: 10, Instructions: 122 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: 205e8a568885d6c2d543e15cd56036bed714d8061a7c91d32e7eb5ea51b892db
Instruction ID: f7547db3e9c123dc0f418f6d8362cf820f88acb5594dc9f1079380e764575605
Opcode Fuzzy Hash: 4901684132C992A7E0AF278089F0BD12048BB0FB48C54CF512284749F8AB25A27CBF0D
Instruction Fuzzy Hash: f7547db3e9c123dc0f418f6d8362cf820f88acb5594dc9f1079380e764575605

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00341C46
GetFileSize.KERNEL32(?,00000000), ref: 00341C6A
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000), ref: 00341C86
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 00341CA7
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00341CD0
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00341CDA
GetStdHandle.KERNEL32(000000F5), ref: 00341CFA
GetFileType.KERNEL32 ref: 00341D11
CloseHandle.KERNEL32 ref: 00341D2C
GetLastError.KERNEL32(000000F5), ref: 00341D46

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000001.00000002.425442085.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.425433026.00400000.00000002.sdmp
Associated: 00000001.00000002.425672453.00499000.00000008.sdmp
Associated: 00000001.00000002.425680765.004A4000.00000008.sdmp
Associated: 00000001.00000002.425739783.004C3000.00000008.sdmp
Associated: 00000001.00000002.426892348.00614000.00000004.sdmp
Associated: 00000001.00000002.426904799.00616000.00000008.sdmp

Function 00343BE0, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167 Total matches: 412

Similarity

Total matches: 412
API ID: GetSystemDefaultLCID
String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
API String ID: 1253799171-665933166
Opcode ID: 0b2a94106f14f21246a8020f17f5793e071d15a549715edb9bd713bfd3a1d27b
Instruction ID: e581ec676e52e876d52da9d9b13036f560e888687d5d3984d165bec5bfb65baf
Opcode Fuzzy Hash: 3721B81DA69482B3C4075ADC18C07A594B59F1B139DC8C7C005BE6AAE12F56200FBF7B
Instruction Fuzzy Hash: e581ec676e52e876d52da9d9b13036f560e888687d5d3984d165bec5bfb65baf

APIs

GetSystemDefaultLCID.KERNEL32(00000000,00343E28,?,?,?,?,00000000,00000000,00000000), ref: 00343BFA

Part of subcall function 00343A28: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00343A46

Part of subcall function 00343A74: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,00343C76,00000000,00343E28,?,?,?,?,00000000), ref: 00343A87

Strings

:mm:ss, xrefs: 00343DF6
m/d/yy, xrefs: 00343CC9
mmmm d, yyyy, xrefs: 00343CEB
:mm, xrefs: 00343DDC
AMPM, xrefs: 00343DC5

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Function 00341E2A, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72 Total matches: 311window

Similarity

Total matches: 311
API ID: ExitProcessMessageBox
String ID: Error$Runtime error at 00000000
API String ID: 1741372891-2970929446
Opcode ID: 3e816442c36023f9d805a67b313c24a94589eddd51cb7c2941cce55a9939b3f4
Instruction ID: 87186ae28839d5083514ec0ff23b261232dce001b7c620935dcecaa69dc8621a
Opcode Fuzzy Hash: 68F0C0D142565741F46761105BA0293442457C263DEE4230D041D6B4DCB74F340EF3EF
Instruction Fuzzy Hash: 87186ae28839d5083514ec0ff23b261232dce001b7c620935dcecaa69dc8621a

APIs

MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00341EC5

Part of subcall function 0033F94C: RtlEnterCriticalSection.NTDLL(`0), ref: 0033F979
Part of subcall function 0033F94C: LocalFree.KERNEL32(00360F80,00000000,0033FA24), ref: 0033F98B
Part of subcall function 0033F94C: VirtualFree.KERNEL32(013E0000,00000000,00008000,00360F80,00000000,0033FA24), ref: 0033F9AA
Part of subcall function 0033F94C: LocalFree.KERNEL32(003625D0,013E0000,00000000,00008000,00360F80,00000000,0033FA24), ref: 0033F9E9
Part of subcall function 0033F94C: RtlLeaveCriticalSection.NTDLL(`0), ref: 0033FA14
Part of subcall function 0033F94C: RtlDeleteCriticalSection.NTDLL(`0), ref: 0033FA1E

ExitProcess.KERNEL32 ref: 00341F0D

Strings

Runtime error at 00000000, xrefs: 00341EBE, 00341ED1
Error, xrefs: 00341EB9

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000001.00000002.425442085.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.425433026.00400000.00000002.sdmp
Associated: 00000001.00000002.425672453.00499000.00000008.sdmp
Associated: 00000001.00000002.425680765.004A4000.00000008.sdmp
Associated: 00000001.00000002.425739783.004C3000.00000008.sdmp
Associated: 00000001.00000002.426892348.00614000.00000004.sdmp
Associated: 00000001.00000002.426904799.00616000.00000008.sdmp

Process Name: Open OfficeSetup.Exe Analysis ID: 53419

General

Root Process Name:	DOC000YUT600.exe
Process MD5:	03EC92CFA1B6B076ACB82E4E8D49D90C
Total matches:	5
Initial Analysis Report:	Open
Initial sample Analysis ID:	53419
Initial sample SHA 256:	8F16F6C9FAE7EADD0DA68A1AA5BE76EE68234AD3766A3C94E21EB257B0295925
Initial sample name:	Open OfficeSetup.Exe

Similar Executed Functions

Similar Non-Executed Functions

Function 00341BBF, Relevance: 15.1, APIs: 10, Instructions: 122 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: 205e8a568885d6c2d543e15cd56036bed714d8061a7c91d32e7eb5ea51b892db
Instruction ID: f7547db3e9c123dc0f418f6d8362cf820f88acb5594dc9f1079380e764575605
Opcode Fuzzy Hash: 4901684132C992A7E0AF278089F0BD12048BB0FB48C54CF512284749F8AB25A27CBF0D
Instruction Fuzzy Hash: f7547db3e9c123dc0f418f6d8362cf820f88acb5594dc9f1079380e764575605

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00341C46
GetFileSize.KERNEL32(?,00000000), ref: 00341C6A
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000), ref: 00341C86
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 00341CA7
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00341CD0
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00341CDA
GetStdHandle.KERNEL32(000000F5), ref: 00341CFA
GetFileType.KERNEL32 ref: 00341D11
CloseHandle.KERNEL32 ref: 00341D2C
GetLastError.KERNEL32(000000F5), ref: 00341D46

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000001.00000002.425442085.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.425433026.00400000.00000002.sdmp
Associated: 00000001.00000002.425672453.00499000.00000008.sdmp
Associated: 00000001.00000002.425680765.004A4000.00000008.sdmp
Associated: 00000001.00000002.425739783.004C3000.00000008.sdmp
Associated: 00000001.00000002.426892348.00614000.00000004.sdmp
Associated: 00000001.00000002.426904799.00616000.00000008.sdmp

Function 00343BE0, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167 Total matches: 412

Similarity

Total matches: 412
API ID: GetSystemDefaultLCID
String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
API String ID: 1253799171-665933166
Opcode ID: 0b2a94106f14f21246a8020f17f5793e071d15a549715edb9bd713bfd3a1d27b
Instruction ID: e581ec676e52e876d52da9d9b13036f560e888687d5d3984d165bec5bfb65baf
Opcode Fuzzy Hash: 3721B81DA69482B3C4075ADC18C07A594B59F1B139DC8C7C005BE6AAE12F56200FBF7B
Instruction Fuzzy Hash: e581ec676e52e876d52da9d9b13036f560e888687d5d3984d165bec5bfb65baf

APIs

GetSystemDefaultLCID.KERNEL32(00000000,00343E28,?,?,?,?,00000000,00000000,00000000), ref: 00343BFA

Part of subcall function 00343A28: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00343A46

Part of subcall function 00343A74: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,00343C76,00000000,00343E28,?,?,?,?,00000000), ref: 00343A87

Strings

:mm:ss, xrefs: 00343DF6
m/d/yy, xrefs: 00343CC9
mmmm d, yyyy, xrefs: 00343CEB
:mm, xrefs: 00343DDC
AMPM, xrefs: 00343DC5

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Function 00341E2A, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72 Total matches: 311window

Similarity

Total matches: 311
API ID: ExitProcessMessageBox
String ID: Error$Runtime error at 00000000
API String ID: 1741372891-2970929446
Opcode ID: 3e816442c36023f9d805a67b313c24a94589eddd51cb7c2941cce55a9939b3f4
Instruction ID: 87186ae28839d5083514ec0ff23b261232dce001b7c620935dcecaa69dc8621a
Opcode Fuzzy Hash: 68F0C0D142565741F46761105BA0293442457C263DEE4230D041D6B4DCB74F340EF3EF
Instruction Fuzzy Hash: 87186ae28839d5083514ec0ff23b261232dce001b7c620935dcecaa69dc8621a

APIs

MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00341EC5

Part of subcall function 0033F94C: RtlEnterCriticalSection.NTDLL(`0), ref: 0033F979
Part of subcall function 0033F94C: LocalFree.KERNEL32(00360F80,00000000,0033FA24), ref: 0033F98B
Part of subcall function 0033F94C: VirtualFree.KERNEL32(013E0000,00000000,00008000,00360F80,00000000,0033FA24), ref: 0033F9AA
Part of subcall function 0033F94C: LocalFree.KERNEL32(003625D0,013E0000,00000000,00008000,00360F80,00000000,0033FA24), ref: 0033F9E9
Part of subcall function 0033F94C: RtlLeaveCriticalSection.NTDLL(`0), ref: 0033FA14
Part of subcall function 0033F94C: RtlDeleteCriticalSection.NTDLL(`0), ref: 0033FA1E

ExitProcess.KERNEL32 ref: 00341F0D

Strings

Runtime error at 00000000, xrefs: 00341EBE, 00341ED1
Error, xrefs: 00341EB9

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000001.00000002.425442085.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.425433026.00400000.00000002.sdmp
Associated: 00000001.00000002.425672453.00499000.00000008.sdmp
Associated: 00000001.00000002.425680765.004A4000.00000008.sdmp
Associated: 00000001.00000002.425739783.004C3000.00000008.sdmp
Associated: 00000001.00000002.426892348.00614000.00000004.sdmp
Associated: 00000001.00000002.426904799.00616000.00000008.sdmp

Process Name: SteamHelper.tmp Analysis ID: 49640

General

Root Process Name:	DOC000YUT600.exe
Process MD5:	CD1F291594F75DE800B26457C76B04B0
Total matches:	5
Initial Analysis Report:	Open
Initial sample Analysis ID:	49640
Initial sample SHA 256:	414BC2153F5AAB78B2FF9CC0FC9BC2951CF28FDBF0DB01A8420F6FF7E3088367
Initial sample name:	SteamHelper.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 00341BBF, Relevance: 15.1, APIs: 10, Instructions: 122 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: 205e8a568885d6c2d543e15cd56036bed714d8061a7c91d32e7eb5ea51b892db
Instruction ID: f7547db3e9c123dc0f418f6d8362cf820f88acb5594dc9f1079380e764575605
Opcode Fuzzy Hash: 4901684132C992A7E0AF278089F0BD12048BB0FB48C54CF512284749F8AB25A27CBF0D
Instruction Fuzzy Hash: f7547db3e9c123dc0f418f6d8362cf820f88acb5594dc9f1079380e764575605

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00341C46
GetFileSize.KERNEL32(?,00000000), ref: 00341C6A
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000), ref: 00341C86
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 00341CA7
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00341CD0
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00341CDA
GetStdHandle.KERNEL32(000000F5), ref: 00341CFA
GetFileType.KERNEL32 ref: 00341D11
CloseHandle.KERNEL32 ref: 00341D2C
GetLastError.KERNEL32(000000F5), ref: 00341D46

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000001.00000002.425442085.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.425433026.00400000.00000002.sdmp
Associated: 00000001.00000002.425672453.00499000.00000008.sdmp
Associated: 00000001.00000002.425680765.004A4000.00000008.sdmp
Associated: 00000001.00000002.425739783.004C3000.00000008.sdmp
Associated: 00000001.00000002.426892348.00614000.00000004.sdmp
Associated: 00000001.00000002.426904799.00616000.00000008.sdmp

Function 00343BE0, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167 Total matches: 412

Similarity

Total matches: 412
API ID: GetSystemDefaultLCID
String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
API String ID: 1253799171-665933166
Opcode ID: 0b2a94106f14f21246a8020f17f5793e071d15a549715edb9bd713bfd3a1d27b
Instruction ID: e581ec676e52e876d52da9d9b13036f560e888687d5d3984d165bec5bfb65baf
Opcode Fuzzy Hash: 3721B81DA69482B3C4075ADC18C07A594B59F1B139DC8C7C005BE6AAE12F56200FBF7B
Instruction Fuzzy Hash: e581ec676e52e876d52da9d9b13036f560e888687d5d3984d165bec5bfb65baf

APIs

GetSystemDefaultLCID.KERNEL32(00000000,00343E28,?,?,?,?,00000000,00000000,00000000), ref: 00343BFA

Part of subcall function 00343A28: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00343A46

Part of subcall function 00343A74: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,00343C76,00000000,00343E28,?,?,?,?,00000000), ref: 00343A87

Strings

:mm:ss, xrefs: 00343DF6
m/d/yy, xrefs: 00343CC9
mmmm d, yyyy, xrefs: 00343CEB
:mm, xrefs: 00343DDC
AMPM, xrefs: 00343DC5

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Function 00341E2A, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72 Total matches: 311window

Similarity

Total matches: 311
API ID: ExitProcessMessageBox
String ID: Error$Runtime error at 00000000
API String ID: 1741372891-2970929446
Opcode ID: 3e816442c36023f9d805a67b313c24a94589eddd51cb7c2941cce55a9939b3f4
Instruction ID: 87186ae28839d5083514ec0ff23b261232dce001b7c620935dcecaa69dc8621a
Opcode Fuzzy Hash: 68F0C0D142565741F46761105BA0293442457C263DEE4230D041D6B4DCB74F340EF3EF
Instruction Fuzzy Hash: 87186ae28839d5083514ec0ff23b261232dce001b7c620935dcecaa69dc8621a

APIs

MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00341EC5

Part of subcall function 0033F94C: RtlEnterCriticalSection.NTDLL(`0), ref: 0033F979
Part of subcall function 0033F94C: LocalFree.KERNEL32(00360F80,00000000,0033FA24), ref: 0033F98B
Part of subcall function 0033F94C: VirtualFree.KERNEL32(013E0000,00000000,00008000,00360F80,00000000,0033FA24), ref: 0033F9AA
Part of subcall function 0033F94C: LocalFree.KERNEL32(003625D0,013E0000,00000000,00008000,00360F80,00000000,0033FA24), ref: 0033F9E9
Part of subcall function 0033F94C: RtlLeaveCriticalSection.NTDLL(`0), ref: 0033FA14
Part of subcall function 0033F94C: RtlDeleteCriticalSection.NTDLL(`0), ref: 0033FA1E

ExitProcess.KERNEL32 ref: 00341F0D

Strings

Runtime error at 00000000, xrefs: 00341EBE, 00341ED1
Error, xrefs: 00341EB9

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000001.00000002.425442085.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.425433026.00400000.00000002.sdmp
Associated: 00000001.00000002.425672453.00499000.00000008.sdmp
Associated: 00000001.00000002.425680765.004A4000.00000008.sdmp
Associated: 00000001.00000002.425739783.004C3000.00000008.sdmp
Associated: 00000001.00000002.426892348.00614000.00000004.sdmp
Associated: 00000001.00000002.426904799.00616000.00000008.sdmp

Process Name: FPaukxOmd8.tmp Analysis ID: 41220

General

Root Process Name:	DOC000YUT600.exe
Process MD5:	9303156631EE2436DB23827E27337BE4
Total matches:	5
Initial Analysis Report:	Open
Initial sample Analysis ID:	41220
Initial sample SHA 256:	7621557FA2B22B8B44F5C2B40EA0348AEA15FD55BA5E113755FE3D7B68246659
Initial sample name:	FPaukxOmd8.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 00341BBF, Relevance: 15.1, APIs: 10, Instructions: 122 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: 205e8a568885d6c2d543e15cd56036bed714d8061a7c91d32e7eb5ea51b892db
Instruction ID: f7547db3e9c123dc0f418f6d8362cf820f88acb5594dc9f1079380e764575605
Opcode Fuzzy Hash: 4901684132C992A7E0AF278089F0BD12048BB0FB48C54CF512284749F8AB25A27CBF0D
Instruction Fuzzy Hash: f7547db3e9c123dc0f418f6d8362cf820f88acb5594dc9f1079380e764575605

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00341C46
GetFileSize.KERNEL32(?,00000000), ref: 00341C6A
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000), ref: 00341C86
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 00341CA7
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00341CD0
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00341CDA
GetStdHandle.KERNEL32(000000F5), ref: 00341CFA
GetFileType.KERNEL32 ref: 00341D11
CloseHandle.KERNEL32 ref: 00341D2C
GetLastError.KERNEL32(000000F5), ref: 00341D46

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000001.00000002.425442085.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.425433026.00400000.00000002.sdmp
Associated: 00000001.00000002.425672453.00499000.00000008.sdmp
Associated: 00000001.00000002.425680765.004A4000.00000008.sdmp
Associated: 00000001.00000002.425739783.004C3000.00000008.sdmp
Associated: 00000001.00000002.426892348.00614000.00000004.sdmp
Associated: 00000001.00000002.426904799.00616000.00000008.sdmp

Function 00343BE0, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167 Total matches: 412

Similarity

Total matches: 412
API ID: GetSystemDefaultLCID
String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
API String ID: 1253799171-665933166
Opcode ID: 0b2a94106f14f21246a8020f17f5793e071d15a549715edb9bd713bfd3a1d27b
Instruction ID: e581ec676e52e876d52da9d9b13036f560e888687d5d3984d165bec5bfb65baf
Opcode Fuzzy Hash: 3721B81DA69482B3C4075ADC18C07A594B59F1B139DC8C7C005BE6AAE12F56200FBF7B
Instruction Fuzzy Hash: e581ec676e52e876d52da9d9b13036f560e888687d5d3984d165bec5bfb65baf

APIs

GetSystemDefaultLCID.KERNEL32(00000000,00343E28,?,?,?,?,00000000,00000000,00000000), ref: 00343BFA

Part of subcall function 00343A28: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00343A46

Part of subcall function 00343A74: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,00343C76,00000000,00343E28,?,?,?,?,00000000), ref: 00343A87

Strings

:mm:ss, xrefs: 00343DF6
m/d/yy, xrefs: 00343CC9
mmmm d, yyyy, xrefs: 00343CEB
:mm, xrefs: 00343DDC
AMPM, xrefs: 00343DC5

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Function 00341E2A, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72 Total matches: 311window

Similarity

Total matches: 311
API ID: ExitProcessMessageBox
String ID: Error$Runtime error at 00000000
API String ID: 1741372891-2970929446
Opcode ID: 3e816442c36023f9d805a67b313c24a94589eddd51cb7c2941cce55a9939b3f4
Instruction ID: 87186ae28839d5083514ec0ff23b261232dce001b7c620935dcecaa69dc8621a
Opcode Fuzzy Hash: 68F0C0D142565741F46761105BA0293442457C263DEE4230D041D6B4DCB74F340EF3EF
Instruction Fuzzy Hash: 87186ae28839d5083514ec0ff23b261232dce001b7c620935dcecaa69dc8621a

APIs

MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00341EC5

Part of subcall function 0033F94C: RtlEnterCriticalSection.NTDLL(`0), ref: 0033F979
Part of subcall function 0033F94C: LocalFree.KERNEL32(00360F80,00000000,0033FA24), ref: 0033F98B
Part of subcall function 0033F94C: VirtualFree.KERNEL32(013E0000,00000000,00008000,00360F80,00000000,0033FA24), ref: 0033F9AA
Part of subcall function 0033F94C: LocalFree.KERNEL32(003625D0,013E0000,00000000,00008000,00360F80,00000000,0033FA24), ref: 0033F9E9
Part of subcall function 0033F94C: RtlLeaveCriticalSection.NTDLL(`0), ref: 0033FA14
Part of subcall function 0033F94C: RtlDeleteCriticalSection.NTDLL(`0), ref: 0033FA1E

ExitProcess.KERNEL32 ref: 00341F0D

Strings

Runtime error at 00000000, xrefs: 00341EBE, 00341ED1
Error, xrefs: 00341EB9

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000001.00000002.425442085.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.425433026.00400000.00000002.sdmp
Associated: 00000001.00000002.425672453.00499000.00000008.sdmp
Associated: 00000001.00000002.425680765.004A4000.00000008.sdmp
Associated: 00000001.00000002.425739783.004C3000.00000008.sdmp
Associated: 00000001.00000002.426892348.00614000.00000004.sdmp
Associated: 00000001.00000002.426904799.00616000.00000008.sdmp

Process Name: RFQ-857369 {Draft copy}.exe Analysis ID: 71697

General

Root Process Name:	DOC000YUT600.exe
Process MD5:	028D4FD059E8A0F2F9E8C1635D036E2A
Total matches:	5
Initial Analysis Report:	Open
Initial sample Analysis ID:	71697
Initial sample SHA 256:	EB95BF9222CAEE7FBB65B2780A0C48DCB076196D75EFBBE1D1D677BB516C8069
Initial sample name:	1.doc

Similar Executed Functions

Similar Non-Executed Functions

Function 00341BBF, Relevance: 15.1, APIs: 10, Instructions: 122 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: 205e8a568885d6c2d543e15cd56036bed714d8061a7c91d32e7eb5ea51b892db
Instruction ID: f7547db3e9c123dc0f418f6d8362cf820f88acb5594dc9f1079380e764575605
Opcode Fuzzy Hash: 4901684132C992A7E0AF278089F0BD12048BB0FB48C54CF512284749F8AB25A27CBF0D
Instruction Fuzzy Hash: f7547db3e9c123dc0f418f6d8362cf820f88acb5594dc9f1079380e764575605

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00341C46
GetFileSize.KERNEL32(?,00000000), ref: 00341C6A
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000), ref: 00341C86
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 00341CA7
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00341CD0
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00341CDA
GetStdHandle.KERNEL32(000000F5), ref: 00341CFA
GetFileType.KERNEL32 ref: 00341D11
CloseHandle.KERNEL32 ref: 00341D2C
GetLastError.KERNEL32(000000F5), ref: 00341D46

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000001.00000002.425442085.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.425433026.00400000.00000002.sdmp
Associated: 00000001.00000002.425672453.00499000.00000008.sdmp
Associated: 00000001.00000002.425680765.004A4000.00000008.sdmp
Associated: 00000001.00000002.425739783.004C3000.00000008.sdmp
Associated: 00000001.00000002.426892348.00614000.00000004.sdmp
Associated: 00000001.00000002.426904799.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000001.00000002.425442085.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.425433026.00400000.00000002.sdmp
Associated: 00000001.00000002.425672453.00499000.00000008.sdmp
Associated: 00000001.00000002.425680765.004A4000.00000008.sdmp
Associated: 00000001.00000002.425739783.004C3000.00000008.sdmp
Associated: 00000001.00000002.426892348.00614000.00000004.sdmp
Associated: 00000001.00000002.426904799.00616000.00000008.sdmp

Function 00342E44, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: 8291d8e60a726b0418ab79f9eef81b9bb57ffefecf15ded0f1122eb310303240
Instruction ID: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a
Opcode Fuzzy Hash: 1FD0124745344A0389ED0D9C40D3D85129245AECB2ABC2F0149BF7F6D709219557FECC
Instruction Fuzzy Hash: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a

APIs

FindNextFileA.KERNEL32(?,?), ref: 00342E54
GetLastError.KERNEL32(?,?), ref: 00342E5D
FileTimeToLocalFileTime.KERNEL32(?), ref: 00342E71
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 00342E80

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Process Name: WRMNLzRmzr.tmp Analysis ID: 51259

General

Root Process Name:	DOC000YUT600.exe
Process MD5:	832DAB307E54AA08F4B6CDD9B9720361
Total matches:	5
Initial Analysis Report:	Open
Initial sample Analysis ID:	51259
Initial sample SHA 256:	3BEC35909514FB5D0901F7566784C25337E9A0F31DB87DD7E04E0DEA9480527E
Initial sample name:	WRMNLzRmzr.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 00341BBF, Relevance: 15.1, APIs: 10, Instructions: 122 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: 205e8a568885d6c2d543e15cd56036bed714d8061a7c91d32e7eb5ea51b892db
Instruction ID: f7547db3e9c123dc0f418f6d8362cf820f88acb5594dc9f1079380e764575605
Opcode Fuzzy Hash: 4901684132C992A7E0AF278089F0BD12048BB0FB48C54CF512284749F8AB25A27CBF0D
Instruction Fuzzy Hash: f7547db3e9c123dc0f418f6d8362cf820f88acb5594dc9f1079380e764575605

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00341C46
GetFileSize.KERNEL32(?,00000000), ref: 00341C6A
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000), ref: 00341C86
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 00341CA7
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00341CD0
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00341CDA
GetStdHandle.KERNEL32(000000F5), ref: 00341CFA
GetFileType.KERNEL32 ref: 00341D11
CloseHandle.KERNEL32 ref: 00341D2C
GetLastError.KERNEL32(000000F5), ref: 00341D46

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000001.00000002.425442085.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.425433026.00400000.00000002.sdmp
Associated: 00000001.00000002.425672453.00499000.00000008.sdmp
Associated: 00000001.00000002.425680765.004A4000.00000008.sdmp
Associated: 00000001.00000002.425739783.004C3000.00000008.sdmp
Associated: 00000001.00000002.426892348.00614000.00000004.sdmp
Associated: 00000001.00000002.426904799.00616000.00000008.sdmp

Function 00343BE0, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167 Total matches: 412

Similarity

Total matches: 412
API ID: GetSystemDefaultLCID
String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
API String ID: 1253799171-665933166
Opcode ID: 0b2a94106f14f21246a8020f17f5793e071d15a549715edb9bd713bfd3a1d27b
Instruction ID: e581ec676e52e876d52da9d9b13036f560e888687d5d3984d165bec5bfb65baf
Opcode Fuzzy Hash: 3721B81DA69482B3C4075ADC18C07A594B59F1B139DC8C7C005BE6AAE12F56200FBF7B
Instruction Fuzzy Hash: e581ec676e52e876d52da9d9b13036f560e888687d5d3984d165bec5bfb65baf

APIs

GetSystemDefaultLCID.KERNEL32(00000000,00343E28,?,?,?,?,00000000,00000000,00000000), ref: 00343BFA

Part of subcall function 00343A28: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00343A46

Part of subcall function 00343A74: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,00343C76,00000000,00343E28,?,?,?,?,00000000), ref: 00343A87

Strings

:mm:ss, xrefs: 00343DF6
m/d/yy, xrefs: 00343CC9
mmmm d, yyyy, xrefs: 00343CEB
:mm, xrefs: 00343DDC
AMPM, xrefs: 00343DC5

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Function 00341E2A, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72 Total matches: 311window

Similarity

Total matches: 311
API ID: ExitProcessMessageBox
String ID: Error$Runtime error at 00000000
API String ID: 1741372891-2970929446
Opcode ID: 3e816442c36023f9d805a67b313c24a94589eddd51cb7c2941cce55a9939b3f4
Instruction ID: 87186ae28839d5083514ec0ff23b261232dce001b7c620935dcecaa69dc8621a
Opcode Fuzzy Hash: 68F0C0D142565741F46761105BA0293442457C263DEE4230D041D6B4DCB74F340EF3EF
Instruction Fuzzy Hash: 87186ae28839d5083514ec0ff23b261232dce001b7c620935dcecaa69dc8621a

APIs

MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00341EC5

Part of subcall function 0033F94C: RtlEnterCriticalSection.NTDLL(`0), ref: 0033F979
Part of subcall function 0033F94C: LocalFree.KERNEL32(00360F80,00000000,0033FA24), ref: 0033F98B
Part of subcall function 0033F94C: VirtualFree.KERNEL32(013E0000,00000000,00008000,00360F80,00000000,0033FA24), ref: 0033F9AA
Part of subcall function 0033F94C: LocalFree.KERNEL32(003625D0,013E0000,00000000,00008000,00360F80,00000000,0033FA24), ref: 0033F9E9
Part of subcall function 0033F94C: RtlLeaveCriticalSection.NTDLL(`0), ref: 0033FA14
Part of subcall function 0033F94C: RtlDeleteCriticalSection.NTDLL(`0), ref: 0033FA1E

ExitProcess.KERNEL32 ref: 00341F0D

Strings

Runtime error at 00000000, xrefs: 00341EBE, 00341ED1
Error, xrefs: 00341EB9

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000001.00000002.425442085.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.425433026.00400000.00000002.sdmp
Associated: 00000001.00000002.425672453.00499000.00000008.sdmp
Associated: 00000001.00000002.425680765.004A4000.00000008.sdmp
Associated: 00000001.00000002.425739783.004C3000.00000008.sdmp
Associated: 00000001.00000002.426892348.00614000.00000004.sdmp
Associated: 00000001.00000002.426904799.00616000.00000008.sdmp

Process Name: darkcomet.exe Analysis ID: 41363

General

Root Process Name:	DOC000YUT600.exe
Process MD5:	5A790B57A083A6B0FDDC5BACBBBD95DE
Total matches:	5
Initial Analysis Report:	Open
Initial sample Analysis ID:	41363
Initial sample SHA 256:	3C9E853D9D3924C45DD8C5CB92F002422E6151FAE739E53DB26C4945D4463876
Initial sample name:	darkcomet.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 00341BBF, Relevance: 15.1, APIs: 10, Instructions: 122 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: 205e8a568885d6c2d543e15cd56036bed714d8061a7c91d32e7eb5ea51b892db
Instruction ID: f7547db3e9c123dc0f418f6d8362cf820f88acb5594dc9f1079380e764575605
Opcode Fuzzy Hash: 4901684132C992A7E0AF278089F0BD12048BB0FB48C54CF512284749F8AB25A27CBF0D
Instruction Fuzzy Hash: f7547db3e9c123dc0f418f6d8362cf820f88acb5594dc9f1079380e764575605

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00341C46
GetFileSize.KERNEL32(?,00000000), ref: 00341C6A
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000), ref: 00341C86
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 00341CA7
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00341CD0
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00341CDA
GetStdHandle.KERNEL32(000000F5), ref: 00341CFA
GetFileType.KERNEL32 ref: 00341D11
CloseHandle.KERNEL32 ref: 00341D2C
GetLastError.KERNEL32(000000F5), ref: 00341D46

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000001.00000002.425442085.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.425433026.00400000.00000002.sdmp
Associated: 00000001.00000002.425672453.00499000.00000008.sdmp
Associated: 00000001.00000002.425680765.004A4000.00000008.sdmp
Associated: 00000001.00000002.425739783.004C3000.00000008.sdmp
Associated: 00000001.00000002.426892348.00614000.00000004.sdmp
Associated: 00000001.00000002.426904799.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000001.00000002.425442085.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.425433026.00400000.00000002.sdmp
Associated: 00000001.00000002.425672453.00499000.00000008.sdmp
Associated: 00000001.00000002.425680765.004A4000.00000008.sdmp
Associated: 00000001.00000002.425739783.004C3000.00000008.sdmp
Associated: 00000001.00000002.426892348.00614000.00000004.sdmp
Associated: 00000001.00000002.426904799.00616000.00000008.sdmp

Function 00342E44, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: 8291d8e60a726b0418ab79f9eef81b9bb57ffefecf15ded0f1122eb310303240
Instruction ID: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a
Opcode Fuzzy Hash: 1FD0124745344A0389ED0D9C40D3D85129245AECB2ABC2F0149BF7F6D709219557FECC
Instruction Fuzzy Hash: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a

APIs

FindNextFileA.KERNEL32(?,?), ref: 00342E54
GetLastError.KERNEL32(?,?), ref: 00342E5D
FileTimeToLocalFileTime.KERNEL32(?), ref: 00342E71
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 00342E80

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Process Name: SCAN00GOG0900.exe Analysis ID: 48661

General

Root Process Name:	DOC000YUT600.exe
Process MD5:	F51025B7377A6E1195B92C43C02AE280
Total matches:	5
Initial Analysis Report:	Open
Initial sample Analysis ID:	48661
Initial sample SHA 256:	3BC676885FCB24D6743D5EC70E405FFB4A45DC1CA41F7FCEC4863E719DCE69B3
Initial sample name:	SCAN00GOG090.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 00341BBF, Relevance: 15.1, APIs: 10, Instructions: 122 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: 205e8a568885d6c2d543e15cd56036bed714d8061a7c91d32e7eb5ea51b892db
Instruction ID: f7547db3e9c123dc0f418f6d8362cf820f88acb5594dc9f1079380e764575605
Opcode Fuzzy Hash: 4901684132C992A7E0AF278089F0BD12048BB0FB48C54CF512284749F8AB25A27CBF0D
Instruction Fuzzy Hash: f7547db3e9c123dc0f418f6d8362cf820f88acb5594dc9f1079380e764575605

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00341C46
GetFileSize.KERNEL32(?,00000000), ref: 00341C6A
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000), ref: 00341C86
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 00341CA7
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00341CD0
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00341CDA
GetStdHandle.KERNEL32(000000F5), ref: 00341CFA
GetFileType.KERNEL32 ref: 00341D11
CloseHandle.KERNEL32 ref: 00341D2C
GetLastError.KERNEL32(000000F5), ref: 00341D46

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000001.00000002.425442085.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.425433026.00400000.00000002.sdmp
Associated: 00000001.00000002.425672453.00499000.00000008.sdmp
Associated: 00000001.00000002.425680765.004A4000.00000008.sdmp
Associated: 00000001.00000002.425739783.004C3000.00000008.sdmp
Associated: 00000001.00000002.426892348.00614000.00000004.sdmp
Associated: 00000001.00000002.426904799.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000001.00000002.425442085.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.425433026.00400000.00000002.sdmp
Associated: 00000001.00000002.425672453.00499000.00000008.sdmp
Associated: 00000001.00000002.425680765.004A4000.00000008.sdmp
Associated: 00000001.00000002.425739783.004C3000.00000008.sdmp
Associated: 00000001.00000002.426892348.00614000.00000004.sdmp
Associated: 00000001.00000002.426904799.00616000.00000008.sdmp

Function 00342E44, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: 8291d8e60a726b0418ab79f9eef81b9bb57ffefecf15ded0f1122eb310303240
Instruction ID: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a
Opcode Fuzzy Hash: 1FD0124745344A0389ED0D9C40D3D85129245AECB2ABC2F0149BF7F6D709219557FECC
Instruction Fuzzy Hash: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a

APIs

FindNextFileA.KERNEL32(?,?), ref: 00342E54
GetLastError.KERNEL32(?,?), ref: 00342E5D
FileTimeToLocalFileTime.KERNEL32(?), ref: 00342E71
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 00342E80

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Process Name: pQwinup.exe Analysis ID: 32007

General

Root Process Name:	DOC000YUT600.exe
Process MD5:	B56AA07E5FE953431CA8DE5326D6953D
Total matches:	5
Initial Analysis Report:	Open
Initial sample Analysis ID:	32007
Initial sample SHA 256:	199A33F16BCC4DD012A3A4738CE5A2B21647150D09C84A1CC8C05338DB03E90E
Initial sample name:	Charter Embarkation & Destination Details.vbs

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000001.00000002.425442085.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.425433026.00400000.00000002.sdmp
Associated: 00000001.00000002.425672453.00499000.00000008.sdmp
Associated: 00000001.00000002.425680765.004A4000.00000008.sdmp
Associated: 00000001.00000002.425739783.004C3000.00000008.sdmp
Associated: 00000001.00000002.426892348.00614000.00000004.sdmp
Associated: 00000001.00000002.426904799.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000001.00000002.425442085.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.425433026.00400000.00000002.sdmp
Associated: 00000001.00000002.425672453.00499000.00000008.sdmp
Associated: 00000001.00000002.425680765.004A4000.00000008.sdmp
Associated: 00000001.00000002.425739783.004C3000.00000008.sdmp
Associated: 00000001.00000002.426892348.00614000.00000004.sdmp
Associated: 00000001.00000002.426904799.00616000.00000008.sdmp

Function 00342E44, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: 8291d8e60a726b0418ab79f9eef81b9bb57ffefecf15ded0f1122eb310303240
Instruction ID: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a
Opcode Fuzzy Hash: 1FD0124745344A0389ED0D9C40D3D85129245AECB2ABC2F0149BF7F6D709219557FECC
Instruction Fuzzy Hash: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a

APIs

FindNextFileA.KERNEL32(?,?), ref: 00342E54
GetLastError.KERNEL32(?,?), ref: 00342E5D
FileTimeToLocalFileTime.KERNEL32(?), ref: 00342E71
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 00342E80

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Process Name: K9tdOxcj76.exe Analysis ID: 38384

General

Root Process Name:	DOC000YUT600.exe
Process MD5:	624023448A39E6EADB9F7722FAE2DCD3
Total matches:	5
Initial Analysis Report:	Open
Initial sample Analysis ID:	38384
Initial sample SHA 256:	B111124CED4570DF72CEFD1B5D0D1AFC1F1DAE7DB1319C4E720F52C23B76C0AD
Initial sample name:	K9tdOxcj76.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000001.00000002.425442085.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.425433026.00400000.00000002.sdmp
Associated: 00000001.00000002.425672453.00499000.00000008.sdmp
Associated: 00000001.00000002.425680765.004A4000.00000008.sdmp
Associated: 00000001.00000002.425739783.004C3000.00000008.sdmp
Associated: 00000001.00000002.426892348.00614000.00000004.sdmp
Associated: 00000001.00000002.426904799.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000001.00000002.425442085.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.425433026.00400000.00000002.sdmp
Associated: 00000001.00000002.425672453.00499000.00000008.sdmp
Associated: 00000001.00000002.425680765.004A4000.00000008.sdmp
Associated: 00000001.00000002.425739783.004C3000.00000008.sdmp
Associated: 00000001.00000002.426892348.00614000.00000004.sdmp
Associated: 00000001.00000002.426904799.00616000.00000008.sdmp

Function 00342E44, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: 8291d8e60a726b0418ab79f9eef81b9bb57ffefecf15ded0f1122eb310303240
Instruction ID: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a
Opcode Fuzzy Hash: 1FD0124745344A0389ED0D9C40D3D85129245AECB2ABC2F0149BF7F6D709219557FECC
Instruction Fuzzy Hash: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a

APIs

FindNextFileA.KERNEL32(?,?), ref: 00342E54
GetLastError.KERNEL32(?,?), ref: 00342E5D
FileTimeToLocalFileTime.KERNEL32(?), ref: 00342E71
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 00342E80

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Process Name: CSmGZuzOw3.tmp Analysis ID: 516917

General

Root Process Name:	DOC000YUT600.exe
Process MD5:	D8CA4D5DF2DC54CA72DD9DBDE47BC3BB
Total matches:	5
Initial Analysis Report:	Open
Initial sample Analysis ID:	516917
Initial sample SHA 256:	A9E1C3B11F4F038E466F1C8A773833DC7BA76229B66C58EB66F256DE78EB8B84
Initial sample name:	CSmGZuzOw3.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 00341BBF, Relevance: 15.1, APIs: 10, Instructions: 122 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: 205e8a568885d6c2d543e15cd56036bed714d8061a7c91d32e7eb5ea51b892db
Instruction ID: f7547db3e9c123dc0f418f6d8362cf820f88acb5594dc9f1079380e764575605
Opcode Fuzzy Hash: 4901684132C992A7E0AF278089F0BD12048BB0FB48C54CF512284749F8AB25A27CBF0D
Instruction Fuzzy Hash: f7547db3e9c123dc0f418f6d8362cf820f88acb5594dc9f1079380e764575605

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00341C46
GetFileSize.KERNEL32(?,00000000), ref: 00341C6A
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000), ref: 00341C86
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 00341CA7
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00341CD0
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00341CDA
GetStdHandle.KERNEL32(000000F5), ref: 00341CFA
GetFileType.KERNEL32 ref: 00341D11
CloseHandle.KERNEL32 ref: 00341D2C
GetLastError.KERNEL32(000000F5), ref: 00341D46

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000001.00000002.425442085.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.425433026.00400000.00000002.sdmp
Associated: 00000001.00000002.425672453.00499000.00000008.sdmp
Associated: 00000001.00000002.425680765.004A4000.00000008.sdmp
Associated: 00000001.00000002.425739783.004C3000.00000008.sdmp
Associated: 00000001.00000002.426892348.00614000.00000004.sdmp
Associated: 00000001.00000002.426904799.00616000.00000008.sdmp

Function 00343BE0, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167 Total matches: 412

Similarity

Total matches: 412
API ID: GetSystemDefaultLCID
String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
API String ID: 1253799171-665933166
Opcode ID: 0b2a94106f14f21246a8020f17f5793e071d15a549715edb9bd713bfd3a1d27b
Instruction ID: e581ec676e52e876d52da9d9b13036f560e888687d5d3984d165bec5bfb65baf
Opcode Fuzzy Hash: 3721B81DA69482B3C4075ADC18C07A594B59F1B139DC8C7C005BE6AAE12F56200FBF7B
Instruction Fuzzy Hash: e581ec676e52e876d52da9d9b13036f560e888687d5d3984d165bec5bfb65baf

APIs

GetSystemDefaultLCID.KERNEL32(00000000,00343E28,?,?,?,?,00000000,00000000,00000000), ref: 00343BFA

Part of subcall function 00343A28: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00343A46

Part of subcall function 00343A74: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,00343C76,00000000,00343E28,?,?,?,?,00000000), ref: 00343A87

Strings

:mm:ss, xrefs: 00343DF6
m/d/yy, xrefs: 00343CC9
mmmm d, yyyy, xrefs: 00343CEB
:mm, xrefs: 00343DDC
AMPM, xrefs: 00343DC5

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Function 00341E2A, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72 Total matches: 311window

Similarity

Total matches: 311
API ID: ExitProcessMessageBox
String ID: Error$Runtime error at 00000000
API String ID: 1741372891-2970929446
Opcode ID: 3e816442c36023f9d805a67b313c24a94589eddd51cb7c2941cce55a9939b3f4
Instruction ID: 87186ae28839d5083514ec0ff23b261232dce001b7c620935dcecaa69dc8621a
Opcode Fuzzy Hash: 68F0C0D142565741F46761105BA0293442457C263DEE4230D041D6B4DCB74F340EF3EF
Instruction Fuzzy Hash: 87186ae28839d5083514ec0ff23b261232dce001b7c620935dcecaa69dc8621a

APIs

MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00341EC5

Part of subcall function 0033F94C: RtlEnterCriticalSection.NTDLL(`0), ref: 0033F979
Part of subcall function 0033F94C: LocalFree.KERNEL32(00360F80,00000000,0033FA24), ref: 0033F98B
Part of subcall function 0033F94C: VirtualFree.KERNEL32(013E0000,00000000,00008000,00360F80,00000000,0033FA24), ref: 0033F9AA
Part of subcall function 0033F94C: LocalFree.KERNEL32(003625D0,013E0000,00000000,00008000,00360F80,00000000,0033FA24), ref: 0033F9E9
Part of subcall function 0033F94C: RtlLeaveCriticalSection.NTDLL(`0), ref: 0033FA14
Part of subcall function 0033F94C: RtlDeleteCriticalSection.NTDLL(`0), ref: 0033FA1E

ExitProcess.KERNEL32 ref: 00341F0D

Strings

Runtime error at 00000000, xrefs: 00341EBE, 00341ED1
Error, xrefs: 00341EB9

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000001.00000002.425442085.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.425433026.00400000.00000002.sdmp
Associated: 00000001.00000002.425672453.00499000.00000008.sdmp
Associated: 00000001.00000002.425680765.004A4000.00000008.sdmp
Associated: 00000001.00000002.425739783.004C3000.00000008.sdmp
Associated: 00000001.00000002.426892348.00614000.00000004.sdmp
Associated: 00000001.00000002.426904799.00616000.00000008.sdmp

Process Name: darkcomet-irixo.exe.exe Analysis ID: 58114

General

Root Process Name:	DOC000YUT600.exe
Process MD5:	4716314D197F0B5485AEA5142842E06C
Total matches:	5
Initial Analysis Report:	Open
Initial sample Analysis ID:	58114
Initial sample SHA 256:	4FB60E4BD29B1747F5D232E01136F5699AB5C789C654B0808A8E44D3CBF432D9
Initial sample name:	darkcomet-irixo.exe.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 00341BBF, Relevance: 15.1, APIs: 10, Instructions: 122 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: 205e8a568885d6c2d543e15cd56036bed714d8061a7c91d32e7eb5ea51b892db
Instruction ID: f7547db3e9c123dc0f418f6d8362cf820f88acb5594dc9f1079380e764575605
Opcode Fuzzy Hash: 4901684132C992A7E0AF278089F0BD12048BB0FB48C54CF512284749F8AB25A27CBF0D
Instruction Fuzzy Hash: f7547db3e9c123dc0f418f6d8362cf820f88acb5594dc9f1079380e764575605

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00341C46
GetFileSize.KERNEL32(?,00000000), ref: 00341C6A
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000), ref: 00341C86
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 00341CA7
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00341CD0
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00341CDA
GetStdHandle.KERNEL32(000000F5), ref: 00341CFA
GetFileType.KERNEL32 ref: 00341D11
CloseHandle.KERNEL32 ref: 00341D2C
GetLastError.KERNEL32(000000F5), ref: 00341D46

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000001.00000002.425442085.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.425433026.00400000.00000002.sdmp
Associated: 00000001.00000002.425672453.00499000.00000008.sdmp
Associated: 00000001.00000002.425680765.004A4000.00000008.sdmp
Associated: 00000001.00000002.425739783.004C3000.00000008.sdmp
Associated: 00000001.00000002.426892348.00614000.00000004.sdmp
Associated: 00000001.00000002.426904799.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000001.00000002.425442085.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.425433026.00400000.00000002.sdmp
Associated: 00000001.00000002.425672453.00499000.00000008.sdmp
Associated: 00000001.00000002.425680765.004A4000.00000008.sdmp
Associated: 00000001.00000002.425739783.004C3000.00000008.sdmp
Associated: 00000001.00000002.426892348.00614000.00000004.sdmp
Associated: 00000001.00000002.426904799.00616000.00000008.sdmp

Function 00342E44, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: 8291d8e60a726b0418ab79f9eef81b9bb57ffefecf15ded0f1122eb310303240
Instruction ID: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a
Opcode Fuzzy Hash: 1FD0124745344A0389ED0D9C40D3D85129245AECB2ABC2F0149BF7F6D709219557FECC
Instruction Fuzzy Hash: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a

APIs

FindNextFileA.KERNEL32(?,?), ref: 00342E54
GetLastError.KERNEL32(?,?), ref: 00342E5D
FileTimeToLocalFileTime.KERNEL32(?), ref: 00342E71
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 00342E80

Memory Dump Source

Source File: 00000001.00000003.419010716.0033D000.00000004.sdmp, Offset: 0033D000, based on PE: false

Process Name: window-on-top.tmp Analysis ID: 70878

General

Root Process Name:	regdrv.exe
Process MD5:	90FC739C83CD19766ACB562C66A7D0E2
Total matches:	6
Initial Analysis Report:	Open
Initial sample Analysis ID:	70878
Initial sample SHA 256:	234942ED1DC29A6A4FBEED97E3967DF28C774B6FB6CA49CC1C51AB03EE3FADEF
Initial sample name:	crestron_usbdriver_w10_module_2.01.527.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Process Name: Hsksdycn.exe Analysis ID: 37311

General

Root Process Name:	regdrv.exe
Process MD5:	EEC006D47C4E68C91A6943F86A58ABBA
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	37311
Initial sample SHA 256:	A4D39395175CAE45FA61490507FC6D20E6BA5529E75551BBC0CBA712F06785C7
Initial sample name:	Hsksdycn.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Process Name: 58DHL Shipment Doc# 070881019.exe Analysis ID: 38736

General

Root Process Name:	regdrv.exe
Process MD5:	84F29ADF5A558248B2F8CDD64ACA919C
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	38736
Initial sample SHA 256:	CD4D5779616ABCDA8CB8AD4743C4E8411CC46F4414B02948D2329E05870F4C73
Initial sample name:	58DHL Shipment Doc# 070881019.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Process Name: 47PAYMENT.exe Analysis ID: 38767

General

Root Process Name:	regdrv.exe
Process MD5:	3CF908E5EE436FDF3D2B780400866C7D
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	38767
Initial sample SHA 256:	46954E2B964858B303E9D4DF04251E614CBC4D69E43206ABF532EF8DA23CB5C0
Initial sample name:	47PAYMENT.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Process Name: 37statement of account.exe Analysis ID: 37467

General

Root Process Name:	regdrv.exe
Process MD5:	151AB14A9FAE18D9DF3E040F213BFA1C
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	37467
Initial sample SHA 256:	7EE2343156522F16C12ABC8C0F2741BA87F20211B27153FB637C7C20D439FC71
Initial sample name:	37statement of account.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Process Name: 74ASVfdWjgISVfdWjgI.exe Analysis ID: 37665

General

Root Process Name:	regdrv.exe
Process MD5:	DB3C2D77BD50E0CD6B441BCC9DDF0712
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	37665
Initial sample SHA 256:	00EDB83FCCCAB0FE4ED0036AC8BA5699FDF840A63645D60DB71419CB62112013
Initial sample name:	74ASVfdWjgISVfdWjgI.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Process Name: 31SIMREG INCENTIVE BREAKDOWN.xlsx.exe Analysis ID: 40080

General

Root Process Name:	regdrv.exe
Process MD5:	5D34E72A2C6BF15D7003F2942D1F8B63
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	40080
Initial sample SHA 256:	44EC55D01DB8CC10489808865BF3E8C727B0F95665C788252129C48730E03C9D
Initial sample name:	31SIMREG INCENTIVE BREAKDOWN.xls.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Process Name: Agreement_pdf.exe Analysis ID: 363512

General

Root Process Name:	regdrv.exe
Process MD5:	77D378763AC0444A9F767F446772A479
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	363512
Initial sample SHA 256:	79B6602549F608FA333C2938B802D1D095145BE3B6C55F14F552532F94D264ED
Initial sample name:	Agreement_pdf.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Process Name: 17Invoice.exe Analysis ID: 37668

General

Root Process Name:	regdrv.exe
Process MD5:	0D8926429A27363F3994D09184572666
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	37668
Initial sample SHA 256:	75BA0C30FD89BC752E13D2662200683788DCC5E7C30D6A983507C93D4087BB6D
Initial sample name:	17Invoice.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Process Name: data.exe Analysis ID: 46942

General

Root Process Name:	regdrv.exe
Process MD5:	1D8830D54E8E8F210792188C07C5E83A
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	46942
Initial sample SHA 256:	42681CBBD2B31A9C2D89D875858C9B24F72B2D836C9E1711ECB82F8399ABE6EC
Initial sample name:	data.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Process Name: VTfIxABUKQX.exe Analysis ID: 37961

General

Root Process Name:	regdrv.exe
Process MD5:	E8806738A575A6639E7C9AAC882374AE
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	37961
Initial sample SHA 256:	870185E0AA9C8F21FFE5EA148332E3590A7F197B9CA86093F8211EC6F323AEB7
Initial sample name:	image2017-11-22-8137083.vbs

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Process Name: 69NEW DAWN STAFF DRESS.xlsx.exe Analysis ID: 39704

General

Root Process Name:	regdrv.exe
Process MD5:	EAD2C482D0C82A21372F969C61302C31
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	39704
Initial sample SHA 256:	3945612F0C356BD35F79F669EBC69D8D7DEDBB283031DF73BE1DC8875223B870
Initial sample name:	69NEW DAWN STAFF DRESS.xls.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Process Name: dYdRqZwo.exe Analysis ID: 40080

General

Root Process Name:	regdrv.exe
Process MD5:	5D34E72A2C6BF15D7003F2942D1F8B63
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	40080
Initial sample SHA 256:	44EC55D01DB8CC10489808865BF3E8C727B0F95665C788252129C48730E03C9D
Initial sample name:	31SIMREG INCENTIVE BREAKDOWN.xls.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Process Name: 71Payment.jpg............exe Analysis ID: 38833

General

Root Process Name:	regdrv.exe
Process MD5:	0742CE86C683E9483BDF448B38BF2664
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	38833
Initial sample SHA 256:	63461ECF4510F3D25CFE5EB91490E75A104E2226DD51C233B36146208ABDF134
Initial sample name:	71Payment.jpg...........exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Process Name: OHyCCfZu.exe Analysis ID: 46942

General

Root Process Name:	regdrv.exe
Process MD5:	1D8830D54E8E8F210792188C07C5E83A
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	46942
Initial sample SHA 256:	42681CBBD2B31A9C2D89D875858C9B24F72B2D836C9E1711ECB82F8399ABE6EC
Initial sample name:	data.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Process Name: FuVDbcfS.exe Analysis ID: 39246

General

Root Process Name:	regdrv.exe
Process MD5:	D92C4AE32F8DE6EBC6FC4E855E7B66AA
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	39246
Initial sample SHA 256:	0439E980D0A0D83D4DF8B55CCA3B5FFE2735FD92BE7589BB90E8C449F187D7BC
Initial sample name:	37Hua Hang Shipping & Trading.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Process Name: XbNQXwEL.exe Analysis ID: 39695

General

Root Process Name:	regdrv.exe
Process MD5:	1C319E894D3BF7D381D3EAC736FD5502
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	39695
Initial sample SHA 256:	E66FEF46C6DB1173CE716E35636ED5BD7E18223B8B8793654CB986B37D2E241D
Initial sample name:	36Invoice 0.96067400.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Process Name: nVndEfAi.exe Analysis ID: 40506

General

Root Process Name:	regdrv.exe
Process MD5:	DDF37EB620C66DE4AF7017BB5DB95893
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	40506
Initial sample SHA 256:	AB08ADC286B8AD4F9050172FE2C9241E5E5BE5D192A33B9B7A0222D157CCCF1F
Initial sample name:	4920171219_KYC Form for SIM Registration Partners.pd.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Process Name: 58REMITTANCE COPY_BALANCE PAYMENT.exe Analysis ID: 40041

General

Root Process Name:	regdrv.exe
Process MD5:	4030BA83FBC48E2F007FAE34829897E9
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	40041
Initial sample SHA 256:	543E8D26F66D0A01120867A47A0156C4ABD119207524A84FFA0D54584E1F5C35
Initial sample name:	58REMITTANCE COPY_BALANCE PAYMENT.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Process Name: xPtlWgvn.exe Analysis ID: 39827

General

Root Process Name:	regdrv.exe
Process MD5:	AAD08C4F7D96A5986BA7941AC8336FD3
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	39827
Initial sample SHA 256:	1EF918A065242F2DBA0FE9F1C89027E599A9FFFF13447EB44AB7C4BB638D3B46
Initial sample name:	Payment Advice.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Process Name: 36PAYMENT.exe Analysis ID: 38663

General

Root Process Name:	regdrv.exe
Process MD5:	367A5392D23C0C007DD8E71DBB8B1EE7
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	38663
Initial sample SHA 256:	EE7BF223A48D51F8E5218F80559995999E80F2B6B6A386D2C79A2ED378DD5FC8
Initial sample name:	36PAYMENT.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Process Name: vUCGyPcV.exe Analysis ID: 39127

General

Root Process Name:	regdrv.exe
Process MD5:	C0EAF6EBE3AF1A42B8C9911F92714FE4
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	39127
Initial sample SHA 256:	BC9F1162F4EDB1024CB9BDB26282A2C55CBA24D07F498D45DFDE02FB583D969E
Initial sample name:	13MTN TP November airtime performance Bonus.pd.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Process Name: pQwinup.exe Analysis ID: 32007

General

Root Process Name:	regdrv.exe
Process MD5:	B56AA07E5FE953431CA8DE5326D6953D
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	32007
Initial sample SHA 256:	199A33F16BCC4DD012A3A4738CE5A2B21647150D09C84A1CC8C05338DB03E90E
Initial sample name:	Charter Embarkation & Destination Details.vbs

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Process Name: EwKNSDWB.exe Analysis ID: 36631

General

Root Process Name:	regdrv.exe
Process MD5:	AADEF13F05E9E17B79EC50FB9665593B
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	36631
Initial sample SHA 256:	AD3521749277150F5E94AA42A9557802A6D2D8388449631A4A82D8139DA2ACB3
Initial sample name:	41Agreement of Sale Document.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Process Name: 69IMG00002.exe Analysis ID: 41839

General

Root Process Name:	regdrv.exe
Process MD5:	BFB80626BE700A621CABDFF267B6ED2E
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	41839
Initial sample SHA 256:	3676DF4237CC2F2DD196154BF6ACD3449CF14C1A2CCB3FC681D7CAFCAA53225A
Initial sample name:	69IMG00002.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Process Name: 38Payment.exe Analysis ID: 38217

General

Root Process Name:	regdrv.exe
Process MD5:	ABDD63CC62905D29A7D3D42AD83688CF
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	38217
Initial sample SHA 256:	738FB112260CE4F5A03EE506A63ACA80A567CA228D2B5AF246D0602756025526
Initial sample name:	38Payment.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Process Name: 13MTN TP November airtime performance Bonus.pdf.exe Analysis ID: 39127

General

Root Process Name:	regdrv.exe
Process MD5:	C0EAF6EBE3AF1A42B8C9911F92714FE4
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	39127
Initial sample SHA 256:	BC9F1162F4EDB1024CB9BDB26282A2C55CBA24D07F498D45DFDE02FB583D969E
Initial sample name:	13MTN TP November airtime performance Bonus.pd.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Process Name: data.exe Analysis ID: 32007

General

Root Process Name:	regdrv.exe
Process MD5:	B56AA07E5FE953431CA8DE5326D6953D
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	32007
Initial sample SHA 256:	199A33F16BCC4DD012A3A4738CE5A2B21647150D09C84A1CC8C05338DB03E90E
Initial sample name:	Charter Embarkation & Destination Details.vbs

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Process Name: RAZBvEJG.exe Analysis ID: 36867

General

Root Process Name:	regdrv.exe
Process MD5:	38F778B7F5D646D294E9ACC754648AAA
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	36867
Initial sample SHA 256:	412863E767B5806B13EB38798FDB024C470A60B411E977019516FDD02F72071F
Initial sample name:	41Week 45_SIMReg Server Report.xls.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Process Name: fggCPClP.exe Analysis ID: 39823

General

Root Process Name:	regdrv.exe
Process MD5:	4DE78F999AE56C63667C37E912DA7310
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	39823
Initial sample SHA 256:	4ADE58BE4BFF31D154B51B92A6C6C8F9B849A4787C74635CDEB56350DCE62009
Initial sample name:	69S&D 7-8-9Dec.xls.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000002.00000002.451222330.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.451212243.00400000.00000002.sdmp
Associated: 00000002.00000002.451327316.00499000.00000008.sdmp
Associated: 00000002.00000002.451336597.004A4000.00000008.sdmp
Associated: 00000002.00000002.451363863.004C3000.00000008.sdmp
Associated: 00000002.00000002.451611285.00614000.00000004.sdmp
Associated: 00000002.00000002.451621919.00616000.00000008.sdmp

Process Name: SCAN00GOG0900.exe Analysis ID: 48661

General

Root Process Name:	regdrv.exe
Process MD5:	F51025B7377A6E1195B92C43C02AE280
Total matches:	232
Initial Analysis Report:	Open
Initial sample Analysis ID:	48661
Initial sample SHA 256:	3BC676885FCB24D6743D5EC70E405FFB4A45DC1CA41F7FCEC4863E719DCE69B3
Initial sample name:	SCAN00GOG090.exe

Similar Executed Functions

Function 004818F8, Relevance: 49.2, APIs: 10, Strings: 18, Instructions: 236 Total matches: 18keyboard

Similarity

Total matches: 18
API ID: GetKeyState$CallNextHookEx$GetKeyboardStateMapVirtualKeyToAscii
String ID: [<-]$[DEL]$[DOWN]$[ESC]$[F1]$[F2]$[F3]$[F4]$[F5]$[F6]$[F7]$[F8]$[INS]$[LEFT]$[NUM_LOCK]$[RIGHT]$[SNAPSHOT]$[UP]
API String ID: 2409940449-52828794
Opcode ID: b9566e8c43a4051c07ac84d60916a303a7beb698efc358184a9cd4bc7b664fbd
Instruction ID: 41c13876561f3d94aafb9dcaf6d0e9d475a0720bb5103e60537e1bfe84b96b73
Opcode Fuzzy Hash: 0731B68AA7159623D437E2D97101B910227BF975D0CC1A3333EDA3CAE99E900114BF25
Instruction Fuzzy Hash: 41c13876561f3d94aafb9dcaf6d0e9d475a0720bb5103e60537e1bfe84b96b73

APIs

CallNextHookEx.USER32(000601F9,00000000,?,?), ref: 00481948

Part of subcall function 004818E0: MapVirtualKeyA.USER32(00000000,00000000), ref: 004818E6

CallNextHookEx.USER32(000601F9,00000000,00000100,?), ref: 0048198C
GetKeyState.USER32(00000014), ref: 00481C4E
GetKeyState.USER32(00000011), ref: 00481C60
GetKeyState.USER32(000000A0), ref: 00481C75
GetKeyState.USER32(000000A1), ref: 00481C8A
GetKeyboardState.USER32(?), ref: 00481CA5
MapVirtualKeyA.USER32(00000000,00000000), ref: 00481CD7
ToAscii.USER32(00000000,00000000,00000000,00000000,?), ref: 00481CDE

Part of subcall function 00481318: ExitThread.KERNEL32(00000000,00000000,00481687,?,00000000,004816C3,?,?,?,?,0000000C,00000000,00000000), ref: 0048135E
Part of subcall function 00481318: CreateThread.KERNEL32(00000000,00000000,Function_000810D4,00000000,00000000,00499F94), ref: 0048162D

CallNextHookEx.USER32(000601F9,00000000,?,?), ref: 00481D3C

Strings

[LEFT], xrefs: 00481C07
[F3], xrefs: 00481B65
[DOWN], xrefs: 00481C2B
[<-], xrefs: 00481B1D
[NUM_LOCK], xrefs: 00481B2F
[RIGHT], xrefs: 00481C19
[F7], xrefs: 00481BAD
[DEL], xrefs: 00481BD1
[UP], xrefs: 00481C3D
[F4], xrefs: 00481B77
[ESC], xrefs: 00481AE7
[F8], xrefs: 00481BBF
[F5], xrefs: 00481B89
[F1], xrefs: 00481B41
[INS], xrefs: 00481BE3
[F6], xrefs: 00481B9B
[SNAPSHOT], xrefs: 00481BF5
[F2], xrefs: 00481B53

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00406C2C, Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184 Total matches: 2899registrystringlibrary

Similarity

Total matches: 2899
API ID: lstrcpyn$LoadLibraryExRegOpenKeyEx$RegQueryValueEx$GetLocaleInfoGetModuleFileNameGetThreadLocaleRegCloseKeylstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 3567661987-2375825460
Opcode ID: a3b1251d448c01bd6f1cc1c42774547fa8a2e6c4aa6bafad0bbf1d0ca6416942
Instruction ID: a303aaa8438224c55303324eb01105260f59544aa3820bfcbc018d52edb30607
Opcode Fuzzy Hash: 7311914307969393E8871B6124157D513A5AF01F30E4A7BF275F0206EABE46110CFA06
Instruction Fuzzy Hash: a303aaa8438224c55303324eb01105260f59544aa3820bfcbc018d52edb30607

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,00400000,004917C0), ref: 00406C48
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,004917C0), ref: 00406C66
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,004917C0), ref: 00406C84
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00406CA2

Part of subcall function 00406A68: GetModuleHandleA.KERNEL32(kernel32.dll,?,00400000,004917C0), ref: 00406A85
Part of subcall function 00406A68: GetProcAddress.KERNEL32(?,GetLongPathNameA,kernel32.dll,?,00400000,004917C0), ref: 00406A9C
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,?,00400000,004917C0), ref: 00406ACC
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B30
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B66
Part of subcall function 00406A68: FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B79
Part of subcall function 00406A68: FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B8B
Part of subcall function 00406A68: lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B97
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000), ref: 00406BCB
Part of subcall function 00406A68: lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00406BD7
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 00406BF9

RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,00406D31,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00406CEB
RegQueryValueExA.ADVAPI32(?,00406E98,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00406D31,?,80000001), ref: 00406D09
RegCloseKey.ADVAPI32(?,00406D38,00000000,?,?,00000000,00406D31,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00406D2B
lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00406D48
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00406D55
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00406D5B
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00406D86
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406DCD
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406DDD
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406E05
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406E15
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00406E3B
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 00406E4B

Strings

Software\Borland\Locales, xrefs: 00406C5C, 00406C7A
Software\Borland\Delphi\Locales, xrefs: 00406C98

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004865E0, Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 218 Total matches: 6networkwindowsleep

Similarity

Total matches: 6
API ID: DispatchMessagePeekMessageSleepTranslateMessageclosesocketconnectgethostbynameinet_addrntohsrecvshutdownsocket
String ID: AI$`cH
API String ID: 3460500621-1903509725
Opcode ID: 160ec415bf9cde1d180925ab74ab35c458bf35a5a8942b744c9c50ea7885072b
Instruction ID: bff04fe52ff06702a52ed8e0aeaacb9a4f873de297662bc347fa8b812471f346
Opcode Fuzzy Hash: A1318B84078ED51EE4327F307841F4B1295BFD6634E4597D68772396D22F01541EF91E
Instruction Fuzzy Hash: bff04fe52ff06702a52ed8e0aeaacb9a4f873de297662bc347fa8b812471f346

APIs

Sleep.KERNEL32(000000C8), ref: 00486682
TranslateMessage.USER32(?), ref: 00486690
DispatchMessageA.USER32(?), ref: 0048669C
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004866B0
socket.WSOCK32(00000002,00000001,00000000,?,00000000,00000000,00000000,00000001,000000C8), ref: 004866CE
ntohs.WSOCK32(00000774,00000002,00000001,00000000,?,00000000,00000000,00000000,00000001,000000C8), ref: 004866F8
inet_addr.WSOCK32(015EAA88,00000774,00000002,00000001,00000000,?,00000000,00000000,00000000,00000001,000000C8), ref: 00486709
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774,00000002,00000001,00000000,?,00000000,00000000,00000000,00000001,000000C8), ref: 0048671F
connect.WSOCK32(00000248,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000,?,00000000,00000000,00000000,00000001,000000C8), ref: 00486744

Part of subcall function 0041FA34: GetLastError.KERNEL32(00486514,00000004,0048650C,00000000,0041FADE,?,00499F5C), ref: 0041FA94

Part of subcall function 0041FC40: SetThreadPriority.KERNEL32(?,015CDB28,00499F5C,?,0047EC9E,?,?,?,00000000,00000000,?,0049062B), ref: 0041FC55

Part of subcall function 0041FEF0: ResumeThread.KERNEL32(?,00499F5C,?,0047ECAA,?,?,?,00000000,00000000,?,0049062B), ref: 0041FEF8

recv.WSOCK32(00000248,?,00002000,00000000,00000248,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000,?,00000000,00000000,00000000), ref: 004867CD
shutdown.WSOCK32(00000248,00000001,00000248,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000,?,00000000,00000000,00000000,00000001,000000C8), ref: 00486881
closesocket.WSOCK32(00000248,00000248,00000001,00000248,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000,?,00000000,00000000,00000000,00000001), ref: 0048688E

Part of subcall function 00405D40: SysFreeString.OLEAUT32(?), ref: 00405D53

Part of subcall function 00486528: shutdown.WSOCK32(00000248,00000002,00000001,004867E2,00000248,?,00002000,00000000,00000248,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000), ref: 004865BC
Part of subcall function 00486528: closesocket.WSOCK32(00000248,00000248,00000002,00000001,004867E2,00000248,?,00002000,00000000,00000248,00000002,00000010,015EAA88,00000774,00000002,00000001), ref: 004865C9

Strings

AI, xrefs: 0048681D
`cH, xrefs: 00486760

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00406D38, Relevance: 15.1, APIs: 10, Instructions: 98 Total matches: 2843stringlibrarythread

Similarity

Total matches: 2843
API ID: lstrcpyn$LoadLibraryEx$GetLocaleInfoGetThreadLocalelstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 2476548892-2375825460
Opcode ID: 37afa4b59127376f4a6833a35b99071d0dffa887068a3353cca0b5e1e5cd2bc3
Instruction ID: 0c520f96d45b86b238466289d2a994e593252e78d5c30d2048b7af96496f657b
Opcode Fuzzy Hash: 4CF0C883479793A7E04B1B422916AC853A4AF00F30F577BE1B970147FE7D1B240CA519
Instruction Fuzzy Hash: 0c520f96d45b86b238466289d2a994e593252e78d5c30d2048b7af96496f657b

APIs

lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00406D48
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00406D55
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00406D5B
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00406D86
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406DCD
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406DDD
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406E05
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406E15
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00406E3B
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 00406E4B

Strings

Software\Borland\Locales, xrefs: 00406C5C, 00406C7A
Software\Borland\Delphi\Locales, xrefs: 00406C98

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AEA8, Relevance: 9.1, APIs: 6, Instructions: 108 Total matches: 122

Similarity

Total matches: 122
API ID: AdjustTokenPrivilegesCloseHandleGetCurrentProcessGetLastErrorLookupPrivilegeValueOpenProcessToken
String ID:
API String ID: 1655903152-0
Opcode ID: c92d68a2c1c5faafb4a28c396f292a277a37f0b40326d7f586547878ef495775
Instruction ID: 5a044237aac15a3989e4021d08b96f5326c338692d3d0e66e444868dbe789150
Opcode Fuzzy Hash: 2CF0468513CAB2E7F879B18C3042FE73458B323244C8437219A903A18E0E59A12CEB13
Instruction Fuzzy Hash: 5a044237aac15a3989e4021d08b96f5326c338692d3d0e66e444868dbe789150

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AEFF
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF05
LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000), ref: 0048AF77
CloseHandle.KERNEL32(?), ref: 0048AF8D
GetLastError.KERNEL32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF9A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DDE0, Relevance: 7.6, APIs: 5, Instructions: 54 Total matches: 153

Similarity

Total matches: 153
API ID: FindResourceFreeResourceLoadResourceLockResourceSizeofResource
String ID:
API String ID: 3885362348-0
Opcode ID: ef8b8e58cde3d28224df1e0c57da641ab2d3d01fa82feb3a30011b4f31433ee9
Instruction ID: 9990bafbf40e834a260b48e1f62370990a3e04654371271e90c167a58edff6a8
Opcode Fuzzy Hash: 08D02B420B5FA197F51656482C813D722876B43386EC42BF2D31A3B2E39F058039F60B
Instruction Fuzzy Hash: 9990bafbf40e834a260b48e1f62370990a3e04654371271e90c167a58edff6a8

APIs

FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 0048DE1A
LoadResource.KERNEL32(00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE24
SizeofResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE2E
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE36
FreeResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00481ED8, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 86 Total matches: 13

Similarity

Total matches: 13
API ID: GetModuleHandleSetWindowsHookEx
String ID: 3 H$dclogs\
API String ID: 987070476-1752027334
Opcode ID: 4b23d8581528a2a1bc1133d8afea0c2915dbad2a911779c2aade704c29555fce
Instruction ID: b2120ba2d2fe5220d185ceeadd256cdd376e4b814eb240eb03e080d2c545ca01
Opcode Fuzzy Hash: 00F0D1DB07A9C683E1A2A4847C42796007D5F07115E8C8BB3473F7A4F64F164026F70A
Instruction Fuzzy Hash: b2120ba2d2fe5220d185ceeadd256cdd376e4b814eb240eb03e080d2c545ca01

APIs

GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00482007,?,?,00000003,00000000,00000000,?,00482033), ref: 00481EFB
SetWindowsHookExA.USER32(0000000D,004818F8,00000000,00000000), ref: 00481F09

Part of subcall function 0048ADCC: SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0048ADF9
Part of subcall function 0048ADCC: SHGetPathFromIDListA.SHELL32(?,?,00000000,0048AE8C,?,?,00000005,?,004856FD,00000000,00485755,?,?,00000005,00000000,00000000), ref: 0048AE09

Part of subcall function 0040A290: GetFileAttributesA.KERNEL32(00000000,?,0048FD09,?,?,00490710,?), ref: 0040A29B

Part of subcall function 00480F70: GetForegroundWindow.USER32 ref: 00480F8F
Part of subcall function 00480F70: GetWindowTextLengthA.USER32(00000000), ref: 00480F9B
Part of subcall function 00480F70: GetWindowTextA.USER32(00000000,00000000,00000001), ref: 00480FB8

Strings

dclogs\, xrefs: 00481F26, 00481F4C, 00481F6E
3 H, xrefs: 00481F16, 00481F23, 00481F30

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047EAEC, Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 149 Total matches: 19windowthread

Similarity

Total matches: 19
API ID: CreateThreadDispatchMessageGetMessageTranslateMessage
String ID: at $,xI$AI$AI$MPI$OFFLINEK$PWD$Unknow
API String ID: 994098336-2744674293
Opcode ID: 9eba81f8e67a9dabaeb5076a6d0005a8d272465a03f2cd78ec5fdf0e8a578f9a
Instruction ID: 2241c7d72abfc068c3e0d2a9a226d44f5f768712d3663902469fbf0e50918cf5
Opcode Fuzzy Hash: E81159DA27FED40AF533B93074417C781661B2B62CE5C53A24E3B38580DE83406A7F06
Instruction Fuzzy Hash: 2241c7d72abfc068c3e0d2a9a226d44f5f768712d3663902469fbf0e50918cf5

APIs

CreateThread.KERNEL32(00000000,00000000,00482028,00000000,00000000,00499F94), ref: 0047EB8D
GetMessageA.USER32(00499F5C,00000000,00000000,00000000), ref: 0047ECBF

Part of subcall function 0040BC98: GetLocalTime.KERNEL32(?), ref: 0040BCA0

Part of subcall function 0040BCC4: GetLocalTime.KERNEL32(?), ref: 0040BCCC

Part of subcall function 0041FA34: GetLastError.KERNEL32(00486514,00000004,0048650C,00000000,0041FADE,?,00499F5C), ref: 0041FA94

Part of subcall function 0041FC40: SetThreadPriority.KERNEL32(?,015CDB28,00499F5C,?,0047EC9E,?,?,?,00000000,00000000,?,0049062B), ref: 0041FC55

Part of subcall function 0041FEF0: ResumeThread.KERNEL32(?,00499F5C,?,0047ECAA,?,?,?,00000000,00000000,?,0049062B), ref: 0041FEF8

TranslateMessage.USER32(00499F5C), ref: 0047ECAD
DispatchMessageA.USER32(00499F5C), ref: 0047ECB3

Strings

OFFLINEK, xrefs: 0047EB61
,xI, xrefs: 0047EC45
AI, xrefs: 0047EB11, 0047EB3E
at , xrefs: 0047EC58
Unknow, xrefs: 0047EC0B
AI, xrefs: 0047EBFA, 0047EC04, 0047EC60
MPI, xrefs: 0047EB9D
PWD, xrefs: 0047EB26

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004458CC, Relevance: 19.9, APIs: 13, Instructions: 386 Total matches: 159window

Similarity

Total matches: 159
API ID: SetFocus$GetFocusIsWindowEnabledPostMessage$GetLastActivePopupIsWindowVisibleSendMessage
String ID:
API String ID: 914620548-0
Opcode ID: 7a550bb8e8bdfffe0a3d884064dd1348bcd58c670023c5df15e5d4cbc78359b7
Instruction ID: ae7cdb1027d949e36366800a998b34cbf022b374fa511ef6be9943eb0d4292bd
Opcode Fuzzy Hash: 79518B4165DF6212E8BB908076A3BE6604BF7C6B9ECC8DF3411D53649B3F44620EE306
Instruction Fuzzy Hash: ae7cdb1027d949e36366800a998b34cbf022b374fa511ef6be9943eb0d4292bd

APIs

Part of subcall function 00445780: SetThreadLocale.KERNEL32(00000400,?,?,?,0044593F,00000000,00445F57), ref: 004457A3

Part of subcall function 00445F90: SetActiveWindow.USER32(?), ref: 00445FB5
Part of subcall function 00445F90: IsWindowEnabled.USER32(00000000), ref: 00445FE1
Part of subcall function 00445F90: SetWindowPos.USER32(?,00000000,00000000,00000000,?,00000000,00000040), ref: 0044602B
Part of subcall function 00445F90: DefWindowProcA.USER32(?,00000112,0000F020,00000000), ref: 00446040

Part of subcall function 00446070: SetActiveWindow.USER32(?), ref: 0044608F
Part of subcall function 00446070: ShowWindow.USER32(00000000,00000009), ref: 004460B4
Part of subcall function 00446070: IsWindowEnabled.USER32(00000000), ref: 004460D3
Part of subcall function 00446070: DefWindowProcA.USER32(?,00000112,0000F120,00000000), ref: 004460EC
Part of subcall function 00446070: SetWindowPos.USER32(?,00000000,00000000,?,?,00445ABE,00000000), ref: 00446132
Part of subcall function 00446070: SetFocus.USER32(00000000), ref: 00446180

Part of subcall function 00445F74: LoadIconA.USER32(00000000,00007F00), ref: 00445F8A

PostMessageA.USER32(?,0000B001,00000000,00000000), ref: 00445BCD

Part of subcall function 00445490: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000213), ref: 004454DE

PostMessageA.USER32(?,0000B000,00000000,00000000), ref: 00445BAB
SendMessageA.USER32(?,?,?,?), ref: 00445C73

Part of subcall function 00405388: FreeLibrary.KERNEL32(00400000,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405410
Part of subcall function 00405388: ExitProcess.KERNEL32(00000000,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405448

Part of subcall function 0044641C: IsWindowEnabled.USER32(00000000), ref: 00446458

IsWindowEnabled.USER32(00000000), ref: 00445D18
IsWindowVisible.USER32(00000000), ref: 00445D2D
GetFocus.USER32 ref: 00445D41
SetFocus.USER32(00000000), ref: 00445D50
SetFocus.USER32(00000000), ref: 00445D6F
IsWindowEnabled.USER32(00000000), ref: 00445DD0
SetFocus.USER32(00000000), ref: 00445DF2
GetLastActivePopup.USER32(?), ref: 00445E0A

Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773

GetFocus.USER32 ref: 00445E4F

Part of subcall function 0043BA80: GetCurrentThreadId.KERNEL32(Function_0003BA1C,00000000,0044283C,00000000,004428BF), ref: 0043BA9A
Part of subcall function 0043BA80: EnumThreadWindows.USER32(00000000,Function_0003BA1C,00000000), ref: 0043BAA0

SetFocus.USER32(00000000), ref: 00445E70

Part of subcall function 00446A88: PostMessageA.USER32(?,0000B01F,00000000,00000000), ref: 00446BA1

Part of subcall function 004466B8: SendMessageA.USER32(?,0000B020,00000001,?), ref: 004466DC

Part of subcall function 0044665C: SendMessageA.USER32(?,0000B020,00000000,?), ref: 0044667E

Part of subcall function 0045D684: SystemParametersInfoA.USER32(00000068,00000000,015E3408,00000000), ref: 0045D6C8
Part of subcall function 0045D684: SendMessageA.USER32(?,?,00000000,00000000), ref: 0045D6DB

Part of subcall function 00445844: DefWindowProcA.USER32(?,?,?,?), ref: 0044586E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004450B4, Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 131 Total matches: 14windowregistry

Similarity

Total matches: 14
API ID: DeleteMenu$GetClassInfoGetSystemMenuRegisterClassSendMessageSetClassLongSetWindowLong
String ID: LPI$PMD
API String ID: 387369179-807424164
Opcode ID: 32fce7ee3e6ac0926511ec3e4f7c98ab685e9b31e2d706daccbfdcda0f6d1d6b
Instruction ID: d56ce0e432135cd6d309e63aa69e29fd16821da0556a9908f65c39b580e9a6e9
Opcode Fuzzy Hash: 5601A6826E8982A2E2E03082381279F408E9F8B745C34A72E50863056EEF4A4178FF06
Instruction Fuzzy Hash: d56ce0e432135cd6d309e63aa69e29fd16821da0556a9908f65c39b580e9a6e9

APIs

Part of subcall function 00421084: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 004210A2

GetClassInfoA.USER32(00400000,00444D50,?), ref: 00445113
RegisterClassA.USER32(004925FC), ref: 0044512B

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

Part of subcall function 0040857C: CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004085BB

SetWindowLongA.USER32(?,000000FC,?), ref: 004451C2
DeleteMenu.USER32(00000000,0000F010,00000000), ref: 00445235

Part of subcall function 00445F74: LoadIconA.USER32(00000000,00007F00), ref: 00445F8A

SendMessageA.USER32(?,00000080,00000001,00000000), ref: 004451E4
SetClassLongA.USER32(?,000000F2,00000000), ref: 004451F7
GetSystemMenu.USER32(?,00000000), ref: 00445202
DeleteMenu.USER32(00000000,0000F030,00000000), ref: 00445211
DeleteMenu.USER32(00000000,0000F000,00000000), ref: 0044521E

Strings

PMD, xrefs: 00445107, 0044519E
LPI, xrefs: 004450DD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045DAE0, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 103 Total matches: 45registrylibraryloader

Similarity

Total matches: 45
API ID: GlobalAddAtom$GetCurrentProcessIdGetCurrentThreadIdGetModuleHandleGetProcAddressRegisterWindowMessage
String ID: AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$USER32
API String ID: 1182141063-1126952177
Opcode ID: f8c647dae10644b7e730f5649d963eb01b1b77fd7d0b633dfddc8baab0ae74fb
Instruction ID: 6dc9b78338348dc7afd8e3f20dad2926db9f0bd5be2625dc934bf3846c6fa984
Opcode Fuzzy Hash: ED0140552F89B147427255E03449BB534B6A707F4B4CA77531B0D3A1F9AE074025FB1E
Instruction Fuzzy Hash: 6dc9b78338348dc7afd8e3f20dad2926db9f0bd5be2625dc934bf3846c6fa984

APIs

GetCurrentProcessId.KERNEL32(?,00000000,0045DC58), ref: 0045DB01
GlobalAddAtomA.KERNEL32(00000000), ref: 0045DB34
GetCurrentThreadId.KERNEL32(?,?,00000000,0045DC58), ref: 0045DB4F
GlobalAddAtomA.KERNEL32(00000000), ref: 0045DB85
RegisterWindowMessageA.USER32(00000000,00000000,?,?,00000000,0045DC58), ref: 0045DB9B

Part of subcall function 00419AB0: InitializeCriticalSection.KERNEL32(004174C8,?,?,0045DBB1,00000000,00000000,?,?,00000000,0045DC58), ref: 00419ACF

Part of subcall function 0045D6E8: SetErrorMode.KERNEL32(00008000), ref: 0045D701
Part of subcall function 0045D6E8: GetModuleHandleA.KERNEL32(USER32,00000000,0045D84E,?,00008000), ref: 0045D725
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,WINNLSEnableIME,USER32,00000000,0045D84E,?,00008000), ref: 0045D732
Part of subcall function 0045D6E8: LoadLibraryA.KERNEL32(imm32.dll), ref: 0045D74E
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D770
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D785
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D79A
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7AF
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7C4
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E), ref: 0045D7D9
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000), ref: 0045D7EE
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext), ref: 0045D803
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext), ref: 0045D818
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmNotifyIME,00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus), ref: 0045D82D
Part of subcall function 0045D6E8: SetErrorMode.KERNEL32(?,0045D855,00008000), ref: 0045D848

Part of subcall function 00443B58: GetKeyboardLayout.USER32(00000000), ref: 00443B9D
Part of subcall function 00443B58: GetDC.USER32(00000000), ref: 00443BF2
Part of subcall function 00443B58: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00443BFC
Part of subcall function 00443B58: ReleaseDC.USER32(00000000,00000000), ref: 00443C07

Part of subcall function 00444D60: LoadIconA.USER32(00400000,MAINICON), ref: 00444E57
Part of subcall function 00444D60: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON), ref: 00444E89
Part of subcall function 00444D60: OemToCharA.USER32(?,?), ref: 00444E9C
Part of subcall function 00444D60: CharNextA.USER32(?), ref: 00444EDB
Part of subcall function 00444D60: CharLowerA.USER32(00000000), ref: 00444EE1

GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,?,00000000,0045DC58), ref: 0045DC1F
GetProcAddress.KERNEL32(00000000,AnimateWindow,USER32,00000000,00000000,?,?,00000000,0045DC58), ref: 0045DC30

Strings

Delphi%.8X, xrefs: 0045DB12
ControlOfs%.8X%.8X, xrefs: 0045DB63
AnimateWindow, xrefs: 0045DC2A
USER32, xrefs: 0045DC1A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444D60, Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 135 Total matches: 14window

Similarity

Total matches: 14
API ID: CharLowerCharNextGetModuleFileNameLoadIconOemToChar
String ID: 08B$0PI$8PI$MAINICON$\tA
API String ID: 1282013903-4242882941
Opcode ID: ff2b085099440c5ca1f97a8a9a6e2422089f81c1f58cd04fd4e646ad6fccc634
Instruction ID: 1a7e1b5cc773515fc1e1ce3387cb9199d5a608ac43a7cc09dd1af1e5a3a2e712
Opcode Fuzzy Hash: 76112C42068596E4E03967743814BC96091FB95F3AEB8AB7156F570BE48F418125F31C
Instruction Fuzzy Hash: 1a7e1b5cc773515fc1e1ce3387cb9199d5a608ac43a7cc09dd1af1e5a3a2e712

APIs

LoadIconA.USER32(00400000,MAINICON), ref: 00444E57

Part of subcall function 0042B29C: GetIconInfo.USER32(?,?), ref: 0042B2BD
Part of subcall function 0042B29C: GetObjectA.GDI32(?,00000018,?), ref: 0042B2DE
Part of subcall function 0042B29C: DeleteObject.GDI32(?), ref: 0042B30A
Part of subcall function 0042B29C: DeleteObject.GDI32(?), ref: 0042B313

GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON), ref: 00444E89
OemToCharA.USER32(?,?), ref: 00444E9C
CharNextA.USER32(?), ref: 00444EDB
CharLowerA.USER32(00000000), ref: 00444EE1

Part of subcall function 00421140: GetClassInfoA.USER32(00400000,00421130,?), ref: 00421161
Part of subcall function 00421140: UnregisterClassA.USER32(00421130,00400000), ref: 0042118A
Part of subcall function 00421140: RegisterClassA.USER32(00491B50), ref: 00421194
Part of subcall function 00421140: SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 004211DF

Part of subcall function 004450B4: GetClassInfoA.USER32(00400000,00444D50,?), ref: 00445113
Part of subcall function 004450B4: RegisterClassA.USER32(004925FC), ref: 0044512B
Part of subcall function 004450B4: SetWindowLongA.USER32(?,000000FC,?), ref: 004451C2
Part of subcall function 004450B4: SendMessageA.USER32(?,00000080,00000001,00000000), ref: 004451E4
Part of subcall function 004450B4: SetClassLongA.USER32(?,000000F2,00000000), ref: 004451F7
Part of subcall function 004450B4: GetSystemMenu.USER32(?,00000000), ref: 00445202
Part of subcall function 004450B4: DeleteMenu.USER32(00000000,0000F030,00000000), ref: 00445211
Part of subcall function 004450B4: DeleteMenu.USER32(00000000,0000F000,00000000), ref: 0044521E
Part of subcall function 004450B4: DeleteMenu.USER32(00000000,0000F010,00000000), ref: 00445235

Strings

MAINICON, xrefs: 00444E4A
08B, xrefs: 00444E38
0PI, xrefs: 00444E4F, 00444E81
8PI, xrefs: 00444F14
\tA, xrefs: 00444DBF, 00444DD1, 00444DE3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00481318, Relevance: 16.0, APIs: 2, Strings: 7, Instructions: 241 Total matches: 16thread

Similarity

Total matches: 16
API ID: CreateThreadExitThread
String ID: Bytes ($,xI$:: $:: Clipboard Change : size = $FTPSIZE$FTPUPLOADK$dclogs\
API String ID: 3550501405-4171340091
Opcode ID: 09ac825b311b0dae764bb850de313dcff2ce8638679eaf641d47129c8347c1b6
Instruction ID: 18a29a8180aa3c51a0af157095e3a2943ba53103427a66675ab0ae847ae08d92
Opcode Fuzzy Hash: A8315BC70B99DEDBE522BCD838413A6446E1B4364DD4C1B224B397D4F14F09203AF712
Instruction Fuzzy Hash: 18a29a8180aa3c51a0af157095e3a2943ba53103427a66675ab0ae847ae08d92

APIs

ExitThread.KERNEL32(00000000,00000000,00481687,?,00000000,004816C3,?,?,?,?,0000000C,00000000,00000000), ref: 0048135E

Part of subcall function 00480F70: GetForegroundWindow.USER32 ref: 00480F8F
Part of subcall function 00480F70: GetWindowTextLengthA.USER32(00000000), ref: 00480F9B
Part of subcall function 00480F70: GetWindowTextA.USER32(00000000,00000000,00000001), ref: 00480FB8

Part of subcall function 0048ADCC: SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0048ADF9
Part of subcall function 0048ADCC: SHGetPathFromIDListA.SHELL32(?,?,00000000,0048AE8C,?,?,00000005,?,004856FD,00000000,00485755,?,?,00000005,00000000,00000000), ref: 0048AE09

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

Part of subcall function 0040BCC4: GetLocalTime.KERNEL32(?), ref: 0040BCCC

Part of subcall function 00480FEC: FindFirstFileA.KERNEL32(00000000,?,00000000,0048109E), ref: 0048101E

CreateThread.KERNEL32(00000000,00000000,Function_000810D4,00000000,00000000,00499F94), ref: 0048162D

Strings

FTPUPLOADK, xrefs: 0048159E
,xI, xrefs: 00481482, 0048151D
dclogs\, xrefs: 004813DB, 0048142A, 004815C7
FTPSIZE, xrefs: 004815F1
:: , xrefs: 00481492
Bytes (, xrefs: 0048153F
:: Clipboard Change : size = , xrefs: 0048152D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048B908, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 138 Total matches: 28

Similarity

Total matches: 28
API ID: GetTokenInformation$CloseHandleGetCurrentProcessOpenProcessToken
String ID: Default$Full$Limited$unknow
API String ID: 3519712506-3005279702
Opcode ID: c9e83fe5ef618880897256b557ce500f1bf5ac68e7136ff2dc4328b35d11ffd0
Instruction ID: 0b4c06dab34d27ad9d68d80be0f4d698db9405c4a95def130c1ac261927f5781
Opcode Fuzzy Hash: 94012245479DA6FB6826709C78036E90090EEA3505DC827320F1A3EA430F49906DFE03
Instruction Fuzzy Hash: 0b4c06dab34d27ad9d68d80be0f4d698db9405c4a95def130c1ac261927f5781

APIs

GetCurrentProcess.KERNEL32(00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B93E
OpenProcessToken.ADVAPI32(00000000,00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B944
GetTokenInformation.ADVAPI32(?,00000012(TokenIntegrityLevel),?,00000004,?,00000000,0048BA30,?,00000000,00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B96F
GetTokenInformation.ADVAPI32(?,00000014(TokenIntegrityLevel),?,00000004,?,?,TokenIntegrityLevel,?,00000004,?,00000000,0048BA30,?,00000000,00000008,?), ref: 0048B9DF
CloseHandle.KERNEL32(?), ref: 0048BA2A

Strings

unknow, xrefs: 0048B9B6
Limited, xrefs: 0048B9A7
Default, xrefs: 0048B989
Full, xrefs: 0048B998

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004035C4, Relevance: 15.1, APIs: 10, Instructions: 129 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: d538ecb20819965be69077a828496b76d5af3486dd71f6717b9dc933de35fdbc
Instruction ID: c976212507a0127e09b4f1878ff8970bdbefa7b4a5e526d5fabf74a192684bc9
Opcode Fuzzy Hash: DD012BC0B7E89268E42FAB84AA00FD25444979FFC9E70C74433C9615EE6742616CBE09
Instruction Fuzzy Hash: c976212507a0127e09b4f1878ff8970bdbefa7b4a5e526d5fabf74a192684bc9

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040364C
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00403670
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040368C
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 004036AD
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 004036D6
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 004036E4
GetStdHandle.KERNEL32(000000F5), ref: 0040371F
GetFileType.KERNEL32 ref: 00403735
CloseHandle.KERNEL32 ref: 00403750
GetLastError.KERNEL32(000000F5), ref: 00403768

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040EBCC, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201 Total matches: 3634thread

Similarity

Total matches: 3634
API ID: GetThreadLocale
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 1366207816-2493093252
Opcode ID: 01a36ac411dc2f0c4b9eddfafa1dc6121dabec367388c2cb1b6e664117e908cf
Instruction ID: d03f869ccb848d3c28b0e9f5c57a02ed4726818649ba9b5e70cc30c7e7abe10a
Opcode Fuzzy Hash: 7E216E09A7888936D262494C3885B9414F75F1A161EC4CBF18BB2757ED6EC60422FBFB
Instruction Fuzzy Hash: d03f869ccb848d3c28b0e9f5c57a02ed4726818649ba9b5e70cc30c7e7abe10a

APIs

Part of subcall function 0040EB08: GetThreadLocale.KERNEL32 ref: 0040EB2A
Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000004A), ref: 0040EB7D
Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000002A), ref: 0040EB8C

Part of subcall function 0040D3E8: GetThreadLocale.KERNEL32(00000000,0040D4FB,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040D404

GetThreadLocale.KERNEL32(00000000,0040EE97,?,?,00000000,00000000), ref: 0040EC02

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Part of subcall function 0040D380: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040EC7E,00000000,0040EE97,?,?,00000000,00000000), ref: 0040D393

Part of subcall function 0040D670: GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(?,00000000,0040D657,?,?,00000000), ref: 0040D5D8
Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040D657,?,?,00000000), ref: 0040D608
Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D50C,00000000,00000000,00000004), ref: 0040D613
Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040D657,?,?,00000000), ref: 0040D631
Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D548,00000000,00000000,00000003), ref: 0040D63C

Strings

AMPM , xrefs: 0040EE25
mmmm d, yyyy, xrefs: 0040ECFE
m/d/yy, xrefs: 0040ECD1
:mm, xrefs: 0040EE35
:mm:ss, xrefs: 0040EE52
AMPM, xrefs: 0040EE16

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045F5F8, Relevance: 10.6, APIs: 7, Instructions: 117 Total matches: 462file

Similarity

Total matches: 462
API ID: CloseHandle$CreateFileCreateFileMappingGetFileSizeMapViewOfFileUnmapViewOfFile
String ID:
API String ID: 4232242029-0
Opcode ID: 30b260463d44c6b5450ee73c488d4c98762007a87f67d167b52aaf6bd441c3bf
Instruction ID: 5c790fdba87d6d3a28b45298bdc34f72c373fcd78425af207109af52e92f4d8f
Opcode Fuzzy Hash: 68F028440BCCF3A7F4B5B64820427A1004AAB46B58D54BFA25495374CB89C9B04DFB53
Instruction Fuzzy Hash: 5c790fdba87d6d3a28b45298bdc34f72c373fcd78425af207109af52e92f4d8f

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateFileA.KERNEL32(00000000,80000000,00000003,00000000,00000003,08000080,00000000), ref: 0045F637
CreateFileMappingA.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0045F665
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718,?,?,?,?), ref: 0045F691
GetFileSize.KERNEL32(000000FF,00000000,00000000,0045F6DC,?,00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718), ref: 0045F6B3
UnmapViewOfFile.KERNEL32(00000000,0045F6E3,0045F6DC,?,00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718), ref: 0045F6D6
CloseHandle.KERNEL32(00000000), ref: 0045F6F4
CloseHandle.KERNEL32(000000FF), ref: 0045F712

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AFE8, Relevance: 10.6, APIs: 7, Instructions: 94 Total matches: 34sleep

Similarity

Total matches: 34
API ID: Sleep$GetCurrentProcessGetTokenInformationLookupPrivilegeDisplayNameLookupPrivilegeNameOpenProcessToken
String ID:
API String ID: 2949210484-0
Opcode ID: 1294ace95088db967643d611283e857756515b83d680ef470e886f47612abab4
Instruction ID: 080af5cb768fd98714a9d060fcd45c73de1816ca9ba7ffb4874f351f539571ee
Opcode Fuzzy Hash: F9F0F6524B5DE753F65D2A4C9893BE90250DB03424E806B22857877A8A5E195039FA2A
Instruction Fuzzy Hash: 080af5cb768fd98714a9d060fcd45c73de1816ca9ba7ffb4874f351f539571ee

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048B0F3), ref: 0048B016
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048B0F3), ref: 0048B01C
Sleep.KERNEL32(00000001,00000000,00000028,?,00000000,0048B0F3), ref: 0048B027
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B03C
Sleep.KERNEL32(00000001,?,TokenIntegrityLevel,00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B047
LookupPrivilegeNameA.ADVAPI32(00000000,00000004,00000000,000000FF), ref: 0048B094
LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,?,000000FF,?), ref: 0048B0A8

Part of subcall function 0048AEA8: GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AEFF
Part of subcall function 0048AEA8: OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF05
Part of subcall function 0048AEA8: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
Part of subcall function 0048AEA8: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000), ref: 0048AF77
Part of subcall function 0048AEA8: CloseHandle.KERNEL32(?), ref: 0048AF8D
Part of subcall function 0048AEA8: GetLastError.KERNEL32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF9A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048F888, Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 110 Total matches: 18

Similarity

Total matches: 18
API ID: CoInitialize
String ID: .dcp$DCDATA$GENCODE$MPI$NETDATA
API String ID: 2346599605-3060965071
Opcode ID: 5b2698c0d83cdaee763fcf6fdf8d4463e192853437356cece5346bd183c87f4d
Instruction ID: bf1364519f653df7cd18a9a38ec8bfca38719d83700d8c9dcdc44dde4d16a583
Opcode Fuzzy Hash: 990190478FEEC01AF2139D64387B7C100994F53F55E840B9B557D3E5A08947502BB705
Instruction Fuzzy Hash: bf1364519f653df7cd18a9a38ec8bfca38719d83700d8c9dcdc44dde4d16a583

APIs

Part of subcall function 004076D4: GetModuleHandleA.KERNEL32(00000000,?,0048F8A5,?,?,?,0000002F,00000000,00000000), ref: 004076E0

CoInitialize.OLE32(00000000), ref: 0048F8B5

Part of subcall function 0048AFE8: GetCurrentProcess.KERNEL32(00000028,?,00000000,0048B0F3), ref: 0048B016
Part of subcall function 0048AFE8: OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048B0F3), ref: 0048B01C
Part of subcall function 0048AFE8: Sleep.KERNEL32(00000001,00000000,00000028,?,00000000,0048B0F3), ref: 0048B027
Part of subcall function 0048AFE8: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B03C
Part of subcall function 0048AFE8: Sleep.KERNEL32(00000001,?,TokenIntegrityLevel,00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B047
Part of subcall function 0048AFE8: LookupPrivilegeNameA.ADVAPI32(00000000,00000004,00000000,000000FF), ref: 0048B094
Part of subcall function 0048AFE8: LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,?,000000FF,?), ref: 0048B0A8

Part of subcall function 0040F234: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0048F90F,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040F24B

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

Strings

.dcp, xrefs: 0048F92D, 0048F989
DCDATA, xrefs: 0048F8E9
NETDATA, xrefs: 0048F9B6
MPI, xrefs: 0048F8BA
GENCODE, xrefs: 0048F920, 0048F97C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B47C, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58 Total matches: 283

Similarity

Total matches: 283
API ID: MulDiv
String ID: MS Shell Dlg 2$SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes$Tahoma
API String ID: 940359406-1011973972
Opcode ID: 9f338f1e3de2c8e95426f3758bdd42744a67dcd51be80453ed6f2017c850a3af
Instruction ID: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a
Opcode Fuzzy Hash: EDE0680017C8F0ABFC32BC8A30A17CD20C9F341270C0063B1065D3D8CAAB4AC018E907
Instruction Fuzzy Hash: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a

APIs

MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0042B4A2

Part of subcall function 004217A0: RegCloseKey.ADVAPI32(10940000,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5,?,00000000,0048B2DD), ref: 004217B4

Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421A81
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421AF1
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?), ref: 00421B5C

Part of subcall function 00421770: RegFlushKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 00421781
Part of subcall function 00421770: RegCloseKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 0042178A

Part of subcall function 0042B438: GetDC.USER32(00000000), ref: 0042B441
Part of subcall function 0042B438: SelectObject.GDI32(00000000,018A002E), ref: 0042B453
Part of subcall function 0042B438: GetTextMetricsA.GDI32(00000000), ref: 0042B45E
Part of subcall function 0042B438: ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes, xrefs: 0042B4F8
MS Shell Dlg 2, xrefs: 0042B50C
Tahoma, xrefs: 0042B4C4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00480F70, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43 Total matches: 13

Similarity

Total matches: 13
API ID: GetForegroundWindowGetWindowTextGetWindowTextLength
String ID: 3 H
API String ID: 3098183346-888106971
Opcode ID: 38df64794ac19d1a41c58ddb3103a8d6ab7d810f67298610b47d21a238081d5e
Instruction ID: fd1deb06fecc2756381cd848e34cdb6bc2d530e728f99936ce181bacb4a15fce
Opcode Fuzzy Hash: 41D0A785074A821B944A95CC64011E692D4A171281D803B31CB257A5C9ED06001FA82B
Instruction Fuzzy Hash: fd1deb06fecc2756381cd848e34cdb6bc2d530e728f99936ce181bacb4a15fce

APIs

GetForegroundWindow.USER32 ref: 00480F8F
GetWindowTextLengthA.USER32(00000000), ref: 00480F9B
GetWindowTextA.USER32(00000000,00000000,00000001), ref: 00480FB8

Strings

3 H, xrefs: 00480FD4, 00480FA3, 00480FAE, 00480FBF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00421140, Relevance: 6.1, APIs: 4, Instructions: 59 Total matches: 2877registry

Similarity

Total matches: 2877
API ID: GetClassInfoRegisterClassSetWindowLongUnregisterClass
String ID:
API String ID: 1046148194-0
Opcode ID: c2411987b4f71cfd8dbf515c505d6b009a951c89100e7b51cc1a9ad4868d85a2
Instruction ID: ad09bb2cd35af243c34bf0a983bbfa5e937b059beb8f7eacfcf21e0321a204f6
Opcode Fuzzy Hash: 17E026123D08D3D6E68B3107302B30D00AC1B2F524D94E725428030310CB24B034D942
Instruction Fuzzy Hash: ad09bb2cd35af243c34bf0a983bbfa5e937b059beb8f7eacfcf21e0321a204f6

APIs

GetClassInfoA.USER32(00400000,00421130,?), ref: 00421161
UnregisterClassA.USER32(00421130,00400000), ref: 0042118A
RegisterClassA.USER32(00491B50), ref: 00421194

Part of subcall function 0040857C: CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004085BB

Part of subcall function 00421084: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 004210A2

SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 004211DF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00421808, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74 Total matches: 14registry

Similarity

Total matches: 14
API ID: RegCloseKeyRegCreateKeyEx
String ID: ddA
API String ID: 4178925417-2966775115
Opcode ID: 48d059bb8e84bc3192dc11d099b9e0818b120cb04e32a6abfd9049538a466001
Instruction ID: bcac8fa413c5abe8057b39d2fbf4054ffa52545f664d92bf1e259ce37bb87d2b
Opcode Fuzzy Hash: 99E0E5461A86A377B41BB1583001B523267EB167A6C85AB72164D3EADBAA40802DAE53
Instruction Fuzzy Hash: bcac8fa413c5abe8057b39d2fbf4054ffa52545f664d92bf1e259ce37bb87d2b

APIs

RegCreateKeyExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,000F003F,00000000,?,?,00000000,004218D4,?,?,?,00000000), ref: 0042187F
RegCloseKey.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,000F003F,00000000,?,?,00000000,004218D4,?,?,?,00000000), ref: 00421893

Strings

ddA, xrefs: 004218A7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486374, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66 Total matches: 15network

Similarity

Total matches: 15
API ID: send
String ID: #KEEPALIVE#$AI
API String ID: 2809346765-3407633610
Opcode ID: 7bd268bc54a74c8d262fb2d4f92eedc3231c4863c0e0b1ad2c3d318767d32110
Instruction ID: 49a0c3b4463e99ba8d4a2c6ba6a42864ce88c18c059a57f1afd8745127692009
Opcode Fuzzy Hash: 34E068800B79C40B586BB094394371320D2EE1171988473305F003F967CD40501E2E93
Instruction Fuzzy Hash: 49a0c3b4463e99ba8d4a2c6ba6a42864ce88c18c059a57f1afd8745127692009

APIs

send.WSOCK32(?,?,?,00000000,00000000,0048642A), ref: 004863F3

Strings

AI, xrefs: 004863A6
#KEEPALIVE#, xrefs: 00486399

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DD0C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51 Total matches: 15

Similarity

Total matches: 15
API ID: GlobalMemoryStatus
String ID: $%d%
API String ID: 1890195054-1553997471
Opcode ID: b93ee82e74eb3fdc7cf13e02b5efcaa0aef25b4b863b00f7ccdd0b9efdff76e6
Instruction ID: fe5533f6b2d125ff6ee6e2ff500c73019a28ed325643b914abb945f4eac8f20d
Opcode Fuzzy Hash: 64D05BD70F99F457A5A1718E3452FA400956F036D9CC83BB349946E99F071F80ACF612
Instruction Fuzzy Hash: fe5533f6b2d125ff6ee6e2ff500c73019a28ed325643b914abb945f4eac8f20d

APIs

GlobalMemoryStatus.KERNEL32(00000020), ref: 0048DD44

Strings

%d%, xrefs: 0048DD5C
, xrefs: 0048DD39

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048CF38, Relevance: 4.5, APIs: 3, Instructions: 43 Total matches: 31

Similarity

Total matches: 31
API ID: GetForegroundWindowGetWindowTextGetWindowTextLength
String ID:
API String ID: 3098183346-0
Opcode ID: 209e0569b9b6198440fd91fa0607dca7769e34364d6ddda49eba559da13bc80b
Instruction ID: 91d0bfb2ef12b00d399625e8c88d0df52cd9c99a94677dcfff05ce23f9c63a23
Opcode Fuzzy Hash: 06D0A785074B861BA40A96CC64011E692906161142D8077318725BA5C9AD06001FA85B
Instruction Fuzzy Hash: 91d0bfb2ef12b00d399625e8c88d0df52cd9c99a94677dcfff05ce23f9c63a23

APIs

GetForegroundWindow.USER32 ref: 0048CF57
GetWindowTextLengthA.USER32(00000000), ref: 0048CF63
GetWindowTextA.USER32(00000000,00000000,00000001), ref: 0048CF80

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482028, Relevance: 4.5, APIs: 3, Instructions: 19 Total matches: 124window

Similarity

Total matches: 124
API ID: DispatchMessageGetMessageTranslateMessage
String ID:
API String ID: 238847732-0
Opcode ID: 2bc29e822e5a19ca43f9056ef731e5d255ca23f22894fa6ffe39914f176e67d0
Instruction ID: 3635f244085e73605198e4edd337f824154064b4cabe78c039b45d2f1f3269be
Opcode Fuzzy Hash: A9B0120F8141E01F254D19651413380B5D379C3120E515B604E2340284D19031C97C49
Instruction Fuzzy Hash: 3635f244085e73605198e4edd337f824154064b4cabe78c039b45d2f1f3269be

APIs

Part of subcall function 00481ED8: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00482007,?,?,00000003,00000000,00000000,?,00482033), ref: 00481EFB
Part of subcall function 00481ED8: SetWindowsHookExA.USER32(0000000D,004818F8,00000000,00000000), ref: 00481F09

TranslateMessage.USER32 ref: 00482036
DispatchMessageA.USER32 ref: 0048203C
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00482048

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C91C, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 75 Total matches: 20

Similarity

Total matches: 20
API ID: GetVolumeInformation
String ID: %.4x:%.4x
API String ID: 1114431059-3532927987
Opcode ID: 208ca3ebf28c5cea15b573a569a7b8c9d147c1ff64dfac4d15af7b461a718bc8
Instruction ID: 4ae5e3aba91ec141201c4859cc19818ff8a02ee484ece83311eb3b9305c11bcf
Opcode Fuzzy Hash: F8E0E5410AC961EBB4D3F0883543BA2319593A3289C807B73B7467FDD64F05505DD847
Instruction Fuzzy Hash: 4ae5e3aba91ec141201c4859cc19818ff8a02ee484ece83311eb3b9305c11bcf

APIs

GetVolumeInformationA.KERNEL32(00000000,00000000,00000104,?,?,?,00000000,00000104), ref: 0048C974

Strings

%.4x:%.4x, xrefs: 0048C9B9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048CFB4, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58 Total matches: 8

Similarity

Total matches: 8
API ID: capGetDriverDescription
String ID: -
API String ID: 908034968-3695764949
Opcode ID: 539b46e002ba2863d7d2c04a7b077dd225392ffb50804089dcc6361416e5df4e
Instruction ID: 038fcc9a5db2c7f42583a832665ba5c588812794c244530825cfc74b69c29f65
Opcode Fuzzy Hash: 2EE0228213B0DAF7E5A00FA03864F5C0B640F02AB8F8C9FA2A278651EE2C14404CE24F
Instruction Fuzzy Hash: 038fcc9a5db2c7f42583a832665ba5c588812794c244530825cfc74b69c29f65

APIs

capGetDriverDescriptionA.AVICAP32(00000000,?,00000105,?,00000105,00000000,0048D07B), ref: 0048CFF9

Strings

- , xrefs: 0048D026

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00475E2C, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 51 Total matches: 7network

Similarity

Total matches: 7
API ID: send
String ID: AI
API String ID: 2809346765-2814088591
Opcode ID: 868ad7ac68dacb7c8c4160927bbae46afa974d2bcec77bad21f6f3dd38f5bacb
Instruction ID: 18704ec08ed0309c1d2906dc748e140c54c21f2532b483477e06f3f57a53c56f
Opcode Fuzzy Hash: 47D0C246096AC96BA413E890396335B2097FB40259D802B700B102F0978E05601BAE83
Instruction Fuzzy Hash: 18704ec08ed0309c1d2906dc748e140c54c21f2532b483477e06f3f57a53c56f

APIs

send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

AI, xrefs: 00475E55

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004221F0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47 Total matches: 18registry

Similarity

Total matches: 18
API ID: RegQueryValueEx
String ID: ldA
API String ID: 3865029661-3200660723
Opcode ID: ec304090a766059ca8447c7e950ba422bbcd8eaba57a730efadba48c404323b5
Instruction ID: 1bfdbd06430122471a07604155f074e1564294130eb9d59a974828bfc3ff2ca5
Opcode Fuzzy Hash: 87D05E281E48858525DA74D93101B522241E7193938CC3F618A4C976EB6900F018EE0F
Instruction Fuzzy Hash: 1bfdbd06430122471a07604155f074e1564294130eb9d59a974828bfc3ff2ca5

APIs

RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000), ref: 0042221B

Strings

ldA, xrefs: 00422231

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00421F68, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36 Total matches: 12registry

Similarity

Total matches: 12
API ID: RegQueryValueEx
String ID: n"B
API String ID: 3865029661-2187876772
Opcode ID: 26fd4214dafc6fead50bf7e0389a84ae86561299910b3c40f1938d96c80dcc37
Instruction ID: ad829994a2409f232093606efc953ae9cd3a3a4e40ce86781ec441e637d7f613
Opcode Fuzzy Hash: A2C08C4DAA204AD6E1B42500D481F0827816B633B9D826F400162222E3BA009A9FE85C
Instruction Fuzzy Hash: ad829994a2409f232093606efc953ae9cd3a3a4e40ce86781ec441e637d7f613

APIs

RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,00000000,n"B,?,?,?,?,00000000,0042226E), ref: 00421F9A

Strings

n"B, xrefs: 00421F81, 00421F84

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Similar Non-Executed Functions

Function 0048B42C, Relevance: 70.2, APIs: 32, Strings: 8, Instructions: 219 Total matches: 29keyboard

Similarity

Total matches: 29
API ID: keybd_event
String ID: CTRLA$CTRLC$CTRLF$CTRLP$CTRLV$CTRLX$CTRLY$CTRLZ
API String ID: 2665452162-853614746
Opcode ID: 4def22f753c7f563c1d721fcc218f3f6eb664e5370ee48361dbc989d32d74133
Instruction ID: 963b610819eac8b52ef880b5a8b69d76f76adbdeafee6c47af906d1515d6b099
Opcode Fuzzy Hash: 532196951B0CA2B978DA64817C0E195F00B969B34DEDC13128990DAF788EF08DE03F35
Instruction Fuzzy Hash: 963b610819eac8b52ef880b5a8b69d76f76adbdeafee6c47af906d1515d6b099

APIs

keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B460
keybd_event.USER32(00000041,00000045,00000001,00000000), ref: 0048B46D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B47A
keybd_event.USER32(00000041,00000045,00000003,00000000), ref: 0048B487
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B4A8
keybd_event.USER32(00000056,00000045,00000001,00000000), ref: 0048B4B5
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B4C2
keybd_event.USER32(00000056,00000045,00000003,00000000), ref: 0048B4CF
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B4F0
keybd_event.USER32(00000043,00000045,00000001,00000000), ref: 0048B4FD
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B50A
keybd_event.USER32(00000043,00000045,00000003,00000000), ref: 0048B517
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B538
keybd_event.USER32(00000058,00000045,00000001,00000000), ref: 0048B545
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B552
keybd_event.USER32(00000058,00000045,00000003,00000000), ref: 0048B55F
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B580
keybd_event.USER32(00000050,00000045,00000001,00000000), ref: 0048B58D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B59A
keybd_event.USER32(00000050,00000045,00000003,00000000), ref: 0048B5A7
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B5C8
keybd_event.USER32(0000005A,00000045,00000001,00000000), ref: 0048B5D5
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B5E2
keybd_event.USER32(0000005A,00000045,00000003,00000000), ref: 0048B5EF
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B610
keybd_event.USER32(00000059,00000045,00000001,00000000), ref: 0048B61D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B62A
keybd_event.USER32(00000059,00000045,00000003,00000000), ref: 0048B637
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B655
keybd_event.USER32(00000046,00000045,00000001,00000000), ref: 0048B662
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B66F
keybd_event.USER32(00000046,00000045,00000003,00000000), ref: 0048B67C

Strings

CTRLP, xrefs: 0048B56C
CTRLC, xrefs: 0048B4DC
CTRLV, xrefs: 0048B494
CTRLY, xrefs: 0048B5FC
CTRLF, xrefs: 0048B641
CTRLZ, xrefs: 0048B5B4
CTRLX, xrefs: 0048B524
CTRLA, xrefs: 0048B44C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00460AC0, Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99 Total matches: 300libraryloader

Similarity

Total matches: 300
API ID: GetProcAddress$GetModuleHandle
String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$[FILE]
API String ID: 1039376941-2682310058
Opcode ID: f09c306a48b0de2dd47c8210d3bd2ba449cfa3644c05cf78ba5a2ace6c780295
Instruction ID: bcfc9cd07546656776842482fc67dab96c7523a4dc8624f3bf5282ed84c56a54
Opcode Fuzzy Hash: 950151BF00AC158CCBB0CE8834EFB5324AB398984C4225F4495C6312393D9FF50A1AAA
Instruction Fuzzy Hash: bcfc9cd07546656776842482fc67dab96c7523a4dc8624f3bf5282ed84c56a54

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?,?,?), ref: 00460AD4
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?,?,?), ref: 00460AEC
GetProcAddress.KERNEL32(00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?), ref: 00460AFE
GetProcAddress.KERNEL32(00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E), ref: 00460B10
GetProcAddress.KERNEL32(00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5), ref: 00460B22
GetProcAddress.KERNEL32(00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5), ref: 00460B34
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000), ref: 00460B46
GetProcAddress.KERNEL32(00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002), ref: 00460B58
GetProcAddress.KERNEL32(00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot), ref: 00460B6A
GetProcAddress.KERNEL32(00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst), ref: 00460B7C
GetProcAddress.KERNEL32(00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext), ref: 00460B8E
GetProcAddress.KERNEL32(00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First), ref: 00460BA0
GetProcAddress.KERNEL32(00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next), ref: 00460BB2
GetProcAddress.KERNEL32(00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory), ref: 00460BC4
GetProcAddress.KERNEL32(00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First), ref: 00460BD6
GetProcAddress.KERNEL32(00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next), ref: 00460BE8
GetProcAddress.KERNEL32(00000000,Module32NextW,00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW), ref: 00460BFA

Strings

Toolhelp32ReadProcessMemory, xrefs: 00460B3E
CreateToolhelp32Snapshot, xrefs: 00460AE4
Heap32First, xrefs: 00460B1A
Thread32First, xrefs: 00460B98
Module32First, xrefs: 00460BBC
Process32FirstW, xrefs: 00460B74
Heap32Next, xrefs: 00460B2C
Process32First, xrefs: 00460B50
Module32Next, xrefs: 00460BCE
Module32NextW, xrefs: 00460BF2
Heap32ListFirst, xrefs: 00460AF6
Thread32Next, xrefs: 00460BAA
Module32FirstW, xrefs: 00460BE0
Heap32ListNext, xrefs: 00460B08
Process32NextW, xrefs: 00460B86
kernel32.dll, xrefs: 00460ACF
Process32Next, xrefs: 00460B62

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428B08, Relevance: 48.5, APIs: 32, Instructions: 500 Total matches: 1987window

Similarity

Total matches: 1987
API ID: SelectObject$SelectPalette$CreateCompatibleDCGetDIBitsGetDeviceCapsRealizePaletteSetBkColorSetTextColor$BitBltCreateBitmapCreateCompatibleBitmapCreateDIBSectionDeleteDCFillRectGetDCGetDIBColorTableGetObjectPatBltSetDIBColorTable
String ID:
API String ID: 3042800676-0
Opcode ID: b8b687cee1c9a2d9d2f26bc490dbdcc6ec68fc2f2ec1aa58312beb2e349b1411
Instruction ID: ff68489d249ea03a763d48795c58495ac11dd1cccf96ec934182865f2a9e2114
Opcode Fuzzy Hash: E051494D0D8CF5C7B4BF29880993F5211816F83A27D2AB7130975677FB8A05A05BF21D
Instruction Fuzzy Hash: ff68489d249ea03a763d48795c58495ac11dd1cccf96ec934182865f2a9e2114

APIs

GetObjectA.GDI32(00000000,00000054,?), ref: 00428B88
GetDC.USER32(00000000), ref: 00428B99
CreateCompatibleDC.GDI32(00000000), ref: 00428BAA
CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 00428BF6
CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 00428C1A
GetDeviceCaps.GDI32(00000028,0000000C), ref: 00428C6A
GetDeviceCaps.GDI32(00000028,0000000E), ref: 00428C77
SelectObject.GDI32(?,?), ref: 00428D7F

Part of subcall function 004262B4: GetObjectA.GDI32(?,00000004), ref: 004262CB
Part of subcall function 004262B4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 004262EE

SelectObject.GDI32(?,00000000), ref: 00428D21
GetDIBColorTable.GDI32(?,00000000,00000100,-00000027), ref: 00428D47
GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428D72
CreateDIBSection.GDI32(00000028,00000001,00000000,00000003,00000000,00000000), ref: 00428DD5
GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428E36

Part of subcall function 00425A70: GetLastError.KERNEL32(00000000,00425B0C), ref: 00425A90
Part of subcall function 00425A70: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00425B0C), ref: 00425AB6

SelectObject.GDI32(?,?), ref: 00428E77
SelectPalette.GDI32(?,00000000,00000000), ref: 00428EB7
RealizePalette.GDI32(?), ref: 00428EC3
SelectPalette.GDI32(?,?,000000FF), ref: 004290CE

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?,00000000), ref: 00428F14
SetTextColor.GDI32(?,00000000), ref: 00428F2C
SetBkColor.GDI32(?,00000000), ref: 00428F46
SetDIBColorTable.GDI32(?,00000000,00000002,?), ref: 00428F8E
PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 00428FB0
CreateCompatibleDC.GDI32(00000028), ref: 00428FC3
SelectObject.GDI32(?,00000000), ref: 00428FE6
SelectPalette.GDI32(?,00000000,00000000), ref: 00429002
RealizePalette.GDI32(?), ref: 0042900D
DeleteDC.GDI32(?), ref: 004290A4

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetTextColor.GDI32(?,00000000), ref: 0042902B
SetBkColor.GDI32(?,00000000), ref: 00429045
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042906D
SelectPalette.GDI32(?,00000000,000000FF), ref: 0042907F
SelectObject.GDI32(?,00000000), ref: 00429089

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047FA8C, Relevance: 44.0, APIs: 24, Strings: 1, Instructions: 241 Total matches: 15networkwindow

Similarity

Total matches: 15
API ID: GetDeviceCaps$recv$DeleteObjectSelectObject$BitBltCreateCompatibleBitmapCreateCompatibleDCGetDCReleaseDCclosesocketconnectgethostbynameinet_addrntohssendshutdownsocket
String ID: THUMB
API String ID: 1930283203-3798143851
Opcode ID: 678904e15847db7bac48336b7cf5e320d4a41031a0bc1ba33978a791cdb2d37c
Instruction ID: a6e5d2826a1bfadec34d698d0b396fa74616cd31ac2933a690057ec4ea65ec21
Opcode Fuzzy Hash: A331F900078DE76BF6722B402983F571157FF42A21E6997A34BB4676C75FC0640EB60B
Instruction Fuzzy Hash: a6e5d2826a1bfadec34d698d0b396fa74616cd31ac2933a690057ec4ea65ec21

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,0047FD80), ref: 0047FACB
ntohs.WSOCK32(00000774), ref: 0047FAEF
inet_addr.WSOCK32(015EAA88,00000774), ref: 0047FB03
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 0047FB1B
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 0047FB42
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047FB59

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047FBA9
GetDC.USER32(00000000), ref: 0047FBE3
CreateCompatibleDC.GDI32(?), ref: 0047FBEF
GetDeviceCaps.GDI32(?,0000000A), ref: 0047FBFD
GetDeviceCaps.GDI32(?,00000008), ref: 0047FC09
CreateCompatibleBitmap.GDI32(?,00000000,?), ref: 0047FC13
SelectObject.GDI32(?,?), ref: 0047FC23
GetDeviceCaps.GDI32(?,0000000A), ref: 0047FC3E
GetDeviceCaps.GDI32(?,00000008), ref: 0047FC4A
BitBlt.GDI32(?,00000000,00000000,00000000,?,00000008,00000000,?,0000000A), ref: 0047FC58
send.WSOCK32(000000FF,?,00000000,00000000,?,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010), ref: 0047FCCD
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00000000,00000000,?,000000FF,?,00002000,00000000,000000FF,?,00002000), ref: 0047FCE4
SelectObject.GDI32(?,?), ref: 0047FD08
DeleteObject.GDI32(?), ref: 0047FD11
DeleteObject.GDI32(?), ref: 0047FD1A
ReleaseDC.USER32(00000000,?), ref: 0047FD25
shutdown.WSOCK32(000000FF,00000002,00000002,00000001,00000000,00000000,0047FD80), ref: 0047FD54
closesocket.WSOCK32(000000FF,000000FF,00000002,00000002,00000001,00000000,00000000,0047FD80), ref: 0047FD5D

Strings

THUMB, xrefs: 0047FB7F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486918, Relevance: 40.8, APIs: 27, Instructions: 343 Total matches: 14networksleep

Similarity

Total matches: 14
API ID: send$recv$closesocket$Sleepconnectgethostbynamegetsocknamentohsselectsocket
String ID:
API String ID: 2478304679-0
Opcode ID: 4d87a5330adf901161e92fb1ca319a93a9e59af002049e08fc24e9f18237b9f5
Instruction ID: e3ab2fee1e4498134b0ab76971bb2098cdaeb743d0e54aa66642cb2787f17742
Opcode Fuzzy Hash: 8F5159466792D79EF5A21F00640279192F68B03F25F05DB72D63A393D8CEC4009EBF08
Instruction Fuzzy Hash: e3ab2fee1e4498134b0ab76971bb2098cdaeb743d0e54aa66642cb2787f17742

APIs

recv.WSOCK32(?,?,00000002,00000002,00000000,00486E16), ref: 00486971
recv.WSOCK32(?,00000005,?,00000000), ref: 004869A0
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 004869EE
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486A0B
recv.WSOCK32(?,?,00000259,00000000,?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486A1F
send.WSOCK32(?,00000001,00000002,00000000), ref: 00486A9E
send.WSOCK32(?,00000001,00000002,00000000), ref: 00486ABB
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486AE8
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486B02
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486B2B
recv.WSOCK32(?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486B41
recv.WSOCK32(?,?,0000000C,00000000,?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486B7C
recv.WSOCK32(?,?,?,00000000,?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486BD9
gethostbyname.WSOCK32(00000000,?,?,?,00000000,?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486BFF
ntohs.WSOCK32(?,00000000,?,?,?,00000000,?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486C29
socket.WSOCK32(00000002,00000001,00000000), ref: 00486C44
connect.WSOCK32(00000000,00000002,00000010,00000002,00000001,00000000), ref: 00486C55
getsockname.WSOCK32(00000000,?,00000010,00000000,00000002,00000010,00000002,00000001,00000000), ref: 00486CA8
send.WSOCK32(?,00000005,0000000A,00000000,00000000,?,00000010,00000000,00000002,00000010,00000002,00000001,00000000), ref: 00486CDD
select.WSOCK32(00000000,?,00000000,00000000,00000000,?,00000005,0000000A,00000000,00000000,?,00000010,00000000,00000002,00000010,00000002), ref: 00486D1D
Sleep.KERNEL32(00000096,00000000,?,00000000,00000000,00000000,?,00000005,0000000A,00000000,00000000,?,00000010,00000000,00000002,00000010), ref: 00486DCA

Part of subcall function 00408710: __WSAFDIsSet.WSOCK32(00000000,?,00000000,?,00486D36,00000000,?,00000000,00000000,00000000,00000096,00000000,?,00000000,00000000,00000000), ref: 00408718

recv.WSOCK32(00000000,?,00001000,00000000,00000000,?,00000000,00000000,00000000,00000096,00000000,?,00000000,00000000,00000000,?), ref: 00486D5B
send.WSOCK32(?,?,00000000,00000000,00000000,?,00001000,00000000,00000000,?,00000000,00000000,00000000,00000096,00000000,?), ref: 00486D72
recv.WSOCK32(?,?,00001000,00000000,00000000,?,00000000,00000000,00000000,00000096,00000000,?,00000000,00000000,00000000,?), ref: 00486DA9
send.WSOCK32(00000000,?,00000000,00000000,?,?,00001000,00000000,00000000,?,00000000,00000000,00000000,00000096,00000000,?), ref: 00486DC0
closesocket.WSOCK32(?,?,?,00000002,00000002,00000000,00486E16), ref: 00486DE2
closesocket.WSOCK32(?,?,?,?,00000002,00000002,00000000,00486E16), ref: 00486DE8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004801FC, Relevance: 35.3, APIs: 15, Strings: 5, Instructions: 286 Total matches: 15network

Similarity

Total matches: 15
API ID: recv$closesocketconnectgethostbynameinet_addrntohssendshutdownsocket
String ID: [.dll]$[.dll]$[.dll]$[.dll]$[.dll]
API String ID: 2256622448-126193538
Opcode ID: edfb90c8b4475b2781d0696b1145c1d1b84b866ec8cac18c23b2313044de0fe7
Instruction ID: 2d95426e1e6ee9a744b3e863ef1b8a7e344b36da7f7d1abd741f771f4a8a1459
Opcode Fuzzy Hash: FB414B0217AAD36BE0726F413943B8B00A2AF03E15D9C97E247B5267D69FA0501DB21A
Instruction Fuzzy Hash: 2d95426e1e6ee9a744b3e863ef1b8a7e344b36da7f7d1abd741f771f4a8a1459

APIs

socket.WSOCK32(00000002,00000001,00000000), ref: 00480264
ntohs.WSOCK32(00000774), ref: 00480288
inet_addr.WSOCK32(015EAA88,00000774), ref: 0048029C
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 004802B4
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 004802DB
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004802F2
closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004805DE

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,?,0048064C,?,00000000,?,FILETRANSFER,000000FF,?,00002000,00000000,000000FF,00000002), ref: 0048036A
recv.WSOCK32(000000FF,?,00002000,00000000,?,00000000,?,0048064C,?,FILEBOF,?,FILETRANSFER,000000FF,?,00002000,00000000), ref: 00480401

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,00000000,?,0048064C,?,FILEBOF,?,FILETRANSFER), ref: 00480451
send.WSOCK32(000000FF,?,00000000,00000000,00000000,00480523,?,000000FF,?,00002000,00000000,?,00000000,?,0048064C,?), ref: 004804DB
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00000000,00000000,00000000,00480523,?,000000FF,?,00002000,00000000,?), ref: 004804F5
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,00000000,?,0048064C,?,FILEBOF,?,FILETRANSFER), ref: 00480583

Part of subcall function 00475F68: send.WSOCK32(?,00000000,?,00000000,00000000,00475FCA), ref: 00475FAF

recv.WSOCK32(000000FF,?,00002000,00000000,?,FILETRANSFER,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004805B6
shutdown.WSOCK32(000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004805D5

Strings

FILEERR, xrefs: 00480432
FILEEOF, xrefs: 00480564
FILEBOF, xrefs: 004803A6
FILEEND, xrefs: 00480597
FILETRANSFER, xrefs: 004802FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048E06C, Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 175 Total matches: 10windowmemorythread

Similarity

Total matches: 10
API ID: SendMessage$FindWindowEx$CloseHandleFindWindowGetWindowThreadProcessIdOpenProcessReadProcessMemoryVirtualAllocVirtualAllocExVirtualFreeVirtualFreeExWriteProcessMemory
String ID: #32770$SysListView32$d"H
API String ID: 3780048337-1380996120
Opcode ID: b683118a55e5ed65f15da96e40864f63eed112dcb30155d6a8038ec0cc94ce3d
Instruction ID: 921cf0fa770e2b86772df7590f9e2c4dc5a1ffd61c2349c0eb9e10af82608242
Opcode Fuzzy Hash: AB11504A0B9C9567E83768442C43BDB1581FB13E89EB1BB93E2743758ADE811069FA43
Instruction Fuzzy Hash: 921cf0fa770e2b86772df7590f9e2c4dc5a1ffd61c2349c0eb9e10af82608242

APIs

Part of subcall function 0048DFF0: GetForegroundWindow.USER32 ref: 0048E00F
Part of subcall function 0048DFF0: GetWindowTextLengthA.USER32(00000000), ref: 0048E01B
Part of subcall function 0048DFF0: GetWindowTextA.USER32(00000000,00000000,00000001), ref: 0048E038

FindWindowA.USER32(#32770,00000000), ref: 0048E0C3
FindWindowExA.USER32(?,00000000,#32770,00000000), ref: 0048E0D8
FindWindowExA.USER32(?,00000000,SysListView32,00000000), ref: 0048E0ED
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0048E102
VirtualAlloc.KERNEL32(00000000,0000012C,00003000,00000004,?,00000000,SysListView32,00000000,00000000,0048E273,?,?,?,?), ref: 0048E12A
GetWindowThreadProcessId.USER32(?,?), ref: 0048E139
OpenProcess.KERNEL32(00000038,00000000,?,00000000,0000012C,00003000,00000004,?,00000000,SysListView32,00000000,00000000,0048E273), ref: 0048E146
VirtualAllocEx.KERNEL32(00000000,00000000,0000012C,00003000,00000004,00000038,00000000,?,00000000,0000012C,00003000,00000004,?,00000000,SysListView32,00000000), ref: 0048E158
WriteProcessMemory.KERNEL32(00000000,00000000,00000000,00000400,?,00000000,00000000,0000012C,00003000,00000004,00000038,00000000,?,00000000,0000012C,00003000), ref: 0048E18A
SendMessageA.USER32(d"H,0000102D,00000000,00000000), ref: 0048E19D
ReadProcessMemory.KERNEL32(00000000,00000000,00000000,00000400,?,d"H,0000102D,00000000,00000000,00000000,00000000,00000000,00000400,?,00000000,00000000), ref: 0048E1AE
SendMessageA.USER32(d"H,00001008,00000000,00000000), ref: 0048E219
VirtualFree.KERNEL32(00000000,00000000,00008000,d"H,00001008,00000000,00000000,00000000,00000000,00000000,00000400,?,d"H,0000102D,00000000,00000000), ref: 0048E226
VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000,00000000,00000000,00008000,d"H,00001008,00000000,00000000,00000000,00000000,00000000,00000400,?), ref: 0048E234
CloseHandle.KERNEL32(00000000), ref: 0048E23A

Strings

SysListView32, xrefs: 0048E0E2
d"H, xrefs: 0048E199, 0048E215, 0048E19C, 0048E218
#32770, xrefs: 0048E0BE, 0048E0CD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00480880, Relevance: 30.0, APIs: 12, Strings: 5, Instructions: 276 Total matches: 16network

Similarity

Total matches: 16
API ID: recv$closesocketshutdown$connectgethostbynameinet_addrntohssocket
String ID: [.dll]$[.dll]$[.dll]$[.dll]$[.dll]
API String ID: 2855376909-126193538
Opcode ID: ce8af9afc4fc20da17b49cda6627b8ca93217772cb051443fc0079949da9fcb3
Instruction ID: 6552a3c7cc817bd0bf0621291c8240d3f07fdfb759ea8c029e05bf9a4febe696
Opcode Fuzzy Hash: A5414C032767977AE1612F402881B952571BF03769DC8C7D257F6746EA5F60240EF31E
Instruction Fuzzy Hash: 6552a3c7cc817bd0bf0621291c8240d3f07fdfb759ea8c029e05bf9a4febe696

APIs

socket.WSOCK32(00000002,00000001,00000000,?,?,?,?,?,?,?,?,?,00000000,00480C86), ref: 004808B5
ntohs.WSOCK32(00000774), ref: 004808D9
inet_addr.WSOCK32(015EAA88,00000774), ref: 004808ED
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 00480905
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 0048092C
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480943
closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480C2F

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480993
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88), ref: 004809C8
shutdown.WSOCK32(000000FF,00000002,?,?,?,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000), ref: 00480B80
closesocket.WSOCK32(000000FF,000000FF,00000002,?,?,?,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?), ref: 00480B89

Part of subcall function 00480860: send.WSOCK32(?,00000000,00000001,00000000), ref: 00480879

shutdown.WSOCK32(000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480C26

Part of subcall function 00405D40: SysFreeString.OLEAUT32(?), ref: 00405D53

Strings

FILEERR, xrefs: 00480BB6
FILEBOF, xrefs: 00480A34
FILEEOF, xrefs: 00480B0B
UPLOADFILE, xrefs: 00480969
FILEEND, xrefs: 00480B6A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048851C, Relevance: 28.3, APIs: 11, Strings: 5, Instructions: 302 Total matches: 13network

Similarity

Total matches: 13
API ID: recv$closesocketconnectgethostbynameinet_addrmouse_eventntohsshutdownsocket
String ID: CONTROLIO$XLEFT$XMID$XRIGHT$XWHEEL
API String ID: 1694935655-1300867655
Opcode ID: 3d8ebbc3997d8a2a290d7fc83b0cdb9b95b23bbbcb8ad76760d2b66ee4a9946d
Instruction ID: 7e2e77316238cb3891ff65c9dc595f4b15bca55cd02a53a070d44cee5d55110c
Opcode Fuzzy Hash: C7410B051B8DD63BF4337E001883B422661FF02A24DC5ABD1ABB6766E75F40641EB74B
Instruction Fuzzy Hash: 7e2e77316238cb3891ff65c9dc595f4b15bca55cd02a53a070d44cee5d55110c

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00488943), ref: 00488581
ntohs.WSOCK32(00000774), ref: 004885A7
inet_addr.WSOCK32(015EAA88,00000774), ref: 004885BB
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 004885D3
connect.WSOCK32(?,00000002,00000010,015EAA88,00000774), ref: 004885FD
recv.WSOCK32(?,?,00002000,00000000,?,00000002,00000010,015EAA88,00000774), ref: 00488617

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(?,?,00002000,00000000,?,?,00002000,00000000,?,00000002,00000010,015EAA88,00000774), ref: 00488670
recv.WSOCK32(?,?,00002000,00000000,?,?,00002000,00000000,?,?,00002000,00000000,?,00000002,00000010,015EAA88), ref: 004886B7
mouse_event.USER32(00000800,00000000,00000000,00000000,00000000), ref: 00488743

Part of subcall function 00488F80: SetCursorPos.USER32(00000000,00000000), ref: 004890E0
Part of subcall function 00488F80: mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 004890FB
Part of subcall function 00488F80: mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 0048910A
Part of subcall function 00488F80: mouse_event.USER32(00000008,00000000,00000000,00000000,00000000), ref: 0048911B
Part of subcall function 00488F80: mouse_event.USER32(00000010,00000000,00000000,00000000,00000000), ref: 0048912A
Part of subcall function 00488F80: mouse_event.USER32(00000020,00000000,00000000,00000000,00000000), ref: 0048913B
Part of subcall function 00488F80: mouse_event.USER32(00000040,00000000,00000000,00000000,00000000), ref: 0048914A

shutdown.WSOCK32(?,00000002,00000002,00000001,00000000,00000000,00488943), ref: 00488907
closesocket.WSOCK32(?,?,00000002,00000002,00000001,00000000,00000000,00488943), ref: 00488913

Strings

XLEFT, xrefs: 004887C6
CONTROLIO, xrefs: 00488640
XRIGHT, xrefs: 0048882E
XMID, xrefs: 00488896
XWHEEL, xrefs: 00488701

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048317C, Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 191 Total matches: 13networkthread

Similarity

Total matches: 13
API ID: ExitThreadrecv$closesocketconnectgethostbynameinet_addrntohssendshutdownsocket
String ID: AI$DATAFLUX
API String ID: 321019756-425132630
Opcode ID: b7a2c89509495347fc3323384a94636a93f503423a5dcd762de1341b7d40447e
Instruction ID: d3bdd4e47b343d3b4fa6119c5e41daebd5c6236719acedab40bdc5f8245a3ecd
Opcode Fuzzy Hash: 4B214D4107AAD97AE4702A443881BA224165F535ADFD48B7147343F7D79E43205DFA4E
Instruction Fuzzy Hash: d3bdd4e47b343d3b4fa6119c5e41daebd5c6236719acedab40bdc5f8245a3ecd

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,004833A9,?,00000000,0048340F), ref: 00483247
ExitThread.KERNEL32(00000000,00000002,00000001,00000000,00000000,004833A9,?,00000000,0048340F), ref: 00483257
ntohs.WSOCK32(00000774), ref: 0048326E
inet_addr.WSOCK32(015EAA88,00000774), ref: 00483282
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 0048329A
ExitThread.KERNEL32(00000000,015EAA88,015EAA88,00000774), ref: 004832A7
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 004832C6
recv.WSOCK32(000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004832D7
ExitThread.KERNEL32(00000000,000000FF,000000FF,00000002,000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0048339A

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00000400,00000000,?,00483440,?,DATAFLUX,000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88), ref: 0048331D
send.WSOCK32(000000FF,?,00000000,00000000), ref: 0048335C
recv.WSOCK32(000000FF,?,00000400,00000000,000000FF,?,00000000,00000000), ref: 00483370
shutdown.WSOCK32(000000FF,00000002,000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00483382
closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0048338B

Strings

AI, xrefs: 00483218
DATAFLUX, xrefs: 004832E3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047F4E0, Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 295 Total matches: 16network

Similarity

Total matches: 16
API ID: recv$closesocketconnectgethostbynameinet_addrntohsshutdownsocket
String ID: [.dll]$PLUGIN$QUICKUP
API String ID: 3502134677-2029499634
Opcode ID: e0335874fa5fb0619f753044afc16a0783dc895853cb643f68a57d403a54b849
Instruction ID: e53faec40743fc20efac8ebff3967ea6891c829de5991c2041a7f36387638ce7
Opcode Fuzzy Hash: 8E4129031BAAEA76E1723F4029C2B851A62EF12635DC4C7E287F6652D65F60241DF60E
Instruction Fuzzy Hash: e53faec40743fc20efac8ebff3967ea6891c829de5991c2041a7f36387638ce7

APIs

socket.WSOCK32(00000002,00000001,00000000,?,00000000,0047F930,?,?,?,?,00000000,00000000), ref: 0047F543
ntohs.WSOCK32(00000774), ref: 0047F567
inet_addr.WSOCK32(015EAA88,00000774), ref: 0047F57B
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 0047F593
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F5BA
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F5D1
closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F8C2

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,?,0047F968,?,0047F968,?,QUICKUP,000000FF,?,00002000,00000000,000000FF,00000002), ref: 0047F63F
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,0047F968,?,0047F968,?,QUICKUP,000000FF,?), ref: 0047F66F

Part of subcall function 0047F4C0: send.WSOCK32(?,00000000,00000001,00000000), ref: 0047F4D9

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,0047F968,?,0047F968), ref: 0047F859

Part of subcall function 0048ADCC: SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0048ADF9
Part of subcall function 0048ADCC: SHGetPathFromIDListA.SHELL32(?,?,00000000,0048AE8C,?,?,00000005,?,004856FD,00000000,00485755,?,?,00000005,00000000,00000000), ref: 0048AE09

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,0047F968,?,0047F968), ref: 0047F786

Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EEA0
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF11
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EF31
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF60
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0047EF96
Part of subcall function 0047EE3C: SetFileAttributesA.KERNEL32(00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFD6
Part of subcall function 0047EE3C: DeleteFileA.KERNEL32(00000000,00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFFF
Part of subcall function 0047EE3C: CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0047F033
Part of subcall function 0047EE3C: PlaySoundA.WINMM(00000000,00000000,00000001,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047F059
Part of subcall function 0047EE3C: CopyFileA.KERNEL32(00000000,00000000,.dcp), ref: 0047F0D1

shutdown.WSOCK32(000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F8B9

Part of subcall function 00405D40: SysFreeString.OLEAUT32(?), ref: 00405D53

Strings

PLUGIN, xrefs: 0047F527
QUICKUP, xrefs: 0047F5DD
FILEEND, xrefs: 0047F7E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00489244, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 150 Total matches: 15networkthread

Similarity

Total matches: 15
API ID: recv$ExitThreadclosesocketconnectgethostbynameinet_addrntohssendshutdownsocket
String ID: AI$DATAFLUX
API String ID: 272284131-425132630
Opcode ID: 11f7e99e0a7c1cc561ab01f1b1abb0142bfc906553ec9d79ada03e9cf39adde9
Instruction ID: 4d7be339f0e68e68ccf0b59b667884dcbebc6bd1e5886c9405f519ae2503b2a6
Opcode Fuzzy Hash: DA115B4513B9A77BE0626F943842B6265236B02E3CF498B3153B83A3C6DF41146DFA4D
Instruction Fuzzy Hash: 4d7be339f0e68e68ccf0b59b667884dcbebc6bd1e5886c9405f519ae2503b2a6

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00489441), ref: 004892BA
ntohs.WSOCK32(00000774), ref: 004892DC
inet_addr.WSOCK32(015EAA88,00000774), ref: 004892F0
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 00489308
connect.WSOCK32(00000000,00000002,00000010,015EAA88,00000774), ref: 0048932C
recv.WSOCK32(00000000,?,00000400,00000000,00000000,00000002,00000010,015EAA88,00000774), ref: 00489340

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(00000000,?,00000400,00000000,?,0048946C,?,DATAFLUX,00000000,?,00000400,00000000,00000000,00000002,00000010,015EAA88), ref: 00489399
send.WSOCK32(00000000,?,00000000,00000000), ref: 004893E3
recv.WSOCK32(00000000,?,00000400,00000000,00000000,?,00000000,00000000), ref: 004893FA
shutdown.WSOCK32(00000000,00000002,00000002,00000001,00000000,00000000,00489441), ref: 00489409
closesocket.WSOCK32(00000000,00000000,00000002,00000002,00000001,00000000,00000000,00489441), ref: 0048940F
ExitThread.KERNEL32(00000000,00000000,00000000,00000002,00000002,00000001,00000000,00000000,00489441), ref: 0048941E

Strings

DATAFLUX, xrefs: 0048934C
AI, xrefs: 0048928B

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00406A68, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 139 Total matches: 2934stringlibraryfile

Similarity

Total matches: 2934
API ID: lstrcpyn$lstrlen$FindCloseFindFirstFileGetModuleHandleGetProcAddress
String ID: GetLongPathNameA$\$[FILE]
API String ID: 3661757112-3025972186
Opcode ID: 09af6d4fb3ce890a591f7b23fb756db22e1cbc03564fc0e4437be3767da6793e
Instruction ID: b14d932b19fc4064518abdddbac2846d3fd2a245794c3c1ecc53a3c556f9407d
Opcode Fuzzy Hash: 5A0148030E08E387E1775B017586F4A12A1EF41C38E98A36025F15BAC94E00300CF12F
Instruction Fuzzy Hash: b14d932b19fc4064518abdddbac2846d3fd2a245794c3c1ecc53a3c556f9407d

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,00400000,004917C0), ref: 00406A85
GetProcAddress.KERNEL32(?,GetLongPathNameA,kernel32.dll,?,00400000,004917C0), ref: 00406A9C
lstrcpynA.KERNEL32(?,?,?,?,00400000,004917C0), ref: 00406ACC
lstrcpynA.KERNEL32(?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B30

Part of subcall function 00406A48: CharNextA.USER32(?), ref: 00406A4F

lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B66
FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B79
FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B8B
lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B97
lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000), ref: 00406BCB
lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00406BD7
lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 00406BF9

Strings

GetLongPathNameA, xrefs: 00406A93
\, xrefs: 00406BA9
kernel32.dll, xrefs: 00406A80

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486E2C, Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 178 Total matches: 14networkthreadsleep

Similarity

Total matches: 14
API ID: CloseHandleCreateThreadExitThreadLocalAllocSleepacceptbindlistenntohssocket
String ID: ERR|Cannot listen to port, try another one..|$ERR|Socket error..|$OK|Successfully started..|
API String ID: 2137491959-3262568804
Opcode ID: 90fb1963c21165c4396d73d063bf7afe9f22d057a02fd569e7e66b2d14a70f73
Instruction ID: 0fda09cc725898a8dcbc65afb209be10fac5e25cc35172c883d426d9189e88b6
Opcode Fuzzy Hash: 9011D50257DC549BD5E7ACC83887FA611625F83E8CEC8BB06AB9A3B2C10E555028B652
Instruction Fuzzy Hash: 0fda09cc725898a8dcbc65afb209be10fac5e25cc35172c883d426d9189e88b6

APIs

socket.WSOCK32(00000002,00000001,00000006,00000000,00487046), ref: 00486E87
ntohs.WSOCK32(?,00000002,00000001,00000006,00000000,00487046), ref: 00486EA8
bind.WSOCK32(00000000,00000002,00000010,?,00000002,00000001,00000006,00000000,00487046), ref: 00486EBD
listen.WSOCK32(00000000,00000005,00000000,00000002,00000010,?,00000002,00000001,00000006,00000000,00487046), ref: 00486ECD

Part of subcall function 004870D4: EnterCriticalSection.KERNEL32(0049C3A8,00000000,004872FC,?,?,00000000,?,00000003,00000000,00000000,?,00486F27,00000000,?,?,00000000), ref: 00487110
Part of subcall function 004870D4: LeaveCriticalSection.KERNEL32(0049C3A8,004872E1,004872FC,?,?,00000000,?,00000003,00000000,00000000,?,00486F27,00000000,?,?,00000000), ref: 004872D4

accept.WSOCK32(00000000,?,00000010,00000000,?,?,00000000,00000000,00000005,00000000,00000002,00000010,?,00000002,00000001,00000006), ref: 00486F37
LocalAlloc.KERNEL32(00000040,00000010,00000000,?,00000010,00000000,?,?,00000000,00000000,00000005,00000000,00000002,00000010,?,00000002), ref: 00486F49
CreateThread.KERNEL32(00000000,00000000,Function_00086918,00000000,00000000,?), ref: 00486F83
CloseHandle.KERNEL32(00000000), ref: 00486F89
Sleep.KERNEL32(00000064,00000000,00000000,00000000,Function_00086918,00000000,00000000,?,00000040,00000010,00000000,?,00000010,00000000,?,?), ref: 00486FD0

Part of subcall function 00487488: EnterCriticalSection.KERNEL32(0049C3A8,00000000,00487671,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00487016), ref: 004874B5
Part of subcall function 00487488: closesocket.WSOCK32(00000000,FpH,?,?,?,?,0049C3A8,00000000,00487671,?,?,00000000,?,00000000,00000000,00000000), ref: 0048761C
Part of subcall function 00487488: LeaveCriticalSection.KERNEL32(0049C3A8,00487656,00487671,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00487016), ref: 00487649

ExitThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000010,?,00000002,00000001,00000006,00000000,00487046), ref: 00487018

Strings

ERR|Socket error..|, xrefs: 00486FA4
OK|Successfully started..|, xrefs: 00486EEF
ERR|Cannot listen to port, try another one..|, xrefs: 00486FEE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048298C, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 119 Total matches: 11threadnetwork

Similarity

Total matches: 11
API ID: ExitThread$closesocket$connectgethostbynameinet_addrntohssocket
String ID: PortScanAdd$T)H
API String ID: 2395914352-1310557750
Opcode ID: 6c3104e507475618e3898607272650a69bca6dc046555386402c23f344340102
Instruction ID: 72399fd579b68a6a0bb22d5de318f24183f317e071505d54d2110904ee01d501
Opcode Fuzzy Hash: 1101680197ABE83FA05261C43881B8224A9AF57288CC8AFB2433A3E7C35D04300EF785
Instruction Fuzzy Hash: 72399fd579b68a6a0bb22d5de318f24183f317e071505d54d2110904ee01d501

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 004829FE
ExitThread.KERNEL32(00000000,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A0C
ntohs.WSOCK32(?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A18
inet_addr.WSOCK32(00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A2A
gethostbyname.WSOCK32(00000000,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A40
ExitThread.KERNEL32(00000000,00000000,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A4D
connect.WSOCK32(00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A63
ExitThread.KERNEL32(00000000,00000000,00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482AB2

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

closesocket.WSOCK32(00000000,?,00482B30,?,PortScanAdd,00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1), ref: 00482A9C
ExitThread.KERNEL32(00000000,00000000,?,00482B30,?,PortScanAdd,00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1), ref: 00482AA3
closesocket.WSOCK32(00000000,00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482AAB

Strings

T)H, xrefs: 004829A6, 00482AEF
PortScanAdd, xrefs: 00482A6C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004836D8, Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 99 Total matches: 11threadnetworksleep

Similarity

Total matches: 11
API ID: ExitThread$Sleepclosesocketconnectgethostbynameinet_addrntohsrecvsocket
String ID: POST /index.php/1.0Host:
API String ID: 2628901859-3522423011
Opcode ID: b04dd301db87c41df85ba2753455f3376e44383b7eb4be01a122875681284b07
Instruction ID: dc3bae1cbba1b9e51a9e3778eeee895e0839b03ccea3d6e2fe0063a405e053e2
Opcode Fuzzy Hash: E6F044005B779ABFC4611EC43C51B8205AA9353A64F85ABE2867A3AED6AD25100FF641
Instruction Fuzzy Hash: dc3bae1cbba1b9e51a9e3778eeee895e0839b03ccea3d6e2fe0063a405e053e2

APIs

socket.WSOCK32(00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 0048373A
ExitThread.KERNEL32(00000000,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 00483747
inet_addr.WSOCK32(?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 00483762
ntohs.WSOCK32(00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 0048376B
gethostbyname.WSOCK32(?,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 0048377B
ExitThread.KERNEL32(00000000,?,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 00483788
connect.WSOCK32(00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 0048379E
ExitThread.KERNEL32(00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 004837A9

Part of subcall function 00475F68: send.WSOCK32(?,00000000,?,00000000,00000000,00475FCA), ref: 00475FAF

recv.WSOCK32(00000000,?,00000400,00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ), ref: 004837C7
Sleep.KERNEL32(000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000,?), ref: 004837DF
closesocket.WSOCK32(00000000,000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000), ref: 004837E5
ExitThread.KERNEL32(00000000,00000000,000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854), ref: 004837EC

Strings

POST /index.php/1.0Host: , xrefs: 00483708

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482630, Relevance: 18.1, APIs: 12, Instructions: 116 Total matches: 16threadnetworksleep

Similarity

Total matches: 16
API ID: ExitThread$Sleepclosesocketconnectgethostbynameinet_addrntohsrecvsocket
String ID:
API String ID: 2628901859-0
Opcode ID: a3aaf1e794ac1aa69d03c8f9e66797259df72f874d13839bb17dd00c6b42194d
Instruction ID: ff6d9d03150e41bc14cdbddfb540e41f41725cc753a621d047e760d4192c390a
Opcode Fuzzy Hash: 7801D0011B764DBFC4611E846C8239311A7A763899DC5EBB1433A395D34E00202DFE46
Instruction Fuzzy Hash: ff6d9d03150e41bc14cdbddfb540e41f41725cc753a621d047e760d4192c390a

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000000,004827A8), ref: 004826CB
ExitThread.KERNEL32(00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 004826D8
inet_addr.WSOCK32(00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 004826F3
ntohs.WSOCK32(00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 004826FC
gethostbyname.WSOCK32(00000000,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 0048270C
ExitThread.KERNEL32(00000000,00000000,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 00482719
connect.WSOCK32(00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 0048272F
ExitThread.KERNEL32(00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 0048273A

Part of subcall function 004824B0: send.WSOCK32(?,?,00000400,00000000,00000000,00482542), ref: 00482525

recv.WSOCK32(00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 00482758
Sleep.KERNEL32(000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 00482770
closesocket.WSOCK32(00000000,000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000), ref: 00482776
ExitThread.KERNEL32(00000000,00000000,000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?), ref: 0048277D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004821A0, Relevance: 15.1, APIs: 10, Instructions: 112 Total matches: 15threadnetworksleep

Similarity

Total matches: 15
API ID: ExitThread$Sleepclosesocketgethostbynameinet_addrntohssendtosocket
String ID:
API String ID: 1359030137-0
Opcode ID: 9f2e935b6ee09f04cbe2534d435647e5a9c7a25d7308ce71f3340d3606cd1e00
Instruction ID: ac1de70ce42b68397a6b2ea81eb33c5fd22f812bdd7d349b67f520e68fdd8bef
Opcode Fuzzy Hash: BC0197011B76997BD8612EC42C8335325A7E363498E85ABB2863A3A5C34E00303EFD4A
Instruction Fuzzy Hash: ac1de70ce42b68397a6b2ea81eb33c5fd22f812bdd7d349b67f520e68fdd8bef

APIs

socket.WSOCK32(00000002,00000002,00000000,?,00000000,00482302), ref: 0048223B
ExitThread.KERNEL32(00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 00482248
inet_addr.WSOCK32(00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 00482263
ntohs.WSOCK32(00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 0048226C
gethostbyname.WSOCK32(00000000,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 0048227C
ExitThread.KERNEL32(00000000,00000000,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 00482289
sendto.WSOCK32(00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 004822B2
Sleep.KERNEL32(000003E8,00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 004822CA
closesocket.WSOCK32(00000000,000003E8,00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 004822D0
ExitThread.KERNEL32(00000000,00000000,000003E8,00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000), ref: 004822D7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00458910, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64 Total matches: 3020window

Similarity

Total matches: 3020
API ID: GetWindowLongScreenToClient$GetWindowPlacementGetWindowRectIsIconic
String ID: ,
API String ID: 816554555-3772416878
Opcode ID: 33713ad712eb987f005f3c933c072ce84ce87073303cb20338137d5b66c4d54f
Instruction ID: 99fb2dd3f2d8984d329dcc6a20dc6bc7800d43894b91fc45d581d88d3a180e50
Opcode Fuzzy Hash: 34E0929A777C2018C58145A80943F5DB3519B5B7FAC55DF8036902895B110018B1B86D
Instruction Fuzzy Hash: 99fb2dd3f2d8984d329dcc6a20dc6bc7800d43894b91fc45d581d88d3a180e50

APIs

IsIconic.USER32(?), ref: 0045891F
GetWindowPlacement.USER32(?,0000002C), ref: 0045893C
GetWindowRect.USER32(?), ref: 00458955
GetWindowLongA.USER32(?,000000F0), ref: 00458963
GetWindowLongA.USER32(?,000000F8), ref: 00458978
ScreenToClient.USER32(00000000), ref: 00458985
ScreenToClient.USER32(00000000,?), ref: 00458990

Strings

,, xrefs: 00458928

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043B7D8, Relevance: 12.1, APIs: 8, Instructions: 72 Total matches: 256window

Similarity

Total matches: 256
API ID: ShowWindow$SetWindowLong$GetWindowLongIsIconicIsWindowVisible
String ID:
API String ID: 1329766111-0
Opcode ID: 851ee31c2da1c7e890e66181f8fd9237c67ccb8fd941b2d55d1428457ca3ad95
Instruction ID: 2d601e2c9dde570a1438639cb57e59d23a7ac9434ebe8ec1c9926e4533b8e8e7
Opcode Fuzzy Hash: FEE0684A6E7C6CE4E26AE7048881B00514BE307A17DC00B00C722165A69E8830E4AC8E
Instruction Fuzzy Hash: 2d601e2c9dde570a1438639cb57e59d23a7ac9434ebe8ec1c9926e4533b8e8e7

APIs

GetWindowLongA.USER32(?,000000EC), ref: 0043B7E8
IsIconic.USER32(?), ref: 0043B800
IsWindowVisible.USER32(?), ref: 0043B80C
ShowWindow.USER32(?,00000000), ref: 0043B840
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B855
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B866
ShowWindow.USER32(?,00000006), ref: 0043B881
ShowWindow.USER32(?,00000005), ref: 0043B88B

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004389B4, Relevance: 10.9, APIs: 7, Instructions: 405 Total matches: 2150windowCrypto

Similarity

Total matches: 2150
API ID: RestoreDCSaveDC$DefWindowProcGetSubMenuGetWindowDC
String ID:
API String ID: 4165311318-0
Opcode ID: e3974ea3235f2bde98e421c273a503296059dbd60f3116d5136c6e7e7c4a4110
Instruction ID: 37498faecac08611daeb58a409bdd2e28f3aff22c71556953c3d6c7203dc42a1
Opcode Fuzzy Hash: E351598106AE105BFCB3A49435C3FA31002E75259BCC9F7725F65B69F70A426107FA0E
Instruction Fuzzy Hash: 37498faecac08611daeb58a409bdd2e28f3aff22c71556953c3d6c7203dc42a1

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 00438ECA

Part of subcall function 00437AE0: SendMessageA.USER32(?,00000234,00000000,00000000), ref: 00437B66
Part of subcall function 00437AE0: DrawMenuBar.USER32(00000000), ref: 00437B77

GetSubMenu.USER32(?,?), ref: 00438AB0

Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128

SaveDC.GDI32(?), ref: 00438C84
RestoreDC.GDI32(?,?), ref: 00438CF8
GetWindowDC.USER32(?), ref: 00438D72
SaveDC.GDI32(?), ref: 00438DA9
RestoreDC.GDI32(?,?), ref: 00438E16

Part of subcall function 00438594: GetMenuItemCount.USER32(?), ref: 004385C0
Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 004385E0
Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 00438678

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043E644, Relevance: 10.9, APIs: 7, Instructions: 356 Total matches: 105windowCrypto

Similarity

Total matches: 105
API ID: RestoreDCSaveDC$GetParentGetWindowDCSetFocus
String ID:
API String ID: 1433148327-0
Opcode ID: c7c51054c34f8cc51c1d37cc0cdfc3fb3cac56433bd5d750a0ee7df42f9800ec
Instruction ID: 9e67841575b56d9a11e2d3f15b67e7abce699d8469a9871b1b2609441fc85f19
Opcode Fuzzy Hash: 60514740199E7193F47720842BC3BEAB09AF79671DC40F3616BC6318877F15A21AB70B
Instruction Fuzzy Hash: 9e67841575b56d9a11e2d3f15b67e7abce699d8469a9871b1b2609441fc85f19

APIs

Part of subcall function 00448224: SetActiveWindow.USER32(?), ref: 0044823F
Part of subcall function 00448224: SetFocus.USER32(00000000), ref: 00448289

SetFocus.USER32(00000000), ref: 0043E76F

Part of subcall function 0043F4F4: SendMessageA.USER32(00000000,00000229,00000000,00000000), ref: 0043F51B

Part of subcall function 0044D2F4: GetWindowThreadProcessId.USER32(?), ref: 0044D301
Part of subcall function 0044D2F4: GetCurrentProcessId.KERNEL32(?,00000000,?,004387ED,?,004378A9), ref: 0044D30A
Part of subcall function 0044D2F4: GlobalFindAtomA.KERNEL32(00000000), ref: 0044D31F
Part of subcall function 0044D2F4: GetPropA.USER32(?,00000000), ref: 0044D336

GetParent.USER32(?), ref: 0043E78A

Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128

SaveDC.GDI32(?), ref: 0043E92D
RestoreDC.GDI32(?,?), ref: 0043E99E
GetWindowDC.USER32(00000000), ref: 0043EA0A
SaveDC.GDI32(?), ref: 0043EA41
RestoreDC.GDI32(?,?), ref: 0043EAA5

Part of subcall function 00447EF0: InvalidateRect.USER32(00000000,00000000,000000FF), ref: 00447F83
Part of subcall function 00447EF0: InvalidateRect.USER32(00000000,00000000,000000FF), ref: 00447FB6

Part of subcall function 004556F4: SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000077), ref: 004557E5
Part of subcall function 004556F4: _TrackMouseEvent.COMCTL32(00000010), ref: 00455A9D
Part of subcall function 004556F4: DefWindowProcA.USER32(00000000,?,?,?), ref: 00455AEF
Part of subcall function 004556F4: GetCapture.USER32 ref: 00455B5A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00471850, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 97 Total matches: 34service

Similarity

Total matches: 34
API ID: CloseServiceHandle$CreateServiceOpenSCManager
String ID: Description$System\CurrentControlSet\Services\
API String ID: 2405299899-3489731058
Opcode ID: 96e252074fe1f6aca618bd4c8be8348df4b99afc93868a54bf7090803d280f0a
Instruction ID: 14b9cf690ce9596509c6229b802a5a61d158de39c8e329de654368bbb4824ff8
Opcode Fuzzy Hash: 7EF09E441FA6E84FA45EB84828533D651465713A78D4C77F19778379C34E84802EF662
Instruction Fuzzy Hash: 14b9cf690ce9596509c6229b802a5a61d158de39c8e329de654368bbb4824ff8

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,00471976,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00471890
CreateServiceA.ADVAPI32(00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,0047193B), ref: 004718D1

Part of subcall function 004711E8: RegCreateKeyA.ADVAPI32(?,00000000,?), ref: 0047122E
Part of subcall function 004711E8: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000002,00000000,?,00000000,00471291), ref: 0047125A
Part of subcall function 004711E8: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000002,00000000,?,00000000,00471291), ref: 00471269

CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00471926
CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0047192C

Strings

Description, xrefs: 00471916
System\CurrentControlSet\Services\, xrefs: 004718F7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004714B8, Relevance: 10.6, APIs: 7, Instructions: 89 Total matches: 71service

Similarity

Total matches: 71
API ID: CloseServiceHandle$ControlServiceOpenSCManagerOpenServiceQueryServiceStatusStartService
String ID:
API String ID: 3657116338-0
Opcode ID: 1e9d444eec48d0e419340f6fec950ff588b94c8e7592a950f99d2ba7664d31f8
Instruction ID: f731b938185626ba78ad74946a73eac4c40bc8709c87a2b6d5c22da45b1e1850
Opcode Fuzzy Hash: EDF0270D12C6E85FF119A88C1181B67D992DF56795E4A37E04715744CB1AE21008FA1E
Instruction Fuzzy Hash: f731b938185626ba78ad74946a73eac4c40bc8709c87a2b6d5c22da45b1e1850

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047159E), ref: 004714FD
OpenServiceA.ADVAPI32(00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047152D
StartServiceA.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471555
ControlService.ADVAPI32(00000000,00000001,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471563
QueryServiceStatus.ADVAPI32(00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047156D
CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471573
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471579

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A070, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51 Total matches: 81shutdown

Similarity

Total matches: 81
API ID: AdjustTokenPrivilegesExitWindowsExGetCurrentProcessLookupPrivilegeValueOpenProcessToken
String ID: SeShutdownPrivilege
API String ID: 907618230-3733053543
Opcode ID: 6325c351eeb4cc5a7ec0039467aea46e8b54e3429b17674810d590d1af91e24f
Instruction ID: 66577e1e564058a64f67eda116e8e082f314cb3670dbe1b8773e92ba7f33d392
Opcode Fuzzy Hash: 84D0124D3B7976B1F31D5D4001C47A6711FDBA322AD61670069507725A8DA091F4BE88
Instruction Fuzzy Hash: 66577e1e564058a64f67eda116e8e082f314cb3670dbe1b8773e92ba7f33d392

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 0048A083
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0048A089
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000000), ref: 0048A0A4
AdjustTokenPrivileges.ADVAPI32(00000002,00000000,00000002,00000010,?,?,00000000), ref: 0048A0E5
ExitWindowsEx.USER32(00000012,00000000), ref: 0048A0ED

Strings

SeShutdownPrivilege, xrefs: 0048A09D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E370, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 46 Total matches: 14window

Similarity

Total matches: 14
API ID: GetWindowPlacementGetWindowRectIsIconic
String ID: MonitorFromWindow$pB
API String ID: 1187573753-2555291889
Opcode ID: b2662cef33c9ce970c581efdfdde34e0c8b40e940518fa378c404c4b73bde14f
Instruction ID: 5a6b2a18135ea14e651d4e6cb58f3d6b41c3321aed1c605d56f3d84144375520
Opcode Fuzzy Hash: E2D0977303280A045DC34844302880B2A322AD3C3188C3FE182332B3D34B8630BCCF1D
Instruction Fuzzy Hash: 5a6b2a18135ea14e651d4e6cb58f3d6b41c3321aed1c605d56f3d84144375520

APIs

IsIconic.USER32(?), ref: 0042E3B9
GetWindowPlacement.USER32(?,?), ref: 0042E3C7
GetWindowRect.USER32(?,?), ref: 0042E3D3

Part of subcall function 0042E2E0: GetSystemMetrics.USER32(00000000), ref: 0042E331
Part of subcall function 0042E2E0: GetSystemMetrics.USER32(00000001), ref: 0042E33D

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

pB, xrefs: 0042E38C, 0042E399, 0042E3A0
MonitorFromWindow, xrefs: 0042E387

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004715B0, Relevance: 7.5, APIs: 5, Instructions: 49 Total matches: 102service

Similarity

Total matches: 102
API ID: CloseServiceHandle$DeleteServiceOpenSCManagerOpenService
String ID:
API String ID: 3460840894-0
Opcode ID: edfa3289dfdb26ec1f91a4a945de349b204e0a604ed3354c303b362bde8b8223
Instruction ID: 514bcffe4070602af344c66095507f6a8d55ec3e3e7bb18c804bf3b7deea95f5
Opcode Fuzzy Hash: 01D02E841BA8F82FD4879988111239360C1AA23A90D8A37F08E08361D3ABE4004CF86A
Instruction Fuzzy Hash: 514bcffe4070602af344c66095507f6a8d55ec3e3e7bb18c804bf3b7deea95f5

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047162F), ref: 004715DB
OpenServiceA.ADVAPI32(00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 004715F5
DeleteService.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471601
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 0047160E
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471614

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474D58, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 57 Total matches: 14memoryinjection

Similarity

Total matches: 14
API ID: VirtualAllocExWriteProcessMemory
String ID: DCPERSFWBP$[FILE]
API String ID: 1899012086-3297815924
Opcode ID: 423b64deca3bc68d45fc180ef4fe9512244710ab636da43375ed106f5e876429
Instruction ID: 67bfdac44fec7567ab954589a4a4ae8848f6352de5e33de26bc6a5b7174d46b5
Opcode Fuzzy Hash: 4BD02B4149BDE17FF94C78C4A85678341A7D3173DCE802F51462633086CD94147EFCA2
Instruction Fuzzy Hash: 67bfdac44fec7567ab954589a4a4ae8848f6352de5e33de26bc6a5b7174d46b5

APIs

VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?,00000000,00000000,00000000,?,004755A7), ref: 00474D98
WriteProcessMemory.KERNEL32(?,00000000,kernel32.dll,?,?,?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?), ref: 00474DBE

Strings

DCPERSFWBP, xrefs: 00474D63
kernel32.dll, xrefs: 00474DBB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00466038, Relevance: 6.1, APIs: 4, Instructions: 80 Total matches: 74memory

Similarity

Total matches: 74
API ID: FreeLibraryGetProcessHeapHeapFreeVirtualFree
String ID:
API String ID: 3842653680-0
Opcode ID: 18c634abe08efcbefc55c9db1d620b030a08f63fe7277eb6ecf1dfb863243027
Instruction ID: c74000fe1f08e302fb3e428a7eb38cba65dd626a731774cc3da5921c0d19fb8b
Opcode Fuzzy Hash: 05E06801058482C6E4EC38C40607F0867817F8B269D70AB2809F62E7F7C985A25D5E80
Instruction Fuzzy Hash: c74000fe1f08e302fb3e428a7eb38cba65dd626a731774cc3da5921c0d19fb8b

APIs

FreeLibrary.KERNEL32(00000000,?,?,00000000,?,00000000,00465C6C), ref: 004660A7
VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,?,00000000,00465C6C), ref: 004660D8
GetProcessHeap.KERNEL32(00000000,?,?,?,00000000,?,00000000,00465C6C), ref: 004660E0
HeapFree.KERNEL32(00000000,00000000,?), ref: 004660E6

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A218, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45 Total matches: 35

Similarity

Total matches: 35
API ID: ShellExecuteEx
String ID: <$runas
API String ID: 188261505-1187129395
Opcode ID: 78fd917f465efea932f782085a819b786d64ecbded851ad2becd4a9c2b295cba
Instruction ID: 699417cfffd9d2823bf050fc300394e0ca4864bf277244f982f3937778f2d3bc
Opcode Fuzzy Hash: 44D0C2651799A06BC4A3B2C03C41B2B25307B13B48C0EB722960034CD38F080009EF85
Instruction Fuzzy Hash: 699417cfffd9d2823bf050fc300394e0ca4864bf277244f982f3937778f2d3bc

APIs

ShellExecuteExA.SHELL32(0000003C,00000000,0048A2A4), ref: 0048A283

Strings

runas, xrefs: 0048A268
<, xrefs: 0048A24C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00471640, Relevance: 4.6, APIs: 3, Instructions: 140 Total matches: 47service

Similarity

Total matches: 47
API ID: CloseServiceHandleEnumServicesStatusOpenSCManager
String ID:
API String ID: 233299287-0
Opcode ID: 185c547a2e6a35dbb7ea54b3dd23c7efef250d35a63269c87f9c499be03b9b38
Instruction ID: 4325fe5331610a1e4ee3b19dd885bf5302e7ab4f054d8126da991c50fe425a8d
Opcode Fuzzy Hash: D3112647077BC223FB612D841803F8279D84B1AA24F8C4B458BB5BC6F61E490105F69D
Instruction Fuzzy Hash: 4325fe5331610a1e4ee3b19dd885bf5302e7ab4f054d8126da991c50fe425a8d

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000005,00000000,00471828), ref: 004716A2
EnumServicesStatusA.ADVAPI32(00000000,0000013F,00000003,?,00004800,?,?,?), ref: 004716DC

Part of subcall function 004714B8: OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047159E), ref: 004714FD
Part of subcall function 004714B8: OpenServiceA.ADVAPI32(00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047152D
Part of subcall function 004714B8: StartServiceA.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471555
Part of subcall function 004714B8: ControlService.ADVAPI32(00000000,00000001,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471563
Part of subcall function 004714B8: QueryServiceStatus.ADVAPI32(00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047156D
Part of subcall function 004714B8: CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471573
Part of subcall function 004714B8: CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471579

CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000005,00000000,00471828), ref: 00471805

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042F204, Relevance: 166.5, APIs: 48, Strings: 47, Instructions: 266 Total matches: 2590libraryloader

Similarity

Total matches: 2590
API ID: GetProcAddress$LoadLibrary
String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$[FILE]
API String ID: 2209490600-790253602
Opcode ID: d5b316937265a1d63c550ac9e6780b23ae603b9b00a4eb52bbd2495b45327185
Instruction ID: cdd6db89471e363eb0c024dafd59dce8bdfa3de864d9ed8bc405e7c292d3cab1
Opcode Fuzzy Hash: 3A41197F44EC1149F6A0DA0830FF64324E669EAF2C0325F101587303717ADBF52A6AB9
Instruction Fuzzy Hash: cdd6db89471e363eb0c024dafd59dce8bdfa3de864d9ed8bc405e7c292d3cab1

APIs

LoadLibraryA.KERNEL32(uxtheme.dll), ref: 0042F23A
GetProcAddress.KERNEL32(00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F252
GetProcAddress.KERNEL32(00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F264
GetProcAddress.KERNEL32(00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F276
GetProcAddress.KERNEL32(00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F288
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F29A
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F2AC
GetProcAddress.KERNEL32(00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000), ref: 0042F2BE
GetProcAddress.KERNEL32(00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData), ref: 0042F2D0
GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData), ref: 0042F2E2
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground), ref: 0042F2F4
GetProcAddress.KERNEL32(00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText), ref: 0042F306
GetProcAddress.KERNEL32(00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect), ref: 0042F318
GetProcAddress.KERNEL32(00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect), ref: 0042F32A
GetProcAddress.KERNEL32(00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize), ref: 0042F33C
GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent), ref: 0042F34E
GetProcAddress.KERNEL32(00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics), ref: 0042F360
GetProcAddress.KERNEL32(00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion), ref: 0042F372
GetProcAddress.KERNEL32(00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground), ref: 0042F384
GetProcAddress.KERNEL32(00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge), ref: 0042F396
GetProcAddress.KERNEL32(00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon), ref: 0042F3A8
GetProcAddress.KERNEL32(00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined), ref: 0042F3BA
GetProcAddress.KERNEL32(00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent), ref: 0042F3CC
GetProcAddress.KERNEL32(00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor), ref: 0042F3DE
GetProcAddress.KERNEL32(00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric), ref: 0042F3F0
GetProcAddress.KERNEL32(00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString), ref: 0042F402
GetProcAddress.KERNEL32(00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool), ref: 0042F414
GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt), ref: 0042F426
GetProcAddress.KERNEL32(00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue), ref: 0042F438
GetProcAddress.KERNEL32(00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition), ref: 0042F44A
GetProcAddress.KERNEL32(00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont), ref: 0042F45C
GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect), ref: 0042F46E
GetProcAddress.KERNEL32(00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins), ref: 0042F480
GetProcAddress.KERNEL32(00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList), ref: 0042F492
GetProcAddress.KERNEL32(00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin), ref: 0042F4A4
GetProcAddress.KERNEL32(00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme), ref: 0042F4B6
GetProcAddress.KERNEL32(00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename), ref: 0042F4C8
GetProcAddress.KERNEL32(00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor), ref: 0042F4DA
GetProcAddress.KERNEL32(00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush), ref: 0042F4EC
GetProcAddress.KERNEL32(00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool), ref: 0042F4FE
GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize), ref: 0042F510
GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont), ref: 0042F522
GetProcAddress.KERNEL32(00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString), ref: 0042F534
GetProcAddress.KERNEL32(00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt), ref: 0042F546
GetProcAddress.KERNEL32(00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive), ref: 0042F558
GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed), ref: 0042F56A
GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground,00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme), ref: 0042F57C
GetProcAddress.KERNEL32(00000000,EnableTheming,00000000,DrawThemeParentBackground,00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture), ref: 0042F58E

Strings

EnableTheming, xrefs: 0042F586
CloseThemeData, xrefs: 0042F25C
DrawThemeText, xrefs: 0042F280
GetThemePosition, xrefs: 0042F3C4
IsThemeBackgroundPartiallyTransparent, xrefs: 0042F346
GetThemeBool, xrefs: 0042F38E
GetThemeTextMetrics, xrefs: 0042F2DA
IsThemeDialogTextureEnabled, xrefs: 0042F51A
GetThemeMetric, xrefs: 0042F36A
GetThemeSysInt, xrefs: 0042F4C0
GetThemeInt, xrefs: 0042F3A0
SetThemeAppProperties, xrefs: 0042F53E
IsAppThemed, xrefs: 0042F4E4
EnableThemeDialogTexture, xrefs: 0042F508
GetThemeEnumValue, xrefs: 0042F3B2
GetThemeSysSize, xrefs: 0042F48A
GetThemeTextExtent, xrefs: 0042F2C8
DrawThemeBackground, xrefs: 0042F26E
GetThemeBackgroundRegion, xrefs: 0042F2EC
IsThemeActive, xrefs: 0042F4D2
GetThemeBackgroundContentRect, xrefs: 0042F292, 0042F2A4
uxtheme.dll, xrefs: 0042F235
GetThemeSysString, xrefs: 0042F4AE
DrawThemeEdge, xrefs: 0042F310
GetThemeFilename, xrefs: 0042F442
GetThemeIntList, xrefs: 0042F40C
GetThemeSysBool, xrefs: 0042F478
GetThemeSysColor, xrefs: 0042F454
GetThemeFont, xrefs: 0042F3D6
GetWindowTheme, xrefs: 0042F4F6
GetThemeMargins, xrefs: 0042F3FA
GetThemeSysColorBrush, xrefs: 0042F466
GetCurrentThemeName, xrefs: 0042F550
GetThemeAppProperties, xrefs: 0042F52C
GetThemePropertyOrigin, xrefs: 0042F41E
OpenThemeData, xrefs: 0042F24A
GetThemeSysFont, xrefs: 0042F49C
GetThemeRect, xrefs: 0042F3E8
GetThemeDocumentationProperty, xrefs: 0042F562
IsThemePartDefined, xrefs: 0042F334
SetWindowTheme, xrefs: 0042F430
GetThemePartSize, xrefs: 0042F2B6
GetThemeColor, xrefs: 0042F358
DrawThemeParentBackground, xrefs: 0042F574
DrawThemeIcon, xrefs: 0042F322
GetThemeString, xrefs: 0042F37C
HitTestThemeBackground, xrefs: 0042F2FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004754C4, Relevance: 87.7, APIs: 29, Strings: 21, Instructions: 233 Total matches: 21libraryloaderprocess

Similarity

Total matches: 21
API ID: GetModuleHandleGetProcAddress$CreateProcess
String ID: CloseHandle$CreateMutexA$CreateProcessA$D$DCPERSFWBP$ExitThread$GetExitCodeProcess$GetLastError$GetProcAddress$LoadLibraryA$MessageBoxA$OpenProcess$SetLastError$Sleep$TerminateProcess$WaitForSingleObject$kernel32$[FILE]$notepad$user32$[FILE]
API String ID: 3751337051-3523759359
Opcode ID: 948186da047cc935dcd349cc6fe59913c298c2f7fe37e158e253dfef2729ac1f
Instruction ID: 4cc698827aad1f96db961776656dbb42e561cfa105640199e72939f2d3a7da76
Opcode Fuzzy Hash: 0C31B4E666B8F349E6362E4830D46BC26C1A687F3DB52D7004A37B27C46E810407F776
Instruction Fuzzy Hash: 4cc698827aad1f96db961776656dbb42e561cfa105640199e72939f2d3a7da76

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 00475590

Part of subcall function 00474D58: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?,00000000,00000000,00000000,?,004755A7), ref: 00474D98
Part of subcall function 00474D58: WriteProcessMemory.KERNEL32(?,00000000,kernel32.dll,?,?,?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?), ref: 00474DBE

GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756B4
GetProcAddress.KERNEL32(00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756BA
GetModuleHandleA.KERNEL32(kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756CB
GetProcAddress.KERNEL32(00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756D1
GetModuleHandleA.KERNEL32(kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756E3
GetProcAddress.KERNEL32(00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 004756E9
GetModuleHandleA.KERNEL32(user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 004756FB
GetProcAddress.KERNEL32(00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 00475701
GetModuleHandleA.KERNEL32(kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 00475713
GetProcAddress.KERNEL32(00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000), ref: 00475719
GetModuleHandleA.KERNEL32(kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32), ref: 0047572B
GetProcAddress.KERNEL32(00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000), ref: 00475731
GetModuleHandleA.KERNEL32(kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32), ref: 00475743
GetProcAddress.KERNEL32(00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000), ref: 00475749
GetModuleHandleA.KERNEL32(kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32), ref: 0047575B
GetProcAddress.KERNEL32(00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000), ref: 00475761
GetModuleHandleA.KERNEL32(kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32), ref: 00475773
GetProcAddress.KERNEL32(00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000), ref: 00475779
GetModuleHandleA.KERNEL32(kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32), ref: 0047578B
GetProcAddress.KERNEL32(00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000), ref: 00475791
GetModuleHandleA.KERNEL32(kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32), ref: 004757A3
GetProcAddress.KERNEL32(00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000), ref: 004757A9
GetModuleHandleA.KERNEL32(kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32), ref: 004757BB
GetProcAddress.KERNEL32(00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000), ref: 004757C1
GetModuleHandleA.KERNEL32(kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32), ref: 004757D3
GetProcAddress.KERNEL32(00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000), ref: 004757D9
GetModuleHandleA.KERNEL32(kernel32,OpenProcess,00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32), ref: 004757EB
GetProcAddress.KERNEL32(00000000,kernel32,OpenProcess,00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000), ref: 004757F1

Part of subcall function 00474E20: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00474E5E
Part of subcall function 00474E20: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00474E6E
Part of subcall function 00474E20: ReadProcessMemory.KERNEL32(?,00000000,?,?,?,DCPERSFWBP,?,?), ref: 00474E81

Part of subcall function 0040F234: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0048F90F,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040F24B

Strings

ExitThread, xrefs: 00475622, 00475799
kernel32, xrefs: 004756AF, 004756C6, 004756DE, 0047570E, 00475726, 0047573E, 00475756, 0047576E, 00475786, 0047579E, 004757B6, 004757CE, 004757E6
GetProcAddress, xrefs: 004756C1
TerminateProcess, xrefs: 0047564C, 004757B1
notepad, xrefs: 00475543
CreateMutexA, xrefs: 00475604, 00475769
kernel32.dll, xrefs: 0047559B
user32.dll, xrefs: 004755AA
SetLastError, xrefs: 004755F5, 00475751
D, xrefs: 00475517
DCPERSFWBP, xrefs: 00475563
Sleep, xrefs: 004755B9, 004756D9
GetExitCodeProcess, xrefs: 0047565B, 00475781
user32, xrefs: 004756F6
WaitForSingleObject, xrefs: 0047567E, 004757C9
LoadLibraryA, xrefs: 004756AA
OpenProcess, xrefs: 00475631, 004757E1
MessageBoxA, xrefs: 004755C8, 004756F1
CreateProcessA, xrefs: 004755D7, 00475721
GetLastError, xrefs: 004755E6, 00475739
CloseHandle, xrefs: 00475613, 00475709

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00460DDC, Relevance: 75.4, APIs: 24, Strings: 19, Instructions: 132 Total matches: 77libraryloader

Similarity

Total matches: 77
API ID: GetProcAddress$LoadLibrary
String ID: EmptyWorkingSet$EnumDeviceDrivers$EnumProcessModules$EnumProcesses$GetDeviceDriverBaseNameA$GetDeviceDriverBaseNameW$GetDeviceDriverFileNameA$GetDeviceDriverFileNameW$GetMappedFileNameA$GetMappedFileNameW$GetModuleBaseNameA$GetModuleBaseNameW$GetModuleFileNameExA$GetModuleFileNameExW$GetModuleInformation$GetProcessMemoryInfo$InitializeProcessForWsWatch$[FILE]$QueryWorkingSet
API String ID: 2209490600-4166134900
Opcode ID: aaefed414f62a40513f9ac2234ba9091026a29d00b8defe743cdf411cc1f958a
Instruction ID: 585c55804eb58d57426aaf25b5bf4c27b161b10454f9e43d23d5139f544de849
Opcode Fuzzy Hash: CC1125BF55AD1149CBA48A6C34EF70324D3399A90D4228F10A492317397DDFE49A1FB5
Instruction Fuzzy Hash: 585c55804eb58d57426aaf25b5bf4c27b161b10454f9e43d23d5139f544de849

APIs

LoadLibraryA.KERNEL32(PSAPI.dll), ref: 00460DF0
GetProcAddress.KERNEL32(00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E0C
GetProcAddress.KERNEL32(00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E1E
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E30
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E42
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E54
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E66
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll), ref: 00460E78
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses), ref: 00460E8A
GetProcAddress.KERNEL32(00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules), ref: 00460E9C
GetProcAddress.KERNEL32(00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA), ref: 00460EAE
GetProcAddress.KERNEL32(00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA), ref: 00460EC0
GetProcAddress.KERNEL32(00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA), ref: 00460ED2
GetProcAddress.KERNEL32(00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA), ref: 00460EE4
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW), ref: 00460EF6
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW), ref: 00460F08
GetProcAddress.KERNEL32(00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation), ref: 00460F1A
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet), ref: 00460F2C
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet), ref: 00460F3E
GetProcAddress.KERNEL32(00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch), ref: 00460F50
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA), ref: 00460F62
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA), ref: 00460F74
GetProcAddress.KERNEL32(00000000,EnumDeviceDrivers,00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA), ref: 00460F86
GetProcAddress.KERNEL32(00000000,GetProcessMemoryInfo,00000000,EnumDeviceDrivers,00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA), ref: 00460F98

Strings

GetDeviceDriverFileNameA, xrefs: 00460F00, 00460F36
GetModuleInformation, xrefs: 00460E94
QueryWorkingSet, xrefs: 00460EB8
EnumProcessModules, xrefs: 00460E16
InitializeProcessForWsWatch, xrefs: 00460ECA
GetMappedFileNameA, xrefs: 00460EDC, 00460F12
GetDeviceDriverFileNameW, xrefs: 00460F6C
GetDeviceDriverBaseNameA, xrefs: 00460EEE, 00460F24
PSAPI.dll, xrefs: 00460DEB
EnumProcesses, xrefs: 00460E04
EnumDeviceDrivers, xrefs: 00460F7E
GetModuleBaseNameA, xrefs: 00460E28, 00460E4C
GetModuleFileNameExA, xrefs: 00460E3A, 00460E5E
GetDeviceDriverBaseNameW, xrefs: 00460F5A
EmptyWorkingSet, xrefs: 00460EA6
GetModuleFileNameExW, xrefs: 00460E82
GetModuleBaseNameW, xrefs: 00460E70
GetMappedFileNameW, xrefs: 00460F48
GetProcessMemoryInfo, xrefs: 00460F90

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474F80, Relevance: 68.4, APIs: 23, Strings: 16, Instructions: 193 Total matches: 16libraryloaderprocess

Similarity

Total matches: 16
API ID: GetModuleHandleGetProcAddress$CreateProcess
String ID: CloseHandle$D$DeleteFileA$ExitThread$GetExitCodeProcess$GetLastError$GetProcAddress$LoadLibraryA$MessageBoxA$OpenProcess$Sleep$TerminateProcess$kernel32$[FILE]$notepad$[FILE]
API String ID: 3751337051-1992750546
Opcode ID: f3e5bd14b9eca4547e1d82111e60eaf505a3b72a2acd12d9f4d60f775fac33f7
Instruction ID: 521cd1f5f1d68558a350981a4af58b67496248f6491df8a54ee4dd11dd84c66b
Opcode Fuzzy Hash: 6C21A7BE2678E349F6766E1834D567C2491BA46A38B4AEB010237376C44F91000BFF76
Instruction Fuzzy Hash: 521cd1f5f1d68558a350981a4af58b67496248f6491df8a54ee4dd11dd84c66b

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0047500B

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

Part of subcall function 00474D58: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?,00000000,00000000,00000000,?,004755A7), ref: 00474D98
Part of subcall function 00474D58: WriteProcessMemory.KERNEL32(?,00000000,kernel32.dll,?,?,?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?), ref: 00474DBE

GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000,00475246), ref: 0047511C
GetProcAddress.KERNEL32(00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000,00475246), ref: 00475122
GetModuleHandleA.KERNEL32(kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000), ref: 00475133
GetProcAddress.KERNEL32(00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 00475139
GetModuleHandleA.KERNEL32(kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000), ref: 0047514B
GetProcAddress.KERNEL32(00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000), ref: 00475151
GetModuleHandleA.KERNEL32(kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000), ref: 00475163
GetProcAddress.KERNEL32(00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000), ref: 00475169
GetModuleHandleA.KERNEL32(kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000), ref: 0047517B
GetProcAddress.KERNEL32(00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000), ref: 00475181
GetModuleHandleA.KERNEL32(kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32), ref: 00475193
GetProcAddress.KERNEL32(00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000), ref: 00475199
GetModuleHandleA.KERNEL32(kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32), ref: 004751AB
GetProcAddress.KERNEL32(00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000), ref: 004751B1
GetModuleHandleA.KERNEL32(kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32), ref: 004751C3
GetProcAddress.KERNEL32(00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000), ref: 004751C9
GetModuleHandleA.KERNEL32(kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32), ref: 004751DB
GetProcAddress.KERNEL32(00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000), ref: 004751E1
GetModuleHandleA.KERNEL32(kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32), ref: 004751F3
GetProcAddress.KERNEL32(00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000), ref: 004751F9
GetModuleHandleA.KERNEL32(kernel32,GetExitCodeProcess,00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32), ref: 0047520B
GetProcAddress.KERNEL32(00000000,kernel32,GetExitCodeProcess,00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000), ref: 00475211

Part of subcall function 00474E20: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00474E5E
Part of subcall function 00474E20: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00474E6E
Part of subcall function 00474E20: ReadProcessMemory.KERNEL32(?,00000000,?,?,?,DCPERSFWBP,?,?), ref: 00474E81

Part of subcall function 0040F234: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0048F90F,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040F24B

Strings

DeleteFileA, xrefs: 0047509B, 00475189
user32.dll, xrefs: 0047505F
LoadLibraryA, xrefs: 00475112
Sleep, xrefs: 0047506E, 00475141
notepad, xrefs: 00475025
OpenProcess, xrefs: 004750D7, 004751E9
kernel32.dll, xrefs: 00475050
GetProcAddress, xrefs: 00475129
ExitThread, xrefs: 0047508C, 00475171
TerminateProcess, xrefs: 004750B9, 004751B9
kernel32, xrefs: 00475117, 0047512E, 00475146, 0047515E, 00475176, 0047518E, 004751A6, 004751BE, 004751D6, 004751EE, 00475206
MessageBoxA, xrefs: 0047507D, 00475159
CloseHandle, xrefs: 004750C8, 004751D1
GetLastError, xrefs: 004750AA, 004751A1
GetExitCodeProcess, xrefs: 004750E6, 00475201
D, xrefs: 00474FC9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045D6E8, Relevance: 49.1, APIs: 15, Strings: 13, Instructions: 95 Total matches: 1532libraryloader

Similarity

Total matches: 1532
API ID: GetProcAddress$SetErrorMode$GetModuleHandleLoadLibrary
String ID: ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME$[FILE]
API String ID: 4285671783-683095915
Opcode ID: 6332f91712b4189a2fbf9eac54066364acf4b46419cf90587b9f7381acad85db
Instruction ID: 372e34bc737a7edc69a1909bd40661afaf820c1de602df88552da6e630419b72
Opcode Fuzzy Hash: 0A01257F24D863CBD2D0CE4934DB39D20B65787C0C8D6DF404605318697F9BF9295A68
Instruction Fuzzy Hash: 372e34bc737a7edc69a1909bd40661afaf820c1de602df88552da6e630419b72

APIs

SetErrorMode.KERNEL32(00008000), ref: 0045D701
GetModuleHandleA.KERNEL32(USER32,00000000,0045D84E,?,00008000), ref: 0045D725
GetProcAddress.KERNEL32(00000000,WINNLSEnableIME,USER32,00000000,0045D84E,?,00008000), ref: 0045D732
LoadLibraryA.KERNEL32(imm32.dll), ref: 0045D74E
GetProcAddress.KERNEL32(00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D770
GetProcAddress.KERNEL32(00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D785
GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D79A
GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7AF
GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7C4
GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E), ref: 0045D7D9
GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000), ref: 0045D7EE
GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext), ref: 0045D803
GetProcAddress.KERNEL32(00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext), ref: 0045D818
GetProcAddress.KERNEL32(00000000,ImmNotifyIME,00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus), ref: 0045D82D
SetErrorMode.KERNEL32(?,0045D855,00008000), ref: 0045D848

Strings

USER32, xrefs: 0045D720
ImmReleaseContext, xrefs: 0045D77A
ImmNotifyIME, xrefs: 0045D822
ImmIsIME, xrefs: 0045D80D
ImmGetConversionStatus, xrefs: 0045D78F
ImmSetCompositionFontA, xrefs: 0045D7E3
ImmGetCompositionStringA, xrefs: 0045D7F8
ImmSetCompositionWindow, xrefs: 0045D7CE
ImmGetContext, xrefs: 0045D765
imm32.dll, xrefs: 0045D749
ImmSetOpenStatus, xrefs: 0045D7B9
WINNLSEnableIME, xrefs: 0045D72C
ImmSetConversionStatus, xrefs: 0045D7A4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004104F0, Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141 Total matches: 3143

Similarity

Total matches: 3143
API ID: GetModuleHandle
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$[FILE]
API String ID: 2196120668-1102361026
Opcode ID: d04b3c176625d43589df9c4c1eaa1faa8af9b9c00307a8a09859a0e62e75f2dc
Instruction ID: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6
Opcode Fuzzy Hash: B8119E48E06A10BC356E3ED6B0292683F50A1A7CBF31D5388487AA46F067C083C0FF2D
Instruction Fuzzy Hash: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 004104F9

Part of subcall function 004104C4: GetProcAddress.KERNEL32(00000000), ref: 004104DD

Strings

VarMod, xrefs: 004105B7
VarBstrFromCy, xrefs: 004106A9
VarBstrFromBool, xrefs: 004106D5
VarAnd, xrefs: 004105CD
VarDateFromStr, xrefs: 00410667
oleaut32.dll, xrefs: 004104F4
VariantChangeTypeEx, xrefs: 00410507
VarCmp, xrefs: 0041060F
VarBstrFromDate, xrefs: 004106BF
VarBoolFromStr, xrefs: 00410693
VarR8FromStr, xrefs: 00410651
VarR4FromStr, xrefs: 0041063B
VarDiv, xrefs: 0041058B
VarSub, xrefs: 0041055F
VarNeg, xrefs: 0041051D
VarAdd, xrefs: 00410549
VarOr, xrefs: 004105E3
VarMul, xrefs: 00410575
VarI4FromStr, xrefs: 00410625
VarCyFromStr, xrefs: 0041067D
VarIdiv, xrefs: 004105A1
VarXor, xrefs: 004105F9
VarNot, xrefs: 00410533

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047EE3C, Relevance: 37.0, APIs: 10, Strings: 11, Instructions: 210 Total matches: 14file

Similarity

Total matches: 14
API ID: ShellExecute$CopyFile$DeleteFilePlaySoundSetFileAttributes
String ID: .dcp$BATCH$EDITSVR$GENCODE$HOSTS$SOUND$UPANDEXEC$UPDATE$UPLOADEXEC$drivers\etc\hosts$open
API String ID: 313780579-486951257
Opcode ID: 44d22e170a376e2c3ac9494fe8a96a526e5340482cd9b2ca1a65bf3f31ad22f8
Instruction ID: 609fd5320f3736894535b51981f95e3d4faf5b0f44a63c85dacee75dc97e5f91
Opcode Fuzzy Hash: 482159C03AA5D247E11B38503C02FC671E1AB8B365C4E774182B9B32D6EF825029EF59
Instruction Fuzzy Hash: 609fd5320f3736894535b51981f95e3d4faf5b0f44a63c85dacee75dc97e5f91

APIs

ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EEA0
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF11
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EF31
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF60

Part of subcall function 00475BD8: closesocket.WSOCK32(00000248,00000000,00475D47,?,00000000,00475D76,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00475D2E
Part of subcall function 00475BD8: GetCurrentProcessId.KERNEL32(00000248,00000000,00475D47,?,00000000,00475D76,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00475D33

ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0047EF96
CopyFileA.KERNEL32(00000000,00000000,.dcp), ref: 0047F0D1

Part of subcall function 00489C78: GetSystemDirectoryA.KERNEL32(00000000,?), ref: 00489CB4

SetFileAttributesA.KERNEL32(00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFD6
DeleteFileA.KERNEL32(00000000,00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFFF
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0047F033
PlaySoundA.WINMM(00000000,00000000,00000001,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047F059

Strings

UPANDEXEC, xrefs: 0047EF74
UPLOADEXEC, xrefs: 0047EE7E
BATCH, xrefs: 0047EEC3
drivers\etc\hosts, xrefs: 0047EFC3, 0047EFE6, 0047F017
GENCODE, xrefs: 0047F0A0
UPDATE, xrefs: 0047EF3E
open, xrefs: 0047EE99, 0047EF0A, 0047EF2A, 0047EF59, 0047EF8F
HOSTS, xrefs: 0047EFA3
.dcp, xrefs: 0047F0AD
SOUND, xrefs: 0047F040
EDITSVR, xrefs: 0047F063

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00489580, Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 221 Total matches: 17pipewindowsleep

Similarity

Total matches: 17
API ID: CloseHandleCreatePipePeekNamedPipe$CreateProcessDispatchMessageGetEnvironmentVariableGetExitCodeProcessOemToCharPeekMessageReadFileSleepTerminateProcessTranslateMessage
String ID: COMSPEC$D
API String ID: 4101216710-942777791
Opcode ID: 98b6063c36b7c4f9ee270a2712a57a54142ac9cf893dea9da1c9317ddc3726ed
Instruction ID: f750be379b028122e82cf807415e9f3aafae13f02fb218c552ebf65ada2f023f
Opcode Fuzzy Hash: 6221AE4207BD57A3E5972A046403B841372FF43A68F6CA7A2A6FD367E9CE400099FE14
Instruction Fuzzy Hash: f750be379b028122e82cf807415e9f3aafae13f02fb218c552ebf65ada2f023f

APIs

CreatePipe.KERNEL32(FFFFFFFF,?,00000000,00000000), ref: 004895ED
CreatePipe.KERNEL32(?,?,00000000,00000000,FFFFFFFF,?,00000000,00000000), ref: 004895FD
GetEnvironmentVariableA.KERNEL32(COMSPEC,?,00000104,?,?,00000000,00000000,FFFFFFFF,?,00000000,00000000), ref: 00489613
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?), ref: 00489668
Sleep.KERNEL32(000007D0,00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,COMSPEC,?,00000104,?,?), ref: 00489685
TranslateMessage.USER32(?), ref: 00489693
DispatchMessageA.USER32(?), ref: 0048969F
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004896B3
GetExitCodeProcess.KERNEL32(?,?), ref: 004896C8
PeekNamedPipe.KERNEL32(FFFFFFFF,00000000,00000000,00000000,?,00000000,?,?,?,00000000,00000000,00000000,00000001,?,?,?), ref: 004896F2
ReadFile.KERNEL32(FFFFFFFF,?,00002400,00000000,00000000), ref: 00489717
OemToCharA.USER32(?,?), ref: 0048972E
PeekNamedPipe.KERNEL32(FFFFFFFF,00000000,00000000,00000000,00000000,00000000,?,FFFFFFFF,?,00002400,00000000,00000000,FFFFFFFF,00000000,00000000,00000000), ref: 00489781

Part of subcall function 0041FA34: GetLastError.KERNEL32(00486514,00000004,0048650C,00000000,0041FADE,?,00499F5C), ref: 0041FA94

Part of subcall function 0041FC40: SetThreadPriority.KERNEL32(?,015CDB28,00499F5C,?,0047EC9E,?,?,?,00000000,00000000,?,0049062B), ref: 0041FC55

Part of subcall function 0041FEF0: ResumeThread.KERNEL32(?,00499F5C,?,0047ECAA,?,?,?,00000000,00000000,?,0049062B), ref: 0041FEF8

Part of subcall function 0041FF20: GetCurrentThreadId.KERNEL32 ref: 0041FF2E
Part of subcall function 0041FF20: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0041FF5A
Part of subcall function 0041FF20: MsgWaitForMultipleObjects.USER32(00000002,?,00000000,000003E8,00000040), ref: 0041FF6F
Part of subcall function 0041FF20: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041FF9C
Part of subcall function 0041FF20: GetExitCodeThread.KERNEL32(?,?,?,000000FF), ref: 0041FFA7

TerminateProcess.KERNEL32(?,00000000,00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,COMSPEC,?,00000104,?), ref: 0048980A
CloseHandle.KERNEL32(?), ref: 00489813
CloseHandle.KERNEL32(?), ref: 0048981C

Strings

D, xrefs: 00489627
COMSPEC, xrefs: 0048960E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004291D0, Relevance: 31.7, APIs: 21, Instructions: 194 Total matches: 3060window

Similarity

Total matches: 3060
API ID: SelectObject$CreateCompatibleDCDeleteDCRealizePaletteSelectPaletteSetBkColor$BitBltCreateBitmapDeleteObjectGetDCGetObjectPatBltReleaseDC
String ID:
API String ID: 628774946-0
Opcode ID: fe3971f2977393a3c43567018b8bbe78de127415e632ac21538e816cc0dd5250
Instruction ID: 6115c1c3159ef7867d394253bd6a45f4e10092e6f2e7cc69ab30c5ac2c74a228
Opcode Fuzzy Hash: 2911294A05CCF32B64B579881983B261182FE43B52CABF7105979272CACF41740DE457
Instruction Fuzzy Hash: 6115c1c3159ef7867d394253bd6a45f4e10092e6f2e7cc69ab30c5ac2c74a228

APIs

GetObjectA.GDI32(?,00000054,?), ref: 004291F3
GetDC.USER32(00000000), ref: 00429221
CreateCompatibleDC.GDI32(?), ref: 00429232
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0042924D
SelectObject.GDI32(?,00000000), ref: 00429267
PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 00429289
CreateCompatibleDC.GDI32(?), ref: 00429297
DeleteDC.GDI32(?), ref: 0042937D

Part of subcall function 00428B08: GetObjectA.GDI32(00000000,00000054,?), ref: 00428B88
Part of subcall function 00428B08: GetDC.USER32(00000000), ref: 00428B99
Part of subcall function 00428B08: CreateCompatibleDC.GDI32(00000000), ref: 00428BAA
Part of subcall function 00428B08: CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 00428BF6
Part of subcall function 00428B08: CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 00428C1A
Part of subcall function 00428B08: GetDeviceCaps.GDI32(00000028,0000000C), ref: 00428C6A
Part of subcall function 00428B08: GetDeviceCaps.GDI32(00000028,0000000E), ref: 00428C77
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00428D21
Part of subcall function 00428B08: GetDIBColorTable.GDI32(?,00000000,00000100,-00000027), ref: 00428D47
Part of subcall function 00428B08: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428D72
Part of subcall function 00428B08: SelectObject.GDI32(?,?), ref: 00428D7F
Part of subcall function 00428B08: CreateDIBSection.GDI32(00000028,00000001,00000000,00000003,00000000,00000000), ref: 00428DD5
Part of subcall function 00428B08: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428E36
Part of subcall function 00428B08: SelectObject.GDI32(?,?), ref: 00428E77
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,00000000), ref: 00428EB7
Part of subcall function 00428B08: RealizePalette.GDI32(?), ref: 00428EC3
Part of subcall function 00428B08: FillRect.USER32(?,?,00000000), ref: 00428F14
Part of subcall function 00428B08: SetTextColor.GDI32(?,00000000), ref: 00428F2C
Part of subcall function 00428B08: SetBkColor.GDI32(?,00000000), ref: 00428F46
Part of subcall function 00428B08: SetDIBColorTable.GDI32(?,00000000,00000002,?), ref: 00428F8E
Part of subcall function 00428B08: PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 00428FB0
Part of subcall function 00428B08: CreateCompatibleDC.GDI32(00000028), ref: 00428FC3
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00428FE6
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,00000000), ref: 00429002
Part of subcall function 00428B08: RealizePalette.GDI32(?), ref: 0042900D
Part of subcall function 00428B08: SetTextColor.GDI32(?,00000000), ref: 0042902B
Part of subcall function 00428B08: SetBkColor.GDI32(?,00000000), ref: 00429045
Part of subcall function 00428B08: BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042906D
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,000000FF), ref: 0042907F
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00429089
Part of subcall function 00428B08: DeleteDC.GDI32(?), ref: 004290A4
Part of subcall function 00428B08: SelectPalette.GDI32(?,?,000000FF), ref: 004290CE

SelectObject.GDI32(?), ref: 004292DF
SelectPalette.GDI32(?,?,00000000), ref: 004292F2
RealizePalette.GDI32(?), ref: 004292FB
SelectPalette.GDI32(?,?,00000000), ref: 00429307
RealizePalette.GDI32(?), ref: 00429310
SetBkColor.GDI32(?), ref: 0042931A
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042933E
SetBkColor.GDI32(?,00000000), ref: 00429348
SelectObject.GDI32(?,00000000), ref: 0042935B
DeleteObject.GDI32 ref: 00429367
SelectObject.GDI32(?,00000000), ref: 00429398
DeleteDC.GDI32(00000000), ref: 004293B4
ReleaseDC.USER32(00000000,00000000), ref: 004293C5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004031FC, Relevance: 27.1, APIs: 9, Strings: 9, Instructions: 110 Total matches: 169

Similarity

Total matches: 169
API ID: CharNext
String ID: $ $ $"$"$"$"$"$"
API String ID: 3213498283-3597982963
Opcode ID: a78e52ca640c3a7d11d18e4cac849d6c7481ab065be4a6ef34a7c34927dd7892
Instruction ID: 5d6dbb870b020a65ba4fa9e31a5dda400ef744f15fc7bff5e21739e263984da5
Opcode Fuzzy Hash: D0F054139ED4432360976B416872B44E2D0DF9564D2C01F185B62BE2F31E696D62F9DC
Instruction Fuzzy Hash: 5d6dbb870b020a65ba4fa9e31a5dda400ef744f15fc7bff5e21739e263984da5

APIs

CharNextA.USER32(00000000), ref: 00403208
CharNextA.USER32(00000000), ref: 00403236
CharNextA.USER32(00000000), ref: 00403240
CharNextA.USER32(00000000), ref: 0040325F
CharNextA.USER32(00000000), ref: 00403269
CharNextA.USER32(00000000), ref: 00403295
CharNextA.USER32(00000000), ref: 0040329F
CharNextA.USER32(00000000), ref: 004032C7
CharNextA.USER32(00000000), ref: 004032D1

Strings

", xrefs: 00403230
, xrefs: 004032E9
", xrefs: 0040328F
", xrefs: 0040321E
, xrefs: 00403214
", xrefs: 00403254
, xrefs: 00403278
", xrefs: 00403219
", xrefs: 004032BC

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00472E88, Relevance: 26.4, APIs: 6, Strings: 9, Instructions: 199 Total matches: 19network

Similarity

Total matches: 19
API ID: inet_ntoa$WSAIoctlclosesocketsocket
String ID: Broadcast adress : $ Broadcasts : NO$ Broadcasts : YES$ IP : $ IP Mask : $ Loopback interface$ Network interface$ Status : DOWN$ Status : UP
API String ID: 2271367613-1810517698
Opcode ID: 3d4dbe25dc82bdd7fd028c6f91bddee7ad6dc1d8a686e5486e056cbc58026438
Instruction ID: 018b2a24353d4e3a07e7e79b390110fecb7011e72bd4e8fb6250bb24c4a02172
Opcode Fuzzy Hash: E22138C22338E1B2D42A39C6B500F80B651671FB7EF481F9652B6FFDC26E488005A749
Instruction Fuzzy Hash: 018b2a24353d4e3a07e7e79b390110fecb7011e72bd4e8fb6250bb24c4a02172

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00473108), ref: 00472EC7
WSAIoctl.WS2_32(000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000), ref: 00472F08
inet_ntoa.WSOCK32(?,00000000,004730D5,?,00000002,00000001,00000000,00000000,00473108), ref: 00472F40
inet_ntoa.WSOCK32(?,00473130,?, IP : ,?,?,00000000,004730D5,?,00000002,00000001,00000000,00000000,00473108), ref: 00472F81
inet_ntoa.WSOCK32(?,00473130,?, IP Mask : ,?,?,00473130,?, IP : ,?,?,00000000,004730D5,?,00000002,00000001), ref: 00472FC2
closesocket.WSOCK32(000000FF,00000002,00000001,00000000,00000000,00473108), ref: 004730E3

Strings

Broadcast adress : , xrefs: 00472FCB
Status : UP, xrefs: 00473001
IP Mask : , xrefs: 00472F8A
Broadcasts : NO, xrefs: 00473057
Status : DOWN, xrefs: 0047301B
IP : , xrefs: 00472F49
Broadcasts : YES, xrefs: 0047303D
Network interface, xrefs: 00473091
Loopback interface, xrefs: 00473077

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045944C, Relevance: 25.8, APIs: 17, Instructions: 258 Total matches: 99

Similarity

Total matches: 99
API ID: OffsetRect$MapWindowPoints$DrawEdgeExcludeClipRectFillRectGetClientRectGetRgnBoxGetWindowDCGetWindowLongGetWindowRectInflateRectIntersectClipRectIntersectRectReleaseDC
String ID:
API String ID: 549690890-0
Opcode ID: 4a5933c45267f4417683cc1ac528043082b1f46eca0dcd21c58a50742ec4aa88
Instruction ID: 2ecbe6093ff51080a4fa1a6c7503b414327ded251fe39163baabcde2d7402924
Opcode Fuzzy Hash: DE316B4D01AF1663F073A6401983F7A1516FF43A89CD837F27EE63235E27662066AA03
Instruction Fuzzy Hash: 2ecbe6093ff51080a4fa1a6c7503b414327ded251fe39163baabcde2d7402924

APIs

GetWindowDC.USER32(00000000), ref: 00459480
GetClientRect.USER32(00000000,?), ref: 004594A3
GetWindowRect.USER32(00000000,?), ref: 004594B5
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 004594CB
OffsetRect.USER32(?,?,?), ref: 004594E0
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 004594F9
InflateRect.USER32(?,00000000,00000000), ref: 00459517
GetWindowLongA.USER32(00000000,000000F0), ref: 00459531
DrawEdge.USER32(?,?,?,00000008), ref: 00459630
IntersectClipRect.GDI32(?,?,?,?,?), ref: 00459649
OffsetRect.USER32(?,?,?), ref: 00459673
GetRgnBox.GDI32(?,?), ref: 00459682
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 00459698
IntersectRect.USER32(?,?,?), ref: 004596A9
OffsetRect.USER32(?,?,?), ref: 004596BE

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?,00000000), ref: 004596DA
ReleaseDC.USER32(00000000,?), ref: 004596F9

Part of subcall function 004328FC: GetWindowLongA.USER32(00000000,000000EC), ref: 00432917
Part of subcall function 004328FC: GetWindowRect.USER32(00000000,?), ref: 00432932
Part of subcall function 004328FC: OffsetRect.USER32(?,?,?), ref: 00432947
Part of subcall function 004328FC: GetWindowDC.USER32(00000000), ref: 00432955
Part of subcall function 004328FC: GetWindowLongA.USER32(00000000,000000F0), ref: 00432986
Part of subcall function 004328FC: GetSystemMetrics.USER32(00000002), ref: 0043299B
Part of subcall function 004328FC: GetSystemMetrics.USER32(00000003), ref: 004329A4
Part of subcall function 004328FC: InflateRect.USER32(?,000000FE,000000FE), ref: 004329B3
Part of subcall function 004328FC: GetSysColorBrush.USER32(0000000F), ref: 004329E0
Part of subcall function 004328FC: FillRect.USER32(?,?,00000000), ref: 004329EE
Part of subcall function 004328FC: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00432A13
Part of subcall function 004328FC: ReleaseDC.USER32(00000000,?), ref: 00432A51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00465A0C, Relevance: 21.2, APIs: 6, Strings: 8, Instructions: 232 Total matches: 70memory

Similarity

Total matches: 70
API ID: VirtualAlloc$GetProcessHeapHeapAlloc
String ID: BTMemoryLoadLibary: BuildImportTable failed$BTMemoryLoadLibary: Can't attach library$BTMemoryLoadLibary: Get DLLEntyPoint failed$BTMemoryLoadLibary: IMAGE_NT_SIGNATURE is not valid$BTMemoryLoadLibary: VirtualAlloc failed$BTMemoryLoadLibary: dll dos header is not valid$MZ$PE
API String ID: 2488116186-3631919656
Opcode ID: 3af931fd5e956d794d4d8b2d9451c0c23910b02d2e1f96ee73557f06256af9ed
Instruction ID: 5201b0f892773e34eb121d15694a5594f27085db04a31d88d5a3aa16cfd2fb7b
Opcode Fuzzy Hash: C92170831B68E1B7FD6411983983F62168EE747E64EC5A7700375391DB6B09408DEB4E
Instruction Fuzzy Hash: 5201b0f892773e34eb121d15694a5594f27085db04a31d88d5a3aa16cfd2fb7b

APIs

VirtualAlloc.KERNEL32(?,?,00002000,00000004), ref: 00465AC1
VirtualAlloc.KERNEL32(00000000,?,00002000,00000004,?,?,00002000,00000004), ref: 00465ADC
GetProcessHeap.KERNEL32(00000000,00000011,?,?,00002000,00000004), ref: 00465B07
HeapAlloc.KERNEL32(00000000,00000000,00000011,?,?,00002000,00000004), ref: 00465B0D
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,00000000,00000000,00000011,?,?,00002000,00000004), ref: 00465B41
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,00000000,?,00001000,00000004,00000000,00000000,00000011,?,?,00002000,00000004), ref: 00465B55

Part of subcall function 004653A8: VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00465410
Part of subcall function 004653A8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004), ref: 0046545B

Part of subcall function 00465598: LoadLibraryA.KERNEL32(00000000), ref: 00465607
Part of subcall function 00465598: GetProcAddress.KERNEL32(?,?), ref: 00465737
Part of subcall function 00465598: GetProcAddress.KERNEL32(?,?), ref: 0046576B
Part of subcall function 00465598: IsBadReadPtr.KERNEL32(?,00000014,00000000,004657D8), ref: 004657A9

Part of subcall function 004658F4: VirtualFree.KERNEL32(?,?,00004000), ref: 00465939
Part of subcall function 004658F4: VirtualProtect.KERNEL32(?,?,00000000,?), ref: 004659A5

Part of subcall function 00466038: FreeLibrary.KERNEL32(00000000,?,?,00000000,?,00000000,00465C6C), ref: 004660A7
Part of subcall function 00466038: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,?,00000000,00465C6C), ref: 004660D8
Part of subcall function 00466038: GetProcessHeap.KERNEL32(00000000,?,?,?,00000000,?,00000000,00465C6C), ref: 004660E0
Part of subcall function 00466038: HeapFree.KERNEL32(00000000,00000000,?), ref: 004660E6

Strings

BTMemoryLoadLibary: BuildImportTable failed, xrefs: 00465BD5
BTMemoryLoadLibary: Can't attach library, xrefs: 00465C5A
BTMemoryLoadLibary: IMAGE_NT_SIGNATURE is not valid, xrefs: 00465A95
BTMemoryLoadLibary: VirtualAlloc failed, xrefs: 00465AEC
PE, xrefs: 00465A84
BTMemoryLoadLibary: dll dos header is not valid, xrefs: 00465A4E
MZ, xrefs: 00465A41
BTMemoryLoadLibary: Get DLLEntyPoint failed, xrefs: 00465C28

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004296E0, Relevance: 21.2, APIs: 14, Instructions: 217 Total matches: 2962window

Similarity

Total matches: 2962
API ID: GetDeviceCapsSelectObjectSelectPaletteSetStretchBltMode$CreateCompatibleDCDeleteDCGetBrushOrgExRealizePaletteSetBrushOrgExStretchBlt
String ID:
API String ID: 3308931694-0
Opcode ID: c4f23efe5e20e7f72d9787206ae9d4d4484ef6a1768b369050ebc0ce3d21af64
Instruction ID: 6e80a75276815f297b150d1899ec2451361d21afa1efcd092d0d7bc48a04164e
Opcode Fuzzy Hash: 2C21980A409CEB6BF0BB78840183F4A2285BF9B34ACD1BB210E64673635F04E40BD65F
Instruction Fuzzy Hash: 6e80a75276815f297b150d1899ec2451361d21afa1efcd092d0d7bc48a04164e

APIs

Part of subcall function 00429D5C: GetDC.USER32(00000000), ref: 00429DB2
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429DC7
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00429DD1
Part of subcall function 00429D5C: CreateHalftonePalette.GDI32(00000000), ref: 00429DF5
Part of subcall function 00429D5C: ReleaseDC.USER32(00000000,00000000), ref: 00429E00

SelectPalette.GDI32(?,?,000000FF), ref: 00429723
RealizePalette.GDI32(?), ref: 00429732
GetDeviceCaps.GDI32(?,0000000C), ref: 00429744
GetDeviceCaps.GDI32(?,0000000E), ref: 00429753
GetBrushOrgEx.GDI32(?,?), ref: 00429786
SetStretchBltMode.GDI32(?,00000004), ref: 00429794
SetBrushOrgEx.GDI32(?,?,?,?), ref: 004297AC
SetStretchBltMode.GDI32(00000000,00000003), ref: 004297C9
SelectPalette.GDI32(?,?,000000FF), ref: 00429918

Part of subcall function 00429CFC: DeleteObject.GDI32(?), ref: 00429D1F

CreateCompatibleDC.GDI32(00000000), ref: 0042982A
SelectObject.GDI32(?,?), ref: 0042983F

Part of subcall function 00425CC8: CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 00425D0B
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425D20
Part of subcall function 00425CC8: MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,CCAA0029), ref: 00425D64
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425D7E
Part of subcall function 00425CC8: DeleteObject.GDI32(?), ref: 00425D8A
Part of subcall function 00425CC8: CreateCompatibleDC.GDI32(00000000), ref: 00425D9E
Part of subcall function 00425CC8: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00425DBF
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425DD4
Part of subcall function 00425CC8: SelectPalette.GDI32(?,48080787,00000000), ref: 00425DE8
Part of subcall function 00425CC8: SelectPalette.GDI32(?,?,00000000), ref: 00425DFA
Part of subcall function 00425CC8: SelectPalette.GDI32(?,00000000,000000FF), ref: 00425E0F
Part of subcall function 00425CC8: SelectPalette.GDI32(?,48080787,000000FF), ref: 00425E25
Part of subcall function 00425CC8: RealizePalette.GDI32(?), ref: 00425E31
Part of subcall function 00425CC8: StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 00425E53
Part of subcall function 00425CC8: StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 00425E75
Part of subcall function 00425CC8: SetTextColor.GDI32(?,00000000), ref: 00425E7D
Part of subcall function 00425CC8: SetBkColor.GDI32(?,00FFFFFF), ref: 00425E8B
Part of subcall function 00425CC8: StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 00425EB7
Part of subcall function 00425CC8: StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 00425EDC
Part of subcall function 00425CC8: SetTextColor.GDI32(?,?), ref: 00425EE6
Part of subcall function 00425CC8: SetBkColor.GDI32(?,?), ref: 00425EF0
Part of subcall function 00425CC8: SelectObject.GDI32(?,00000000), ref: 00425F03
Part of subcall function 00425CC8: DeleteObject.GDI32(?), ref: 00425F0C
Part of subcall function 00425CC8: SelectPalette.GDI32(?,00000000,00000000), ref: 00425F2E
Part of subcall function 00425CC8: DeleteDC.GDI32(?), ref: 00425F37

SelectObject.GDI32(?,00000000), ref: 0042989E
DeleteDC.GDI32(00000000), ref: 004298AD
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,?), ref: 004298F3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474208, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 49 Total matches: 17libraryloader

Similarity

Total matches: 17
API ID: GetProcAddress$LoadLibrary
String ID: WlanCloseHandle$WlanEnumInterfaces$WlanGetAvailableNetworkList$WlanOpenHandle$WlanQueryInterface$[FILE]
API String ID: 2209490600-3498334979
Opcode ID: 5146edb54a207047eae4574c9a27975307ac735bfb4468aea4e07443cdf6e803
Instruction ID: f89292433987c39bc7d9e273a1951c9a278ebb56a2de24d0a3e4590a01f53334
Opcode Fuzzy Hash: 50E0B6FD90BAA808D37089CC31962431D6E7BE332DA621E00086A230902B4FF2766935
Instruction Fuzzy Hash: f89292433987c39bc7d9e273a1951c9a278ebb56a2de24d0a3e4590a01f53334

APIs

LoadLibraryA.KERNEL32(wlanapi.dll), ref: 00474216
GetProcAddress.KERNEL32(00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 0047422E
GetProcAddress.KERNEL32(00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 00474249
GetProcAddress.KERNEL32(00000000,WlanEnumInterfaces,00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 00474264
GetProcAddress.KERNEL32(00000000,WlanQueryInterface,00000000,WlanEnumInterfaces,00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 0047427F
GetProcAddress.KERNEL32(00000000,WlanGetAvailableNetworkList,00000000,WlanQueryInterface,00000000,WlanEnumInterfaces,00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 0047429A

Strings

WlanOpenHandle, xrefs: 00474226
wlanapi.dll, xrefs: 00474211
WlanGetAvailableNetworkList, xrefs: 00474292
WlanQueryInterface, xrefs: 00474277
WlanEnumInterfaces, xrefs: 0047425C
WlanCloseHandle, xrefs: 00474241

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048D3C4, Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 132 Total matches: 32

Similarity

Total matches: 32
API ID: GetVersionEx
String ID: Unknow$Windows 2000$Windows 7$Windows 95$Windows 98$Windows Me$Windows NT 4.0$Windows Server 2003$Windows Vista$Windows XP
API String ID: 3908303307-3783844371
Opcode ID: 7b5a5832e5fd12129a8a2e2906a492b9449b8df28a17af9cc2e55bced20de565
Instruction ID: b844ed6b70e0e94de659292c354b68b9ed016400ab421bcb6baea74a0809c2ae
Opcode Fuzzy Hash: 0C11ACC1EB6CE422E7B219486410BD59E805F8B83AFCCC343D63EA83E46D491419F22D
Instruction Fuzzy Hash: b844ed6b70e0e94de659292c354b68b9ed016400ab421bcb6baea74a0809c2ae

APIs

GetVersionExA.KERNEL32(00000094), ref: 0048D410

Strings

Windows Me, xrefs: 0048D4F2
Windows NT 4.0, xrefs: 0048D441
Windows 2000, xrefs: 0048D467
Windows 95, xrefs: 0048D4D6
Windows 7, xrefs: 0048D4B1
Unknow, xrefs: 0048D3F5
Windows Vista, xrefs: 0048D4A3
Windows Server 2003, xrefs: 0048D486
Windows XP, xrefs: 0048D478
Windows 98, xrefs: 0048D4E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C494, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 102 Total matches: 27filememorythread

Similarity

Total matches: 27
API ID: CloseHandle$CreateFileCreateThreadFindResourceLoadResourceLocalAllocLockResourceSizeofResourceWriteFile
String ID: [FILE]
API String ID: 67866216-124780900
Opcode ID: 96c988e38e59b89ff17cc2eaece477f828ad8744e4a6eccd5192cfbc043553d8
Instruction ID: 630cc112895e8414539e3ba5b7ba0394fd4404f3832c6fa9d37db38bf09270f9
Opcode Fuzzy Hash: D5F02B8A57A5E6A3F0003C841D423D286D55B13B20E582B62C57CB75C1FE24502AFB03
Instruction Fuzzy Hash: 630cc112895e8414539e3ba5b7ba0394fd4404f3832c6fa9d37db38bf09270f9

APIs

FindResourceA.KERNEL32(00000000,?,?), ref: 0048C4C3

Part of subcall function 00489BB0: GetTempPathA.KERNEL32(?,00000000), ref: 00489BEC

CreateFileA.KERNEL32(00000000,.dll,?,?,40000000,00000002,00000000), ref: 0048C50F
SizeofResource.KERNEL32(00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC,?,?,?,?,00000000,00000000,00000000), ref: 0048C51F
LoadResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C528
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C52E
WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0048C535
CloseHandle.KERNEL32(00000000), ref: 0048C53B
LocalAlloc.KERNEL32(00000040,00000004,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C544
CreateThread.KERNEL32(00000000,00000000,0048C3E4,00000000,00000000,?), ref: 0048C586
CloseHandle.KERNEL32(00000000), ref: 0048C58C

Strings

.dll, xrefs: 0048C4F4, 0048C565

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004085D4, Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 61 Total matches: 268windowregistry

Similarity

Total matches: 268
API ID: RegisterWindowMessage$SendMessage$FindWindow
String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
API String ID: 773075572-3736581797
Opcode ID: b8d29d158da692a3f30c7c46c0fd30bc084ed528be5294db655e4684b6c0c80f
Instruction ID: 4e75a9db2a85290b2bd165713cc3b8ab264a87c6022b985514cebb886d0c2653
Opcode Fuzzy Hash: E3E086048EC5E4C040877D156905746525A5B47E33E88971245FC69EEBDF12706CF60B
Instruction Fuzzy Hash: 4e75a9db2a85290b2bd165713cc3b8ab264a87c6022b985514cebb886d0c2653

APIs

FindWindowA.USER32(MouseZ,Magellan MSWHEEL), ref: 004085EC
RegisterWindowMessageA.USER32(MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 004085F8
RegisterWindowMessageA.USER32(MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 00408607
RegisterWindowMessageA.USER32(MSH_SCROLL_LINES_MSG,MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 00408613
SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 0040862B
SendMessageA.USER32(00000000,?,00000000,00000000), ref: 0040864F

Strings

MSH_SCROLL_LINES_MSG, xrefs: 0040860E
MSH_WHEELSUPPORT_MSG, xrefs: 00408602
MouseZ, xrefs: 004085E7
Magellan MSWHEEL, xrefs: 004085E2
MSWHEEL_ROLLMSG, xrefs: 004085F3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00442280, Relevance: 18.5, APIs: 12, Instructions: 471 Total matches: 76window

Similarity

Total matches: 76
API ID: ShowWindow$SendMessageSetWindowPos$CallWindowProcGetActiveWindowSetActiveWindow
String ID:
API String ID: 1078102291-0
Opcode ID: 5a6bc4dc446307c7628f18d730adac2faaaadfe5fec0ff2c8aaad915570e293a
Instruction ID: d2d7a330045c082ee8847ac264425c59ea8f05af409e416109ccbd6a8a647aa5
Opcode Fuzzy Hash: AA512601698E2453F8A360442A87BAB6077F74EB54CC4AB744BCF530AB3A51D837E74B
Instruction Fuzzy Hash: d2d7a330045c082ee8847ac264425c59ea8f05af409e416109ccbd6a8a647aa5

APIs

Part of subcall function 004471C4: IsChild.USER32(00000000,00000000), ref: 00447222

SendMessageA.USER32(?,00000223,00000000,00000000), ref: 004426BE
ShowWindow.USER32(00000000,00000003), ref: 004426CE
ShowWindow.USER32(00000000,00000002), ref: 004426F0
CallWindowProcA.USER32(00407FF8,00000000,00000005,00000000,?), ref: 00442719
SendMessageA.USER32(?,00000234,00000000,00000000), ref: 0044273E
ShowWindow.USER32(00000000,?), ref: 00442763
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000097), ref: 004427FF
GetActiveWindow.USER32 ref: 00442815
ShowWindow.USER32(00000000,00000000), ref: 00442872

Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773

Part of subcall function 0043BA80: GetCurrentThreadId.KERNEL32(Function_0003BA1C,00000000,0044283C,00000000,004428BF), ref: 0043BA9A
Part of subcall function 0043BA80: EnumThreadWindows.USER32(00000000,Function_0003BA1C,00000000), ref: 0043BAA0

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000097), ref: 0044285A
SetActiveWindow.USER32(00000000), ref: 00442860
ShowWindow.USER32(00000000,00000001), ref: 004428A2

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004328FC, Relevance: 18.1, APIs: 12, Instructions: 142 Total matches: 2670

Similarity

Total matches: 2670
API ID: GetSystemMetricsGetWindowLong$ExcludeClipRectFillRectGetSysColorBrushGetWindowDCGetWindowRectInflateRectOffsetRectReleaseDC
String ID:
API String ID: 3932036319-0
Opcode ID: 76064c448b287af48dc2af56ceef959adfeb7e49e56a31cb381aae6292753b0b
Instruction ID: f04c829c48dd0ecc4740a09c532db4e7ffce190e9eba6ce852bb2d0274806371
Opcode Fuzzy Hash: 03019760024F1233E0B31AC05DC7F127621ED45386CA4BBF28BF6A72C962AA7006F467
Instruction Fuzzy Hash: f04c829c48dd0ecc4740a09c532db4e7ffce190e9eba6ce852bb2d0274806371

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 00432917
GetWindowRect.USER32(00000000,?), ref: 00432932
OffsetRect.USER32(?,?,?), ref: 00432947
GetWindowDC.USER32(00000000), ref: 00432955
GetWindowLongA.USER32(00000000,000000F0), ref: 00432986
GetSystemMetrics.USER32(00000002), ref: 0043299B
GetSystemMetrics.USER32(00000003), ref: 004329A4
InflateRect.USER32(?,000000FE,000000FE), ref: 004329B3
GetSysColorBrush.USER32(0000000F), ref: 004329E0
FillRect.USER32(?,?,00000000), ref: 004329EE
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00432A13
ReleaseDC.USER32(00000000,?), ref: 00432A51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00402820, Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 254 Total matches: 200window

Similarity

Total matches: 200
API ID: MessageBox
String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
API String ID: 1250089747-1256731999
Opcode ID: 490897b8e9acac750f9d51d50a768472c0795dbdc6439b18441db86d626ce938
Instruction ID: 76dfa530adb1b8c2cc13e2667be7c25ba156ed0594aa9714788bfb3d1a0eda85
Opcode Fuzzy Hash: 0731F44BA7DDC3A2D3E91303684575550E2A7C5537C888F609772317F6EE04250BAAAD
Instruction Fuzzy Hash: 76dfa530adb1b8c2cc13e2667be7c25ba156ed0594aa9714788bfb3d1a0eda85

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 00402BBE

Strings

An unexpected memory leak has occurred. , xrefs: 00402980
String, xrefs: 00402A91
, xrefs: 00402B04
Unknown, xrefs: 00402A7C
The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402B39
The unexpected small block leaks are:, xrefs: 004029F7
Unexpected Memory Leak, xrefs: 00402BB0
7, xrefs: 00402991
bytes: , xrefs: 00402A4D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F17C, Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 116 Total matches: 33window

Similarity

Total matches: 33
API ID: GetWindowPlacementGetWindowTextIsWindowVisible
String ID: ,$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive$True
API String ID: 41250382-511446200
Opcode ID: 2a93bd2407602c988be198f02ecb64933adb9ffad78aee0f75abc9a1a22a1849
Instruction ID: 8f95e1a452f283c9d6a5f9db166b7f7b6e325fa1ebf04232aa01919826a7e185
Opcode Fuzzy Hash: F5012D8237CECA73DA0AAEC47C00B80D5A5AF63224CC867A14A9D3D1D41ED06009AB4A
Instruction Fuzzy Hash: 8f95e1a452f283c9d6a5f9db166b7f7b6e325fa1ebf04232aa01919826a7e185

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F1D2
GetWindowPlacement.USER32(?,0000002C), ref: 0046F1ED
IsWindowVisible.USER32(?), ref: 0046F258

Part of subcall function 0046F148: GetWindow.USER32(?,00000005), ref: 0046F156
Part of subcall function 0046F148: GetWindow.USER32(00000000,00000002), ref: 0046F164

Strings

,, xrefs: 0046F1E1
Minimized, xrefs: 0046F225
Show/Unactive, xrefs: 0046F239
True, xrefs: 0046F2AA
Maximized, xrefs: 0046F1FD
Normal, xrefs: 0046F211
Normal/Unactive, xrefs: 0046F24D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E71C, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 109 Total matches: 2989

Similarity

Total matches: 2989
API ID: IntersectRect$GetSystemMetrics$EnumDisplayMonitorsGetClipBoxGetDCOrgExOffsetRect
String ID: EnumDisplayMonitors
API String ID: 2403121106-2491903729
Opcode ID: 52db4d6629bbd73772140d7e04a91d47a072080cb3515019dbe85a8b86b11587
Instruction ID: b4557ab74b20c8893b9e8c5043286aecf6e43751f6ec849995a879e485a4fa77
Opcode Fuzzy Hash: 60F02B4B413C0863AD32BB953067E2601615BD3955C9F7BF34D077A2091B85B42EF643
Instruction Fuzzy Hash: b4557ab74b20c8893b9e8c5043286aecf6e43751f6ec849995a879e485a4fa77

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 0042E755
GetSystemMetrics.USER32(00000000), ref: 0042E77A
GetSystemMetrics.USER32(00000001), ref: 0042E785
GetClipBox.GDI32(?,?), ref: 0042E797
GetDCOrgEx.GDI32(?,?), ref: 0042E7A4
OffsetRect.USER32(?,?,?), ref: 0042E7BD
IntersectRect.USER32(?,?,?), ref: 0042E7CE
IntersectRect.USER32(?,?,?), ref: 0042E7E4
IntersectRect.USER32(?,?,?), ref: 0042E804

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

EnumDisplayMonitors, xrefs: 0042E734

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044D1B0, Relevance: 16.6, APIs: 11, Instructions: 91 Total matches: 309

Similarity

Total matches: 309
API ID: GetWindowLongSetWindowLong$SetProp$IsWindowUnicode
String ID:
API String ID: 2416549522-0
Opcode ID: cc33e88019e13a6bdd1cd1f337bb9aa08043e237bf24f75c2294c70aefb51ea5
Instruction ID: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692
Opcode Fuzzy Hash: 47F09048455D92E9CE316990181BFEB6098AF57F91CE86B0469C2713778E50F079BCC2
Instruction Fuzzy Hash: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692

APIs

IsWindowUnicode.USER32(?), ref: 0044D1CA
SetWindowLongW.USER32(?,000000FC,?), ref: 0044D1E5
GetWindowLongW.USER32(?,000000F0), ref: 0044D1F0
GetWindowLongW.USER32(?,000000F4), ref: 0044D202
SetWindowLongW.USER32(?,000000F4,?), ref: 0044D215
SetWindowLongA.USER32(?,000000FC,?), ref: 0044D22E
GetWindowLongA.USER32(?,000000F0), ref: 0044D239
GetWindowLongA.USER32(?,000000F4), ref: 0044D24B
SetWindowLongA.USER32(?,000000F4,?), ref: 0044D25E
SetPropA.USER32(?,00000000,00000000), ref: 0044D275
SetPropA.USER32(?,00000000,00000000), ref: 0044D28C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00485954, Relevance: 16.0, APIs: 4, Strings: 5, Instructions: 236 Total matches: 15filewindow

Similarity

Total matches: 15
API ID: DeleteFile$BeepMessageBox
String ID: Error$SYSINFO$out.txt$systeminfo$tmp.txt
API String ID: 2513333429-345806071
Opcode ID: 175ef29eb0126f4faf8d8d995bdbdcdb5595b05f6195c7c08c0282fe984d4c47
Instruction ID: 39f7f17e1c987efdb7b4b5db2f739eec2f93dce701a473bbe0ca777f64945c64
Opcode Fuzzy Hash: 473108146FCD9607E0675C047D43BB622369F83488E8AB3736AB7321E95E12C007FE96
Instruction Fuzzy Hash: 39f7f17e1c987efdb7b4b5db2f739eec2f93dce701a473bbe0ca777f64945c64

APIs

Beep.KERNEL32(00000000,00000000,?,00000000,00485C82), ref: 00485C68

Part of subcall function 00489BB0: GetTempPathA.KERNEL32(?,00000000), ref: 00489BEC

Part of subcall function 0048AB58: DeleteFileA.KERNEL32(00000000,00000000,0048ABE5,?,00000000,0048AC07), ref: 0048ABA5

Part of subcall function 0048A8AC: CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000004,00000100,00000000), ref: 0048A953
Part of subcall function 0048A8AC: CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000002,00000100,00000000), ref: 0048A98D
Part of subcall function 0048A8AC: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000110,00000000,00000000,00000044,?), ref: 0048AA10
Part of subcall function 0048A8AC: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0048AA2D
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA68
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA77
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA86
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA95

DeleteFileA.KERNEL32(00000000,Error,00000000,00485C82), ref: 00485A63
DeleteFileA.KERNEL32(00000000,00000000,Error,00000000,00485C82), ref: 00485A92

Part of subcall function 00485888: LocalAlloc.KERNEL32(00000040,00000014,00000000,00485939), ref: 004858C3
Part of subcall function 00485888: CreateThread.KERNEL32(00000000,00000000,Function_0008317C,00000000,00000000,00499F94), ref: 00485913
Part of subcall function 00485888: CloseHandle.KERNEL32(00000000), ref: 00485919

MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00485BE3

Strings

systeminfo, xrefs: 00485A14
tmp.txt, xrefs: 004859CA, 00485A07, 00485A79
Error, xrefs: 004859DE
SYSINFO, xrefs: 00485AAE
out.txt, xrefs: 004859AB, 004859EE, 00485A2A, 00485A4A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00462C84, Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 197 Total matches: 15com

Similarity

Total matches: 15
API ID: CoCreateInstance
String ID: )I$,*I$\)I$l)I$|*I
API String ID: 206711758-730570145
Opcode ID: 8999b16d8999ffb1a836ee872fd39b0ec17270f551e5dbcbb19cdec74f308aa7
Instruction ID: 5b7ba80d8099b44c35cabc3879083aa44c7049928a8bf14f2fd8312944c66e37
Opcode Fuzzy Hash: D1212B50148E6143E69475A53D92FAF11533BAB341E68BA6821DF30396CF01619BBF86
Instruction Fuzzy Hash: 5b7ba80d8099b44c35cabc3879083aa44c7049928a8bf14f2fd8312944c66e37

APIs

CoCreateInstance.OLE32(00492A2C,00000000,00000003,0049296C,00000000), ref: 00462CC9
CoCreateInstance.OLE32(00492A8C,00000000,00000001,00462EC8,00000000), ref: 00462CF4
CoCreateInstance.OLE32(00492A9C,00000000,00000001,0049295C,00000000), ref: 00462D20
CoCreateInstance.OLE32(00492A1C,00000000,00000003,004929AC,00000000), ref: 00462E12

Strings

,*I, xrefs: 00462CC3
l)I, xrefs: 00462CB9
)I, xrefs: 00462E4B
\)I, xrefs: 00462D10
|*I, xrefs: 00462D3C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048485C, Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 185 Total matches: 16networkfile

Similarity

Total matches: 16
API ID: HttpQueryInfoInternetCloseHandleInternetOpenInternetOpenUrlInternetReadFileShellExecute
String ID: 200$Mozilla$open
API String ID: 3970492845-1265730427
Opcode ID: 3dc36a46b375420b33b8be952117d0a4158fa58e722c19be8f44cfd6d7effa21
Instruction ID: c028a43d89851b06b6d8b312316828d3eee8359a726d0fa9a5f52c6647499b4f
Opcode Fuzzy Hash: B0213B401399C252F8372E512C83B9D101FDF82639F8857F197B9396D5EF48400DFA9A
Instruction Fuzzy Hash: c028a43d89851b06b6d8b312316828d3eee8359a726d0fa9a5f52c6647499b4f

APIs

InternetOpenA.WININET(Mozilla,00000001,00000000,00000000,00000000), ref: 0048490C
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,04000000,00000000), ref: 00484944
HttpQueryInfoA.WININET(00000000,00000013,?,00000200,?), ref: 0048497D
InternetReadFile.WININET(00000000,?,00000400,?), ref: 00484A04
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 00484A75
InternetCloseHandle.WININET(00000000), ref: 00484A95

Strings

200, xrefs: 004849BD
Mozilla, xrefs: 00484907
open, xrefs: 00484A6E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00448A94, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 170 Total matches: 10window

Similarity

Total matches: 10
API ID: BitBltImageList_DrawExSetBkColorSetTextColor
String ID: 6B
API String ID: 2442363623-1343726390
Opcode ID: f3e76f340fad2a36508cc9c10341b5bdbc0f221426f742f3eb9c92a513530c20
Instruction ID: 7c37791f634a82759e4cc75f05e789a5555426b5a490053cb838fe875b53176d
Opcode Fuzzy Hash: 041108094568A31EE56978080947F3721865B07A61C4A77A03AF31B3DACD443147FB69
Instruction Fuzzy Hash: 7c37791f634a82759e4cc75f05e789a5555426b5a490053cb838fe875b53176d

APIs

ImageList_DrawEx.COMCTL32(00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,?), ref: 00448AF3

Part of subcall function 0042535C: FillRect.USER32(?,00000000,00000000), ref: 00425385

ImageList_DrawEx.COMCTL32(00000000,?,00000000,00000000,00000000,00000000,00000000,000000FF,00000000,00000000), ref: 00448B94
SetTextColor.GDI32(00000000,00FFFFFF), ref: 00448BE1
SetBkColor.GDI32(00000000,00000000), ref: 00448BE9
BitBlt.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00E20746), ref: 00448C0E
SetTextColor.GDI32(00000000,00FFFFFF), ref: 00448C2F
SetBkColor.GDI32(00000000,00000000), ref: 00448C37
BitBlt.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00E20746), ref: 00448C5A

Part of subcall function 00448A6C: ImageList_GetBkColor.COMCTL32(00000000,?,00448ACD,00000000,?), ref: 00448A82

Strings

6B, xrefs: 00448B05

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A8AC, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 146 Total matches: 45fileprocesssynchronization

Similarity

Total matches: 45
API ID: CloseHandle$CreateFile$CreateProcessWaitForSingleObject
String ID: D
API String ID: 1169714791-2746444292
Opcode ID: 9fb844b51f751657abfdf9935c21911306aa385a3997c9217fbe2ce6b668f812
Instruction ID: 79e473b7fda91be69f4d7f417df14a4c992ec25b9310636d694ca9e09f5cc5b6
Opcode Fuzzy Hash: 4D11E6431384F3F3F1A567002C8275185D6DB45A78E6D9752D6B6323EECB40A16CF94A
Instruction Fuzzy Hash: 79e473b7fda91be69f4d7f417df14a4c992ec25b9310636d694ca9e09f5cc5b6

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000004,00000100,00000000), ref: 0048A953
CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000002,00000100,00000000), ref: 0048A98D
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000110,00000000,00000000,00000044,?), ref: 0048AA10
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0048AA2D
CloseHandle.KERNEL32(00000000), ref: 0048AA68
CloseHandle.KERNEL32(00000000), ref: 0048AA77
CloseHandle.KERNEL32(00000000), ref: 0048AA86
CloseHandle.KERNEL32(00000000), ref: 0048AA95

Strings

D, xrefs: 0048A9BB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00483468, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 118 Total matches: 10networkthread

Similarity

Total matches: 10
API ID: InternetCloseHandle$ExitThreadInternetOpenInternetOpenUrl
String ID: Times.$[.exe]$H4H$myappname
API String ID: 1533170427-2018508691
Opcode ID: 9bfd80528866c3fa2248181b1ccb48c134560f4eab1f6b9a7ba83a7f0698ff3d
Instruction ID: 5d8c8af60e1396200864222ed7d4265ca944ca2bef987cfa67465281aeb1ae53
Opcode Fuzzy Hash: 5201284087779767E0713A843C83BA64057AF53F79E88AB6006383B6C28D5E501EFE1E
Instruction Fuzzy Hash: 5d8c8af60e1396200864222ed7d4265ca944ca2bef987cfa67465281aeb1ae53

APIs

InternetOpenA.WININET(myappname,00000000,00000000,00000000,00000000), ref: 0048350C
InternetOpenUrlA.WININET(?,00000000,00000000,00000000,00000000,00000000), ref: 00483537
InternetCloseHandle.WININET(00000000), ref: 0048353D
InternetCloseHandle.WININET(?), ref: 00483553

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000, Times.,?,?,00000000,00483684,?,BTRESULTVisit URL|finished to visit ,?,004835AC,?,myappname,00000000,00000000,00000000,00000000), ref: 0048359F

Strings

myappname, xrefs: 00483507
H4H, xrefs: 00483497, 0048361C
BTRESULTVisit URL|finished to visit , xrefs: 00483558
Times., xrefs: 0048357D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F3B8, Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 110 Total matches: 30

Similarity

Total matches: 30
API ID: GetWindowPlacementGetWindowText
String ID: ,$False$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive
API String ID: 3194812178-3661939895
Opcode ID: 6e67ebc189e59b109926b976878c05c5ff8e56a7c2fe83319816f47c7d386b2c
Instruction ID: 05c2a068ec8248d3d24fb73124f2ba0192b7bb261c799db9564259cde8fcc610
Opcode Fuzzy Hash: DC012BC22786CE23E606A9C47A00BD0CE65AFB261CCC867E14FEE3C5D57ED100089B96
Instruction Fuzzy Hash: 05c2a068ec8248d3d24fb73124f2ba0192b7bb261c799db9564259cde8fcc610

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F40E
GetWindowPlacement.USER32(?,0000002C), ref: 0046F429

Part of subcall function 0046F148: GetWindow.USER32(?,00000005), ref: 0046F156
Part of subcall function 0046F148: GetWindow.USER32(00000000,00000002), ref: 0046F164

Strings

Maximized, xrefs: 0046F439
,, xrefs: 0046F41D
False, xrefs: 0046F4D6
Show/Unactive, xrefs: 0046F475
Normal, xrefs: 0046F44D
Minimized, xrefs: 0046F461
Normal/Unactive, xrefs: 0046F489

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00456278, Relevance: 15.2, APIs: 10, Instructions: 197 Total matches: 3025

Similarity

Total matches: 3025
API ID: GetWindowLong$IntersectClipRectRestoreDCSaveDC
String ID:
API String ID: 3006731778-0
Opcode ID: 42e9e34b880910027b3e3a352b823e5a85719ef328f9c6ea61aaf2d3498d6580
Instruction ID: 4204c0258dd60c0c2688d7e8ce7edc9cd036ce1826430425374ca7ebdb7834a4
Opcode Fuzzy Hash: 4621F609168D5267EC7B75806993BAA7111FB82B88CD1F7321AA1171975B80204BFA07
Instruction Fuzzy Hash: 4204c0258dd60c0c2688d7e8ce7edc9cd036ce1826430425374ca7ebdb7834a4

APIs

SaveDC.GDI32(?), ref: 00456295

Part of subcall function 0044EEA0: GetWindowOrgEx.GDI32(?), ref: 0044EEAE
Part of subcall function 0044EEA0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044EEC4

IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 004562CE
GetWindowLongA.USER32(00000000,000000EC), ref: 004562E2
GetWindowLongA.USER32(00000000,000000F0), ref: 00456303

Part of subcall function 00456278: SetRect.USER32(00000010,00000000,00000000,?,?), ref: 00456363
Part of subcall function 00456278: IntersectClipRect.GDI32(?,00000000,00000000,00000010,?), ref: 004563D3
Part of subcall function 00456278: SetRect.USER32(?,00000000,00000000,?,?), ref: 004563F4
Part of subcall function 00456278: DrawEdge.USER32(?,?,00000000,00000000), ref: 00456403
Part of subcall function 00456278: IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0045642C

RestoreDC.GDI32(?,?), ref: 004564AB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043F2B8, Relevance: 15.1, APIs: 10, Instructions: 133 Total matches: 142window

Similarity

Total matches: 142
API ID: GetWindowLongSendMessageSetWindowLong$GetClassLongGetSystemMenuSetClassLongSetWindowPos
String ID:
API String ID: 864553395-0
Opcode ID: 9ab73d602731c043e05f06fe9a833ffc60d2bf7da5b0a21ed43778f35c9aa1f5
Instruction ID: 86e40c6f39a8dd384175e0123e2dc7e82ae64037638b8220b5ac0861a23d6a34
Opcode Fuzzy Hash: B101DBAA1A176361E0912DCCCAC3B2ED50DB743248EB0DBD922E11540E7F4590A7FE2D
Instruction Fuzzy Hash: 86e40c6f39a8dd384175e0123e2dc7e82ae64037638b8220b5ac0861a23d6a34

APIs

GetWindowLongA.USER32(00000000,000000F0), ref: 0043F329
GetWindowLongA.USER32(00000000,000000EC), ref: 0043F33B
GetClassLongA.USER32(00000000,000000E6), ref: 0043F34E
SetWindowLongA.USER32(00000000,000000F0,00000000), ref: 0043F38E
SetWindowLongA.USER32(00000000,000000EC,?), ref: 0043F3A2
SetClassLongA.USER32(00000000,000000E6,?), ref: 0043F3B6
SendMessageA.USER32(00000000,00000080,00000001,00000000), ref: 0043F3F0
SendMessageA.USER32(00000000,00000080,00000001,00000000), ref: 0043F408
GetSystemMenu.USER32(00000000,000000FF), ref: 0043F417
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043F440

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044155C, Relevance: 15.1, APIs: 10, Instructions: 74 Total matches: 3192window

Similarity

Total matches: 3192
API ID: DeleteMenu$EnableMenuItem$GetSystemMenu
String ID:
API String ID: 3542995237-0
Opcode ID: 6b257927fe0fdeada418aad578b82fbca612965c587f2749ccb5523ad42afade
Instruction ID: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578
Opcode Fuzzy Hash: 0AF0D09DD98F1151E6F500410C47B83C08AFF413C5C245B380583217EFA9D25A5BEB0E
Instruction Fuzzy Hash: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 004415A7
DeleteMenu.USER32(00000000,0000F130,00000000), ref: 004415C5
DeleteMenu.USER32(00000000,00000007,00000400), ref: 004415D2
DeleteMenu.USER32(00000000,00000005,00000400), ref: 004415DF
DeleteMenu.USER32(00000000,0000F030,00000000), ref: 004415EC
DeleteMenu.USER32(00000000,0000F020,00000000), ref: 004415F9
DeleteMenu.USER32(00000000,0000F000,00000000), ref: 00441606
DeleteMenu.USER32(00000000,0000F120,00000000), ref: 00441613
EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 00441631
EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 0044164D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040281E, Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 188 Total matches: 190window

Similarity

Total matches: 190
API ID: MessageBox
String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
API String ID: 1250089747-980038931
Opcode ID: 1669ecd234b97cdbd14c3df7a35b1e74c6856795be7635a3e0f5130a3d9bc831
Instruction ID: 2e60dbe28dcd1d3aa5670394eea0bc97309ab4bc9661f15f320bab8b5d4cd559
Opcode Fuzzy Hash: 8E21F44B67EED392D3EA1303384575540E3ABC5537D888F60977232BF6EE14140BAA9D
Instruction Fuzzy Hash: 2e60dbe28dcd1d3aa5670394eea0bc97309ab4bc9661f15f320bab8b5d4cd559

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 00402BBE

Strings

An unexpected memory leak has occurred. , xrefs: 00402980
, xrefs: 00402B04
The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402B39
The unexpected small block leaks are:, xrefs: 004029F7
Unexpected Memory Leak, xrefs: 00402BB0
7, xrefs: 00402991
bytes: , xrefs: 00402A4D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004710F0, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 66 Total matches: 37

Similarity

Total matches: 37
API ID: GetWindowShowWindow$FindWindowGetClassName
String ID: BUTTON$Shell_TrayWnd
API String ID: 2948047570-3627955571
Opcode ID: 9e064d9ead1b610c0c1481de5900685eb7d76be14ef2e83358ce558d27e67668
Instruction ID: d360bd029940f6fa4d12d7627fe3e8b46839e67e31e965d43504e39a11938d6c
Opcode Fuzzy Hash: 68E092CC17B5D469B71A2789284236241D5C763A35C18B752D332376DF8E58021EE60A
Instruction Fuzzy Hash: d360bd029940f6fa4d12d7627fe3e8b46839e67e31e965d43504e39a11938d6c

APIs

FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 0047111D
GetWindow.USER32(00000000,00000005), ref: 00471125
GetClassNameA.USER32(00000000,?,00000080), ref: 0047113D
ShowWindow.USER32(00000000,00000001), ref: 0047117C
ShowWindow.USER32(00000000,00000000), ref: 00471186
GetWindow.USER32(00000000,00000002), ref: 0047118E

Strings

BUTTON, xrefs: 00471168
Shell_TrayWnd, xrefs: 00471118

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040DA34, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 56 Total matches: 16filewindow

Similarity

Total matches: 16
API ID: GetStdHandleWriteFile$CharToOemLoadStringMessageBox
String ID: LPI
API String ID: 3807148645-863635926
Opcode ID: 539cd2763de28bf02588dbfeae931fa34031625c31423c558e1c96719d1f86e4
Instruction ID: 5b0ab8211e0f5c40d4b1780363d5c9b524eff0228eb78845b7b0cb7c9884c59c
Opcode Fuzzy Hash: B1E09A464E3CA62353002E1070C6B892287EF4302E93833828A11787D74E3104E9A21C
Instruction Fuzzy Hash: 5b0ab8211e0f5c40d4b1780363d5c9b524eff0228eb78845b7b0cb7c9884c59c

APIs

Part of subcall function 0040D8AC: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040D8C9
Part of subcall function 0040D8AC: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040D8ED
Part of subcall function 0040D8AC: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040D908
Part of subcall function 0040D8AC: LoadStringA.USER32(00000000,0000FFED,?,00000100), ref: 0040D99E

CharToOemA.USER32(?,?), ref: 0040DA6B
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,0040E1ED,0040E312,0040FDD4,00000000,0040FF18), ref: 0040DA88
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?), ref: 0040DA8E
GetStdHandle.KERNEL32(000000F4,0040DAF8,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,0040E1ED,0040E312,0040FDD4,00000000,0040FF18), ref: 0040DAA3
WriteFile.KERNEL32(00000000,000000F4,0040DAF8,00000002,?), ref: 0040DAA9
LoadStringA.USER32(00000000,0000FFEE,?,00000040), ref: 0040DACB
MessageBoxA.USER32(00000000,?,?,00002010), ref: 0040DAE1

Strings

LPI, xrefs: 0040DA48

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004564D0, Relevance: 13.7, APIs: 9, Instructions: 177 Total matches: 190window

Similarity

Total matches: 190
API ID: SelectObject$BeginPaintBitBltCreateCompatibleBitmapCreateCompatibleDCSetWindowOrgEx
String ID:
API String ID: 1616898104-0
Opcode ID: 00b711a092303d63a394b0039c66d91bff64c6bf82b839551a80748cfcb5bf1e
Instruction ID: 1affb125a654ca7596d0e4f6c4811def945eff925a29ebecd1c68cf0f38a7913
Opcode Fuzzy Hash: 14115B85024DA637E8739CC85E83F962294F307D48C91F7729BA31B2C72F15600DD293
Instruction Fuzzy Hash: 1affb125a654ca7596d0e4f6c4811def945eff925a29ebecd1c68cf0f38a7913

APIs

Part of subcall function 00455D50: BeginPaint.USER32(00000000,?), ref: 00455D7B
Part of subcall function 00455D50: SaveDC.GDI32(00000000), ref: 00455DB4
Part of subcall function 00455D50: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 00455E36
Part of subcall function 00455D50: RestoreDC.GDI32(00000000,00000000), ref: 00455E6C
Part of subcall function 00455D50: EndPaint.USER32(00000000,?), ref: 00455EA9

BeginPaint.USER32(00000000,?), ref: 004565EA
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00456600
CreateCompatibleDC.GDI32(00000000), ref: 00456617
SelectObject.GDI32(?,?), ref: 00456627
SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0045664B

Part of subcall function 004564D0: BeginPaint.USER32(00000000,?), ref: 0045653C
Part of subcall function 004564D0: EndPaint.USER32(00000000,?), ref: 004565D0

BitBlt.GDI32(00000000,?,?,?,?,?,?,?,00CC0020), ref: 00456699
SelectObject.GDI32(?,?), ref: 004566B3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004840D8, Relevance: 13.6, APIs: 9, Instructions: 150 Total matches: 30

Similarity

Total matches: 30
API ID: CloseHandleGetTokenInformationLookupAccountSid$GetLastErrorOpenProcessOpenProcessToken
String ID:
API String ID: 1387212650-0
Opcode ID: 55fc45e655e8bcad6bc41288bae252f5ee7be0b7cb976adfe173a6785b05be5f
Instruction ID: 4c6b5abeafcca947752a893948ed48d42e020b1fe5683f4a654fc51f6199c0a3
Opcode Fuzzy Hash: 3901484A17CA2293F53BB5C82483FEA1215E702B45D48B7A354F43A59A5F45A13BF702
Instruction Fuzzy Hash: 4c6b5abeafcca947752a893948ed48d42e020b1fe5683f4a654fc51f6199c0a3

APIs

OpenProcess.KERNEL32(00000400,00000000,?,00000000,00484275), ref: 00484108
OpenProcessToken.ADVAPI32(00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 0048411E
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,?,00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 00484139
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),?,?,?,?,TokenIntegrityLevel,00000000,00000000,?,00000000,00000008,?,00000400,00000000), ref: 00484168
GetLastError.KERNEL32(?,TokenIntegrityLevel,00000000,00000000,?,00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 00484177
CloseHandle.KERNEL32(?), ref: 00484185
LookupAccountSidA.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 004841B4
LookupAccountSidA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,?), ref: 00484205
CloseHandle.KERNEL32(00000000), ref: 00484255

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00451458, Relevance: 13.6, APIs: 9, Instructions: 122 Total matches: 3040window

Similarity

Total matches: 3040
API ID: PatBlt$SelectObject$GetDCExGetDesktopWindowReleaseDC
String ID:
API String ID: 2402848322-0
Opcode ID: 0b1cd19b0e82695ca21d43bacf455c9985e1afa33c1b29ce2f3a7090b744ccb2
Instruction ID: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593
Opcode Fuzzy Hash: C2F0B4482AADF707C8B6350915C7F79224AED736458F4BB694DB4172CBAF27B014D093
Instruction Fuzzy Hash: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593

APIs

GetDesktopWindow.USER32 ref: 0045148F
GetDCEx.USER32(?,00000000,00000402), ref: 004514A2

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

SelectObject.GDI32(?,00000000), ref: 004514C5
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 004514EB
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0045150D
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 0045152C
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 00451546
SelectObject.GDI32(?,?), ref: 00451553
ReleaseDC.USER32(?,?), ref: 0045156D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00465598, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 194 Total matches: 72libraryloader

Similarity

Total matches: 72
API ID: GetProcAddress$IsBadReadPtrLoadLibrary
String ID: BuildImportTable: GetProcAddress failed$BuildImportTable: ReallocMemory failed$BuildImportTable: can't load library:
API String ID: 1616315271-1384308123
Opcode ID: eb45955122e677bac4d3e7b6686ec9cba9f45ae3ef48f3e0b242e9a0c3719a7c
Instruction ID: d25742ef4bc1d51b96969838743a3f95180d575e7d72d5f7fe617812cb4009d6
Opcode Fuzzy Hash: 0B214C420345E0D3ED39A2081CC7FB15345EF639B4D88AB671ABB667FA2985500AF50D
Instruction Fuzzy Hash: d25742ef4bc1d51b96969838743a3f95180d575e7d72d5f7fe617812cb4009d6

APIs

LoadLibraryA.KERNEL32(00000000), ref: 00465607
GetProcAddress.KERNEL32(?,?), ref: 00465737
GetProcAddress.KERNEL32(?,?), ref: 0046576B
IsBadReadPtr.KERNEL32(?,00000014,00000000,004657D8), ref: 004657A9

Strings

BuildImportTable: can't load library: , xrefs: 00465644
BuildImportTable: ReallocMemory failed, xrefs: 0046568D
BuildImportTable: GetProcAddress failed, xrefs: 0046577C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482E34, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 193 Total matches: 16sleepthread

Similarity

Total matches: 16
API ID: Sleep$CreateThreadExitThread
String ID: .255$127.0.0.1$LanList
API String ID: 1155887905-2919614961
Opcode ID: f9aceb7697053a60f8f2203743265727de6b3c16a25ac160ebf033b594fe70c2
Instruction ID: 67bc21a589158fc7afeef0b5d02271f7d18e2bfc14a4273c93325a5ef21c2c98
Opcode Fuzzy Hash: 62215C820F87955EED616C807C41FA701315FB7649D4FAB622A6B3A1A74E032016B743
Instruction Fuzzy Hash: 67bc21a589158fc7afeef0b5d02271f7d18e2bfc14a4273c93325a5ef21c2c98

APIs

ExitThread.KERNEL32(00000000,00000000,004830D3,?,?,?,?,00000000,00000000), ref: 004830A6

Part of subcall function 00473208: socket.WSOCK32(00000002,00000001,00000000,00000000,00473339), ref: 0047323B
Part of subcall function 00473208: WSAIoctl.WS2_32(000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000), ref: 0047327C
Part of subcall function 00473208: inet_ntoa.WSOCK32(?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000), ref: 004732AC
Part of subcall function 00473208: inet_ntoa.WSOCK32(?,?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001), ref: 004732E8
Part of subcall function 00473208: closesocket.WSOCK32(000000FF,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000,00000000,00473339), ref: 00473319

CreateThread.KERNEL32(00000000,00000000,Function_00082CDC,?,00000000,?), ref: 00483005
Sleep.KERNEL32(00000032,00000000,00000000,Function_00082CDC,?,00000000,?,?,00000000,00000000,00483104,?,00483104,?,00483104,?), ref: 0048300C
Sleep.KERNEL32(00000064,.255,?,00483104,?,00483104,?,?,00000000,004830D3,?,?,?,?,00000000,00000000), ref: 00483054

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

127.0.0.1, xrefs: 00482E9D
LanList, xrefs: 0048306B
.255, xrefs: 0048303C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004117E8, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: f440f800a6dcfa6827f62dcd7c23166eba4d720ac19948e634cff8498f9e3f0b
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 4D113503239AAB83B0257B804C83F24D1D0DE42D36ACD97B8C672693F32601561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00411881
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041189D
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 004118D6
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411953
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0041196C
VariantCopy.OLEAUT32(?), ref: 004119A1

Strings

, xrefs: 00411802

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00454934, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 134 Total matches: 1764registry

Similarity

Total matches: 1764
API ID: GetWindowLong$GetClassInfoRegisterClassSetWindowLongUnregisterClass
String ID: @
API String ID: 2433521760-2766056989
Opcode ID: bb057d11bcffa2997f58ae607b8aec9f6d517787b85221cca69b6bc40098651c
Instruction ID: 4013627ed433dbc6b152acdb164a0da3d29e3622e0b68fd627badcaca3a3b516
Opcode Fuzzy Hash: 5A119C80560CD237E7D669A4B48378513749F97B7CDD0536B63F6242DA4E00402DF96E
Instruction Fuzzy Hash: 4013627ed433dbc6b152acdb164a0da3d29e3622e0b68fd627badcaca3a3b516

APIs

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetClassInfoA.USER32(?,?,?), ref: 004549F8
UnregisterClassA.USER32(?,?), ref: 00454A20
RegisterClassA.USER32(?), ref: 00454A36
GetWindowLongA.USER32(00000000,000000F0), ref: 00454A72
GetWindowLongA.USER32(00000000,000000F4), ref: 00454A87
SetWindowLongA.USER32(00000000,000000F4,00000000), ref: 00454A9A

Part of subcall function 00458910: IsIconic.USER32(?), ref: 0045891F
Part of subcall function 00458910: GetWindowPlacement.USER32(?,0000002C), ref: 0045893C
Part of subcall function 00458910: GetWindowRect.USER32(?), ref: 00458955
Part of subcall function 00458910: GetWindowLongA.USER32(?,000000F0), ref: 00458963
Part of subcall function 00458910: GetWindowLongA.USER32(?,000000F8), ref: 00458978
Part of subcall function 00458910: ScreenToClient.USER32(00000000), ref: 00458985
Part of subcall function 00458910: ScreenToClient.USER32(00000000,?), ref: 00458990

Part of subcall function 0042473C: CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,00424930,?,00000000,00424958), ref: 0042486B
Part of subcall function 0042473C: CreateFontIndirectA.GDI32(?), ref: 0042490D

Part of subcall function 0040F26C: GetLastError.KERNEL32(0040F31C,?,0041BBC3,?), ref: 0040F26C

Strings

@, xrefs: 0045496D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AC14, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 110 Total matches: 30

Similarity

Total matches: 30
API ID: GetCurrentProcessGetTokenInformationLookupPrivilegeDisplayNameLookupPrivilegeNameOpenProcessToken
String ID: GetTokenInformation error$OpenProcessToken error
API String ID: 34442935-1842041635
Opcode ID: 07715b92dc7caf9e715539a578f275bcd2bb60a34190f84cc6cf05c55eb8ea49
Instruction ID: 380ab001647c8b3903b6034fc21424389ae21c1771cfbd9cf9b74ae493e33b6b
Opcode Fuzzy Hash: 9101994303ACF753F62929086842BDA0550DF534A5EC4AB6281746BEC90F28203AFB57
Instruction Fuzzy Hash: 380ab001647c8b3903b6034fc21424389ae21c1771cfbd9cf9b74ae493e33b6b

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AD60), ref: 0048AC51
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AD60), ref: 0048AC57
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000320,?,00000000,00000028,?,00000000,0048AD60), ref: 0048AC7D
LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,00000000,000000FF,?), ref: 0048ACEE

Part of subcall function 00489B40: MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00489B84

LookupPrivilegeNameA.ADVAPI32(00000000,?,00000000,000000FF), ref: 0048ACDD

Strings

GetTokenInformation error, xrefs: 0048AC86
OpenProcessToken error, xrefs: 0048AC60

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0041F7B4, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109 Total matches: 16thread

Similarity

Total matches: 16
API ID: EnterCriticalSectionGetCurrentThreadId$InterlockedExchangeLeaveCriticalSection
String ID: 4PI
API String ID: 853095497-1771581502
Opcode ID: e7ac2c5012fa839d146893c0705f22c4635eb548c5d0be0363ce03b581d14a20
Instruction ID: e450c16710015a04d827bdf36dba62923dd4328c0a0834b889eda6f9c026b195
Opcode Fuzzy Hash: 46F0268206D8F1379472678830D77370A8AC33154EC85EB52162C376EB1D05D05DE75B
Instruction Fuzzy Hash: e450c16710015a04d827bdf36dba62923dd4328c0a0834b889eda6f9c026b195

APIs

GetCurrentThreadId.KERNEL32 ref: 0041F7BF
GetCurrentThreadId.KERNEL32 ref: 0041F7CE
EnterCriticalSection.KERNEL32(004999D0,0041F904,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F8F7

Part of subcall function 0041F774: WaitForSingleObject.KERNEL32(000000EC), ref: 0041F77E

Part of subcall function 0041F768: ResetEvent.KERNEL32(000000EC,0041F809), ref: 0041F76E

EnterCriticalSection.KERNEL32(004999D0), ref: 0041F813
InterlockedExchange.KERNEL32(00491B2C,?), ref: 0041F82F
LeaveCriticalSection.KERNEL32(004999D0,00000000,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F888

Strings

4PI, xrefs: 0041F7C4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00449834, Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 80 Total matches: 16libraryloader

Similarity

Total matches: 16
API ID: GetModuleHandleGetProcAddressImageList_Write
String ID: $qA$ImageList_WriteEx$[FILE]$[FILE]
API String ID: 3028349119-1134023085
Opcode ID: 9b6b780f1487285524870f905d0420896c1378cf45dbecae2d97141bf0e14d48
Instruction ID: 043155abd17610354dead4f4dd3580dd0e6203469d1d2f069e389e4af6e4a666
Opcode Fuzzy Hash: 29F059C6A0CCF14AE7175584B0AB66107F0BB9DD5F8C87710081C710A90F95A13DFB56
Instruction Fuzzy Hash: 043155abd17610354dead4f4dd3580dd0e6203469d1d2f069e389e4af6e4a666

APIs

ImageList_Write.COMCTL32(00000000,?,00000000,0044992E), ref: 004498F8

Part of subcall function 0040E3A4: GetFileVersionInfoSizeA.VERSION(00000000,?,00000000,0040E47A), ref: 0040E3E6
Part of subcall function 0040E3A4: GetFileVersionInfoA.VERSION(00000000,?,00000000,?,00000000,0040E45D,?,00000000,?,00000000,0040E47A), ref: 0040E41B
Part of subcall function 0040E3A4: VerQueryValueA.VERSION(?,0040E48C,?,?,00000000,?,00000000,?,00000000,0040E45D,?,00000000,?,00000000,0040E47A), ref: 0040E435

GetModuleHandleA.KERNEL32(comctl32.dll), ref: 00449868
GetProcAddress.KERNEL32(00000000,ImageList_WriteEx,comctl32.dll), ref: 00449879

Strings

comctl32.dll, xrefs: 00449863
ImageList_WriteEx, xrefs: 00449873
$qA, xrefs: 004498D4, 00449909
comctl32.dll, xrefs: 00449848

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E4A0, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68 Total matches: 2853string

Similarity

Total matches: 2853
API ID: GetSystemMetrics$GetMonitorInfoSystemParametersInfolstrcpy
String ID: DISPLAY$GetMonitorInfo
API String ID: 3432438702-1633989206
Opcode ID: eae47ffeee35c10db4cae29e8a4ab830895bcae59048fb7015cdc7d8cb0a928b
Instruction ID: 74142331967dee0409fd24cf408a58a7466f2520650418456c75ade1e3029da4
Opcode Fuzzy Hash: 28E068803A699081F86A71027110F4912B07AE7E47D883B92C4777051BD78265B91D01
Instruction Fuzzy Hash: 74142331967dee0409fd24cf408a58a7466f2520650418456c75ade1e3029da4

APIs

GetMonitorInfoA.USER32(?,?), ref: 0042E4D1
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042E4F8
GetSystemMetrics.USER32(00000000), ref: 0042E50D
GetSystemMetrics.USER32(00000001), ref: 0042E518
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0042E542

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

DISPLAY, xrefs: 0042E539
GetMonitorInfo, xrefs: 0042E4B8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E574, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 68 Total matches: 14string

Similarity

Total matches: 14
API ID: GetSystemMetrics$SystemParametersInfolstrcpy
String ID: DISPLAY$GetMonitorInfoA$tB
API String ID: 920390751-4256241499
Opcode ID: 9a94b6fb1edcb78a0c9a66795ebd84d1eeb67d07ab6805deb2fcd0b49b846e84
Instruction ID: eda70eb6c6723b3d8ed12733fddff3b40501d2063d2ec80ebb02aba850291404
Opcode Fuzzy Hash: 78E068C132298081B86A31013160F42129039E7E17E883BC1D4F77056B8B8275651D08
Instruction Fuzzy Hash: eda70eb6c6723b3d8ed12733fddff3b40501d2063d2ec80ebb02aba850291404

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042E5CC
GetSystemMetrics.USER32(00000000), ref: 0042E5E1
GetSystemMetrics.USER32(00000001), ref: 0042E5EC
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0042E616

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

GetMonitorInfoA, xrefs: 0042E58C
tB, xrefs: 0042E591, 0042E59E, 0042E5A5
DISPLAY, xrefs: 0042E60D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E648, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 68 Total matches: 10string

Similarity

Total matches: 10
API ID: GetSystemMetrics$SystemParametersInfolstrcpy
String ID: DISPLAY$GetMonitorInfoW$HB
API String ID: 920390751-4214253287
Opcode ID: 39694e9d9e018d210cdbb9f258b89a02c97d0963af088e59ad359ed5c593a5a2
Instruction ID: 715dbc0accc45c62a460a5bce163b1305142a94d166b4e77b7d7de915e09a29c
Opcode Fuzzy Hash: C6E0D8802269D0C5B86A71013254F4712E53EFBF57C8C3B51D5737156A5782A6B51D11
Instruction Fuzzy Hash: 715dbc0accc45c62a460a5bce163b1305142a94d166b4e77b7d7de915e09a29c

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042E6A0
GetSystemMetrics.USER32(00000000), ref: 0042E6B5
GetSystemMetrics.USER32(00000001), ref: 0042E6C0
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0042E6EA

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

GetMonitorInfoW, xrefs: 0042E660
HB, xrefs: 0042E665, 0042E672, 0042E679
DISPLAY, xrefs: 0042E6E1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004052FC, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38 Total matches: 3072filewindow

Similarity

Total matches: 3072
API ID: GetStdHandleWriteFile$MessageBox
String ID: Error$Runtime error at 00000000
API String ID: 877302783-2970929446
Opcode ID: a2f2a555d5de0ed3a3cdfe8a362fd9574088acc3a5edf2b323f2c4251b80d146
Instruction ID: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97
Opcode Fuzzy Hash: FED0A7C68438479FA141326030C4B2A00133F0762A9CC7396366CB51DFCF4954BCDD05
Instruction Fuzzy Hash: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405335
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 0040533B
GetStdHandle.KERNEL32(000000F5,00405384,00000002,?,00000000,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405350
WriteFile.KERNEL32(00000000,000000F5,00405384,00000002,?), ref: 00405356
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00405374

Strings

Error, xrefs: 00405368
Runtime error at 00000000, xrefs: 0040532E, 0040536D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00442C9C, Relevance: 12.2, APIs: 8, Instructions: 154 Total matches: 2310window

Similarity

Total matches: 2310
API ID: SendMessage$GetActiveWindowGetCapture$ReleaseCapture
String ID:
API String ID: 3360342259-0
Opcode ID: 2e7a3c9d637816ea08647afd4d8ce4a3829e05fa187c32cef18f4a4206af3d5d
Instruction ID: f313f7327938110f0d474da6a120560d1e1833014bacf3192a9076ddb3ef11f7
Opcode Fuzzy Hash: 8F1150111E8E7417F8A3A1C8349BB23A067F74FA59CC0BF71479A610D557588869D707
Instruction Fuzzy Hash: f313f7327938110f0d474da6a120560d1e1833014bacf3192a9076ddb3ef11f7

APIs

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetCapture.USER32 ref: 00442D0D
GetCapture.USER32 ref: 00442D1C
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00442D22
ReleaseCapture.USER32 ref: 00442D27
GetActiveWindow.USER32 ref: 00442D78

Part of subcall function 004442A8: GetCursorPos.USER32 ref: 004442C3
Part of subcall function 004442A8: WindowFromPoint.USER32(?,?), ref: 004442D0
Part of subcall function 004442A8: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004442DE
Part of subcall function 004442A8: GetCurrentThreadId.KERNEL32(00000000,00000000,?,?), ref: 004442E5
Part of subcall function 004442A8: SendMessageA.USER32(00000000,00000084,00000000,?), ref: 0044430E
Part of subcall function 004442A8: SendMessageA.USER32(00000000,00000020,00000000,?), ref: 00444320
Part of subcall function 004442A8: SetCursor.USER32(00000000), ref: 00444332

Part of subcall function 0043B920: GetCurrentThreadId.KERNEL32(0043B8D0,00000000,00000000,0043B993,?,00000000,0043B9D1), ref: 0043B976
Part of subcall function 0043B920: EnumThreadWindows.USER32(00000000,0043B8D0,00000000), ref: 0043B97C

SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00442E0E
SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00442E7B
GetActiveWindow.USER32 ref: 00442E8A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E0DC, Relevance: 12.1, APIs: 8, Instructions: 100 Total matches: 31registry

Similarity

Total matches: 31
API ID: RegOpenKeyEx$RegCloseKeyRegDeleteValue
String ID:
API String ID: 2702562355-0
Opcode ID: ff1bffc0fc9da49c543c68ea8f8c068e074332158ed00d7e0855fec77d15ce10
Instruction ID: bb6f8a9e936068d281b70d3ea2ea02ff1a791729bc38357734c580253c916b5c
Opcode Fuzzy Hash: 00F0AD0155E9A353EBF654C41E127DB2082FF43A44D08FFB50392139D3DF581028E663
Instruction Fuzzy Hash: bb6f8a9e936068d281b70d3ea2ea02ff1a791729bc38357734c580253c916b5c

APIs

RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?,00000000,0046E238), ref: 0046E15A
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,000F003F,?,0046E23F,80000000,00000000,00000000,000F003F,?,00000000,0046E238), ref: 0046E17D
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,0046E23F,80000000,00000000,00000000,000F003F,?), ref: 0046E19D
RegOpenKeyExA.ADVAPI32(80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,0046E23F), ref: 0046E1BD
RegOpenKeyExA.ADVAPI32(80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001), ref: 0046E1DD
RegOpenKeyExA.ADVAPI32(80000006,00000000,00000000,000F003F,?,80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002), ref: 0046E1FD
RegDeleteValueA.ADVAPI32(?,00000000,00000000,0046E238), ref: 0046E20F
RegCloseKey.ADVAPI32(?,?,00000000,00000000,0046E238), ref: 0046E218

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004462F4, Relevance: 12.1, APIs: 8, Instructions: 99 Total matches: 293windowthread

Similarity

Total matches: 293
API ID: SendMessage$GetWindowThreadProcessId$GetCaptureGetParentIsWindowUnicode
String ID:
API String ID: 2317708721-0
Opcode ID: 8f6741418f060f953fc426fb00df5905d81b57fcb2f7a38cdc97cb0aab6d7365
Instruction ID: 027f2b09132ef415e1641618d15c0fc03404835376b0cbd1c352fc703b58c8b5
Opcode Fuzzy Hash: D0F09E15071D1844F89FA7844CD3F1F0150E73726FC516A251861D07BB2640586DEC40
Instruction Fuzzy Hash: 027f2b09132ef415e1641618d15c0fc03404835376b0cbd1c352fc703b58c8b5

APIs

GetCapture.USER32 ref: 0044631A
GetParent.USER32(00000000), ref: 00446340
IsWindowUnicode.USER32(00000000), ref: 0044635D
SendMessageW.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446378
SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446397
GetWindowThreadProcessId.USER32(00000000), ref: 004463A6
GetWindowThreadProcessId.USER32(?,?), ref: 004463B4
SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 004463D4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E244, Relevance: 12.1, APIs: 8, Instructions: 95 Total matches: 27registry

Similarity

Total matches: 27
API ID: RegOpenKeyEx$RegCloseKeyRegDeleteKey
String ID:
API String ID: 1588268847-0
Opcode ID: efa1fa3a126963e045954320cca245066a4b5764b694b03be027155e6cf74c33
Instruction ID: 786d86d630c0ce6decb55c8266b1f23f89dbfeab872e22862efc69a80fb541cf
Opcode Fuzzy Hash: 70F0810454D99393EFF268C81A627EB2492FF53141C00BFB603D222A93DF191428E663
Instruction Fuzzy Hash: 786d86d630c0ce6decb55c8266b1f23f89dbfeab872e22862efc69a80fb541cf

APIs

RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?,00000000,0046E391), ref: 0046E2B7
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,000F003F,?,80000000,00000000,00000000,000F003F,?,00000000,0046E391), ref: 0046E2DA
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,80000000,00000000,00000000,000F003F,?,00000000), ref: 0046E2FA
RegOpenKeyExA.ADVAPI32(80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,80000000), ref: 0046E31A
RegOpenKeyExA.ADVAPI32(80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001), ref: 0046E33A
RegOpenKeyExA.ADVAPI32(80000006,00000000,00000000,000F003F,?,80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002), ref: 0046E35A
RegDeleteKeyA.ADVAPI32(?,0046E39C), ref: 0046E368
RegCloseKey.ADVAPI32(?,?,0046E39C,00000000,0046E391), ref: 0046E371

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426060, Relevance: 12.1, APIs: 8, Instructions: 79 Total matches: 3072window

Similarity

Total matches: 3072
API ID: GetSystemPaletteEntries$GetDCGetDeviceCapsReleaseDC
String ID:
API String ID: 3774187343-0
Opcode ID: c8a1f0028bda89d06ba34fecd970438ce26e4f5bd606e2da3d468695089984a8
Instruction ID: 0cfe958825060108f21fe327ec74807f3ea840bb8274bad68fd1d00675d59d02
Opcode Fuzzy Hash: 82F0E9420739F3B3B21723492453B548250FF006B8F195B7095A2A37D54B486A08D65A
Instruction Fuzzy Hash: 0cfe958825060108f21fe327ec74807f3ea840bb8274bad68fd1d00675d59d02

APIs

GetDC.USER32(00000000), ref: 0042608E
GetDeviceCaps.GDI32(?,00000068), ref: 004260AA
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 004260C9
GetSystemPaletteEntries.GDI32(?,-00000008,00000001,00C0C0C0), ref: 004260ED
GetSystemPaletteEntries.GDI32(?,00000000,00000007,?), ref: 0042610B
GetSystemPaletteEntries.GDI32(?,00000007,00000001,?), ref: 0042611F
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0042613F
ReleaseDC.USER32(00000000,?), ref: 00426157

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434550, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 177 Total matches: 2669window

Similarity

Total matches: 2669
API ID: InsertMenu$GetVersionInsertMenuItem
String ID: ,$?
API String ID: 1158528009-2308483597
Opcode ID: 3691d3eb49acf7fe282d18733ae3af9147e5be4a4a7370c263688d5644077239
Instruction ID: d88e58a9695d0ecde36b26a9ed5775f3b98e27f7dc2108173ae1ec2afbf22209
Opcode Fuzzy Hash: 7021C07202AE81DBD414788C7954F6221B16B5465FD49FF210329B5DD98F156003FF7A
Instruction Fuzzy Hash: d88e58a9695d0ecde36b26a9ed5775f3b98e27f7dc2108173ae1ec2afbf22209

APIs

GetVersion.KERNEL32(00000000,004347A1), ref: 004345EC
InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 004346F5
InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 0043477E

Part of subcall function 00434A54: CreatePopupMenu.USER32 ref: 00434A6F
Part of subcall function 00434A54: CreateMenu.USER32 ref: 00434A79

InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 00434765

Strings

?, xrefs: 00434607
,, xrefs: 00434600

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00488D70, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 139 Total matches: 17window

Similarity

Total matches: 17
API ID: BitBltCreateCompatibleBitmapCreateCompatibleDCCreateDCSelectObject
String ID: image/jpeg
API String ID: 3045076971-3785015651
Opcode ID: dbe4b5206c04ddfa7cec44dd0e3e3f3269a9d8eacf2ec53212285f1a385d973c
Instruction ID: b6a9b81207b66fd46b40be05ec884117bb921c7e8fb4f30b77988d552b54040a
Opcode Fuzzy Hash: 3001BD010F4EF103E475B5CC3853FF7698AEB17E8AD1A77A20CB8961839202A009F607
Instruction Fuzzy Hash: b6a9b81207b66fd46b40be05ec884117bb921c7e8fb4f30b77988d552b54040a

APIs

CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 00488DAA
CreateCompatibleDC.GDI32(?), ref: 00488DC4
CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 00488DDC
SelectObject.GDI32(?,?), ref: 00488DEC
BitBlt.GDI32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,00CC0020), ref: 00488E15

Part of subcall function 0045FB1C: GdipCreateBitmapFromHBITMAP.GDIPLUS(?,?,?), ref: 0045FB43

Part of subcall function 0045FA24: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,0045FA7A), ref: 0045FA54

Strings

image/jpeg, xrefs: 00488E70

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446834, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 138 Total matches: 241window

Similarity

Total matches: 241
API ID: SetWindowPos$GetWindowRectMessageBoxSetActiveWindow
String ID: (
API String ID: 3733400490-3887548279
Opcode ID: 057cc1c80f110adb1076bc5495aef73694a74091f1d008cb79dd59c6bbc78491
Instruction ID: b10abcdf8b99517cb61353ac0e0d7546e107988409174f4fad3563684715349e
Opcode Fuzzy Hash: 88014C110E8D5483B57334902893FAB110AFB8B789C4CF7F65ED25314A4B45612FA657
Instruction Fuzzy Hash: b10abcdf8b99517cb61353ac0e0d7546e107988409174f4fad3563684715349e

APIs

Part of subcall function 00447BE4: GetActiveWindow.USER32 ref: 00447C0B
Part of subcall function 00447BE4: GetLastActivePopup.USER32(?), ref: 00447C1D

GetWindowRect.USER32(?,?), ref: 004468B6
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 004468EE

Part of subcall function 0043B920: GetCurrentThreadId.KERNEL32(0043B8D0,00000000,00000000,0043B993,?,00000000,0043B9D1), ref: 0043B976
Part of subcall function 0043B920: EnumThreadWindows.USER32(00000000,0043B8D0,00000000), ref: 0043B97C

MessageBoxA.USER32(00000000,?,?,?), ref: 0044692D
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0044697D

Part of subcall function 0043B9E4: IsWindow.USER32(?), ref: 0043B9F2
Part of subcall function 0043B9E4: EnableWindow.USER32(?,000000FF), ref: 0043BA01

SetActiveWindow.USER32(00000000), ref: 0044698E

Strings

(, xrefs: 00446893

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446524, Relevance: 10.6, APIs: 7, Instructions: 105 Total matches: 329window

Similarity

Total matches: 329
API ID: PeekMessage$DispatchMessage$IsWindowUnicodeTranslateMessage
String ID:
API String ID: 94033680-0
Opcode ID: 72d0e2097018c2d171db36cd9dd5c7d628984fd68ad100676ade8b40d7967d7f
Instruction ID: b3581f7210794b57d406096c46509e1a6dcc6e0b3c60c7d01b5c3c410123a072
Opcode Fuzzy Hash: A2F0F642161A8221F90E364651E2FC06559E31F39CCD1D3871165A4192DF8573D6F95C
Instruction Fuzzy Hash: b3581f7210794b57d406096c46509e1a6dcc6e0b3c60c7d01b5c3c410123a072

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00446538
IsWindowUnicode.USER32 ref: 0044654C
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0044656D
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00446583

Part of subcall function 00447DD0: GetCapture.USER32 ref: 00447DDA
Part of subcall function 00447DD0: GetParent.USER32(00000000), ref: 00447E08

Part of subcall function 004462A4: TranslateMDISysAccel.USER32(?), ref: 004462E3

Part of subcall function 004462F4: GetCapture.USER32 ref: 0044631A
Part of subcall function 004462F4: GetParent.USER32(00000000), ref: 00446340
Part of subcall function 004462F4: IsWindowUnicode.USER32(00000000), ref: 0044635D
Part of subcall function 004462F4: SendMessageW.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446378
Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446397
Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(00000000), ref: 004463A6
Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(?,?), ref: 004463B4
Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 004463D4

Part of subcall function 0044625C: IsWindowUnicode.USER32(00000000), ref: 00446270
Part of subcall function 0044625C: IsDialogMessageW.USER32(?), ref: 00446281
Part of subcall function 0044625C: IsDialogMessageA.USER32(?,?,00000000,015B8130,00000001,00446607,?,00000000,00000000,00000000,00000001,?,00000000,00000000,00000000,00000000), ref: 00446296

TranslateMessage.USER32 ref: 0044660C
DispatchMessageW.USER32 ref: 00446618
DispatchMessageA.USER32 ref: 00446620

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004282D0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99 Total matches: 1938

Similarity

Total matches: 1938
API ID: GetWinMetaFileBitsMulDiv$GetDC
String ID: `
API String ID: 1171737091-2679148245
Opcode ID: 97e0afb71fd3017264d25721d611b96d1ac3823582e31f119ebb41a52f378edb
Instruction ID: fd1c75cb27f8ccc4a85bc281ca680933f7ff10ae91a160973978cac80d6b42b6
Opcode Fuzzy Hash: B6F0ACC4008CD2A7D87675DC1043F6311C897CA286E89BB739226A7307CB0AA019EC47
Instruction Fuzzy Hash: fd1c75cb27f8ccc4a85bc281ca680933f7ff10ae91a160973978cac80d6b42b6

APIs

MulDiv.KERNEL32(?,?,000009EC), ref: 00428322
MulDiv.KERNEL32(?,?,000009EC), ref: 00428339
GetDC.USER32(00000000), ref: 00428350
GetWinMetaFileBits.GDI32(?,00000000,00000000,00000008,?), ref: 00428374
GetWinMetaFileBits.GDI32(?,?,?,00000008,?), ref: 004283A7

Part of subcall function 00425A70: GetLastError.KERNEL32(00000000,00425B0C), ref: 00425A90
Part of subcall function 00425A70: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00425B0C), ref: 00425AB6

Strings

`, xrefs: 00428308

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444344, Relevance: 10.6, APIs: 7, Instructions: 89 Total matches: 2886

Similarity

Total matches: 2886
API ID: CreateFontIndirect$GetStockObjectSystemParametersInfo
String ID:
API String ID: 1286667049-0
Opcode ID: beeb678630a8d2ca0f721ed15124802961745e4c56d7c704ecddf8ebfa723626
Instruction ID: b9276e4cea0afd1028da4d528d34847b13dbaab52dc8e94e54053a20ac38a9fc
Opcode Fuzzy Hash: 00F0A4C36341F6F2D8993208742172161E6A74AE78C7CFF62422930ED2661A052EEB4F
Instruction Fuzzy Hash: b9276e4cea0afd1028da4d528d34847b13dbaab52dc8e94e54053a20ac38a9fc

APIs

SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 00444399
CreateFontIndirectA.GDI32(?), ref: 004443A6
GetStockObject.GDI32(0000000D), ref: 004443BC
SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 004443E5
CreateFontIndirectA.GDI32(?), ref: 004443F5
CreateFontIndirectA.GDI32(?), ref: 0044440E

Part of subcall function 00424A5C: MulDiv.KERNEL32(00000000,?,00000048), ref: 00424A69

GetStockObject.GDI32(0000000D), ref: 00444434

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482B34, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 84 Total matches: 10threadsleepmemory

Similarity

Total matches: 10
API ID: ExitThread$CreateThreadLocalAllocSleep
String ID: p)H
API String ID: 1498127831-2549212939
Opcode ID: 5fd7b773879454cb2e984670c3aa9a0c1db83b86d5d790d4145ccd7f391bc9b7
Instruction ID: 053b5e183048797674ca9cdb15cf17692ed61b26d4291f167cbfa930052dd689
Opcode Fuzzy Hash: 65F02E8147579427749271893D807631168A88B349DC47B618A393E5C35D0EB119F7C6
Instruction Fuzzy Hash: 053b5e183048797674ca9cdb15cf17692ed61b26d4291f167cbfa930052dd689

APIs

ExitThread.KERNEL32(00000000,00000000,00482BF9,?,00000000,00482C2E), ref: 00482BA4
LocalAlloc.KERNEL32(00000040,00000008,00000000,00482BF9,?,00000000,00482C2E), ref: 00482BAD
CreateThread.KERNEL32(00000000,00000000,Function_0008298C,00000000,00000000,?), ref: 00482BD6
Sleep.KERNEL32(00000064,00000000,00000000,Function_0008298C,00000000,00000000,?,00000040,00000008,00000000,00482BF9,?,00000000,00482C2E), ref: 00482BDD
ExitThread.KERNEL32(00000000,00000000,00482BF9,?,00000000,00482C2E), ref: 00482BEA

Strings

p)H, xrefs: 00482B48, 00482C1A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428A00, Relevance: 10.6, APIs: 7, Instructions: 66 Total matches: 3056

Similarity

Total matches: 3056
API ID: SelectObject$CreateCompatibleDCDeleteDCGetDCReleaseDCSetDIBColorTable
String ID:
API String ID: 2399757882-0
Opcode ID: e05996493a4a7703f1d90fd319a439bf5e8e75d5a5d7afaf7582bfea387cb30d
Instruction ID: 90c847b5b2251fbb5b2f14fd0b24f537c214c92e226752d9278a3821f2f40b8f
Opcode Fuzzy Hash: 73E0DF8626D8F38BE435399C15C2BB202EAD763D20D1ABBA1CD712B5DB6B09701CE107
Instruction Fuzzy Hash: 90c847b5b2251fbb5b2f14fd0b24f537c214c92e226752d9278a3821f2f40b8f

APIs

Part of subcall function 004262B4: GetObjectA.GDI32(?,00000004), ref: 004262CB
Part of subcall function 004262B4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 004262EE

GetDC.USER32(00000000), ref: 00428A3E
CreateCompatibleDC.GDI32(?), ref: 00428A4A
SelectObject.GDI32(?), ref: 00428A57
SetDIBColorTable.GDI32(?,00000000,00000000,?), ref: 00428A7B
SelectObject.GDI32(?,?), ref: 00428A95
DeleteDC.GDI32(?), ref: 00428A9E
ReleaseDC.USER32(00000000,?), ref: 00428AA9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004442A8, Relevance: 10.6, APIs: 7, Instructions: 57 Total matches: 3149threadwindow

Similarity

Total matches: 3149
API ID: SendMessage$GetCurrentThreadIdGetCursorPosGetWindowThreadProcessIdSetCursorWindowFromPoint
String ID:
API String ID: 3843227220-0
Opcode ID: 636f8612f18a75fc2fe2d79306f1978e6c2d0ee500cce15a656835efa53532b4
Instruction ID: 91a0691e93be75cbd792bc1c5d11451005bcc187603754b99125f381020161aa
Opcode Fuzzy Hash: 6FE07D44093723D5C0644A295640705A6C6CB96630DC0DB86C339580FBAD0214F0BC92
Instruction Fuzzy Hash: 91a0691e93be75cbd792bc1c5d11451005bcc187603754b99125f381020161aa

APIs

GetCursorPos.USER32 ref: 004442C3
WindowFromPoint.USER32(?,?), ref: 004442D0
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004442DE
GetCurrentThreadId.KERNEL32(00000000,00000000,?,?), ref: 004442E5
SendMessageA.USER32(00000000,00000084,00000000,?), ref: 0044430E
SendMessageA.USER32(00000000,00000020,00000000,?), ref: 00444320
SetCursor.USER32(00000000), ref: 00444332

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00404448, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 49 Total matches: 63registry

Similarity

Total matches: 63
API ID: RegCloseKeyRegOpenKeyExRegQueryValueEx
String ID: &$FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 2249749755-409351
Opcode ID: ab90adbf7b939076b4d26ef1005f34fa32d43ca05e29cbeea890055cc8b783db
Instruction ID: ce62e3bb234767a160e82b0d7d36def6f0e4d1aa0fd43ed305e6d49589b0b3e0
Opcode Fuzzy Hash: 58D02BE10C9A675FB6B071543292B6310A3F72AA8CC0077326DD03A0D64FD26178CF03
Instruction Fuzzy Hash: ce62e3bb234767a160e82b0d7d36def6f0e4d1aa0fd43ed305e6d49589b0b3e0

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040446A
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,&,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040449D
RegCloseKey.ADVAPI32(?,004044C0,00000000,?,00000004,00000000,&,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004044B3

Strings

&, xrefs: 00404476
FPUMaskValue, xrefs: 00404494
SOFTWARE\Borland\Delphi\RTL, xrefs: 00404460

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00488B18, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 49 Total matches: 15

Similarity

Total matches: 15
API ID: GetDeviceCaps$CreateDCEnumDisplayMonitors
String ID: DISPLAY$MONSIZE0x0x0x0
API String ID: 764351534-707749442
Opcode ID: 4ad1b1e031ca4c6641bd4b991acf5b812f9c7536f9f0cc4eb1e7d2354d8ae31a
Instruction ID: 74f5256f7b05cb3d54b39a8883d8df7c51a1bc5999892e39300c9a7f2f74089f
Opcode Fuzzy Hash: 94E0C24F6B8BE4A7600672443C237C2878AA6536918523721CB3E36A93DD472205BA15
Instruction Fuzzy Hash: 74f5256f7b05cb3d54b39a8883d8df7c51a1bc5999892e39300c9a7f2f74089f

APIs

CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 00488B3D
GetDeviceCaps.GDI32(00000000,00000008), ref: 00488B47
GetDeviceCaps.GDI32(00000000,0000000A), ref: 00488B54
EnumDisplayMonitors.USER32(00000000,00000000,004889F0,00000000), ref: 00488B85

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

DISPLAY, xrefs: 00488B6E
MONSIZE0x0x0x0, xrefs: 00488B8C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040F3A4, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 46 Total matches: 17

Similarity

Total matches: 17
API ID: FindResourceLoadResource
String ID: 0PI$DVCLAL
API String ID: 2359726220-2981686760
Opcode ID: 800224e7684f9999f87d4ef9ea60951ae4fbd73f3e4075522447f15a278b71b4
Instruction ID: dff53e867301dc3e22b70d9e69622cb382f13005f1a49077cfe6c5f33cacb54d
Opcode Fuzzy Hash: 8FD0C9D501084285852017F8B253FC7A2AB69DEB19D544BB05EB12D2076F5A613B6A46
Instruction Fuzzy Hash: dff53e867301dc3e22b70d9e69622cb382f13005f1a49077cfe6c5f33cacb54d

APIs

FindResourceA.KERNEL32(00400000,DVCLAL,0000000A), ref: 0040F3C1
LoadResource.KERNEL32(00400000,00000000,00400000,DVCLAL,0000000A), ref: 0040F3CF
FindResourceA.KERNEL32(00400000,DVCLAL,0000000A), ref: 0040F3F3
LoadResource.KERNEL32(00400000,00000000,00400000,DVCLAL,0000000A), ref: 0040F3FA

Strings

0PI, xrefs: 0040F3A8, 0040F3B9, 0040F3C7
DVCLAL, xrefs: 0040F3B4, 0040F3EA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00484B30, Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 176 Total matches: 11sleep

Similarity

Total matches: 11
API ID: Sleep
String ID: BTERRORDownload File| Error on downloading file check if you type the correct url...|$BTRESULTDownload File|Mass Download : File Downloaded , Executing new one in temp dir...|$BTRESULTMass Download|Downloading File...|$DownloadFail$DownloadSuccess
API String ID: 3472027048-992323826
Opcode ID: b42a1814c42657d3903e752c8e34c8bac9066515283203de396ee156d6a45bcc
Instruction ID: deaf5eb2465c82228c6b2b1c1dca6568de82910c53d4747ae395a037cbca2448
Opcode Fuzzy Hash: EA2181291B8DE4A7F43B295C2447B5B11119FC2A9AE8D6BB1377A3F0161A42D019723A
Instruction Fuzzy Hash: deaf5eb2465c82228c6b2b1c1dca6568de82910c53d4747ae395a037cbca2448

APIs

Part of subcall function 0048485C: InternetOpenA.WININET(Mozilla,00000001,00000000,00000000,00000000), ref: 0048490C
Part of subcall function 0048485C: InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,04000000,00000000), ref: 00484944
Part of subcall function 0048485C: HttpQueryInfoA.WININET(00000000,00000013,?,00000200,?), ref: 0048497D
Part of subcall function 0048485C: InternetReadFile.WININET(00000000,?,00000400,?), ref: 00484A04
Part of subcall function 0048485C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 00484A75
Part of subcall function 0048485C: InternetCloseHandle.WININET(00000000), ref: 00484A95

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Sleep.KERNEL32(000007D0,?,?,?,?,?,?,?,00000000,00484D9A,?,?,?,?,00000006,00000000), ref: 00484D38

Part of subcall function 00475BD8: closesocket.WSOCK32(00000248,00000000,00475D47,?,00000000,00475D76,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00475D2E
Part of subcall function 00475BD8: GetCurrentProcessId.KERNEL32(00000248,00000000,00475D47,?,00000000,00475D76,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00475D33

Strings

DownloadFail, xrefs: 00484CBC
BTRESULTMass Download|Downloading File...|, xrefs: 00484C52
BTERRORDownload File| Error on downloading file check if you type the correct url...|, xrefs: 00484D0C
BTRESULTDownload File|Mass Download : File Downloaded , Executing new one in temp dir...|, xrefs: 00484CEA
DownloadSuccess, xrefs: 00484CA2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043EC18, Relevance: 9.2, APIs: 6, Instructions: 150 Total matches: 2896

Similarity

Total matches: 2896
API ID: FillRect$BeginPaintEndPaintGetClientRectGetWindowRect
String ID:
API String ID: 2931688664-0
Opcode ID: 677a90f33c4a0bae1c1c90245e54b31fe376033ebf9183cf3cf5f44c7b342276
Instruction ID: 65c0a0a89661e183b73f48e61e48bee5eb6d6399339ac08e0e21072a38132552
Opcode Fuzzy Hash: 9711994A819E5007F47B49C40887BEA1092FBC1FDBCC8FF7025A426BCB0B60564F860B
Instruction Fuzzy Hash: 65c0a0a89661e183b73f48e61e48bee5eb6d6399339ac08e0e21072a38132552

APIs

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?), ref: 0043EC91
GetClientRect.USER32(00000000,?), ref: 0043ECBC
FillRect.USER32(?,?,00000000), ref: 0043ECDB

Part of subcall function 0043EB8C: CallWindowProcA.USER32(?,?,?,?,?), ref: 0043EBC6

Part of subcall function 0043B78C: GetWindowLongA.USER32(?,000000EC), ref: 0043B799
Part of subcall function 0043B78C: SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B7BC
Part of subcall function 0043B78C: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043B7CE

BeginPaint.USER32(?,?), ref: 0043ED53
GetWindowRect.USER32(?,?), ref: 0043ED80

Part of subcall function 0044EEA0: GetWindowOrgEx.GDI32(?), ref: 0044EEAE
Part of subcall function 0044EEA0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044EEC4

Part of subcall function 00455D50: BeginPaint.USER32(00000000,?), ref: 00455D7B
Part of subcall function 00455D50: SaveDC.GDI32(00000000), ref: 00455DB4
Part of subcall function 00455D50: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 00455E36
Part of subcall function 00455D50: RestoreDC.GDI32(00000000,00000000), ref: 00455E6C
Part of subcall function 00455D50: EndPaint.USER32(00000000,?), ref: 00455EA9

EndPaint.USER32(?,?), ref: 0043EDE0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00441160, Relevance: 9.1, APIs: 6, Instructions: 125 Total matches: 196

Similarity

Total matches: 196
API ID: ExcludeClipRectFillRectGetStockObjectRestoreDCSaveDCSetBkColor
String ID:
API String ID: 3049133588-0
Opcode ID: d6019f6cee828ac7391376ab126a0af33bb7a71103bbd3b8d69450c96d22d854
Instruction ID: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c
Opcode Fuzzy Hash: 54012444004F6253F4AB098428E7FA56083F721791CE4FF310786616C34A74615BAA07
Instruction Fuzzy Hash: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c

APIs

Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE

SaveDC.GDI32(?), ref: 004411AD
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00441234
GetStockObject.GDI32(00000004), ref: 00441256
FillRect.USER32(00000000,?,00000000), ref: 0044126F

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(00000000,00000000), ref: 004412BA

Part of subcall function 0042535C: FillRect.USER32(?,00000000,00000000), ref: 00425385

RestoreDC.GDI32(00000000,?), ref: 004412E5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004556F4, Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 353 Total matches: 9

Similarity

Total matches: 9
API ID: DefWindowProcGetCaptureSetWindowPos_TrackMouseEvent
String ID: zC
API String ID: 1140357208-2078053289
Opcode ID: 4b88ffa7e8dc9e0fc55dcf7c85635e39fbe2c17a2618d5290024c367d42a558d
Instruction ID: b57778f77ef7841f174bad60fd8f5a19220f360e114fd8f1822aba38cb5d359d
Opcode Fuzzy Hash: B2513154458FA692E4B3E0417AA3BD27026F7D178AC84EF3027D9224DB7F15B217AB07
Instruction Fuzzy Hash: b57778f77ef7841f174bad60fd8f5a19220f360e114fd8f1822aba38cb5d359d

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000077), ref: 004557E5
DefWindowProcA.USER32(00000000,?,?,?), ref: 00455AEF

Part of subcall function 0044D640: GetCapture.USER32 ref: 0044D640

_TrackMouseEvent.COMCTL32(00000010), ref: 00455A9D

Part of subcall function 00455640: GetCapture.USER32 ref: 00455653

Part of subcall function 004554F4: GetMessagePos.USER32 ref: 00455503
Part of subcall function 004554F4: GetKeyboardState.USER32(?), ref: 00455600

GetCapture.USER32 ref: 00455B5A

Part of subcall function 00451C28: GetKeyboardState.USER32(?), ref: 00451E90

Strings

zC, xrefs: 0045594E, 0045596C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446070, Relevance: 9.1, APIs: 6, Instructions: 99 Total matches: 165window

Similarity

Total matches: 165
API ID: DefWindowProcIsWindowEnabledSetActiveWindowSetFocusSetWindowPosShowWindow
String ID:
API String ID: 81093956-0
Opcode ID: 91e5e05e051b3e2f023c100c42454c78ad979d8871dc5c9cc7008693af0beda7
Instruction ID: aa6e88dcafe1d9e979c662542ea857fd259aca5c8034ba7b6c524572af4b0f27
Opcode Fuzzy Hash: C2F0DD0025452320F892A8044167FBA60622B5F75ACDCD3282197002AEEFE7507ABF14
Instruction Fuzzy Hash: aa6e88dcafe1d9e979c662542ea857fd259aca5c8034ba7b6c524572af4b0f27

APIs

Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773

SetActiveWindow.USER32(?), ref: 0044608F
ShowWindow.USER32(00000000,00000009), ref: 004460B4
IsWindowEnabled.USER32(00000000), ref: 004460D3
DefWindowProcA.USER32(?,00000112,0000F120,00000000), ref: 004460EC

Part of subcall function 00444C44: ShowWindow.USER32(?,00000006), ref: 00444C5F

SetWindowPos.USER32(?,00000000,00000000,?,?,00445ABE,00000000), ref: 00446132
SetFocus.USER32(00000000), ref: 00446180

Part of subcall function 0043FDB4: ShowWindow.USER32(00000000,?), ref: 0043FDEA

Part of subcall function 00445490: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000213), ref: 004454DE

Part of subcall function 004455EC: EnumWindows.USER32(00445518,00000000), ref: 00445620
Part of subcall function 004455EC: ShowWindow.USER32(?,00000000), ref: 00445655
Part of subcall function 004455EC: ShowOwnedPopups.USER32(00000000,?), ref: 00445684
Part of subcall function 004455EC: ShowWindow.USER32(?,00000005), ref: 004456EA
Part of subcall function 004455EC: ShowOwnedPopups.USER32(00000000,?), ref: 00445719

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426564, Relevance: 9.1, APIs: 6, Instructions: 84 Total matches: 3298

Similarity

Total matches: 3298
API ID: GetDeviceCapsGetSystemMetrics$GetDCReleaseDC
String ID:
API String ID: 3173458388-0
Opcode ID: fd9f4716da230ae71bf1f4ec74ceb596be8590d72bfe1d7677825fa15454f496
Instruction ID: 76208f8db54bfa31a4e946745ab37a866a8afca9cd7e1400b1f436bf5add317d
Opcode Fuzzy Hash: 0CF09E4906CDE0A230E245C41213F6290C28E85DA1CCD2F728175646EB900A900BB68A
Instruction Fuzzy Hash: 76208f8db54bfa31a4e946745ab37a866a8afca9cd7e1400b1f436bf5add317d

APIs

GetSystemMetrics.USER32(0000000B), ref: 004265B2
GetSystemMetrics.USER32(0000000C), ref: 004265BE
GetDC.USER32(00000000), ref: 004265DA
GetDeviceCaps.GDI32(00000000,0000000E), ref: 00426601
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042660E
ReleaseDC.USER32(00000000,00000000), ref: 00426647

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004269DC, Relevance: 9.1, APIs: 6, Instructions: 65 Total matches: 3081window

Similarity

Total matches: 3081
API ID: SelectPalette$CreateCompatibleDCDeleteDCGetDIBitsRealizePalette
String ID:
API String ID: 940258532-0
Opcode ID: c5678bed85b02f593c88b8d4df2de58c18800a354d7fb4845608846d7bc0f30b
Instruction ID: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194
Opcode Fuzzy Hash: BCE0864D058EF36F1875B08C25D267100C0C9A25D0917BB6151282339B8F09B42FE553
Instruction Fuzzy Hash: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194

APIs

Part of subcall function 00426888: GetObjectA.GDI32(?,00000054), ref: 0042689C

CreateCompatibleDC.GDI32(00000000), ref: 004269FE
SelectPalette.GDI32(?,?,00000000), ref: 00426A1F
RealizePalette.GDI32(?), ref: 00426A2B
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 00426A42
SelectPalette.GDI32(?,00000000,00000000), ref: 00426A6A
DeleteDC.GDI32(?), ref: 00426A73

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426210, Relevance: 9.1, APIs: 6, Instructions: 56 Total matches: 3064window

Similarity

Total matches: 3064
API ID: SelectObject$CreateCompatibleDCCreatePaletteDeleteDCGetDIBColorTable
String ID:
API String ID: 2522673167-0
Opcode ID: 8f0861977a40d6dd0df59c1c8ae10ba78c97ad85d117a83679491ebdeecf1838
Instruction ID: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265
Opcode Fuzzy Hash: 23E0CD8BABB4E08A797B9EA40440641D28F874312DF4347525731780E7DE0972EBFD9D
Instruction Fuzzy Hash: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265

APIs

CreateCompatibleDC.GDI32(00000000), ref: 00426229
SelectObject.GDI32(00000000,00000000), ref: 00426232
GetDIBColorTable.GDI32(00000000,00000000,00000100,?), ref: 00426246
SelectObject.GDI32(00000000,00000000), ref: 00426252
DeleteDC.GDI32(00000000), ref: 00426258
CreatePalette.GDI32 ref: 0042629F

Part of subcall function 00426178: GetDC.USER32(00000000), ref: 00426190
Part of subcall function 00426178: GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
Part of subcall function 00426178: ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004258EC, Relevance: 9.0, APIs: 6, Instructions: 43 Total matches: 3205

Similarity

Total matches: 3205
API ID: SetBkColorSetBkMode$SelectObjectUnrealizeObject
String ID:
API String ID: 865388446-0
Opcode ID: ffaa839b37925f52af571f244b4bcc9ec6d09047a190f4aa6a6dd435522a71e3
Instruction ID: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d
Opcode Fuzzy Hash: 04D09E594221F71A98E8058442D7D520586497D532DAF3B51063B173F7F8089A05D9FC
Instruction Fuzzy Hash: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d

APIs

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

UnrealizeObject.GDI32(00000000), ref: 004258F8
SelectObject.GDI32(?,00000000), ref: 0042590A
SetBkColor.GDI32(?,00000000), ref: 0042592D
SetBkMode.GDI32(?,00000002), ref: 00425938

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(?,00000000), ref: 00425953
SetBkMode.GDI32(?,00000001), ref: 0042595E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042A930, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 112 Total matches: 272window

Similarity

Total matches: 272
API ID: CreateHalftonePaletteDeleteObjectGetDCReleaseDC
String ID: (
API String ID: 5888407-3887548279
Opcode ID: 4e22601666aff46a46581565b5bf303763a07c2fd17868808ec6dd327d665c82
Instruction ID: f57f3c124764741b0e8e00b5455ad9be4a6e3969f543885727e4b1f2e22c0620
Opcode Fuzzy Hash: 79019E5241CC6117F8D7A6547852F732644AB806A5C80FB707B69BA8CFAB85610EB90B
Instruction Fuzzy Hash: f57f3c124764741b0e8e00b5455ad9be4a6e3969f543885727e4b1f2e22c0620

APIs

GetDC.USER32(00000000), ref: 0042A9EC
CreateHalftonePalette.GDI32(00000000), ref: 0042A9F9
ReleaseDC.USER32(00000000,00000000), ref: 0042AA08
DeleteObject.GDI32(00000000), ref: 0042AA76

Strings

(, xrefs: 0042A9A3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DA48, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 102 Total matches: 32

Similarity

Total matches: 32
API ID: Netbios
String ID: %.2x-%.2x-%.2x-%.2x-%.2x-%.2x$3$memory allocation failed!
API String ID: 544444789-2654533857
Opcode ID: 22deb5ba4c8dd5858e69645675ac88c4b744798eed5cc2a6ae80ae5365d1f156
Instruction ID: 205d53b38d78d2d0723284a20418f6a6cc2e9f6e34ee92e133a3f4b1a01c78c5
Opcode Fuzzy Hash: FC0145449793E233D2635E086C60F6823228F41731FC96B56863A557DC1F09420EF26F
Instruction Fuzzy Hash: 205d53b38d78d2d0723284a20418f6a6cc2e9f6e34ee92e133a3f4b1a01c78c5

APIs

Netbios.NETAPI32(00000032), ref: 0048DA8A
Netbios.NETAPI32(00000033), ref: 0048DB01

Strings

3, xrefs: 0048DACB
memory allocation failed!, xrefs: 0048DAEB
%.2x-%.2x-%.2x-%.2x-%.2x-%.2x, xrefs: 0048DBA0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446EDC, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 98 Total matches: 12timethreadwindow

Similarity

Total matches: 12
API ID: GetCurrentThreadIdSetTimerWaitMessage
String ID: 4PI$TfD
API String ID: 3709936073-2665388893
Opcode ID: a96b87b76615ec2f6bd9a49929a256f28b564bdc467e68e118c3deca706b2d51
Instruction ID: b92290f9b4a80c848b093905c5717a31533565e16cff7f57329368dd8290fbf7
Opcode Fuzzy Hash: E2F0A28141CDF053D573A6183401FD120A6F3465D5CD097723768360EE1ADF603DE14B
Instruction Fuzzy Hash: b92290f9b4a80c848b093905c5717a31533565e16cff7f57329368dd8290fbf7

APIs

Part of subcall function 00446E50: GetCursorPos.USER32 ref: 00446E57

SetTimer.USER32(00000000,00000000,?,00446E74), ref: 00446FAB

Part of subcall function 00446DEC: IsWindowVisible.USER32(00000000), ref: 00446E24
Part of subcall function 00446DEC: IsWindowEnabled.USER32(00000000), ref: 00446E35

GetCurrentThreadId.KERNEL32(00000000,00447029,?,?,?,015B8130), ref: 00446FE5
WaitMessage.USER32 ref: 00447009

Part of subcall function 0041F7B4: GetCurrentThreadId.KERNEL32 ref: 0041F7BF
Part of subcall function 0041F7B4: GetCurrentThreadId.KERNEL32 ref: 0041F7CE
Part of subcall function 0041F7B4: EnterCriticalSection.KERNEL32(004999D0), ref: 0041F813
Part of subcall function 0041F7B4: InterlockedExchange.KERNEL32(00491B2C,?), ref: 0041F82F
Part of subcall function 0041F7B4: LeaveCriticalSection.KERNEL32(004999D0,00000000,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F888
Part of subcall function 0041F7B4: EnterCriticalSection.KERNEL32(004999D0,0041F904,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F8F7

Strings

TfD, xrefs: 00446EFE, 00446F08, 00446F59, 00446F81, 00446FBE, 00446F8E, 00446F69, 00446F6C, 00446F14, 00446F1D
4PI, xrefs: 00446FEA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482320, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85 Total matches: 19threadsleep

Similarity

Total matches: 19
API ID: CreateThreadExitThreadSleep
String ID: @$BTRESULTUDP Flood|UDP Flood task finished!|
API String ID: 2170526433-696998096
Opcode ID: 89b2bcb3a41e7f4c01433908cc75e320bbcd6b665df0f15f136d145bd92b223a
Instruction ID: ba785c08286949be7b8d16e5cc6bc2a647116c61844ba5f345475ef84eb05628
Opcode Fuzzy Hash: F0F02B696BCAA1DFE8075C446C42B9B2054DBC740EDCBA7B2261B235819A4A34073F13
Instruction Fuzzy Hash: ba785c08286949be7b8d16e5cc6bc2a647116c61844ba5f345475ef84eb05628

APIs

Sleep.KERNEL32(00000064,?,00000000,00482455), ref: 004823D3
CreateThread.KERNEL32(00000000,00000000,Function_000821A0,00000000,00000000,?), ref: 004823E8

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000,00000000,00000000,Function_000821A0,00000000,00000000,?,00000064,?,00000000,00482455), ref: 0048242B

Strings

@, xrefs: 004823BE
BTRESULTUDP Flood|UDP Flood task finished!|, xrefs: 00482417

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004827C4, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85 Total matches: 19threadsleep

Similarity

Total matches: 19
API ID: CreateThreadExitThreadSleep
String ID: @$BTRESULTSyn Flood|Syn task finished!|
API String ID: 2170526433-491318438
Opcode ID: 44470ceb4039b0deeebf49dfd608d8deeadfb9ebb9d7d747ae665e3d160d324e
Instruction ID: 0c48cfc9b202c7a9406c9b87cea66b669ffe7f04b2bdabee49179f6eebcccd33
Opcode Fuzzy Hash: 17F02B24A7D9B5DFEC075D402D42BDB6254EBC784EDCAA7B29257234819E1A30037713
Instruction Fuzzy Hash: 0c48cfc9b202c7a9406c9b87cea66b669ffe7f04b2bdabee49179f6eebcccd33

APIs

Sleep.KERNEL32(00000064,?,00000000,004828F9), ref: 00482877
CreateThread.KERNEL32(00000000,00000000,Function_00082630,00000000,00000000,?), ref: 0048288C

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000,00000000,00000000,Function_00082630,00000000,00000000,?,00000064,?,00000000,004828F9), ref: 004828CF

Strings

BTRESULTSyn Flood|Syn task finished!|, xrefs: 004828BB
@, xrefs: 00482862

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00483858, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85 Total matches: 19threadsleep

Similarity

Total matches: 19
API ID: CreateThreadExitThreadSleep
String ID: @$BTRESULTHTTP Flood|Http Flood task finished!|
API String ID: 2170526433-4253556105
Opcode ID: ce1973b24f73c03e98cc87b7d8b3c5c1d23a0e8b985775cb0889d2fdef58f970
Instruction ID: 21c0fad9eccbf28bfd57fbbbc49df069a42e3d2ebba60de991032031fecca495
Opcode Fuzzy Hash: 5DF0F61467DBA0AFEC476D403852FDB6254DBC344EDCAA7B2961B234919A0B50072752
Instruction Fuzzy Hash: 21c0fad9eccbf28bfd57fbbbc49df069a42e3d2ebba60de991032031fecca495

APIs

Sleep.KERNEL32(00000064,?,00000000,0048398D), ref: 0048390B
CreateThread.KERNEL32(00000000,00000000,Function_000836D8,00000000,00000000,?), ref: 00483920

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000,00000000,00000000,Function_000836D8,00000000,00000000,?,00000064,?,00000000,0048398D), ref: 00483963

Strings

@, xrefs: 004838F6
BTRESULTHTTP Flood|Http Flood task finished!|, xrefs: 0048394F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00431630, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68 Total matches: 12clipboard

Similarity

Total matches: 12
API ID: EnumClipboardFormatsGetClipboardData
String ID: 84B
API String ID: 3474394156-4139892337
Opcode ID: cbdc4fb4fee60523561006c9190bf0aca0ea1a398c4033ec61a61d99ebad6b44
Instruction ID: f1c5519afed1b0c95f7f2342b940afc2bc63d918938f195d0c151ba0fb7a00cb
Opcode Fuzzy Hash: 42E0D8922359D127F8C2A2903882B52360966DA6488405B709B6D7D1575551512FF28B
Instruction Fuzzy Hash: f1c5519afed1b0c95f7f2342b940afc2bc63d918938f195d0c151ba0fb7a00cb

APIs

EnumClipboardFormats.USER32(00000000), ref: 00431657
GetClipboardData.USER32(00000000), ref: 00431677
GetClipboardData.USER32(00000009), ref: 00431680
EnumClipboardFormats.USER32(00000000), ref: 0043169F

Strings

84B, xrefs: 00431665

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EA7C, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50 Total matches: 198thread

Similarity

Total matches: 198
API ID: FindWindowExGetCurrentThreadIdGetWindowThreadProcessIdIsWindow
String ID: OleMainThreadWndClass
API String ID: 201132107-3883841218
Opcode ID: cdbacb71e4e8a6832b821703e69153792bbbb8731c9381be4d3b148a6057b293
Instruction ID: 62358f18f5a79d764869bf2b093b0b3ccaeb62bda00a46bd1094c38cdaeeb6b7
Opcode Fuzzy Hash: F8E08C9266CC1095C039EA1C7A2237A3548B7D24E9ED4DB747BEB2716CEF00022A7780
Instruction Fuzzy Hash: 62358f18f5a79d764869bf2b093b0b3ccaeb62bda00a46bd1094c38cdaeeb6b7

APIs

Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00000000,00403029), ref: 004076AD
Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00403029), ref: 004076BE

IsWindow.USER32(?), ref: 0042EA99
FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
GetCurrentThreadId.KERNEL32(?,00000000,00000000,00000000,OleMainThreadWndClass,00000000,?,?,00000000,0042EB52), ref: 0042EB0A

Strings

OleMainThreadWndClass, xrefs: 0042EAC3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043F914, Relevance: 7.7, APIs: 5, Instructions: 174 Total matches: 113window

Similarity

Total matches: 113
API ID: SetMenu$GetMenuSetWindowPos
String ID:
API String ID: 2285096500-0
Opcode ID: d0722823978f30f9d251a310f9061108e88e98677dd122370550f2cde24528f3
Instruction ID: e705ced47481df034b79e2c10a9e9c5239c9913cd23e0c77b7b1ec0a0db802ed
Opcode Fuzzy Hash: 5F118B40961E1266F846164C19EAF1171E6BB9D305CC4E72083E630396BE085027E773
Instruction Fuzzy Hash: e705ced47481df034b79e2c10a9e9c5239c9913cd23e0c77b7b1ec0a0db802ed

APIs

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetMenu.USER32(00000000), ref: 0043FA38
SetMenu.USER32(00000000,00000000), ref: 0043FA55
SetMenu.USER32(00000000,00000000), ref: 0043FA8A
SetMenu.USER32(00000000,00000000), ref: 0043FAA6

Part of subcall function 0043F84C: GetMenu.USER32(00000000), ref: 0043F892
Part of subcall function 0043F84C: SendMessageA.USER32(00000000,00000230,00000000,00000000), ref: 0043F8AA
Part of subcall function 0043F84C: DrawMenuBar.USER32(00000000), ref: 0043F8BB

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043FAED

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434AE4, Relevance: 7.7, APIs: 5, Instructions: 168 Total matches: 2874

Similarity

Total matches: 2874
API ID: DrawTextOffsetRect$DrawEdge
String ID:
API String ID: 1230182654-0
Opcode ID: 4033270dfa35f51a11e18255a4f5fd5a4a02456381e8fcea90fa62f052767fcc
Instruction ID: 6b9e5ef3b45a4a7d0cb501c9f56a29ead01efbe1e1581f942ef4c6a165ab8663
Opcode Fuzzy Hash: A511CB01114D5A93E431240815A7FEF1295FBC1A9BCD4BB71078636DBB2F481017EA7B
Instruction Fuzzy Hash: 6b9e5ef3b45a4a7d0cb501c9f56a29ead01efbe1e1581f942ef4c6a165ab8663

APIs

DrawEdge.USER32(00000000,?,00000006,00000002), ref: 00434BB3
OffsetRect.USER32(?,00000001,00000001), ref: 00434C04
DrawTextA.USER32(00000000,00000000,?,?,?), ref: 00434C3D
OffsetRect.USER32(?,000000FF,000000FF), ref: 00434C4A

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

DrawTextA.USER32(00000000,00000000,?,?,?), ref: 00434CB5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00473208, Relevance: 7.6, APIs: 5, Instructions: 114 Total matches: 15network

Similarity

Total matches: 15
API ID: inet_ntoa$WSAIoctlclosesocketsocket
String ID:
API String ID: 2271367613-0
Opcode ID: 03e2a706dc22aa37b7c7fcd13714bf4270951a4113eb29807a237e9173ed7bd6
Instruction ID: 676ba8df3318004e6f71ddf2b158507320f00f5068622334a9372202104f6e6f
Opcode Fuzzy Hash: A0F0AC403B69D14384153BC72A80F5971A2872F33ED4833999230986D7984CA018F529
Instruction Fuzzy Hash: 676ba8df3318004e6f71ddf2b158507320f00f5068622334a9372202104f6e6f

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00473339), ref: 0047323B
WSAIoctl.WS2_32(000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000), ref: 0047327C
inet_ntoa.WSOCK32(?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000), ref: 004732AC
inet_ntoa.WSOCK32(?,?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001), ref: 004732E8
closesocket.WSOCK32(000000FF,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000,00000000,00473339), ref: 00473319

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004455EC, Relevance: 7.6, APIs: 5, Instructions: 109 Total matches: 230

Similarity

Total matches: 230
API ID: ShowOwnedPopupsShowWindow$EnumWindows
String ID:
API String ID: 1268429734-0
Opcode ID: 27bb45b2951756069d4f131311b8216febb656800ffc3f7147a02f570a82fa35
Instruction ID: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc
Opcode Fuzzy Hash: 70012B5524E87325E2756D54B01C765A2239B0FF08CE6C6654AAE640F75E1E0132F78D
Instruction Fuzzy Hash: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc

APIs

EnumWindows.USER32(00445518,00000000), ref: 00445620
ShowWindow.USER32(?,00000000), ref: 00445655
ShowOwnedPopups.USER32(00000000,?), ref: 00445684
ShowWindow.USER32(?,00000005), ref: 004456EA
ShowOwnedPopups.USER32(00000000,?), ref: 00445719

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004878A4, Relevance: 7.6, APIs: 5, Instructions: 109 Total matches: 11memorythread

Similarity

Total matches: 11
API ID: CloseHandleCreateThreadEnterCriticalSectionLeaveCriticalSectionLocalAlloc
String ID:
API String ID: 3024079611-0
Opcode ID: 4dd964c7e1c4b679be799535e5517f4cba33e810e34606c0a9d5c033aa3fe8c9
Instruction ID: efb3d4a77ffd09126bc7d7eb87c1fe64908b5695ecb93dc64bf5137c0ac50147
Opcode Fuzzy Hash: 7E01288913DAD457BD6068883C86EE705A95BA2508E0C67B34F2E392834F1A5125F283
Instruction Fuzzy Hash: efb3d4a77ffd09126bc7d7eb87c1fe64908b5695ecb93dc64bf5137c0ac50147

APIs

EnterCriticalSection.KERNEL32(0049C3A8,00000000,00487A08), ref: 004878F3

Part of subcall function 00487318: EnterCriticalSection.KERNEL32(0049C3A8,00000000,00487468,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00487347
Part of subcall function 00487318: LeaveCriticalSection.KERNEL32(0049C3A8,0048744D,00487468,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00487440

LocalAlloc.KERNEL32(00000040,00000010,?,0049C3A8,00000000,00487A08), ref: 0048795A
CreateThread.KERNEL32(00000000,00000000,Function_00086E2C,00000000,00000000,?), ref: 004879AE
CloseHandle.KERNEL32(00000000), ref: 004879B4
LeaveCriticalSection.KERNEL32(0049C3A8,004879D8,Function_00086E2C,00000000,00000000,?,00000040,00000010,?,0049C3A8,00000000,00487A08), ref: 004879CB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EB3C, Relevance: 7.6, APIs: 5, Instructions: 86 Total matches: 211window

Similarity

Total matches: 211
API ID: DispatchMessageMsgWaitForMultipleObjectsExPeekMessageTranslateMessageWaitForMultipleObjectsEx
String ID:
API String ID: 1615661765-0
Opcode ID: ed928f70f25773e24e868fbc7ee7d77a1156b106903410d7e84db0537b49759f
Instruction ID: 55a40452e6c929106030349fb2bc1598364ce2fc4e781c2a916e8f687fa462b2
Opcode Fuzzy Hash: DDF05C09614F1D16D8BB88644562B1B2144AB42397C26BFA5529EE3B2D6B18B00AF640
Instruction Fuzzy Hash: 55a40452e6c929106030349fb2bc1598364ce2fc4e781c2a916e8f687fa462b2

APIs

Part of subcall function 0042EA7C: IsWindow.USER32(?), ref: 0042EA99
Part of subcall function 0042EA7C: FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
Part of subcall function 0042EA7C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
Part of subcall function 0042EA7C: GetCurrentThreadId.KERNEL32(?,00000000,00000000,00000000,OleMainThreadWndClass,00000000,?,?,00000000,0042EB52), ref: 0042EB0A

MsgWaitForMultipleObjectsEx.USER32(?,?,?,000000BF,?), ref: 0042EB6A
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 0042EB85
TranslateMessage.USER32(?), ref: 0042EB92
DispatchMessageA.USER32(?), ref: 0042EB9B
WaitForMultipleObjectsEx.KERNEL32(?,?,?,?,00000000), ref: 0042EBC7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434924, Relevance: 7.6, APIs: 5, Instructions: 77 Total matches: 2509window

Similarity

Total matches: 2509
API ID: GetMenuItemCount$DestroyMenuGetMenuStateRemoveMenu
String ID:
API String ID: 4240291783-0
Opcode ID: 32de4ad86fdb0cc9fc982d04928276717e3a5babd97d9cb0bc7430a9ae97d0ca
Instruction ID: cf6877f9ad33401498591f2bf6e6844a5ca439f59e89e6fdb213c81f0c010526
Opcode Fuzzy Hash: 6BE02BD3455E4703F425AB0454E3FA913C4AF51716DA0DB1017359D07B1F26501FE9F4
Instruction Fuzzy Hash: cf6877f9ad33401498591f2bf6e6844a5ca439f59e89e6fdb213c81f0c010526

APIs

Part of subcall function 00434A54: CreatePopupMenu.USER32 ref: 00434A6F
Part of subcall function 00434A54: CreateMenu.USER32 ref: 00434A79

GetMenuItemCount.USER32(00000000), ref: 0043495C
GetMenuState.USER32(00000000,-00000001,00000400), ref: 0043497D
RemoveMenu.USER32(00000000,-00000001,00000400), ref: 00434994
GetMenuItemCount.USER32(00000000), ref: 004349C4
DestroyMenu.USER32(00000000), ref: 004349D1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00443430, Relevance: 7.6, APIs: 5, Instructions: 61 Total matches: 3003

Similarity

Total matches: 3003
API ID: SetWindowLong$GetWindowLongRedrawWindowSetLayeredWindowAttributes
String ID:
API String ID: 3761630487-0
Opcode ID: 9c9d49d1ef37d7cb503f07450c0d4a327eb9b2b4778ec50dcfdba666c10abcb3
Instruction ID: c6d9d2cd31c241e86b7d90949bf59b5cad1e27a78e0073c3828bbb8e9ec94880
Opcode Fuzzy Hash: 6AE06550D41703A1D48114945B63FBBE8817F8911DDE5C71001BA29145BA88A192FF7B
Instruction Fuzzy Hash: c6d9d2cd31c241e86b7d90949bf59b5cad1e27a78e0073c3828bbb8e9ec94880

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 00443464
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 00443496
SetLayeredWindowAttributes.USER32(00000000,?,?,00000000), ref: 004434CF
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 004434E8
RedrawWindow.USER32(00000000,00000000,00000000,00000485), ref: 004434FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426178, Relevance: 7.6, APIs: 5, Instructions: 55 Total matches: 3070window

Similarity

Total matches: 3070
API ID: GetPaletteEntries$GetDCGetDeviceCapsReleaseDC
String ID:
API String ID: 1267235336-0
Opcode ID: 49f91625e0dd571c489fa6fdad89a91e8dd79834746e98589081ca7a3a4fea17
Instruction ID: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836
Opcode Fuzzy Hash: 7CD0C2AA1389DBD6BD6A17842352A4553478983B09D126B32EB0822872850C5039FD1F
Instruction Fuzzy Hash: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836

APIs

GetDC.USER32(00000000), ref: 00426190
GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444B90, Relevance: 7.5, APIs: 5, Instructions: 25 Total matches: 2957synchronizationthread

Similarity

Total matches: 2957
API ID: CloseHandleGetCurrentThreadIdSetEventUnhookWindowsHookExWaitForSingleObject
String ID:
API String ID: 3442057731-0
Opcode ID: bc40a7f740796d43594237fc13166084f8c3b10e9e48d5138e47e82ca7129165
Instruction ID: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1
Opcode Fuzzy Hash: E9C01296B2C9B0C1EC809712340202800B20F8FC590E3DE0509D7363005315D73CD92C
Instruction Fuzzy Hash: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1

APIs

UnhookWindowsHookEx.USER32(00000000), ref: 00444B9F
SetEvent.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBA
GetCurrentThreadId.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBF
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00444BD4
CloseHandle.KERNEL32(00000000), ref: 00444BDF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00487488, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 155 Total matches: 10

Similarity

Total matches: 10
API ID: EnterCriticalSectionLeaveCriticalSectionclosesocket
String ID: FpH
API String ID: 290008508-3698235444
Opcode ID: be6004bcf5111565a748ebf748fe8f94cb6dfae83d2399967abd75ac40b7e6c4
Instruction ID: 3d9c9e21102527a3ccf10666a7ac4716c4c3e43fa569496a7f805cea37bff582
Opcode Fuzzy Hash: 2C11B6219B4656ABDD15ED006C8F38532AE1BABCCAD9A83F2B27F3545E1A0331057292
Instruction Fuzzy Hash: 3d9c9e21102527a3ccf10666a7ac4716c4c3e43fa569496a7f805cea37bff582

APIs

EnterCriticalSection.KERNEL32(0049C3A8,00000000,00487671,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00487016), ref: 004874B5
closesocket.WSOCK32(00000000,FpH,?,?,?,?,0049C3A8,00000000,00487671,?,?,00000000,?,00000000,00000000,00000000), ref: 0048761C
LeaveCriticalSection.KERNEL32(0049C3A8,00487656,00487671,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00487016), ref: 00487649

Strings

FpH, xrefs: 004875BE, 004875C1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040D670, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148 Total matches: 3566thread

Similarity

Total matches: 3566
API ID: GetThreadLocale
String ID: eeee$ggg$yyyy
API String ID: 1366207816-1253427255
Opcode ID: 86fa1fb3c1f239f42422769255d2b4db7643f856ec586a18d45da068e260c20e
Instruction ID: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436
Opcode Fuzzy Hash: 3911BD8712648363D5722818A0D2BE3199C5703CA4EA89742DDB6356EA7F09440BEE6D
Instruction Fuzzy Hash: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436

APIs

GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Strings

eeee, xrefs: 0040D7AE
yyyy, xrefs: 0040D795
ggg, xrefs: 0040D785

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00448CDC, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 128 Total matches: 12

Similarity

Total matches: 12
API ID: ImageList_Draw$ImageList_GetImageCount
String ID: 6B
API String ID: 3589308897-1343726390
Opcode ID: 2690fd2ca55b1b65e67941613c6303a21faec12a0278fdf56c2d44981dc0a60c
Instruction ID: bb1a6af48a08526224ce615e4789a1aefef0bbae6c761038034d4d1812f59c35
Opcode Fuzzy Hash: D8017B814A5DA09FF93335842AE32BB204AE757E4ACCC3FF13684275C78420722BB613
Instruction Fuzzy Hash: bb1a6af48a08526224ce615e4789a1aefef0bbae6c761038034d4d1812f59c35

APIs

ImageList_GetImageCount.COMCTL32(?,?,?,00000000,00448E75), ref: 00448D9D

Part of subcall function 0042535C: FillRect.USER32(?,00000000,00000000), ref: 00425385

ImageList_Draw.COMCTL32(?,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000,00448E75), ref: 00448DDF
ImageList_Draw.COMCTL32(?,00000000,00000000,00000000,00000000,00000010,?,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 00448E0E

Part of subcall function 004488AC: ImageList_Add.COMCTL32(?,00000000,00000000,00000000,0044893E,?,00000000,0044895B), ref: 00448920

Strings

6B, xrefs: 00448D1F, 00448D58

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486094, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 112 Total matches: 15window

Similarity

Total matches: 15
API ID: DispatchMessagePeekMessageTranslateMessage
String ID: @^H
API String ID: 185851025-3554995626
Opcode ID: 2132e19746abd73b79cebe2d4e6b891fdd392e5cfbbdda1538f9754c05474f80
Instruction ID: eb76ea1802a2b415b8915c5eabc8b18207f4e99a378ecd2f436d0820f5175207
Opcode Fuzzy Hash: FF019C4102C7C1D9EE46E4FD3030BC3A454A74A7A6D89A7A03EFD1116A5F8A7116BF2B
Instruction Fuzzy Hash: eb76ea1802a2b415b8915c5eabc8b18207f4e99a378ecd2f436d0820f5175207

APIs

Part of subcall function 00485EAC: shutdown.WSOCK32(00000000,00000002), ref: 00485F0E
Part of subcall function 00485EAC: closesocket.WSOCK32(00000000,00000000,00000002), ref: 00485F19

Part of subcall function 00485F40: socket.WSOCK32(00000002,00000001,00000000,00000000,00486072), ref: 00485F69
Part of subcall function 00485F40: ntohs.WSOCK32(00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485F8F
Part of subcall function 00485F40: inet_addr.WSOCK32(015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FA0
Part of subcall function 00485F40: gethostbyname.WSOCK32(015EAA88,015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FB5
Part of subcall function 00485F40: connect.WSOCK32(00000000,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FD8
Part of subcall function 00485F40: recv.WSOCK32(00000000,0049A3A0,00001FFF,00000000,00000000,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FEF
Part of subcall function 00485F40: recv.WSOCK32(00000000,0049A3A0,00001FFF,00000000,00000000,0049A3A0,00001FFF,00000000,00000000,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000), ref: 0048603F

Part of subcall function 00466AFC: waveInOpen.WINMM(00000094,00000000,?,?,00000000,00010004), ref: 00466B36
Part of subcall function 00466AFC: waveInStart.WINMM(?), ref: 00466B5B

TranslateMessage.USER32(?), ref: 004861CA
DispatchMessageA.USER32(?), ref: 004861D0
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004861DE

Strings

@^H, xrefs: 004860BE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F5E4, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72 Total matches: 26window

Similarity

Total matches: 26
API ID: GetWindowPlacementGetWindowTextIsWindowVisible
String ID: ,
API String ID: 41250382-3772416878
Opcode ID: d98ece8bad481757d152ad7594c705093dec75069e9b5f9ec314c4d81001c558
Instruction ID: 1b57460ef1e40e225087e69e669dd845b9a56fe4f5442601256b4cdd4d0865f6
Opcode Fuzzy Hash: DBE0ABC68782816BD907FDCCB0207E6E1E4779394CC8CBB32C606396E44D92000DCE69
Instruction Fuzzy Hash: 1b57460ef1e40e225087e69e669dd845b9a56fe4f5442601256b4cdd4d0865f6

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F634
GetWindowPlacement.USER32(?,0000002C), ref: 0046F64F
IsWindowVisible.USER32(?), ref: 0046F655

Strings

,, xrefs: 0046F643

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00473448, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 68 Total matches: 15network

Similarity

Total matches: 15
API ID: InternetConnectInternetOpen
String ID: 84G$DCSC
API String ID: 2368555255-1372800958
Opcode ID: 53ce43b2210f5c6ad3b551091bc6b8bee07640da22ed1286f4ed4d69da6ab12a
Instruction ID: e0797c740093838c5f4dac2a7ddd4939bcbe40ebc838de26f806c335dc33f113
Opcode Fuzzy Hash: 1AF0558C09DC81CBED14B5C83C827C7281AB357949E003B91161A372C3DF0A6174FA4F
Instruction Fuzzy Hash: e0797c740093838c5f4dac2a7ddd4939bcbe40ebc838de26f806c335dc33f113

APIs

InternetOpenA.WININET(DCSC,00000000,00000000,00000000,00000000), ref: 00473493
InternetConnectA.WININET(00000000,00000000,00000000,00000000,00000000,00000001,08000000,00000000), ref: 004734D9

Strings

DCSC, xrefs: 0047348E
84G, xrefs: 00473468, 0047350F, 004734AF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00485150, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64 Total matches: 24registry

Similarity

Total matches: 24
API ID: RegCloseKeyRegOpenKeyRegSetValueEx
String ID: Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 551737238-1428018034
Opcode ID: 03d06dea9a4ea131a8c95bd501c85e7d0b73df60e0a15cb9a2dd1ac9fe2d308f
Instruction ID: 259808f008cd29689f11a183a475b32bbb219f99a0f83129d86369365ce9f44d
Opcode Fuzzy Hash: 15E04F8517EAE2ABA996B5C838866F7609A9713790F443FB19B742F18B4F04601CE243
Instruction Fuzzy Hash: 259808f008cd29689f11a183a475b32bbb219f99a0f83129d86369365ce9f44d

APIs

RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 00485199
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,?,00000000,004851DE,?,00000000,0048520A), ref: 004851C6
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,?,00000000,004851DE,?,00000000,0048520A), ref: 004851CF

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 0048518F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004606CC, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 59 Total matches: 75network

Similarity

Total matches: 75
API ID: gethostbynameinet_addr
String ID: %d.%d.%d.%d$0.0.0.0
API String ID: 1594361348-464342551
Opcode ID: 7e59b623bdbf8c44b8bb58eaa9a1d1e7bf08be48a025104469b389075155053e
Instruction ID: 136b4077bafd549567cd44b702fc781b2d0bdeab701521d256d746d30229b047
Opcode Fuzzy Hash: 62E0D84049F633C28038E685914DF713041C71A2DEF8F9352022171EF72B096986AE3F
Instruction Fuzzy Hash: 136b4077bafd549567cd44b702fc781b2d0bdeab701521d256d746d30229b047

APIs

inet_addr.WSOCK32(00000000), ref: 004606F6
gethostbyname.WSOCK32(00000000), ref: 00460711

Strings

%d.%d.%d.%d, xrefs: 0046075E
0.0.0.0, xrefs: 0046076C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043804C, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58 Total matches: 1778window

Similarity

Total matches: 1778
API ID: DrawMenuBarGetMenuItemInfoSetMenuItemInfo
String ID: P
API String ID: 41131186-3110715001
Opcode ID: ea0fd48338f9c30b58f928f856343979a74bbe7af1b6c53973efcbd39561a32d
Instruction ID: eec9c326b6739cd85be96541f469f9b321a478421ae7c7aca53e0c239bd8eefe
Opcode Fuzzy Hash: C8E0C0C1064C1301CCACB4938564F010221FB8B33CDD1D3C051602419A9D0080D4BFFA
Instruction Fuzzy Hash: eec9c326b6739cd85be96541f469f9b321a478421ae7c7aca53e0c239bd8eefe

APIs

GetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 0043809A
SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 004380EC
DrawMenuBar.USER32(00000000), ref: 004380F9

Strings

P, xrefs: 0043808C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474E20, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51 Total matches: 17synchronizationthreadinjection

Similarity

Total matches: 17
API ID: CreateRemoteThreadReadProcessMemoryWaitForSingleObject
String ID: DCPERSFWBP
API String ID: 972516186-2425095734
Opcode ID: c4bd10bfc42c7bc3ca456a767018bd77f736aecaa9343146970cff40bb4593b6
Instruction ID: 075115d4d80338f80b59a5c3f9ea77aa0f3a1cab00edb24ce612801bf173fcc5
Opcode Fuzzy Hash: 63D0A70B97094A56102D348D54027154341A601775EC177E38E36873F719C17051F85E
Instruction Fuzzy Hash: 075115d4d80338f80b59a5c3f9ea77aa0f3a1cab00edb24ce612801bf173fcc5

APIs

Part of subcall function 00474DF0: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,00475328,?,?,00474E3D,DCPERSFWBP,?,?), ref: 00474E06
Part of subcall function 00474DF0: WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,00000000,?,00003000,00000040,?,?,00475328,?,?,00474E3D), ref: 00474E12

CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00474E5E
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00474E6E
ReadProcessMemory.KERNEL32(?,00000000,?,?,?,DCPERSFWBP,?,?), ref: 00474E81

Strings

DCPERSFWBP, xrefs: 00474E28

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C3E4, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47 Total matches: 32libraryloader

Similarity

Total matches: 32
API ID: FreeLibraryGetProcAddressLoadLibrary
String ID: _DCEntryPoint
API String ID: 2438569322-2130044969
Opcode ID: ab6be07d423f29e2cef18b5ad5ff21cef58c0bd0bd6b8b884c8bb9d8d911d098
Instruction ID: 3cba8b520013dd4b177f9c32272ffd10ecf318a20762e1e9fa694429cf7511db
Opcode Fuzzy Hash: B9D0C2568747D413C405200439407D90CF1AF8719F9967FA145303FAD76F09801B7527
Instruction Fuzzy Hash: 3cba8b520013dd4b177f9c32272ffd10ecf318a20762e1e9fa694429cf7511db

APIs

LoadLibraryA.KERNEL32(00000000), ref: 0048C431
GetProcAddress.KERNEL32(00000000,_DCEntryPoint,00000000,0048C473), ref: 0048C442
FreeLibrary.KERNEL32(00000000), ref: 0048C44A

Strings

_DCEntryPoint, xrefs: 0048C43C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E2E0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43 Total matches: 12

Similarity

Total matches: 12
API ID: GetSystemMetrics
String ID: B$MonitorFromRect
API String ID: 96882338-2754499530
Opcode ID: 1842a50c2a1cfa3c1025dca09d4f756f79199febb49279e4604648b2b7edb610
Instruction ID: 6b6d6292007391345a0dd43a7380953c143f03b3d0a4cb72f8cf2ff6a2a574f7
Opcode Fuzzy Hash: E0D0A791112CA408509A0917702924315EE35EBC1599C0BE6976B792E797CABD329E0D
Instruction Fuzzy Hash: 6b6d6292007391345a0dd43a7380953c143f03b3d0a4cb72f8cf2ff6a2a574f7

APIs

GetSystemMetrics.USER32(00000000), ref: 0042E331
GetSystemMetrics.USER32(00000001), ref: 0042E33D

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

MonitorFromRect, xrefs: 0042E2F5
B, xrefs: 0042E2FA, 0042E307, 0042E30E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00431584, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43 Total matches: 12clipboard

Similarity

Total matches: 12
API ID: GetClipboardDataGlobalLockGlobalUnlock
String ID: 3 H
API String ID: 1112492702-888106971
Opcode ID: 013a2f41e22a5f88135e53f1f30c1b54f125933eea5d15d528f5d163d4797a42
Instruction ID: db876d1a574ac817b8a3991f0ba770b49a36090bd3b886d1e57eba999d76a536
Opcode Fuzzy Hash: 53D0A7C3025DE267E991578C0053A92A6C0D8416087C063B0830C2E927031E50AB7063
Instruction Fuzzy Hash: db876d1a574ac817b8a3991f0ba770b49a36090bd3b886d1e57eba999d76a536

APIs

GetClipboardData.USER32(00000001), ref: 0043159A
GlobalLock.KERNEL32(00000000,00000000,004315F6), ref: 004315BA
GlobalUnlock.KERNEL32(00000000,004315FD), ref: 004315E8

Strings

3 H, xrefs: 00431590, 004315ED

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046D36C, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36 Total matches: 62

Similarity

Total matches: 62
API ID: ShellExecute
String ID: /k $[FILE]$open
API String ID: 2101921698-3009165984
Opcode ID: 68a05d7cd04e1a973318a0f22a03b327e58ffdc8906febc8617c9713a9b295c3
Instruction ID: d64fb813625eb261c687c2654e5203d30067de4ace02db37851750b48dd66fbf
Opcode Fuzzy Hash: FED0C75427CD9157FA017F8439527E61057E747281D481BE285587A0838F8D40659312
Instruction Fuzzy Hash: d64fb813625eb261c687c2654e5203d30067de4ace02db37851750b48dd66fbf

APIs

ShellExecuteA.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0046D3B9

Strings

/k , xrefs: 0046D39A
cmd.exe, xrefs: 0046D3AD
open, xrefs: 0046D3B2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042F9E4, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36 Total matches: 35libraryloader

Similarity

Total matches: 35
API ID: GetProcAddressLoadLibrary
String ID: DWMAPI.DLL$DwmExtendFrameIntoClientArea
API String ID: 3291547091-2956373744
Opcode ID: cc41b93bac7ef77e5c5829331b5f2d91e10911707bc9e4b3bb75284856726923
Instruction ID: 611aa7263024d751f308fb3d57e5af9092bc5a71ac2d52dead79affe02cb0da7
Opcode Fuzzy Hash: D0D0A7E4C08511B0F0509405703078241DE1BC5EEE8860E90150E533621B9FB827F65C
Instruction Fuzzy Hash: 611aa7263024d751f308fb3d57e5af9092bc5a71ac2d52dead79affe02cb0da7

APIs

LoadLibraryA.KERNEL32(DWMAPI.DLL), ref: 0042FA0E
GetProcAddress.KERNEL32(00000000,DwmExtendFrameIntoClientArea,?,?,?,00447F98), ref: 0042FA31

Strings

DWMAPI.DLL, xrefs: 0042FA09
DwmExtendFrameIntoClientArea, xrefs: 0042FA26

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042FA80, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31 Total matches: 41libraryloader

Similarity

Total matches: 41
API ID: GetProcAddressLoadLibrary
String ID: DWMAPI.DLL$DwmIsCompositionEnabled
API String ID: 3291547091-2128843254
Opcode ID: 903d86e3198bc805c96c7b960047695f5ec88b3268c29fda1165ed3f3bc36d22
Instruction ID: 6cdb37f6684ca359e010f835ed4616ce0f7732468e0f2b98b5f1960530870703
Opcode Fuzzy Hash: E3D0C9A5C0865175F571D509713068081FA23D6E8A8824998091A123225FAFB866F55C
Instruction Fuzzy Hash: 6cdb37f6684ca359e010f835ed4616ce0f7732468e0f2b98b5f1960530870703

APIs

LoadLibraryA.KERNEL32(DWMAPI.DLL), ref: 0042FAA6
GetProcAddress.KERNEL32(00000000,DwmIsCompositionEnabled,?,?,0042FB22,?,00447EFB), ref: 0042FAC9

Strings

DwmIsCompositionEnabled, xrefs: 0042FABE
DWMAPI.DLL, xrefs: 0042FAA1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040F4AC, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16 Total matches: 3137libraryloader

Similarity

Total matches: 3137
API ID: GetModuleHandleGetProcAddress
String ID: GetDiskFreeSpaceExA$[FILE]
API String ID: 1063276154-3559590856
Opcode ID: c33e0a58fb58839ae40c410e06ae8006a4b80140bf923832b2d6dbd30699e00d
Instruction ID: 9d6a6771c1a736381c701344b3d7b8e37c98dfc5013332f68a512772380f22cc
Opcode Fuzzy Hash: D8B09224E0D54114C4B4560930610013C82738A10E5019A820A1B720AA7CCEEA29603A
Instruction Fuzzy Hash: 9d6a6771c1a736381c701344b3d7b8e37c98dfc5013332f68a512772380f22cc

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0048F10B,00000000,0048F11E), ref: 0040F4B2
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA,kernel32.dll,?,0048F10B,00000000,0048F11E), ref: 0040F4C3

Strings

GetDiskFreeSpaceExA, xrefs: 0040F4BD
kernel32.dll, xrefs: 0040F4AD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EC20, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15 Total matches: 48libraryloader

Similarity

Total matches: 48
API ID: GetModuleHandleGetProcAddress
String ID: CoWaitForMultipleHandles$[FILE]
API String ID: 1063276154-3065170753
Opcode ID: c6d715972c75e747e6d7ad7506eebf8b4c41a2b527cd9bc54a775635c050cd0f
Instruction ID: d81c7de5bd030b21af5c52a75e3162b073d887a4de1eb555b8966bd0fb9ec815
Opcode Fuzzy Hash: 4DB012F9A0C9210CE55F44043163004ACF031C1B5F002FD461637827803F86F437631D
Instruction Fuzzy Hash: d81c7de5bd030b21af5c52a75e3162b073d887a4de1eb555b8966bd0fb9ec815

APIs

GetModuleHandleA.KERNEL32(ole32.dll,?,0042EC9A), ref: 0042EC26
GetProcAddress.KERNEL32(00000000,CoWaitForMultipleHandles,ole32.dll,?,0042EC9A), ref: 0042EC37

Strings

CoWaitForMultipleHandles, xrefs: 0042EC31
ole32.dll, xrefs: 0042EC21

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E724, Relevance: 6.2, APIs: 4, Instructions: 198 Total matches: 19

Similarity

Total matches: 19
API ID: NetApiBufferFree$NetShareEnumNetShareGetInfo
String ID:
API String ID: 1922012051-0
Opcode ID: 7e64b2910944434402afba410b58d9b92ec59018d54871fdfc00dd5faf96720b
Instruction ID: 14ccafa2cf6417a1fbed620c270814ec7f2ac7381c92f106b89344cab9500d3f
Opcode Fuzzy Hash: 522148C606BDA0ABF6A3B4C4B447FC182D07B0B96DE486B2290BABD5C20D9521079263
Instruction Fuzzy Hash: 14ccafa2cf6417a1fbed620c270814ec7f2ac7381c92f106b89344cab9500d3f

APIs

Part of subcall function 004032F8: GetCommandLineA.KERNEL32(00000000,00403349,?,?,?,00000000), ref: 0040330F

Part of subcall function 00403358: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,0046E763,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0040337C
Part of subcall function 00403358: GetCommandLineA.KERNEL32(?,?,?,0046E763,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0040338E

NetShareEnum.NETAPI32(?,00000000,?,000000FF,?,?,?,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0046E79C
NetShareGetInfo.NETAPI32(?,?,000001F6,?,00000000,0046E945,?,?,00000000,?,000000FF,?,?,?,00000000,0046E984), ref: 0046E7D5
NetApiBufferFree.NETAPI32(?,?,?,000001F6,?,00000000,0046E945,?,?,00000000,?,000000FF,?,?,?,00000000), ref: 0046E936
NetApiBufferFree.NETAPI32(?,?,00000000,?,000000FF,?,?,?,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0046E964

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00411444, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: 954335058d5fe722e048a186d9110509c96c1379a47649d8646f5b9e1a2e0a0b
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: 9D014B0327CAAA867021BB004882FA0D2D4DE52A369CD8774DB71593F62780571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004114F3
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041150F
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411586
VariantClear.OLEAUT32(?), ref: 004115AF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040D8AA, Relevance: 6.1, APIs: 4, Instructions: 101 Total matches: 2563

Similarity

Total matches: 2563
API ID: GetModuleFileName$LoadStringVirtualQuery
String ID:
API String ID: 2941097594-0
Opcode ID: 9f707685a8ca2ccbfc71ad53c7f9b5a8f910bda01de382648e3a286d4dcbad8b
Instruction ID: 9b6f9daabaaed01363acd1bc6df000eeaee8c5b1ee04e659690c8b100997f9f3
Opcode Fuzzy Hash: 4C014C024365E386F4234B112882F5492E0DB65DB1E8C6751EFB9503F65F40115EF72D
Instruction Fuzzy Hash: 9b6f9daabaaed01363acd1bc6df000eeaee8c5b1ee04e659690c8b100997f9f3

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040D8C9
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040D8ED
GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040D908
LoadStringA.USER32(00000000,0000FFED,?,00000100), ref: 0040D99E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428848, Relevance: 6.1, APIs: 4, Instructions: 83 Total matches: 2913window

Similarity

Total matches: 2913
API ID: CreateCompatibleDCRealizePaletteSelectObjectSelectPalette
String ID:
API String ID: 3833105616-0
Opcode ID: 7f49dee69bcd38fda082a6c54f39db5f53dba16227df2c2f18840f8cf7895046
Instruction ID: 29ada319a87402adac0eebea4d3b1ef9d21249ffa1523adf5174efdc3c3390a2
Opcode Fuzzy Hash: C0F0E5870BCED49BFCA7D484249722910C2F3C08DFC80A3324E55676DB9604B127A20B
Instruction Fuzzy Hash: 29ada319a87402adac0eebea4d3b1ef9d21249ffa1523adf5174efdc3c3390a2

APIs

Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE

Part of subcall function 00429D5C: GetDC.USER32(00000000), ref: 00429DB2
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429DC7
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00429DD1
Part of subcall function 00429D5C: CreateHalftonePalette.GDI32(00000000), ref: 00429DF5
Part of subcall function 00429D5C: ReleaseDC.USER32(00000000,00000000), ref: 00429E00

CreateCompatibleDC.GDI32(00000000), ref: 0042889D
SelectObject.GDI32(00000000,?), ref: 004288B6
SelectPalette.GDI32(00000000,?,000000FF), ref: 004288DF
RealizePalette.GDI32(00000000), ref: 004288EB

Part of subcall function 00425608: LeaveCriticalSection.KERNEL32(00000038,00000000,00423DD2,00423DE8), ref: 0042560F
Part of subcall function 00425608: EnterCriticalSection.KERNEL32(00499A30,00000038,00000000,00423DD2,00423DE8), ref: 00425619
Part of subcall function 00425608: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000038,00000000,00423DD2,00423DE8), ref: 00425626

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00470B94, Relevance: 6.1, APIs: 4, Instructions: 73 Total matches: 22file

Similarity

Total matches: 22
API ID: DragQueryFile$GlobalLockGlobalUnlock
String ID:
API String ID: 367920443-0
Opcode ID: 498cda1e803d17a6f5118466ea9165dd9226bd8025a920d397bde98fe09ca515
Instruction ID: b8ae27aaf29c7a970dfd4945759f76c89711bef1c6f8db22077be54f479f9734
Opcode Fuzzy Hash: F8F05C830F79E26BD5013A844E0179401A17B03DB8F147BB2D232729DC4E5D409DF60F
Instruction Fuzzy Hash: b8ae27aaf29c7a970dfd4945759f76c89711bef1c6f8db22077be54f479f9734

APIs

Part of subcall function 00431970: GetClipboardData.USER32(00000000), ref: 00431996

GlobalLock.KERNEL32(00000000,00000000,00470C74), ref: 00470BDE
DragQueryFileA.SHELL32(?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470BF0
DragQueryFileA.SHELL32(?,00000000,?,00000105,?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470C10
GlobalUnlock.KERNEL32(00000000,?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470C56

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00438710, Relevance: 6.1, APIs: 4, Instructions: 72 Total matches: 3034window

Similarity

Total matches: 3034
API ID: GetMenuItemIDGetMenuStateGetMenuStringGetSubMenu
String ID:
API String ID: 4177512249-0
Opcode ID: ecc45265f1f2dfcabc36b66648e37788e83d83d46efca9de613be41cbe9cf08e
Instruction ID: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d
Opcode Fuzzy Hash: BEE020084B1FC552541F0A4A1573F019140E142CB69C3F3635127565B31A255213F776
Instruction Fuzzy Hash: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d

APIs

GetMenuState.USER32(?,?,?), ref: 00438733
GetSubMenu.USER32(?,?), ref: 0043873E
GetMenuItemID.USER32(?,?), ref: 00438757
GetMenuStringA.USER32(?,?,?,?,?), ref: 004387AA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00445518, Relevance: 6.1, APIs: 4, Instructions: 71 Total matches: 218threadwindow

Similarity

Total matches: 218
API ID: GetCurrentProcessIdGetWindowGetWindowThreadProcessIdIsWindowVisible
String ID:
API String ID: 3659984437-0
Opcode ID: 6a2b99e3a66d445235cbeb6ae27631a3038d73fb4110980a8511166327fee1f0
Instruction ID: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8
Opcode Fuzzy Hash: 82E0AB21B2AA28AAE0971541B01939130B3F74ED9ACC0A3626F8594BD92F253809E74F
Instruction Fuzzy Hash: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8

APIs

GetWindow.USER32(?,00000004), ref: 00445528
GetWindowThreadProcessId.USER32(?,?), ref: 00445542
GetCurrentProcessId.KERNEL32(?,00000004), ref: 0044554E
IsWindowVisible.USER32(?), ref: 0044559E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B29C, Relevance: 6.1, APIs: 4, Instructions: 58 Total matches: 214window

Similarity

Total matches: 214
API ID: DeleteObject$GetIconInfoGetObject
String ID:
API String ID: 3019347292-0
Opcode ID: d6af2631bec08fa1cf173fc10c555d988242e386d2638a025981433367bbd086
Instruction ID: 7fbc048e39f9dd6e6db5f40543e5f161b145f4c2f282fe4a446dbd8e1941d375
Opcode Fuzzy Hash: F7D0C283228DE2F7ED767D983A636154085F782297C6423B00444730860A1E700C6A03
Instruction Fuzzy Hash: 7fbc048e39f9dd6e6db5f40543e5f161b145f4c2f282fe4a446dbd8e1941d375

APIs

GetIconInfo.USER32(?,?), ref: 0042B2BD
GetObjectA.GDI32(?,00000018,?), ref: 0042B2DE
DeleteObject.GDI32(?), ref: 0042B30A
DeleteObject.GDI32(?), ref: 0042B313

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00445334, Relevance: 6.1, APIs: 4, Instructions: 56 Total matches: 2678

Similarity

Total matches: 2678
API ID: EnumWindowsGetWindowGetWindowLongSetWindowPos
String ID:
API String ID: 1660305372-0
Opcode ID: c3d012854d63b95cd89c42a77d529bdce0f7c5ea0abc138a70ce1ca7fb0ed027
Instruction ID: 7947c1ee61b3a945b06f79495752ea495d4a1fb36974d9d540e15b721e8a8e8a
Opcode Fuzzy Hash: 65E07D89179DA114F52124400911F043342F3D731BD1ADF814246283E39B8522BBFB8C
Instruction Fuzzy Hash: 7947c1ee61b3a945b06f79495752ea495d4a1fb36974d9d540e15b721e8a8e8a

APIs

EnumWindows.USER32(Function_000452BC), ref: 0044535E
GetWindow.USER32(?,00000003), ref: 00445376
GetWindowLongA.USER32(00000000,000000EC), ref: 00445383
SetWindowPos.USER32(00000000,000000EC,00000000,00000000,00000000,00000000,00000213), ref: 004453C2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004314A0, Relevance: 6.1, APIs: 4, Instructions: 56 Total matches: 21memoryclipboard

Similarity

Total matches: 21
API ID: GlobalAllocGlobalLockGlobalUnlockSetClipboardData
String ID:
API String ID: 3535573752-0
Opcode ID: f0e50475fe096c382d27ee33e947bcf8d55d19edebb1ed8108c2663ee63934e9
Instruction ID: 2742e8ac83e55c90e50d408429e67af57535f67fab21309796ee5989aaacba5e
Opcode Fuzzy Hash: D7E0C250025CF01BF9CA69CD3C97E86D2D2DA402649D46FB58258A78B3222E6049E50B
Instruction Fuzzy Hash: 2742e8ac83e55c90e50d408429e67af57535f67fab21309796ee5989aaacba5e

APIs

GlobalAlloc.KERNEL32(00002002,?,00000000,00431572), ref: 004314CF
GlobalLock.KERNEL32(?,00000000,00431544,?,00002002,?,00000000,00431572), ref: 004314E9
SetClipboardData.USER32(?,?), ref: 00431517
GlobalUnlock.KERNEL32(?,0043153A,?,00000000,00431544,?,00002002,?,00000000,00431572), ref: 0043152D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040A404, Relevance: 6.1, APIs: 4, Instructions: 54 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: c8f11cb17e652d385e55d6399cfebc752614be738e382b5839b86fc73ea86396
Instruction ID: 2e292ce978d1af3d415e66e5b982e49a92b9d84a3d1479b7871fac408542b61b
Opcode Fuzzy Hash: 32D02B030B309613452F157D0441F8D7032488F01A96C2F8C37B77ABA68505605FFE4C
Instruction Fuzzy Hash: 2e292ce978d1af3d415e66e5b982e49a92b9d84a3d1479b7871fac408542b61b

APIs

FindNextFileA.KERNEL32(?,?), ref: 0040A415
GetLastError.KERNEL32(?,?), ref: 0040A41E
FileTimeToLocalFileTime.KERNEL32(?), ref: 0040A434
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 0040A443

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0041C2D4, Relevance: 6.1, APIs: 4, Instructions: 51 Total matches: 4966

Similarity

Total matches: 4966
API ID: FindResourceLoadResourceLockResourceSizeofResource
String ID:
API String ID: 3653323225-0
Opcode ID: 735dd83644160b8dcfdcb5d85422b4d269a070ba32dbf009b7750e227a354687
Instruction ID: 615d07274e164157e3e11310b2f920de543c2506028dc961f8b3aaf64374c2fd
Opcode Fuzzy Hash: 4BD0A90A2268C100582C2C80002BBC610830A5FE226CC27F902231BBC32C026024F8C4
Instruction Fuzzy Hash: 615d07274e164157e3e11310b2f920de543c2506028dc961f8b3aaf64374c2fd

APIs

FindResourceA.KERNEL32(?,?,?), ref: 0041C2EB
LoadResource.KERNEL32(?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C305
SizeofResource.KERNEL32(?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C31F
LockResource.KERNEL32(0041BDF4,00000000,?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000), ref: 0041C329

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040A3AC, Relevance: 6.0, APIs: 4, Instructions: 40 Total matches: 51time

Similarity

Total matches: 51
API ID: DosDateTimeToFileTimeGetLastErrorLocalFileTimeToFileTimeSetFileTime
String ID:
API String ID: 3095628216-0
Opcode ID: dc7fe683cb9960f76d0248ee31fd3249d04fe76d6d0b465a838fe0f3e66d3351
Instruction ID: c3399427300e97a0bf23ec08d7f996c3ab3c22a86554ee3675cd901d102723b3
Opcode Fuzzy Hash: F2C0803B165157D71F4F7D7C600375011F0D1778230955B614E019718D4E05F01EFD86
Instruction Fuzzy Hash: c3399427300e97a0bf23ec08d7f996c3ab3c22a86554ee3675cd901d102723b3

APIs

DosDateTimeToFileTime.KERNEL32(?,0048C37F,?), ref: 0040A3C9
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0040A3DA
SetFileTime.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3EC
GetLastError.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3F5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00484388, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 39

Similarity

Total matches: 39
API ID: CloseHandleGetExitCodeProcessOpenProcessTerminateProcess
String ID:
API String ID: 2790531620-0
Opcode ID: 2f64381cbc02908b23ac036d446d8aeed05bad4df5f4c3da9e72e60ace7043ae
Instruction ID: e830ae185e03603e72926048c7063e7464f7d8c572e36ef4319c937be7ad0c91
Opcode Fuzzy Hash: 5DC01285079EAB7B643571D825437E14084D5026CCB943B7185045F10B4B09B43DF053
Instruction Fuzzy Hash: e830ae185e03603e72926048c7063e7464f7d8c572e36ef4319c937be7ad0c91

APIs

OpenProcess.KERNEL32(00000001,00000000,00000000), ref: 00484393
GetExitCodeProcess.KERNEL32(00000000,?), ref: 004843B7
TerminateProcess.KERNEL32(00000000,?,00000000,004843E0,?,00000001,00000000,00000000), ref: 004843C4
CloseHandle.KERNEL32(00000000), ref: 004843DA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044E254, Relevance: 6.0, APIs: 4, Instructions: 37 Total matches: 5751thread

Similarity

Total matches: 5751
API ID: GetCurrentProcessIdGetPropGetWindowThreadProcessIdGlobalFindAtom
String ID:
API String ID: 142914623-0
Opcode ID: 055fee701d7a26f26194a738d8cffb303ddbdfec43439e02886190190dab2487
Instruction ID: e9689aead5eaf442059aa2d418bca5d111d08576717f72d926dd49825766799b
Opcode Fuzzy Hash: 0AC02203AD2E23870E4202F2E840907219583DF8720CA370201B0E38C023F0461DFF0C
Instruction Fuzzy Hash: e9689aead5eaf442059aa2d418bca5d111d08576717f72d926dd49825766799b

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 0044E261
GetCurrentProcessId.KERNEL32(00000000,?,?,-00000010,00000000,0044E2CC,-000000F7,?,00000000,0044DE86,?,-00000010,?), ref: 0044E26A
GlobalFindAtomA.KERNEL32(00000000), ref: 0044E27F
GetPropA.USER32(00000000,00000000), ref: 0044E296

Part of subcall function 0044D2C0: GetWindowThreadProcessId.USER32(?), ref: 0044D2C6
Part of subcall function 0044D2C0: GetCurrentProcessId.KERNEL32(?,?,?,?,0044D346,?,00000000,?,004387ED,?,004378A9), ref: 0044D2CF
Part of subcall function 0044D2C0: SendMessageA.USER32(?,0000C1C7,00000000,00000000), ref: 0044D2E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444B1C, Relevance: 6.0, APIs: 4, Instructions: 34 Total matches: 2966thread

Similarity

Total matches: 2966
API ID: CreateEventCreateThreadGetCurrentThreadIdSetWindowsHookEx
String ID:
API String ID: 2240124278-0
Opcode ID: 54442a1563c67a11f9aee4190ed64b51599c5b098d388fde65e2e60bb6332aef
Instruction ID: 25b62da08cecef26c395931cea73ffe9b62582a88be241cbb158b3c9ea13de32
Opcode Fuzzy Hash: 37D0C940B0DE75C4F860630138017A90633234BF1BCD1C316480F76041C6CFAEF07A28
Instruction Fuzzy Hash: 25b62da08cecef26c395931cea73ffe9b62582a88be241cbb158b3c9ea13de32

APIs

GetCurrentThreadId.KERNEL32(?,00447A69,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00444B34
SetWindowsHookExA.USER32(00000003,00444AD8,00000000,00000000), ref: 00444B44
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00447A69,?,?,?,?,?,?,?,?,?,?), ref: 00444B5F
CreateThread.KERNEL32(00000000,000003E8,00444A7C,00000000,00000000), ref: 00444B83

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B438, Relevance: 6.0, APIs: 4, Instructions: 29 Total matches: 789

Similarity

Total matches: 789
API ID: GetDCGetTextMetricsReleaseDCSelectObject
String ID:
API String ID: 1769665799-0
Opcode ID: db772d9cc67723a7a89e04e615052b16571c955da3e3b2639a45f22e65d23681
Instruction ID: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3
Opcode Fuzzy Hash: DCC02B935A2888C32DE51FC0940084317C8C0E3A248C62212E13D400727F0C007CBFC0
Instruction Fuzzy Hash: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3

APIs

GetDC.USER32(00000000), ref: 0042B441
SelectObject.GDI32(00000000,018A002E), ref: 0042B453
GetTextMetricsA.GDI32(00000000), ref: 0042B45E
ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042473C, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 172 Total matches: 108

Similarity

Total matches: 108
API ID: CompareStringCreateFontIndirect
String ID: Default
API String ID: 480662435-753088835
Opcode ID: 55710f22f10b58c86f866be5b7f1af69a0ec313069c5af8c9f5cd005ee0f43f8
Instruction ID: ad4a051fb67a15694052d05548e5e2a92b9daedfa5d673be67c756d1cf269a99
Opcode Fuzzy Hash: F6116A2104DDB067F8B3EC94B64A74A79D1BBC5E9EC00FB303AA57198A0B01500EEB0E
Instruction Fuzzy Hash: ad4a051fb67a15694052d05548e5e2a92b9daedfa5d673be67c756d1cf269a99

APIs

Part of subcall function 00423A1C: EnterCriticalSection.KERNEL32(?,00423A59), ref: 00423A20

CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,00424930,?,00000000,00424958), ref: 0042486B
CreateFontIndirectA.GDI32(?), ref: 0042490D

Part of subcall function 0042B438: GetDC.USER32(00000000), ref: 0042B441
Part of subcall function 0042B438: SelectObject.GDI32(00000000,018A002E), ref: 0042B453
Part of subcall function 0042B438: GetTextMetricsA.GDI32(00000000), ref: 0042B45E
Part of subcall function 0042B438: ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Part of subcall function 00423A28: LeaveCriticalSection.KERNEL32(-00000008,00423B07,00423B0F), ref: 00423A2C

Strings

Default, xrefs: 00424832, 00424840, 00424841

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045E7B4, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108 Total matches: 16

Similarity

Total matches: 16
API ID: GetActiveObject
String ID: E
API String ID: 888827201-3568589458
Opcode ID: 40ff121eecf195b3d4325bc1369df9dba976ca9c7c575cd6fc43b4b0f55e6955
Instruction ID: ab5b10c220aec983b32735e40d91a884d9f08e665b5304ccd80c3bfe0421d5f3
Opcode Fuzzy Hash: 13019E441FFC9152E583688426C3F4932B26B4FB4AD88B7271A77636A99905000FEE66
Instruction Fuzzy Hash: ab5b10c220aec983b32735e40d91a884d9f08e665b5304ccd80c3bfe0421d5f3

APIs

GetActiveObject.OLEAUT32(?,00000000,00000000), ref: 0045E817

Part of subcall function 0042BE18: ProgIDFromCLSID.OLE32(?), ref: 0042BE21
Part of subcall function 0042BE18: CoTaskMemFree.OLE32(00000000), ref: 0042BE39

Part of subcall function 0042BD90: StringFromCLSID.OLE32(?), ref: 0042BD99
Part of subcall function 0042BD90: CoTaskMemFree.OLE32(00000000), ref: 0042BDB1

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetActiveObject.OLEAUT32(?,00000000,00000000), ref: 0045E89E

Part of subcall function 0042BF5C: GetComputerNameA.KERNEL32(?,00000010), ref: 0042C00D
Part of subcall function 0042BF5C: CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,?,00000000,0042C0FD), ref: 0042C07D
Part of subcall function 0042BF5C: CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 0042C0B6

Part of subcall function 00405D28: SysFreeString.OLEAUT32(7942540A), ref: 00405D36

Part of subcall function 0042BE44: CoCreateInstance.OLE32(?,00000000,00000005,0042BF34,00000000), ref: 0042BE8B

Strings

E, xrefs: 0045E85F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E3F0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103 Total matches: 30

Similarity

Total matches: 30
API ID: SHGetPathFromIDListSHGetSpecialFolderLocation
String ID: .LNK
API String ID: 739551631-2547878182
Opcode ID: 6b91e9416f314731ca35917c4d41f2341f1eaddd7b94683245f35c4551080332
Instruction ID: e6ae6f63a256f5e8788dfe1c4fce17057cd352befa637d7beb5ae1c0f18a968e
Opcode Fuzzy Hash: 9701B543079EC2A3D9232E512D43BA60129AF11E22F4C77F35A3C3A7D11E500105FA4A
Instruction Fuzzy Hash: e6ae6f63a256f5e8788dfe1c4fce17057cd352befa637d7beb5ae1c0f18a968e

APIs

SHGetSpecialFolderLocation.SHELL32(00000000,00000010,?), ref: 0046E44B
SHGetPathFromIDListA.SHELL32(?,?,00000000,00000010,?,00000000,0046E55E), ref: 0046E463

Part of subcall function 0042BE44: CoCreateInstance.OLE32(?,00000000,00000005,0042BF34,00000000), ref: 0042BE8B

Strings

.LNK, xrefs: 0046E4DE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00472C70, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 98 Total matches: 26

Similarity

Total matches: 26
API ID: SetFileAttributes
String ID: I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!$drivers\etc\hosts
API String ID: 3201317690-57959411
Opcode ID: de1fcf5289fd0d37c0d7642ff538b0d3acf26fbf7f5b53187118226b7e9f9585
Instruction ID: 1f69c6cfd5524e6f1e55c33e322de11738733e7ba85079705839c212502733fc
Opcode Fuzzy Hash: C4012B430F74D723D5173D857800B8922764B4A179D4A77F34B3B796E14E45101BF26D
Instruction Fuzzy Hash: 1f69c6cfd5524e6f1e55c33e322de11738733e7ba85079705839c212502733fc

APIs

Part of subcall function 004719C8: GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 004719DF

SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00472DAB,?,00000000,00472DE7), ref: 00472D16

Strings

drivers\etc\hosts, xrefs: 00472CD3, 00472D00
I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!, xrefs: 00472D8D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004629C0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 91 Total matches: 35com

Similarity

Total matches: 35
API ID: CoCreateInstance
String ID: <*I$L*I
API String ID: 206711758-935359969
Opcode ID: 926ebed84de1c4f5a0cff4f8c2e2da7e6b2741b3f47b898da21fef629141a3d9
Instruction ID: fa8d7291222113e0245fa84df17397d490cbd8a09a55d837a8cb9fde22732a4b
Opcode Fuzzy Hash: 79F02EA00A6B5057F502728428413DB0157E74BF09F48EB715253335860F29E22A6903
Instruction Fuzzy Hash: fa8d7291222113e0245fa84df17397d490cbd8a09a55d837a8cb9fde22732a4b

APIs

CoCreateInstance.OLE32(00492A3C,00000000,00000001,0049299C,00000000), ref: 00462A3F

Strings

<*I, xrefs: 00462A39
L*I, xrefs: 00462A60

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004658F4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91 Total matches: 91memory

Similarity

Total matches: 91
API ID: VirtualFreeVirtualProtect
String ID: FinalizeSections: VirtualProtect failed
API String ID: 636303360-3584865983
Opcode ID: eacfc3cf263d000af2bbea4d1e95e0ccf08e91c00f24ffdf9b55ce997f25413f
Instruction ID: a25c5a888a9fda5817e5b780509016ca40cf7ffd1ade20052d4c48f0177e32df
Opcode Fuzzy Hash: 8CF0A7A2164FC596D9E4360D5003B96A44B6BC1369D4857412FFF106F35E46A06B7D4C
Instruction Fuzzy Hash: a25c5a888a9fda5817e5b780509016ca40cf7ffd1ade20052d4c48f0177e32df

APIs

VirtualFree.KERNEL32(?,?,00004000), ref: 00465939
VirtualProtect.KERNEL32(?,?,00000000,?), ref: 004659A5

Strings

FinalizeSections: VirtualProtect failed, xrefs: 004659B3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00404B2E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83 Total matches: 27

Similarity

Total matches: 27
API ID: UnhandledExceptionFilter
String ID: @
API String ID: 324268079-2726393805
Opcode ID: 404135c81fb2f5f5ca58f8e75217e0a603ea6e07d48b6f32e279dfa7f56b0152
Instruction ID: c84c814e983b35b1fb5dae0ae7b91a26e19a660e9c4fa24becd8f1ddc27af483
Opcode Fuzzy Hash: CDF0246287E8612AD0BB6641389337E1451EF8189DC88DB307C9A306FB1A4D22A4F34C
Instruction Fuzzy Hash: c84c814e983b35b1fb5dae0ae7b91a26e19a660e9c4fa24becd8f1ddc27af483

APIs

UnhandledExceptionFilter.KERNEL32(00000006), ref: 00404B9A
UnhandledExceptionFilter.KERNEL32(?), ref: 00404BD7

Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00000000,00403029), ref: 004076AD
Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00403029), ref: 004076BE

Strings

@, xrefs: 00404B55

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040C028, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79 Total matches: 3032thread

Similarity

Total matches: 3032
API ID: GetDateFormatGetThreadLocale
String ID: yyyy
API String ID: 358233383-3145165042
Opcode ID: a9ef5bbd8ef47e5bcae7fadb254d6b5dc10943448e4061dc92b10bb97dc7929c
Instruction ID: 3d7ab4add3e8180159f8482215856afc9a1a963464e366b4ca05c92ac214afea
Opcode Fuzzy Hash: 09F09E4A0397D3D76802C969D023BC10194EB5A8B2C88B3B1DBB43D7F74C10C40AAF21
Instruction Fuzzy Hash: 3d7ab4add3e8180159f8482215856afc9a1a963464e366b4ca05c92ac214afea

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,0040C116), ref: 0040C0AE
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100), ref: 0040C0B4

Strings

yyyy, xrefs: 0040C089

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004889F0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 72 Total matches: 20

Similarity

Total matches: 20
API ID: GetMonitorInfo
String ID: H$MONSIZE
API String ID: 2399315694-578782711
Opcode ID: fcbd22419a9fe211802b34775feeb9b9cd5c1eab3f2b681a58b96c928ed20dcd
Instruction ID: 58dff39716ab95f400833e95f8353658d64ab2bf0589c4ada55bb24297febcec
Opcode Fuzzy Hash: A0F0E957075E9D5BE7326D883C177C042D82342C5AE8EB75741B9329B20D59511DF3C9
Instruction Fuzzy Hash: 58dff39716ab95f400833e95f8353658d64ab2bf0589c4ada55bb24297febcec

APIs

GetMonitorInfoA.USER32(?,00000048), ref: 00488A28

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

H, xrefs: 00488A19
MONSIZE, xrefs: 00488A65

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486210, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66 Total matches: 14network

Similarity

Total matches: 14
API ID: recvsend
String ID: EndReceive
API String ID: 740075404-1723565878
Opcode ID: 0642aeb2bf09005660d41f125a1d03baad4e76b78f36ec5b7dd5d239cf09d5cc
Instruction ID: 216cfea4cb83c20b808547ecb65d31b60c96cf6878345f9c489041ca4988cdb5
Opcode Fuzzy Hash: 4FE02B06133A455DE6270580341A3C7F947772B705E47D7F14FA4311DACA43322AE70B
Instruction Fuzzy Hash: 216cfea4cb83c20b808547ecb65d31b60c96cf6878345f9c489041ca4988cdb5

APIs

Part of subcall function 00466470: acmStreamConvert.MSACM32(?,00000108,00000000), ref: 004664AB
Part of subcall function 00466470: acmStreamReset.MSACM32(?,00000000,?,00000108,00000000), ref: 004664B9

send.WSOCK32(00000000,0049A3A0,00000000,00000000), ref: 004862AA
recv.WSOCK32(00000000,0049A3A0,00001FFF,00000000,00000000,0049A3A0,00000000,00000000), ref: 004862C1

Part of subcall function 00475F68: send.WSOCK32(?,00000000,?,00000000,00000000,00475FCA), ref: 00475FAF

Strings

EndReceive, xrefs: 004862CA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004843EC, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52 Total matches: 15

Similarity

Total matches: 15
API ID: CloseHandleOpenProcess
String ID: ACCESS DENIED (x64)
API String ID: 39102293-185273294
Opcode ID: a572bc7c6731d9d91b92c5675ac9d9d4c0009ce4d4d6c6579680fd2629dc7de7
Instruction ID: 96dec37c68e2c881eb92ad81010518019459718a977f0d9739e81baf42475d3b
Opcode Fuzzy Hash: EBE072420B68F08FB4738298640028100C6AE862BCC486BB5523B391DB4E49A008B6A3
Instruction Fuzzy Hash: 96dec37c68e2c881eb92ad81010518019459718a977f0d9739e81baf42475d3b

APIs

OpenProcess.KERNEL32(001F0FFF,00000000), ref: 0048440F
CloseHandle.KERNEL32(00000000), ref: 00484475

Strings

ACCESS DENIED (x64), xrefs: 004843FD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E408, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44 Total matches: 2190

Similarity

Total matches: 2190
API ID: GetSystemMetrics
String ID: MonitorFromPoint
API String ID: 96882338-1072306578
Opcode ID: 666203dad349f535e62b1e5569e849ebaf95d902ba2aa8f549115cec9aadc9dc
Instruction ID: 9e90a3aeaa9df0e76633c437836624889fea8714b6c2508f44f8acb6986c90e8
Opcode Fuzzy Hash: 72D09540005C404E9427F505302314050862CD7C1444C0A96073728A4B4BC07837E70C
Instruction Fuzzy Hash: 9e90a3aeaa9df0e76633c437836624889fea8714b6c2508f44f8acb6986c90e8

APIs

GetSystemMetrics.USER32(00000000), ref: 0042E456
GetSystemMetrics.USER32(00000001), ref: 0042E468

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

MonitorFromPoint, xrefs: 0042E41A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00405026, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43 Total matches: 29

Similarity

Total matches: 29
API ID: UnhandledExceptionFilter
String ID: @$@
API String ID: 324268079-1993891284
Opcode ID: 08651bee2e51f7c203f2bcbc4971cbf38b3c12a2f284cd033f2f36121a1f9316
Instruction ID: 09869fe21a55f28103c5e2f74b220912f521d4c5ca74f0421fb5e508a020f7c0
Opcode Fuzzy Hash: 83E0CD9917D5514BE0755684259671E1051EF05825C4A8F316D173C1FB151A11E4F77C
Instruction Fuzzy Hash: 09869fe21a55f28103c5e2f74b220912f521d4c5ca74f0421fb5e508a020f7c0

APIs

UnhandledExceptionFilter.KERNEL32(00000006), ref: 00405047

Strings

@, xrefs: 00405080
@, xrefs: 004050A2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004319C4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43 Total matches: 10clipboard

Similarity

Total matches: 10
API ID: EnumClipboardFormats
String ID: 84B
API String ID: 3596886676-4139892337
Opcode ID: b1462d8625ddb51b2d31736c791a41412de0acc99cd040f5562c49b894f36a34
Instruction ID: 9fe3e5fa4cb89e8a0f94f97538fc14217740b2e6ec0d3bb9a3290716fcbe2ff9
Opcode Fuzzy Hash: 96D0A79223ECD863E9EC2359145BD47254F08D22554440B315E1B6DA13E520181FF58F
Instruction Fuzzy Hash: 9fe3e5fa4cb89e8a0f94f97538fc14217740b2e6ec0d3bb9a3290716fcbe2ff9

APIs

EnumClipboardFormats.USER32(00000000), ref: 004319E8
EnumClipboardFormats.USER32(00000000), ref: 00431A0E

Strings

84B, xrefs: 004319F6

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00422188, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42 Total matches: 16registry

Similarity

Total matches: 16
API ID: RegSetValueEx
String ID: NoControlPanel$tdA
API String ID: 3711155140-1355984343
Opcode ID: 5e8bf8497a5466fff8bc5eb4e146d5dc6a0602752481f5dd4d5504146fb4de3d
Instruction ID: cdf02c1bfc0658aace9b7e9a135c824c3cff313d703079df6a374eed0d2e646e
Opcode Fuzzy Hash: E2D0A75C074881C524D914CC3111E01228593157AA49C3F52875D627F70E00E038DD1E
Instruction Fuzzy Hash: cdf02c1bfc0658aace9b7e9a135c824c3cff313d703079df6a374eed0d2e646e

APIs

RegSetValueExA.ADVAPI32(?,00000000,00000000,00000000,?,?,004724E0,00000000,004724E0), ref: 004221BA

Strings

NoControlPanel, xrefs: 00422188
tdA, xrefs: 004221D0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E258, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39 Total matches: 3131

Similarity

Total matches: 3131
API ID: GetSystemMetrics
String ID: GetSystemMetrics
API String ID: 96882338-96882338
Opcode ID: bbc54e4b5041dfa08de2230ef90e8f32e1264c6e24ec09b97715d86cc98d23e9
Instruction ID: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c
Opcode Fuzzy Hash: B4D0A941986AA908E0AF511971A336358D163D2EA0C8C8362308B329EB5741B520AB01
Instruction Fuzzy Hash: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c

APIs

GetSystemMetrics.USER32(?), ref: 0042E2BA

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

GetSystemMetrics.USER32(?), ref: 0042E280

Strings

GetSystemMetrics, xrefs: 0042E268

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Process Name: darkcomet-irixo.exe.exe Analysis ID: 58114

General

Root Process Name:	regdrv.exe
Process MD5:	4716314D197F0B5485AEA5142842E06C
Total matches:	232
Initial Analysis Report:	Open
Initial sample Analysis ID:	58114
Initial sample SHA 256:	4FB60E4BD29B1747F5D232E01136F5699AB5C789C654B0808A8E44D3CBF432D9
Initial sample name:	darkcomet-irixo.exe.exe

Similar Executed Functions

Function 004818F8, Relevance: 49.2, APIs: 10, Strings: 18, Instructions: 236 Total matches: 18keyboard

Similarity

Total matches: 18
API ID: GetKeyState$CallNextHookEx$GetKeyboardStateMapVirtualKeyToAscii
String ID: [<-]$[DEL]$[DOWN]$[ESC]$[F1]$[F2]$[F3]$[F4]$[F5]$[F6]$[F7]$[F8]$[INS]$[LEFT]$[NUM_LOCK]$[RIGHT]$[SNAPSHOT]$[UP]
API String ID: 2409940449-52828794
Opcode ID: b9566e8c43a4051c07ac84d60916a303a7beb698efc358184a9cd4bc7b664fbd
Instruction ID: 41c13876561f3d94aafb9dcaf6d0e9d475a0720bb5103e60537e1bfe84b96b73
Opcode Fuzzy Hash: 0731B68AA7159623D437E2D97101B910227BF975D0CC1A3333EDA3CAE99E900114BF25
Instruction Fuzzy Hash: 41c13876561f3d94aafb9dcaf6d0e9d475a0720bb5103e60537e1bfe84b96b73

APIs

CallNextHookEx.USER32(000601F9,00000000,?,?), ref: 00481948

Part of subcall function 004818E0: MapVirtualKeyA.USER32(00000000,00000000), ref: 004818E6

CallNextHookEx.USER32(000601F9,00000000,00000100,?), ref: 0048198C
GetKeyState.USER32(00000014), ref: 00481C4E
GetKeyState.USER32(00000011), ref: 00481C60
GetKeyState.USER32(000000A0), ref: 00481C75
GetKeyState.USER32(000000A1), ref: 00481C8A
GetKeyboardState.USER32(?), ref: 00481CA5
MapVirtualKeyA.USER32(00000000,00000000), ref: 00481CD7
ToAscii.USER32(00000000,00000000,00000000,00000000,?), ref: 00481CDE

Part of subcall function 00481318: ExitThread.KERNEL32(00000000,00000000,00481687,?,00000000,004816C3,?,?,?,?,0000000C,00000000,00000000), ref: 0048135E
Part of subcall function 00481318: CreateThread.KERNEL32(00000000,00000000,Function_000810D4,00000000,00000000,00499F94), ref: 0048162D

CallNextHookEx.USER32(000601F9,00000000,?,?), ref: 00481D3C

Strings

[LEFT], xrefs: 00481C07
[F3], xrefs: 00481B65
[DOWN], xrefs: 00481C2B
[<-], xrefs: 00481B1D
[NUM_LOCK], xrefs: 00481B2F
[RIGHT], xrefs: 00481C19
[F7], xrefs: 00481BAD
[DEL], xrefs: 00481BD1
[UP], xrefs: 00481C3D
[F4], xrefs: 00481B77
[ESC], xrefs: 00481AE7
[F8], xrefs: 00481BBF
[F5], xrefs: 00481B89
[F1], xrefs: 00481B41
[INS], xrefs: 00481BE3
[F6], xrefs: 00481B9B
[SNAPSHOT], xrefs: 00481BF5
[F2], xrefs: 00481B53

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00406C2C, Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184 Total matches: 2899registrystringlibrary

Similarity

Total matches: 2899
API ID: lstrcpyn$LoadLibraryExRegOpenKeyEx$RegQueryValueEx$GetLocaleInfoGetModuleFileNameGetThreadLocaleRegCloseKeylstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 3567661987-2375825460
Opcode ID: a3b1251d448c01bd6f1cc1c42774547fa8a2e6c4aa6bafad0bbf1d0ca6416942
Instruction ID: a303aaa8438224c55303324eb01105260f59544aa3820bfcbc018d52edb30607
Opcode Fuzzy Hash: 7311914307969393E8871B6124157D513A5AF01F30E4A7BF275F0206EABE46110CFA06
Instruction Fuzzy Hash: a303aaa8438224c55303324eb01105260f59544aa3820bfcbc018d52edb30607

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,00400000,004917C0), ref: 00406C48
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,004917C0), ref: 00406C66
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,004917C0), ref: 00406C84
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00406CA2

Part of subcall function 00406A68: GetModuleHandleA.KERNEL32(kernel32.dll,?,00400000,004917C0), ref: 00406A85
Part of subcall function 00406A68: GetProcAddress.KERNEL32(?,GetLongPathNameA,kernel32.dll,?,00400000,004917C0), ref: 00406A9C
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,?,00400000,004917C0), ref: 00406ACC
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B30
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B66
Part of subcall function 00406A68: FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B79
Part of subcall function 00406A68: FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B8B
Part of subcall function 00406A68: lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B97
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000), ref: 00406BCB
Part of subcall function 00406A68: lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00406BD7
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 00406BF9

RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,00406D31,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00406CEB
RegQueryValueExA.ADVAPI32(?,00406E98,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00406D31,?,80000001), ref: 00406D09
RegCloseKey.ADVAPI32(?,00406D38,00000000,?,?,00000000,00406D31,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00406D2B
lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00406D48
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00406D55
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00406D5B
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00406D86
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406DCD
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406DDD
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406E05
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406E15
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00406E3B
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 00406E4B

Strings

Software\Borland\Locales, xrefs: 00406C5C, 00406C7A
Software\Borland\Delphi\Locales, xrefs: 00406C98

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004865E0, Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 218 Total matches: 6networkwindowsleep

Similarity

Total matches: 6
API ID: DispatchMessagePeekMessageSleepTranslateMessageclosesocketconnectgethostbynameinet_addrntohsrecvshutdownsocket
String ID: AI$`cH
API String ID: 3460500621-1903509725
Opcode ID: 160ec415bf9cde1d180925ab74ab35c458bf35a5a8942b744c9c50ea7885072b
Instruction ID: bff04fe52ff06702a52ed8e0aeaacb9a4f873de297662bc347fa8b812471f346
Opcode Fuzzy Hash: A1318B84078ED51EE4327F307841F4B1295BFD6634E4597D68772396D22F01541EF91E
Instruction Fuzzy Hash: bff04fe52ff06702a52ed8e0aeaacb9a4f873de297662bc347fa8b812471f346

APIs

Sleep.KERNEL32(000000C8), ref: 00486682
TranslateMessage.USER32(?), ref: 00486690
DispatchMessageA.USER32(?), ref: 0048669C
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004866B0
socket.WSOCK32(00000002,00000001,00000000,?,00000000,00000000,00000000,00000001,000000C8), ref: 004866CE
ntohs.WSOCK32(00000774,00000002,00000001,00000000,?,00000000,00000000,00000000,00000001,000000C8), ref: 004866F8
inet_addr.WSOCK32(015EAA88,00000774,00000002,00000001,00000000,?,00000000,00000000,00000000,00000001,000000C8), ref: 00486709
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774,00000002,00000001,00000000,?,00000000,00000000,00000000,00000001,000000C8), ref: 0048671F
connect.WSOCK32(00000248,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000,?,00000000,00000000,00000000,00000001,000000C8), ref: 00486744

Part of subcall function 0041FA34: GetLastError.KERNEL32(00486514,00000004,0048650C,00000000,0041FADE,?,00499F5C), ref: 0041FA94

Part of subcall function 0041FC40: SetThreadPriority.KERNEL32(?,015CDB28,00499F5C,?,0047EC9E,?,?,?,00000000,00000000,?,0049062B), ref: 0041FC55

Part of subcall function 0041FEF0: ResumeThread.KERNEL32(?,00499F5C,?,0047ECAA,?,?,?,00000000,00000000,?,0049062B), ref: 0041FEF8

recv.WSOCK32(00000248,?,00002000,00000000,00000248,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000,?,00000000,00000000,00000000), ref: 004867CD
shutdown.WSOCK32(00000248,00000001,00000248,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000,?,00000000,00000000,00000000,00000001,000000C8), ref: 00486881
closesocket.WSOCK32(00000248,00000248,00000001,00000248,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000,?,00000000,00000000,00000000,00000001), ref: 0048688E

Part of subcall function 00405D40: SysFreeString.OLEAUT32(?), ref: 00405D53

Part of subcall function 00486528: shutdown.WSOCK32(00000248,00000002,00000001,004867E2,00000248,?,00002000,00000000,00000248,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000), ref: 004865BC
Part of subcall function 00486528: closesocket.WSOCK32(00000248,00000248,00000002,00000001,004867E2,00000248,?,00002000,00000000,00000248,00000002,00000010,015EAA88,00000774,00000002,00000001), ref: 004865C9

Strings

AI, xrefs: 0048681D
`cH, xrefs: 00486760

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00406D38, Relevance: 15.1, APIs: 10, Instructions: 98 Total matches: 2843stringlibrarythread

Similarity

Total matches: 2843
API ID: lstrcpyn$LoadLibraryEx$GetLocaleInfoGetThreadLocalelstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 2476548892-2375825460
Opcode ID: 37afa4b59127376f4a6833a35b99071d0dffa887068a3353cca0b5e1e5cd2bc3
Instruction ID: 0c520f96d45b86b238466289d2a994e593252e78d5c30d2048b7af96496f657b
Opcode Fuzzy Hash: 4CF0C883479793A7E04B1B422916AC853A4AF00F30F577BE1B970147FE7D1B240CA519
Instruction Fuzzy Hash: 0c520f96d45b86b238466289d2a994e593252e78d5c30d2048b7af96496f657b

APIs

lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00406D48
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00406D55
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00406D5B
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00406D86
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406DCD
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406DDD
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406E05
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406E15
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00406E3B
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 00406E4B

Strings

Software\Borland\Locales, xrefs: 00406C5C, 00406C7A
Software\Borland\Delphi\Locales, xrefs: 00406C98

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AEA8, Relevance: 9.1, APIs: 6, Instructions: 108 Total matches: 122

Similarity

Total matches: 122
API ID: AdjustTokenPrivilegesCloseHandleGetCurrentProcessGetLastErrorLookupPrivilegeValueOpenProcessToken
String ID:
API String ID: 1655903152-0
Opcode ID: c92d68a2c1c5faafb4a28c396f292a277a37f0b40326d7f586547878ef495775
Instruction ID: 5a044237aac15a3989e4021d08b96f5326c338692d3d0e66e444868dbe789150
Opcode Fuzzy Hash: 2CF0468513CAB2E7F879B18C3042FE73458B323244C8437219A903A18E0E59A12CEB13
Instruction Fuzzy Hash: 5a044237aac15a3989e4021d08b96f5326c338692d3d0e66e444868dbe789150

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AEFF
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF05
LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000), ref: 0048AF77
CloseHandle.KERNEL32(?), ref: 0048AF8D
GetLastError.KERNEL32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF9A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DDE0, Relevance: 7.6, APIs: 5, Instructions: 54 Total matches: 153

Similarity

Total matches: 153
API ID: FindResourceFreeResourceLoadResourceLockResourceSizeofResource
String ID:
API String ID: 3885362348-0
Opcode ID: ef8b8e58cde3d28224df1e0c57da641ab2d3d01fa82feb3a30011b4f31433ee9
Instruction ID: 9990bafbf40e834a260b48e1f62370990a3e04654371271e90c167a58edff6a8
Opcode Fuzzy Hash: 08D02B420B5FA197F51656482C813D722876B43386EC42BF2D31A3B2E39F058039F60B
Instruction Fuzzy Hash: 9990bafbf40e834a260b48e1f62370990a3e04654371271e90c167a58edff6a8

APIs

FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 0048DE1A
LoadResource.KERNEL32(00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE24
SizeofResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE2E
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE36
FreeResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00481ED8, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 86 Total matches: 13

Similarity

Total matches: 13
API ID: GetModuleHandleSetWindowsHookEx
String ID: 3 H$dclogs\
API String ID: 987070476-1752027334
Opcode ID: 4b23d8581528a2a1bc1133d8afea0c2915dbad2a911779c2aade704c29555fce
Instruction ID: b2120ba2d2fe5220d185ceeadd256cdd376e4b814eb240eb03e080d2c545ca01
Opcode Fuzzy Hash: 00F0D1DB07A9C683E1A2A4847C42796007D5F07115E8C8BB3473F7A4F64F164026F70A
Instruction Fuzzy Hash: b2120ba2d2fe5220d185ceeadd256cdd376e4b814eb240eb03e080d2c545ca01

APIs

GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00482007,?,?,00000003,00000000,00000000,?,00482033), ref: 00481EFB
SetWindowsHookExA.USER32(0000000D,004818F8,00000000,00000000), ref: 00481F09

Part of subcall function 0048ADCC: SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0048ADF9
Part of subcall function 0048ADCC: SHGetPathFromIDListA.SHELL32(?,?,00000000,0048AE8C,?,?,00000005,?,004856FD,00000000,00485755,?,?,00000005,00000000,00000000), ref: 0048AE09

Part of subcall function 0040A290: GetFileAttributesA.KERNEL32(00000000,?,0048FD09,?,?,00490710,?), ref: 0040A29B

Part of subcall function 00480F70: GetForegroundWindow.USER32 ref: 00480F8F
Part of subcall function 00480F70: GetWindowTextLengthA.USER32(00000000), ref: 00480F9B
Part of subcall function 00480F70: GetWindowTextA.USER32(00000000,00000000,00000001), ref: 00480FB8

Strings

dclogs\, xrefs: 00481F26, 00481F4C, 00481F6E
3 H, xrefs: 00481F16, 00481F23, 00481F30

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047EAEC, Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 149 Total matches: 19windowthread

Similarity

Total matches: 19
API ID: CreateThreadDispatchMessageGetMessageTranslateMessage
String ID: at $,xI$AI$AI$MPI$OFFLINEK$PWD$Unknow
API String ID: 994098336-2744674293
Opcode ID: 9eba81f8e67a9dabaeb5076a6d0005a8d272465a03f2cd78ec5fdf0e8a578f9a
Instruction ID: 2241c7d72abfc068c3e0d2a9a226d44f5f768712d3663902469fbf0e50918cf5
Opcode Fuzzy Hash: E81159DA27FED40AF533B93074417C781661B2B62CE5C53A24E3B38580DE83406A7F06
Instruction Fuzzy Hash: 2241c7d72abfc068c3e0d2a9a226d44f5f768712d3663902469fbf0e50918cf5

APIs

CreateThread.KERNEL32(00000000,00000000,00482028,00000000,00000000,00499F94), ref: 0047EB8D
GetMessageA.USER32(00499F5C,00000000,00000000,00000000), ref: 0047ECBF

Part of subcall function 0040BC98: GetLocalTime.KERNEL32(?), ref: 0040BCA0

Part of subcall function 0040BCC4: GetLocalTime.KERNEL32(?), ref: 0040BCCC

Part of subcall function 0041FA34: GetLastError.KERNEL32(00486514,00000004,0048650C,00000000,0041FADE,?,00499F5C), ref: 0041FA94

Part of subcall function 0041FC40: SetThreadPriority.KERNEL32(?,015CDB28,00499F5C,?,0047EC9E,?,?,?,00000000,00000000,?,0049062B), ref: 0041FC55

Part of subcall function 0041FEF0: ResumeThread.KERNEL32(?,00499F5C,?,0047ECAA,?,?,?,00000000,00000000,?,0049062B), ref: 0041FEF8

TranslateMessage.USER32(00499F5C), ref: 0047ECAD
DispatchMessageA.USER32(00499F5C), ref: 0047ECB3

Strings

OFFLINEK, xrefs: 0047EB61
,xI, xrefs: 0047EC45
AI, xrefs: 0047EB11, 0047EB3E
at , xrefs: 0047EC58
Unknow, xrefs: 0047EC0B
AI, xrefs: 0047EBFA, 0047EC04, 0047EC60
MPI, xrefs: 0047EB9D
PWD, xrefs: 0047EB26

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004458CC, Relevance: 19.9, APIs: 13, Instructions: 386 Total matches: 159window

Similarity

Total matches: 159
API ID: SetFocus$GetFocusIsWindowEnabledPostMessage$GetLastActivePopupIsWindowVisibleSendMessage
String ID:
API String ID: 914620548-0
Opcode ID: 7a550bb8e8bdfffe0a3d884064dd1348bcd58c670023c5df15e5d4cbc78359b7
Instruction ID: ae7cdb1027d949e36366800a998b34cbf022b374fa511ef6be9943eb0d4292bd
Opcode Fuzzy Hash: 79518B4165DF6212E8BB908076A3BE6604BF7C6B9ECC8DF3411D53649B3F44620EE306
Instruction Fuzzy Hash: ae7cdb1027d949e36366800a998b34cbf022b374fa511ef6be9943eb0d4292bd

APIs

Part of subcall function 00445780: SetThreadLocale.KERNEL32(00000400,?,?,?,0044593F,00000000,00445F57), ref: 004457A3

Part of subcall function 00445F90: SetActiveWindow.USER32(?), ref: 00445FB5
Part of subcall function 00445F90: IsWindowEnabled.USER32(00000000), ref: 00445FE1
Part of subcall function 00445F90: SetWindowPos.USER32(?,00000000,00000000,00000000,?,00000000,00000040), ref: 0044602B
Part of subcall function 00445F90: DefWindowProcA.USER32(?,00000112,0000F020,00000000), ref: 00446040

Part of subcall function 00446070: SetActiveWindow.USER32(?), ref: 0044608F
Part of subcall function 00446070: ShowWindow.USER32(00000000,00000009), ref: 004460B4
Part of subcall function 00446070: IsWindowEnabled.USER32(00000000), ref: 004460D3
Part of subcall function 00446070: DefWindowProcA.USER32(?,00000112,0000F120,00000000), ref: 004460EC
Part of subcall function 00446070: SetWindowPos.USER32(?,00000000,00000000,?,?,00445ABE,00000000), ref: 00446132
Part of subcall function 00446070: SetFocus.USER32(00000000), ref: 00446180

Part of subcall function 00445F74: LoadIconA.USER32(00000000,00007F00), ref: 00445F8A

PostMessageA.USER32(?,0000B001,00000000,00000000), ref: 00445BCD

Part of subcall function 00445490: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000213), ref: 004454DE

PostMessageA.USER32(?,0000B000,00000000,00000000), ref: 00445BAB
SendMessageA.USER32(?,?,?,?), ref: 00445C73

Part of subcall function 00405388: FreeLibrary.KERNEL32(00400000,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405410
Part of subcall function 00405388: ExitProcess.KERNEL32(00000000,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405448

Part of subcall function 0044641C: IsWindowEnabled.USER32(00000000), ref: 00446458

IsWindowEnabled.USER32(00000000), ref: 00445D18
IsWindowVisible.USER32(00000000), ref: 00445D2D
GetFocus.USER32 ref: 00445D41
SetFocus.USER32(00000000), ref: 00445D50
SetFocus.USER32(00000000), ref: 00445D6F
IsWindowEnabled.USER32(00000000), ref: 00445DD0
SetFocus.USER32(00000000), ref: 00445DF2
GetLastActivePopup.USER32(?), ref: 00445E0A

Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773

GetFocus.USER32 ref: 00445E4F

Part of subcall function 0043BA80: GetCurrentThreadId.KERNEL32(Function_0003BA1C,00000000,0044283C,00000000,004428BF), ref: 0043BA9A
Part of subcall function 0043BA80: EnumThreadWindows.USER32(00000000,Function_0003BA1C,00000000), ref: 0043BAA0

SetFocus.USER32(00000000), ref: 00445E70

Part of subcall function 00446A88: PostMessageA.USER32(?,0000B01F,00000000,00000000), ref: 00446BA1

Part of subcall function 004466B8: SendMessageA.USER32(?,0000B020,00000001,?), ref: 004466DC

Part of subcall function 0044665C: SendMessageA.USER32(?,0000B020,00000000,?), ref: 0044667E

Part of subcall function 0045D684: SystemParametersInfoA.USER32(00000068,00000000,015E3408,00000000), ref: 0045D6C8
Part of subcall function 0045D684: SendMessageA.USER32(?,?,00000000,00000000), ref: 0045D6DB

Part of subcall function 00445844: DefWindowProcA.USER32(?,?,?,?), ref: 0044586E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004450B4, Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 131 Total matches: 14windowregistry

Similarity

Total matches: 14
API ID: DeleteMenu$GetClassInfoGetSystemMenuRegisterClassSendMessageSetClassLongSetWindowLong
String ID: LPI$PMD
API String ID: 387369179-807424164
Opcode ID: 32fce7ee3e6ac0926511ec3e4f7c98ab685e9b31e2d706daccbfdcda0f6d1d6b
Instruction ID: d56ce0e432135cd6d309e63aa69e29fd16821da0556a9908f65c39b580e9a6e9
Opcode Fuzzy Hash: 5601A6826E8982A2E2E03082381279F408E9F8B745C34A72E50863056EEF4A4178FF06
Instruction Fuzzy Hash: d56ce0e432135cd6d309e63aa69e29fd16821da0556a9908f65c39b580e9a6e9

APIs

Part of subcall function 00421084: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 004210A2

GetClassInfoA.USER32(00400000,00444D50,?), ref: 00445113
RegisterClassA.USER32(004925FC), ref: 0044512B

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

Part of subcall function 0040857C: CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004085BB

SetWindowLongA.USER32(?,000000FC,?), ref: 004451C2
DeleteMenu.USER32(00000000,0000F010,00000000), ref: 00445235

Part of subcall function 00445F74: LoadIconA.USER32(00000000,00007F00), ref: 00445F8A

SendMessageA.USER32(?,00000080,00000001,00000000), ref: 004451E4
SetClassLongA.USER32(?,000000F2,00000000), ref: 004451F7
GetSystemMenu.USER32(?,00000000), ref: 00445202
DeleteMenu.USER32(00000000,0000F030,00000000), ref: 00445211
DeleteMenu.USER32(00000000,0000F000,00000000), ref: 0044521E

Strings

PMD, xrefs: 00445107, 0044519E
LPI, xrefs: 004450DD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045DAE0, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 103 Total matches: 45registrylibraryloader

Similarity

Total matches: 45
API ID: GlobalAddAtom$GetCurrentProcessIdGetCurrentThreadIdGetModuleHandleGetProcAddressRegisterWindowMessage
String ID: AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$USER32
API String ID: 1182141063-1126952177
Opcode ID: f8c647dae10644b7e730f5649d963eb01b1b77fd7d0b633dfddc8baab0ae74fb
Instruction ID: 6dc9b78338348dc7afd8e3f20dad2926db9f0bd5be2625dc934bf3846c6fa984
Opcode Fuzzy Hash: ED0140552F89B147427255E03449BB534B6A707F4B4CA77531B0D3A1F9AE074025FB1E
Instruction Fuzzy Hash: 6dc9b78338348dc7afd8e3f20dad2926db9f0bd5be2625dc934bf3846c6fa984

APIs

GetCurrentProcessId.KERNEL32(?,00000000,0045DC58), ref: 0045DB01
GlobalAddAtomA.KERNEL32(00000000), ref: 0045DB34
GetCurrentThreadId.KERNEL32(?,?,00000000,0045DC58), ref: 0045DB4F
GlobalAddAtomA.KERNEL32(00000000), ref: 0045DB85
RegisterWindowMessageA.USER32(00000000,00000000,?,?,00000000,0045DC58), ref: 0045DB9B

Part of subcall function 00419AB0: InitializeCriticalSection.KERNEL32(004174C8,?,?,0045DBB1,00000000,00000000,?,?,00000000,0045DC58), ref: 00419ACF

Part of subcall function 0045D6E8: SetErrorMode.KERNEL32(00008000), ref: 0045D701
Part of subcall function 0045D6E8: GetModuleHandleA.KERNEL32(USER32,00000000,0045D84E,?,00008000), ref: 0045D725
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,WINNLSEnableIME,USER32,00000000,0045D84E,?,00008000), ref: 0045D732
Part of subcall function 0045D6E8: LoadLibraryA.KERNEL32(imm32.dll), ref: 0045D74E
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D770
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D785
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D79A
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7AF
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7C4
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E), ref: 0045D7D9
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000), ref: 0045D7EE
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext), ref: 0045D803
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext), ref: 0045D818
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmNotifyIME,00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus), ref: 0045D82D
Part of subcall function 0045D6E8: SetErrorMode.KERNEL32(?,0045D855,00008000), ref: 0045D848

Part of subcall function 00443B58: GetKeyboardLayout.USER32(00000000), ref: 00443B9D
Part of subcall function 00443B58: GetDC.USER32(00000000), ref: 00443BF2
Part of subcall function 00443B58: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00443BFC
Part of subcall function 00443B58: ReleaseDC.USER32(00000000,00000000), ref: 00443C07

Part of subcall function 00444D60: LoadIconA.USER32(00400000,MAINICON), ref: 00444E57
Part of subcall function 00444D60: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON), ref: 00444E89
Part of subcall function 00444D60: OemToCharA.USER32(?,?), ref: 00444E9C
Part of subcall function 00444D60: CharNextA.USER32(?), ref: 00444EDB
Part of subcall function 00444D60: CharLowerA.USER32(00000000), ref: 00444EE1

GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,?,00000000,0045DC58), ref: 0045DC1F
GetProcAddress.KERNEL32(00000000,AnimateWindow,USER32,00000000,00000000,?,?,00000000,0045DC58), ref: 0045DC30

Strings

Delphi%.8X, xrefs: 0045DB12
ControlOfs%.8X%.8X, xrefs: 0045DB63
AnimateWindow, xrefs: 0045DC2A
USER32, xrefs: 0045DC1A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444D60, Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 135 Total matches: 14window

Similarity

Total matches: 14
API ID: CharLowerCharNextGetModuleFileNameLoadIconOemToChar
String ID: 08B$0PI$8PI$MAINICON$\tA
API String ID: 1282013903-4242882941
Opcode ID: ff2b085099440c5ca1f97a8a9a6e2422089f81c1f58cd04fd4e646ad6fccc634
Instruction ID: 1a7e1b5cc773515fc1e1ce3387cb9199d5a608ac43a7cc09dd1af1e5a3a2e712
Opcode Fuzzy Hash: 76112C42068596E4E03967743814BC96091FB95F3AEB8AB7156F570BE48F418125F31C
Instruction Fuzzy Hash: 1a7e1b5cc773515fc1e1ce3387cb9199d5a608ac43a7cc09dd1af1e5a3a2e712

APIs

LoadIconA.USER32(00400000,MAINICON), ref: 00444E57

Part of subcall function 0042B29C: GetIconInfo.USER32(?,?), ref: 0042B2BD
Part of subcall function 0042B29C: GetObjectA.GDI32(?,00000018,?), ref: 0042B2DE
Part of subcall function 0042B29C: DeleteObject.GDI32(?), ref: 0042B30A
Part of subcall function 0042B29C: DeleteObject.GDI32(?), ref: 0042B313

GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON), ref: 00444E89
OemToCharA.USER32(?,?), ref: 00444E9C
CharNextA.USER32(?), ref: 00444EDB
CharLowerA.USER32(00000000), ref: 00444EE1

Part of subcall function 00421140: GetClassInfoA.USER32(00400000,00421130,?), ref: 00421161
Part of subcall function 00421140: UnregisterClassA.USER32(00421130,00400000), ref: 0042118A
Part of subcall function 00421140: RegisterClassA.USER32(00491B50), ref: 00421194
Part of subcall function 00421140: SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 004211DF

Part of subcall function 004450B4: GetClassInfoA.USER32(00400000,00444D50,?), ref: 00445113
Part of subcall function 004450B4: RegisterClassA.USER32(004925FC), ref: 0044512B
Part of subcall function 004450B4: SetWindowLongA.USER32(?,000000FC,?), ref: 004451C2
Part of subcall function 004450B4: SendMessageA.USER32(?,00000080,00000001,00000000), ref: 004451E4
Part of subcall function 004450B4: SetClassLongA.USER32(?,000000F2,00000000), ref: 004451F7
Part of subcall function 004450B4: GetSystemMenu.USER32(?,00000000), ref: 00445202
Part of subcall function 004450B4: DeleteMenu.USER32(00000000,0000F030,00000000), ref: 00445211
Part of subcall function 004450B4: DeleteMenu.USER32(00000000,0000F000,00000000), ref: 0044521E
Part of subcall function 004450B4: DeleteMenu.USER32(00000000,0000F010,00000000), ref: 00445235

Strings

MAINICON, xrefs: 00444E4A
08B, xrefs: 00444E38
0PI, xrefs: 00444E4F, 00444E81
8PI, xrefs: 00444F14
\tA, xrefs: 00444DBF, 00444DD1, 00444DE3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00481318, Relevance: 16.0, APIs: 2, Strings: 7, Instructions: 241 Total matches: 16thread

Similarity

Total matches: 16
API ID: CreateThreadExitThread
String ID: Bytes ($,xI$:: $:: Clipboard Change : size = $FTPSIZE$FTPUPLOADK$dclogs\
API String ID: 3550501405-4171340091
Opcode ID: 09ac825b311b0dae764bb850de313dcff2ce8638679eaf641d47129c8347c1b6
Instruction ID: 18a29a8180aa3c51a0af157095e3a2943ba53103427a66675ab0ae847ae08d92
Opcode Fuzzy Hash: A8315BC70B99DEDBE522BCD838413A6446E1B4364DD4C1B224B397D4F14F09203AF712
Instruction Fuzzy Hash: 18a29a8180aa3c51a0af157095e3a2943ba53103427a66675ab0ae847ae08d92

APIs

ExitThread.KERNEL32(00000000,00000000,00481687,?,00000000,004816C3,?,?,?,?,0000000C,00000000,00000000), ref: 0048135E

Part of subcall function 00480F70: GetForegroundWindow.USER32 ref: 00480F8F
Part of subcall function 00480F70: GetWindowTextLengthA.USER32(00000000), ref: 00480F9B
Part of subcall function 00480F70: GetWindowTextA.USER32(00000000,00000000,00000001), ref: 00480FB8

Part of subcall function 0048ADCC: SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0048ADF9
Part of subcall function 0048ADCC: SHGetPathFromIDListA.SHELL32(?,?,00000000,0048AE8C,?,?,00000005,?,004856FD,00000000,00485755,?,?,00000005,00000000,00000000), ref: 0048AE09

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

Part of subcall function 0040BCC4: GetLocalTime.KERNEL32(?), ref: 0040BCCC

Part of subcall function 00480FEC: FindFirstFileA.KERNEL32(00000000,?,00000000,0048109E), ref: 0048101E

CreateThread.KERNEL32(00000000,00000000,Function_000810D4,00000000,00000000,00499F94), ref: 0048162D

Strings

FTPUPLOADK, xrefs: 0048159E
,xI, xrefs: 00481482, 0048151D
dclogs\, xrefs: 004813DB, 0048142A, 004815C7
FTPSIZE, xrefs: 004815F1
:: , xrefs: 00481492
Bytes (, xrefs: 0048153F
:: Clipboard Change : size = , xrefs: 0048152D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048B908, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 138 Total matches: 28

Similarity

Total matches: 28
API ID: GetTokenInformation$CloseHandleGetCurrentProcessOpenProcessToken
String ID: Default$Full$Limited$unknow
API String ID: 3519712506-3005279702
Opcode ID: c9e83fe5ef618880897256b557ce500f1bf5ac68e7136ff2dc4328b35d11ffd0
Instruction ID: 0b4c06dab34d27ad9d68d80be0f4d698db9405c4a95def130c1ac261927f5781
Opcode Fuzzy Hash: 94012245479DA6FB6826709C78036E90090EEA3505DC827320F1A3EA430F49906DFE03
Instruction Fuzzy Hash: 0b4c06dab34d27ad9d68d80be0f4d698db9405c4a95def130c1ac261927f5781

APIs

GetCurrentProcess.KERNEL32(00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B93E
OpenProcessToken.ADVAPI32(00000000,00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B944
GetTokenInformation.ADVAPI32(?,00000012(TokenIntegrityLevel),?,00000004,?,00000000,0048BA30,?,00000000,00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B96F
GetTokenInformation.ADVAPI32(?,00000014(TokenIntegrityLevel),?,00000004,?,?,TokenIntegrityLevel,?,00000004,?,00000000,0048BA30,?,00000000,00000008,?), ref: 0048B9DF
CloseHandle.KERNEL32(?), ref: 0048BA2A

Strings

unknow, xrefs: 0048B9B6
Limited, xrefs: 0048B9A7
Default, xrefs: 0048B989
Full, xrefs: 0048B998

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004035C4, Relevance: 15.1, APIs: 10, Instructions: 129 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: d538ecb20819965be69077a828496b76d5af3486dd71f6717b9dc933de35fdbc
Instruction ID: c976212507a0127e09b4f1878ff8970bdbefa7b4a5e526d5fabf74a192684bc9
Opcode Fuzzy Hash: DD012BC0B7E89268E42FAB84AA00FD25444979FFC9E70C74433C9615EE6742616CBE09
Instruction Fuzzy Hash: c976212507a0127e09b4f1878ff8970bdbefa7b4a5e526d5fabf74a192684bc9

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040364C
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00403670
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040368C
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 004036AD
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 004036D6
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 004036E4
GetStdHandle.KERNEL32(000000F5), ref: 0040371F
GetFileType.KERNEL32 ref: 00403735
CloseHandle.KERNEL32 ref: 00403750
GetLastError.KERNEL32(000000F5), ref: 00403768

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040EBCC, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201 Total matches: 3634thread

Similarity

Total matches: 3634
API ID: GetThreadLocale
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 1366207816-2493093252
Opcode ID: 01a36ac411dc2f0c4b9eddfafa1dc6121dabec367388c2cb1b6e664117e908cf
Instruction ID: d03f869ccb848d3c28b0e9f5c57a02ed4726818649ba9b5e70cc30c7e7abe10a
Opcode Fuzzy Hash: 7E216E09A7888936D262494C3885B9414F75F1A161EC4CBF18BB2757ED6EC60422FBFB
Instruction Fuzzy Hash: d03f869ccb848d3c28b0e9f5c57a02ed4726818649ba9b5e70cc30c7e7abe10a

APIs

Part of subcall function 0040EB08: GetThreadLocale.KERNEL32 ref: 0040EB2A
Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000004A), ref: 0040EB7D
Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000002A), ref: 0040EB8C

Part of subcall function 0040D3E8: GetThreadLocale.KERNEL32(00000000,0040D4FB,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040D404

GetThreadLocale.KERNEL32(00000000,0040EE97,?,?,00000000,00000000), ref: 0040EC02

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Part of subcall function 0040D380: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040EC7E,00000000,0040EE97,?,?,00000000,00000000), ref: 0040D393

Part of subcall function 0040D670: GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(?,00000000,0040D657,?,?,00000000), ref: 0040D5D8
Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040D657,?,?,00000000), ref: 0040D608
Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D50C,00000000,00000000,00000004), ref: 0040D613
Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040D657,?,?,00000000), ref: 0040D631
Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D548,00000000,00000000,00000003), ref: 0040D63C

Strings

AMPM , xrefs: 0040EE25
mmmm d, yyyy, xrefs: 0040ECFE
m/d/yy, xrefs: 0040ECD1
:mm, xrefs: 0040EE35
:mm:ss, xrefs: 0040EE52
AMPM, xrefs: 0040EE16

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045F5F8, Relevance: 10.6, APIs: 7, Instructions: 117 Total matches: 462file

Similarity

Total matches: 462
API ID: CloseHandle$CreateFileCreateFileMappingGetFileSizeMapViewOfFileUnmapViewOfFile
String ID:
API String ID: 4232242029-0
Opcode ID: 30b260463d44c6b5450ee73c488d4c98762007a87f67d167b52aaf6bd441c3bf
Instruction ID: 5c790fdba87d6d3a28b45298bdc34f72c373fcd78425af207109af52e92f4d8f
Opcode Fuzzy Hash: 68F028440BCCF3A7F4B5B64820427A1004AAB46B58D54BFA25495374CB89C9B04DFB53
Instruction Fuzzy Hash: 5c790fdba87d6d3a28b45298bdc34f72c373fcd78425af207109af52e92f4d8f

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateFileA.KERNEL32(00000000,80000000,00000003,00000000,00000003,08000080,00000000), ref: 0045F637
CreateFileMappingA.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0045F665
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718,?,?,?,?), ref: 0045F691
GetFileSize.KERNEL32(000000FF,00000000,00000000,0045F6DC,?,00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718), ref: 0045F6B3
UnmapViewOfFile.KERNEL32(00000000,0045F6E3,0045F6DC,?,00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718), ref: 0045F6D6
CloseHandle.KERNEL32(00000000), ref: 0045F6F4
CloseHandle.KERNEL32(000000FF), ref: 0045F712

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AFE8, Relevance: 10.6, APIs: 7, Instructions: 94 Total matches: 34sleep

Similarity

Total matches: 34
API ID: Sleep$GetCurrentProcessGetTokenInformationLookupPrivilegeDisplayNameLookupPrivilegeNameOpenProcessToken
String ID:
API String ID: 2949210484-0
Opcode ID: 1294ace95088db967643d611283e857756515b83d680ef470e886f47612abab4
Instruction ID: 080af5cb768fd98714a9d060fcd45c73de1816ca9ba7ffb4874f351f539571ee
Opcode Fuzzy Hash: F9F0F6524B5DE753F65D2A4C9893BE90250DB03424E806B22857877A8A5E195039FA2A
Instruction Fuzzy Hash: 080af5cb768fd98714a9d060fcd45c73de1816ca9ba7ffb4874f351f539571ee

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048B0F3), ref: 0048B016
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048B0F3), ref: 0048B01C
Sleep.KERNEL32(00000001,00000000,00000028,?,00000000,0048B0F3), ref: 0048B027
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B03C
Sleep.KERNEL32(00000001,?,TokenIntegrityLevel,00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B047
LookupPrivilegeNameA.ADVAPI32(00000000,00000004,00000000,000000FF), ref: 0048B094
LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,?,000000FF,?), ref: 0048B0A8

Part of subcall function 0048AEA8: GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AEFF
Part of subcall function 0048AEA8: OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF05
Part of subcall function 0048AEA8: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
Part of subcall function 0048AEA8: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000), ref: 0048AF77
Part of subcall function 0048AEA8: CloseHandle.KERNEL32(?), ref: 0048AF8D
Part of subcall function 0048AEA8: GetLastError.KERNEL32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF9A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048F888, Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 110 Total matches: 18

Similarity

Total matches: 18
API ID: CoInitialize
String ID: .dcp$DCDATA$GENCODE$MPI$NETDATA
API String ID: 2346599605-3060965071
Opcode ID: 5b2698c0d83cdaee763fcf6fdf8d4463e192853437356cece5346bd183c87f4d
Instruction ID: bf1364519f653df7cd18a9a38ec8bfca38719d83700d8c9dcdc44dde4d16a583
Opcode Fuzzy Hash: 990190478FEEC01AF2139D64387B7C100994F53F55E840B9B557D3E5A08947502BB705
Instruction Fuzzy Hash: bf1364519f653df7cd18a9a38ec8bfca38719d83700d8c9dcdc44dde4d16a583

APIs

Part of subcall function 004076D4: GetModuleHandleA.KERNEL32(00000000,?,0048F8A5,?,?,?,0000002F,00000000,00000000), ref: 004076E0

CoInitialize.OLE32(00000000), ref: 0048F8B5

Part of subcall function 0048AFE8: GetCurrentProcess.KERNEL32(00000028,?,00000000,0048B0F3), ref: 0048B016
Part of subcall function 0048AFE8: OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048B0F3), ref: 0048B01C
Part of subcall function 0048AFE8: Sleep.KERNEL32(00000001,00000000,00000028,?,00000000,0048B0F3), ref: 0048B027
Part of subcall function 0048AFE8: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B03C
Part of subcall function 0048AFE8: Sleep.KERNEL32(00000001,?,TokenIntegrityLevel,00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B047
Part of subcall function 0048AFE8: LookupPrivilegeNameA.ADVAPI32(00000000,00000004,00000000,000000FF), ref: 0048B094
Part of subcall function 0048AFE8: LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,?,000000FF,?), ref: 0048B0A8

Part of subcall function 0040F234: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0048F90F,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040F24B

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

Strings

.dcp, xrefs: 0048F92D, 0048F989
DCDATA, xrefs: 0048F8E9
NETDATA, xrefs: 0048F9B6
MPI, xrefs: 0048F8BA
GENCODE, xrefs: 0048F920, 0048F97C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B47C, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58 Total matches: 283

Similarity

Total matches: 283
API ID: MulDiv
String ID: MS Shell Dlg 2$SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes$Tahoma
API String ID: 940359406-1011973972
Opcode ID: 9f338f1e3de2c8e95426f3758bdd42744a67dcd51be80453ed6f2017c850a3af
Instruction ID: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a
Opcode Fuzzy Hash: EDE0680017C8F0ABFC32BC8A30A17CD20C9F341270C0063B1065D3D8CAAB4AC018E907
Instruction Fuzzy Hash: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a

APIs

MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0042B4A2

Part of subcall function 004217A0: RegCloseKey.ADVAPI32(10940000,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5,?,00000000,0048B2DD), ref: 004217B4

Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421A81
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421AF1
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?), ref: 00421B5C

Part of subcall function 00421770: RegFlushKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 00421781
Part of subcall function 00421770: RegCloseKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 0042178A

Part of subcall function 0042B438: GetDC.USER32(00000000), ref: 0042B441
Part of subcall function 0042B438: SelectObject.GDI32(00000000,018A002E), ref: 0042B453
Part of subcall function 0042B438: GetTextMetricsA.GDI32(00000000), ref: 0042B45E
Part of subcall function 0042B438: ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes, xrefs: 0042B4F8
MS Shell Dlg 2, xrefs: 0042B50C
Tahoma, xrefs: 0042B4C4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00480F70, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43 Total matches: 13

Similarity

Total matches: 13
API ID: GetForegroundWindowGetWindowTextGetWindowTextLength
String ID: 3 H
API String ID: 3098183346-888106971
Opcode ID: 38df64794ac19d1a41c58ddb3103a8d6ab7d810f67298610b47d21a238081d5e
Instruction ID: fd1deb06fecc2756381cd848e34cdb6bc2d530e728f99936ce181bacb4a15fce
Opcode Fuzzy Hash: 41D0A785074A821B944A95CC64011E692D4A171281D803B31CB257A5C9ED06001FA82B
Instruction Fuzzy Hash: fd1deb06fecc2756381cd848e34cdb6bc2d530e728f99936ce181bacb4a15fce

APIs

GetForegroundWindow.USER32 ref: 00480F8F
GetWindowTextLengthA.USER32(00000000), ref: 00480F9B
GetWindowTextA.USER32(00000000,00000000,00000001), ref: 00480FB8

Strings

3 H, xrefs: 00480FD4, 00480FA3, 00480FAE, 00480FBF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00421140, Relevance: 6.1, APIs: 4, Instructions: 59 Total matches: 2877registry

Similarity

Total matches: 2877
API ID: GetClassInfoRegisterClassSetWindowLongUnregisterClass
String ID:
API String ID: 1046148194-0
Opcode ID: c2411987b4f71cfd8dbf515c505d6b009a951c89100e7b51cc1a9ad4868d85a2
Instruction ID: ad09bb2cd35af243c34bf0a983bbfa5e937b059beb8f7eacfcf21e0321a204f6
Opcode Fuzzy Hash: 17E026123D08D3D6E68B3107302B30D00AC1B2F524D94E725428030310CB24B034D942
Instruction Fuzzy Hash: ad09bb2cd35af243c34bf0a983bbfa5e937b059beb8f7eacfcf21e0321a204f6

APIs

GetClassInfoA.USER32(00400000,00421130,?), ref: 00421161
UnregisterClassA.USER32(00421130,00400000), ref: 0042118A
RegisterClassA.USER32(00491B50), ref: 00421194

Part of subcall function 0040857C: CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004085BB

Part of subcall function 00421084: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 004210A2

SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 004211DF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00421808, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74 Total matches: 14registry

Similarity

Total matches: 14
API ID: RegCloseKeyRegCreateKeyEx
String ID: ddA
API String ID: 4178925417-2966775115
Opcode ID: 48d059bb8e84bc3192dc11d099b9e0818b120cb04e32a6abfd9049538a466001
Instruction ID: bcac8fa413c5abe8057b39d2fbf4054ffa52545f664d92bf1e259ce37bb87d2b
Opcode Fuzzy Hash: 99E0E5461A86A377B41BB1583001B523267EB167A6C85AB72164D3EADBAA40802DAE53
Instruction Fuzzy Hash: bcac8fa413c5abe8057b39d2fbf4054ffa52545f664d92bf1e259ce37bb87d2b

APIs

RegCreateKeyExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,000F003F,00000000,?,?,00000000,004218D4,?,?,?,00000000), ref: 0042187F
RegCloseKey.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,000F003F,00000000,?,?,00000000,004218D4,?,?,?,00000000), ref: 00421893

Strings

ddA, xrefs: 004218A7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486374, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66 Total matches: 15network

Similarity

Total matches: 15
API ID: send
String ID: #KEEPALIVE#$AI
API String ID: 2809346765-3407633610
Opcode ID: 7bd268bc54a74c8d262fb2d4f92eedc3231c4863c0e0b1ad2c3d318767d32110
Instruction ID: 49a0c3b4463e99ba8d4a2c6ba6a42864ce88c18c059a57f1afd8745127692009
Opcode Fuzzy Hash: 34E068800B79C40B586BB094394371320D2EE1171988473305F003F967CD40501E2E93
Instruction Fuzzy Hash: 49a0c3b4463e99ba8d4a2c6ba6a42864ce88c18c059a57f1afd8745127692009

APIs

send.WSOCK32(?,?,?,00000000,00000000,0048642A), ref: 004863F3

Strings

AI, xrefs: 004863A6
#KEEPALIVE#, xrefs: 00486399

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DD0C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51 Total matches: 15

Similarity

Total matches: 15
API ID: GlobalMemoryStatus
String ID: $%d%
API String ID: 1890195054-1553997471
Opcode ID: b93ee82e74eb3fdc7cf13e02b5efcaa0aef25b4b863b00f7ccdd0b9efdff76e6
Instruction ID: fe5533f6b2d125ff6ee6e2ff500c73019a28ed325643b914abb945f4eac8f20d
Opcode Fuzzy Hash: 64D05BD70F99F457A5A1718E3452FA400956F036D9CC83BB349946E99F071F80ACF612
Instruction Fuzzy Hash: fe5533f6b2d125ff6ee6e2ff500c73019a28ed325643b914abb945f4eac8f20d

APIs

GlobalMemoryStatus.KERNEL32(00000020), ref: 0048DD44

Strings

%d%, xrefs: 0048DD5C
, xrefs: 0048DD39

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048CF38, Relevance: 4.5, APIs: 3, Instructions: 43 Total matches: 31

Similarity

Total matches: 31
API ID: GetForegroundWindowGetWindowTextGetWindowTextLength
String ID:
API String ID: 3098183346-0
Opcode ID: 209e0569b9b6198440fd91fa0607dca7769e34364d6ddda49eba559da13bc80b
Instruction ID: 91d0bfb2ef12b00d399625e8c88d0df52cd9c99a94677dcfff05ce23f9c63a23
Opcode Fuzzy Hash: 06D0A785074B861BA40A96CC64011E692906161142D8077318725BA5C9AD06001FA85B
Instruction Fuzzy Hash: 91d0bfb2ef12b00d399625e8c88d0df52cd9c99a94677dcfff05ce23f9c63a23

APIs

GetForegroundWindow.USER32 ref: 0048CF57
GetWindowTextLengthA.USER32(00000000), ref: 0048CF63
GetWindowTextA.USER32(00000000,00000000,00000001), ref: 0048CF80

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482028, Relevance: 4.5, APIs: 3, Instructions: 19 Total matches: 124window

Similarity

Total matches: 124
API ID: DispatchMessageGetMessageTranslateMessage
String ID:
API String ID: 238847732-0
Opcode ID: 2bc29e822e5a19ca43f9056ef731e5d255ca23f22894fa6ffe39914f176e67d0
Instruction ID: 3635f244085e73605198e4edd337f824154064b4cabe78c039b45d2f1f3269be
Opcode Fuzzy Hash: A9B0120F8141E01F254D19651413380B5D379C3120E515B604E2340284D19031C97C49
Instruction Fuzzy Hash: 3635f244085e73605198e4edd337f824154064b4cabe78c039b45d2f1f3269be

APIs

Part of subcall function 00481ED8: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00482007,?,?,00000003,00000000,00000000,?,00482033), ref: 00481EFB
Part of subcall function 00481ED8: SetWindowsHookExA.USER32(0000000D,004818F8,00000000,00000000), ref: 00481F09

TranslateMessage.USER32 ref: 00482036
DispatchMessageA.USER32 ref: 0048203C
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00482048

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C91C, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 75 Total matches: 20

Similarity

Total matches: 20
API ID: GetVolumeInformation
String ID: %.4x:%.4x
API String ID: 1114431059-3532927987
Opcode ID: 208ca3ebf28c5cea15b573a569a7b8c9d147c1ff64dfac4d15af7b461a718bc8
Instruction ID: 4ae5e3aba91ec141201c4859cc19818ff8a02ee484ece83311eb3b9305c11bcf
Opcode Fuzzy Hash: F8E0E5410AC961EBB4D3F0883543BA2319593A3289C807B73B7467FDD64F05505DD847
Instruction Fuzzy Hash: 4ae5e3aba91ec141201c4859cc19818ff8a02ee484ece83311eb3b9305c11bcf

APIs

GetVolumeInformationA.KERNEL32(00000000,00000000,00000104,?,?,?,00000000,00000104), ref: 0048C974

Strings

%.4x:%.4x, xrefs: 0048C9B9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048CFB4, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58 Total matches: 8

Similarity

Total matches: 8
API ID: capGetDriverDescription
String ID: -
API String ID: 908034968-3695764949
Opcode ID: 539b46e002ba2863d7d2c04a7b077dd225392ffb50804089dcc6361416e5df4e
Instruction ID: 038fcc9a5db2c7f42583a832665ba5c588812794c244530825cfc74b69c29f65
Opcode Fuzzy Hash: 2EE0228213B0DAF7E5A00FA03864F5C0B640F02AB8F8C9FA2A278651EE2C14404CE24F
Instruction Fuzzy Hash: 038fcc9a5db2c7f42583a832665ba5c588812794c244530825cfc74b69c29f65

APIs

capGetDriverDescriptionA.AVICAP32(00000000,?,00000105,?,00000105,00000000,0048D07B), ref: 0048CFF9

Strings

- , xrefs: 0048D026

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00475E2C, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 51 Total matches: 7network

Similarity

Total matches: 7
API ID: send
String ID: AI
API String ID: 2809346765-2814088591
Opcode ID: 868ad7ac68dacb7c8c4160927bbae46afa974d2bcec77bad21f6f3dd38f5bacb
Instruction ID: 18704ec08ed0309c1d2906dc748e140c54c21f2532b483477e06f3f57a53c56f
Opcode Fuzzy Hash: 47D0C246096AC96BA413E890396335B2097FB40259D802B700B102F0978E05601BAE83
Instruction Fuzzy Hash: 18704ec08ed0309c1d2906dc748e140c54c21f2532b483477e06f3f57a53c56f

APIs

send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

AI, xrefs: 00475E55

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004221F0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47 Total matches: 18registry

Similarity

Total matches: 18
API ID: RegQueryValueEx
String ID: ldA
API String ID: 3865029661-3200660723
Opcode ID: ec304090a766059ca8447c7e950ba422bbcd8eaba57a730efadba48c404323b5
Instruction ID: 1bfdbd06430122471a07604155f074e1564294130eb9d59a974828bfc3ff2ca5
Opcode Fuzzy Hash: 87D05E281E48858525DA74D93101B522241E7193938CC3F618A4C976EB6900F018EE0F
Instruction Fuzzy Hash: 1bfdbd06430122471a07604155f074e1564294130eb9d59a974828bfc3ff2ca5

APIs

RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000), ref: 0042221B

Strings

ldA, xrefs: 00422231

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00421F68, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36 Total matches: 12registry

Similarity

Total matches: 12
API ID: RegQueryValueEx
String ID: n"B
API String ID: 3865029661-2187876772
Opcode ID: 26fd4214dafc6fead50bf7e0389a84ae86561299910b3c40f1938d96c80dcc37
Instruction ID: ad829994a2409f232093606efc953ae9cd3a3a4e40ce86781ec441e637d7f613
Opcode Fuzzy Hash: A2C08C4DAA204AD6E1B42500D481F0827816B633B9D826F400162222E3BA009A9FE85C
Instruction Fuzzy Hash: ad829994a2409f232093606efc953ae9cd3a3a4e40ce86781ec441e637d7f613

APIs

RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,00000000,n"B,?,?,?,?,00000000,0042226E), ref: 00421F9A

Strings

n"B, xrefs: 00421F81, 00421F84

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Similar Non-Executed Functions

Function 0048B42C, Relevance: 70.2, APIs: 32, Strings: 8, Instructions: 219 Total matches: 29keyboard

Similarity

Total matches: 29
API ID: keybd_event
String ID: CTRLA$CTRLC$CTRLF$CTRLP$CTRLV$CTRLX$CTRLY$CTRLZ
API String ID: 2665452162-853614746
Opcode ID: 4def22f753c7f563c1d721fcc218f3f6eb664e5370ee48361dbc989d32d74133
Instruction ID: 963b610819eac8b52ef880b5a8b69d76f76adbdeafee6c47af906d1515d6b099
Opcode Fuzzy Hash: 532196951B0CA2B978DA64817C0E195F00B969B34DEDC13128990DAF788EF08DE03F35
Instruction Fuzzy Hash: 963b610819eac8b52ef880b5a8b69d76f76adbdeafee6c47af906d1515d6b099

APIs

keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B460
keybd_event.USER32(00000041,00000045,00000001,00000000), ref: 0048B46D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B47A
keybd_event.USER32(00000041,00000045,00000003,00000000), ref: 0048B487
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B4A8
keybd_event.USER32(00000056,00000045,00000001,00000000), ref: 0048B4B5
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B4C2
keybd_event.USER32(00000056,00000045,00000003,00000000), ref: 0048B4CF
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B4F0
keybd_event.USER32(00000043,00000045,00000001,00000000), ref: 0048B4FD
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B50A
keybd_event.USER32(00000043,00000045,00000003,00000000), ref: 0048B517
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B538
keybd_event.USER32(00000058,00000045,00000001,00000000), ref: 0048B545
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B552
keybd_event.USER32(00000058,00000045,00000003,00000000), ref: 0048B55F
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B580
keybd_event.USER32(00000050,00000045,00000001,00000000), ref: 0048B58D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B59A
keybd_event.USER32(00000050,00000045,00000003,00000000), ref: 0048B5A7
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B5C8
keybd_event.USER32(0000005A,00000045,00000001,00000000), ref: 0048B5D5
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B5E2
keybd_event.USER32(0000005A,00000045,00000003,00000000), ref: 0048B5EF
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B610
keybd_event.USER32(00000059,00000045,00000001,00000000), ref: 0048B61D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B62A
keybd_event.USER32(00000059,00000045,00000003,00000000), ref: 0048B637
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B655
keybd_event.USER32(00000046,00000045,00000001,00000000), ref: 0048B662
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B66F
keybd_event.USER32(00000046,00000045,00000003,00000000), ref: 0048B67C

Strings

CTRLP, xrefs: 0048B56C
CTRLC, xrefs: 0048B4DC
CTRLV, xrefs: 0048B494
CTRLY, xrefs: 0048B5FC
CTRLF, xrefs: 0048B641
CTRLZ, xrefs: 0048B5B4
CTRLX, xrefs: 0048B524
CTRLA, xrefs: 0048B44C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00460AC0, Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99 Total matches: 300libraryloader

Similarity

Total matches: 300
API ID: GetProcAddress$GetModuleHandle
String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$[FILE]
API String ID: 1039376941-2682310058
Opcode ID: f09c306a48b0de2dd47c8210d3bd2ba449cfa3644c05cf78ba5a2ace6c780295
Instruction ID: bcfc9cd07546656776842482fc67dab96c7523a4dc8624f3bf5282ed84c56a54
Opcode Fuzzy Hash: 950151BF00AC158CCBB0CE8834EFB5324AB398984C4225F4495C6312393D9FF50A1AAA
Instruction Fuzzy Hash: bcfc9cd07546656776842482fc67dab96c7523a4dc8624f3bf5282ed84c56a54

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?,?,?), ref: 00460AD4
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?,?,?), ref: 00460AEC
GetProcAddress.KERNEL32(00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?), ref: 00460AFE
GetProcAddress.KERNEL32(00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E), ref: 00460B10
GetProcAddress.KERNEL32(00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5), ref: 00460B22
GetProcAddress.KERNEL32(00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5), ref: 00460B34
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000), ref: 00460B46
GetProcAddress.KERNEL32(00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002), ref: 00460B58
GetProcAddress.KERNEL32(00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot), ref: 00460B6A
GetProcAddress.KERNEL32(00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst), ref: 00460B7C
GetProcAddress.KERNEL32(00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext), ref: 00460B8E
GetProcAddress.KERNEL32(00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First), ref: 00460BA0
GetProcAddress.KERNEL32(00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next), ref: 00460BB2
GetProcAddress.KERNEL32(00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory), ref: 00460BC4
GetProcAddress.KERNEL32(00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First), ref: 00460BD6
GetProcAddress.KERNEL32(00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next), ref: 00460BE8
GetProcAddress.KERNEL32(00000000,Module32NextW,00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW), ref: 00460BFA

Strings

Toolhelp32ReadProcessMemory, xrefs: 00460B3E
CreateToolhelp32Snapshot, xrefs: 00460AE4
Heap32First, xrefs: 00460B1A
Thread32First, xrefs: 00460B98
Module32First, xrefs: 00460BBC
Process32FirstW, xrefs: 00460B74
Heap32Next, xrefs: 00460B2C
Process32First, xrefs: 00460B50
Module32Next, xrefs: 00460BCE
Module32NextW, xrefs: 00460BF2
Heap32ListFirst, xrefs: 00460AF6
Thread32Next, xrefs: 00460BAA
Module32FirstW, xrefs: 00460BE0
Heap32ListNext, xrefs: 00460B08
Process32NextW, xrefs: 00460B86
kernel32.dll, xrefs: 00460ACF
Process32Next, xrefs: 00460B62

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428B08, Relevance: 48.5, APIs: 32, Instructions: 500 Total matches: 1987window

Similarity

Total matches: 1987
API ID: SelectObject$SelectPalette$CreateCompatibleDCGetDIBitsGetDeviceCapsRealizePaletteSetBkColorSetTextColor$BitBltCreateBitmapCreateCompatibleBitmapCreateDIBSectionDeleteDCFillRectGetDCGetDIBColorTableGetObjectPatBltSetDIBColorTable
String ID:
API String ID: 3042800676-0
Opcode ID: b8b687cee1c9a2d9d2f26bc490dbdcc6ec68fc2f2ec1aa58312beb2e349b1411
Instruction ID: ff68489d249ea03a763d48795c58495ac11dd1cccf96ec934182865f2a9e2114
Opcode Fuzzy Hash: E051494D0D8CF5C7B4BF29880993F5211816F83A27D2AB7130975677FB8A05A05BF21D
Instruction Fuzzy Hash: ff68489d249ea03a763d48795c58495ac11dd1cccf96ec934182865f2a9e2114

APIs

GetObjectA.GDI32(00000000,00000054,?), ref: 00428B88
GetDC.USER32(00000000), ref: 00428B99
CreateCompatibleDC.GDI32(00000000), ref: 00428BAA
CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 00428BF6
CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 00428C1A
GetDeviceCaps.GDI32(00000028,0000000C), ref: 00428C6A
GetDeviceCaps.GDI32(00000028,0000000E), ref: 00428C77
SelectObject.GDI32(?,?), ref: 00428D7F

Part of subcall function 004262B4: GetObjectA.GDI32(?,00000004), ref: 004262CB
Part of subcall function 004262B4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 004262EE

SelectObject.GDI32(?,00000000), ref: 00428D21
GetDIBColorTable.GDI32(?,00000000,00000100,-00000027), ref: 00428D47
GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428D72
CreateDIBSection.GDI32(00000028,00000001,00000000,00000003,00000000,00000000), ref: 00428DD5
GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428E36

Part of subcall function 00425A70: GetLastError.KERNEL32(00000000,00425B0C), ref: 00425A90
Part of subcall function 00425A70: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00425B0C), ref: 00425AB6

SelectObject.GDI32(?,?), ref: 00428E77
SelectPalette.GDI32(?,00000000,00000000), ref: 00428EB7
RealizePalette.GDI32(?), ref: 00428EC3
SelectPalette.GDI32(?,?,000000FF), ref: 004290CE

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?,00000000), ref: 00428F14
SetTextColor.GDI32(?,00000000), ref: 00428F2C
SetBkColor.GDI32(?,00000000), ref: 00428F46
SetDIBColorTable.GDI32(?,00000000,00000002,?), ref: 00428F8E
PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 00428FB0
CreateCompatibleDC.GDI32(00000028), ref: 00428FC3
SelectObject.GDI32(?,00000000), ref: 00428FE6
SelectPalette.GDI32(?,00000000,00000000), ref: 00429002
RealizePalette.GDI32(?), ref: 0042900D
DeleteDC.GDI32(?), ref: 004290A4

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetTextColor.GDI32(?,00000000), ref: 0042902B
SetBkColor.GDI32(?,00000000), ref: 00429045
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042906D
SelectPalette.GDI32(?,00000000,000000FF), ref: 0042907F
SelectObject.GDI32(?,00000000), ref: 00429089

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047FA8C, Relevance: 44.0, APIs: 24, Strings: 1, Instructions: 241 Total matches: 15networkwindow

Similarity

Total matches: 15
API ID: GetDeviceCaps$recv$DeleteObjectSelectObject$BitBltCreateCompatibleBitmapCreateCompatibleDCGetDCReleaseDCclosesocketconnectgethostbynameinet_addrntohssendshutdownsocket
String ID: THUMB
API String ID: 1930283203-3798143851
Opcode ID: 678904e15847db7bac48336b7cf5e320d4a41031a0bc1ba33978a791cdb2d37c
Instruction ID: a6e5d2826a1bfadec34d698d0b396fa74616cd31ac2933a690057ec4ea65ec21
Opcode Fuzzy Hash: A331F900078DE76BF6722B402983F571157FF42A21E6997A34BB4676C75FC0640EB60B
Instruction Fuzzy Hash: a6e5d2826a1bfadec34d698d0b396fa74616cd31ac2933a690057ec4ea65ec21

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,0047FD80), ref: 0047FACB
ntohs.WSOCK32(00000774), ref: 0047FAEF
inet_addr.WSOCK32(015EAA88,00000774), ref: 0047FB03
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 0047FB1B
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 0047FB42
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047FB59

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047FBA9
GetDC.USER32(00000000), ref: 0047FBE3
CreateCompatibleDC.GDI32(?), ref: 0047FBEF
GetDeviceCaps.GDI32(?,0000000A), ref: 0047FBFD
GetDeviceCaps.GDI32(?,00000008), ref: 0047FC09
CreateCompatibleBitmap.GDI32(?,00000000,?), ref: 0047FC13
SelectObject.GDI32(?,?), ref: 0047FC23
GetDeviceCaps.GDI32(?,0000000A), ref: 0047FC3E
GetDeviceCaps.GDI32(?,00000008), ref: 0047FC4A
BitBlt.GDI32(?,00000000,00000000,00000000,?,00000008,00000000,?,0000000A), ref: 0047FC58
send.WSOCK32(000000FF,?,00000000,00000000,?,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010), ref: 0047FCCD
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00000000,00000000,?,000000FF,?,00002000,00000000,000000FF,?,00002000), ref: 0047FCE4
SelectObject.GDI32(?,?), ref: 0047FD08
DeleteObject.GDI32(?), ref: 0047FD11
DeleteObject.GDI32(?), ref: 0047FD1A
ReleaseDC.USER32(00000000,?), ref: 0047FD25
shutdown.WSOCK32(000000FF,00000002,00000002,00000001,00000000,00000000,0047FD80), ref: 0047FD54
closesocket.WSOCK32(000000FF,000000FF,00000002,00000002,00000001,00000000,00000000,0047FD80), ref: 0047FD5D

Strings

THUMB, xrefs: 0047FB7F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486918, Relevance: 40.8, APIs: 27, Instructions: 343 Total matches: 14networksleep

Similarity

Total matches: 14
API ID: send$recv$closesocket$Sleepconnectgethostbynamegetsocknamentohsselectsocket
String ID:
API String ID: 2478304679-0
Opcode ID: 4d87a5330adf901161e92fb1ca319a93a9e59af002049e08fc24e9f18237b9f5
Instruction ID: e3ab2fee1e4498134b0ab76971bb2098cdaeb743d0e54aa66642cb2787f17742
Opcode Fuzzy Hash: 8F5159466792D79EF5A21F00640279192F68B03F25F05DB72D63A393D8CEC4009EBF08
Instruction Fuzzy Hash: e3ab2fee1e4498134b0ab76971bb2098cdaeb743d0e54aa66642cb2787f17742

APIs

recv.WSOCK32(?,?,00000002,00000002,00000000,00486E16), ref: 00486971
recv.WSOCK32(?,00000005,?,00000000), ref: 004869A0
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 004869EE
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486A0B
recv.WSOCK32(?,?,00000259,00000000,?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486A1F
send.WSOCK32(?,00000001,00000002,00000000), ref: 00486A9E
send.WSOCK32(?,00000001,00000002,00000000), ref: 00486ABB
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486AE8
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486B02
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486B2B
recv.WSOCK32(?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486B41
recv.WSOCK32(?,?,0000000C,00000000,?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486B7C
recv.WSOCK32(?,?,?,00000000,?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486BD9
gethostbyname.WSOCK32(00000000,?,?,?,00000000,?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486BFF
ntohs.WSOCK32(?,00000000,?,?,?,00000000,?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486C29
socket.WSOCK32(00000002,00000001,00000000), ref: 00486C44
connect.WSOCK32(00000000,00000002,00000010,00000002,00000001,00000000), ref: 00486C55
getsockname.WSOCK32(00000000,?,00000010,00000000,00000002,00000010,00000002,00000001,00000000), ref: 00486CA8
send.WSOCK32(?,00000005,0000000A,00000000,00000000,?,00000010,00000000,00000002,00000010,00000002,00000001,00000000), ref: 00486CDD
select.WSOCK32(00000000,?,00000000,00000000,00000000,?,00000005,0000000A,00000000,00000000,?,00000010,00000000,00000002,00000010,00000002), ref: 00486D1D
Sleep.KERNEL32(00000096,00000000,?,00000000,00000000,00000000,?,00000005,0000000A,00000000,00000000,?,00000010,00000000,00000002,00000010), ref: 00486DCA

Part of subcall function 00408710: __WSAFDIsSet.WSOCK32(00000000,?,00000000,?,00486D36,00000000,?,00000000,00000000,00000000,00000096,00000000,?,00000000,00000000,00000000), ref: 00408718

recv.WSOCK32(00000000,?,00001000,00000000,00000000,?,00000000,00000000,00000000,00000096,00000000,?,00000000,00000000,00000000,?), ref: 00486D5B
send.WSOCK32(?,?,00000000,00000000,00000000,?,00001000,00000000,00000000,?,00000000,00000000,00000000,00000096,00000000,?), ref: 00486D72
recv.WSOCK32(?,?,00001000,00000000,00000000,?,00000000,00000000,00000000,00000096,00000000,?,00000000,00000000,00000000,?), ref: 00486DA9
send.WSOCK32(00000000,?,00000000,00000000,?,?,00001000,00000000,00000000,?,00000000,00000000,00000000,00000096,00000000,?), ref: 00486DC0
closesocket.WSOCK32(?,?,?,00000002,00000002,00000000,00486E16), ref: 00486DE2
closesocket.WSOCK32(?,?,?,?,00000002,00000002,00000000,00486E16), ref: 00486DE8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004801FC, Relevance: 35.3, APIs: 15, Strings: 5, Instructions: 286 Total matches: 15network

Similarity

Total matches: 15
API ID: recv$closesocketconnectgethostbynameinet_addrntohssendshutdownsocket
String ID: [.dll]$[.dll]$[.dll]$[.dll]$[.dll]
API String ID: 2256622448-126193538
Opcode ID: edfb90c8b4475b2781d0696b1145c1d1b84b866ec8cac18c23b2313044de0fe7
Instruction ID: 2d95426e1e6ee9a744b3e863ef1b8a7e344b36da7f7d1abd741f771f4a8a1459
Opcode Fuzzy Hash: FB414B0217AAD36BE0726F413943B8B00A2AF03E15D9C97E247B5267D69FA0501DB21A
Instruction Fuzzy Hash: 2d95426e1e6ee9a744b3e863ef1b8a7e344b36da7f7d1abd741f771f4a8a1459

APIs

socket.WSOCK32(00000002,00000001,00000000), ref: 00480264
ntohs.WSOCK32(00000774), ref: 00480288
inet_addr.WSOCK32(015EAA88,00000774), ref: 0048029C
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 004802B4
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 004802DB
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004802F2
closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004805DE

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,?,0048064C,?,00000000,?,FILETRANSFER,000000FF,?,00002000,00000000,000000FF,00000002), ref: 0048036A
recv.WSOCK32(000000FF,?,00002000,00000000,?,00000000,?,0048064C,?,FILEBOF,?,FILETRANSFER,000000FF,?,00002000,00000000), ref: 00480401

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,00000000,?,0048064C,?,FILEBOF,?,FILETRANSFER), ref: 00480451
send.WSOCK32(000000FF,?,00000000,00000000,00000000,00480523,?,000000FF,?,00002000,00000000,?,00000000,?,0048064C,?), ref: 004804DB
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00000000,00000000,00000000,00480523,?,000000FF,?,00002000,00000000,?), ref: 004804F5
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,00000000,?,0048064C,?,FILEBOF,?,FILETRANSFER), ref: 00480583

Part of subcall function 00475F68: send.WSOCK32(?,00000000,?,00000000,00000000,00475FCA), ref: 00475FAF

recv.WSOCK32(000000FF,?,00002000,00000000,?,FILETRANSFER,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004805B6
shutdown.WSOCK32(000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004805D5

Strings

FILEERR, xrefs: 00480432
FILEEOF, xrefs: 00480564
FILEBOF, xrefs: 004803A6
FILEEND, xrefs: 00480597
FILETRANSFER, xrefs: 004802FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048E06C, Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 175 Total matches: 10windowmemorythread

Similarity

Total matches: 10
API ID: SendMessage$FindWindowEx$CloseHandleFindWindowGetWindowThreadProcessIdOpenProcessReadProcessMemoryVirtualAllocVirtualAllocExVirtualFreeVirtualFreeExWriteProcessMemory
String ID: #32770$SysListView32$d"H
API String ID: 3780048337-1380996120
Opcode ID: b683118a55e5ed65f15da96e40864f63eed112dcb30155d6a8038ec0cc94ce3d
Instruction ID: 921cf0fa770e2b86772df7590f9e2c4dc5a1ffd61c2349c0eb9e10af82608242
Opcode Fuzzy Hash: AB11504A0B9C9567E83768442C43BDB1581FB13E89EB1BB93E2743758ADE811069FA43
Instruction Fuzzy Hash: 921cf0fa770e2b86772df7590f9e2c4dc5a1ffd61c2349c0eb9e10af82608242

APIs

Part of subcall function 0048DFF0: GetForegroundWindow.USER32 ref: 0048E00F
Part of subcall function 0048DFF0: GetWindowTextLengthA.USER32(00000000), ref: 0048E01B
Part of subcall function 0048DFF0: GetWindowTextA.USER32(00000000,00000000,00000001), ref: 0048E038

FindWindowA.USER32(#32770,00000000), ref: 0048E0C3
FindWindowExA.USER32(?,00000000,#32770,00000000), ref: 0048E0D8
FindWindowExA.USER32(?,00000000,SysListView32,00000000), ref: 0048E0ED
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0048E102
VirtualAlloc.KERNEL32(00000000,0000012C,00003000,00000004,?,00000000,SysListView32,00000000,00000000,0048E273,?,?,?,?), ref: 0048E12A
GetWindowThreadProcessId.USER32(?,?), ref: 0048E139
OpenProcess.KERNEL32(00000038,00000000,?,00000000,0000012C,00003000,00000004,?,00000000,SysListView32,00000000,00000000,0048E273), ref: 0048E146
VirtualAllocEx.KERNEL32(00000000,00000000,0000012C,00003000,00000004,00000038,00000000,?,00000000,0000012C,00003000,00000004,?,00000000,SysListView32,00000000), ref: 0048E158
WriteProcessMemory.KERNEL32(00000000,00000000,00000000,00000400,?,00000000,00000000,0000012C,00003000,00000004,00000038,00000000,?,00000000,0000012C,00003000), ref: 0048E18A
SendMessageA.USER32(d"H,0000102D,00000000,00000000), ref: 0048E19D
ReadProcessMemory.KERNEL32(00000000,00000000,00000000,00000400,?,d"H,0000102D,00000000,00000000,00000000,00000000,00000000,00000400,?,00000000,00000000), ref: 0048E1AE
SendMessageA.USER32(d"H,00001008,00000000,00000000), ref: 0048E219
VirtualFree.KERNEL32(00000000,00000000,00008000,d"H,00001008,00000000,00000000,00000000,00000000,00000000,00000400,?,d"H,0000102D,00000000,00000000), ref: 0048E226
VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000,00000000,00000000,00008000,d"H,00001008,00000000,00000000,00000000,00000000,00000000,00000400,?), ref: 0048E234
CloseHandle.KERNEL32(00000000), ref: 0048E23A

Strings

SysListView32, xrefs: 0048E0E2
d"H, xrefs: 0048E199, 0048E215, 0048E19C, 0048E218
#32770, xrefs: 0048E0BE, 0048E0CD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00480880, Relevance: 30.0, APIs: 12, Strings: 5, Instructions: 276 Total matches: 16network

Similarity

Total matches: 16
API ID: recv$closesocketshutdown$connectgethostbynameinet_addrntohssocket
String ID: [.dll]$[.dll]$[.dll]$[.dll]$[.dll]
API String ID: 2855376909-126193538
Opcode ID: ce8af9afc4fc20da17b49cda6627b8ca93217772cb051443fc0079949da9fcb3
Instruction ID: 6552a3c7cc817bd0bf0621291c8240d3f07fdfb759ea8c029e05bf9a4febe696
Opcode Fuzzy Hash: A5414C032767977AE1612F402881B952571BF03769DC8C7D257F6746EA5F60240EF31E
Instruction Fuzzy Hash: 6552a3c7cc817bd0bf0621291c8240d3f07fdfb759ea8c029e05bf9a4febe696

APIs

socket.WSOCK32(00000002,00000001,00000000,?,?,?,?,?,?,?,?,?,00000000,00480C86), ref: 004808B5
ntohs.WSOCK32(00000774), ref: 004808D9
inet_addr.WSOCK32(015EAA88,00000774), ref: 004808ED
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 00480905
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 0048092C
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480943
closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480C2F

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480993
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88), ref: 004809C8
shutdown.WSOCK32(000000FF,00000002,?,?,?,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000), ref: 00480B80
closesocket.WSOCK32(000000FF,000000FF,00000002,?,?,?,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?), ref: 00480B89

Part of subcall function 00480860: send.WSOCK32(?,00000000,00000001,00000000), ref: 00480879

shutdown.WSOCK32(000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480C26

Part of subcall function 00405D40: SysFreeString.OLEAUT32(?), ref: 00405D53

Strings

FILEERR, xrefs: 00480BB6
FILEBOF, xrefs: 00480A34
FILEEOF, xrefs: 00480B0B
UPLOADFILE, xrefs: 00480969
FILEEND, xrefs: 00480B6A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048851C, Relevance: 28.3, APIs: 11, Strings: 5, Instructions: 302 Total matches: 13network

Similarity

Total matches: 13
API ID: recv$closesocketconnectgethostbynameinet_addrmouse_eventntohsshutdownsocket
String ID: CONTROLIO$XLEFT$XMID$XRIGHT$XWHEEL
API String ID: 1694935655-1300867655
Opcode ID: 3d8ebbc3997d8a2a290d7fc83b0cdb9b95b23bbbcb8ad76760d2b66ee4a9946d
Instruction ID: 7e2e77316238cb3891ff65c9dc595f4b15bca55cd02a53a070d44cee5d55110c
Opcode Fuzzy Hash: C7410B051B8DD63BF4337E001883B422661FF02A24DC5ABD1ABB6766E75F40641EB74B
Instruction Fuzzy Hash: 7e2e77316238cb3891ff65c9dc595f4b15bca55cd02a53a070d44cee5d55110c

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00488943), ref: 00488581
ntohs.WSOCK32(00000774), ref: 004885A7
inet_addr.WSOCK32(015EAA88,00000774), ref: 004885BB
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 004885D3
connect.WSOCK32(?,00000002,00000010,015EAA88,00000774), ref: 004885FD
recv.WSOCK32(?,?,00002000,00000000,?,00000002,00000010,015EAA88,00000774), ref: 00488617

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(?,?,00002000,00000000,?,?,00002000,00000000,?,00000002,00000010,015EAA88,00000774), ref: 00488670
recv.WSOCK32(?,?,00002000,00000000,?,?,00002000,00000000,?,?,00002000,00000000,?,00000002,00000010,015EAA88), ref: 004886B7
mouse_event.USER32(00000800,00000000,00000000,00000000,00000000), ref: 00488743

Part of subcall function 00488F80: SetCursorPos.USER32(00000000,00000000), ref: 004890E0
Part of subcall function 00488F80: mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 004890FB
Part of subcall function 00488F80: mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 0048910A
Part of subcall function 00488F80: mouse_event.USER32(00000008,00000000,00000000,00000000,00000000), ref: 0048911B
Part of subcall function 00488F80: mouse_event.USER32(00000010,00000000,00000000,00000000,00000000), ref: 0048912A
Part of subcall function 00488F80: mouse_event.USER32(00000020,00000000,00000000,00000000,00000000), ref: 0048913B
Part of subcall function 00488F80: mouse_event.USER32(00000040,00000000,00000000,00000000,00000000), ref: 0048914A

shutdown.WSOCK32(?,00000002,00000002,00000001,00000000,00000000,00488943), ref: 00488907
closesocket.WSOCK32(?,?,00000002,00000002,00000001,00000000,00000000,00488943), ref: 00488913

Strings

XLEFT, xrefs: 004887C6
CONTROLIO, xrefs: 00488640
XRIGHT, xrefs: 0048882E
XMID, xrefs: 00488896
XWHEEL, xrefs: 00488701

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048317C, Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 191 Total matches: 13networkthread

Similarity

Total matches: 13
API ID: ExitThreadrecv$closesocketconnectgethostbynameinet_addrntohssendshutdownsocket
String ID: AI$DATAFLUX
API String ID: 321019756-425132630
Opcode ID: b7a2c89509495347fc3323384a94636a93f503423a5dcd762de1341b7d40447e
Instruction ID: d3bdd4e47b343d3b4fa6119c5e41daebd5c6236719acedab40bdc5f8245a3ecd
Opcode Fuzzy Hash: 4B214D4107AAD97AE4702A443881BA224165F535ADFD48B7147343F7D79E43205DFA4E
Instruction Fuzzy Hash: d3bdd4e47b343d3b4fa6119c5e41daebd5c6236719acedab40bdc5f8245a3ecd

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,004833A9,?,00000000,0048340F), ref: 00483247
ExitThread.KERNEL32(00000000,00000002,00000001,00000000,00000000,004833A9,?,00000000,0048340F), ref: 00483257
ntohs.WSOCK32(00000774), ref: 0048326E
inet_addr.WSOCK32(015EAA88,00000774), ref: 00483282
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 0048329A
ExitThread.KERNEL32(00000000,015EAA88,015EAA88,00000774), ref: 004832A7
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 004832C6
recv.WSOCK32(000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004832D7
ExitThread.KERNEL32(00000000,000000FF,000000FF,00000002,000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0048339A

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00000400,00000000,?,00483440,?,DATAFLUX,000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88), ref: 0048331D
send.WSOCK32(000000FF,?,00000000,00000000), ref: 0048335C
recv.WSOCK32(000000FF,?,00000400,00000000,000000FF,?,00000000,00000000), ref: 00483370
shutdown.WSOCK32(000000FF,00000002,000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00483382
closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0048338B

Strings

AI, xrefs: 00483218
DATAFLUX, xrefs: 004832E3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047F4E0, Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 295 Total matches: 16network

Similarity

Total matches: 16
API ID: recv$closesocketconnectgethostbynameinet_addrntohsshutdownsocket
String ID: [.dll]$PLUGIN$QUICKUP
API String ID: 3502134677-2029499634
Opcode ID: e0335874fa5fb0619f753044afc16a0783dc895853cb643f68a57d403a54b849
Instruction ID: e53faec40743fc20efac8ebff3967ea6891c829de5991c2041a7f36387638ce7
Opcode Fuzzy Hash: 8E4129031BAAEA76E1723F4029C2B851A62EF12635DC4C7E287F6652D65F60241DF60E
Instruction Fuzzy Hash: e53faec40743fc20efac8ebff3967ea6891c829de5991c2041a7f36387638ce7

APIs

socket.WSOCK32(00000002,00000001,00000000,?,00000000,0047F930,?,?,?,?,00000000,00000000), ref: 0047F543
ntohs.WSOCK32(00000774), ref: 0047F567
inet_addr.WSOCK32(015EAA88,00000774), ref: 0047F57B
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 0047F593
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F5BA
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F5D1
closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F8C2

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,?,0047F968,?,0047F968,?,QUICKUP,000000FF,?,00002000,00000000,000000FF,00000002), ref: 0047F63F
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,0047F968,?,0047F968,?,QUICKUP,000000FF,?), ref: 0047F66F

Part of subcall function 0047F4C0: send.WSOCK32(?,00000000,00000001,00000000), ref: 0047F4D9

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,0047F968,?,0047F968), ref: 0047F859

Part of subcall function 0048ADCC: SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0048ADF9
Part of subcall function 0048ADCC: SHGetPathFromIDListA.SHELL32(?,?,00000000,0048AE8C,?,?,00000005,?,004856FD,00000000,00485755,?,?,00000005,00000000,00000000), ref: 0048AE09

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,0047F968,?,0047F968), ref: 0047F786

Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EEA0
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF11
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EF31
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF60
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0047EF96
Part of subcall function 0047EE3C: SetFileAttributesA.KERNEL32(00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFD6
Part of subcall function 0047EE3C: DeleteFileA.KERNEL32(00000000,00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFFF
Part of subcall function 0047EE3C: CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0047F033
Part of subcall function 0047EE3C: PlaySoundA.WINMM(00000000,00000000,00000001,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047F059
Part of subcall function 0047EE3C: CopyFileA.KERNEL32(00000000,00000000,.dcp), ref: 0047F0D1

shutdown.WSOCK32(000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F8B9

Part of subcall function 00405D40: SysFreeString.OLEAUT32(?), ref: 00405D53

Strings

PLUGIN, xrefs: 0047F527
QUICKUP, xrefs: 0047F5DD
FILEEND, xrefs: 0047F7E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00489244, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 150 Total matches: 15networkthread

Similarity

Total matches: 15
API ID: recv$ExitThreadclosesocketconnectgethostbynameinet_addrntohssendshutdownsocket
String ID: AI$DATAFLUX
API String ID: 272284131-425132630
Opcode ID: 11f7e99e0a7c1cc561ab01f1b1abb0142bfc906553ec9d79ada03e9cf39adde9
Instruction ID: 4d7be339f0e68e68ccf0b59b667884dcbebc6bd1e5886c9405f519ae2503b2a6
Opcode Fuzzy Hash: DA115B4513B9A77BE0626F943842B6265236B02E3CF498B3153B83A3C6DF41146DFA4D
Instruction Fuzzy Hash: 4d7be339f0e68e68ccf0b59b667884dcbebc6bd1e5886c9405f519ae2503b2a6

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00489441), ref: 004892BA
ntohs.WSOCK32(00000774), ref: 004892DC
inet_addr.WSOCK32(015EAA88,00000774), ref: 004892F0
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 00489308
connect.WSOCK32(00000000,00000002,00000010,015EAA88,00000774), ref: 0048932C
recv.WSOCK32(00000000,?,00000400,00000000,00000000,00000002,00000010,015EAA88,00000774), ref: 00489340

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(00000000,?,00000400,00000000,?,0048946C,?,DATAFLUX,00000000,?,00000400,00000000,00000000,00000002,00000010,015EAA88), ref: 00489399
send.WSOCK32(00000000,?,00000000,00000000), ref: 004893E3
recv.WSOCK32(00000000,?,00000400,00000000,00000000,?,00000000,00000000), ref: 004893FA
shutdown.WSOCK32(00000000,00000002,00000002,00000001,00000000,00000000,00489441), ref: 00489409
closesocket.WSOCK32(00000000,00000000,00000002,00000002,00000001,00000000,00000000,00489441), ref: 0048940F
ExitThread.KERNEL32(00000000,00000000,00000000,00000002,00000002,00000001,00000000,00000000,00489441), ref: 0048941E

Strings

DATAFLUX, xrefs: 0048934C
AI, xrefs: 0048928B

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00406A68, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 139 Total matches: 2934stringlibraryfile

Similarity

Total matches: 2934
API ID: lstrcpyn$lstrlen$FindCloseFindFirstFileGetModuleHandleGetProcAddress
String ID: GetLongPathNameA$\$[FILE]
API String ID: 3661757112-3025972186
Opcode ID: 09af6d4fb3ce890a591f7b23fb756db22e1cbc03564fc0e4437be3767da6793e
Instruction ID: b14d932b19fc4064518abdddbac2846d3fd2a245794c3c1ecc53a3c556f9407d
Opcode Fuzzy Hash: 5A0148030E08E387E1775B017586F4A12A1EF41C38E98A36025F15BAC94E00300CF12F
Instruction Fuzzy Hash: b14d932b19fc4064518abdddbac2846d3fd2a245794c3c1ecc53a3c556f9407d

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,00400000,004917C0), ref: 00406A85
GetProcAddress.KERNEL32(?,GetLongPathNameA,kernel32.dll,?,00400000,004917C0), ref: 00406A9C
lstrcpynA.KERNEL32(?,?,?,?,00400000,004917C0), ref: 00406ACC
lstrcpynA.KERNEL32(?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B30

Part of subcall function 00406A48: CharNextA.USER32(?), ref: 00406A4F

lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B66
FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B79
FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B8B
lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B97
lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000), ref: 00406BCB
lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00406BD7
lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 00406BF9

Strings

GetLongPathNameA, xrefs: 00406A93
\, xrefs: 00406BA9
kernel32.dll, xrefs: 00406A80

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486E2C, Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 178 Total matches: 14networkthreadsleep

Similarity

Total matches: 14
API ID: CloseHandleCreateThreadExitThreadLocalAllocSleepacceptbindlistenntohssocket
String ID: ERR|Cannot listen to port, try another one..|$ERR|Socket error..|$OK|Successfully started..|
API String ID: 2137491959-3262568804
Opcode ID: 90fb1963c21165c4396d73d063bf7afe9f22d057a02fd569e7e66b2d14a70f73
Instruction ID: 0fda09cc725898a8dcbc65afb209be10fac5e25cc35172c883d426d9189e88b6
Opcode Fuzzy Hash: 9011D50257DC549BD5E7ACC83887FA611625F83E8CEC8BB06AB9A3B2C10E555028B652
Instruction Fuzzy Hash: 0fda09cc725898a8dcbc65afb209be10fac5e25cc35172c883d426d9189e88b6

APIs

socket.WSOCK32(00000002,00000001,00000006,00000000,00487046), ref: 00486E87
ntohs.WSOCK32(?,00000002,00000001,00000006,00000000,00487046), ref: 00486EA8
bind.WSOCK32(00000000,00000002,00000010,?,00000002,00000001,00000006,00000000,00487046), ref: 00486EBD
listen.WSOCK32(00000000,00000005,00000000,00000002,00000010,?,00000002,00000001,00000006,00000000,00487046), ref: 00486ECD

Part of subcall function 004870D4: EnterCriticalSection.KERNEL32(0049C3A8,00000000,004872FC,?,?,00000000,?,00000003,00000000,00000000,?,00486F27,00000000,?,?,00000000), ref: 00487110
Part of subcall function 004870D4: LeaveCriticalSection.KERNEL32(0049C3A8,004872E1,004872FC,?,?,00000000,?,00000003,00000000,00000000,?,00486F27,00000000,?,?,00000000), ref: 004872D4

accept.WSOCK32(00000000,?,00000010,00000000,?,?,00000000,00000000,00000005,00000000,00000002,00000010,?,00000002,00000001,00000006), ref: 00486F37
LocalAlloc.KERNEL32(00000040,00000010,00000000,?,00000010,00000000,?,?,00000000,00000000,00000005,00000000,00000002,00000010,?,00000002), ref: 00486F49
CreateThread.KERNEL32(00000000,00000000,Function_00086918,00000000,00000000,?), ref: 00486F83
CloseHandle.KERNEL32(00000000), ref: 00486F89
Sleep.KERNEL32(00000064,00000000,00000000,00000000,Function_00086918,00000000,00000000,?,00000040,00000010,00000000,?,00000010,00000000,?,?), ref: 00486FD0

Part of subcall function 00487488: EnterCriticalSection.KERNEL32(0049C3A8,00000000,00487671,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00487016), ref: 004874B5
Part of subcall function 00487488: closesocket.WSOCK32(00000000,FpH,?,?,?,?,0049C3A8,00000000,00487671,?,?,00000000,?,00000000,00000000,00000000), ref: 0048761C
Part of subcall function 00487488: LeaveCriticalSection.KERNEL32(0049C3A8,00487656,00487671,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00487016), ref: 00487649

ExitThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000010,?,00000002,00000001,00000006,00000000,00487046), ref: 00487018

Strings

ERR|Socket error..|, xrefs: 00486FA4
OK|Successfully started..|, xrefs: 00486EEF
ERR|Cannot listen to port, try another one..|, xrefs: 00486FEE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048298C, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 119 Total matches: 11threadnetwork

Similarity

Total matches: 11
API ID: ExitThread$closesocket$connectgethostbynameinet_addrntohssocket
String ID: PortScanAdd$T)H
API String ID: 2395914352-1310557750
Opcode ID: 6c3104e507475618e3898607272650a69bca6dc046555386402c23f344340102
Instruction ID: 72399fd579b68a6a0bb22d5de318f24183f317e071505d54d2110904ee01d501
Opcode Fuzzy Hash: 1101680197ABE83FA05261C43881B8224A9AF57288CC8AFB2433A3E7C35D04300EF785
Instruction Fuzzy Hash: 72399fd579b68a6a0bb22d5de318f24183f317e071505d54d2110904ee01d501

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 004829FE
ExitThread.KERNEL32(00000000,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A0C
ntohs.WSOCK32(?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A18
inet_addr.WSOCK32(00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A2A
gethostbyname.WSOCK32(00000000,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A40
ExitThread.KERNEL32(00000000,00000000,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A4D
connect.WSOCK32(00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A63
ExitThread.KERNEL32(00000000,00000000,00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482AB2

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

closesocket.WSOCK32(00000000,?,00482B30,?,PortScanAdd,00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1), ref: 00482A9C
ExitThread.KERNEL32(00000000,00000000,?,00482B30,?,PortScanAdd,00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1), ref: 00482AA3
closesocket.WSOCK32(00000000,00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482AAB

Strings

T)H, xrefs: 004829A6, 00482AEF
PortScanAdd, xrefs: 00482A6C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004836D8, Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 99 Total matches: 11threadnetworksleep

Similarity

Total matches: 11
API ID: ExitThread$Sleepclosesocketconnectgethostbynameinet_addrntohsrecvsocket
String ID: POST /index.php/1.0Host:
API String ID: 2628901859-3522423011
Opcode ID: b04dd301db87c41df85ba2753455f3376e44383b7eb4be01a122875681284b07
Instruction ID: dc3bae1cbba1b9e51a9e3778eeee895e0839b03ccea3d6e2fe0063a405e053e2
Opcode Fuzzy Hash: E6F044005B779ABFC4611EC43C51B8205AA9353A64F85ABE2867A3AED6AD25100FF641
Instruction Fuzzy Hash: dc3bae1cbba1b9e51a9e3778eeee895e0839b03ccea3d6e2fe0063a405e053e2

APIs

socket.WSOCK32(00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 0048373A
ExitThread.KERNEL32(00000000,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 00483747
inet_addr.WSOCK32(?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 00483762
ntohs.WSOCK32(00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 0048376B
gethostbyname.WSOCK32(?,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 0048377B
ExitThread.KERNEL32(00000000,?,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 00483788
connect.WSOCK32(00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 0048379E
ExitThread.KERNEL32(00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 004837A9

Part of subcall function 00475F68: send.WSOCK32(?,00000000,?,00000000,00000000,00475FCA), ref: 00475FAF

recv.WSOCK32(00000000,?,00000400,00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ), ref: 004837C7
Sleep.KERNEL32(000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000,?), ref: 004837DF
closesocket.WSOCK32(00000000,000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000), ref: 004837E5
ExitThread.KERNEL32(00000000,00000000,000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854), ref: 004837EC

Strings

POST /index.php/1.0Host: , xrefs: 00483708

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482630, Relevance: 18.1, APIs: 12, Instructions: 116 Total matches: 16threadnetworksleep

Similarity

Total matches: 16
API ID: ExitThread$Sleepclosesocketconnectgethostbynameinet_addrntohsrecvsocket
String ID:
API String ID: 2628901859-0
Opcode ID: a3aaf1e794ac1aa69d03c8f9e66797259df72f874d13839bb17dd00c6b42194d
Instruction ID: ff6d9d03150e41bc14cdbddfb540e41f41725cc753a621d047e760d4192c390a
Opcode Fuzzy Hash: 7801D0011B764DBFC4611E846C8239311A7A763899DC5EBB1433A395D34E00202DFE46
Instruction Fuzzy Hash: ff6d9d03150e41bc14cdbddfb540e41f41725cc753a621d047e760d4192c390a

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000000,004827A8), ref: 004826CB
ExitThread.KERNEL32(00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 004826D8
inet_addr.WSOCK32(00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 004826F3
ntohs.WSOCK32(00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 004826FC
gethostbyname.WSOCK32(00000000,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 0048270C
ExitThread.KERNEL32(00000000,00000000,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 00482719
connect.WSOCK32(00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 0048272F
ExitThread.KERNEL32(00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 0048273A

Part of subcall function 004824B0: send.WSOCK32(?,?,00000400,00000000,00000000,00482542), ref: 00482525

recv.WSOCK32(00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 00482758
Sleep.KERNEL32(000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 00482770
closesocket.WSOCK32(00000000,000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000), ref: 00482776
ExitThread.KERNEL32(00000000,00000000,000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?), ref: 0048277D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004821A0, Relevance: 15.1, APIs: 10, Instructions: 112 Total matches: 15threadnetworksleep

Similarity

Total matches: 15
API ID: ExitThread$Sleepclosesocketgethostbynameinet_addrntohssendtosocket
String ID:
API String ID: 1359030137-0
Opcode ID: 9f2e935b6ee09f04cbe2534d435647e5a9c7a25d7308ce71f3340d3606cd1e00
Instruction ID: ac1de70ce42b68397a6b2ea81eb33c5fd22f812bdd7d349b67f520e68fdd8bef
Opcode Fuzzy Hash: BC0197011B76997BD8612EC42C8335325A7E363498E85ABB2863A3A5C34E00303EFD4A
Instruction Fuzzy Hash: ac1de70ce42b68397a6b2ea81eb33c5fd22f812bdd7d349b67f520e68fdd8bef

APIs

socket.WSOCK32(00000002,00000002,00000000,?,00000000,00482302), ref: 0048223B
ExitThread.KERNEL32(00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 00482248
inet_addr.WSOCK32(00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 00482263
ntohs.WSOCK32(00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 0048226C
gethostbyname.WSOCK32(00000000,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 0048227C
ExitThread.KERNEL32(00000000,00000000,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 00482289
sendto.WSOCK32(00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 004822B2
Sleep.KERNEL32(000003E8,00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 004822CA
closesocket.WSOCK32(00000000,000003E8,00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 004822D0
ExitThread.KERNEL32(00000000,00000000,000003E8,00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000), ref: 004822D7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00458910, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64 Total matches: 3020window

Similarity

Total matches: 3020
API ID: GetWindowLongScreenToClient$GetWindowPlacementGetWindowRectIsIconic
String ID: ,
API String ID: 816554555-3772416878
Opcode ID: 33713ad712eb987f005f3c933c072ce84ce87073303cb20338137d5b66c4d54f
Instruction ID: 99fb2dd3f2d8984d329dcc6a20dc6bc7800d43894b91fc45d581d88d3a180e50
Opcode Fuzzy Hash: 34E0929A777C2018C58145A80943F5DB3519B5B7FAC55DF8036902895B110018B1B86D
Instruction Fuzzy Hash: 99fb2dd3f2d8984d329dcc6a20dc6bc7800d43894b91fc45d581d88d3a180e50

APIs

IsIconic.USER32(?), ref: 0045891F
GetWindowPlacement.USER32(?,0000002C), ref: 0045893C
GetWindowRect.USER32(?), ref: 00458955
GetWindowLongA.USER32(?,000000F0), ref: 00458963
GetWindowLongA.USER32(?,000000F8), ref: 00458978
ScreenToClient.USER32(00000000), ref: 00458985
ScreenToClient.USER32(00000000,?), ref: 00458990

Strings

,, xrefs: 00458928

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043B7D8, Relevance: 12.1, APIs: 8, Instructions: 72 Total matches: 256window

Similarity

Total matches: 256
API ID: ShowWindow$SetWindowLong$GetWindowLongIsIconicIsWindowVisible
String ID:
API String ID: 1329766111-0
Opcode ID: 851ee31c2da1c7e890e66181f8fd9237c67ccb8fd941b2d55d1428457ca3ad95
Instruction ID: 2d601e2c9dde570a1438639cb57e59d23a7ac9434ebe8ec1c9926e4533b8e8e7
Opcode Fuzzy Hash: FEE0684A6E7C6CE4E26AE7048881B00514BE307A17DC00B00C722165A69E8830E4AC8E
Instruction Fuzzy Hash: 2d601e2c9dde570a1438639cb57e59d23a7ac9434ebe8ec1c9926e4533b8e8e7

APIs

GetWindowLongA.USER32(?,000000EC), ref: 0043B7E8
IsIconic.USER32(?), ref: 0043B800
IsWindowVisible.USER32(?), ref: 0043B80C
ShowWindow.USER32(?,00000000), ref: 0043B840
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B855
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B866
ShowWindow.USER32(?,00000006), ref: 0043B881
ShowWindow.USER32(?,00000005), ref: 0043B88B

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004389B4, Relevance: 10.9, APIs: 7, Instructions: 405 Total matches: 2150windowCrypto

Similarity

Total matches: 2150
API ID: RestoreDCSaveDC$DefWindowProcGetSubMenuGetWindowDC
String ID:
API String ID: 4165311318-0
Opcode ID: e3974ea3235f2bde98e421c273a503296059dbd60f3116d5136c6e7e7c4a4110
Instruction ID: 37498faecac08611daeb58a409bdd2e28f3aff22c71556953c3d6c7203dc42a1
Opcode Fuzzy Hash: E351598106AE105BFCB3A49435C3FA31002E75259BCC9F7725F65B69F70A426107FA0E
Instruction Fuzzy Hash: 37498faecac08611daeb58a409bdd2e28f3aff22c71556953c3d6c7203dc42a1

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 00438ECA

Part of subcall function 00437AE0: SendMessageA.USER32(?,00000234,00000000,00000000), ref: 00437B66
Part of subcall function 00437AE0: DrawMenuBar.USER32(00000000), ref: 00437B77

GetSubMenu.USER32(?,?), ref: 00438AB0

Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128

SaveDC.GDI32(?), ref: 00438C84
RestoreDC.GDI32(?,?), ref: 00438CF8
GetWindowDC.USER32(?), ref: 00438D72
SaveDC.GDI32(?), ref: 00438DA9
RestoreDC.GDI32(?,?), ref: 00438E16

Part of subcall function 00438594: GetMenuItemCount.USER32(?), ref: 004385C0
Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 004385E0
Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 00438678

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043E644, Relevance: 10.9, APIs: 7, Instructions: 356 Total matches: 105windowCrypto

Similarity

Total matches: 105
API ID: RestoreDCSaveDC$GetParentGetWindowDCSetFocus
String ID:
API String ID: 1433148327-0
Opcode ID: c7c51054c34f8cc51c1d37cc0cdfc3fb3cac56433bd5d750a0ee7df42f9800ec
Instruction ID: 9e67841575b56d9a11e2d3f15b67e7abce699d8469a9871b1b2609441fc85f19
Opcode Fuzzy Hash: 60514740199E7193F47720842BC3BEAB09AF79671DC40F3616BC6318877F15A21AB70B
Instruction Fuzzy Hash: 9e67841575b56d9a11e2d3f15b67e7abce699d8469a9871b1b2609441fc85f19

APIs

Part of subcall function 00448224: SetActiveWindow.USER32(?), ref: 0044823F
Part of subcall function 00448224: SetFocus.USER32(00000000), ref: 00448289

SetFocus.USER32(00000000), ref: 0043E76F

Part of subcall function 0043F4F4: SendMessageA.USER32(00000000,00000229,00000000,00000000), ref: 0043F51B

Part of subcall function 0044D2F4: GetWindowThreadProcessId.USER32(?), ref: 0044D301
Part of subcall function 0044D2F4: GetCurrentProcessId.KERNEL32(?,00000000,?,004387ED,?,004378A9), ref: 0044D30A
Part of subcall function 0044D2F4: GlobalFindAtomA.KERNEL32(00000000), ref: 0044D31F
Part of subcall function 0044D2F4: GetPropA.USER32(?,00000000), ref: 0044D336

GetParent.USER32(?), ref: 0043E78A

Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128

SaveDC.GDI32(?), ref: 0043E92D
RestoreDC.GDI32(?,?), ref: 0043E99E
GetWindowDC.USER32(00000000), ref: 0043EA0A
SaveDC.GDI32(?), ref: 0043EA41
RestoreDC.GDI32(?,?), ref: 0043EAA5

Part of subcall function 00447EF0: InvalidateRect.USER32(00000000,00000000,000000FF), ref: 00447F83
Part of subcall function 00447EF0: InvalidateRect.USER32(00000000,00000000,000000FF), ref: 00447FB6

Part of subcall function 004556F4: SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000077), ref: 004557E5
Part of subcall function 004556F4: _TrackMouseEvent.COMCTL32(00000010), ref: 00455A9D
Part of subcall function 004556F4: DefWindowProcA.USER32(00000000,?,?,?), ref: 00455AEF
Part of subcall function 004556F4: GetCapture.USER32 ref: 00455B5A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00471850, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 97 Total matches: 34service

Similarity

Total matches: 34
API ID: CloseServiceHandle$CreateServiceOpenSCManager
String ID: Description$System\CurrentControlSet\Services\
API String ID: 2405299899-3489731058
Opcode ID: 96e252074fe1f6aca618bd4c8be8348df4b99afc93868a54bf7090803d280f0a
Instruction ID: 14b9cf690ce9596509c6229b802a5a61d158de39c8e329de654368bbb4824ff8
Opcode Fuzzy Hash: 7EF09E441FA6E84FA45EB84828533D651465713A78D4C77F19778379C34E84802EF662
Instruction Fuzzy Hash: 14b9cf690ce9596509c6229b802a5a61d158de39c8e329de654368bbb4824ff8

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,00471976,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00471890
CreateServiceA.ADVAPI32(00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,0047193B), ref: 004718D1

Part of subcall function 004711E8: RegCreateKeyA.ADVAPI32(?,00000000,?), ref: 0047122E
Part of subcall function 004711E8: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000002,00000000,?,00000000,00471291), ref: 0047125A
Part of subcall function 004711E8: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000002,00000000,?,00000000,00471291), ref: 00471269

CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00471926
CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0047192C

Strings

Description, xrefs: 00471916
System\CurrentControlSet\Services\, xrefs: 004718F7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004714B8, Relevance: 10.6, APIs: 7, Instructions: 89 Total matches: 71service

Similarity

Total matches: 71
API ID: CloseServiceHandle$ControlServiceOpenSCManagerOpenServiceQueryServiceStatusStartService
String ID:
API String ID: 3657116338-0
Opcode ID: 1e9d444eec48d0e419340f6fec950ff588b94c8e7592a950f99d2ba7664d31f8
Instruction ID: f731b938185626ba78ad74946a73eac4c40bc8709c87a2b6d5c22da45b1e1850
Opcode Fuzzy Hash: EDF0270D12C6E85FF119A88C1181B67D992DF56795E4A37E04715744CB1AE21008FA1E
Instruction Fuzzy Hash: f731b938185626ba78ad74946a73eac4c40bc8709c87a2b6d5c22da45b1e1850

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047159E), ref: 004714FD
OpenServiceA.ADVAPI32(00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047152D
StartServiceA.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471555
ControlService.ADVAPI32(00000000,00000001,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471563
QueryServiceStatus.ADVAPI32(00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047156D
CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471573
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471579

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A070, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51 Total matches: 81shutdown

Similarity

Total matches: 81
API ID: AdjustTokenPrivilegesExitWindowsExGetCurrentProcessLookupPrivilegeValueOpenProcessToken
String ID: SeShutdownPrivilege
API String ID: 907618230-3733053543
Opcode ID: 6325c351eeb4cc5a7ec0039467aea46e8b54e3429b17674810d590d1af91e24f
Instruction ID: 66577e1e564058a64f67eda116e8e082f314cb3670dbe1b8773e92ba7f33d392
Opcode Fuzzy Hash: 84D0124D3B7976B1F31D5D4001C47A6711FDBA322AD61670069507725A8DA091F4BE88
Instruction Fuzzy Hash: 66577e1e564058a64f67eda116e8e082f314cb3670dbe1b8773e92ba7f33d392

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 0048A083
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0048A089
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000000), ref: 0048A0A4
AdjustTokenPrivileges.ADVAPI32(00000002,00000000,00000002,00000010,?,?,00000000), ref: 0048A0E5
ExitWindowsEx.USER32(00000012,00000000), ref: 0048A0ED

Strings

SeShutdownPrivilege, xrefs: 0048A09D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E370, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 46 Total matches: 14window

Similarity

Total matches: 14
API ID: GetWindowPlacementGetWindowRectIsIconic
String ID: MonitorFromWindow$pB
API String ID: 1187573753-2555291889
Opcode ID: b2662cef33c9ce970c581efdfdde34e0c8b40e940518fa378c404c4b73bde14f
Instruction ID: 5a6b2a18135ea14e651d4e6cb58f3d6b41c3321aed1c605d56f3d84144375520
Opcode Fuzzy Hash: E2D0977303280A045DC34844302880B2A322AD3C3188C3FE182332B3D34B8630BCCF1D
Instruction Fuzzy Hash: 5a6b2a18135ea14e651d4e6cb58f3d6b41c3321aed1c605d56f3d84144375520

APIs

IsIconic.USER32(?), ref: 0042E3B9
GetWindowPlacement.USER32(?,?), ref: 0042E3C7
GetWindowRect.USER32(?,?), ref: 0042E3D3

Part of subcall function 0042E2E0: GetSystemMetrics.USER32(00000000), ref: 0042E331
Part of subcall function 0042E2E0: GetSystemMetrics.USER32(00000001), ref: 0042E33D

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

pB, xrefs: 0042E38C, 0042E399, 0042E3A0
MonitorFromWindow, xrefs: 0042E387

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004715B0, Relevance: 7.5, APIs: 5, Instructions: 49 Total matches: 102service

Similarity

Total matches: 102
API ID: CloseServiceHandle$DeleteServiceOpenSCManagerOpenService
String ID:
API String ID: 3460840894-0
Opcode ID: edfa3289dfdb26ec1f91a4a945de349b204e0a604ed3354c303b362bde8b8223
Instruction ID: 514bcffe4070602af344c66095507f6a8d55ec3e3e7bb18c804bf3b7deea95f5
Opcode Fuzzy Hash: 01D02E841BA8F82FD4879988111239360C1AA23A90D8A37F08E08361D3ABE4004CF86A
Instruction Fuzzy Hash: 514bcffe4070602af344c66095507f6a8d55ec3e3e7bb18c804bf3b7deea95f5

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047162F), ref: 004715DB
OpenServiceA.ADVAPI32(00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 004715F5
DeleteService.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471601
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 0047160E
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471614

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474D58, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 57 Total matches: 14memoryinjection

Similarity

Total matches: 14
API ID: VirtualAllocExWriteProcessMemory
String ID: DCPERSFWBP$[FILE]
API String ID: 1899012086-3297815924
Opcode ID: 423b64deca3bc68d45fc180ef4fe9512244710ab636da43375ed106f5e876429
Instruction ID: 67bfdac44fec7567ab954589a4a4ae8848f6352de5e33de26bc6a5b7174d46b5
Opcode Fuzzy Hash: 4BD02B4149BDE17FF94C78C4A85678341A7D3173DCE802F51462633086CD94147EFCA2
Instruction Fuzzy Hash: 67bfdac44fec7567ab954589a4a4ae8848f6352de5e33de26bc6a5b7174d46b5

APIs

VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?,00000000,00000000,00000000,?,004755A7), ref: 00474D98
WriteProcessMemory.KERNEL32(?,00000000,kernel32.dll,?,?,?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?), ref: 00474DBE

Strings

DCPERSFWBP, xrefs: 00474D63
kernel32.dll, xrefs: 00474DBB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00466038, Relevance: 6.1, APIs: 4, Instructions: 80 Total matches: 74memory

Similarity

Total matches: 74
API ID: FreeLibraryGetProcessHeapHeapFreeVirtualFree
String ID:
API String ID: 3842653680-0
Opcode ID: 18c634abe08efcbefc55c9db1d620b030a08f63fe7277eb6ecf1dfb863243027
Instruction ID: c74000fe1f08e302fb3e428a7eb38cba65dd626a731774cc3da5921c0d19fb8b
Opcode Fuzzy Hash: 05E06801058482C6E4EC38C40607F0867817F8B269D70AB2809F62E7F7C985A25D5E80
Instruction Fuzzy Hash: c74000fe1f08e302fb3e428a7eb38cba65dd626a731774cc3da5921c0d19fb8b

APIs

FreeLibrary.KERNEL32(00000000,?,?,00000000,?,00000000,00465C6C), ref: 004660A7
VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,?,00000000,00465C6C), ref: 004660D8
GetProcessHeap.KERNEL32(00000000,?,?,?,00000000,?,00000000,00465C6C), ref: 004660E0
HeapFree.KERNEL32(00000000,00000000,?), ref: 004660E6

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A218, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45 Total matches: 35

Similarity

Total matches: 35
API ID: ShellExecuteEx
String ID: <$runas
API String ID: 188261505-1187129395
Opcode ID: 78fd917f465efea932f782085a819b786d64ecbded851ad2becd4a9c2b295cba
Instruction ID: 699417cfffd9d2823bf050fc300394e0ca4864bf277244f982f3937778f2d3bc
Opcode Fuzzy Hash: 44D0C2651799A06BC4A3B2C03C41B2B25307B13B48C0EB722960034CD38F080009EF85
Instruction Fuzzy Hash: 699417cfffd9d2823bf050fc300394e0ca4864bf277244f982f3937778f2d3bc

APIs

ShellExecuteExA.SHELL32(0000003C,00000000,0048A2A4), ref: 0048A283

Strings

runas, xrefs: 0048A268
<, xrefs: 0048A24C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00471640, Relevance: 4.6, APIs: 3, Instructions: 140 Total matches: 47service

Similarity

Total matches: 47
API ID: CloseServiceHandleEnumServicesStatusOpenSCManager
String ID:
API String ID: 233299287-0
Opcode ID: 185c547a2e6a35dbb7ea54b3dd23c7efef250d35a63269c87f9c499be03b9b38
Instruction ID: 4325fe5331610a1e4ee3b19dd885bf5302e7ab4f054d8126da991c50fe425a8d
Opcode Fuzzy Hash: D3112647077BC223FB612D841803F8279D84B1AA24F8C4B458BB5BC6F61E490105F69D
Instruction Fuzzy Hash: 4325fe5331610a1e4ee3b19dd885bf5302e7ab4f054d8126da991c50fe425a8d

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000005,00000000,00471828), ref: 004716A2
EnumServicesStatusA.ADVAPI32(00000000,0000013F,00000003,?,00004800,?,?,?), ref: 004716DC

Part of subcall function 004714B8: OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047159E), ref: 004714FD
Part of subcall function 004714B8: OpenServiceA.ADVAPI32(00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047152D
Part of subcall function 004714B8: StartServiceA.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471555
Part of subcall function 004714B8: ControlService.ADVAPI32(00000000,00000001,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471563
Part of subcall function 004714B8: QueryServiceStatus.ADVAPI32(00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047156D
Part of subcall function 004714B8: CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471573
Part of subcall function 004714B8: CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471579

CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000005,00000000,00471828), ref: 00471805

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042F204, Relevance: 166.5, APIs: 48, Strings: 47, Instructions: 266 Total matches: 2590libraryloader

Similarity

Total matches: 2590
API ID: GetProcAddress$LoadLibrary
String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$[FILE]
API String ID: 2209490600-790253602
Opcode ID: d5b316937265a1d63c550ac9e6780b23ae603b9b00a4eb52bbd2495b45327185
Instruction ID: cdd6db89471e363eb0c024dafd59dce8bdfa3de864d9ed8bc405e7c292d3cab1
Opcode Fuzzy Hash: 3A41197F44EC1149F6A0DA0830FF64324E669EAF2C0325F101587303717ADBF52A6AB9
Instruction Fuzzy Hash: cdd6db89471e363eb0c024dafd59dce8bdfa3de864d9ed8bc405e7c292d3cab1

APIs

LoadLibraryA.KERNEL32(uxtheme.dll), ref: 0042F23A
GetProcAddress.KERNEL32(00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F252
GetProcAddress.KERNEL32(00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F264
GetProcAddress.KERNEL32(00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F276
GetProcAddress.KERNEL32(00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F288
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F29A
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F2AC
GetProcAddress.KERNEL32(00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000), ref: 0042F2BE
GetProcAddress.KERNEL32(00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData), ref: 0042F2D0
GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData), ref: 0042F2E2
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground), ref: 0042F2F4
GetProcAddress.KERNEL32(00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText), ref: 0042F306
GetProcAddress.KERNEL32(00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect), ref: 0042F318
GetProcAddress.KERNEL32(00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect), ref: 0042F32A
GetProcAddress.KERNEL32(00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize), ref: 0042F33C
GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent), ref: 0042F34E
GetProcAddress.KERNEL32(00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics), ref: 0042F360
GetProcAddress.KERNEL32(00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion), ref: 0042F372
GetProcAddress.KERNEL32(00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground), ref: 0042F384
GetProcAddress.KERNEL32(00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge), ref: 0042F396
GetProcAddress.KERNEL32(00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon), ref: 0042F3A8
GetProcAddress.KERNEL32(00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined), ref: 0042F3BA
GetProcAddress.KERNEL32(00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent), ref: 0042F3CC
GetProcAddress.KERNEL32(00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor), ref: 0042F3DE
GetProcAddress.KERNEL32(00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric), ref: 0042F3F0
GetProcAddress.KERNEL32(00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString), ref: 0042F402
GetProcAddress.KERNEL32(00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool), ref: 0042F414
GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt), ref: 0042F426
GetProcAddress.KERNEL32(00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue), ref: 0042F438
GetProcAddress.KERNEL32(00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition), ref: 0042F44A
GetProcAddress.KERNEL32(00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont), ref: 0042F45C
GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect), ref: 0042F46E
GetProcAddress.KERNEL32(00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins), ref: 0042F480
GetProcAddress.KERNEL32(00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList), ref: 0042F492
GetProcAddress.KERNEL32(00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin), ref: 0042F4A4
GetProcAddress.KERNEL32(00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme), ref: 0042F4B6
GetProcAddress.KERNEL32(00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename), ref: 0042F4C8
GetProcAddress.KERNEL32(00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor), ref: 0042F4DA
GetProcAddress.KERNEL32(00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush), ref: 0042F4EC
GetProcAddress.KERNEL32(00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool), ref: 0042F4FE
GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize), ref: 0042F510
GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont), ref: 0042F522
GetProcAddress.KERNEL32(00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString), ref: 0042F534
GetProcAddress.KERNEL32(00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt), ref: 0042F546
GetProcAddress.KERNEL32(00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive), ref: 0042F558
GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed), ref: 0042F56A
GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground,00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme), ref: 0042F57C
GetProcAddress.KERNEL32(00000000,EnableTheming,00000000,DrawThemeParentBackground,00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture), ref: 0042F58E

Strings

EnableTheming, xrefs: 0042F586
CloseThemeData, xrefs: 0042F25C
DrawThemeText, xrefs: 0042F280
GetThemePosition, xrefs: 0042F3C4
IsThemeBackgroundPartiallyTransparent, xrefs: 0042F346
GetThemeBool, xrefs: 0042F38E
GetThemeTextMetrics, xrefs: 0042F2DA
IsThemeDialogTextureEnabled, xrefs: 0042F51A
GetThemeMetric, xrefs: 0042F36A
GetThemeSysInt, xrefs: 0042F4C0
GetThemeInt, xrefs: 0042F3A0
SetThemeAppProperties, xrefs: 0042F53E
IsAppThemed, xrefs: 0042F4E4
EnableThemeDialogTexture, xrefs: 0042F508
GetThemeEnumValue, xrefs: 0042F3B2
GetThemeSysSize, xrefs: 0042F48A
GetThemeTextExtent, xrefs: 0042F2C8
DrawThemeBackground, xrefs: 0042F26E
GetThemeBackgroundRegion, xrefs: 0042F2EC
IsThemeActive, xrefs: 0042F4D2
GetThemeBackgroundContentRect, xrefs: 0042F292, 0042F2A4
uxtheme.dll, xrefs: 0042F235
GetThemeSysString, xrefs: 0042F4AE
DrawThemeEdge, xrefs: 0042F310
GetThemeFilename, xrefs: 0042F442
GetThemeIntList, xrefs: 0042F40C
GetThemeSysBool, xrefs: 0042F478
GetThemeSysColor, xrefs: 0042F454
GetThemeFont, xrefs: 0042F3D6
GetWindowTheme, xrefs: 0042F4F6
GetThemeMargins, xrefs: 0042F3FA
GetThemeSysColorBrush, xrefs: 0042F466
GetCurrentThemeName, xrefs: 0042F550
GetThemeAppProperties, xrefs: 0042F52C
GetThemePropertyOrigin, xrefs: 0042F41E
OpenThemeData, xrefs: 0042F24A
GetThemeSysFont, xrefs: 0042F49C
GetThemeRect, xrefs: 0042F3E8
GetThemeDocumentationProperty, xrefs: 0042F562
IsThemePartDefined, xrefs: 0042F334
SetWindowTheme, xrefs: 0042F430
GetThemePartSize, xrefs: 0042F2B6
GetThemeColor, xrefs: 0042F358
DrawThemeParentBackground, xrefs: 0042F574
DrawThemeIcon, xrefs: 0042F322
GetThemeString, xrefs: 0042F37C
HitTestThemeBackground, xrefs: 0042F2FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004754C4, Relevance: 87.7, APIs: 29, Strings: 21, Instructions: 233 Total matches: 21libraryloaderprocess

Similarity

Total matches: 21
API ID: GetModuleHandleGetProcAddress$CreateProcess
String ID: CloseHandle$CreateMutexA$CreateProcessA$D$DCPERSFWBP$ExitThread$GetExitCodeProcess$GetLastError$GetProcAddress$LoadLibraryA$MessageBoxA$OpenProcess$SetLastError$Sleep$TerminateProcess$WaitForSingleObject$kernel32$[FILE]$notepad$user32$[FILE]
API String ID: 3751337051-3523759359
Opcode ID: 948186da047cc935dcd349cc6fe59913c298c2f7fe37e158e253dfef2729ac1f
Instruction ID: 4cc698827aad1f96db961776656dbb42e561cfa105640199e72939f2d3a7da76
Opcode Fuzzy Hash: 0C31B4E666B8F349E6362E4830D46BC26C1A687F3DB52D7004A37B27C46E810407F776
Instruction Fuzzy Hash: 4cc698827aad1f96db961776656dbb42e561cfa105640199e72939f2d3a7da76

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 00475590

Part of subcall function 00474D58: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?,00000000,00000000,00000000,?,004755A7), ref: 00474D98
Part of subcall function 00474D58: WriteProcessMemory.KERNEL32(?,00000000,kernel32.dll,?,?,?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?), ref: 00474DBE

GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756B4
GetProcAddress.KERNEL32(00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756BA
GetModuleHandleA.KERNEL32(kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756CB
GetProcAddress.KERNEL32(00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756D1
GetModuleHandleA.KERNEL32(kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756E3
GetProcAddress.KERNEL32(00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 004756E9
GetModuleHandleA.KERNEL32(user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 004756FB
GetProcAddress.KERNEL32(00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 00475701
GetModuleHandleA.KERNEL32(kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 00475713
GetProcAddress.KERNEL32(00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000), ref: 00475719
GetModuleHandleA.KERNEL32(kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32), ref: 0047572B
GetProcAddress.KERNEL32(00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000), ref: 00475731
GetModuleHandleA.KERNEL32(kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32), ref: 00475743
GetProcAddress.KERNEL32(00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000), ref: 00475749
GetModuleHandleA.KERNEL32(kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32), ref: 0047575B
GetProcAddress.KERNEL32(00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000), ref: 00475761
GetModuleHandleA.KERNEL32(kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32), ref: 00475773
GetProcAddress.KERNEL32(00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000), ref: 00475779
GetModuleHandleA.KERNEL32(kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32), ref: 0047578B
GetProcAddress.KERNEL32(00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000), ref: 00475791
GetModuleHandleA.KERNEL32(kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32), ref: 004757A3
GetProcAddress.KERNEL32(00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000), ref: 004757A9
GetModuleHandleA.KERNEL32(kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32), ref: 004757BB
GetProcAddress.KERNEL32(00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000), ref: 004757C1
GetModuleHandleA.KERNEL32(kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32), ref: 004757D3
GetProcAddress.KERNEL32(00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000), ref: 004757D9
GetModuleHandleA.KERNEL32(kernel32,OpenProcess,00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32), ref: 004757EB
GetProcAddress.KERNEL32(00000000,kernel32,OpenProcess,00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000), ref: 004757F1

Part of subcall function 00474E20: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00474E5E
Part of subcall function 00474E20: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00474E6E
Part of subcall function 00474E20: ReadProcessMemory.KERNEL32(?,00000000,?,?,?,DCPERSFWBP,?,?), ref: 00474E81

Part of subcall function 0040F234: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0048F90F,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040F24B

Strings

ExitThread, xrefs: 00475622, 00475799
kernel32, xrefs: 004756AF, 004756C6, 004756DE, 0047570E, 00475726, 0047573E, 00475756, 0047576E, 00475786, 0047579E, 004757B6, 004757CE, 004757E6
GetProcAddress, xrefs: 004756C1
TerminateProcess, xrefs: 0047564C, 004757B1
notepad, xrefs: 00475543
CreateMutexA, xrefs: 00475604, 00475769
kernel32.dll, xrefs: 0047559B
user32.dll, xrefs: 004755AA
SetLastError, xrefs: 004755F5, 00475751
D, xrefs: 00475517
DCPERSFWBP, xrefs: 00475563
Sleep, xrefs: 004755B9, 004756D9
GetExitCodeProcess, xrefs: 0047565B, 00475781
user32, xrefs: 004756F6
WaitForSingleObject, xrefs: 0047567E, 004757C9
LoadLibraryA, xrefs: 004756AA
OpenProcess, xrefs: 00475631, 004757E1
MessageBoxA, xrefs: 004755C8, 004756F1
CreateProcessA, xrefs: 004755D7, 00475721
GetLastError, xrefs: 004755E6, 00475739
CloseHandle, xrefs: 00475613, 00475709

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00460DDC, Relevance: 75.4, APIs: 24, Strings: 19, Instructions: 132 Total matches: 77libraryloader

Similarity

Total matches: 77
API ID: GetProcAddress$LoadLibrary
String ID: EmptyWorkingSet$EnumDeviceDrivers$EnumProcessModules$EnumProcesses$GetDeviceDriverBaseNameA$GetDeviceDriverBaseNameW$GetDeviceDriverFileNameA$GetDeviceDriverFileNameW$GetMappedFileNameA$GetMappedFileNameW$GetModuleBaseNameA$GetModuleBaseNameW$GetModuleFileNameExA$GetModuleFileNameExW$GetModuleInformation$GetProcessMemoryInfo$InitializeProcessForWsWatch$[FILE]$QueryWorkingSet
API String ID: 2209490600-4166134900
Opcode ID: aaefed414f62a40513f9ac2234ba9091026a29d00b8defe743cdf411cc1f958a
Instruction ID: 585c55804eb58d57426aaf25b5bf4c27b161b10454f9e43d23d5139f544de849
Opcode Fuzzy Hash: CC1125BF55AD1149CBA48A6C34EF70324D3399A90D4228F10A492317397DDFE49A1FB5
Instruction Fuzzy Hash: 585c55804eb58d57426aaf25b5bf4c27b161b10454f9e43d23d5139f544de849

APIs

LoadLibraryA.KERNEL32(PSAPI.dll), ref: 00460DF0
GetProcAddress.KERNEL32(00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E0C
GetProcAddress.KERNEL32(00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E1E
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E30
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E42
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E54
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E66
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll), ref: 00460E78
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses), ref: 00460E8A
GetProcAddress.KERNEL32(00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules), ref: 00460E9C
GetProcAddress.KERNEL32(00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA), ref: 00460EAE
GetProcAddress.KERNEL32(00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA), ref: 00460EC0
GetProcAddress.KERNEL32(00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA), ref: 00460ED2
GetProcAddress.KERNEL32(00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA), ref: 00460EE4
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW), ref: 00460EF6
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW), ref: 00460F08
GetProcAddress.KERNEL32(00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation), ref: 00460F1A
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet), ref: 00460F2C
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet), ref: 00460F3E
GetProcAddress.KERNEL32(00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch), ref: 00460F50
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA), ref: 00460F62
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA), ref: 00460F74
GetProcAddress.KERNEL32(00000000,EnumDeviceDrivers,00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA), ref: 00460F86
GetProcAddress.KERNEL32(00000000,GetProcessMemoryInfo,00000000,EnumDeviceDrivers,00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA), ref: 00460F98

Strings

GetDeviceDriverFileNameA, xrefs: 00460F00, 00460F36
GetModuleInformation, xrefs: 00460E94
QueryWorkingSet, xrefs: 00460EB8
EnumProcessModules, xrefs: 00460E16
InitializeProcessForWsWatch, xrefs: 00460ECA
GetMappedFileNameA, xrefs: 00460EDC, 00460F12
GetDeviceDriverFileNameW, xrefs: 00460F6C
GetDeviceDriverBaseNameA, xrefs: 00460EEE, 00460F24
PSAPI.dll, xrefs: 00460DEB
EnumProcesses, xrefs: 00460E04
EnumDeviceDrivers, xrefs: 00460F7E
GetModuleBaseNameA, xrefs: 00460E28, 00460E4C
GetModuleFileNameExA, xrefs: 00460E3A, 00460E5E
GetDeviceDriverBaseNameW, xrefs: 00460F5A
EmptyWorkingSet, xrefs: 00460EA6
GetModuleFileNameExW, xrefs: 00460E82
GetModuleBaseNameW, xrefs: 00460E70
GetMappedFileNameW, xrefs: 00460F48
GetProcessMemoryInfo, xrefs: 00460F90

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474F80, Relevance: 68.4, APIs: 23, Strings: 16, Instructions: 193 Total matches: 16libraryloaderprocess

Similarity

Total matches: 16
API ID: GetModuleHandleGetProcAddress$CreateProcess
String ID: CloseHandle$D$DeleteFileA$ExitThread$GetExitCodeProcess$GetLastError$GetProcAddress$LoadLibraryA$MessageBoxA$OpenProcess$Sleep$TerminateProcess$kernel32$[FILE]$notepad$[FILE]
API String ID: 3751337051-1992750546
Opcode ID: f3e5bd14b9eca4547e1d82111e60eaf505a3b72a2acd12d9f4d60f775fac33f7
Instruction ID: 521cd1f5f1d68558a350981a4af58b67496248f6491df8a54ee4dd11dd84c66b
Opcode Fuzzy Hash: 6C21A7BE2678E349F6766E1834D567C2491BA46A38B4AEB010237376C44F91000BFF76
Instruction Fuzzy Hash: 521cd1f5f1d68558a350981a4af58b67496248f6491df8a54ee4dd11dd84c66b

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0047500B

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

Part of subcall function 00474D58: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?,00000000,00000000,00000000,?,004755A7), ref: 00474D98
Part of subcall function 00474D58: WriteProcessMemory.KERNEL32(?,00000000,kernel32.dll,?,?,?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?), ref: 00474DBE

GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000,00475246), ref: 0047511C
GetProcAddress.KERNEL32(00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000,00475246), ref: 00475122
GetModuleHandleA.KERNEL32(kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000), ref: 00475133
GetProcAddress.KERNEL32(00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 00475139
GetModuleHandleA.KERNEL32(kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000), ref: 0047514B
GetProcAddress.KERNEL32(00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000), ref: 00475151
GetModuleHandleA.KERNEL32(kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000), ref: 00475163
GetProcAddress.KERNEL32(00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000), ref: 00475169
GetModuleHandleA.KERNEL32(kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000), ref: 0047517B
GetProcAddress.KERNEL32(00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000), ref: 00475181
GetModuleHandleA.KERNEL32(kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32), ref: 00475193
GetProcAddress.KERNEL32(00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000), ref: 00475199
GetModuleHandleA.KERNEL32(kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32), ref: 004751AB
GetProcAddress.KERNEL32(00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000), ref: 004751B1
GetModuleHandleA.KERNEL32(kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32), ref: 004751C3
GetProcAddress.KERNEL32(00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000), ref: 004751C9
GetModuleHandleA.KERNEL32(kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32), ref: 004751DB
GetProcAddress.KERNEL32(00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000), ref: 004751E1
GetModuleHandleA.KERNEL32(kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32), ref: 004751F3
GetProcAddress.KERNEL32(00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000), ref: 004751F9
GetModuleHandleA.KERNEL32(kernel32,GetExitCodeProcess,00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32), ref: 0047520B
GetProcAddress.KERNEL32(00000000,kernel32,GetExitCodeProcess,00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000), ref: 00475211

Part of subcall function 00474E20: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00474E5E
Part of subcall function 00474E20: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00474E6E
Part of subcall function 00474E20: ReadProcessMemory.KERNEL32(?,00000000,?,?,?,DCPERSFWBP,?,?), ref: 00474E81

Part of subcall function 0040F234: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0048F90F,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040F24B

Strings

DeleteFileA, xrefs: 0047509B, 00475189
user32.dll, xrefs: 0047505F
LoadLibraryA, xrefs: 00475112
Sleep, xrefs: 0047506E, 00475141
notepad, xrefs: 00475025
OpenProcess, xrefs: 004750D7, 004751E9
kernel32.dll, xrefs: 00475050
GetProcAddress, xrefs: 00475129
ExitThread, xrefs: 0047508C, 00475171
TerminateProcess, xrefs: 004750B9, 004751B9
kernel32, xrefs: 00475117, 0047512E, 00475146, 0047515E, 00475176, 0047518E, 004751A6, 004751BE, 004751D6, 004751EE, 00475206
MessageBoxA, xrefs: 0047507D, 00475159
CloseHandle, xrefs: 004750C8, 004751D1
GetLastError, xrefs: 004750AA, 004751A1
GetExitCodeProcess, xrefs: 004750E6, 00475201
D, xrefs: 00474FC9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045D6E8, Relevance: 49.1, APIs: 15, Strings: 13, Instructions: 95 Total matches: 1532libraryloader

Similarity

Total matches: 1532
API ID: GetProcAddress$SetErrorMode$GetModuleHandleLoadLibrary
String ID: ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME$[FILE]
API String ID: 4285671783-683095915
Opcode ID: 6332f91712b4189a2fbf9eac54066364acf4b46419cf90587b9f7381acad85db
Instruction ID: 372e34bc737a7edc69a1909bd40661afaf820c1de602df88552da6e630419b72
Opcode Fuzzy Hash: 0A01257F24D863CBD2D0CE4934DB39D20B65787C0C8D6DF404605318697F9BF9295A68
Instruction Fuzzy Hash: 372e34bc737a7edc69a1909bd40661afaf820c1de602df88552da6e630419b72

APIs

SetErrorMode.KERNEL32(00008000), ref: 0045D701
GetModuleHandleA.KERNEL32(USER32,00000000,0045D84E,?,00008000), ref: 0045D725
GetProcAddress.KERNEL32(00000000,WINNLSEnableIME,USER32,00000000,0045D84E,?,00008000), ref: 0045D732
LoadLibraryA.KERNEL32(imm32.dll), ref: 0045D74E
GetProcAddress.KERNEL32(00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D770
GetProcAddress.KERNEL32(00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D785
GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D79A
GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7AF
GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7C4
GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E), ref: 0045D7D9
GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000), ref: 0045D7EE
GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext), ref: 0045D803
GetProcAddress.KERNEL32(00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext), ref: 0045D818
GetProcAddress.KERNEL32(00000000,ImmNotifyIME,00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus), ref: 0045D82D
SetErrorMode.KERNEL32(?,0045D855,00008000), ref: 0045D848

Strings

USER32, xrefs: 0045D720
ImmReleaseContext, xrefs: 0045D77A
ImmNotifyIME, xrefs: 0045D822
ImmIsIME, xrefs: 0045D80D
ImmGetConversionStatus, xrefs: 0045D78F
ImmSetCompositionFontA, xrefs: 0045D7E3
ImmGetCompositionStringA, xrefs: 0045D7F8
ImmSetCompositionWindow, xrefs: 0045D7CE
ImmGetContext, xrefs: 0045D765
imm32.dll, xrefs: 0045D749
ImmSetOpenStatus, xrefs: 0045D7B9
WINNLSEnableIME, xrefs: 0045D72C
ImmSetConversionStatus, xrefs: 0045D7A4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004104F0, Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141 Total matches: 3143

Similarity

Total matches: 3143
API ID: GetModuleHandle
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$[FILE]
API String ID: 2196120668-1102361026
Opcode ID: d04b3c176625d43589df9c4c1eaa1faa8af9b9c00307a8a09859a0e62e75f2dc
Instruction ID: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6
Opcode Fuzzy Hash: B8119E48E06A10BC356E3ED6B0292683F50A1A7CBF31D5388487AA46F067C083C0FF2D
Instruction Fuzzy Hash: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 004104F9

Part of subcall function 004104C4: GetProcAddress.KERNEL32(00000000), ref: 004104DD

Strings

VarMod, xrefs: 004105B7
VarBstrFromCy, xrefs: 004106A9
VarBstrFromBool, xrefs: 004106D5
VarAnd, xrefs: 004105CD
VarDateFromStr, xrefs: 00410667
oleaut32.dll, xrefs: 004104F4
VariantChangeTypeEx, xrefs: 00410507
VarCmp, xrefs: 0041060F
VarBstrFromDate, xrefs: 004106BF
VarBoolFromStr, xrefs: 00410693
VarR8FromStr, xrefs: 00410651
VarR4FromStr, xrefs: 0041063B
VarDiv, xrefs: 0041058B
VarSub, xrefs: 0041055F
VarNeg, xrefs: 0041051D
VarAdd, xrefs: 00410549
VarOr, xrefs: 004105E3
VarMul, xrefs: 00410575
VarI4FromStr, xrefs: 00410625
VarCyFromStr, xrefs: 0041067D
VarIdiv, xrefs: 004105A1
VarXor, xrefs: 004105F9
VarNot, xrefs: 00410533

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047EE3C, Relevance: 37.0, APIs: 10, Strings: 11, Instructions: 210 Total matches: 14file

Similarity

Total matches: 14
API ID: ShellExecute$CopyFile$DeleteFilePlaySoundSetFileAttributes
String ID: .dcp$BATCH$EDITSVR$GENCODE$HOSTS$SOUND$UPANDEXEC$UPDATE$UPLOADEXEC$drivers\etc\hosts$open
API String ID: 313780579-486951257
Opcode ID: 44d22e170a376e2c3ac9494fe8a96a526e5340482cd9b2ca1a65bf3f31ad22f8
Instruction ID: 609fd5320f3736894535b51981f95e3d4faf5b0f44a63c85dacee75dc97e5f91
Opcode Fuzzy Hash: 482159C03AA5D247E11B38503C02FC671E1AB8B365C4E774182B9B32D6EF825029EF59
Instruction Fuzzy Hash: 609fd5320f3736894535b51981f95e3d4faf5b0f44a63c85dacee75dc97e5f91

APIs

ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EEA0
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF11
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EF31
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF60

Part of subcall function 00475BD8: closesocket.WSOCK32(00000248,00000000,00475D47,?,00000000,00475D76,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00475D2E
Part of subcall function 00475BD8: GetCurrentProcessId.KERNEL32(00000248,00000000,00475D47,?,00000000,00475D76,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00475D33

ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0047EF96
CopyFileA.KERNEL32(00000000,00000000,.dcp), ref: 0047F0D1

Part of subcall function 00489C78: GetSystemDirectoryA.KERNEL32(00000000,?), ref: 00489CB4

SetFileAttributesA.KERNEL32(00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFD6
DeleteFileA.KERNEL32(00000000,00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFFF
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0047F033
PlaySoundA.WINMM(00000000,00000000,00000001,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047F059

Strings

UPANDEXEC, xrefs: 0047EF74
UPLOADEXEC, xrefs: 0047EE7E
BATCH, xrefs: 0047EEC3
drivers\etc\hosts, xrefs: 0047EFC3, 0047EFE6, 0047F017
GENCODE, xrefs: 0047F0A0
UPDATE, xrefs: 0047EF3E
open, xrefs: 0047EE99, 0047EF0A, 0047EF2A, 0047EF59, 0047EF8F
HOSTS, xrefs: 0047EFA3
.dcp, xrefs: 0047F0AD
SOUND, xrefs: 0047F040
EDITSVR, xrefs: 0047F063

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00489580, Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 221 Total matches: 17pipewindowsleep

Similarity

Total matches: 17
API ID: CloseHandleCreatePipePeekNamedPipe$CreateProcessDispatchMessageGetEnvironmentVariableGetExitCodeProcessOemToCharPeekMessageReadFileSleepTerminateProcessTranslateMessage
String ID: COMSPEC$D
API String ID: 4101216710-942777791
Opcode ID: 98b6063c36b7c4f9ee270a2712a57a54142ac9cf893dea9da1c9317ddc3726ed
Instruction ID: f750be379b028122e82cf807415e9f3aafae13f02fb218c552ebf65ada2f023f
Opcode Fuzzy Hash: 6221AE4207BD57A3E5972A046403B841372FF43A68F6CA7A2A6FD367E9CE400099FE14
Instruction Fuzzy Hash: f750be379b028122e82cf807415e9f3aafae13f02fb218c552ebf65ada2f023f

APIs

CreatePipe.KERNEL32(FFFFFFFF,?,00000000,00000000), ref: 004895ED
CreatePipe.KERNEL32(?,?,00000000,00000000,FFFFFFFF,?,00000000,00000000), ref: 004895FD
GetEnvironmentVariableA.KERNEL32(COMSPEC,?,00000104,?,?,00000000,00000000,FFFFFFFF,?,00000000,00000000), ref: 00489613
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?), ref: 00489668
Sleep.KERNEL32(000007D0,00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,COMSPEC,?,00000104,?,?), ref: 00489685
TranslateMessage.USER32(?), ref: 00489693
DispatchMessageA.USER32(?), ref: 0048969F
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004896B3
GetExitCodeProcess.KERNEL32(?,?), ref: 004896C8
PeekNamedPipe.KERNEL32(FFFFFFFF,00000000,00000000,00000000,?,00000000,?,?,?,00000000,00000000,00000000,00000001,?,?,?), ref: 004896F2
ReadFile.KERNEL32(FFFFFFFF,?,00002400,00000000,00000000), ref: 00489717
OemToCharA.USER32(?,?), ref: 0048972E
PeekNamedPipe.KERNEL32(FFFFFFFF,00000000,00000000,00000000,00000000,00000000,?,FFFFFFFF,?,00002400,00000000,00000000,FFFFFFFF,00000000,00000000,00000000), ref: 00489781

Part of subcall function 0041FA34: GetLastError.KERNEL32(00486514,00000004,0048650C,00000000,0041FADE,?,00499F5C), ref: 0041FA94

Part of subcall function 0041FC40: SetThreadPriority.KERNEL32(?,015CDB28,00499F5C,?,0047EC9E,?,?,?,00000000,00000000,?,0049062B), ref: 0041FC55

Part of subcall function 0041FEF0: ResumeThread.KERNEL32(?,00499F5C,?,0047ECAA,?,?,?,00000000,00000000,?,0049062B), ref: 0041FEF8

Part of subcall function 0041FF20: GetCurrentThreadId.KERNEL32 ref: 0041FF2E
Part of subcall function 0041FF20: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0041FF5A
Part of subcall function 0041FF20: MsgWaitForMultipleObjects.USER32(00000002,?,00000000,000003E8,00000040), ref: 0041FF6F
Part of subcall function 0041FF20: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041FF9C
Part of subcall function 0041FF20: GetExitCodeThread.KERNEL32(?,?,?,000000FF), ref: 0041FFA7

TerminateProcess.KERNEL32(?,00000000,00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,COMSPEC,?,00000104,?), ref: 0048980A
CloseHandle.KERNEL32(?), ref: 00489813
CloseHandle.KERNEL32(?), ref: 0048981C

Strings

D, xrefs: 00489627
COMSPEC, xrefs: 0048960E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004291D0, Relevance: 31.7, APIs: 21, Instructions: 194 Total matches: 3060window

Similarity

Total matches: 3060
API ID: SelectObject$CreateCompatibleDCDeleteDCRealizePaletteSelectPaletteSetBkColor$BitBltCreateBitmapDeleteObjectGetDCGetObjectPatBltReleaseDC
String ID:
API String ID: 628774946-0
Opcode ID: fe3971f2977393a3c43567018b8bbe78de127415e632ac21538e816cc0dd5250
Instruction ID: 6115c1c3159ef7867d394253bd6a45f4e10092e6f2e7cc69ab30c5ac2c74a228
Opcode Fuzzy Hash: 2911294A05CCF32B64B579881983B261182FE43B52CABF7105979272CACF41740DE457
Instruction Fuzzy Hash: 6115c1c3159ef7867d394253bd6a45f4e10092e6f2e7cc69ab30c5ac2c74a228

APIs

GetObjectA.GDI32(?,00000054,?), ref: 004291F3
GetDC.USER32(00000000), ref: 00429221
CreateCompatibleDC.GDI32(?), ref: 00429232
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0042924D
SelectObject.GDI32(?,00000000), ref: 00429267
PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 00429289
CreateCompatibleDC.GDI32(?), ref: 00429297
DeleteDC.GDI32(?), ref: 0042937D

Part of subcall function 00428B08: GetObjectA.GDI32(00000000,00000054,?), ref: 00428B88
Part of subcall function 00428B08: GetDC.USER32(00000000), ref: 00428B99
Part of subcall function 00428B08: CreateCompatibleDC.GDI32(00000000), ref: 00428BAA
Part of subcall function 00428B08: CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 00428BF6
Part of subcall function 00428B08: CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 00428C1A
Part of subcall function 00428B08: GetDeviceCaps.GDI32(00000028,0000000C), ref: 00428C6A
Part of subcall function 00428B08: GetDeviceCaps.GDI32(00000028,0000000E), ref: 00428C77
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00428D21
Part of subcall function 00428B08: GetDIBColorTable.GDI32(?,00000000,00000100,-00000027), ref: 00428D47
Part of subcall function 00428B08: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428D72
Part of subcall function 00428B08: SelectObject.GDI32(?,?), ref: 00428D7F
Part of subcall function 00428B08: CreateDIBSection.GDI32(00000028,00000001,00000000,00000003,00000000,00000000), ref: 00428DD5
Part of subcall function 00428B08: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428E36
Part of subcall function 00428B08: SelectObject.GDI32(?,?), ref: 00428E77
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,00000000), ref: 00428EB7
Part of subcall function 00428B08: RealizePalette.GDI32(?), ref: 00428EC3
Part of subcall function 00428B08: FillRect.USER32(?,?,00000000), ref: 00428F14
Part of subcall function 00428B08: SetTextColor.GDI32(?,00000000), ref: 00428F2C
Part of subcall function 00428B08: SetBkColor.GDI32(?,00000000), ref: 00428F46
Part of subcall function 00428B08: SetDIBColorTable.GDI32(?,00000000,00000002,?), ref: 00428F8E
Part of subcall function 00428B08: PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 00428FB0
Part of subcall function 00428B08: CreateCompatibleDC.GDI32(00000028), ref: 00428FC3
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00428FE6
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,00000000), ref: 00429002
Part of subcall function 00428B08: RealizePalette.GDI32(?), ref: 0042900D
Part of subcall function 00428B08: SetTextColor.GDI32(?,00000000), ref: 0042902B
Part of subcall function 00428B08: SetBkColor.GDI32(?,00000000), ref: 00429045
Part of subcall function 00428B08: BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042906D
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,000000FF), ref: 0042907F
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00429089
Part of subcall function 00428B08: DeleteDC.GDI32(?), ref: 004290A4
Part of subcall function 00428B08: SelectPalette.GDI32(?,?,000000FF), ref: 004290CE

SelectObject.GDI32(?), ref: 004292DF
SelectPalette.GDI32(?,?,00000000), ref: 004292F2
RealizePalette.GDI32(?), ref: 004292FB
SelectPalette.GDI32(?,?,00000000), ref: 00429307
RealizePalette.GDI32(?), ref: 00429310
SetBkColor.GDI32(?), ref: 0042931A
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042933E
SetBkColor.GDI32(?,00000000), ref: 00429348
SelectObject.GDI32(?,00000000), ref: 0042935B
DeleteObject.GDI32 ref: 00429367
SelectObject.GDI32(?,00000000), ref: 00429398
DeleteDC.GDI32(00000000), ref: 004293B4
ReleaseDC.USER32(00000000,00000000), ref: 004293C5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004031FC, Relevance: 27.1, APIs: 9, Strings: 9, Instructions: 110 Total matches: 169

Similarity

Total matches: 169
API ID: CharNext
String ID: $ $ $"$"$"$"$"$"
API String ID: 3213498283-3597982963
Opcode ID: a78e52ca640c3a7d11d18e4cac849d6c7481ab065be4a6ef34a7c34927dd7892
Instruction ID: 5d6dbb870b020a65ba4fa9e31a5dda400ef744f15fc7bff5e21739e263984da5
Opcode Fuzzy Hash: D0F054139ED4432360976B416872B44E2D0DF9564D2C01F185B62BE2F31E696D62F9DC
Instruction Fuzzy Hash: 5d6dbb870b020a65ba4fa9e31a5dda400ef744f15fc7bff5e21739e263984da5

APIs

CharNextA.USER32(00000000), ref: 00403208
CharNextA.USER32(00000000), ref: 00403236
CharNextA.USER32(00000000), ref: 00403240
CharNextA.USER32(00000000), ref: 0040325F
CharNextA.USER32(00000000), ref: 00403269
CharNextA.USER32(00000000), ref: 00403295
CharNextA.USER32(00000000), ref: 0040329F
CharNextA.USER32(00000000), ref: 004032C7
CharNextA.USER32(00000000), ref: 004032D1

Strings

", xrefs: 00403230
, xrefs: 004032E9
", xrefs: 0040328F
", xrefs: 0040321E
, xrefs: 00403214
", xrefs: 00403254
, xrefs: 00403278
", xrefs: 00403219
", xrefs: 004032BC

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00472E88, Relevance: 26.4, APIs: 6, Strings: 9, Instructions: 199 Total matches: 19network

Similarity

Total matches: 19
API ID: inet_ntoa$WSAIoctlclosesocketsocket
String ID: Broadcast adress : $ Broadcasts : NO$ Broadcasts : YES$ IP : $ IP Mask : $ Loopback interface$ Network interface$ Status : DOWN$ Status : UP
API String ID: 2271367613-1810517698
Opcode ID: 3d4dbe25dc82bdd7fd028c6f91bddee7ad6dc1d8a686e5486e056cbc58026438
Instruction ID: 018b2a24353d4e3a07e7e79b390110fecb7011e72bd4e8fb6250bb24c4a02172
Opcode Fuzzy Hash: E22138C22338E1B2D42A39C6B500F80B651671FB7EF481F9652B6FFDC26E488005A749
Instruction Fuzzy Hash: 018b2a24353d4e3a07e7e79b390110fecb7011e72bd4e8fb6250bb24c4a02172

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00473108), ref: 00472EC7
WSAIoctl.WS2_32(000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000), ref: 00472F08
inet_ntoa.WSOCK32(?,00000000,004730D5,?,00000002,00000001,00000000,00000000,00473108), ref: 00472F40
inet_ntoa.WSOCK32(?,00473130,?, IP : ,?,?,00000000,004730D5,?,00000002,00000001,00000000,00000000,00473108), ref: 00472F81
inet_ntoa.WSOCK32(?,00473130,?, IP Mask : ,?,?,00473130,?, IP : ,?,?,00000000,004730D5,?,00000002,00000001), ref: 00472FC2
closesocket.WSOCK32(000000FF,00000002,00000001,00000000,00000000,00473108), ref: 004730E3

Strings

Broadcast adress : , xrefs: 00472FCB
Status : UP, xrefs: 00473001
IP Mask : , xrefs: 00472F8A
Broadcasts : NO, xrefs: 00473057
Status : DOWN, xrefs: 0047301B
IP : , xrefs: 00472F49
Broadcasts : YES, xrefs: 0047303D
Network interface, xrefs: 00473091
Loopback interface, xrefs: 00473077

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045944C, Relevance: 25.8, APIs: 17, Instructions: 258 Total matches: 99

Similarity

Total matches: 99
API ID: OffsetRect$MapWindowPoints$DrawEdgeExcludeClipRectFillRectGetClientRectGetRgnBoxGetWindowDCGetWindowLongGetWindowRectInflateRectIntersectClipRectIntersectRectReleaseDC
String ID:
API String ID: 549690890-0
Opcode ID: 4a5933c45267f4417683cc1ac528043082b1f46eca0dcd21c58a50742ec4aa88
Instruction ID: 2ecbe6093ff51080a4fa1a6c7503b414327ded251fe39163baabcde2d7402924
Opcode Fuzzy Hash: DE316B4D01AF1663F073A6401983F7A1516FF43A89CD837F27EE63235E27662066AA03
Instruction Fuzzy Hash: 2ecbe6093ff51080a4fa1a6c7503b414327ded251fe39163baabcde2d7402924

APIs

GetWindowDC.USER32(00000000), ref: 00459480
GetClientRect.USER32(00000000,?), ref: 004594A3
GetWindowRect.USER32(00000000,?), ref: 004594B5
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 004594CB
OffsetRect.USER32(?,?,?), ref: 004594E0
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 004594F9
InflateRect.USER32(?,00000000,00000000), ref: 00459517
GetWindowLongA.USER32(00000000,000000F0), ref: 00459531
DrawEdge.USER32(?,?,?,00000008), ref: 00459630
IntersectClipRect.GDI32(?,?,?,?,?), ref: 00459649
OffsetRect.USER32(?,?,?), ref: 00459673
GetRgnBox.GDI32(?,?), ref: 00459682
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 00459698
IntersectRect.USER32(?,?,?), ref: 004596A9
OffsetRect.USER32(?,?,?), ref: 004596BE

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?,00000000), ref: 004596DA
ReleaseDC.USER32(00000000,?), ref: 004596F9

Part of subcall function 004328FC: GetWindowLongA.USER32(00000000,000000EC), ref: 00432917
Part of subcall function 004328FC: GetWindowRect.USER32(00000000,?), ref: 00432932
Part of subcall function 004328FC: OffsetRect.USER32(?,?,?), ref: 00432947
Part of subcall function 004328FC: GetWindowDC.USER32(00000000), ref: 00432955
Part of subcall function 004328FC: GetWindowLongA.USER32(00000000,000000F0), ref: 00432986
Part of subcall function 004328FC: GetSystemMetrics.USER32(00000002), ref: 0043299B
Part of subcall function 004328FC: GetSystemMetrics.USER32(00000003), ref: 004329A4
Part of subcall function 004328FC: InflateRect.USER32(?,000000FE,000000FE), ref: 004329B3
Part of subcall function 004328FC: GetSysColorBrush.USER32(0000000F), ref: 004329E0
Part of subcall function 004328FC: FillRect.USER32(?,?,00000000), ref: 004329EE
Part of subcall function 004328FC: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00432A13
Part of subcall function 004328FC: ReleaseDC.USER32(00000000,?), ref: 00432A51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00465A0C, Relevance: 21.2, APIs: 6, Strings: 8, Instructions: 232 Total matches: 70memory

Similarity

Total matches: 70
API ID: VirtualAlloc$GetProcessHeapHeapAlloc
String ID: BTMemoryLoadLibary: BuildImportTable failed$BTMemoryLoadLibary: Can't attach library$BTMemoryLoadLibary: Get DLLEntyPoint failed$BTMemoryLoadLibary: IMAGE_NT_SIGNATURE is not valid$BTMemoryLoadLibary: VirtualAlloc failed$BTMemoryLoadLibary: dll dos header is not valid$MZ$PE
API String ID: 2488116186-3631919656
Opcode ID: 3af931fd5e956d794d4d8b2d9451c0c23910b02d2e1f96ee73557f06256af9ed
Instruction ID: 5201b0f892773e34eb121d15694a5594f27085db04a31d88d5a3aa16cfd2fb7b
Opcode Fuzzy Hash: C92170831B68E1B7FD6411983983F62168EE747E64EC5A7700375391DB6B09408DEB4E
Instruction Fuzzy Hash: 5201b0f892773e34eb121d15694a5594f27085db04a31d88d5a3aa16cfd2fb7b

APIs

VirtualAlloc.KERNEL32(?,?,00002000,00000004), ref: 00465AC1
VirtualAlloc.KERNEL32(00000000,?,00002000,00000004,?,?,00002000,00000004), ref: 00465ADC
GetProcessHeap.KERNEL32(00000000,00000011,?,?,00002000,00000004), ref: 00465B07
HeapAlloc.KERNEL32(00000000,00000000,00000011,?,?,00002000,00000004), ref: 00465B0D
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,00000000,00000000,00000011,?,?,00002000,00000004), ref: 00465B41
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,00000000,?,00001000,00000004,00000000,00000000,00000011,?,?,00002000,00000004), ref: 00465B55

Part of subcall function 004653A8: VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00465410
Part of subcall function 004653A8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004), ref: 0046545B

Part of subcall function 00465598: LoadLibraryA.KERNEL32(00000000), ref: 00465607
Part of subcall function 00465598: GetProcAddress.KERNEL32(?,?), ref: 00465737
Part of subcall function 00465598: GetProcAddress.KERNEL32(?,?), ref: 0046576B
Part of subcall function 00465598: IsBadReadPtr.KERNEL32(?,00000014,00000000,004657D8), ref: 004657A9

Part of subcall function 004658F4: VirtualFree.KERNEL32(?,?,00004000), ref: 00465939
Part of subcall function 004658F4: VirtualProtect.KERNEL32(?,?,00000000,?), ref: 004659A5

Part of subcall function 00466038: FreeLibrary.KERNEL32(00000000,?,?,00000000,?,00000000,00465C6C), ref: 004660A7
Part of subcall function 00466038: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,?,00000000,00465C6C), ref: 004660D8
Part of subcall function 00466038: GetProcessHeap.KERNEL32(00000000,?,?,?,00000000,?,00000000,00465C6C), ref: 004660E0
Part of subcall function 00466038: HeapFree.KERNEL32(00000000,00000000,?), ref: 004660E6

Strings

BTMemoryLoadLibary: BuildImportTable failed, xrefs: 00465BD5
BTMemoryLoadLibary: Can't attach library, xrefs: 00465C5A
BTMemoryLoadLibary: IMAGE_NT_SIGNATURE is not valid, xrefs: 00465A95
BTMemoryLoadLibary: VirtualAlloc failed, xrefs: 00465AEC
PE, xrefs: 00465A84
BTMemoryLoadLibary: dll dos header is not valid, xrefs: 00465A4E
MZ, xrefs: 00465A41
BTMemoryLoadLibary: Get DLLEntyPoint failed, xrefs: 00465C28

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004296E0, Relevance: 21.2, APIs: 14, Instructions: 217 Total matches: 2962window

Similarity

Total matches: 2962
API ID: GetDeviceCapsSelectObjectSelectPaletteSetStretchBltMode$CreateCompatibleDCDeleteDCGetBrushOrgExRealizePaletteSetBrushOrgExStretchBlt
String ID:
API String ID: 3308931694-0
Opcode ID: c4f23efe5e20e7f72d9787206ae9d4d4484ef6a1768b369050ebc0ce3d21af64
Instruction ID: 6e80a75276815f297b150d1899ec2451361d21afa1efcd092d0d7bc48a04164e
Opcode Fuzzy Hash: 2C21980A409CEB6BF0BB78840183F4A2285BF9B34ACD1BB210E64673635F04E40BD65F
Instruction Fuzzy Hash: 6e80a75276815f297b150d1899ec2451361d21afa1efcd092d0d7bc48a04164e

APIs

Part of subcall function 00429D5C: GetDC.USER32(00000000), ref: 00429DB2
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429DC7
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00429DD1
Part of subcall function 00429D5C: CreateHalftonePalette.GDI32(00000000), ref: 00429DF5
Part of subcall function 00429D5C: ReleaseDC.USER32(00000000,00000000), ref: 00429E00

SelectPalette.GDI32(?,?,000000FF), ref: 00429723
RealizePalette.GDI32(?), ref: 00429732
GetDeviceCaps.GDI32(?,0000000C), ref: 00429744
GetDeviceCaps.GDI32(?,0000000E), ref: 00429753
GetBrushOrgEx.GDI32(?,?), ref: 00429786
SetStretchBltMode.GDI32(?,00000004), ref: 00429794
SetBrushOrgEx.GDI32(?,?,?,?), ref: 004297AC
SetStretchBltMode.GDI32(00000000,00000003), ref: 004297C9
SelectPalette.GDI32(?,?,000000FF), ref: 00429918

Part of subcall function 00429CFC: DeleteObject.GDI32(?), ref: 00429D1F

CreateCompatibleDC.GDI32(00000000), ref: 0042982A
SelectObject.GDI32(?,?), ref: 0042983F

Part of subcall function 00425CC8: CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 00425D0B
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425D20
Part of subcall function 00425CC8: MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,CCAA0029), ref: 00425D64
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425D7E
Part of subcall function 00425CC8: DeleteObject.GDI32(?), ref: 00425D8A
Part of subcall function 00425CC8: CreateCompatibleDC.GDI32(00000000), ref: 00425D9E
Part of subcall function 00425CC8: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00425DBF
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425DD4
Part of subcall function 00425CC8: SelectPalette.GDI32(?,48080787,00000000), ref: 00425DE8
Part of subcall function 00425CC8: SelectPalette.GDI32(?,?,00000000), ref: 00425DFA
Part of subcall function 00425CC8: SelectPalette.GDI32(?,00000000,000000FF), ref: 00425E0F
Part of subcall function 00425CC8: SelectPalette.GDI32(?,48080787,000000FF), ref: 00425E25
Part of subcall function 00425CC8: RealizePalette.GDI32(?), ref: 00425E31
Part of subcall function 00425CC8: StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 00425E53
Part of subcall function 00425CC8: StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 00425E75
Part of subcall function 00425CC8: SetTextColor.GDI32(?,00000000), ref: 00425E7D
Part of subcall function 00425CC8: SetBkColor.GDI32(?,00FFFFFF), ref: 00425E8B
Part of subcall function 00425CC8: StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 00425EB7
Part of subcall function 00425CC8: StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 00425EDC
Part of subcall function 00425CC8: SetTextColor.GDI32(?,?), ref: 00425EE6
Part of subcall function 00425CC8: SetBkColor.GDI32(?,?), ref: 00425EF0
Part of subcall function 00425CC8: SelectObject.GDI32(?,00000000), ref: 00425F03
Part of subcall function 00425CC8: DeleteObject.GDI32(?), ref: 00425F0C
Part of subcall function 00425CC8: SelectPalette.GDI32(?,00000000,00000000), ref: 00425F2E
Part of subcall function 00425CC8: DeleteDC.GDI32(?), ref: 00425F37

SelectObject.GDI32(?,00000000), ref: 0042989E
DeleteDC.GDI32(00000000), ref: 004298AD
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,?), ref: 004298F3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474208, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 49 Total matches: 17libraryloader

Similarity

Total matches: 17
API ID: GetProcAddress$LoadLibrary
String ID: WlanCloseHandle$WlanEnumInterfaces$WlanGetAvailableNetworkList$WlanOpenHandle$WlanQueryInterface$[FILE]
API String ID: 2209490600-3498334979
Opcode ID: 5146edb54a207047eae4574c9a27975307ac735bfb4468aea4e07443cdf6e803
Instruction ID: f89292433987c39bc7d9e273a1951c9a278ebb56a2de24d0a3e4590a01f53334
Opcode Fuzzy Hash: 50E0B6FD90BAA808D37089CC31962431D6E7BE332DA621E00086A230902B4FF2766935
Instruction Fuzzy Hash: f89292433987c39bc7d9e273a1951c9a278ebb56a2de24d0a3e4590a01f53334

APIs

LoadLibraryA.KERNEL32(wlanapi.dll), ref: 00474216
GetProcAddress.KERNEL32(00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 0047422E
GetProcAddress.KERNEL32(00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 00474249
GetProcAddress.KERNEL32(00000000,WlanEnumInterfaces,00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 00474264
GetProcAddress.KERNEL32(00000000,WlanQueryInterface,00000000,WlanEnumInterfaces,00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 0047427F
GetProcAddress.KERNEL32(00000000,WlanGetAvailableNetworkList,00000000,WlanQueryInterface,00000000,WlanEnumInterfaces,00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 0047429A

Strings

WlanOpenHandle, xrefs: 00474226
wlanapi.dll, xrefs: 00474211
WlanGetAvailableNetworkList, xrefs: 00474292
WlanQueryInterface, xrefs: 00474277
WlanEnumInterfaces, xrefs: 0047425C
WlanCloseHandle, xrefs: 00474241

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048D3C4, Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 132 Total matches: 32

Similarity

Total matches: 32
API ID: GetVersionEx
String ID: Unknow$Windows 2000$Windows 7$Windows 95$Windows 98$Windows Me$Windows NT 4.0$Windows Server 2003$Windows Vista$Windows XP
API String ID: 3908303307-3783844371
Opcode ID: 7b5a5832e5fd12129a8a2e2906a492b9449b8df28a17af9cc2e55bced20de565
Instruction ID: b844ed6b70e0e94de659292c354b68b9ed016400ab421bcb6baea74a0809c2ae
Opcode Fuzzy Hash: 0C11ACC1EB6CE422E7B219486410BD59E805F8B83AFCCC343D63EA83E46D491419F22D
Instruction Fuzzy Hash: b844ed6b70e0e94de659292c354b68b9ed016400ab421bcb6baea74a0809c2ae

APIs

GetVersionExA.KERNEL32(00000094), ref: 0048D410

Strings

Windows Me, xrefs: 0048D4F2
Windows NT 4.0, xrefs: 0048D441
Windows 2000, xrefs: 0048D467
Windows 95, xrefs: 0048D4D6
Windows 7, xrefs: 0048D4B1
Unknow, xrefs: 0048D3F5
Windows Vista, xrefs: 0048D4A3
Windows Server 2003, xrefs: 0048D486
Windows XP, xrefs: 0048D478
Windows 98, xrefs: 0048D4E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C494, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 102 Total matches: 27filememorythread

Similarity

Total matches: 27
API ID: CloseHandle$CreateFileCreateThreadFindResourceLoadResourceLocalAllocLockResourceSizeofResourceWriteFile
String ID: [FILE]
API String ID: 67866216-124780900
Opcode ID: 96c988e38e59b89ff17cc2eaece477f828ad8744e4a6eccd5192cfbc043553d8
Instruction ID: 630cc112895e8414539e3ba5b7ba0394fd4404f3832c6fa9d37db38bf09270f9
Opcode Fuzzy Hash: D5F02B8A57A5E6A3F0003C841D423D286D55B13B20E582B62C57CB75C1FE24502AFB03
Instruction Fuzzy Hash: 630cc112895e8414539e3ba5b7ba0394fd4404f3832c6fa9d37db38bf09270f9

APIs

FindResourceA.KERNEL32(00000000,?,?), ref: 0048C4C3

Part of subcall function 00489BB0: GetTempPathA.KERNEL32(?,00000000), ref: 00489BEC

CreateFileA.KERNEL32(00000000,.dll,?,?,40000000,00000002,00000000), ref: 0048C50F
SizeofResource.KERNEL32(00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC,?,?,?,?,00000000,00000000,00000000), ref: 0048C51F
LoadResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C528
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C52E
WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0048C535
CloseHandle.KERNEL32(00000000), ref: 0048C53B
LocalAlloc.KERNEL32(00000040,00000004,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C544
CreateThread.KERNEL32(00000000,00000000,0048C3E4,00000000,00000000,?), ref: 0048C586
CloseHandle.KERNEL32(00000000), ref: 0048C58C

Strings

.dll, xrefs: 0048C4F4, 0048C565

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004085D4, Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 61 Total matches: 268windowregistry

Similarity

Total matches: 268
API ID: RegisterWindowMessage$SendMessage$FindWindow
String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
API String ID: 773075572-3736581797
Opcode ID: b8d29d158da692a3f30c7c46c0fd30bc084ed528be5294db655e4684b6c0c80f
Instruction ID: 4e75a9db2a85290b2bd165713cc3b8ab264a87c6022b985514cebb886d0c2653
Opcode Fuzzy Hash: E3E086048EC5E4C040877D156905746525A5B47E33E88971245FC69EEBDF12706CF60B
Instruction Fuzzy Hash: 4e75a9db2a85290b2bd165713cc3b8ab264a87c6022b985514cebb886d0c2653

APIs

FindWindowA.USER32(MouseZ,Magellan MSWHEEL), ref: 004085EC
RegisterWindowMessageA.USER32(MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 004085F8
RegisterWindowMessageA.USER32(MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 00408607
RegisterWindowMessageA.USER32(MSH_SCROLL_LINES_MSG,MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 00408613
SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 0040862B
SendMessageA.USER32(00000000,?,00000000,00000000), ref: 0040864F

Strings

MSH_SCROLL_LINES_MSG, xrefs: 0040860E
MSH_WHEELSUPPORT_MSG, xrefs: 00408602
MouseZ, xrefs: 004085E7
Magellan MSWHEEL, xrefs: 004085E2
MSWHEEL_ROLLMSG, xrefs: 004085F3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00442280, Relevance: 18.5, APIs: 12, Instructions: 471 Total matches: 76window

Similarity

Total matches: 76
API ID: ShowWindow$SendMessageSetWindowPos$CallWindowProcGetActiveWindowSetActiveWindow
String ID:
API String ID: 1078102291-0
Opcode ID: 5a6bc4dc446307c7628f18d730adac2faaaadfe5fec0ff2c8aaad915570e293a
Instruction ID: d2d7a330045c082ee8847ac264425c59ea8f05af409e416109ccbd6a8a647aa5
Opcode Fuzzy Hash: AA512601698E2453F8A360442A87BAB6077F74EB54CC4AB744BCF530AB3A51D837E74B
Instruction Fuzzy Hash: d2d7a330045c082ee8847ac264425c59ea8f05af409e416109ccbd6a8a647aa5

APIs

Part of subcall function 004471C4: IsChild.USER32(00000000,00000000), ref: 00447222

SendMessageA.USER32(?,00000223,00000000,00000000), ref: 004426BE
ShowWindow.USER32(00000000,00000003), ref: 004426CE
ShowWindow.USER32(00000000,00000002), ref: 004426F0
CallWindowProcA.USER32(00407FF8,00000000,00000005,00000000,?), ref: 00442719
SendMessageA.USER32(?,00000234,00000000,00000000), ref: 0044273E
ShowWindow.USER32(00000000,?), ref: 00442763
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000097), ref: 004427FF
GetActiveWindow.USER32 ref: 00442815
ShowWindow.USER32(00000000,00000000), ref: 00442872

Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773

Part of subcall function 0043BA80: GetCurrentThreadId.KERNEL32(Function_0003BA1C,00000000,0044283C,00000000,004428BF), ref: 0043BA9A
Part of subcall function 0043BA80: EnumThreadWindows.USER32(00000000,Function_0003BA1C,00000000), ref: 0043BAA0

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000097), ref: 0044285A
SetActiveWindow.USER32(00000000), ref: 00442860
ShowWindow.USER32(00000000,00000001), ref: 004428A2

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004328FC, Relevance: 18.1, APIs: 12, Instructions: 142 Total matches: 2670

Similarity

Total matches: 2670
API ID: GetSystemMetricsGetWindowLong$ExcludeClipRectFillRectGetSysColorBrushGetWindowDCGetWindowRectInflateRectOffsetRectReleaseDC
String ID:
API String ID: 3932036319-0
Opcode ID: 76064c448b287af48dc2af56ceef959adfeb7e49e56a31cb381aae6292753b0b
Instruction ID: f04c829c48dd0ecc4740a09c532db4e7ffce190e9eba6ce852bb2d0274806371
Opcode Fuzzy Hash: 03019760024F1233E0B31AC05DC7F127621ED45386CA4BBF28BF6A72C962AA7006F467
Instruction Fuzzy Hash: f04c829c48dd0ecc4740a09c532db4e7ffce190e9eba6ce852bb2d0274806371

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 00432917
GetWindowRect.USER32(00000000,?), ref: 00432932
OffsetRect.USER32(?,?,?), ref: 00432947
GetWindowDC.USER32(00000000), ref: 00432955
GetWindowLongA.USER32(00000000,000000F0), ref: 00432986
GetSystemMetrics.USER32(00000002), ref: 0043299B
GetSystemMetrics.USER32(00000003), ref: 004329A4
InflateRect.USER32(?,000000FE,000000FE), ref: 004329B3
GetSysColorBrush.USER32(0000000F), ref: 004329E0
FillRect.USER32(?,?,00000000), ref: 004329EE
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00432A13
ReleaseDC.USER32(00000000,?), ref: 00432A51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00402820, Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 254 Total matches: 200window

Similarity

Total matches: 200
API ID: MessageBox
String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
API String ID: 1250089747-1256731999
Opcode ID: 490897b8e9acac750f9d51d50a768472c0795dbdc6439b18441db86d626ce938
Instruction ID: 76dfa530adb1b8c2cc13e2667be7c25ba156ed0594aa9714788bfb3d1a0eda85
Opcode Fuzzy Hash: 0731F44BA7DDC3A2D3E91303684575550E2A7C5537C888F609772317F6EE04250BAAAD
Instruction Fuzzy Hash: 76dfa530adb1b8c2cc13e2667be7c25ba156ed0594aa9714788bfb3d1a0eda85

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 00402BBE

Strings

An unexpected memory leak has occurred. , xrefs: 00402980
String, xrefs: 00402A91
, xrefs: 00402B04
Unknown, xrefs: 00402A7C
The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402B39
The unexpected small block leaks are:, xrefs: 004029F7
Unexpected Memory Leak, xrefs: 00402BB0
7, xrefs: 00402991
bytes: , xrefs: 00402A4D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F17C, Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 116 Total matches: 33window

Similarity

Total matches: 33
API ID: GetWindowPlacementGetWindowTextIsWindowVisible
String ID: ,$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive$True
API String ID: 41250382-511446200
Opcode ID: 2a93bd2407602c988be198f02ecb64933adb9ffad78aee0f75abc9a1a22a1849
Instruction ID: 8f95e1a452f283c9d6a5f9db166b7f7b6e325fa1ebf04232aa01919826a7e185
Opcode Fuzzy Hash: F5012D8237CECA73DA0AAEC47C00B80D5A5AF63224CC867A14A9D3D1D41ED06009AB4A
Instruction Fuzzy Hash: 8f95e1a452f283c9d6a5f9db166b7f7b6e325fa1ebf04232aa01919826a7e185

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F1D2
GetWindowPlacement.USER32(?,0000002C), ref: 0046F1ED
IsWindowVisible.USER32(?), ref: 0046F258

Part of subcall function 0046F148: GetWindow.USER32(?,00000005), ref: 0046F156
Part of subcall function 0046F148: GetWindow.USER32(00000000,00000002), ref: 0046F164

Strings

,, xrefs: 0046F1E1
Minimized, xrefs: 0046F225
Show/Unactive, xrefs: 0046F239
True, xrefs: 0046F2AA
Maximized, xrefs: 0046F1FD
Normal, xrefs: 0046F211
Normal/Unactive, xrefs: 0046F24D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E71C, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 109 Total matches: 2989

Similarity

Total matches: 2989
API ID: IntersectRect$GetSystemMetrics$EnumDisplayMonitorsGetClipBoxGetDCOrgExOffsetRect
String ID: EnumDisplayMonitors
API String ID: 2403121106-2491903729
Opcode ID: 52db4d6629bbd73772140d7e04a91d47a072080cb3515019dbe85a8b86b11587
Instruction ID: b4557ab74b20c8893b9e8c5043286aecf6e43751f6ec849995a879e485a4fa77
Opcode Fuzzy Hash: 60F02B4B413C0863AD32BB953067E2601615BD3955C9F7BF34D077A2091B85B42EF643
Instruction Fuzzy Hash: b4557ab74b20c8893b9e8c5043286aecf6e43751f6ec849995a879e485a4fa77

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 0042E755
GetSystemMetrics.USER32(00000000), ref: 0042E77A
GetSystemMetrics.USER32(00000001), ref: 0042E785
GetClipBox.GDI32(?,?), ref: 0042E797
GetDCOrgEx.GDI32(?,?), ref: 0042E7A4
OffsetRect.USER32(?,?,?), ref: 0042E7BD
IntersectRect.USER32(?,?,?), ref: 0042E7CE
IntersectRect.USER32(?,?,?), ref: 0042E7E4
IntersectRect.USER32(?,?,?), ref: 0042E804

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

EnumDisplayMonitors, xrefs: 0042E734

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044D1B0, Relevance: 16.6, APIs: 11, Instructions: 91 Total matches: 309

Similarity

Total matches: 309
API ID: GetWindowLongSetWindowLong$SetProp$IsWindowUnicode
String ID:
API String ID: 2416549522-0
Opcode ID: cc33e88019e13a6bdd1cd1f337bb9aa08043e237bf24f75c2294c70aefb51ea5
Instruction ID: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692
Opcode Fuzzy Hash: 47F09048455D92E9CE316990181BFEB6098AF57F91CE86B0469C2713778E50F079BCC2
Instruction Fuzzy Hash: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692

APIs

IsWindowUnicode.USER32(?), ref: 0044D1CA
SetWindowLongW.USER32(?,000000FC,?), ref: 0044D1E5
GetWindowLongW.USER32(?,000000F0), ref: 0044D1F0
GetWindowLongW.USER32(?,000000F4), ref: 0044D202
SetWindowLongW.USER32(?,000000F4,?), ref: 0044D215
SetWindowLongA.USER32(?,000000FC,?), ref: 0044D22E
GetWindowLongA.USER32(?,000000F0), ref: 0044D239
GetWindowLongA.USER32(?,000000F4), ref: 0044D24B
SetWindowLongA.USER32(?,000000F4,?), ref: 0044D25E
SetPropA.USER32(?,00000000,00000000), ref: 0044D275
SetPropA.USER32(?,00000000,00000000), ref: 0044D28C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00485954, Relevance: 16.0, APIs: 4, Strings: 5, Instructions: 236 Total matches: 15filewindow

Similarity

Total matches: 15
API ID: DeleteFile$BeepMessageBox
String ID: Error$SYSINFO$out.txt$systeminfo$tmp.txt
API String ID: 2513333429-345806071
Opcode ID: 175ef29eb0126f4faf8d8d995bdbdcdb5595b05f6195c7c08c0282fe984d4c47
Instruction ID: 39f7f17e1c987efdb7b4b5db2f739eec2f93dce701a473bbe0ca777f64945c64
Opcode Fuzzy Hash: 473108146FCD9607E0675C047D43BB622369F83488E8AB3736AB7321E95E12C007FE96
Instruction Fuzzy Hash: 39f7f17e1c987efdb7b4b5db2f739eec2f93dce701a473bbe0ca777f64945c64

APIs

Beep.KERNEL32(00000000,00000000,?,00000000,00485C82), ref: 00485C68

Part of subcall function 00489BB0: GetTempPathA.KERNEL32(?,00000000), ref: 00489BEC

Part of subcall function 0048AB58: DeleteFileA.KERNEL32(00000000,00000000,0048ABE5,?,00000000,0048AC07), ref: 0048ABA5

Part of subcall function 0048A8AC: CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000004,00000100,00000000), ref: 0048A953
Part of subcall function 0048A8AC: CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000002,00000100,00000000), ref: 0048A98D
Part of subcall function 0048A8AC: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000110,00000000,00000000,00000044,?), ref: 0048AA10
Part of subcall function 0048A8AC: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0048AA2D
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA68
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA77
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA86
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA95

DeleteFileA.KERNEL32(00000000,Error,00000000,00485C82), ref: 00485A63
DeleteFileA.KERNEL32(00000000,00000000,Error,00000000,00485C82), ref: 00485A92

Part of subcall function 00485888: LocalAlloc.KERNEL32(00000040,00000014,00000000,00485939), ref: 004858C3
Part of subcall function 00485888: CreateThread.KERNEL32(00000000,00000000,Function_0008317C,00000000,00000000,00499F94), ref: 00485913
Part of subcall function 00485888: CloseHandle.KERNEL32(00000000), ref: 00485919

MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00485BE3

Strings

systeminfo, xrefs: 00485A14
tmp.txt, xrefs: 004859CA, 00485A07, 00485A79
Error, xrefs: 004859DE
SYSINFO, xrefs: 00485AAE
out.txt, xrefs: 004859AB, 004859EE, 00485A2A, 00485A4A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00462C84, Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 197 Total matches: 15com

Similarity

Total matches: 15
API ID: CoCreateInstance
String ID: )I$,*I$\)I$l)I$|*I
API String ID: 206711758-730570145
Opcode ID: 8999b16d8999ffb1a836ee872fd39b0ec17270f551e5dbcbb19cdec74f308aa7
Instruction ID: 5b7ba80d8099b44c35cabc3879083aa44c7049928a8bf14f2fd8312944c66e37
Opcode Fuzzy Hash: D1212B50148E6143E69475A53D92FAF11533BAB341E68BA6821DF30396CF01619BBF86
Instruction Fuzzy Hash: 5b7ba80d8099b44c35cabc3879083aa44c7049928a8bf14f2fd8312944c66e37

APIs

CoCreateInstance.OLE32(00492A2C,00000000,00000003,0049296C,00000000), ref: 00462CC9
CoCreateInstance.OLE32(00492A8C,00000000,00000001,00462EC8,00000000), ref: 00462CF4
CoCreateInstance.OLE32(00492A9C,00000000,00000001,0049295C,00000000), ref: 00462D20
CoCreateInstance.OLE32(00492A1C,00000000,00000003,004929AC,00000000), ref: 00462E12

Strings

,*I, xrefs: 00462CC3
l)I, xrefs: 00462CB9
)I, xrefs: 00462E4B
\)I, xrefs: 00462D10
|*I, xrefs: 00462D3C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048485C, Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 185 Total matches: 16networkfile

Similarity

Total matches: 16
API ID: HttpQueryInfoInternetCloseHandleInternetOpenInternetOpenUrlInternetReadFileShellExecute
String ID: 200$Mozilla$open
API String ID: 3970492845-1265730427
Opcode ID: 3dc36a46b375420b33b8be952117d0a4158fa58e722c19be8f44cfd6d7effa21
Instruction ID: c028a43d89851b06b6d8b312316828d3eee8359a726d0fa9a5f52c6647499b4f
Opcode Fuzzy Hash: B0213B401399C252F8372E512C83B9D101FDF82639F8857F197B9396D5EF48400DFA9A
Instruction Fuzzy Hash: c028a43d89851b06b6d8b312316828d3eee8359a726d0fa9a5f52c6647499b4f

APIs

InternetOpenA.WININET(Mozilla,00000001,00000000,00000000,00000000), ref: 0048490C
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,04000000,00000000), ref: 00484944
HttpQueryInfoA.WININET(00000000,00000013,?,00000200,?), ref: 0048497D
InternetReadFile.WININET(00000000,?,00000400,?), ref: 00484A04
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 00484A75
InternetCloseHandle.WININET(00000000), ref: 00484A95

Strings

200, xrefs: 004849BD
Mozilla, xrefs: 00484907
open, xrefs: 00484A6E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00448A94, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 170 Total matches: 10window

Similarity

Total matches: 10
API ID: BitBltImageList_DrawExSetBkColorSetTextColor
String ID: 6B
API String ID: 2442363623-1343726390
Opcode ID: f3e76f340fad2a36508cc9c10341b5bdbc0f221426f742f3eb9c92a513530c20
Instruction ID: 7c37791f634a82759e4cc75f05e789a5555426b5a490053cb838fe875b53176d
Opcode Fuzzy Hash: 041108094568A31EE56978080947F3721865B07A61C4A77A03AF31B3DACD443147FB69
Instruction Fuzzy Hash: 7c37791f634a82759e4cc75f05e789a5555426b5a490053cb838fe875b53176d

APIs

ImageList_DrawEx.COMCTL32(00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,?), ref: 00448AF3

Part of subcall function 0042535C: FillRect.USER32(?,00000000,00000000), ref: 00425385

ImageList_DrawEx.COMCTL32(00000000,?,00000000,00000000,00000000,00000000,00000000,000000FF,00000000,00000000), ref: 00448B94
SetTextColor.GDI32(00000000,00FFFFFF), ref: 00448BE1
SetBkColor.GDI32(00000000,00000000), ref: 00448BE9
BitBlt.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00E20746), ref: 00448C0E
SetTextColor.GDI32(00000000,00FFFFFF), ref: 00448C2F
SetBkColor.GDI32(00000000,00000000), ref: 00448C37
BitBlt.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00E20746), ref: 00448C5A

Part of subcall function 00448A6C: ImageList_GetBkColor.COMCTL32(00000000,?,00448ACD,00000000,?), ref: 00448A82

Strings

6B, xrefs: 00448B05

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A8AC, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 146 Total matches: 45fileprocesssynchronization

Similarity

Total matches: 45
API ID: CloseHandle$CreateFile$CreateProcessWaitForSingleObject
String ID: D
API String ID: 1169714791-2746444292
Opcode ID: 9fb844b51f751657abfdf9935c21911306aa385a3997c9217fbe2ce6b668f812
Instruction ID: 79e473b7fda91be69f4d7f417df14a4c992ec25b9310636d694ca9e09f5cc5b6
Opcode Fuzzy Hash: 4D11E6431384F3F3F1A567002C8275185D6DB45A78E6D9752D6B6323EECB40A16CF94A
Instruction Fuzzy Hash: 79e473b7fda91be69f4d7f417df14a4c992ec25b9310636d694ca9e09f5cc5b6

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000004,00000100,00000000), ref: 0048A953
CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000002,00000100,00000000), ref: 0048A98D
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000110,00000000,00000000,00000044,?), ref: 0048AA10
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0048AA2D
CloseHandle.KERNEL32(00000000), ref: 0048AA68
CloseHandle.KERNEL32(00000000), ref: 0048AA77
CloseHandle.KERNEL32(00000000), ref: 0048AA86
CloseHandle.KERNEL32(00000000), ref: 0048AA95

Strings

D, xrefs: 0048A9BB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00483468, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 118 Total matches: 10networkthread

Similarity

Total matches: 10
API ID: InternetCloseHandle$ExitThreadInternetOpenInternetOpenUrl
String ID: Times.$[.exe]$H4H$myappname
API String ID: 1533170427-2018508691
Opcode ID: 9bfd80528866c3fa2248181b1ccb48c134560f4eab1f6b9a7ba83a7f0698ff3d
Instruction ID: 5d8c8af60e1396200864222ed7d4265ca944ca2bef987cfa67465281aeb1ae53
Opcode Fuzzy Hash: 5201284087779767E0713A843C83BA64057AF53F79E88AB6006383B6C28D5E501EFE1E
Instruction Fuzzy Hash: 5d8c8af60e1396200864222ed7d4265ca944ca2bef987cfa67465281aeb1ae53

APIs

InternetOpenA.WININET(myappname,00000000,00000000,00000000,00000000), ref: 0048350C
InternetOpenUrlA.WININET(?,00000000,00000000,00000000,00000000,00000000), ref: 00483537
InternetCloseHandle.WININET(00000000), ref: 0048353D
InternetCloseHandle.WININET(?), ref: 00483553

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000, Times.,?,?,00000000,00483684,?,BTRESULTVisit URL|finished to visit ,?,004835AC,?,myappname,00000000,00000000,00000000,00000000), ref: 0048359F

Strings

myappname, xrefs: 00483507
H4H, xrefs: 00483497, 0048361C
BTRESULTVisit URL|finished to visit , xrefs: 00483558
Times., xrefs: 0048357D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F3B8, Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 110 Total matches: 30

Similarity

Total matches: 30
API ID: GetWindowPlacementGetWindowText
String ID: ,$False$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive
API String ID: 3194812178-3661939895
Opcode ID: 6e67ebc189e59b109926b976878c05c5ff8e56a7c2fe83319816f47c7d386b2c
Instruction ID: 05c2a068ec8248d3d24fb73124f2ba0192b7bb261c799db9564259cde8fcc610
Opcode Fuzzy Hash: DC012BC22786CE23E606A9C47A00BD0CE65AFB261CCC867E14FEE3C5D57ED100089B96
Instruction Fuzzy Hash: 05c2a068ec8248d3d24fb73124f2ba0192b7bb261c799db9564259cde8fcc610

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F40E
GetWindowPlacement.USER32(?,0000002C), ref: 0046F429

Part of subcall function 0046F148: GetWindow.USER32(?,00000005), ref: 0046F156
Part of subcall function 0046F148: GetWindow.USER32(00000000,00000002), ref: 0046F164

Strings

Maximized, xrefs: 0046F439
,, xrefs: 0046F41D
False, xrefs: 0046F4D6
Show/Unactive, xrefs: 0046F475
Normal, xrefs: 0046F44D
Minimized, xrefs: 0046F461
Normal/Unactive, xrefs: 0046F489

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00456278, Relevance: 15.2, APIs: 10, Instructions: 197 Total matches: 3025

Similarity

Total matches: 3025
API ID: GetWindowLong$IntersectClipRectRestoreDCSaveDC
String ID:
API String ID: 3006731778-0
Opcode ID: 42e9e34b880910027b3e3a352b823e5a85719ef328f9c6ea61aaf2d3498d6580
Instruction ID: 4204c0258dd60c0c2688d7e8ce7edc9cd036ce1826430425374ca7ebdb7834a4
Opcode Fuzzy Hash: 4621F609168D5267EC7B75806993BAA7111FB82B88CD1F7321AA1171975B80204BFA07
Instruction Fuzzy Hash: 4204c0258dd60c0c2688d7e8ce7edc9cd036ce1826430425374ca7ebdb7834a4

APIs

SaveDC.GDI32(?), ref: 00456295

Part of subcall function 0044EEA0: GetWindowOrgEx.GDI32(?), ref: 0044EEAE
Part of subcall function 0044EEA0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044EEC4

IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 004562CE
GetWindowLongA.USER32(00000000,000000EC), ref: 004562E2
GetWindowLongA.USER32(00000000,000000F0), ref: 00456303

Part of subcall function 00456278: SetRect.USER32(00000010,00000000,00000000,?,?), ref: 00456363
Part of subcall function 00456278: IntersectClipRect.GDI32(?,00000000,00000000,00000010,?), ref: 004563D3
Part of subcall function 00456278: SetRect.USER32(?,00000000,00000000,?,?), ref: 004563F4
Part of subcall function 00456278: DrawEdge.USER32(?,?,00000000,00000000), ref: 00456403
Part of subcall function 00456278: IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0045642C

RestoreDC.GDI32(?,?), ref: 004564AB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043F2B8, Relevance: 15.1, APIs: 10, Instructions: 133 Total matches: 142window

Similarity

Total matches: 142
API ID: GetWindowLongSendMessageSetWindowLong$GetClassLongGetSystemMenuSetClassLongSetWindowPos
String ID:
API String ID: 864553395-0
Opcode ID: 9ab73d602731c043e05f06fe9a833ffc60d2bf7da5b0a21ed43778f35c9aa1f5
Instruction ID: 86e40c6f39a8dd384175e0123e2dc7e82ae64037638b8220b5ac0861a23d6a34
Opcode Fuzzy Hash: B101DBAA1A176361E0912DCCCAC3B2ED50DB743248EB0DBD922E11540E7F4590A7FE2D
Instruction Fuzzy Hash: 86e40c6f39a8dd384175e0123e2dc7e82ae64037638b8220b5ac0861a23d6a34

APIs

GetWindowLongA.USER32(00000000,000000F0), ref: 0043F329
GetWindowLongA.USER32(00000000,000000EC), ref: 0043F33B
GetClassLongA.USER32(00000000,000000E6), ref: 0043F34E
SetWindowLongA.USER32(00000000,000000F0,00000000), ref: 0043F38E
SetWindowLongA.USER32(00000000,000000EC,?), ref: 0043F3A2
SetClassLongA.USER32(00000000,000000E6,?), ref: 0043F3B6
SendMessageA.USER32(00000000,00000080,00000001,00000000), ref: 0043F3F0
SendMessageA.USER32(00000000,00000080,00000001,00000000), ref: 0043F408
GetSystemMenu.USER32(00000000,000000FF), ref: 0043F417
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043F440

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044155C, Relevance: 15.1, APIs: 10, Instructions: 74 Total matches: 3192window

Similarity

Total matches: 3192
API ID: DeleteMenu$EnableMenuItem$GetSystemMenu
String ID:
API String ID: 3542995237-0
Opcode ID: 6b257927fe0fdeada418aad578b82fbca612965c587f2749ccb5523ad42afade
Instruction ID: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578
Opcode Fuzzy Hash: 0AF0D09DD98F1151E6F500410C47B83C08AFF413C5C245B380583217EFA9D25A5BEB0E
Instruction Fuzzy Hash: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 004415A7
DeleteMenu.USER32(00000000,0000F130,00000000), ref: 004415C5
DeleteMenu.USER32(00000000,00000007,00000400), ref: 004415D2
DeleteMenu.USER32(00000000,00000005,00000400), ref: 004415DF
DeleteMenu.USER32(00000000,0000F030,00000000), ref: 004415EC
DeleteMenu.USER32(00000000,0000F020,00000000), ref: 004415F9
DeleteMenu.USER32(00000000,0000F000,00000000), ref: 00441606
DeleteMenu.USER32(00000000,0000F120,00000000), ref: 00441613
EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 00441631
EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 0044164D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040281E, Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 188 Total matches: 190window

Similarity

Total matches: 190
API ID: MessageBox
String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
API String ID: 1250089747-980038931
Opcode ID: 1669ecd234b97cdbd14c3df7a35b1e74c6856795be7635a3e0f5130a3d9bc831
Instruction ID: 2e60dbe28dcd1d3aa5670394eea0bc97309ab4bc9661f15f320bab8b5d4cd559
Opcode Fuzzy Hash: 8E21F44B67EED392D3EA1303384575540E3ABC5537D888F60977232BF6EE14140BAA9D
Instruction Fuzzy Hash: 2e60dbe28dcd1d3aa5670394eea0bc97309ab4bc9661f15f320bab8b5d4cd559

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 00402BBE

Strings

An unexpected memory leak has occurred. , xrefs: 00402980
, xrefs: 00402B04
The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402B39
The unexpected small block leaks are:, xrefs: 004029F7
Unexpected Memory Leak, xrefs: 00402BB0
7, xrefs: 00402991
bytes: , xrefs: 00402A4D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004710F0, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 66 Total matches: 37

Similarity

Total matches: 37
API ID: GetWindowShowWindow$FindWindowGetClassName
String ID: BUTTON$Shell_TrayWnd
API String ID: 2948047570-3627955571
Opcode ID: 9e064d9ead1b610c0c1481de5900685eb7d76be14ef2e83358ce558d27e67668
Instruction ID: d360bd029940f6fa4d12d7627fe3e8b46839e67e31e965d43504e39a11938d6c
Opcode Fuzzy Hash: 68E092CC17B5D469B71A2789284236241D5C763A35C18B752D332376DF8E58021EE60A
Instruction Fuzzy Hash: d360bd029940f6fa4d12d7627fe3e8b46839e67e31e965d43504e39a11938d6c

APIs

FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 0047111D
GetWindow.USER32(00000000,00000005), ref: 00471125
GetClassNameA.USER32(00000000,?,00000080), ref: 0047113D
ShowWindow.USER32(00000000,00000001), ref: 0047117C
ShowWindow.USER32(00000000,00000000), ref: 00471186
GetWindow.USER32(00000000,00000002), ref: 0047118E

Strings

BUTTON, xrefs: 00471168
Shell_TrayWnd, xrefs: 00471118

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040DA34, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 56 Total matches: 16filewindow

Similarity

Total matches: 16
API ID: GetStdHandleWriteFile$CharToOemLoadStringMessageBox
String ID: LPI
API String ID: 3807148645-863635926
Opcode ID: 539cd2763de28bf02588dbfeae931fa34031625c31423c558e1c96719d1f86e4
Instruction ID: 5b0ab8211e0f5c40d4b1780363d5c9b524eff0228eb78845b7b0cb7c9884c59c
Opcode Fuzzy Hash: B1E09A464E3CA62353002E1070C6B892287EF4302E93833828A11787D74E3104E9A21C
Instruction Fuzzy Hash: 5b0ab8211e0f5c40d4b1780363d5c9b524eff0228eb78845b7b0cb7c9884c59c

APIs

Part of subcall function 0040D8AC: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040D8C9
Part of subcall function 0040D8AC: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040D8ED
Part of subcall function 0040D8AC: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040D908
Part of subcall function 0040D8AC: LoadStringA.USER32(00000000,0000FFED,?,00000100), ref: 0040D99E

CharToOemA.USER32(?,?), ref: 0040DA6B
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,0040E1ED,0040E312,0040FDD4,00000000,0040FF18), ref: 0040DA88
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?), ref: 0040DA8E
GetStdHandle.KERNEL32(000000F4,0040DAF8,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,0040E1ED,0040E312,0040FDD4,00000000,0040FF18), ref: 0040DAA3
WriteFile.KERNEL32(00000000,000000F4,0040DAF8,00000002,?), ref: 0040DAA9
LoadStringA.USER32(00000000,0000FFEE,?,00000040), ref: 0040DACB
MessageBoxA.USER32(00000000,?,?,00002010), ref: 0040DAE1

Strings

LPI, xrefs: 0040DA48

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004564D0, Relevance: 13.7, APIs: 9, Instructions: 177 Total matches: 190window

Similarity

Total matches: 190
API ID: SelectObject$BeginPaintBitBltCreateCompatibleBitmapCreateCompatibleDCSetWindowOrgEx
String ID:
API String ID: 1616898104-0
Opcode ID: 00b711a092303d63a394b0039c66d91bff64c6bf82b839551a80748cfcb5bf1e
Instruction ID: 1affb125a654ca7596d0e4f6c4811def945eff925a29ebecd1c68cf0f38a7913
Opcode Fuzzy Hash: 14115B85024DA637E8739CC85E83F962294F307D48C91F7729BA31B2C72F15600DD293
Instruction Fuzzy Hash: 1affb125a654ca7596d0e4f6c4811def945eff925a29ebecd1c68cf0f38a7913

APIs

Part of subcall function 00455D50: BeginPaint.USER32(00000000,?), ref: 00455D7B
Part of subcall function 00455D50: SaveDC.GDI32(00000000), ref: 00455DB4
Part of subcall function 00455D50: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 00455E36
Part of subcall function 00455D50: RestoreDC.GDI32(00000000,00000000), ref: 00455E6C
Part of subcall function 00455D50: EndPaint.USER32(00000000,?), ref: 00455EA9

BeginPaint.USER32(00000000,?), ref: 004565EA
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00456600
CreateCompatibleDC.GDI32(00000000), ref: 00456617
SelectObject.GDI32(?,?), ref: 00456627
SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0045664B

Part of subcall function 004564D0: BeginPaint.USER32(00000000,?), ref: 0045653C
Part of subcall function 004564D0: EndPaint.USER32(00000000,?), ref: 004565D0

BitBlt.GDI32(00000000,?,?,?,?,?,?,?,00CC0020), ref: 00456699
SelectObject.GDI32(?,?), ref: 004566B3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004840D8, Relevance: 13.6, APIs: 9, Instructions: 150 Total matches: 30

Similarity

Total matches: 30
API ID: CloseHandleGetTokenInformationLookupAccountSid$GetLastErrorOpenProcessOpenProcessToken
String ID:
API String ID: 1387212650-0
Opcode ID: 55fc45e655e8bcad6bc41288bae252f5ee7be0b7cb976adfe173a6785b05be5f
Instruction ID: 4c6b5abeafcca947752a893948ed48d42e020b1fe5683f4a654fc51f6199c0a3
Opcode Fuzzy Hash: 3901484A17CA2293F53BB5C82483FEA1215E702B45D48B7A354F43A59A5F45A13BF702
Instruction Fuzzy Hash: 4c6b5abeafcca947752a893948ed48d42e020b1fe5683f4a654fc51f6199c0a3

APIs

OpenProcess.KERNEL32(00000400,00000000,?,00000000,00484275), ref: 00484108
OpenProcessToken.ADVAPI32(00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 0048411E
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,?,00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 00484139
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),?,?,?,?,TokenIntegrityLevel,00000000,00000000,?,00000000,00000008,?,00000400,00000000), ref: 00484168
GetLastError.KERNEL32(?,TokenIntegrityLevel,00000000,00000000,?,00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 00484177
CloseHandle.KERNEL32(?), ref: 00484185
LookupAccountSidA.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 004841B4
LookupAccountSidA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,?), ref: 00484205
CloseHandle.KERNEL32(00000000), ref: 00484255

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00451458, Relevance: 13.6, APIs: 9, Instructions: 122 Total matches: 3040window

Similarity

Total matches: 3040
API ID: PatBlt$SelectObject$GetDCExGetDesktopWindowReleaseDC
String ID:
API String ID: 2402848322-0
Opcode ID: 0b1cd19b0e82695ca21d43bacf455c9985e1afa33c1b29ce2f3a7090b744ccb2
Instruction ID: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593
Opcode Fuzzy Hash: C2F0B4482AADF707C8B6350915C7F79224AED736458F4BB694DB4172CBAF27B014D093
Instruction Fuzzy Hash: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593

APIs

GetDesktopWindow.USER32 ref: 0045148F
GetDCEx.USER32(?,00000000,00000402), ref: 004514A2

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

SelectObject.GDI32(?,00000000), ref: 004514C5
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 004514EB
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0045150D
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 0045152C
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 00451546
SelectObject.GDI32(?,?), ref: 00451553
ReleaseDC.USER32(?,?), ref: 0045156D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00465598, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 194 Total matches: 72libraryloader

Similarity

Total matches: 72
API ID: GetProcAddress$IsBadReadPtrLoadLibrary
String ID: BuildImportTable: GetProcAddress failed$BuildImportTable: ReallocMemory failed$BuildImportTable: can't load library:
API String ID: 1616315271-1384308123
Opcode ID: eb45955122e677bac4d3e7b6686ec9cba9f45ae3ef48f3e0b242e9a0c3719a7c
Instruction ID: d25742ef4bc1d51b96969838743a3f95180d575e7d72d5f7fe617812cb4009d6
Opcode Fuzzy Hash: 0B214C420345E0D3ED39A2081CC7FB15345EF639B4D88AB671ABB667FA2985500AF50D
Instruction Fuzzy Hash: d25742ef4bc1d51b96969838743a3f95180d575e7d72d5f7fe617812cb4009d6

APIs

LoadLibraryA.KERNEL32(00000000), ref: 00465607
GetProcAddress.KERNEL32(?,?), ref: 00465737
GetProcAddress.KERNEL32(?,?), ref: 0046576B
IsBadReadPtr.KERNEL32(?,00000014,00000000,004657D8), ref: 004657A9

Strings

BuildImportTable: can't load library: , xrefs: 00465644
BuildImportTable: ReallocMemory failed, xrefs: 0046568D
BuildImportTable: GetProcAddress failed, xrefs: 0046577C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482E34, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 193 Total matches: 16sleepthread

Similarity

Total matches: 16
API ID: Sleep$CreateThreadExitThread
String ID: .255$127.0.0.1$LanList
API String ID: 1155887905-2919614961
Opcode ID: f9aceb7697053a60f8f2203743265727de6b3c16a25ac160ebf033b594fe70c2
Instruction ID: 67bc21a589158fc7afeef0b5d02271f7d18e2bfc14a4273c93325a5ef21c2c98
Opcode Fuzzy Hash: 62215C820F87955EED616C807C41FA701315FB7649D4FAB622A6B3A1A74E032016B743
Instruction Fuzzy Hash: 67bc21a589158fc7afeef0b5d02271f7d18e2bfc14a4273c93325a5ef21c2c98

APIs

ExitThread.KERNEL32(00000000,00000000,004830D3,?,?,?,?,00000000,00000000), ref: 004830A6

Part of subcall function 00473208: socket.WSOCK32(00000002,00000001,00000000,00000000,00473339), ref: 0047323B
Part of subcall function 00473208: WSAIoctl.WS2_32(000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000), ref: 0047327C
Part of subcall function 00473208: inet_ntoa.WSOCK32(?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000), ref: 004732AC
Part of subcall function 00473208: inet_ntoa.WSOCK32(?,?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001), ref: 004732E8
Part of subcall function 00473208: closesocket.WSOCK32(000000FF,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000,00000000,00473339), ref: 00473319

CreateThread.KERNEL32(00000000,00000000,Function_00082CDC,?,00000000,?), ref: 00483005
Sleep.KERNEL32(00000032,00000000,00000000,Function_00082CDC,?,00000000,?,?,00000000,00000000,00483104,?,00483104,?,00483104,?), ref: 0048300C
Sleep.KERNEL32(00000064,.255,?,00483104,?,00483104,?,?,00000000,004830D3,?,?,?,?,00000000,00000000), ref: 00483054

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

127.0.0.1, xrefs: 00482E9D
LanList, xrefs: 0048306B
.255, xrefs: 0048303C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004117E8, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: f440f800a6dcfa6827f62dcd7c23166eba4d720ac19948e634cff8498f9e3f0b
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 4D113503239AAB83B0257B804C83F24D1D0DE42D36ACD97B8C672693F32601561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00411881
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041189D
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 004118D6
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411953
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0041196C
VariantCopy.OLEAUT32(?), ref: 004119A1

Strings

, xrefs: 00411802

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00454934, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 134 Total matches: 1764registry

Similarity

Total matches: 1764
API ID: GetWindowLong$GetClassInfoRegisterClassSetWindowLongUnregisterClass
String ID: @
API String ID: 2433521760-2766056989
Opcode ID: bb057d11bcffa2997f58ae607b8aec9f6d517787b85221cca69b6bc40098651c
Instruction ID: 4013627ed433dbc6b152acdb164a0da3d29e3622e0b68fd627badcaca3a3b516
Opcode Fuzzy Hash: 5A119C80560CD237E7D669A4B48378513749F97B7CDD0536B63F6242DA4E00402DF96E
Instruction Fuzzy Hash: 4013627ed433dbc6b152acdb164a0da3d29e3622e0b68fd627badcaca3a3b516

APIs

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetClassInfoA.USER32(?,?,?), ref: 004549F8
UnregisterClassA.USER32(?,?), ref: 00454A20
RegisterClassA.USER32(?), ref: 00454A36
GetWindowLongA.USER32(00000000,000000F0), ref: 00454A72
GetWindowLongA.USER32(00000000,000000F4), ref: 00454A87
SetWindowLongA.USER32(00000000,000000F4,00000000), ref: 00454A9A

Part of subcall function 00458910: IsIconic.USER32(?), ref: 0045891F
Part of subcall function 00458910: GetWindowPlacement.USER32(?,0000002C), ref: 0045893C
Part of subcall function 00458910: GetWindowRect.USER32(?), ref: 00458955
Part of subcall function 00458910: GetWindowLongA.USER32(?,000000F0), ref: 00458963
Part of subcall function 00458910: GetWindowLongA.USER32(?,000000F8), ref: 00458978
Part of subcall function 00458910: ScreenToClient.USER32(00000000), ref: 00458985
Part of subcall function 00458910: ScreenToClient.USER32(00000000,?), ref: 00458990

Part of subcall function 0042473C: CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,00424930,?,00000000,00424958), ref: 0042486B
Part of subcall function 0042473C: CreateFontIndirectA.GDI32(?), ref: 0042490D

Part of subcall function 0040F26C: GetLastError.KERNEL32(0040F31C,?,0041BBC3,?), ref: 0040F26C

Strings

@, xrefs: 0045496D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AC14, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 110 Total matches: 30

Similarity

Total matches: 30
API ID: GetCurrentProcessGetTokenInformationLookupPrivilegeDisplayNameLookupPrivilegeNameOpenProcessToken
String ID: GetTokenInformation error$OpenProcessToken error
API String ID: 34442935-1842041635
Opcode ID: 07715b92dc7caf9e715539a578f275bcd2bb60a34190f84cc6cf05c55eb8ea49
Instruction ID: 380ab001647c8b3903b6034fc21424389ae21c1771cfbd9cf9b74ae493e33b6b
Opcode Fuzzy Hash: 9101994303ACF753F62929086842BDA0550DF534A5EC4AB6281746BEC90F28203AFB57
Instruction Fuzzy Hash: 380ab001647c8b3903b6034fc21424389ae21c1771cfbd9cf9b74ae493e33b6b

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AD60), ref: 0048AC51
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AD60), ref: 0048AC57
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000320,?,00000000,00000028,?,00000000,0048AD60), ref: 0048AC7D
LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,00000000,000000FF,?), ref: 0048ACEE

Part of subcall function 00489B40: MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00489B84

LookupPrivilegeNameA.ADVAPI32(00000000,?,00000000,000000FF), ref: 0048ACDD

Strings

GetTokenInformation error, xrefs: 0048AC86
OpenProcessToken error, xrefs: 0048AC60

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0041F7B4, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109 Total matches: 16thread

Similarity

Total matches: 16
API ID: EnterCriticalSectionGetCurrentThreadId$InterlockedExchangeLeaveCriticalSection
String ID: 4PI
API String ID: 853095497-1771581502
Opcode ID: e7ac2c5012fa839d146893c0705f22c4635eb548c5d0be0363ce03b581d14a20
Instruction ID: e450c16710015a04d827bdf36dba62923dd4328c0a0834b889eda6f9c026b195
Opcode Fuzzy Hash: 46F0268206D8F1379472678830D77370A8AC33154EC85EB52162C376EB1D05D05DE75B
Instruction Fuzzy Hash: e450c16710015a04d827bdf36dba62923dd4328c0a0834b889eda6f9c026b195

APIs

GetCurrentThreadId.KERNEL32 ref: 0041F7BF
GetCurrentThreadId.KERNEL32 ref: 0041F7CE
EnterCriticalSection.KERNEL32(004999D0,0041F904,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F8F7

Part of subcall function 0041F774: WaitForSingleObject.KERNEL32(000000EC), ref: 0041F77E

Part of subcall function 0041F768: ResetEvent.KERNEL32(000000EC,0041F809), ref: 0041F76E

EnterCriticalSection.KERNEL32(004999D0), ref: 0041F813
InterlockedExchange.KERNEL32(00491B2C,?), ref: 0041F82F
LeaveCriticalSection.KERNEL32(004999D0,00000000,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F888

Strings

4PI, xrefs: 0041F7C4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00449834, Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 80 Total matches: 16libraryloader

Similarity

Total matches: 16
API ID: GetModuleHandleGetProcAddressImageList_Write
String ID: $qA$ImageList_WriteEx$[FILE]$[FILE]
API String ID: 3028349119-1134023085
Opcode ID: 9b6b780f1487285524870f905d0420896c1378cf45dbecae2d97141bf0e14d48
Instruction ID: 043155abd17610354dead4f4dd3580dd0e6203469d1d2f069e389e4af6e4a666
Opcode Fuzzy Hash: 29F059C6A0CCF14AE7175584B0AB66107F0BB9DD5F8C87710081C710A90F95A13DFB56
Instruction Fuzzy Hash: 043155abd17610354dead4f4dd3580dd0e6203469d1d2f069e389e4af6e4a666

APIs

ImageList_Write.COMCTL32(00000000,?,00000000,0044992E), ref: 004498F8

Part of subcall function 0040E3A4: GetFileVersionInfoSizeA.VERSION(00000000,?,00000000,0040E47A), ref: 0040E3E6
Part of subcall function 0040E3A4: GetFileVersionInfoA.VERSION(00000000,?,00000000,?,00000000,0040E45D,?,00000000,?,00000000,0040E47A), ref: 0040E41B
Part of subcall function 0040E3A4: VerQueryValueA.VERSION(?,0040E48C,?,?,00000000,?,00000000,?,00000000,0040E45D,?,00000000,?,00000000,0040E47A), ref: 0040E435

GetModuleHandleA.KERNEL32(comctl32.dll), ref: 00449868
GetProcAddress.KERNEL32(00000000,ImageList_WriteEx,comctl32.dll), ref: 00449879

Strings

comctl32.dll, xrefs: 00449863
ImageList_WriteEx, xrefs: 00449873
$qA, xrefs: 004498D4, 00449909
comctl32.dll, xrefs: 00449848

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E4A0, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68 Total matches: 2853string

Similarity

Total matches: 2853
API ID: GetSystemMetrics$GetMonitorInfoSystemParametersInfolstrcpy
String ID: DISPLAY$GetMonitorInfo
API String ID: 3432438702-1633989206
Opcode ID: eae47ffeee35c10db4cae29e8a4ab830895bcae59048fb7015cdc7d8cb0a928b
Instruction ID: 74142331967dee0409fd24cf408a58a7466f2520650418456c75ade1e3029da4
Opcode Fuzzy Hash: 28E068803A699081F86A71027110F4912B07AE7E47D883B92C4777051BD78265B91D01
Instruction Fuzzy Hash: 74142331967dee0409fd24cf408a58a7466f2520650418456c75ade1e3029da4

APIs

GetMonitorInfoA.USER32(?,?), ref: 0042E4D1
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042E4F8
GetSystemMetrics.USER32(00000000), ref: 0042E50D
GetSystemMetrics.USER32(00000001), ref: 0042E518
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0042E542

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

DISPLAY, xrefs: 0042E539
GetMonitorInfo, xrefs: 0042E4B8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E574, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 68 Total matches: 14string

Similarity

Total matches: 14
API ID: GetSystemMetrics$SystemParametersInfolstrcpy
String ID: DISPLAY$GetMonitorInfoA$tB
API String ID: 920390751-4256241499
Opcode ID: 9a94b6fb1edcb78a0c9a66795ebd84d1eeb67d07ab6805deb2fcd0b49b846e84
Instruction ID: eda70eb6c6723b3d8ed12733fddff3b40501d2063d2ec80ebb02aba850291404
Opcode Fuzzy Hash: 78E068C132298081B86A31013160F42129039E7E17E883BC1D4F77056B8B8275651D08
Instruction Fuzzy Hash: eda70eb6c6723b3d8ed12733fddff3b40501d2063d2ec80ebb02aba850291404

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042E5CC
GetSystemMetrics.USER32(00000000), ref: 0042E5E1
GetSystemMetrics.USER32(00000001), ref: 0042E5EC
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0042E616

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

GetMonitorInfoA, xrefs: 0042E58C
tB, xrefs: 0042E591, 0042E59E, 0042E5A5
DISPLAY, xrefs: 0042E60D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E648, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 68 Total matches: 10string

Similarity

Total matches: 10
API ID: GetSystemMetrics$SystemParametersInfolstrcpy
String ID: DISPLAY$GetMonitorInfoW$HB
API String ID: 920390751-4214253287
Opcode ID: 39694e9d9e018d210cdbb9f258b89a02c97d0963af088e59ad359ed5c593a5a2
Instruction ID: 715dbc0accc45c62a460a5bce163b1305142a94d166b4e77b7d7de915e09a29c
Opcode Fuzzy Hash: C6E0D8802269D0C5B86A71013254F4712E53EFBF57C8C3B51D5737156A5782A6B51D11
Instruction Fuzzy Hash: 715dbc0accc45c62a460a5bce163b1305142a94d166b4e77b7d7de915e09a29c

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042E6A0
GetSystemMetrics.USER32(00000000), ref: 0042E6B5
GetSystemMetrics.USER32(00000001), ref: 0042E6C0
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0042E6EA

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

GetMonitorInfoW, xrefs: 0042E660
HB, xrefs: 0042E665, 0042E672, 0042E679
DISPLAY, xrefs: 0042E6E1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004052FC, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38 Total matches: 3072filewindow

Similarity

Total matches: 3072
API ID: GetStdHandleWriteFile$MessageBox
String ID: Error$Runtime error at 00000000
API String ID: 877302783-2970929446
Opcode ID: a2f2a555d5de0ed3a3cdfe8a362fd9574088acc3a5edf2b323f2c4251b80d146
Instruction ID: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97
Opcode Fuzzy Hash: FED0A7C68438479FA141326030C4B2A00133F0762A9CC7396366CB51DFCF4954BCDD05
Instruction Fuzzy Hash: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405335
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 0040533B
GetStdHandle.KERNEL32(000000F5,00405384,00000002,?,00000000,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405350
WriteFile.KERNEL32(00000000,000000F5,00405384,00000002,?), ref: 00405356
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00405374

Strings

Error, xrefs: 00405368
Runtime error at 00000000, xrefs: 0040532E, 0040536D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00442C9C, Relevance: 12.2, APIs: 8, Instructions: 154 Total matches: 2310window

Similarity

Total matches: 2310
API ID: SendMessage$GetActiveWindowGetCapture$ReleaseCapture
String ID:
API String ID: 3360342259-0
Opcode ID: 2e7a3c9d637816ea08647afd4d8ce4a3829e05fa187c32cef18f4a4206af3d5d
Instruction ID: f313f7327938110f0d474da6a120560d1e1833014bacf3192a9076ddb3ef11f7
Opcode Fuzzy Hash: 8F1150111E8E7417F8A3A1C8349BB23A067F74FA59CC0BF71479A610D557588869D707
Instruction Fuzzy Hash: f313f7327938110f0d474da6a120560d1e1833014bacf3192a9076ddb3ef11f7

APIs

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetCapture.USER32 ref: 00442D0D
GetCapture.USER32 ref: 00442D1C
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00442D22
ReleaseCapture.USER32 ref: 00442D27
GetActiveWindow.USER32 ref: 00442D78

Part of subcall function 004442A8: GetCursorPos.USER32 ref: 004442C3
Part of subcall function 004442A8: WindowFromPoint.USER32(?,?), ref: 004442D0
Part of subcall function 004442A8: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004442DE
Part of subcall function 004442A8: GetCurrentThreadId.KERNEL32(00000000,00000000,?,?), ref: 004442E5
Part of subcall function 004442A8: SendMessageA.USER32(00000000,00000084,00000000,?), ref: 0044430E
Part of subcall function 004442A8: SendMessageA.USER32(00000000,00000020,00000000,?), ref: 00444320
Part of subcall function 004442A8: SetCursor.USER32(00000000), ref: 00444332

Part of subcall function 0043B920: GetCurrentThreadId.KERNEL32(0043B8D0,00000000,00000000,0043B993,?,00000000,0043B9D1), ref: 0043B976
Part of subcall function 0043B920: EnumThreadWindows.USER32(00000000,0043B8D0,00000000), ref: 0043B97C

SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00442E0E
SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00442E7B
GetActiveWindow.USER32 ref: 00442E8A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E0DC, Relevance: 12.1, APIs: 8, Instructions: 100 Total matches: 31registry

Similarity

Total matches: 31
API ID: RegOpenKeyEx$RegCloseKeyRegDeleteValue
String ID:
API String ID: 2702562355-0
Opcode ID: ff1bffc0fc9da49c543c68ea8f8c068e074332158ed00d7e0855fec77d15ce10
Instruction ID: bb6f8a9e936068d281b70d3ea2ea02ff1a791729bc38357734c580253c916b5c
Opcode Fuzzy Hash: 00F0AD0155E9A353EBF654C41E127DB2082FF43A44D08FFB50392139D3DF581028E663
Instruction Fuzzy Hash: bb6f8a9e936068d281b70d3ea2ea02ff1a791729bc38357734c580253c916b5c

APIs

RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?,00000000,0046E238), ref: 0046E15A
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,000F003F,?,0046E23F,80000000,00000000,00000000,000F003F,?,00000000,0046E238), ref: 0046E17D
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,0046E23F,80000000,00000000,00000000,000F003F,?), ref: 0046E19D
RegOpenKeyExA.ADVAPI32(80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,0046E23F), ref: 0046E1BD
RegOpenKeyExA.ADVAPI32(80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001), ref: 0046E1DD
RegOpenKeyExA.ADVAPI32(80000006,00000000,00000000,000F003F,?,80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002), ref: 0046E1FD
RegDeleteValueA.ADVAPI32(?,00000000,00000000,0046E238), ref: 0046E20F
RegCloseKey.ADVAPI32(?,?,00000000,00000000,0046E238), ref: 0046E218

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004462F4, Relevance: 12.1, APIs: 8, Instructions: 99 Total matches: 293windowthread

Similarity

Total matches: 293
API ID: SendMessage$GetWindowThreadProcessId$GetCaptureGetParentIsWindowUnicode
String ID:
API String ID: 2317708721-0
Opcode ID: 8f6741418f060f953fc426fb00df5905d81b57fcb2f7a38cdc97cb0aab6d7365
Instruction ID: 027f2b09132ef415e1641618d15c0fc03404835376b0cbd1c352fc703b58c8b5
Opcode Fuzzy Hash: D0F09E15071D1844F89FA7844CD3F1F0150E73726FC516A251861D07BB2640586DEC40
Instruction Fuzzy Hash: 027f2b09132ef415e1641618d15c0fc03404835376b0cbd1c352fc703b58c8b5

APIs

GetCapture.USER32 ref: 0044631A
GetParent.USER32(00000000), ref: 00446340
IsWindowUnicode.USER32(00000000), ref: 0044635D
SendMessageW.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446378
SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446397
GetWindowThreadProcessId.USER32(00000000), ref: 004463A6
GetWindowThreadProcessId.USER32(?,?), ref: 004463B4
SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 004463D4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E244, Relevance: 12.1, APIs: 8, Instructions: 95 Total matches: 27registry

Similarity

Total matches: 27
API ID: RegOpenKeyEx$RegCloseKeyRegDeleteKey
String ID:
API String ID: 1588268847-0
Opcode ID: efa1fa3a126963e045954320cca245066a4b5764b694b03be027155e6cf74c33
Instruction ID: 786d86d630c0ce6decb55c8266b1f23f89dbfeab872e22862efc69a80fb541cf
Opcode Fuzzy Hash: 70F0810454D99393EFF268C81A627EB2492FF53141C00BFB603D222A93DF191428E663
Instruction Fuzzy Hash: 786d86d630c0ce6decb55c8266b1f23f89dbfeab872e22862efc69a80fb541cf

APIs

RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?,00000000,0046E391), ref: 0046E2B7
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,000F003F,?,80000000,00000000,00000000,000F003F,?,00000000,0046E391), ref: 0046E2DA
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,80000000,00000000,00000000,000F003F,?,00000000), ref: 0046E2FA
RegOpenKeyExA.ADVAPI32(80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,80000000), ref: 0046E31A
RegOpenKeyExA.ADVAPI32(80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001), ref: 0046E33A
RegOpenKeyExA.ADVAPI32(80000006,00000000,00000000,000F003F,?,80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002), ref: 0046E35A
RegDeleteKeyA.ADVAPI32(?,0046E39C), ref: 0046E368
RegCloseKey.ADVAPI32(?,?,0046E39C,00000000,0046E391), ref: 0046E371

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426060, Relevance: 12.1, APIs: 8, Instructions: 79 Total matches: 3072window

Similarity

Total matches: 3072
API ID: GetSystemPaletteEntries$GetDCGetDeviceCapsReleaseDC
String ID:
API String ID: 3774187343-0
Opcode ID: c8a1f0028bda89d06ba34fecd970438ce26e4f5bd606e2da3d468695089984a8
Instruction ID: 0cfe958825060108f21fe327ec74807f3ea840bb8274bad68fd1d00675d59d02
Opcode Fuzzy Hash: 82F0E9420739F3B3B21723492453B548250FF006B8F195B7095A2A37D54B486A08D65A
Instruction Fuzzy Hash: 0cfe958825060108f21fe327ec74807f3ea840bb8274bad68fd1d00675d59d02

APIs

GetDC.USER32(00000000), ref: 0042608E
GetDeviceCaps.GDI32(?,00000068), ref: 004260AA
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 004260C9
GetSystemPaletteEntries.GDI32(?,-00000008,00000001,00C0C0C0), ref: 004260ED
GetSystemPaletteEntries.GDI32(?,00000000,00000007,?), ref: 0042610B
GetSystemPaletteEntries.GDI32(?,00000007,00000001,?), ref: 0042611F
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0042613F
ReleaseDC.USER32(00000000,?), ref: 00426157

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434550, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 177 Total matches: 2669window

Similarity

Total matches: 2669
API ID: InsertMenu$GetVersionInsertMenuItem
String ID: ,$?
API String ID: 1158528009-2308483597
Opcode ID: 3691d3eb49acf7fe282d18733ae3af9147e5be4a4a7370c263688d5644077239
Instruction ID: d88e58a9695d0ecde36b26a9ed5775f3b98e27f7dc2108173ae1ec2afbf22209
Opcode Fuzzy Hash: 7021C07202AE81DBD414788C7954F6221B16B5465FD49FF210329B5DD98F156003FF7A
Instruction Fuzzy Hash: d88e58a9695d0ecde36b26a9ed5775f3b98e27f7dc2108173ae1ec2afbf22209

APIs

GetVersion.KERNEL32(00000000,004347A1), ref: 004345EC
InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 004346F5
InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 0043477E

Part of subcall function 00434A54: CreatePopupMenu.USER32 ref: 00434A6F
Part of subcall function 00434A54: CreateMenu.USER32 ref: 00434A79

InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 00434765

Strings

?, xrefs: 00434607
,, xrefs: 00434600

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00488D70, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 139 Total matches: 17window

Similarity

Total matches: 17
API ID: BitBltCreateCompatibleBitmapCreateCompatibleDCCreateDCSelectObject
String ID: image/jpeg
API String ID: 3045076971-3785015651
Opcode ID: dbe4b5206c04ddfa7cec44dd0e3e3f3269a9d8eacf2ec53212285f1a385d973c
Instruction ID: b6a9b81207b66fd46b40be05ec884117bb921c7e8fb4f30b77988d552b54040a
Opcode Fuzzy Hash: 3001BD010F4EF103E475B5CC3853FF7698AEB17E8AD1A77A20CB8961839202A009F607
Instruction Fuzzy Hash: b6a9b81207b66fd46b40be05ec884117bb921c7e8fb4f30b77988d552b54040a

APIs

CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 00488DAA
CreateCompatibleDC.GDI32(?), ref: 00488DC4
CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 00488DDC
SelectObject.GDI32(?,?), ref: 00488DEC
BitBlt.GDI32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,00CC0020), ref: 00488E15

Part of subcall function 0045FB1C: GdipCreateBitmapFromHBITMAP.GDIPLUS(?,?,?), ref: 0045FB43

Part of subcall function 0045FA24: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,0045FA7A), ref: 0045FA54

Strings

image/jpeg, xrefs: 00488E70

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446834, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 138 Total matches: 241window

Similarity

Total matches: 241
API ID: SetWindowPos$GetWindowRectMessageBoxSetActiveWindow
String ID: (
API String ID: 3733400490-3887548279
Opcode ID: 057cc1c80f110adb1076bc5495aef73694a74091f1d008cb79dd59c6bbc78491
Instruction ID: b10abcdf8b99517cb61353ac0e0d7546e107988409174f4fad3563684715349e
Opcode Fuzzy Hash: 88014C110E8D5483B57334902893FAB110AFB8B789C4CF7F65ED25314A4B45612FA657
Instruction Fuzzy Hash: b10abcdf8b99517cb61353ac0e0d7546e107988409174f4fad3563684715349e

APIs

Part of subcall function 00447BE4: GetActiveWindow.USER32 ref: 00447C0B
Part of subcall function 00447BE4: GetLastActivePopup.USER32(?), ref: 00447C1D

GetWindowRect.USER32(?,?), ref: 004468B6
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 004468EE

Part of subcall function 0043B920: GetCurrentThreadId.KERNEL32(0043B8D0,00000000,00000000,0043B993,?,00000000,0043B9D1), ref: 0043B976
Part of subcall function 0043B920: EnumThreadWindows.USER32(00000000,0043B8D0,00000000), ref: 0043B97C

MessageBoxA.USER32(00000000,?,?,?), ref: 0044692D
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0044697D

Part of subcall function 0043B9E4: IsWindow.USER32(?), ref: 0043B9F2
Part of subcall function 0043B9E4: EnableWindow.USER32(?,000000FF), ref: 0043BA01

SetActiveWindow.USER32(00000000), ref: 0044698E

Strings

(, xrefs: 00446893

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446524, Relevance: 10.6, APIs: 7, Instructions: 105 Total matches: 329window

Similarity

Total matches: 329
API ID: PeekMessage$DispatchMessage$IsWindowUnicodeTranslateMessage
String ID:
API String ID: 94033680-0
Opcode ID: 72d0e2097018c2d171db36cd9dd5c7d628984fd68ad100676ade8b40d7967d7f
Instruction ID: b3581f7210794b57d406096c46509e1a6dcc6e0b3c60c7d01b5c3c410123a072
Opcode Fuzzy Hash: A2F0F642161A8221F90E364651E2FC06559E31F39CCD1D3871165A4192DF8573D6F95C
Instruction Fuzzy Hash: b3581f7210794b57d406096c46509e1a6dcc6e0b3c60c7d01b5c3c410123a072

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00446538
IsWindowUnicode.USER32 ref: 0044654C
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0044656D
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00446583

Part of subcall function 00447DD0: GetCapture.USER32 ref: 00447DDA
Part of subcall function 00447DD0: GetParent.USER32(00000000), ref: 00447E08

Part of subcall function 004462A4: TranslateMDISysAccel.USER32(?), ref: 004462E3

Part of subcall function 004462F4: GetCapture.USER32 ref: 0044631A
Part of subcall function 004462F4: GetParent.USER32(00000000), ref: 00446340
Part of subcall function 004462F4: IsWindowUnicode.USER32(00000000), ref: 0044635D
Part of subcall function 004462F4: SendMessageW.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446378
Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446397
Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(00000000), ref: 004463A6
Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(?,?), ref: 004463B4
Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 004463D4

Part of subcall function 0044625C: IsWindowUnicode.USER32(00000000), ref: 00446270
Part of subcall function 0044625C: IsDialogMessageW.USER32(?), ref: 00446281
Part of subcall function 0044625C: IsDialogMessageA.USER32(?,?,00000000,015B8130,00000001,00446607,?,00000000,00000000,00000000,00000001,?,00000000,00000000,00000000,00000000), ref: 00446296

TranslateMessage.USER32 ref: 0044660C
DispatchMessageW.USER32 ref: 00446618
DispatchMessageA.USER32 ref: 00446620

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004282D0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99 Total matches: 1938

Similarity

Total matches: 1938
API ID: GetWinMetaFileBitsMulDiv$GetDC
String ID: `
API String ID: 1171737091-2679148245
Opcode ID: 97e0afb71fd3017264d25721d611b96d1ac3823582e31f119ebb41a52f378edb
Instruction ID: fd1c75cb27f8ccc4a85bc281ca680933f7ff10ae91a160973978cac80d6b42b6
Opcode Fuzzy Hash: B6F0ACC4008CD2A7D87675DC1043F6311C897CA286E89BB739226A7307CB0AA019EC47
Instruction Fuzzy Hash: fd1c75cb27f8ccc4a85bc281ca680933f7ff10ae91a160973978cac80d6b42b6

APIs

MulDiv.KERNEL32(?,?,000009EC), ref: 00428322
MulDiv.KERNEL32(?,?,000009EC), ref: 00428339
GetDC.USER32(00000000), ref: 00428350
GetWinMetaFileBits.GDI32(?,00000000,00000000,00000008,?), ref: 00428374
GetWinMetaFileBits.GDI32(?,?,?,00000008,?), ref: 004283A7

Part of subcall function 00425A70: GetLastError.KERNEL32(00000000,00425B0C), ref: 00425A90
Part of subcall function 00425A70: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00425B0C), ref: 00425AB6

Strings

`, xrefs: 00428308

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444344, Relevance: 10.6, APIs: 7, Instructions: 89 Total matches: 2886

Similarity

Total matches: 2886
API ID: CreateFontIndirect$GetStockObjectSystemParametersInfo
String ID:
API String ID: 1286667049-0
Opcode ID: beeb678630a8d2ca0f721ed15124802961745e4c56d7c704ecddf8ebfa723626
Instruction ID: b9276e4cea0afd1028da4d528d34847b13dbaab52dc8e94e54053a20ac38a9fc
Opcode Fuzzy Hash: 00F0A4C36341F6F2D8993208742172161E6A74AE78C7CFF62422930ED2661A052EEB4F
Instruction Fuzzy Hash: b9276e4cea0afd1028da4d528d34847b13dbaab52dc8e94e54053a20ac38a9fc

APIs

SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 00444399
CreateFontIndirectA.GDI32(?), ref: 004443A6
GetStockObject.GDI32(0000000D), ref: 004443BC
SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 004443E5
CreateFontIndirectA.GDI32(?), ref: 004443F5
CreateFontIndirectA.GDI32(?), ref: 0044440E

Part of subcall function 00424A5C: MulDiv.KERNEL32(00000000,?,00000048), ref: 00424A69

GetStockObject.GDI32(0000000D), ref: 00444434

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482B34, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 84 Total matches: 10threadsleepmemory

Similarity

Total matches: 10
API ID: ExitThread$CreateThreadLocalAllocSleep
String ID: p)H
API String ID: 1498127831-2549212939
Opcode ID: 5fd7b773879454cb2e984670c3aa9a0c1db83b86d5d790d4145ccd7f391bc9b7
Instruction ID: 053b5e183048797674ca9cdb15cf17692ed61b26d4291f167cbfa930052dd689
Opcode Fuzzy Hash: 65F02E8147579427749271893D807631168A88B349DC47B618A393E5C35D0EB119F7C6
Instruction Fuzzy Hash: 053b5e183048797674ca9cdb15cf17692ed61b26d4291f167cbfa930052dd689

APIs

ExitThread.KERNEL32(00000000,00000000,00482BF9,?,00000000,00482C2E), ref: 00482BA4
LocalAlloc.KERNEL32(00000040,00000008,00000000,00482BF9,?,00000000,00482C2E), ref: 00482BAD
CreateThread.KERNEL32(00000000,00000000,Function_0008298C,00000000,00000000,?), ref: 00482BD6
Sleep.KERNEL32(00000064,00000000,00000000,Function_0008298C,00000000,00000000,?,00000040,00000008,00000000,00482BF9,?,00000000,00482C2E), ref: 00482BDD
ExitThread.KERNEL32(00000000,00000000,00482BF9,?,00000000,00482C2E), ref: 00482BEA

Strings

p)H, xrefs: 00482B48, 00482C1A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428A00, Relevance: 10.6, APIs: 7, Instructions: 66 Total matches: 3056

Similarity

Total matches: 3056
API ID: SelectObject$CreateCompatibleDCDeleteDCGetDCReleaseDCSetDIBColorTable
String ID:
API String ID: 2399757882-0
Opcode ID: e05996493a4a7703f1d90fd319a439bf5e8e75d5a5d7afaf7582bfea387cb30d
Instruction ID: 90c847b5b2251fbb5b2f14fd0b24f537c214c92e226752d9278a3821f2f40b8f
Opcode Fuzzy Hash: 73E0DF8626D8F38BE435399C15C2BB202EAD763D20D1ABBA1CD712B5DB6B09701CE107
Instruction Fuzzy Hash: 90c847b5b2251fbb5b2f14fd0b24f537c214c92e226752d9278a3821f2f40b8f

APIs

Part of subcall function 004262B4: GetObjectA.GDI32(?,00000004), ref: 004262CB
Part of subcall function 004262B4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 004262EE

GetDC.USER32(00000000), ref: 00428A3E
CreateCompatibleDC.GDI32(?), ref: 00428A4A
SelectObject.GDI32(?), ref: 00428A57
SetDIBColorTable.GDI32(?,00000000,00000000,?), ref: 00428A7B
SelectObject.GDI32(?,?), ref: 00428A95
DeleteDC.GDI32(?), ref: 00428A9E
ReleaseDC.USER32(00000000,?), ref: 00428AA9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004442A8, Relevance: 10.6, APIs: 7, Instructions: 57 Total matches: 3149threadwindow

Similarity

Total matches: 3149
API ID: SendMessage$GetCurrentThreadIdGetCursorPosGetWindowThreadProcessIdSetCursorWindowFromPoint
String ID:
API String ID: 3843227220-0
Opcode ID: 636f8612f18a75fc2fe2d79306f1978e6c2d0ee500cce15a656835efa53532b4
Instruction ID: 91a0691e93be75cbd792bc1c5d11451005bcc187603754b99125f381020161aa
Opcode Fuzzy Hash: 6FE07D44093723D5C0644A295640705A6C6CB96630DC0DB86C339580FBAD0214F0BC92
Instruction Fuzzy Hash: 91a0691e93be75cbd792bc1c5d11451005bcc187603754b99125f381020161aa

APIs

GetCursorPos.USER32 ref: 004442C3
WindowFromPoint.USER32(?,?), ref: 004442D0
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004442DE
GetCurrentThreadId.KERNEL32(00000000,00000000,?,?), ref: 004442E5
SendMessageA.USER32(00000000,00000084,00000000,?), ref: 0044430E
SendMessageA.USER32(00000000,00000020,00000000,?), ref: 00444320
SetCursor.USER32(00000000), ref: 00444332

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00404448, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 49 Total matches: 63registry

Similarity

Total matches: 63
API ID: RegCloseKeyRegOpenKeyExRegQueryValueEx
String ID: &$FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 2249749755-409351
Opcode ID: ab90adbf7b939076b4d26ef1005f34fa32d43ca05e29cbeea890055cc8b783db
Instruction ID: ce62e3bb234767a160e82b0d7d36def6f0e4d1aa0fd43ed305e6d49589b0b3e0
Opcode Fuzzy Hash: 58D02BE10C9A675FB6B071543292B6310A3F72AA8CC0077326DD03A0D64FD26178CF03
Instruction Fuzzy Hash: ce62e3bb234767a160e82b0d7d36def6f0e4d1aa0fd43ed305e6d49589b0b3e0

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040446A
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,&,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040449D
RegCloseKey.ADVAPI32(?,004044C0,00000000,?,00000004,00000000,&,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004044B3

Strings

&, xrefs: 00404476
FPUMaskValue, xrefs: 00404494
SOFTWARE\Borland\Delphi\RTL, xrefs: 00404460

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00488B18, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 49 Total matches: 15

Similarity

Total matches: 15
API ID: GetDeviceCaps$CreateDCEnumDisplayMonitors
String ID: DISPLAY$MONSIZE0x0x0x0
API String ID: 764351534-707749442
Opcode ID: 4ad1b1e031ca4c6641bd4b991acf5b812f9c7536f9f0cc4eb1e7d2354d8ae31a
Instruction ID: 74f5256f7b05cb3d54b39a8883d8df7c51a1bc5999892e39300c9a7f2f74089f
Opcode Fuzzy Hash: 94E0C24F6B8BE4A7600672443C237C2878AA6536918523721CB3E36A93DD472205BA15
Instruction Fuzzy Hash: 74f5256f7b05cb3d54b39a8883d8df7c51a1bc5999892e39300c9a7f2f74089f

APIs

CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 00488B3D
GetDeviceCaps.GDI32(00000000,00000008), ref: 00488B47
GetDeviceCaps.GDI32(00000000,0000000A), ref: 00488B54
EnumDisplayMonitors.USER32(00000000,00000000,004889F0,00000000), ref: 00488B85

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

DISPLAY, xrefs: 00488B6E
MONSIZE0x0x0x0, xrefs: 00488B8C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040F3A4, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 46 Total matches: 17

Similarity

Total matches: 17
API ID: FindResourceLoadResource
String ID: 0PI$DVCLAL
API String ID: 2359726220-2981686760
Opcode ID: 800224e7684f9999f87d4ef9ea60951ae4fbd73f3e4075522447f15a278b71b4
Instruction ID: dff53e867301dc3e22b70d9e69622cb382f13005f1a49077cfe6c5f33cacb54d
Opcode Fuzzy Hash: 8FD0C9D501084285852017F8B253FC7A2AB69DEB19D544BB05EB12D2076F5A613B6A46
Instruction Fuzzy Hash: dff53e867301dc3e22b70d9e69622cb382f13005f1a49077cfe6c5f33cacb54d

APIs

FindResourceA.KERNEL32(00400000,DVCLAL,0000000A), ref: 0040F3C1
LoadResource.KERNEL32(00400000,00000000,00400000,DVCLAL,0000000A), ref: 0040F3CF
FindResourceA.KERNEL32(00400000,DVCLAL,0000000A), ref: 0040F3F3
LoadResource.KERNEL32(00400000,00000000,00400000,DVCLAL,0000000A), ref: 0040F3FA

Strings

0PI, xrefs: 0040F3A8, 0040F3B9, 0040F3C7
DVCLAL, xrefs: 0040F3B4, 0040F3EA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00484B30, Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 176 Total matches: 11sleep

Similarity

Total matches: 11
API ID: Sleep
String ID: BTERRORDownload File| Error on downloading file check if you type the correct url...|$BTRESULTDownload File|Mass Download : File Downloaded , Executing new one in temp dir...|$BTRESULTMass Download|Downloading File...|$DownloadFail$DownloadSuccess
API String ID: 3472027048-992323826
Opcode ID: b42a1814c42657d3903e752c8e34c8bac9066515283203de396ee156d6a45bcc
Instruction ID: deaf5eb2465c82228c6b2b1c1dca6568de82910c53d4747ae395a037cbca2448
Opcode Fuzzy Hash: EA2181291B8DE4A7F43B295C2447B5B11119FC2A9AE8D6BB1377A3F0161A42D019723A
Instruction Fuzzy Hash: deaf5eb2465c82228c6b2b1c1dca6568de82910c53d4747ae395a037cbca2448

APIs

Part of subcall function 0048485C: InternetOpenA.WININET(Mozilla,00000001,00000000,00000000,00000000), ref: 0048490C
Part of subcall function 0048485C: InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,04000000,00000000), ref: 00484944
Part of subcall function 0048485C: HttpQueryInfoA.WININET(00000000,00000013,?,00000200,?), ref: 0048497D
Part of subcall function 0048485C: InternetReadFile.WININET(00000000,?,00000400,?), ref: 00484A04
Part of subcall function 0048485C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 00484A75
Part of subcall function 0048485C: InternetCloseHandle.WININET(00000000), ref: 00484A95

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Sleep.KERNEL32(000007D0,?,?,?,?,?,?,?,00000000,00484D9A,?,?,?,?,00000006,00000000), ref: 00484D38

Part of subcall function 00475BD8: closesocket.WSOCK32(00000248,00000000,00475D47,?,00000000,00475D76,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00475D2E
Part of subcall function 00475BD8: GetCurrentProcessId.KERNEL32(00000248,00000000,00475D47,?,00000000,00475D76,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00475D33

Strings

DownloadFail, xrefs: 00484CBC
BTRESULTMass Download|Downloading File...|, xrefs: 00484C52
BTERRORDownload File| Error on downloading file check if you type the correct url...|, xrefs: 00484D0C
BTRESULTDownload File|Mass Download : File Downloaded , Executing new one in temp dir...|, xrefs: 00484CEA
DownloadSuccess, xrefs: 00484CA2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043EC18, Relevance: 9.2, APIs: 6, Instructions: 150 Total matches: 2896

Similarity

Total matches: 2896
API ID: FillRect$BeginPaintEndPaintGetClientRectGetWindowRect
String ID:
API String ID: 2931688664-0
Opcode ID: 677a90f33c4a0bae1c1c90245e54b31fe376033ebf9183cf3cf5f44c7b342276
Instruction ID: 65c0a0a89661e183b73f48e61e48bee5eb6d6399339ac08e0e21072a38132552
Opcode Fuzzy Hash: 9711994A819E5007F47B49C40887BEA1092FBC1FDBCC8FF7025A426BCB0B60564F860B
Instruction Fuzzy Hash: 65c0a0a89661e183b73f48e61e48bee5eb6d6399339ac08e0e21072a38132552

APIs

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?), ref: 0043EC91
GetClientRect.USER32(00000000,?), ref: 0043ECBC
FillRect.USER32(?,?,00000000), ref: 0043ECDB

Part of subcall function 0043EB8C: CallWindowProcA.USER32(?,?,?,?,?), ref: 0043EBC6

Part of subcall function 0043B78C: GetWindowLongA.USER32(?,000000EC), ref: 0043B799
Part of subcall function 0043B78C: SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B7BC
Part of subcall function 0043B78C: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043B7CE

BeginPaint.USER32(?,?), ref: 0043ED53
GetWindowRect.USER32(?,?), ref: 0043ED80

Part of subcall function 0044EEA0: GetWindowOrgEx.GDI32(?), ref: 0044EEAE
Part of subcall function 0044EEA0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044EEC4

Part of subcall function 00455D50: BeginPaint.USER32(00000000,?), ref: 00455D7B
Part of subcall function 00455D50: SaveDC.GDI32(00000000), ref: 00455DB4
Part of subcall function 00455D50: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 00455E36
Part of subcall function 00455D50: RestoreDC.GDI32(00000000,00000000), ref: 00455E6C
Part of subcall function 00455D50: EndPaint.USER32(00000000,?), ref: 00455EA9

EndPaint.USER32(?,?), ref: 0043EDE0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00441160, Relevance: 9.1, APIs: 6, Instructions: 125 Total matches: 196

Similarity

Total matches: 196
API ID: ExcludeClipRectFillRectGetStockObjectRestoreDCSaveDCSetBkColor
String ID:
API String ID: 3049133588-0
Opcode ID: d6019f6cee828ac7391376ab126a0af33bb7a71103bbd3b8d69450c96d22d854
Instruction ID: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c
Opcode Fuzzy Hash: 54012444004F6253F4AB098428E7FA56083F721791CE4FF310786616C34A74615BAA07
Instruction Fuzzy Hash: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c

APIs

Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE

SaveDC.GDI32(?), ref: 004411AD
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00441234
GetStockObject.GDI32(00000004), ref: 00441256
FillRect.USER32(00000000,?,00000000), ref: 0044126F

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(00000000,00000000), ref: 004412BA

Part of subcall function 0042535C: FillRect.USER32(?,00000000,00000000), ref: 00425385

RestoreDC.GDI32(00000000,?), ref: 004412E5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004556F4, Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 353 Total matches: 9

Similarity

Total matches: 9
API ID: DefWindowProcGetCaptureSetWindowPos_TrackMouseEvent
String ID: zC
API String ID: 1140357208-2078053289
Opcode ID: 4b88ffa7e8dc9e0fc55dcf7c85635e39fbe2c17a2618d5290024c367d42a558d
Instruction ID: b57778f77ef7841f174bad60fd8f5a19220f360e114fd8f1822aba38cb5d359d
Opcode Fuzzy Hash: B2513154458FA692E4B3E0417AA3BD27026F7D178AC84EF3027D9224DB7F15B217AB07
Instruction Fuzzy Hash: b57778f77ef7841f174bad60fd8f5a19220f360e114fd8f1822aba38cb5d359d

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000077), ref: 004557E5
DefWindowProcA.USER32(00000000,?,?,?), ref: 00455AEF

Part of subcall function 0044D640: GetCapture.USER32 ref: 0044D640

_TrackMouseEvent.COMCTL32(00000010), ref: 00455A9D

Part of subcall function 00455640: GetCapture.USER32 ref: 00455653

Part of subcall function 004554F4: GetMessagePos.USER32 ref: 00455503
Part of subcall function 004554F4: GetKeyboardState.USER32(?), ref: 00455600

GetCapture.USER32 ref: 00455B5A

Part of subcall function 00451C28: GetKeyboardState.USER32(?), ref: 00451E90

Strings

zC, xrefs: 0045594E, 0045596C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446070, Relevance: 9.1, APIs: 6, Instructions: 99 Total matches: 165window

Similarity

Total matches: 165
API ID: DefWindowProcIsWindowEnabledSetActiveWindowSetFocusSetWindowPosShowWindow
String ID:
API String ID: 81093956-0
Opcode ID: 91e5e05e051b3e2f023c100c42454c78ad979d8871dc5c9cc7008693af0beda7
Instruction ID: aa6e88dcafe1d9e979c662542ea857fd259aca5c8034ba7b6c524572af4b0f27
Opcode Fuzzy Hash: C2F0DD0025452320F892A8044167FBA60622B5F75ACDCD3282197002AEEFE7507ABF14
Instruction Fuzzy Hash: aa6e88dcafe1d9e979c662542ea857fd259aca5c8034ba7b6c524572af4b0f27

APIs

Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773

SetActiveWindow.USER32(?), ref: 0044608F
ShowWindow.USER32(00000000,00000009), ref: 004460B4
IsWindowEnabled.USER32(00000000), ref: 004460D3
DefWindowProcA.USER32(?,00000112,0000F120,00000000), ref: 004460EC

Part of subcall function 00444C44: ShowWindow.USER32(?,00000006), ref: 00444C5F

SetWindowPos.USER32(?,00000000,00000000,?,?,00445ABE,00000000), ref: 00446132
SetFocus.USER32(00000000), ref: 00446180

Part of subcall function 0043FDB4: ShowWindow.USER32(00000000,?), ref: 0043FDEA

Part of subcall function 00445490: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000213), ref: 004454DE

Part of subcall function 004455EC: EnumWindows.USER32(00445518,00000000), ref: 00445620
Part of subcall function 004455EC: ShowWindow.USER32(?,00000000), ref: 00445655
Part of subcall function 004455EC: ShowOwnedPopups.USER32(00000000,?), ref: 00445684
Part of subcall function 004455EC: ShowWindow.USER32(?,00000005), ref: 004456EA
Part of subcall function 004455EC: ShowOwnedPopups.USER32(00000000,?), ref: 00445719

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426564, Relevance: 9.1, APIs: 6, Instructions: 84 Total matches: 3298

Similarity

Total matches: 3298
API ID: GetDeviceCapsGetSystemMetrics$GetDCReleaseDC
String ID:
API String ID: 3173458388-0
Opcode ID: fd9f4716da230ae71bf1f4ec74ceb596be8590d72bfe1d7677825fa15454f496
Instruction ID: 76208f8db54bfa31a4e946745ab37a866a8afca9cd7e1400b1f436bf5add317d
Opcode Fuzzy Hash: 0CF09E4906CDE0A230E245C41213F6290C28E85DA1CCD2F728175646EB900A900BB68A
Instruction Fuzzy Hash: 76208f8db54bfa31a4e946745ab37a866a8afca9cd7e1400b1f436bf5add317d

APIs

GetSystemMetrics.USER32(0000000B), ref: 004265B2
GetSystemMetrics.USER32(0000000C), ref: 004265BE
GetDC.USER32(00000000), ref: 004265DA
GetDeviceCaps.GDI32(00000000,0000000E), ref: 00426601
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042660E
ReleaseDC.USER32(00000000,00000000), ref: 00426647

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004269DC, Relevance: 9.1, APIs: 6, Instructions: 65 Total matches: 3081window

Similarity

Total matches: 3081
API ID: SelectPalette$CreateCompatibleDCDeleteDCGetDIBitsRealizePalette
String ID:
API String ID: 940258532-0
Opcode ID: c5678bed85b02f593c88b8d4df2de58c18800a354d7fb4845608846d7bc0f30b
Instruction ID: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194
Opcode Fuzzy Hash: BCE0864D058EF36F1875B08C25D267100C0C9A25D0917BB6151282339B8F09B42FE553
Instruction Fuzzy Hash: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194

APIs

Part of subcall function 00426888: GetObjectA.GDI32(?,00000054), ref: 0042689C

CreateCompatibleDC.GDI32(00000000), ref: 004269FE
SelectPalette.GDI32(?,?,00000000), ref: 00426A1F
RealizePalette.GDI32(?), ref: 00426A2B
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 00426A42
SelectPalette.GDI32(?,00000000,00000000), ref: 00426A6A
DeleteDC.GDI32(?), ref: 00426A73

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426210, Relevance: 9.1, APIs: 6, Instructions: 56 Total matches: 3064window

Similarity

Total matches: 3064
API ID: SelectObject$CreateCompatibleDCCreatePaletteDeleteDCGetDIBColorTable
String ID:
API String ID: 2522673167-0
Opcode ID: 8f0861977a40d6dd0df59c1c8ae10ba78c97ad85d117a83679491ebdeecf1838
Instruction ID: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265
Opcode Fuzzy Hash: 23E0CD8BABB4E08A797B9EA40440641D28F874312DF4347525731780E7DE0972EBFD9D
Instruction Fuzzy Hash: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265

APIs

CreateCompatibleDC.GDI32(00000000), ref: 00426229
SelectObject.GDI32(00000000,00000000), ref: 00426232
GetDIBColorTable.GDI32(00000000,00000000,00000100,?), ref: 00426246
SelectObject.GDI32(00000000,00000000), ref: 00426252
DeleteDC.GDI32(00000000), ref: 00426258
CreatePalette.GDI32 ref: 0042629F

Part of subcall function 00426178: GetDC.USER32(00000000), ref: 00426190
Part of subcall function 00426178: GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
Part of subcall function 00426178: ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004258EC, Relevance: 9.0, APIs: 6, Instructions: 43 Total matches: 3205

Similarity

Total matches: 3205
API ID: SetBkColorSetBkMode$SelectObjectUnrealizeObject
String ID:
API String ID: 865388446-0
Opcode ID: ffaa839b37925f52af571f244b4bcc9ec6d09047a190f4aa6a6dd435522a71e3
Instruction ID: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d
Opcode Fuzzy Hash: 04D09E594221F71A98E8058442D7D520586497D532DAF3B51063B173F7F8089A05D9FC
Instruction Fuzzy Hash: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d

APIs

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

UnrealizeObject.GDI32(00000000), ref: 004258F8
SelectObject.GDI32(?,00000000), ref: 0042590A
SetBkColor.GDI32(?,00000000), ref: 0042592D
SetBkMode.GDI32(?,00000002), ref: 00425938

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(?,00000000), ref: 00425953
SetBkMode.GDI32(?,00000001), ref: 0042595E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042A930, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 112 Total matches: 272window

Similarity

Total matches: 272
API ID: CreateHalftonePaletteDeleteObjectGetDCReleaseDC
String ID: (
API String ID: 5888407-3887548279
Opcode ID: 4e22601666aff46a46581565b5bf303763a07c2fd17868808ec6dd327d665c82
Instruction ID: f57f3c124764741b0e8e00b5455ad9be4a6e3969f543885727e4b1f2e22c0620
Opcode Fuzzy Hash: 79019E5241CC6117F8D7A6547852F732644AB806A5C80FB707B69BA8CFAB85610EB90B
Instruction Fuzzy Hash: f57f3c124764741b0e8e00b5455ad9be4a6e3969f543885727e4b1f2e22c0620

APIs

GetDC.USER32(00000000), ref: 0042A9EC
CreateHalftonePalette.GDI32(00000000), ref: 0042A9F9
ReleaseDC.USER32(00000000,00000000), ref: 0042AA08
DeleteObject.GDI32(00000000), ref: 0042AA76

Strings

(, xrefs: 0042A9A3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DA48, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 102 Total matches: 32

Similarity

Total matches: 32
API ID: Netbios
String ID: %.2x-%.2x-%.2x-%.2x-%.2x-%.2x$3$memory allocation failed!
API String ID: 544444789-2654533857
Opcode ID: 22deb5ba4c8dd5858e69645675ac88c4b744798eed5cc2a6ae80ae5365d1f156
Instruction ID: 205d53b38d78d2d0723284a20418f6a6cc2e9f6e34ee92e133a3f4b1a01c78c5
Opcode Fuzzy Hash: FC0145449793E233D2635E086C60F6823228F41731FC96B56863A557DC1F09420EF26F
Instruction Fuzzy Hash: 205d53b38d78d2d0723284a20418f6a6cc2e9f6e34ee92e133a3f4b1a01c78c5

APIs

Netbios.NETAPI32(00000032), ref: 0048DA8A
Netbios.NETAPI32(00000033), ref: 0048DB01

Strings

3, xrefs: 0048DACB
memory allocation failed!, xrefs: 0048DAEB
%.2x-%.2x-%.2x-%.2x-%.2x-%.2x, xrefs: 0048DBA0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446EDC, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 98 Total matches: 12timethreadwindow

Similarity

Total matches: 12
API ID: GetCurrentThreadIdSetTimerWaitMessage
String ID: 4PI$TfD
API String ID: 3709936073-2665388893
Opcode ID: a96b87b76615ec2f6bd9a49929a256f28b564bdc467e68e118c3deca706b2d51
Instruction ID: b92290f9b4a80c848b093905c5717a31533565e16cff7f57329368dd8290fbf7
Opcode Fuzzy Hash: E2F0A28141CDF053D573A6183401FD120A6F3465D5CD097723768360EE1ADF603DE14B
Instruction Fuzzy Hash: b92290f9b4a80c848b093905c5717a31533565e16cff7f57329368dd8290fbf7

APIs

Part of subcall function 00446E50: GetCursorPos.USER32 ref: 00446E57

SetTimer.USER32(00000000,00000000,?,00446E74), ref: 00446FAB

Part of subcall function 00446DEC: IsWindowVisible.USER32(00000000), ref: 00446E24
Part of subcall function 00446DEC: IsWindowEnabled.USER32(00000000), ref: 00446E35

GetCurrentThreadId.KERNEL32(00000000,00447029,?,?,?,015B8130), ref: 00446FE5
WaitMessage.USER32 ref: 00447009

Part of subcall function 0041F7B4: GetCurrentThreadId.KERNEL32 ref: 0041F7BF
Part of subcall function 0041F7B4: GetCurrentThreadId.KERNEL32 ref: 0041F7CE
Part of subcall function 0041F7B4: EnterCriticalSection.KERNEL32(004999D0), ref: 0041F813
Part of subcall function 0041F7B4: InterlockedExchange.KERNEL32(00491B2C,?), ref: 0041F82F
Part of subcall function 0041F7B4: LeaveCriticalSection.KERNEL32(004999D0,00000000,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F888
Part of subcall function 0041F7B4: EnterCriticalSection.KERNEL32(004999D0,0041F904,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F8F7

Strings

TfD, xrefs: 00446EFE, 00446F08, 00446F59, 00446F81, 00446FBE, 00446F8E, 00446F69, 00446F6C, 00446F14, 00446F1D
4PI, xrefs: 00446FEA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482320, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85 Total matches: 19threadsleep

Similarity

Total matches: 19
API ID: CreateThreadExitThreadSleep
String ID: @$BTRESULTUDP Flood|UDP Flood task finished!|
API String ID: 2170526433-696998096
Opcode ID: 89b2bcb3a41e7f4c01433908cc75e320bbcd6b665df0f15f136d145bd92b223a
Instruction ID: ba785c08286949be7b8d16e5cc6bc2a647116c61844ba5f345475ef84eb05628
Opcode Fuzzy Hash: F0F02B696BCAA1DFE8075C446C42B9B2054DBC740EDCBA7B2261B235819A4A34073F13
Instruction Fuzzy Hash: ba785c08286949be7b8d16e5cc6bc2a647116c61844ba5f345475ef84eb05628

APIs

Sleep.KERNEL32(00000064,?,00000000,00482455), ref: 004823D3
CreateThread.KERNEL32(00000000,00000000,Function_000821A0,00000000,00000000,?), ref: 004823E8

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000,00000000,00000000,Function_000821A0,00000000,00000000,?,00000064,?,00000000,00482455), ref: 0048242B

Strings

@, xrefs: 004823BE
BTRESULTUDP Flood|UDP Flood task finished!|, xrefs: 00482417

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004827C4, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85 Total matches: 19threadsleep

Similarity

Total matches: 19
API ID: CreateThreadExitThreadSleep
String ID: @$BTRESULTSyn Flood|Syn task finished!|
API String ID: 2170526433-491318438
Opcode ID: 44470ceb4039b0deeebf49dfd608d8deeadfb9ebb9d7d747ae665e3d160d324e
Instruction ID: 0c48cfc9b202c7a9406c9b87cea66b669ffe7f04b2bdabee49179f6eebcccd33
Opcode Fuzzy Hash: 17F02B24A7D9B5DFEC075D402D42BDB6254EBC784EDCAA7B29257234819E1A30037713
Instruction Fuzzy Hash: 0c48cfc9b202c7a9406c9b87cea66b669ffe7f04b2bdabee49179f6eebcccd33

APIs

Sleep.KERNEL32(00000064,?,00000000,004828F9), ref: 00482877
CreateThread.KERNEL32(00000000,00000000,Function_00082630,00000000,00000000,?), ref: 0048288C

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000,00000000,00000000,Function_00082630,00000000,00000000,?,00000064,?,00000000,004828F9), ref: 004828CF

Strings

BTRESULTSyn Flood|Syn task finished!|, xrefs: 004828BB
@, xrefs: 00482862

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00483858, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85 Total matches: 19threadsleep

Similarity

Total matches: 19
API ID: CreateThreadExitThreadSleep
String ID: @$BTRESULTHTTP Flood|Http Flood task finished!|
API String ID: 2170526433-4253556105
Opcode ID: ce1973b24f73c03e98cc87b7d8b3c5c1d23a0e8b985775cb0889d2fdef58f970
Instruction ID: 21c0fad9eccbf28bfd57fbbbc49df069a42e3d2ebba60de991032031fecca495
Opcode Fuzzy Hash: 5DF0F61467DBA0AFEC476D403852FDB6254DBC344EDCAA7B2961B234919A0B50072752
Instruction Fuzzy Hash: 21c0fad9eccbf28bfd57fbbbc49df069a42e3d2ebba60de991032031fecca495

APIs

Sleep.KERNEL32(00000064,?,00000000,0048398D), ref: 0048390B
CreateThread.KERNEL32(00000000,00000000,Function_000836D8,00000000,00000000,?), ref: 00483920

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000,00000000,00000000,Function_000836D8,00000000,00000000,?,00000064,?,00000000,0048398D), ref: 00483963

Strings

@, xrefs: 004838F6
BTRESULTHTTP Flood|Http Flood task finished!|, xrefs: 0048394F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00431630, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68 Total matches: 12clipboard

Similarity

Total matches: 12
API ID: EnumClipboardFormatsGetClipboardData
String ID: 84B
API String ID: 3474394156-4139892337
Opcode ID: cbdc4fb4fee60523561006c9190bf0aca0ea1a398c4033ec61a61d99ebad6b44
Instruction ID: f1c5519afed1b0c95f7f2342b940afc2bc63d918938f195d0c151ba0fb7a00cb
Opcode Fuzzy Hash: 42E0D8922359D127F8C2A2903882B52360966DA6488405B709B6D7D1575551512FF28B
Instruction Fuzzy Hash: f1c5519afed1b0c95f7f2342b940afc2bc63d918938f195d0c151ba0fb7a00cb

APIs

EnumClipboardFormats.USER32(00000000), ref: 00431657
GetClipboardData.USER32(00000000), ref: 00431677
GetClipboardData.USER32(00000009), ref: 00431680
EnumClipboardFormats.USER32(00000000), ref: 0043169F

Strings

84B, xrefs: 00431665

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EA7C, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50 Total matches: 198thread

Similarity

Total matches: 198
API ID: FindWindowExGetCurrentThreadIdGetWindowThreadProcessIdIsWindow
String ID: OleMainThreadWndClass
API String ID: 201132107-3883841218
Opcode ID: cdbacb71e4e8a6832b821703e69153792bbbb8731c9381be4d3b148a6057b293
Instruction ID: 62358f18f5a79d764869bf2b093b0b3ccaeb62bda00a46bd1094c38cdaeeb6b7
Opcode Fuzzy Hash: F8E08C9266CC1095C039EA1C7A2237A3548B7D24E9ED4DB747BEB2716CEF00022A7780
Instruction Fuzzy Hash: 62358f18f5a79d764869bf2b093b0b3ccaeb62bda00a46bd1094c38cdaeeb6b7

APIs

Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00000000,00403029), ref: 004076AD
Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00403029), ref: 004076BE

IsWindow.USER32(?), ref: 0042EA99
FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
GetCurrentThreadId.KERNEL32(?,00000000,00000000,00000000,OleMainThreadWndClass,00000000,?,?,00000000,0042EB52), ref: 0042EB0A

Strings

OleMainThreadWndClass, xrefs: 0042EAC3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043F914, Relevance: 7.7, APIs: 5, Instructions: 174 Total matches: 113window

Similarity

Total matches: 113
API ID: SetMenu$GetMenuSetWindowPos
String ID:
API String ID: 2285096500-0
Opcode ID: d0722823978f30f9d251a310f9061108e88e98677dd122370550f2cde24528f3
Instruction ID: e705ced47481df034b79e2c10a9e9c5239c9913cd23e0c77b7b1ec0a0db802ed
Opcode Fuzzy Hash: 5F118B40961E1266F846164C19EAF1171E6BB9D305CC4E72083E630396BE085027E773
Instruction Fuzzy Hash: e705ced47481df034b79e2c10a9e9c5239c9913cd23e0c77b7b1ec0a0db802ed

APIs

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetMenu.USER32(00000000), ref: 0043FA38
SetMenu.USER32(00000000,00000000), ref: 0043FA55
SetMenu.USER32(00000000,00000000), ref: 0043FA8A
SetMenu.USER32(00000000,00000000), ref: 0043FAA6

Part of subcall function 0043F84C: GetMenu.USER32(00000000), ref: 0043F892
Part of subcall function 0043F84C: SendMessageA.USER32(00000000,00000230,00000000,00000000), ref: 0043F8AA
Part of subcall function 0043F84C: DrawMenuBar.USER32(00000000), ref: 0043F8BB

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043FAED

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434AE4, Relevance: 7.7, APIs: 5, Instructions: 168 Total matches: 2874

Similarity

Total matches: 2874
API ID: DrawTextOffsetRect$DrawEdge
String ID:
API String ID: 1230182654-0
Opcode ID: 4033270dfa35f51a11e18255a4f5fd5a4a02456381e8fcea90fa62f052767fcc
Instruction ID: 6b9e5ef3b45a4a7d0cb501c9f56a29ead01efbe1e1581f942ef4c6a165ab8663
Opcode Fuzzy Hash: A511CB01114D5A93E431240815A7FEF1295FBC1A9BCD4BB71078636DBB2F481017EA7B
Instruction Fuzzy Hash: 6b9e5ef3b45a4a7d0cb501c9f56a29ead01efbe1e1581f942ef4c6a165ab8663

APIs

DrawEdge.USER32(00000000,?,00000006,00000002), ref: 00434BB3
OffsetRect.USER32(?,00000001,00000001), ref: 00434C04
DrawTextA.USER32(00000000,00000000,?,?,?), ref: 00434C3D
OffsetRect.USER32(?,000000FF,000000FF), ref: 00434C4A

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

DrawTextA.USER32(00000000,00000000,?,?,?), ref: 00434CB5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00473208, Relevance: 7.6, APIs: 5, Instructions: 114 Total matches: 15network

Similarity

Total matches: 15
API ID: inet_ntoa$WSAIoctlclosesocketsocket
String ID:
API String ID: 2271367613-0
Opcode ID: 03e2a706dc22aa37b7c7fcd13714bf4270951a4113eb29807a237e9173ed7bd6
Instruction ID: 676ba8df3318004e6f71ddf2b158507320f00f5068622334a9372202104f6e6f
Opcode Fuzzy Hash: A0F0AC403B69D14384153BC72A80F5971A2872F33ED4833999230986D7984CA018F529
Instruction Fuzzy Hash: 676ba8df3318004e6f71ddf2b158507320f00f5068622334a9372202104f6e6f

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00473339), ref: 0047323B
WSAIoctl.WS2_32(000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000), ref: 0047327C
inet_ntoa.WSOCK32(?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000), ref: 004732AC
inet_ntoa.WSOCK32(?,?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001), ref: 004732E8
closesocket.WSOCK32(000000FF,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000,00000000,00473339), ref: 00473319

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004455EC, Relevance: 7.6, APIs: 5, Instructions: 109 Total matches: 230

Similarity

Total matches: 230
API ID: ShowOwnedPopupsShowWindow$EnumWindows
String ID:
API String ID: 1268429734-0
Opcode ID: 27bb45b2951756069d4f131311b8216febb656800ffc3f7147a02f570a82fa35
Instruction ID: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc
Opcode Fuzzy Hash: 70012B5524E87325E2756D54B01C765A2239B0FF08CE6C6654AAE640F75E1E0132F78D
Instruction Fuzzy Hash: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc

APIs

EnumWindows.USER32(00445518,00000000), ref: 00445620
ShowWindow.USER32(?,00000000), ref: 00445655
ShowOwnedPopups.USER32(00000000,?), ref: 00445684
ShowWindow.USER32(?,00000005), ref: 004456EA
ShowOwnedPopups.USER32(00000000,?), ref: 00445719

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004878A4, Relevance: 7.6, APIs: 5, Instructions: 109 Total matches: 11memorythread

Similarity

Total matches: 11
API ID: CloseHandleCreateThreadEnterCriticalSectionLeaveCriticalSectionLocalAlloc
String ID:
API String ID: 3024079611-0
Opcode ID: 4dd964c7e1c4b679be799535e5517f4cba33e810e34606c0a9d5c033aa3fe8c9
Instruction ID: efb3d4a77ffd09126bc7d7eb87c1fe64908b5695ecb93dc64bf5137c0ac50147
Opcode Fuzzy Hash: 7E01288913DAD457BD6068883C86EE705A95BA2508E0C67B34F2E392834F1A5125F283
Instruction Fuzzy Hash: efb3d4a77ffd09126bc7d7eb87c1fe64908b5695ecb93dc64bf5137c0ac50147

APIs

EnterCriticalSection.KERNEL32(0049C3A8,00000000,00487A08), ref: 004878F3

Part of subcall function 00487318: EnterCriticalSection.KERNEL32(0049C3A8,00000000,00487468,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00487347
Part of subcall function 00487318: LeaveCriticalSection.KERNEL32(0049C3A8,0048744D,00487468,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00487440

LocalAlloc.KERNEL32(00000040,00000010,?,0049C3A8,00000000,00487A08), ref: 0048795A
CreateThread.KERNEL32(00000000,00000000,Function_00086E2C,00000000,00000000,?), ref: 004879AE
CloseHandle.KERNEL32(00000000), ref: 004879B4
LeaveCriticalSection.KERNEL32(0049C3A8,004879D8,Function_00086E2C,00000000,00000000,?,00000040,00000010,?,0049C3A8,00000000,00487A08), ref: 004879CB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EB3C, Relevance: 7.6, APIs: 5, Instructions: 86 Total matches: 211window

Similarity

Total matches: 211
API ID: DispatchMessageMsgWaitForMultipleObjectsExPeekMessageTranslateMessageWaitForMultipleObjectsEx
String ID:
API String ID: 1615661765-0
Opcode ID: ed928f70f25773e24e868fbc7ee7d77a1156b106903410d7e84db0537b49759f
Instruction ID: 55a40452e6c929106030349fb2bc1598364ce2fc4e781c2a916e8f687fa462b2
Opcode Fuzzy Hash: DDF05C09614F1D16D8BB88644562B1B2144AB42397C26BFA5529EE3B2D6B18B00AF640
Instruction Fuzzy Hash: 55a40452e6c929106030349fb2bc1598364ce2fc4e781c2a916e8f687fa462b2

APIs

Part of subcall function 0042EA7C: IsWindow.USER32(?), ref: 0042EA99
Part of subcall function 0042EA7C: FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
Part of subcall function 0042EA7C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
Part of subcall function 0042EA7C: GetCurrentThreadId.KERNEL32(?,00000000,00000000,00000000,OleMainThreadWndClass,00000000,?,?,00000000,0042EB52), ref: 0042EB0A

MsgWaitForMultipleObjectsEx.USER32(?,?,?,000000BF,?), ref: 0042EB6A
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 0042EB85
TranslateMessage.USER32(?), ref: 0042EB92
DispatchMessageA.USER32(?), ref: 0042EB9B
WaitForMultipleObjectsEx.KERNEL32(?,?,?,?,00000000), ref: 0042EBC7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434924, Relevance: 7.6, APIs: 5, Instructions: 77 Total matches: 2509window

Similarity

Total matches: 2509
API ID: GetMenuItemCount$DestroyMenuGetMenuStateRemoveMenu
String ID:
API String ID: 4240291783-0
Opcode ID: 32de4ad86fdb0cc9fc982d04928276717e3a5babd97d9cb0bc7430a9ae97d0ca
Instruction ID: cf6877f9ad33401498591f2bf6e6844a5ca439f59e89e6fdb213c81f0c010526
Opcode Fuzzy Hash: 6BE02BD3455E4703F425AB0454E3FA913C4AF51716DA0DB1017359D07B1F26501FE9F4
Instruction Fuzzy Hash: cf6877f9ad33401498591f2bf6e6844a5ca439f59e89e6fdb213c81f0c010526

APIs

Part of subcall function 00434A54: CreatePopupMenu.USER32 ref: 00434A6F
Part of subcall function 00434A54: CreateMenu.USER32 ref: 00434A79

GetMenuItemCount.USER32(00000000), ref: 0043495C
GetMenuState.USER32(00000000,-00000001,00000400), ref: 0043497D
RemoveMenu.USER32(00000000,-00000001,00000400), ref: 00434994
GetMenuItemCount.USER32(00000000), ref: 004349C4
DestroyMenu.USER32(00000000), ref: 004349D1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00443430, Relevance: 7.6, APIs: 5, Instructions: 61 Total matches: 3003

Similarity

Total matches: 3003
API ID: SetWindowLong$GetWindowLongRedrawWindowSetLayeredWindowAttributes
String ID:
API String ID: 3761630487-0
Opcode ID: 9c9d49d1ef37d7cb503f07450c0d4a327eb9b2b4778ec50dcfdba666c10abcb3
Instruction ID: c6d9d2cd31c241e86b7d90949bf59b5cad1e27a78e0073c3828bbb8e9ec94880
Opcode Fuzzy Hash: 6AE06550D41703A1D48114945B63FBBE8817F8911DDE5C71001BA29145BA88A192FF7B
Instruction Fuzzy Hash: c6d9d2cd31c241e86b7d90949bf59b5cad1e27a78e0073c3828bbb8e9ec94880

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 00443464
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 00443496
SetLayeredWindowAttributes.USER32(00000000,?,?,00000000), ref: 004434CF
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 004434E8
RedrawWindow.USER32(00000000,00000000,00000000,00000485), ref: 004434FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426178, Relevance: 7.6, APIs: 5, Instructions: 55 Total matches: 3070window

Similarity

Total matches: 3070
API ID: GetPaletteEntries$GetDCGetDeviceCapsReleaseDC
String ID:
API String ID: 1267235336-0
Opcode ID: 49f91625e0dd571c489fa6fdad89a91e8dd79834746e98589081ca7a3a4fea17
Instruction ID: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836
Opcode Fuzzy Hash: 7CD0C2AA1389DBD6BD6A17842352A4553478983B09D126B32EB0822872850C5039FD1F
Instruction Fuzzy Hash: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836

APIs

GetDC.USER32(00000000), ref: 00426190
GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444B90, Relevance: 7.5, APIs: 5, Instructions: 25 Total matches: 2957synchronizationthread

Similarity

Total matches: 2957
API ID: CloseHandleGetCurrentThreadIdSetEventUnhookWindowsHookExWaitForSingleObject
String ID:
API String ID: 3442057731-0
Opcode ID: bc40a7f740796d43594237fc13166084f8c3b10e9e48d5138e47e82ca7129165
Instruction ID: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1
Opcode Fuzzy Hash: E9C01296B2C9B0C1EC809712340202800B20F8FC590E3DE0509D7363005315D73CD92C
Instruction Fuzzy Hash: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1

APIs

UnhookWindowsHookEx.USER32(00000000), ref: 00444B9F
SetEvent.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBA
GetCurrentThreadId.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBF
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00444BD4
CloseHandle.KERNEL32(00000000), ref: 00444BDF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00487488, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 155 Total matches: 10

Similarity

Total matches: 10
API ID: EnterCriticalSectionLeaveCriticalSectionclosesocket
String ID: FpH
API String ID: 290008508-3698235444
Opcode ID: be6004bcf5111565a748ebf748fe8f94cb6dfae83d2399967abd75ac40b7e6c4
Instruction ID: 3d9c9e21102527a3ccf10666a7ac4716c4c3e43fa569496a7f805cea37bff582
Opcode Fuzzy Hash: 2C11B6219B4656ABDD15ED006C8F38532AE1BABCCAD9A83F2B27F3545E1A0331057292
Instruction Fuzzy Hash: 3d9c9e21102527a3ccf10666a7ac4716c4c3e43fa569496a7f805cea37bff582

APIs

EnterCriticalSection.KERNEL32(0049C3A8,00000000,00487671,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00487016), ref: 004874B5
closesocket.WSOCK32(00000000,FpH,?,?,?,?,0049C3A8,00000000,00487671,?,?,00000000,?,00000000,00000000,00000000), ref: 0048761C
LeaveCriticalSection.KERNEL32(0049C3A8,00487656,00487671,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00487016), ref: 00487649

Strings

FpH, xrefs: 004875BE, 004875C1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040D670, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148 Total matches: 3566thread

Similarity

Total matches: 3566
API ID: GetThreadLocale
String ID: eeee$ggg$yyyy
API String ID: 1366207816-1253427255
Opcode ID: 86fa1fb3c1f239f42422769255d2b4db7643f856ec586a18d45da068e260c20e
Instruction ID: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436
Opcode Fuzzy Hash: 3911BD8712648363D5722818A0D2BE3199C5703CA4EA89742DDB6356EA7F09440BEE6D
Instruction Fuzzy Hash: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436

APIs

GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Strings

eeee, xrefs: 0040D7AE
yyyy, xrefs: 0040D795
ggg, xrefs: 0040D785

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00448CDC, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 128 Total matches: 12

Similarity

Total matches: 12
API ID: ImageList_Draw$ImageList_GetImageCount
String ID: 6B
API String ID: 3589308897-1343726390
Opcode ID: 2690fd2ca55b1b65e67941613c6303a21faec12a0278fdf56c2d44981dc0a60c
Instruction ID: bb1a6af48a08526224ce615e4789a1aefef0bbae6c761038034d4d1812f59c35
Opcode Fuzzy Hash: D8017B814A5DA09FF93335842AE32BB204AE757E4ACCC3FF13684275C78420722BB613
Instruction Fuzzy Hash: bb1a6af48a08526224ce615e4789a1aefef0bbae6c761038034d4d1812f59c35

APIs

ImageList_GetImageCount.COMCTL32(?,?,?,00000000,00448E75), ref: 00448D9D

Part of subcall function 0042535C: FillRect.USER32(?,00000000,00000000), ref: 00425385

ImageList_Draw.COMCTL32(?,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000,00448E75), ref: 00448DDF
ImageList_Draw.COMCTL32(?,00000000,00000000,00000000,00000000,00000010,?,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 00448E0E

Part of subcall function 004488AC: ImageList_Add.COMCTL32(?,00000000,00000000,00000000,0044893E,?,00000000,0044895B), ref: 00448920

Strings

6B, xrefs: 00448D1F, 00448D58

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486094, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 112 Total matches: 15window

Similarity

Total matches: 15
API ID: DispatchMessagePeekMessageTranslateMessage
String ID: @^H
API String ID: 185851025-3554995626
Opcode ID: 2132e19746abd73b79cebe2d4e6b891fdd392e5cfbbdda1538f9754c05474f80
Instruction ID: eb76ea1802a2b415b8915c5eabc8b18207f4e99a378ecd2f436d0820f5175207
Opcode Fuzzy Hash: FF019C4102C7C1D9EE46E4FD3030BC3A454A74A7A6D89A7A03EFD1116A5F8A7116BF2B
Instruction Fuzzy Hash: eb76ea1802a2b415b8915c5eabc8b18207f4e99a378ecd2f436d0820f5175207

APIs

Part of subcall function 00485EAC: shutdown.WSOCK32(00000000,00000002), ref: 00485F0E
Part of subcall function 00485EAC: closesocket.WSOCK32(00000000,00000000,00000002), ref: 00485F19

Part of subcall function 00485F40: socket.WSOCK32(00000002,00000001,00000000,00000000,00486072), ref: 00485F69
Part of subcall function 00485F40: ntohs.WSOCK32(00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485F8F
Part of subcall function 00485F40: inet_addr.WSOCK32(015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FA0
Part of subcall function 00485F40: gethostbyname.WSOCK32(015EAA88,015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FB5
Part of subcall function 00485F40: connect.WSOCK32(00000000,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FD8
Part of subcall function 00485F40: recv.WSOCK32(00000000,0049A3A0,00001FFF,00000000,00000000,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FEF
Part of subcall function 00485F40: recv.WSOCK32(00000000,0049A3A0,00001FFF,00000000,00000000,0049A3A0,00001FFF,00000000,00000000,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000), ref: 0048603F

Part of subcall function 00466AFC: waveInOpen.WINMM(00000094,00000000,?,?,00000000,00010004), ref: 00466B36
Part of subcall function 00466AFC: waveInStart.WINMM(?), ref: 00466B5B

TranslateMessage.USER32(?), ref: 004861CA
DispatchMessageA.USER32(?), ref: 004861D0
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004861DE

Strings

@^H, xrefs: 004860BE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F5E4, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72 Total matches: 26window

Similarity

Total matches: 26
API ID: GetWindowPlacementGetWindowTextIsWindowVisible
String ID: ,
API String ID: 41250382-3772416878
Opcode ID: d98ece8bad481757d152ad7594c705093dec75069e9b5f9ec314c4d81001c558
Instruction ID: 1b57460ef1e40e225087e69e669dd845b9a56fe4f5442601256b4cdd4d0865f6
Opcode Fuzzy Hash: DBE0ABC68782816BD907FDCCB0207E6E1E4779394CC8CBB32C606396E44D92000DCE69
Instruction Fuzzy Hash: 1b57460ef1e40e225087e69e669dd845b9a56fe4f5442601256b4cdd4d0865f6

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F634
GetWindowPlacement.USER32(?,0000002C), ref: 0046F64F
IsWindowVisible.USER32(?), ref: 0046F655

Strings

,, xrefs: 0046F643

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00473448, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 68 Total matches: 15network

Similarity

Total matches: 15
API ID: InternetConnectInternetOpen
String ID: 84G$DCSC
API String ID: 2368555255-1372800958
Opcode ID: 53ce43b2210f5c6ad3b551091bc6b8bee07640da22ed1286f4ed4d69da6ab12a
Instruction ID: e0797c740093838c5f4dac2a7ddd4939bcbe40ebc838de26f806c335dc33f113
Opcode Fuzzy Hash: 1AF0558C09DC81CBED14B5C83C827C7281AB357949E003B91161A372C3DF0A6174FA4F
Instruction Fuzzy Hash: e0797c740093838c5f4dac2a7ddd4939bcbe40ebc838de26f806c335dc33f113

APIs

InternetOpenA.WININET(DCSC,00000000,00000000,00000000,00000000), ref: 00473493
InternetConnectA.WININET(00000000,00000000,00000000,00000000,00000000,00000001,08000000,00000000), ref: 004734D9

Strings

DCSC, xrefs: 0047348E
84G, xrefs: 00473468, 0047350F, 004734AF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00485150, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64 Total matches: 24registry

Similarity

Total matches: 24
API ID: RegCloseKeyRegOpenKeyRegSetValueEx
String ID: Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 551737238-1428018034
Opcode ID: 03d06dea9a4ea131a8c95bd501c85e7d0b73df60e0a15cb9a2dd1ac9fe2d308f
Instruction ID: 259808f008cd29689f11a183a475b32bbb219f99a0f83129d86369365ce9f44d
Opcode Fuzzy Hash: 15E04F8517EAE2ABA996B5C838866F7609A9713790F443FB19B742F18B4F04601CE243
Instruction Fuzzy Hash: 259808f008cd29689f11a183a475b32bbb219f99a0f83129d86369365ce9f44d

APIs

RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 00485199
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,?,00000000,004851DE,?,00000000,0048520A), ref: 004851C6
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,?,00000000,004851DE,?,00000000,0048520A), ref: 004851CF

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 0048518F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004606CC, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 59 Total matches: 75network

Similarity

Total matches: 75
API ID: gethostbynameinet_addr
String ID: %d.%d.%d.%d$0.0.0.0
API String ID: 1594361348-464342551
Opcode ID: 7e59b623bdbf8c44b8bb58eaa9a1d1e7bf08be48a025104469b389075155053e
Instruction ID: 136b4077bafd549567cd44b702fc781b2d0bdeab701521d256d746d30229b047
Opcode Fuzzy Hash: 62E0D84049F633C28038E685914DF713041C71A2DEF8F9352022171EF72B096986AE3F
Instruction Fuzzy Hash: 136b4077bafd549567cd44b702fc781b2d0bdeab701521d256d746d30229b047

APIs

inet_addr.WSOCK32(00000000), ref: 004606F6
gethostbyname.WSOCK32(00000000), ref: 00460711

Strings

%d.%d.%d.%d, xrefs: 0046075E
0.0.0.0, xrefs: 0046076C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043804C, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58 Total matches: 1778window

Similarity

Total matches: 1778
API ID: DrawMenuBarGetMenuItemInfoSetMenuItemInfo
String ID: P
API String ID: 41131186-3110715001
Opcode ID: ea0fd48338f9c30b58f928f856343979a74bbe7af1b6c53973efcbd39561a32d
Instruction ID: eec9c326b6739cd85be96541f469f9b321a478421ae7c7aca53e0c239bd8eefe
Opcode Fuzzy Hash: C8E0C0C1064C1301CCACB4938564F010221FB8B33CDD1D3C051602419A9D0080D4BFFA
Instruction Fuzzy Hash: eec9c326b6739cd85be96541f469f9b321a478421ae7c7aca53e0c239bd8eefe

APIs

GetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 0043809A
SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 004380EC
DrawMenuBar.USER32(00000000), ref: 004380F9

Strings

P, xrefs: 0043808C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474E20, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51 Total matches: 17synchronizationthreadinjection

Similarity

Total matches: 17
API ID: CreateRemoteThreadReadProcessMemoryWaitForSingleObject
String ID: DCPERSFWBP
API String ID: 972516186-2425095734
Opcode ID: c4bd10bfc42c7bc3ca456a767018bd77f736aecaa9343146970cff40bb4593b6
Instruction ID: 075115d4d80338f80b59a5c3f9ea77aa0f3a1cab00edb24ce612801bf173fcc5
Opcode Fuzzy Hash: 63D0A70B97094A56102D348D54027154341A601775EC177E38E36873F719C17051F85E
Instruction Fuzzy Hash: 075115d4d80338f80b59a5c3f9ea77aa0f3a1cab00edb24ce612801bf173fcc5

APIs

Part of subcall function 00474DF0: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,00475328,?,?,00474E3D,DCPERSFWBP,?,?), ref: 00474E06
Part of subcall function 00474DF0: WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,00000000,?,00003000,00000040,?,?,00475328,?,?,00474E3D), ref: 00474E12

CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00474E5E
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00474E6E
ReadProcessMemory.KERNEL32(?,00000000,?,?,?,DCPERSFWBP,?,?), ref: 00474E81

Strings

DCPERSFWBP, xrefs: 00474E28

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C3E4, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47 Total matches: 32libraryloader

Similarity

Total matches: 32
API ID: FreeLibraryGetProcAddressLoadLibrary
String ID: _DCEntryPoint
API String ID: 2438569322-2130044969
Opcode ID: ab6be07d423f29e2cef18b5ad5ff21cef58c0bd0bd6b8b884c8bb9d8d911d098
Instruction ID: 3cba8b520013dd4b177f9c32272ffd10ecf318a20762e1e9fa694429cf7511db
Opcode Fuzzy Hash: B9D0C2568747D413C405200439407D90CF1AF8719F9967FA145303FAD76F09801B7527
Instruction Fuzzy Hash: 3cba8b520013dd4b177f9c32272ffd10ecf318a20762e1e9fa694429cf7511db

APIs

LoadLibraryA.KERNEL32(00000000), ref: 0048C431
GetProcAddress.KERNEL32(00000000,_DCEntryPoint,00000000,0048C473), ref: 0048C442
FreeLibrary.KERNEL32(00000000), ref: 0048C44A

Strings

_DCEntryPoint, xrefs: 0048C43C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E2E0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43 Total matches: 12

Similarity

Total matches: 12
API ID: GetSystemMetrics
String ID: B$MonitorFromRect
API String ID: 96882338-2754499530
Opcode ID: 1842a50c2a1cfa3c1025dca09d4f756f79199febb49279e4604648b2b7edb610
Instruction ID: 6b6d6292007391345a0dd43a7380953c143f03b3d0a4cb72f8cf2ff6a2a574f7
Opcode Fuzzy Hash: E0D0A791112CA408509A0917702924315EE35EBC1599C0BE6976B792E797CABD329E0D
Instruction Fuzzy Hash: 6b6d6292007391345a0dd43a7380953c143f03b3d0a4cb72f8cf2ff6a2a574f7

APIs

GetSystemMetrics.USER32(00000000), ref: 0042E331
GetSystemMetrics.USER32(00000001), ref: 0042E33D

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

MonitorFromRect, xrefs: 0042E2F5
B, xrefs: 0042E2FA, 0042E307, 0042E30E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00431584, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43 Total matches: 12clipboard

Similarity

Total matches: 12
API ID: GetClipboardDataGlobalLockGlobalUnlock
String ID: 3 H
API String ID: 1112492702-888106971
Opcode ID: 013a2f41e22a5f88135e53f1f30c1b54f125933eea5d15d528f5d163d4797a42
Instruction ID: db876d1a574ac817b8a3991f0ba770b49a36090bd3b886d1e57eba999d76a536
Opcode Fuzzy Hash: 53D0A7C3025DE267E991578C0053A92A6C0D8416087C063B0830C2E927031E50AB7063
Instruction Fuzzy Hash: db876d1a574ac817b8a3991f0ba770b49a36090bd3b886d1e57eba999d76a536

APIs

GetClipboardData.USER32(00000001), ref: 0043159A
GlobalLock.KERNEL32(00000000,00000000,004315F6), ref: 004315BA
GlobalUnlock.KERNEL32(00000000,004315FD), ref: 004315E8

Strings

3 H, xrefs: 00431590, 004315ED

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046D36C, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36 Total matches: 62

Similarity

Total matches: 62
API ID: ShellExecute
String ID: /k $[FILE]$open
API String ID: 2101921698-3009165984
Opcode ID: 68a05d7cd04e1a973318a0f22a03b327e58ffdc8906febc8617c9713a9b295c3
Instruction ID: d64fb813625eb261c687c2654e5203d30067de4ace02db37851750b48dd66fbf
Opcode Fuzzy Hash: FED0C75427CD9157FA017F8439527E61057E747281D481BE285587A0838F8D40659312
Instruction Fuzzy Hash: d64fb813625eb261c687c2654e5203d30067de4ace02db37851750b48dd66fbf

APIs

ShellExecuteA.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0046D3B9

Strings

/k , xrefs: 0046D39A
cmd.exe, xrefs: 0046D3AD
open, xrefs: 0046D3B2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042F9E4, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36 Total matches: 35libraryloader

Similarity

Total matches: 35
API ID: GetProcAddressLoadLibrary
String ID: DWMAPI.DLL$DwmExtendFrameIntoClientArea
API String ID: 3291547091-2956373744
Opcode ID: cc41b93bac7ef77e5c5829331b5f2d91e10911707bc9e4b3bb75284856726923
Instruction ID: 611aa7263024d751f308fb3d57e5af9092bc5a71ac2d52dead79affe02cb0da7
Opcode Fuzzy Hash: D0D0A7E4C08511B0F0509405703078241DE1BC5EEE8860E90150E533621B9FB827F65C
Instruction Fuzzy Hash: 611aa7263024d751f308fb3d57e5af9092bc5a71ac2d52dead79affe02cb0da7

APIs

LoadLibraryA.KERNEL32(DWMAPI.DLL), ref: 0042FA0E
GetProcAddress.KERNEL32(00000000,DwmExtendFrameIntoClientArea,?,?,?,00447F98), ref: 0042FA31

Strings

DWMAPI.DLL, xrefs: 0042FA09
DwmExtendFrameIntoClientArea, xrefs: 0042FA26

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042FA80, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31 Total matches: 41libraryloader

Similarity

Total matches: 41
API ID: GetProcAddressLoadLibrary
String ID: DWMAPI.DLL$DwmIsCompositionEnabled
API String ID: 3291547091-2128843254
Opcode ID: 903d86e3198bc805c96c7b960047695f5ec88b3268c29fda1165ed3f3bc36d22
Instruction ID: 6cdb37f6684ca359e010f835ed4616ce0f7732468e0f2b98b5f1960530870703
Opcode Fuzzy Hash: E3D0C9A5C0865175F571D509713068081FA23D6E8A8824998091A123225FAFB866F55C
Instruction Fuzzy Hash: 6cdb37f6684ca359e010f835ed4616ce0f7732468e0f2b98b5f1960530870703

APIs

LoadLibraryA.KERNEL32(DWMAPI.DLL), ref: 0042FAA6
GetProcAddress.KERNEL32(00000000,DwmIsCompositionEnabled,?,?,0042FB22,?,00447EFB), ref: 0042FAC9

Strings

DwmIsCompositionEnabled, xrefs: 0042FABE
DWMAPI.DLL, xrefs: 0042FAA1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040F4AC, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16 Total matches: 3137libraryloader

Similarity

Total matches: 3137
API ID: GetModuleHandleGetProcAddress
String ID: GetDiskFreeSpaceExA$[FILE]
API String ID: 1063276154-3559590856
Opcode ID: c33e0a58fb58839ae40c410e06ae8006a4b80140bf923832b2d6dbd30699e00d
Instruction ID: 9d6a6771c1a736381c701344b3d7b8e37c98dfc5013332f68a512772380f22cc
Opcode Fuzzy Hash: D8B09224E0D54114C4B4560930610013C82738A10E5019A820A1B720AA7CCEEA29603A
Instruction Fuzzy Hash: 9d6a6771c1a736381c701344b3d7b8e37c98dfc5013332f68a512772380f22cc

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0048F10B,00000000,0048F11E), ref: 0040F4B2
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA,kernel32.dll,?,0048F10B,00000000,0048F11E), ref: 0040F4C3

Strings

GetDiskFreeSpaceExA, xrefs: 0040F4BD
kernel32.dll, xrefs: 0040F4AD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EC20, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15 Total matches: 48libraryloader

Similarity

Total matches: 48
API ID: GetModuleHandleGetProcAddress
String ID: CoWaitForMultipleHandles$[FILE]
API String ID: 1063276154-3065170753
Opcode ID: c6d715972c75e747e6d7ad7506eebf8b4c41a2b527cd9bc54a775635c050cd0f
Instruction ID: d81c7de5bd030b21af5c52a75e3162b073d887a4de1eb555b8966bd0fb9ec815
Opcode Fuzzy Hash: 4DB012F9A0C9210CE55F44043163004ACF031C1B5F002FD461637827803F86F437631D
Instruction Fuzzy Hash: d81c7de5bd030b21af5c52a75e3162b073d887a4de1eb555b8966bd0fb9ec815

APIs

GetModuleHandleA.KERNEL32(ole32.dll,?,0042EC9A), ref: 0042EC26
GetProcAddress.KERNEL32(00000000,CoWaitForMultipleHandles,ole32.dll,?,0042EC9A), ref: 0042EC37

Strings

CoWaitForMultipleHandles, xrefs: 0042EC31
ole32.dll, xrefs: 0042EC21

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E724, Relevance: 6.2, APIs: 4, Instructions: 198 Total matches: 19

Similarity

Total matches: 19
API ID: NetApiBufferFree$NetShareEnumNetShareGetInfo
String ID:
API String ID: 1922012051-0
Opcode ID: 7e64b2910944434402afba410b58d9b92ec59018d54871fdfc00dd5faf96720b
Instruction ID: 14ccafa2cf6417a1fbed620c270814ec7f2ac7381c92f106b89344cab9500d3f
Opcode Fuzzy Hash: 522148C606BDA0ABF6A3B4C4B447FC182D07B0B96DE486B2290BABD5C20D9521079263
Instruction Fuzzy Hash: 14ccafa2cf6417a1fbed620c270814ec7f2ac7381c92f106b89344cab9500d3f

APIs

Part of subcall function 004032F8: GetCommandLineA.KERNEL32(00000000,00403349,?,?,?,00000000), ref: 0040330F

Part of subcall function 00403358: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,0046E763,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0040337C
Part of subcall function 00403358: GetCommandLineA.KERNEL32(?,?,?,0046E763,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0040338E

NetShareEnum.NETAPI32(?,00000000,?,000000FF,?,?,?,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0046E79C
NetShareGetInfo.NETAPI32(?,?,000001F6,?,00000000,0046E945,?,?,00000000,?,000000FF,?,?,?,00000000,0046E984), ref: 0046E7D5
NetApiBufferFree.NETAPI32(?,?,?,000001F6,?,00000000,0046E945,?,?,00000000,?,000000FF,?,?,?,00000000), ref: 0046E936
NetApiBufferFree.NETAPI32(?,?,00000000,?,000000FF,?,?,?,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0046E964

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00411444, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: 954335058d5fe722e048a186d9110509c96c1379a47649d8646f5b9e1a2e0a0b
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: 9D014B0327CAAA867021BB004882FA0D2D4DE52A369CD8774DB71593F62780571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004114F3
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041150F
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411586
VariantClear.OLEAUT32(?), ref: 004115AF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040D8AA, Relevance: 6.1, APIs: 4, Instructions: 101 Total matches: 2563

Similarity

Total matches: 2563
API ID: GetModuleFileName$LoadStringVirtualQuery
String ID:
API String ID: 2941097594-0
Opcode ID: 9f707685a8ca2ccbfc71ad53c7f9b5a8f910bda01de382648e3a286d4dcbad8b
Instruction ID: 9b6f9daabaaed01363acd1bc6df000eeaee8c5b1ee04e659690c8b100997f9f3
Opcode Fuzzy Hash: 4C014C024365E386F4234B112882F5492E0DB65DB1E8C6751EFB9503F65F40115EF72D
Instruction Fuzzy Hash: 9b6f9daabaaed01363acd1bc6df000eeaee8c5b1ee04e659690c8b100997f9f3

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040D8C9
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040D8ED
GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040D908
LoadStringA.USER32(00000000,0000FFED,?,00000100), ref: 0040D99E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428848, Relevance: 6.1, APIs: 4, Instructions: 83 Total matches: 2913window

Similarity

Total matches: 2913
API ID: CreateCompatibleDCRealizePaletteSelectObjectSelectPalette
String ID:
API String ID: 3833105616-0
Opcode ID: 7f49dee69bcd38fda082a6c54f39db5f53dba16227df2c2f18840f8cf7895046
Instruction ID: 29ada319a87402adac0eebea4d3b1ef9d21249ffa1523adf5174efdc3c3390a2
Opcode Fuzzy Hash: C0F0E5870BCED49BFCA7D484249722910C2F3C08DFC80A3324E55676DB9604B127A20B
Instruction Fuzzy Hash: 29ada319a87402adac0eebea4d3b1ef9d21249ffa1523adf5174efdc3c3390a2

APIs

Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE

Part of subcall function 00429D5C: GetDC.USER32(00000000), ref: 00429DB2
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429DC7
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00429DD1
Part of subcall function 00429D5C: CreateHalftonePalette.GDI32(00000000), ref: 00429DF5
Part of subcall function 00429D5C: ReleaseDC.USER32(00000000,00000000), ref: 00429E00

CreateCompatibleDC.GDI32(00000000), ref: 0042889D
SelectObject.GDI32(00000000,?), ref: 004288B6
SelectPalette.GDI32(00000000,?,000000FF), ref: 004288DF
RealizePalette.GDI32(00000000), ref: 004288EB

Part of subcall function 00425608: LeaveCriticalSection.KERNEL32(00000038,00000000,00423DD2,00423DE8), ref: 0042560F
Part of subcall function 00425608: EnterCriticalSection.KERNEL32(00499A30,00000038,00000000,00423DD2,00423DE8), ref: 00425619
Part of subcall function 00425608: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000038,00000000,00423DD2,00423DE8), ref: 00425626

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00470B94, Relevance: 6.1, APIs: 4, Instructions: 73 Total matches: 22file

Similarity

Total matches: 22
API ID: DragQueryFile$GlobalLockGlobalUnlock
String ID:
API String ID: 367920443-0
Opcode ID: 498cda1e803d17a6f5118466ea9165dd9226bd8025a920d397bde98fe09ca515
Instruction ID: b8ae27aaf29c7a970dfd4945759f76c89711bef1c6f8db22077be54f479f9734
Opcode Fuzzy Hash: F8F05C830F79E26BD5013A844E0179401A17B03DB8F147BB2D232729DC4E5D409DF60F
Instruction Fuzzy Hash: b8ae27aaf29c7a970dfd4945759f76c89711bef1c6f8db22077be54f479f9734

APIs

Part of subcall function 00431970: GetClipboardData.USER32(00000000), ref: 00431996

GlobalLock.KERNEL32(00000000,00000000,00470C74), ref: 00470BDE
DragQueryFileA.SHELL32(?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470BF0
DragQueryFileA.SHELL32(?,00000000,?,00000105,?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470C10
GlobalUnlock.KERNEL32(00000000,?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470C56

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00438710, Relevance: 6.1, APIs: 4, Instructions: 72 Total matches: 3034window

Similarity

Total matches: 3034
API ID: GetMenuItemIDGetMenuStateGetMenuStringGetSubMenu
String ID:
API String ID: 4177512249-0
Opcode ID: ecc45265f1f2dfcabc36b66648e37788e83d83d46efca9de613be41cbe9cf08e
Instruction ID: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d
Opcode Fuzzy Hash: BEE020084B1FC552541F0A4A1573F019140E142CB69C3F3635127565B31A255213F776
Instruction Fuzzy Hash: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d

APIs

GetMenuState.USER32(?,?,?), ref: 00438733
GetSubMenu.USER32(?,?), ref: 0043873E
GetMenuItemID.USER32(?,?), ref: 00438757
GetMenuStringA.USER32(?,?,?,?,?), ref: 004387AA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00445518, Relevance: 6.1, APIs: 4, Instructions: 71 Total matches: 218threadwindow

Similarity

Total matches: 218
API ID: GetCurrentProcessIdGetWindowGetWindowThreadProcessIdIsWindowVisible
String ID:
API String ID: 3659984437-0
Opcode ID: 6a2b99e3a66d445235cbeb6ae27631a3038d73fb4110980a8511166327fee1f0
Instruction ID: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8
Opcode Fuzzy Hash: 82E0AB21B2AA28AAE0971541B01939130B3F74ED9ACC0A3626F8594BD92F253809E74F
Instruction Fuzzy Hash: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8

APIs

GetWindow.USER32(?,00000004), ref: 00445528
GetWindowThreadProcessId.USER32(?,?), ref: 00445542
GetCurrentProcessId.KERNEL32(?,00000004), ref: 0044554E
IsWindowVisible.USER32(?), ref: 0044559E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B29C, Relevance: 6.1, APIs: 4, Instructions: 58 Total matches: 214window

Similarity

Total matches: 214
API ID: DeleteObject$GetIconInfoGetObject
String ID:
API String ID: 3019347292-0
Opcode ID: d6af2631bec08fa1cf173fc10c555d988242e386d2638a025981433367bbd086
Instruction ID: 7fbc048e39f9dd6e6db5f40543e5f161b145f4c2f282fe4a446dbd8e1941d375
Opcode Fuzzy Hash: F7D0C283228DE2F7ED767D983A636154085F782297C6423B00444730860A1E700C6A03
Instruction Fuzzy Hash: 7fbc048e39f9dd6e6db5f40543e5f161b145f4c2f282fe4a446dbd8e1941d375

APIs

GetIconInfo.USER32(?,?), ref: 0042B2BD
GetObjectA.GDI32(?,00000018,?), ref: 0042B2DE
DeleteObject.GDI32(?), ref: 0042B30A
DeleteObject.GDI32(?), ref: 0042B313

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00445334, Relevance: 6.1, APIs: 4, Instructions: 56 Total matches: 2678

Similarity

Total matches: 2678
API ID: EnumWindowsGetWindowGetWindowLongSetWindowPos
String ID:
API String ID: 1660305372-0
Opcode ID: c3d012854d63b95cd89c42a77d529bdce0f7c5ea0abc138a70ce1ca7fb0ed027
Instruction ID: 7947c1ee61b3a945b06f79495752ea495d4a1fb36974d9d540e15b721e8a8e8a
Opcode Fuzzy Hash: 65E07D89179DA114F52124400911F043342F3D731BD1ADF814246283E39B8522BBFB8C
Instruction Fuzzy Hash: 7947c1ee61b3a945b06f79495752ea495d4a1fb36974d9d540e15b721e8a8e8a

APIs

EnumWindows.USER32(Function_000452BC), ref: 0044535E
GetWindow.USER32(?,00000003), ref: 00445376
GetWindowLongA.USER32(00000000,000000EC), ref: 00445383
SetWindowPos.USER32(00000000,000000EC,00000000,00000000,00000000,00000000,00000213), ref: 004453C2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004314A0, Relevance: 6.1, APIs: 4, Instructions: 56 Total matches: 21memoryclipboard

Similarity

Total matches: 21
API ID: GlobalAllocGlobalLockGlobalUnlockSetClipboardData
String ID:
API String ID: 3535573752-0
Opcode ID: f0e50475fe096c382d27ee33e947bcf8d55d19edebb1ed8108c2663ee63934e9
Instruction ID: 2742e8ac83e55c90e50d408429e67af57535f67fab21309796ee5989aaacba5e
Opcode Fuzzy Hash: D7E0C250025CF01BF9CA69CD3C97E86D2D2DA402649D46FB58258A78B3222E6049E50B
Instruction Fuzzy Hash: 2742e8ac83e55c90e50d408429e67af57535f67fab21309796ee5989aaacba5e

APIs

GlobalAlloc.KERNEL32(00002002,?,00000000,00431572), ref: 004314CF
GlobalLock.KERNEL32(?,00000000,00431544,?,00002002,?,00000000,00431572), ref: 004314E9
SetClipboardData.USER32(?,?), ref: 00431517
GlobalUnlock.KERNEL32(?,0043153A,?,00000000,00431544,?,00002002,?,00000000,00431572), ref: 0043152D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040A404, Relevance: 6.1, APIs: 4, Instructions: 54 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: c8f11cb17e652d385e55d6399cfebc752614be738e382b5839b86fc73ea86396
Instruction ID: 2e292ce978d1af3d415e66e5b982e49a92b9d84a3d1479b7871fac408542b61b
Opcode Fuzzy Hash: 32D02B030B309613452F157D0441F8D7032488F01A96C2F8C37B77ABA68505605FFE4C
Instruction Fuzzy Hash: 2e292ce978d1af3d415e66e5b982e49a92b9d84a3d1479b7871fac408542b61b

APIs

FindNextFileA.KERNEL32(?,?), ref: 0040A415
GetLastError.KERNEL32(?,?), ref: 0040A41E
FileTimeToLocalFileTime.KERNEL32(?), ref: 0040A434
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 0040A443

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0041C2D4, Relevance: 6.1, APIs: 4, Instructions: 51 Total matches: 4966

Similarity

Total matches: 4966
API ID: FindResourceLoadResourceLockResourceSizeofResource
String ID:
API String ID: 3653323225-0
Opcode ID: 735dd83644160b8dcfdcb5d85422b4d269a070ba32dbf009b7750e227a354687
Instruction ID: 615d07274e164157e3e11310b2f920de543c2506028dc961f8b3aaf64374c2fd
Opcode Fuzzy Hash: 4BD0A90A2268C100582C2C80002BBC610830A5FE226CC27F902231BBC32C026024F8C4
Instruction Fuzzy Hash: 615d07274e164157e3e11310b2f920de543c2506028dc961f8b3aaf64374c2fd

APIs

FindResourceA.KERNEL32(?,?,?), ref: 0041C2EB
LoadResource.KERNEL32(?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C305
SizeofResource.KERNEL32(?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C31F
LockResource.KERNEL32(0041BDF4,00000000,?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000), ref: 0041C329

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040A3AC, Relevance: 6.0, APIs: 4, Instructions: 40 Total matches: 51time

Similarity

Total matches: 51
API ID: DosDateTimeToFileTimeGetLastErrorLocalFileTimeToFileTimeSetFileTime
String ID:
API String ID: 3095628216-0
Opcode ID: dc7fe683cb9960f76d0248ee31fd3249d04fe76d6d0b465a838fe0f3e66d3351
Instruction ID: c3399427300e97a0bf23ec08d7f996c3ab3c22a86554ee3675cd901d102723b3
Opcode Fuzzy Hash: F2C0803B165157D71F4F7D7C600375011F0D1778230955B614E019718D4E05F01EFD86
Instruction Fuzzy Hash: c3399427300e97a0bf23ec08d7f996c3ab3c22a86554ee3675cd901d102723b3

APIs

DosDateTimeToFileTime.KERNEL32(?,0048C37F,?), ref: 0040A3C9
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0040A3DA
SetFileTime.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3EC
GetLastError.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3F5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00484388, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 39

Similarity

Total matches: 39
API ID: CloseHandleGetExitCodeProcessOpenProcessTerminateProcess
String ID:
API String ID: 2790531620-0
Opcode ID: 2f64381cbc02908b23ac036d446d8aeed05bad4df5f4c3da9e72e60ace7043ae
Instruction ID: e830ae185e03603e72926048c7063e7464f7d8c572e36ef4319c937be7ad0c91
Opcode Fuzzy Hash: 5DC01285079EAB7B643571D825437E14084D5026CCB943B7185045F10B4B09B43DF053
Instruction Fuzzy Hash: e830ae185e03603e72926048c7063e7464f7d8c572e36ef4319c937be7ad0c91

APIs

OpenProcess.KERNEL32(00000001,00000000,00000000), ref: 00484393
GetExitCodeProcess.KERNEL32(00000000,?), ref: 004843B7
TerminateProcess.KERNEL32(00000000,?,00000000,004843E0,?,00000001,00000000,00000000), ref: 004843C4
CloseHandle.KERNEL32(00000000), ref: 004843DA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044E254, Relevance: 6.0, APIs: 4, Instructions: 37 Total matches: 5751thread

Similarity

Total matches: 5751
API ID: GetCurrentProcessIdGetPropGetWindowThreadProcessIdGlobalFindAtom
String ID:
API String ID: 142914623-0
Opcode ID: 055fee701d7a26f26194a738d8cffb303ddbdfec43439e02886190190dab2487
Instruction ID: e9689aead5eaf442059aa2d418bca5d111d08576717f72d926dd49825766799b
Opcode Fuzzy Hash: 0AC02203AD2E23870E4202F2E840907219583DF8720CA370201B0E38C023F0461DFF0C
Instruction Fuzzy Hash: e9689aead5eaf442059aa2d418bca5d111d08576717f72d926dd49825766799b

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 0044E261
GetCurrentProcessId.KERNEL32(00000000,?,?,-00000010,00000000,0044E2CC,-000000F7,?,00000000,0044DE86,?,-00000010,?), ref: 0044E26A
GlobalFindAtomA.KERNEL32(00000000), ref: 0044E27F
GetPropA.USER32(00000000,00000000), ref: 0044E296

Part of subcall function 0044D2C0: GetWindowThreadProcessId.USER32(?), ref: 0044D2C6
Part of subcall function 0044D2C0: GetCurrentProcessId.KERNEL32(?,?,?,?,0044D346,?,00000000,?,004387ED,?,004378A9), ref: 0044D2CF
Part of subcall function 0044D2C0: SendMessageA.USER32(?,0000C1C7,00000000,00000000), ref: 0044D2E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444B1C, Relevance: 6.0, APIs: 4, Instructions: 34 Total matches: 2966thread

Similarity

Total matches: 2966
API ID: CreateEventCreateThreadGetCurrentThreadIdSetWindowsHookEx
String ID:
API String ID: 2240124278-0
Opcode ID: 54442a1563c67a11f9aee4190ed64b51599c5b098d388fde65e2e60bb6332aef
Instruction ID: 25b62da08cecef26c395931cea73ffe9b62582a88be241cbb158b3c9ea13de32
Opcode Fuzzy Hash: 37D0C940B0DE75C4F860630138017A90633234BF1BCD1C316480F76041C6CFAEF07A28
Instruction Fuzzy Hash: 25b62da08cecef26c395931cea73ffe9b62582a88be241cbb158b3c9ea13de32

APIs

GetCurrentThreadId.KERNEL32(?,00447A69,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00444B34
SetWindowsHookExA.USER32(00000003,00444AD8,00000000,00000000), ref: 00444B44
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00447A69,?,?,?,?,?,?,?,?,?,?), ref: 00444B5F
CreateThread.KERNEL32(00000000,000003E8,00444A7C,00000000,00000000), ref: 00444B83

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B438, Relevance: 6.0, APIs: 4, Instructions: 29 Total matches: 789

Similarity

Total matches: 789
API ID: GetDCGetTextMetricsReleaseDCSelectObject
String ID:
API String ID: 1769665799-0
Opcode ID: db772d9cc67723a7a89e04e615052b16571c955da3e3b2639a45f22e65d23681
Instruction ID: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3
Opcode Fuzzy Hash: DCC02B935A2888C32DE51FC0940084317C8C0E3A248C62212E13D400727F0C007CBFC0
Instruction Fuzzy Hash: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3

APIs

GetDC.USER32(00000000), ref: 0042B441
SelectObject.GDI32(00000000,018A002E), ref: 0042B453
GetTextMetricsA.GDI32(00000000), ref: 0042B45E
ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042473C, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 172 Total matches: 108

Similarity

Total matches: 108
API ID: CompareStringCreateFontIndirect
String ID: Default
API String ID: 480662435-753088835
Opcode ID: 55710f22f10b58c86f866be5b7f1af69a0ec313069c5af8c9f5cd005ee0f43f8
Instruction ID: ad4a051fb67a15694052d05548e5e2a92b9daedfa5d673be67c756d1cf269a99
Opcode Fuzzy Hash: F6116A2104DDB067F8B3EC94B64A74A79D1BBC5E9EC00FB303AA57198A0B01500EEB0E
Instruction Fuzzy Hash: ad4a051fb67a15694052d05548e5e2a92b9daedfa5d673be67c756d1cf269a99

APIs

Part of subcall function 00423A1C: EnterCriticalSection.KERNEL32(?,00423A59), ref: 00423A20

CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,00424930,?,00000000,00424958), ref: 0042486B
CreateFontIndirectA.GDI32(?), ref: 0042490D

Part of subcall function 0042B438: GetDC.USER32(00000000), ref: 0042B441
Part of subcall function 0042B438: SelectObject.GDI32(00000000,018A002E), ref: 0042B453
Part of subcall function 0042B438: GetTextMetricsA.GDI32(00000000), ref: 0042B45E
Part of subcall function 0042B438: ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Part of subcall function 00423A28: LeaveCriticalSection.KERNEL32(-00000008,00423B07,00423B0F), ref: 00423A2C

Strings

Default, xrefs: 00424832, 00424840, 00424841

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045E7B4, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108 Total matches: 16

Similarity

Total matches: 16
API ID: GetActiveObject
String ID: E
API String ID: 888827201-3568589458
Opcode ID: 40ff121eecf195b3d4325bc1369df9dba976ca9c7c575cd6fc43b4b0f55e6955
Instruction ID: ab5b10c220aec983b32735e40d91a884d9f08e665b5304ccd80c3bfe0421d5f3
Opcode Fuzzy Hash: 13019E441FFC9152E583688426C3F4932B26B4FB4AD88B7271A77636A99905000FEE66
Instruction Fuzzy Hash: ab5b10c220aec983b32735e40d91a884d9f08e665b5304ccd80c3bfe0421d5f3

APIs

GetActiveObject.OLEAUT32(?,00000000,00000000), ref: 0045E817

Part of subcall function 0042BE18: ProgIDFromCLSID.OLE32(?), ref: 0042BE21
Part of subcall function 0042BE18: CoTaskMemFree.OLE32(00000000), ref: 0042BE39

Part of subcall function 0042BD90: StringFromCLSID.OLE32(?), ref: 0042BD99
Part of subcall function 0042BD90: CoTaskMemFree.OLE32(00000000), ref: 0042BDB1

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetActiveObject.OLEAUT32(?,00000000,00000000), ref: 0045E89E

Part of subcall function 0042BF5C: GetComputerNameA.KERNEL32(?,00000010), ref: 0042C00D
Part of subcall function 0042BF5C: CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,?,00000000,0042C0FD), ref: 0042C07D
Part of subcall function 0042BF5C: CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 0042C0B6

Part of subcall function 00405D28: SysFreeString.OLEAUT32(7942540A), ref: 00405D36

Part of subcall function 0042BE44: CoCreateInstance.OLE32(?,00000000,00000005,0042BF34,00000000), ref: 0042BE8B

Strings

E, xrefs: 0045E85F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E3F0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103 Total matches: 30

Similarity

Total matches: 30
API ID: SHGetPathFromIDListSHGetSpecialFolderLocation
String ID: .LNK
API String ID: 739551631-2547878182
Opcode ID: 6b91e9416f314731ca35917c4d41f2341f1eaddd7b94683245f35c4551080332
Instruction ID: e6ae6f63a256f5e8788dfe1c4fce17057cd352befa637d7beb5ae1c0f18a968e
Opcode Fuzzy Hash: 9701B543079EC2A3D9232E512D43BA60129AF11E22F4C77F35A3C3A7D11E500105FA4A
Instruction Fuzzy Hash: e6ae6f63a256f5e8788dfe1c4fce17057cd352befa637d7beb5ae1c0f18a968e

APIs

SHGetSpecialFolderLocation.SHELL32(00000000,00000010,?), ref: 0046E44B
SHGetPathFromIDListA.SHELL32(?,?,00000000,00000010,?,00000000,0046E55E), ref: 0046E463

Part of subcall function 0042BE44: CoCreateInstance.OLE32(?,00000000,00000005,0042BF34,00000000), ref: 0042BE8B

Strings

.LNK, xrefs: 0046E4DE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00472C70, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 98 Total matches: 26

Similarity

Total matches: 26
API ID: SetFileAttributes
String ID: I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!$drivers\etc\hosts
API String ID: 3201317690-57959411
Opcode ID: de1fcf5289fd0d37c0d7642ff538b0d3acf26fbf7f5b53187118226b7e9f9585
Instruction ID: 1f69c6cfd5524e6f1e55c33e322de11738733e7ba85079705839c212502733fc
Opcode Fuzzy Hash: C4012B430F74D723D5173D857800B8922764B4A179D4A77F34B3B796E14E45101BF26D
Instruction Fuzzy Hash: 1f69c6cfd5524e6f1e55c33e322de11738733e7ba85079705839c212502733fc

APIs

Part of subcall function 004719C8: GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 004719DF

SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00472DAB,?,00000000,00472DE7), ref: 00472D16

Strings

drivers\etc\hosts, xrefs: 00472CD3, 00472D00
I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!, xrefs: 00472D8D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004629C0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 91 Total matches: 35com

Similarity

Total matches: 35
API ID: CoCreateInstance
String ID: <*I$L*I
API String ID: 206711758-935359969
Opcode ID: 926ebed84de1c4f5a0cff4f8c2e2da7e6b2741b3f47b898da21fef629141a3d9
Instruction ID: fa8d7291222113e0245fa84df17397d490cbd8a09a55d837a8cb9fde22732a4b
Opcode Fuzzy Hash: 79F02EA00A6B5057F502728428413DB0157E74BF09F48EB715253335860F29E22A6903
Instruction Fuzzy Hash: fa8d7291222113e0245fa84df17397d490cbd8a09a55d837a8cb9fde22732a4b

APIs

CoCreateInstance.OLE32(00492A3C,00000000,00000001,0049299C,00000000), ref: 00462A3F

Strings

<*I, xrefs: 00462A39
L*I, xrefs: 00462A60

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004658F4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91 Total matches: 91memory

Similarity

Total matches: 91
API ID: VirtualFreeVirtualProtect
String ID: FinalizeSections: VirtualProtect failed
API String ID: 636303360-3584865983
Opcode ID: eacfc3cf263d000af2bbea4d1e95e0ccf08e91c00f24ffdf9b55ce997f25413f
Instruction ID: a25c5a888a9fda5817e5b780509016ca40cf7ffd1ade20052d4c48f0177e32df
Opcode Fuzzy Hash: 8CF0A7A2164FC596D9E4360D5003B96A44B6BC1369D4857412FFF106F35E46A06B7D4C
Instruction Fuzzy Hash: a25c5a888a9fda5817e5b780509016ca40cf7ffd1ade20052d4c48f0177e32df

APIs

VirtualFree.KERNEL32(?,?,00004000), ref: 00465939
VirtualProtect.KERNEL32(?,?,00000000,?), ref: 004659A5

Strings

FinalizeSections: VirtualProtect failed, xrefs: 004659B3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00404B2E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83 Total matches: 27

Similarity

Total matches: 27
API ID: UnhandledExceptionFilter
String ID: @
API String ID: 324268079-2726393805
Opcode ID: 404135c81fb2f5f5ca58f8e75217e0a603ea6e07d48b6f32e279dfa7f56b0152
Instruction ID: c84c814e983b35b1fb5dae0ae7b91a26e19a660e9c4fa24becd8f1ddc27af483
Opcode Fuzzy Hash: CDF0246287E8612AD0BB6641389337E1451EF8189DC88DB307C9A306FB1A4D22A4F34C
Instruction Fuzzy Hash: c84c814e983b35b1fb5dae0ae7b91a26e19a660e9c4fa24becd8f1ddc27af483

APIs

UnhandledExceptionFilter.KERNEL32(00000006), ref: 00404B9A
UnhandledExceptionFilter.KERNEL32(?), ref: 00404BD7

Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00000000,00403029), ref: 004076AD
Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00403029), ref: 004076BE

Strings

@, xrefs: 00404B55

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040C028, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79 Total matches: 3032thread

Similarity

Total matches: 3032
API ID: GetDateFormatGetThreadLocale
String ID: yyyy
API String ID: 358233383-3145165042
Opcode ID: a9ef5bbd8ef47e5bcae7fadb254d6b5dc10943448e4061dc92b10bb97dc7929c
Instruction ID: 3d7ab4add3e8180159f8482215856afc9a1a963464e366b4ca05c92ac214afea
Opcode Fuzzy Hash: 09F09E4A0397D3D76802C969D023BC10194EB5A8B2C88B3B1DBB43D7F74C10C40AAF21
Instruction Fuzzy Hash: 3d7ab4add3e8180159f8482215856afc9a1a963464e366b4ca05c92ac214afea

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,0040C116), ref: 0040C0AE
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100), ref: 0040C0B4

Strings

yyyy, xrefs: 0040C089

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004889F0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 72 Total matches: 20

Similarity

Total matches: 20
API ID: GetMonitorInfo
String ID: H$MONSIZE
API String ID: 2399315694-578782711
Opcode ID: fcbd22419a9fe211802b34775feeb9b9cd5c1eab3f2b681a58b96c928ed20dcd
Instruction ID: 58dff39716ab95f400833e95f8353658d64ab2bf0589c4ada55bb24297febcec
Opcode Fuzzy Hash: A0F0E957075E9D5BE7326D883C177C042D82342C5AE8EB75741B9329B20D59511DF3C9
Instruction Fuzzy Hash: 58dff39716ab95f400833e95f8353658d64ab2bf0589c4ada55bb24297febcec

APIs

GetMonitorInfoA.USER32(?,00000048), ref: 00488A28

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

H, xrefs: 00488A19
MONSIZE, xrefs: 00488A65

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486210, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66 Total matches: 14network

Similarity

Total matches: 14
API ID: recvsend
String ID: EndReceive
API String ID: 740075404-1723565878
Opcode ID: 0642aeb2bf09005660d41f125a1d03baad4e76b78f36ec5b7dd5d239cf09d5cc
Instruction ID: 216cfea4cb83c20b808547ecb65d31b60c96cf6878345f9c489041ca4988cdb5
Opcode Fuzzy Hash: 4FE02B06133A455DE6270580341A3C7F947772B705E47D7F14FA4311DACA43322AE70B
Instruction Fuzzy Hash: 216cfea4cb83c20b808547ecb65d31b60c96cf6878345f9c489041ca4988cdb5

APIs

Part of subcall function 00466470: acmStreamConvert.MSACM32(?,00000108,00000000), ref: 004664AB
Part of subcall function 00466470: acmStreamReset.MSACM32(?,00000000,?,00000108,00000000), ref: 004664B9

send.WSOCK32(00000000,0049A3A0,00000000,00000000), ref: 004862AA
recv.WSOCK32(00000000,0049A3A0,00001FFF,00000000,00000000,0049A3A0,00000000,00000000), ref: 004862C1

Part of subcall function 00475F68: send.WSOCK32(?,00000000,?,00000000,00000000,00475FCA), ref: 00475FAF

Strings

EndReceive, xrefs: 004862CA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004843EC, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52 Total matches: 15

Similarity

Total matches: 15
API ID: CloseHandleOpenProcess
String ID: ACCESS DENIED (x64)
API String ID: 39102293-185273294
Opcode ID: a572bc7c6731d9d91b92c5675ac9d9d4c0009ce4d4d6c6579680fd2629dc7de7
Instruction ID: 96dec37c68e2c881eb92ad81010518019459718a977f0d9739e81baf42475d3b
Opcode Fuzzy Hash: EBE072420B68F08FB4738298640028100C6AE862BCC486BB5523B391DB4E49A008B6A3
Instruction Fuzzy Hash: 96dec37c68e2c881eb92ad81010518019459718a977f0d9739e81baf42475d3b

APIs

OpenProcess.KERNEL32(001F0FFF,00000000), ref: 0048440F
CloseHandle.KERNEL32(00000000), ref: 00484475

Strings

ACCESS DENIED (x64), xrefs: 004843FD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E408, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44 Total matches: 2190

Similarity

Total matches: 2190
API ID: GetSystemMetrics
String ID: MonitorFromPoint
API String ID: 96882338-1072306578
Opcode ID: 666203dad349f535e62b1e5569e849ebaf95d902ba2aa8f549115cec9aadc9dc
Instruction ID: 9e90a3aeaa9df0e76633c437836624889fea8714b6c2508f44f8acb6986c90e8
Opcode Fuzzy Hash: 72D09540005C404E9427F505302314050862CD7C1444C0A96073728A4B4BC07837E70C
Instruction Fuzzy Hash: 9e90a3aeaa9df0e76633c437836624889fea8714b6c2508f44f8acb6986c90e8

APIs

GetSystemMetrics.USER32(00000000), ref: 0042E456
GetSystemMetrics.USER32(00000001), ref: 0042E468

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

MonitorFromPoint, xrefs: 0042E41A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00405026, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43 Total matches: 29

Similarity

Total matches: 29
API ID: UnhandledExceptionFilter
String ID: @$@
API String ID: 324268079-1993891284
Opcode ID: 08651bee2e51f7c203f2bcbc4971cbf38b3c12a2f284cd033f2f36121a1f9316
Instruction ID: 09869fe21a55f28103c5e2f74b220912f521d4c5ca74f0421fb5e508a020f7c0
Opcode Fuzzy Hash: 83E0CD9917D5514BE0755684259671E1051EF05825C4A8F316D173C1FB151A11E4F77C
Instruction Fuzzy Hash: 09869fe21a55f28103c5e2f74b220912f521d4c5ca74f0421fb5e508a020f7c0

APIs

UnhandledExceptionFilter.KERNEL32(00000006), ref: 00405047

Strings

@, xrefs: 00405080
@, xrefs: 004050A2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004319C4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43 Total matches: 10clipboard

Similarity

Total matches: 10
API ID: EnumClipboardFormats
String ID: 84B
API String ID: 3596886676-4139892337
Opcode ID: b1462d8625ddb51b2d31736c791a41412de0acc99cd040f5562c49b894f36a34
Instruction ID: 9fe3e5fa4cb89e8a0f94f97538fc14217740b2e6ec0d3bb9a3290716fcbe2ff9
Opcode Fuzzy Hash: 96D0A79223ECD863E9EC2359145BD47254F08D22554440B315E1B6DA13E520181FF58F
Instruction Fuzzy Hash: 9fe3e5fa4cb89e8a0f94f97538fc14217740b2e6ec0d3bb9a3290716fcbe2ff9

APIs

EnumClipboardFormats.USER32(00000000), ref: 004319E8
EnumClipboardFormats.USER32(00000000), ref: 00431A0E

Strings

84B, xrefs: 004319F6

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00422188, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42 Total matches: 16registry

Similarity

Total matches: 16
API ID: RegSetValueEx
String ID: NoControlPanel$tdA
API String ID: 3711155140-1355984343
Opcode ID: 5e8bf8497a5466fff8bc5eb4e146d5dc6a0602752481f5dd4d5504146fb4de3d
Instruction ID: cdf02c1bfc0658aace9b7e9a135c824c3cff313d703079df6a374eed0d2e646e
Opcode Fuzzy Hash: E2D0A75C074881C524D914CC3111E01228593157AA49C3F52875D627F70E00E038DD1E
Instruction Fuzzy Hash: cdf02c1bfc0658aace9b7e9a135c824c3cff313d703079df6a374eed0d2e646e

APIs

RegSetValueExA.ADVAPI32(?,00000000,00000000,00000000,?,?,004724E0,00000000,004724E0), ref: 004221BA

Strings

NoControlPanel, xrefs: 00422188
tdA, xrefs: 004221D0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E258, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39 Total matches: 3131

Similarity

Total matches: 3131
API ID: GetSystemMetrics
String ID: GetSystemMetrics
API String ID: 96882338-96882338
Opcode ID: bbc54e4b5041dfa08de2230ef90e8f32e1264c6e24ec09b97715d86cc98d23e9
Instruction ID: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c
Opcode Fuzzy Hash: B4D0A941986AA908E0AF511971A336358D163D2EA0C8C8362308B329EB5741B520AB01
Instruction Fuzzy Hash: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c

APIs

GetSystemMetrics.USER32(?), ref: 0042E2BA

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

GetSystemMetrics.USER32(?), ref: 0042E280

Strings

GetSystemMetrics, xrefs: 0042E268

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Process Name: IMG-FILE-093298393840933-09208438039039-023outputA4DB4EF.exe Analysis ID: 69994

General

Root Process Name:	regdrv.exe
Process MD5:	88E0BC064945FA01C3B2745AC3633836
Total matches:	229
Initial Analysis Report:	Open
Initial sample Analysis ID:	69994
Initial sample SHA 256:	B92FDDBC957300AD83902F2A5D78ED7A0258AF765471BC40F9ACEEDD40A37EEA
Initial sample name:	IMG-FILE-093298393840933-09208438039039-023outputA4DB4EF.exe

Similar Executed Functions

Function 004818F8, Relevance: 49.2, APIs: 10, Strings: 18, Instructions: 236 Total matches: 18keyboard

Similarity

Total matches: 18
API ID: GetKeyState$CallNextHookEx$GetKeyboardStateMapVirtualKeyToAscii
String ID: [<-]$[DEL]$[DOWN]$[ESC]$[F1]$[F2]$[F3]$[F4]$[F5]$[F6]$[F7]$[F8]$[INS]$[LEFT]$[NUM_LOCK]$[RIGHT]$[SNAPSHOT]$[UP]
API String ID: 2409940449-52828794
Opcode ID: b9566e8c43a4051c07ac84d60916a303a7beb698efc358184a9cd4bc7b664fbd
Instruction ID: 41c13876561f3d94aafb9dcaf6d0e9d475a0720bb5103e60537e1bfe84b96b73
Opcode Fuzzy Hash: 0731B68AA7159623D437E2D97101B910227BF975D0CC1A3333EDA3CAE99E900114BF25
Instruction Fuzzy Hash: 41c13876561f3d94aafb9dcaf6d0e9d475a0720bb5103e60537e1bfe84b96b73

APIs

CallNextHookEx.USER32(000601F9,00000000,?,?), ref: 00481948

Part of subcall function 004818E0: MapVirtualKeyA.USER32(00000000,00000000), ref: 004818E6

CallNextHookEx.USER32(000601F9,00000000,00000100,?), ref: 0048198C
GetKeyState.USER32(00000014), ref: 00481C4E
GetKeyState.USER32(00000011), ref: 00481C60
GetKeyState.USER32(000000A0), ref: 00481C75
GetKeyState.USER32(000000A1), ref: 00481C8A
GetKeyboardState.USER32(?), ref: 00481CA5
MapVirtualKeyA.USER32(00000000,00000000), ref: 00481CD7
ToAscii.USER32(00000000,00000000,00000000,00000000,?), ref: 00481CDE

Part of subcall function 00481318: ExitThread.KERNEL32(00000000,00000000,00481687,?,00000000,004816C3,?,?,?,?,0000000C,00000000,00000000), ref: 0048135E
Part of subcall function 00481318: CreateThread.KERNEL32(00000000,00000000,Function_000810D4,00000000,00000000,00499F94), ref: 0048162D

CallNextHookEx.USER32(000601F9,00000000,?,?), ref: 00481D3C

Strings

[LEFT], xrefs: 00481C07
[F3], xrefs: 00481B65
[DOWN], xrefs: 00481C2B
[<-], xrefs: 00481B1D
[NUM_LOCK], xrefs: 00481B2F
[RIGHT], xrefs: 00481C19
[F7], xrefs: 00481BAD
[DEL], xrefs: 00481BD1
[UP], xrefs: 00481C3D
[F4], xrefs: 00481B77
[ESC], xrefs: 00481AE7
[F8], xrefs: 00481BBF
[F5], xrefs: 00481B89
[F1], xrefs: 00481B41
[INS], xrefs: 00481BE3
[F6], xrefs: 00481B9B
[SNAPSHOT], xrefs: 00481BF5
[F2], xrefs: 00481B53

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00406C2C, Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184 Total matches: 2899registrystringlibrary

Similarity

Total matches: 2899
API ID: lstrcpyn$LoadLibraryExRegOpenKeyEx$RegQueryValueEx$GetLocaleInfoGetModuleFileNameGetThreadLocaleRegCloseKeylstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 3567661987-2375825460
Opcode ID: a3b1251d448c01bd6f1cc1c42774547fa8a2e6c4aa6bafad0bbf1d0ca6416942
Instruction ID: a303aaa8438224c55303324eb01105260f59544aa3820bfcbc018d52edb30607
Opcode Fuzzy Hash: 7311914307969393E8871B6124157D513A5AF01F30E4A7BF275F0206EABE46110CFA06
Instruction Fuzzy Hash: a303aaa8438224c55303324eb01105260f59544aa3820bfcbc018d52edb30607

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,00400000,004917C0), ref: 00406C48
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,004917C0), ref: 00406C66
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,004917C0), ref: 00406C84
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00406CA2

Part of subcall function 00406A68: GetModuleHandleA.KERNEL32(kernel32.dll,?,00400000,004917C0), ref: 00406A85
Part of subcall function 00406A68: GetProcAddress.KERNEL32(?,GetLongPathNameA,kernel32.dll,?,00400000,004917C0), ref: 00406A9C
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,?,00400000,004917C0), ref: 00406ACC
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B30
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B66
Part of subcall function 00406A68: FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B79
Part of subcall function 00406A68: FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B8B
Part of subcall function 00406A68: lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B97
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000), ref: 00406BCB
Part of subcall function 00406A68: lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00406BD7
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 00406BF9

RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,00406D31,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00406CEB
RegQueryValueExA.ADVAPI32(?,00406E98,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00406D31,?,80000001), ref: 00406D09
RegCloseKey.ADVAPI32(?,00406D38,00000000,?,?,00000000,00406D31,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00406D2B
lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00406D48
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00406D55
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00406D5B
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00406D86
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406DCD
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406DDD
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406E05
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406E15
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00406E3B
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 00406E4B

Strings

Software\Borland\Locales, xrefs: 00406C5C, 00406C7A
Software\Borland\Delphi\Locales, xrefs: 00406C98

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00406D38, Relevance: 15.1, APIs: 10, Instructions: 98 Total matches: 2843stringlibrarythread

Similarity

Total matches: 2843
API ID: lstrcpyn$LoadLibraryEx$GetLocaleInfoGetThreadLocalelstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 2476548892-2375825460
Opcode ID: 37afa4b59127376f4a6833a35b99071d0dffa887068a3353cca0b5e1e5cd2bc3
Instruction ID: 0c520f96d45b86b238466289d2a994e593252e78d5c30d2048b7af96496f657b
Opcode Fuzzy Hash: 4CF0C883479793A7E04B1B422916AC853A4AF00F30F577BE1B970147FE7D1B240CA519
Instruction Fuzzy Hash: 0c520f96d45b86b238466289d2a994e593252e78d5c30d2048b7af96496f657b

APIs

lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00406D48
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00406D55
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00406D5B
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00406D86
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406DCD
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406DDD
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406E05
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406E15
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00406E3B
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 00406E4B

Strings

Software\Borland\Locales, xrefs: 00406C5C, 00406C7A
Software\Borland\Delphi\Locales, xrefs: 00406C98

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AEA8, Relevance: 9.1, APIs: 6, Instructions: 108 Total matches: 122

Similarity

Total matches: 122
API ID: AdjustTokenPrivilegesCloseHandleGetCurrentProcessGetLastErrorLookupPrivilegeValueOpenProcessToken
String ID:
API String ID: 1655903152-0
Opcode ID: c92d68a2c1c5faafb4a28c396f292a277a37f0b40326d7f586547878ef495775
Instruction ID: 5a044237aac15a3989e4021d08b96f5326c338692d3d0e66e444868dbe789150
Opcode Fuzzy Hash: 2CF0468513CAB2E7F879B18C3042FE73458B323244C8437219A903A18E0E59A12CEB13
Instruction Fuzzy Hash: 5a044237aac15a3989e4021d08b96f5326c338692d3d0e66e444868dbe789150

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AEFF
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF05
LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000), ref: 0048AF77
CloseHandle.KERNEL32(?), ref: 0048AF8D
GetLastError.KERNEL32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF9A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DDE0, Relevance: 7.6, APIs: 5, Instructions: 54 Total matches: 153

Similarity

Total matches: 153
API ID: FindResourceFreeResourceLoadResourceLockResourceSizeofResource
String ID:
API String ID: 3885362348-0
Opcode ID: ef8b8e58cde3d28224df1e0c57da641ab2d3d01fa82feb3a30011b4f31433ee9
Instruction ID: 9990bafbf40e834a260b48e1f62370990a3e04654371271e90c167a58edff6a8
Opcode Fuzzy Hash: 08D02B420B5FA197F51656482C813D722876B43386EC42BF2D31A3B2E39F058039F60B
Instruction Fuzzy Hash: 9990bafbf40e834a260b48e1f62370990a3e04654371271e90c167a58edff6a8

APIs

FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 0048DE1A
LoadResource.KERNEL32(00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE24
SizeofResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE2E
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE36
FreeResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00481ED8, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 86 Total matches: 13

Similarity

Total matches: 13
API ID: GetModuleHandleSetWindowsHookEx
String ID: 3 H$dclogs\
API String ID: 987070476-1752027334
Opcode ID: 4b23d8581528a2a1bc1133d8afea0c2915dbad2a911779c2aade704c29555fce
Instruction ID: b2120ba2d2fe5220d185ceeadd256cdd376e4b814eb240eb03e080d2c545ca01
Opcode Fuzzy Hash: 00F0D1DB07A9C683E1A2A4847C42796007D5F07115E8C8BB3473F7A4F64F164026F70A
Instruction Fuzzy Hash: b2120ba2d2fe5220d185ceeadd256cdd376e4b814eb240eb03e080d2c545ca01

APIs

GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00482007,?,?,00000003,00000000,00000000,?,00482033), ref: 00481EFB
SetWindowsHookExA.USER32(0000000D,004818F8,00000000,00000000), ref: 00481F09

Part of subcall function 0048ADCC: SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0048ADF9
Part of subcall function 0048ADCC: SHGetPathFromIDListA.SHELL32(?,?,00000000,0048AE8C,?,?,00000005,?,004856FD,00000000,00485755,?,?,00000005,00000000,00000000), ref: 0048AE09

Part of subcall function 0040A290: GetFileAttributesA.KERNEL32(00000000,?,0048FD09,?,?,00490710,?), ref: 0040A29B

Part of subcall function 00480F70: GetForegroundWindow.USER32 ref: 00480F8F
Part of subcall function 00480F70: GetWindowTextLengthA.USER32(00000000), ref: 00480F9B
Part of subcall function 00480F70: GetWindowTextA.USER32(00000000,00000000,00000001), ref: 00480FB8

Strings

dclogs\, xrefs: 00481F26, 00481F4C, 00481F6E
3 H, xrefs: 00481F16, 00481F23, 00481F30

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048FA10, Relevance: 104.0, APIs: 13, Strings: 46, Instructions: 713 Total matches: 3sleepfilethread

Similarity

Total matches: 3
API ID: Sleep$CopyFileCreateThreadExitProcess$GetLastErrorMessageBoxSetLastErrorShellExecute
String ID: at $" +s +h$,xI$AI$BIND$CHANGEDATE$CHIDED$CHIDEF$COMBOPATH$DCMUTEX$DIRATTRIB$EDTDATE$EDTPATH$FAKEMSG$[.dll]$FWB$GENCODE$Guest$INSTALL$KEYNAME$MELT$MSGCORE$MSGICON$MSGTITLE$MULTIBIND$MULTIPLUGS$MUTEX$NETDATA$OVDNS$PDNS$PERS$PERSINST$PLUGS$SH1$SH10$SH3$SH4$SH5$SH6$SH7$SH8$SH9$SID$attrib "$notepad$open
API String ID: 621504876-1976595610
Opcode ID: 0e79757b0a7dfb45aaa11cab1035a09f85487e362f4865be0c41c2db2fad014a
Instruction ID: c80a01dfbaa6738da9283e71bb193ee20a44e75cd7a9a95f81cee2a081a2619e
Opcode Fuzzy Hash: E7D126435B9AD76992606FA07C1A2C601D55A8617AE8A27F2CB7D347F4EF03401BFB1C
Instruction Fuzzy Hash: c80a01dfbaa6738da9283e71bb193ee20a44e75cd7a9a95f81cee2a081a2619e

APIs

Part of subcall function 0048B724: GetCurrentHwProfileA.ADVAPI32(?), ref: 0048B776

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

Part of subcall function 0040F234: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0048F90F,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040F24B

CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0048FD52
CopyFileA.KERNEL32(00000000,00000000,?), ref: 0048FE2F

Part of subcall function 00485150: RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 00485199
Part of subcall function 00485150: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,?,00000000,004851DE,?,00000000,0048520A), ref: 004851C6
Part of subcall function 00485150: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,?,00000000,004851DE,?,00000000,0048520A), ref: 004851CF

Part of subcall function 0048C308: CloseHandle.KERNEL32(?), ref: 0048C390

MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 0048FF7A

Part of subcall function 004729DC: SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00472B0D,?,?,00000000,?,00000000,00000000,00472BD6,?,00000000,00472C12), ref: 00472AFE

ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 00490298

Part of subcall function 00472924: SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00472969,?,?,?,?,00490051), ref: 0047294E

Sleep.KERNEL32(000003E8), ref: 004902A2

Part of subcall function 00472974: SetFileAttributesA.KERNEL32(00000000,00000000,00000000,004729D0), ref: 004729B0

Part of subcall function 0046D36C: ShellExecuteA.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0046D3B9

Sleep.KERNEL32(000001F4), ref: 004901DD
ExitProcess.KERNEL32(00000000,000003E8), ref: 004902A9

Part of subcall function 00474F80: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0047500B
Part of subcall function 00474F80: GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000,00475246), ref: 0047511C
Part of subcall function 00474F80: GetProcAddress.KERNEL32(00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000,00475246), ref: 00475122
Part of subcall function 00474F80: GetModuleHandleA.KERNEL32(kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000), ref: 00475133
Part of subcall function 00474F80: GetProcAddress.KERNEL32(00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 00475139
Part of subcall function 00474F80: GetModuleHandleA.KERNEL32(kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000), ref: 0047514B
Part of subcall function 00474F80: GetProcAddress.KERNEL32(00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000), ref: 00475151
Part of subcall function 00474F80: GetModuleHandleA.KERNEL32(kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000), ref: 00475163
Part of subcall function 00474F80: GetProcAddress.KERNEL32(00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000), ref: 00475169
Part of subcall function 00474F80: GetModuleHandleA.KERNEL32(kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000), ref: 0047517B
Part of subcall function 00474F80: GetProcAddress.KERNEL32(00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000), ref: 00475181
Part of subcall function 00474F80: GetModuleHandleA.KERNEL32(kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32), ref: 00475193
Part of subcall function 00474F80: GetProcAddress.KERNEL32(00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000), ref: 00475199
Part of subcall function 00474F80: GetModuleHandleA.KERNEL32(kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32), ref: 004751AB
Part of subcall function 00474F80: GetProcAddress.KERNEL32(00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000), ref: 004751B1
Part of subcall function 00474F80: GetModuleHandleA.KERNEL32(kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32), ref: 004751C3
Part of subcall function 00474F80: GetProcAddress.KERNEL32(00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000), ref: 004751C9
Part of subcall function 00474F80: GetModuleHandleA.KERNEL32(kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32), ref: 004751DB
Part of subcall function 00474F80: GetProcAddress.KERNEL32(00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000), ref: 004751E1
Part of subcall function 00474F80: GetModuleHandleA.KERNEL32(kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32), ref: 004751F3
Part of subcall function 00474F80: GetProcAddress.KERNEL32(00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000), ref: 004751F9
Part of subcall function 00474F80: GetModuleHandleA.KERNEL32(kernel32,GetExitCodeProcess,00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32), ref: 0047520B
Part of subcall function 00474F80: GetProcAddress.KERNEL32(00000000,kernel32,GetExitCodeProcess,00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000), ref: 00475211

Part of subcall function 0040A290: GetFileAttributesA.KERNEL32(00000000,?,0048FD09,?,?,00490710,?), ref: 0040A29B

CreateThread.KERNEL32(00000000,00000000,0048E340,00000000,00000000,00499F94), ref: 004902E3
CreateThread.KERNEL32(00000000,00000000,0048E29C,00000000,00000000,00499F94), ref: 0049031D
SetLastError.KERNEL32(00000000,?,00490710,?), ref: 0049046F

Part of subcall function 00407978: CreateMutexA.KERNEL32(?,?,?,?,0049048A,00000000,00000000,00000000,00000000,?,00490710,?), ref: 0040798E

GetLastError.KERNEL32(00000000,00000000,00000000,00000000,?,00490710,?), ref: 0049048A
ExitProcess.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00490710,?), ref: 00490498
Sleep.KERNEL32(000001F4,00000000,00000000,00000000,00000000,?,00490710,?), ref: 004904EB

Part of subcall function 004754C4: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 00475590
Part of subcall function 004754C4: GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756B4
Part of subcall function 004754C4: GetProcAddress.KERNEL32(00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756BA
Part of subcall function 004754C4: GetModuleHandleA.KERNEL32(kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756CB
Part of subcall function 004754C4: GetProcAddress.KERNEL32(00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756D1
Part of subcall function 004754C4: GetModuleHandleA.KERNEL32(kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756E3
Part of subcall function 004754C4: GetProcAddress.KERNEL32(00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 004756E9
Part of subcall function 004754C4: GetModuleHandleA.KERNEL32(user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 004756FB
Part of subcall function 004754C4: GetProcAddress.KERNEL32(00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 00475701
Part of subcall function 004754C4: GetModuleHandleA.KERNEL32(kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 00475713
Part of subcall function 004754C4: GetProcAddress.KERNEL32(00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000), ref: 00475719
Part of subcall function 004754C4: GetModuleHandleA.KERNEL32(kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32), ref: 0047572B
Part of subcall function 004754C4: GetProcAddress.KERNEL32(00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000), ref: 00475731
Part of subcall function 004754C4: GetModuleHandleA.KERNEL32(kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32), ref: 00475743
Part of subcall function 004754C4: GetProcAddress.KERNEL32(00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000), ref: 00475749
Part of subcall function 004754C4: GetModuleHandleA.KERNEL32(kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32), ref: 0047575B
Part of subcall function 004754C4: GetProcAddress.KERNEL32(00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000), ref: 00475761
Part of subcall function 004754C4: GetModuleHandleA.KERNEL32(kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32), ref: 00475773
Part of subcall function 004754C4: GetProcAddress.KERNEL32(00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000), ref: 00475779
Part of subcall function 004754C4: GetModuleHandleA.KERNEL32(kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32), ref: 0047578B
Part of subcall function 004754C4: GetProcAddress.KERNEL32(00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000), ref: 00475791
Part of subcall function 004754C4: GetModuleHandleA.KERNEL32(kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32), ref: 004757A3
Part of subcall function 004754C4: GetProcAddress.KERNEL32(00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000), ref: 004757A9
Part of subcall function 004754C4: GetModuleHandleA.KERNEL32(kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32), ref: 004757BB
Part of subcall function 004754C4: GetProcAddress.KERNEL32(00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000), ref: 004757C1
Part of subcall function 004754C4: GetModuleHandleA.KERNEL32(kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32), ref: 004757D3
Part of subcall function 004754C4: GetProcAddress.KERNEL32(00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000), ref: 004757D9
Part of subcall function 004754C4: GetModuleHandleA.KERNEL32(kernel32,OpenProcess,00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32), ref: 004757EB
Part of subcall function 004754C4: GetProcAddress.KERNEL32(00000000,kernel32,OpenProcess,00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000), ref: 004757F1

Part of subcall function 0047EAEC: CreateThread.KERNEL32(00000000,00000000,00482028,00000000,00000000,00499F94), ref: 0047EB8D
Part of subcall function 0047EAEC: TranslateMessage.USER32(00499F5C), ref: 0047ECAD
Part of subcall function 0047EAEC: DispatchMessageA.USER32(00499F5C), ref: 0047ECB3
Part of subcall function 0047EAEC: GetMessageA.USER32(00499F5C,00000000,00000000,00000000), ref: 0047ECBF

Part of subcall function 00473C24: ExitProcess.KERNEL32(00000000,00000000,00473CF8,?,?,00000000,00000000,00000000,?,00490560,00000000,00000000,00000000,00000000,?,00490710), ref: 00473C8E
Part of subcall function 00473C24: ExitProcess.KERNEL32(00000000,00000000,00473CF8,?,?,00000000,00000000,00000000,?,00490560,00000000,00000000,00000000,00000000,?,00490710), ref: 00473CD8

Part of subcall function 0048C5D0: EnumResourceNamesA.KERNEL32(00000000,DPLUG,0048C494,00000000), ref: 0048C5F2

Part of subcall function 0048BEE4: EnumResourceNamesA.KERNEL32(00000000,DBIND,0048BDD4,00000000), ref: 0048BF06

Part of subcall function 0040BC98: GetLocalTime.KERNEL32(?), ref: 0040BCA0

Part of subcall function 0040BCC4: GetLocalTime.KERNEL32(?), ref: 0040BCCC

Strings

CHIDEF, xrefs: 004900A1
SH7, xrefs: 004903D7
DIRATTRIB, xrefs: 00490057
" +s +h, xrefs: 004900D5, 00490191
,xI, xrefs: 0048FC6C
MULTIBIND, xrefs: 004904A3
SH8, xrefs: 004903FE
MULTIPLUGS, xrefs: 004904F6
FAKEMSG, xrefs: 0048FEF7
SH4, xrefs: 00490354
PLUGS, xrefs: 004901E8, 00490518
COMBOPATH, xrefs: 0048FB0F
NETDATA, xrefs: 0048FA28
AI, xrefs: 0048FADA, 0048FAEC, 00490474, 004905E5, 00490614
PERSINST, xrefs: 004902B4
Guest, xrefs: 0048FAA4
at , xrefs: 0048FC84
MSGCORE, xrefs: 0048FF51
open, xrefs: 00490291
SH9, xrefs: 00490425
CHANGEDATE, xrefs: 0048FEB3
MELT, xrefs: 00490245
SH5, xrefs: 00490380
OVDNS, xrefs: 0048FFAF
GENCODE, xrefs: 0048FB35, 0048FD65, 00490566
SH1, xrefs: 004902EE
attrib ", xrefs: 004900BD, 0049014E
SH3, xrefs: 00490328
MUTEX, xrefs: 0048FAB1
SH10, xrefs: 0049044C
MSGTITLE, xrefs: 0048FF35
FILEATTRIB, xrefs: 0049000D
CHIDED, xrefs: 004900FB
notepad, xrefs: 00490274, 004905F5, 0049061C
EDTPATH, xrefs: 0048FAFE
SID, xrefs: 0048FA64
BIND, xrefs: 004901B7, 004904C5
PERS, xrefs: 004905C0
MSGICON, xrefs: 0048FF19
SH6, xrefs: 004903B0
DCMUTEX, xrefs: 0048FAF1
KEYNAME, xrefs: 0048FE84
INSTALL, xrefs: 0048FCCC, 00490223
PDNS, xrefs: 0048FF85, 0048FFD1, 0048FFF0
EDTDATE, xrefs: 0048FED5
FWB, xrefs: 0049053F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047EAEC, Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 149 Total matches: 19windowthread

Similarity

Total matches: 19
API ID: CreateThreadDispatchMessageGetMessageTranslateMessage
String ID: at $,xI$AI$AI$MPI$OFFLINEK$PWD$Unknow
API String ID: 994098336-2744674293
Opcode ID: 9eba81f8e67a9dabaeb5076a6d0005a8d272465a03f2cd78ec5fdf0e8a578f9a
Instruction ID: 2241c7d72abfc068c3e0d2a9a226d44f5f768712d3663902469fbf0e50918cf5
Opcode Fuzzy Hash: E81159DA27FED40AF533B93074417C781661B2B62CE5C53A24E3B38580DE83406A7F06
Instruction Fuzzy Hash: 2241c7d72abfc068c3e0d2a9a226d44f5f768712d3663902469fbf0e50918cf5

APIs

CreateThread.KERNEL32(00000000,00000000,00482028,00000000,00000000,00499F94), ref: 0047EB8D
GetMessageA.USER32(00499F5C,00000000,00000000,00000000), ref: 0047ECBF

Part of subcall function 0040BC98: GetLocalTime.KERNEL32(?), ref: 0040BCA0

Part of subcall function 0040BCC4: GetLocalTime.KERNEL32(?), ref: 0040BCCC

Part of subcall function 0041FA34: GetLastError.KERNEL32(00486514,00000004,0048650C,00000000,0041FADE,?,00499F5C), ref: 0041FA94

Part of subcall function 0041FC40: SetThreadPriority.KERNEL32(?,015CDB28,00499F5C,?,0047EC9E,?,?,?,00000000,00000000,?,0049062B), ref: 0041FC55

Part of subcall function 0041FEF0: ResumeThread.KERNEL32(?,00499F5C,?,0047ECAA,?,?,?,00000000,00000000,?,0049062B), ref: 0041FEF8

TranslateMessage.USER32(00499F5C), ref: 0047ECAD
DispatchMessageA.USER32(00499F5C), ref: 0047ECB3

Strings

OFFLINEK, xrefs: 0047EB61
,xI, xrefs: 0047EC45
AI, xrefs: 0047EB11, 0047EB3E
at , xrefs: 0047EC58
Unknow, xrefs: 0047EC0B
AI, xrefs: 0047EBFA, 0047EC04, 0047EC60
MPI, xrefs: 0047EB9D
PWD, xrefs: 0047EB26

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004458CC, Relevance: 19.9, APIs: 13, Instructions: 386 Total matches: 159window

Similarity

Total matches: 159
API ID: SetFocus$GetFocusIsWindowEnabledPostMessage$GetLastActivePopupIsWindowVisibleSendMessage
String ID:
API String ID: 914620548-0
Opcode ID: 7a550bb8e8bdfffe0a3d884064dd1348bcd58c670023c5df15e5d4cbc78359b7
Instruction ID: ae7cdb1027d949e36366800a998b34cbf022b374fa511ef6be9943eb0d4292bd
Opcode Fuzzy Hash: 79518B4165DF6212E8BB908076A3BE6604BF7C6B9ECC8DF3411D53649B3F44620EE306
Instruction Fuzzy Hash: ae7cdb1027d949e36366800a998b34cbf022b374fa511ef6be9943eb0d4292bd

APIs

Part of subcall function 00445780: SetThreadLocale.KERNEL32(00000400,?,?,?,0044593F,00000000,00445F57), ref: 004457A3

Part of subcall function 00445F90: SetActiveWindow.USER32(?), ref: 00445FB5
Part of subcall function 00445F90: IsWindowEnabled.USER32(00000000), ref: 00445FE1
Part of subcall function 00445F90: SetWindowPos.USER32(?,00000000,00000000,00000000,?,00000000,00000040), ref: 0044602B
Part of subcall function 00445F90: DefWindowProcA.USER32(?,00000112,0000F020,00000000), ref: 00446040

Part of subcall function 00446070: SetActiveWindow.USER32(?), ref: 0044608F
Part of subcall function 00446070: ShowWindow.USER32(00000000,00000009), ref: 004460B4
Part of subcall function 00446070: IsWindowEnabled.USER32(00000000), ref: 004460D3
Part of subcall function 00446070: DefWindowProcA.USER32(?,00000112,0000F120,00000000), ref: 004460EC
Part of subcall function 00446070: SetWindowPos.USER32(?,00000000,00000000,?,?,00445ABE,00000000), ref: 00446132
Part of subcall function 00446070: SetFocus.USER32(00000000), ref: 00446180

Part of subcall function 00445F74: LoadIconA.USER32(00000000,00007F00), ref: 00445F8A

PostMessageA.USER32(?,0000B001,00000000,00000000), ref: 00445BCD

Part of subcall function 00445490: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000213), ref: 004454DE

PostMessageA.USER32(?,0000B000,00000000,00000000), ref: 00445BAB
SendMessageA.USER32(?,?,?,?), ref: 00445C73

Part of subcall function 00405388: FreeLibrary.KERNEL32(00400000,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405410
Part of subcall function 00405388: ExitProcess.KERNEL32(00000000,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405448

Part of subcall function 0044641C: IsWindowEnabled.USER32(00000000), ref: 00446458

IsWindowEnabled.USER32(00000000), ref: 00445D18
IsWindowVisible.USER32(00000000), ref: 00445D2D
GetFocus.USER32 ref: 00445D41
SetFocus.USER32(00000000), ref: 00445D50
SetFocus.USER32(00000000), ref: 00445D6F
IsWindowEnabled.USER32(00000000), ref: 00445DD0
SetFocus.USER32(00000000), ref: 00445DF2
GetLastActivePopup.USER32(?), ref: 00445E0A

Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773

GetFocus.USER32 ref: 00445E4F

Part of subcall function 0043BA80: GetCurrentThreadId.KERNEL32(Function_0003BA1C,00000000,0044283C,00000000,004428BF), ref: 0043BA9A
Part of subcall function 0043BA80: EnumThreadWindows.USER32(00000000,Function_0003BA1C,00000000), ref: 0043BAA0

SetFocus.USER32(00000000), ref: 00445E70

Part of subcall function 00446A88: PostMessageA.USER32(?,0000B01F,00000000,00000000), ref: 00446BA1

Part of subcall function 004466B8: SendMessageA.USER32(?,0000B020,00000001,?), ref: 004466DC

Part of subcall function 0044665C: SendMessageA.USER32(?,0000B020,00000000,?), ref: 0044667E

Part of subcall function 0045D684: SystemParametersInfoA.USER32(00000068,00000000,015E3408,00000000), ref: 0045D6C8
Part of subcall function 0045D684: SendMessageA.USER32(?,?,00000000,00000000), ref: 0045D6DB

Part of subcall function 00445844: DefWindowProcA.USER32(?,?,?,?), ref: 0044586E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004450B4, Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 131 Total matches: 14windowregistry

Similarity

Total matches: 14
API ID: DeleteMenu$GetClassInfoGetSystemMenuRegisterClassSendMessageSetClassLongSetWindowLong
String ID: LPI$PMD
API String ID: 387369179-807424164
Opcode ID: 32fce7ee3e6ac0926511ec3e4f7c98ab685e9b31e2d706daccbfdcda0f6d1d6b
Instruction ID: d56ce0e432135cd6d309e63aa69e29fd16821da0556a9908f65c39b580e9a6e9
Opcode Fuzzy Hash: 5601A6826E8982A2E2E03082381279F408E9F8B745C34A72E50863056EEF4A4178FF06
Instruction Fuzzy Hash: d56ce0e432135cd6d309e63aa69e29fd16821da0556a9908f65c39b580e9a6e9

APIs

Part of subcall function 00421084: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 004210A2

GetClassInfoA.USER32(00400000,00444D50,?), ref: 00445113
RegisterClassA.USER32(004925FC), ref: 0044512B

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

Part of subcall function 0040857C: CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004085BB

SetWindowLongA.USER32(?,000000FC,?), ref: 004451C2
DeleteMenu.USER32(00000000,0000F010,00000000), ref: 00445235

Part of subcall function 00445F74: LoadIconA.USER32(00000000,00007F00), ref: 00445F8A

SendMessageA.USER32(?,00000080,00000001,00000000), ref: 004451E4
SetClassLongA.USER32(?,000000F2,00000000), ref: 004451F7
GetSystemMenu.USER32(?,00000000), ref: 00445202
DeleteMenu.USER32(00000000,0000F030,00000000), ref: 00445211
DeleteMenu.USER32(00000000,0000F000,00000000), ref: 0044521E

Strings

PMD, xrefs: 00445107, 0044519E
LPI, xrefs: 004450DD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045DAE0, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 103 Total matches: 45registrylibraryloader

Similarity

Total matches: 45
API ID: GlobalAddAtom$GetCurrentProcessIdGetCurrentThreadIdGetModuleHandleGetProcAddressRegisterWindowMessage
String ID: AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$USER32
API String ID: 1182141063-1126952177
Opcode ID: f8c647dae10644b7e730f5649d963eb01b1b77fd7d0b633dfddc8baab0ae74fb
Instruction ID: 6dc9b78338348dc7afd8e3f20dad2926db9f0bd5be2625dc934bf3846c6fa984
Opcode Fuzzy Hash: ED0140552F89B147427255E03449BB534B6A707F4B4CA77531B0D3A1F9AE074025FB1E
Instruction Fuzzy Hash: 6dc9b78338348dc7afd8e3f20dad2926db9f0bd5be2625dc934bf3846c6fa984

APIs

GetCurrentProcessId.KERNEL32(?,00000000,0045DC58), ref: 0045DB01
GlobalAddAtomA.KERNEL32(00000000), ref: 0045DB34
GetCurrentThreadId.KERNEL32(?,?,00000000,0045DC58), ref: 0045DB4F
GlobalAddAtomA.KERNEL32(00000000), ref: 0045DB85
RegisterWindowMessageA.USER32(00000000,00000000,?,?,00000000,0045DC58), ref: 0045DB9B

Part of subcall function 00419AB0: InitializeCriticalSection.KERNEL32(004174C8,?,?,0045DBB1,00000000,00000000,?,?,00000000,0045DC58), ref: 00419ACF

Part of subcall function 0045D6E8: SetErrorMode.KERNEL32(00008000), ref: 0045D701
Part of subcall function 0045D6E8: GetModuleHandleA.KERNEL32(USER32,00000000,0045D84E,?,00008000), ref: 0045D725
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,WINNLSEnableIME,USER32,00000000,0045D84E,?,00008000), ref: 0045D732
Part of subcall function 0045D6E8: LoadLibraryA.KERNEL32(imm32.dll), ref: 0045D74E
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D770
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D785
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D79A
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7AF
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7C4
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E), ref: 0045D7D9
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000), ref: 0045D7EE
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext), ref: 0045D803
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext), ref: 0045D818
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmNotifyIME,00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus), ref: 0045D82D
Part of subcall function 0045D6E8: SetErrorMode.KERNEL32(?,0045D855,00008000), ref: 0045D848

Part of subcall function 00443B58: GetKeyboardLayout.USER32(00000000), ref: 00443B9D
Part of subcall function 00443B58: GetDC.USER32(00000000), ref: 00443BF2
Part of subcall function 00443B58: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00443BFC
Part of subcall function 00443B58: ReleaseDC.USER32(00000000,00000000), ref: 00443C07

Part of subcall function 00444D60: LoadIconA.USER32(00400000,MAINICON), ref: 00444E57
Part of subcall function 00444D60: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON), ref: 00444E89
Part of subcall function 00444D60: OemToCharA.USER32(?,?), ref: 00444E9C
Part of subcall function 00444D60: CharNextA.USER32(?), ref: 00444EDB
Part of subcall function 00444D60: CharLowerA.USER32(00000000), ref: 00444EE1

GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,?,00000000,0045DC58), ref: 0045DC1F
GetProcAddress.KERNEL32(00000000,AnimateWindow,USER32,00000000,00000000,?,?,00000000,0045DC58), ref: 0045DC30

Strings

Delphi%.8X, xrefs: 0045DB12
ControlOfs%.8X%.8X, xrefs: 0045DB63
AnimateWindow, xrefs: 0045DC2A
USER32, xrefs: 0045DC1A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444D60, Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 135 Total matches: 14window

Similarity

Total matches: 14
API ID: CharLowerCharNextGetModuleFileNameLoadIconOemToChar
String ID: 08B$0PI$8PI$MAINICON$\tA
API String ID: 1282013903-4242882941
Opcode ID: ff2b085099440c5ca1f97a8a9a6e2422089f81c1f58cd04fd4e646ad6fccc634
Instruction ID: 1a7e1b5cc773515fc1e1ce3387cb9199d5a608ac43a7cc09dd1af1e5a3a2e712
Opcode Fuzzy Hash: 76112C42068596E4E03967743814BC96091FB95F3AEB8AB7156F570BE48F418125F31C
Instruction Fuzzy Hash: 1a7e1b5cc773515fc1e1ce3387cb9199d5a608ac43a7cc09dd1af1e5a3a2e712

APIs

LoadIconA.USER32(00400000,MAINICON), ref: 00444E57

Part of subcall function 0042B29C: GetIconInfo.USER32(?,?), ref: 0042B2BD
Part of subcall function 0042B29C: GetObjectA.GDI32(?,00000018,?), ref: 0042B2DE
Part of subcall function 0042B29C: DeleteObject.GDI32(?), ref: 0042B30A
Part of subcall function 0042B29C: DeleteObject.GDI32(?), ref: 0042B313

GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON), ref: 00444E89
OemToCharA.USER32(?,?), ref: 00444E9C
CharNextA.USER32(?), ref: 00444EDB
CharLowerA.USER32(00000000), ref: 00444EE1

Part of subcall function 00421140: GetClassInfoA.USER32(00400000,00421130,?), ref: 00421161
Part of subcall function 00421140: UnregisterClassA.USER32(00421130,00400000), ref: 0042118A
Part of subcall function 00421140: RegisterClassA.USER32(00491B50), ref: 00421194
Part of subcall function 00421140: SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 004211DF

Part of subcall function 004450B4: GetClassInfoA.USER32(00400000,00444D50,?), ref: 00445113
Part of subcall function 004450B4: RegisterClassA.USER32(004925FC), ref: 0044512B
Part of subcall function 004450B4: SetWindowLongA.USER32(?,000000FC,?), ref: 004451C2
Part of subcall function 004450B4: SendMessageA.USER32(?,00000080,00000001,00000000), ref: 004451E4
Part of subcall function 004450B4: SetClassLongA.USER32(?,000000F2,00000000), ref: 004451F7
Part of subcall function 004450B4: GetSystemMenu.USER32(?,00000000), ref: 00445202
Part of subcall function 004450B4: DeleteMenu.USER32(00000000,0000F030,00000000), ref: 00445211
Part of subcall function 004450B4: DeleteMenu.USER32(00000000,0000F000,00000000), ref: 0044521E
Part of subcall function 004450B4: DeleteMenu.USER32(00000000,0000F010,00000000), ref: 00445235

Strings

MAINICON, xrefs: 00444E4A
08B, xrefs: 00444E38
0PI, xrefs: 00444E4F, 00444E81
8PI, xrefs: 00444F14
\tA, xrefs: 00444DBF, 00444DD1, 00444DE3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00481318, Relevance: 16.0, APIs: 2, Strings: 7, Instructions: 241 Total matches: 16thread

Similarity

Total matches: 16
API ID: CreateThreadExitThread
String ID: Bytes ($,xI$:: $:: Clipboard Change : size = $FTPSIZE$FTPUPLOADK$dclogs\
API String ID: 3550501405-4171340091
Opcode ID: 09ac825b311b0dae764bb850de313dcff2ce8638679eaf641d47129c8347c1b6
Instruction ID: 18a29a8180aa3c51a0af157095e3a2943ba53103427a66675ab0ae847ae08d92
Opcode Fuzzy Hash: A8315BC70B99DEDBE522BCD838413A6446E1B4364DD4C1B224B397D4F14F09203AF712
Instruction Fuzzy Hash: 18a29a8180aa3c51a0af157095e3a2943ba53103427a66675ab0ae847ae08d92

APIs

ExitThread.KERNEL32(00000000,00000000,00481687,?,00000000,004816C3,?,?,?,?,0000000C,00000000,00000000), ref: 0048135E

Part of subcall function 00480F70: GetForegroundWindow.USER32 ref: 00480F8F
Part of subcall function 00480F70: GetWindowTextLengthA.USER32(00000000), ref: 00480F9B
Part of subcall function 00480F70: GetWindowTextA.USER32(00000000,00000000,00000001), ref: 00480FB8

Part of subcall function 0048ADCC: SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0048ADF9
Part of subcall function 0048ADCC: SHGetPathFromIDListA.SHELL32(?,?,00000000,0048AE8C,?,?,00000005,?,004856FD,00000000,00485755,?,?,00000005,00000000,00000000), ref: 0048AE09

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

Part of subcall function 0040BCC4: GetLocalTime.KERNEL32(?), ref: 0040BCCC

Part of subcall function 00480FEC: FindFirstFileA.KERNEL32(00000000,?,00000000,0048109E), ref: 0048101E

CreateThread.KERNEL32(00000000,00000000,Function_000810D4,00000000,00000000,00499F94), ref: 0048162D

Strings

FTPUPLOADK, xrefs: 0048159E
,xI, xrefs: 00481482, 0048151D
dclogs\, xrefs: 004813DB, 0048142A, 004815C7
FTPSIZE, xrefs: 004815F1
:: , xrefs: 00481492
Bytes (, xrefs: 0048153F
:: Clipboard Change : size = , xrefs: 0048152D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048B908, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 138 Total matches: 28

Similarity

Total matches: 28
API ID: GetTokenInformation$CloseHandleGetCurrentProcessOpenProcessToken
String ID: Default$Full$Limited$unknow
API String ID: 3519712506-3005279702
Opcode ID: c9e83fe5ef618880897256b557ce500f1bf5ac68e7136ff2dc4328b35d11ffd0
Instruction ID: 0b4c06dab34d27ad9d68d80be0f4d698db9405c4a95def130c1ac261927f5781
Opcode Fuzzy Hash: 94012245479DA6FB6826709C78036E90090EEA3505DC827320F1A3EA430F49906DFE03
Instruction Fuzzy Hash: 0b4c06dab34d27ad9d68d80be0f4d698db9405c4a95def130c1ac261927f5781

APIs

GetCurrentProcess.KERNEL32(00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B93E
OpenProcessToken.ADVAPI32(00000000,00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B944
GetTokenInformation.ADVAPI32(?,00000012(TokenIntegrityLevel),?,00000004,?,00000000,0048BA30,?,00000000,00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B96F
GetTokenInformation.ADVAPI32(?,00000014(TokenIntegrityLevel),?,00000004,?,?,TokenIntegrityLevel,?,00000004,?,00000000,0048BA30,?,00000000,00000008,?), ref: 0048B9DF
CloseHandle.KERNEL32(?), ref: 0048BA2A

Strings

unknow, xrefs: 0048B9B6
Limited, xrefs: 0048B9A7
Default, xrefs: 0048B989
Full, xrefs: 0048B998

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004035C4, Relevance: 15.1, APIs: 10, Instructions: 129 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: d538ecb20819965be69077a828496b76d5af3486dd71f6717b9dc933de35fdbc
Instruction ID: c976212507a0127e09b4f1878ff8970bdbefa7b4a5e526d5fabf74a192684bc9
Opcode Fuzzy Hash: DD012BC0B7E89268E42FAB84AA00FD25444979FFC9E70C74433C9615EE6742616CBE09
Instruction Fuzzy Hash: c976212507a0127e09b4f1878ff8970bdbefa7b4a5e526d5fabf74a192684bc9

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040364C
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00403670
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040368C
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 004036AD
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 004036D6
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 004036E4
GetStdHandle.KERNEL32(000000F5), ref: 0040371F
GetFileType.KERNEL32 ref: 00403735
CloseHandle.KERNEL32 ref: 00403750
GetLastError.KERNEL32(000000F5), ref: 00403768

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040EBCC, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201 Total matches: 3634thread

Similarity

Total matches: 3634
API ID: GetThreadLocale
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 1366207816-2493093252
Opcode ID: 01a36ac411dc2f0c4b9eddfafa1dc6121dabec367388c2cb1b6e664117e908cf
Instruction ID: d03f869ccb848d3c28b0e9f5c57a02ed4726818649ba9b5e70cc30c7e7abe10a
Opcode Fuzzy Hash: 7E216E09A7888936D262494C3885B9414F75F1A161EC4CBF18BB2757ED6EC60422FBFB
Instruction Fuzzy Hash: d03f869ccb848d3c28b0e9f5c57a02ed4726818649ba9b5e70cc30c7e7abe10a

APIs

Part of subcall function 0040EB08: GetThreadLocale.KERNEL32 ref: 0040EB2A
Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000004A), ref: 0040EB7D
Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000002A), ref: 0040EB8C

Part of subcall function 0040D3E8: GetThreadLocale.KERNEL32(00000000,0040D4FB,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040D404

GetThreadLocale.KERNEL32(00000000,0040EE97,?,?,00000000,00000000), ref: 0040EC02

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Part of subcall function 0040D380: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040EC7E,00000000,0040EE97,?,?,00000000,00000000), ref: 0040D393

Part of subcall function 0040D670: GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(?,00000000,0040D657,?,?,00000000), ref: 0040D5D8
Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040D657,?,?,00000000), ref: 0040D608
Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D50C,00000000,00000000,00000004), ref: 0040D613
Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040D657,?,?,00000000), ref: 0040D631
Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D548,00000000,00000000,00000003), ref: 0040D63C

Strings

AMPM , xrefs: 0040EE25
mmmm d, yyyy, xrefs: 0040ECFE
m/d/yy, xrefs: 0040ECD1
:mm, xrefs: 0040EE35
:mm:ss, xrefs: 0040EE52
AMPM, xrefs: 0040EE16

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045F5F8, Relevance: 10.6, APIs: 7, Instructions: 117 Total matches: 462file

Similarity

Total matches: 462
API ID: CloseHandle$CreateFileCreateFileMappingGetFileSizeMapViewOfFileUnmapViewOfFile
String ID:
API String ID: 4232242029-0
Opcode ID: 30b260463d44c6b5450ee73c488d4c98762007a87f67d167b52aaf6bd441c3bf
Instruction ID: 5c790fdba87d6d3a28b45298bdc34f72c373fcd78425af207109af52e92f4d8f
Opcode Fuzzy Hash: 68F028440BCCF3A7F4B5B64820427A1004AAB46B58D54BFA25495374CB89C9B04DFB53
Instruction Fuzzy Hash: 5c790fdba87d6d3a28b45298bdc34f72c373fcd78425af207109af52e92f4d8f

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateFileA.KERNEL32(00000000,80000000,00000003,00000000,00000003,08000080,00000000), ref: 0045F637
CreateFileMappingA.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0045F665
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718,?,?,?,?), ref: 0045F691
GetFileSize.KERNEL32(000000FF,00000000,00000000,0045F6DC,?,00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718), ref: 0045F6B3
UnmapViewOfFile.KERNEL32(00000000,0045F6E3,0045F6DC,?,00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718), ref: 0045F6D6
CloseHandle.KERNEL32(00000000), ref: 0045F6F4
CloseHandle.KERNEL32(000000FF), ref: 0045F712

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AFE8, Relevance: 10.6, APIs: 7, Instructions: 94 Total matches: 34sleep

Similarity

Total matches: 34
API ID: Sleep$GetCurrentProcessGetTokenInformationLookupPrivilegeDisplayNameLookupPrivilegeNameOpenProcessToken
String ID:
API String ID: 2949210484-0
Opcode ID: 1294ace95088db967643d611283e857756515b83d680ef470e886f47612abab4
Instruction ID: 080af5cb768fd98714a9d060fcd45c73de1816ca9ba7ffb4874f351f539571ee
Opcode Fuzzy Hash: F9F0F6524B5DE753F65D2A4C9893BE90250DB03424E806B22857877A8A5E195039FA2A
Instruction Fuzzy Hash: 080af5cb768fd98714a9d060fcd45c73de1816ca9ba7ffb4874f351f539571ee

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048B0F3), ref: 0048B016
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048B0F3), ref: 0048B01C
Sleep.KERNEL32(00000001,00000000,00000028,?,00000000,0048B0F3), ref: 0048B027
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B03C
Sleep.KERNEL32(00000001,?,TokenIntegrityLevel,00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B047
LookupPrivilegeNameA.ADVAPI32(00000000,00000004,00000000,000000FF), ref: 0048B094
LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,?,000000FF,?), ref: 0048B0A8

Part of subcall function 0048AEA8: GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AEFF
Part of subcall function 0048AEA8: OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF05
Part of subcall function 0048AEA8: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
Part of subcall function 0048AEA8: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000), ref: 0048AF77
Part of subcall function 0048AEA8: CloseHandle.KERNEL32(?), ref: 0048AF8D
Part of subcall function 0048AEA8: GetLastError.KERNEL32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF9A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048F888, Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 110 Total matches: 18

Similarity

Total matches: 18
API ID: CoInitialize
String ID: .dcp$DCDATA$GENCODE$MPI$NETDATA
API String ID: 2346599605-3060965071
Opcode ID: 5b2698c0d83cdaee763fcf6fdf8d4463e192853437356cece5346bd183c87f4d
Instruction ID: bf1364519f653df7cd18a9a38ec8bfca38719d83700d8c9dcdc44dde4d16a583
Opcode Fuzzy Hash: 990190478FEEC01AF2139D64387B7C100994F53F55E840B9B557D3E5A08947502BB705
Instruction Fuzzy Hash: bf1364519f653df7cd18a9a38ec8bfca38719d83700d8c9dcdc44dde4d16a583

APIs

Part of subcall function 004076D4: GetModuleHandleA.KERNEL32(00000000,?,0048F8A5,?,?,?,0000002F,00000000,00000000), ref: 004076E0

CoInitialize.OLE32(00000000), ref: 0048F8B5

Part of subcall function 0048AFE8: GetCurrentProcess.KERNEL32(00000028,?,00000000,0048B0F3), ref: 0048B016
Part of subcall function 0048AFE8: OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048B0F3), ref: 0048B01C
Part of subcall function 0048AFE8: Sleep.KERNEL32(00000001,00000000,00000028,?,00000000,0048B0F3), ref: 0048B027
Part of subcall function 0048AFE8: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B03C
Part of subcall function 0048AFE8: Sleep.KERNEL32(00000001,?,TokenIntegrityLevel,00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B047
Part of subcall function 0048AFE8: LookupPrivilegeNameA.ADVAPI32(00000000,00000004,00000000,000000FF), ref: 0048B094
Part of subcall function 0048AFE8: LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,?,000000FF,?), ref: 0048B0A8

Part of subcall function 0040F234: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0048F90F,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040F24B

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

Strings

.dcp, xrefs: 0048F92D, 0048F989
DCDATA, xrefs: 0048F8E9
NETDATA, xrefs: 0048F9B6
MPI, xrefs: 0048F8BA
GENCODE, xrefs: 0048F920, 0048F97C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B47C, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58 Total matches: 283

Similarity

Total matches: 283
API ID: MulDiv
String ID: MS Shell Dlg 2$SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes$Tahoma
API String ID: 940359406-1011973972
Opcode ID: 9f338f1e3de2c8e95426f3758bdd42744a67dcd51be80453ed6f2017c850a3af
Instruction ID: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a
Opcode Fuzzy Hash: EDE0680017C8F0ABFC32BC8A30A17CD20C9F341270C0063B1065D3D8CAAB4AC018E907
Instruction Fuzzy Hash: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a

APIs

MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0042B4A2

Part of subcall function 004217A0: RegCloseKey.ADVAPI32(10940000,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5,?,00000000,0048B2DD), ref: 004217B4

Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421A81
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421AF1
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?), ref: 00421B5C

Part of subcall function 00421770: RegFlushKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 00421781
Part of subcall function 00421770: RegCloseKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 0042178A

Part of subcall function 0042B438: GetDC.USER32(00000000), ref: 0042B441
Part of subcall function 0042B438: SelectObject.GDI32(00000000,018A002E), ref: 0042B453
Part of subcall function 0042B438: GetTextMetricsA.GDI32(00000000), ref: 0042B45E
Part of subcall function 0042B438: ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes, xrefs: 0042B4F8
MS Shell Dlg 2, xrefs: 0042B50C
Tahoma, xrefs: 0042B4C4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00480F70, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43 Total matches: 13

Similarity

Total matches: 13
API ID: GetForegroundWindowGetWindowTextGetWindowTextLength
String ID: 3 H
API String ID: 3098183346-888106971
Opcode ID: 38df64794ac19d1a41c58ddb3103a8d6ab7d810f67298610b47d21a238081d5e
Instruction ID: fd1deb06fecc2756381cd848e34cdb6bc2d530e728f99936ce181bacb4a15fce
Opcode Fuzzy Hash: 41D0A785074A821B944A95CC64011E692D4A171281D803B31CB257A5C9ED06001FA82B
Instruction Fuzzy Hash: fd1deb06fecc2756381cd848e34cdb6bc2d530e728f99936ce181bacb4a15fce

APIs

GetForegroundWindow.USER32 ref: 00480F8F
GetWindowTextLengthA.USER32(00000000), ref: 00480F9B
GetWindowTextA.USER32(00000000,00000000,00000001), ref: 00480FB8

Strings

3 H, xrefs: 00480FD4, 00480FA3, 00480FAE, 00480FBF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00421140, Relevance: 6.1, APIs: 4, Instructions: 59 Total matches: 2877registry

Similarity

Total matches: 2877
API ID: GetClassInfoRegisterClassSetWindowLongUnregisterClass
String ID:
API String ID: 1046148194-0
Opcode ID: c2411987b4f71cfd8dbf515c505d6b009a951c89100e7b51cc1a9ad4868d85a2
Instruction ID: ad09bb2cd35af243c34bf0a983bbfa5e937b059beb8f7eacfcf21e0321a204f6
Opcode Fuzzy Hash: 17E026123D08D3D6E68B3107302B30D00AC1B2F524D94E725428030310CB24B034D942
Instruction Fuzzy Hash: ad09bb2cd35af243c34bf0a983bbfa5e937b059beb8f7eacfcf21e0321a204f6

APIs

GetClassInfoA.USER32(00400000,00421130,?), ref: 00421161
UnregisterClassA.USER32(00421130,00400000), ref: 0042118A
RegisterClassA.USER32(00491B50), ref: 00421194

Part of subcall function 0040857C: CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004085BB

Part of subcall function 00421084: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 004210A2

SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 004211DF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00421808, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74 Total matches: 14registry

Similarity

Total matches: 14
API ID: RegCloseKeyRegCreateKeyEx
String ID: ddA
API String ID: 4178925417-2966775115
Opcode ID: 48d059bb8e84bc3192dc11d099b9e0818b120cb04e32a6abfd9049538a466001
Instruction ID: bcac8fa413c5abe8057b39d2fbf4054ffa52545f664d92bf1e259ce37bb87d2b
Opcode Fuzzy Hash: 99E0E5461A86A377B41BB1583001B523267EB167A6C85AB72164D3EADBAA40802DAE53
Instruction Fuzzy Hash: bcac8fa413c5abe8057b39d2fbf4054ffa52545f664d92bf1e259ce37bb87d2b

APIs

RegCreateKeyExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,000F003F,00000000,?,?,00000000,004218D4,?,?,?,00000000), ref: 0042187F
RegCloseKey.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,000F003F,00000000,?,?,00000000,004218D4,?,?,?,00000000), ref: 00421893

Strings

ddA, xrefs: 004218A7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486374, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66 Total matches: 15network

Similarity

Total matches: 15
API ID: send
String ID: #KEEPALIVE#$AI
API String ID: 2809346765-3407633610
Opcode ID: 7bd268bc54a74c8d262fb2d4f92eedc3231c4863c0e0b1ad2c3d318767d32110
Instruction ID: 49a0c3b4463e99ba8d4a2c6ba6a42864ce88c18c059a57f1afd8745127692009
Opcode Fuzzy Hash: 34E068800B79C40B586BB094394371320D2EE1171988473305F003F967CD40501E2E93
Instruction Fuzzy Hash: 49a0c3b4463e99ba8d4a2c6ba6a42864ce88c18c059a57f1afd8745127692009

APIs

send.WSOCK32(?,?,?,00000000,00000000,0048642A), ref: 004863F3

Strings

AI, xrefs: 004863A6
#KEEPALIVE#, xrefs: 00486399

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DD0C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51 Total matches: 15

Similarity

Total matches: 15
API ID: GlobalMemoryStatus
String ID: $%d%
API String ID: 1890195054-1553997471
Opcode ID: b93ee82e74eb3fdc7cf13e02b5efcaa0aef25b4b863b00f7ccdd0b9efdff76e6
Instruction ID: fe5533f6b2d125ff6ee6e2ff500c73019a28ed325643b914abb945f4eac8f20d
Opcode Fuzzy Hash: 64D05BD70F99F457A5A1718E3452FA400956F036D9CC83BB349946E99F071F80ACF612
Instruction Fuzzy Hash: fe5533f6b2d125ff6ee6e2ff500c73019a28ed325643b914abb945f4eac8f20d

APIs

GlobalMemoryStatus.KERNEL32(00000020), ref: 0048DD44

Strings

%d%, xrefs: 0048DD5C
, xrefs: 0048DD39

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482028, Relevance: 4.5, APIs: 3, Instructions: 19 Total matches: 124window

Similarity

Total matches: 124
API ID: DispatchMessageGetMessageTranslateMessage
String ID:
API String ID: 238847732-0
Opcode ID: 2bc29e822e5a19ca43f9056ef731e5d255ca23f22894fa6ffe39914f176e67d0
Instruction ID: 3635f244085e73605198e4edd337f824154064b4cabe78c039b45d2f1f3269be
Opcode Fuzzy Hash: A9B0120F8141E01F254D19651413380B5D379C3120E515B604E2340284D19031C97C49
Instruction Fuzzy Hash: 3635f244085e73605198e4edd337f824154064b4cabe78c039b45d2f1f3269be

APIs

Part of subcall function 00481ED8: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00482007,?,?,00000003,00000000,00000000,?,00482033), ref: 00481EFB
Part of subcall function 00481ED8: SetWindowsHookExA.USER32(0000000D,004818F8,00000000,00000000), ref: 00481F09

TranslateMessage.USER32 ref: 00482036
DispatchMessageA.USER32 ref: 0048203C
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00482048

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C91C, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 75 Total matches: 20

Similarity

Total matches: 20
API ID: GetVolumeInformation
String ID: %.4x:%.4x
API String ID: 1114431059-3532927987
Opcode ID: 208ca3ebf28c5cea15b573a569a7b8c9d147c1ff64dfac4d15af7b461a718bc8
Instruction ID: 4ae5e3aba91ec141201c4859cc19818ff8a02ee484ece83311eb3b9305c11bcf
Opcode Fuzzy Hash: F8E0E5410AC961EBB4D3F0883543BA2319593A3289C807B73B7467FDD64F05505DD847
Instruction Fuzzy Hash: 4ae5e3aba91ec141201c4859cc19818ff8a02ee484ece83311eb3b9305c11bcf

APIs

GetVolumeInformationA.KERNEL32(00000000,00000000,00000104,?,?,?,00000000,00000104), ref: 0048C974

Strings

%.4x:%.4x, xrefs: 0048C9B9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004221F0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47 Total matches: 18registry

Similarity

Total matches: 18
API ID: RegQueryValueEx
String ID: ldA
API String ID: 3865029661-3200660723
Opcode ID: ec304090a766059ca8447c7e950ba422bbcd8eaba57a730efadba48c404323b5
Instruction ID: 1bfdbd06430122471a07604155f074e1564294130eb9d59a974828bfc3ff2ca5
Opcode Fuzzy Hash: 87D05E281E48858525DA74D93101B522241E7193938CC3F618A4C976EB6900F018EE0F
Instruction Fuzzy Hash: 1bfdbd06430122471a07604155f074e1564294130eb9d59a974828bfc3ff2ca5

APIs

RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000), ref: 0042221B

Strings

ldA, xrefs: 00422231

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00421F68, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36 Total matches: 12registry

Similarity

Total matches: 12
API ID: RegQueryValueEx
String ID: n"B
API String ID: 3865029661-2187876772
Opcode ID: 26fd4214dafc6fead50bf7e0389a84ae86561299910b3c40f1938d96c80dcc37
Instruction ID: ad829994a2409f232093606efc953ae9cd3a3a4e40ce86781ec441e637d7f613
Opcode Fuzzy Hash: A2C08C4DAA204AD6E1B42500D481F0827816B633B9D826F400162222E3BA009A9FE85C
Instruction Fuzzy Hash: ad829994a2409f232093606efc953ae9cd3a3a4e40ce86781ec441e637d7f613

APIs

RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,00000000,n"B,?,?,?,?,00000000,0042226E), ref: 00421F9A

Strings

n"B, xrefs: 00421F81, 00421F84

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Similar Non-Executed Functions

Function 0048B42C, Relevance: 70.2, APIs: 32, Strings: 8, Instructions: 219 Total matches: 29keyboard

Similarity

Total matches: 29
API ID: keybd_event
String ID: CTRLA$CTRLC$CTRLF$CTRLP$CTRLV$CTRLX$CTRLY$CTRLZ
API String ID: 2665452162-853614746
Opcode ID: 4def22f753c7f563c1d721fcc218f3f6eb664e5370ee48361dbc989d32d74133
Instruction ID: 963b610819eac8b52ef880b5a8b69d76f76adbdeafee6c47af906d1515d6b099
Opcode Fuzzy Hash: 532196951B0CA2B978DA64817C0E195F00B969B34DEDC13128990DAF788EF08DE03F35
Instruction Fuzzy Hash: 963b610819eac8b52ef880b5a8b69d76f76adbdeafee6c47af906d1515d6b099

APIs

keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B460
keybd_event.USER32(00000041,00000045,00000001,00000000), ref: 0048B46D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B47A
keybd_event.USER32(00000041,00000045,00000003,00000000), ref: 0048B487
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B4A8
keybd_event.USER32(00000056,00000045,00000001,00000000), ref: 0048B4B5
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B4C2
keybd_event.USER32(00000056,00000045,00000003,00000000), ref: 0048B4CF
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B4F0
keybd_event.USER32(00000043,00000045,00000001,00000000), ref: 0048B4FD
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B50A
keybd_event.USER32(00000043,00000045,00000003,00000000), ref: 0048B517
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B538
keybd_event.USER32(00000058,00000045,00000001,00000000), ref: 0048B545
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B552
keybd_event.USER32(00000058,00000045,00000003,00000000), ref: 0048B55F
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B580
keybd_event.USER32(00000050,00000045,00000001,00000000), ref: 0048B58D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B59A
keybd_event.USER32(00000050,00000045,00000003,00000000), ref: 0048B5A7
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B5C8
keybd_event.USER32(0000005A,00000045,00000001,00000000), ref: 0048B5D5
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B5E2
keybd_event.USER32(0000005A,00000045,00000003,00000000), ref: 0048B5EF
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B610
keybd_event.USER32(00000059,00000045,00000001,00000000), ref: 0048B61D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B62A
keybd_event.USER32(00000059,00000045,00000003,00000000), ref: 0048B637
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B655
keybd_event.USER32(00000046,00000045,00000001,00000000), ref: 0048B662
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B66F
keybd_event.USER32(00000046,00000045,00000003,00000000), ref: 0048B67C

Strings

CTRLP, xrefs: 0048B56C
CTRLC, xrefs: 0048B4DC
CTRLV, xrefs: 0048B494
CTRLY, xrefs: 0048B5FC
CTRLF, xrefs: 0048B641
CTRLZ, xrefs: 0048B5B4
CTRLX, xrefs: 0048B524
CTRLA, xrefs: 0048B44C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00460AC0, Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99 Total matches: 300libraryloader

Similarity

Total matches: 300
API ID: GetProcAddress$GetModuleHandle
String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$[FILE]
API String ID: 1039376941-2682310058
Opcode ID: f09c306a48b0de2dd47c8210d3bd2ba449cfa3644c05cf78ba5a2ace6c780295
Instruction ID: bcfc9cd07546656776842482fc67dab96c7523a4dc8624f3bf5282ed84c56a54
Opcode Fuzzy Hash: 950151BF00AC158CCBB0CE8834EFB5324AB398984C4225F4495C6312393D9FF50A1AAA
Instruction Fuzzy Hash: bcfc9cd07546656776842482fc67dab96c7523a4dc8624f3bf5282ed84c56a54

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?,?,?), ref: 00460AD4
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?,?,?), ref: 00460AEC
GetProcAddress.KERNEL32(00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?), ref: 00460AFE
GetProcAddress.KERNEL32(00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E), ref: 00460B10
GetProcAddress.KERNEL32(00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5), ref: 00460B22
GetProcAddress.KERNEL32(00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5), ref: 00460B34
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000), ref: 00460B46
GetProcAddress.KERNEL32(00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002), ref: 00460B58
GetProcAddress.KERNEL32(00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot), ref: 00460B6A
GetProcAddress.KERNEL32(00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst), ref: 00460B7C
GetProcAddress.KERNEL32(00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext), ref: 00460B8E
GetProcAddress.KERNEL32(00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First), ref: 00460BA0
GetProcAddress.KERNEL32(00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next), ref: 00460BB2
GetProcAddress.KERNEL32(00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory), ref: 00460BC4
GetProcAddress.KERNEL32(00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First), ref: 00460BD6
GetProcAddress.KERNEL32(00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next), ref: 00460BE8
GetProcAddress.KERNEL32(00000000,Module32NextW,00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW), ref: 00460BFA

Strings

Toolhelp32ReadProcessMemory, xrefs: 00460B3E
CreateToolhelp32Snapshot, xrefs: 00460AE4
Heap32First, xrefs: 00460B1A
Thread32First, xrefs: 00460B98
Module32First, xrefs: 00460BBC
Process32FirstW, xrefs: 00460B74
Heap32Next, xrefs: 00460B2C
Process32First, xrefs: 00460B50
Module32Next, xrefs: 00460BCE
Module32NextW, xrefs: 00460BF2
Heap32ListFirst, xrefs: 00460AF6
Thread32Next, xrefs: 00460BAA
Module32FirstW, xrefs: 00460BE0
Heap32ListNext, xrefs: 00460B08
Process32NextW, xrefs: 00460B86
kernel32.dll, xrefs: 00460ACF
Process32Next, xrefs: 00460B62

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428B08, Relevance: 48.5, APIs: 32, Instructions: 500 Total matches: 1987window

Similarity

Total matches: 1987
API ID: SelectObject$SelectPalette$CreateCompatibleDCGetDIBitsGetDeviceCapsRealizePaletteSetBkColorSetTextColor$BitBltCreateBitmapCreateCompatibleBitmapCreateDIBSectionDeleteDCFillRectGetDCGetDIBColorTableGetObjectPatBltSetDIBColorTable
String ID:
API String ID: 3042800676-0
Opcode ID: b8b687cee1c9a2d9d2f26bc490dbdcc6ec68fc2f2ec1aa58312beb2e349b1411
Instruction ID: ff68489d249ea03a763d48795c58495ac11dd1cccf96ec934182865f2a9e2114
Opcode Fuzzy Hash: E051494D0D8CF5C7B4BF29880993F5211816F83A27D2AB7130975677FB8A05A05BF21D
Instruction Fuzzy Hash: ff68489d249ea03a763d48795c58495ac11dd1cccf96ec934182865f2a9e2114

APIs

GetObjectA.GDI32(00000000,00000054,?), ref: 00428B88
GetDC.USER32(00000000), ref: 00428B99
CreateCompatibleDC.GDI32(00000000), ref: 00428BAA
CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 00428BF6
CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 00428C1A
GetDeviceCaps.GDI32(00000028,0000000C), ref: 00428C6A
GetDeviceCaps.GDI32(00000028,0000000E), ref: 00428C77
SelectObject.GDI32(?,?), ref: 00428D7F

Part of subcall function 004262B4: GetObjectA.GDI32(?,00000004), ref: 004262CB
Part of subcall function 004262B4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 004262EE

SelectObject.GDI32(?,00000000), ref: 00428D21
GetDIBColorTable.GDI32(?,00000000,00000100,-00000027), ref: 00428D47
GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428D72
CreateDIBSection.GDI32(00000028,00000001,00000000,00000003,00000000,00000000), ref: 00428DD5
GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428E36

Part of subcall function 00425A70: GetLastError.KERNEL32(00000000,00425B0C), ref: 00425A90
Part of subcall function 00425A70: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00425B0C), ref: 00425AB6

SelectObject.GDI32(?,?), ref: 00428E77
SelectPalette.GDI32(?,00000000,00000000), ref: 00428EB7
RealizePalette.GDI32(?), ref: 00428EC3
SelectPalette.GDI32(?,?,000000FF), ref: 004290CE

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?,00000000), ref: 00428F14
SetTextColor.GDI32(?,00000000), ref: 00428F2C
SetBkColor.GDI32(?,00000000), ref: 00428F46
SetDIBColorTable.GDI32(?,00000000,00000002,?), ref: 00428F8E
PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 00428FB0
CreateCompatibleDC.GDI32(00000028), ref: 00428FC3
SelectObject.GDI32(?,00000000), ref: 00428FE6
SelectPalette.GDI32(?,00000000,00000000), ref: 00429002
RealizePalette.GDI32(?), ref: 0042900D
DeleteDC.GDI32(?), ref: 004290A4

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetTextColor.GDI32(?,00000000), ref: 0042902B
SetBkColor.GDI32(?,00000000), ref: 00429045
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042906D
SelectPalette.GDI32(?,00000000,000000FF), ref: 0042907F
SelectObject.GDI32(?,00000000), ref: 00429089

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047FA8C, Relevance: 44.0, APIs: 24, Strings: 1, Instructions: 241 Total matches: 15networkwindow

Similarity

Total matches: 15
API ID: GetDeviceCaps$recv$DeleteObjectSelectObject$BitBltCreateCompatibleBitmapCreateCompatibleDCGetDCReleaseDCclosesocketconnectgethostbynameinet_addrntohssendshutdownsocket
String ID: THUMB
API String ID: 1930283203-3798143851
Opcode ID: 678904e15847db7bac48336b7cf5e320d4a41031a0bc1ba33978a791cdb2d37c
Instruction ID: a6e5d2826a1bfadec34d698d0b396fa74616cd31ac2933a690057ec4ea65ec21
Opcode Fuzzy Hash: A331F900078DE76BF6722B402983F571157FF42A21E6997A34BB4676C75FC0640EB60B
Instruction Fuzzy Hash: a6e5d2826a1bfadec34d698d0b396fa74616cd31ac2933a690057ec4ea65ec21

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,0047FD80), ref: 0047FACB
ntohs.WSOCK32(00000774), ref: 0047FAEF
inet_addr.WSOCK32(015EAA88,00000774), ref: 0047FB03
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 0047FB1B
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 0047FB42
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047FB59

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047FBA9
GetDC.USER32(00000000), ref: 0047FBE3
CreateCompatibleDC.GDI32(?), ref: 0047FBEF
GetDeviceCaps.GDI32(?,0000000A), ref: 0047FBFD
GetDeviceCaps.GDI32(?,00000008), ref: 0047FC09
CreateCompatibleBitmap.GDI32(?,00000000,?), ref: 0047FC13
SelectObject.GDI32(?,?), ref: 0047FC23
GetDeviceCaps.GDI32(?,0000000A), ref: 0047FC3E
GetDeviceCaps.GDI32(?,00000008), ref: 0047FC4A
BitBlt.GDI32(?,00000000,00000000,00000000,?,00000008,00000000,?,0000000A), ref: 0047FC58
send.WSOCK32(000000FF,?,00000000,00000000,?,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010), ref: 0047FCCD
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00000000,00000000,?,000000FF,?,00002000,00000000,000000FF,?,00002000), ref: 0047FCE4
SelectObject.GDI32(?,?), ref: 0047FD08
DeleteObject.GDI32(?), ref: 0047FD11
DeleteObject.GDI32(?), ref: 0047FD1A
ReleaseDC.USER32(00000000,?), ref: 0047FD25
shutdown.WSOCK32(000000FF,00000002,00000002,00000001,00000000,00000000,0047FD80), ref: 0047FD54
closesocket.WSOCK32(000000FF,000000FF,00000002,00000002,00000001,00000000,00000000,0047FD80), ref: 0047FD5D

Strings

THUMB, xrefs: 0047FB7F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486918, Relevance: 40.8, APIs: 27, Instructions: 343 Total matches: 14networksleep

Similarity

Total matches: 14
API ID: send$recv$closesocket$Sleepconnectgethostbynamegetsocknamentohsselectsocket
String ID:
API String ID: 2478304679-0
Opcode ID: 4d87a5330adf901161e92fb1ca319a93a9e59af002049e08fc24e9f18237b9f5
Instruction ID: e3ab2fee1e4498134b0ab76971bb2098cdaeb743d0e54aa66642cb2787f17742
Opcode Fuzzy Hash: 8F5159466792D79EF5A21F00640279192F68B03F25F05DB72D63A393D8CEC4009EBF08
Instruction Fuzzy Hash: e3ab2fee1e4498134b0ab76971bb2098cdaeb743d0e54aa66642cb2787f17742

APIs

recv.WSOCK32(?,?,00000002,00000002,00000000,00486E16), ref: 00486971
recv.WSOCK32(?,00000005,?,00000000), ref: 004869A0
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 004869EE
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486A0B
recv.WSOCK32(?,?,00000259,00000000,?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486A1F
send.WSOCK32(?,00000001,00000002,00000000), ref: 00486A9E
send.WSOCK32(?,00000001,00000002,00000000), ref: 00486ABB
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486AE8
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486B02
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486B2B
recv.WSOCK32(?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486B41
recv.WSOCK32(?,?,0000000C,00000000,?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486B7C
recv.WSOCK32(?,?,?,00000000,?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486BD9
gethostbyname.WSOCK32(00000000,?,?,?,00000000,?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486BFF
ntohs.WSOCK32(?,00000000,?,?,?,00000000,?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486C29
socket.WSOCK32(00000002,00000001,00000000), ref: 00486C44
connect.WSOCK32(00000000,00000002,00000010,00000002,00000001,00000000), ref: 00486C55
getsockname.WSOCK32(00000000,?,00000010,00000000,00000002,00000010,00000002,00000001,00000000), ref: 00486CA8
send.WSOCK32(?,00000005,0000000A,00000000,00000000,?,00000010,00000000,00000002,00000010,00000002,00000001,00000000), ref: 00486CDD
select.WSOCK32(00000000,?,00000000,00000000,00000000,?,00000005,0000000A,00000000,00000000,?,00000010,00000000,00000002,00000010,00000002), ref: 00486D1D
Sleep.KERNEL32(00000096,00000000,?,00000000,00000000,00000000,?,00000005,0000000A,00000000,00000000,?,00000010,00000000,00000002,00000010), ref: 00486DCA

Part of subcall function 00408710: __WSAFDIsSet.WSOCK32(00000000,?,00000000,?,00486D36,00000000,?,00000000,00000000,00000000,00000096,00000000,?,00000000,00000000,00000000), ref: 00408718

recv.WSOCK32(00000000,?,00001000,00000000,00000000,?,00000000,00000000,00000000,00000096,00000000,?,00000000,00000000,00000000,?), ref: 00486D5B
send.WSOCK32(?,?,00000000,00000000,00000000,?,00001000,00000000,00000000,?,00000000,00000000,00000000,00000096,00000000,?), ref: 00486D72
recv.WSOCK32(?,?,00001000,00000000,00000000,?,00000000,00000000,00000000,00000096,00000000,?,00000000,00000000,00000000,?), ref: 00486DA9
send.WSOCK32(00000000,?,00000000,00000000,?,?,00001000,00000000,00000000,?,00000000,00000000,00000000,00000096,00000000,?), ref: 00486DC0
closesocket.WSOCK32(?,?,?,00000002,00000002,00000000,00486E16), ref: 00486DE2
closesocket.WSOCK32(?,?,?,?,00000002,00000002,00000000,00486E16), ref: 00486DE8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004801FC, Relevance: 35.3, APIs: 15, Strings: 5, Instructions: 286 Total matches: 15network

Similarity

Total matches: 15
API ID: recv$closesocketconnectgethostbynameinet_addrntohssendshutdownsocket
String ID: [.dll]$[.dll]$[.dll]$[.dll]$[.dll]
API String ID: 2256622448-126193538
Opcode ID: edfb90c8b4475b2781d0696b1145c1d1b84b866ec8cac18c23b2313044de0fe7
Instruction ID: 2d95426e1e6ee9a744b3e863ef1b8a7e344b36da7f7d1abd741f771f4a8a1459
Opcode Fuzzy Hash: FB414B0217AAD36BE0726F413943B8B00A2AF03E15D9C97E247B5267D69FA0501DB21A
Instruction Fuzzy Hash: 2d95426e1e6ee9a744b3e863ef1b8a7e344b36da7f7d1abd741f771f4a8a1459

APIs

socket.WSOCK32(00000002,00000001,00000000), ref: 00480264
ntohs.WSOCK32(00000774), ref: 00480288
inet_addr.WSOCK32(015EAA88,00000774), ref: 0048029C
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 004802B4
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 004802DB
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004802F2
closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004805DE

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,?,0048064C,?,00000000,?,FILETRANSFER,000000FF,?,00002000,00000000,000000FF,00000002), ref: 0048036A
recv.WSOCK32(000000FF,?,00002000,00000000,?,00000000,?,0048064C,?,FILEBOF,?,FILETRANSFER,000000FF,?,00002000,00000000), ref: 00480401

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,00000000,?,0048064C,?,FILEBOF,?,FILETRANSFER), ref: 00480451
send.WSOCK32(000000FF,?,00000000,00000000,00000000,00480523,?,000000FF,?,00002000,00000000,?,00000000,?,0048064C,?), ref: 004804DB
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00000000,00000000,00000000,00480523,?,000000FF,?,00002000,00000000,?), ref: 004804F5
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,00000000,?,0048064C,?,FILEBOF,?,FILETRANSFER), ref: 00480583

Part of subcall function 00475F68: send.WSOCK32(?,00000000,?,00000000,00000000,00475FCA), ref: 00475FAF

recv.WSOCK32(000000FF,?,00002000,00000000,?,FILETRANSFER,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004805B6
shutdown.WSOCK32(000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004805D5

Strings

FILEERR, xrefs: 00480432
FILEEOF, xrefs: 00480564
FILEBOF, xrefs: 004803A6
FILEEND, xrefs: 00480597
FILETRANSFER, xrefs: 004802FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048E06C, Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 175 Total matches: 10windowmemorythread

Similarity

Total matches: 10
API ID: SendMessage$FindWindowEx$CloseHandleFindWindowGetWindowThreadProcessIdOpenProcessReadProcessMemoryVirtualAllocVirtualAllocExVirtualFreeVirtualFreeExWriteProcessMemory
String ID: #32770$SysListView32$d"H
API String ID: 3780048337-1380996120
Opcode ID: b683118a55e5ed65f15da96e40864f63eed112dcb30155d6a8038ec0cc94ce3d
Instruction ID: 921cf0fa770e2b86772df7590f9e2c4dc5a1ffd61c2349c0eb9e10af82608242
Opcode Fuzzy Hash: AB11504A0B9C9567E83768442C43BDB1581FB13E89EB1BB93E2743758ADE811069FA43
Instruction Fuzzy Hash: 921cf0fa770e2b86772df7590f9e2c4dc5a1ffd61c2349c0eb9e10af82608242

APIs

Part of subcall function 0048DFF0: GetForegroundWindow.USER32 ref: 0048E00F
Part of subcall function 0048DFF0: GetWindowTextLengthA.USER32(00000000), ref: 0048E01B
Part of subcall function 0048DFF0: GetWindowTextA.USER32(00000000,00000000,00000001), ref: 0048E038

FindWindowA.USER32(#32770,00000000), ref: 0048E0C3
FindWindowExA.USER32(?,00000000,#32770,00000000), ref: 0048E0D8
FindWindowExA.USER32(?,00000000,SysListView32,00000000), ref: 0048E0ED
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0048E102
VirtualAlloc.KERNEL32(00000000,0000012C,00003000,00000004,?,00000000,SysListView32,00000000,00000000,0048E273,?,?,?,?), ref: 0048E12A
GetWindowThreadProcessId.USER32(?,?), ref: 0048E139
OpenProcess.KERNEL32(00000038,00000000,?,00000000,0000012C,00003000,00000004,?,00000000,SysListView32,00000000,00000000,0048E273), ref: 0048E146
VirtualAllocEx.KERNEL32(00000000,00000000,0000012C,00003000,00000004,00000038,00000000,?,00000000,0000012C,00003000,00000004,?,00000000,SysListView32,00000000), ref: 0048E158
WriteProcessMemory.KERNEL32(00000000,00000000,00000000,00000400,?,00000000,00000000,0000012C,00003000,00000004,00000038,00000000,?,00000000,0000012C,00003000), ref: 0048E18A
SendMessageA.USER32(d"H,0000102D,00000000,00000000), ref: 0048E19D
ReadProcessMemory.KERNEL32(00000000,00000000,00000000,00000400,?,d"H,0000102D,00000000,00000000,00000000,00000000,00000000,00000400,?,00000000,00000000), ref: 0048E1AE
SendMessageA.USER32(d"H,00001008,00000000,00000000), ref: 0048E219
VirtualFree.KERNEL32(00000000,00000000,00008000,d"H,00001008,00000000,00000000,00000000,00000000,00000000,00000400,?,d"H,0000102D,00000000,00000000), ref: 0048E226
VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000,00000000,00000000,00008000,d"H,00001008,00000000,00000000,00000000,00000000,00000000,00000400,?), ref: 0048E234
CloseHandle.KERNEL32(00000000), ref: 0048E23A

Strings

SysListView32, xrefs: 0048E0E2
d"H, xrefs: 0048E199, 0048E215, 0048E19C, 0048E218
#32770, xrefs: 0048E0BE, 0048E0CD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00480880, Relevance: 30.0, APIs: 12, Strings: 5, Instructions: 276 Total matches: 16network

Similarity

Total matches: 16
API ID: recv$closesocketshutdown$connectgethostbynameinet_addrntohssocket
String ID: [.dll]$[.dll]$[.dll]$[.dll]$[.dll]
API String ID: 2855376909-126193538
Opcode ID: ce8af9afc4fc20da17b49cda6627b8ca93217772cb051443fc0079949da9fcb3
Instruction ID: 6552a3c7cc817bd0bf0621291c8240d3f07fdfb759ea8c029e05bf9a4febe696
Opcode Fuzzy Hash: A5414C032767977AE1612F402881B952571BF03769DC8C7D257F6746EA5F60240EF31E
Instruction Fuzzy Hash: 6552a3c7cc817bd0bf0621291c8240d3f07fdfb759ea8c029e05bf9a4febe696

APIs

socket.WSOCK32(00000002,00000001,00000000,?,?,?,?,?,?,?,?,?,00000000,00480C86), ref: 004808B5
ntohs.WSOCK32(00000774), ref: 004808D9
inet_addr.WSOCK32(015EAA88,00000774), ref: 004808ED
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 00480905
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 0048092C
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480943
closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480C2F

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480993
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88), ref: 004809C8
shutdown.WSOCK32(000000FF,00000002,?,?,?,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000), ref: 00480B80
closesocket.WSOCK32(000000FF,000000FF,00000002,?,?,?,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?), ref: 00480B89

Part of subcall function 00480860: send.WSOCK32(?,00000000,00000001,00000000), ref: 00480879

shutdown.WSOCK32(000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480C26

Part of subcall function 00405D40: SysFreeString.OLEAUT32(?), ref: 00405D53

Strings

FILEERR, xrefs: 00480BB6
FILEBOF, xrefs: 00480A34
FILEEOF, xrefs: 00480B0B
UPLOADFILE, xrefs: 00480969
FILEEND, xrefs: 00480B6A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048851C, Relevance: 28.3, APIs: 11, Strings: 5, Instructions: 302 Total matches: 13network

Similarity

Total matches: 13
API ID: recv$closesocketconnectgethostbynameinet_addrmouse_eventntohsshutdownsocket
String ID: CONTROLIO$XLEFT$XMID$XRIGHT$XWHEEL
API String ID: 1694935655-1300867655
Opcode ID: 3d8ebbc3997d8a2a290d7fc83b0cdb9b95b23bbbcb8ad76760d2b66ee4a9946d
Instruction ID: 7e2e77316238cb3891ff65c9dc595f4b15bca55cd02a53a070d44cee5d55110c
Opcode Fuzzy Hash: C7410B051B8DD63BF4337E001883B422661FF02A24DC5ABD1ABB6766E75F40641EB74B
Instruction Fuzzy Hash: 7e2e77316238cb3891ff65c9dc595f4b15bca55cd02a53a070d44cee5d55110c

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00488943), ref: 00488581
ntohs.WSOCK32(00000774), ref: 004885A7
inet_addr.WSOCK32(015EAA88,00000774), ref: 004885BB
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 004885D3
connect.WSOCK32(?,00000002,00000010,015EAA88,00000774), ref: 004885FD
recv.WSOCK32(?,?,00002000,00000000,?,00000002,00000010,015EAA88,00000774), ref: 00488617

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(?,?,00002000,00000000,?,?,00002000,00000000,?,00000002,00000010,015EAA88,00000774), ref: 00488670
recv.WSOCK32(?,?,00002000,00000000,?,?,00002000,00000000,?,?,00002000,00000000,?,00000002,00000010,015EAA88), ref: 004886B7
mouse_event.USER32(00000800,00000000,00000000,00000000,00000000), ref: 00488743

Part of subcall function 00488F80: SetCursorPos.USER32(00000000,00000000), ref: 004890E0
Part of subcall function 00488F80: mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 004890FB
Part of subcall function 00488F80: mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 0048910A
Part of subcall function 00488F80: mouse_event.USER32(00000008,00000000,00000000,00000000,00000000), ref: 0048911B
Part of subcall function 00488F80: mouse_event.USER32(00000010,00000000,00000000,00000000,00000000), ref: 0048912A
Part of subcall function 00488F80: mouse_event.USER32(00000020,00000000,00000000,00000000,00000000), ref: 0048913B
Part of subcall function 00488F80: mouse_event.USER32(00000040,00000000,00000000,00000000,00000000), ref: 0048914A

shutdown.WSOCK32(?,00000002,00000002,00000001,00000000,00000000,00488943), ref: 00488907
closesocket.WSOCK32(?,?,00000002,00000002,00000001,00000000,00000000,00488943), ref: 00488913

Strings

XLEFT, xrefs: 004887C6
CONTROLIO, xrefs: 00488640
XRIGHT, xrefs: 0048882E
XMID, xrefs: 00488896
XWHEEL, xrefs: 00488701

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048317C, Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 191 Total matches: 13networkthread

Similarity

Total matches: 13
API ID: ExitThreadrecv$closesocketconnectgethostbynameinet_addrntohssendshutdownsocket
String ID: AI$DATAFLUX
API String ID: 321019756-425132630
Opcode ID: b7a2c89509495347fc3323384a94636a93f503423a5dcd762de1341b7d40447e
Instruction ID: d3bdd4e47b343d3b4fa6119c5e41daebd5c6236719acedab40bdc5f8245a3ecd
Opcode Fuzzy Hash: 4B214D4107AAD97AE4702A443881BA224165F535ADFD48B7147343F7D79E43205DFA4E
Instruction Fuzzy Hash: d3bdd4e47b343d3b4fa6119c5e41daebd5c6236719acedab40bdc5f8245a3ecd

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,004833A9,?,00000000,0048340F), ref: 00483247
ExitThread.KERNEL32(00000000,00000002,00000001,00000000,00000000,004833A9,?,00000000,0048340F), ref: 00483257
ntohs.WSOCK32(00000774), ref: 0048326E
inet_addr.WSOCK32(015EAA88,00000774), ref: 00483282
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 0048329A
ExitThread.KERNEL32(00000000,015EAA88,015EAA88,00000774), ref: 004832A7
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 004832C6
recv.WSOCK32(000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004832D7
ExitThread.KERNEL32(00000000,000000FF,000000FF,00000002,000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0048339A

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00000400,00000000,?,00483440,?,DATAFLUX,000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88), ref: 0048331D
send.WSOCK32(000000FF,?,00000000,00000000), ref: 0048335C
recv.WSOCK32(000000FF,?,00000400,00000000,000000FF,?,00000000,00000000), ref: 00483370
shutdown.WSOCK32(000000FF,00000002,000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00483382
closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0048338B

Strings

AI, xrefs: 00483218
DATAFLUX, xrefs: 004832E3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047F4E0, Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 295 Total matches: 16network

Similarity

Total matches: 16
API ID: recv$closesocketconnectgethostbynameinet_addrntohsshutdownsocket
String ID: [.dll]$PLUGIN$QUICKUP
API String ID: 3502134677-2029499634
Opcode ID: e0335874fa5fb0619f753044afc16a0783dc895853cb643f68a57d403a54b849
Instruction ID: e53faec40743fc20efac8ebff3967ea6891c829de5991c2041a7f36387638ce7
Opcode Fuzzy Hash: 8E4129031BAAEA76E1723F4029C2B851A62EF12635DC4C7E287F6652D65F60241DF60E
Instruction Fuzzy Hash: e53faec40743fc20efac8ebff3967ea6891c829de5991c2041a7f36387638ce7

APIs

socket.WSOCK32(00000002,00000001,00000000,?,00000000,0047F930,?,?,?,?,00000000,00000000), ref: 0047F543
ntohs.WSOCK32(00000774), ref: 0047F567
inet_addr.WSOCK32(015EAA88,00000774), ref: 0047F57B
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 0047F593
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F5BA
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F5D1
closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F8C2

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,?,0047F968,?,0047F968,?,QUICKUP,000000FF,?,00002000,00000000,000000FF,00000002), ref: 0047F63F
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,0047F968,?,0047F968,?,QUICKUP,000000FF,?), ref: 0047F66F

Part of subcall function 0047F4C0: send.WSOCK32(?,00000000,00000001,00000000), ref: 0047F4D9

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,0047F968,?,0047F968), ref: 0047F859

Part of subcall function 0048ADCC: SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0048ADF9
Part of subcall function 0048ADCC: SHGetPathFromIDListA.SHELL32(?,?,00000000,0048AE8C,?,?,00000005,?,004856FD,00000000,00485755,?,?,00000005,00000000,00000000), ref: 0048AE09

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,0047F968,?,0047F968), ref: 0047F786

Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EEA0
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF11
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EF31
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF60
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0047EF96
Part of subcall function 0047EE3C: SetFileAttributesA.KERNEL32(00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFD6
Part of subcall function 0047EE3C: DeleteFileA.KERNEL32(00000000,00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFFF
Part of subcall function 0047EE3C: CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0047F033
Part of subcall function 0047EE3C: PlaySoundA.WINMM(00000000,00000000,00000001,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047F059
Part of subcall function 0047EE3C: CopyFileA.KERNEL32(00000000,00000000,.dcp), ref: 0047F0D1

shutdown.WSOCK32(000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F8B9

Part of subcall function 00405D40: SysFreeString.OLEAUT32(?), ref: 00405D53

Strings

PLUGIN, xrefs: 0047F527
QUICKUP, xrefs: 0047F5DD
FILEEND, xrefs: 0047F7E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00489244, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 150 Total matches: 15networkthread

Similarity

Total matches: 15
API ID: recv$ExitThreadclosesocketconnectgethostbynameinet_addrntohssendshutdownsocket
String ID: AI$DATAFLUX
API String ID: 272284131-425132630
Opcode ID: 11f7e99e0a7c1cc561ab01f1b1abb0142bfc906553ec9d79ada03e9cf39adde9
Instruction ID: 4d7be339f0e68e68ccf0b59b667884dcbebc6bd1e5886c9405f519ae2503b2a6
Opcode Fuzzy Hash: DA115B4513B9A77BE0626F943842B6265236B02E3CF498B3153B83A3C6DF41146DFA4D
Instruction Fuzzy Hash: 4d7be339f0e68e68ccf0b59b667884dcbebc6bd1e5886c9405f519ae2503b2a6

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00489441), ref: 004892BA
ntohs.WSOCK32(00000774), ref: 004892DC
inet_addr.WSOCK32(015EAA88,00000774), ref: 004892F0
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 00489308
connect.WSOCK32(00000000,00000002,00000010,015EAA88,00000774), ref: 0048932C
recv.WSOCK32(00000000,?,00000400,00000000,00000000,00000002,00000010,015EAA88,00000774), ref: 00489340

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(00000000,?,00000400,00000000,?,0048946C,?,DATAFLUX,00000000,?,00000400,00000000,00000000,00000002,00000010,015EAA88), ref: 00489399
send.WSOCK32(00000000,?,00000000,00000000), ref: 004893E3
recv.WSOCK32(00000000,?,00000400,00000000,00000000,?,00000000,00000000), ref: 004893FA
shutdown.WSOCK32(00000000,00000002,00000002,00000001,00000000,00000000,00489441), ref: 00489409
closesocket.WSOCK32(00000000,00000000,00000002,00000002,00000001,00000000,00000000,00489441), ref: 0048940F
ExitThread.KERNEL32(00000000,00000000,00000000,00000002,00000002,00000001,00000000,00000000,00489441), ref: 0048941E

Strings

DATAFLUX, xrefs: 0048934C
AI, xrefs: 0048928B

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00406A68, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 139 Total matches: 2934stringlibraryfile

Similarity

Total matches: 2934
API ID: lstrcpyn$lstrlen$FindCloseFindFirstFileGetModuleHandleGetProcAddress
String ID: GetLongPathNameA$\$[FILE]
API String ID: 3661757112-3025972186
Opcode ID: 09af6d4fb3ce890a591f7b23fb756db22e1cbc03564fc0e4437be3767da6793e
Instruction ID: b14d932b19fc4064518abdddbac2846d3fd2a245794c3c1ecc53a3c556f9407d
Opcode Fuzzy Hash: 5A0148030E08E387E1775B017586F4A12A1EF41C38E98A36025F15BAC94E00300CF12F
Instruction Fuzzy Hash: b14d932b19fc4064518abdddbac2846d3fd2a245794c3c1ecc53a3c556f9407d

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,00400000,004917C0), ref: 00406A85
GetProcAddress.KERNEL32(?,GetLongPathNameA,kernel32.dll,?,00400000,004917C0), ref: 00406A9C
lstrcpynA.KERNEL32(?,?,?,?,00400000,004917C0), ref: 00406ACC
lstrcpynA.KERNEL32(?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B30

Part of subcall function 00406A48: CharNextA.USER32(?), ref: 00406A4F

lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B66
FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B79
FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B8B
lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B97
lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000), ref: 00406BCB
lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00406BD7
lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 00406BF9

Strings

GetLongPathNameA, xrefs: 00406A93
\, xrefs: 00406BA9
kernel32.dll, xrefs: 00406A80

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486E2C, Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 178 Total matches: 14networkthreadsleep

Similarity

Total matches: 14
API ID: CloseHandleCreateThreadExitThreadLocalAllocSleepacceptbindlistenntohssocket
String ID: ERR|Cannot listen to port, try another one..|$ERR|Socket error..|$OK|Successfully started..|
API String ID: 2137491959-3262568804
Opcode ID: 90fb1963c21165c4396d73d063bf7afe9f22d057a02fd569e7e66b2d14a70f73
Instruction ID: 0fda09cc725898a8dcbc65afb209be10fac5e25cc35172c883d426d9189e88b6
Opcode Fuzzy Hash: 9011D50257DC549BD5E7ACC83887FA611625F83E8CEC8BB06AB9A3B2C10E555028B652
Instruction Fuzzy Hash: 0fda09cc725898a8dcbc65afb209be10fac5e25cc35172c883d426d9189e88b6

APIs

socket.WSOCK32(00000002,00000001,00000006,00000000,00487046), ref: 00486E87
ntohs.WSOCK32(?,00000002,00000001,00000006,00000000,00487046), ref: 00486EA8
bind.WSOCK32(00000000,00000002,00000010,?,00000002,00000001,00000006,00000000,00487046), ref: 00486EBD
listen.WSOCK32(00000000,00000005,00000000,00000002,00000010,?,00000002,00000001,00000006,00000000,00487046), ref: 00486ECD

Part of subcall function 004870D4: EnterCriticalSection.KERNEL32(0049C3A8,00000000,004872FC,?,?,00000000,?,00000003,00000000,00000000,?,00486F27,00000000,?,?,00000000), ref: 00487110
Part of subcall function 004870D4: LeaveCriticalSection.KERNEL32(0049C3A8,004872E1,004872FC,?,?,00000000,?,00000003,00000000,00000000,?,00486F27,00000000,?,?,00000000), ref: 004872D4

accept.WSOCK32(00000000,?,00000010,00000000,?,?,00000000,00000000,00000005,00000000,00000002,00000010,?,00000002,00000001,00000006), ref: 00486F37
LocalAlloc.KERNEL32(00000040,00000010,00000000,?,00000010,00000000,?,?,00000000,00000000,00000005,00000000,00000002,00000010,?,00000002), ref: 00486F49
CreateThread.KERNEL32(00000000,00000000,Function_00086918,00000000,00000000,?), ref: 00486F83
CloseHandle.KERNEL32(00000000), ref: 00486F89
Sleep.KERNEL32(00000064,00000000,00000000,00000000,Function_00086918,00000000,00000000,?,00000040,00000010,00000000,?,00000010,00000000,?,?), ref: 00486FD0

Part of subcall function 00487488: EnterCriticalSection.KERNEL32(0049C3A8,00000000,00487671,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00487016), ref: 004874B5
Part of subcall function 00487488: closesocket.WSOCK32(00000000,FpH,?,?,?,?,0049C3A8,00000000,00487671,?,?,00000000,?,00000000,00000000,00000000), ref: 0048761C
Part of subcall function 00487488: LeaveCriticalSection.KERNEL32(0049C3A8,00487656,00487671,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00487016), ref: 00487649

ExitThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000010,?,00000002,00000001,00000006,00000000,00487046), ref: 00487018

Strings

ERR|Socket error..|, xrefs: 00486FA4
OK|Successfully started..|, xrefs: 00486EEF
ERR|Cannot listen to port, try another one..|, xrefs: 00486FEE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048298C, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 119 Total matches: 11threadnetwork

Similarity

Total matches: 11
API ID: ExitThread$closesocket$connectgethostbynameinet_addrntohssocket
String ID: PortScanAdd$T)H
API String ID: 2395914352-1310557750
Opcode ID: 6c3104e507475618e3898607272650a69bca6dc046555386402c23f344340102
Instruction ID: 72399fd579b68a6a0bb22d5de318f24183f317e071505d54d2110904ee01d501
Opcode Fuzzy Hash: 1101680197ABE83FA05261C43881B8224A9AF57288CC8AFB2433A3E7C35D04300EF785
Instruction Fuzzy Hash: 72399fd579b68a6a0bb22d5de318f24183f317e071505d54d2110904ee01d501

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 004829FE
ExitThread.KERNEL32(00000000,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A0C
ntohs.WSOCK32(?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A18
inet_addr.WSOCK32(00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A2A
gethostbyname.WSOCK32(00000000,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A40
ExitThread.KERNEL32(00000000,00000000,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A4D
connect.WSOCK32(00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A63
ExitThread.KERNEL32(00000000,00000000,00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482AB2

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

closesocket.WSOCK32(00000000,?,00482B30,?,PortScanAdd,00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1), ref: 00482A9C
ExitThread.KERNEL32(00000000,00000000,?,00482B30,?,PortScanAdd,00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1), ref: 00482AA3
closesocket.WSOCK32(00000000,00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482AAB

Strings

T)H, xrefs: 004829A6, 00482AEF
PortScanAdd, xrefs: 00482A6C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004836D8, Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 99 Total matches: 11threadnetworksleep

Similarity

Total matches: 11
API ID: ExitThread$Sleepclosesocketconnectgethostbynameinet_addrntohsrecvsocket
String ID: POST /index.php/1.0Host:
API String ID: 2628901859-3522423011
Opcode ID: b04dd301db87c41df85ba2753455f3376e44383b7eb4be01a122875681284b07
Instruction ID: dc3bae1cbba1b9e51a9e3778eeee895e0839b03ccea3d6e2fe0063a405e053e2
Opcode Fuzzy Hash: E6F044005B779ABFC4611EC43C51B8205AA9353A64F85ABE2867A3AED6AD25100FF641
Instruction Fuzzy Hash: dc3bae1cbba1b9e51a9e3778eeee895e0839b03ccea3d6e2fe0063a405e053e2

APIs

socket.WSOCK32(00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 0048373A
ExitThread.KERNEL32(00000000,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 00483747
inet_addr.WSOCK32(?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 00483762
ntohs.WSOCK32(00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 0048376B
gethostbyname.WSOCK32(?,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 0048377B
ExitThread.KERNEL32(00000000,?,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 00483788
connect.WSOCK32(00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 0048379E
ExitThread.KERNEL32(00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 004837A9

Part of subcall function 00475F68: send.WSOCK32(?,00000000,?,00000000,00000000,00475FCA), ref: 00475FAF

recv.WSOCK32(00000000,?,00000400,00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ), ref: 004837C7
Sleep.KERNEL32(000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000,?), ref: 004837DF
closesocket.WSOCK32(00000000,000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000), ref: 004837E5
ExitThread.KERNEL32(00000000,00000000,000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854), ref: 004837EC

Strings

POST /index.php/1.0Host: , xrefs: 00483708

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482630, Relevance: 18.1, APIs: 12, Instructions: 116 Total matches: 16threadnetworksleep

Similarity

Total matches: 16
API ID: ExitThread$Sleepclosesocketconnectgethostbynameinet_addrntohsrecvsocket
String ID:
API String ID: 2628901859-0
Opcode ID: a3aaf1e794ac1aa69d03c8f9e66797259df72f874d13839bb17dd00c6b42194d
Instruction ID: ff6d9d03150e41bc14cdbddfb540e41f41725cc753a621d047e760d4192c390a
Opcode Fuzzy Hash: 7801D0011B764DBFC4611E846C8239311A7A763899DC5EBB1433A395D34E00202DFE46
Instruction Fuzzy Hash: ff6d9d03150e41bc14cdbddfb540e41f41725cc753a621d047e760d4192c390a

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000000,004827A8), ref: 004826CB
ExitThread.KERNEL32(00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 004826D8
inet_addr.WSOCK32(00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 004826F3
ntohs.WSOCK32(00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 004826FC
gethostbyname.WSOCK32(00000000,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 0048270C
ExitThread.KERNEL32(00000000,00000000,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 00482719
connect.WSOCK32(00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 0048272F
ExitThread.KERNEL32(00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 0048273A

Part of subcall function 004824B0: send.WSOCK32(?,?,00000400,00000000,00000000,00482542), ref: 00482525

recv.WSOCK32(00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 00482758
Sleep.KERNEL32(000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 00482770
closesocket.WSOCK32(00000000,000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000), ref: 00482776
ExitThread.KERNEL32(00000000,00000000,000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?), ref: 0048277D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004821A0, Relevance: 15.1, APIs: 10, Instructions: 112 Total matches: 15threadnetworksleep

Similarity

Total matches: 15
API ID: ExitThread$Sleepclosesocketgethostbynameinet_addrntohssendtosocket
String ID:
API String ID: 1359030137-0
Opcode ID: 9f2e935b6ee09f04cbe2534d435647e5a9c7a25d7308ce71f3340d3606cd1e00
Instruction ID: ac1de70ce42b68397a6b2ea81eb33c5fd22f812bdd7d349b67f520e68fdd8bef
Opcode Fuzzy Hash: BC0197011B76997BD8612EC42C8335325A7E363498E85ABB2863A3A5C34E00303EFD4A
Instruction Fuzzy Hash: ac1de70ce42b68397a6b2ea81eb33c5fd22f812bdd7d349b67f520e68fdd8bef

APIs

socket.WSOCK32(00000002,00000002,00000000,?,00000000,00482302), ref: 0048223B
ExitThread.KERNEL32(00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 00482248
inet_addr.WSOCK32(00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 00482263
ntohs.WSOCK32(00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 0048226C
gethostbyname.WSOCK32(00000000,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 0048227C
ExitThread.KERNEL32(00000000,00000000,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 00482289
sendto.WSOCK32(00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 004822B2
Sleep.KERNEL32(000003E8,00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 004822CA
closesocket.WSOCK32(00000000,000003E8,00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 004822D0
ExitThread.KERNEL32(00000000,00000000,000003E8,00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000), ref: 004822D7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00458910, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64 Total matches: 3020window

Similarity

Total matches: 3020
API ID: GetWindowLongScreenToClient$GetWindowPlacementGetWindowRectIsIconic
String ID: ,
API String ID: 816554555-3772416878
Opcode ID: 33713ad712eb987f005f3c933c072ce84ce87073303cb20338137d5b66c4d54f
Instruction ID: 99fb2dd3f2d8984d329dcc6a20dc6bc7800d43894b91fc45d581d88d3a180e50
Opcode Fuzzy Hash: 34E0929A777C2018C58145A80943F5DB3519B5B7FAC55DF8036902895B110018B1B86D
Instruction Fuzzy Hash: 99fb2dd3f2d8984d329dcc6a20dc6bc7800d43894b91fc45d581d88d3a180e50

APIs

IsIconic.USER32(?), ref: 0045891F
GetWindowPlacement.USER32(?,0000002C), ref: 0045893C
GetWindowRect.USER32(?), ref: 00458955
GetWindowLongA.USER32(?,000000F0), ref: 00458963
GetWindowLongA.USER32(?,000000F8), ref: 00458978
ScreenToClient.USER32(00000000), ref: 00458985
ScreenToClient.USER32(00000000,?), ref: 00458990

Strings

,, xrefs: 00458928

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043B7D8, Relevance: 12.1, APIs: 8, Instructions: 72 Total matches: 256window

Similarity

Total matches: 256
API ID: ShowWindow$SetWindowLong$GetWindowLongIsIconicIsWindowVisible
String ID:
API String ID: 1329766111-0
Opcode ID: 851ee31c2da1c7e890e66181f8fd9237c67ccb8fd941b2d55d1428457ca3ad95
Instruction ID: 2d601e2c9dde570a1438639cb57e59d23a7ac9434ebe8ec1c9926e4533b8e8e7
Opcode Fuzzy Hash: FEE0684A6E7C6CE4E26AE7048881B00514BE307A17DC00B00C722165A69E8830E4AC8E
Instruction Fuzzy Hash: 2d601e2c9dde570a1438639cb57e59d23a7ac9434ebe8ec1c9926e4533b8e8e7

APIs

GetWindowLongA.USER32(?,000000EC), ref: 0043B7E8
IsIconic.USER32(?), ref: 0043B800
IsWindowVisible.USER32(?), ref: 0043B80C
ShowWindow.USER32(?,00000000), ref: 0043B840
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B855
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B866
ShowWindow.USER32(?,00000006), ref: 0043B881
ShowWindow.USER32(?,00000005), ref: 0043B88B

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004389B4, Relevance: 10.9, APIs: 7, Instructions: 405 Total matches: 2150windowCrypto

Similarity

Total matches: 2150
API ID: RestoreDCSaveDC$DefWindowProcGetSubMenuGetWindowDC
String ID:
API String ID: 4165311318-0
Opcode ID: e3974ea3235f2bde98e421c273a503296059dbd60f3116d5136c6e7e7c4a4110
Instruction ID: 37498faecac08611daeb58a409bdd2e28f3aff22c71556953c3d6c7203dc42a1
Opcode Fuzzy Hash: E351598106AE105BFCB3A49435C3FA31002E75259BCC9F7725F65B69F70A426107FA0E
Instruction Fuzzy Hash: 37498faecac08611daeb58a409bdd2e28f3aff22c71556953c3d6c7203dc42a1

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 00438ECA

Part of subcall function 00437AE0: SendMessageA.USER32(?,00000234,00000000,00000000), ref: 00437B66
Part of subcall function 00437AE0: DrawMenuBar.USER32(00000000), ref: 00437B77

GetSubMenu.USER32(?,?), ref: 00438AB0

Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128

SaveDC.GDI32(?), ref: 00438C84
RestoreDC.GDI32(?,?), ref: 00438CF8
GetWindowDC.USER32(?), ref: 00438D72
SaveDC.GDI32(?), ref: 00438DA9
RestoreDC.GDI32(?,?), ref: 00438E16

Part of subcall function 00438594: GetMenuItemCount.USER32(?), ref: 004385C0
Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 004385E0
Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 00438678

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043E644, Relevance: 10.9, APIs: 7, Instructions: 356 Total matches: 105windowCrypto

Similarity

Total matches: 105
API ID: RestoreDCSaveDC$GetParentGetWindowDCSetFocus
String ID:
API String ID: 1433148327-0
Opcode ID: c7c51054c34f8cc51c1d37cc0cdfc3fb3cac56433bd5d750a0ee7df42f9800ec
Instruction ID: 9e67841575b56d9a11e2d3f15b67e7abce699d8469a9871b1b2609441fc85f19
Opcode Fuzzy Hash: 60514740199E7193F47720842BC3BEAB09AF79671DC40F3616BC6318877F15A21AB70B
Instruction Fuzzy Hash: 9e67841575b56d9a11e2d3f15b67e7abce699d8469a9871b1b2609441fc85f19

APIs

Part of subcall function 00448224: SetActiveWindow.USER32(?), ref: 0044823F
Part of subcall function 00448224: SetFocus.USER32(00000000), ref: 00448289

SetFocus.USER32(00000000), ref: 0043E76F

Part of subcall function 0043F4F4: SendMessageA.USER32(00000000,00000229,00000000,00000000), ref: 0043F51B

Part of subcall function 0044D2F4: GetWindowThreadProcessId.USER32(?), ref: 0044D301
Part of subcall function 0044D2F4: GetCurrentProcessId.KERNEL32(?,00000000,?,004387ED,?,004378A9), ref: 0044D30A
Part of subcall function 0044D2F4: GlobalFindAtomA.KERNEL32(00000000), ref: 0044D31F
Part of subcall function 0044D2F4: GetPropA.USER32(?,00000000), ref: 0044D336

GetParent.USER32(?), ref: 0043E78A

Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128

SaveDC.GDI32(?), ref: 0043E92D
RestoreDC.GDI32(?,?), ref: 0043E99E
GetWindowDC.USER32(00000000), ref: 0043EA0A
SaveDC.GDI32(?), ref: 0043EA41
RestoreDC.GDI32(?,?), ref: 0043EAA5

Part of subcall function 00447EF0: InvalidateRect.USER32(00000000,00000000,000000FF), ref: 00447F83
Part of subcall function 00447EF0: InvalidateRect.USER32(00000000,00000000,000000FF), ref: 00447FB6

Part of subcall function 004556F4: SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000077), ref: 004557E5
Part of subcall function 004556F4: _TrackMouseEvent.COMCTL32(00000010), ref: 00455A9D
Part of subcall function 004556F4: DefWindowProcA.USER32(00000000,?,?,?), ref: 00455AEF
Part of subcall function 004556F4: GetCapture.USER32 ref: 00455B5A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00471850, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 97 Total matches: 34service

Similarity

Total matches: 34
API ID: CloseServiceHandle$CreateServiceOpenSCManager
String ID: Description$System\CurrentControlSet\Services\
API String ID: 2405299899-3489731058
Opcode ID: 96e252074fe1f6aca618bd4c8be8348df4b99afc93868a54bf7090803d280f0a
Instruction ID: 14b9cf690ce9596509c6229b802a5a61d158de39c8e329de654368bbb4824ff8
Opcode Fuzzy Hash: 7EF09E441FA6E84FA45EB84828533D651465713A78D4C77F19778379C34E84802EF662
Instruction Fuzzy Hash: 14b9cf690ce9596509c6229b802a5a61d158de39c8e329de654368bbb4824ff8

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,00471976,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00471890
CreateServiceA.ADVAPI32(00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,0047193B), ref: 004718D1

Part of subcall function 004711E8: RegCreateKeyA.ADVAPI32(?,00000000,?), ref: 0047122E
Part of subcall function 004711E8: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000002,00000000,?,00000000,00471291), ref: 0047125A
Part of subcall function 004711E8: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000002,00000000,?,00000000,00471291), ref: 00471269

CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00471926
CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0047192C

Strings

Description, xrefs: 00471916
System\CurrentControlSet\Services\, xrefs: 004718F7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004714B8, Relevance: 10.6, APIs: 7, Instructions: 89 Total matches: 71service

Similarity

Total matches: 71
API ID: CloseServiceHandle$ControlServiceOpenSCManagerOpenServiceQueryServiceStatusStartService
String ID:
API String ID: 3657116338-0
Opcode ID: 1e9d444eec48d0e419340f6fec950ff588b94c8e7592a950f99d2ba7664d31f8
Instruction ID: f731b938185626ba78ad74946a73eac4c40bc8709c87a2b6d5c22da45b1e1850
Opcode Fuzzy Hash: EDF0270D12C6E85FF119A88C1181B67D992DF56795E4A37E04715744CB1AE21008FA1E
Instruction Fuzzy Hash: f731b938185626ba78ad74946a73eac4c40bc8709c87a2b6d5c22da45b1e1850

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047159E), ref: 004714FD
OpenServiceA.ADVAPI32(00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047152D
StartServiceA.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471555
ControlService.ADVAPI32(00000000,00000001,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471563
QueryServiceStatus.ADVAPI32(00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047156D
CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471573
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471579

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A070, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51 Total matches: 81shutdown

Similarity

Total matches: 81
API ID: AdjustTokenPrivilegesExitWindowsExGetCurrentProcessLookupPrivilegeValueOpenProcessToken
String ID: SeShutdownPrivilege
API String ID: 907618230-3733053543
Opcode ID: 6325c351eeb4cc5a7ec0039467aea46e8b54e3429b17674810d590d1af91e24f
Instruction ID: 66577e1e564058a64f67eda116e8e082f314cb3670dbe1b8773e92ba7f33d392
Opcode Fuzzy Hash: 84D0124D3B7976B1F31D5D4001C47A6711FDBA322AD61670069507725A8DA091F4BE88
Instruction Fuzzy Hash: 66577e1e564058a64f67eda116e8e082f314cb3670dbe1b8773e92ba7f33d392

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 0048A083
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0048A089
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000000), ref: 0048A0A4
AdjustTokenPrivileges.ADVAPI32(00000002,00000000,00000002,00000010,?,?,00000000), ref: 0048A0E5
ExitWindowsEx.USER32(00000012,00000000), ref: 0048A0ED

Strings

SeShutdownPrivilege, xrefs: 0048A09D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E370, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 46 Total matches: 14window

Similarity

Total matches: 14
API ID: GetWindowPlacementGetWindowRectIsIconic
String ID: MonitorFromWindow$pB
API String ID: 1187573753-2555291889
Opcode ID: b2662cef33c9ce970c581efdfdde34e0c8b40e940518fa378c404c4b73bde14f
Instruction ID: 5a6b2a18135ea14e651d4e6cb58f3d6b41c3321aed1c605d56f3d84144375520
Opcode Fuzzy Hash: E2D0977303280A045DC34844302880B2A322AD3C3188C3FE182332B3D34B8630BCCF1D
Instruction Fuzzy Hash: 5a6b2a18135ea14e651d4e6cb58f3d6b41c3321aed1c605d56f3d84144375520

APIs

IsIconic.USER32(?), ref: 0042E3B9
GetWindowPlacement.USER32(?,?), ref: 0042E3C7
GetWindowRect.USER32(?,?), ref: 0042E3D3

Part of subcall function 0042E2E0: GetSystemMetrics.USER32(00000000), ref: 0042E331
Part of subcall function 0042E2E0: GetSystemMetrics.USER32(00000001), ref: 0042E33D

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

pB, xrefs: 0042E38C, 0042E399, 0042E3A0
MonitorFromWindow, xrefs: 0042E387

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004715B0, Relevance: 7.5, APIs: 5, Instructions: 49 Total matches: 102service

Similarity

Total matches: 102
API ID: CloseServiceHandle$DeleteServiceOpenSCManagerOpenService
String ID:
API String ID: 3460840894-0
Opcode ID: edfa3289dfdb26ec1f91a4a945de349b204e0a604ed3354c303b362bde8b8223
Instruction ID: 514bcffe4070602af344c66095507f6a8d55ec3e3e7bb18c804bf3b7deea95f5
Opcode Fuzzy Hash: 01D02E841BA8F82FD4879988111239360C1AA23A90D8A37F08E08361D3ABE4004CF86A
Instruction Fuzzy Hash: 514bcffe4070602af344c66095507f6a8d55ec3e3e7bb18c804bf3b7deea95f5

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047162F), ref: 004715DB
OpenServiceA.ADVAPI32(00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 004715F5
DeleteService.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471601
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 0047160E
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471614

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474D58, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 57 Total matches: 14memoryinjection

Similarity

Total matches: 14
API ID: VirtualAllocExWriteProcessMemory
String ID: DCPERSFWBP$[FILE]
API String ID: 1899012086-3297815924
Opcode ID: 423b64deca3bc68d45fc180ef4fe9512244710ab636da43375ed106f5e876429
Instruction ID: 67bfdac44fec7567ab954589a4a4ae8848f6352de5e33de26bc6a5b7174d46b5
Opcode Fuzzy Hash: 4BD02B4149BDE17FF94C78C4A85678341A7D3173DCE802F51462633086CD94147EFCA2
Instruction Fuzzy Hash: 67bfdac44fec7567ab954589a4a4ae8848f6352de5e33de26bc6a5b7174d46b5

APIs

VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?,00000000,00000000,00000000,?,004755A7), ref: 00474D98
WriteProcessMemory.KERNEL32(?,00000000,kernel32.dll,?,?,?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?), ref: 00474DBE

Strings

DCPERSFWBP, xrefs: 00474D63
kernel32.dll, xrefs: 00474DBB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00466038, Relevance: 6.1, APIs: 4, Instructions: 80 Total matches: 74memory

Similarity

Total matches: 74
API ID: FreeLibraryGetProcessHeapHeapFreeVirtualFree
String ID:
API String ID: 3842653680-0
Opcode ID: 18c634abe08efcbefc55c9db1d620b030a08f63fe7277eb6ecf1dfb863243027
Instruction ID: c74000fe1f08e302fb3e428a7eb38cba65dd626a731774cc3da5921c0d19fb8b
Opcode Fuzzy Hash: 05E06801058482C6E4EC38C40607F0867817F8B269D70AB2809F62E7F7C985A25D5E80
Instruction Fuzzy Hash: c74000fe1f08e302fb3e428a7eb38cba65dd626a731774cc3da5921c0d19fb8b

APIs

FreeLibrary.KERNEL32(00000000,?,?,00000000,?,00000000,00465C6C), ref: 004660A7
VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,?,00000000,00465C6C), ref: 004660D8
GetProcessHeap.KERNEL32(00000000,?,?,?,00000000,?,00000000,00465C6C), ref: 004660E0
HeapFree.KERNEL32(00000000,00000000,?), ref: 004660E6

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A218, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45 Total matches: 35

Similarity

Total matches: 35
API ID: ShellExecuteEx
String ID: <$runas
API String ID: 188261505-1187129395
Opcode ID: 78fd917f465efea932f782085a819b786d64ecbded851ad2becd4a9c2b295cba
Instruction ID: 699417cfffd9d2823bf050fc300394e0ca4864bf277244f982f3937778f2d3bc
Opcode Fuzzy Hash: 44D0C2651799A06BC4A3B2C03C41B2B25307B13B48C0EB722960034CD38F080009EF85
Instruction Fuzzy Hash: 699417cfffd9d2823bf050fc300394e0ca4864bf277244f982f3937778f2d3bc

APIs

ShellExecuteExA.SHELL32(0000003C,00000000,0048A2A4), ref: 0048A283

Strings

runas, xrefs: 0048A268
<, xrefs: 0048A24C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00471640, Relevance: 4.6, APIs: 3, Instructions: 140 Total matches: 47service

Similarity

Total matches: 47
API ID: CloseServiceHandleEnumServicesStatusOpenSCManager
String ID:
API String ID: 233299287-0
Opcode ID: 185c547a2e6a35dbb7ea54b3dd23c7efef250d35a63269c87f9c499be03b9b38
Instruction ID: 4325fe5331610a1e4ee3b19dd885bf5302e7ab4f054d8126da991c50fe425a8d
Opcode Fuzzy Hash: D3112647077BC223FB612D841803F8279D84B1AA24F8C4B458BB5BC6F61E490105F69D
Instruction Fuzzy Hash: 4325fe5331610a1e4ee3b19dd885bf5302e7ab4f054d8126da991c50fe425a8d

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000005,00000000,00471828), ref: 004716A2
EnumServicesStatusA.ADVAPI32(00000000,0000013F,00000003,?,00004800,?,?,?), ref: 004716DC

Part of subcall function 004714B8: OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047159E), ref: 004714FD
Part of subcall function 004714B8: OpenServiceA.ADVAPI32(00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047152D
Part of subcall function 004714B8: StartServiceA.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471555
Part of subcall function 004714B8: ControlService.ADVAPI32(00000000,00000001,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471563
Part of subcall function 004714B8: QueryServiceStatus.ADVAPI32(00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047156D
Part of subcall function 004714B8: CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471573
Part of subcall function 004714B8: CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471579

CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000005,00000000,00471828), ref: 00471805

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428418, Relevance: 4.6, APIs: 3, Instructions: 51 Total matches: 804fileclipboard

Similarity

Total matches: 804
API ID: CopyEnhMetaFileGetClipboardDataGetEnhMetaFileHeader
String ID:
API String ID: 3637528194-0
Opcode ID: cf07a757480d2ce5d096a9326dc18de80b49a66677c52fe9c372584e3e65ad5a
Instruction ID: 5f0a7913bcd66d343327936f43ba3591bee84e554d41b59289a5ac97c4a989bd
Opcode Fuzzy Hash: 5ED02BC2634CD551A4564A518DC38443704010D9799C4EBA4E3BA602E39D04B208BFAE
Instruction Fuzzy Hash: 5f0a7913bcd66d343327936f43ba3591bee84e554d41b59289a5ac97c4a989bd

APIs

GetClipboardData.USER32(0000000E), ref: 00428425
CopyEnhMetaFileA.GDI32(00000000,00000000), ref: 00428447
GetEnhMetaFileHeader.GDI32(?,00000064,?), ref: 00428459

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042F204, Relevance: 166.5, APIs: 48, Strings: 47, Instructions: 266 Total matches: 2590libraryloader

Similarity

Total matches: 2590
API ID: GetProcAddress$LoadLibrary
String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$[FILE]
API String ID: 2209490600-790253602
Opcode ID: d5b316937265a1d63c550ac9e6780b23ae603b9b00a4eb52bbd2495b45327185
Instruction ID: cdd6db89471e363eb0c024dafd59dce8bdfa3de864d9ed8bc405e7c292d3cab1
Opcode Fuzzy Hash: 3A41197F44EC1149F6A0DA0830FF64324E669EAF2C0325F101587303717ADBF52A6AB9
Instruction Fuzzy Hash: cdd6db89471e363eb0c024dafd59dce8bdfa3de864d9ed8bc405e7c292d3cab1

APIs

LoadLibraryA.KERNEL32(uxtheme.dll), ref: 0042F23A
GetProcAddress.KERNEL32(00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F252
GetProcAddress.KERNEL32(00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F264
GetProcAddress.KERNEL32(00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F276
GetProcAddress.KERNEL32(00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F288
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F29A
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F2AC
GetProcAddress.KERNEL32(00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000), ref: 0042F2BE
GetProcAddress.KERNEL32(00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData), ref: 0042F2D0
GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData), ref: 0042F2E2
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground), ref: 0042F2F4
GetProcAddress.KERNEL32(00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText), ref: 0042F306
GetProcAddress.KERNEL32(00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect), ref: 0042F318
GetProcAddress.KERNEL32(00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect), ref: 0042F32A
GetProcAddress.KERNEL32(00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize), ref: 0042F33C
GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent), ref: 0042F34E
GetProcAddress.KERNEL32(00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics), ref: 0042F360
GetProcAddress.KERNEL32(00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion), ref: 0042F372
GetProcAddress.KERNEL32(00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground), ref: 0042F384
GetProcAddress.KERNEL32(00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge), ref: 0042F396
GetProcAddress.KERNEL32(00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon), ref: 0042F3A8
GetProcAddress.KERNEL32(00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined), ref: 0042F3BA
GetProcAddress.KERNEL32(00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent), ref: 0042F3CC
GetProcAddress.KERNEL32(00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor), ref: 0042F3DE
GetProcAddress.KERNEL32(00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric), ref: 0042F3F0
GetProcAddress.KERNEL32(00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString), ref: 0042F402
GetProcAddress.KERNEL32(00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool), ref: 0042F414
GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt), ref: 0042F426
GetProcAddress.KERNEL32(00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue), ref: 0042F438
GetProcAddress.KERNEL32(00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition), ref: 0042F44A
GetProcAddress.KERNEL32(00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont), ref: 0042F45C
GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect), ref: 0042F46E
GetProcAddress.KERNEL32(00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins), ref: 0042F480
GetProcAddress.KERNEL32(00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList), ref: 0042F492
GetProcAddress.KERNEL32(00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin), ref: 0042F4A4
GetProcAddress.KERNEL32(00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme), ref: 0042F4B6
GetProcAddress.KERNEL32(00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename), ref: 0042F4C8
GetProcAddress.KERNEL32(00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor), ref: 0042F4DA
GetProcAddress.KERNEL32(00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush), ref: 0042F4EC
GetProcAddress.KERNEL32(00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool), ref: 0042F4FE
GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize), ref: 0042F510
GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont), ref: 0042F522
GetProcAddress.KERNEL32(00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString), ref: 0042F534
GetProcAddress.KERNEL32(00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt), ref: 0042F546
GetProcAddress.KERNEL32(00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive), ref: 0042F558
GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed), ref: 0042F56A
GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground,00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme), ref: 0042F57C
GetProcAddress.KERNEL32(00000000,EnableTheming,00000000,DrawThemeParentBackground,00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture), ref: 0042F58E

Strings

EnableTheming, xrefs: 0042F586
CloseThemeData, xrefs: 0042F25C
DrawThemeText, xrefs: 0042F280
GetThemePosition, xrefs: 0042F3C4
IsThemeBackgroundPartiallyTransparent, xrefs: 0042F346
GetThemeBool, xrefs: 0042F38E
GetThemeTextMetrics, xrefs: 0042F2DA
IsThemeDialogTextureEnabled, xrefs: 0042F51A
GetThemeMetric, xrefs: 0042F36A
GetThemeSysInt, xrefs: 0042F4C0
GetThemeInt, xrefs: 0042F3A0
SetThemeAppProperties, xrefs: 0042F53E
IsAppThemed, xrefs: 0042F4E4
EnableThemeDialogTexture, xrefs: 0042F508
GetThemeEnumValue, xrefs: 0042F3B2
GetThemeSysSize, xrefs: 0042F48A
GetThemeTextExtent, xrefs: 0042F2C8
DrawThemeBackground, xrefs: 0042F26E
GetThemeBackgroundRegion, xrefs: 0042F2EC
IsThemeActive, xrefs: 0042F4D2
GetThemeBackgroundContentRect, xrefs: 0042F292, 0042F2A4
uxtheme.dll, xrefs: 0042F235
GetThemeSysString, xrefs: 0042F4AE
DrawThemeEdge, xrefs: 0042F310
GetThemeFilename, xrefs: 0042F442
GetThemeIntList, xrefs: 0042F40C
GetThemeSysBool, xrefs: 0042F478
GetThemeSysColor, xrefs: 0042F454
GetThemeFont, xrefs: 0042F3D6
GetWindowTheme, xrefs: 0042F4F6
GetThemeMargins, xrefs: 0042F3FA
GetThemeSysColorBrush, xrefs: 0042F466
GetCurrentThemeName, xrefs: 0042F550
GetThemeAppProperties, xrefs: 0042F52C
GetThemePropertyOrigin, xrefs: 0042F41E
OpenThemeData, xrefs: 0042F24A
GetThemeSysFont, xrefs: 0042F49C
GetThemeRect, xrefs: 0042F3E8
GetThemeDocumentationProperty, xrefs: 0042F562
IsThemePartDefined, xrefs: 0042F334
SetWindowTheme, xrefs: 0042F430
GetThemePartSize, xrefs: 0042F2B6
GetThemeColor, xrefs: 0042F358
DrawThemeParentBackground, xrefs: 0042F574
DrawThemeIcon, xrefs: 0042F322
GetThemeString, xrefs: 0042F37C
HitTestThemeBackground, xrefs: 0042F2FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004754C4, Relevance: 87.7, APIs: 29, Strings: 21, Instructions: 233 Total matches: 21libraryloaderprocess

Similarity

Total matches: 21
API ID: GetModuleHandleGetProcAddress$CreateProcess
String ID: CloseHandle$CreateMutexA$CreateProcessA$D$DCPERSFWBP$ExitThread$GetExitCodeProcess$GetLastError$GetProcAddress$LoadLibraryA$MessageBoxA$OpenProcess$SetLastError$Sleep$TerminateProcess$WaitForSingleObject$kernel32$[FILE]$notepad$user32$[FILE]
API String ID: 3751337051-3523759359
Opcode ID: 948186da047cc935dcd349cc6fe59913c298c2f7fe37e158e253dfef2729ac1f
Instruction ID: 4cc698827aad1f96db961776656dbb42e561cfa105640199e72939f2d3a7da76
Opcode Fuzzy Hash: 0C31B4E666B8F349E6362E4830D46BC26C1A687F3DB52D7004A37B27C46E810407F776
Instruction Fuzzy Hash: 4cc698827aad1f96db961776656dbb42e561cfa105640199e72939f2d3a7da76

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 00475590

Part of subcall function 00474D58: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?,00000000,00000000,00000000,?,004755A7), ref: 00474D98
Part of subcall function 00474D58: WriteProcessMemory.KERNEL32(?,00000000,kernel32.dll,?,?,?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?), ref: 00474DBE

GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756B4
GetProcAddress.KERNEL32(00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756BA
GetModuleHandleA.KERNEL32(kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756CB
GetProcAddress.KERNEL32(00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756D1
GetModuleHandleA.KERNEL32(kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756E3
GetProcAddress.KERNEL32(00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 004756E9
GetModuleHandleA.KERNEL32(user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 004756FB
GetProcAddress.KERNEL32(00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 00475701
GetModuleHandleA.KERNEL32(kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 00475713
GetProcAddress.KERNEL32(00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000), ref: 00475719
GetModuleHandleA.KERNEL32(kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32), ref: 0047572B
GetProcAddress.KERNEL32(00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000), ref: 00475731
GetModuleHandleA.KERNEL32(kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32), ref: 00475743
GetProcAddress.KERNEL32(00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000), ref: 00475749
GetModuleHandleA.KERNEL32(kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32), ref: 0047575B
GetProcAddress.KERNEL32(00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000), ref: 00475761
GetModuleHandleA.KERNEL32(kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32), ref: 00475773
GetProcAddress.KERNEL32(00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000), ref: 00475779
GetModuleHandleA.KERNEL32(kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32), ref: 0047578B
GetProcAddress.KERNEL32(00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000), ref: 00475791
GetModuleHandleA.KERNEL32(kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32), ref: 004757A3
GetProcAddress.KERNEL32(00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000), ref: 004757A9
GetModuleHandleA.KERNEL32(kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32), ref: 004757BB
GetProcAddress.KERNEL32(00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000), ref: 004757C1
GetModuleHandleA.KERNEL32(kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32), ref: 004757D3
GetProcAddress.KERNEL32(00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000), ref: 004757D9
GetModuleHandleA.KERNEL32(kernel32,OpenProcess,00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32), ref: 004757EB
GetProcAddress.KERNEL32(00000000,kernel32,OpenProcess,00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000), ref: 004757F1

Part of subcall function 00474E20: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00474E5E
Part of subcall function 00474E20: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00474E6E
Part of subcall function 00474E20: ReadProcessMemory.KERNEL32(?,00000000,?,?,?,DCPERSFWBP,?,?), ref: 00474E81

Part of subcall function 0040F234: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0048F90F,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040F24B

Strings

ExitThread, xrefs: 00475622, 00475799
kernel32, xrefs: 004756AF, 004756C6, 004756DE, 0047570E, 00475726, 0047573E, 00475756, 0047576E, 00475786, 0047579E, 004757B6, 004757CE, 004757E6
GetProcAddress, xrefs: 004756C1
TerminateProcess, xrefs: 0047564C, 004757B1
notepad, xrefs: 00475543
CreateMutexA, xrefs: 00475604, 00475769
kernel32.dll, xrefs: 0047559B
user32.dll, xrefs: 004755AA
SetLastError, xrefs: 004755F5, 00475751
D, xrefs: 00475517
DCPERSFWBP, xrefs: 00475563
Sleep, xrefs: 004755B9, 004756D9
GetExitCodeProcess, xrefs: 0047565B, 00475781
user32, xrefs: 004756F6
WaitForSingleObject, xrefs: 0047567E, 004757C9
LoadLibraryA, xrefs: 004756AA
OpenProcess, xrefs: 00475631, 004757E1
MessageBoxA, xrefs: 004755C8, 004756F1
CreateProcessA, xrefs: 004755D7, 00475721
GetLastError, xrefs: 004755E6, 00475739
CloseHandle, xrefs: 00475613, 00475709

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00460DDC, Relevance: 75.4, APIs: 24, Strings: 19, Instructions: 132 Total matches: 77libraryloader

Similarity

Total matches: 77
API ID: GetProcAddress$LoadLibrary
String ID: EmptyWorkingSet$EnumDeviceDrivers$EnumProcessModules$EnumProcesses$GetDeviceDriverBaseNameA$GetDeviceDriverBaseNameW$GetDeviceDriverFileNameA$GetDeviceDriverFileNameW$GetMappedFileNameA$GetMappedFileNameW$GetModuleBaseNameA$GetModuleBaseNameW$GetModuleFileNameExA$GetModuleFileNameExW$GetModuleInformation$GetProcessMemoryInfo$InitializeProcessForWsWatch$[FILE]$QueryWorkingSet
API String ID: 2209490600-4166134900
Opcode ID: aaefed414f62a40513f9ac2234ba9091026a29d00b8defe743cdf411cc1f958a
Instruction ID: 585c55804eb58d57426aaf25b5bf4c27b161b10454f9e43d23d5139f544de849
Opcode Fuzzy Hash: CC1125BF55AD1149CBA48A6C34EF70324D3399A90D4228F10A492317397DDFE49A1FB5
Instruction Fuzzy Hash: 585c55804eb58d57426aaf25b5bf4c27b161b10454f9e43d23d5139f544de849

APIs

LoadLibraryA.KERNEL32(PSAPI.dll), ref: 00460DF0
GetProcAddress.KERNEL32(00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E0C
GetProcAddress.KERNEL32(00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E1E
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E30
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E42
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E54
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E66
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll), ref: 00460E78
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses), ref: 00460E8A
GetProcAddress.KERNEL32(00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules), ref: 00460E9C
GetProcAddress.KERNEL32(00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA), ref: 00460EAE
GetProcAddress.KERNEL32(00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA), ref: 00460EC0
GetProcAddress.KERNEL32(00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA), ref: 00460ED2
GetProcAddress.KERNEL32(00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA), ref: 00460EE4
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW), ref: 00460EF6
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW), ref: 00460F08
GetProcAddress.KERNEL32(00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation), ref: 00460F1A
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet), ref: 00460F2C
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet), ref: 00460F3E
GetProcAddress.KERNEL32(00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch), ref: 00460F50
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA), ref: 00460F62
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA), ref: 00460F74
GetProcAddress.KERNEL32(00000000,EnumDeviceDrivers,00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA), ref: 00460F86
GetProcAddress.KERNEL32(00000000,GetProcessMemoryInfo,00000000,EnumDeviceDrivers,00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA), ref: 00460F98

Strings

GetDeviceDriverFileNameA, xrefs: 00460F00, 00460F36
GetModuleInformation, xrefs: 00460E94
QueryWorkingSet, xrefs: 00460EB8
EnumProcessModules, xrefs: 00460E16
InitializeProcessForWsWatch, xrefs: 00460ECA
GetMappedFileNameA, xrefs: 00460EDC, 00460F12
GetDeviceDriverFileNameW, xrefs: 00460F6C
GetDeviceDriverBaseNameA, xrefs: 00460EEE, 00460F24
PSAPI.dll, xrefs: 00460DEB
EnumProcesses, xrefs: 00460E04
EnumDeviceDrivers, xrefs: 00460F7E
GetModuleBaseNameA, xrefs: 00460E28, 00460E4C
GetModuleFileNameExA, xrefs: 00460E3A, 00460E5E
GetDeviceDriverBaseNameW, xrefs: 00460F5A
EmptyWorkingSet, xrefs: 00460EA6
GetModuleFileNameExW, xrefs: 00460E82
GetModuleBaseNameW, xrefs: 00460E70
GetMappedFileNameW, xrefs: 00460F48
GetProcessMemoryInfo, xrefs: 00460F90

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474F80, Relevance: 68.4, APIs: 23, Strings: 16, Instructions: 193 Total matches: 16libraryloaderprocess

Similarity

Total matches: 16
API ID: GetModuleHandleGetProcAddress$CreateProcess
String ID: CloseHandle$D$DeleteFileA$ExitThread$GetExitCodeProcess$GetLastError$GetProcAddress$LoadLibraryA$MessageBoxA$OpenProcess$Sleep$TerminateProcess$kernel32$[FILE]$notepad$[FILE]
API String ID: 3751337051-1992750546
Opcode ID: f3e5bd14b9eca4547e1d82111e60eaf505a3b72a2acd12d9f4d60f775fac33f7
Instruction ID: 521cd1f5f1d68558a350981a4af58b67496248f6491df8a54ee4dd11dd84c66b
Opcode Fuzzy Hash: 6C21A7BE2678E349F6766E1834D567C2491BA46A38B4AEB010237376C44F91000BFF76
Instruction Fuzzy Hash: 521cd1f5f1d68558a350981a4af58b67496248f6491df8a54ee4dd11dd84c66b

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0047500B

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

Part of subcall function 00474D58: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?,00000000,00000000,00000000,?,004755A7), ref: 00474D98
Part of subcall function 00474D58: WriteProcessMemory.KERNEL32(?,00000000,kernel32.dll,?,?,?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?), ref: 00474DBE

GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000,00475246), ref: 0047511C
GetProcAddress.KERNEL32(00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000,00475246), ref: 00475122
GetModuleHandleA.KERNEL32(kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000), ref: 00475133
GetProcAddress.KERNEL32(00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 00475139
GetModuleHandleA.KERNEL32(kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000), ref: 0047514B
GetProcAddress.KERNEL32(00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000), ref: 00475151
GetModuleHandleA.KERNEL32(kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000), ref: 00475163
GetProcAddress.KERNEL32(00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000), ref: 00475169
GetModuleHandleA.KERNEL32(kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000), ref: 0047517B
GetProcAddress.KERNEL32(00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000), ref: 00475181
GetModuleHandleA.KERNEL32(kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32), ref: 00475193
GetProcAddress.KERNEL32(00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000), ref: 00475199
GetModuleHandleA.KERNEL32(kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32), ref: 004751AB
GetProcAddress.KERNEL32(00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000), ref: 004751B1
GetModuleHandleA.KERNEL32(kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32), ref: 004751C3
GetProcAddress.KERNEL32(00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000), ref: 004751C9
GetModuleHandleA.KERNEL32(kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32), ref: 004751DB
GetProcAddress.KERNEL32(00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000), ref: 004751E1
GetModuleHandleA.KERNEL32(kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32), ref: 004751F3
GetProcAddress.KERNEL32(00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000), ref: 004751F9
GetModuleHandleA.KERNEL32(kernel32,GetExitCodeProcess,00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32), ref: 0047520B
GetProcAddress.KERNEL32(00000000,kernel32,GetExitCodeProcess,00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000), ref: 00475211

Part of subcall function 00474E20: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00474E5E
Part of subcall function 00474E20: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00474E6E
Part of subcall function 00474E20: ReadProcessMemory.KERNEL32(?,00000000,?,?,?,DCPERSFWBP,?,?), ref: 00474E81

Part of subcall function 0040F234: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0048F90F,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040F24B

Strings

DeleteFileA, xrefs: 0047509B, 00475189
user32.dll, xrefs: 0047505F
LoadLibraryA, xrefs: 00475112
Sleep, xrefs: 0047506E, 00475141
notepad, xrefs: 00475025
OpenProcess, xrefs: 004750D7, 004751E9
kernel32.dll, xrefs: 00475050
GetProcAddress, xrefs: 00475129
ExitThread, xrefs: 0047508C, 00475171
TerminateProcess, xrefs: 004750B9, 004751B9
kernel32, xrefs: 00475117, 0047512E, 00475146, 0047515E, 00475176, 0047518E, 004751A6, 004751BE, 004751D6, 004751EE, 00475206
MessageBoxA, xrefs: 0047507D, 00475159
CloseHandle, xrefs: 004750C8, 004751D1
GetLastError, xrefs: 004750AA, 004751A1
GetExitCodeProcess, xrefs: 004750E6, 00475201
D, xrefs: 00474FC9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045D6E8, Relevance: 49.1, APIs: 15, Strings: 13, Instructions: 95 Total matches: 1532libraryloader

Similarity

Total matches: 1532
API ID: GetProcAddress$SetErrorMode$GetModuleHandleLoadLibrary
String ID: ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME$[FILE]
API String ID: 4285671783-683095915
Opcode ID: 6332f91712b4189a2fbf9eac54066364acf4b46419cf90587b9f7381acad85db
Instruction ID: 372e34bc737a7edc69a1909bd40661afaf820c1de602df88552da6e630419b72
Opcode Fuzzy Hash: 0A01257F24D863CBD2D0CE4934DB39D20B65787C0C8D6DF404605318697F9BF9295A68
Instruction Fuzzy Hash: 372e34bc737a7edc69a1909bd40661afaf820c1de602df88552da6e630419b72

APIs

SetErrorMode.KERNEL32(00008000), ref: 0045D701
GetModuleHandleA.KERNEL32(USER32,00000000,0045D84E,?,00008000), ref: 0045D725
GetProcAddress.KERNEL32(00000000,WINNLSEnableIME,USER32,00000000,0045D84E,?,00008000), ref: 0045D732
LoadLibraryA.KERNEL32(imm32.dll), ref: 0045D74E
GetProcAddress.KERNEL32(00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D770
GetProcAddress.KERNEL32(00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D785
GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D79A
GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7AF
GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7C4
GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E), ref: 0045D7D9
GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000), ref: 0045D7EE
GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext), ref: 0045D803
GetProcAddress.KERNEL32(00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext), ref: 0045D818
GetProcAddress.KERNEL32(00000000,ImmNotifyIME,00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus), ref: 0045D82D
SetErrorMode.KERNEL32(?,0045D855,00008000), ref: 0045D848

Strings

USER32, xrefs: 0045D720
ImmReleaseContext, xrefs: 0045D77A
ImmNotifyIME, xrefs: 0045D822
ImmIsIME, xrefs: 0045D80D
ImmGetConversionStatus, xrefs: 0045D78F
ImmSetCompositionFontA, xrefs: 0045D7E3
ImmGetCompositionStringA, xrefs: 0045D7F8
ImmSetCompositionWindow, xrefs: 0045D7CE
ImmGetContext, xrefs: 0045D765
imm32.dll, xrefs: 0045D749
ImmSetOpenStatus, xrefs: 0045D7B9
WINNLSEnableIME, xrefs: 0045D72C
ImmSetConversionStatus, xrefs: 0045D7A4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004104F0, Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141 Total matches: 3143

Similarity

Total matches: 3143
API ID: GetModuleHandle
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$[FILE]
API String ID: 2196120668-1102361026
Opcode ID: d04b3c176625d43589df9c4c1eaa1faa8af9b9c00307a8a09859a0e62e75f2dc
Instruction ID: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6
Opcode Fuzzy Hash: B8119E48E06A10BC356E3ED6B0292683F50A1A7CBF31D5388487AA46F067C083C0FF2D
Instruction Fuzzy Hash: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 004104F9

Part of subcall function 004104C4: GetProcAddress.KERNEL32(00000000), ref: 004104DD

Strings

VarMod, xrefs: 004105B7
VarBstrFromCy, xrefs: 004106A9
VarBstrFromBool, xrefs: 004106D5
VarAnd, xrefs: 004105CD
VarDateFromStr, xrefs: 00410667
oleaut32.dll, xrefs: 004104F4
VariantChangeTypeEx, xrefs: 00410507
VarCmp, xrefs: 0041060F
VarBstrFromDate, xrefs: 004106BF
VarBoolFromStr, xrefs: 00410693
VarR8FromStr, xrefs: 00410651
VarR4FromStr, xrefs: 0041063B
VarDiv, xrefs: 0041058B
VarSub, xrefs: 0041055F
VarNeg, xrefs: 0041051D
VarAdd, xrefs: 00410549
VarOr, xrefs: 004105E3
VarMul, xrefs: 00410575
VarI4FromStr, xrefs: 00410625
VarCyFromStr, xrefs: 0041067D
VarIdiv, xrefs: 004105A1
VarXor, xrefs: 004105F9
VarNot, xrefs: 00410533

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047EE3C, Relevance: 37.0, APIs: 10, Strings: 11, Instructions: 210 Total matches: 14file

Similarity

Total matches: 14
API ID: ShellExecute$CopyFile$DeleteFilePlaySoundSetFileAttributes
String ID: .dcp$BATCH$EDITSVR$GENCODE$HOSTS$SOUND$UPANDEXEC$UPDATE$UPLOADEXEC$drivers\etc\hosts$open
API String ID: 313780579-486951257
Opcode ID: 44d22e170a376e2c3ac9494fe8a96a526e5340482cd9b2ca1a65bf3f31ad22f8
Instruction ID: 609fd5320f3736894535b51981f95e3d4faf5b0f44a63c85dacee75dc97e5f91
Opcode Fuzzy Hash: 482159C03AA5D247E11B38503C02FC671E1AB8B365C4E774182B9B32D6EF825029EF59
Instruction Fuzzy Hash: 609fd5320f3736894535b51981f95e3d4faf5b0f44a63c85dacee75dc97e5f91

APIs

ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EEA0
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF11
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EF31
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF60

Part of subcall function 00475BD8: closesocket.WSOCK32(00000248,00000000,00475D47,?,00000000,00475D76,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00475D2E
Part of subcall function 00475BD8: GetCurrentProcessId.KERNEL32(00000248,00000000,00475D47,?,00000000,00475D76,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00475D33

ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0047EF96
CopyFileA.KERNEL32(00000000,00000000,.dcp), ref: 0047F0D1

Part of subcall function 00489C78: GetSystemDirectoryA.KERNEL32(00000000,?), ref: 00489CB4

SetFileAttributesA.KERNEL32(00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFD6
DeleteFileA.KERNEL32(00000000,00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFFF
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0047F033
PlaySoundA.WINMM(00000000,00000000,00000001,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047F059

Strings

UPANDEXEC, xrefs: 0047EF74
UPLOADEXEC, xrefs: 0047EE7E
BATCH, xrefs: 0047EEC3
drivers\etc\hosts, xrefs: 0047EFC3, 0047EFE6, 0047F017
GENCODE, xrefs: 0047F0A0
UPDATE, xrefs: 0047EF3E
open, xrefs: 0047EE99, 0047EF0A, 0047EF2A, 0047EF59, 0047EF8F
HOSTS, xrefs: 0047EFA3
.dcp, xrefs: 0047F0AD
SOUND, xrefs: 0047F040
EDITSVR, xrefs: 0047F063

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00489580, Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 221 Total matches: 17pipewindowsleep

Similarity

Total matches: 17
API ID: CloseHandleCreatePipePeekNamedPipe$CreateProcessDispatchMessageGetEnvironmentVariableGetExitCodeProcessOemToCharPeekMessageReadFileSleepTerminateProcessTranslateMessage
String ID: COMSPEC$D
API String ID: 4101216710-942777791
Opcode ID: 98b6063c36b7c4f9ee270a2712a57a54142ac9cf893dea9da1c9317ddc3726ed
Instruction ID: f750be379b028122e82cf807415e9f3aafae13f02fb218c552ebf65ada2f023f
Opcode Fuzzy Hash: 6221AE4207BD57A3E5972A046403B841372FF43A68F6CA7A2A6FD367E9CE400099FE14
Instruction Fuzzy Hash: f750be379b028122e82cf807415e9f3aafae13f02fb218c552ebf65ada2f023f

APIs

CreatePipe.KERNEL32(FFFFFFFF,?,00000000,00000000), ref: 004895ED
CreatePipe.KERNEL32(?,?,00000000,00000000,FFFFFFFF,?,00000000,00000000), ref: 004895FD
GetEnvironmentVariableA.KERNEL32(COMSPEC,?,00000104,?,?,00000000,00000000,FFFFFFFF,?,00000000,00000000), ref: 00489613
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?), ref: 00489668
Sleep.KERNEL32(000007D0,00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,COMSPEC,?,00000104,?,?), ref: 00489685
TranslateMessage.USER32(?), ref: 00489693
DispatchMessageA.USER32(?), ref: 0048969F
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004896B3
GetExitCodeProcess.KERNEL32(?,?), ref: 004896C8
PeekNamedPipe.KERNEL32(FFFFFFFF,00000000,00000000,00000000,?,00000000,?,?,?,00000000,00000000,00000000,00000001,?,?,?), ref: 004896F2
ReadFile.KERNEL32(FFFFFFFF,?,00002400,00000000,00000000), ref: 00489717
OemToCharA.USER32(?,?), ref: 0048972E
PeekNamedPipe.KERNEL32(FFFFFFFF,00000000,00000000,00000000,00000000,00000000,?,FFFFFFFF,?,00002400,00000000,00000000,FFFFFFFF,00000000,00000000,00000000), ref: 00489781

Part of subcall function 0041FA34: GetLastError.KERNEL32(00486514,00000004,0048650C,00000000,0041FADE,?,00499F5C), ref: 0041FA94

Part of subcall function 0041FC40: SetThreadPriority.KERNEL32(?,015CDB28,00499F5C,?,0047EC9E,?,?,?,00000000,00000000,?,0049062B), ref: 0041FC55

Part of subcall function 0041FEF0: ResumeThread.KERNEL32(?,00499F5C,?,0047ECAA,?,?,?,00000000,00000000,?,0049062B), ref: 0041FEF8

Part of subcall function 0041FF20: GetCurrentThreadId.KERNEL32 ref: 0041FF2E
Part of subcall function 0041FF20: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0041FF5A
Part of subcall function 0041FF20: MsgWaitForMultipleObjects.USER32(00000002,?,00000000,000003E8,00000040), ref: 0041FF6F
Part of subcall function 0041FF20: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041FF9C
Part of subcall function 0041FF20: GetExitCodeThread.KERNEL32(?,?,?,000000FF), ref: 0041FFA7

TerminateProcess.KERNEL32(?,00000000,00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,COMSPEC,?,00000104,?), ref: 0048980A
CloseHandle.KERNEL32(?), ref: 00489813
CloseHandle.KERNEL32(?), ref: 0048981C

Strings

D, xrefs: 00489627
COMSPEC, xrefs: 0048960E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004291D0, Relevance: 31.7, APIs: 21, Instructions: 194 Total matches: 3060window

Similarity

Total matches: 3060
API ID: SelectObject$CreateCompatibleDCDeleteDCRealizePaletteSelectPaletteSetBkColor$BitBltCreateBitmapDeleteObjectGetDCGetObjectPatBltReleaseDC
String ID:
API String ID: 628774946-0
Opcode ID: fe3971f2977393a3c43567018b8bbe78de127415e632ac21538e816cc0dd5250
Instruction ID: 6115c1c3159ef7867d394253bd6a45f4e10092e6f2e7cc69ab30c5ac2c74a228
Opcode Fuzzy Hash: 2911294A05CCF32B64B579881983B261182FE43B52CABF7105979272CACF41740DE457
Instruction Fuzzy Hash: 6115c1c3159ef7867d394253bd6a45f4e10092e6f2e7cc69ab30c5ac2c74a228

APIs

GetObjectA.GDI32(?,00000054,?), ref: 004291F3
GetDC.USER32(00000000), ref: 00429221
CreateCompatibleDC.GDI32(?), ref: 00429232
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0042924D
SelectObject.GDI32(?,00000000), ref: 00429267
PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 00429289
CreateCompatibleDC.GDI32(?), ref: 00429297
DeleteDC.GDI32(?), ref: 0042937D

Part of subcall function 00428B08: GetObjectA.GDI32(00000000,00000054,?), ref: 00428B88
Part of subcall function 00428B08: GetDC.USER32(00000000), ref: 00428B99
Part of subcall function 00428B08: CreateCompatibleDC.GDI32(00000000), ref: 00428BAA
Part of subcall function 00428B08: CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 00428BF6
Part of subcall function 00428B08: CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 00428C1A
Part of subcall function 00428B08: GetDeviceCaps.GDI32(00000028,0000000C), ref: 00428C6A
Part of subcall function 00428B08: GetDeviceCaps.GDI32(00000028,0000000E), ref: 00428C77
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00428D21
Part of subcall function 00428B08: GetDIBColorTable.GDI32(?,00000000,00000100,-00000027), ref: 00428D47
Part of subcall function 00428B08: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428D72
Part of subcall function 00428B08: SelectObject.GDI32(?,?), ref: 00428D7F
Part of subcall function 00428B08: CreateDIBSection.GDI32(00000028,00000001,00000000,00000003,00000000,00000000), ref: 00428DD5
Part of subcall function 00428B08: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428E36
Part of subcall function 00428B08: SelectObject.GDI32(?,?), ref: 00428E77
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,00000000), ref: 00428EB7
Part of subcall function 00428B08: RealizePalette.GDI32(?), ref: 00428EC3
Part of subcall function 00428B08: FillRect.USER32(?,?,00000000), ref: 00428F14
Part of subcall function 00428B08: SetTextColor.GDI32(?,00000000), ref: 00428F2C
Part of subcall function 00428B08: SetBkColor.GDI32(?,00000000), ref: 00428F46
Part of subcall function 00428B08: SetDIBColorTable.GDI32(?,00000000,00000002,?), ref: 00428F8E
Part of subcall function 00428B08: PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 00428FB0
Part of subcall function 00428B08: CreateCompatibleDC.GDI32(00000028), ref: 00428FC3
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00428FE6
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,00000000), ref: 00429002
Part of subcall function 00428B08: RealizePalette.GDI32(?), ref: 0042900D
Part of subcall function 00428B08: SetTextColor.GDI32(?,00000000), ref: 0042902B
Part of subcall function 00428B08: SetBkColor.GDI32(?,00000000), ref: 00429045
Part of subcall function 00428B08: BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042906D
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,000000FF), ref: 0042907F
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00429089
Part of subcall function 00428B08: DeleteDC.GDI32(?), ref: 004290A4
Part of subcall function 00428B08: SelectPalette.GDI32(?,?,000000FF), ref: 004290CE

SelectObject.GDI32(?), ref: 004292DF
SelectPalette.GDI32(?,?,00000000), ref: 004292F2
RealizePalette.GDI32(?), ref: 004292FB
SelectPalette.GDI32(?,?,00000000), ref: 00429307
RealizePalette.GDI32(?), ref: 00429310
SetBkColor.GDI32(?), ref: 0042931A
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042933E
SetBkColor.GDI32(?,00000000), ref: 00429348
SelectObject.GDI32(?,00000000), ref: 0042935B
DeleteObject.GDI32 ref: 00429367
SelectObject.GDI32(?,00000000), ref: 00429398
DeleteDC.GDI32(00000000), ref: 004293B4
ReleaseDC.USER32(00000000,00000000), ref: 004293C5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004031FC, Relevance: 27.1, APIs: 9, Strings: 9, Instructions: 110 Total matches: 169

Similarity

Total matches: 169
API ID: CharNext
String ID: $ $ $"$"$"$"$"$"
API String ID: 3213498283-3597982963
Opcode ID: a78e52ca640c3a7d11d18e4cac849d6c7481ab065be4a6ef34a7c34927dd7892
Instruction ID: 5d6dbb870b020a65ba4fa9e31a5dda400ef744f15fc7bff5e21739e263984da5
Opcode Fuzzy Hash: D0F054139ED4432360976B416872B44E2D0DF9564D2C01F185B62BE2F31E696D62F9DC
Instruction Fuzzy Hash: 5d6dbb870b020a65ba4fa9e31a5dda400ef744f15fc7bff5e21739e263984da5

APIs

CharNextA.USER32(00000000), ref: 00403208
CharNextA.USER32(00000000), ref: 00403236
CharNextA.USER32(00000000), ref: 00403240
CharNextA.USER32(00000000), ref: 0040325F
CharNextA.USER32(00000000), ref: 00403269
CharNextA.USER32(00000000), ref: 00403295
CharNextA.USER32(00000000), ref: 0040329F
CharNextA.USER32(00000000), ref: 004032C7
CharNextA.USER32(00000000), ref: 004032D1

Strings

", xrefs: 00403230
, xrefs: 004032E9
", xrefs: 0040328F
", xrefs: 0040321E
, xrefs: 00403214
", xrefs: 00403254
, xrefs: 00403278
", xrefs: 00403219
", xrefs: 004032BC

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00472E88, Relevance: 26.4, APIs: 6, Strings: 9, Instructions: 199 Total matches: 19network

Similarity

Total matches: 19
API ID: inet_ntoa$WSAIoctlclosesocketsocket
String ID: Broadcast adress : $ Broadcasts : NO$ Broadcasts : YES$ IP : $ IP Mask : $ Loopback interface$ Network interface$ Status : DOWN$ Status : UP
API String ID: 2271367613-1810517698
Opcode ID: 3d4dbe25dc82bdd7fd028c6f91bddee7ad6dc1d8a686e5486e056cbc58026438
Instruction ID: 018b2a24353d4e3a07e7e79b390110fecb7011e72bd4e8fb6250bb24c4a02172
Opcode Fuzzy Hash: E22138C22338E1B2D42A39C6B500F80B651671FB7EF481F9652B6FFDC26E488005A749
Instruction Fuzzy Hash: 018b2a24353d4e3a07e7e79b390110fecb7011e72bd4e8fb6250bb24c4a02172

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00473108), ref: 00472EC7
WSAIoctl.WS2_32(000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000), ref: 00472F08
inet_ntoa.WSOCK32(?,00000000,004730D5,?,00000002,00000001,00000000,00000000,00473108), ref: 00472F40
inet_ntoa.WSOCK32(?,00473130,?, IP : ,?,?,00000000,004730D5,?,00000002,00000001,00000000,00000000,00473108), ref: 00472F81
inet_ntoa.WSOCK32(?,00473130,?, IP Mask : ,?,?,00473130,?, IP : ,?,?,00000000,004730D5,?,00000002,00000001), ref: 00472FC2
closesocket.WSOCK32(000000FF,00000002,00000001,00000000,00000000,00473108), ref: 004730E3

Strings

Broadcast adress : , xrefs: 00472FCB
Status : UP, xrefs: 00473001
IP Mask : , xrefs: 00472F8A
Broadcasts : NO, xrefs: 00473057
Status : DOWN, xrefs: 0047301B
IP : , xrefs: 00472F49
Broadcasts : YES, xrefs: 0047303D
Network interface, xrefs: 00473091
Loopback interface, xrefs: 00473077

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045944C, Relevance: 25.8, APIs: 17, Instructions: 258 Total matches: 99

Similarity

Total matches: 99
API ID: OffsetRect$MapWindowPoints$DrawEdgeExcludeClipRectFillRectGetClientRectGetRgnBoxGetWindowDCGetWindowLongGetWindowRectInflateRectIntersectClipRectIntersectRectReleaseDC
String ID:
API String ID: 549690890-0
Opcode ID: 4a5933c45267f4417683cc1ac528043082b1f46eca0dcd21c58a50742ec4aa88
Instruction ID: 2ecbe6093ff51080a4fa1a6c7503b414327ded251fe39163baabcde2d7402924
Opcode Fuzzy Hash: DE316B4D01AF1663F073A6401983F7A1516FF43A89CD837F27EE63235E27662066AA03
Instruction Fuzzy Hash: 2ecbe6093ff51080a4fa1a6c7503b414327ded251fe39163baabcde2d7402924

APIs

GetWindowDC.USER32(00000000), ref: 00459480
GetClientRect.USER32(00000000,?), ref: 004594A3
GetWindowRect.USER32(00000000,?), ref: 004594B5
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 004594CB
OffsetRect.USER32(?,?,?), ref: 004594E0
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 004594F9
InflateRect.USER32(?,00000000,00000000), ref: 00459517
GetWindowLongA.USER32(00000000,000000F0), ref: 00459531
DrawEdge.USER32(?,?,?,00000008), ref: 00459630
IntersectClipRect.GDI32(?,?,?,?,?), ref: 00459649
OffsetRect.USER32(?,?,?), ref: 00459673
GetRgnBox.GDI32(?,?), ref: 00459682
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 00459698
IntersectRect.USER32(?,?,?), ref: 004596A9
OffsetRect.USER32(?,?,?), ref: 004596BE

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?,00000000), ref: 004596DA
ReleaseDC.USER32(00000000,?), ref: 004596F9

Part of subcall function 004328FC: GetWindowLongA.USER32(00000000,000000EC), ref: 00432917
Part of subcall function 004328FC: GetWindowRect.USER32(00000000,?), ref: 00432932
Part of subcall function 004328FC: OffsetRect.USER32(?,?,?), ref: 00432947
Part of subcall function 004328FC: GetWindowDC.USER32(00000000), ref: 00432955
Part of subcall function 004328FC: GetWindowLongA.USER32(00000000,000000F0), ref: 00432986
Part of subcall function 004328FC: GetSystemMetrics.USER32(00000002), ref: 0043299B
Part of subcall function 004328FC: GetSystemMetrics.USER32(00000003), ref: 004329A4
Part of subcall function 004328FC: InflateRect.USER32(?,000000FE,000000FE), ref: 004329B3
Part of subcall function 004328FC: GetSysColorBrush.USER32(0000000F), ref: 004329E0
Part of subcall function 004328FC: FillRect.USER32(?,?,00000000), ref: 004329EE
Part of subcall function 004328FC: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00432A13
Part of subcall function 004328FC: ReleaseDC.USER32(00000000,?), ref: 00432A51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00465A0C, Relevance: 21.2, APIs: 6, Strings: 8, Instructions: 232 Total matches: 70memory

Similarity

Total matches: 70
API ID: VirtualAlloc$GetProcessHeapHeapAlloc
String ID: BTMemoryLoadLibary: BuildImportTable failed$BTMemoryLoadLibary: Can't attach library$BTMemoryLoadLibary: Get DLLEntyPoint failed$BTMemoryLoadLibary: IMAGE_NT_SIGNATURE is not valid$BTMemoryLoadLibary: VirtualAlloc failed$BTMemoryLoadLibary: dll dos header is not valid$MZ$PE
API String ID: 2488116186-3631919656
Opcode ID: 3af931fd5e956d794d4d8b2d9451c0c23910b02d2e1f96ee73557f06256af9ed
Instruction ID: 5201b0f892773e34eb121d15694a5594f27085db04a31d88d5a3aa16cfd2fb7b
Opcode Fuzzy Hash: C92170831B68E1B7FD6411983983F62168EE747E64EC5A7700375391DB6B09408DEB4E
Instruction Fuzzy Hash: 5201b0f892773e34eb121d15694a5594f27085db04a31d88d5a3aa16cfd2fb7b

APIs

VirtualAlloc.KERNEL32(?,?,00002000,00000004), ref: 00465AC1
VirtualAlloc.KERNEL32(00000000,?,00002000,00000004,?,?,00002000,00000004), ref: 00465ADC
GetProcessHeap.KERNEL32(00000000,00000011,?,?,00002000,00000004), ref: 00465B07
HeapAlloc.KERNEL32(00000000,00000000,00000011,?,?,00002000,00000004), ref: 00465B0D
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,00000000,00000000,00000011,?,?,00002000,00000004), ref: 00465B41
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,00000000,?,00001000,00000004,00000000,00000000,00000011,?,?,00002000,00000004), ref: 00465B55

Part of subcall function 004653A8: VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00465410
Part of subcall function 004653A8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004), ref: 0046545B

Part of subcall function 00465598: LoadLibraryA.KERNEL32(00000000), ref: 00465607
Part of subcall function 00465598: GetProcAddress.KERNEL32(?,?), ref: 00465737
Part of subcall function 00465598: GetProcAddress.KERNEL32(?,?), ref: 0046576B
Part of subcall function 00465598: IsBadReadPtr.KERNEL32(?,00000014,00000000,004657D8), ref: 004657A9

Part of subcall function 004658F4: VirtualFree.KERNEL32(?,?,00004000), ref: 00465939
Part of subcall function 004658F4: VirtualProtect.KERNEL32(?,?,00000000,?), ref: 004659A5

Part of subcall function 00466038: FreeLibrary.KERNEL32(00000000,?,?,00000000,?,00000000,00465C6C), ref: 004660A7
Part of subcall function 00466038: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,?,00000000,00465C6C), ref: 004660D8
Part of subcall function 00466038: GetProcessHeap.KERNEL32(00000000,?,?,?,00000000,?,00000000,00465C6C), ref: 004660E0
Part of subcall function 00466038: HeapFree.KERNEL32(00000000,00000000,?), ref: 004660E6

Strings

BTMemoryLoadLibary: BuildImportTable failed, xrefs: 00465BD5
BTMemoryLoadLibary: Can't attach library, xrefs: 00465C5A
BTMemoryLoadLibary: IMAGE_NT_SIGNATURE is not valid, xrefs: 00465A95
BTMemoryLoadLibary: VirtualAlloc failed, xrefs: 00465AEC
PE, xrefs: 00465A84
BTMemoryLoadLibary: dll dos header is not valid, xrefs: 00465A4E
MZ, xrefs: 00465A41
BTMemoryLoadLibary: Get DLLEntyPoint failed, xrefs: 00465C28

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004296E0, Relevance: 21.2, APIs: 14, Instructions: 217 Total matches: 2962window

Similarity

Total matches: 2962
API ID: GetDeviceCapsSelectObjectSelectPaletteSetStretchBltMode$CreateCompatibleDCDeleteDCGetBrushOrgExRealizePaletteSetBrushOrgExStretchBlt
String ID:
API String ID: 3308931694-0
Opcode ID: c4f23efe5e20e7f72d9787206ae9d4d4484ef6a1768b369050ebc0ce3d21af64
Instruction ID: 6e80a75276815f297b150d1899ec2451361d21afa1efcd092d0d7bc48a04164e
Opcode Fuzzy Hash: 2C21980A409CEB6BF0BB78840183F4A2285BF9B34ACD1BB210E64673635F04E40BD65F
Instruction Fuzzy Hash: 6e80a75276815f297b150d1899ec2451361d21afa1efcd092d0d7bc48a04164e

APIs

Part of subcall function 00429D5C: GetDC.USER32(00000000), ref: 00429DB2
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429DC7
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00429DD1
Part of subcall function 00429D5C: CreateHalftonePalette.GDI32(00000000), ref: 00429DF5
Part of subcall function 00429D5C: ReleaseDC.USER32(00000000,00000000), ref: 00429E00

SelectPalette.GDI32(?,?,000000FF), ref: 00429723
RealizePalette.GDI32(?), ref: 00429732
GetDeviceCaps.GDI32(?,0000000C), ref: 00429744
GetDeviceCaps.GDI32(?,0000000E), ref: 00429753
GetBrushOrgEx.GDI32(?,?), ref: 00429786
SetStretchBltMode.GDI32(?,00000004), ref: 00429794
SetBrushOrgEx.GDI32(?,?,?,?), ref: 004297AC
SetStretchBltMode.GDI32(00000000,00000003), ref: 004297C9
SelectPalette.GDI32(?,?,000000FF), ref: 00429918

Part of subcall function 00429CFC: DeleteObject.GDI32(?), ref: 00429D1F

CreateCompatibleDC.GDI32(00000000), ref: 0042982A
SelectObject.GDI32(?,?), ref: 0042983F

Part of subcall function 00425CC8: CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 00425D0B
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425D20
Part of subcall function 00425CC8: MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,CCAA0029), ref: 00425D64
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425D7E
Part of subcall function 00425CC8: DeleteObject.GDI32(?), ref: 00425D8A
Part of subcall function 00425CC8: CreateCompatibleDC.GDI32(00000000), ref: 00425D9E
Part of subcall function 00425CC8: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00425DBF
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425DD4
Part of subcall function 00425CC8: SelectPalette.GDI32(?,48080787,00000000), ref: 00425DE8
Part of subcall function 00425CC8: SelectPalette.GDI32(?,?,00000000), ref: 00425DFA
Part of subcall function 00425CC8: SelectPalette.GDI32(?,00000000,000000FF), ref: 00425E0F
Part of subcall function 00425CC8: SelectPalette.GDI32(?,48080787,000000FF), ref: 00425E25
Part of subcall function 00425CC8: RealizePalette.GDI32(?), ref: 00425E31
Part of subcall function 00425CC8: StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 00425E53
Part of subcall function 00425CC8: StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 00425E75
Part of subcall function 00425CC8: SetTextColor.GDI32(?,00000000), ref: 00425E7D
Part of subcall function 00425CC8: SetBkColor.GDI32(?,00FFFFFF), ref: 00425E8B
Part of subcall function 00425CC8: StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 00425EB7
Part of subcall function 00425CC8: StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 00425EDC
Part of subcall function 00425CC8: SetTextColor.GDI32(?,?), ref: 00425EE6
Part of subcall function 00425CC8: SetBkColor.GDI32(?,?), ref: 00425EF0
Part of subcall function 00425CC8: SelectObject.GDI32(?,00000000), ref: 00425F03
Part of subcall function 00425CC8: DeleteObject.GDI32(?), ref: 00425F0C
Part of subcall function 00425CC8: SelectPalette.GDI32(?,00000000,00000000), ref: 00425F2E
Part of subcall function 00425CC8: DeleteDC.GDI32(?), ref: 00425F37

SelectObject.GDI32(?,00000000), ref: 0042989E
DeleteDC.GDI32(00000000), ref: 004298AD
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,?), ref: 004298F3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474208, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 49 Total matches: 17libraryloader

Similarity

Total matches: 17
API ID: GetProcAddress$LoadLibrary
String ID: WlanCloseHandle$WlanEnumInterfaces$WlanGetAvailableNetworkList$WlanOpenHandle$WlanQueryInterface$[FILE]
API String ID: 2209490600-3498334979
Opcode ID: 5146edb54a207047eae4574c9a27975307ac735bfb4468aea4e07443cdf6e803
Instruction ID: f89292433987c39bc7d9e273a1951c9a278ebb56a2de24d0a3e4590a01f53334
Opcode Fuzzy Hash: 50E0B6FD90BAA808D37089CC31962431D6E7BE332DA621E00086A230902B4FF2766935
Instruction Fuzzy Hash: f89292433987c39bc7d9e273a1951c9a278ebb56a2de24d0a3e4590a01f53334

APIs

LoadLibraryA.KERNEL32(wlanapi.dll), ref: 00474216
GetProcAddress.KERNEL32(00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 0047422E
GetProcAddress.KERNEL32(00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 00474249
GetProcAddress.KERNEL32(00000000,WlanEnumInterfaces,00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 00474264
GetProcAddress.KERNEL32(00000000,WlanQueryInterface,00000000,WlanEnumInterfaces,00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 0047427F
GetProcAddress.KERNEL32(00000000,WlanGetAvailableNetworkList,00000000,WlanQueryInterface,00000000,WlanEnumInterfaces,00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 0047429A

Strings

WlanOpenHandle, xrefs: 00474226
wlanapi.dll, xrefs: 00474211
WlanGetAvailableNetworkList, xrefs: 00474292
WlanQueryInterface, xrefs: 00474277
WlanEnumInterfaces, xrefs: 0047425C
WlanCloseHandle, xrefs: 00474241

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048D3C4, Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 132 Total matches: 32

Similarity

Total matches: 32
API ID: GetVersionEx
String ID: Unknow$Windows 2000$Windows 7$Windows 95$Windows 98$Windows Me$Windows NT 4.0$Windows Server 2003$Windows Vista$Windows XP
API String ID: 3908303307-3783844371
Opcode ID: 7b5a5832e5fd12129a8a2e2906a492b9449b8df28a17af9cc2e55bced20de565
Instruction ID: b844ed6b70e0e94de659292c354b68b9ed016400ab421bcb6baea74a0809c2ae
Opcode Fuzzy Hash: 0C11ACC1EB6CE422E7B219486410BD59E805F8B83AFCCC343D63EA83E46D491419F22D
Instruction Fuzzy Hash: b844ed6b70e0e94de659292c354b68b9ed016400ab421bcb6baea74a0809c2ae

APIs

GetVersionExA.KERNEL32(00000094), ref: 0048D410

Strings

Windows Me, xrefs: 0048D4F2
Windows NT 4.0, xrefs: 0048D441
Windows 2000, xrefs: 0048D467
Windows 95, xrefs: 0048D4D6
Windows 7, xrefs: 0048D4B1
Unknow, xrefs: 0048D3F5
Windows Vista, xrefs: 0048D4A3
Windows Server 2003, xrefs: 0048D486
Windows XP, xrefs: 0048D478
Windows 98, xrefs: 0048D4E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C494, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 102 Total matches: 27filememorythread

Similarity

Total matches: 27
API ID: CloseHandle$CreateFileCreateThreadFindResourceLoadResourceLocalAllocLockResourceSizeofResourceWriteFile
String ID: [FILE]
API String ID: 67866216-124780900
Opcode ID: 96c988e38e59b89ff17cc2eaece477f828ad8744e4a6eccd5192cfbc043553d8
Instruction ID: 630cc112895e8414539e3ba5b7ba0394fd4404f3832c6fa9d37db38bf09270f9
Opcode Fuzzy Hash: D5F02B8A57A5E6A3F0003C841D423D286D55B13B20E582B62C57CB75C1FE24502AFB03
Instruction Fuzzy Hash: 630cc112895e8414539e3ba5b7ba0394fd4404f3832c6fa9d37db38bf09270f9

APIs

FindResourceA.KERNEL32(00000000,?,?), ref: 0048C4C3

Part of subcall function 00489BB0: GetTempPathA.KERNEL32(?,00000000), ref: 00489BEC

CreateFileA.KERNEL32(00000000,.dll,?,?,40000000,00000002,00000000), ref: 0048C50F
SizeofResource.KERNEL32(00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC,?,?,?,?,00000000,00000000,00000000), ref: 0048C51F
LoadResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C528
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C52E
WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0048C535
CloseHandle.KERNEL32(00000000), ref: 0048C53B
LocalAlloc.KERNEL32(00000040,00000004,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C544
CreateThread.KERNEL32(00000000,00000000,0048C3E4,00000000,00000000,?), ref: 0048C586
CloseHandle.KERNEL32(00000000), ref: 0048C58C

Strings

.dll, xrefs: 0048C4F4, 0048C565

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004085D4, Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 61 Total matches: 268windowregistry

Similarity

Total matches: 268
API ID: RegisterWindowMessage$SendMessage$FindWindow
String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
API String ID: 773075572-3736581797
Opcode ID: b8d29d158da692a3f30c7c46c0fd30bc084ed528be5294db655e4684b6c0c80f
Instruction ID: 4e75a9db2a85290b2bd165713cc3b8ab264a87c6022b985514cebb886d0c2653
Opcode Fuzzy Hash: E3E086048EC5E4C040877D156905746525A5B47E33E88971245FC69EEBDF12706CF60B
Instruction Fuzzy Hash: 4e75a9db2a85290b2bd165713cc3b8ab264a87c6022b985514cebb886d0c2653

APIs

FindWindowA.USER32(MouseZ,Magellan MSWHEEL), ref: 004085EC
RegisterWindowMessageA.USER32(MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 004085F8
RegisterWindowMessageA.USER32(MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 00408607
RegisterWindowMessageA.USER32(MSH_SCROLL_LINES_MSG,MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 00408613
SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 0040862B
SendMessageA.USER32(00000000,?,00000000,00000000), ref: 0040864F

Strings

MSH_SCROLL_LINES_MSG, xrefs: 0040860E
MSH_WHEELSUPPORT_MSG, xrefs: 00408602
MouseZ, xrefs: 004085E7
Magellan MSWHEEL, xrefs: 004085E2
MSWHEEL_ROLLMSG, xrefs: 004085F3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00442280, Relevance: 18.5, APIs: 12, Instructions: 471 Total matches: 76window

Similarity

Total matches: 76
API ID: ShowWindow$SendMessageSetWindowPos$CallWindowProcGetActiveWindowSetActiveWindow
String ID:
API String ID: 1078102291-0
Opcode ID: 5a6bc4dc446307c7628f18d730adac2faaaadfe5fec0ff2c8aaad915570e293a
Instruction ID: d2d7a330045c082ee8847ac264425c59ea8f05af409e416109ccbd6a8a647aa5
Opcode Fuzzy Hash: AA512601698E2453F8A360442A87BAB6077F74EB54CC4AB744BCF530AB3A51D837E74B
Instruction Fuzzy Hash: d2d7a330045c082ee8847ac264425c59ea8f05af409e416109ccbd6a8a647aa5

APIs

Part of subcall function 004471C4: IsChild.USER32(00000000,00000000), ref: 00447222

SendMessageA.USER32(?,00000223,00000000,00000000), ref: 004426BE
ShowWindow.USER32(00000000,00000003), ref: 004426CE
ShowWindow.USER32(00000000,00000002), ref: 004426F0
CallWindowProcA.USER32(00407FF8,00000000,00000005,00000000,?), ref: 00442719
SendMessageA.USER32(?,00000234,00000000,00000000), ref: 0044273E
ShowWindow.USER32(00000000,?), ref: 00442763
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000097), ref: 004427FF
GetActiveWindow.USER32 ref: 00442815
ShowWindow.USER32(00000000,00000000), ref: 00442872

Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773

Part of subcall function 0043BA80: GetCurrentThreadId.KERNEL32(Function_0003BA1C,00000000,0044283C,00000000,004428BF), ref: 0043BA9A
Part of subcall function 0043BA80: EnumThreadWindows.USER32(00000000,Function_0003BA1C,00000000), ref: 0043BAA0

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000097), ref: 0044285A
SetActiveWindow.USER32(00000000), ref: 00442860
ShowWindow.USER32(00000000,00000001), ref: 004428A2

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004328FC, Relevance: 18.1, APIs: 12, Instructions: 142 Total matches: 2670

Similarity

Total matches: 2670
API ID: GetSystemMetricsGetWindowLong$ExcludeClipRectFillRectGetSysColorBrushGetWindowDCGetWindowRectInflateRectOffsetRectReleaseDC
String ID:
API String ID: 3932036319-0
Opcode ID: 76064c448b287af48dc2af56ceef959adfeb7e49e56a31cb381aae6292753b0b
Instruction ID: f04c829c48dd0ecc4740a09c532db4e7ffce190e9eba6ce852bb2d0274806371
Opcode Fuzzy Hash: 03019760024F1233E0B31AC05DC7F127621ED45386CA4BBF28BF6A72C962AA7006F467
Instruction Fuzzy Hash: f04c829c48dd0ecc4740a09c532db4e7ffce190e9eba6ce852bb2d0274806371

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 00432917
GetWindowRect.USER32(00000000,?), ref: 00432932
OffsetRect.USER32(?,?,?), ref: 00432947
GetWindowDC.USER32(00000000), ref: 00432955
GetWindowLongA.USER32(00000000,000000F0), ref: 00432986
GetSystemMetrics.USER32(00000002), ref: 0043299B
GetSystemMetrics.USER32(00000003), ref: 004329A4
InflateRect.USER32(?,000000FE,000000FE), ref: 004329B3
GetSysColorBrush.USER32(0000000F), ref: 004329E0
FillRect.USER32(?,?,00000000), ref: 004329EE
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00432A13
ReleaseDC.USER32(00000000,?), ref: 00432A51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00402820, Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 254 Total matches: 200window

Similarity

Total matches: 200
API ID: MessageBox
String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
API String ID: 1250089747-1256731999
Opcode ID: 490897b8e9acac750f9d51d50a768472c0795dbdc6439b18441db86d626ce938
Instruction ID: 76dfa530adb1b8c2cc13e2667be7c25ba156ed0594aa9714788bfb3d1a0eda85
Opcode Fuzzy Hash: 0731F44BA7DDC3A2D3E91303684575550E2A7C5537C888F609772317F6EE04250BAAAD
Instruction Fuzzy Hash: 76dfa530adb1b8c2cc13e2667be7c25ba156ed0594aa9714788bfb3d1a0eda85

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 00402BBE

Strings

An unexpected memory leak has occurred. , xrefs: 00402980
String, xrefs: 00402A91
, xrefs: 00402B04
Unknown, xrefs: 00402A7C
The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402B39
The unexpected small block leaks are:, xrefs: 004029F7
Unexpected Memory Leak, xrefs: 00402BB0
7, xrefs: 00402991
bytes: , xrefs: 00402A4D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F17C, Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 116 Total matches: 33window

Similarity

Total matches: 33
API ID: GetWindowPlacementGetWindowTextIsWindowVisible
String ID: ,$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive$True
API String ID: 41250382-511446200
Opcode ID: 2a93bd2407602c988be198f02ecb64933adb9ffad78aee0f75abc9a1a22a1849
Instruction ID: 8f95e1a452f283c9d6a5f9db166b7f7b6e325fa1ebf04232aa01919826a7e185
Opcode Fuzzy Hash: F5012D8237CECA73DA0AAEC47C00B80D5A5AF63224CC867A14A9D3D1D41ED06009AB4A
Instruction Fuzzy Hash: 8f95e1a452f283c9d6a5f9db166b7f7b6e325fa1ebf04232aa01919826a7e185

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F1D2
GetWindowPlacement.USER32(?,0000002C), ref: 0046F1ED
IsWindowVisible.USER32(?), ref: 0046F258

Part of subcall function 0046F148: GetWindow.USER32(?,00000005), ref: 0046F156
Part of subcall function 0046F148: GetWindow.USER32(00000000,00000002), ref: 0046F164

Strings

,, xrefs: 0046F1E1
Minimized, xrefs: 0046F225
Show/Unactive, xrefs: 0046F239
True, xrefs: 0046F2AA
Maximized, xrefs: 0046F1FD
Normal, xrefs: 0046F211
Normal/Unactive, xrefs: 0046F24D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E71C, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 109 Total matches: 2989

Similarity

Total matches: 2989
API ID: IntersectRect$GetSystemMetrics$EnumDisplayMonitorsGetClipBoxGetDCOrgExOffsetRect
String ID: EnumDisplayMonitors
API String ID: 2403121106-2491903729
Opcode ID: 52db4d6629bbd73772140d7e04a91d47a072080cb3515019dbe85a8b86b11587
Instruction ID: b4557ab74b20c8893b9e8c5043286aecf6e43751f6ec849995a879e485a4fa77
Opcode Fuzzy Hash: 60F02B4B413C0863AD32BB953067E2601615BD3955C9F7BF34D077A2091B85B42EF643
Instruction Fuzzy Hash: b4557ab74b20c8893b9e8c5043286aecf6e43751f6ec849995a879e485a4fa77

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 0042E755
GetSystemMetrics.USER32(00000000), ref: 0042E77A
GetSystemMetrics.USER32(00000001), ref: 0042E785
GetClipBox.GDI32(?,?), ref: 0042E797
GetDCOrgEx.GDI32(?,?), ref: 0042E7A4
OffsetRect.USER32(?,?,?), ref: 0042E7BD
IntersectRect.USER32(?,?,?), ref: 0042E7CE
IntersectRect.USER32(?,?,?), ref: 0042E7E4
IntersectRect.USER32(?,?,?), ref: 0042E804

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

EnumDisplayMonitors, xrefs: 0042E734

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044D1B0, Relevance: 16.6, APIs: 11, Instructions: 91 Total matches: 309

Similarity

Total matches: 309
API ID: GetWindowLongSetWindowLong$SetProp$IsWindowUnicode
String ID:
API String ID: 2416549522-0
Opcode ID: cc33e88019e13a6bdd1cd1f337bb9aa08043e237bf24f75c2294c70aefb51ea5
Instruction ID: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692
Opcode Fuzzy Hash: 47F09048455D92E9CE316990181BFEB6098AF57F91CE86B0469C2713778E50F079BCC2
Instruction Fuzzy Hash: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692

APIs

IsWindowUnicode.USER32(?), ref: 0044D1CA
SetWindowLongW.USER32(?,000000FC,?), ref: 0044D1E5
GetWindowLongW.USER32(?,000000F0), ref: 0044D1F0
GetWindowLongW.USER32(?,000000F4), ref: 0044D202
SetWindowLongW.USER32(?,000000F4,?), ref: 0044D215
SetWindowLongA.USER32(?,000000FC,?), ref: 0044D22E
GetWindowLongA.USER32(?,000000F0), ref: 0044D239
GetWindowLongA.USER32(?,000000F4), ref: 0044D24B
SetWindowLongA.USER32(?,000000F4,?), ref: 0044D25E
SetPropA.USER32(?,00000000,00000000), ref: 0044D275
SetPropA.USER32(?,00000000,00000000), ref: 0044D28C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00485954, Relevance: 16.0, APIs: 4, Strings: 5, Instructions: 236 Total matches: 15filewindow

Similarity

Total matches: 15
API ID: DeleteFile$BeepMessageBox
String ID: Error$SYSINFO$out.txt$systeminfo$tmp.txt
API String ID: 2513333429-345806071
Opcode ID: 175ef29eb0126f4faf8d8d995bdbdcdb5595b05f6195c7c08c0282fe984d4c47
Instruction ID: 39f7f17e1c987efdb7b4b5db2f739eec2f93dce701a473bbe0ca777f64945c64
Opcode Fuzzy Hash: 473108146FCD9607E0675C047D43BB622369F83488E8AB3736AB7321E95E12C007FE96
Instruction Fuzzy Hash: 39f7f17e1c987efdb7b4b5db2f739eec2f93dce701a473bbe0ca777f64945c64

APIs

Beep.KERNEL32(00000000,00000000,?,00000000,00485C82), ref: 00485C68

Part of subcall function 00489BB0: GetTempPathA.KERNEL32(?,00000000), ref: 00489BEC

Part of subcall function 0048AB58: DeleteFileA.KERNEL32(00000000,00000000,0048ABE5,?,00000000,0048AC07), ref: 0048ABA5

Part of subcall function 0048A8AC: CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000004,00000100,00000000), ref: 0048A953
Part of subcall function 0048A8AC: CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000002,00000100,00000000), ref: 0048A98D
Part of subcall function 0048A8AC: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000110,00000000,00000000,00000044,?), ref: 0048AA10
Part of subcall function 0048A8AC: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0048AA2D
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA68
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA77
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA86
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA95

DeleteFileA.KERNEL32(00000000,Error,00000000,00485C82), ref: 00485A63
DeleteFileA.KERNEL32(00000000,00000000,Error,00000000,00485C82), ref: 00485A92

Part of subcall function 00485888: LocalAlloc.KERNEL32(00000040,00000014,00000000,00485939), ref: 004858C3
Part of subcall function 00485888: CreateThread.KERNEL32(00000000,00000000,Function_0008317C,00000000,00000000,00499F94), ref: 00485913
Part of subcall function 00485888: CloseHandle.KERNEL32(00000000), ref: 00485919

MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00485BE3

Strings

systeminfo, xrefs: 00485A14
tmp.txt, xrefs: 004859CA, 00485A07, 00485A79
Error, xrefs: 004859DE
SYSINFO, xrefs: 00485AAE
out.txt, xrefs: 004859AB, 004859EE, 00485A2A, 00485A4A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00462C84, Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 197 Total matches: 15com

Similarity

Total matches: 15
API ID: CoCreateInstance
String ID: )I$,*I$\)I$l)I$|*I
API String ID: 206711758-730570145
Opcode ID: 8999b16d8999ffb1a836ee872fd39b0ec17270f551e5dbcbb19cdec74f308aa7
Instruction ID: 5b7ba80d8099b44c35cabc3879083aa44c7049928a8bf14f2fd8312944c66e37
Opcode Fuzzy Hash: D1212B50148E6143E69475A53D92FAF11533BAB341E68BA6821DF30396CF01619BBF86
Instruction Fuzzy Hash: 5b7ba80d8099b44c35cabc3879083aa44c7049928a8bf14f2fd8312944c66e37

APIs

CoCreateInstance.OLE32(00492A2C,00000000,00000003,0049296C,00000000), ref: 00462CC9
CoCreateInstance.OLE32(00492A8C,00000000,00000001,00462EC8,00000000), ref: 00462CF4
CoCreateInstance.OLE32(00492A9C,00000000,00000001,0049295C,00000000), ref: 00462D20
CoCreateInstance.OLE32(00492A1C,00000000,00000003,004929AC,00000000), ref: 00462E12

Strings

,*I, xrefs: 00462CC3
l)I, xrefs: 00462CB9
)I, xrefs: 00462E4B
\)I, xrefs: 00462D10
|*I, xrefs: 00462D3C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048485C, Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 185 Total matches: 16networkfile

Similarity

Total matches: 16
API ID: HttpQueryInfoInternetCloseHandleInternetOpenInternetOpenUrlInternetReadFileShellExecute
String ID: 200$Mozilla$open
API String ID: 3970492845-1265730427
Opcode ID: 3dc36a46b375420b33b8be952117d0a4158fa58e722c19be8f44cfd6d7effa21
Instruction ID: c028a43d89851b06b6d8b312316828d3eee8359a726d0fa9a5f52c6647499b4f
Opcode Fuzzy Hash: B0213B401399C252F8372E512C83B9D101FDF82639F8857F197B9396D5EF48400DFA9A
Instruction Fuzzy Hash: c028a43d89851b06b6d8b312316828d3eee8359a726d0fa9a5f52c6647499b4f

APIs

InternetOpenA.WININET(Mozilla,00000001,00000000,00000000,00000000), ref: 0048490C
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,04000000,00000000), ref: 00484944
HttpQueryInfoA.WININET(00000000,00000013,?,00000200,?), ref: 0048497D
InternetReadFile.WININET(00000000,?,00000400,?), ref: 00484A04
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 00484A75
InternetCloseHandle.WININET(00000000), ref: 00484A95

Strings

200, xrefs: 004849BD
Mozilla, xrefs: 00484907
open, xrefs: 00484A6E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00448A94, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 170 Total matches: 10window

Similarity

Total matches: 10
API ID: BitBltImageList_DrawExSetBkColorSetTextColor
String ID: 6B
API String ID: 2442363623-1343726390
Opcode ID: f3e76f340fad2a36508cc9c10341b5bdbc0f221426f742f3eb9c92a513530c20
Instruction ID: 7c37791f634a82759e4cc75f05e789a5555426b5a490053cb838fe875b53176d
Opcode Fuzzy Hash: 041108094568A31EE56978080947F3721865B07A61C4A77A03AF31B3DACD443147FB69
Instruction Fuzzy Hash: 7c37791f634a82759e4cc75f05e789a5555426b5a490053cb838fe875b53176d

APIs

ImageList_DrawEx.COMCTL32(00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,?), ref: 00448AF3

Part of subcall function 0042535C: FillRect.USER32(?,00000000,00000000), ref: 00425385

ImageList_DrawEx.COMCTL32(00000000,?,00000000,00000000,00000000,00000000,00000000,000000FF,00000000,00000000), ref: 00448B94
SetTextColor.GDI32(00000000,00FFFFFF), ref: 00448BE1
SetBkColor.GDI32(00000000,00000000), ref: 00448BE9
BitBlt.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00E20746), ref: 00448C0E
SetTextColor.GDI32(00000000,00FFFFFF), ref: 00448C2F
SetBkColor.GDI32(00000000,00000000), ref: 00448C37
BitBlt.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00E20746), ref: 00448C5A

Part of subcall function 00448A6C: ImageList_GetBkColor.COMCTL32(00000000,?,00448ACD,00000000,?), ref: 00448A82

Strings

6B, xrefs: 00448B05

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A8AC, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 146 Total matches: 45fileprocesssynchronization

Similarity

Total matches: 45
API ID: CloseHandle$CreateFile$CreateProcessWaitForSingleObject
String ID: D
API String ID: 1169714791-2746444292
Opcode ID: 9fb844b51f751657abfdf9935c21911306aa385a3997c9217fbe2ce6b668f812
Instruction ID: 79e473b7fda91be69f4d7f417df14a4c992ec25b9310636d694ca9e09f5cc5b6
Opcode Fuzzy Hash: 4D11E6431384F3F3F1A567002C8275185D6DB45A78E6D9752D6B6323EECB40A16CF94A
Instruction Fuzzy Hash: 79e473b7fda91be69f4d7f417df14a4c992ec25b9310636d694ca9e09f5cc5b6

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000004,00000100,00000000), ref: 0048A953
CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000002,00000100,00000000), ref: 0048A98D
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000110,00000000,00000000,00000044,?), ref: 0048AA10
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0048AA2D
CloseHandle.KERNEL32(00000000), ref: 0048AA68
CloseHandle.KERNEL32(00000000), ref: 0048AA77
CloseHandle.KERNEL32(00000000), ref: 0048AA86
CloseHandle.KERNEL32(00000000), ref: 0048AA95

Strings

D, xrefs: 0048A9BB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00483468, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 118 Total matches: 10networkthread

Similarity

Total matches: 10
API ID: InternetCloseHandle$ExitThreadInternetOpenInternetOpenUrl
String ID: Times.$[.exe]$H4H$myappname
API String ID: 1533170427-2018508691
Opcode ID: 9bfd80528866c3fa2248181b1ccb48c134560f4eab1f6b9a7ba83a7f0698ff3d
Instruction ID: 5d8c8af60e1396200864222ed7d4265ca944ca2bef987cfa67465281aeb1ae53
Opcode Fuzzy Hash: 5201284087779767E0713A843C83BA64057AF53F79E88AB6006383B6C28D5E501EFE1E
Instruction Fuzzy Hash: 5d8c8af60e1396200864222ed7d4265ca944ca2bef987cfa67465281aeb1ae53

APIs

InternetOpenA.WININET(myappname,00000000,00000000,00000000,00000000), ref: 0048350C
InternetOpenUrlA.WININET(?,00000000,00000000,00000000,00000000,00000000), ref: 00483537
InternetCloseHandle.WININET(00000000), ref: 0048353D
InternetCloseHandle.WININET(?), ref: 00483553

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000, Times.,?,?,00000000,00483684,?,BTRESULTVisit URL|finished to visit ,?,004835AC,?,myappname,00000000,00000000,00000000,00000000), ref: 0048359F

Strings

myappname, xrefs: 00483507
H4H, xrefs: 00483497, 0048361C
BTRESULTVisit URL|finished to visit , xrefs: 00483558
Times., xrefs: 0048357D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F3B8, Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 110 Total matches: 30

Similarity

Total matches: 30
API ID: GetWindowPlacementGetWindowText
String ID: ,$False$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive
API String ID: 3194812178-3661939895
Opcode ID: 6e67ebc189e59b109926b976878c05c5ff8e56a7c2fe83319816f47c7d386b2c
Instruction ID: 05c2a068ec8248d3d24fb73124f2ba0192b7bb261c799db9564259cde8fcc610
Opcode Fuzzy Hash: DC012BC22786CE23E606A9C47A00BD0CE65AFB261CCC867E14FEE3C5D57ED100089B96
Instruction Fuzzy Hash: 05c2a068ec8248d3d24fb73124f2ba0192b7bb261c799db9564259cde8fcc610

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F40E
GetWindowPlacement.USER32(?,0000002C), ref: 0046F429

Part of subcall function 0046F148: GetWindow.USER32(?,00000005), ref: 0046F156
Part of subcall function 0046F148: GetWindow.USER32(00000000,00000002), ref: 0046F164

Strings

Maximized, xrefs: 0046F439
,, xrefs: 0046F41D
False, xrefs: 0046F4D6
Show/Unactive, xrefs: 0046F475
Normal, xrefs: 0046F44D
Minimized, xrefs: 0046F461
Normal/Unactive, xrefs: 0046F489

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00456278, Relevance: 15.2, APIs: 10, Instructions: 197 Total matches: 3025

Similarity

Total matches: 3025
API ID: GetWindowLong$IntersectClipRectRestoreDCSaveDC
String ID:
API String ID: 3006731778-0
Opcode ID: 42e9e34b880910027b3e3a352b823e5a85719ef328f9c6ea61aaf2d3498d6580
Instruction ID: 4204c0258dd60c0c2688d7e8ce7edc9cd036ce1826430425374ca7ebdb7834a4
Opcode Fuzzy Hash: 4621F609168D5267EC7B75806993BAA7111FB82B88CD1F7321AA1171975B80204BFA07
Instruction Fuzzy Hash: 4204c0258dd60c0c2688d7e8ce7edc9cd036ce1826430425374ca7ebdb7834a4

APIs

SaveDC.GDI32(?), ref: 00456295

Part of subcall function 0044EEA0: GetWindowOrgEx.GDI32(?), ref: 0044EEAE
Part of subcall function 0044EEA0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044EEC4

IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 004562CE
GetWindowLongA.USER32(00000000,000000EC), ref: 004562E2
GetWindowLongA.USER32(00000000,000000F0), ref: 00456303

Part of subcall function 00456278: SetRect.USER32(00000010,00000000,00000000,?,?), ref: 00456363
Part of subcall function 00456278: IntersectClipRect.GDI32(?,00000000,00000000,00000010,?), ref: 004563D3
Part of subcall function 00456278: SetRect.USER32(?,00000000,00000000,?,?), ref: 004563F4
Part of subcall function 00456278: DrawEdge.USER32(?,?,00000000,00000000), ref: 00456403
Part of subcall function 00456278: IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0045642C

RestoreDC.GDI32(?,?), ref: 004564AB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043F2B8, Relevance: 15.1, APIs: 10, Instructions: 133 Total matches: 142window

Similarity

Total matches: 142
API ID: GetWindowLongSendMessageSetWindowLong$GetClassLongGetSystemMenuSetClassLongSetWindowPos
String ID:
API String ID: 864553395-0
Opcode ID: 9ab73d602731c043e05f06fe9a833ffc60d2bf7da5b0a21ed43778f35c9aa1f5
Instruction ID: 86e40c6f39a8dd384175e0123e2dc7e82ae64037638b8220b5ac0861a23d6a34
Opcode Fuzzy Hash: B101DBAA1A176361E0912DCCCAC3B2ED50DB743248EB0DBD922E11540E7F4590A7FE2D
Instruction Fuzzy Hash: 86e40c6f39a8dd384175e0123e2dc7e82ae64037638b8220b5ac0861a23d6a34

APIs

GetWindowLongA.USER32(00000000,000000F0), ref: 0043F329
GetWindowLongA.USER32(00000000,000000EC), ref: 0043F33B
GetClassLongA.USER32(00000000,000000E6), ref: 0043F34E
SetWindowLongA.USER32(00000000,000000F0,00000000), ref: 0043F38E
SetWindowLongA.USER32(00000000,000000EC,?), ref: 0043F3A2
SetClassLongA.USER32(00000000,000000E6,?), ref: 0043F3B6
SendMessageA.USER32(00000000,00000080,00000001,00000000), ref: 0043F3F0
SendMessageA.USER32(00000000,00000080,00000001,00000000), ref: 0043F408
GetSystemMenu.USER32(00000000,000000FF), ref: 0043F417
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043F440

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044155C, Relevance: 15.1, APIs: 10, Instructions: 74 Total matches: 3192window

Similarity

Total matches: 3192
API ID: DeleteMenu$EnableMenuItem$GetSystemMenu
String ID:
API String ID: 3542995237-0
Opcode ID: 6b257927fe0fdeada418aad578b82fbca612965c587f2749ccb5523ad42afade
Instruction ID: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578
Opcode Fuzzy Hash: 0AF0D09DD98F1151E6F500410C47B83C08AFF413C5C245B380583217EFA9D25A5BEB0E
Instruction Fuzzy Hash: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 004415A7
DeleteMenu.USER32(00000000,0000F130,00000000), ref: 004415C5
DeleteMenu.USER32(00000000,00000007,00000400), ref: 004415D2
DeleteMenu.USER32(00000000,00000005,00000400), ref: 004415DF
DeleteMenu.USER32(00000000,0000F030,00000000), ref: 004415EC
DeleteMenu.USER32(00000000,0000F020,00000000), ref: 004415F9
DeleteMenu.USER32(00000000,0000F000,00000000), ref: 00441606
DeleteMenu.USER32(00000000,0000F120,00000000), ref: 00441613
EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 00441631
EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 0044164D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040281E, Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 188 Total matches: 190window

Similarity

Total matches: 190
API ID: MessageBox
String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
API String ID: 1250089747-980038931
Opcode ID: 1669ecd234b97cdbd14c3df7a35b1e74c6856795be7635a3e0f5130a3d9bc831
Instruction ID: 2e60dbe28dcd1d3aa5670394eea0bc97309ab4bc9661f15f320bab8b5d4cd559
Opcode Fuzzy Hash: 8E21F44B67EED392D3EA1303384575540E3ABC5537D888F60977232BF6EE14140BAA9D
Instruction Fuzzy Hash: 2e60dbe28dcd1d3aa5670394eea0bc97309ab4bc9661f15f320bab8b5d4cd559

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 00402BBE

Strings

An unexpected memory leak has occurred. , xrefs: 00402980
, xrefs: 00402B04
The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402B39
The unexpected small block leaks are:, xrefs: 004029F7
Unexpected Memory Leak, xrefs: 00402BB0
7, xrefs: 00402991
bytes: , xrefs: 00402A4D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004710F0, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 66 Total matches: 37

Similarity

Total matches: 37
API ID: GetWindowShowWindow$FindWindowGetClassName
String ID: BUTTON$Shell_TrayWnd
API String ID: 2948047570-3627955571
Opcode ID: 9e064d9ead1b610c0c1481de5900685eb7d76be14ef2e83358ce558d27e67668
Instruction ID: d360bd029940f6fa4d12d7627fe3e8b46839e67e31e965d43504e39a11938d6c
Opcode Fuzzy Hash: 68E092CC17B5D469B71A2789284236241D5C763A35C18B752D332376DF8E58021EE60A
Instruction Fuzzy Hash: d360bd029940f6fa4d12d7627fe3e8b46839e67e31e965d43504e39a11938d6c

APIs

FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 0047111D
GetWindow.USER32(00000000,00000005), ref: 00471125
GetClassNameA.USER32(00000000,?,00000080), ref: 0047113D
ShowWindow.USER32(00000000,00000001), ref: 0047117C
ShowWindow.USER32(00000000,00000000), ref: 00471186
GetWindow.USER32(00000000,00000002), ref: 0047118E

Strings

BUTTON, xrefs: 00471168
Shell_TrayWnd, xrefs: 00471118

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040DA34, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 56 Total matches: 16filewindow

Similarity

Total matches: 16
API ID: GetStdHandleWriteFile$CharToOemLoadStringMessageBox
String ID: LPI
API String ID: 3807148645-863635926
Opcode ID: 539cd2763de28bf02588dbfeae931fa34031625c31423c558e1c96719d1f86e4
Instruction ID: 5b0ab8211e0f5c40d4b1780363d5c9b524eff0228eb78845b7b0cb7c9884c59c
Opcode Fuzzy Hash: B1E09A464E3CA62353002E1070C6B892287EF4302E93833828A11787D74E3104E9A21C
Instruction Fuzzy Hash: 5b0ab8211e0f5c40d4b1780363d5c9b524eff0228eb78845b7b0cb7c9884c59c

APIs

Part of subcall function 0040D8AC: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040D8C9
Part of subcall function 0040D8AC: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040D8ED
Part of subcall function 0040D8AC: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040D908
Part of subcall function 0040D8AC: LoadStringA.USER32(00000000,0000FFED,?,00000100), ref: 0040D99E

CharToOemA.USER32(?,?), ref: 0040DA6B
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,0040E1ED,0040E312,0040FDD4,00000000,0040FF18), ref: 0040DA88
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?), ref: 0040DA8E
GetStdHandle.KERNEL32(000000F4,0040DAF8,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,0040E1ED,0040E312,0040FDD4,00000000,0040FF18), ref: 0040DAA3
WriteFile.KERNEL32(00000000,000000F4,0040DAF8,00000002,?), ref: 0040DAA9
LoadStringA.USER32(00000000,0000FFEE,?,00000040), ref: 0040DACB
MessageBoxA.USER32(00000000,?,?,00002010), ref: 0040DAE1

Strings

LPI, xrefs: 0040DA48

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004564D0, Relevance: 13.7, APIs: 9, Instructions: 177 Total matches: 190window

Similarity

Total matches: 190
API ID: SelectObject$BeginPaintBitBltCreateCompatibleBitmapCreateCompatibleDCSetWindowOrgEx
String ID:
API String ID: 1616898104-0
Opcode ID: 00b711a092303d63a394b0039c66d91bff64c6bf82b839551a80748cfcb5bf1e
Instruction ID: 1affb125a654ca7596d0e4f6c4811def945eff925a29ebecd1c68cf0f38a7913
Opcode Fuzzy Hash: 14115B85024DA637E8739CC85E83F962294F307D48C91F7729BA31B2C72F15600DD293
Instruction Fuzzy Hash: 1affb125a654ca7596d0e4f6c4811def945eff925a29ebecd1c68cf0f38a7913

APIs

Part of subcall function 00455D50: BeginPaint.USER32(00000000,?), ref: 00455D7B
Part of subcall function 00455D50: SaveDC.GDI32(00000000), ref: 00455DB4
Part of subcall function 00455D50: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 00455E36
Part of subcall function 00455D50: RestoreDC.GDI32(00000000,00000000), ref: 00455E6C
Part of subcall function 00455D50: EndPaint.USER32(00000000,?), ref: 00455EA9

BeginPaint.USER32(00000000,?), ref: 004565EA
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00456600
CreateCompatibleDC.GDI32(00000000), ref: 00456617
SelectObject.GDI32(?,?), ref: 00456627
SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0045664B

Part of subcall function 004564D0: BeginPaint.USER32(00000000,?), ref: 0045653C
Part of subcall function 004564D0: EndPaint.USER32(00000000,?), ref: 004565D0

BitBlt.GDI32(00000000,?,?,?,?,?,?,?,00CC0020), ref: 00456699
SelectObject.GDI32(?,?), ref: 004566B3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004840D8, Relevance: 13.6, APIs: 9, Instructions: 150 Total matches: 30

Similarity

Total matches: 30
API ID: CloseHandleGetTokenInformationLookupAccountSid$GetLastErrorOpenProcessOpenProcessToken
String ID:
API String ID: 1387212650-0
Opcode ID: 55fc45e655e8bcad6bc41288bae252f5ee7be0b7cb976adfe173a6785b05be5f
Instruction ID: 4c6b5abeafcca947752a893948ed48d42e020b1fe5683f4a654fc51f6199c0a3
Opcode Fuzzy Hash: 3901484A17CA2293F53BB5C82483FEA1215E702B45D48B7A354F43A59A5F45A13BF702
Instruction Fuzzy Hash: 4c6b5abeafcca947752a893948ed48d42e020b1fe5683f4a654fc51f6199c0a3

APIs

OpenProcess.KERNEL32(00000400,00000000,?,00000000,00484275), ref: 00484108
OpenProcessToken.ADVAPI32(00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 0048411E
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,?,00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 00484139
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),?,?,?,?,TokenIntegrityLevel,00000000,00000000,?,00000000,00000008,?,00000400,00000000), ref: 00484168
GetLastError.KERNEL32(?,TokenIntegrityLevel,00000000,00000000,?,00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 00484177
CloseHandle.KERNEL32(?), ref: 00484185
LookupAccountSidA.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 004841B4
LookupAccountSidA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,?), ref: 00484205
CloseHandle.KERNEL32(00000000), ref: 00484255

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00451458, Relevance: 13.6, APIs: 9, Instructions: 122 Total matches: 3040window

Similarity

Total matches: 3040
API ID: PatBlt$SelectObject$GetDCExGetDesktopWindowReleaseDC
String ID:
API String ID: 2402848322-0
Opcode ID: 0b1cd19b0e82695ca21d43bacf455c9985e1afa33c1b29ce2f3a7090b744ccb2
Instruction ID: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593
Opcode Fuzzy Hash: C2F0B4482AADF707C8B6350915C7F79224AED736458F4BB694DB4172CBAF27B014D093
Instruction Fuzzy Hash: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593

APIs

GetDesktopWindow.USER32 ref: 0045148F
GetDCEx.USER32(?,00000000,00000402), ref: 004514A2

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

SelectObject.GDI32(?,00000000), ref: 004514C5
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 004514EB
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0045150D
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 0045152C
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 00451546
SelectObject.GDI32(?,?), ref: 00451553
ReleaseDC.USER32(?,?), ref: 0045156D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00465598, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 194 Total matches: 72libraryloader

Similarity

Total matches: 72
API ID: GetProcAddress$IsBadReadPtrLoadLibrary
String ID: BuildImportTable: GetProcAddress failed$BuildImportTable: ReallocMemory failed$BuildImportTable: can't load library:
API String ID: 1616315271-1384308123
Opcode ID: eb45955122e677bac4d3e7b6686ec9cba9f45ae3ef48f3e0b242e9a0c3719a7c
Instruction ID: d25742ef4bc1d51b96969838743a3f95180d575e7d72d5f7fe617812cb4009d6
Opcode Fuzzy Hash: 0B214C420345E0D3ED39A2081CC7FB15345EF639B4D88AB671ABB667FA2985500AF50D
Instruction Fuzzy Hash: d25742ef4bc1d51b96969838743a3f95180d575e7d72d5f7fe617812cb4009d6

APIs

LoadLibraryA.KERNEL32(00000000), ref: 00465607
GetProcAddress.KERNEL32(?,?), ref: 00465737
GetProcAddress.KERNEL32(?,?), ref: 0046576B
IsBadReadPtr.KERNEL32(?,00000014,00000000,004657D8), ref: 004657A9

Strings

BuildImportTable: can't load library: , xrefs: 00465644
BuildImportTable: ReallocMemory failed, xrefs: 0046568D
BuildImportTable: GetProcAddress failed, xrefs: 0046577C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482E34, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 193 Total matches: 16sleepthread

Similarity

Total matches: 16
API ID: Sleep$CreateThreadExitThread
String ID: .255$127.0.0.1$LanList
API String ID: 1155887905-2919614961
Opcode ID: f9aceb7697053a60f8f2203743265727de6b3c16a25ac160ebf033b594fe70c2
Instruction ID: 67bc21a589158fc7afeef0b5d02271f7d18e2bfc14a4273c93325a5ef21c2c98
Opcode Fuzzy Hash: 62215C820F87955EED616C807C41FA701315FB7649D4FAB622A6B3A1A74E032016B743
Instruction Fuzzy Hash: 67bc21a589158fc7afeef0b5d02271f7d18e2bfc14a4273c93325a5ef21c2c98

APIs

ExitThread.KERNEL32(00000000,00000000,004830D3,?,?,?,?,00000000,00000000), ref: 004830A6

Part of subcall function 00473208: socket.WSOCK32(00000002,00000001,00000000,00000000,00473339), ref: 0047323B
Part of subcall function 00473208: WSAIoctl.WS2_32(000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000), ref: 0047327C
Part of subcall function 00473208: inet_ntoa.WSOCK32(?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000), ref: 004732AC
Part of subcall function 00473208: inet_ntoa.WSOCK32(?,?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001), ref: 004732E8
Part of subcall function 00473208: closesocket.WSOCK32(000000FF,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000,00000000,00473339), ref: 00473319

CreateThread.KERNEL32(00000000,00000000,Function_00082CDC,?,00000000,?), ref: 00483005
Sleep.KERNEL32(00000032,00000000,00000000,Function_00082CDC,?,00000000,?,?,00000000,00000000,00483104,?,00483104,?,00483104,?), ref: 0048300C
Sleep.KERNEL32(00000064,.255,?,00483104,?,00483104,?,?,00000000,004830D3,?,?,?,?,00000000,00000000), ref: 00483054

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

127.0.0.1, xrefs: 00482E9D
LanList, xrefs: 0048306B
.255, xrefs: 0048303C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004117E8, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: f440f800a6dcfa6827f62dcd7c23166eba4d720ac19948e634cff8498f9e3f0b
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 4D113503239AAB83B0257B804C83F24D1D0DE42D36ACD97B8C672693F32601561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00411881
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041189D
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 004118D6
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411953
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0041196C
VariantCopy.OLEAUT32(?), ref: 004119A1

Strings

, xrefs: 00411802

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00454934, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 134 Total matches: 1764registry

Similarity

Total matches: 1764
API ID: GetWindowLong$GetClassInfoRegisterClassSetWindowLongUnregisterClass
String ID: @
API String ID: 2433521760-2766056989
Opcode ID: bb057d11bcffa2997f58ae607b8aec9f6d517787b85221cca69b6bc40098651c
Instruction ID: 4013627ed433dbc6b152acdb164a0da3d29e3622e0b68fd627badcaca3a3b516
Opcode Fuzzy Hash: 5A119C80560CD237E7D669A4B48378513749F97B7CDD0536B63F6242DA4E00402DF96E
Instruction Fuzzy Hash: 4013627ed433dbc6b152acdb164a0da3d29e3622e0b68fd627badcaca3a3b516

APIs

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetClassInfoA.USER32(?,?,?), ref: 004549F8
UnregisterClassA.USER32(?,?), ref: 00454A20
RegisterClassA.USER32(?), ref: 00454A36
GetWindowLongA.USER32(00000000,000000F0), ref: 00454A72
GetWindowLongA.USER32(00000000,000000F4), ref: 00454A87
SetWindowLongA.USER32(00000000,000000F4,00000000), ref: 00454A9A

Part of subcall function 00458910: IsIconic.USER32(?), ref: 0045891F
Part of subcall function 00458910: GetWindowPlacement.USER32(?,0000002C), ref: 0045893C
Part of subcall function 00458910: GetWindowRect.USER32(?), ref: 00458955
Part of subcall function 00458910: GetWindowLongA.USER32(?,000000F0), ref: 00458963
Part of subcall function 00458910: GetWindowLongA.USER32(?,000000F8), ref: 00458978
Part of subcall function 00458910: ScreenToClient.USER32(00000000), ref: 00458985
Part of subcall function 00458910: ScreenToClient.USER32(00000000,?), ref: 00458990

Part of subcall function 0042473C: CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,00424930,?,00000000,00424958), ref: 0042486B
Part of subcall function 0042473C: CreateFontIndirectA.GDI32(?), ref: 0042490D

Part of subcall function 0040F26C: GetLastError.KERNEL32(0040F31C,?,0041BBC3,?), ref: 0040F26C

Strings

@, xrefs: 0045496D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AC14, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 110 Total matches: 30

Similarity

Total matches: 30
API ID: GetCurrentProcessGetTokenInformationLookupPrivilegeDisplayNameLookupPrivilegeNameOpenProcessToken
String ID: GetTokenInformation error$OpenProcessToken error
API String ID: 34442935-1842041635
Opcode ID: 07715b92dc7caf9e715539a578f275bcd2bb60a34190f84cc6cf05c55eb8ea49
Instruction ID: 380ab001647c8b3903b6034fc21424389ae21c1771cfbd9cf9b74ae493e33b6b
Opcode Fuzzy Hash: 9101994303ACF753F62929086842BDA0550DF534A5EC4AB6281746BEC90F28203AFB57
Instruction Fuzzy Hash: 380ab001647c8b3903b6034fc21424389ae21c1771cfbd9cf9b74ae493e33b6b

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AD60), ref: 0048AC51
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AD60), ref: 0048AC57
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000320,?,00000000,00000028,?,00000000,0048AD60), ref: 0048AC7D
LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,00000000,000000FF,?), ref: 0048ACEE

Part of subcall function 00489B40: MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00489B84

LookupPrivilegeNameA.ADVAPI32(00000000,?,00000000,000000FF), ref: 0048ACDD

Strings

GetTokenInformation error, xrefs: 0048AC86
OpenProcessToken error, xrefs: 0048AC60

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0041F7B4, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109 Total matches: 16thread

Similarity

Total matches: 16
API ID: EnterCriticalSectionGetCurrentThreadId$InterlockedExchangeLeaveCriticalSection
String ID: 4PI
API String ID: 853095497-1771581502
Opcode ID: e7ac2c5012fa839d146893c0705f22c4635eb548c5d0be0363ce03b581d14a20
Instruction ID: e450c16710015a04d827bdf36dba62923dd4328c0a0834b889eda6f9c026b195
Opcode Fuzzy Hash: 46F0268206D8F1379472678830D77370A8AC33154EC85EB52162C376EB1D05D05DE75B
Instruction Fuzzy Hash: e450c16710015a04d827bdf36dba62923dd4328c0a0834b889eda6f9c026b195

APIs

GetCurrentThreadId.KERNEL32 ref: 0041F7BF
GetCurrentThreadId.KERNEL32 ref: 0041F7CE
EnterCriticalSection.KERNEL32(004999D0,0041F904,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F8F7

Part of subcall function 0041F774: WaitForSingleObject.KERNEL32(000000EC), ref: 0041F77E

Part of subcall function 0041F768: ResetEvent.KERNEL32(000000EC,0041F809), ref: 0041F76E

EnterCriticalSection.KERNEL32(004999D0), ref: 0041F813
InterlockedExchange.KERNEL32(00491B2C,?), ref: 0041F82F
LeaveCriticalSection.KERNEL32(004999D0,00000000,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F888

Strings

4PI, xrefs: 0041F7C4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00449834, Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 80 Total matches: 16libraryloader

Similarity

Total matches: 16
API ID: GetModuleHandleGetProcAddressImageList_Write
String ID: $qA$ImageList_WriteEx$[FILE]$[FILE]
API String ID: 3028349119-1134023085
Opcode ID: 9b6b780f1487285524870f905d0420896c1378cf45dbecae2d97141bf0e14d48
Instruction ID: 043155abd17610354dead4f4dd3580dd0e6203469d1d2f069e389e4af6e4a666
Opcode Fuzzy Hash: 29F059C6A0CCF14AE7175584B0AB66107F0BB9DD5F8C87710081C710A90F95A13DFB56
Instruction Fuzzy Hash: 043155abd17610354dead4f4dd3580dd0e6203469d1d2f069e389e4af6e4a666

APIs

ImageList_Write.COMCTL32(00000000,?,00000000,0044992E), ref: 004498F8

Part of subcall function 0040E3A4: GetFileVersionInfoSizeA.VERSION(00000000,?,00000000,0040E47A), ref: 0040E3E6
Part of subcall function 0040E3A4: GetFileVersionInfoA.VERSION(00000000,?,00000000,?,00000000,0040E45D,?,00000000,?,00000000,0040E47A), ref: 0040E41B
Part of subcall function 0040E3A4: VerQueryValueA.VERSION(?,0040E48C,?,?,00000000,?,00000000,?,00000000,0040E45D,?,00000000,?,00000000,0040E47A), ref: 0040E435

GetModuleHandleA.KERNEL32(comctl32.dll), ref: 00449868
GetProcAddress.KERNEL32(00000000,ImageList_WriteEx,comctl32.dll), ref: 00449879

Strings

comctl32.dll, xrefs: 00449863
ImageList_WriteEx, xrefs: 00449873
$qA, xrefs: 004498D4, 00449909
comctl32.dll, xrefs: 00449848

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E4A0, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68 Total matches: 2853string

Similarity

Total matches: 2853
API ID: GetSystemMetrics$GetMonitorInfoSystemParametersInfolstrcpy
String ID: DISPLAY$GetMonitorInfo
API String ID: 3432438702-1633989206
Opcode ID: eae47ffeee35c10db4cae29e8a4ab830895bcae59048fb7015cdc7d8cb0a928b
Instruction ID: 74142331967dee0409fd24cf408a58a7466f2520650418456c75ade1e3029da4
Opcode Fuzzy Hash: 28E068803A699081F86A71027110F4912B07AE7E47D883B92C4777051BD78265B91D01
Instruction Fuzzy Hash: 74142331967dee0409fd24cf408a58a7466f2520650418456c75ade1e3029da4

APIs

GetMonitorInfoA.USER32(?,?), ref: 0042E4D1
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042E4F8
GetSystemMetrics.USER32(00000000), ref: 0042E50D
GetSystemMetrics.USER32(00000001), ref: 0042E518
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0042E542

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

DISPLAY, xrefs: 0042E539
GetMonitorInfo, xrefs: 0042E4B8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E574, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 68 Total matches: 14string

Similarity

Total matches: 14
API ID: GetSystemMetrics$SystemParametersInfolstrcpy
String ID: DISPLAY$GetMonitorInfoA$tB
API String ID: 920390751-4256241499
Opcode ID: 9a94b6fb1edcb78a0c9a66795ebd84d1eeb67d07ab6805deb2fcd0b49b846e84
Instruction ID: eda70eb6c6723b3d8ed12733fddff3b40501d2063d2ec80ebb02aba850291404
Opcode Fuzzy Hash: 78E068C132298081B86A31013160F42129039E7E17E883BC1D4F77056B8B8275651D08
Instruction Fuzzy Hash: eda70eb6c6723b3d8ed12733fddff3b40501d2063d2ec80ebb02aba850291404

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042E5CC
GetSystemMetrics.USER32(00000000), ref: 0042E5E1
GetSystemMetrics.USER32(00000001), ref: 0042E5EC
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0042E616

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

GetMonitorInfoA, xrefs: 0042E58C
tB, xrefs: 0042E591, 0042E59E, 0042E5A5
DISPLAY, xrefs: 0042E60D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E648, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 68 Total matches: 10string

Similarity

Total matches: 10
API ID: GetSystemMetrics$SystemParametersInfolstrcpy
String ID: DISPLAY$GetMonitorInfoW$HB
API String ID: 920390751-4214253287
Opcode ID: 39694e9d9e018d210cdbb9f258b89a02c97d0963af088e59ad359ed5c593a5a2
Instruction ID: 715dbc0accc45c62a460a5bce163b1305142a94d166b4e77b7d7de915e09a29c
Opcode Fuzzy Hash: C6E0D8802269D0C5B86A71013254F4712E53EFBF57C8C3B51D5737156A5782A6B51D11
Instruction Fuzzy Hash: 715dbc0accc45c62a460a5bce163b1305142a94d166b4e77b7d7de915e09a29c

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042E6A0
GetSystemMetrics.USER32(00000000), ref: 0042E6B5
GetSystemMetrics.USER32(00000001), ref: 0042E6C0
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0042E6EA

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

GetMonitorInfoW, xrefs: 0042E660
HB, xrefs: 0042E665, 0042E672, 0042E679
DISPLAY, xrefs: 0042E6E1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004052FC, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38 Total matches: 3072filewindow

Similarity

Total matches: 3072
API ID: GetStdHandleWriteFile$MessageBox
String ID: Error$Runtime error at 00000000
API String ID: 877302783-2970929446
Opcode ID: a2f2a555d5de0ed3a3cdfe8a362fd9574088acc3a5edf2b323f2c4251b80d146
Instruction ID: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97
Opcode Fuzzy Hash: FED0A7C68438479FA141326030C4B2A00133F0762A9CC7396366CB51DFCF4954BCDD05
Instruction Fuzzy Hash: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405335
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 0040533B
GetStdHandle.KERNEL32(000000F5,00405384,00000002,?,00000000,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405350
WriteFile.KERNEL32(00000000,000000F5,00405384,00000002,?), ref: 00405356
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00405374

Strings

Error, xrefs: 00405368
Runtime error at 00000000, xrefs: 0040532E, 0040536D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00442C9C, Relevance: 12.2, APIs: 8, Instructions: 154 Total matches: 2310window

Similarity

Total matches: 2310
API ID: SendMessage$GetActiveWindowGetCapture$ReleaseCapture
String ID:
API String ID: 3360342259-0
Opcode ID: 2e7a3c9d637816ea08647afd4d8ce4a3829e05fa187c32cef18f4a4206af3d5d
Instruction ID: f313f7327938110f0d474da6a120560d1e1833014bacf3192a9076ddb3ef11f7
Opcode Fuzzy Hash: 8F1150111E8E7417F8A3A1C8349BB23A067F74FA59CC0BF71479A610D557588869D707
Instruction Fuzzy Hash: f313f7327938110f0d474da6a120560d1e1833014bacf3192a9076ddb3ef11f7

APIs

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetCapture.USER32 ref: 00442D0D
GetCapture.USER32 ref: 00442D1C
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00442D22
ReleaseCapture.USER32 ref: 00442D27
GetActiveWindow.USER32 ref: 00442D78

Part of subcall function 004442A8: GetCursorPos.USER32 ref: 004442C3
Part of subcall function 004442A8: WindowFromPoint.USER32(?,?), ref: 004442D0
Part of subcall function 004442A8: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004442DE
Part of subcall function 004442A8: GetCurrentThreadId.KERNEL32(00000000,00000000,?,?), ref: 004442E5
Part of subcall function 004442A8: SendMessageA.USER32(00000000,00000084,00000000,?), ref: 0044430E
Part of subcall function 004442A8: SendMessageA.USER32(00000000,00000020,00000000,?), ref: 00444320
Part of subcall function 004442A8: SetCursor.USER32(00000000), ref: 00444332

Part of subcall function 0043B920: GetCurrentThreadId.KERNEL32(0043B8D0,00000000,00000000,0043B993,?,00000000,0043B9D1), ref: 0043B976
Part of subcall function 0043B920: EnumThreadWindows.USER32(00000000,0043B8D0,00000000), ref: 0043B97C

SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00442E0E
SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00442E7B
GetActiveWindow.USER32 ref: 00442E8A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E0DC, Relevance: 12.1, APIs: 8, Instructions: 100 Total matches: 31registry

Similarity

Total matches: 31
API ID: RegOpenKeyEx$RegCloseKeyRegDeleteValue
String ID:
API String ID: 2702562355-0
Opcode ID: ff1bffc0fc9da49c543c68ea8f8c068e074332158ed00d7e0855fec77d15ce10
Instruction ID: bb6f8a9e936068d281b70d3ea2ea02ff1a791729bc38357734c580253c916b5c
Opcode Fuzzy Hash: 00F0AD0155E9A353EBF654C41E127DB2082FF43A44D08FFB50392139D3DF581028E663
Instruction Fuzzy Hash: bb6f8a9e936068d281b70d3ea2ea02ff1a791729bc38357734c580253c916b5c

APIs

RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?,00000000,0046E238), ref: 0046E15A
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,000F003F,?,0046E23F,80000000,00000000,00000000,000F003F,?,00000000,0046E238), ref: 0046E17D
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,0046E23F,80000000,00000000,00000000,000F003F,?), ref: 0046E19D
RegOpenKeyExA.ADVAPI32(80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,0046E23F), ref: 0046E1BD
RegOpenKeyExA.ADVAPI32(80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001), ref: 0046E1DD
RegOpenKeyExA.ADVAPI32(80000006,00000000,00000000,000F003F,?,80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002), ref: 0046E1FD
RegDeleteValueA.ADVAPI32(?,00000000,00000000,0046E238), ref: 0046E20F
RegCloseKey.ADVAPI32(?,?,00000000,00000000,0046E238), ref: 0046E218

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004462F4, Relevance: 12.1, APIs: 8, Instructions: 99 Total matches: 293windowthread

Similarity

Total matches: 293
API ID: SendMessage$GetWindowThreadProcessId$GetCaptureGetParentIsWindowUnicode
String ID:
API String ID: 2317708721-0
Opcode ID: 8f6741418f060f953fc426fb00df5905d81b57fcb2f7a38cdc97cb0aab6d7365
Instruction ID: 027f2b09132ef415e1641618d15c0fc03404835376b0cbd1c352fc703b58c8b5
Opcode Fuzzy Hash: D0F09E15071D1844F89FA7844CD3F1F0150E73726FC516A251861D07BB2640586DEC40
Instruction Fuzzy Hash: 027f2b09132ef415e1641618d15c0fc03404835376b0cbd1c352fc703b58c8b5

APIs

GetCapture.USER32 ref: 0044631A
GetParent.USER32(00000000), ref: 00446340
IsWindowUnicode.USER32(00000000), ref: 0044635D
SendMessageW.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446378
SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446397
GetWindowThreadProcessId.USER32(00000000), ref: 004463A6
GetWindowThreadProcessId.USER32(?,?), ref: 004463B4
SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 004463D4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E244, Relevance: 12.1, APIs: 8, Instructions: 95 Total matches: 27registry

Similarity

Total matches: 27
API ID: RegOpenKeyEx$RegCloseKeyRegDeleteKey
String ID:
API String ID: 1588268847-0
Opcode ID: efa1fa3a126963e045954320cca245066a4b5764b694b03be027155e6cf74c33
Instruction ID: 786d86d630c0ce6decb55c8266b1f23f89dbfeab872e22862efc69a80fb541cf
Opcode Fuzzy Hash: 70F0810454D99393EFF268C81A627EB2492FF53141C00BFB603D222A93DF191428E663
Instruction Fuzzy Hash: 786d86d630c0ce6decb55c8266b1f23f89dbfeab872e22862efc69a80fb541cf

APIs

RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?,00000000,0046E391), ref: 0046E2B7
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,000F003F,?,80000000,00000000,00000000,000F003F,?,00000000,0046E391), ref: 0046E2DA
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,80000000,00000000,00000000,000F003F,?,00000000), ref: 0046E2FA
RegOpenKeyExA.ADVAPI32(80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,80000000), ref: 0046E31A
RegOpenKeyExA.ADVAPI32(80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001), ref: 0046E33A
RegOpenKeyExA.ADVAPI32(80000006,00000000,00000000,000F003F,?,80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002), ref: 0046E35A
RegDeleteKeyA.ADVAPI32(?,0046E39C), ref: 0046E368
RegCloseKey.ADVAPI32(?,?,0046E39C,00000000,0046E391), ref: 0046E371

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426060, Relevance: 12.1, APIs: 8, Instructions: 79 Total matches: 3072window

Similarity

Total matches: 3072
API ID: GetSystemPaletteEntries$GetDCGetDeviceCapsReleaseDC
String ID:
API String ID: 3774187343-0
Opcode ID: c8a1f0028bda89d06ba34fecd970438ce26e4f5bd606e2da3d468695089984a8
Instruction ID: 0cfe958825060108f21fe327ec74807f3ea840bb8274bad68fd1d00675d59d02
Opcode Fuzzy Hash: 82F0E9420739F3B3B21723492453B548250FF006B8F195B7095A2A37D54B486A08D65A
Instruction Fuzzy Hash: 0cfe958825060108f21fe327ec74807f3ea840bb8274bad68fd1d00675d59d02

APIs

GetDC.USER32(00000000), ref: 0042608E
GetDeviceCaps.GDI32(?,00000068), ref: 004260AA
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 004260C9
GetSystemPaletteEntries.GDI32(?,-00000008,00000001,00C0C0C0), ref: 004260ED
GetSystemPaletteEntries.GDI32(?,00000000,00000007,?), ref: 0042610B
GetSystemPaletteEntries.GDI32(?,00000007,00000001,?), ref: 0042611F
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0042613F
ReleaseDC.USER32(00000000,?), ref: 00426157

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434550, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 177 Total matches: 2669window

Similarity

Total matches: 2669
API ID: InsertMenu$GetVersionInsertMenuItem
String ID: ,$?
API String ID: 1158528009-2308483597
Opcode ID: 3691d3eb49acf7fe282d18733ae3af9147e5be4a4a7370c263688d5644077239
Instruction ID: d88e58a9695d0ecde36b26a9ed5775f3b98e27f7dc2108173ae1ec2afbf22209
Opcode Fuzzy Hash: 7021C07202AE81DBD414788C7954F6221B16B5465FD49FF210329B5DD98F156003FF7A
Instruction Fuzzy Hash: d88e58a9695d0ecde36b26a9ed5775f3b98e27f7dc2108173ae1ec2afbf22209

APIs

GetVersion.KERNEL32(00000000,004347A1), ref: 004345EC
InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 004346F5
InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 0043477E

Part of subcall function 00434A54: CreatePopupMenu.USER32 ref: 00434A6F
Part of subcall function 00434A54: CreateMenu.USER32 ref: 00434A79

InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 00434765

Strings

?, xrefs: 00434607
,, xrefs: 00434600

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00488D70, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 139 Total matches: 17window

Similarity

Total matches: 17
API ID: BitBltCreateCompatibleBitmapCreateCompatibleDCCreateDCSelectObject
String ID: image/jpeg
API String ID: 3045076971-3785015651
Opcode ID: dbe4b5206c04ddfa7cec44dd0e3e3f3269a9d8eacf2ec53212285f1a385d973c
Instruction ID: b6a9b81207b66fd46b40be05ec884117bb921c7e8fb4f30b77988d552b54040a
Opcode Fuzzy Hash: 3001BD010F4EF103E475B5CC3853FF7698AEB17E8AD1A77A20CB8961839202A009F607
Instruction Fuzzy Hash: b6a9b81207b66fd46b40be05ec884117bb921c7e8fb4f30b77988d552b54040a

APIs

CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 00488DAA
CreateCompatibleDC.GDI32(?), ref: 00488DC4
CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 00488DDC
SelectObject.GDI32(?,?), ref: 00488DEC
BitBlt.GDI32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,00CC0020), ref: 00488E15

Part of subcall function 0045FB1C: GdipCreateBitmapFromHBITMAP.GDIPLUS(?,?,?), ref: 0045FB43

Part of subcall function 0045FA24: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,0045FA7A), ref: 0045FA54

Strings

image/jpeg, xrefs: 00488E70

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446834, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 138 Total matches: 241window

Similarity

Total matches: 241
API ID: SetWindowPos$GetWindowRectMessageBoxSetActiveWindow
String ID: (
API String ID: 3733400490-3887548279
Opcode ID: 057cc1c80f110adb1076bc5495aef73694a74091f1d008cb79dd59c6bbc78491
Instruction ID: b10abcdf8b99517cb61353ac0e0d7546e107988409174f4fad3563684715349e
Opcode Fuzzy Hash: 88014C110E8D5483B57334902893FAB110AFB8B789C4CF7F65ED25314A4B45612FA657
Instruction Fuzzy Hash: b10abcdf8b99517cb61353ac0e0d7546e107988409174f4fad3563684715349e

APIs

Part of subcall function 00447BE4: GetActiveWindow.USER32 ref: 00447C0B
Part of subcall function 00447BE4: GetLastActivePopup.USER32(?), ref: 00447C1D

GetWindowRect.USER32(?,?), ref: 004468B6
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 004468EE

Part of subcall function 0043B920: GetCurrentThreadId.KERNEL32(0043B8D0,00000000,00000000,0043B993,?,00000000,0043B9D1), ref: 0043B976
Part of subcall function 0043B920: EnumThreadWindows.USER32(00000000,0043B8D0,00000000), ref: 0043B97C

MessageBoxA.USER32(00000000,?,?,?), ref: 0044692D
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0044697D

Part of subcall function 0043B9E4: IsWindow.USER32(?), ref: 0043B9F2
Part of subcall function 0043B9E4: EnableWindow.USER32(?,000000FF), ref: 0043BA01

SetActiveWindow.USER32(00000000), ref: 0044698E

Strings

(, xrefs: 00446893

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446524, Relevance: 10.6, APIs: 7, Instructions: 105 Total matches: 329window

Similarity

Total matches: 329
API ID: PeekMessage$DispatchMessage$IsWindowUnicodeTranslateMessage
String ID:
API String ID: 94033680-0
Opcode ID: 72d0e2097018c2d171db36cd9dd5c7d628984fd68ad100676ade8b40d7967d7f
Instruction ID: b3581f7210794b57d406096c46509e1a6dcc6e0b3c60c7d01b5c3c410123a072
Opcode Fuzzy Hash: A2F0F642161A8221F90E364651E2FC06559E31F39CCD1D3871165A4192DF8573D6F95C
Instruction Fuzzy Hash: b3581f7210794b57d406096c46509e1a6dcc6e0b3c60c7d01b5c3c410123a072

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00446538
IsWindowUnicode.USER32 ref: 0044654C
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0044656D
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00446583

Part of subcall function 00447DD0: GetCapture.USER32 ref: 00447DDA
Part of subcall function 00447DD0: GetParent.USER32(00000000), ref: 00447E08

Part of subcall function 004462A4: TranslateMDISysAccel.USER32(?), ref: 004462E3

Part of subcall function 004462F4: GetCapture.USER32 ref: 0044631A
Part of subcall function 004462F4: GetParent.USER32(00000000), ref: 00446340
Part of subcall function 004462F4: IsWindowUnicode.USER32(00000000), ref: 0044635D
Part of subcall function 004462F4: SendMessageW.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446378
Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446397
Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(00000000), ref: 004463A6
Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(?,?), ref: 004463B4
Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 004463D4

Part of subcall function 0044625C: IsWindowUnicode.USER32(00000000), ref: 00446270
Part of subcall function 0044625C: IsDialogMessageW.USER32(?), ref: 00446281
Part of subcall function 0044625C: IsDialogMessageA.USER32(?,?,00000000,015B8130,00000001,00446607,?,00000000,00000000,00000000,00000001,?,00000000,00000000,00000000,00000000), ref: 00446296

TranslateMessage.USER32 ref: 0044660C
DispatchMessageW.USER32 ref: 00446618
DispatchMessageA.USER32 ref: 00446620

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004282D0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99 Total matches: 1938

Similarity

Total matches: 1938
API ID: GetWinMetaFileBitsMulDiv$GetDC
String ID: `
API String ID: 1171737091-2679148245
Opcode ID: 97e0afb71fd3017264d25721d611b96d1ac3823582e31f119ebb41a52f378edb
Instruction ID: fd1c75cb27f8ccc4a85bc281ca680933f7ff10ae91a160973978cac80d6b42b6
Opcode Fuzzy Hash: B6F0ACC4008CD2A7D87675DC1043F6311C897CA286E89BB739226A7307CB0AA019EC47
Instruction Fuzzy Hash: fd1c75cb27f8ccc4a85bc281ca680933f7ff10ae91a160973978cac80d6b42b6

APIs

MulDiv.KERNEL32(?,?,000009EC), ref: 00428322
MulDiv.KERNEL32(?,?,000009EC), ref: 00428339
GetDC.USER32(00000000), ref: 00428350
GetWinMetaFileBits.GDI32(?,00000000,00000000,00000008,?), ref: 00428374
GetWinMetaFileBits.GDI32(?,?,?,00000008,?), ref: 004283A7

Part of subcall function 00425A70: GetLastError.KERNEL32(00000000,00425B0C), ref: 00425A90
Part of subcall function 00425A70: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00425B0C), ref: 00425AB6

Strings

`, xrefs: 00428308

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444344, Relevance: 10.6, APIs: 7, Instructions: 89 Total matches: 2886

Similarity

Total matches: 2886
API ID: CreateFontIndirect$GetStockObjectSystemParametersInfo
String ID:
API String ID: 1286667049-0
Opcode ID: beeb678630a8d2ca0f721ed15124802961745e4c56d7c704ecddf8ebfa723626
Instruction ID: b9276e4cea0afd1028da4d528d34847b13dbaab52dc8e94e54053a20ac38a9fc
Opcode Fuzzy Hash: 00F0A4C36341F6F2D8993208742172161E6A74AE78C7CFF62422930ED2661A052EEB4F
Instruction Fuzzy Hash: b9276e4cea0afd1028da4d528d34847b13dbaab52dc8e94e54053a20ac38a9fc

APIs

SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 00444399
CreateFontIndirectA.GDI32(?), ref: 004443A6
GetStockObject.GDI32(0000000D), ref: 004443BC
SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 004443E5
CreateFontIndirectA.GDI32(?), ref: 004443F5
CreateFontIndirectA.GDI32(?), ref: 0044440E

Part of subcall function 00424A5C: MulDiv.KERNEL32(00000000,?,00000048), ref: 00424A69

GetStockObject.GDI32(0000000D), ref: 00444434

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482B34, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 84 Total matches: 10threadsleepmemory

Similarity

Total matches: 10
API ID: ExitThread$CreateThreadLocalAllocSleep
String ID: p)H
API String ID: 1498127831-2549212939
Opcode ID: 5fd7b773879454cb2e984670c3aa9a0c1db83b86d5d790d4145ccd7f391bc9b7
Instruction ID: 053b5e183048797674ca9cdb15cf17692ed61b26d4291f167cbfa930052dd689
Opcode Fuzzy Hash: 65F02E8147579427749271893D807631168A88B349DC47B618A393E5C35D0EB119F7C6
Instruction Fuzzy Hash: 053b5e183048797674ca9cdb15cf17692ed61b26d4291f167cbfa930052dd689

APIs

ExitThread.KERNEL32(00000000,00000000,00482BF9,?,00000000,00482C2E), ref: 00482BA4
LocalAlloc.KERNEL32(00000040,00000008,00000000,00482BF9,?,00000000,00482C2E), ref: 00482BAD
CreateThread.KERNEL32(00000000,00000000,Function_0008298C,00000000,00000000,?), ref: 00482BD6
Sleep.KERNEL32(00000064,00000000,00000000,Function_0008298C,00000000,00000000,?,00000040,00000008,00000000,00482BF9,?,00000000,00482C2E), ref: 00482BDD
ExitThread.KERNEL32(00000000,00000000,00482BF9,?,00000000,00482C2E), ref: 00482BEA

Strings

p)H, xrefs: 00482B48, 00482C1A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428A00, Relevance: 10.6, APIs: 7, Instructions: 66 Total matches: 3056

Similarity

Total matches: 3056
API ID: SelectObject$CreateCompatibleDCDeleteDCGetDCReleaseDCSetDIBColorTable
String ID:
API String ID: 2399757882-0
Opcode ID: e05996493a4a7703f1d90fd319a439bf5e8e75d5a5d7afaf7582bfea387cb30d
Instruction ID: 90c847b5b2251fbb5b2f14fd0b24f537c214c92e226752d9278a3821f2f40b8f
Opcode Fuzzy Hash: 73E0DF8626D8F38BE435399C15C2BB202EAD763D20D1ABBA1CD712B5DB6B09701CE107
Instruction Fuzzy Hash: 90c847b5b2251fbb5b2f14fd0b24f537c214c92e226752d9278a3821f2f40b8f

APIs

Part of subcall function 004262B4: GetObjectA.GDI32(?,00000004), ref: 004262CB
Part of subcall function 004262B4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 004262EE

GetDC.USER32(00000000), ref: 00428A3E
CreateCompatibleDC.GDI32(?), ref: 00428A4A
SelectObject.GDI32(?), ref: 00428A57
SetDIBColorTable.GDI32(?,00000000,00000000,?), ref: 00428A7B
SelectObject.GDI32(?,?), ref: 00428A95
DeleteDC.GDI32(?), ref: 00428A9E
ReleaseDC.USER32(00000000,?), ref: 00428AA9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004442A8, Relevance: 10.6, APIs: 7, Instructions: 57 Total matches: 3149threadwindow

Similarity

Total matches: 3149
API ID: SendMessage$GetCurrentThreadIdGetCursorPosGetWindowThreadProcessIdSetCursorWindowFromPoint
String ID:
API String ID: 3843227220-0
Opcode ID: 636f8612f18a75fc2fe2d79306f1978e6c2d0ee500cce15a656835efa53532b4
Instruction ID: 91a0691e93be75cbd792bc1c5d11451005bcc187603754b99125f381020161aa
Opcode Fuzzy Hash: 6FE07D44093723D5C0644A295640705A6C6CB96630DC0DB86C339580FBAD0214F0BC92
Instruction Fuzzy Hash: 91a0691e93be75cbd792bc1c5d11451005bcc187603754b99125f381020161aa

APIs

GetCursorPos.USER32 ref: 004442C3
WindowFromPoint.USER32(?,?), ref: 004442D0
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004442DE
GetCurrentThreadId.KERNEL32(00000000,00000000,?,?), ref: 004442E5
SendMessageA.USER32(00000000,00000084,00000000,?), ref: 0044430E
SendMessageA.USER32(00000000,00000020,00000000,?), ref: 00444320
SetCursor.USER32(00000000), ref: 00444332

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00404448, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 49 Total matches: 63registry

Similarity

Total matches: 63
API ID: RegCloseKeyRegOpenKeyExRegQueryValueEx
String ID: &$FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 2249749755-409351
Opcode ID: ab90adbf7b939076b4d26ef1005f34fa32d43ca05e29cbeea890055cc8b783db
Instruction ID: ce62e3bb234767a160e82b0d7d36def6f0e4d1aa0fd43ed305e6d49589b0b3e0
Opcode Fuzzy Hash: 58D02BE10C9A675FB6B071543292B6310A3F72AA8CC0077326DD03A0D64FD26178CF03
Instruction Fuzzy Hash: ce62e3bb234767a160e82b0d7d36def6f0e4d1aa0fd43ed305e6d49589b0b3e0

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040446A
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,&,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040449D
RegCloseKey.ADVAPI32(?,004044C0,00000000,?,00000004,00000000,&,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004044B3

Strings

&, xrefs: 00404476
FPUMaskValue, xrefs: 00404494
SOFTWARE\Borland\Delphi\RTL, xrefs: 00404460

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00488B18, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 49 Total matches: 15

Similarity

Total matches: 15
API ID: GetDeviceCaps$CreateDCEnumDisplayMonitors
String ID: DISPLAY$MONSIZE0x0x0x0
API String ID: 764351534-707749442
Opcode ID: 4ad1b1e031ca4c6641bd4b991acf5b812f9c7536f9f0cc4eb1e7d2354d8ae31a
Instruction ID: 74f5256f7b05cb3d54b39a8883d8df7c51a1bc5999892e39300c9a7f2f74089f
Opcode Fuzzy Hash: 94E0C24F6B8BE4A7600672443C237C2878AA6536918523721CB3E36A93DD472205BA15
Instruction Fuzzy Hash: 74f5256f7b05cb3d54b39a8883d8df7c51a1bc5999892e39300c9a7f2f74089f

APIs

CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 00488B3D
GetDeviceCaps.GDI32(00000000,00000008), ref: 00488B47
GetDeviceCaps.GDI32(00000000,0000000A), ref: 00488B54
EnumDisplayMonitors.USER32(00000000,00000000,004889F0,00000000), ref: 00488B85

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

DISPLAY, xrefs: 00488B6E
MONSIZE0x0x0x0, xrefs: 00488B8C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040F3A4, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 46 Total matches: 17

Similarity

Total matches: 17
API ID: FindResourceLoadResource
String ID: 0PI$DVCLAL
API String ID: 2359726220-2981686760
Opcode ID: 800224e7684f9999f87d4ef9ea60951ae4fbd73f3e4075522447f15a278b71b4
Instruction ID: dff53e867301dc3e22b70d9e69622cb382f13005f1a49077cfe6c5f33cacb54d
Opcode Fuzzy Hash: 8FD0C9D501084285852017F8B253FC7A2AB69DEB19D544BB05EB12D2076F5A613B6A46
Instruction Fuzzy Hash: dff53e867301dc3e22b70d9e69622cb382f13005f1a49077cfe6c5f33cacb54d

APIs

FindResourceA.KERNEL32(00400000,DVCLAL,0000000A), ref: 0040F3C1
LoadResource.KERNEL32(00400000,00000000,00400000,DVCLAL,0000000A), ref: 0040F3CF
FindResourceA.KERNEL32(00400000,DVCLAL,0000000A), ref: 0040F3F3
LoadResource.KERNEL32(00400000,00000000,00400000,DVCLAL,0000000A), ref: 0040F3FA

Strings

0PI, xrefs: 0040F3A8, 0040F3B9, 0040F3C7
DVCLAL, xrefs: 0040F3B4, 0040F3EA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00484B30, Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 176 Total matches: 11sleep

Similarity

Total matches: 11
API ID: Sleep
String ID: BTERRORDownload File| Error on downloading file check if you type the correct url...|$BTRESULTDownload File|Mass Download : File Downloaded , Executing new one in temp dir...|$BTRESULTMass Download|Downloading File...|$DownloadFail$DownloadSuccess
API String ID: 3472027048-992323826
Opcode ID: b42a1814c42657d3903e752c8e34c8bac9066515283203de396ee156d6a45bcc
Instruction ID: deaf5eb2465c82228c6b2b1c1dca6568de82910c53d4747ae395a037cbca2448
Opcode Fuzzy Hash: EA2181291B8DE4A7F43B295C2447B5B11119FC2A9AE8D6BB1377A3F0161A42D019723A
Instruction Fuzzy Hash: deaf5eb2465c82228c6b2b1c1dca6568de82910c53d4747ae395a037cbca2448

APIs

Part of subcall function 0048485C: InternetOpenA.WININET(Mozilla,00000001,00000000,00000000,00000000), ref: 0048490C
Part of subcall function 0048485C: InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,04000000,00000000), ref: 00484944
Part of subcall function 0048485C: HttpQueryInfoA.WININET(00000000,00000013,?,00000200,?), ref: 0048497D
Part of subcall function 0048485C: InternetReadFile.WININET(00000000,?,00000400,?), ref: 00484A04
Part of subcall function 0048485C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 00484A75
Part of subcall function 0048485C: InternetCloseHandle.WININET(00000000), ref: 00484A95

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Sleep.KERNEL32(000007D0,?,?,?,?,?,?,?,00000000,00484D9A,?,?,?,?,00000006,00000000), ref: 00484D38

Part of subcall function 00475BD8: closesocket.WSOCK32(00000248,00000000,00475D47,?,00000000,00475D76,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00475D2E
Part of subcall function 00475BD8: GetCurrentProcessId.KERNEL32(00000248,00000000,00475D47,?,00000000,00475D76,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00475D33

Strings

DownloadFail, xrefs: 00484CBC
BTRESULTMass Download|Downloading File...|, xrefs: 00484C52
BTERRORDownload File| Error on downloading file check if you type the correct url...|, xrefs: 00484D0C
BTRESULTDownload File|Mass Download : File Downloaded , Executing new one in temp dir...|, xrefs: 00484CEA
DownloadSuccess, xrefs: 00484CA2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043EC18, Relevance: 9.2, APIs: 6, Instructions: 150 Total matches: 2896

Similarity

Total matches: 2896
API ID: FillRect$BeginPaintEndPaintGetClientRectGetWindowRect
String ID:
API String ID: 2931688664-0
Opcode ID: 677a90f33c4a0bae1c1c90245e54b31fe376033ebf9183cf3cf5f44c7b342276
Instruction ID: 65c0a0a89661e183b73f48e61e48bee5eb6d6399339ac08e0e21072a38132552
Opcode Fuzzy Hash: 9711994A819E5007F47B49C40887BEA1092FBC1FDBCC8FF7025A426BCB0B60564F860B
Instruction Fuzzy Hash: 65c0a0a89661e183b73f48e61e48bee5eb6d6399339ac08e0e21072a38132552

APIs

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?), ref: 0043EC91
GetClientRect.USER32(00000000,?), ref: 0043ECBC
FillRect.USER32(?,?,00000000), ref: 0043ECDB

Part of subcall function 0043EB8C: CallWindowProcA.USER32(?,?,?,?,?), ref: 0043EBC6

Part of subcall function 0043B78C: GetWindowLongA.USER32(?,000000EC), ref: 0043B799
Part of subcall function 0043B78C: SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B7BC
Part of subcall function 0043B78C: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043B7CE

BeginPaint.USER32(?,?), ref: 0043ED53
GetWindowRect.USER32(?,?), ref: 0043ED80

Part of subcall function 0044EEA0: GetWindowOrgEx.GDI32(?), ref: 0044EEAE
Part of subcall function 0044EEA0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044EEC4

Part of subcall function 00455D50: BeginPaint.USER32(00000000,?), ref: 00455D7B
Part of subcall function 00455D50: SaveDC.GDI32(00000000), ref: 00455DB4
Part of subcall function 00455D50: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 00455E36
Part of subcall function 00455D50: RestoreDC.GDI32(00000000,00000000), ref: 00455E6C
Part of subcall function 00455D50: EndPaint.USER32(00000000,?), ref: 00455EA9

EndPaint.USER32(?,?), ref: 0043EDE0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00441160, Relevance: 9.1, APIs: 6, Instructions: 125 Total matches: 196

Similarity

Total matches: 196
API ID: ExcludeClipRectFillRectGetStockObjectRestoreDCSaveDCSetBkColor
String ID:
API String ID: 3049133588-0
Opcode ID: d6019f6cee828ac7391376ab126a0af33bb7a71103bbd3b8d69450c96d22d854
Instruction ID: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c
Opcode Fuzzy Hash: 54012444004F6253F4AB098428E7FA56083F721791CE4FF310786616C34A74615BAA07
Instruction Fuzzy Hash: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c

APIs

Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE

SaveDC.GDI32(?), ref: 004411AD
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00441234
GetStockObject.GDI32(00000004), ref: 00441256
FillRect.USER32(00000000,?,00000000), ref: 0044126F

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(00000000,00000000), ref: 004412BA

Part of subcall function 0042535C: FillRect.USER32(?,00000000,00000000), ref: 00425385

RestoreDC.GDI32(00000000,?), ref: 004412E5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004556F4, Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 353 Total matches: 9

Similarity

Total matches: 9
API ID: DefWindowProcGetCaptureSetWindowPos_TrackMouseEvent
String ID: zC
API String ID: 1140357208-2078053289
Opcode ID: 4b88ffa7e8dc9e0fc55dcf7c85635e39fbe2c17a2618d5290024c367d42a558d
Instruction ID: b57778f77ef7841f174bad60fd8f5a19220f360e114fd8f1822aba38cb5d359d
Opcode Fuzzy Hash: B2513154458FA692E4B3E0417AA3BD27026F7D178AC84EF3027D9224DB7F15B217AB07
Instruction Fuzzy Hash: b57778f77ef7841f174bad60fd8f5a19220f360e114fd8f1822aba38cb5d359d

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000077), ref: 004557E5
DefWindowProcA.USER32(00000000,?,?,?), ref: 00455AEF

Part of subcall function 0044D640: GetCapture.USER32 ref: 0044D640

_TrackMouseEvent.COMCTL32(00000010), ref: 00455A9D

Part of subcall function 00455640: GetCapture.USER32 ref: 00455653

Part of subcall function 004554F4: GetMessagePos.USER32 ref: 00455503
Part of subcall function 004554F4: GetKeyboardState.USER32(?), ref: 00455600

GetCapture.USER32 ref: 00455B5A

Part of subcall function 00451C28: GetKeyboardState.USER32(?), ref: 00451E90

Strings

zC, xrefs: 0045594E, 0045596C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446070, Relevance: 9.1, APIs: 6, Instructions: 99 Total matches: 165window

Similarity

Total matches: 165
API ID: DefWindowProcIsWindowEnabledSetActiveWindowSetFocusSetWindowPosShowWindow
String ID:
API String ID: 81093956-0
Opcode ID: 91e5e05e051b3e2f023c100c42454c78ad979d8871dc5c9cc7008693af0beda7
Instruction ID: aa6e88dcafe1d9e979c662542ea857fd259aca5c8034ba7b6c524572af4b0f27
Opcode Fuzzy Hash: C2F0DD0025452320F892A8044167FBA60622B5F75ACDCD3282197002AEEFE7507ABF14
Instruction Fuzzy Hash: aa6e88dcafe1d9e979c662542ea857fd259aca5c8034ba7b6c524572af4b0f27

APIs

Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773

SetActiveWindow.USER32(?), ref: 0044608F
ShowWindow.USER32(00000000,00000009), ref: 004460B4
IsWindowEnabled.USER32(00000000), ref: 004460D3
DefWindowProcA.USER32(?,00000112,0000F120,00000000), ref: 004460EC

Part of subcall function 00444C44: ShowWindow.USER32(?,00000006), ref: 00444C5F

SetWindowPos.USER32(?,00000000,00000000,?,?,00445ABE,00000000), ref: 00446132
SetFocus.USER32(00000000), ref: 00446180

Part of subcall function 0043FDB4: ShowWindow.USER32(00000000,?), ref: 0043FDEA

Part of subcall function 00445490: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000213), ref: 004454DE

Part of subcall function 004455EC: EnumWindows.USER32(00445518,00000000), ref: 00445620
Part of subcall function 004455EC: ShowWindow.USER32(?,00000000), ref: 00445655
Part of subcall function 004455EC: ShowOwnedPopups.USER32(00000000,?), ref: 00445684
Part of subcall function 004455EC: ShowWindow.USER32(?,00000005), ref: 004456EA
Part of subcall function 004455EC: ShowOwnedPopups.USER32(00000000,?), ref: 00445719

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426564, Relevance: 9.1, APIs: 6, Instructions: 84 Total matches: 3298

Similarity

Total matches: 3298
API ID: GetDeviceCapsGetSystemMetrics$GetDCReleaseDC
String ID:
API String ID: 3173458388-0
Opcode ID: fd9f4716da230ae71bf1f4ec74ceb596be8590d72bfe1d7677825fa15454f496
Instruction ID: 76208f8db54bfa31a4e946745ab37a866a8afca9cd7e1400b1f436bf5add317d
Opcode Fuzzy Hash: 0CF09E4906CDE0A230E245C41213F6290C28E85DA1CCD2F728175646EB900A900BB68A
Instruction Fuzzy Hash: 76208f8db54bfa31a4e946745ab37a866a8afca9cd7e1400b1f436bf5add317d

APIs

GetSystemMetrics.USER32(0000000B), ref: 004265B2
GetSystemMetrics.USER32(0000000C), ref: 004265BE
GetDC.USER32(00000000), ref: 004265DA
GetDeviceCaps.GDI32(00000000,0000000E), ref: 00426601
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042660E
ReleaseDC.USER32(00000000,00000000), ref: 00426647

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004269DC, Relevance: 9.1, APIs: 6, Instructions: 65 Total matches: 3081window

Similarity

Total matches: 3081
API ID: SelectPalette$CreateCompatibleDCDeleteDCGetDIBitsRealizePalette
String ID:
API String ID: 940258532-0
Opcode ID: c5678bed85b02f593c88b8d4df2de58c18800a354d7fb4845608846d7bc0f30b
Instruction ID: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194
Opcode Fuzzy Hash: BCE0864D058EF36F1875B08C25D267100C0C9A25D0917BB6151282339B8F09B42FE553
Instruction Fuzzy Hash: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194

APIs

Part of subcall function 00426888: GetObjectA.GDI32(?,00000054), ref: 0042689C

CreateCompatibleDC.GDI32(00000000), ref: 004269FE
SelectPalette.GDI32(?,?,00000000), ref: 00426A1F
RealizePalette.GDI32(?), ref: 00426A2B
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 00426A42
SelectPalette.GDI32(?,00000000,00000000), ref: 00426A6A
DeleteDC.GDI32(?), ref: 00426A73

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426210, Relevance: 9.1, APIs: 6, Instructions: 56 Total matches: 3064window

Similarity

Total matches: 3064
API ID: SelectObject$CreateCompatibleDCCreatePaletteDeleteDCGetDIBColorTable
String ID:
API String ID: 2522673167-0
Opcode ID: 8f0861977a40d6dd0df59c1c8ae10ba78c97ad85d117a83679491ebdeecf1838
Instruction ID: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265
Opcode Fuzzy Hash: 23E0CD8BABB4E08A797B9EA40440641D28F874312DF4347525731780E7DE0972EBFD9D
Instruction Fuzzy Hash: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265

APIs

CreateCompatibleDC.GDI32(00000000), ref: 00426229
SelectObject.GDI32(00000000,00000000), ref: 00426232
GetDIBColorTable.GDI32(00000000,00000000,00000100,?), ref: 00426246
SelectObject.GDI32(00000000,00000000), ref: 00426252
DeleteDC.GDI32(00000000), ref: 00426258
CreatePalette.GDI32 ref: 0042629F

Part of subcall function 00426178: GetDC.USER32(00000000), ref: 00426190
Part of subcall function 00426178: GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
Part of subcall function 00426178: ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004258EC, Relevance: 9.0, APIs: 6, Instructions: 43 Total matches: 3205

Similarity

Total matches: 3205
API ID: SetBkColorSetBkMode$SelectObjectUnrealizeObject
String ID:
API String ID: 865388446-0
Opcode ID: ffaa839b37925f52af571f244b4bcc9ec6d09047a190f4aa6a6dd435522a71e3
Instruction ID: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d
Opcode Fuzzy Hash: 04D09E594221F71A98E8058442D7D520586497D532DAF3B51063B173F7F8089A05D9FC
Instruction Fuzzy Hash: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d

APIs

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

UnrealizeObject.GDI32(00000000), ref: 004258F8
SelectObject.GDI32(?,00000000), ref: 0042590A
SetBkColor.GDI32(?,00000000), ref: 0042592D
SetBkMode.GDI32(?,00000002), ref: 00425938

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(?,00000000), ref: 00425953
SetBkMode.GDI32(?,00000001), ref: 0042595E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042A930, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 112 Total matches: 272window

Similarity

Total matches: 272
API ID: CreateHalftonePaletteDeleteObjectGetDCReleaseDC
String ID: (
API String ID: 5888407-3887548279
Opcode ID: 4e22601666aff46a46581565b5bf303763a07c2fd17868808ec6dd327d665c82
Instruction ID: f57f3c124764741b0e8e00b5455ad9be4a6e3969f543885727e4b1f2e22c0620
Opcode Fuzzy Hash: 79019E5241CC6117F8D7A6547852F732644AB806A5C80FB707B69BA8CFAB85610EB90B
Instruction Fuzzy Hash: f57f3c124764741b0e8e00b5455ad9be4a6e3969f543885727e4b1f2e22c0620

APIs

GetDC.USER32(00000000), ref: 0042A9EC
CreateHalftonePalette.GDI32(00000000), ref: 0042A9F9
ReleaseDC.USER32(00000000,00000000), ref: 0042AA08
DeleteObject.GDI32(00000000), ref: 0042AA76

Strings

(, xrefs: 0042A9A3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DA48, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 102 Total matches: 32

Similarity

Total matches: 32
API ID: Netbios
String ID: %.2x-%.2x-%.2x-%.2x-%.2x-%.2x$3$memory allocation failed!
API String ID: 544444789-2654533857
Opcode ID: 22deb5ba4c8dd5858e69645675ac88c4b744798eed5cc2a6ae80ae5365d1f156
Instruction ID: 205d53b38d78d2d0723284a20418f6a6cc2e9f6e34ee92e133a3f4b1a01c78c5
Opcode Fuzzy Hash: FC0145449793E233D2635E086C60F6823228F41731FC96B56863A557DC1F09420EF26F
Instruction Fuzzy Hash: 205d53b38d78d2d0723284a20418f6a6cc2e9f6e34ee92e133a3f4b1a01c78c5

APIs

Netbios.NETAPI32(00000032), ref: 0048DA8A
Netbios.NETAPI32(00000033), ref: 0048DB01

Strings

3, xrefs: 0048DACB
memory allocation failed!, xrefs: 0048DAEB
%.2x-%.2x-%.2x-%.2x-%.2x-%.2x, xrefs: 0048DBA0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446EDC, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 98 Total matches: 12timethreadwindow

Similarity

Total matches: 12
API ID: GetCurrentThreadIdSetTimerWaitMessage
String ID: 4PI$TfD
API String ID: 3709936073-2665388893
Opcode ID: a96b87b76615ec2f6bd9a49929a256f28b564bdc467e68e118c3deca706b2d51
Instruction ID: b92290f9b4a80c848b093905c5717a31533565e16cff7f57329368dd8290fbf7
Opcode Fuzzy Hash: E2F0A28141CDF053D573A6183401FD120A6F3465D5CD097723768360EE1ADF603DE14B
Instruction Fuzzy Hash: b92290f9b4a80c848b093905c5717a31533565e16cff7f57329368dd8290fbf7

APIs

Part of subcall function 00446E50: GetCursorPos.USER32 ref: 00446E57

SetTimer.USER32(00000000,00000000,?,00446E74), ref: 00446FAB

Part of subcall function 00446DEC: IsWindowVisible.USER32(00000000), ref: 00446E24
Part of subcall function 00446DEC: IsWindowEnabled.USER32(00000000), ref: 00446E35

GetCurrentThreadId.KERNEL32(00000000,00447029,?,?,?,015B8130), ref: 00446FE5
WaitMessage.USER32 ref: 00447009

Part of subcall function 0041F7B4: GetCurrentThreadId.KERNEL32 ref: 0041F7BF
Part of subcall function 0041F7B4: GetCurrentThreadId.KERNEL32 ref: 0041F7CE
Part of subcall function 0041F7B4: EnterCriticalSection.KERNEL32(004999D0), ref: 0041F813
Part of subcall function 0041F7B4: InterlockedExchange.KERNEL32(00491B2C,?), ref: 0041F82F
Part of subcall function 0041F7B4: LeaveCriticalSection.KERNEL32(004999D0,00000000,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F888
Part of subcall function 0041F7B4: EnterCriticalSection.KERNEL32(004999D0,0041F904,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F8F7

Strings

TfD, xrefs: 00446EFE, 00446F08, 00446F59, 00446F81, 00446FBE, 00446F8E, 00446F69, 00446F6C, 00446F14, 00446F1D
4PI, xrefs: 00446FEA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482320, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85 Total matches: 19threadsleep

Similarity

Total matches: 19
API ID: CreateThreadExitThreadSleep
String ID: @$BTRESULTUDP Flood|UDP Flood task finished!|
API String ID: 2170526433-696998096
Opcode ID: 89b2bcb3a41e7f4c01433908cc75e320bbcd6b665df0f15f136d145bd92b223a
Instruction ID: ba785c08286949be7b8d16e5cc6bc2a647116c61844ba5f345475ef84eb05628
Opcode Fuzzy Hash: F0F02B696BCAA1DFE8075C446C42B9B2054DBC740EDCBA7B2261B235819A4A34073F13
Instruction Fuzzy Hash: ba785c08286949be7b8d16e5cc6bc2a647116c61844ba5f345475ef84eb05628

APIs

Sleep.KERNEL32(00000064,?,00000000,00482455), ref: 004823D3
CreateThread.KERNEL32(00000000,00000000,Function_000821A0,00000000,00000000,?), ref: 004823E8

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000,00000000,00000000,Function_000821A0,00000000,00000000,?,00000064,?,00000000,00482455), ref: 0048242B

Strings

@, xrefs: 004823BE
BTRESULTUDP Flood|UDP Flood task finished!|, xrefs: 00482417

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004827C4, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85 Total matches: 19threadsleep

Similarity

Total matches: 19
API ID: CreateThreadExitThreadSleep
String ID: @$BTRESULTSyn Flood|Syn task finished!|
API String ID: 2170526433-491318438
Opcode ID: 44470ceb4039b0deeebf49dfd608d8deeadfb9ebb9d7d747ae665e3d160d324e
Instruction ID: 0c48cfc9b202c7a9406c9b87cea66b669ffe7f04b2bdabee49179f6eebcccd33
Opcode Fuzzy Hash: 17F02B24A7D9B5DFEC075D402D42BDB6254EBC784EDCAA7B29257234819E1A30037713
Instruction Fuzzy Hash: 0c48cfc9b202c7a9406c9b87cea66b669ffe7f04b2bdabee49179f6eebcccd33

APIs

Sleep.KERNEL32(00000064,?,00000000,004828F9), ref: 00482877
CreateThread.KERNEL32(00000000,00000000,Function_00082630,00000000,00000000,?), ref: 0048288C

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000,00000000,00000000,Function_00082630,00000000,00000000,?,00000064,?,00000000,004828F9), ref: 004828CF

Strings

BTRESULTSyn Flood|Syn task finished!|, xrefs: 004828BB
@, xrefs: 00482862

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00483858, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85 Total matches: 19threadsleep

Similarity

Total matches: 19
API ID: CreateThreadExitThreadSleep
String ID: @$BTRESULTHTTP Flood|Http Flood task finished!|
API String ID: 2170526433-4253556105
Opcode ID: ce1973b24f73c03e98cc87b7d8b3c5c1d23a0e8b985775cb0889d2fdef58f970
Instruction ID: 21c0fad9eccbf28bfd57fbbbc49df069a42e3d2ebba60de991032031fecca495
Opcode Fuzzy Hash: 5DF0F61467DBA0AFEC476D403852FDB6254DBC344EDCAA7B2961B234919A0B50072752
Instruction Fuzzy Hash: 21c0fad9eccbf28bfd57fbbbc49df069a42e3d2ebba60de991032031fecca495

APIs

Sleep.KERNEL32(00000064,?,00000000,0048398D), ref: 0048390B
CreateThread.KERNEL32(00000000,00000000,Function_000836D8,00000000,00000000,?), ref: 00483920

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000,00000000,00000000,Function_000836D8,00000000,00000000,?,00000064,?,00000000,0048398D), ref: 00483963

Strings

@, xrefs: 004838F6
BTRESULTHTTP Flood|Http Flood task finished!|, xrefs: 0048394F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00431630, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68 Total matches: 12clipboard

Similarity

Total matches: 12
API ID: EnumClipboardFormatsGetClipboardData
String ID: 84B
API String ID: 3474394156-4139892337
Opcode ID: cbdc4fb4fee60523561006c9190bf0aca0ea1a398c4033ec61a61d99ebad6b44
Instruction ID: f1c5519afed1b0c95f7f2342b940afc2bc63d918938f195d0c151ba0fb7a00cb
Opcode Fuzzy Hash: 42E0D8922359D127F8C2A2903882B52360966DA6488405B709B6D7D1575551512FF28B
Instruction Fuzzy Hash: f1c5519afed1b0c95f7f2342b940afc2bc63d918938f195d0c151ba0fb7a00cb

APIs

EnumClipboardFormats.USER32(00000000), ref: 00431657
GetClipboardData.USER32(00000000), ref: 00431677
GetClipboardData.USER32(00000009), ref: 00431680
EnumClipboardFormats.USER32(00000000), ref: 0043169F

Strings

84B, xrefs: 00431665

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EA7C, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50 Total matches: 198thread

Similarity

Total matches: 198
API ID: FindWindowExGetCurrentThreadIdGetWindowThreadProcessIdIsWindow
String ID: OleMainThreadWndClass
API String ID: 201132107-3883841218
Opcode ID: cdbacb71e4e8a6832b821703e69153792bbbb8731c9381be4d3b148a6057b293
Instruction ID: 62358f18f5a79d764869bf2b093b0b3ccaeb62bda00a46bd1094c38cdaeeb6b7
Opcode Fuzzy Hash: F8E08C9266CC1095C039EA1C7A2237A3548B7D24E9ED4DB747BEB2716CEF00022A7780
Instruction Fuzzy Hash: 62358f18f5a79d764869bf2b093b0b3ccaeb62bda00a46bd1094c38cdaeeb6b7

APIs

Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00000000,00403029), ref: 004076AD
Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00403029), ref: 004076BE

IsWindow.USER32(?), ref: 0042EA99
FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
GetCurrentThreadId.KERNEL32(?,00000000,00000000,00000000,OleMainThreadWndClass,00000000,?,?,00000000,0042EB52), ref: 0042EB0A

Strings

OleMainThreadWndClass, xrefs: 0042EAC3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043F914, Relevance: 7.7, APIs: 5, Instructions: 174 Total matches: 113window

Similarity

Total matches: 113
API ID: SetMenu$GetMenuSetWindowPos
String ID:
API String ID: 2285096500-0
Opcode ID: d0722823978f30f9d251a310f9061108e88e98677dd122370550f2cde24528f3
Instruction ID: e705ced47481df034b79e2c10a9e9c5239c9913cd23e0c77b7b1ec0a0db802ed
Opcode Fuzzy Hash: 5F118B40961E1266F846164C19EAF1171E6BB9D305CC4E72083E630396BE085027E773
Instruction Fuzzy Hash: e705ced47481df034b79e2c10a9e9c5239c9913cd23e0c77b7b1ec0a0db802ed

APIs

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetMenu.USER32(00000000), ref: 0043FA38
SetMenu.USER32(00000000,00000000), ref: 0043FA55
SetMenu.USER32(00000000,00000000), ref: 0043FA8A
SetMenu.USER32(00000000,00000000), ref: 0043FAA6

Part of subcall function 0043F84C: GetMenu.USER32(00000000), ref: 0043F892
Part of subcall function 0043F84C: SendMessageA.USER32(00000000,00000230,00000000,00000000), ref: 0043F8AA
Part of subcall function 0043F84C: DrawMenuBar.USER32(00000000), ref: 0043F8BB

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043FAED

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434AE4, Relevance: 7.7, APIs: 5, Instructions: 168 Total matches: 2874

Similarity

Total matches: 2874
API ID: DrawTextOffsetRect$DrawEdge
String ID:
API String ID: 1230182654-0
Opcode ID: 4033270dfa35f51a11e18255a4f5fd5a4a02456381e8fcea90fa62f052767fcc
Instruction ID: 6b9e5ef3b45a4a7d0cb501c9f56a29ead01efbe1e1581f942ef4c6a165ab8663
Opcode Fuzzy Hash: A511CB01114D5A93E431240815A7FEF1295FBC1A9BCD4BB71078636DBB2F481017EA7B
Instruction Fuzzy Hash: 6b9e5ef3b45a4a7d0cb501c9f56a29ead01efbe1e1581f942ef4c6a165ab8663

APIs

DrawEdge.USER32(00000000,?,00000006,00000002), ref: 00434BB3
OffsetRect.USER32(?,00000001,00000001), ref: 00434C04
DrawTextA.USER32(00000000,00000000,?,?,?), ref: 00434C3D
OffsetRect.USER32(?,000000FF,000000FF), ref: 00434C4A

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

DrawTextA.USER32(00000000,00000000,?,?,?), ref: 00434CB5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00473208, Relevance: 7.6, APIs: 5, Instructions: 114 Total matches: 15network

Similarity

Total matches: 15
API ID: inet_ntoa$WSAIoctlclosesocketsocket
String ID:
API String ID: 2271367613-0
Opcode ID: 03e2a706dc22aa37b7c7fcd13714bf4270951a4113eb29807a237e9173ed7bd6
Instruction ID: 676ba8df3318004e6f71ddf2b158507320f00f5068622334a9372202104f6e6f
Opcode Fuzzy Hash: A0F0AC403B69D14384153BC72A80F5971A2872F33ED4833999230986D7984CA018F529
Instruction Fuzzy Hash: 676ba8df3318004e6f71ddf2b158507320f00f5068622334a9372202104f6e6f

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00473339), ref: 0047323B
WSAIoctl.WS2_32(000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000), ref: 0047327C
inet_ntoa.WSOCK32(?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000), ref: 004732AC
inet_ntoa.WSOCK32(?,?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001), ref: 004732E8
closesocket.WSOCK32(000000FF,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000,00000000,00473339), ref: 00473319

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004455EC, Relevance: 7.6, APIs: 5, Instructions: 109 Total matches: 230

Similarity

Total matches: 230
API ID: ShowOwnedPopupsShowWindow$EnumWindows
String ID:
API String ID: 1268429734-0
Opcode ID: 27bb45b2951756069d4f131311b8216febb656800ffc3f7147a02f570a82fa35
Instruction ID: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc
Opcode Fuzzy Hash: 70012B5524E87325E2756D54B01C765A2239B0FF08CE6C6654AAE640F75E1E0132F78D
Instruction Fuzzy Hash: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc

APIs

EnumWindows.USER32(00445518,00000000), ref: 00445620
ShowWindow.USER32(?,00000000), ref: 00445655
ShowOwnedPopups.USER32(00000000,?), ref: 00445684
ShowWindow.USER32(?,00000005), ref: 004456EA
ShowOwnedPopups.USER32(00000000,?), ref: 00445719

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004878A4, Relevance: 7.6, APIs: 5, Instructions: 109 Total matches: 11memorythread

Similarity

Total matches: 11
API ID: CloseHandleCreateThreadEnterCriticalSectionLeaveCriticalSectionLocalAlloc
String ID:
API String ID: 3024079611-0
Opcode ID: 4dd964c7e1c4b679be799535e5517f4cba33e810e34606c0a9d5c033aa3fe8c9
Instruction ID: efb3d4a77ffd09126bc7d7eb87c1fe64908b5695ecb93dc64bf5137c0ac50147
Opcode Fuzzy Hash: 7E01288913DAD457BD6068883C86EE705A95BA2508E0C67B34F2E392834F1A5125F283
Instruction Fuzzy Hash: efb3d4a77ffd09126bc7d7eb87c1fe64908b5695ecb93dc64bf5137c0ac50147

APIs

EnterCriticalSection.KERNEL32(0049C3A8,00000000,00487A08), ref: 004878F3

Part of subcall function 00487318: EnterCriticalSection.KERNEL32(0049C3A8,00000000,00487468,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00487347
Part of subcall function 00487318: LeaveCriticalSection.KERNEL32(0049C3A8,0048744D,00487468,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00487440

LocalAlloc.KERNEL32(00000040,00000010,?,0049C3A8,00000000,00487A08), ref: 0048795A
CreateThread.KERNEL32(00000000,00000000,Function_00086E2C,00000000,00000000,?), ref: 004879AE
CloseHandle.KERNEL32(00000000), ref: 004879B4
LeaveCriticalSection.KERNEL32(0049C3A8,004879D8,Function_00086E2C,00000000,00000000,?,00000040,00000010,?,0049C3A8,00000000,00487A08), ref: 004879CB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EB3C, Relevance: 7.6, APIs: 5, Instructions: 86 Total matches: 211window

Similarity

Total matches: 211
API ID: DispatchMessageMsgWaitForMultipleObjectsExPeekMessageTranslateMessageWaitForMultipleObjectsEx
String ID:
API String ID: 1615661765-0
Opcode ID: ed928f70f25773e24e868fbc7ee7d77a1156b106903410d7e84db0537b49759f
Instruction ID: 55a40452e6c929106030349fb2bc1598364ce2fc4e781c2a916e8f687fa462b2
Opcode Fuzzy Hash: DDF05C09614F1D16D8BB88644562B1B2144AB42397C26BFA5529EE3B2D6B18B00AF640
Instruction Fuzzy Hash: 55a40452e6c929106030349fb2bc1598364ce2fc4e781c2a916e8f687fa462b2

APIs

Part of subcall function 0042EA7C: IsWindow.USER32(?), ref: 0042EA99
Part of subcall function 0042EA7C: FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
Part of subcall function 0042EA7C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
Part of subcall function 0042EA7C: GetCurrentThreadId.KERNEL32(?,00000000,00000000,00000000,OleMainThreadWndClass,00000000,?,?,00000000,0042EB52), ref: 0042EB0A

MsgWaitForMultipleObjectsEx.USER32(?,?,?,000000BF,?), ref: 0042EB6A
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 0042EB85
TranslateMessage.USER32(?), ref: 0042EB92
DispatchMessageA.USER32(?), ref: 0042EB9B
WaitForMultipleObjectsEx.KERNEL32(?,?,?,?,00000000), ref: 0042EBC7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434924, Relevance: 7.6, APIs: 5, Instructions: 77 Total matches: 2509window

Similarity

Total matches: 2509
API ID: GetMenuItemCount$DestroyMenuGetMenuStateRemoveMenu
String ID:
API String ID: 4240291783-0
Opcode ID: 32de4ad86fdb0cc9fc982d04928276717e3a5babd97d9cb0bc7430a9ae97d0ca
Instruction ID: cf6877f9ad33401498591f2bf6e6844a5ca439f59e89e6fdb213c81f0c010526
Opcode Fuzzy Hash: 6BE02BD3455E4703F425AB0454E3FA913C4AF51716DA0DB1017359D07B1F26501FE9F4
Instruction Fuzzy Hash: cf6877f9ad33401498591f2bf6e6844a5ca439f59e89e6fdb213c81f0c010526

APIs

Part of subcall function 00434A54: CreatePopupMenu.USER32 ref: 00434A6F
Part of subcall function 00434A54: CreateMenu.USER32 ref: 00434A79

GetMenuItemCount.USER32(00000000), ref: 0043495C
GetMenuState.USER32(00000000,-00000001,00000400), ref: 0043497D
RemoveMenu.USER32(00000000,-00000001,00000400), ref: 00434994
GetMenuItemCount.USER32(00000000), ref: 004349C4
DestroyMenu.USER32(00000000), ref: 004349D1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00443430, Relevance: 7.6, APIs: 5, Instructions: 61 Total matches: 3003

Similarity

Total matches: 3003
API ID: SetWindowLong$GetWindowLongRedrawWindowSetLayeredWindowAttributes
String ID:
API String ID: 3761630487-0
Opcode ID: 9c9d49d1ef37d7cb503f07450c0d4a327eb9b2b4778ec50dcfdba666c10abcb3
Instruction ID: c6d9d2cd31c241e86b7d90949bf59b5cad1e27a78e0073c3828bbb8e9ec94880
Opcode Fuzzy Hash: 6AE06550D41703A1D48114945B63FBBE8817F8911DDE5C71001BA29145BA88A192FF7B
Instruction Fuzzy Hash: c6d9d2cd31c241e86b7d90949bf59b5cad1e27a78e0073c3828bbb8e9ec94880

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 00443464
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 00443496
SetLayeredWindowAttributes.USER32(00000000,?,?,00000000), ref: 004434CF
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 004434E8
RedrawWindow.USER32(00000000,00000000,00000000,00000485), ref: 004434FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426178, Relevance: 7.6, APIs: 5, Instructions: 55 Total matches: 3070window

Similarity

Total matches: 3070
API ID: GetPaletteEntries$GetDCGetDeviceCapsReleaseDC
String ID:
API String ID: 1267235336-0
Opcode ID: 49f91625e0dd571c489fa6fdad89a91e8dd79834746e98589081ca7a3a4fea17
Instruction ID: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836
Opcode Fuzzy Hash: 7CD0C2AA1389DBD6BD6A17842352A4553478983B09D126B32EB0822872850C5039FD1F
Instruction Fuzzy Hash: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836

APIs

GetDC.USER32(00000000), ref: 00426190
GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444B90, Relevance: 7.5, APIs: 5, Instructions: 25 Total matches: 2957synchronizationthread

Similarity

Total matches: 2957
API ID: CloseHandleGetCurrentThreadIdSetEventUnhookWindowsHookExWaitForSingleObject
String ID:
API String ID: 3442057731-0
Opcode ID: bc40a7f740796d43594237fc13166084f8c3b10e9e48d5138e47e82ca7129165
Instruction ID: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1
Opcode Fuzzy Hash: E9C01296B2C9B0C1EC809712340202800B20F8FC590E3DE0509D7363005315D73CD92C
Instruction Fuzzy Hash: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1

APIs

UnhookWindowsHookEx.USER32(00000000), ref: 00444B9F
SetEvent.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBA
GetCurrentThreadId.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBF
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00444BD4
CloseHandle.KERNEL32(00000000), ref: 00444BDF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00487488, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 155 Total matches: 10

Similarity

Total matches: 10
API ID: EnterCriticalSectionLeaveCriticalSectionclosesocket
String ID: FpH
API String ID: 290008508-3698235444
Opcode ID: be6004bcf5111565a748ebf748fe8f94cb6dfae83d2399967abd75ac40b7e6c4
Instruction ID: 3d9c9e21102527a3ccf10666a7ac4716c4c3e43fa569496a7f805cea37bff582
Opcode Fuzzy Hash: 2C11B6219B4656ABDD15ED006C8F38532AE1BABCCAD9A83F2B27F3545E1A0331057292
Instruction Fuzzy Hash: 3d9c9e21102527a3ccf10666a7ac4716c4c3e43fa569496a7f805cea37bff582

APIs

EnterCriticalSection.KERNEL32(0049C3A8,00000000,00487671,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00487016), ref: 004874B5
closesocket.WSOCK32(00000000,FpH,?,?,?,?,0049C3A8,00000000,00487671,?,?,00000000,?,00000000,00000000,00000000), ref: 0048761C
LeaveCriticalSection.KERNEL32(0049C3A8,00487656,00487671,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00487016), ref: 00487649

Strings

FpH, xrefs: 004875BE, 004875C1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040D670, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148 Total matches: 3566thread

Similarity

Total matches: 3566
API ID: GetThreadLocale
String ID: eeee$ggg$yyyy
API String ID: 1366207816-1253427255
Opcode ID: 86fa1fb3c1f239f42422769255d2b4db7643f856ec586a18d45da068e260c20e
Instruction ID: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436
Opcode Fuzzy Hash: 3911BD8712648363D5722818A0D2BE3199C5703CA4EA89742DDB6356EA7F09440BEE6D
Instruction Fuzzy Hash: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436

APIs

GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Strings

eeee, xrefs: 0040D7AE
yyyy, xrefs: 0040D795
ggg, xrefs: 0040D785

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00448CDC, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 128 Total matches: 12

Similarity

Total matches: 12
API ID: ImageList_Draw$ImageList_GetImageCount
String ID: 6B
API String ID: 3589308897-1343726390
Opcode ID: 2690fd2ca55b1b65e67941613c6303a21faec12a0278fdf56c2d44981dc0a60c
Instruction ID: bb1a6af48a08526224ce615e4789a1aefef0bbae6c761038034d4d1812f59c35
Opcode Fuzzy Hash: D8017B814A5DA09FF93335842AE32BB204AE757E4ACCC3FF13684275C78420722BB613
Instruction Fuzzy Hash: bb1a6af48a08526224ce615e4789a1aefef0bbae6c761038034d4d1812f59c35

APIs

ImageList_GetImageCount.COMCTL32(?,?,?,00000000,00448E75), ref: 00448D9D

Part of subcall function 0042535C: FillRect.USER32(?,00000000,00000000), ref: 00425385

ImageList_Draw.COMCTL32(?,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000,00448E75), ref: 00448DDF
ImageList_Draw.COMCTL32(?,00000000,00000000,00000000,00000000,00000010,?,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 00448E0E

Part of subcall function 004488AC: ImageList_Add.COMCTL32(?,00000000,00000000,00000000,0044893E,?,00000000,0044895B), ref: 00448920

Strings

6B, xrefs: 00448D1F, 00448D58

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486094, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 112 Total matches: 15window

Similarity

Total matches: 15
API ID: DispatchMessagePeekMessageTranslateMessage
String ID: @^H
API String ID: 185851025-3554995626
Opcode ID: 2132e19746abd73b79cebe2d4e6b891fdd392e5cfbbdda1538f9754c05474f80
Instruction ID: eb76ea1802a2b415b8915c5eabc8b18207f4e99a378ecd2f436d0820f5175207
Opcode Fuzzy Hash: FF019C4102C7C1D9EE46E4FD3030BC3A454A74A7A6D89A7A03EFD1116A5F8A7116BF2B
Instruction Fuzzy Hash: eb76ea1802a2b415b8915c5eabc8b18207f4e99a378ecd2f436d0820f5175207

APIs

Part of subcall function 00485EAC: shutdown.WSOCK32(00000000,00000002), ref: 00485F0E
Part of subcall function 00485EAC: closesocket.WSOCK32(00000000,00000000,00000002), ref: 00485F19

Part of subcall function 00485F40: socket.WSOCK32(00000002,00000001,00000000,00000000,00486072), ref: 00485F69
Part of subcall function 00485F40: ntohs.WSOCK32(00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485F8F
Part of subcall function 00485F40: inet_addr.WSOCK32(015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FA0
Part of subcall function 00485F40: gethostbyname.WSOCK32(015EAA88,015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FB5
Part of subcall function 00485F40: connect.WSOCK32(00000000,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FD8
Part of subcall function 00485F40: recv.WSOCK32(00000000,0049A3A0,00001FFF,00000000,00000000,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FEF
Part of subcall function 00485F40: recv.WSOCK32(00000000,0049A3A0,00001FFF,00000000,00000000,0049A3A0,00001FFF,00000000,00000000,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000), ref: 0048603F

Part of subcall function 00466AFC: waveInOpen.WINMM(00000094,00000000,?,?,00000000,00010004), ref: 00466B36
Part of subcall function 00466AFC: waveInStart.WINMM(?), ref: 00466B5B

TranslateMessage.USER32(?), ref: 004861CA
DispatchMessageA.USER32(?), ref: 004861D0
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004861DE

Strings

@^H, xrefs: 004860BE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F5E4, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72 Total matches: 26window

Similarity

Total matches: 26
API ID: GetWindowPlacementGetWindowTextIsWindowVisible
String ID: ,
API String ID: 41250382-3772416878
Opcode ID: d98ece8bad481757d152ad7594c705093dec75069e9b5f9ec314c4d81001c558
Instruction ID: 1b57460ef1e40e225087e69e669dd845b9a56fe4f5442601256b4cdd4d0865f6
Opcode Fuzzy Hash: DBE0ABC68782816BD907FDCCB0207E6E1E4779394CC8CBB32C606396E44D92000DCE69
Instruction Fuzzy Hash: 1b57460ef1e40e225087e69e669dd845b9a56fe4f5442601256b4cdd4d0865f6

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F634
GetWindowPlacement.USER32(?,0000002C), ref: 0046F64F
IsWindowVisible.USER32(?), ref: 0046F655

Strings

,, xrefs: 0046F643

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00473448, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 68 Total matches: 15network

Similarity

Total matches: 15
API ID: InternetConnectInternetOpen
String ID: 84G$DCSC
API String ID: 2368555255-1372800958
Opcode ID: 53ce43b2210f5c6ad3b551091bc6b8bee07640da22ed1286f4ed4d69da6ab12a
Instruction ID: e0797c740093838c5f4dac2a7ddd4939bcbe40ebc838de26f806c335dc33f113
Opcode Fuzzy Hash: 1AF0558C09DC81CBED14B5C83C827C7281AB357949E003B91161A372C3DF0A6174FA4F
Instruction Fuzzy Hash: e0797c740093838c5f4dac2a7ddd4939bcbe40ebc838de26f806c335dc33f113

APIs

InternetOpenA.WININET(DCSC,00000000,00000000,00000000,00000000), ref: 00473493
InternetConnectA.WININET(00000000,00000000,00000000,00000000,00000000,00000001,08000000,00000000), ref: 004734D9

Strings

DCSC, xrefs: 0047348E
84G, xrefs: 00473468, 0047350F, 004734AF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00485150, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64 Total matches: 24registry

Similarity

Total matches: 24
API ID: RegCloseKeyRegOpenKeyRegSetValueEx
String ID: Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 551737238-1428018034
Opcode ID: 03d06dea9a4ea131a8c95bd501c85e7d0b73df60e0a15cb9a2dd1ac9fe2d308f
Instruction ID: 259808f008cd29689f11a183a475b32bbb219f99a0f83129d86369365ce9f44d
Opcode Fuzzy Hash: 15E04F8517EAE2ABA996B5C838866F7609A9713790F443FB19B742F18B4F04601CE243
Instruction Fuzzy Hash: 259808f008cd29689f11a183a475b32bbb219f99a0f83129d86369365ce9f44d

APIs

RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 00485199
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,?,00000000,004851DE,?,00000000,0048520A), ref: 004851C6
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,?,00000000,004851DE,?,00000000,0048520A), ref: 004851CF

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 0048518F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004606CC, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 59 Total matches: 75network

Similarity

Total matches: 75
API ID: gethostbynameinet_addr
String ID: %d.%d.%d.%d$0.0.0.0
API String ID: 1594361348-464342551
Opcode ID: 7e59b623bdbf8c44b8bb58eaa9a1d1e7bf08be48a025104469b389075155053e
Instruction ID: 136b4077bafd549567cd44b702fc781b2d0bdeab701521d256d746d30229b047
Opcode Fuzzy Hash: 62E0D84049F633C28038E685914DF713041C71A2DEF8F9352022171EF72B096986AE3F
Instruction Fuzzy Hash: 136b4077bafd549567cd44b702fc781b2d0bdeab701521d256d746d30229b047

APIs

inet_addr.WSOCK32(00000000), ref: 004606F6
gethostbyname.WSOCK32(00000000), ref: 00460711

Strings

%d.%d.%d.%d, xrefs: 0046075E
0.0.0.0, xrefs: 0046076C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043804C, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58 Total matches: 1778window

Similarity

Total matches: 1778
API ID: DrawMenuBarGetMenuItemInfoSetMenuItemInfo
String ID: P
API String ID: 41131186-3110715001
Opcode ID: ea0fd48338f9c30b58f928f856343979a74bbe7af1b6c53973efcbd39561a32d
Instruction ID: eec9c326b6739cd85be96541f469f9b321a478421ae7c7aca53e0c239bd8eefe
Opcode Fuzzy Hash: C8E0C0C1064C1301CCACB4938564F010221FB8B33CDD1D3C051602419A9D0080D4BFFA
Instruction Fuzzy Hash: eec9c326b6739cd85be96541f469f9b321a478421ae7c7aca53e0c239bd8eefe

APIs

GetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 0043809A
SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 004380EC
DrawMenuBar.USER32(00000000), ref: 004380F9

Strings

P, xrefs: 0043808C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474E20, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51 Total matches: 17synchronizationthreadinjection

Similarity

Total matches: 17
API ID: CreateRemoteThreadReadProcessMemoryWaitForSingleObject
String ID: DCPERSFWBP
API String ID: 972516186-2425095734
Opcode ID: c4bd10bfc42c7bc3ca456a767018bd77f736aecaa9343146970cff40bb4593b6
Instruction ID: 075115d4d80338f80b59a5c3f9ea77aa0f3a1cab00edb24ce612801bf173fcc5
Opcode Fuzzy Hash: 63D0A70B97094A56102D348D54027154341A601775EC177E38E36873F719C17051F85E
Instruction Fuzzy Hash: 075115d4d80338f80b59a5c3f9ea77aa0f3a1cab00edb24ce612801bf173fcc5

APIs

Part of subcall function 00474DF0: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,00475328,?,?,00474E3D,DCPERSFWBP,?,?), ref: 00474E06
Part of subcall function 00474DF0: WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,00000000,?,00003000,00000040,?,?,00475328,?,?,00474E3D), ref: 00474E12

CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00474E5E
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00474E6E
ReadProcessMemory.KERNEL32(?,00000000,?,?,?,DCPERSFWBP,?,?), ref: 00474E81

Strings

DCPERSFWBP, xrefs: 00474E28

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C3E4, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47 Total matches: 32libraryloader

Similarity

Total matches: 32
API ID: FreeLibraryGetProcAddressLoadLibrary
String ID: _DCEntryPoint
API String ID: 2438569322-2130044969
Opcode ID: ab6be07d423f29e2cef18b5ad5ff21cef58c0bd0bd6b8b884c8bb9d8d911d098
Instruction ID: 3cba8b520013dd4b177f9c32272ffd10ecf318a20762e1e9fa694429cf7511db
Opcode Fuzzy Hash: B9D0C2568747D413C405200439407D90CF1AF8719F9967FA145303FAD76F09801B7527
Instruction Fuzzy Hash: 3cba8b520013dd4b177f9c32272ffd10ecf318a20762e1e9fa694429cf7511db

APIs

LoadLibraryA.KERNEL32(00000000), ref: 0048C431
GetProcAddress.KERNEL32(00000000,_DCEntryPoint,00000000,0048C473), ref: 0048C442
FreeLibrary.KERNEL32(00000000), ref: 0048C44A

Strings

_DCEntryPoint, xrefs: 0048C43C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E2E0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43 Total matches: 12

Similarity

Total matches: 12
API ID: GetSystemMetrics
String ID: B$MonitorFromRect
API String ID: 96882338-2754499530
Opcode ID: 1842a50c2a1cfa3c1025dca09d4f756f79199febb49279e4604648b2b7edb610
Instruction ID: 6b6d6292007391345a0dd43a7380953c143f03b3d0a4cb72f8cf2ff6a2a574f7
Opcode Fuzzy Hash: E0D0A791112CA408509A0917702924315EE35EBC1599C0BE6976B792E797CABD329E0D
Instruction Fuzzy Hash: 6b6d6292007391345a0dd43a7380953c143f03b3d0a4cb72f8cf2ff6a2a574f7

APIs

GetSystemMetrics.USER32(00000000), ref: 0042E331
GetSystemMetrics.USER32(00000001), ref: 0042E33D

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

MonitorFromRect, xrefs: 0042E2F5
B, xrefs: 0042E2FA, 0042E307, 0042E30E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00431584, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43 Total matches: 12clipboard

Similarity

Total matches: 12
API ID: GetClipboardDataGlobalLockGlobalUnlock
String ID: 3 H
API String ID: 1112492702-888106971
Opcode ID: 013a2f41e22a5f88135e53f1f30c1b54f125933eea5d15d528f5d163d4797a42
Instruction ID: db876d1a574ac817b8a3991f0ba770b49a36090bd3b886d1e57eba999d76a536
Opcode Fuzzy Hash: 53D0A7C3025DE267E991578C0053A92A6C0D8416087C063B0830C2E927031E50AB7063
Instruction Fuzzy Hash: db876d1a574ac817b8a3991f0ba770b49a36090bd3b886d1e57eba999d76a536

APIs

GetClipboardData.USER32(00000001), ref: 0043159A
GlobalLock.KERNEL32(00000000,00000000,004315F6), ref: 004315BA
GlobalUnlock.KERNEL32(00000000,004315FD), ref: 004315E8

Strings

3 H, xrefs: 00431590, 004315ED

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046D36C, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36 Total matches: 62

Similarity

Total matches: 62
API ID: ShellExecute
String ID: /k $[FILE]$open
API String ID: 2101921698-3009165984
Opcode ID: 68a05d7cd04e1a973318a0f22a03b327e58ffdc8906febc8617c9713a9b295c3
Instruction ID: d64fb813625eb261c687c2654e5203d30067de4ace02db37851750b48dd66fbf
Opcode Fuzzy Hash: FED0C75427CD9157FA017F8439527E61057E747281D481BE285587A0838F8D40659312
Instruction Fuzzy Hash: d64fb813625eb261c687c2654e5203d30067de4ace02db37851750b48dd66fbf

APIs

ShellExecuteA.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0046D3B9

Strings

/k , xrefs: 0046D39A
cmd.exe, xrefs: 0046D3AD
open, xrefs: 0046D3B2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042F9E4, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36 Total matches: 35libraryloader

Similarity

Total matches: 35
API ID: GetProcAddressLoadLibrary
String ID: DWMAPI.DLL$DwmExtendFrameIntoClientArea
API String ID: 3291547091-2956373744
Opcode ID: cc41b93bac7ef77e5c5829331b5f2d91e10911707bc9e4b3bb75284856726923
Instruction ID: 611aa7263024d751f308fb3d57e5af9092bc5a71ac2d52dead79affe02cb0da7
Opcode Fuzzy Hash: D0D0A7E4C08511B0F0509405703078241DE1BC5EEE8860E90150E533621B9FB827F65C
Instruction Fuzzy Hash: 611aa7263024d751f308fb3d57e5af9092bc5a71ac2d52dead79affe02cb0da7

APIs

LoadLibraryA.KERNEL32(DWMAPI.DLL), ref: 0042FA0E
GetProcAddress.KERNEL32(00000000,DwmExtendFrameIntoClientArea,?,?,?,00447F98), ref: 0042FA31

Strings

DWMAPI.DLL, xrefs: 0042FA09
DwmExtendFrameIntoClientArea, xrefs: 0042FA26

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042FA80, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31 Total matches: 41libraryloader

Similarity

Total matches: 41
API ID: GetProcAddressLoadLibrary
String ID: DWMAPI.DLL$DwmIsCompositionEnabled
API String ID: 3291547091-2128843254
Opcode ID: 903d86e3198bc805c96c7b960047695f5ec88b3268c29fda1165ed3f3bc36d22
Instruction ID: 6cdb37f6684ca359e010f835ed4616ce0f7732468e0f2b98b5f1960530870703
Opcode Fuzzy Hash: E3D0C9A5C0865175F571D509713068081FA23D6E8A8824998091A123225FAFB866F55C
Instruction Fuzzy Hash: 6cdb37f6684ca359e010f835ed4616ce0f7732468e0f2b98b5f1960530870703

APIs

LoadLibraryA.KERNEL32(DWMAPI.DLL), ref: 0042FAA6
GetProcAddress.KERNEL32(00000000,DwmIsCompositionEnabled,?,?,0042FB22,?,00447EFB), ref: 0042FAC9

Strings

DwmIsCompositionEnabled, xrefs: 0042FABE
DWMAPI.DLL, xrefs: 0042FAA1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040F4AC, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16 Total matches: 3137libraryloader

Similarity

Total matches: 3137
API ID: GetModuleHandleGetProcAddress
String ID: GetDiskFreeSpaceExA$[FILE]
API String ID: 1063276154-3559590856
Opcode ID: c33e0a58fb58839ae40c410e06ae8006a4b80140bf923832b2d6dbd30699e00d
Instruction ID: 9d6a6771c1a736381c701344b3d7b8e37c98dfc5013332f68a512772380f22cc
Opcode Fuzzy Hash: D8B09224E0D54114C4B4560930610013C82738A10E5019A820A1B720AA7CCEEA29603A
Instruction Fuzzy Hash: 9d6a6771c1a736381c701344b3d7b8e37c98dfc5013332f68a512772380f22cc

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0048F10B,00000000,0048F11E), ref: 0040F4B2
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA,kernel32.dll,?,0048F10B,00000000,0048F11E), ref: 0040F4C3

Strings

GetDiskFreeSpaceExA, xrefs: 0040F4BD
kernel32.dll, xrefs: 0040F4AD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EC20, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15 Total matches: 48libraryloader

Similarity

Total matches: 48
API ID: GetModuleHandleGetProcAddress
String ID: CoWaitForMultipleHandles$[FILE]
API String ID: 1063276154-3065170753
Opcode ID: c6d715972c75e747e6d7ad7506eebf8b4c41a2b527cd9bc54a775635c050cd0f
Instruction ID: d81c7de5bd030b21af5c52a75e3162b073d887a4de1eb555b8966bd0fb9ec815
Opcode Fuzzy Hash: 4DB012F9A0C9210CE55F44043163004ACF031C1B5F002FD461637827803F86F437631D
Instruction Fuzzy Hash: d81c7de5bd030b21af5c52a75e3162b073d887a4de1eb555b8966bd0fb9ec815

APIs

GetModuleHandleA.KERNEL32(ole32.dll,?,0042EC9A), ref: 0042EC26
GetProcAddress.KERNEL32(00000000,CoWaitForMultipleHandles,ole32.dll,?,0042EC9A), ref: 0042EC37

Strings

CoWaitForMultipleHandles, xrefs: 0042EC31
ole32.dll, xrefs: 0042EC21

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E724, Relevance: 6.2, APIs: 4, Instructions: 198 Total matches: 19

Similarity

Total matches: 19
API ID: NetApiBufferFree$NetShareEnumNetShareGetInfo
String ID:
API String ID: 1922012051-0
Opcode ID: 7e64b2910944434402afba410b58d9b92ec59018d54871fdfc00dd5faf96720b
Instruction ID: 14ccafa2cf6417a1fbed620c270814ec7f2ac7381c92f106b89344cab9500d3f
Opcode Fuzzy Hash: 522148C606BDA0ABF6A3B4C4B447FC182D07B0B96DE486B2290BABD5C20D9521079263
Instruction Fuzzy Hash: 14ccafa2cf6417a1fbed620c270814ec7f2ac7381c92f106b89344cab9500d3f

APIs

Part of subcall function 004032F8: GetCommandLineA.KERNEL32(00000000,00403349,?,?,?,00000000), ref: 0040330F

Part of subcall function 00403358: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,0046E763,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0040337C
Part of subcall function 00403358: GetCommandLineA.KERNEL32(?,?,?,0046E763,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0040338E

NetShareEnum.NETAPI32(?,00000000,?,000000FF,?,?,?,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0046E79C
NetShareGetInfo.NETAPI32(?,?,000001F6,?,00000000,0046E945,?,?,00000000,?,000000FF,?,?,?,00000000,0046E984), ref: 0046E7D5
NetApiBufferFree.NETAPI32(?,?,?,000001F6,?,00000000,0046E945,?,?,00000000,?,000000FF,?,?,?,00000000), ref: 0046E936
NetApiBufferFree.NETAPI32(?,?,00000000,?,000000FF,?,?,?,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0046E964

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00411444, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: 954335058d5fe722e048a186d9110509c96c1379a47649d8646f5b9e1a2e0a0b
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: 9D014B0327CAAA867021BB004882FA0D2D4DE52A369CD8774DB71593F62780571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004114F3
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041150F
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411586
VariantClear.OLEAUT32(?), ref: 004115AF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040D8AA, Relevance: 6.1, APIs: 4, Instructions: 101 Total matches: 2563

Similarity

Total matches: 2563
API ID: GetModuleFileName$LoadStringVirtualQuery
String ID:
API String ID: 2941097594-0
Opcode ID: 9f707685a8ca2ccbfc71ad53c7f9b5a8f910bda01de382648e3a286d4dcbad8b
Instruction ID: 9b6f9daabaaed01363acd1bc6df000eeaee8c5b1ee04e659690c8b100997f9f3
Opcode Fuzzy Hash: 4C014C024365E386F4234B112882F5492E0DB65DB1E8C6751EFB9503F65F40115EF72D
Instruction Fuzzy Hash: 9b6f9daabaaed01363acd1bc6df000eeaee8c5b1ee04e659690c8b100997f9f3

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040D8C9
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040D8ED
GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040D908
LoadStringA.USER32(00000000,0000FFED,?,00000100), ref: 0040D99E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428848, Relevance: 6.1, APIs: 4, Instructions: 83 Total matches: 2913window

Similarity

Total matches: 2913
API ID: CreateCompatibleDCRealizePaletteSelectObjectSelectPalette
String ID:
API String ID: 3833105616-0
Opcode ID: 7f49dee69bcd38fda082a6c54f39db5f53dba16227df2c2f18840f8cf7895046
Instruction ID: 29ada319a87402adac0eebea4d3b1ef9d21249ffa1523adf5174efdc3c3390a2
Opcode Fuzzy Hash: C0F0E5870BCED49BFCA7D484249722910C2F3C08DFC80A3324E55676DB9604B127A20B
Instruction Fuzzy Hash: 29ada319a87402adac0eebea4d3b1ef9d21249ffa1523adf5174efdc3c3390a2

APIs

Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE

Part of subcall function 00429D5C: GetDC.USER32(00000000), ref: 00429DB2
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429DC7
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00429DD1
Part of subcall function 00429D5C: CreateHalftonePalette.GDI32(00000000), ref: 00429DF5
Part of subcall function 00429D5C: ReleaseDC.USER32(00000000,00000000), ref: 00429E00

CreateCompatibleDC.GDI32(00000000), ref: 0042889D
SelectObject.GDI32(00000000,?), ref: 004288B6
SelectPalette.GDI32(00000000,?,000000FF), ref: 004288DF
RealizePalette.GDI32(00000000), ref: 004288EB

Part of subcall function 00425608: LeaveCriticalSection.KERNEL32(00000038,00000000,00423DD2,00423DE8), ref: 0042560F
Part of subcall function 00425608: EnterCriticalSection.KERNEL32(00499A30,00000038,00000000,00423DD2,00423DE8), ref: 00425619
Part of subcall function 00425608: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000038,00000000,00423DD2,00423DE8), ref: 00425626

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00470B94, Relevance: 6.1, APIs: 4, Instructions: 73 Total matches: 22file

Similarity

Total matches: 22
API ID: DragQueryFile$GlobalLockGlobalUnlock
String ID:
API String ID: 367920443-0
Opcode ID: 498cda1e803d17a6f5118466ea9165dd9226bd8025a920d397bde98fe09ca515
Instruction ID: b8ae27aaf29c7a970dfd4945759f76c89711bef1c6f8db22077be54f479f9734
Opcode Fuzzy Hash: F8F05C830F79E26BD5013A844E0179401A17B03DB8F147BB2D232729DC4E5D409DF60F
Instruction Fuzzy Hash: b8ae27aaf29c7a970dfd4945759f76c89711bef1c6f8db22077be54f479f9734

APIs

Part of subcall function 00431970: GetClipboardData.USER32(00000000), ref: 00431996

GlobalLock.KERNEL32(00000000,00000000,00470C74), ref: 00470BDE
DragQueryFileA.SHELL32(?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470BF0
DragQueryFileA.SHELL32(?,00000000,?,00000105,?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470C10
GlobalUnlock.KERNEL32(00000000,?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470C56

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00438710, Relevance: 6.1, APIs: 4, Instructions: 72 Total matches: 3034window

Similarity

Total matches: 3034
API ID: GetMenuItemIDGetMenuStateGetMenuStringGetSubMenu
String ID:
API String ID: 4177512249-0
Opcode ID: ecc45265f1f2dfcabc36b66648e37788e83d83d46efca9de613be41cbe9cf08e
Instruction ID: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d
Opcode Fuzzy Hash: BEE020084B1FC552541F0A4A1573F019140E142CB69C3F3635127565B31A255213F776
Instruction Fuzzy Hash: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d

APIs

GetMenuState.USER32(?,?,?), ref: 00438733
GetSubMenu.USER32(?,?), ref: 0043873E
GetMenuItemID.USER32(?,?), ref: 00438757
GetMenuStringA.USER32(?,?,?,?,?), ref: 004387AA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00445518, Relevance: 6.1, APIs: 4, Instructions: 71 Total matches: 218threadwindow

Similarity

Total matches: 218
API ID: GetCurrentProcessIdGetWindowGetWindowThreadProcessIdIsWindowVisible
String ID:
API String ID: 3659984437-0
Opcode ID: 6a2b99e3a66d445235cbeb6ae27631a3038d73fb4110980a8511166327fee1f0
Instruction ID: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8
Opcode Fuzzy Hash: 82E0AB21B2AA28AAE0971541B01939130B3F74ED9ACC0A3626F8594BD92F253809E74F
Instruction Fuzzy Hash: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8

APIs

GetWindow.USER32(?,00000004), ref: 00445528
GetWindowThreadProcessId.USER32(?,?), ref: 00445542
GetCurrentProcessId.KERNEL32(?,00000004), ref: 0044554E
IsWindowVisible.USER32(?), ref: 0044559E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B29C, Relevance: 6.1, APIs: 4, Instructions: 58 Total matches: 214window

Similarity

Total matches: 214
API ID: DeleteObject$GetIconInfoGetObject
String ID:
API String ID: 3019347292-0
Opcode ID: d6af2631bec08fa1cf173fc10c555d988242e386d2638a025981433367bbd086
Instruction ID: 7fbc048e39f9dd6e6db5f40543e5f161b145f4c2f282fe4a446dbd8e1941d375
Opcode Fuzzy Hash: F7D0C283228DE2F7ED767D983A636154085F782297C6423B00444730860A1E700C6A03
Instruction Fuzzy Hash: 7fbc048e39f9dd6e6db5f40543e5f161b145f4c2f282fe4a446dbd8e1941d375

APIs

GetIconInfo.USER32(?,?), ref: 0042B2BD
GetObjectA.GDI32(?,00000018,?), ref: 0042B2DE
DeleteObject.GDI32(?), ref: 0042B30A
DeleteObject.GDI32(?), ref: 0042B313

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00445334, Relevance: 6.1, APIs: 4, Instructions: 56 Total matches: 2678

Similarity

Total matches: 2678
API ID: EnumWindowsGetWindowGetWindowLongSetWindowPos
String ID:
API String ID: 1660305372-0
Opcode ID: c3d012854d63b95cd89c42a77d529bdce0f7c5ea0abc138a70ce1ca7fb0ed027
Instruction ID: 7947c1ee61b3a945b06f79495752ea495d4a1fb36974d9d540e15b721e8a8e8a
Opcode Fuzzy Hash: 65E07D89179DA114F52124400911F043342F3D731BD1ADF814246283E39B8522BBFB8C
Instruction Fuzzy Hash: 7947c1ee61b3a945b06f79495752ea495d4a1fb36974d9d540e15b721e8a8e8a

APIs

EnumWindows.USER32(Function_000452BC), ref: 0044535E
GetWindow.USER32(?,00000003), ref: 00445376
GetWindowLongA.USER32(00000000,000000EC), ref: 00445383
SetWindowPos.USER32(00000000,000000EC,00000000,00000000,00000000,00000000,00000213), ref: 004453C2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004314A0, Relevance: 6.1, APIs: 4, Instructions: 56 Total matches: 21memoryclipboard

Similarity

Total matches: 21
API ID: GlobalAllocGlobalLockGlobalUnlockSetClipboardData
String ID:
API String ID: 3535573752-0
Opcode ID: f0e50475fe096c382d27ee33e947bcf8d55d19edebb1ed8108c2663ee63934e9
Instruction ID: 2742e8ac83e55c90e50d408429e67af57535f67fab21309796ee5989aaacba5e
Opcode Fuzzy Hash: D7E0C250025CF01BF9CA69CD3C97E86D2D2DA402649D46FB58258A78B3222E6049E50B
Instruction Fuzzy Hash: 2742e8ac83e55c90e50d408429e67af57535f67fab21309796ee5989aaacba5e

APIs

GlobalAlloc.KERNEL32(00002002,?,00000000,00431572), ref: 004314CF
GlobalLock.KERNEL32(?,00000000,00431544,?,00002002,?,00000000,00431572), ref: 004314E9
SetClipboardData.USER32(?,?), ref: 00431517
GlobalUnlock.KERNEL32(?,0043153A,?,00000000,00431544,?,00002002,?,00000000,00431572), ref: 0043152D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040A404, Relevance: 6.1, APIs: 4, Instructions: 54 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: c8f11cb17e652d385e55d6399cfebc752614be738e382b5839b86fc73ea86396
Instruction ID: 2e292ce978d1af3d415e66e5b982e49a92b9d84a3d1479b7871fac408542b61b
Opcode Fuzzy Hash: 32D02B030B309613452F157D0441F8D7032488F01A96C2F8C37B77ABA68505605FFE4C
Instruction Fuzzy Hash: 2e292ce978d1af3d415e66e5b982e49a92b9d84a3d1479b7871fac408542b61b

APIs

FindNextFileA.KERNEL32(?,?), ref: 0040A415
GetLastError.KERNEL32(?,?), ref: 0040A41E
FileTimeToLocalFileTime.KERNEL32(?), ref: 0040A434
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 0040A443

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0041C2D4, Relevance: 6.1, APIs: 4, Instructions: 51 Total matches: 4966

Similarity

Total matches: 4966
API ID: FindResourceLoadResourceLockResourceSizeofResource
String ID:
API String ID: 3653323225-0
Opcode ID: 735dd83644160b8dcfdcb5d85422b4d269a070ba32dbf009b7750e227a354687
Instruction ID: 615d07274e164157e3e11310b2f920de543c2506028dc961f8b3aaf64374c2fd
Opcode Fuzzy Hash: 4BD0A90A2268C100582C2C80002BBC610830A5FE226CC27F902231BBC32C026024F8C4
Instruction Fuzzy Hash: 615d07274e164157e3e11310b2f920de543c2506028dc961f8b3aaf64374c2fd

APIs

FindResourceA.KERNEL32(?,?,?), ref: 0041C2EB
LoadResource.KERNEL32(?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C305
SizeofResource.KERNEL32(?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C31F
LockResource.KERNEL32(0041BDF4,00000000,?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000), ref: 0041C329

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040A3AC, Relevance: 6.0, APIs: 4, Instructions: 40 Total matches: 51time

Similarity

Total matches: 51
API ID: DosDateTimeToFileTimeGetLastErrorLocalFileTimeToFileTimeSetFileTime
String ID:
API String ID: 3095628216-0
Opcode ID: dc7fe683cb9960f76d0248ee31fd3249d04fe76d6d0b465a838fe0f3e66d3351
Instruction ID: c3399427300e97a0bf23ec08d7f996c3ab3c22a86554ee3675cd901d102723b3
Opcode Fuzzy Hash: F2C0803B165157D71F4F7D7C600375011F0D1778230955B614E019718D4E05F01EFD86
Instruction Fuzzy Hash: c3399427300e97a0bf23ec08d7f996c3ab3c22a86554ee3675cd901d102723b3

APIs

DosDateTimeToFileTime.KERNEL32(?,0048C37F,?), ref: 0040A3C9
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0040A3DA
SetFileTime.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3EC
GetLastError.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3F5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00484388, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 39

Similarity

Total matches: 39
API ID: CloseHandleGetExitCodeProcessOpenProcessTerminateProcess
String ID:
API String ID: 2790531620-0
Opcode ID: 2f64381cbc02908b23ac036d446d8aeed05bad4df5f4c3da9e72e60ace7043ae
Instruction ID: e830ae185e03603e72926048c7063e7464f7d8c572e36ef4319c937be7ad0c91
Opcode Fuzzy Hash: 5DC01285079EAB7B643571D825437E14084D5026CCB943B7185045F10B4B09B43DF053
Instruction Fuzzy Hash: e830ae185e03603e72926048c7063e7464f7d8c572e36ef4319c937be7ad0c91

APIs

OpenProcess.KERNEL32(00000001,00000000,00000000), ref: 00484393
GetExitCodeProcess.KERNEL32(00000000,?), ref: 004843B7
TerminateProcess.KERNEL32(00000000,?,00000000,004843E0,?,00000001,00000000,00000000), ref: 004843C4
CloseHandle.KERNEL32(00000000), ref: 004843DA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044E254, Relevance: 6.0, APIs: 4, Instructions: 37 Total matches: 5751thread

Similarity

Total matches: 5751
API ID: GetCurrentProcessIdGetPropGetWindowThreadProcessIdGlobalFindAtom
String ID:
API String ID: 142914623-0
Opcode ID: 055fee701d7a26f26194a738d8cffb303ddbdfec43439e02886190190dab2487
Instruction ID: e9689aead5eaf442059aa2d418bca5d111d08576717f72d926dd49825766799b
Opcode Fuzzy Hash: 0AC02203AD2E23870E4202F2E840907219583DF8720CA370201B0E38C023F0461DFF0C
Instruction Fuzzy Hash: e9689aead5eaf442059aa2d418bca5d111d08576717f72d926dd49825766799b

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 0044E261
GetCurrentProcessId.KERNEL32(00000000,?,?,-00000010,00000000,0044E2CC,-000000F7,?,00000000,0044DE86,?,-00000010,?), ref: 0044E26A
GlobalFindAtomA.KERNEL32(00000000), ref: 0044E27F
GetPropA.USER32(00000000,00000000), ref: 0044E296

Part of subcall function 0044D2C0: GetWindowThreadProcessId.USER32(?), ref: 0044D2C6
Part of subcall function 0044D2C0: GetCurrentProcessId.KERNEL32(?,?,?,?,0044D346,?,00000000,?,004387ED,?,004378A9), ref: 0044D2CF
Part of subcall function 0044D2C0: SendMessageA.USER32(?,0000C1C7,00000000,00000000), ref: 0044D2E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444B1C, Relevance: 6.0, APIs: 4, Instructions: 34 Total matches: 2966thread

Similarity

Total matches: 2966
API ID: CreateEventCreateThreadGetCurrentThreadIdSetWindowsHookEx
String ID:
API String ID: 2240124278-0
Opcode ID: 54442a1563c67a11f9aee4190ed64b51599c5b098d388fde65e2e60bb6332aef
Instruction ID: 25b62da08cecef26c395931cea73ffe9b62582a88be241cbb158b3c9ea13de32
Opcode Fuzzy Hash: 37D0C940B0DE75C4F860630138017A90633234BF1BCD1C316480F76041C6CFAEF07A28
Instruction Fuzzy Hash: 25b62da08cecef26c395931cea73ffe9b62582a88be241cbb158b3c9ea13de32

APIs

GetCurrentThreadId.KERNEL32(?,00447A69,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00444B34
SetWindowsHookExA.USER32(00000003,00444AD8,00000000,00000000), ref: 00444B44
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00447A69,?,?,?,?,?,?,?,?,?,?), ref: 00444B5F
CreateThread.KERNEL32(00000000,000003E8,00444A7C,00000000,00000000), ref: 00444B83

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B438, Relevance: 6.0, APIs: 4, Instructions: 29 Total matches: 789

Similarity

Total matches: 789
API ID: GetDCGetTextMetricsReleaseDCSelectObject
String ID:
API String ID: 1769665799-0
Opcode ID: db772d9cc67723a7a89e04e615052b16571c955da3e3b2639a45f22e65d23681
Instruction ID: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3
Opcode Fuzzy Hash: DCC02B935A2888C32DE51FC0940084317C8C0E3A248C62212E13D400727F0C007CBFC0
Instruction Fuzzy Hash: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3

APIs

GetDC.USER32(00000000), ref: 0042B441
SelectObject.GDI32(00000000,018A002E), ref: 0042B453
GetTextMetricsA.GDI32(00000000), ref: 0042B45E
ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042473C, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 172 Total matches: 108

Similarity

Total matches: 108
API ID: CompareStringCreateFontIndirect
String ID: Default
API String ID: 480662435-753088835
Opcode ID: 55710f22f10b58c86f866be5b7f1af69a0ec313069c5af8c9f5cd005ee0f43f8
Instruction ID: ad4a051fb67a15694052d05548e5e2a92b9daedfa5d673be67c756d1cf269a99
Opcode Fuzzy Hash: F6116A2104DDB067F8B3EC94B64A74A79D1BBC5E9EC00FB303AA57198A0B01500EEB0E
Instruction Fuzzy Hash: ad4a051fb67a15694052d05548e5e2a92b9daedfa5d673be67c756d1cf269a99

APIs

Part of subcall function 00423A1C: EnterCriticalSection.KERNEL32(?,00423A59), ref: 00423A20

CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,00424930,?,00000000,00424958), ref: 0042486B
CreateFontIndirectA.GDI32(?), ref: 0042490D

Part of subcall function 0042B438: GetDC.USER32(00000000), ref: 0042B441
Part of subcall function 0042B438: SelectObject.GDI32(00000000,018A002E), ref: 0042B453
Part of subcall function 0042B438: GetTextMetricsA.GDI32(00000000), ref: 0042B45E
Part of subcall function 0042B438: ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Part of subcall function 00423A28: LeaveCriticalSection.KERNEL32(-00000008,00423B07,00423B0F), ref: 00423A2C

Strings

Default, xrefs: 00424832, 00424840, 00424841

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045E7B4, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108 Total matches: 16

Similarity

Total matches: 16
API ID: GetActiveObject
String ID: E
API String ID: 888827201-3568589458
Opcode ID: 40ff121eecf195b3d4325bc1369df9dba976ca9c7c575cd6fc43b4b0f55e6955
Instruction ID: ab5b10c220aec983b32735e40d91a884d9f08e665b5304ccd80c3bfe0421d5f3
Opcode Fuzzy Hash: 13019E441FFC9152E583688426C3F4932B26B4FB4AD88B7271A77636A99905000FEE66
Instruction Fuzzy Hash: ab5b10c220aec983b32735e40d91a884d9f08e665b5304ccd80c3bfe0421d5f3

APIs

GetActiveObject.OLEAUT32(?,00000000,00000000), ref: 0045E817

Part of subcall function 0042BE18: ProgIDFromCLSID.OLE32(?), ref: 0042BE21
Part of subcall function 0042BE18: CoTaskMemFree.OLE32(00000000), ref: 0042BE39

Part of subcall function 0042BD90: StringFromCLSID.OLE32(?), ref: 0042BD99
Part of subcall function 0042BD90: CoTaskMemFree.OLE32(00000000), ref: 0042BDB1

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetActiveObject.OLEAUT32(?,00000000,00000000), ref: 0045E89E

Part of subcall function 0042BF5C: GetComputerNameA.KERNEL32(?,00000010), ref: 0042C00D
Part of subcall function 0042BF5C: CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,?,00000000,0042C0FD), ref: 0042C07D
Part of subcall function 0042BF5C: CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 0042C0B6

Part of subcall function 00405D28: SysFreeString.OLEAUT32(7942540A), ref: 00405D36

Part of subcall function 0042BE44: CoCreateInstance.OLE32(?,00000000,00000005,0042BF34,00000000), ref: 0042BE8B

Strings

E, xrefs: 0045E85F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E3F0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103 Total matches: 30

Similarity

Total matches: 30
API ID: SHGetPathFromIDListSHGetSpecialFolderLocation
String ID: .LNK
API String ID: 739551631-2547878182
Opcode ID: 6b91e9416f314731ca35917c4d41f2341f1eaddd7b94683245f35c4551080332
Instruction ID: e6ae6f63a256f5e8788dfe1c4fce17057cd352befa637d7beb5ae1c0f18a968e
Opcode Fuzzy Hash: 9701B543079EC2A3D9232E512D43BA60129AF11E22F4C77F35A3C3A7D11E500105FA4A
Instruction Fuzzy Hash: e6ae6f63a256f5e8788dfe1c4fce17057cd352befa637d7beb5ae1c0f18a968e

APIs

SHGetSpecialFolderLocation.SHELL32(00000000,00000010,?), ref: 0046E44B
SHGetPathFromIDListA.SHELL32(?,?,00000000,00000010,?,00000000,0046E55E), ref: 0046E463

Part of subcall function 0042BE44: CoCreateInstance.OLE32(?,00000000,00000005,0042BF34,00000000), ref: 0042BE8B

Strings

.LNK, xrefs: 0046E4DE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00472C70, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 98 Total matches: 26

Similarity

Total matches: 26
API ID: SetFileAttributes
String ID: I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!$drivers\etc\hosts
API String ID: 3201317690-57959411
Opcode ID: de1fcf5289fd0d37c0d7642ff538b0d3acf26fbf7f5b53187118226b7e9f9585
Instruction ID: 1f69c6cfd5524e6f1e55c33e322de11738733e7ba85079705839c212502733fc
Opcode Fuzzy Hash: C4012B430F74D723D5173D857800B8922764B4A179D4A77F34B3B796E14E45101BF26D
Instruction Fuzzy Hash: 1f69c6cfd5524e6f1e55c33e322de11738733e7ba85079705839c212502733fc

APIs

Part of subcall function 004719C8: GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 004719DF

SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00472DAB,?,00000000,00472DE7), ref: 00472D16

Strings

drivers\etc\hosts, xrefs: 00472CD3, 00472D00
I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!, xrefs: 00472D8D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004629C0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 91 Total matches: 35com

Similarity

Total matches: 35
API ID: CoCreateInstance
String ID: <*I$L*I
API String ID: 206711758-935359969
Opcode ID: 926ebed84de1c4f5a0cff4f8c2e2da7e6b2741b3f47b898da21fef629141a3d9
Instruction ID: fa8d7291222113e0245fa84df17397d490cbd8a09a55d837a8cb9fde22732a4b
Opcode Fuzzy Hash: 79F02EA00A6B5057F502728428413DB0157E74BF09F48EB715253335860F29E22A6903
Instruction Fuzzy Hash: fa8d7291222113e0245fa84df17397d490cbd8a09a55d837a8cb9fde22732a4b

APIs

CoCreateInstance.OLE32(00492A3C,00000000,00000001,0049299C,00000000), ref: 00462A3F

Strings

<*I, xrefs: 00462A39
L*I, xrefs: 00462A60

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004658F4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91 Total matches: 91memory

Similarity

Total matches: 91
API ID: VirtualFreeVirtualProtect
String ID: FinalizeSections: VirtualProtect failed
API String ID: 636303360-3584865983
Opcode ID: eacfc3cf263d000af2bbea4d1e95e0ccf08e91c00f24ffdf9b55ce997f25413f
Instruction ID: a25c5a888a9fda5817e5b780509016ca40cf7ffd1ade20052d4c48f0177e32df
Opcode Fuzzy Hash: 8CF0A7A2164FC596D9E4360D5003B96A44B6BC1369D4857412FFF106F35E46A06B7D4C
Instruction Fuzzy Hash: a25c5a888a9fda5817e5b780509016ca40cf7ffd1ade20052d4c48f0177e32df

APIs

VirtualFree.KERNEL32(?,?,00004000), ref: 00465939
VirtualProtect.KERNEL32(?,?,00000000,?), ref: 004659A5

Strings

FinalizeSections: VirtualProtect failed, xrefs: 004659B3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00404B2E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83 Total matches: 27

Similarity

Total matches: 27
API ID: UnhandledExceptionFilter
String ID: @
API String ID: 324268079-2726393805
Opcode ID: 404135c81fb2f5f5ca58f8e75217e0a603ea6e07d48b6f32e279dfa7f56b0152
Instruction ID: c84c814e983b35b1fb5dae0ae7b91a26e19a660e9c4fa24becd8f1ddc27af483
Opcode Fuzzy Hash: CDF0246287E8612AD0BB6641389337E1451EF8189DC88DB307C9A306FB1A4D22A4F34C
Instruction Fuzzy Hash: c84c814e983b35b1fb5dae0ae7b91a26e19a660e9c4fa24becd8f1ddc27af483

APIs

UnhandledExceptionFilter.KERNEL32(00000006), ref: 00404B9A
UnhandledExceptionFilter.KERNEL32(?), ref: 00404BD7

Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00000000,00403029), ref: 004076AD
Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00403029), ref: 004076BE

Strings

@, xrefs: 00404B55

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040C028, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79 Total matches: 3032thread

Similarity

Total matches: 3032
API ID: GetDateFormatGetThreadLocale
String ID: yyyy
API String ID: 358233383-3145165042
Opcode ID: a9ef5bbd8ef47e5bcae7fadb254d6b5dc10943448e4061dc92b10bb97dc7929c
Instruction ID: 3d7ab4add3e8180159f8482215856afc9a1a963464e366b4ca05c92ac214afea
Opcode Fuzzy Hash: 09F09E4A0397D3D76802C969D023BC10194EB5A8B2C88B3B1DBB43D7F74C10C40AAF21
Instruction Fuzzy Hash: 3d7ab4add3e8180159f8482215856afc9a1a963464e366b4ca05c92ac214afea

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,0040C116), ref: 0040C0AE
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100), ref: 0040C0B4

Strings

yyyy, xrefs: 0040C089

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004889F0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 72 Total matches: 20

Similarity

Total matches: 20
API ID: GetMonitorInfo
String ID: H$MONSIZE
API String ID: 2399315694-578782711
Opcode ID: fcbd22419a9fe211802b34775feeb9b9cd5c1eab3f2b681a58b96c928ed20dcd
Instruction ID: 58dff39716ab95f400833e95f8353658d64ab2bf0589c4ada55bb24297febcec
Opcode Fuzzy Hash: A0F0E957075E9D5BE7326D883C177C042D82342C5AE8EB75741B9329B20D59511DF3C9
Instruction Fuzzy Hash: 58dff39716ab95f400833e95f8353658d64ab2bf0589c4ada55bb24297febcec

APIs

GetMonitorInfoA.USER32(?,00000048), ref: 00488A28

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

H, xrefs: 00488A19
MONSIZE, xrefs: 00488A65

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486210, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66 Total matches: 14network

Similarity

Total matches: 14
API ID: recvsend
String ID: EndReceive
API String ID: 740075404-1723565878
Opcode ID: 0642aeb2bf09005660d41f125a1d03baad4e76b78f36ec5b7dd5d239cf09d5cc
Instruction ID: 216cfea4cb83c20b808547ecb65d31b60c96cf6878345f9c489041ca4988cdb5
Opcode Fuzzy Hash: 4FE02B06133A455DE6270580341A3C7F947772B705E47D7F14FA4311DACA43322AE70B
Instruction Fuzzy Hash: 216cfea4cb83c20b808547ecb65d31b60c96cf6878345f9c489041ca4988cdb5

APIs

Part of subcall function 00466470: acmStreamConvert.MSACM32(?,00000108,00000000), ref: 004664AB
Part of subcall function 00466470: acmStreamReset.MSACM32(?,00000000,?,00000108,00000000), ref: 004664B9

send.WSOCK32(00000000,0049A3A0,00000000,00000000), ref: 004862AA
recv.WSOCK32(00000000,0049A3A0,00001FFF,00000000,00000000,0049A3A0,00000000,00000000), ref: 004862C1

Part of subcall function 00475F68: send.WSOCK32(?,00000000,?,00000000,00000000,00475FCA), ref: 00475FAF

Strings

EndReceive, xrefs: 004862CA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004843EC, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52 Total matches: 15

Similarity

Total matches: 15
API ID: CloseHandleOpenProcess
String ID: ACCESS DENIED (x64)
API String ID: 39102293-185273294
Opcode ID: a572bc7c6731d9d91b92c5675ac9d9d4c0009ce4d4d6c6579680fd2629dc7de7
Instruction ID: 96dec37c68e2c881eb92ad81010518019459718a977f0d9739e81baf42475d3b
Opcode Fuzzy Hash: EBE072420B68F08FB4738298640028100C6AE862BCC486BB5523B391DB4E49A008B6A3
Instruction Fuzzy Hash: 96dec37c68e2c881eb92ad81010518019459718a977f0d9739e81baf42475d3b

APIs

OpenProcess.KERNEL32(001F0FFF,00000000), ref: 0048440F
CloseHandle.KERNEL32(00000000), ref: 00484475

Strings

ACCESS DENIED (x64), xrefs: 004843FD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E408, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44 Total matches: 2190

Similarity

Total matches: 2190
API ID: GetSystemMetrics
String ID: MonitorFromPoint
API String ID: 96882338-1072306578
Opcode ID: 666203dad349f535e62b1e5569e849ebaf95d902ba2aa8f549115cec9aadc9dc
Instruction ID: 9e90a3aeaa9df0e76633c437836624889fea8714b6c2508f44f8acb6986c90e8
Opcode Fuzzy Hash: 72D09540005C404E9427F505302314050862CD7C1444C0A96073728A4B4BC07837E70C
Instruction Fuzzy Hash: 9e90a3aeaa9df0e76633c437836624889fea8714b6c2508f44f8acb6986c90e8

APIs

GetSystemMetrics.USER32(00000000), ref: 0042E456
GetSystemMetrics.USER32(00000001), ref: 0042E468

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

MonitorFromPoint, xrefs: 0042E41A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00405026, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43 Total matches: 29

Similarity

Total matches: 29
API ID: UnhandledExceptionFilter
String ID: @$@
API String ID: 324268079-1993891284
Opcode ID: 08651bee2e51f7c203f2bcbc4971cbf38b3c12a2f284cd033f2f36121a1f9316
Instruction ID: 09869fe21a55f28103c5e2f74b220912f521d4c5ca74f0421fb5e508a020f7c0
Opcode Fuzzy Hash: 83E0CD9917D5514BE0755684259671E1051EF05825C4A8F316D173C1FB151A11E4F77C
Instruction Fuzzy Hash: 09869fe21a55f28103c5e2f74b220912f521d4c5ca74f0421fb5e508a020f7c0

APIs

UnhandledExceptionFilter.KERNEL32(00000006), ref: 00405047

Strings

@, xrefs: 00405080
@, xrefs: 004050A2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004319C4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43 Total matches: 10clipboard

Similarity

Total matches: 10
API ID: EnumClipboardFormats
String ID: 84B
API String ID: 3596886676-4139892337
Opcode ID: b1462d8625ddb51b2d31736c791a41412de0acc99cd040f5562c49b894f36a34
Instruction ID: 9fe3e5fa4cb89e8a0f94f97538fc14217740b2e6ec0d3bb9a3290716fcbe2ff9
Opcode Fuzzy Hash: 96D0A79223ECD863E9EC2359145BD47254F08D22554440B315E1B6DA13E520181FF58F
Instruction Fuzzy Hash: 9fe3e5fa4cb89e8a0f94f97538fc14217740b2e6ec0d3bb9a3290716fcbe2ff9

APIs

EnumClipboardFormats.USER32(00000000), ref: 004319E8
EnumClipboardFormats.USER32(00000000), ref: 00431A0E

Strings

84B, xrefs: 004319F6

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00422188, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42 Total matches: 16registry

Similarity

Total matches: 16
API ID: RegSetValueEx
String ID: NoControlPanel$tdA
API String ID: 3711155140-1355984343
Opcode ID: 5e8bf8497a5466fff8bc5eb4e146d5dc6a0602752481f5dd4d5504146fb4de3d
Instruction ID: cdf02c1bfc0658aace9b7e9a135c824c3cff313d703079df6a374eed0d2e646e
Opcode Fuzzy Hash: E2D0A75C074881C524D914CC3111E01228593157AA49C3F52875D627F70E00E038DD1E
Instruction Fuzzy Hash: cdf02c1bfc0658aace9b7e9a135c824c3cff313d703079df6a374eed0d2e646e

APIs

RegSetValueExA.ADVAPI32(?,00000000,00000000,00000000,?,?,004724E0,00000000,004724E0), ref: 004221BA

Strings

NoControlPanel, xrefs: 00422188
tdA, xrefs: 004221D0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E258, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39 Total matches: 3131

Similarity

Total matches: 3131
API ID: GetSystemMetrics
String ID: GetSystemMetrics
API String ID: 96882338-96882338
Opcode ID: bbc54e4b5041dfa08de2230ef90e8f32e1264c6e24ec09b97715d86cc98d23e9
Instruction ID: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c
Opcode Fuzzy Hash: B4D0A941986AA908E0AF511971A336358D163D2EA0C8C8362308B329EB5741B520AB01
Instruction Fuzzy Hash: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c

APIs

GetSystemMetrics.USER32(?), ref: 0042E2BA

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

GetSystemMetrics.USER32(?), ref: 0042E280

Strings

GetSystemMetrics, xrefs: 0042E268

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Process Name: test.exe.exe Analysis ID: 40573

General

Root Process Name:	regdrv.exe
Process MD5:	0D5A48D9FDC26E038BAF3D507CAF4DD5
Total matches:	228
Initial Analysis Report:	Open
Initial sample Analysis ID:	40573
Initial sample SHA 256:	333B2CE2B84DCE43AFBDD265DD6105FE317D29F260FF2366F3CCB90D39B19BE6
Initial sample name:	test.ex.exe

Similar Executed Functions

Function 004818F8, Relevance: 49.2, APIs: 10, Strings: 18, Instructions: 236 Total matches: 18keyboard

Similarity

Total matches: 18
API ID: GetKeyState$CallNextHookEx$GetKeyboardStateMapVirtualKeyToAscii
String ID: [<-]$[DEL]$[DOWN]$[ESC]$[F1]$[F2]$[F3]$[F4]$[F5]$[F6]$[F7]$[F8]$[INS]$[LEFT]$[NUM_LOCK]$[RIGHT]$[SNAPSHOT]$[UP]
API String ID: 2409940449-52828794
Opcode ID: b9566e8c43a4051c07ac84d60916a303a7beb698efc358184a9cd4bc7b664fbd
Instruction ID: 41c13876561f3d94aafb9dcaf6d0e9d475a0720bb5103e60537e1bfe84b96b73
Opcode Fuzzy Hash: 0731B68AA7159623D437E2D97101B910227BF975D0CC1A3333EDA3CAE99E900114BF25
Instruction Fuzzy Hash: 41c13876561f3d94aafb9dcaf6d0e9d475a0720bb5103e60537e1bfe84b96b73

APIs

CallNextHookEx.USER32(000601F9,00000000,?,?), ref: 00481948

Part of subcall function 004818E0: MapVirtualKeyA.USER32(00000000,00000000), ref: 004818E6

CallNextHookEx.USER32(000601F9,00000000,00000100,?), ref: 0048198C
GetKeyState.USER32(00000014), ref: 00481C4E
GetKeyState.USER32(00000011), ref: 00481C60
GetKeyState.USER32(000000A0), ref: 00481C75
GetKeyState.USER32(000000A1), ref: 00481C8A
GetKeyboardState.USER32(?), ref: 00481CA5
MapVirtualKeyA.USER32(00000000,00000000), ref: 00481CD7
ToAscii.USER32(00000000,00000000,00000000,00000000,?), ref: 00481CDE

Part of subcall function 00481318: ExitThread.KERNEL32(00000000,00000000,00481687,?,00000000,004816C3,?,?,?,?,0000000C,00000000,00000000), ref: 0048135E
Part of subcall function 00481318: CreateThread.KERNEL32(00000000,00000000,Function_000810D4,00000000,00000000,00499F94), ref: 0048162D

CallNextHookEx.USER32(000601F9,00000000,?,?), ref: 00481D3C

Strings

[LEFT], xrefs: 00481C07
[F3], xrefs: 00481B65
[DOWN], xrefs: 00481C2B
[<-], xrefs: 00481B1D
[NUM_LOCK], xrefs: 00481B2F
[RIGHT], xrefs: 00481C19
[F7], xrefs: 00481BAD
[DEL], xrefs: 00481BD1
[UP], xrefs: 00481C3D
[F4], xrefs: 00481B77
[ESC], xrefs: 00481AE7
[F8], xrefs: 00481BBF
[F5], xrefs: 00481B89
[F1], xrefs: 00481B41
[INS], xrefs: 00481BE3
[F6], xrefs: 00481B9B
[SNAPSHOT], xrefs: 00481BF5
[F2], xrefs: 00481B53

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00406C2C, Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184 Total matches: 2899registrystringlibrary

Similarity

Total matches: 2899
API ID: lstrcpyn$LoadLibraryExRegOpenKeyEx$RegQueryValueEx$GetLocaleInfoGetModuleFileNameGetThreadLocaleRegCloseKeylstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 3567661987-2375825460
Opcode ID: a3b1251d448c01bd6f1cc1c42774547fa8a2e6c4aa6bafad0bbf1d0ca6416942
Instruction ID: a303aaa8438224c55303324eb01105260f59544aa3820bfcbc018d52edb30607
Opcode Fuzzy Hash: 7311914307969393E8871B6124157D513A5AF01F30E4A7BF275F0206EABE46110CFA06
Instruction Fuzzy Hash: a303aaa8438224c55303324eb01105260f59544aa3820bfcbc018d52edb30607

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,00400000,004917C0), ref: 00406C48
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,004917C0), ref: 00406C66
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,004917C0), ref: 00406C84
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00406CA2

Part of subcall function 00406A68: GetModuleHandleA.KERNEL32(kernel32.dll,?,00400000,004917C0), ref: 00406A85
Part of subcall function 00406A68: GetProcAddress.KERNEL32(?,GetLongPathNameA,kernel32.dll,?,00400000,004917C0), ref: 00406A9C
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,?,00400000,004917C0), ref: 00406ACC
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B30
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B66
Part of subcall function 00406A68: FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B79
Part of subcall function 00406A68: FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B8B
Part of subcall function 00406A68: lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B97
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000), ref: 00406BCB
Part of subcall function 00406A68: lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00406BD7
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 00406BF9

RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,00406D31,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00406CEB
RegQueryValueExA.ADVAPI32(?,00406E98,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00406D31,?,80000001), ref: 00406D09
RegCloseKey.ADVAPI32(?,00406D38,00000000,?,?,00000000,00406D31,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00406D2B
lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00406D48
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00406D55
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00406D5B
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00406D86
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406DCD
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406DDD
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406E05
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406E15
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00406E3B
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 00406E4B

Strings

Software\Borland\Locales, xrefs: 00406C5C, 00406C7A
Software\Borland\Delphi\Locales, xrefs: 00406C98

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004865E0, Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 218 Total matches: 6networkwindowsleep

Similarity

Total matches: 6
API ID: DispatchMessagePeekMessageSleepTranslateMessageclosesocketconnectgethostbynameinet_addrntohsrecvshutdownsocket
String ID: AI$`cH
API String ID: 3460500621-1903509725
Opcode ID: 160ec415bf9cde1d180925ab74ab35c458bf35a5a8942b744c9c50ea7885072b
Instruction ID: bff04fe52ff06702a52ed8e0aeaacb9a4f873de297662bc347fa8b812471f346
Opcode Fuzzy Hash: A1318B84078ED51EE4327F307841F4B1295BFD6634E4597D68772396D22F01541EF91E
Instruction Fuzzy Hash: bff04fe52ff06702a52ed8e0aeaacb9a4f873de297662bc347fa8b812471f346

APIs

Sleep.KERNEL32(000000C8), ref: 00486682
TranslateMessage.USER32(?), ref: 00486690
DispatchMessageA.USER32(?), ref: 0048669C
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004866B0
socket.WSOCK32(00000002,00000001,00000000,?,00000000,00000000,00000000,00000001,000000C8), ref: 004866CE
ntohs.WSOCK32(00000774,00000002,00000001,00000000,?,00000000,00000000,00000000,00000001,000000C8), ref: 004866F8
inet_addr.WSOCK32(015EAA88,00000774,00000002,00000001,00000000,?,00000000,00000000,00000000,00000001,000000C8), ref: 00486709
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774,00000002,00000001,00000000,?,00000000,00000000,00000000,00000001,000000C8), ref: 0048671F
connect.WSOCK32(00000248,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000,?,00000000,00000000,00000000,00000001,000000C8), ref: 00486744

Part of subcall function 0041FA34: GetLastError.KERNEL32(00486514,00000004,0048650C,00000000,0041FADE,?,00499F5C), ref: 0041FA94

Part of subcall function 0041FC40: SetThreadPriority.KERNEL32(?,015CDB28,00499F5C,?,0047EC9E,?,?,?,00000000,00000000,?,0049062B), ref: 0041FC55

Part of subcall function 0041FEF0: ResumeThread.KERNEL32(?,00499F5C,?,0047ECAA,?,?,?,00000000,00000000,?,0049062B), ref: 0041FEF8

recv.WSOCK32(00000248,?,00002000,00000000,00000248,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000,?,00000000,00000000,00000000), ref: 004867CD
shutdown.WSOCK32(00000248,00000001,00000248,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000,?,00000000,00000000,00000000,00000001,000000C8), ref: 00486881
closesocket.WSOCK32(00000248,00000248,00000001,00000248,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000,?,00000000,00000000,00000000,00000001), ref: 0048688E

Part of subcall function 00405D40: SysFreeString.OLEAUT32(?), ref: 00405D53

Part of subcall function 00486528: shutdown.WSOCK32(00000248,00000002,00000001,004867E2,00000248,?,00002000,00000000,00000248,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000), ref: 004865BC
Part of subcall function 00486528: closesocket.WSOCK32(00000248,00000248,00000002,00000001,004867E2,00000248,?,00002000,00000000,00000248,00000002,00000010,015EAA88,00000774,00000002,00000001), ref: 004865C9

Strings

AI, xrefs: 0048681D
`cH, xrefs: 00486760

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00406D38, Relevance: 15.1, APIs: 10, Instructions: 98 Total matches: 2843stringlibrarythread

Similarity

Total matches: 2843
API ID: lstrcpyn$LoadLibraryEx$GetLocaleInfoGetThreadLocalelstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 2476548892-2375825460
Opcode ID: 37afa4b59127376f4a6833a35b99071d0dffa887068a3353cca0b5e1e5cd2bc3
Instruction ID: 0c520f96d45b86b238466289d2a994e593252e78d5c30d2048b7af96496f657b
Opcode Fuzzy Hash: 4CF0C883479793A7E04B1B422916AC853A4AF00F30F577BE1B970147FE7D1B240CA519
Instruction Fuzzy Hash: 0c520f96d45b86b238466289d2a994e593252e78d5c30d2048b7af96496f657b

APIs

lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00406D48
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00406D55
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00406D5B
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00406D86
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406DCD
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406DDD
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406E05
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406E15
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00406E3B
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 00406E4B

Strings

Software\Borland\Locales, xrefs: 00406C5C, 00406C7A
Software\Borland\Delphi\Locales, xrefs: 00406C98

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AEA8, Relevance: 9.1, APIs: 6, Instructions: 108 Total matches: 122

Similarity

Total matches: 122
API ID: AdjustTokenPrivilegesCloseHandleGetCurrentProcessGetLastErrorLookupPrivilegeValueOpenProcessToken
String ID:
API String ID: 1655903152-0
Opcode ID: c92d68a2c1c5faafb4a28c396f292a277a37f0b40326d7f586547878ef495775
Instruction ID: 5a044237aac15a3989e4021d08b96f5326c338692d3d0e66e444868dbe789150
Opcode Fuzzy Hash: 2CF0468513CAB2E7F879B18C3042FE73458B323244C8437219A903A18E0E59A12CEB13
Instruction Fuzzy Hash: 5a044237aac15a3989e4021d08b96f5326c338692d3d0e66e444868dbe789150

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AEFF
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF05
LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000), ref: 0048AF77
CloseHandle.KERNEL32(?), ref: 0048AF8D
GetLastError.KERNEL32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF9A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DDE0, Relevance: 7.6, APIs: 5, Instructions: 54 Total matches: 153

Similarity

Total matches: 153
API ID: FindResourceFreeResourceLoadResourceLockResourceSizeofResource
String ID:
API String ID: 3885362348-0
Opcode ID: ef8b8e58cde3d28224df1e0c57da641ab2d3d01fa82feb3a30011b4f31433ee9
Instruction ID: 9990bafbf40e834a260b48e1f62370990a3e04654371271e90c167a58edff6a8
Opcode Fuzzy Hash: 08D02B420B5FA197F51656482C813D722876B43386EC42BF2D31A3B2E39F058039F60B
Instruction Fuzzy Hash: 9990bafbf40e834a260b48e1f62370990a3e04654371271e90c167a58edff6a8

APIs

FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 0048DE1A
LoadResource.KERNEL32(00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE24
SizeofResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE2E
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE36
FreeResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00481ED8, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 86 Total matches: 13

Similarity

Total matches: 13
API ID: GetModuleHandleSetWindowsHookEx
String ID: 3 H$dclogs\
API String ID: 987070476-1752027334
Opcode ID: 4b23d8581528a2a1bc1133d8afea0c2915dbad2a911779c2aade704c29555fce
Instruction ID: b2120ba2d2fe5220d185ceeadd256cdd376e4b814eb240eb03e080d2c545ca01
Opcode Fuzzy Hash: 00F0D1DB07A9C683E1A2A4847C42796007D5F07115E8C8BB3473F7A4F64F164026F70A
Instruction Fuzzy Hash: b2120ba2d2fe5220d185ceeadd256cdd376e4b814eb240eb03e080d2c545ca01

APIs

GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00482007,?,?,00000003,00000000,00000000,?,00482033), ref: 00481EFB
SetWindowsHookExA.USER32(0000000D,004818F8,00000000,00000000), ref: 00481F09

Part of subcall function 0048ADCC: SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0048ADF9
Part of subcall function 0048ADCC: SHGetPathFromIDListA.SHELL32(?,?,00000000,0048AE8C,?,?,00000005,?,004856FD,00000000,00485755,?,?,00000005,00000000,00000000), ref: 0048AE09

Part of subcall function 0040A290: GetFileAttributesA.KERNEL32(00000000,?,0048FD09,?,?,00490710,?), ref: 0040A29B

Part of subcall function 00480F70: GetForegroundWindow.USER32 ref: 00480F8F
Part of subcall function 00480F70: GetWindowTextLengthA.USER32(00000000), ref: 00480F9B
Part of subcall function 00480F70: GetWindowTextA.USER32(00000000,00000000,00000001), ref: 00480FB8

Strings

dclogs\, xrefs: 00481F26, 00481F4C, 00481F6E
3 H, xrefs: 00481F16, 00481F23, 00481F30

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048FA10, Relevance: 104.0, APIs: 13, Strings: 46, Instructions: 713 Total matches: 3sleepfilethread

Similarity

Total matches: 3
API ID: Sleep$CopyFileCreateThreadExitProcess$GetLastErrorMessageBoxSetLastErrorShellExecute
String ID: at $" +s +h$,xI$AI$BIND$CHANGEDATE$CHIDED$CHIDEF$COMBOPATH$DCMUTEX$DIRATTRIB$EDTDATE$EDTPATH$FAKEMSG$[.dll]$FWB$GENCODE$Guest$INSTALL$KEYNAME$MELT$MSGCORE$MSGICON$MSGTITLE$MULTIBIND$MULTIPLUGS$MUTEX$NETDATA$OVDNS$PDNS$PERS$PERSINST$PLUGS$SH1$SH10$SH3$SH4$SH5$SH6$SH7$SH8$SH9$SID$attrib "$notepad$open
API String ID: 621504876-1976595610
Opcode ID: 0e79757b0a7dfb45aaa11cab1035a09f85487e362f4865be0c41c2db2fad014a
Instruction ID: c80a01dfbaa6738da9283e71bb193ee20a44e75cd7a9a95f81cee2a081a2619e
Opcode Fuzzy Hash: E7D126435B9AD76992606FA07C1A2C601D55A8617AE8A27F2CB7D347F4EF03401BFB1C
Instruction Fuzzy Hash: c80a01dfbaa6738da9283e71bb193ee20a44e75cd7a9a95f81cee2a081a2619e

APIs

Part of subcall function 0048B724: GetCurrentHwProfileA.ADVAPI32(?), ref: 0048B776

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

Part of subcall function 0040F234: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0048F90F,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040F24B

CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0048FD52
CopyFileA.KERNEL32(00000000,00000000,?), ref: 0048FE2F

Part of subcall function 00485150: RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 00485199
Part of subcall function 00485150: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,?,00000000,004851DE,?,00000000,0048520A), ref: 004851C6
Part of subcall function 00485150: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,?,00000000,004851DE,?,00000000,0048520A), ref: 004851CF

Part of subcall function 0048C308: CloseHandle.KERNEL32(?), ref: 0048C390

MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 0048FF7A

Part of subcall function 004729DC: SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00472B0D,?,?,00000000,?,00000000,00000000,00472BD6,?,00000000,00472C12), ref: 00472AFE

ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 00490298

Part of subcall function 00472924: SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00472969,?,?,?,?,00490051), ref: 0047294E

Sleep.KERNEL32(000003E8), ref: 004902A2

Part of subcall function 00472974: SetFileAttributesA.KERNEL32(00000000,00000000,00000000,004729D0), ref: 004729B0

Part of subcall function 0046D36C: ShellExecuteA.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0046D3B9

Sleep.KERNEL32(000001F4), ref: 004901DD
ExitProcess.KERNEL32(00000000,000003E8), ref: 004902A9

Part of subcall function 00474F80: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0047500B
Part of subcall function 00474F80: GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000,00475246), ref: 0047511C
Part of subcall function 00474F80: GetProcAddress.KERNEL32(00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000,00475246), ref: 00475122
Part of subcall function 00474F80: GetModuleHandleA.KERNEL32(kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000), ref: 00475133
Part of subcall function 00474F80: GetProcAddress.KERNEL32(00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 00475139
Part of subcall function 00474F80: GetModuleHandleA.KERNEL32(kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000), ref: 0047514B
Part of subcall function 00474F80: GetProcAddress.KERNEL32(00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000), ref: 00475151
Part of subcall function 00474F80: GetModuleHandleA.KERNEL32(kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000), ref: 00475163
Part of subcall function 00474F80: GetProcAddress.KERNEL32(00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000), ref: 00475169
Part of subcall function 00474F80: GetModuleHandleA.KERNEL32(kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000), ref: 0047517B
Part of subcall function 00474F80: GetProcAddress.KERNEL32(00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000), ref: 00475181
Part of subcall function 00474F80: GetModuleHandleA.KERNEL32(kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32), ref: 00475193
Part of subcall function 00474F80: GetProcAddress.KERNEL32(00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000), ref: 00475199
Part of subcall function 00474F80: GetModuleHandleA.KERNEL32(kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32), ref: 004751AB
Part of subcall function 00474F80: GetProcAddress.KERNEL32(00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000), ref: 004751B1
Part of subcall function 00474F80: GetModuleHandleA.KERNEL32(kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32), ref: 004751C3
Part of subcall function 00474F80: GetProcAddress.KERNEL32(00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000), ref: 004751C9
Part of subcall function 00474F80: GetModuleHandleA.KERNEL32(kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32), ref: 004751DB
Part of subcall function 00474F80: GetProcAddress.KERNEL32(00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000), ref: 004751E1
Part of subcall function 00474F80: GetModuleHandleA.KERNEL32(kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32), ref: 004751F3
Part of subcall function 00474F80: GetProcAddress.KERNEL32(00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000), ref: 004751F9
Part of subcall function 00474F80: GetModuleHandleA.KERNEL32(kernel32,GetExitCodeProcess,00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32), ref: 0047520B
Part of subcall function 00474F80: GetProcAddress.KERNEL32(00000000,kernel32,GetExitCodeProcess,00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000), ref: 00475211

Part of subcall function 0040A290: GetFileAttributesA.KERNEL32(00000000,?,0048FD09,?,?,00490710,?), ref: 0040A29B

CreateThread.KERNEL32(00000000,00000000,0048E340,00000000,00000000,00499F94), ref: 004902E3
CreateThread.KERNEL32(00000000,00000000,0048E29C,00000000,00000000,00499F94), ref: 0049031D
SetLastError.KERNEL32(00000000,?,00490710,?), ref: 0049046F

Part of subcall function 00407978: CreateMutexA.KERNEL32(?,?,?,?,0049048A,00000000,00000000,00000000,00000000,?,00490710,?), ref: 0040798E

GetLastError.KERNEL32(00000000,00000000,00000000,00000000,?,00490710,?), ref: 0049048A
ExitProcess.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00490710,?), ref: 00490498
Sleep.KERNEL32(000001F4,00000000,00000000,00000000,00000000,?,00490710,?), ref: 004904EB

Part of subcall function 004754C4: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 00475590
Part of subcall function 004754C4: GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756B4
Part of subcall function 004754C4: GetProcAddress.KERNEL32(00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756BA
Part of subcall function 004754C4: GetModuleHandleA.KERNEL32(kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756CB
Part of subcall function 004754C4: GetProcAddress.KERNEL32(00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756D1
Part of subcall function 004754C4: GetModuleHandleA.KERNEL32(kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756E3
Part of subcall function 004754C4: GetProcAddress.KERNEL32(00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 004756E9
Part of subcall function 004754C4: GetModuleHandleA.KERNEL32(user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 004756FB
Part of subcall function 004754C4: GetProcAddress.KERNEL32(00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 00475701
Part of subcall function 004754C4: GetModuleHandleA.KERNEL32(kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 00475713
Part of subcall function 004754C4: GetProcAddress.KERNEL32(00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000), ref: 00475719
Part of subcall function 004754C4: GetModuleHandleA.KERNEL32(kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32), ref: 0047572B
Part of subcall function 004754C4: GetProcAddress.KERNEL32(00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000), ref: 00475731
Part of subcall function 004754C4: GetModuleHandleA.KERNEL32(kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32), ref: 00475743
Part of subcall function 004754C4: GetProcAddress.KERNEL32(00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000), ref: 00475749
Part of subcall function 004754C4: GetModuleHandleA.KERNEL32(kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32), ref: 0047575B
Part of subcall function 004754C4: GetProcAddress.KERNEL32(00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000), ref: 00475761
Part of subcall function 004754C4: GetModuleHandleA.KERNEL32(kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32), ref: 00475773
Part of subcall function 004754C4: GetProcAddress.KERNEL32(00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000), ref: 00475779
Part of subcall function 004754C4: GetModuleHandleA.KERNEL32(kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32), ref: 0047578B
Part of subcall function 004754C4: GetProcAddress.KERNEL32(00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000), ref: 00475791
Part of subcall function 004754C4: GetModuleHandleA.KERNEL32(kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32), ref: 004757A3
Part of subcall function 004754C4: GetProcAddress.KERNEL32(00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000), ref: 004757A9
Part of subcall function 004754C4: GetModuleHandleA.KERNEL32(kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32), ref: 004757BB
Part of subcall function 004754C4: GetProcAddress.KERNEL32(00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000), ref: 004757C1
Part of subcall function 004754C4: GetModuleHandleA.KERNEL32(kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32), ref: 004757D3
Part of subcall function 004754C4: GetProcAddress.KERNEL32(00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000), ref: 004757D9
Part of subcall function 004754C4: GetModuleHandleA.KERNEL32(kernel32,OpenProcess,00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32), ref: 004757EB
Part of subcall function 004754C4: GetProcAddress.KERNEL32(00000000,kernel32,OpenProcess,00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000), ref: 004757F1

Part of subcall function 0047EAEC: CreateThread.KERNEL32(00000000,00000000,00482028,00000000,00000000,00499F94), ref: 0047EB8D
Part of subcall function 0047EAEC: TranslateMessage.USER32(00499F5C), ref: 0047ECAD
Part of subcall function 0047EAEC: DispatchMessageA.USER32(00499F5C), ref: 0047ECB3
Part of subcall function 0047EAEC: GetMessageA.USER32(00499F5C,00000000,00000000,00000000), ref: 0047ECBF

Part of subcall function 00473C24: ExitProcess.KERNEL32(00000000,00000000,00473CF8,?,?,00000000,00000000,00000000,?,00490560,00000000,00000000,00000000,00000000,?,00490710), ref: 00473C8E
Part of subcall function 00473C24: ExitProcess.KERNEL32(00000000,00000000,00473CF8,?,?,00000000,00000000,00000000,?,00490560,00000000,00000000,00000000,00000000,?,00490710), ref: 00473CD8

Part of subcall function 0048C5D0: EnumResourceNamesA.KERNEL32(00000000,DPLUG,0048C494,00000000), ref: 0048C5F2

Part of subcall function 0048BEE4: EnumResourceNamesA.KERNEL32(00000000,DBIND,0048BDD4,00000000), ref: 0048BF06

Part of subcall function 0040BC98: GetLocalTime.KERNEL32(?), ref: 0040BCA0

Part of subcall function 0040BCC4: GetLocalTime.KERNEL32(?), ref: 0040BCCC

Strings

CHIDEF, xrefs: 004900A1
SH7, xrefs: 004903D7
DIRATTRIB, xrefs: 00490057
" +s +h, xrefs: 004900D5, 00490191
,xI, xrefs: 0048FC6C
MULTIBIND, xrefs: 004904A3
SH8, xrefs: 004903FE
MULTIPLUGS, xrefs: 004904F6
FAKEMSG, xrefs: 0048FEF7
SH4, xrefs: 00490354
PLUGS, xrefs: 004901E8, 00490518
COMBOPATH, xrefs: 0048FB0F
NETDATA, xrefs: 0048FA28
AI, xrefs: 0048FADA, 0048FAEC, 00490474, 004905E5, 00490614
PERSINST, xrefs: 004902B4
Guest, xrefs: 0048FAA4
at , xrefs: 0048FC84
MSGCORE, xrefs: 0048FF51
open, xrefs: 00490291
SH9, xrefs: 00490425
CHANGEDATE, xrefs: 0048FEB3
MELT, xrefs: 00490245
SH5, xrefs: 00490380
OVDNS, xrefs: 0048FFAF
GENCODE, xrefs: 0048FB35, 0048FD65, 00490566
SH1, xrefs: 004902EE
attrib ", xrefs: 004900BD, 0049014E
SH3, xrefs: 00490328
MUTEX, xrefs: 0048FAB1
SH10, xrefs: 0049044C
MSGTITLE, xrefs: 0048FF35
FILEATTRIB, xrefs: 0049000D
CHIDED, xrefs: 004900FB
notepad, xrefs: 00490274, 004905F5, 0049061C
EDTPATH, xrefs: 0048FAFE
SID, xrefs: 0048FA64
BIND, xrefs: 004901B7, 004904C5
PERS, xrefs: 004905C0
MSGICON, xrefs: 0048FF19
SH6, xrefs: 004903B0
DCMUTEX, xrefs: 0048FAF1
KEYNAME, xrefs: 0048FE84
INSTALL, xrefs: 0048FCCC, 00490223
PDNS, xrefs: 0048FF85, 0048FFD1, 0048FFF0
EDTDATE, xrefs: 0048FED5
FWB, xrefs: 0049053F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047EAEC, Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 149 Total matches: 19windowthread

Similarity

Total matches: 19
API ID: CreateThreadDispatchMessageGetMessageTranslateMessage
String ID: at $,xI$AI$AI$MPI$OFFLINEK$PWD$Unknow
API String ID: 994098336-2744674293
Opcode ID: 9eba81f8e67a9dabaeb5076a6d0005a8d272465a03f2cd78ec5fdf0e8a578f9a
Instruction ID: 2241c7d72abfc068c3e0d2a9a226d44f5f768712d3663902469fbf0e50918cf5
Opcode Fuzzy Hash: E81159DA27FED40AF533B93074417C781661B2B62CE5C53A24E3B38580DE83406A7F06
Instruction Fuzzy Hash: 2241c7d72abfc068c3e0d2a9a226d44f5f768712d3663902469fbf0e50918cf5

APIs

CreateThread.KERNEL32(00000000,00000000,00482028,00000000,00000000,00499F94), ref: 0047EB8D
GetMessageA.USER32(00499F5C,00000000,00000000,00000000), ref: 0047ECBF

Part of subcall function 0040BC98: GetLocalTime.KERNEL32(?), ref: 0040BCA0

Part of subcall function 0040BCC4: GetLocalTime.KERNEL32(?), ref: 0040BCCC

Part of subcall function 0041FA34: GetLastError.KERNEL32(00486514,00000004,0048650C,00000000,0041FADE,?,00499F5C), ref: 0041FA94

Part of subcall function 0041FC40: SetThreadPriority.KERNEL32(?,015CDB28,00499F5C,?,0047EC9E,?,?,?,00000000,00000000,?,0049062B), ref: 0041FC55

Part of subcall function 0041FEF0: ResumeThread.KERNEL32(?,00499F5C,?,0047ECAA,?,?,?,00000000,00000000,?,0049062B), ref: 0041FEF8

TranslateMessage.USER32(00499F5C), ref: 0047ECAD
DispatchMessageA.USER32(00499F5C), ref: 0047ECB3

Strings

OFFLINEK, xrefs: 0047EB61
,xI, xrefs: 0047EC45
AI, xrefs: 0047EB11, 0047EB3E
at , xrefs: 0047EC58
Unknow, xrefs: 0047EC0B
AI, xrefs: 0047EBFA, 0047EC04, 0047EC60
MPI, xrefs: 0047EB9D
PWD, xrefs: 0047EB26

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004458CC, Relevance: 19.9, APIs: 13, Instructions: 386 Total matches: 159window

Similarity

Total matches: 159
API ID: SetFocus$GetFocusIsWindowEnabledPostMessage$GetLastActivePopupIsWindowVisibleSendMessage
String ID:
API String ID: 914620548-0
Opcode ID: 7a550bb8e8bdfffe0a3d884064dd1348bcd58c670023c5df15e5d4cbc78359b7
Instruction ID: ae7cdb1027d949e36366800a998b34cbf022b374fa511ef6be9943eb0d4292bd
Opcode Fuzzy Hash: 79518B4165DF6212E8BB908076A3BE6604BF7C6B9ECC8DF3411D53649B3F44620EE306
Instruction Fuzzy Hash: ae7cdb1027d949e36366800a998b34cbf022b374fa511ef6be9943eb0d4292bd

APIs

Part of subcall function 00445780: SetThreadLocale.KERNEL32(00000400,?,?,?,0044593F,00000000,00445F57), ref: 004457A3

Part of subcall function 00445F90: SetActiveWindow.USER32(?), ref: 00445FB5
Part of subcall function 00445F90: IsWindowEnabled.USER32(00000000), ref: 00445FE1
Part of subcall function 00445F90: SetWindowPos.USER32(?,00000000,00000000,00000000,?,00000000,00000040), ref: 0044602B
Part of subcall function 00445F90: DefWindowProcA.USER32(?,00000112,0000F020,00000000), ref: 00446040

Part of subcall function 00446070: SetActiveWindow.USER32(?), ref: 0044608F
Part of subcall function 00446070: ShowWindow.USER32(00000000,00000009), ref: 004460B4
Part of subcall function 00446070: IsWindowEnabled.USER32(00000000), ref: 004460D3
Part of subcall function 00446070: DefWindowProcA.USER32(?,00000112,0000F120,00000000), ref: 004460EC
Part of subcall function 00446070: SetWindowPos.USER32(?,00000000,00000000,?,?,00445ABE,00000000), ref: 00446132
Part of subcall function 00446070: SetFocus.USER32(00000000), ref: 00446180

Part of subcall function 00445F74: LoadIconA.USER32(00000000,00007F00), ref: 00445F8A

PostMessageA.USER32(?,0000B001,00000000,00000000), ref: 00445BCD

Part of subcall function 00445490: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000213), ref: 004454DE

PostMessageA.USER32(?,0000B000,00000000,00000000), ref: 00445BAB
SendMessageA.USER32(?,?,?,?), ref: 00445C73

Part of subcall function 00405388: FreeLibrary.KERNEL32(00400000,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405410
Part of subcall function 00405388: ExitProcess.KERNEL32(00000000,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405448

Part of subcall function 0044641C: IsWindowEnabled.USER32(00000000), ref: 00446458

IsWindowEnabled.USER32(00000000), ref: 00445D18
IsWindowVisible.USER32(00000000), ref: 00445D2D
GetFocus.USER32 ref: 00445D41
SetFocus.USER32(00000000), ref: 00445D50
SetFocus.USER32(00000000), ref: 00445D6F
IsWindowEnabled.USER32(00000000), ref: 00445DD0
SetFocus.USER32(00000000), ref: 00445DF2
GetLastActivePopup.USER32(?), ref: 00445E0A

Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773

GetFocus.USER32 ref: 00445E4F

Part of subcall function 0043BA80: GetCurrentThreadId.KERNEL32(Function_0003BA1C,00000000,0044283C,00000000,004428BF), ref: 0043BA9A
Part of subcall function 0043BA80: EnumThreadWindows.USER32(00000000,Function_0003BA1C,00000000), ref: 0043BAA0

SetFocus.USER32(00000000), ref: 00445E70

Part of subcall function 00446A88: PostMessageA.USER32(?,0000B01F,00000000,00000000), ref: 00446BA1

Part of subcall function 004466B8: SendMessageA.USER32(?,0000B020,00000001,?), ref: 004466DC

Part of subcall function 0044665C: SendMessageA.USER32(?,0000B020,00000000,?), ref: 0044667E

Part of subcall function 0045D684: SystemParametersInfoA.USER32(00000068,00000000,015E3408,00000000), ref: 0045D6C8
Part of subcall function 0045D684: SendMessageA.USER32(?,?,00000000,00000000), ref: 0045D6DB

Part of subcall function 00445844: DefWindowProcA.USER32(?,?,?,?), ref: 0044586E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004450B4, Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 131 Total matches: 14windowregistry

Similarity

Total matches: 14
API ID: DeleteMenu$GetClassInfoGetSystemMenuRegisterClassSendMessageSetClassLongSetWindowLong
String ID: LPI$PMD
API String ID: 387369179-807424164
Opcode ID: 32fce7ee3e6ac0926511ec3e4f7c98ab685e9b31e2d706daccbfdcda0f6d1d6b
Instruction ID: d56ce0e432135cd6d309e63aa69e29fd16821da0556a9908f65c39b580e9a6e9
Opcode Fuzzy Hash: 5601A6826E8982A2E2E03082381279F408E9F8B745C34A72E50863056EEF4A4178FF06
Instruction Fuzzy Hash: d56ce0e432135cd6d309e63aa69e29fd16821da0556a9908f65c39b580e9a6e9

APIs

Part of subcall function 00421084: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 004210A2

GetClassInfoA.USER32(00400000,00444D50,?), ref: 00445113
RegisterClassA.USER32(004925FC), ref: 0044512B

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

Part of subcall function 0040857C: CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004085BB

SetWindowLongA.USER32(?,000000FC,?), ref: 004451C2
DeleteMenu.USER32(00000000,0000F010,00000000), ref: 00445235

Part of subcall function 00445F74: LoadIconA.USER32(00000000,00007F00), ref: 00445F8A

SendMessageA.USER32(?,00000080,00000001,00000000), ref: 004451E4
SetClassLongA.USER32(?,000000F2,00000000), ref: 004451F7
GetSystemMenu.USER32(?,00000000), ref: 00445202
DeleteMenu.USER32(00000000,0000F030,00000000), ref: 00445211
DeleteMenu.USER32(00000000,0000F000,00000000), ref: 0044521E

Strings

PMD, xrefs: 00445107, 0044519E
LPI, xrefs: 004450DD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045DAE0, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 103 Total matches: 45registrylibraryloader

Similarity

Total matches: 45
API ID: GlobalAddAtom$GetCurrentProcessIdGetCurrentThreadIdGetModuleHandleGetProcAddressRegisterWindowMessage
String ID: AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$USER32
API String ID: 1182141063-1126952177
Opcode ID: f8c647dae10644b7e730f5649d963eb01b1b77fd7d0b633dfddc8baab0ae74fb
Instruction ID: 6dc9b78338348dc7afd8e3f20dad2926db9f0bd5be2625dc934bf3846c6fa984
Opcode Fuzzy Hash: ED0140552F89B147427255E03449BB534B6A707F4B4CA77531B0D3A1F9AE074025FB1E
Instruction Fuzzy Hash: 6dc9b78338348dc7afd8e3f20dad2926db9f0bd5be2625dc934bf3846c6fa984

APIs

GetCurrentProcessId.KERNEL32(?,00000000,0045DC58), ref: 0045DB01
GlobalAddAtomA.KERNEL32(00000000), ref: 0045DB34
GetCurrentThreadId.KERNEL32(?,?,00000000,0045DC58), ref: 0045DB4F
GlobalAddAtomA.KERNEL32(00000000), ref: 0045DB85
RegisterWindowMessageA.USER32(00000000,00000000,?,?,00000000,0045DC58), ref: 0045DB9B

Part of subcall function 00419AB0: InitializeCriticalSection.KERNEL32(004174C8,?,?,0045DBB1,00000000,00000000,?,?,00000000,0045DC58), ref: 00419ACF

Part of subcall function 0045D6E8: SetErrorMode.KERNEL32(00008000), ref: 0045D701
Part of subcall function 0045D6E8: GetModuleHandleA.KERNEL32(USER32,00000000,0045D84E,?,00008000), ref: 0045D725
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,WINNLSEnableIME,USER32,00000000,0045D84E,?,00008000), ref: 0045D732
Part of subcall function 0045D6E8: LoadLibraryA.KERNEL32(imm32.dll), ref: 0045D74E
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D770
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D785
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D79A
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7AF
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7C4
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E), ref: 0045D7D9
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000), ref: 0045D7EE
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext), ref: 0045D803
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext), ref: 0045D818
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmNotifyIME,00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus), ref: 0045D82D
Part of subcall function 0045D6E8: SetErrorMode.KERNEL32(?,0045D855,00008000), ref: 0045D848

Part of subcall function 00443B58: GetKeyboardLayout.USER32(00000000), ref: 00443B9D
Part of subcall function 00443B58: GetDC.USER32(00000000), ref: 00443BF2
Part of subcall function 00443B58: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00443BFC
Part of subcall function 00443B58: ReleaseDC.USER32(00000000,00000000), ref: 00443C07

Part of subcall function 00444D60: LoadIconA.USER32(00400000,MAINICON), ref: 00444E57
Part of subcall function 00444D60: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON), ref: 00444E89
Part of subcall function 00444D60: OemToCharA.USER32(?,?), ref: 00444E9C
Part of subcall function 00444D60: CharNextA.USER32(?), ref: 00444EDB
Part of subcall function 00444D60: CharLowerA.USER32(00000000), ref: 00444EE1

GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,?,00000000,0045DC58), ref: 0045DC1F
GetProcAddress.KERNEL32(00000000,AnimateWindow,USER32,00000000,00000000,?,?,00000000,0045DC58), ref: 0045DC30

Strings

Delphi%.8X, xrefs: 0045DB12
ControlOfs%.8X%.8X, xrefs: 0045DB63
AnimateWindow, xrefs: 0045DC2A
USER32, xrefs: 0045DC1A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444D60, Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 135 Total matches: 14window

Similarity

Total matches: 14
API ID: CharLowerCharNextGetModuleFileNameLoadIconOemToChar
String ID: 08B$0PI$8PI$MAINICON$\tA
API String ID: 1282013903-4242882941
Opcode ID: ff2b085099440c5ca1f97a8a9a6e2422089f81c1f58cd04fd4e646ad6fccc634
Instruction ID: 1a7e1b5cc773515fc1e1ce3387cb9199d5a608ac43a7cc09dd1af1e5a3a2e712
Opcode Fuzzy Hash: 76112C42068596E4E03967743814BC96091FB95F3AEB8AB7156F570BE48F418125F31C
Instruction Fuzzy Hash: 1a7e1b5cc773515fc1e1ce3387cb9199d5a608ac43a7cc09dd1af1e5a3a2e712

APIs

LoadIconA.USER32(00400000,MAINICON), ref: 00444E57

Part of subcall function 0042B29C: GetIconInfo.USER32(?,?), ref: 0042B2BD
Part of subcall function 0042B29C: GetObjectA.GDI32(?,00000018,?), ref: 0042B2DE
Part of subcall function 0042B29C: DeleteObject.GDI32(?), ref: 0042B30A
Part of subcall function 0042B29C: DeleteObject.GDI32(?), ref: 0042B313

GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON), ref: 00444E89
OemToCharA.USER32(?,?), ref: 00444E9C
CharNextA.USER32(?), ref: 00444EDB
CharLowerA.USER32(00000000), ref: 00444EE1

Part of subcall function 00421140: GetClassInfoA.USER32(00400000,00421130,?), ref: 00421161
Part of subcall function 00421140: UnregisterClassA.USER32(00421130,00400000), ref: 0042118A
Part of subcall function 00421140: RegisterClassA.USER32(00491B50), ref: 00421194
Part of subcall function 00421140: SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 004211DF

Part of subcall function 004450B4: GetClassInfoA.USER32(00400000,00444D50,?), ref: 00445113
Part of subcall function 004450B4: RegisterClassA.USER32(004925FC), ref: 0044512B
Part of subcall function 004450B4: SetWindowLongA.USER32(?,000000FC,?), ref: 004451C2
Part of subcall function 004450B4: SendMessageA.USER32(?,00000080,00000001,00000000), ref: 004451E4
Part of subcall function 004450B4: SetClassLongA.USER32(?,000000F2,00000000), ref: 004451F7
Part of subcall function 004450B4: GetSystemMenu.USER32(?,00000000), ref: 00445202
Part of subcall function 004450B4: DeleteMenu.USER32(00000000,0000F030,00000000), ref: 00445211
Part of subcall function 004450B4: DeleteMenu.USER32(00000000,0000F000,00000000), ref: 0044521E
Part of subcall function 004450B4: DeleteMenu.USER32(00000000,0000F010,00000000), ref: 00445235

Strings

MAINICON, xrefs: 00444E4A
08B, xrefs: 00444E38
0PI, xrefs: 00444E4F, 00444E81
8PI, xrefs: 00444F14
\tA, xrefs: 00444DBF, 00444DD1, 00444DE3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00481318, Relevance: 16.0, APIs: 2, Strings: 7, Instructions: 241 Total matches: 16thread

Similarity

Total matches: 16
API ID: CreateThreadExitThread
String ID: Bytes ($,xI$:: $:: Clipboard Change : size = $FTPSIZE$FTPUPLOADK$dclogs\
API String ID: 3550501405-4171340091
Opcode ID: 09ac825b311b0dae764bb850de313dcff2ce8638679eaf641d47129c8347c1b6
Instruction ID: 18a29a8180aa3c51a0af157095e3a2943ba53103427a66675ab0ae847ae08d92
Opcode Fuzzy Hash: A8315BC70B99DEDBE522BCD838413A6446E1B4364DD4C1B224B397D4F14F09203AF712
Instruction Fuzzy Hash: 18a29a8180aa3c51a0af157095e3a2943ba53103427a66675ab0ae847ae08d92

APIs

ExitThread.KERNEL32(00000000,00000000,00481687,?,00000000,004816C3,?,?,?,?,0000000C,00000000,00000000), ref: 0048135E

Part of subcall function 00480F70: GetForegroundWindow.USER32 ref: 00480F8F
Part of subcall function 00480F70: GetWindowTextLengthA.USER32(00000000), ref: 00480F9B
Part of subcall function 00480F70: GetWindowTextA.USER32(00000000,00000000,00000001), ref: 00480FB8

Part of subcall function 0048ADCC: SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0048ADF9
Part of subcall function 0048ADCC: SHGetPathFromIDListA.SHELL32(?,?,00000000,0048AE8C,?,?,00000005,?,004856FD,00000000,00485755,?,?,00000005,00000000,00000000), ref: 0048AE09

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

Part of subcall function 0040BCC4: GetLocalTime.KERNEL32(?), ref: 0040BCCC

Part of subcall function 00480FEC: FindFirstFileA.KERNEL32(00000000,?,00000000,0048109E), ref: 0048101E

CreateThread.KERNEL32(00000000,00000000,Function_000810D4,00000000,00000000,00499F94), ref: 0048162D

Strings

FTPUPLOADK, xrefs: 0048159E
,xI, xrefs: 00481482, 0048151D
dclogs\, xrefs: 004813DB, 0048142A, 004815C7
FTPSIZE, xrefs: 004815F1
:: , xrefs: 00481492
Bytes (, xrefs: 0048153F
:: Clipboard Change : size = , xrefs: 0048152D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048B908, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 138 Total matches: 28

Similarity

Total matches: 28
API ID: GetTokenInformation$CloseHandleGetCurrentProcessOpenProcessToken
String ID: Default$Full$Limited$unknow
API String ID: 3519712506-3005279702
Opcode ID: c9e83fe5ef618880897256b557ce500f1bf5ac68e7136ff2dc4328b35d11ffd0
Instruction ID: 0b4c06dab34d27ad9d68d80be0f4d698db9405c4a95def130c1ac261927f5781
Opcode Fuzzy Hash: 94012245479DA6FB6826709C78036E90090EEA3505DC827320F1A3EA430F49906DFE03
Instruction Fuzzy Hash: 0b4c06dab34d27ad9d68d80be0f4d698db9405c4a95def130c1ac261927f5781

APIs

GetCurrentProcess.KERNEL32(00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B93E
OpenProcessToken.ADVAPI32(00000000,00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B944
GetTokenInformation.ADVAPI32(?,00000012(TokenIntegrityLevel),?,00000004,?,00000000,0048BA30,?,00000000,00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B96F
GetTokenInformation.ADVAPI32(?,00000014(TokenIntegrityLevel),?,00000004,?,?,TokenIntegrityLevel,?,00000004,?,00000000,0048BA30,?,00000000,00000008,?), ref: 0048B9DF
CloseHandle.KERNEL32(?), ref: 0048BA2A

Strings

unknow, xrefs: 0048B9B6
Limited, xrefs: 0048B9A7
Default, xrefs: 0048B989
Full, xrefs: 0048B998

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004035C4, Relevance: 15.1, APIs: 10, Instructions: 129 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: d538ecb20819965be69077a828496b76d5af3486dd71f6717b9dc933de35fdbc
Instruction ID: c976212507a0127e09b4f1878ff8970bdbefa7b4a5e526d5fabf74a192684bc9
Opcode Fuzzy Hash: DD012BC0B7E89268E42FAB84AA00FD25444979FFC9E70C74433C9615EE6742616CBE09
Instruction Fuzzy Hash: c976212507a0127e09b4f1878ff8970bdbefa7b4a5e526d5fabf74a192684bc9

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040364C
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00403670
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040368C
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 004036AD
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 004036D6
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 004036E4
GetStdHandle.KERNEL32(000000F5), ref: 0040371F
GetFileType.KERNEL32 ref: 00403735
CloseHandle.KERNEL32 ref: 00403750
GetLastError.KERNEL32(000000F5), ref: 00403768

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040EBCC, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201 Total matches: 3634thread

Similarity

Total matches: 3634
API ID: GetThreadLocale
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 1366207816-2493093252
Opcode ID: 01a36ac411dc2f0c4b9eddfafa1dc6121dabec367388c2cb1b6e664117e908cf
Instruction ID: d03f869ccb848d3c28b0e9f5c57a02ed4726818649ba9b5e70cc30c7e7abe10a
Opcode Fuzzy Hash: 7E216E09A7888936D262494C3885B9414F75F1A161EC4CBF18BB2757ED6EC60422FBFB
Instruction Fuzzy Hash: d03f869ccb848d3c28b0e9f5c57a02ed4726818649ba9b5e70cc30c7e7abe10a

APIs

Part of subcall function 0040EB08: GetThreadLocale.KERNEL32 ref: 0040EB2A
Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000004A), ref: 0040EB7D
Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000002A), ref: 0040EB8C

Part of subcall function 0040D3E8: GetThreadLocale.KERNEL32(00000000,0040D4FB,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040D404

GetThreadLocale.KERNEL32(00000000,0040EE97,?,?,00000000,00000000), ref: 0040EC02

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Part of subcall function 0040D380: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040EC7E,00000000,0040EE97,?,?,00000000,00000000), ref: 0040D393

Part of subcall function 0040D670: GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(?,00000000,0040D657,?,?,00000000), ref: 0040D5D8
Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040D657,?,?,00000000), ref: 0040D608
Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D50C,00000000,00000000,00000004), ref: 0040D613
Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040D657,?,?,00000000), ref: 0040D631
Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D548,00000000,00000000,00000003), ref: 0040D63C

Strings

AMPM , xrefs: 0040EE25
mmmm d, yyyy, xrefs: 0040ECFE
m/d/yy, xrefs: 0040ECD1
:mm, xrefs: 0040EE35
:mm:ss, xrefs: 0040EE52
AMPM, xrefs: 0040EE16

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045F5F8, Relevance: 10.6, APIs: 7, Instructions: 117 Total matches: 462file

Similarity

Total matches: 462
API ID: CloseHandle$CreateFileCreateFileMappingGetFileSizeMapViewOfFileUnmapViewOfFile
String ID:
API String ID: 4232242029-0
Opcode ID: 30b260463d44c6b5450ee73c488d4c98762007a87f67d167b52aaf6bd441c3bf
Instruction ID: 5c790fdba87d6d3a28b45298bdc34f72c373fcd78425af207109af52e92f4d8f
Opcode Fuzzy Hash: 68F028440BCCF3A7F4B5B64820427A1004AAB46B58D54BFA25495374CB89C9B04DFB53
Instruction Fuzzy Hash: 5c790fdba87d6d3a28b45298bdc34f72c373fcd78425af207109af52e92f4d8f

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateFileA.KERNEL32(00000000,80000000,00000003,00000000,00000003,08000080,00000000), ref: 0045F637
CreateFileMappingA.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0045F665
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718,?,?,?,?), ref: 0045F691
GetFileSize.KERNEL32(000000FF,00000000,00000000,0045F6DC,?,00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718), ref: 0045F6B3
UnmapViewOfFile.KERNEL32(00000000,0045F6E3,0045F6DC,?,00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718), ref: 0045F6D6
CloseHandle.KERNEL32(00000000), ref: 0045F6F4
CloseHandle.KERNEL32(000000FF), ref: 0045F712

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AFE8, Relevance: 10.6, APIs: 7, Instructions: 94 Total matches: 34sleep

Similarity

Total matches: 34
API ID: Sleep$GetCurrentProcessGetTokenInformationLookupPrivilegeDisplayNameLookupPrivilegeNameOpenProcessToken
String ID:
API String ID: 2949210484-0
Opcode ID: 1294ace95088db967643d611283e857756515b83d680ef470e886f47612abab4
Instruction ID: 080af5cb768fd98714a9d060fcd45c73de1816ca9ba7ffb4874f351f539571ee
Opcode Fuzzy Hash: F9F0F6524B5DE753F65D2A4C9893BE90250DB03424E806B22857877A8A5E195039FA2A
Instruction Fuzzy Hash: 080af5cb768fd98714a9d060fcd45c73de1816ca9ba7ffb4874f351f539571ee

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048B0F3), ref: 0048B016
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048B0F3), ref: 0048B01C
Sleep.KERNEL32(00000001,00000000,00000028,?,00000000,0048B0F3), ref: 0048B027
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B03C
Sleep.KERNEL32(00000001,?,TokenIntegrityLevel,00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B047
LookupPrivilegeNameA.ADVAPI32(00000000,00000004,00000000,000000FF), ref: 0048B094
LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,?,000000FF,?), ref: 0048B0A8

Part of subcall function 0048AEA8: GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AEFF
Part of subcall function 0048AEA8: OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF05
Part of subcall function 0048AEA8: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
Part of subcall function 0048AEA8: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000), ref: 0048AF77
Part of subcall function 0048AEA8: CloseHandle.KERNEL32(?), ref: 0048AF8D
Part of subcall function 0048AEA8: GetLastError.KERNEL32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF9A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048F888, Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 110 Total matches: 18

Similarity

Total matches: 18
API ID: CoInitialize
String ID: .dcp$DCDATA$GENCODE$MPI$NETDATA
API String ID: 2346599605-3060965071
Opcode ID: 5b2698c0d83cdaee763fcf6fdf8d4463e192853437356cece5346bd183c87f4d
Instruction ID: bf1364519f653df7cd18a9a38ec8bfca38719d83700d8c9dcdc44dde4d16a583
Opcode Fuzzy Hash: 990190478FEEC01AF2139D64387B7C100994F53F55E840B9B557D3E5A08947502BB705
Instruction Fuzzy Hash: bf1364519f653df7cd18a9a38ec8bfca38719d83700d8c9dcdc44dde4d16a583

APIs

Part of subcall function 004076D4: GetModuleHandleA.KERNEL32(00000000,?,0048F8A5,?,?,?,0000002F,00000000,00000000), ref: 004076E0

CoInitialize.OLE32(00000000), ref: 0048F8B5

Part of subcall function 0048AFE8: GetCurrentProcess.KERNEL32(00000028,?,00000000,0048B0F3), ref: 0048B016
Part of subcall function 0048AFE8: OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048B0F3), ref: 0048B01C
Part of subcall function 0048AFE8: Sleep.KERNEL32(00000001,00000000,00000028,?,00000000,0048B0F3), ref: 0048B027
Part of subcall function 0048AFE8: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B03C
Part of subcall function 0048AFE8: Sleep.KERNEL32(00000001,?,TokenIntegrityLevel,00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B047
Part of subcall function 0048AFE8: LookupPrivilegeNameA.ADVAPI32(00000000,00000004,00000000,000000FF), ref: 0048B094
Part of subcall function 0048AFE8: LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,?,000000FF,?), ref: 0048B0A8

Part of subcall function 0040F234: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0048F90F,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040F24B

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

Strings

.dcp, xrefs: 0048F92D, 0048F989
DCDATA, xrefs: 0048F8E9
NETDATA, xrefs: 0048F9B6
MPI, xrefs: 0048F8BA
GENCODE, xrefs: 0048F920, 0048F97C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B47C, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58 Total matches: 283

Similarity

Total matches: 283
API ID: MulDiv
String ID: MS Shell Dlg 2$SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes$Tahoma
API String ID: 940359406-1011973972
Opcode ID: 9f338f1e3de2c8e95426f3758bdd42744a67dcd51be80453ed6f2017c850a3af
Instruction ID: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a
Opcode Fuzzy Hash: EDE0680017C8F0ABFC32BC8A30A17CD20C9F341270C0063B1065D3D8CAAB4AC018E907
Instruction Fuzzy Hash: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a

APIs

MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0042B4A2

Part of subcall function 004217A0: RegCloseKey.ADVAPI32(10940000,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5,?,00000000,0048B2DD), ref: 004217B4

Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421A81
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421AF1
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?), ref: 00421B5C

Part of subcall function 00421770: RegFlushKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 00421781
Part of subcall function 00421770: RegCloseKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 0042178A

Part of subcall function 0042B438: GetDC.USER32(00000000), ref: 0042B441
Part of subcall function 0042B438: SelectObject.GDI32(00000000,018A002E), ref: 0042B453
Part of subcall function 0042B438: GetTextMetricsA.GDI32(00000000), ref: 0042B45E
Part of subcall function 0042B438: ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes, xrefs: 0042B4F8
MS Shell Dlg 2, xrefs: 0042B50C
Tahoma, xrefs: 0042B4C4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00480F70, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43 Total matches: 13

Similarity

Total matches: 13
API ID: GetForegroundWindowGetWindowTextGetWindowTextLength
String ID: 3 H
API String ID: 3098183346-888106971
Opcode ID: 38df64794ac19d1a41c58ddb3103a8d6ab7d810f67298610b47d21a238081d5e
Instruction ID: fd1deb06fecc2756381cd848e34cdb6bc2d530e728f99936ce181bacb4a15fce
Opcode Fuzzy Hash: 41D0A785074A821B944A95CC64011E692D4A171281D803B31CB257A5C9ED06001FA82B
Instruction Fuzzy Hash: fd1deb06fecc2756381cd848e34cdb6bc2d530e728f99936ce181bacb4a15fce

APIs

GetForegroundWindow.USER32 ref: 00480F8F
GetWindowTextLengthA.USER32(00000000), ref: 00480F9B
GetWindowTextA.USER32(00000000,00000000,00000001), ref: 00480FB8

Strings

3 H, xrefs: 00480FD4, 00480FA3, 00480FAE, 00480FBF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00421140, Relevance: 6.1, APIs: 4, Instructions: 59 Total matches: 2877registry

Similarity

Total matches: 2877
API ID: GetClassInfoRegisterClassSetWindowLongUnregisterClass
String ID:
API String ID: 1046148194-0
Opcode ID: c2411987b4f71cfd8dbf515c505d6b009a951c89100e7b51cc1a9ad4868d85a2
Instruction ID: ad09bb2cd35af243c34bf0a983bbfa5e937b059beb8f7eacfcf21e0321a204f6
Opcode Fuzzy Hash: 17E026123D08D3D6E68B3107302B30D00AC1B2F524D94E725428030310CB24B034D942
Instruction Fuzzy Hash: ad09bb2cd35af243c34bf0a983bbfa5e937b059beb8f7eacfcf21e0321a204f6

APIs

GetClassInfoA.USER32(00400000,00421130,?), ref: 00421161
UnregisterClassA.USER32(00421130,00400000), ref: 0042118A
RegisterClassA.USER32(00491B50), ref: 00421194

Part of subcall function 0040857C: CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004085BB

Part of subcall function 00421084: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 004210A2

SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 004211DF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00421808, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74 Total matches: 14registry

Similarity

Total matches: 14
API ID: RegCloseKeyRegCreateKeyEx
String ID: ddA
API String ID: 4178925417-2966775115
Opcode ID: 48d059bb8e84bc3192dc11d099b9e0818b120cb04e32a6abfd9049538a466001
Instruction ID: bcac8fa413c5abe8057b39d2fbf4054ffa52545f664d92bf1e259ce37bb87d2b
Opcode Fuzzy Hash: 99E0E5461A86A377B41BB1583001B523267EB167A6C85AB72164D3EADBAA40802DAE53
Instruction Fuzzy Hash: bcac8fa413c5abe8057b39d2fbf4054ffa52545f664d92bf1e259ce37bb87d2b

APIs

RegCreateKeyExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,000F003F,00000000,?,?,00000000,004218D4,?,?,?,00000000), ref: 0042187F
RegCloseKey.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,000F003F,00000000,?,?,00000000,004218D4,?,?,?,00000000), ref: 00421893

Strings

ddA, xrefs: 004218A7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486374, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66 Total matches: 15network

Similarity

Total matches: 15
API ID: send
String ID: #KEEPALIVE#$AI
API String ID: 2809346765-3407633610
Opcode ID: 7bd268bc54a74c8d262fb2d4f92eedc3231c4863c0e0b1ad2c3d318767d32110
Instruction ID: 49a0c3b4463e99ba8d4a2c6ba6a42864ce88c18c059a57f1afd8745127692009
Opcode Fuzzy Hash: 34E068800B79C40B586BB094394371320D2EE1171988473305F003F967CD40501E2E93
Instruction Fuzzy Hash: 49a0c3b4463e99ba8d4a2c6ba6a42864ce88c18c059a57f1afd8745127692009

APIs

send.WSOCK32(?,?,?,00000000,00000000,0048642A), ref: 004863F3

Strings

AI, xrefs: 004863A6
#KEEPALIVE#, xrefs: 00486399

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DD0C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51 Total matches: 15

Similarity

Total matches: 15
API ID: GlobalMemoryStatus
String ID: $%d%
API String ID: 1890195054-1553997471
Opcode ID: b93ee82e74eb3fdc7cf13e02b5efcaa0aef25b4b863b00f7ccdd0b9efdff76e6
Instruction ID: fe5533f6b2d125ff6ee6e2ff500c73019a28ed325643b914abb945f4eac8f20d
Opcode Fuzzy Hash: 64D05BD70F99F457A5A1718E3452FA400956F036D9CC83BB349946E99F071F80ACF612
Instruction Fuzzy Hash: fe5533f6b2d125ff6ee6e2ff500c73019a28ed325643b914abb945f4eac8f20d

APIs

GlobalMemoryStatus.KERNEL32(00000020), ref: 0048DD44

Strings

%d%, xrefs: 0048DD5C
, xrefs: 0048DD39

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C91C, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 75 Total matches: 20

Similarity

Total matches: 20
API ID: GetVolumeInformation
String ID: %.4x:%.4x
API String ID: 1114431059-3532927987
Opcode ID: 208ca3ebf28c5cea15b573a569a7b8c9d147c1ff64dfac4d15af7b461a718bc8
Instruction ID: 4ae5e3aba91ec141201c4859cc19818ff8a02ee484ece83311eb3b9305c11bcf
Opcode Fuzzy Hash: F8E0E5410AC961EBB4D3F0883543BA2319593A3289C807B73B7467FDD64F05505DD847
Instruction Fuzzy Hash: 4ae5e3aba91ec141201c4859cc19818ff8a02ee484ece83311eb3b9305c11bcf

APIs

GetVolumeInformationA.KERNEL32(00000000,00000000,00000104,?,?,?,00000000,00000104), ref: 0048C974

Strings

%.4x:%.4x, xrefs: 0048C9B9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004221F0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47 Total matches: 18registry

Similarity

Total matches: 18
API ID: RegQueryValueEx
String ID: ldA
API String ID: 3865029661-3200660723
Opcode ID: ec304090a766059ca8447c7e950ba422bbcd8eaba57a730efadba48c404323b5
Instruction ID: 1bfdbd06430122471a07604155f074e1564294130eb9d59a974828bfc3ff2ca5
Opcode Fuzzy Hash: 87D05E281E48858525DA74D93101B522241E7193938CC3F618A4C976EB6900F018EE0F
Instruction Fuzzy Hash: 1bfdbd06430122471a07604155f074e1564294130eb9d59a974828bfc3ff2ca5

APIs

RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000), ref: 0042221B

Strings

ldA, xrefs: 00422231

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00421F68, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36 Total matches: 12registry

Similarity

Total matches: 12
API ID: RegQueryValueEx
String ID: n"B
API String ID: 3865029661-2187876772
Opcode ID: 26fd4214dafc6fead50bf7e0389a84ae86561299910b3c40f1938d96c80dcc37
Instruction ID: ad829994a2409f232093606efc953ae9cd3a3a4e40ce86781ec441e637d7f613
Opcode Fuzzy Hash: A2C08C4DAA204AD6E1B42500D481F0827816B633B9D826F400162222E3BA009A9FE85C
Instruction Fuzzy Hash: ad829994a2409f232093606efc953ae9cd3a3a4e40ce86781ec441e637d7f613

APIs

RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,00000000,n"B,?,?,?,?,00000000,0042226E), ref: 00421F9A

Strings

n"B, xrefs: 00421F81, 00421F84

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Similar Non-Executed Functions

Function 0048B42C, Relevance: 70.2, APIs: 32, Strings: 8, Instructions: 219 Total matches: 29keyboard

Similarity

Total matches: 29
API ID: keybd_event
String ID: CTRLA$CTRLC$CTRLF$CTRLP$CTRLV$CTRLX$CTRLY$CTRLZ
API String ID: 2665452162-853614746
Opcode ID: 4def22f753c7f563c1d721fcc218f3f6eb664e5370ee48361dbc989d32d74133
Instruction ID: 963b610819eac8b52ef880b5a8b69d76f76adbdeafee6c47af906d1515d6b099
Opcode Fuzzy Hash: 532196951B0CA2B978DA64817C0E195F00B969B34DEDC13128990DAF788EF08DE03F35
Instruction Fuzzy Hash: 963b610819eac8b52ef880b5a8b69d76f76adbdeafee6c47af906d1515d6b099

APIs

keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B460
keybd_event.USER32(00000041,00000045,00000001,00000000), ref: 0048B46D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B47A
keybd_event.USER32(00000041,00000045,00000003,00000000), ref: 0048B487
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B4A8
keybd_event.USER32(00000056,00000045,00000001,00000000), ref: 0048B4B5
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B4C2
keybd_event.USER32(00000056,00000045,00000003,00000000), ref: 0048B4CF
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B4F0
keybd_event.USER32(00000043,00000045,00000001,00000000), ref: 0048B4FD
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B50A
keybd_event.USER32(00000043,00000045,00000003,00000000), ref: 0048B517
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B538
keybd_event.USER32(00000058,00000045,00000001,00000000), ref: 0048B545
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B552
keybd_event.USER32(00000058,00000045,00000003,00000000), ref: 0048B55F
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B580
keybd_event.USER32(00000050,00000045,00000001,00000000), ref: 0048B58D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B59A
keybd_event.USER32(00000050,00000045,00000003,00000000), ref: 0048B5A7
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B5C8
keybd_event.USER32(0000005A,00000045,00000001,00000000), ref: 0048B5D5
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B5E2
keybd_event.USER32(0000005A,00000045,00000003,00000000), ref: 0048B5EF
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B610
keybd_event.USER32(00000059,00000045,00000001,00000000), ref: 0048B61D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B62A
keybd_event.USER32(00000059,00000045,00000003,00000000), ref: 0048B637
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B655
keybd_event.USER32(00000046,00000045,00000001,00000000), ref: 0048B662
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B66F
keybd_event.USER32(00000046,00000045,00000003,00000000), ref: 0048B67C

Strings

CTRLP, xrefs: 0048B56C
CTRLC, xrefs: 0048B4DC
CTRLV, xrefs: 0048B494
CTRLY, xrefs: 0048B5FC
CTRLF, xrefs: 0048B641
CTRLZ, xrefs: 0048B5B4
CTRLX, xrefs: 0048B524
CTRLA, xrefs: 0048B44C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00460AC0, Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99 Total matches: 300libraryloader

Similarity

Total matches: 300
API ID: GetProcAddress$GetModuleHandle
String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$[FILE]
API String ID: 1039376941-2682310058
Opcode ID: f09c306a48b0de2dd47c8210d3bd2ba449cfa3644c05cf78ba5a2ace6c780295
Instruction ID: bcfc9cd07546656776842482fc67dab96c7523a4dc8624f3bf5282ed84c56a54
Opcode Fuzzy Hash: 950151BF00AC158CCBB0CE8834EFB5324AB398984C4225F4495C6312393D9FF50A1AAA
Instruction Fuzzy Hash: bcfc9cd07546656776842482fc67dab96c7523a4dc8624f3bf5282ed84c56a54

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?,?,?), ref: 00460AD4
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?,?,?), ref: 00460AEC
GetProcAddress.KERNEL32(00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?), ref: 00460AFE
GetProcAddress.KERNEL32(00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E), ref: 00460B10
GetProcAddress.KERNEL32(00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5), ref: 00460B22
GetProcAddress.KERNEL32(00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5), ref: 00460B34
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000), ref: 00460B46
GetProcAddress.KERNEL32(00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002), ref: 00460B58
GetProcAddress.KERNEL32(00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot), ref: 00460B6A
GetProcAddress.KERNEL32(00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst), ref: 00460B7C
GetProcAddress.KERNEL32(00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext), ref: 00460B8E
GetProcAddress.KERNEL32(00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First), ref: 00460BA0
GetProcAddress.KERNEL32(00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next), ref: 00460BB2
GetProcAddress.KERNEL32(00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory), ref: 00460BC4
GetProcAddress.KERNEL32(00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First), ref: 00460BD6
GetProcAddress.KERNEL32(00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next), ref: 00460BE8
GetProcAddress.KERNEL32(00000000,Module32NextW,00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW), ref: 00460BFA

Strings

Toolhelp32ReadProcessMemory, xrefs: 00460B3E
CreateToolhelp32Snapshot, xrefs: 00460AE4
Heap32First, xrefs: 00460B1A
Thread32First, xrefs: 00460B98
Module32First, xrefs: 00460BBC
Process32FirstW, xrefs: 00460B74
Heap32Next, xrefs: 00460B2C
Process32First, xrefs: 00460B50
Module32Next, xrefs: 00460BCE
Module32NextW, xrefs: 00460BF2
Heap32ListFirst, xrefs: 00460AF6
Thread32Next, xrefs: 00460BAA
Module32FirstW, xrefs: 00460BE0
Heap32ListNext, xrefs: 00460B08
Process32NextW, xrefs: 00460B86
kernel32.dll, xrefs: 00460ACF
Process32Next, xrefs: 00460B62

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428B08, Relevance: 48.5, APIs: 32, Instructions: 500 Total matches: 1987window

Similarity

Total matches: 1987
API ID: SelectObject$SelectPalette$CreateCompatibleDCGetDIBitsGetDeviceCapsRealizePaletteSetBkColorSetTextColor$BitBltCreateBitmapCreateCompatibleBitmapCreateDIBSectionDeleteDCFillRectGetDCGetDIBColorTableGetObjectPatBltSetDIBColorTable
String ID:
API String ID: 3042800676-0
Opcode ID: b8b687cee1c9a2d9d2f26bc490dbdcc6ec68fc2f2ec1aa58312beb2e349b1411
Instruction ID: ff68489d249ea03a763d48795c58495ac11dd1cccf96ec934182865f2a9e2114
Opcode Fuzzy Hash: E051494D0D8CF5C7B4BF29880993F5211816F83A27D2AB7130975677FB8A05A05BF21D
Instruction Fuzzy Hash: ff68489d249ea03a763d48795c58495ac11dd1cccf96ec934182865f2a9e2114

APIs

GetObjectA.GDI32(00000000,00000054,?), ref: 00428B88
GetDC.USER32(00000000), ref: 00428B99
CreateCompatibleDC.GDI32(00000000), ref: 00428BAA
CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 00428BF6
CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 00428C1A
GetDeviceCaps.GDI32(00000028,0000000C), ref: 00428C6A
GetDeviceCaps.GDI32(00000028,0000000E), ref: 00428C77
SelectObject.GDI32(?,?), ref: 00428D7F

Part of subcall function 004262B4: GetObjectA.GDI32(?,00000004), ref: 004262CB
Part of subcall function 004262B4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 004262EE

SelectObject.GDI32(?,00000000), ref: 00428D21
GetDIBColorTable.GDI32(?,00000000,00000100,-00000027), ref: 00428D47
GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428D72
CreateDIBSection.GDI32(00000028,00000001,00000000,00000003,00000000,00000000), ref: 00428DD5
GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428E36

Part of subcall function 00425A70: GetLastError.KERNEL32(00000000,00425B0C), ref: 00425A90
Part of subcall function 00425A70: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00425B0C), ref: 00425AB6

SelectObject.GDI32(?,?), ref: 00428E77
SelectPalette.GDI32(?,00000000,00000000), ref: 00428EB7
RealizePalette.GDI32(?), ref: 00428EC3
SelectPalette.GDI32(?,?,000000FF), ref: 004290CE

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?,00000000), ref: 00428F14
SetTextColor.GDI32(?,00000000), ref: 00428F2C
SetBkColor.GDI32(?,00000000), ref: 00428F46
SetDIBColorTable.GDI32(?,00000000,00000002,?), ref: 00428F8E
PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 00428FB0
CreateCompatibleDC.GDI32(00000028), ref: 00428FC3
SelectObject.GDI32(?,00000000), ref: 00428FE6
SelectPalette.GDI32(?,00000000,00000000), ref: 00429002
RealizePalette.GDI32(?), ref: 0042900D
DeleteDC.GDI32(?), ref: 004290A4

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetTextColor.GDI32(?,00000000), ref: 0042902B
SetBkColor.GDI32(?,00000000), ref: 00429045
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042906D
SelectPalette.GDI32(?,00000000,000000FF), ref: 0042907F
SelectObject.GDI32(?,00000000), ref: 00429089

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047FA8C, Relevance: 44.0, APIs: 24, Strings: 1, Instructions: 241 Total matches: 15networkwindow

Similarity

Total matches: 15
API ID: GetDeviceCaps$recv$DeleteObjectSelectObject$BitBltCreateCompatibleBitmapCreateCompatibleDCGetDCReleaseDCclosesocketconnectgethostbynameinet_addrntohssendshutdownsocket
String ID: THUMB
API String ID: 1930283203-3798143851
Opcode ID: 678904e15847db7bac48336b7cf5e320d4a41031a0bc1ba33978a791cdb2d37c
Instruction ID: a6e5d2826a1bfadec34d698d0b396fa74616cd31ac2933a690057ec4ea65ec21
Opcode Fuzzy Hash: A331F900078DE76BF6722B402983F571157FF42A21E6997A34BB4676C75FC0640EB60B
Instruction Fuzzy Hash: a6e5d2826a1bfadec34d698d0b396fa74616cd31ac2933a690057ec4ea65ec21

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,0047FD80), ref: 0047FACB
ntohs.WSOCK32(00000774), ref: 0047FAEF
inet_addr.WSOCK32(015EAA88,00000774), ref: 0047FB03
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 0047FB1B
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 0047FB42
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047FB59

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047FBA9
GetDC.USER32(00000000), ref: 0047FBE3
CreateCompatibleDC.GDI32(?), ref: 0047FBEF
GetDeviceCaps.GDI32(?,0000000A), ref: 0047FBFD
GetDeviceCaps.GDI32(?,00000008), ref: 0047FC09
CreateCompatibleBitmap.GDI32(?,00000000,?), ref: 0047FC13
SelectObject.GDI32(?,?), ref: 0047FC23
GetDeviceCaps.GDI32(?,0000000A), ref: 0047FC3E
GetDeviceCaps.GDI32(?,00000008), ref: 0047FC4A
BitBlt.GDI32(?,00000000,00000000,00000000,?,00000008,00000000,?,0000000A), ref: 0047FC58
send.WSOCK32(000000FF,?,00000000,00000000,?,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010), ref: 0047FCCD
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00000000,00000000,?,000000FF,?,00002000,00000000,000000FF,?,00002000), ref: 0047FCE4
SelectObject.GDI32(?,?), ref: 0047FD08
DeleteObject.GDI32(?), ref: 0047FD11
DeleteObject.GDI32(?), ref: 0047FD1A
ReleaseDC.USER32(00000000,?), ref: 0047FD25
shutdown.WSOCK32(000000FF,00000002,00000002,00000001,00000000,00000000,0047FD80), ref: 0047FD54
closesocket.WSOCK32(000000FF,000000FF,00000002,00000002,00000001,00000000,00000000,0047FD80), ref: 0047FD5D

Strings

THUMB, xrefs: 0047FB7F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486918, Relevance: 40.8, APIs: 27, Instructions: 343 Total matches: 14networksleep

Similarity

Total matches: 14
API ID: send$recv$closesocket$Sleepconnectgethostbynamegetsocknamentohsselectsocket
String ID:
API String ID: 2478304679-0
Opcode ID: 4d87a5330adf901161e92fb1ca319a93a9e59af002049e08fc24e9f18237b9f5
Instruction ID: e3ab2fee1e4498134b0ab76971bb2098cdaeb743d0e54aa66642cb2787f17742
Opcode Fuzzy Hash: 8F5159466792D79EF5A21F00640279192F68B03F25F05DB72D63A393D8CEC4009EBF08
Instruction Fuzzy Hash: e3ab2fee1e4498134b0ab76971bb2098cdaeb743d0e54aa66642cb2787f17742

APIs

recv.WSOCK32(?,?,00000002,00000002,00000000,00486E16), ref: 00486971
recv.WSOCK32(?,00000005,?,00000000), ref: 004869A0
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 004869EE
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486A0B
recv.WSOCK32(?,?,00000259,00000000,?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486A1F
send.WSOCK32(?,00000001,00000002,00000000), ref: 00486A9E
send.WSOCK32(?,00000001,00000002,00000000), ref: 00486ABB
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486AE8
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486B02
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486B2B
recv.WSOCK32(?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486B41
recv.WSOCK32(?,?,0000000C,00000000,?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486B7C
recv.WSOCK32(?,?,?,00000000,?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486BD9
gethostbyname.WSOCK32(00000000,?,?,?,00000000,?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486BFF
ntohs.WSOCK32(?,00000000,?,?,?,00000000,?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486C29
socket.WSOCK32(00000002,00000001,00000000), ref: 00486C44
connect.WSOCK32(00000000,00000002,00000010,00000002,00000001,00000000), ref: 00486C55
getsockname.WSOCK32(00000000,?,00000010,00000000,00000002,00000010,00000002,00000001,00000000), ref: 00486CA8
send.WSOCK32(?,00000005,0000000A,00000000,00000000,?,00000010,00000000,00000002,00000010,00000002,00000001,00000000), ref: 00486CDD
select.WSOCK32(00000000,?,00000000,00000000,00000000,?,00000005,0000000A,00000000,00000000,?,00000010,00000000,00000002,00000010,00000002), ref: 00486D1D
Sleep.KERNEL32(00000096,00000000,?,00000000,00000000,00000000,?,00000005,0000000A,00000000,00000000,?,00000010,00000000,00000002,00000010), ref: 00486DCA

Part of subcall function 00408710: __WSAFDIsSet.WSOCK32(00000000,?,00000000,?,00486D36,00000000,?,00000000,00000000,00000000,00000096,00000000,?,00000000,00000000,00000000), ref: 00408718

recv.WSOCK32(00000000,?,00001000,00000000,00000000,?,00000000,00000000,00000000,00000096,00000000,?,00000000,00000000,00000000,?), ref: 00486D5B
send.WSOCK32(?,?,00000000,00000000,00000000,?,00001000,00000000,00000000,?,00000000,00000000,00000000,00000096,00000000,?), ref: 00486D72
recv.WSOCK32(?,?,00001000,00000000,00000000,?,00000000,00000000,00000000,00000096,00000000,?,00000000,00000000,00000000,?), ref: 00486DA9
send.WSOCK32(00000000,?,00000000,00000000,?,?,00001000,00000000,00000000,?,00000000,00000000,00000000,00000096,00000000,?), ref: 00486DC0
closesocket.WSOCK32(?,?,?,00000002,00000002,00000000,00486E16), ref: 00486DE2
closesocket.WSOCK32(?,?,?,?,00000002,00000002,00000000,00486E16), ref: 00486DE8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004801FC, Relevance: 35.3, APIs: 15, Strings: 5, Instructions: 286 Total matches: 15network

Similarity

Total matches: 15
API ID: recv$closesocketconnectgethostbynameinet_addrntohssendshutdownsocket
String ID: [.dll]$[.dll]$[.dll]$[.dll]$[.dll]
API String ID: 2256622448-126193538
Opcode ID: edfb90c8b4475b2781d0696b1145c1d1b84b866ec8cac18c23b2313044de0fe7
Instruction ID: 2d95426e1e6ee9a744b3e863ef1b8a7e344b36da7f7d1abd741f771f4a8a1459
Opcode Fuzzy Hash: FB414B0217AAD36BE0726F413943B8B00A2AF03E15D9C97E247B5267D69FA0501DB21A
Instruction Fuzzy Hash: 2d95426e1e6ee9a744b3e863ef1b8a7e344b36da7f7d1abd741f771f4a8a1459

APIs

socket.WSOCK32(00000002,00000001,00000000), ref: 00480264
ntohs.WSOCK32(00000774), ref: 00480288
inet_addr.WSOCK32(015EAA88,00000774), ref: 0048029C
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 004802B4
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 004802DB
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004802F2
closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004805DE

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,?,0048064C,?,00000000,?,FILETRANSFER,000000FF,?,00002000,00000000,000000FF,00000002), ref: 0048036A
recv.WSOCK32(000000FF,?,00002000,00000000,?,00000000,?,0048064C,?,FILEBOF,?,FILETRANSFER,000000FF,?,00002000,00000000), ref: 00480401

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,00000000,?,0048064C,?,FILEBOF,?,FILETRANSFER), ref: 00480451
send.WSOCK32(000000FF,?,00000000,00000000,00000000,00480523,?,000000FF,?,00002000,00000000,?,00000000,?,0048064C,?), ref: 004804DB
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00000000,00000000,00000000,00480523,?,000000FF,?,00002000,00000000,?), ref: 004804F5
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,00000000,?,0048064C,?,FILEBOF,?,FILETRANSFER), ref: 00480583

Part of subcall function 00475F68: send.WSOCK32(?,00000000,?,00000000,00000000,00475FCA), ref: 00475FAF

recv.WSOCK32(000000FF,?,00002000,00000000,?,FILETRANSFER,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004805B6
shutdown.WSOCK32(000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004805D5

Strings

FILEERR, xrefs: 00480432
FILEEOF, xrefs: 00480564
FILEBOF, xrefs: 004803A6
FILEEND, xrefs: 00480597
FILETRANSFER, xrefs: 004802FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048E06C, Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 175 Total matches: 10windowmemorythread

Similarity

Total matches: 10
API ID: SendMessage$FindWindowEx$CloseHandleFindWindowGetWindowThreadProcessIdOpenProcessReadProcessMemoryVirtualAllocVirtualAllocExVirtualFreeVirtualFreeExWriteProcessMemory
String ID: #32770$SysListView32$d"H
API String ID: 3780048337-1380996120
Opcode ID: b683118a55e5ed65f15da96e40864f63eed112dcb30155d6a8038ec0cc94ce3d
Instruction ID: 921cf0fa770e2b86772df7590f9e2c4dc5a1ffd61c2349c0eb9e10af82608242
Opcode Fuzzy Hash: AB11504A0B9C9567E83768442C43BDB1581FB13E89EB1BB93E2743758ADE811069FA43
Instruction Fuzzy Hash: 921cf0fa770e2b86772df7590f9e2c4dc5a1ffd61c2349c0eb9e10af82608242

APIs

Part of subcall function 0048DFF0: GetForegroundWindow.USER32 ref: 0048E00F
Part of subcall function 0048DFF0: GetWindowTextLengthA.USER32(00000000), ref: 0048E01B
Part of subcall function 0048DFF0: GetWindowTextA.USER32(00000000,00000000,00000001), ref: 0048E038

FindWindowA.USER32(#32770,00000000), ref: 0048E0C3
FindWindowExA.USER32(?,00000000,#32770,00000000), ref: 0048E0D8
FindWindowExA.USER32(?,00000000,SysListView32,00000000), ref: 0048E0ED
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0048E102
VirtualAlloc.KERNEL32(00000000,0000012C,00003000,00000004,?,00000000,SysListView32,00000000,00000000,0048E273,?,?,?,?), ref: 0048E12A
GetWindowThreadProcessId.USER32(?,?), ref: 0048E139
OpenProcess.KERNEL32(00000038,00000000,?,00000000,0000012C,00003000,00000004,?,00000000,SysListView32,00000000,00000000,0048E273), ref: 0048E146
VirtualAllocEx.KERNEL32(00000000,00000000,0000012C,00003000,00000004,00000038,00000000,?,00000000,0000012C,00003000,00000004,?,00000000,SysListView32,00000000), ref: 0048E158
WriteProcessMemory.KERNEL32(00000000,00000000,00000000,00000400,?,00000000,00000000,0000012C,00003000,00000004,00000038,00000000,?,00000000,0000012C,00003000), ref: 0048E18A
SendMessageA.USER32(d"H,0000102D,00000000,00000000), ref: 0048E19D
ReadProcessMemory.KERNEL32(00000000,00000000,00000000,00000400,?,d"H,0000102D,00000000,00000000,00000000,00000000,00000000,00000400,?,00000000,00000000), ref: 0048E1AE
SendMessageA.USER32(d"H,00001008,00000000,00000000), ref: 0048E219
VirtualFree.KERNEL32(00000000,00000000,00008000,d"H,00001008,00000000,00000000,00000000,00000000,00000000,00000400,?,d"H,0000102D,00000000,00000000), ref: 0048E226
VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000,00000000,00000000,00008000,d"H,00001008,00000000,00000000,00000000,00000000,00000000,00000400,?), ref: 0048E234
CloseHandle.KERNEL32(00000000), ref: 0048E23A

Strings

SysListView32, xrefs: 0048E0E2
d"H, xrefs: 0048E199, 0048E215, 0048E19C, 0048E218
#32770, xrefs: 0048E0BE, 0048E0CD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00480880, Relevance: 30.0, APIs: 12, Strings: 5, Instructions: 276 Total matches: 16network

Similarity

Total matches: 16
API ID: recv$closesocketshutdown$connectgethostbynameinet_addrntohssocket
String ID: [.dll]$[.dll]$[.dll]$[.dll]$[.dll]
API String ID: 2855376909-126193538
Opcode ID: ce8af9afc4fc20da17b49cda6627b8ca93217772cb051443fc0079949da9fcb3
Instruction ID: 6552a3c7cc817bd0bf0621291c8240d3f07fdfb759ea8c029e05bf9a4febe696
Opcode Fuzzy Hash: A5414C032767977AE1612F402881B952571BF03769DC8C7D257F6746EA5F60240EF31E
Instruction Fuzzy Hash: 6552a3c7cc817bd0bf0621291c8240d3f07fdfb759ea8c029e05bf9a4febe696

APIs

socket.WSOCK32(00000002,00000001,00000000,?,?,?,?,?,?,?,?,?,00000000,00480C86), ref: 004808B5
ntohs.WSOCK32(00000774), ref: 004808D9
inet_addr.WSOCK32(015EAA88,00000774), ref: 004808ED
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 00480905
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 0048092C
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480943
closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480C2F

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480993
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88), ref: 004809C8
shutdown.WSOCK32(000000FF,00000002,?,?,?,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000), ref: 00480B80
closesocket.WSOCK32(000000FF,000000FF,00000002,?,?,?,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?), ref: 00480B89

Part of subcall function 00480860: send.WSOCK32(?,00000000,00000001,00000000), ref: 00480879

shutdown.WSOCK32(000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480C26

Part of subcall function 00405D40: SysFreeString.OLEAUT32(?), ref: 00405D53

Strings

FILEERR, xrefs: 00480BB6
FILEBOF, xrefs: 00480A34
FILEEOF, xrefs: 00480B0B
UPLOADFILE, xrefs: 00480969
FILEEND, xrefs: 00480B6A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048851C, Relevance: 28.3, APIs: 11, Strings: 5, Instructions: 302 Total matches: 13network

Similarity

Total matches: 13
API ID: recv$closesocketconnectgethostbynameinet_addrmouse_eventntohsshutdownsocket
String ID: CONTROLIO$XLEFT$XMID$XRIGHT$XWHEEL
API String ID: 1694935655-1300867655
Opcode ID: 3d8ebbc3997d8a2a290d7fc83b0cdb9b95b23bbbcb8ad76760d2b66ee4a9946d
Instruction ID: 7e2e77316238cb3891ff65c9dc595f4b15bca55cd02a53a070d44cee5d55110c
Opcode Fuzzy Hash: C7410B051B8DD63BF4337E001883B422661FF02A24DC5ABD1ABB6766E75F40641EB74B
Instruction Fuzzy Hash: 7e2e77316238cb3891ff65c9dc595f4b15bca55cd02a53a070d44cee5d55110c

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00488943), ref: 00488581
ntohs.WSOCK32(00000774), ref: 004885A7
inet_addr.WSOCK32(015EAA88,00000774), ref: 004885BB
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 004885D3
connect.WSOCK32(?,00000002,00000010,015EAA88,00000774), ref: 004885FD
recv.WSOCK32(?,?,00002000,00000000,?,00000002,00000010,015EAA88,00000774), ref: 00488617

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(?,?,00002000,00000000,?,?,00002000,00000000,?,00000002,00000010,015EAA88,00000774), ref: 00488670
recv.WSOCK32(?,?,00002000,00000000,?,?,00002000,00000000,?,?,00002000,00000000,?,00000002,00000010,015EAA88), ref: 004886B7
mouse_event.USER32(00000800,00000000,00000000,00000000,00000000), ref: 00488743

Part of subcall function 00488F80: SetCursorPos.USER32(00000000,00000000), ref: 004890E0
Part of subcall function 00488F80: mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 004890FB
Part of subcall function 00488F80: mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 0048910A
Part of subcall function 00488F80: mouse_event.USER32(00000008,00000000,00000000,00000000,00000000), ref: 0048911B
Part of subcall function 00488F80: mouse_event.USER32(00000010,00000000,00000000,00000000,00000000), ref: 0048912A
Part of subcall function 00488F80: mouse_event.USER32(00000020,00000000,00000000,00000000,00000000), ref: 0048913B
Part of subcall function 00488F80: mouse_event.USER32(00000040,00000000,00000000,00000000,00000000), ref: 0048914A

shutdown.WSOCK32(?,00000002,00000002,00000001,00000000,00000000,00488943), ref: 00488907
closesocket.WSOCK32(?,?,00000002,00000002,00000001,00000000,00000000,00488943), ref: 00488913

Strings

XLEFT, xrefs: 004887C6
CONTROLIO, xrefs: 00488640
XRIGHT, xrefs: 0048882E
XMID, xrefs: 00488896
XWHEEL, xrefs: 00488701

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048317C, Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 191 Total matches: 13networkthread

Similarity

Total matches: 13
API ID: ExitThreadrecv$closesocketconnectgethostbynameinet_addrntohssendshutdownsocket
String ID: AI$DATAFLUX
API String ID: 321019756-425132630
Opcode ID: b7a2c89509495347fc3323384a94636a93f503423a5dcd762de1341b7d40447e
Instruction ID: d3bdd4e47b343d3b4fa6119c5e41daebd5c6236719acedab40bdc5f8245a3ecd
Opcode Fuzzy Hash: 4B214D4107AAD97AE4702A443881BA224165F535ADFD48B7147343F7D79E43205DFA4E
Instruction Fuzzy Hash: d3bdd4e47b343d3b4fa6119c5e41daebd5c6236719acedab40bdc5f8245a3ecd

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,004833A9,?,00000000,0048340F), ref: 00483247
ExitThread.KERNEL32(00000000,00000002,00000001,00000000,00000000,004833A9,?,00000000,0048340F), ref: 00483257
ntohs.WSOCK32(00000774), ref: 0048326E
inet_addr.WSOCK32(015EAA88,00000774), ref: 00483282
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 0048329A
ExitThread.KERNEL32(00000000,015EAA88,015EAA88,00000774), ref: 004832A7
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 004832C6
recv.WSOCK32(000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004832D7
ExitThread.KERNEL32(00000000,000000FF,000000FF,00000002,000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0048339A

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00000400,00000000,?,00483440,?,DATAFLUX,000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88), ref: 0048331D
send.WSOCK32(000000FF,?,00000000,00000000), ref: 0048335C
recv.WSOCK32(000000FF,?,00000400,00000000,000000FF,?,00000000,00000000), ref: 00483370
shutdown.WSOCK32(000000FF,00000002,000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00483382
closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0048338B

Strings

AI, xrefs: 00483218
DATAFLUX, xrefs: 004832E3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047F4E0, Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 295 Total matches: 16network

Similarity

Total matches: 16
API ID: recv$closesocketconnectgethostbynameinet_addrntohsshutdownsocket
String ID: [.dll]$PLUGIN$QUICKUP
API String ID: 3502134677-2029499634
Opcode ID: e0335874fa5fb0619f753044afc16a0783dc895853cb643f68a57d403a54b849
Instruction ID: e53faec40743fc20efac8ebff3967ea6891c829de5991c2041a7f36387638ce7
Opcode Fuzzy Hash: 8E4129031BAAEA76E1723F4029C2B851A62EF12635DC4C7E287F6652D65F60241DF60E
Instruction Fuzzy Hash: e53faec40743fc20efac8ebff3967ea6891c829de5991c2041a7f36387638ce7

APIs

socket.WSOCK32(00000002,00000001,00000000,?,00000000,0047F930,?,?,?,?,00000000,00000000), ref: 0047F543
ntohs.WSOCK32(00000774), ref: 0047F567
inet_addr.WSOCK32(015EAA88,00000774), ref: 0047F57B
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 0047F593
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F5BA
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F5D1
closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F8C2

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,?,0047F968,?,0047F968,?,QUICKUP,000000FF,?,00002000,00000000,000000FF,00000002), ref: 0047F63F
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,0047F968,?,0047F968,?,QUICKUP,000000FF,?), ref: 0047F66F

Part of subcall function 0047F4C0: send.WSOCK32(?,00000000,00000001,00000000), ref: 0047F4D9

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,0047F968,?,0047F968), ref: 0047F859

Part of subcall function 0048ADCC: SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0048ADF9
Part of subcall function 0048ADCC: SHGetPathFromIDListA.SHELL32(?,?,00000000,0048AE8C,?,?,00000005,?,004856FD,00000000,00485755,?,?,00000005,00000000,00000000), ref: 0048AE09

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,0047F968,?,0047F968), ref: 0047F786

Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EEA0
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF11
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EF31
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF60
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0047EF96
Part of subcall function 0047EE3C: SetFileAttributesA.KERNEL32(00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFD6
Part of subcall function 0047EE3C: DeleteFileA.KERNEL32(00000000,00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFFF
Part of subcall function 0047EE3C: CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0047F033
Part of subcall function 0047EE3C: PlaySoundA.WINMM(00000000,00000000,00000001,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047F059
Part of subcall function 0047EE3C: CopyFileA.KERNEL32(00000000,00000000,.dcp), ref: 0047F0D1

shutdown.WSOCK32(000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F8B9

Part of subcall function 00405D40: SysFreeString.OLEAUT32(?), ref: 00405D53

Strings

PLUGIN, xrefs: 0047F527
QUICKUP, xrefs: 0047F5DD
FILEEND, xrefs: 0047F7E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00489244, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 150 Total matches: 15networkthread

Similarity

Total matches: 15
API ID: recv$ExitThreadclosesocketconnectgethostbynameinet_addrntohssendshutdownsocket
String ID: AI$DATAFLUX
API String ID: 272284131-425132630
Opcode ID: 11f7e99e0a7c1cc561ab01f1b1abb0142bfc906553ec9d79ada03e9cf39adde9
Instruction ID: 4d7be339f0e68e68ccf0b59b667884dcbebc6bd1e5886c9405f519ae2503b2a6
Opcode Fuzzy Hash: DA115B4513B9A77BE0626F943842B6265236B02E3CF498B3153B83A3C6DF41146DFA4D
Instruction Fuzzy Hash: 4d7be339f0e68e68ccf0b59b667884dcbebc6bd1e5886c9405f519ae2503b2a6

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00489441), ref: 004892BA
ntohs.WSOCK32(00000774), ref: 004892DC
inet_addr.WSOCK32(015EAA88,00000774), ref: 004892F0
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 00489308
connect.WSOCK32(00000000,00000002,00000010,015EAA88,00000774), ref: 0048932C
recv.WSOCK32(00000000,?,00000400,00000000,00000000,00000002,00000010,015EAA88,00000774), ref: 00489340

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(00000000,?,00000400,00000000,?,0048946C,?,DATAFLUX,00000000,?,00000400,00000000,00000000,00000002,00000010,015EAA88), ref: 00489399
send.WSOCK32(00000000,?,00000000,00000000), ref: 004893E3
recv.WSOCK32(00000000,?,00000400,00000000,00000000,?,00000000,00000000), ref: 004893FA
shutdown.WSOCK32(00000000,00000002,00000002,00000001,00000000,00000000,00489441), ref: 00489409
closesocket.WSOCK32(00000000,00000000,00000002,00000002,00000001,00000000,00000000,00489441), ref: 0048940F
ExitThread.KERNEL32(00000000,00000000,00000000,00000002,00000002,00000001,00000000,00000000,00489441), ref: 0048941E

Strings

DATAFLUX, xrefs: 0048934C
AI, xrefs: 0048928B

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00406A68, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 139 Total matches: 2934stringlibraryfile

Similarity

Total matches: 2934
API ID: lstrcpyn$lstrlen$FindCloseFindFirstFileGetModuleHandleGetProcAddress
String ID: GetLongPathNameA$\$[FILE]
API String ID: 3661757112-3025972186
Opcode ID: 09af6d4fb3ce890a591f7b23fb756db22e1cbc03564fc0e4437be3767da6793e
Instruction ID: b14d932b19fc4064518abdddbac2846d3fd2a245794c3c1ecc53a3c556f9407d
Opcode Fuzzy Hash: 5A0148030E08E387E1775B017586F4A12A1EF41C38E98A36025F15BAC94E00300CF12F
Instruction Fuzzy Hash: b14d932b19fc4064518abdddbac2846d3fd2a245794c3c1ecc53a3c556f9407d

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,00400000,004917C0), ref: 00406A85
GetProcAddress.KERNEL32(?,GetLongPathNameA,kernel32.dll,?,00400000,004917C0), ref: 00406A9C
lstrcpynA.KERNEL32(?,?,?,?,00400000,004917C0), ref: 00406ACC
lstrcpynA.KERNEL32(?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B30

Part of subcall function 00406A48: CharNextA.USER32(?), ref: 00406A4F

lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B66
FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B79
FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B8B
lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B97
lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000), ref: 00406BCB
lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00406BD7
lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 00406BF9

Strings

GetLongPathNameA, xrefs: 00406A93
\, xrefs: 00406BA9
kernel32.dll, xrefs: 00406A80

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486E2C, Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 178 Total matches: 14networkthreadsleep

Similarity

Total matches: 14
API ID: CloseHandleCreateThreadExitThreadLocalAllocSleepacceptbindlistenntohssocket
String ID: ERR|Cannot listen to port, try another one..|$ERR|Socket error..|$OK|Successfully started..|
API String ID: 2137491959-3262568804
Opcode ID: 90fb1963c21165c4396d73d063bf7afe9f22d057a02fd569e7e66b2d14a70f73
Instruction ID: 0fda09cc725898a8dcbc65afb209be10fac5e25cc35172c883d426d9189e88b6
Opcode Fuzzy Hash: 9011D50257DC549BD5E7ACC83887FA611625F83E8CEC8BB06AB9A3B2C10E555028B652
Instruction Fuzzy Hash: 0fda09cc725898a8dcbc65afb209be10fac5e25cc35172c883d426d9189e88b6

APIs

socket.WSOCK32(00000002,00000001,00000006,00000000,00487046), ref: 00486E87
ntohs.WSOCK32(?,00000002,00000001,00000006,00000000,00487046), ref: 00486EA8
bind.WSOCK32(00000000,00000002,00000010,?,00000002,00000001,00000006,00000000,00487046), ref: 00486EBD
listen.WSOCK32(00000000,00000005,00000000,00000002,00000010,?,00000002,00000001,00000006,00000000,00487046), ref: 00486ECD

Part of subcall function 004870D4: EnterCriticalSection.KERNEL32(0049C3A8,00000000,004872FC,?,?,00000000,?,00000003,00000000,00000000,?,00486F27,00000000,?,?,00000000), ref: 00487110
Part of subcall function 004870D4: LeaveCriticalSection.KERNEL32(0049C3A8,004872E1,004872FC,?,?,00000000,?,00000003,00000000,00000000,?,00486F27,00000000,?,?,00000000), ref: 004872D4

accept.WSOCK32(00000000,?,00000010,00000000,?,?,00000000,00000000,00000005,00000000,00000002,00000010,?,00000002,00000001,00000006), ref: 00486F37
LocalAlloc.KERNEL32(00000040,00000010,00000000,?,00000010,00000000,?,?,00000000,00000000,00000005,00000000,00000002,00000010,?,00000002), ref: 00486F49
CreateThread.KERNEL32(00000000,00000000,Function_00086918,00000000,00000000,?), ref: 00486F83
CloseHandle.KERNEL32(00000000), ref: 00486F89
Sleep.KERNEL32(00000064,00000000,00000000,00000000,Function_00086918,00000000,00000000,?,00000040,00000010,00000000,?,00000010,00000000,?,?), ref: 00486FD0

Part of subcall function 00487488: EnterCriticalSection.KERNEL32(0049C3A8,00000000,00487671,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00487016), ref: 004874B5
Part of subcall function 00487488: closesocket.WSOCK32(00000000,FpH,?,?,?,?,0049C3A8,00000000,00487671,?,?,00000000,?,00000000,00000000,00000000), ref: 0048761C
Part of subcall function 00487488: LeaveCriticalSection.KERNEL32(0049C3A8,00487656,00487671,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00487016), ref: 00487649

ExitThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000010,?,00000002,00000001,00000006,00000000,00487046), ref: 00487018

Strings

ERR|Socket error..|, xrefs: 00486FA4
OK|Successfully started..|, xrefs: 00486EEF
ERR|Cannot listen to port, try another one..|, xrefs: 00486FEE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048298C, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 119 Total matches: 11threadnetwork

Similarity

Total matches: 11
API ID: ExitThread$closesocket$connectgethostbynameinet_addrntohssocket
String ID: PortScanAdd$T)H
API String ID: 2395914352-1310557750
Opcode ID: 6c3104e507475618e3898607272650a69bca6dc046555386402c23f344340102
Instruction ID: 72399fd579b68a6a0bb22d5de318f24183f317e071505d54d2110904ee01d501
Opcode Fuzzy Hash: 1101680197ABE83FA05261C43881B8224A9AF57288CC8AFB2433A3E7C35D04300EF785
Instruction Fuzzy Hash: 72399fd579b68a6a0bb22d5de318f24183f317e071505d54d2110904ee01d501

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 004829FE
ExitThread.KERNEL32(00000000,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A0C
ntohs.WSOCK32(?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A18
inet_addr.WSOCK32(00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A2A
gethostbyname.WSOCK32(00000000,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A40
ExitThread.KERNEL32(00000000,00000000,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A4D
connect.WSOCK32(00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A63
ExitThread.KERNEL32(00000000,00000000,00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482AB2

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

closesocket.WSOCK32(00000000,?,00482B30,?,PortScanAdd,00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1), ref: 00482A9C
ExitThread.KERNEL32(00000000,00000000,?,00482B30,?,PortScanAdd,00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1), ref: 00482AA3
closesocket.WSOCK32(00000000,00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482AAB

Strings

T)H, xrefs: 004829A6, 00482AEF
PortScanAdd, xrefs: 00482A6C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004836D8, Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 99 Total matches: 11threadnetworksleep

Similarity

Total matches: 11
API ID: ExitThread$Sleepclosesocketconnectgethostbynameinet_addrntohsrecvsocket
String ID: POST /index.php/1.0Host:
API String ID: 2628901859-3522423011
Opcode ID: b04dd301db87c41df85ba2753455f3376e44383b7eb4be01a122875681284b07
Instruction ID: dc3bae1cbba1b9e51a9e3778eeee895e0839b03ccea3d6e2fe0063a405e053e2
Opcode Fuzzy Hash: E6F044005B779ABFC4611EC43C51B8205AA9353A64F85ABE2867A3AED6AD25100FF641
Instruction Fuzzy Hash: dc3bae1cbba1b9e51a9e3778eeee895e0839b03ccea3d6e2fe0063a405e053e2

APIs

socket.WSOCK32(00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 0048373A
ExitThread.KERNEL32(00000000,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 00483747
inet_addr.WSOCK32(?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 00483762
ntohs.WSOCK32(00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 0048376B
gethostbyname.WSOCK32(?,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 0048377B
ExitThread.KERNEL32(00000000,?,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 00483788
connect.WSOCK32(00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 0048379E
ExitThread.KERNEL32(00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 004837A9

Part of subcall function 00475F68: send.WSOCK32(?,00000000,?,00000000,00000000,00475FCA), ref: 00475FAF

recv.WSOCK32(00000000,?,00000400,00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ), ref: 004837C7
Sleep.KERNEL32(000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000,?), ref: 004837DF
closesocket.WSOCK32(00000000,000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000), ref: 004837E5
ExitThread.KERNEL32(00000000,00000000,000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854), ref: 004837EC

Strings

POST /index.php/1.0Host: , xrefs: 00483708

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482630, Relevance: 18.1, APIs: 12, Instructions: 116 Total matches: 16threadnetworksleep

Similarity

Total matches: 16
API ID: ExitThread$Sleepclosesocketconnectgethostbynameinet_addrntohsrecvsocket
String ID:
API String ID: 2628901859-0
Opcode ID: a3aaf1e794ac1aa69d03c8f9e66797259df72f874d13839bb17dd00c6b42194d
Instruction ID: ff6d9d03150e41bc14cdbddfb540e41f41725cc753a621d047e760d4192c390a
Opcode Fuzzy Hash: 7801D0011B764DBFC4611E846C8239311A7A763899DC5EBB1433A395D34E00202DFE46
Instruction Fuzzy Hash: ff6d9d03150e41bc14cdbddfb540e41f41725cc753a621d047e760d4192c390a

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000000,004827A8), ref: 004826CB
ExitThread.KERNEL32(00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 004826D8
inet_addr.WSOCK32(00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 004826F3
ntohs.WSOCK32(00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 004826FC
gethostbyname.WSOCK32(00000000,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 0048270C
ExitThread.KERNEL32(00000000,00000000,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 00482719
connect.WSOCK32(00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 0048272F
ExitThread.KERNEL32(00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 0048273A

Part of subcall function 004824B0: send.WSOCK32(?,?,00000400,00000000,00000000,00482542), ref: 00482525

recv.WSOCK32(00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 00482758
Sleep.KERNEL32(000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 00482770
closesocket.WSOCK32(00000000,000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000), ref: 00482776
ExitThread.KERNEL32(00000000,00000000,000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?), ref: 0048277D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004821A0, Relevance: 15.1, APIs: 10, Instructions: 112 Total matches: 15threadnetworksleep

Similarity

Total matches: 15
API ID: ExitThread$Sleepclosesocketgethostbynameinet_addrntohssendtosocket
String ID:
API String ID: 1359030137-0
Opcode ID: 9f2e935b6ee09f04cbe2534d435647e5a9c7a25d7308ce71f3340d3606cd1e00
Instruction ID: ac1de70ce42b68397a6b2ea81eb33c5fd22f812bdd7d349b67f520e68fdd8bef
Opcode Fuzzy Hash: BC0197011B76997BD8612EC42C8335325A7E363498E85ABB2863A3A5C34E00303EFD4A
Instruction Fuzzy Hash: ac1de70ce42b68397a6b2ea81eb33c5fd22f812bdd7d349b67f520e68fdd8bef

APIs

socket.WSOCK32(00000002,00000002,00000000,?,00000000,00482302), ref: 0048223B
ExitThread.KERNEL32(00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 00482248
inet_addr.WSOCK32(00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 00482263
ntohs.WSOCK32(00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 0048226C
gethostbyname.WSOCK32(00000000,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 0048227C
ExitThread.KERNEL32(00000000,00000000,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 00482289
sendto.WSOCK32(00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 004822B2
Sleep.KERNEL32(000003E8,00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 004822CA
closesocket.WSOCK32(00000000,000003E8,00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 004822D0
ExitThread.KERNEL32(00000000,00000000,000003E8,00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000), ref: 004822D7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00458910, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64 Total matches: 3020window

Similarity

Total matches: 3020
API ID: GetWindowLongScreenToClient$GetWindowPlacementGetWindowRectIsIconic
String ID: ,
API String ID: 816554555-3772416878
Opcode ID: 33713ad712eb987f005f3c933c072ce84ce87073303cb20338137d5b66c4d54f
Instruction ID: 99fb2dd3f2d8984d329dcc6a20dc6bc7800d43894b91fc45d581d88d3a180e50
Opcode Fuzzy Hash: 34E0929A777C2018C58145A80943F5DB3519B5B7FAC55DF8036902895B110018B1B86D
Instruction Fuzzy Hash: 99fb2dd3f2d8984d329dcc6a20dc6bc7800d43894b91fc45d581d88d3a180e50

APIs

IsIconic.USER32(?), ref: 0045891F
GetWindowPlacement.USER32(?,0000002C), ref: 0045893C
GetWindowRect.USER32(?), ref: 00458955
GetWindowLongA.USER32(?,000000F0), ref: 00458963
GetWindowLongA.USER32(?,000000F8), ref: 00458978
ScreenToClient.USER32(00000000), ref: 00458985
ScreenToClient.USER32(00000000,?), ref: 00458990

Strings

,, xrefs: 00458928

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043B7D8, Relevance: 12.1, APIs: 8, Instructions: 72 Total matches: 256window

Similarity

Total matches: 256
API ID: ShowWindow$SetWindowLong$GetWindowLongIsIconicIsWindowVisible
String ID:
API String ID: 1329766111-0
Opcode ID: 851ee31c2da1c7e890e66181f8fd9237c67ccb8fd941b2d55d1428457ca3ad95
Instruction ID: 2d601e2c9dde570a1438639cb57e59d23a7ac9434ebe8ec1c9926e4533b8e8e7
Opcode Fuzzy Hash: FEE0684A6E7C6CE4E26AE7048881B00514BE307A17DC00B00C722165A69E8830E4AC8E
Instruction Fuzzy Hash: 2d601e2c9dde570a1438639cb57e59d23a7ac9434ebe8ec1c9926e4533b8e8e7

APIs

GetWindowLongA.USER32(?,000000EC), ref: 0043B7E8
IsIconic.USER32(?), ref: 0043B800
IsWindowVisible.USER32(?), ref: 0043B80C
ShowWindow.USER32(?,00000000), ref: 0043B840
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B855
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B866
ShowWindow.USER32(?,00000006), ref: 0043B881
ShowWindow.USER32(?,00000005), ref: 0043B88B

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004389B4, Relevance: 10.9, APIs: 7, Instructions: 405 Total matches: 2150windowCrypto

Similarity

Total matches: 2150
API ID: RestoreDCSaveDC$DefWindowProcGetSubMenuGetWindowDC
String ID:
API String ID: 4165311318-0
Opcode ID: e3974ea3235f2bde98e421c273a503296059dbd60f3116d5136c6e7e7c4a4110
Instruction ID: 37498faecac08611daeb58a409bdd2e28f3aff22c71556953c3d6c7203dc42a1
Opcode Fuzzy Hash: E351598106AE105BFCB3A49435C3FA31002E75259BCC9F7725F65B69F70A426107FA0E
Instruction Fuzzy Hash: 37498faecac08611daeb58a409bdd2e28f3aff22c71556953c3d6c7203dc42a1

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 00438ECA

Part of subcall function 00437AE0: SendMessageA.USER32(?,00000234,00000000,00000000), ref: 00437B66
Part of subcall function 00437AE0: DrawMenuBar.USER32(00000000), ref: 00437B77

GetSubMenu.USER32(?,?), ref: 00438AB0

Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128

SaveDC.GDI32(?), ref: 00438C84
RestoreDC.GDI32(?,?), ref: 00438CF8
GetWindowDC.USER32(?), ref: 00438D72
SaveDC.GDI32(?), ref: 00438DA9
RestoreDC.GDI32(?,?), ref: 00438E16

Part of subcall function 00438594: GetMenuItemCount.USER32(?), ref: 004385C0
Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 004385E0
Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 00438678

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043E644, Relevance: 10.9, APIs: 7, Instructions: 356 Total matches: 105windowCrypto

Similarity

Total matches: 105
API ID: RestoreDCSaveDC$GetParentGetWindowDCSetFocus
String ID:
API String ID: 1433148327-0
Opcode ID: c7c51054c34f8cc51c1d37cc0cdfc3fb3cac56433bd5d750a0ee7df42f9800ec
Instruction ID: 9e67841575b56d9a11e2d3f15b67e7abce699d8469a9871b1b2609441fc85f19
Opcode Fuzzy Hash: 60514740199E7193F47720842BC3BEAB09AF79671DC40F3616BC6318877F15A21AB70B
Instruction Fuzzy Hash: 9e67841575b56d9a11e2d3f15b67e7abce699d8469a9871b1b2609441fc85f19

APIs

Part of subcall function 00448224: SetActiveWindow.USER32(?), ref: 0044823F
Part of subcall function 00448224: SetFocus.USER32(00000000), ref: 00448289

SetFocus.USER32(00000000), ref: 0043E76F

Part of subcall function 0043F4F4: SendMessageA.USER32(00000000,00000229,00000000,00000000), ref: 0043F51B

Part of subcall function 0044D2F4: GetWindowThreadProcessId.USER32(?), ref: 0044D301
Part of subcall function 0044D2F4: GetCurrentProcessId.KERNEL32(?,00000000,?,004387ED,?,004378A9), ref: 0044D30A
Part of subcall function 0044D2F4: GlobalFindAtomA.KERNEL32(00000000), ref: 0044D31F
Part of subcall function 0044D2F4: GetPropA.USER32(?,00000000), ref: 0044D336

GetParent.USER32(?), ref: 0043E78A

Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128

SaveDC.GDI32(?), ref: 0043E92D
RestoreDC.GDI32(?,?), ref: 0043E99E
GetWindowDC.USER32(00000000), ref: 0043EA0A
SaveDC.GDI32(?), ref: 0043EA41
RestoreDC.GDI32(?,?), ref: 0043EAA5

Part of subcall function 00447EF0: InvalidateRect.USER32(00000000,00000000,000000FF), ref: 00447F83
Part of subcall function 00447EF0: InvalidateRect.USER32(00000000,00000000,000000FF), ref: 00447FB6

Part of subcall function 004556F4: SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000077), ref: 004557E5
Part of subcall function 004556F4: _TrackMouseEvent.COMCTL32(00000010), ref: 00455A9D
Part of subcall function 004556F4: DefWindowProcA.USER32(00000000,?,?,?), ref: 00455AEF
Part of subcall function 004556F4: GetCapture.USER32 ref: 00455B5A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00471850, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 97 Total matches: 34service

Similarity

Total matches: 34
API ID: CloseServiceHandle$CreateServiceOpenSCManager
String ID: Description$System\CurrentControlSet\Services\
API String ID: 2405299899-3489731058
Opcode ID: 96e252074fe1f6aca618bd4c8be8348df4b99afc93868a54bf7090803d280f0a
Instruction ID: 14b9cf690ce9596509c6229b802a5a61d158de39c8e329de654368bbb4824ff8
Opcode Fuzzy Hash: 7EF09E441FA6E84FA45EB84828533D651465713A78D4C77F19778379C34E84802EF662
Instruction Fuzzy Hash: 14b9cf690ce9596509c6229b802a5a61d158de39c8e329de654368bbb4824ff8

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,00471976,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00471890
CreateServiceA.ADVAPI32(00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,0047193B), ref: 004718D1

Part of subcall function 004711E8: RegCreateKeyA.ADVAPI32(?,00000000,?), ref: 0047122E
Part of subcall function 004711E8: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000002,00000000,?,00000000,00471291), ref: 0047125A
Part of subcall function 004711E8: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000002,00000000,?,00000000,00471291), ref: 00471269

CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00471926
CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0047192C

Strings

Description, xrefs: 00471916
System\CurrentControlSet\Services\, xrefs: 004718F7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004714B8, Relevance: 10.6, APIs: 7, Instructions: 89 Total matches: 71service

Similarity

Total matches: 71
API ID: CloseServiceHandle$ControlServiceOpenSCManagerOpenServiceQueryServiceStatusStartService
String ID:
API String ID: 3657116338-0
Opcode ID: 1e9d444eec48d0e419340f6fec950ff588b94c8e7592a950f99d2ba7664d31f8
Instruction ID: f731b938185626ba78ad74946a73eac4c40bc8709c87a2b6d5c22da45b1e1850
Opcode Fuzzy Hash: EDF0270D12C6E85FF119A88C1181B67D992DF56795E4A37E04715744CB1AE21008FA1E
Instruction Fuzzy Hash: f731b938185626ba78ad74946a73eac4c40bc8709c87a2b6d5c22da45b1e1850

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047159E), ref: 004714FD
OpenServiceA.ADVAPI32(00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047152D
StartServiceA.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471555
ControlService.ADVAPI32(00000000,00000001,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471563
QueryServiceStatus.ADVAPI32(00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047156D
CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471573
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471579

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A070, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51 Total matches: 81shutdown

Similarity

Total matches: 81
API ID: AdjustTokenPrivilegesExitWindowsExGetCurrentProcessLookupPrivilegeValueOpenProcessToken
String ID: SeShutdownPrivilege
API String ID: 907618230-3733053543
Opcode ID: 6325c351eeb4cc5a7ec0039467aea46e8b54e3429b17674810d590d1af91e24f
Instruction ID: 66577e1e564058a64f67eda116e8e082f314cb3670dbe1b8773e92ba7f33d392
Opcode Fuzzy Hash: 84D0124D3B7976B1F31D5D4001C47A6711FDBA322AD61670069507725A8DA091F4BE88
Instruction Fuzzy Hash: 66577e1e564058a64f67eda116e8e082f314cb3670dbe1b8773e92ba7f33d392

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 0048A083
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0048A089
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000000), ref: 0048A0A4
AdjustTokenPrivileges.ADVAPI32(00000002,00000000,00000002,00000010,?,?,00000000), ref: 0048A0E5
ExitWindowsEx.USER32(00000012,00000000), ref: 0048A0ED

Strings

SeShutdownPrivilege, xrefs: 0048A09D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E370, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 46 Total matches: 14window

Similarity

Total matches: 14
API ID: GetWindowPlacementGetWindowRectIsIconic
String ID: MonitorFromWindow$pB
API String ID: 1187573753-2555291889
Opcode ID: b2662cef33c9ce970c581efdfdde34e0c8b40e940518fa378c404c4b73bde14f
Instruction ID: 5a6b2a18135ea14e651d4e6cb58f3d6b41c3321aed1c605d56f3d84144375520
Opcode Fuzzy Hash: E2D0977303280A045DC34844302880B2A322AD3C3188C3FE182332B3D34B8630BCCF1D
Instruction Fuzzy Hash: 5a6b2a18135ea14e651d4e6cb58f3d6b41c3321aed1c605d56f3d84144375520

APIs

IsIconic.USER32(?), ref: 0042E3B9
GetWindowPlacement.USER32(?,?), ref: 0042E3C7
GetWindowRect.USER32(?,?), ref: 0042E3D3

Part of subcall function 0042E2E0: GetSystemMetrics.USER32(00000000), ref: 0042E331
Part of subcall function 0042E2E0: GetSystemMetrics.USER32(00000001), ref: 0042E33D

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

pB, xrefs: 0042E38C, 0042E399, 0042E3A0
MonitorFromWindow, xrefs: 0042E387

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004715B0, Relevance: 7.5, APIs: 5, Instructions: 49 Total matches: 102service

Similarity

Total matches: 102
API ID: CloseServiceHandle$DeleteServiceOpenSCManagerOpenService
String ID:
API String ID: 3460840894-0
Opcode ID: edfa3289dfdb26ec1f91a4a945de349b204e0a604ed3354c303b362bde8b8223
Instruction ID: 514bcffe4070602af344c66095507f6a8d55ec3e3e7bb18c804bf3b7deea95f5
Opcode Fuzzy Hash: 01D02E841BA8F82FD4879988111239360C1AA23A90D8A37F08E08361D3ABE4004CF86A
Instruction Fuzzy Hash: 514bcffe4070602af344c66095507f6a8d55ec3e3e7bb18c804bf3b7deea95f5

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047162F), ref: 004715DB
OpenServiceA.ADVAPI32(00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 004715F5
DeleteService.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471601
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 0047160E
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471614

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474D58, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 57 Total matches: 14memoryinjection

Similarity

Total matches: 14
API ID: VirtualAllocExWriteProcessMemory
String ID: DCPERSFWBP$[FILE]
API String ID: 1899012086-3297815924
Opcode ID: 423b64deca3bc68d45fc180ef4fe9512244710ab636da43375ed106f5e876429
Instruction ID: 67bfdac44fec7567ab954589a4a4ae8848f6352de5e33de26bc6a5b7174d46b5
Opcode Fuzzy Hash: 4BD02B4149BDE17FF94C78C4A85678341A7D3173DCE802F51462633086CD94147EFCA2
Instruction Fuzzy Hash: 67bfdac44fec7567ab954589a4a4ae8848f6352de5e33de26bc6a5b7174d46b5

APIs

VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?,00000000,00000000,00000000,?,004755A7), ref: 00474D98
WriteProcessMemory.KERNEL32(?,00000000,kernel32.dll,?,?,?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?), ref: 00474DBE

Strings

DCPERSFWBP, xrefs: 00474D63
kernel32.dll, xrefs: 00474DBB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00466038, Relevance: 6.1, APIs: 4, Instructions: 80 Total matches: 74memory

Similarity

Total matches: 74
API ID: FreeLibraryGetProcessHeapHeapFreeVirtualFree
String ID:
API String ID: 3842653680-0
Opcode ID: 18c634abe08efcbefc55c9db1d620b030a08f63fe7277eb6ecf1dfb863243027
Instruction ID: c74000fe1f08e302fb3e428a7eb38cba65dd626a731774cc3da5921c0d19fb8b
Opcode Fuzzy Hash: 05E06801058482C6E4EC38C40607F0867817F8B269D70AB2809F62E7F7C985A25D5E80
Instruction Fuzzy Hash: c74000fe1f08e302fb3e428a7eb38cba65dd626a731774cc3da5921c0d19fb8b

APIs

FreeLibrary.KERNEL32(00000000,?,?,00000000,?,00000000,00465C6C), ref: 004660A7
VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,?,00000000,00465C6C), ref: 004660D8
GetProcessHeap.KERNEL32(00000000,?,?,?,00000000,?,00000000,00465C6C), ref: 004660E0
HeapFree.KERNEL32(00000000,00000000,?), ref: 004660E6

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A218, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45 Total matches: 35

Similarity

Total matches: 35
API ID: ShellExecuteEx
String ID: <$runas
API String ID: 188261505-1187129395
Opcode ID: 78fd917f465efea932f782085a819b786d64ecbded851ad2becd4a9c2b295cba
Instruction ID: 699417cfffd9d2823bf050fc300394e0ca4864bf277244f982f3937778f2d3bc
Opcode Fuzzy Hash: 44D0C2651799A06BC4A3B2C03C41B2B25307B13B48C0EB722960034CD38F080009EF85
Instruction Fuzzy Hash: 699417cfffd9d2823bf050fc300394e0ca4864bf277244f982f3937778f2d3bc

APIs

ShellExecuteExA.SHELL32(0000003C,00000000,0048A2A4), ref: 0048A283

Strings

runas, xrefs: 0048A268
<, xrefs: 0048A24C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00471640, Relevance: 4.6, APIs: 3, Instructions: 140 Total matches: 47service

Similarity

Total matches: 47
API ID: CloseServiceHandleEnumServicesStatusOpenSCManager
String ID:
API String ID: 233299287-0
Opcode ID: 185c547a2e6a35dbb7ea54b3dd23c7efef250d35a63269c87f9c499be03b9b38
Instruction ID: 4325fe5331610a1e4ee3b19dd885bf5302e7ab4f054d8126da991c50fe425a8d
Opcode Fuzzy Hash: D3112647077BC223FB612D841803F8279D84B1AA24F8C4B458BB5BC6F61E490105F69D
Instruction Fuzzy Hash: 4325fe5331610a1e4ee3b19dd885bf5302e7ab4f054d8126da991c50fe425a8d

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000005,00000000,00471828), ref: 004716A2
EnumServicesStatusA.ADVAPI32(00000000,0000013F,00000003,?,00004800,?,?,?), ref: 004716DC

Part of subcall function 004714B8: OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047159E), ref: 004714FD
Part of subcall function 004714B8: OpenServiceA.ADVAPI32(00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047152D
Part of subcall function 004714B8: StartServiceA.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471555
Part of subcall function 004714B8: ControlService.ADVAPI32(00000000,00000001,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471563
Part of subcall function 004714B8: QueryServiceStatus.ADVAPI32(00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047156D
Part of subcall function 004714B8: CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471573
Part of subcall function 004714B8: CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471579

CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000005,00000000,00471828), ref: 00471805

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042F204, Relevance: 166.5, APIs: 48, Strings: 47, Instructions: 266 Total matches: 2590libraryloader

Similarity

Total matches: 2590
API ID: GetProcAddress$LoadLibrary
String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$[FILE]
API String ID: 2209490600-790253602
Opcode ID: d5b316937265a1d63c550ac9e6780b23ae603b9b00a4eb52bbd2495b45327185
Instruction ID: cdd6db89471e363eb0c024dafd59dce8bdfa3de864d9ed8bc405e7c292d3cab1
Opcode Fuzzy Hash: 3A41197F44EC1149F6A0DA0830FF64324E669EAF2C0325F101587303717ADBF52A6AB9
Instruction Fuzzy Hash: cdd6db89471e363eb0c024dafd59dce8bdfa3de864d9ed8bc405e7c292d3cab1

APIs

LoadLibraryA.KERNEL32(uxtheme.dll), ref: 0042F23A
GetProcAddress.KERNEL32(00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F252
GetProcAddress.KERNEL32(00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F264
GetProcAddress.KERNEL32(00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F276
GetProcAddress.KERNEL32(00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F288
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F29A
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F2AC
GetProcAddress.KERNEL32(00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000), ref: 0042F2BE
GetProcAddress.KERNEL32(00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData), ref: 0042F2D0
GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData), ref: 0042F2E2
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground), ref: 0042F2F4
GetProcAddress.KERNEL32(00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText), ref: 0042F306
GetProcAddress.KERNEL32(00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect), ref: 0042F318
GetProcAddress.KERNEL32(00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect), ref: 0042F32A
GetProcAddress.KERNEL32(00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize), ref: 0042F33C
GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent), ref: 0042F34E
GetProcAddress.KERNEL32(00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics), ref: 0042F360
GetProcAddress.KERNEL32(00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion), ref: 0042F372
GetProcAddress.KERNEL32(00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground), ref: 0042F384
GetProcAddress.KERNEL32(00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge), ref: 0042F396
GetProcAddress.KERNEL32(00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon), ref: 0042F3A8
GetProcAddress.KERNEL32(00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined), ref: 0042F3BA
GetProcAddress.KERNEL32(00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent), ref: 0042F3CC
GetProcAddress.KERNEL32(00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor), ref: 0042F3DE
GetProcAddress.KERNEL32(00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric), ref: 0042F3F0
GetProcAddress.KERNEL32(00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString), ref: 0042F402
GetProcAddress.KERNEL32(00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool), ref: 0042F414
GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt), ref: 0042F426
GetProcAddress.KERNEL32(00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue), ref: 0042F438
GetProcAddress.KERNEL32(00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition), ref: 0042F44A
GetProcAddress.KERNEL32(00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont), ref: 0042F45C
GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect), ref: 0042F46E
GetProcAddress.KERNEL32(00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins), ref: 0042F480
GetProcAddress.KERNEL32(00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList), ref: 0042F492
GetProcAddress.KERNEL32(00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin), ref: 0042F4A4
GetProcAddress.KERNEL32(00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme), ref: 0042F4B6
GetProcAddress.KERNEL32(00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename), ref: 0042F4C8
GetProcAddress.KERNEL32(00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor), ref: 0042F4DA
GetProcAddress.KERNEL32(00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush), ref: 0042F4EC
GetProcAddress.KERNEL32(00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool), ref: 0042F4FE
GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize), ref: 0042F510
GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont), ref: 0042F522
GetProcAddress.KERNEL32(00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString), ref: 0042F534
GetProcAddress.KERNEL32(00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt), ref: 0042F546
GetProcAddress.KERNEL32(00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive), ref: 0042F558
GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed), ref: 0042F56A
GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground,00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme), ref: 0042F57C
GetProcAddress.KERNEL32(00000000,EnableTheming,00000000,DrawThemeParentBackground,00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture), ref: 0042F58E

Strings

EnableTheming, xrefs: 0042F586
CloseThemeData, xrefs: 0042F25C
DrawThemeText, xrefs: 0042F280
GetThemePosition, xrefs: 0042F3C4
IsThemeBackgroundPartiallyTransparent, xrefs: 0042F346
GetThemeBool, xrefs: 0042F38E
GetThemeTextMetrics, xrefs: 0042F2DA
IsThemeDialogTextureEnabled, xrefs: 0042F51A
GetThemeMetric, xrefs: 0042F36A
GetThemeSysInt, xrefs: 0042F4C0
GetThemeInt, xrefs: 0042F3A0
SetThemeAppProperties, xrefs: 0042F53E
IsAppThemed, xrefs: 0042F4E4
EnableThemeDialogTexture, xrefs: 0042F508
GetThemeEnumValue, xrefs: 0042F3B2
GetThemeSysSize, xrefs: 0042F48A
GetThemeTextExtent, xrefs: 0042F2C8
DrawThemeBackground, xrefs: 0042F26E
GetThemeBackgroundRegion, xrefs: 0042F2EC
IsThemeActive, xrefs: 0042F4D2
GetThemeBackgroundContentRect, xrefs: 0042F292, 0042F2A4
uxtheme.dll, xrefs: 0042F235
GetThemeSysString, xrefs: 0042F4AE
DrawThemeEdge, xrefs: 0042F310
GetThemeFilename, xrefs: 0042F442
GetThemeIntList, xrefs: 0042F40C
GetThemeSysBool, xrefs: 0042F478
GetThemeSysColor, xrefs: 0042F454
GetThemeFont, xrefs: 0042F3D6
GetWindowTheme, xrefs: 0042F4F6
GetThemeMargins, xrefs: 0042F3FA
GetThemeSysColorBrush, xrefs: 0042F466
GetCurrentThemeName, xrefs: 0042F550
GetThemeAppProperties, xrefs: 0042F52C
GetThemePropertyOrigin, xrefs: 0042F41E
OpenThemeData, xrefs: 0042F24A
GetThemeSysFont, xrefs: 0042F49C
GetThemeRect, xrefs: 0042F3E8
GetThemeDocumentationProperty, xrefs: 0042F562
IsThemePartDefined, xrefs: 0042F334
SetWindowTheme, xrefs: 0042F430
GetThemePartSize, xrefs: 0042F2B6
GetThemeColor, xrefs: 0042F358
DrawThemeParentBackground, xrefs: 0042F574
DrawThemeIcon, xrefs: 0042F322
GetThemeString, xrefs: 0042F37C
HitTestThemeBackground, xrefs: 0042F2FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004754C4, Relevance: 87.7, APIs: 29, Strings: 21, Instructions: 233 Total matches: 21libraryloaderprocess

Similarity

Total matches: 21
API ID: GetModuleHandleGetProcAddress$CreateProcess
String ID: CloseHandle$CreateMutexA$CreateProcessA$D$DCPERSFWBP$ExitThread$GetExitCodeProcess$GetLastError$GetProcAddress$LoadLibraryA$MessageBoxA$OpenProcess$SetLastError$Sleep$TerminateProcess$WaitForSingleObject$kernel32$[FILE]$notepad$user32$[FILE]
API String ID: 3751337051-3523759359
Opcode ID: 948186da047cc935dcd349cc6fe59913c298c2f7fe37e158e253dfef2729ac1f
Instruction ID: 4cc698827aad1f96db961776656dbb42e561cfa105640199e72939f2d3a7da76
Opcode Fuzzy Hash: 0C31B4E666B8F349E6362E4830D46BC26C1A687F3DB52D7004A37B27C46E810407F776
Instruction Fuzzy Hash: 4cc698827aad1f96db961776656dbb42e561cfa105640199e72939f2d3a7da76

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 00475590

Part of subcall function 00474D58: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?,00000000,00000000,00000000,?,004755A7), ref: 00474D98
Part of subcall function 00474D58: WriteProcessMemory.KERNEL32(?,00000000,kernel32.dll,?,?,?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?), ref: 00474DBE

GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756B4
GetProcAddress.KERNEL32(00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756BA
GetModuleHandleA.KERNEL32(kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756CB
GetProcAddress.KERNEL32(00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756D1
GetModuleHandleA.KERNEL32(kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756E3
GetProcAddress.KERNEL32(00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 004756E9
GetModuleHandleA.KERNEL32(user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 004756FB
GetProcAddress.KERNEL32(00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 00475701
GetModuleHandleA.KERNEL32(kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 00475713
GetProcAddress.KERNEL32(00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000), ref: 00475719
GetModuleHandleA.KERNEL32(kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32), ref: 0047572B
GetProcAddress.KERNEL32(00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000), ref: 00475731
GetModuleHandleA.KERNEL32(kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32), ref: 00475743
GetProcAddress.KERNEL32(00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000), ref: 00475749
GetModuleHandleA.KERNEL32(kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32), ref: 0047575B
GetProcAddress.KERNEL32(00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000), ref: 00475761
GetModuleHandleA.KERNEL32(kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32), ref: 00475773
GetProcAddress.KERNEL32(00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000), ref: 00475779
GetModuleHandleA.KERNEL32(kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32), ref: 0047578B
GetProcAddress.KERNEL32(00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000), ref: 00475791
GetModuleHandleA.KERNEL32(kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32), ref: 004757A3
GetProcAddress.KERNEL32(00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000), ref: 004757A9
GetModuleHandleA.KERNEL32(kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32), ref: 004757BB
GetProcAddress.KERNEL32(00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000), ref: 004757C1
GetModuleHandleA.KERNEL32(kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32), ref: 004757D3
GetProcAddress.KERNEL32(00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000), ref: 004757D9
GetModuleHandleA.KERNEL32(kernel32,OpenProcess,00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32), ref: 004757EB
GetProcAddress.KERNEL32(00000000,kernel32,OpenProcess,00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000), ref: 004757F1

Part of subcall function 00474E20: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00474E5E
Part of subcall function 00474E20: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00474E6E
Part of subcall function 00474E20: ReadProcessMemory.KERNEL32(?,00000000,?,?,?,DCPERSFWBP,?,?), ref: 00474E81

Part of subcall function 0040F234: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0048F90F,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040F24B

Strings

ExitThread, xrefs: 00475622, 00475799
kernel32, xrefs: 004756AF, 004756C6, 004756DE, 0047570E, 00475726, 0047573E, 00475756, 0047576E, 00475786, 0047579E, 004757B6, 004757CE, 004757E6
GetProcAddress, xrefs: 004756C1
TerminateProcess, xrefs: 0047564C, 004757B1
notepad, xrefs: 00475543
CreateMutexA, xrefs: 00475604, 00475769
kernel32.dll, xrefs: 0047559B
user32.dll, xrefs: 004755AA
SetLastError, xrefs: 004755F5, 00475751
D, xrefs: 00475517
DCPERSFWBP, xrefs: 00475563
Sleep, xrefs: 004755B9, 004756D9
GetExitCodeProcess, xrefs: 0047565B, 00475781
user32, xrefs: 004756F6
WaitForSingleObject, xrefs: 0047567E, 004757C9
LoadLibraryA, xrefs: 004756AA
OpenProcess, xrefs: 00475631, 004757E1
MessageBoxA, xrefs: 004755C8, 004756F1
CreateProcessA, xrefs: 004755D7, 00475721
GetLastError, xrefs: 004755E6, 00475739
CloseHandle, xrefs: 00475613, 00475709

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00460DDC, Relevance: 75.4, APIs: 24, Strings: 19, Instructions: 132 Total matches: 77libraryloader

Similarity

Total matches: 77
API ID: GetProcAddress$LoadLibrary
String ID: EmptyWorkingSet$EnumDeviceDrivers$EnumProcessModules$EnumProcesses$GetDeviceDriverBaseNameA$GetDeviceDriverBaseNameW$GetDeviceDriverFileNameA$GetDeviceDriverFileNameW$GetMappedFileNameA$GetMappedFileNameW$GetModuleBaseNameA$GetModuleBaseNameW$GetModuleFileNameExA$GetModuleFileNameExW$GetModuleInformation$GetProcessMemoryInfo$InitializeProcessForWsWatch$[FILE]$QueryWorkingSet
API String ID: 2209490600-4166134900
Opcode ID: aaefed414f62a40513f9ac2234ba9091026a29d00b8defe743cdf411cc1f958a
Instruction ID: 585c55804eb58d57426aaf25b5bf4c27b161b10454f9e43d23d5139f544de849
Opcode Fuzzy Hash: CC1125BF55AD1149CBA48A6C34EF70324D3399A90D4228F10A492317397DDFE49A1FB5
Instruction Fuzzy Hash: 585c55804eb58d57426aaf25b5bf4c27b161b10454f9e43d23d5139f544de849

APIs

LoadLibraryA.KERNEL32(PSAPI.dll), ref: 00460DF0
GetProcAddress.KERNEL32(00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E0C
GetProcAddress.KERNEL32(00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E1E
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E30
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E42
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E54
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E66
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll), ref: 00460E78
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses), ref: 00460E8A
GetProcAddress.KERNEL32(00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules), ref: 00460E9C
GetProcAddress.KERNEL32(00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA), ref: 00460EAE
GetProcAddress.KERNEL32(00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA), ref: 00460EC0
GetProcAddress.KERNEL32(00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA), ref: 00460ED2
GetProcAddress.KERNEL32(00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA), ref: 00460EE4
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW), ref: 00460EF6
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW), ref: 00460F08
GetProcAddress.KERNEL32(00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation), ref: 00460F1A
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet), ref: 00460F2C
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet), ref: 00460F3E
GetProcAddress.KERNEL32(00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch), ref: 00460F50
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA), ref: 00460F62
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA), ref: 00460F74
GetProcAddress.KERNEL32(00000000,EnumDeviceDrivers,00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA), ref: 00460F86
GetProcAddress.KERNEL32(00000000,GetProcessMemoryInfo,00000000,EnumDeviceDrivers,00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA), ref: 00460F98

Strings

GetDeviceDriverFileNameA, xrefs: 00460F00, 00460F36
GetModuleInformation, xrefs: 00460E94
QueryWorkingSet, xrefs: 00460EB8
EnumProcessModules, xrefs: 00460E16
InitializeProcessForWsWatch, xrefs: 00460ECA
GetMappedFileNameA, xrefs: 00460EDC, 00460F12
GetDeviceDriverFileNameW, xrefs: 00460F6C
GetDeviceDriverBaseNameA, xrefs: 00460EEE, 00460F24
PSAPI.dll, xrefs: 00460DEB
EnumProcesses, xrefs: 00460E04
EnumDeviceDrivers, xrefs: 00460F7E
GetModuleBaseNameA, xrefs: 00460E28, 00460E4C
GetModuleFileNameExA, xrefs: 00460E3A, 00460E5E
GetDeviceDriverBaseNameW, xrefs: 00460F5A
EmptyWorkingSet, xrefs: 00460EA6
GetModuleFileNameExW, xrefs: 00460E82
GetModuleBaseNameW, xrefs: 00460E70
GetMappedFileNameW, xrefs: 00460F48
GetProcessMemoryInfo, xrefs: 00460F90

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474F80, Relevance: 68.4, APIs: 23, Strings: 16, Instructions: 193 Total matches: 16libraryloaderprocess

Similarity

Total matches: 16
API ID: GetModuleHandleGetProcAddress$CreateProcess
String ID: CloseHandle$D$DeleteFileA$ExitThread$GetExitCodeProcess$GetLastError$GetProcAddress$LoadLibraryA$MessageBoxA$OpenProcess$Sleep$TerminateProcess$kernel32$[FILE]$notepad$[FILE]
API String ID: 3751337051-1992750546
Opcode ID: f3e5bd14b9eca4547e1d82111e60eaf505a3b72a2acd12d9f4d60f775fac33f7
Instruction ID: 521cd1f5f1d68558a350981a4af58b67496248f6491df8a54ee4dd11dd84c66b
Opcode Fuzzy Hash: 6C21A7BE2678E349F6766E1834D567C2491BA46A38B4AEB010237376C44F91000BFF76
Instruction Fuzzy Hash: 521cd1f5f1d68558a350981a4af58b67496248f6491df8a54ee4dd11dd84c66b

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0047500B

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

Part of subcall function 00474D58: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?,00000000,00000000,00000000,?,004755A7), ref: 00474D98
Part of subcall function 00474D58: WriteProcessMemory.KERNEL32(?,00000000,kernel32.dll,?,?,?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?), ref: 00474DBE

GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000,00475246), ref: 0047511C
GetProcAddress.KERNEL32(00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000,00475246), ref: 00475122
GetModuleHandleA.KERNEL32(kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000), ref: 00475133
GetProcAddress.KERNEL32(00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 00475139
GetModuleHandleA.KERNEL32(kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000), ref: 0047514B
GetProcAddress.KERNEL32(00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000), ref: 00475151
GetModuleHandleA.KERNEL32(kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000), ref: 00475163
GetProcAddress.KERNEL32(00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000), ref: 00475169
GetModuleHandleA.KERNEL32(kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000), ref: 0047517B
GetProcAddress.KERNEL32(00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000), ref: 00475181
GetModuleHandleA.KERNEL32(kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32), ref: 00475193
GetProcAddress.KERNEL32(00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000), ref: 00475199
GetModuleHandleA.KERNEL32(kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32), ref: 004751AB
GetProcAddress.KERNEL32(00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000), ref: 004751B1
GetModuleHandleA.KERNEL32(kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32), ref: 004751C3
GetProcAddress.KERNEL32(00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000), ref: 004751C9
GetModuleHandleA.KERNEL32(kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32), ref: 004751DB
GetProcAddress.KERNEL32(00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000), ref: 004751E1
GetModuleHandleA.KERNEL32(kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32), ref: 004751F3
GetProcAddress.KERNEL32(00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000), ref: 004751F9
GetModuleHandleA.KERNEL32(kernel32,GetExitCodeProcess,00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32), ref: 0047520B
GetProcAddress.KERNEL32(00000000,kernel32,GetExitCodeProcess,00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000), ref: 00475211

Part of subcall function 00474E20: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00474E5E
Part of subcall function 00474E20: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00474E6E
Part of subcall function 00474E20: ReadProcessMemory.KERNEL32(?,00000000,?,?,?,DCPERSFWBP,?,?), ref: 00474E81

Part of subcall function 0040F234: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0048F90F,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040F24B

Strings

DeleteFileA, xrefs: 0047509B, 00475189
user32.dll, xrefs: 0047505F
LoadLibraryA, xrefs: 00475112
Sleep, xrefs: 0047506E, 00475141
notepad, xrefs: 00475025
OpenProcess, xrefs: 004750D7, 004751E9
kernel32.dll, xrefs: 00475050
GetProcAddress, xrefs: 00475129
ExitThread, xrefs: 0047508C, 00475171
TerminateProcess, xrefs: 004750B9, 004751B9
kernel32, xrefs: 00475117, 0047512E, 00475146, 0047515E, 00475176, 0047518E, 004751A6, 004751BE, 004751D6, 004751EE, 00475206
MessageBoxA, xrefs: 0047507D, 00475159
CloseHandle, xrefs: 004750C8, 004751D1
GetLastError, xrefs: 004750AA, 004751A1
GetExitCodeProcess, xrefs: 004750E6, 00475201
D, xrefs: 00474FC9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045D6E8, Relevance: 49.1, APIs: 15, Strings: 13, Instructions: 95 Total matches: 1532libraryloader

Similarity

Total matches: 1532
API ID: GetProcAddress$SetErrorMode$GetModuleHandleLoadLibrary
String ID: ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME$[FILE]
API String ID: 4285671783-683095915
Opcode ID: 6332f91712b4189a2fbf9eac54066364acf4b46419cf90587b9f7381acad85db
Instruction ID: 372e34bc737a7edc69a1909bd40661afaf820c1de602df88552da6e630419b72
Opcode Fuzzy Hash: 0A01257F24D863CBD2D0CE4934DB39D20B65787C0C8D6DF404605318697F9BF9295A68
Instruction Fuzzy Hash: 372e34bc737a7edc69a1909bd40661afaf820c1de602df88552da6e630419b72

APIs

SetErrorMode.KERNEL32(00008000), ref: 0045D701
GetModuleHandleA.KERNEL32(USER32,00000000,0045D84E,?,00008000), ref: 0045D725
GetProcAddress.KERNEL32(00000000,WINNLSEnableIME,USER32,00000000,0045D84E,?,00008000), ref: 0045D732
LoadLibraryA.KERNEL32(imm32.dll), ref: 0045D74E
GetProcAddress.KERNEL32(00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D770
GetProcAddress.KERNEL32(00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D785
GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D79A
GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7AF
GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7C4
GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E), ref: 0045D7D9
GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000), ref: 0045D7EE
GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext), ref: 0045D803
GetProcAddress.KERNEL32(00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext), ref: 0045D818
GetProcAddress.KERNEL32(00000000,ImmNotifyIME,00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus), ref: 0045D82D
SetErrorMode.KERNEL32(?,0045D855,00008000), ref: 0045D848

Strings

USER32, xrefs: 0045D720
ImmReleaseContext, xrefs: 0045D77A
ImmNotifyIME, xrefs: 0045D822
ImmIsIME, xrefs: 0045D80D
ImmGetConversionStatus, xrefs: 0045D78F
ImmSetCompositionFontA, xrefs: 0045D7E3
ImmGetCompositionStringA, xrefs: 0045D7F8
ImmSetCompositionWindow, xrefs: 0045D7CE
ImmGetContext, xrefs: 0045D765
imm32.dll, xrefs: 0045D749
ImmSetOpenStatus, xrefs: 0045D7B9
WINNLSEnableIME, xrefs: 0045D72C
ImmSetConversionStatus, xrefs: 0045D7A4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004104F0, Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141 Total matches: 3143

Similarity

Total matches: 3143
API ID: GetModuleHandle
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$[FILE]
API String ID: 2196120668-1102361026
Opcode ID: d04b3c176625d43589df9c4c1eaa1faa8af9b9c00307a8a09859a0e62e75f2dc
Instruction ID: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6
Opcode Fuzzy Hash: B8119E48E06A10BC356E3ED6B0292683F50A1A7CBF31D5388487AA46F067C083C0FF2D
Instruction Fuzzy Hash: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 004104F9

Part of subcall function 004104C4: GetProcAddress.KERNEL32(00000000), ref: 004104DD

Strings

VarMod, xrefs: 004105B7
VarBstrFromCy, xrefs: 004106A9
VarBstrFromBool, xrefs: 004106D5
VarAnd, xrefs: 004105CD
VarDateFromStr, xrefs: 00410667
oleaut32.dll, xrefs: 004104F4
VariantChangeTypeEx, xrefs: 00410507
VarCmp, xrefs: 0041060F
VarBstrFromDate, xrefs: 004106BF
VarBoolFromStr, xrefs: 00410693
VarR8FromStr, xrefs: 00410651
VarR4FromStr, xrefs: 0041063B
VarDiv, xrefs: 0041058B
VarSub, xrefs: 0041055F
VarNeg, xrefs: 0041051D
VarAdd, xrefs: 00410549
VarOr, xrefs: 004105E3
VarMul, xrefs: 00410575
VarI4FromStr, xrefs: 00410625
VarCyFromStr, xrefs: 0041067D
VarIdiv, xrefs: 004105A1
VarXor, xrefs: 004105F9
VarNot, xrefs: 00410533

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047EE3C, Relevance: 37.0, APIs: 10, Strings: 11, Instructions: 210 Total matches: 14file

Similarity

Total matches: 14
API ID: ShellExecute$CopyFile$DeleteFilePlaySoundSetFileAttributes
String ID: .dcp$BATCH$EDITSVR$GENCODE$HOSTS$SOUND$UPANDEXEC$UPDATE$UPLOADEXEC$drivers\etc\hosts$open
API String ID: 313780579-486951257
Opcode ID: 44d22e170a376e2c3ac9494fe8a96a526e5340482cd9b2ca1a65bf3f31ad22f8
Instruction ID: 609fd5320f3736894535b51981f95e3d4faf5b0f44a63c85dacee75dc97e5f91
Opcode Fuzzy Hash: 482159C03AA5D247E11B38503C02FC671E1AB8B365C4E774182B9B32D6EF825029EF59
Instruction Fuzzy Hash: 609fd5320f3736894535b51981f95e3d4faf5b0f44a63c85dacee75dc97e5f91

APIs

ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EEA0
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF11
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EF31
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF60

Part of subcall function 00475BD8: closesocket.WSOCK32(00000248,00000000,00475D47,?,00000000,00475D76,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00475D2E
Part of subcall function 00475BD8: GetCurrentProcessId.KERNEL32(00000248,00000000,00475D47,?,00000000,00475D76,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00475D33

ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0047EF96
CopyFileA.KERNEL32(00000000,00000000,.dcp), ref: 0047F0D1

Part of subcall function 00489C78: GetSystemDirectoryA.KERNEL32(00000000,?), ref: 00489CB4

SetFileAttributesA.KERNEL32(00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFD6
DeleteFileA.KERNEL32(00000000,00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFFF
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0047F033
PlaySoundA.WINMM(00000000,00000000,00000001,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047F059

Strings

UPANDEXEC, xrefs: 0047EF74
UPLOADEXEC, xrefs: 0047EE7E
BATCH, xrefs: 0047EEC3
drivers\etc\hosts, xrefs: 0047EFC3, 0047EFE6, 0047F017
GENCODE, xrefs: 0047F0A0
UPDATE, xrefs: 0047EF3E
open, xrefs: 0047EE99, 0047EF0A, 0047EF2A, 0047EF59, 0047EF8F
HOSTS, xrefs: 0047EFA3
.dcp, xrefs: 0047F0AD
SOUND, xrefs: 0047F040
EDITSVR, xrefs: 0047F063

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00489580, Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 221 Total matches: 17pipewindowsleep

Similarity

Total matches: 17
API ID: CloseHandleCreatePipePeekNamedPipe$CreateProcessDispatchMessageGetEnvironmentVariableGetExitCodeProcessOemToCharPeekMessageReadFileSleepTerminateProcessTranslateMessage
String ID: COMSPEC$D
API String ID: 4101216710-942777791
Opcode ID: 98b6063c36b7c4f9ee270a2712a57a54142ac9cf893dea9da1c9317ddc3726ed
Instruction ID: f750be379b028122e82cf807415e9f3aafae13f02fb218c552ebf65ada2f023f
Opcode Fuzzy Hash: 6221AE4207BD57A3E5972A046403B841372FF43A68F6CA7A2A6FD367E9CE400099FE14
Instruction Fuzzy Hash: f750be379b028122e82cf807415e9f3aafae13f02fb218c552ebf65ada2f023f

APIs

CreatePipe.KERNEL32(FFFFFFFF,?,00000000,00000000), ref: 004895ED
CreatePipe.KERNEL32(?,?,00000000,00000000,FFFFFFFF,?,00000000,00000000), ref: 004895FD
GetEnvironmentVariableA.KERNEL32(COMSPEC,?,00000104,?,?,00000000,00000000,FFFFFFFF,?,00000000,00000000), ref: 00489613
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?), ref: 00489668
Sleep.KERNEL32(000007D0,00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,COMSPEC,?,00000104,?,?), ref: 00489685
TranslateMessage.USER32(?), ref: 00489693
DispatchMessageA.USER32(?), ref: 0048969F
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004896B3
GetExitCodeProcess.KERNEL32(?,?), ref: 004896C8
PeekNamedPipe.KERNEL32(FFFFFFFF,00000000,00000000,00000000,?,00000000,?,?,?,00000000,00000000,00000000,00000001,?,?,?), ref: 004896F2
ReadFile.KERNEL32(FFFFFFFF,?,00002400,00000000,00000000), ref: 00489717
OemToCharA.USER32(?,?), ref: 0048972E
PeekNamedPipe.KERNEL32(FFFFFFFF,00000000,00000000,00000000,00000000,00000000,?,FFFFFFFF,?,00002400,00000000,00000000,FFFFFFFF,00000000,00000000,00000000), ref: 00489781

Part of subcall function 0041FA34: GetLastError.KERNEL32(00486514,00000004,0048650C,00000000,0041FADE,?,00499F5C), ref: 0041FA94

Part of subcall function 0041FC40: SetThreadPriority.KERNEL32(?,015CDB28,00499F5C,?,0047EC9E,?,?,?,00000000,00000000,?,0049062B), ref: 0041FC55

Part of subcall function 0041FEF0: ResumeThread.KERNEL32(?,00499F5C,?,0047ECAA,?,?,?,00000000,00000000,?,0049062B), ref: 0041FEF8

Part of subcall function 0041FF20: GetCurrentThreadId.KERNEL32 ref: 0041FF2E
Part of subcall function 0041FF20: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0041FF5A
Part of subcall function 0041FF20: MsgWaitForMultipleObjects.USER32(00000002,?,00000000,000003E8,00000040), ref: 0041FF6F
Part of subcall function 0041FF20: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041FF9C
Part of subcall function 0041FF20: GetExitCodeThread.KERNEL32(?,?,?,000000FF), ref: 0041FFA7

TerminateProcess.KERNEL32(?,00000000,00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,COMSPEC,?,00000104,?), ref: 0048980A
CloseHandle.KERNEL32(?), ref: 00489813
CloseHandle.KERNEL32(?), ref: 0048981C

Strings

D, xrefs: 00489627
COMSPEC, xrefs: 0048960E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004291D0, Relevance: 31.7, APIs: 21, Instructions: 194 Total matches: 3060window

Similarity

Total matches: 3060
API ID: SelectObject$CreateCompatibleDCDeleteDCRealizePaletteSelectPaletteSetBkColor$BitBltCreateBitmapDeleteObjectGetDCGetObjectPatBltReleaseDC
String ID:
API String ID: 628774946-0
Opcode ID: fe3971f2977393a3c43567018b8bbe78de127415e632ac21538e816cc0dd5250
Instruction ID: 6115c1c3159ef7867d394253bd6a45f4e10092e6f2e7cc69ab30c5ac2c74a228
Opcode Fuzzy Hash: 2911294A05CCF32B64B579881983B261182FE43B52CABF7105979272CACF41740DE457
Instruction Fuzzy Hash: 6115c1c3159ef7867d394253bd6a45f4e10092e6f2e7cc69ab30c5ac2c74a228

APIs

GetObjectA.GDI32(?,00000054,?), ref: 004291F3
GetDC.USER32(00000000), ref: 00429221
CreateCompatibleDC.GDI32(?), ref: 00429232
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0042924D
SelectObject.GDI32(?,00000000), ref: 00429267
PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 00429289
CreateCompatibleDC.GDI32(?), ref: 00429297
DeleteDC.GDI32(?), ref: 0042937D

Part of subcall function 00428B08: GetObjectA.GDI32(00000000,00000054,?), ref: 00428B88
Part of subcall function 00428B08: GetDC.USER32(00000000), ref: 00428B99
Part of subcall function 00428B08: CreateCompatibleDC.GDI32(00000000), ref: 00428BAA
Part of subcall function 00428B08: CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 00428BF6
Part of subcall function 00428B08: CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 00428C1A
Part of subcall function 00428B08: GetDeviceCaps.GDI32(00000028,0000000C), ref: 00428C6A
Part of subcall function 00428B08: GetDeviceCaps.GDI32(00000028,0000000E), ref: 00428C77
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00428D21
Part of subcall function 00428B08: GetDIBColorTable.GDI32(?,00000000,00000100,-00000027), ref: 00428D47
Part of subcall function 00428B08: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428D72
Part of subcall function 00428B08: SelectObject.GDI32(?,?), ref: 00428D7F
Part of subcall function 00428B08: CreateDIBSection.GDI32(00000028,00000001,00000000,00000003,00000000,00000000), ref: 00428DD5
Part of subcall function 00428B08: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428E36
Part of subcall function 00428B08: SelectObject.GDI32(?,?), ref: 00428E77
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,00000000), ref: 00428EB7
Part of subcall function 00428B08: RealizePalette.GDI32(?), ref: 00428EC3
Part of subcall function 00428B08: FillRect.USER32(?,?,00000000), ref: 00428F14
Part of subcall function 00428B08: SetTextColor.GDI32(?,00000000), ref: 00428F2C
Part of subcall function 00428B08: SetBkColor.GDI32(?,00000000), ref: 00428F46
Part of subcall function 00428B08: SetDIBColorTable.GDI32(?,00000000,00000002,?), ref: 00428F8E
Part of subcall function 00428B08: PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 00428FB0
Part of subcall function 00428B08: CreateCompatibleDC.GDI32(00000028), ref: 00428FC3
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00428FE6
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,00000000), ref: 00429002
Part of subcall function 00428B08: RealizePalette.GDI32(?), ref: 0042900D
Part of subcall function 00428B08: SetTextColor.GDI32(?,00000000), ref: 0042902B
Part of subcall function 00428B08: SetBkColor.GDI32(?,00000000), ref: 00429045
Part of subcall function 00428B08: BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042906D
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,000000FF), ref: 0042907F
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00429089
Part of subcall function 00428B08: DeleteDC.GDI32(?), ref: 004290A4
Part of subcall function 00428B08: SelectPalette.GDI32(?,?,000000FF), ref: 004290CE

SelectObject.GDI32(?), ref: 004292DF
SelectPalette.GDI32(?,?,00000000), ref: 004292F2
RealizePalette.GDI32(?), ref: 004292FB
SelectPalette.GDI32(?,?,00000000), ref: 00429307
RealizePalette.GDI32(?), ref: 00429310
SetBkColor.GDI32(?), ref: 0042931A
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042933E
SetBkColor.GDI32(?,00000000), ref: 00429348
SelectObject.GDI32(?,00000000), ref: 0042935B
DeleteObject.GDI32 ref: 00429367
SelectObject.GDI32(?,00000000), ref: 00429398
DeleteDC.GDI32(00000000), ref: 004293B4
ReleaseDC.USER32(00000000,00000000), ref: 004293C5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004031FC, Relevance: 27.1, APIs: 9, Strings: 9, Instructions: 110 Total matches: 169

Similarity

Total matches: 169
API ID: CharNext
String ID: $ $ $"$"$"$"$"$"
API String ID: 3213498283-3597982963
Opcode ID: a78e52ca640c3a7d11d18e4cac849d6c7481ab065be4a6ef34a7c34927dd7892
Instruction ID: 5d6dbb870b020a65ba4fa9e31a5dda400ef744f15fc7bff5e21739e263984da5
Opcode Fuzzy Hash: D0F054139ED4432360976B416872B44E2D0DF9564D2C01F185B62BE2F31E696D62F9DC
Instruction Fuzzy Hash: 5d6dbb870b020a65ba4fa9e31a5dda400ef744f15fc7bff5e21739e263984da5

APIs

CharNextA.USER32(00000000), ref: 00403208
CharNextA.USER32(00000000), ref: 00403236
CharNextA.USER32(00000000), ref: 00403240
CharNextA.USER32(00000000), ref: 0040325F
CharNextA.USER32(00000000), ref: 00403269
CharNextA.USER32(00000000), ref: 00403295
CharNextA.USER32(00000000), ref: 0040329F
CharNextA.USER32(00000000), ref: 004032C7
CharNextA.USER32(00000000), ref: 004032D1

Strings

", xrefs: 00403230
, xrefs: 004032E9
", xrefs: 0040328F
", xrefs: 0040321E
, xrefs: 00403214
", xrefs: 00403254
, xrefs: 00403278
", xrefs: 00403219
", xrefs: 004032BC

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00472E88, Relevance: 26.4, APIs: 6, Strings: 9, Instructions: 199 Total matches: 19network

Similarity

Total matches: 19
API ID: inet_ntoa$WSAIoctlclosesocketsocket
String ID: Broadcast adress : $ Broadcasts : NO$ Broadcasts : YES$ IP : $ IP Mask : $ Loopback interface$ Network interface$ Status : DOWN$ Status : UP
API String ID: 2271367613-1810517698
Opcode ID: 3d4dbe25dc82bdd7fd028c6f91bddee7ad6dc1d8a686e5486e056cbc58026438
Instruction ID: 018b2a24353d4e3a07e7e79b390110fecb7011e72bd4e8fb6250bb24c4a02172
Opcode Fuzzy Hash: E22138C22338E1B2D42A39C6B500F80B651671FB7EF481F9652B6FFDC26E488005A749
Instruction Fuzzy Hash: 018b2a24353d4e3a07e7e79b390110fecb7011e72bd4e8fb6250bb24c4a02172

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00473108), ref: 00472EC7
WSAIoctl.WS2_32(000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000), ref: 00472F08
inet_ntoa.WSOCK32(?,00000000,004730D5,?,00000002,00000001,00000000,00000000,00473108), ref: 00472F40
inet_ntoa.WSOCK32(?,00473130,?, IP : ,?,?,00000000,004730D5,?,00000002,00000001,00000000,00000000,00473108), ref: 00472F81
inet_ntoa.WSOCK32(?,00473130,?, IP Mask : ,?,?,00473130,?, IP : ,?,?,00000000,004730D5,?,00000002,00000001), ref: 00472FC2
closesocket.WSOCK32(000000FF,00000002,00000001,00000000,00000000,00473108), ref: 004730E3

Strings

Broadcast adress : , xrefs: 00472FCB
Status : UP, xrefs: 00473001
IP Mask : , xrefs: 00472F8A
Broadcasts : NO, xrefs: 00473057
Status : DOWN, xrefs: 0047301B
IP : , xrefs: 00472F49
Broadcasts : YES, xrefs: 0047303D
Network interface, xrefs: 00473091
Loopback interface, xrefs: 00473077

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045944C, Relevance: 25.8, APIs: 17, Instructions: 258 Total matches: 99

Similarity

Total matches: 99
API ID: OffsetRect$MapWindowPoints$DrawEdgeExcludeClipRectFillRectGetClientRectGetRgnBoxGetWindowDCGetWindowLongGetWindowRectInflateRectIntersectClipRectIntersectRectReleaseDC
String ID:
API String ID: 549690890-0
Opcode ID: 4a5933c45267f4417683cc1ac528043082b1f46eca0dcd21c58a50742ec4aa88
Instruction ID: 2ecbe6093ff51080a4fa1a6c7503b414327ded251fe39163baabcde2d7402924
Opcode Fuzzy Hash: DE316B4D01AF1663F073A6401983F7A1516FF43A89CD837F27EE63235E27662066AA03
Instruction Fuzzy Hash: 2ecbe6093ff51080a4fa1a6c7503b414327ded251fe39163baabcde2d7402924

APIs

GetWindowDC.USER32(00000000), ref: 00459480
GetClientRect.USER32(00000000,?), ref: 004594A3
GetWindowRect.USER32(00000000,?), ref: 004594B5
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 004594CB
OffsetRect.USER32(?,?,?), ref: 004594E0
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 004594F9
InflateRect.USER32(?,00000000,00000000), ref: 00459517
GetWindowLongA.USER32(00000000,000000F0), ref: 00459531
DrawEdge.USER32(?,?,?,00000008), ref: 00459630
IntersectClipRect.GDI32(?,?,?,?,?), ref: 00459649
OffsetRect.USER32(?,?,?), ref: 00459673
GetRgnBox.GDI32(?,?), ref: 00459682
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 00459698
IntersectRect.USER32(?,?,?), ref: 004596A9
OffsetRect.USER32(?,?,?), ref: 004596BE

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?,00000000), ref: 004596DA
ReleaseDC.USER32(00000000,?), ref: 004596F9

Part of subcall function 004328FC: GetWindowLongA.USER32(00000000,000000EC), ref: 00432917
Part of subcall function 004328FC: GetWindowRect.USER32(00000000,?), ref: 00432932
Part of subcall function 004328FC: OffsetRect.USER32(?,?,?), ref: 00432947
Part of subcall function 004328FC: GetWindowDC.USER32(00000000), ref: 00432955
Part of subcall function 004328FC: GetWindowLongA.USER32(00000000,000000F0), ref: 00432986
Part of subcall function 004328FC: GetSystemMetrics.USER32(00000002), ref: 0043299B
Part of subcall function 004328FC: GetSystemMetrics.USER32(00000003), ref: 004329A4
Part of subcall function 004328FC: InflateRect.USER32(?,000000FE,000000FE), ref: 004329B3
Part of subcall function 004328FC: GetSysColorBrush.USER32(0000000F), ref: 004329E0
Part of subcall function 004328FC: FillRect.USER32(?,?,00000000), ref: 004329EE
Part of subcall function 004328FC: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00432A13
Part of subcall function 004328FC: ReleaseDC.USER32(00000000,?), ref: 00432A51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00465A0C, Relevance: 21.2, APIs: 6, Strings: 8, Instructions: 232 Total matches: 70memory

Similarity

Total matches: 70
API ID: VirtualAlloc$GetProcessHeapHeapAlloc
String ID: BTMemoryLoadLibary: BuildImportTable failed$BTMemoryLoadLibary: Can't attach library$BTMemoryLoadLibary: Get DLLEntyPoint failed$BTMemoryLoadLibary: IMAGE_NT_SIGNATURE is not valid$BTMemoryLoadLibary: VirtualAlloc failed$BTMemoryLoadLibary: dll dos header is not valid$MZ$PE
API String ID: 2488116186-3631919656
Opcode ID: 3af931fd5e956d794d4d8b2d9451c0c23910b02d2e1f96ee73557f06256af9ed
Instruction ID: 5201b0f892773e34eb121d15694a5594f27085db04a31d88d5a3aa16cfd2fb7b
Opcode Fuzzy Hash: C92170831B68E1B7FD6411983983F62168EE747E64EC5A7700375391DB6B09408DEB4E
Instruction Fuzzy Hash: 5201b0f892773e34eb121d15694a5594f27085db04a31d88d5a3aa16cfd2fb7b

APIs

VirtualAlloc.KERNEL32(?,?,00002000,00000004), ref: 00465AC1
VirtualAlloc.KERNEL32(00000000,?,00002000,00000004,?,?,00002000,00000004), ref: 00465ADC
GetProcessHeap.KERNEL32(00000000,00000011,?,?,00002000,00000004), ref: 00465B07
HeapAlloc.KERNEL32(00000000,00000000,00000011,?,?,00002000,00000004), ref: 00465B0D
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,00000000,00000000,00000011,?,?,00002000,00000004), ref: 00465B41
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,00000000,?,00001000,00000004,00000000,00000000,00000011,?,?,00002000,00000004), ref: 00465B55

Part of subcall function 004653A8: VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00465410
Part of subcall function 004653A8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004), ref: 0046545B

Part of subcall function 00465598: LoadLibraryA.KERNEL32(00000000), ref: 00465607
Part of subcall function 00465598: GetProcAddress.KERNEL32(?,?), ref: 00465737
Part of subcall function 00465598: GetProcAddress.KERNEL32(?,?), ref: 0046576B
Part of subcall function 00465598: IsBadReadPtr.KERNEL32(?,00000014,00000000,004657D8), ref: 004657A9

Part of subcall function 004658F4: VirtualFree.KERNEL32(?,?,00004000), ref: 00465939
Part of subcall function 004658F4: VirtualProtect.KERNEL32(?,?,00000000,?), ref: 004659A5

Part of subcall function 00466038: FreeLibrary.KERNEL32(00000000,?,?,00000000,?,00000000,00465C6C), ref: 004660A7
Part of subcall function 00466038: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,?,00000000,00465C6C), ref: 004660D8
Part of subcall function 00466038: GetProcessHeap.KERNEL32(00000000,?,?,?,00000000,?,00000000,00465C6C), ref: 004660E0
Part of subcall function 00466038: HeapFree.KERNEL32(00000000,00000000,?), ref: 004660E6

Strings

BTMemoryLoadLibary: BuildImportTable failed, xrefs: 00465BD5
BTMemoryLoadLibary: Can't attach library, xrefs: 00465C5A
BTMemoryLoadLibary: IMAGE_NT_SIGNATURE is not valid, xrefs: 00465A95
BTMemoryLoadLibary: VirtualAlloc failed, xrefs: 00465AEC
PE, xrefs: 00465A84
BTMemoryLoadLibary: dll dos header is not valid, xrefs: 00465A4E
MZ, xrefs: 00465A41
BTMemoryLoadLibary: Get DLLEntyPoint failed, xrefs: 00465C28

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004296E0, Relevance: 21.2, APIs: 14, Instructions: 217 Total matches: 2962window

Similarity

Total matches: 2962
API ID: GetDeviceCapsSelectObjectSelectPaletteSetStretchBltMode$CreateCompatibleDCDeleteDCGetBrushOrgExRealizePaletteSetBrushOrgExStretchBlt
String ID:
API String ID: 3308931694-0
Opcode ID: c4f23efe5e20e7f72d9787206ae9d4d4484ef6a1768b369050ebc0ce3d21af64
Instruction ID: 6e80a75276815f297b150d1899ec2451361d21afa1efcd092d0d7bc48a04164e
Opcode Fuzzy Hash: 2C21980A409CEB6BF0BB78840183F4A2285BF9B34ACD1BB210E64673635F04E40BD65F
Instruction Fuzzy Hash: 6e80a75276815f297b150d1899ec2451361d21afa1efcd092d0d7bc48a04164e

APIs

Part of subcall function 00429D5C: GetDC.USER32(00000000), ref: 00429DB2
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429DC7
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00429DD1
Part of subcall function 00429D5C: CreateHalftonePalette.GDI32(00000000), ref: 00429DF5
Part of subcall function 00429D5C: ReleaseDC.USER32(00000000,00000000), ref: 00429E00

SelectPalette.GDI32(?,?,000000FF), ref: 00429723
RealizePalette.GDI32(?), ref: 00429732
GetDeviceCaps.GDI32(?,0000000C), ref: 00429744
GetDeviceCaps.GDI32(?,0000000E), ref: 00429753
GetBrushOrgEx.GDI32(?,?), ref: 00429786
SetStretchBltMode.GDI32(?,00000004), ref: 00429794
SetBrushOrgEx.GDI32(?,?,?,?), ref: 004297AC
SetStretchBltMode.GDI32(00000000,00000003), ref: 004297C9
SelectPalette.GDI32(?,?,000000FF), ref: 00429918

Part of subcall function 00429CFC: DeleteObject.GDI32(?), ref: 00429D1F

CreateCompatibleDC.GDI32(00000000), ref: 0042982A
SelectObject.GDI32(?,?), ref: 0042983F

Part of subcall function 00425CC8: CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 00425D0B
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425D20
Part of subcall function 00425CC8: MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,CCAA0029), ref: 00425D64
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425D7E
Part of subcall function 00425CC8: DeleteObject.GDI32(?), ref: 00425D8A
Part of subcall function 00425CC8: CreateCompatibleDC.GDI32(00000000), ref: 00425D9E
Part of subcall function 00425CC8: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00425DBF
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425DD4
Part of subcall function 00425CC8: SelectPalette.GDI32(?,48080787,00000000), ref: 00425DE8
Part of subcall function 00425CC8: SelectPalette.GDI32(?,?,00000000), ref: 00425DFA
Part of subcall function 00425CC8: SelectPalette.GDI32(?,00000000,000000FF), ref: 00425E0F
Part of subcall function 00425CC8: SelectPalette.GDI32(?,48080787,000000FF), ref: 00425E25
Part of subcall function 00425CC8: RealizePalette.GDI32(?), ref: 00425E31
Part of subcall function 00425CC8: StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 00425E53
Part of subcall function 00425CC8: StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 00425E75
Part of subcall function 00425CC8: SetTextColor.GDI32(?,00000000), ref: 00425E7D
Part of subcall function 00425CC8: SetBkColor.GDI32(?,00FFFFFF), ref: 00425E8B
Part of subcall function 00425CC8: StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 00425EB7
Part of subcall function 00425CC8: StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 00425EDC
Part of subcall function 00425CC8: SetTextColor.GDI32(?,?), ref: 00425EE6
Part of subcall function 00425CC8: SetBkColor.GDI32(?,?), ref: 00425EF0
Part of subcall function 00425CC8: SelectObject.GDI32(?,00000000), ref: 00425F03
Part of subcall function 00425CC8: DeleteObject.GDI32(?), ref: 00425F0C
Part of subcall function 00425CC8: SelectPalette.GDI32(?,00000000,00000000), ref: 00425F2E
Part of subcall function 00425CC8: DeleteDC.GDI32(?), ref: 00425F37

SelectObject.GDI32(?,00000000), ref: 0042989E
DeleteDC.GDI32(00000000), ref: 004298AD
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,?), ref: 004298F3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474208, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 49 Total matches: 17libraryloader

Similarity

Total matches: 17
API ID: GetProcAddress$LoadLibrary
String ID: WlanCloseHandle$WlanEnumInterfaces$WlanGetAvailableNetworkList$WlanOpenHandle$WlanQueryInterface$[FILE]
API String ID: 2209490600-3498334979
Opcode ID: 5146edb54a207047eae4574c9a27975307ac735bfb4468aea4e07443cdf6e803
Instruction ID: f89292433987c39bc7d9e273a1951c9a278ebb56a2de24d0a3e4590a01f53334
Opcode Fuzzy Hash: 50E0B6FD90BAA808D37089CC31962431D6E7BE332DA621E00086A230902B4FF2766935
Instruction Fuzzy Hash: f89292433987c39bc7d9e273a1951c9a278ebb56a2de24d0a3e4590a01f53334

APIs

LoadLibraryA.KERNEL32(wlanapi.dll), ref: 00474216
GetProcAddress.KERNEL32(00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 0047422E
GetProcAddress.KERNEL32(00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 00474249
GetProcAddress.KERNEL32(00000000,WlanEnumInterfaces,00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 00474264
GetProcAddress.KERNEL32(00000000,WlanQueryInterface,00000000,WlanEnumInterfaces,00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 0047427F
GetProcAddress.KERNEL32(00000000,WlanGetAvailableNetworkList,00000000,WlanQueryInterface,00000000,WlanEnumInterfaces,00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 0047429A

Strings

WlanOpenHandle, xrefs: 00474226
wlanapi.dll, xrefs: 00474211
WlanGetAvailableNetworkList, xrefs: 00474292
WlanQueryInterface, xrefs: 00474277
WlanEnumInterfaces, xrefs: 0047425C
WlanCloseHandle, xrefs: 00474241

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048D3C4, Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 132 Total matches: 32

Similarity

Total matches: 32
API ID: GetVersionEx
String ID: Unknow$Windows 2000$Windows 7$Windows 95$Windows 98$Windows Me$Windows NT 4.0$Windows Server 2003$Windows Vista$Windows XP
API String ID: 3908303307-3783844371
Opcode ID: 7b5a5832e5fd12129a8a2e2906a492b9449b8df28a17af9cc2e55bced20de565
Instruction ID: b844ed6b70e0e94de659292c354b68b9ed016400ab421bcb6baea74a0809c2ae
Opcode Fuzzy Hash: 0C11ACC1EB6CE422E7B219486410BD59E805F8B83AFCCC343D63EA83E46D491419F22D
Instruction Fuzzy Hash: b844ed6b70e0e94de659292c354b68b9ed016400ab421bcb6baea74a0809c2ae

APIs

GetVersionExA.KERNEL32(00000094), ref: 0048D410

Strings

Windows Me, xrefs: 0048D4F2
Windows NT 4.0, xrefs: 0048D441
Windows 2000, xrefs: 0048D467
Windows 95, xrefs: 0048D4D6
Windows 7, xrefs: 0048D4B1
Unknow, xrefs: 0048D3F5
Windows Vista, xrefs: 0048D4A3
Windows Server 2003, xrefs: 0048D486
Windows XP, xrefs: 0048D478
Windows 98, xrefs: 0048D4E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C494, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 102 Total matches: 27filememorythread

Similarity

Total matches: 27
API ID: CloseHandle$CreateFileCreateThreadFindResourceLoadResourceLocalAllocLockResourceSizeofResourceWriteFile
String ID: [FILE]
API String ID: 67866216-124780900
Opcode ID: 96c988e38e59b89ff17cc2eaece477f828ad8744e4a6eccd5192cfbc043553d8
Instruction ID: 630cc112895e8414539e3ba5b7ba0394fd4404f3832c6fa9d37db38bf09270f9
Opcode Fuzzy Hash: D5F02B8A57A5E6A3F0003C841D423D286D55B13B20E582B62C57CB75C1FE24502AFB03
Instruction Fuzzy Hash: 630cc112895e8414539e3ba5b7ba0394fd4404f3832c6fa9d37db38bf09270f9

APIs

FindResourceA.KERNEL32(00000000,?,?), ref: 0048C4C3

Part of subcall function 00489BB0: GetTempPathA.KERNEL32(?,00000000), ref: 00489BEC

CreateFileA.KERNEL32(00000000,.dll,?,?,40000000,00000002,00000000), ref: 0048C50F
SizeofResource.KERNEL32(00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC,?,?,?,?,00000000,00000000,00000000), ref: 0048C51F
LoadResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C528
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C52E
WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0048C535
CloseHandle.KERNEL32(00000000), ref: 0048C53B
LocalAlloc.KERNEL32(00000040,00000004,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C544
CreateThread.KERNEL32(00000000,00000000,0048C3E4,00000000,00000000,?), ref: 0048C586
CloseHandle.KERNEL32(00000000), ref: 0048C58C

Strings

.dll, xrefs: 0048C4F4, 0048C565

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004085D4, Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 61 Total matches: 268windowregistry

Similarity

Total matches: 268
API ID: RegisterWindowMessage$SendMessage$FindWindow
String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
API String ID: 773075572-3736581797
Opcode ID: b8d29d158da692a3f30c7c46c0fd30bc084ed528be5294db655e4684b6c0c80f
Instruction ID: 4e75a9db2a85290b2bd165713cc3b8ab264a87c6022b985514cebb886d0c2653
Opcode Fuzzy Hash: E3E086048EC5E4C040877D156905746525A5B47E33E88971245FC69EEBDF12706CF60B
Instruction Fuzzy Hash: 4e75a9db2a85290b2bd165713cc3b8ab264a87c6022b985514cebb886d0c2653

APIs

FindWindowA.USER32(MouseZ,Magellan MSWHEEL), ref: 004085EC
RegisterWindowMessageA.USER32(MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 004085F8
RegisterWindowMessageA.USER32(MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 00408607
RegisterWindowMessageA.USER32(MSH_SCROLL_LINES_MSG,MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 00408613
SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 0040862B
SendMessageA.USER32(00000000,?,00000000,00000000), ref: 0040864F

Strings

MSH_SCROLL_LINES_MSG, xrefs: 0040860E
MSH_WHEELSUPPORT_MSG, xrefs: 00408602
MouseZ, xrefs: 004085E7
Magellan MSWHEEL, xrefs: 004085E2
MSWHEEL_ROLLMSG, xrefs: 004085F3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00442280, Relevance: 18.5, APIs: 12, Instructions: 471 Total matches: 76window

Similarity

Total matches: 76
API ID: ShowWindow$SendMessageSetWindowPos$CallWindowProcGetActiveWindowSetActiveWindow
String ID:
API String ID: 1078102291-0
Opcode ID: 5a6bc4dc446307c7628f18d730adac2faaaadfe5fec0ff2c8aaad915570e293a
Instruction ID: d2d7a330045c082ee8847ac264425c59ea8f05af409e416109ccbd6a8a647aa5
Opcode Fuzzy Hash: AA512601698E2453F8A360442A87BAB6077F74EB54CC4AB744BCF530AB3A51D837E74B
Instruction Fuzzy Hash: d2d7a330045c082ee8847ac264425c59ea8f05af409e416109ccbd6a8a647aa5

APIs

Part of subcall function 004471C4: IsChild.USER32(00000000,00000000), ref: 00447222

SendMessageA.USER32(?,00000223,00000000,00000000), ref: 004426BE
ShowWindow.USER32(00000000,00000003), ref: 004426CE
ShowWindow.USER32(00000000,00000002), ref: 004426F0
CallWindowProcA.USER32(00407FF8,00000000,00000005,00000000,?), ref: 00442719
SendMessageA.USER32(?,00000234,00000000,00000000), ref: 0044273E
ShowWindow.USER32(00000000,?), ref: 00442763
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000097), ref: 004427FF
GetActiveWindow.USER32 ref: 00442815
ShowWindow.USER32(00000000,00000000), ref: 00442872

Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773

Part of subcall function 0043BA80: GetCurrentThreadId.KERNEL32(Function_0003BA1C,00000000,0044283C,00000000,004428BF), ref: 0043BA9A
Part of subcall function 0043BA80: EnumThreadWindows.USER32(00000000,Function_0003BA1C,00000000), ref: 0043BAA0

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000097), ref: 0044285A
SetActiveWindow.USER32(00000000), ref: 00442860
ShowWindow.USER32(00000000,00000001), ref: 004428A2

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004328FC, Relevance: 18.1, APIs: 12, Instructions: 142 Total matches: 2670

Similarity

Total matches: 2670
API ID: GetSystemMetricsGetWindowLong$ExcludeClipRectFillRectGetSysColorBrushGetWindowDCGetWindowRectInflateRectOffsetRectReleaseDC
String ID:
API String ID: 3932036319-0
Opcode ID: 76064c448b287af48dc2af56ceef959adfeb7e49e56a31cb381aae6292753b0b
Instruction ID: f04c829c48dd0ecc4740a09c532db4e7ffce190e9eba6ce852bb2d0274806371
Opcode Fuzzy Hash: 03019760024F1233E0B31AC05DC7F127621ED45386CA4BBF28BF6A72C962AA7006F467
Instruction Fuzzy Hash: f04c829c48dd0ecc4740a09c532db4e7ffce190e9eba6ce852bb2d0274806371

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 00432917
GetWindowRect.USER32(00000000,?), ref: 00432932
OffsetRect.USER32(?,?,?), ref: 00432947
GetWindowDC.USER32(00000000), ref: 00432955
GetWindowLongA.USER32(00000000,000000F0), ref: 00432986
GetSystemMetrics.USER32(00000002), ref: 0043299B
GetSystemMetrics.USER32(00000003), ref: 004329A4
InflateRect.USER32(?,000000FE,000000FE), ref: 004329B3
GetSysColorBrush.USER32(0000000F), ref: 004329E0
FillRect.USER32(?,?,00000000), ref: 004329EE
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00432A13
ReleaseDC.USER32(00000000,?), ref: 00432A51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00402820, Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 254 Total matches: 200window

Similarity

Total matches: 200
API ID: MessageBox
String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
API String ID: 1250089747-1256731999
Opcode ID: 490897b8e9acac750f9d51d50a768472c0795dbdc6439b18441db86d626ce938
Instruction ID: 76dfa530adb1b8c2cc13e2667be7c25ba156ed0594aa9714788bfb3d1a0eda85
Opcode Fuzzy Hash: 0731F44BA7DDC3A2D3E91303684575550E2A7C5537C888F609772317F6EE04250BAAAD
Instruction Fuzzy Hash: 76dfa530adb1b8c2cc13e2667be7c25ba156ed0594aa9714788bfb3d1a0eda85

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 00402BBE

Strings

An unexpected memory leak has occurred. , xrefs: 00402980
String, xrefs: 00402A91
, xrefs: 00402B04
Unknown, xrefs: 00402A7C
The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402B39
The unexpected small block leaks are:, xrefs: 004029F7
Unexpected Memory Leak, xrefs: 00402BB0
7, xrefs: 00402991
bytes: , xrefs: 00402A4D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F17C, Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 116 Total matches: 33window

Similarity

Total matches: 33
API ID: GetWindowPlacementGetWindowTextIsWindowVisible
String ID: ,$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive$True
API String ID: 41250382-511446200
Opcode ID: 2a93bd2407602c988be198f02ecb64933adb9ffad78aee0f75abc9a1a22a1849
Instruction ID: 8f95e1a452f283c9d6a5f9db166b7f7b6e325fa1ebf04232aa01919826a7e185
Opcode Fuzzy Hash: F5012D8237CECA73DA0AAEC47C00B80D5A5AF63224CC867A14A9D3D1D41ED06009AB4A
Instruction Fuzzy Hash: 8f95e1a452f283c9d6a5f9db166b7f7b6e325fa1ebf04232aa01919826a7e185

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F1D2
GetWindowPlacement.USER32(?,0000002C), ref: 0046F1ED
IsWindowVisible.USER32(?), ref: 0046F258

Part of subcall function 0046F148: GetWindow.USER32(?,00000005), ref: 0046F156
Part of subcall function 0046F148: GetWindow.USER32(00000000,00000002), ref: 0046F164

Strings

,, xrefs: 0046F1E1
Minimized, xrefs: 0046F225
Show/Unactive, xrefs: 0046F239
True, xrefs: 0046F2AA
Maximized, xrefs: 0046F1FD
Normal, xrefs: 0046F211
Normal/Unactive, xrefs: 0046F24D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E71C, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 109 Total matches: 2989

Similarity

Total matches: 2989
API ID: IntersectRect$GetSystemMetrics$EnumDisplayMonitorsGetClipBoxGetDCOrgExOffsetRect
String ID: EnumDisplayMonitors
API String ID: 2403121106-2491903729
Opcode ID: 52db4d6629bbd73772140d7e04a91d47a072080cb3515019dbe85a8b86b11587
Instruction ID: b4557ab74b20c8893b9e8c5043286aecf6e43751f6ec849995a879e485a4fa77
Opcode Fuzzy Hash: 60F02B4B413C0863AD32BB953067E2601615BD3955C9F7BF34D077A2091B85B42EF643
Instruction Fuzzy Hash: b4557ab74b20c8893b9e8c5043286aecf6e43751f6ec849995a879e485a4fa77

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 0042E755
GetSystemMetrics.USER32(00000000), ref: 0042E77A
GetSystemMetrics.USER32(00000001), ref: 0042E785
GetClipBox.GDI32(?,?), ref: 0042E797
GetDCOrgEx.GDI32(?,?), ref: 0042E7A4
OffsetRect.USER32(?,?,?), ref: 0042E7BD
IntersectRect.USER32(?,?,?), ref: 0042E7CE
IntersectRect.USER32(?,?,?), ref: 0042E7E4
IntersectRect.USER32(?,?,?), ref: 0042E804

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

EnumDisplayMonitors, xrefs: 0042E734

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044D1B0, Relevance: 16.6, APIs: 11, Instructions: 91 Total matches: 309

Similarity

Total matches: 309
API ID: GetWindowLongSetWindowLong$SetProp$IsWindowUnicode
String ID:
API String ID: 2416549522-0
Opcode ID: cc33e88019e13a6bdd1cd1f337bb9aa08043e237bf24f75c2294c70aefb51ea5
Instruction ID: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692
Opcode Fuzzy Hash: 47F09048455D92E9CE316990181BFEB6098AF57F91CE86B0469C2713778E50F079BCC2
Instruction Fuzzy Hash: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692

APIs

IsWindowUnicode.USER32(?), ref: 0044D1CA
SetWindowLongW.USER32(?,000000FC,?), ref: 0044D1E5
GetWindowLongW.USER32(?,000000F0), ref: 0044D1F0
GetWindowLongW.USER32(?,000000F4), ref: 0044D202
SetWindowLongW.USER32(?,000000F4,?), ref: 0044D215
SetWindowLongA.USER32(?,000000FC,?), ref: 0044D22E
GetWindowLongA.USER32(?,000000F0), ref: 0044D239
GetWindowLongA.USER32(?,000000F4), ref: 0044D24B
SetWindowLongA.USER32(?,000000F4,?), ref: 0044D25E
SetPropA.USER32(?,00000000,00000000), ref: 0044D275
SetPropA.USER32(?,00000000,00000000), ref: 0044D28C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00485954, Relevance: 16.0, APIs: 4, Strings: 5, Instructions: 236 Total matches: 15filewindow

Similarity

Total matches: 15
API ID: DeleteFile$BeepMessageBox
String ID: Error$SYSINFO$out.txt$systeminfo$tmp.txt
API String ID: 2513333429-345806071
Opcode ID: 175ef29eb0126f4faf8d8d995bdbdcdb5595b05f6195c7c08c0282fe984d4c47
Instruction ID: 39f7f17e1c987efdb7b4b5db2f739eec2f93dce701a473bbe0ca777f64945c64
Opcode Fuzzy Hash: 473108146FCD9607E0675C047D43BB622369F83488E8AB3736AB7321E95E12C007FE96
Instruction Fuzzy Hash: 39f7f17e1c987efdb7b4b5db2f739eec2f93dce701a473bbe0ca777f64945c64

APIs

Beep.KERNEL32(00000000,00000000,?,00000000,00485C82), ref: 00485C68

Part of subcall function 00489BB0: GetTempPathA.KERNEL32(?,00000000), ref: 00489BEC

Part of subcall function 0048AB58: DeleteFileA.KERNEL32(00000000,00000000,0048ABE5,?,00000000,0048AC07), ref: 0048ABA5

Part of subcall function 0048A8AC: CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000004,00000100,00000000), ref: 0048A953
Part of subcall function 0048A8AC: CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000002,00000100,00000000), ref: 0048A98D
Part of subcall function 0048A8AC: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000110,00000000,00000000,00000044,?), ref: 0048AA10
Part of subcall function 0048A8AC: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0048AA2D
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA68
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA77
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA86
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA95

DeleteFileA.KERNEL32(00000000,Error,00000000,00485C82), ref: 00485A63
DeleteFileA.KERNEL32(00000000,00000000,Error,00000000,00485C82), ref: 00485A92

Part of subcall function 00485888: LocalAlloc.KERNEL32(00000040,00000014,00000000,00485939), ref: 004858C3
Part of subcall function 00485888: CreateThread.KERNEL32(00000000,00000000,Function_0008317C,00000000,00000000,00499F94), ref: 00485913
Part of subcall function 00485888: CloseHandle.KERNEL32(00000000), ref: 00485919

MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00485BE3

Strings

systeminfo, xrefs: 00485A14
tmp.txt, xrefs: 004859CA, 00485A07, 00485A79
Error, xrefs: 004859DE
SYSINFO, xrefs: 00485AAE
out.txt, xrefs: 004859AB, 004859EE, 00485A2A, 00485A4A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00462C84, Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 197 Total matches: 15com

Similarity

Total matches: 15
API ID: CoCreateInstance
String ID: )I$,*I$\)I$l)I$|*I
API String ID: 206711758-730570145
Opcode ID: 8999b16d8999ffb1a836ee872fd39b0ec17270f551e5dbcbb19cdec74f308aa7
Instruction ID: 5b7ba80d8099b44c35cabc3879083aa44c7049928a8bf14f2fd8312944c66e37
Opcode Fuzzy Hash: D1212B50148E6143E69475A53D92FAF11533BAB341E68BA6821DF30396CF01619BBF86
Instruction Fuzzy Hash: 5b7ba80d8099b44c35cabc3879083aa44c7049928a8bf14f2fd8312944c66e37

APIs

CoCreateInstance.OLE32(00492A2C,00000000,00000003,0049296C,00000000), ref: 00462CC9
CoCreateInstance.OLE32(00492A8C,00000000,00000001,00462EC8,00000000), ref: 00462CF4
CoCreateInstance.OLE32(00492A9C,00000000,00000001,0049295C,00000000), ref: 00462D20
CoCreateInstance.OLE32(00492A1C,00000000,00000003,004929AC,00000000), ref: 00462E12

Strings

,*I, xrefs: 00462CC3
l)I, xrefs: 00462CB9
)I, xrefs: 00462E4B
\)I, xrefs: 00462D10
|*I, xrefs: 00462D3C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048485C, Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 185 Total matches: 16networkfile

Similarity

Total matches: 16
API ID: HttpQueryInfoInternetCloseHandleInternetOpenInternetOpenUrlInternetReadFileShellExecute
String ID: 200$Mozilla$open
API String ID: 3970492845-1265730427
Opcode ID: 3dc36a46b375420b33b8be952117d0a4158fa58e722c19be8f44cfd6d7effa21
Instruction ID: c028a43d89851b06b6d8b312316828d3eee8359a726d0fa9a5f52c6647499b4f
Opcode Fuzzy Hash: B0213B401399C252F8372E512C83B9D101FDF82639F8857F197B9396D5EF48400DFA9A
Instruction Fuzzy Hash: c028a43d89851b06b6d8b312316828d3eee8359a726d0fa9a5f52c6647499b4f

APIs

InternetOpenA.WININET(Mozilla,00000001,00000000,00000000,00000000), ref: 0048490C
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,04000000,00000000), ref: 00484944
HttpQueryInfoA.WININET(00000000,00000013,?,00000200,?), ref: 0048497D
InternetReadFile.WININET(00000000,?,00000400,?), ref: 00484A04
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 00484A75
InternetCloseHandle.WININET(00000000), ref: 00484A95

Strings

200, xrefs: 004849BD
Mozilla, xrefs: 00484907
open, xrefs: 00484A6E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00448A94, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 170 Total matches: 10window

Similarity

Total matches: 10
API ID: BitBltImageList_DrawExSetBkColorSetTextColor
String ID: 6B
API String ID: 2442363623-1343726390
Opcode ID: f3e76f340fad2a36508cc9c10341b5bdbc0f221426f742f3eb9c92a513530c20
Instruction ID: 7c37791f634a82759e4cc75f05e789a5555426b5a490053cb838fe875b53176d
Opcode Fuzzy Hash: 041108094568A31EE56978080947F3721865B07A61C4A77A03AF31B3DACD443147FB69
Instruction Fuzzy Hash: 7c37791f634a82759e4cc75f05e789a5555426b5a490053cb838fe875b53176d

APIs

ImageList_DrawEx.COMCTL32(00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,?), ref: 00448AF3

Part of subcall function 0042535C: FillRect.USER32(?,00000000,00000000), ref: 00425385

ImageList_DrawEx.COMCTL32(00000000,?,00000000,00000000,00000000,00000000,00000000,000000FF,00000000,00000000), ref: 00448B94
SetTextColor.GDI32(00000000,00FFFFFF), ref: 00448BE1
SetBkColor.GDI32(00000000,00000000), ref: 00448BE9
BitBlt.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00E20746), ref: 00448C0E
SetTextColor.GDI32(00000000,00FFFFFF), ref: 00448C2F
SetBkColor.GDI32(00000000,00000000), ref: 00448C37
BitBlt.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00E20746), ref: 00448C5A

Part of subcall function 00448A6C: ImageList_GetBkColor.COMCTL32(00000000,?,00448ACD,00000000,?), ref: 00448A82

Strings

6B, xrefs: 00448B05

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A8AC, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 146 Total matches: 45fileprocesssynchronization

Similarity

Total matches: 45
API ID: CloseHandle$CreateFile$CreateProcessWaitForSingleObject
String ID: D
API String ID: 1169714791-2746444292
Opcode ID: 9fb844b51f751657abfdf9935c21911306aa385a3997c9217fbe2ce6b668f812
Instruction ID: 79e473b7fda91be69f4d7f417df14a4c992ec25b9310636d694ca9e09f5cc5b6
Opcode Fuzzy Hash: 4D11E6431384F3F3F1A567002C8275185D6DB45A78E6D9752D6B6323EECB40A16CF94A
Instruction Fuzzy Hash: 79e473b7fda91be69f4d7f417df14a4c992ec25b9310636d694ca9e09f5cc5b6

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000004,00000100,00000000), ref: 0048A953
CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000002,00000100,00000000), ref: 0048A98D
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000110,00000000,00000000,00000044,?), ref: 0048AA10
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0048AA2D
CloseHandle.KERNEL32(00000000), ref: 0048AA68
CloseHandle.KERNEL32(00000000), ref: 0048AA77
CloseHandle.KERNEL32(00000000), ref: 0048AA86
CloseHandle.KERNEL32(00000000), ref: 0048AA95

Strings

D, xrefs: 0048A9BB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00483468, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 118 Total matches: 10networkthread

Similarity

Total matches: 10
API ID: InternetCloseHandle$ExitThreadInternetOpenInternetOpenUrl
String ID: Times.$[.exe]$H4H$myappname
API String ID: 1533170427-2018508691
Opcode ID: 9bfd80528866c3fa2248181b1ccb48c134560f4eab1f6b9a7ba83a7f0698ff3d
Instruction ID: 5d8c8af60e1396200864222ed7d4265ca944ca2bef987cfa67465281aeb1ae53
Opcode Fuzzy Hash: 5201284087779767E0713A843C83BA64057AF53F79E88AB6006383B6C28D5E501EFE1E
Instruction Fuzzy Hash: 5d8c8af60e1396200864222ed7d4265ca944ca2bef987cfa67465281aeb1ae53

APIs

InternetOpenA.WININET(myappname,00000000,00000000,00000000,00000000), ref: 0048350C
InternetOpenUrlA.WININET(?,00000000,00000000,00000000,00000000,00000000), ref: 00483537
InternetCloseHandle.WININET(00000000), ref: 0048353D
InternetCloseHandle.WININET(?), ref: 00483553

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000, Times.,?,?,00000000,00483684,?,BTRESULTVisit URL|finished to visit ,?,004835AC,?,myappname,00000000,00000000,00000000,00000000), ref: 0048359F

Strings

myappname, xrefs: 00483507
H4H, xrefs: 00483497, 0048361C
BTRESULTVisit URL|finished to visit , xrefs: 00483558
Times., xrefs: 0048357D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F3B8, Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 110 Total matches: 30

Similarity

Total matches: 30
API ID: GetWindowPlacementGetWindowText
String ID: ,$False$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive
API String ID: 3194812178-3661939895
Opcode ID: 6e67ebc189e59b109926b976878c05c5ff8e56a7c2fe83319816f47c7d386b2c
Instruction ID: 05c2a068ec8248d3d24fb73124f2ba0192b7bb261c799db9564259cde8fcc610
Opcode Fuzzy Hash: DC012BC22786CE23E606A9C47A00BD0CE65AFB261CCC867E14FEE3C5D57ED100089B96
Instruction Fuzzy Hash: 05c2a068ec8248d3d24fb73124f2ba0192b7bb261c799db9564259cde8fcc610

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F40E
GetWindowPlacement.USER32(?,0000002C), ref: 0046F429

Part of subcall function 0046F148: GetWindow.USER32(?,00000005), ref: 0046F156
Part of subcall function 0046F148: GetWindow.USER32(00000000,00000002), ref: 0046F164

Strings

Maximized, xrefs: 0046F439
,, xrefs: 0046F41D
False, xrefs: 0046F4D6
Show/Unactive, xrefs: 0046F475
Normal, xrefs: 0046F44D
Minimized, xrefs: 0046F461
Normal/Unactive, xrefs: 0046F489

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00456278, Relevance: 15.2, APIs: 10, Instructions: 197 Total matches: 3025

Similarity

Total matches: 3025
API ID: GetWindowLong$IntersectClipRectRestoreDCSaveDC
String ID:
API String ID: 3006731778-0
Opcode ID: 42e9e34b880910027b3e3a352b823e5a85719ef328f9c6ea61aaf2d3498d6580
Instruction ID: 4204c0258dd60c0c2688d7e8ce7edc9cd036ce1826430425374ca7ebdb7834a4
Opcode Fuzzy Hash: 4621F609168D5267EC7B75806993BAA7111FB82B88CD1F7321AA1171975B80204BFA07
Instruction Fuzzy Hash: 4204c0258dd60c0c2688d7e8ce7edc9cd036ce1826430425374ca7ebdb7834a4

APIs

SaveDC.GDI32(?), ref: 00456295

Part of subcall function 0044EEA0: GetWindowOrgEx.GDI32(?), ref: 0044EEAE
Part of subcall function 0044EEA0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044EEC4

IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 004562CE
GetWindowLongA.USER32(00000000,000000EC), ref: 004562E2
GetWindowLongA.USER32(00000000,000000F0), ref: 00456303

Part of subcall function 00456278: SetRect.USER32(00000010,00000000,00000000,?,?), ref: 00456363
Part of subcall function 00456278: IntersectClipRect.GDI32(?,00000000,00000000,00000010,?), ref: 004563D3
Part of subcall function 00456278: SetRect.USER32(?,00000000,00000000,?,?), ref: 004563F4
Part of subcall function 00456278: DrawEdge.USER32(?,?,00000000,00000000), ref: 00456403
Part of subcall function 00456278: IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0045642C

RestoreDC.GDI32(?,?), ref: 004564AB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043F2B8, Relevance: 15.1, APIs: 10, Instructions: 133 Total matches: 142window

Similarity

Total matches: 142
API ID: GetWindowLongSendMessageSetWindowLong$GetClassLongGetSystemMenuSetClassLongSetWindowPos
String ID:
API String ID: 864553395-0
Opcode ID: 9ab73d602731c043e05f06fe9a833ffc60d2bf7da5b0a21ed43778f35c9aa1f5
Instruction ID: 86e40c6f39a8dd384175e0123e2dc7e82ae64037638b8220b5ac0861a23d6a34
Opcode Fuzzy Hash: B101DBAA1A176361E0912DCCCAC3B2ED50DB743248EB0DBD922E11540E7F4590A7FE2D
Instruction Fuzzy Hash: 86e40c6f39a8dd384175e0123e2dc7e82ae64037638b8220b5ac0861a23d6a34

APIs

GetWindowLongA.USER32(00000000,000000F0), ref: 0043F329
GetWindowLongA.USER32(00000000,000000EC), ref: 0043F33B
GetClassLongA.USER32(00000000,000000E6), ref: 0043F34E
SetWindowLongA.USER32(00000000,000000F0,00000000), ref: 0043F38E
SetWindowLongA.USER32(00000000,000000EC,?), ref: 0043F3A2
SetClassLongA.USER32(00000000,000000E6,?), ref: 0043F3B6
SendMessageA.USER32(00000000,00000080,00000001,00000000), ref: 0043F3F0
SendMessageA.USER32(00000000,00000080,00000001,00000000), ref: 0043F408
GetSystemMenu.USER32(00000000,000000FF), ref: 0043F417
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043F440

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044155C, Relevance: 15.1, APIs: 10, Instructions: 74 Total matches: 3192window

Similarity

Total matches: 3192
API ID: DeleteMenu$EnableMenuItem$GetSystemMenu
String ID:
API String ID: 3542995237-0
Opcode ID: 6b257927fe0fdeada418aad578b82fbca612965c587f2749ccb5523ad42afade
Instruction ID: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578
Opcode Fuzzy Hash: 0AF0D09DD98F1151E6F500410C47B83C08AFF413C5C245B380583217EFA9D25A5BEB0E
Instruction Fuzzy Hash: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 004415A7
DeleteMenu.USER32(00000000,0000F130,00000000), ref: 004415C5
DeleteMenu.USER32(00000000,00000007,00000400), ref: 004415D2
DeleteMenu.USER32(00000000,00000005,00000400), ref: 004415DF
DeleteMenu.USER32(00000000,0000F030,00000000), ref: 004415EC
DeleteMenu.USER32(00000000,0000F020,00000000), ref: 004415F9
DeleteMenu.USER32(00000000,0000F000,00000000), ref: 00441606
DeleteMenu.USER32(00000000,0000F120,00000000), ref: 00441613
EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 00441631
EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 0044164D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040281E, Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 188 Total matches: 190window

Similarity

Total matches: 190
API ID: MessageBox
String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
API String ID: 1250089747-980038931
Opcode ID: 1669ecd234b97cdbd14c3df7a35b1e74c6856795be7635a3e0f5130a3d9bc831
Instruction ID: 2e60dbe28dcd1d3aa5670394eea0bc97309ab4bc9661f15f320bab8b5d4cd559
Opcode Fuzzy Hash: 8E21F44B67EED392D3EA1303384575540E3ABC5537D888F60977232BF6EE14140BAA9D
Instruction Fuzzy Hash: 2e60dbe28dcd1d3aa5670394eea0bc97309ab4bc9661f15f320bab8b5d4cd559

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 00402BBE

Strings

An unexpected memory leak has occurred. , xrefs: 00402980
, xrefs: 00402B04
The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402B39
The unexpected small block leaks are:, xrefs: 004029F7
Unexpected Memory Leak, xrefs: 00402BB0
7, xrefs: 00402991
bytes: , xrefs: 00402A4D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004710F0, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 66 Total matches: 37

Similarity

Total matches: 37
API ID: GetWindowShowWindow$FindWindowGetClassName
String ID: BUTTON$Shell_TrayWnd
API String ID: 2948047570-3627955571
Opcode ID: 9e064d9ead1b610c0c1481de5900685eb7d76be14ef2e83358ce558d27e67668
Instruction ID: d360bd029940f6fa4d12d7627fe3e8b46839e67e31e965d43504e39a11938d6c
Opcode Fuzzy Hash: 68E092CC17B5D469B71A2789284236241D5C763A35C18B752D332376DF8E58021EE60A
Instruction Fuzzy Hash: d360bd029940f6fa4d12d7627fe3e8b46839e67e31e965d43504e39a11938d6c

APIs

FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 0047111D
GetWindow.USER32(00000000,00000005), ref: 00471125
GetClassNameA.USER32(00000000,?,00000080), ref: 0047113D
ShowWindow.USER32(00000000,00000001), ref: 0047117C
ShowWindow.USER32(00000000,00000000), ref: 00471186
GetWindow.USER32(00000000,00000002), ref: 0047118E

Strings

BUTTON, xrefs: 00471168
Shell_TrayWnd, xrefs: 00471118

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040DA34, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 56 Total matches: 16filewindow

Similarity

Total matches: 16
API ID: GetStdHandleWriteFile$CharToOemLoadStringMessageBox
String ID: LPI
API String ID: 3807148645-863635926
Opcode ID: 539cd2763de28bf02588dbfeae931fa34031625c31423c558e1c96719d1f86e4
Instruction ID: 5b0ab8211e0f5c40d4b1780363d5c9b524eff0228eb78845b7b0cb7c9884c59c
Opcode Fuzzy Hash: B1E09A464E3CA62353002E1070C6B892287EF4302E93833828A11787D74E3104E9A21C
Instruction Fuzzy Hash: 5b0ab8211e0f5c40d4b1780363d5c9b524eff0228eb78845b7b0cb7c9884c59c

APIs

Part of subcall function 0040D8AC: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040D8C9
Part of subcall function 0040D8AC: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040D8ED
Part of subcall function 0040D8AC: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040D908
Part of subcall function 0040D8AC: LoadStringA.USER32(00000000,0000FFED,?,00000100), ref: 0040D99E

CharToOemA.USER32(?,?), ref: 0040DA6B
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,0040E1ED,0040E312,0040FDD4,00000000,0040FF18), ref: 0040DA88
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?), ref: 0040DA8E
GetStdHandle.KERNEL32(000000F4,0040DAF8,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,0040E1ED,0040E312,0040FDD4,00000000,0040FF18), ref: 0040DAA3
WriteFile.KERNEL32(00000000,000000F4,0040DAF8,00000002,?), ref: 0040DAA9
LoadStringA.USER32(00000000,0000FFEE,?,00000040), ref: 0040DACB
MessageBoxA.USER32(00000000,?,?,00002010), ref: 0040DAE1

Strings

LPI, xrefs: 0040DA48

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004564D0, Relevance: 13.7, APIs: 9, Instructions: 177 Total matches: 190window

Similarity

Total matches: 190
API ID: SelectObject$BeginPaintBitBltCreateCompatibleBitmapCreateCompatibleDCSetWindowOrgEx
String ID:
API String ID: 1616898104-0
Opcode ID: 00b711a092303d63a394b0039c66d91bff64c6bf82b839551a80748cfcb5bf1e
Instruction ID: 1affb125a654ca7596d0e4f6c4811def945eff925a29ebecd1c68cf0f38a7913
Opcode Fuzzy Hash: 14115B85024DA637E8739CC85E83F962294F307D48C91F7729BA31B2C72F15600DD293
Instruction Fuzzy Hash: 1affb125a654ca7596d0e4f6c4811def945eff925a29ebecd1c68cf0f38a7913

APIs

Part of subcall function 00455D50: BeginPaint.USER32(00000000,?), ref: 00455D7B
Part of subcall function 00455D50: SaveDC.GDI32(00000000), ref: 00455DB4
Part of subcall function 00455D50: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 00455E36
Part of subcall function 00455D50: RestoreDC.GDI32(00000000,00000000), ref: 00455E6C
Part of subcall function 00455D50: EndPaint.USER32(00000000,?), ref: 00455EA9

BeginPaint.USER32(00000000,?), ref: 004565EA
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00456600
CreateCompatibleDC.GDI32(00000000), ref: 00456617
SelectObject.GDI32(?,?), ref: 00456627
SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0045664B

Part of subcall function 004564D0: BeginPaint.USER32(00000000,?), ref: 0045653C
Part of subcall function 004564D0: EndPaint.USER32(00000000,?), ref: 004565D0

BitBlt.GDI32(00000000,?,?,?,?,?,?,?,00CC0020), ref: 00456699
SelectObject.GDI32(?,?), ref: 004566B3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004840D8, Relevance: 13.6, APIs: 9, Instructions: 150 Total matches: 30

Similarity

Total matches: 30
API ID: CloseHandleGetTokenInformationLookupAccountSid$GetLastErrorOpenProcessOpenProcessToken
String ID:
API String ID: 1387212650-0
Opcode ID: 55fc45e655e8bcad6bc41288bae252f5ee7be0b7cb976adfe173a6785b05be5f
Instruction ID: 4c6b5abeafcca947752a893948ed48d42e020b1fe5683f4a654fc51f6199c0a3
Opcode Fuzzy Hash: 3901484A17CA2293F53BB5C82483FEA1215E702B45D48B7A354F43A59A5F45A13BF702
Instruction Fuzzy Hash: 4c6b5abeafcca947752a893948ed48d42e020b1fe5683f4a654fc51f6199c0a3

APIs

OpenProcess.KERNEL32(00000400,00000000,?,00000000,00484275), ref: 00484108
OpenProcessToken.ADVAPI32(00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 0048411E
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,?,00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 00484139
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),?,?,?,?,TokenIntegrityLevel,00000000,00000000,?,00000000,00000008,?,00000400,00000000), ref: 00484168
GetLastError.KERNEL32(?,TokenIntegrityLevel,00000000,00000000,?,00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 00484177
CloseHandle.KERNEL32(?), ref: 00484185
LookupAccountSidA.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 004841B4
LookupAccountSidA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,?), ref: 00484205
CloseHandle.KERNEL32(00000000), ref: 00484255

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00451458, Relevance: 13.6, APIs: 9, Instructions: 122 Total matches: 3040window

Similarity

Total matches: 3040
API ID: PatBlt$SelectObject$GetDCExGetDesktopWindowReleaseDC
String ID:
API String ID: 2402848322-0
Opcode ID: 0b1cd19b0e82695ca21d43bacf455c9985e1afa33c1b29ce2f3a7090b744ccb2
Instruction ID: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593
Opcode Fuzzy Hash: C2F0B4482AADF707C8B6350915C7F79224AED736458F4BB694DB4172CBAF27B014D093
Instruction Fuzzy Hash: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593

APIs

GetDesktopWindow.USER32 ref: 0045148F
GetDCEx.USER32(?,00000000,00000402), ref: 004514A2

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

SelectObject.GDI32(?,00000000), ref: 004514C5
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 004514EB
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0045150D
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 0045152C
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 00451546
SelectObject.GDI32(?,?), ref: 00451553
ReleaseDC.USER32(?,?), ref: 0045156D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00465598, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 194 Total matches: 72libraryloader

Similarity

Total matches: 72
API ID: GetProcAddress$IsBadReadPtrLoadLibrary
String ID: BuildImportTable: GetProcAddress failed$BuildImportTable: ReallocMemory failed$BuildImportTable: can't load library:
API String ID: 1616315271-1384308123
Opcode ID: eb45955122e677bac4d3e7b6686ec9cba9f45ae3ef48f3e0b242e9a0c3719a7c
Instruction ID: d25742ef4bc1d51b96969838743a3f95180d575e7d72d5f7fe617812cb4009d6
Opcode Fuzzy Hash: 0B214C420345E0D3ED39A2081CC7FB15345EF639B4D88AB671ABB667FA2985500AF50D
Instruction Fuzzy Hash: d25742ef4bc1d51b96969838743a3f95180d575e7d72d5f7fe617812cb4009d6

APIs

LoadLibraryA.KERNEL32(00000000), ref: 00465607
GetProcAddress.KERNEL32(?,?), ref: 00465737
GetProcAddress.KERNEL32(?,?), ref: 0046576B
IsBadReadPtr.KERNEL32(?,00000014,00000000,004657D8), ref: 004657A9

Strings

BuildImportTable: can't load library: , xrefs: 00465644
BuildImportTable: ReallocMemory failed, xrefs: 0046568D
BuildImportTable: GetProcAddress failed, xrefs: 0046577C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482E34, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 193 Total matches: 16sleepthread

Similarity

Total matches: 16
API ID: Sleep$CreateThreadExitThread
String ID: .255$127.0.0.1$LanList
API String ID: 1155887905-2919614961
Opcode ID: f9aceb7697053a60f8f2203743265727de6b3c16a25ac160ebf033b594fe70c2
Instruction ID: 67bc21a589158fc7afeef0b5d02271f7d18e2bfc14a4273c93325a5ef21c2c98
Opcode Fuzzy Hash: 62215C820F87955EED616C807C41FA701315FB7649D4FAB622A6B3A1A74E032016B743
Instruction Fuzzy Hash: 67bc21a589158fc7afeef0b5d02271f7d18e2bfc14a4273c93325a5ef21c2c98

APIs

ExitThread.KERNEL32(00000000,00000000,004830D3,?,?,?,?,00000000,00000000), ref: 004830A6

Part of subcall function 00473208: socket.WSOCK32(00000002,00000001,00000000,00000000,00473339), ref: 0047323B
Part of subcall function 00473208: WSAIoctl.WS2_32(000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000), ref: 0047327C
Part of subcall function 00473208: inet_ntoa.WSOCK32(?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000), ref: 004732AC
Part of subcall function 00473208: inet_ntoa.WSOCK32(?,?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001), ref: 004732E8
Part of subcall function 00473208: closesocket.WSOCK32(000000FF,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000,00000000,00473339), ref: 00473319

CreateThread.KERNEL32(00000000,00000000,Function_00082CDC,?,00000000,?), ref: 00483005
Sleep.KERNEL32(00000032,00000000,00000000,Function_00082CDC,?,00000000,?,?,00000000,00000000,00483104,?,00483104,?,00483104,?), ref: 0048300C
Sleep.KERNEL32(00000064,.255,?,00483104,?,00483104,?,?,00000000,004830D3,?,?,?,?,00000000,00000000), ref: 00483054

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

127.0.0.1, xrefs: 00482E9D
LanList, xrefs: 0048306B
.255, xrefs: 0048303C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004117E8, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: f440f800a6dcfa6827f62dcd7c23166eba4d720ac19948e634cff8498f9e3f0b
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 4D113503239AAB83B0257B804C83F24D1D0DE42D36ACD97B8C672693F32601561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00411881
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041189D
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 004118D6
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411953
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0041196C
VariantCopy.OLEAUT32(?), ref: 004119A1

Strings

, xrefs: 00411802

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00454934, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 134 Total matches: 1764registry

Similarity

Total matches: 1764
API ID: GetWindowLong$GetClassInfoRegisterClassSetWindowLongUnregisterClass
String ID: @
API String ID: 2433521760-2766056989
Opcode ID: bb057d11bcffa2997f58ae607b8aec9f6d517787b85221cca69b6bc40098651c
Instruction ID: 4013627ed433dbc6b152acdb164a0da3d29e3622e0b68fd627badcaca3a3b516
Opcode Fuzzy Hash: 5A119C80560CD237E7D669A4B48378513749F97B7CDD0536B63F6242DA4E00402DF96E
Instruction Fuzzy Hash: 4013627ed433dbc6b152acdb164a0da3d29e3622e0b68fd627badcaca3a3b516

APIs

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetClassInfoA.USER32(?,?,?), ref: 004549F8
UnregisterClassA.USER32(?,?), ref: 00454A20
RegisterClassA.USER32(?), ref: 00454A36
GetWindowLongA.USER32(00000000,000000F0), ref: 00454A72
GetWindowLongA.USER32(00000000,000000F4), ref: 00454A87
SetWindowLongA.USER32(00000000,000000F4,00000000), ref: 00454A9A

Part of subcall function 00458910: IsIconic.USER32(?), ref: 0045891F
Part of subcall function 00458910: GetWindowPlacement.USER32(?,0000002C), ref: 0045893C
Part of subcall function 00458910: GetWindowRect.USER32(?), ref: 00458955
Part of subcall function 00458910: GetWindowLongA.USER32(?,000000F0), ref: 00458963
Part of subcall function 00458910: GetWindowLongA.USER32(?,000000F8), ref: 00458978
Part of subcall function 00458910: ScreenToClient.USER32(00000000), ref: 00458985
Part of subcall function 00458910: ScreenToClient.USER32(00000000,?), ref: 00458990

Part of subcall function 0042473C: CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,00424930,?,00000000,00424958), ref: 0042486B
Part of subcall function 0042473C: CreateFontIndirectA.GDI32(?), ref: 0042490D

Part of subcall function 0040F26C: GetLastError.KERNEL32(0040F31C,?,0041BBC3,?), ref: 0040F26C

Strings

@, xrefs: 0045496D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AC14, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 110 Total matches: 30

Similarity

Total matches: 30
API ID: GetCurrentProcessGetTokenInformationLookupPrivilegeDisplayNameLookupPrivilegeNameOpenProcessToken
String ID: GetTokenInformation error$OpenProcessToken error
API String ID: 34442935-1842041635
Opcode ID: 07715b92dc7caf9e715539a578f275bcd2bb60a34190f84cc6cf05c55eb8ea49
Instruction ID: 380ab001647c8b3903b6034fc21424389ae21c1771cfbd9cf9b74ae493e33b6b
Opcode Fuzzy Hash: 9101994303ACF753F62929086842BDA0550DF534A5EC4AB6281746BEC90F28203AFB57
Instruction Fuzzy Hash: 380ab001647c8b3903b6034fc21424389ae21c1771cfbd9cf9b74ae493e33b6b

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AD60), ref: 0048AC51
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AD60), ref: 0048AC57
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000320,?,00000000,00000028,?,00000000,0048AD60), ref: 0048AC7D
LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,00000000,000000FF,?), ref: 0048ACEE

Part of subcall function 00489B40: MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00489B84

LookupPrivilegeNameA.ADVAPI32(00000000,?,00000000,000000FF), ref: 0048ACDD

Strings

GetTokenInformation error, xrefs: 0048AC86
OpenProcessToken error, xrefs: 0048AC60

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0041F7B4, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109 Total matches: 16thread

Similarity

Total matches: 16
API ID: EnterCriticalSectionGetCurrentThreadId$InterlockedExchangeLeaveCriticalSection
String ID: 4PI
API String ID: 853095497-1771581502
Opcode ID: e7ac2c5012fa839d146893c0705f22c4635eb548c5d0be0363ce03b581d14a20
Instruction ID: e450c16710015a04d827bdf36dba62923dd4328c0a0834b889eda6f9c026b195
Opcode Fuzzy Hash: 46F0268206D8F1379472678830D77370A8AC33154EC85EB52162C376EB1D05D05DE75B
Instruction Fuzzy Hash: e450c16710015a04d827bdf36dba62923dd4328c0a0834b889eda6f9c026b195

APIs

GetCurrentThreadId.KERNEL32 ref: 0041F7BF
GetCurrentThreadId.KERNEL32 ref: 0041F7CE
EnterCriticalSection.KERNEL32(004999D0,0041F904,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F8F7

Part of subcall function 0041F774: WaitForSingleObject.KERNEL32(000000EC), ref: 0041F77E

Part of subcall function 0041F768: ResetEvent.KERNEL32(000000EC,0041F809), ref: 0041F76E

EnterCriticalSection.KERNEL32(004999D0), ref: 0041F813
InterlockedExchange.KERNEL32(00491B2C,?), ref: 0041F82F
LeaveCriticalSection.KERNEL32(004999D0,00000000,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F888

Strings

4PI, xrefs: 0041F7C4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00449834, Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 80 Total matches: 16libraryloader

Similarity

Total matches: 16
API ID: GetModuleHandleGetProcAddressImageList_Write
String ID: $qA$ImageList_WriteEx$[FILE]$[FILE]
API String ID: 3028349119-1134023085
Opcode ID: 9b6b780f1487285524870f905d0420896c1378cf45dbecae2d97141bf0e14d48
Instruction ID: 043155abd17610354dead4f4dd3580dd0e6203469d1d2f069e389e4af6e4a666
Opcode Fuzzy Hash: 29F059C6A0CCF14AE7175584B0AB66107F0BB9DD5F8C87710081C710A90F95A13DFB56
Instruction Fuzzy Hash: 043155abd17610354dead4f4dd3580dd0e6203469d1d2f069e389e4af6e4a666

APIs

ImageList_Write.COMCTL32(00000000,?,00000000,0044992E), ref: 004498F8

Part of subcall function 0040E3A4: GetFileVersionInfoSizeA.VERSION(00000000,?,00000000,0040E47A), ref: 0040E3E6
Part of subcall function 0040E3A4: GetFileVersionInfoA.VERSION(00000000,?,00000000,?,00000000,0040E45D,?,00000000,?,00000000,0040E47A), ref: 0040E41B
Part of subcall function 0040E3A4: VerQueryValueA.VERSION(?,0040E48C,?,?,00000000,?,00000000,?,00000000,0040E45D,?,00000000,?,00000000,0040E47A), ref: 0040E435

GetModuleHandleA.KERNEL32(comctl32.dll), ref: 00449868
GetProcAddress.KERNEL32(00000000,ImageList_WriteEx,comctl32.dll), ref: 00449879

Strings

comctl32.dll, xrefs: 00449863
ImageList_WriteEx, xrefs: 00449873
$qA, xrefs: 004498D4, 00449909
comctl32.dll, xrefs: 00449848

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E4A0, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68 Total matches: 2853string

Similarity

Total matches: 2853
API ID: GetSystemMetrics$GetMonitorInfoSystemParametersInfolstrcpy
String ID: DISPLAY$GetMonitorInfo
API String ID: 3432438702-1633989206
Opcode ID: eae47ffeee35c10db4cae29e8a4ab830895bcae59048fb7015cdc7d8cb0a928b
Instruction ID: 74142331967dee0409fd24cf408a58a7466f2520650418456c75ade1e3029da4
Opcode Fuzzy Hash: 28E068803A699081F86A71027110F4912B07AE7E47D883B92C4777051BD78265B91D01
Instruction Fuzzy Hash: 74142331967dee0409fd24cf408a58a7466f2520650418456c75ade1e3029da4

APIs

GetMonitorInfoA.USER32(?,?), ref: 0042E4D1
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042E4F8
GetSystemMetrics.USER32(00000000), ref: 0042E50D
GetSystemMetrics.USER32(00000001), ref: 0042E518
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0042E542

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

DISPLAY, xrefs: 0042E539
GetMonitorInfo, xrefs: 0042E4B8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E574, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 68 Total matches: 14string

Similarity

Total matches: 14
API ID: GetSystemMetrics$SystemParametersInfolstrcpy
String ID: DISPLAY$GetMonitorInfoA$tB
API String ID: 920390751-4256241499
Opcode ID: 9a94b6fb1edcb78a0c9a66795ebd84d1eeb67d07ab6805deb2fcd0b49b846e84
Instruction ID: eda70eb6c6723b3d8ed12733fddff3b40501d2063d2ec80ebb02aba850291404
Opcode Fuzzy Hash: 78E068C132298081B86A31013160F42129039E7E17E883BC1D4F77056B8B8275651D08
Instruction Fuzzy Hash: eda70eb6c6723b3d8ed12733fddff3b40501d2063d2ec80ebb02aba850291404

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042E5CC
GetSystemMetrics.USER32(00000000), ref: 0042E5E1
GetSystemMetrics.USER32(00000001), ref: 0042E5EC
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0042E616

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

GetMonitorInfoA, xrefs: 0042E58C
tB, xrefs: 0042E591, 0042E59E, 0042E5A5
DISPLAY, xrefs: 0042E60D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E648, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 68 Total matches: 10string

Similarity

Total matches: 10
API ID: GetSystemMetrics$SystemParametersInfolstrcpy
String ID: DISPLAY$GetMonitorInfoW$HB
API String ID: 920390751-4214253287
Opcode ID: 39694e9d9e018d210cdbb9f258b89a02c97d0963af088e59ad359ed5c593a5a2
Instruction ID: 715dbc0accc45c62a460a5bce163b1305142a94d166b4e77b7d7de915e09a29c
Opcode Fuzzy Hash: C6E0D8802269D0C5B86A71013254F4712E53EFBF57C8C3B51D5737156A5782A6B51D11
Instruction Fuzzy Hash: 715dbc0accc45c62a460a5bce163b1305142a94d166b4e77b7d7de915e09a29c

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042E6A0
GetSystemMetrics.USER32(00000000), ref: 0042E6B5
GetSystemMetrics.USER32(00000001), ref: 0042E6C0
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0042E6EA

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

GetMonitorInfoW, xrefs: 0042E660
HB, xrefs: 0042E665, 0042E672, 0042E679
DISPLAY, xrefs: 0042E6E1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004052FC, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38 Total matches: 3072filewindow

Similarity

Total matches: 3072
API ID: GetStdHandleWriteFile$MessageBox
String ID: Error$Runtime error at 00000000
API String ID: 877302783-2970929446
Opcode ID: a2f2a555d5de0ed3a3cdfe8a362fd9574088acc3a5edf2b323f2c4251b80d146
Instruction ID: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97
Opcode Fuzzy Hash: FED0A7C68438479FA141326030C4B2A00133F0762A9CC7396366CB51DFCF4954BCDD05
Instruction Fuzzy Hash: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405335
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 0040533B
GetStdHandle.KERNEL32(000000F5,00405384,00000002,?,00000000,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405350
WriteFile.KERNEL32(00000000,000000F5,00405384,00000002,?), ref: 00405356
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00405374

Strings

Error, xrefs: 00405368
Runtime error at 00000000, xrefs: 0040532E, 0040536D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00442C9C, Relevance: 12.2, APIs: 8, Instructions: 154 Total matches: 2310window

Similarity

Total matches: 2310
API ID: SendMessage$GetActiveWindowGetCapture$ReleaseCapture
String ID:
API String ID: 3360342259-0
Opcode ID: 2e7a3c9d637816ea08647afd4d8ce4a3829e05fa187c32cef18f4a4206af3d5d
Instruction ID: f313f7327938110f0d474da6a120560d1e1833014bacf3192a9076ddb3ef11f7
Opcode Fuzzy Hash: 8F1150111E8E7417F8A3A1C8349BB23A067F74FA59CC0BF71479A610D557588869D707
Instruction Fuzzy Hash: f313f7327938110f0d474da6a120560d1e1833014bacf3192a9076ddb3ef11f7

APIs

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetCapture.USER32 ref: 00442D0D
GetCapture.USER32 ref: 00442D1C
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00442D22
ReleaseCapture.USER32 ref: 00442D27
GetActiveWindow.USER32 ref: 00442D78

Part of subcall function 004442A8: GetCursorPos.USER32 ref: 004442C3
Part of subcall function 004442A8: WindowFromPoint.USER32(?,?), ref: 004442D0
Part of subcall function 004442A8: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004442DE
Part of subcall function 004442A8: GetCurrentThreadId.KERNEL32(00000000,00000000,?,?), ref: 004442E5
Part of subcall function 004442A8: SendMessageA.USER32(00000000,00000084,00000000,?), ref: 0044430E
Part of subcall function 004442A8: SendMessageA.USER32(00000000,00000020,00000000,?), ref: 00444320
Part of subcall function 004442A8: SetCursor.USER32(00000000), ref: 00444332

Part of subcall function 0043B920: GetCurrentThreadId.KERNEL32(0043B8D0,00000000,00000000,0043B993,?,00000000,0043B9D1), ref: 0043B976
Part of subcall function 0043B920: EnumThreadWindows.USER32(00000000,0043B8D0,00000000), ref: 0043B97C

SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00442E0E
SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00442E7B
GetActiveWindow.USER32 ref: 00442E8A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E0DC, Relevance: 12.1, APIs: 8, Instructions: 100 Total matches: 31registry

Similarity

Total matches: 31
API ID: RegOpenKeyEx$RegCloseKeyRegDeleteValue
String ID:
API String ID: 2702562355-0
Opcode ID: ff1bffc0fc9da49c543c68ea8f8c068e074332158ed00d7e0855fec77d15ce10
Instruction ID: bb6f8a9e936068d281b70d3ea2ea02ff1a791729bc38357734c580253c916b5c
Opcode Fuzzy Hash: 00F0AD0155E9A353EBF654C41E127DB2082FF43A44D08FFB50392139D3DF581028E663
Instruction Fuzzy Hash: bb6f8a9e936068d281b70d3ea2ea02ff1a791729bc38357734c580253c916b5c

APIs

RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?,00000000,0046E238), ref: 0046E15A
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,000F003F,?,0046E23F,80000000,00000000,00000000,000F003F,?,00000000,0046E238), ref: 0046E17D
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,0046E23F,80000000,00000000,00000000,000F003F,?), ref: 0046E19D
RegOpenKeyExA.ADVAPI32(80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,0046E23F), ref: 0046E1BD
RegOpenKeyExA.ADVAPI32(80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001), ref: 0046E1DD
RegOpenKeyExA.ADVAPI32(80000006,00000000,00000000,000F003F,?,80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002), ref: 0046E1FD
RegDeleteValueA.ADVAPI32(?,00000000,00000000,0046E238), ref: 0046E20F
RegCloseKey.ADVAPI32(?,?,00000000,00000000,0046E238), ref: 0046E218

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004462F4, Relevance: 12.1, APIs: 8, Instructions: 99 Total matches: 293windowthread

Similarity

Total matches: 293
API ID: SendMessage$GetWindowThreadProcessId$GetCaptureGetParentIsWindowUnicode
String ID:
API String ID: 2317708721-0
Opcode ID: 8f6741418f060f953fc426fb00df5905d81b57fcb2f7a38cdc97cb0aab6d7365
Instruction ID: 027f2b09132ef415e1641618d15c0fc03404835376b0cbd1c352fc703b58c8b5
Opcode Fuzzy Hash: D0F09E15071D1844F89FA7844CD3F1F0150E73726FC516A251861D07BB2640586DEC40
Instruction Fuzzy Hash: 027f2b09132ef415e1641618d15c0fc03404835376b0cbd1c352fc703b58c8b5

APIs

GetCapture.USER32 ref: 0044631A
GetParent.USER32(00000000), ref: 00446340
IsWindowUnicode.USER32(00000000), ref: 0044635D
SendMessageW.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446378
SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446397
GetWindowThreadProcessId.USER32(00000000), ref: 004463A6
GetWindowThreadProcessId.USER32(?,?), ref: 004463B4
SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 004463D4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E244, Relevance: 12.1, APIs: 8, Instructions: 95 Total matches: 27registry

Similarity

Total matches: 27
API ID: RegOpenKeyEx$RegCloseKeyRegDeleteKey
String ID:
API String ID: 1588268847-0
Opcode ID: efa1fa3a126963e045954320cca245066a4b5764b694b03be027155e6cf74c33
Instruction ID: 786d86d630c0ce6decb55c8266b1f23f89dbfeab872e22862efc69a80fb541cf
Opcode Fuzzy Hash: 70F0810454D99393EFF268C81A627EB2492FF53141C00BFB603D222A93DF191428E663
Instruction Fuzzy Hash: 786d86d630c0ce6decb55c8266b1f23f89dbfeab872e22862efc69a80fb541cf

APIs

RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?,00000000,0046E391), ref: 0046E2B7
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,000F003F,?,80000000,00000000,00000000,000F003F,?,00000000,0046E391), ref: 0046E2DA
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,80000000,00000000,00000000,000F003F,?,00000000), ref: 0046E2FA
RegOpenKeyExA.ADVAPI32(80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,80000000), ref: 0046E31A
RegOpenKeyExA.ADVAPI32(80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001), ref: 0046E33A
RegOpenKeyExA.ADVAPI32(80000006,00000000,00000000,000F003F,?,80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002), ref: 0046E35A
RegDeleteKeyA.ADVAPI32(?,0046E39C), ref: 0046E368
RegCloseKey.ADVAPI32(?,?,0046E39C,00000000,0046E391), ref: 0046E371

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426060, Relevance: 12.1, APIs: 8, Instructions: 79 Total matches: 3072window

Similarity

Total matches: 3072
API ID: GetSystemPaletteEntries$GetDCGetDeviceCapsReleaseDC
String ID:
API String ID: 3774187343-0
Opcode ID: c8a1f0028bda89d06ba34fecd970438ce26e4f5bd606e2da3d468695089984a8
Instruction ID: 0cfe958825060108f21fe327ec74807f3ea840bb8274bad68fd1d00675d59d02
Opcode Fuzzy Hash: 82F0E9420739F3B3B21723492453B548250FF006B8F195B7095A2A37D54B486A08D65A
Instruction Fuzzy Hash: 0cfe958825060108f21fe327ec74807f3ea840bb8274bad68fd1d00675d59d02

APIs

GetDC.USER32(00000000), ref: 0042608E
GetDeviceCaps.GDI32(?,00000068), ref: 004260AA
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 004260C9
GetSystemPaletteEntries.GDI32(?,-00000008,00000001,00C0C0C0), ref: 004260ED
GetSystemPaletteEntries.GDI32(?,00000000,00000007,?), ref: 0042610B
GetSystemPaletteEntries.GDI32(?,00000007,00000001,?), ref: 0042611F
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0042613F
ReleaseDC.USER32(00000000,?), ref: 00426157

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434550, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 177 Total matches: 2669window

Similarity

Total matches: 2669
API ID: InsertMenu$GetVersionInsertMenuItem
String ID: ,$?
API String ID: 1158528009-2308483597
Opcode ID: 3691d3eb49acf7fe282d18733ae3af9147e5be4a4a7370c263688d5644077239
Instruction ID: d88e58a9695d0ecde36b26a9ed5775f3b98e27f7dc2108173ae1ec2afbf22209
Opcode Fuzzy Hash: 7021C07202AE81DBD414788C7954F6221B16B5465FD49FF210329B5DD98F156003FF7A
Instruction Fuzzy Hash: d88e58a9695d0ecde36b26a9ed5775f3b98e27f7dc2108173ae1ec2afbf22209

APIs

GetVersion.KERNEL32(00000000,004347A1), ref: 004345EC
InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 004346F5
InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 0043477E

Part of subcall function 00434A54: CreatePopupMenu.USER32 ref: 00434A6F
Part of subcall function 00434A54: CreateMenu.USER32 ref: 00434A79

InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 00434765

Strings

?, xrefs: 00434607
,, xrefs: 00434600

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00488D70, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 139 Total matches: 17window

Similarity

Total matches: 17
API ID: BitBltCreateCompatibleBitmapCreateCompatibleDCCreateDCSelectObject
String ID: image/jpeg
API String ID: 3045076971-3785015651
Opcode ID: dbe4b5206c04ddfa7cec44dd0e3e3f3269a9d8eacf2ec53212285f1a385d973c
Instruction ID: b6a9b81207b66fd46b40be05ec884117bb921c7e8fb4f30b77988d552b54040a
Opcode Fuzzy Hash: 3001BD010F4EF103E475B5CC3853FF7698AEB17E8AD1A77A20CB8961839202A009F607
Instruction Fuzzy Hash: b6a9b81207b66fd46b40be05ec884117bb921c7e8fb4f30b77988d552b54040a

APIs

CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 00488DAA
CreateCompatibleDC.GDI32(?), ref: 00488DC4
CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 00488DDC
SelectObject.GDI32(?,?), ref: 00488DEC
BitBlt.GDI32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,00CC0020), ref: 00488E15

Part of subcall function 0045FB1C: GdipCreateBitmapFromHBITMAP.GDIPLUS(?,?,?), ref: 0045FB43

Part of subcall function 0045FA24: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,0045FA7A), ref: 0045FA54

Strings

image/jpeg, xrefs: 00488E70

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446834, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 138 Total matches: 241window

Similarity

Total matches: 241
API ID: SetWindowPos$GetWindowRectMessageBoxSetActiveWindow
String ID: (
API String ID: 3733400490-3887548279
Opcode ID: 057cc1c80f110adb1076bc5495aef73694a74091f1d008cb79dd59c6bbc78491
Instruction ID: b10abcdf8b99517cb61353ac0e0d7546e107988409174f4fad3563684715349e
Opcode Fuzzy Hash: 88014C110E8D5483B57334902893FAB110AFB8B789C4CF7F65ED25314A4B45612FA657
Instruction Fuzzy Hash: b10abcdf8b99517cb61353ac0e0d7546e107988409174f4fad3563684715349e

APIs

Part of subcall function 00447BE4: GetActiveWindow.USER32 ref: 00447C0B
Part of subcall function 00447BE4: GetLastActivePopup.USER32(?), ref: 00447C1D

GetWindowRect.USER32(?,?), ref: 004468B6
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 004468EE

Part of subcall function 0043B920: GetCurrentThreadId.KERNEL32(0043B8D0,00000000,00000000,0043B993,?,00000000,0043B9D1), ref: 0043B976
Part of subcall function 0043B920: EnumThreadWindows.USER32(00000000,0043B8D0,00000000), ref: 0043B97C

MessageBoxA.USER32(00000000,?,?,?), ref: 0044692D
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0044697D

Part of subcall function 0043B9E4: IsWindow.USER32(?), ref: 0043B9F2
Part of subcall function 0043B9E4: EnableWindow.USER32(?,000000FF), ref: 0043BA01

SetActiveWindow.USER32(00000000), ref: 0044698E

Strings

(, xrefs: 00446893

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446524, Relevance: 10.6, APIs: 7, Instructions: 105 Total matches: 329window

Similarity

Total matches: 329
API ID: PeekMessage$DispatchMessage$IsWindowUnicodeTranslateMessage
String ID:
API String ID: 94033680-0
Opcode ID: 72d0e2097018c2d171db36cd9dd5c7d628984fd68ad100676ade8b40d7967d7f
Instruction ID: b3581f7210794b57d406096c46509e1a6dcc6e0b3c60c7d01b5c3c410123a072
Opcode Fuzzy Hash: A2F0F642161A8221F90E364651E2FC06559E31F39CCD1D3871165A4192DF8573D6F95C
Instruction Fuzzy Hash: b3581f7210794b57d406096c46509e1a6dcc6e0b3c60c7d01b5c3c410123a072

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00446538
IsWindowUnicode.USER32 ref: 0044654C
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0044656D
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00446583

Part of subcall function 00447DD0: GetCapture.USER32 ref: 00447DDA
Part of subcall function 00447DD0: GetParent.USER32(00000000), ref: 00447E08

Part of subcall function 004462A4: TranslateMDISysAccel.USER32(?), ref: 004462E3

Part of subcall function 004462F4: GetCapture.USER32 ref: 0044631A
Part of subcall function 004462F4: GetParent.USER32(00000000), ref: 00446340
Part of subcall function 004462F4: IsWindowUnicode.USER32(00000000), ref: 0044635D
Part of subcall function 004462F4: SendMessageW.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446378
Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446397
Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(00000000), ref: 004463A6
Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(?,?), ref: 004463B4
Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 004463D4

Part of subcall function 0044625C: IsWindowUnicode.USER32(00000000), ref: 00446270
Part of subcall function 0044625C: IsDialogMessageW.USER32(?), ref: 00446281
Part of subcall function 0044625C: IsDialogMessageA.USER32(?,?,00000000,015B8130,00000001,00446607,?,00000000,00000000,00000000,00000001,?,00000000,00000000,00000000,00000000), ref: 00446296

TranslateMessage.USER32 ref: 0044660C
DispatchMessageW.USER32 ref: 00446618
DispatchMessageA.USER32 ref: 00446620

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004282D0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99 Total matches: 1938

Similarity

Total matches: 1938
API ID: GetWinMetaFileBitsMulDiv$GetDC
String ID: `
API String ID: 1171737091-2679148245
Opcode ID: 97e0afb71fd3017264d25721d611b96d1ac3823582e31f119ebb41a52f378edb
Instruction ID: fd1c75cb27f8ccc4a85bc281ca680933f7ff10ae91a160973978cac80d6b42b6
Opcode Fuzzy Hash: B6F0ACC4008CD2A7D87675DC1043F6311C897CA286E89BB739226A7307CB0AA019EC47
Instruction Fuzzy Hash: fd1c75cb27f8ccc4a85bc281ca680933f7ff10ae91a160973978cac80d6b42b6

APIs

MulDiv.KERNEL32(?,?,000009EC), ref: 00428322
MulDiv.KERNEL32(?,?,000009EC), ref: 00428339
GetDC.USER32(00000000), ref: 00428350
GetWinMetaFileBits.GDI32(?,00000000,00000000,00000008,?), ref: 00428374
GetWinMetaFileBits.GDI32(?,?,?,00000008,?), ref: 004283A7

Part of subcall function 00425A70: GetLastError.KERNEL32(00000000,00425B0C), ref: 00425A90
Part of subcall function 00425A70: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00425B0C), ref: 00425AB6

Strings

`, xrefs: 00428308

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444344, Relevance: 10.6, APIs: 7, Instructions: 89 Total matches: 2886

Similarity

Total matches: 2886
API ID: CreateFontIndirect$GetStockObjectSystemParametersInfo
String ID:
API String ID: 1286667049-0
Opcode ID: beeb678630a8d2ca0f721ed15124802961745e4c56d7c704ecddf8ebfa723626
Instruction ID: b9276e4cea0afd1028da4d528d34847b13dbaab52dc8e94e54053a20ac38a9fc
Opcode Fuzzy Hash: 00F0A4C36341F6F2D8993208742172161E6A74AE78C7CFF62422930ED2661A052EEB4F
Instruction Fuzzy Hash: b9276e4cea0afd1028da4d528d34847b13dbaab52dc8e94e54053a20ac38a9fc

APIs

SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 00444399
CreateFontIndirectA.GDI32(?), ref: 004443A6
GetStockObject.GDI32(0000000D), ref: 004443BC
SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 004443E5
CreateFontIndirectA.GDI32(?), ref: 004443F5
CreateFontIndirectA.GDI32(?), ref: 0044440E

Part of subcall function 00424A5C: MulDiv.KERNEL32(00000000,?,00000048), ref: 00424A69

GetStockObject.GDI32(0000000D), ref: 00444434

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482B34, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 84 Total matches: 10threadsleepmemory

Similarity

Total matches: 10
API ID: ExitThread$CreateThreadLocalAllocSleep
String ID: p)H
API String ID: 1498127831-2549212939
Opcode ID: 5fd7b773879454cb2e984670c3aa9a0c1db83b86d5d790d4145ccd7f391bc9b7
Instruction ID: 053b5e183048797674ca9cdb15cf17692ed61b26d4291f167cbfa930052dd689
Opcode Fuzzy Hash: 65F02E8147579427749271893D807631168A88B349DC47B618A393E5C35D0EB119F7C6
Instruction Fuzzy Hash: 053b5e183048797674ca9cdb15cf17692ed61b26d4291f167cbfa930052dd689

APIs

ExitThread.KERNEL32(00000000,00000000,00482BF9,?,00000000,00482C2E), ref: 00482BA4
LocalAlloc.KERNEL32(00000040,00000008,00000000,00482BF9,?,00000000,00482C2E), ref: 00482BAD
CreateThread.KERNEL32(00000000,00000000,Function_0008298C,00000000,00000000,?), ref: 00482BD6
Sleep.KERNEL32(00000064,00000000,00000000,Function_0008298C,00000000,00000000,?,00000040,00000008,00000000,00482BF9,?,00000000,00482C2E), ref: 00482BDD
ExitThread.KERNEL32(00000000,00000000,00482BF9,?,00000000,00482C2E), ref: 00482BEA

Strings

p)H, xrefs: 00482B48, 00482C1A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428A00, Relevance: 10.6, APIs: 7, Instructions: 66 Total matches: 3056

Similarity

Total matches: 3056
API ID: SelectObject$CreateCompatibleDCDeleteDCGetDCReleaseDCSetDIBColorTable
String ID:
API String ID: 2399757882-0
Opcode ID: e05996493a4a7703f1d90fd319a439bf5e8e75d5a5d7afaf7582bfea387cb30d
Instruction ID: 90c847b5b2251fbb5b2f14fd0b24f537c214c92e226752d9278a3821f2f40b8f
Opcode Fuzzy Hash: 73E0DF8626D8F38BE435399C15C2BB202EAD763D20D1ABBA1CD712B5DB6B09701CE107
Instruction Fuzzy Hash: 90c847b5b2251fbb5b2f14fd0b24f537c214c92e226752d9278a3821f2f40b8f

APIs

Part of subcall function 004262B4: GetObjectA.GDI32(?,00000004), ref: 004262CB
Part of subcall function 004262B4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 004262EE

GetDC.USER32(00000000), ref: 00428A3E
CreateCompatibleDC.GDI32(?), ref: 00428A4A
SelectObject.GDI32(?), ref: 00428A57
SetDIBColorTable.GDI32(?,00000000,00000000,?), ref: 00428A7B
SelectObject.GDI32(?,?), ref: 00428A95
DeleteDC.GDI32(?), ref: 00428A9E
ReleaseDC.USER32(00000000,?), ref: 00428AA9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004442A8, Relevance: 10.6, APIs: 7, Instructions: 57 Total matches: 3149threadwindow

Similarity

Total matches: 3149
API ID: SendMessage$GetCurrentThreadIdGetCursorPosGetWindowThreadProcessIdSetCursorWindowFromPoint
String ID:
API String ID: 3843227220-0
Opcode ID: 636f8612f18a75fc2fe2d79306f1978e6c2d0ee500cce15a656835efa53532b4
Instruction ID: 91a0691e93be75cbd792bc1c5d11451005bcc187603754b99125f381020161aa
Opcode Fuzzy Hash: 6FE07D44093723D5C0644A295640705A6C6CB96630DC0DB86C339580FBAD0214F0BC92
Instruction Fuzzy Hash: 91a0691e93be75cbd792bc1c5d11451005bcc187603754b99125f381020161aa

APIs

GetCursorPos.USER32 ref: 004442C3
WindowFromPoint.USER32(?,?), ref: 004442D0
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004442DE
GetCurrentThreadId.KERNEL32(00000000,00000000,?,?), ref: 004442E5
SendMessageA.USER32(00000000,00000084,00000000,?), ref: 0044430E
SendMessageA.USER32(00000000,00000020,00000000,?), ref: 00444320
SetCursor.USER32(00000000), ref: 00444332

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00404448, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 49 Total matches: 63registry

Similarity

Total matches: 63
API ID: RegCloseKeyRegOpenKeyExRegQueryValueEx
String ID: &$FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 2249749755-409351
Opcode ID: ab90adbf7b939076b4d26ef1005f34fa32d43ca05e29cbeea890055cc8b783db
Instruction ID: ce62e3bb234767a160e82b0d7d36def6f0e4d1aa0fd43ed305e6d49589b0b3e0
Opcode Fuzzy Hash: 58D02BE10C9A675FB6B071543292B6310A3F72AA8CC0077326DD03A0D64FD26178CF03
Instruction Fuzzy Hash: ce62e3bb234767a160e82b0d7d36def6f0e4d1aa0fd43ed305e6d49589b0b3e0

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040446A
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,&,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040449D
RegCloseKey.ADVAPI32(?,004044C0,00000000,?,00000004,00000000,&,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004044B3

Strings

&, xrefs: 00404476
FPUMaskValue, xrefs: 00404494
SOFTWARE\Borland\Delphi\RTL, xrefs: 00404460

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00488B18, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 49 Total matches: 15

Similarity

Total matches: 15
API ID: GetDeviceCaps$CreateDCEnumDisplayMonitors
String ID: DISPLAY$MONSIZE0x0x0x0
API String ID: 764351534-707749442
Opcode ID: 4ad1b1e031ca4c6641bd4b991acf5b812f9c7536f9f0cc4eb1e7d2354d8ae31a
Instruction ID: 74f5256f7b05cb3d54b39a8883d8df7c51a1bc5999892e39300c9a7f2f74089f
Opcode Fuzzy Hash: 94E0C24F6B8BE4A7600672443C237C2878AA6536918523721CB3E36A93DD472205BA15
Instruction Fuzzy Hash: 74f5256f7b05cb3d54b39a8883d8df7c51a1bc5999892e39300c9a7f2f74089f

APIs

CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 00488B3D
GetDeviceCaps.GDI32(00000000,00000008), ref: 00488B47
GetDeviceCaps.GDI32(00000000,0000000A), ref: 00488B54
EnumDisplayMonitors.USER32(00000000,00000000,004889F0,00000000), ref: 00488B85

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

DISPLAY, xrefs: 00488B6E
MONSIZE0x0x0x0, xrefs: 00488B8C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040F3A4, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 46 Total matches: 17

Similarity

Total matches: 17
API ID: FindResourceLoadResource
String ID: 0PI$DVCLAL
API String ID: 2359726220-2981686760
Opcode ID: 800224e7684f9999f87d4ef9ea60951ae4fbd73f3e4075522447f15a278b71b4
Instruction ID: dff53e867301dc3e22b70d9e69622cb382f13005f1a49077cfe6c5f33cacb54d
Opcode Fuzzy Hash: 8FD0C9D501084285852017F8B253FC7A2AB69DEB19D544BB05EB12D2076F5A613B6A46
Instruction Fuzzy Hash: dff53e867301dc3e22b70d9e69622cb382f13005f1a49077cfe6c5f33cacb54d

APIs

FindResourceA.KERNEL32(00400000,DVCLAL,0000000A), ref: 0040F3C1
LoadResource.KERNEL32(00400000,00000000,00400000,DVCLAL,0000000A), ref: 0040F3CF
FindResourceA.KERNEL32(00400000,DVCLAL,0000000A), ref: 0040F3F3
LoadResource.KERNEL32(00400000,00000000,00400000,DVCLAL,0000000A), ref: 0040F3FA

Strings

0PI, xrefs: 0040F3A8, 0040F3B9, 0040F3C7
DVCLAL, xrefs: 0040F3B4, 0040F3EA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00484B30, Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 176 Total matches: 11sleep

Similarity

Total matches: 11
API ID: Sleep
String ID: BTERRORDownload File| Error on downloading file check if you type the correct url...|$BTRESULTDownload File|Mass Download : File Downloaded , Executing new one in temp dir...|$BTRESULTMass Download|Downloading File...|$DownloadFail$DownloadSuccess
API String ID: 3472027048-992323826
Opcode ID: b42a1814c42657d3903e752c8e34c8bac9066515283203de396ee156d6a45bcc
Instruction ID: deaf5eb2465c82228c6b2b1c1dca6568de82910c53d4747ae395a037cbca2448
Opcode Fuzzy Hash: EA2181291B8DE4A7F43B295C2447B5B11119FC2A9AE8D6BB1377A3F0161A42D019723A
Instruction Fuzzy Hash: deaf5eb2465c82228c6b2b1c1dca6568de82910c53d4747ae395a037cbca2448

APIs

Part of subcall function 0048485C: InternetOpenA.WININET(Mozilla,00000001,00000000,00000000,00000000), ref: 0048490C
Part of subcall function 0048485C: InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,04000000,00000000), ref: 00484944
Part of subcall function 0048485C: HttpQueryInfoA.WININET(00000000,00000013,?,00000200,?), ref: 0048497D
Part of subcall function 0048485C: InternetReadFile.WININET(00000000,?,00000400,?), ref: 00484A04
Part of subcall function 0048485C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 00484A75
Part of subcall function 0048485C: InternetCloseHandle.WININET(00000000), ref: 00484A95

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Sleep.KERNEL32(000007D0,?,?,?,?,?,?,?,00000000,00484D9A,?,?,?,?,00000006,00000000), ref: 00484D38

Part of subcall function 00475BD8: closesocket.WSOCK32(00000248,00000000,00475D47,?,00000000,00475D76,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00475D2E
Part of subcall function 00475BD8: GetCurrentProcessId.KERNEL32(00000248,00000000,00475D47,?,00000000,00475D76,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00475D33

Strings

DownloadFail, xrefs: 00484CBC
BTRESULTMass Download|Downloading File...|, xrefs: 00484C52
BTERRORDownload File| Error on downloading file check if you type the correct url...|, xrefs: 00484D0C
BTRESULTDownload File|Mass Download : File Downloaded , Executing new one in temp dir...|, xrefs: 00484CEA
DownloadSuccess, xrefs: 00484CA2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043EC18, Relevance: 9.2, APIs: 6, Instructions: 150 Total matches: 2896

Similarity

Total matches: 2896
API ID: FillRect$BeginPaintEndPaintGetClientRectGetWindowRect
String ID:
API String ID: 2931688664-0
Opcode ID: 677a90f33c4a0bae1c1c90245e54b31fe376033ebf9183cf3cf5f44c7b342276
Instruction ID: 65c0a0a89661e183b73f48e61e48bee5eb6d6399339ac08e0e21072a38132552
Opcode Fuzzy Hash: 9711994A819E5007F47B49C40887BEA1092FBC1FDBCC8FF7025A426BCB0B60564F860B
Instruction Fuzzy Hash: 65c0a0a89661e183b73f48e61e48bee5eb6d6399339ac08e0e21072a38132552

APIs

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?), ref: 0043EC91
GetClientRect.USER32(00000000,?), ref: 0043ECBC
FillRect.USER32(?,?,00000000), ref: 0043ECDB

Part of subcall function 0043EB8C: CallWindowProcA.USER32(?,?,?,?,?), ref: 0043EBC6

Part of subcall function 0043B78C: GetWindowLongA.USER32(?,000000EC), ref: 0043B799
Part of subcall function 0043B78C: SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B7BC
Part of subcall function 0043B78C: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043B7CE

BeginPaint.USER32(?,?), ref: 0043ED53
GetWindowRect.USER32(?,?), ref: 0043ED80

Part of subcall function 0044EEA0: GetWindowOrgEx.GDI32(?), ref: 0044EEAE
Part of subcall function 0044EEA0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044EEC4

Part of subcall function 00455D50: BeginPaint.USER32(00000000,?), ref: 00455D7B
Part of subcall function 00455D50: SaveDC.GDI32(00000000), ref: 00455DB4
Part of subcall function 00455D50: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 00455E36
Part of subcall function 00455D50: RestoreDC.GDI32(00000000,00000000), ref: 00455E6C
Part of subcall function 00455D50: EndPaint.USER32(00000000,?), ref: 00455EA9

EndPaint.USER32(?,?), ref: 0043EDE0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00441160, Relevance: 9.1, APIs: 6, Instructions: 125 Total matches: 196

Similarity

Total matches: 196
API ID: ExcludeClipRectFillRectGetStockObjectRestoreDCSaveDCSetBkColor
String ID:
API String ID: 3049133588-0
Opcode ID: d6019f6cee828ac7391376ab126a0af33bb7a71103bbd3b8d69450c96d22d854
Instruction ID: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c
Opcode Fuzzy Hash: 54012444004F6253F4AB098428E7FA56083F721791CE4FF310786616C34A74615BAA07
Instruction Fuzzy Hash: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c

APIs

Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE

SaveDC.GDI32(?), ref: 004411AD
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00441234
GetStockObject.GDI32(00000004), ref: 00441256
FillRect.USER32(00000000,?,00000000), ref: 0044126F

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(00000000,00000000), ref: 004412BA

Part of subcall function 0042535C: FillRect.USER32(?,00000000,00000000), ref: 00425385

RestoreDC.GDI32(00000000,?), ref: 004412E5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004556F4, Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 353 Total matches: 9

Similarity

Total matches: 9
API ID: DefWindowProcGetCaptureSetWindowPos_TrackMouseEvent
String ID: zC
API String ID: 1140357208-2078053289
Opcode ID: 4b88ffa7e8dc9e0fc55dcf7c85635e39fbe2c17a2618d5290024c367d42a558d
Instruction ID: b57778f77ef7841f174bad60fd8f5a19220f360e114fd8f1822aba38cb5d359d
Opcode Fuzzy Hash: B2513154458FA692E4B3E0417AA3BD27026F7D178AC84EF3027D9224DB7F15B217AB07
Instruction Fuzzy Hash: b57778f77ef7841f174bad60fd8f5a19220f360e114fd8f1822aba38cb5d359d

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000077), ref: 004557E5
DefWindowProcA.USER32(00000000,?,?,?), ref: 00455AEF

Part of subcall function 0044D640: GetCapture.USER32 ref: 0044D640

_TrackMouseEvent.COMCTL32(00000010), ref: 00455A9D

Part of subcall function 00455640: GetCapture.USER32 ref: 00455653

Part of subcall function 004554F4: GetMessagePos.USER32 ref: 00455503
Part of subcall function 004554F4: GetKeyboardState.USER32(?), ref: 00455600

GetCapture.USER32 ref: 00455B5A

Part of subcall function 00451C28: GetKeyboardState.USER32(?), ref: 00451E90

Strings

zC, xrefs: 0045594E, 0045596C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446070, Relevance: 9.1, APIs: 6, Instructions: 99 Total matches: 165window

Similarity

Total matches: 165
API ID: DefWindowProcIsWindowEnabledSetActiveWindowSetFocusSetWindowPosShowWindow
String ID:
API String ID: 81093956-0
Opcode ID: 91e5e05e051b3e2f023c100c42454c78ad979d8871dc5c9cc7008693af0beda7
Instruction ID: aa6e88dcafe1d9e979c662542ea857fd259aca5c8034ba7b6c524572af4b0f27
Opcode Fuzzy Hash: C2F0DD0025452320F892A8044167FBA60622B5F75ACDCD3282197002AEEFE7507ABF14
Instruction Fuzzy Hash: aa6e88dcafe1d9e979c662542ea857fd259aca5c8034ba7b6c524572af4b0f27

APIs

Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773

SetActiveWindow.USER32(?), ref: 0044608F
ShowWindow.USER32(00000000,00000009), ref: 004460B4
IsWindowEnabled.USER32(00000000), ref: 004460D3
DefWindowProcA.USER32(?,00000112,0000F120,00000000), ref: 004460EC

Part of subcall function 00444C44: ShowWindow.USER32(?,00000006), ref: 00444C5F

SetWindowPos.USER32(?,00000000,00000000,?,?,00445ABE,00000000), ref: 00446132
SetFocus.USER32(00000000), ref: 00446180

Part of subcall function 0043FDB4: ShowWindow.USER32(00000000,?), ref: 0043FDEA

Part of subcall function 00445490: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000213), ref: 004454DE

Part of subcall function 004455EC: EnumWindows.USER32(00445518,00000000), ref: 00445620
Part of subcall function 004455EC: ShowWindow.USER32(?,00000000), ref: 00445655
Part of subcall function 004455EC: ShowOwnedPopups.USER32(00000000,?), ref: 00445684
Part of subcall function 004455EC: ShowWindow.USER32(?,00000005), ref: 004456EA
Part of subcall function 004455EC: ShowOwnedPopups.USER32(00000000,?), ref: 00445719

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426564, Relevance: 9.1, APIs: 6, Instructions: 84 Total matches: 3298

Similarity

Total matches: 3298
API ID: GetDeviceCapsGetSystemMetrics$GetDCReleaseDC
String ID:
API String ID: 3173458388-0
Opcode ID: fd9f4716da230ae71bf1f4ec74ceb596be8590d72bfe1d7677825fa15454f496
Instruction ID: 76208f8db54bfa31a4e946745ab37a866a8afca9cd7e1400b1f436bf5add317d
Opcode Fuzzy Hash: 0CF09E4906CDE0A230E245C41213F6290C28E85DA1CCD2F728175646EB900A900BB68A
Instruction Fuzzy Hash: 76208f8db54bfa31a4e946745ab37a866a8afca9cd7e1400b1f436bf5add317d

APIs

GetSystemMetrics.USER32(0000000B), ref: 004265B2
GetSystemMetrics.USER32(0000000C), ref: 004265BE
GetDC.USER32(00000000), ref: 004265DA
GetDeviceCaps.GDI32(00000000,0000000E), ref: 00426601
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042660E
ReleaseDC.USER32(00000000,00000000), ref: 00426647

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004269DC, Relevance: 9.1, APIs: 6, Instructions: 65 Total matches: 3081window

Similarity

Total matches: 3081
API ID: SelectPalette$CreateCompatibleDCDeleteDCGetDIBitsRealizePalette
String ID:
API String ID: 940258532-0
Opcode ID: c5678bed85b02f593c88b8d4df2de58c18800a354d7fb4845608846d7bc0f30b
Instruction ID: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194
Opcode Fuzzy Hash: BCE0864D058EF36F1875B08C25D267100C0C9A25D0917BB6151282339B8F09B42FE553
Instruction Fuzzy Hash: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194

APIs

Part of subcall function 00426888: GetObjectA.GDI32(?,00000054), ref: 0042689C

CreateCompatibleDC.GDI32(00000000), ref: 004269FE
SelectPalette.GDI32(?,?,00000000), ref: 00426A1F
RealizePalette.GDI32(?), ref: 00426A2B
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 00426A42
SelectPalette.GDI32(?,00000000,00000000), ref: 00426A6A
DeleteDC.GDI32(?), ref: 00426A73

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426210, Relevance: 9.1, APIs: 6, Instructions: 56 Total matches: 3064window

Similarity

Total matches: 3064
API ID: SelectObject$CreateCompatibleDCCreatePaletteDeleteDCGetDIBColorTable
String ID:
API String ID: 2522673167-0
Opcode ID: 8f0861977a40d6dd0df59c1c8ae10ba78c97ad85d117a83679491ebdeecf1838
Instruction ID: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265
Opcode Fuzzy Hash: 23E0CD8BABB4E08A797B9EA40440641D28F874312DF4347525731780E7DE0972EBFD9D
Instruction Fuzzy Hash: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265

APIs

CreateCompatibleDC.GDI32(00000000), ref: 00426229
SelectObject.GDI32(00000000,00000000), ref: 00426232
GetDIBColorTable.GDI32(00000000,00000000,00000100,?), ref: 00426246
SelectObject.GDI32(00000000,00000000), ref: 00426252
DeleteDC.GDI32(00000000), ref: 00426258
CreatePalette.GDI32 ref: 0042629F

Part of subcall function 00426178: GetDC.USER32(00000000), ref: 00426190
Part of subcall function 00426178: GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
Part of subcall function 00426178: ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004258EC, Relevance: 9.0, APIs: 6, Instructions: 43 Total matches: 3205

Similarity

Total matches: 3205
API ID: SetBkColorSetBkMode$SelectObjectUnrealizeObject
String ID:
API String ID: 865388446-0
Opcode ID: ffaa839b37925f52af571f244b4bcc9ec6d09047a190f4aa6a6dd435522a71e3
Instruction ID: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d
Opcode Fuzzy Hash: 04D09E594221F71A98E8058442D7D520586497D532DAF3B51063B173F7F8089A05D9FC
Instruction Fuzzy Hash: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d

APIs

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

UnrealizeObject.GDI32(00000000), ref: 004258F8
SelectObject.GDI32(?,00000000), ref: 0042590A
SetBkColor.GDI32(?,00000000), ref: 0042592D
SetBkMode.GDI32(?,00000002), ref: 00425938

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(?,00000000), ref: 00425953
SetBkMode.GDI32(?,00000001), ref: 0042595E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042A930, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 112 Total matches: 272window

Similarity

Total matches: 272
API ID: CreateHalftonePaletteDeleteObjectGetDCReleaseDC
String ID: (
API String ID: 5888407-3887548279
Opcode ID: 4e22601666aff46a46581565b5bf303763a07c2fd17868808ec6dd327d665c82
Instruction ID: f57f3c124764741b0e8e00b5455ad9be4a6e3969f543885727e4b1f2e22c0620
Opcode Fuzzy Hash: 79019E5241CC6117F8D7A6547852F732644AB806A5C80FB707B69BA8CFAB85610EB90B
Instruction Fuzzy Hash: f57f3c124764741b0e8e00b5455ad9be4a6e3969f543885727e4b1f2e22c0620

APIs

GetDC.USER32(00000000), ref: 0042A9EC
CreateHalftonePalette.GDI32(00000000), ref: 0042A9F9
ReleaseDC.USER32(00000000,00000000), ref: 0042AA08
DeleteObject.GDI32(00000000), ref: 0042AA76

Strings

(, xrefs: 0042A9A3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DA48, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 102 Total matches: 32

Similarity

Total matches: 32
API ID: Netbios
String ID: %.2x-%.2x-%.2x-%.2x-%.2x-%.2x$3$memory allocation failed!
API String ID: 544444789-2654533857
Opcode ID: 22deb5ba4c8dd5858e69645675ac88c4b744798eed5cc2a6ae80ae5365d1f156
Instruction ID: 205d53b38d78d2d0723284a20418f6a6cc2e9f6e34ee92e133a3f4b1a01c78c5
Opcode Fuzzy Hash: FC0145449793E233D2635E086C60F6823228F41731FC96B56863A557DC1F09420EF26F
Instruction Fuzzy Hash: 205d53b38d78d2d0723284a20418f6a6cc2e9f6e34ee92e133a3f4b1a01c78c5

APIs

Netbios.NETAPI32(00000032), ref: 0048DA8A
Netbios.NETAPI32(00000033), ref: 0048DB01

Strings

3, xrefs: 0048DACB
memory allocation failed!, xrefs: 0048DAEB
%.2x-%.2x-%.2x-%.2x-%.2x-%.2x, xrefs: 0048DBA0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446EDC, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 98 Total matches: 12timethreadwindow

Similarity

Total matches: 12
API ID: GetCurrentThreadIdSetTimerWaitMessage
String ID: 4PI$TfD
API String ID: 3709936073-2665388893
Opcode ID: a96b87b76615ec2f6bd9a49929a256f28b564bdc467e68e118c3deca706b2d51
Instruction ID: b92290f9b4a80c848b093905c5717a31533565e16cff7f57329368dd8290fbf7
Opcode Fuzzy Hash: E2F0A28141CDF053D573A6183401FD120A6F3465D5CD097723768360EE1ADF603DE14B
Instruction Fuzzy Hash: b92290f9b4a80c848b093905c5717a31533565e16cff7f57329368dd8290fbf7

APIs

Part of subcall function 00446E50: GetCursorPos.USER32 ref: 00446E57

SetTimer.USER32(00000000,00000000,?,00446E74), ref: 00446FAB

Part of subcall function 00446DEC: IsWindowVisible.USER32(00000000), ref: 00446E24
Part of subcall function 00446DEC: IsWindowEnabled.USER32(00000000), ref: 00446E35

GetCurrentThreadId.KERNEL32(00000000,00447029,?,?,?,015B8130), ref: 00446FE5
WaitMessage.USER32 ref: 00447009

Part of subcall function 0041F7B4: GetCurrentThreadId.KERNEL32 ref: 0041F7BF
Part of subcall function 0041F7B4: GetCurrentThreadId.KERNEL32 ref: 0041F7CE
Part of subcall function 0041F7B4: EnterCriticalSection.KERNEL32(004999D0), ref: 0041F813
Part of subcall function 0041F7B4: InterlockedExchange.KERNEL32(00491B2C,?), ref: 0041F82F
Part of subcall function 0041F7B4: LeaveCriticalSection.KERNEL32(004999D0,00000000,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F888
Part of subcall function 0041F7B4: EnterCriticalSection.KERNEL32(004999D0,0041F904,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F8F7

Strings

TfD, xrefs: 00446EFE, 00446F08, 00446F59, 00446F81, 00446FBE, 00446F8E, 00446F69, 00446F6C, 00446F14, 00446F1D
4PI, xrefs: 00446FEA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482320, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85 Total matches: 19threadsleep

Similarity

Total matches: 19
API ID: CreateThreadExitThreadSleep
String ID: @$BTRESULTUDP Flood|UDP Flood task finished!|
API String ID: 2170526433-696998096
Opcode ID: 89b2bcb3a41e7f4c01433908cc75e320bbcd6b665df0f15f136d145bd92b223a
Instruction ID: ba785c08286949be7b8d16e5cc6bc2a647116c61844ba5f345475ef84eb05628
Opcode Fuzzy Hash: F0F02B696BCAA1DFE8075C446C42B9B2054DBC740EDCBA7B2261B235819A4A34073F13
Instruction Fuzzy Hash: ba785c08286949be7b8d16e5cc6bc2a647116c61844ba5f345475ef84eb05628

APIs

Sleep.KERNEL32(00000064,?,00000000,00482455), ref: 004823D3
CreateThread.KERNEL32(00000000,00000000,Function_000821A0,00000000,00000000,?), ref: 004823E8

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000,00000000,00000000,Function_000821A0,00000000,00000000,?,00000064,?,00000000,00482455), ref: 0048242B

Strings

@, xrefs: 004823BE
BTRESULTUDP Flood|UDP Flood task finished!|, xrefs: 00482417

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004827C4, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85 Total matches: 19threadsleep

Similarity

Total matches: 19
API ID: CreateThreadExitThreadSleep
String ID: @$BTRESULTSyn Flood|Syn task finished!|
API String ID: 2170526433-491318438
Opcode ID: 44470ceb4039b0deeebf49dfd608d8deeadfb9ebb9d7d747ae665e3d160d324e
Instruction ID: 0c48cfc9b202c7a9406c9b87cea66b669ffe7f04b2bdabee49179f6eebcccd33
Opcode Fuzzy Hash: 17F02B24A7D9B5DFEC075D402D42BDB6254EBC784EDCAA7B29257234819E1A30037713
Instruction Fuzzy Hash: 0c48cfc9b202c7a9406c9b87cea66b669ffe7f04b2bdabee49179f6eebcccd33

APIs

Sleep.KERNEL32(00000064,?,00000000,004828F9), ref: 00482877
CreateThread.KERNEL32(00000000,00000000,Function_00082630,00000000,00000000,?), ref: 0048288C

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000,00000000,00000000,Function_00082630,00000000,00000000,?,00000064,?,00000000,004828F9), ref: 004828CF

Strings

BTRESULTSyn Flood|Syn task finished!|, xrefs: 004828BB
@, xrefs: 00482862

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00483858, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85 Total matches: 19threadsleep

Similarity

Total matches: 19
API ID: CreateThreadExitThreadSleep
String ID: @$BTRESULTHTTP Flood|Http Flood task finished!|
API String ID: 2170526433-4253556105
Opcode ID: ce1973b24f73c03e98cc87b7d8b3c5c1d23a0e8b985775cb0889d2fdef58f970
Instruction ID: 21c0fad9eccbf28bfd57fbbbc49df069a42e3d2ebba60de991032031fecca495
Opcode Fuzzy Hash: 5DF0F61467DBA0AFEC476D403852FDB6254DBC344EDCAA7B2961B234919A0B50072752
Instruction Fuzzy Hash: 21c0fad9eccbf28bfd57fbbbc49df069a42e3d2ebba60de991032031fecca495

APIs

Sleep.KERNEL32(00000064,?,00000000,0048398D), ref: 0048390B
CreateThread.KERNEL32(00000000,00000000,Function_000836D8,00000000,00000000,?), ref: 00483920

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000,00000000,00000000,Function_000836D8,00000000,00000000,?,00000064,?,00000000,0048398D), ref: 00483963

Strings

@, xrefs: 004838F6
BTRESULTHTTP Flood|Http Flood task finished!|, xrefs: 0048394F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00431630, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68 Total matches: 12clipboard

Similarity

Total matches: 12
API ID: EnumClipboardFormatsGetClipboardData
String ID: 84B
API String ID: 3474394156-4139892337
Opcode ID: cbdc4fb4fee60523561006c9190bf0aca0ea1a398c4033ec61a61d99ebad6b44
Instruction ID: f1c5519afed1b0c95f7f2342b940afc2bc63d918938f195d0c151ba0fb7a00cb
Opcode Fuzzy Hash: 42E0D8922359D127F8C2A2903882B52360966DA6488405B709B6D7D1575551512FF28B
Instruction Fuzzy Hash: f1c5519afed1b0c95f7f2342b940afc2bc63d918938f195d0c151ba0fb7a00cb

APIs

EnumClipboardFormats.USER32(00000000), ref: 00431657
GetClipboardData.USER32(00000000), ref: 00431677
GetClipboardData.USER32(00000009), ref: 00431680
EnumClipboardFormats.USER32(00000000), ref: 0043169F

Strings

84B, xrefs: 00431665

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EA7C, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50 Total matches: 198thread

Similarity

Total matches: 198
API ID: FindWindowExGetCurrentThreadIdGetWindowThreadProcessIdIsWindow
String ID: OleMainThreadWndClass
API String ID: 201132107-3883841218
Opcode ID: cdbacb71e4e8a6832b821703e69153792bbbb8731c9381be4d3b148a6057b293
Instruction ID: 62358f18f5a79d764869bf2b093b0b3ccaeb62bda00a46bd1094c38cdaeeb6b7
Opcode Fuzzy Hash: F8E08C9266CC1095C039EA1C7A2237A3548B7D24E9ED4DB747BEB2716CEF00022A7780
Instruction Fuzzy Hash: 62358f18f5a79d764869bf2b093b0b3ccaeb62bda00a46bd1094c38cdaeeb6b7

APIs

Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00000000,00403029), ref: 004076AD
Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00403029), ref: 004076BE

IsWindow.USER32(?), ref: 0042EA99
FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
GetCurrentThreadId.KERNEL32(?,00000000,00000000,00000000,OleMainThreadWndClass,00000000,?,?,00000000,0042EB52), ref: 0042EB0A

Strings

OleMainThreadWndClass, xrefs: 0042EAC3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043F914, Relevance: 7.7, APIs: 5, Instructions: 174 Total matches: 113window

Similarity

Total matches: 113
API ID: SetMenu$GetMenuSetWindowPos
String ID:
API String ID: 2285096500-0
Opcode ID: d0722823978f30f9d251a310f9061108e88e98677dd122370550f2cde24528f3
Instruction ID: e705ced47481df034b79e2c10a9e9c5239c9913cd23e0c77b7b1ec0a0db802ed
Opcode Fuzzy Hash: 5F118B40961E1266F846164C19EAF1171E6BB9D305CC4E72083E630396BE085027E773
Instruction Fuzzy Hash: e705ced47481df034b79e2c10a9e9c5239c9913cd23e0c77b7b1ec0a0db802ed

APIs

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetMenu.USER32(00000000), ref: 0043FA38
SetMenu.USER32(00000000,00000000), ref: 0043FA55
SetMenu.USER32(00000000,00000000), ref: 0043FA8A
SetMenu.USER32(00000000,00000000), ref: 0043FAA6

Part of subcall function 0043F84C: GetMenu.USER32(00000000), ref: 0043F892
Part of subcall function 0043F84C: SendMessageA.USER32(00000000,00000230,00000000,00000000), ref: 0043F8AA
Part of subcall function 0043F84C: DrawMenuBar.USER32(00000000), ref: 0043F8BB

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043FAED

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434AE4, Relevance: 7.7, APIs: 5, Instructions: 168 Total matches: 2874

Similarity

Total matches: 2874
API ID: DrawTextOffsetRect$DrawEdge
String ID:
API String ID: 1230182654-0
Opcode ID: 4033270dfa35f51a11e18255a4f5fd5a4a02456381e8fcea90fa62f052767fcc
Instruction ID: 6b9e5ef3b45a4a7d0cb501c9f56a29ead01efbe1e1581f942ef4c6a165ab8663
Opcode Fuzzy Hash: A511CB01114D5A93E431240815A7FEF1295FBC1A9BCD4BB71078636DBB2F481017EA7B
Instruction Fuzzy Hash: 6b9e5ef3b45a4a7d0cb501c9f56a29ead01efbe1e1581f942ef4c6a165ab8663

APIs

DrawEdge.USER32(00000000,?,00000006,00000002), ref: 00434BB3
OffsetRect.USER32(?,00000001,00000001), ref: 00434C04
DrawTextA.USER32(00000000,00000000,?,?,?), ref: 00434C3D
OffsetRect.USER32(?,000000FF,000000FF), ref: 00434C4A

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

DrawTextA.USER32(00000000,00000000,?,?,?), ref: 00434CB5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00473208, Relevance: 7.6, APIs: 5, Instructions: 114 Total matches: 15network

Similarity

Total matches: 15
API ID: inet_ntoa$WSAIoctlclosesocketsocket
String ID:
API String ID: 2271367613-0
Opcode ID: 03e2a706dc22aa37b7c7fcd13714bf4270951a4113eb29807a237e9173ed7bd6
Instruction ID: 676ba8df3318004e6f71ddf2b158507320f00f5068622334a9372202104f6e6f
Opcode Fuzzy Hash: A0F0AC403B69D14384153BC72A80F5971A2872F33ED4833999230986D7984CA018F529
Instruction Fuzzy Hash: 676ba8df3318004e6f71ddf2b158507320f00f5068622334a9372202104f6e6f

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00473339), ref: 0047323B
WSAIoctl.WS2_32(000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000), ref: 0047327C
inet_ntoa.WSOCK32(?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000), ref: 004732AC
inet_ntoa.WSOCK32(?,?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001), ref: 004732E8
closesocket.WSOCK32(000000FF,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000,00000000,00473339), ref: 00473319

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004455EC, Relevance: 7.6, APIs: 5, Instructions: 109 Total matches: 230

Similarity

Total matches: 230
API ID: ShowOwnedPopupsShowWindow$EnumWindows
String ID:
API String ID: 1268429734-0
Opcode ID: 27bb45b2951756069d4f131311b8216febb656800ffc3f7147a02f570a82fa35
Instruction ID: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc
Opcode Fuzzy Hash: 70012B5524E87325E2756D54B01C765A2239B0FF08CE6C6654AAE640F75E1E0132F78D
Instruction Fuzzy Hash: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc

APIs

EnumWindows.USER32(00445518,00000000), ref: 00445620
ShowWindow.USER32(?,00000000), ref: 00445655
ShowOwnedPopups.USER32(00000000,?), ref: 00445684
ShowWindow.USER32(?,00000005), ref: 004456EA
ShowOwnedPopups.USER32(00000000,?), ref: 00445719

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004878A4, Relevance: 7.6, APIs: 5, Instructions: 109 Total matches: 11memorythread

Similarity

Total matches: 11
API ID: CloseHandleCreateThreadEnterCriticalSectionLeaveCriticalSectionLocalAlloc
String ID:
API String ID: 3024079611-0
Opcode ID: 4dd964c7e1c4b679be799535e5517f4cba33e810e34606c0a9d5c033aa3fe8c9
Instruction ID: efb3d4a77ffd09126bc7d7eb87c1fe64908b5695ecb93dc64bf5137c0ac50147
Opcode Fuzzy Hash: 7E01288913DAD457BD6068883C86EE705A95BA2508E0C67B34F2E392834F1A5125F283
Instruction Fuzzy Hash: efb3d4a77ffd09126bc7d7eb87c1fe64908b5695ecb93dc64bf5137c0ac50147

APIs

EnterCriticalSection.KERNEL32(0049C3A8,00000000,00487A08), ref: 004878F3

Part of subcall function 00487318: EnterCriticalSection.KERNEL32(0049C3A8,00000000,00487468,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00487347
Part of subcall function 00487318: LeaveCriticalSection.KERNEL32(0049C3A8,0048744D,00487468,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00487440

LocalAlloc.KERNEL32(00000040,00000010,?,0049C3A8,00000000,00487A08), ref: 0048795A
CreateThread.KERNEL32(00000000,00000000,Function_00086E2C,00000000,00000000,?), ref: 004879AE
CloseHandle.KERNEL32(00000000), ref: 004879B4
LeaveCriticalSection.KERNEL32(0049C3A8,004879D8,Function_00086E2C,00000000,00000000,?,00000040,00000010,?,0049C3A8,00000000,00487A08), ref: 004879CB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EB3C, Relevance: 7.6, APIs: 5, Instructions: 86 Total matches: 211window

Similarity

Total matches: 211
API ID: DispatchMessageMsgWaitForMultipleObjectsExPeekMessageTranslateMessageWaitForMultipleObjectsEx
String ID:
API String ID: 1615661765-0
Opcode ID: ed928f70f25773e24e868fbc7ee7d77a1156b106903410d7e84db0537b49759f
Instruction ID: 55a40452e6c929106030349fb2bc1598364ce2fc4e781c2a916e8f687fa462b2
Opcode Fuzzy Hash: DDF05C09614F1D16D8BB88644562B1B2144AB42397C26BFA5529EE3B2D6B18B00AF640
Instruction Fuzzy Hash: 55a40452e6c929106030349fb2bc1598364ce2fc4e781c2a916e8f687fa462b2

APIs

Part of subcall function 0042EA7C: IsWindow.USER32(?), ref: 0042EA99
Part of subcall function 0042EA7C: FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
Part of subcall function 0042EA7C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
Part of subcall function 0042EA7C: GetCurrentThreadId.KERNEL32(?,00000000,00000000,00000000,OleMainThreadWndClass,00000000,?,?,00000000,0042EB52), ref: 0042EB0A

MsgWaitForMultipleObjectsEx.USER32(?,?,?,000000BF,?), ref: 0042EB6A
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 0042EB85
TranslateMessage.USER32(?), ref: 0042EB92
DispatchMessageA.USER32(?), ref: 0042EB9B
WaitForMultipleObjectsEx.KERNEL32(?,?,?,?,00000000), ref: 0042EBC7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434924, Relevance: 7.6, APIs: 5, Instructions: 77 Total matches: 2509window

Similarity

Total matches: 2509
API ID: GetMenuItemCount$DestroyMenuGetMenuStateRemoveMenu
String ID:
API String ID: 4240291783-0
Opcode ID: 32de4ad86fdb0cc9fc982d04928276717e3a5babd97d9cb0bc7430a9ae97d0ca
Instruction ID: cf6877f9ad33401498591f2bf6e6844a5ca439f59e89e6fdb213c81f0c010526
Opcode Fuzzy Hash: 6BE02BD3455E4703F425AB0454E3FA913C4AF51716DA0DB1017359D07B1F26501FE9F4
Instruction Fuzzy Hash: cf6877f9ad33401498591f2bf6e6844a5ca439f59e89e6fdb213c81f0c010526

APIs

Part of subcall function 00434A54: CreatePopupMenu.USER32 ref: 00434A6F
Part of subcall function 00434A54: CreateMenu.USER32 ref: 00434A79

GetMenuItemCount.USER32(00000000), ref: 0043495C
GetMenuState.USER32(00000000,-00000001,00000400), ref: 0043497D
RemoveMenu.USER32(00000000,-00000001,00000400), ref: 00434994
GetMenuItemCount.USER32(00000000), ref: 004349C4
DestroyMenu.USER32(00000000), ref: 004349D1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00443430, Relevance: 7.6, APIs: 5, Instructions: 61 Total matches: 3003

Similarity

Total matches: 3003
API ID: SetWindowLong$GetWindowLongRedrawWindowSetLayeredWindowAttributes
String ID:
API String ID: 3761630487-0
Opcode ID: 9c9d49d1ef37d7cb503f07450c0d4a327eb9b2b4778ec50dcfdba666c10abcb3
Instruction ID: c6d9d2cd31c241e86b7d90949bf59b5cad1e27a78e0073c3828bbb8e9ec94880
Opcode Fuzzy Hash: 6AE06550D41703A1D48114945B63FBBE8817F8911DDE5C71001BA29145BA88A192FF7B
Instruction Fuzzy Hash: c6d9d2cd31c241e86b7d90949bf59b5cad1e27a78e0073c3828bbb8e9ec94880

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 00443464
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 00443496
SetLayeredWindowAttributes.USER32(00000000,?,?,00000000), ref: 004434CF
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 004434E8
RedrawWindow.USER32(00000000,00000000,00000000,00000485), ref: 004434FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426178, Relevance: 7.6, APIs: 5, Instructions: 55 Total matches: 3070window

Similarity

Total matches: 3070
API ID: GetPaletteEntries$GetDCGetDeviceCapsReleaseDC
String ID:
API String ID: 1267235336-0
Opcode ID: 49f91625e0dd571c489fa6fdad89a91e8dd79834746e98589081ca7a3a4fea17
Instruction ID: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836
Opcode Fuzzy Hash: 7CD0C2AA1389DBD6BD6A17842352A4553478983B09D126B32EB0822872850C5039FD1F
Instruction Fuzzy Hash: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836

APIs

GetDC.USER32(00000000), ref: 00426190
GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444B90, Relevance: 7.5, APIs: 5, Instructions: 25 Total matches: 2957synchronizationthread

Similarity

Total matches: 2957
API ID: CloseHandleGetCurrentThreadIdSetEventUnhookWindowsHookExWaitForSingleObject
String ID:
API String ID: 3442057731-0
Opcode ID: bc40a7f740796d43594237fc13166084f8c3b10e9e48d5138e47e82ca7129165
Instruction ID: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1
Opcode Fuzzy Hash: E9C01296B2C9B0C1EC809712340202800B20F8FC590E3DE0509D7363005315D73CD92C
Instruction Fuzzy Hash: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1

APIs

UnhookWindowsHookEx.USER32(00000000), ref: 00444B9F
SetEvent.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBA
GetCurrentThreadId.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBF
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00444BD4
CloseHandle.KERNEL32(00000000), ref: 00444BDF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00487488, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 155 Total matches: 10

Similarity

Total matches: 10
API ID: EnterCriticalSectionLeaveCriticalSectionclosesocket
String ID: FpH
API String ID: 290008508-3698235444
Opcode ID: be6004bcf5111565a748ebf748fe8f94cb6dfae83d2399967abd75ac40b7e6c4
Instruction ID: 3d9c9e21102527a3ccf10666a7ac4716c4c3e43fa569496a7f805cea37bff582
Opcode Fuzzy Hash: 2C11B6219B4656ABDD15ED006C8F38532AE1BABCCAD9A83F2B27F3545E1A0331057292
Instruction Fuzzy Hash: 3d9c9e21102527a3ccf10666a7ac4716c4c3e43fa569496a7f805cea37bff582

APIs

EnterCriticalSection.KERNEL32(0049C3A8,00000000,00487671,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00487016), ref: 004874B5
closesocket.WSOCK32(00000000,FpH,?,?,?,?,0049C3A8,00000000,00487671,?,?,00000000,?,00000000,00000000,00000000), ref: 0048761C
LeaveCriticalSection.KERNEL32(0049C3A8,00487656,00487671,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00487016), ref: 00487649

Strings

FpH, xrefs: 004875BE, 004875C1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040D670, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148 Total matches: 3566thread

Similarity

Total matches: 3566
API ID: GetThreadLocale
String ID: eeee$ggg$yyyy
API String ID: 1366207816-1253427255
Opcode ID: 86fa1fb3c1f239f42422769255d2b4db7643f856ec586a18d45da068e260c20e
Instruction ID: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436
Opcode Fuzzy Hash: 3911BD8712648363D5722818A0D2BE3199C5703CA4EA89742DDB6356EA7F09440BEE6D
Instruction Fuzzy Hash: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436

APIs

GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Strings

eeee, xrefs: 0040D7AE
yyyy, xrefs: 0040D795
ggg, xrefs: 0040D785

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00448CDC, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 128 Total matches: 12

Similarity

Total matches: 12
API ID: ImageList_Draw$ImageList_GetImageCount
String ID: 6B
API String ID: 3589308897-1343726390
Opcode ID: 2690fd2ca55b1b65e67941613c6303a21faec12a0278fdf56c2d44981dc0a60c
Instruction ID: bb1a6af48a08526224ce615e4789a1aefef0bbae6c761038034d4d1812f59c35
Opcode Fuzzy Hash: D8017B814A5DA09FF93335842AE32BB204AE757E4ACCC3FF13684275C78420722BB613
Instruction Fuzzy Hash: bb1a6af48a08526224ce615e4789a1aefef0bbae6c761038034d4d1812f59c35

APIs

ImageList_GetImageCount.COMCTL32(?,?,?,00000000,00448E75), ref: 00448D9D

Part of subcall function 0042535C: FillRect.USER32(?,00000000,00000000), ref: 00425385

ImageList_Draw.COMCTL32(?,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000,00448E75), ref: 00448DDF
ImageList_Draw.COMCTL32(?,00000000,00000000,00000000,00000000,00000010,?,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 00448E0E

Part of subcall function 004488AC: ImageList_Add.COMCTL32(?,00000000,00000000,00000000,0044893E,?,00000000,0044895B), ref: 00448920

Strings

6B, xrefs: 00448D1F, 00448D58

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486094, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 112 Total matches: 15window

Similarity

Total matches: 15
API ID: DispatchMessagePeekMessageTranslateMessage
String ID: @^H
API String ID: 185851025-3554995626
Opcode ID: 2132e19746abd73b79cebe2d4e6b891fdd392e5cfbbdda1538f9754c05474f80
Instruction ID: eb76ea1802a2b415b8915c5eabc8b18207f4e99a378ecd2f436d0820f5175207
Opcode Fuzzy Hash: FF019C4102C7C1D9EE46E4FD3030BC3A454A74A7A6D89A7A03EFD1116A5F8A7116BF2B
Instruction Fuzzy Hash: eb76ea1802a2b415b8915c5eabc8b18207f4e99a378ecd2f436d0820f5175207

APIs

Part of subcall function 00485EAC: shutdown.WSOCK32(00000000,00000002), ref: 00485F0E
Part of subcall function 00485EAC: closesocket.WSOCK32(00000000,00000000,00000002), ref: 00485F19

Part of subcall function 00485F40: socket.WSOCK32(00000002,00000001,00000000,00000000,00486072), ref: 00485F69
Part of subcall function 00485F40: ntohs.WSOCK32(00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485F8F
Part of subcall function 00485F40: inet_addr.WSOCK32(015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FA0
Part of subcall function 00485F40: gethostbyname.WSOCK32(015EAA88,015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FB5
Part of subcall function 00485F40: connect.WSOCK32(00000000,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FD8
Part of subcall function 00485F40: recv.WSOCK32(00000000,0049A3A0,00001FFF,00000000,00000000,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FEF
Part of subcall function 00485F40: recv.WSOCK32(00000000,0049A3A0,00001FFF,00000000,00000000,0049A3A0,00001FFF,00000000,00000000,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000), ref: 0048603F

Part of subcall function 00466AFC: waveInOpen.WINMM(00000094,00000000,?,?,00000000,00010004), ref: 00466B36
Part of subcall function 00466AFC: waveInStart.WINMM(?), ref: 00466B5B

TranslateMessage.USER32(?), ref: 004861CA
DispatchMessageA.USER32(?), ref: 004861D0
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004861DE

Strings

@^H, xrefs: 004860BE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F5E4, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72 Total matches: 26window

Similarity

Total matches: 26
API ID: GetWindowPlacementGetWindowTextIsWindowVisible
String ID: ,
API String ID: 41250382-3772416878
Opcode ID: d98ece8bad481757d152ad7594c705093dec75069e9b5f9ec314c4d81001c558
Instruction ID: 1b57460ef1e40e225087e69e669dd845b9a56fe4f5442601256b4cdd4d0865f6
Opcode Fuzzy Hash: DBE0ABC68782816BD907FDCCB0207E6E1E4779394CC8CBB32C606396E44D92000DCE69
Instruction Fuzzy Hash: 1b57460ef1e40e225087e69e669dd845b9a56fe4f5442601256b4cdd4d0865f6

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F634
GetWindowPlacement.USER32(?,0000002C), ref: 0046F64F
IsWindowVisible.USER32(?), ref: 0046F655

Strings

,, xrefs: 0046F643

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00473448, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 68 Total matches: 15network

Similarity

Total matches: 15
API ID: InternetConnectInternetOpen
String ID: 84G$DCSC
API String ID: 2368555255-1372800958
Opcode ID: 53ce43b2210f5c6ad3b551091bc6b8bee07640da22ed1286f4ed4d69da6ab12a
Instruction ID: e0797c740093838c5f4dac2a7ddd4939bcbe40ebc838de26f806c335dc33f113
Opcode Fuzzy Hash: 1AF0558C09DC81CBED14B5C83C827C7281AB357949E003B91161A372C3DF0A6174FA4F
Instruction Fuzzy Hash: e0797c740093838c5f4dac2a7ddd4939bcbe40ebc838de26f806c335dc33f113

APIs

InternetOpenA.WININET(DCSC,00000000,00000000,00000000,00000000), ref: 00473493
InternetConnectA.WININET(00000000,00000000,00000000,00000000,00000000,00000001,08000000,00000000), ref: 004734D9

Strings

DCSC, xrefs: 0047348E
84G, xrefs: 00473468, 0047350F, 004734AF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00485150, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64 Total matches: 24registry

Similarity

Total matches: 24
API ID: RegCloseKeyRegOpenKeyRegSetValueEx
String ID: Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 551737238-1428018034
Opcode ID: 03d06dea9a4ea131a8c95bd501c85e7d0b73df60e0a15cb9a2dd1ac9fe2d308f
Instruction ID: 259808f008cd29689f11a183a475b32bbb219f99a0f83129d86369365ce9f44d
Opcode Fuzzy Hash: 15E04F8517EAE2ABA996B5C838866F7609A9713790F443FB19B742F18B4F04601CE243
Instruction Fuzzy Hash: 259808f008cd29689f11a183a475b32bbb219f99a0f83129d86369365ce9f44d

APIs

RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 00485199
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,?,00000000,004851DE,?,00000000,0048520A), ref: 004851C6
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,?,00000000,004851DE,?,00000000,0048520A), ref: 004851CF

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 0048518F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004606CC, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 59 Total matches: 75network

Similarity

Total matches: 75
API ID: gethostbynameinet_addr
String ID: %d.%d.%d.%d$0.0.0.0
API String ID: 1594361348-464342551
Opcode ID: 7e59b623bdbf8c44b8bb58eaa9a1d1e7bf08be48a025104469b389075155053e
Instruction ID: 136b4077bafd549567cd44b702fc781b2d0bdeab701521d256d746d30229b047
Opcode Fuzzy Hash: 62E0D84049F633C28038E685914DF713041C71A2DEF8F9352022171EF72B096986AE3F
Instruction Fuzzy Hash: 136b4077bafd549567cd44b702fc781b2d0bdeab701521d256d746d30229b047

APIs

inet_addr.WSOCK32(00000000), ref: 004606F6
gethostbyname.WSOCK32(00000000), ref: 00460711

Strings

%d.%d.%d.%d, xrefs: 0046075E
0.0.0.0, xrefs: 0046076C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043804C, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58 Total matches: 1778window

Similarity

Total matches: 1778
API ID: DrawMenuBarGetMenuItemInfoSetMenuItemInfo
String ID: P
API String ID: 41131186-3110715001
Opcode ID: ea0fd48338f9c30b58f928f856343979a74bbe7af1b6c53973efcbd39561a32d
Instruction ID: eec9c326b6739cd85be96541f469f9b321a478421ae7c7aca53e0c239bd8eefe
Opcode Fuzzy Hash: C8E0C0C1064C1301CCACB4938564F010221FB8B33CDD1D3C051602419A9D0080D4BFFA
Instruction Fuzzy Hash: eec9c326b6739cd85be96541f469f9b321a478421ae7c7aca53e0c239bd8eefe

APIs

GetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 0043809A
SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 004380EC
DrawMenuBar.USER32(00000000), ref: 004380F9

Strings

P, xrefs: 0043808C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474E20, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51 Total matches: 17synchronizationthreadinjection

Similarity

Total matches: 17
API ID: CreateRemoteThreadReadProcessMemoryWaitForSingleObject
String ID: DCPERSFWBP
API String ID: 972516186-2425095734
Opcode ID: c4bd10bfc42c7bc3ca456a767018bd77f736aecaa9343146970cff40bb4593b6
Instruction ID: 075115d4d80338f80b59a5c3f9ea77aa0f3a1cab00edb24ce612801bf173fcc5
Opcode Fuzzy Hash: 63D0A70B97094A56102D348D54027154341A601775EC177E38E36873F719C17051F85E
Instruction Fuzzy Hash: 075115d4d80338f80b59a5c3f9ea77aa0f3a1cab00edb24ce612801bf173fcc5

APIs

Part of subcall function 00474DF0: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,00475328,?,?,00474E3D,DCPERSFWBP,?,?), ref: 00474E06
Part of subcall function 00474DF0: WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,00000000,?,00003000,00000040,?,?,00475328,?,?,00474E3D), ref: 00474E12

CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00474E5E
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00474E6E
ReadProcessMemory.KERNEL32(?,00000000,?,?,?,DCPERSFWBP,?,?), ref: 00474E81

Strings

DCPERSFWBP, xrefs: 00474E28

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C3E4, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47 Total matches: 32libraryloader

Similarity

Total matches: 32
API ID: FreeLibraryGetProcAddressLoadLibrary
String ID: _DCEntryPoint
API String ID: 2438569322-2130044969
Opcode ID: ab6be07d423f29e2cef18b5ad5ff21cef58c0bd0bd6b8b884c8bb9d8d911d098
Instruction ID: 3cba8b520013dd4b177f9c32272ffd10ecf318a20762e1e9fa694429cf7511db
Opcode Fuzzy Hash: B9D0C2568747D413C405200439407D90CF1AF8719F9967FA145303FAD76F09801B7527
Instruction Fuzzy Hash: 3cba8b520013dd4b177f9c32272ffd10ecf318a20762e1e9fa694429cf7511db

APIs

LoadLibraryA.KERNEL32(00000000), ref: 0048C431
GetProcAddress.KERNEL32(00000000,_DCEntryPoint,00000000,0048C473), ref: 0048C442
FreeLibrary.KERNEL32(00000000), ref: 0048C44A

Strings

_DCEntryPoint, xrefs: 0048C43C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E2E0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43 Total matches: 12

Similarity

Total matches: 12
API ID: GetSystemMetrics
String ID: B$MonitorFromRect
API String ID: 96882338-2754499530
Opcode ID: 1842a50c2a1cfa3c1025dca09d4f756f79199febb49279e4604648b2b7edb610
Instruction ID: 6b6d6292007391345a0dd43a7380953c143f03b3d0a4cb72f8cf2ff6a2a574f7
Opcode Fuzzy Hash: E0D0A791112CA408509A0917702924315EE35EBC1599C0BE6976B792E797CABD329E0D
Instruction Fuzzy Hash: 6b6d6292007391345a0dd43a7380953c143f03b3d0a4cb72f8cf2ff6a2a574f7

APIs

GetSystemMetrics.USER32(00000000), ref: 0042E331
GetSystemMetrics.USER32(00000001), ref: 0042E33D

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

MonitorFromRect, xrefs: 0042E2F5
B, xrefs: 0042E2FA, 0042E307, 0042E30E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00431584, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43 Total matches: 12clipboard

Similarity

Total matches: 12
API ID: GetClipboardDataGlobalLockGlobalUnlock
String ID: 3 H
API String ID: 1112492702-888106971
Opcode ID: 013a2f41e22a5f88135e53f1f30c1b54f125933eea5d15d528f5d163d4797a42
Instruction ID: db876d1a574ac817b8a3991f0ba770b49a36090bd3b886d1e57eba999d76a536
Opcode Fuzzy Hash: 53D0A7C3025DE267E991578C0053A92A6C0D8416087C063B0830C2E927031E50AB7063
Instruction Fuzzy Hash: db876d1a574ac817b8a3991f0ba770b49a36090bd3b886d1e57eba999d76a536

APIs

GetClipboardData.USER32(00000001), ref: 0043159A
GlobalLock.KERNEL32(00000000,00000000,004315F6), ref: 004315BA
GlobalUnlock.KERNEL32(00000000,004315FD), ref: 004315E8

Strings

3 H, xrefs: 00431590, 004315ED

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046D36C, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36 Total matches: 62

Similarity

Total matches: 62
API ID: ShellExecute
String ID: /k $[FILE]$open
API String ID: 2101921698-3009165984
Opcode ID: 68a05d7cd04e1a973318a0f22a03b327e58ffdc8906febc8617c9713a9b295c3
Instruction ID: d64fb813625eb261c687c2654e5203d30067de4ace02db37851750b48dd66fbf
Opcode Fuzzy Hash: FED0C75427CD9157FA017F8439527E61057E747281D481BE285587A0838F8D40659312
Instruction Fuzzy Hash: d64fb813625eb261c687c2654e5203d30067de4ace02db37851750b48dd66fbf

APIs

ShellExecuteA.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0046D3B9

Strings

/k , xrefs: 0046D39A
cmd.exe, xrefs: 0046D3AD
open, xrefs: 0046D3B2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042F9E4, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36 Total matches: 35libraryloader

Similarity

Total matches: 35
API ID: GetProcAddressLoadLibrary
String ID: DWMAPI.DLL$DwmExtendFrameIntoClientArea
API String ID: 3291547091-2956373744
Opcode ID: cc41b93bac7ef77e5c5829331b5f2d91e10911707bc9e4b3bb75284856726923
Instruction ID: 611aa7263024d751f308fb3d57e5af9092bc5a71ac2d52dead79affe02cb0da7
Opcode Fuzzy Hash: D0D0A7E4C08511B0F0509405703078241DE1BC5EEE8860E90150E533621B9FB827F65C
Instruction Fuzzy Hash: 611aa7263024d751f308fb3d57e5af9092bc5a71ac2d52dead79affe02cb0da7

APIs

LoadLibraryA.KERNEL32(DWMAPI.DLL), ref: 0042FA0E
GetProcAddress.KERNEL32(00000000,DwmExtendFrameIntoClientArea,?,?,?,00447F98), ref: 0042FA31

Strings

DWMAPI.DLL, xrefs: 0042FA09
DwmExtendFrameIntoClientArea, xrefs: 0042FA26

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042FA80, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31 Total matches: 41libraryloader

Similarity

Total matches: 41
API ID: GetProcAddressLoadLibrary
String ID: DWMAPI.DLL$DwmIsCompositionEnabled
API String ID: 3291547091-2128843254
Opcode ID: 903d86e3198bc805c96c7b960047695f5ec88b3268c29fda1165ed3f3bc36d22
Instruction ID: 6cdb37f6684ca359e010f835ed4616ce0f7732468e0f2b98b5f1960530870703
Opcode Fuzzy Hash: E3D0C9A5C0865175F571D509713068081FA23D6E8A8824998091A123225FAFB866F55C
Instruction Fuzzy Hash: 6cdb37f6684ca359e010f835ed4616ce0f7732468e0f2b98b5f1960530870703

APIs

LoadLibraryA.KERNEL32(DWMAPI.DLL), ref: 0042FAA6
GetProcAddress.KERNEL32(00000000,DwmIsCompositionEnabled,?,?,0042FB22,?,00447EFB), ref: 0042FAC9

Strings

DwmIsCompositionEnabled, xrefs: 0042FABE
DWMAPI.DLL, xrefs: 0042FAA1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040F4AC, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16 Total matches: 3137libraryloader

Similarity

Total matches: 3137
API ID: GetModuleHandleGetProcAddress
String ID: GetDiskFreeSpaceExA$[FILE]
API String ID: 1063276154-3559590856
Opcode ID: c33e0a58fb58839ae40c410e06ae8006a4b80140bf923832b2d6dbd30699e00d
Instruction ID: 9d6a6771c1a736381c701344b3d7b8e37c98dfc5013332f68a512772380f22cc
Opcode Fuzzy Hash: D8B09224E0D54114C4B4560930610013C82738A10E5019A820A1B720AA7CCEEA29603A
Instruction Fuzzy Hash: 9d6a6771c1a736381c701344b3d7b8e37c98dfc5013332f68a512772380f22cc

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0048F10B,00000000,0048F11E), ref: 0040F4B2
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA,kernel32.dll,?,0048F10B,00000000,0048F11E), ref: 0040F4C3

Strings

GetDiskFreeSpaceExA, xrefs: 0040F4BD
kernel32.dll, xrefs: 0040F4AD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EC20, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15 Total matches: 48libraryloader

Similarity

Total matches: 48
API ID: GetModuleHandleGetProcAddress
String ID: CoWaitForMultipleHandles$[FILE]
API String ID: 1063276154-3065170753
Opcode ID: c6d715972c75e747e6d7ad7506eebf8b4c41a2b527cd9bc54a775635c050cd0f
Instruction ID: d81c7de5bd030b21af5c52a75e3162b073d887a4de1eb555b8966bd0fb9ec815
Opcode Fuzzy Hash: 4DB012F9A0C9210CE55F44043163004ACF031C1B5F002FD461637827803F86F437631D
Instruction Fuzzy Hash: d81c7de5bd030b21af5c52a75e3162b073d887a4de1eb555b8966bd0fb9ec815

APIs

GetModuleHandleA.KERNEL32(ole32.dll,?,0042EC9A), ref: 0042EC26
GetProcAddress.KERNEL32(00000000,CoWaitForMultipleHandles,ole32.dll,?,0042EC9A), ref: 0042EC37

Strings

CoWaitForMultipleHandles, xrefs: 0042EC31
ole32.dll, xrefs: 0042EC21

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E724, Relevance: 6.2, APIs: 4, Instructions: 198 Total matches: 19

Similarity

Total matches: 19
API ID: NetApiBufferFree$NetShareEnumNetShareGetInfo
String ID:
API String ID: 1922012051-0
Opcode ID: 7e64b2910944434402afba410b58d9b92ec59018d54871fdfc00dd5faf96720b
Instruction ID: 14ccafa2cf6417a1fbed620c270814ec7f2ac7381c92f106b89344cab9500d3f
Opcode Fuzzy Hash: 522148C606BDA0ABF6A3B4C4B447FC182D07B0B96DE486B2290BABD5C20D9521079263
Instruction Fuzzy Hash: 14ccafa2cf6417a1fbed620c270814ec7f2ac7381c92f106b89344cab9500d3f

APIs

Part of subcall function 004032F8: GetCommandLineA.KERNEL32(00000000,00403349,?,?,?,00000000), ref: 0040330F

Part of subcall function 00403358: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,0046E763,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0040337C
Part of subcall function 00403358: GetCommandLineA.KERNEL32(?,?,?,0046E763,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0040338E

NetShareEnum.NETAPI32(?,00000000,?,000000FF,?,?,?,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0046E79C
NetShareGetInfo.NETAPI32(?,?,000001F6,?,00000000,0046E945,?,?,00000000,?,000000FF,?,?,?,00000000,0046E984), ref: 0046E7D5
NetApiBufferFree.NETAPI32(?,?,?,000001F6,?,00000000,0046E945,?,?,00000000,?,000000FF,?,?,?,00000000), ref: 0046E936
NetApiBufferFree.NETAPI32(?,?,00000000,?,000000FF,?,?,?,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0046E964

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00411444, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: 954335058d5fe722e048a186d9110509c96c1379a47649d8646f5b9e1a2e0a0b
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: 9D014B0327CAAA867021BB004882FA0D2D4DE52A369CD8774DB71593F62780571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004114F3
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041150F
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411586
VariantClear.OLEAUT32(?), ref: 004115AF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040D8AA, Relevance: 6.1, APIs: 4, Instructions: 101 Total matches: 2563

Similarity

Total matches: 2563
API ID: GetModuleFileName$LoadStringVirtualQuery
String ID:
API String ID: 2941097594-0
Opcode ID: 9f707685a8ca2ccbfc71ad53c7f9b5a8f910bda01de382648e3a286d4dcbad8b
Instruction ID: 9b6f9daabaaed01363acd1bc6df000eeaee8c5b1ee04e659690c8b100997f9f3
Opcode Fuzzy Hash: 4C014C024365E386F4234B112882F5492E0DB65DB1E8C6751EFB9503F65F40115EF72D
Instruction Fuzzy Hash: 9b6f9daabaaed01363acd1bc6df000eeaee8c5b1ee04e659690c8b100997f9f3

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040D8C9
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040D8ED
GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040D908
LoadStringA.USER32(00000000,0000FFED,?,00000100), ref: 0040D99E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428848, Relevance: 6.1, APIs: 4, Instructions: 83 Total matches: 2913window

Similarity

Total matches: 2913
API ID: CreateCompatibleDCRealizePaletteSelectObjectSelectPalette
String ID:
API String ID: 3833105616-0
Opcode ID: 7f49dee69bcd38fda082a6c54f39db5f53dba16227df2c2f18840f8cf7895046
Instruction ID: 29ada319a87402adac0eebea4d3b1ef9d21249ffa1523adf5174efdc3c3390a2
Opcode Fuzzy Hash: C0F0E5870BCED49BFCA7D484249722910C2F3C08DFC80A3324E55676DB9604B127A20B
Instruction Fuzzy Hash: 29ada319a87402adac0eebea4d3b1ef9d21249ffa1523adf5174efdc3c3390a2

APIs

Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE

Part of subcall function 00429D5C: GetDC.USER32(00000000), ref: 00429DB2
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429DC7
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00429DD1
Part of subcall function 00429D5C: CreateHalftonePalette.GDI32(00000000), ref: 00429DF5
Part of subcall function 00429D5C: ReleaseDC.USER32(00000000,00000000), ref: 00429E00

CreateCompatibleDC.GDI32(00000000), ref: 0042889D
SelectObject.GDI32(00000000,?), ref: 004288B6
SelectPalette.GDI32(00000000,?,000000FF), ref: 004288DF
RealizePalette.GDI32(00000000), ref: 004288EB

Part of subcall function 00425608: LeaveCriticalSection.KERNEL32(00000038,00000000,00423DD2,00423DE8), ref: 0042560F
Part of subcall function 00425608: EnterCriticalSection.KERNEL32(00499A30,00000038,00000000,00423DD2,00423DE8), ref: 00425619
Part of subcall function 00425608: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000038,00000000,00423DD2,00423DE8), ref: 00425626

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00470B94, Relevance: 6.1, APIs: 4, Instructions: 73 Total matches: 22file

Similarity

Total matches: 22
API ID: DragQueryFile$GlobalLockGlobalUnlock
String ID:
API String ID: 367920443-0
Opcode ID: 498cda1e803d17a6f5118466ea9165dd9226bd8025a920d397bde98fe09ca515
Instruction ID: b8ae27aaf29c7a970dfd4945759f76c89711bef1c6f8db22077be54f479f9734
Opcode Fuzzy Hash: F8F05C830F79E26BD5013A844E0179401A17B03DB8F147BB2D232729DC4E5D409DF60F
Instruction Fuzzy Hash: b8ae27aaf29c7a970dfd4945759f76c89711bef1c6f8db22077be54f479f9734

APIs

Part of subcall function 00431970: GetClipboardData.USER32(00000000), ref: 00431996

GlobalLock.KERNEL32(00000000,00000000,00470C74), ref: 00470BDE
DragQueryFileA.SHELL32(?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470BF0
DragQueryFileA.SHELL32(?,00000000,?,00000105,?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470C10
GlobalUnlock.KERNEL32(00000000,?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470C56

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00438710, Relevance: 6.1, APIs: 4, Instructions: 72 Total matches: 3034window

Similarity

Total matches: 3034
API ID: GetMenuItemIDGetMenuStateGetMenuStringGetSubMenu
String ID:
API String ID: 4177512249-0
Opcode ID: ecc45265f1f2dfcabc36b66648e37788e83d83d46efca9de613be41cbe9cf08e
Instruction ID: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d
Opcode Fuzzy Hash: BEE020084B1FC552541F0A4A1573F019140E142CB69C3F3635127565B31A255213F776
Instruction Fuzzy Hash: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d

APIs

GetMenuState.USER32(?,?,?), ref: 00438733
GetSubMenu.USER32(?,?), ref: 0043873E
GetMenuItemID.USER32(?,?), ref: 00438757
GetMenuStringA.USER32(?,?,?,?,?), ref: 004387AA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00445518, Relevance: 6.1, APIs: 4, Instructions: 71 Total matches: 218threadwindow

Similarity

Total matches: 218
API ID: GetCurrentProcessIdGetWindowGetWindowThreadProcessIdIsWindowVisible
String ID:
API String ID: 3659984437-0
Opcode ID: 6a2b99e3a66d445235cbeb6ae27631a3038d73fb4110980a8511166327fee1f0
Instruction ID: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8
Opcode Fuzzy Hash: 82E0AB21B2AA28AAE0971541B01939130B3F74ED9ACC0A3626F8594BD92F253809E74F
Instruction Fuzzy Hash: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8

APIs

GetWindow.USER32(?,00000004), ref: 00445528
GetWindowThreadProcessId.USER32(?,?), ref: 00445542
GetCurrentProcessId.KERNEL32(?,00000004), ref: 0044554E
IsWindowVisible.USER32(?), ref: 0044559E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B29C, Relevance: 6.1, APIs: 4, Instructions: 58 Total matches: 214window

Similarity

Total matches: 214
API ID: DeleteObject$GetIconInfoGetObject
String ID:
API String ID: 3019347292-0
Opcode ID: d6af2631bec08fa1cf173fc10c555d988242e386d2638a025981433367bbd086
Instruction ID: 7fbc048e39f9dd6e6db5f40543e5f161b145f4c2f282fe4a446dbd8e1941d375
Opcode Fuzzy Hash: F7D0C283228DE2F7ED767D983A636154085F782297C6423B00444730860A1E700C6A03
Instruction Fuzzy Hash: 7fbc048e39f9dd6e6db5f40543e5f161b145f4c2f282fe4a446dbd8e1941d375

APIs

GetIconInfo.USER32(?,?), ref: 0042B2BD
GetObjectA.GDI32(?,00000018,?), ref: 0042B2DE
DeleteObject.GDI32(?), ref: 0042B30A
DeleteObject.GDI32(?), ref: 0042B313

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00445334, Relevance: 6.1, APIs: 4, Instructions: 56 Total matches: 2678

Similarity

Total matches: 2678
API ID: EnumWindowsGetWindowGetWindowLongSetWindowPos
String ID:
API String ID: 1660305372-0
Opcode ID: c3d012854d63b95cd89c42a77d529bdce0f7c5ea0abc138a70ce1ca7fb0ed027
Instruction ID: 7947c1ee61b3a945b06f79495752ea495d4a1fb36974d9d540e15b721e8a8e8a
Opcode Fuzzy Hash: 65E07D89179DA114F52124400911F043342F3D731BD1ADF814246283E39B8522BBFB8C
Instruction Fuzzy Hash: 7947c1ee61b3a945b06f79495752ea495d4a1fb36974d9d540e15b721e8a8e8a

APIs

EnumWindows.USER32(Function_000452BC), ref: 0044535E
GetWindow.USER32(?,00000003), ref: 00445376
GetWindowLongA.USER32(00000000,000000EC), ref: 00445383
SetWindowPos.USER32(00000000,000000EC,00000000,00000000,00000000,00000000,00000213), ref: 004453C2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004314A0, Relevance: 6.1, APIs: 4, Instructions: 56 Total matches: 21memoryclipboard

Similarity

Total matches: 21
API ID: GlobalAllocGlobalLockGlobalUnlockSetClipboardData
String ID:
API String ID: 3535573752-0
Opcode ID: f0e50475fe096c382d27ee33e947bcf8d55d19edebb1ed8108c2663ee63934e9
Instruction ID: 2742e8ac83e55c90e50d408429e67af57535f67fab21309796ee5989aaacba5e
Opcode Fuzzy Hash: D7E0C250025CF01BF9CA69CD3C97E86D2D2DA402649D46FB58258A78B3222E6049E50B
Instruction Fuzzy Hash: 2742e8ac83e55c90e50d408429e67af57535f67fab21309796ee5989aaacba5e

APIs

GlobalAlloc.KERNEL32(00002002,?,00000000,00431572), ref: 004314CF
GlobalLock.KERNEL32(?,00000000,00431544,?,00002002,?,00000000,00431572), ref: 004314E9
SetClipboardData.USER32(?,?), ref: 00431517
GlobalUnlock.KERNEL32(?,0043153A,?,00000000,00431544,?,00002002,?,00000000,00431572), ref: 0043152D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040A404, Relevance: 6.1, APIs: 4, Instructions: 54 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: c8f11cb17e652d385e55d6399cfebc752614be738e382b5839b86fc73ea86396
Instruction ID: 2e292ce978d1af3d415e66e5b982e49a92b9d84a3d1479b7871fac408542b61b
Opcode Fuzzy Hash: 32D02B030B309613452F157D0441F8D7032488F01A96C2F8C37B77ABA68505605FFE4C
Instruction Fuzzy Hash: 2e292ce978d1af3d415e66e5b982e49a92b9d84a3d1479b7871fac408542b61b

APIs

FindNextFileA.KERNEL32(?,?), ref: 0040A415
GetLastError.KERNEL32(?,?), ref: 0040A41E
FileTimeToLocalFileTime.KERNEL32(?), ref: 0040A434
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 0040A443

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0041C2D4, Relevance: 6.1, APIs: 4, Instructions: 51 Total matches: 4966

Similarity

Total matches: 4966
API ID: FindResourceLoadResourceLockResourceSizeofResource
String ID:
API String ID: 3653323225-0
Opcode ID: 735dd83644160b8dcfdcb5d85422b4d269a070ba32dbf009b7750e227a354687
Instruction ID: 615d07274e164157e3e11310b2f920de543c2506028dc961f8b3aaf64374c2fd
Opcode Fuzzy Hash: 4BD0A90A2268C100582C2C80002BBC610830A5FE226CC27F902231BBC32C026024F8C4
Instruction Fuzzy Hash: 615d07274e164157e3e11310b2f920de543c2506028dc961f8b3aaf64374c2fd

APIs

FindResourceA.KERNEL32(?,?,?), ref: 0041C2EB
LoadResource.KERNEL32(?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C305
SizeofResource.KERNEL32(?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C31F
LockResource.KERNEL32(0041BDF4,00000000,?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000), ref: 0041C329

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040A3AC, Relevance: 6.0, APIs: 4, Instructions: 40 Total matches: 51time

Similarity

Total matches: 51
API ID: DosDateTimeToFileTimeGetLastErrorLocalFileTimeToFileTimeSetFileTime
String ID:
API String ID: 3095628216-0
Opcode ID: dc7fe683cb9960f76d0248ee31fd3249d04fe76d6d0b465a838fe0f3e66d3351
Instruction ID: c3399427300e97a0bf23ec08d7f996c3ab3c22a86554ee3675cd901d102723b3
Opcode Fuzzy Hash: F2C0803B165157D71F4F7D7C600375011F0D1778230955B614E019718D4E05F01EFD86
Instruction Fuzzy Hash: c3399427300e97a0bf23ec08d7f996c3ab3c22a86554ee3675cd901d102723b3

APIs

DosDateTimeToFileTime.KERNEL32(?,0048C37F,?), ref: 0040A3C9
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0040A3DA
SetFileTime.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3EC
GetLastError.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3F5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00484388, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 39

Similarity

Total matches: 39
API ID: CloseHandleGetExitCodeProcessOpenProcessTerminateProcess
String ID:
API String ID: 2790531620-0
Opcode ID: 2f64381cbc02908b23ac036d446d8aeed05bad4df5f4c3da9e72e60ace7043ae
Instruction ID: e830ae185e03603e72926048c7063e7464f7d8c572e36ef4319c937be7ad0c91
Opcode Fuzzy Hash: 5DC01285079EAB7B643571D825437E14084D5026CCB943B7185045F10B4B09B43DF053
Instruction Fuzzy Hash: e830ae185e03603e72926048c7063e7464f7d8c572e36ef4319c937be7ad0c91

APIs

OpenProcess.KERNEL32(00000001,00000000,00000000), ref: 00484393
GetExitCodeProcess.KERNEL32(00000000,?), ref: 004843B7
TerminateProcess.KERNEL32(00000000,?,00000000,004843E0,?,00000001,00000000,00000000), ref: 004843C4
CloseHandle.KERNEL32(00000000), ref: 004843DA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044E254, Relevance: 6.0, APIs: 4, Instructions: 37 Total matches: 5751thread

Similarity

Total matches: 5751
API ID: GetCurrentProcessIdGetPropGetWindowThreadProcessIdGlobalFindAtom
String ID:
API String ID: 142914623-0
Opcode ID: 055fee701d7a26f26194a738d8cffb303ddbdfec43439e02886190190dab2487
Instruction ID: e9689aead5eaf442059aa2d418bca5d111d08576717f72d926dd49825766799b
Opcode Fuzzy Hash: 0AC02203AD2E23870E4202F2E840907219583DF8720CA370201B0E38C023F0461DFF0C
Instruction Fuzzy Hash: e9689aead5eaf442059aa2d418bca5d111d08576717f72d926dd49825766799b

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 0044E261
GetCurrentProcessId.KERNEL32(00000000,?,?,-00000010,00000000,0044E2CC,-000000F7,?,00000000,0044DE86,?,-00000010,?), ref: 0044E26A
GlobalFindAtomA.KERNEL32(00000000), ref: 0044E27F
GetPropA.USER32(00000000,00000000), ref: 0044E296

Part of subcall function 0044D2C0: GetWindowThreadProcessId.USER32(?), ref: 0044D2C6
Part of subcall function 0044D2C0: GetCurrentProcessId.KERNEL32(?,?,?,?,0044D346,?,00000000,?,004387ED,?,004378A9), ref: 0044D2CF
Part of subcall function 0044D2C0: SendMessageA.USER32(?,0000C1C7,00000000,00000000), ref: 0044D2E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444B1C, Relevance: 6.0, APIs: 4, Instructions: 34 Total matches: 2966thread

Similarity

Total matches: 2966
API ID: CreateEventCreateThreadGetCurrentThreadIdSetWindowsHookEx
String ID:
API String ID: 2240124278-0
Opcode ID: 54442a1563c67a11f9aee4190ed64b51599c5b098d388fde65e2e60bb6332aef
Instruction ID: 25b62da08cecef26c395931cea73ffe9b62582a88be241cbb158b3c9ea13de32
Opcode Fuzzy Hash: 37D0C940B0DE75C4F860630138017A90633234BF1BCD1C316480F76041C6CFAEF07A28
Instruction Fuzzy Hash: 25b62da08cecef26c395931cea73ffe9b62582a88be241cbb158b3c9ea13de32

APIs

GetCurrentThreadId.KERNEL32(?,00447A69,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00444B34
SetWindowsHookExA.USER32(00000003,00444AD8,00000000,00000000), ref: 00444B44
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00447A69,?,?,?,?,?,?,?,?,?,?), ref: 00444B5F
CreateThread.KERNEL32(00000000,000003E8,00444A7C,00000000,00000000), ref: 00444B83

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B438, Relevance: 6.0, APIs: 4, Instructions: 29 Total matches: 789

Similarity

Total matches: 789
API ID: GetDCGetTextMetricsReleaseDCSelectObject
String ID:
API String ID: 1769665799-0
Opcode ID: db772d9cc67723a7a89e04e615052b16571c955da3e3b2639a45f22e65d23681
Instruction ID: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3
Opcode Fuzzy Hash: DCC02B935A2888C32DE51FC0940084317C8C0E3A248C62212E13D400727F0C007CBFC0
Instruction Fuzzy Hash: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3

APIs

GetDC.USER32(00000000), ref: 0042B441
SelectObject.GDI32(00000000,018A002E), ref: 0042B453
GetTextMetricsA.GDI32(00000000), ref: 0042B45E
ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042473C, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 172 Total matches: 108

Similarity

Total matches: 108
API ID: CompareStringCreateFontIndirect
String ID: Default
API String ID: 480662435-753088835
Opcode ID: 55710f22f10b58c86f866be5b7f1af69a0ec313069c5af8c9f5cd005ee0f43f8
Instruction ID: ad4a051fb67a15694052d05548e5e2a92b9daedfa5d673be67c756d1cf269a99
Opcode Fuzzy Hash: F6116A2104DDB067F8B3EC94B64A74A79D1BBC5E9EC00FB303AA57198A0B01500EEB0E
Instruction Fuzzy Hash: ad4a051fb67a15694052d05548e5e2a92b9daedfa5d673be67c756d1cf269a99

APIs

Part of subcall function 00423A1C: EnterCriticalSection.KERNEL32(?,00423A59), ref: 00423A20

CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,00424930,?,00000000,00424958), ref: 0042486B
CreateFontIndirectA.GDI32(?), ref: 0042490D

Part of subcall function 0042B438: GetDC.USER32(00000000), ref: 0042B441
Part of subcall function 0042B438: SelectObject.GDI32(00000000,018A002E), ref: 0042B453
Part of subcall function 0042B438: GetTextMetricsA.GDI32(00000000), ref: 0042B45E
Part of subcall function 0042B438: ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Part of subcall function 00423A28: LeaveCriticalSection.KERNEL32(-00000008,00423B07,00423B0F), ref: 00423A2C

Strings

Default, xrefs: 00424832, 00424840, 00424841

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045E7B4, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108 Total matches: 16

Similarity

Total matches: 16
API ID: GetActiveObject
String ID: E
API String ID: 888827201-3568589458
Opcode ID: 40ff121eecf195b3d4325bc1369df9dba976ca9c7c575cd6fc43b4b0f55e6955
Instruction ID: ab5b10c220aec983b32735e40d91a884d9f08e665b5304ccd80c3bfe0421d5f3
Opcode Fuzzy Hash: 13019E441FFC9152E583688426C3F4932B26B4FB4AD88B7271A77636A99905000FEE66
Instruction Fuzzy Hash: ab5b10c220aec983b32735e40d91a884d9f08e665b5304ccd80c3bfe0421d5f3

APIs

GetActiveObject.OLEAUT32(?,00000000,00000000), ref: 0045E817

Part of subcall function 0042BE18: ProgIDFromCLSID.OLE32(?), ref: 0042BE21
Part of subcall function 0042BE18: CoTaskMemFree.OLE32(00000000), ref: 0042BE39

Part of subcall function 0042BD90: StringFromCLSID.OLE32(?), ref: 0042BD99
Part of subcall function 0042BD90: CoTaskMemFree.OLE32(00000000), ref: 0042BDB1

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetActiveObject.OLEAUT32(?,00000000,00000000), ref: 0045E89E

Part of subcall function 0042BF5C: GetComputerNameA.KERNEL32(?,00000010), ref: 0042C00D
Part of subcall function 0042BF5C: CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,?,00000000,0042C0FD), ref: 0042C07D
Part of subcall function 0042BF5C: CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 0042C0B6

Part of subcall function 00405D28: SysFreeString.OLEAUT32(7942540A), ref: 00405D36

Part of subcall function 0042BE44: CoCreateInstance.OLE32(?,00000000,00000005,0042BF34,00000000), ref: 0042BE8B

Strings

E, xrefs: 0045E85F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E3F0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103 Total matches: 30

Similarity

Total matches: 30
API ID: SHGetPathFromIDListSHGetSpecialFolderLocation
String ID: .LNK
API String ID: 739551631-2547878182
Opcode ID: 6b91e9416f314731ca35917c4d41f2341f1eaddd7b94683245f35c4551080332
Instruction ID: e6ae6f63a256f5e8788dfe1c4fce17057cd352befa637d7beb5ae1c0f18a968e
Opcode Fuzzy Hash: 9701B543079EC2A3D9232E512D43BA60129AF11E22F4C77F35A3C3A7D11E500105FA4A
Instruction Fuzzy Hash: e6ae6f63a256f5e8788dfe1c4fce17057cd352befa637d7beb5ae1c0f18a968e

APIs

SHGetSpecialFolderLocation.SHELL32(00000000,00000010,?), ref: 0046E44B
SHGetPathFromIDListA.SHELL32(?,?,00000000,00000010,?,00000000,0046E55E), ref: 0046E463

Part of subcall function 0042BE44: CoCreateInstance.OLE32(?,00000000,00000005,0042BF34,00000000), ref: 0042BE8B

Strings

.LNK, xrefs: 0046E4DE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00472C70, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 98 Total matches: 26

Similarity

Total matches: 26
API ID: SetFileAttributes
String ID: I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!$drivers\etc\hosts
API String ID: 3201317690-57959411
Opcode ID: de1fcf5289fd0d37c0d7642ff538b0d3acf26fbf7f5b53187118226b7e9f9585
Instruction ID: 1f69c6cfd5524e6f1e55c33e322de11738733e7ba85079705839c212502733fc
Opcode Fuzzy Hash: C4012B430F74D723D5173D857800B8922764B4A179D4A77F34B3B796E14E45101BF26D
Instruction Fuzzy Hash: 1f69c6cfd5524e6f1e55c33e322de11738733e7ba85079705839c212502733fc

APIs

Part of subcall function 004719C8: GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 004719DF

SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00472DAB,?,00000000,00472DE7), ref: 00472D16

Strings

drivers\etc\hosts, xrefs: 00472CD3, 00472D00
I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!, xrefs: 00472D8D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004629C0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 91 Total matches: 35com

Similarity

Total matches: 35
API ID: CoCreateInstance
String ID: <*I$L*I
API String ID: 206711758-935359969
Opcode ID: 926ebed84de1c4f5a0cff4f8c2e2da7e6b2741b3f47b898da21fef629141a3d9
Instruction ID: fa8d7291222113e0245fa84df17397d490cbd8a09a55d837a8cb9fde22732a4b
Opcode Fuzzy Hash: 79F02EA00A6B5057F502728428413DB0157E74BF09F48EB715253335860F29E22A6903
Instruction Fuzzy Hash: fa8d7291222113e0245fa84df17397d490cbd8a09a55d837a8cb9fde22732a4b

APIs

CoCreateInstance.OLE32(00492A3C,00000000,00000001,0049299C,00000000), ref: 00462A3F

Strings

<*I, xrefs: 00462A39
L*I, xrefs: 00462A60

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004658F4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91 Total matches: 91memory

Similarity

Total matches: 91
API ID: VirtualFreeVirtualProtect
String ID: FinalizeSections: VirtualProtect failed
API String ID: 636303360-3584865983
Opcode ID: eacfc3cf263d000af2bbea4d1e95e0ccf08e91c00f24ffdf9b55ce997f25413f
Instruction ID: a25c5a888a9fda5817e5b780509016ca40cf7ffd1ade20052d4c48f0177e32df
Opcode Fuzzy Hash: 8CF0A7A2164FC596D9E4360D5003B96A44B6BC1369D4857412FFF106F35E46A06B7D4C
Instruction Fuzzy Hash: a25c5a888a9fda5817e5b780509016ca40cf7ffd1ade20052d4c48f0177e32df

APIs

VirtualFree.KERNEL32(?,?,00004000), ref: 00465939
VirtualProtect.KERNEL32(?,?,00000000,?), ref: 004659A5

Strings

FinalizeSections: VirtualProtect failed, xrefs: 004659B3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00404B2E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83 Total matches: 27

Similarity

Total matches: 27
API ID: UnhandledExceptionFilter
String ID: @
API String ID: 324268079-2726393805
Opcode ID: 404135c81fb2f5f5ca58f8e75217e0a603ea6e07d48b6f32e279dfa7f56b0152
Instruction ID: c84c814e983b35b1fb5dae0ae7b91a26e19a660e9c4fa24becd8f1ddc27af483
Opcode Fuzzy Hash: CDF0246287E8612AD0BB6641389337E1451EF8189DC88DB307C9A306FB1A4D22A4F34C
Instruction Fuzzy Hash: c84c814e983b35b1fb5dae0ae7b91a26e19a660e9c4fa24becd8f1ddc27af483

APIs

UnhandledExceptionFilter.KERNEL32(00000006), ref: 00404B9A
UnhandledExceptionFilter.KERNEL32(?), ref: 00404BD7

Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00000000,00403029), ref: 004076AD
Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00403029), ref: 004076BE

Strings

@, xrefs: 00404B55

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040C028, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79 Total matches: 3032thread

Similarity

Total matches: 3032
API ID: GetDateFormatGetThreadLocale
String ID: yyyy
API String ID: 358233383-3145165042
Opcode ID: a9ef5bbd8ef47e5bcae7fadb254d6b5dc10943448e4061dc92b10bb97dc7929c
Instruction ID: 3d7ab4add3e8180159f8482215856afc9a1a963464e366b4ca05c92ac214afea
Opcode Fuzzy Hash: 09F09E4A0397D3D76802C969D023BC10194EB5A8B2C88B3B1DBB43D7F74C10C40AAF21
Instruction Fuzzy Hash: 3d7ab4add3e8180159f8482215856afc9a1a963464e366b4ca05c92ac214afea

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,0040C116), ref: 0040C0AE
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100), ref: 0040C0B4

Strings

yyyy, xrefs: 0040C089

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004889F0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 72 Total matches: 20

Similarity

Total matches: 20
API ID: GetMonitorInfo
String ID: H$MONSIZE
API String ID: 2399315694-578782711
Opcode ID: fcbd22419a9fe211802b34775feeb9b9cd5c1eab3f2b681a58b96c928ed20dcd
Instruction ID: 58dff39716ab95f400833e95f8353658d64ab2bf0589c4ada55bb24297febcec
Opcode Fuzzy Hash: A0F0E957075E9D5BE7326D883C177C042D82342C5AE8EB75741B9329B20D59511DF3C9
Instruction Fuzzy Hash: 58dff39716ab95f400833e95f8353658d64ab2bf0589c4ada55bb24297febcec

APIs

GetMonitorInfoA.USER32(?,00000048), ref: 00488A28

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

H, xrefs: 00488A19
MONSIZE, xrefs: 00488A65

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486210, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66 Total matches: 14network

Similarity

Total matches: 14
API ID: recvsend
String ID: EndReceive
API String ID: 740075404-1723565878
Opcode ID: 0642aeb2bf09005660d41f125a1d03baad4e76b78f36ec5b7dd5d239cf09d5cc
Instruction ID: 216cfea4cb83c20b808547ecb65d31b60c96cf6878345f9c489041ca4988cdb5
Opcode Fuzzy Hash: 4FE02B06133A455DE6270580341A3C7F947772B705E47D7F14FA4311DACA43322AE70B
Instruction Fuzzy Hash: 216cfea4cb83c20b808547ecb65d31b60c96cf6878345f9c489041ca4988cdb5

APIs

Part of subcall function 00466470: acmStreamConvert.MSACM32(?,00000108,00000000), ref: 004664AB
Part of subcall function 00466470: acmStreamReset.MSACM32(?,00000000,?,00000108,00000000), ref: 004664B9

send.WSOCK32(00000000,0049A3A0,00000000,00000000), ref: 004862AA
recv.WSOCK32(00000000,0049A3A0,00001FFF,00000000,00000000,0049A3A0,00000000,00000000), ref: 004862C1

Part of subcall function 00475F68: send.WSOCK32(?,00000000,?,00000000,00000000,00475FCA), ref: 00475FAF

Strings

EndReceive, xrefs: 004862CA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004843EC, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52 Total matches: 15

Similarity

Total matches: 15
API ID: CloseHandleOpenProcess
String ID: ACCESS DENIED (x64)
API String ID: 39102293-185273294
Opcode ID: a572bc7c6731d9d91b92c5675ac9d9d4c0009ce4d4d6c6579680fd2629dc7de7
Instruction ID: 96dec37c68e2c881eb92ad81010518019459718a977f0d9739e81baf42475d3b
Opcode Fuzzy Hash: EBE072420B68F08FB4738298640028100C6AE862BCC486BB5523B391DB4E49A008B6A3
Instruction Fuzzy Hash: 96dec37c68e2c881eb92ad81010518019459718a977f0d9739e81baf42475d3b

APIs

OpenProcess.KERNEL32(001F0FFF,00000000), ref: 0048440F
CloseHandle.KERNEL32(00000000), ref: 00484475

Strings

ACCESS DENIED (x64), xrefs: 004843FD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E408, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44 Total matches: 2190

Similarity

Total matches: 2190
API ID: GetSystemMetrics
String ID: MonitorFromPoint
API String ID: 96882338-1072306578
Opcode ID: 666203dad349f535e62b1e5569e849ebaf95d902ba2aa8f549115cec9aadc9dc
Instruction ID: 9e90a3aeaa9df0e76633c437836624889fea8714b6c2508f44f8acb6986c90e8
Opcode Fuzzy Hash: 72D09540005C404E9427F505302314050862CD7C1444C0A96073728A4B4BC07837E70C
Instruction Fuzzy Hash: 9e90a3aeaa9df0e76633c437836624889fea8714b6c2508f44f8acb6986c90e8

APIs

GetSystemMetrics.USER32(00000000), ref: 0042E456
GetSystemMetrics.USER32(00000001), ref: 0042E468

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

MonitorFromPoint, xrefs: 0042E41A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00405026, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43 Total matches: 29

Similarity

Total matches: 29
API ID: UnhandledExceptionFilter
String ID: @$@
API String ID: 324268079-1993891284
Opcode ID: 08651bee2e51f7c203f2bcbc4971cbf38b3c12a2f284cd033f2f36121a1f9316
Instruction ID: 09869fe21a55f28103c5e2f74b220912f521d4c5ca74f0421fb5e508a020f7c0
Opcode Fuzzy Hash: 83E0CD9917D5514BE0755684259671E1051EF05825C4A8F316D173C1FB151A11E4F77C
Instruction Fuzzy Hash: 09869fe21a55f28103c5e2f74b220912f521d4c5ca74f0421fb5e508a020f7c0

APIs

UnhandledExceptionFilter.KERNEL32(00000006), ref: 00405047

Strings

@, xrefs: 00405080
@, xrefs: 004050A2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004319C4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43 Total matches: 10clipboard

Similarity

Total matches: 10
API ID: EnumClipboardFormats
String ID: 84B
API String ID: 3596886676-4139892337
Opcode ID: b1462d8625ddb51b2d31736c791a41412de0acc99cd040f5562c49b894f36a34
Instruction ID: 9fe3e5fa4cb89e8a0f94f97538fc14217740b2e6ec0d3bb9a3290716fcbe2ff9
Opcode Fuzzy Hash: 96D0A79223ECD863E9EC2359145BD47254F08D22554440B315E1B6DA13E520181FF58F
Instruction Fuzzy Hash: 9fe3e5fa4cb89e8a0f94f97538fc14217740b2e6ec0d3bb9a3290716fcbe2ff9

APIs

EnumClipboardFormats.USER32(00000000), ref: 004319E8
EnumClipboardFormats.USER32(00000000), ref: 00431A0E

Strings

84B, xrefs: 004319F6

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00422188, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42 Total matches: 16registry

Similarity

Total matches: 16
API ID: RegSetValueEx
String ID: NoControlPanel$tdA
API String ID: 3711155140-1355984343
Opcode ID: 5e8bf8497a5466fff8bc5eb4e146d5dc6a0602752481f5dd4d5504146fb4de3d
Instruction ID: cdf02c1bfc0658aace9b7e9a135c824c3cff313d703079df6a374eed0d2e646e
Opcode Fuzzy Hash: E2D0A75C074881C524D914CC3111E01228593157AA49C3F52875D627F70E00E038DD1E
Instruction Fuzzy Hash: cdf02c1bfc0658aace9b7e9a135c824c3cff313d703079df6a374eed0d2e646e

APIs

RegSetValueExA.ADVAPI32(?,00000000,00000000,00000000,?,?,004724E0,00000000,004724E0), ref: 004221BA

Strings

NoControlPanel, xrefs: 00422188
tdA, xrefs: 004221D0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E258, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39 Total matches: 3131

Similarity

Total matches: 3131
API ID: GetSystemMetrics
String ID: GetSystemMetrics
API String ID: 96882338-96882338
Opcode ID: bbc54e4b5041dfa08de2230ef90e8f32e1264c6e24ec09b97715d86cc98d23e9
Instruction ID: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c
Opcode Fuzzy Hash: B4D0A941986AA908E0AF511971A336358D163D2EA0C8C8362308B329EB5741B520AB01
Instruction Fuzzy Hash: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c

APIs

GetSystemMetrics.USER32(?), ref: 0042E2BA

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

GetSystemMetrics.USER32(?), ref: 0042E280

Strings

GetSystemMetrics, xrefs: 0042E268

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Process Name: neh.exe Analysis ID: 40545

General

Root Process Name:	regdrv.exe
Process MD5:	264D0D08069B26210AD2261C1E37CCF2
Total matches:	228
Initial Analysis Report:	Open
Initial sample Analysis ID:	40545
Initial sample SHA 256:	25E9F71272AD2AFD08692D6F248BB18CA6F73A6F342B65B1F5F3B1D9E91F9CD4
Initial sample name:	BinderFile.exe

Similar Executed Functions

Function 004818F8, Relevance: 49.2, APIs: 10, Strings: 18, Instructions: 236 Total matches: 18keyboard

Similarity

Total matches: 18
API ID: GetKeyState$CallNextHookEx$GetKeyboardStateMapVirtualKeyToAscii
String ID: [<-]$[DEL]$[DOWN]$[ESC]$[F1]$[F2]$[F3]$[F4]$[F5]$[F6]$[F7]$[F8]$[INS]$[LEFT]$[NUM_LOCK]$[RIGHT]$[SNAPSHOT]$[UP]
API String ID: 2409940449-52828794
Opcode ID: b9566e8c43a4051c07ac84d60916a303a7beb698efc358184a9cd4bc7b664fbd
Instruction ID: 41c13876561f3d94aafb9dcaf6d0e9d475a0720bb5103e60537e1bfe84b96b73
Opcode Fuzzy Hash: 0731B68AA7159623D437E2D97101B910227BF975D0CC1A3333EDA3CAE99E900114BF25
Instruction Fuzzy Hash: 41c13876561f3d94aafb9dcaf6d0e9d475a0720bb5103e60537e1bfe84b96b73

APIs

CallNextHookEx.USER32(000601F9,00000000,?,?), ref: 00481948

Part of subcall function 004818E0: MapVirtualKeyA.USER32(00000000,00000000), ref: 004818E6

CallNextHookEx.USER32(000601F9,00000000,00000100,?), ref: 0048198C
GetKeyState.USER32(00000014), ref: 00481C4E
GetKeyState.USER32(00000011), ref: 00481C60
GetKeyState.USER32(000000A0), ref: 00481C75
GetKeyState.USER32(000000A1), ref: 00481C8A
GetKeyboardState.USER32(?), ref: 00481CA5
MapVirtualKeyA.USER32(00000000,00000000), ref: 00481CD7
ToAscii.USER32(00000000,00000000,00000000,00000000,?), ref: 00481CDE

Part of subcall function 00481318: ExitThread.KERNEL32(00000000,00000000,00481687,?,00000000,004816C3,?,?,?,?,0000000C,00000000,00000000), ref: 0048135E
Part of subcall function 00481318: CreateThread.KERNEL32(00000000,00000000,Function_000810D4,00000000,00000000,00499F94), ref: 0048162D

CallNextHookEx.USER32(000601F9,00000000,?,?), ref: 00481D3C

Strings

[LEFT], xrefs: 00481C07
[F3], xrefs: 00481B65
[DOWN], xrefs: 00481C2B
[<-], xrefs: 00481B1D
[NUM_LOCK], xrefs: 00481B2F
[RIGHT], xrefs: 00481C19
[F7], xrefs: 00481BAD
[DEL], xrefs: 00481BD1
[UP], xrefs: 00481C3D
[F4], xrefs: 00481B77
[ESC], xrefs: 00481AE7
[F8], xrefs: 00481BBF
[F5], xrefs: 00481B89
[F1], xrefs: 00481B41
[INS], xrefs: 00481BE3
[F6], xrefs: 00481B9B
[SNAPSHOT], xrefs: 00481BF5
[F2], xrefs: 00481B53

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00406C2C, Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184 Total matches: 2899registrystringlibrary

Similarity

Total matches: 2899
API ID: lstrcpyn$LoadLibraryExRegOpenKeyEx$RegQueryValueEx$GetLocaleInfoGetModuleFileNameGetThreadLocaleRegCloseKeylstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 3567661987-2375825460
Opcode ID: a3b1251d448c01bd6f1cc1c42774547fa8a2e6c4aa6bafad0bbf1d0ca6416942
Instruction ID: a303aaa8438224c55303324eb01105260f59544aa3820bfcbc018d52edb30607
Opcode Fuzzy Hash: 7311914307969393E8871B6124157D513A5AF01F30E4A7BF275F0206EABE46110CFA06
Instruction Fuzzy Hash: a303aaa8438224c55303324eb01105260f59544aa3820bfcbc018d52edb30607

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,00400000,004917C0), ref: 00406C48
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,004917C0), ref: 00406C66
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,004917C0), ref: 00406C84
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00406CA2

Part of subcall function 00406A68: GetModuleHandleA.KERNEL32(kernel32.dll,?,00400000,004917C0), ref: 00406A85
Part of subcall function 00406A68: GetProcAddress.KERNEL32(?,GetLongPathNameA,kernel32.dll,?,00400000,004917C0), ref: 00406A9C
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,?,00400000,004917C0), ref: 00406ACC
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B30
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B66
Part of subcall function 00406A68: FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B79
Part of subcall function 00406A68: FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B8B
Part of subcall function 00406A68: lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B97
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000), ref: 00406BCB
Part of subcall function 00406A68: lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00406BD7
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 00406BF9

RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,00406D31,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00406CEB
RegQueryValueExA.ADVAPI32(?,00406E98,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00406D31,?,80000001), ref: 00406D09
RegCloseKey.ADVAPI32(?,00406D38,00000000,?,?,00000000,00406D31,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00406D2B
lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00406D48
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00406D55
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00406D5B
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00406D86
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406DCD
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406DDD
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406E05
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406E15
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00406E3B
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 00406E4B

Strings

Software\Borland\Locales, xrefs: 00406C5C, 00406C7A
Software\Borland\Delphi\Locales, xrefs: 00406C98

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004865E0, Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 218 Total matches: 6networkwindowsleep

Similarity

Total matches: 6
API ID: DispatchMessagePeekMessageSleepTranslateMessageclosesocketconnectgethostbynameinet_addrntohsrecvshutdownsocket
String ID: AI$`cH
API String ID: 3460500621-1903509725
Opcode ID: 160ec415bf9cde1d180925ab74ab35c458bf35a5a8942b744c9c50ea7885072b
Instruction ID: bff04fe52ff06702a52ed8e0aeaacb9a4f873de297662bc347fa8b812471f346
Opcode Fuzzy Hash: A1318B84078ED51EE4327F307841F4B1295BFD6634E4597D68772396D22F01541EF91E
Instruction Fuzzy Hash: bff04fe52ff06702a52ed8e0aeaacb9a4f873de297662bc347fa8b812471f346

APIs

Sleep.KERNEL32(000000C8), ref: 00486682
TranslateMessage.USER32(?), ref: 00486690
DispatchMessageA.USER32(?), ref: 0048669C
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004866B0
socket.WSOCK32(00000002,00000001,00000000,?,00000000,00000000,00000000,00000001,000000C8), ref: 004866CE
ntohs.WSOCK32(00000774,00000002,00000001,00000000,?,00000000,00000000,00000000,00000001,000000C8), ref: 004866F8
inet_addr.WSOCK32(015EAA88,00000774,00000002,00000001,00000000,?,00000000,00000000,00000000,00000001,000000C8), ref: 00486709
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774,00000002,00000001,00000000,?,00000000,00000000,00000000,00000001,000000C8), ref: 0048671F
connect.WSOCK32(00000248,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000,?,00000000,00000000,00000000,00000001,000000C8), ref: 00486744

Part of subcall function 0041FA34: GetLastError.KERNEL32(00486514,00000004,0048650C,00000000,0041FADE,?,00499F5C), ref: 0041FA94

Part of subcall function 0041FC40: SetThreadPriority.KERNEL32(?,015CDB28,00499F5C,?,0047EC9E,?,?,?,00000000,00000000,?,0049062B), ref: 0041FC55

Part of subcall function 0041FEF0: ResumeThread.KERNEL32(?,00499F5C,?,0047ECAA,?,?,?,00000000,00000000,?,0049062B), ref: 0041FEF8

recv.WSOCK32(00000248,?,00002000,00000000,00000248,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000,?,00000000,00000000,00000000), ref: 004867CD
shutdown.WSOCK32(00000248,00000001,00000248,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000,?,00000000,00000000,00000000,00000001,000000C8), ref: 00486881
closesocket.WSOCK32(00000248,00000248,00000001,00000248,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000,?,00000000,00000000,00000000,00000001), ref: 0048688E

Part of subcall function 00405D40: SysFreeString.OLEAUT32(?), ref: 00405D53

Part of subcall function 00486528: shutdown.WSOCK32(00000248,00000002,00000001,004867E2,00000248,?,00002000,00000000,00000248,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000), ref: 004865BC
Part of subcall function 00486528: closesocket.WSOCK32(00000248,00000248,00000002,00000001,004867E2,00000248,?,00002000,00000000,00000248,00000002,00000010,015EAA88,00000774,00000002,00000001), ref: 004865C9

Strings

AI, xrefs: 0048681D
`cH, xrefs: 00486760

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00406D38, Relevance: 15.1, APIs: 10, Instructions: 98 Total matches: 2843stringlibrarythread

Similarity

Total matches: 2843
API ID: lstrcpyn$LoadLibraryEx$GetLocaleInfoGetThreadLocalelstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 2476548892-2375825460
Opcode ID: 37afa4b59127376f4a6833a35b99071d0dffa887068a3353cca0b5e1e5cd2bc3
Instruction ID: 0c520f96d45b86b238466289d2a994e593252e78d5c30d2048b7af96496f657b
Opcode Fuzzy Hash: 4CF0C883479793A7E04B1B422916AC853A4AF00F30F577BE1B970147FE7D1B240CA519
Instruction Fuzzy Hash: 0c520f96d45b86b238466289d2a994e593252e78d5c30d2048b7af96496f657b

APIs

lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00406D48
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00406D55
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00406D5B
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00406D86
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406DCD
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406DDD
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406E05
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406E15
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00406E3B
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 00406E4B

Strings

Software\Borland\Locales, xrefs: 00406C5C, 00406C7A
Software\Borland\Delphi\Locales, xrefs: 00406C98

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AEA8, Relevance: 9.1, APIs: 6, Instructions: 108 Total matches: 122

Similarity

Total matches: 122
API ID: AdjustTokenPrivilegesCloseHandleGetCurrentProcessGetLastErrorLookupPrivilegeValueOpenProcessToken
String ID:
API String ID: 1655903152-0
Opcode ID: c92d68a2c1c5faafb4a28c396f292a277a37f0b40326d7f586547878ef495775
Instruction ID: 5a044237aac15a3989e4021d08b96f5326c338692d3d0e66e444868dbe789150
Opcode Fuzzy Hash: 2CF0468513CAB2E7F879B18C3042FE73458B323244C8437219A903A18E0E59A12CEB13
Instruction Fuzzy Hash: 5a044237aac15a3989e4021d08b96f5326c338692d3d0e66e444868dbe789150

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AEFF
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF05
LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000), ref: 0048AF77
CloseHandle.KERNEL32(?), ref: 0048AF8D
GetLastError.KERNEL32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF9A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DDE0, Relevance: 7.6, APIs: 5, Instructions: 54 Total matches: 153

Similarity

Total matches: 153
API ID: FindResourceFreeResourceLoadResourceLockResourceSizeofResource
String ID:
API String ID: 3885362348-0
Opcode ID: ef8b8e58cde3d28224df1e0c57da641ab2d3d01fa82feb3a30011b4f31433ee9
Instruction ID: 9990bafbf40e834a260b48e1f62370990a3e04654371271e90c167a58edff6a8
Opcode Fuzzy Hash: 08D02B420B5FA197F51656482C813D722876B43386EC42BF2D31A3B2E39F058039F60B
Instruction Fuzzy Hash: 9990bafbf40e834a260b48e1f62370990a3e04654371271e90c167a58edff6a8

APIs

FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 0048DE1A
LoadResource.KERNEL32(00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE24
SizeofResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE2E
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE36
FreeResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00481ED8, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 86 Total matches: 13

Similarity

Total matches: 13
API ID: GetModuleHandleSetWindowsHookEx
String ID: 3 H$dclogs\
API String ID: 987070476-1752027334
Opcode ID: 4b23d8581528a2a1bc1133d8afea0c2915dbad2a911779c2aade704c29555fce
Instruction ID: b2120ba2d2fe5220d185ceeadd256cdd376e4b814eb240eb03e080d2c545ca01
Opcode Fuzzy Hash: 00F0D1DB07A9C683E1A2A4847C42796007D5F07115E8C8BB3473F7A4F64F164026F70A
Instruction Fuzzy Hash: b2120ba2d2fe5220d185ceeadd256cdd376e4b814eb240eb03e080d2c545ca01

APIs

GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00482007,?,?,00000003,00000000,00000000,?,00482033), ref: 00481EFB
SetWindowsHookExA.USER32(0000000D,004818F8,00000000,00000000), ref: 00481F09

Part of subcall function 0048ADCC: SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0048ADF9
Part of subcall function 0048ADCC: SHGetPathFromIDListA.SHELL32(?,?,00000000,0048AE8C,?,?,00000005,?,004856FD,00000000,00485755,?,?,00000005,00000000,00000000), ref: 0048AE09

Part of subcall function 0040A290: GetFileAttributesA.KERNEL32(00000000,?,0048FD09,?,?,00490710,?), ref: 0040A29B

Part of subcall function 00480F70: GetForegroundWindow.USER32 ref: 00480F8F
Part of subcall function 00480F70: GetWindowTextLengthA.USER32(00000000), ref: 00480F9B
Part of subcall function 00480F70: GetWindowTextA.USER32(00000000,00000000,00000001), ref: 00480FB8

Strings

dclogs\, xrefs: 00481F26, 00481F4C, 00481F6E
3 H, xrefs: 00481F16, 00481F23, 00481F30

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048FA10, Relevance: 104.0, APIs: 13, Strings: 46, Instructions: 713 Total matches: 3sleepfilethread

Similarity

Total matches: 3
API ID: Sleep$CopyFileCreateThreadExitProcess$GetLastErrorMessageBoxSetLastErrorShellExecute
String ID: at $" +s +h$,xI$AI$BIND$CHANGEDATE$CHIDED$CHIDEF$COMBOPATH$DCMUTEX$DIRATTRIB$EDTDATE$EDTPATH$FAKEMSG$[.dll]$FWB$GENCODE$Guest$INSTALL$KEYNAME$MELT$MSGCORE$MSGICON$MSGTITLE$MULTIBIND$MULTIPLUGS$MUTEX$NETDATA$OVDNS$PDNS$PERS$PERSINST$PLUGS$SH1$SH10$SH3$SH4$SH5$SH6$SH7$SH8$SH9$SID$attrib "$notepad$open
API String ID: 621504876-1976595610
Opcode ID: 0e79757b0a7dfb45aaa11cab1035a09f85487e362f4865be0c41c2db2fad014a
Instruction ID: c80a01dfbaa6738da9283e71bb193ee20a44e75cd7a9a95f81cee2a081a2619e
Opcode Fuzzy Hash: E7D126435B9AD76992606FA07C1A2C601D55A8617AE8A27F2CB7D347F4EF03401BFB1C
Instruction Fuzzy Hash: c80a01dfbaa6738da9283e71bb193ee20a44e75cd7a9a95f81cee2a081a2619e

APIs

Part of subcall function 0048B724: GetCurrentHwProfileA.ADVAPI32(?), ref: 0048B776

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

Part of subcall function 0040F234: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0048F90F,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040F24B

CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0048FD52
CopyFileA.KERNEL32(00000000,00000000,?), ref: 0048FE2F

Part of subcall function 00485150: RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 00485199
Part of subcall function 00485150: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,?,00000000,004851DE,?,00000000,0048520A), ref: 004851C6
Part of subcall function 00485150: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,?,00000000,004851DE,?,00000000,0048520A), ref: 004851CF

Part of subcall function 0048C308: CloseHandle.KERNEL32(?), ref: 0048C390

MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 0048FF7A

Part of subcall function 004729DC: SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00472B0D,?,?,00000000,?,00000000,00000000,00472BD6,?,00000000,00472C12), ref: 00472AFE

ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 00490298

Part of subcall function 00472924: SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00472969,?,?,?,?,00490051), ref: 0047294E

Sleep.KERNEL32(000003E8), ref: 004902A2

Part of subcall function 00472974: SetFileAttributesA.KERNEL32(00000000,00000000,00000000,004729D0), ref: 004729B0

Part of subcall function 0046D36C: ShellExecuteA.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0046D3B9

Sleep.KERNEL32(000001F4), ref: 004901DD
ExitProcess.KERNEL32(00000000,000003E8), ref: 004902A9

Part of subcall function 00474F80: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0047500B
Part of subcall function 00474F80: GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000,00475246), ref: 0047511C
Part of subcall function 00474F80: GetProcAddress.KERNEL32(00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000,00475246), ref: 00475122
Part of subcall function 00474F80: GetModuleHandleA.KERNEL32(kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000), ref: 00475133
Part of subcall function 00474F80: GetProcAddress.KERNEL32(00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 00475139
Part of subcall function 00474F80: GetModuleHandleA.KERNEL32(kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000), ref: 0047514B
Part of subcall function 00474F80: GetProcAddress.KERNEL32(00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000), ref: 00475151
Part of subcall function 00474F80: GetModuleHandleA.KERNEL32(kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000), ref: 00475163
Part of subcall function 00474F80: GetProcAddress.KERNEL32(00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000), ref: 00475169
Part of subcall function 00474F80: GetModuleHandleA.KERNEL32(kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000), ref: 0047517B
Part of subcall function 00474F80: GetProcAddress.KERNEL32(00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000), ref: 00475181
Part of subcall function 00474F80: GetModuleHandleA.KERNEL32(kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32), ref: 00475193
Part of subcall function 00474F80: GetProcAddress.KERNEL32(00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000), ref: 00475199
Part of subcall function 00474F80: GetModuleHandleA.KERNEL32(kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32), ref: 004751AB
Part of subcall function 00474F80: GetProcAddress.KERNEL32(00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000), ref: 004751B1
Part of subcall function 00474F80: GetModuleHandleA.KERNEL32(kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32), ref: 004751C3
Part of subcall function 00474F80: GetProcAddress.KERNEL32(00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000), ref: 004751C9
Part of subcall function 00474F80: GetModuleHandleA.KERNEL32(kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32), ref: 004751DB
Part of subcall function 00474F80: GetProcAddress.KERNEL32(00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000), ref: 004751E1
Part of subcall function 00474F80: GetModuleHandleA.KERNEL32(kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32), ref: 004751F3
Part of subcall function 00474F80: GetProcAddress.KERNEL32(00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000), ref: 004751F9
Part of subcall function 00474F80: GetModuleHandleA.KERNEL32(kernel32,GetExitCodeProcess,00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32), ref: 0047520B
Part of subcall function 00474F80: GetProcAddress.KERNEL32(00000000,kernel32,GetExitCodeProcess,00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000), ref: 00475211

Part of subcall function 0040A290: GetFileAttributesA.KERNEL32(00000000,?,0048FD09,?,?,00490710,?), ref: 0040A29B

CreateThread.KERNEL32(00000000,00000000,0048E340,00000000,00000000,00499F94), ref: 004902E3
CreateThread.KERNEL32(00000000,00000000,0048E29C,00000000,00000000,00499F94), ref: 0049031D
SetLastError.KERNEL32(00000000,?,00490710,?), ref: 0049046F

Part of subcall function 00407978: CreateMutexA.KERNEL32(?,?,?,?,0049048A,00000000,00000000,00000000,00000000,?,00490710,?), ref: 0040798E

GetLastError.KERNEL32(00000000,00000000,00000000,00000000,?,00490710,?), ref: 0049048A
ExitProcess.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00490710,?), ref: 00490498
Sleep.KERNEL32(000001F4,00000000,00000000,00000000,00000000,?,00490710,?), ref: 004904EB

Part of subcall function 004754C4: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 00475590
Part of subcall function 004754C4: GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756B4
Part of subcall function 004754C4: GetProcAddress.KERNEL32(00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756BA
Part of subcall function 004754C4: GetModuleHandleA.KERNEL32(kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756CB
Part of subcall function 004754C4: GetProcAddress.KERNEL32(00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756D1
Part of subcall function 004754C4: GetModuleHandleA.KERNEL32(kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756E3
Part of subcall function 004754C4: GetProcAddress.KERNEL32(00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 004756E9
Part of subcall function 004754C4: GetModuleHandleA.KERNEL32(user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 004756FB
Part of subcall function 004754C4: GetProcAddress.KERNEL32(00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 00475701
Part of subcall function 004754C4: GetModuleHandleA.KERNEL32(kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 00475713
Part of subcall function 004754C4: GetProcAddress.KERNEL32(00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000), ref: 00475719
Part of subcall function 004754C4: GetModuleHandleA.KERNEL32(kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32), ref: 0047572B
Part of subcall function 004754C4: GetProcAddress.KERNEL32(00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000), ref: 00475731
Part of subcall function 004754C4: GetModuleHandleA.KERNEL32(kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32), ref: 00475743
Part of subcall function 004754C4: GetProcAddress.KERNEL32(00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000), ref: 00475749
Part of subcall function 004754C4: GetModuleHandleA.KERNEL32(kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32), ref: 0047575B
Part of subcall function 004754C4: GetProcAddress.KERNEL32(00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000), ref: 00475761
Part of subcall function 004754C4: GetModuleHandleA.KERNEL32(kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32), ref: 00475773
Part of subcall function 004754C4: GetProcAddress.KERNEL32(00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000), ref: 00475779
Part of subcall function 004754C4: GetModuleHandleA.KERNEL32(kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32), ref: 0047578B
Part of subcall function 004754C4: GetProcAddress.KERNEL32(00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000), ref: 00475791
Part of subcall function 004754C4: GetModuleHandleA.KERNEL32(kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32), ref: 004757A3
Part of subcall function 004754C4: GetProcAddress.KERNEL32(00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000), ref: 004757A9
Part of subcall function 004754C4: GetModuleHandleA.KERNEL32(kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32), ref: 004757BB
Part of subcall function 004754C4: GetProcAddress.KERNEL32(00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000), ref: 004757C1
Part of subcall function 004754C4: GetModuleHandleA.KERNEL32(kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32), ref: 004757D3
Part of subcall function 004754C4: GetProcAddress.KERNEL32(00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000), ref: 004757D9
Part of subcall function 004754C4: GetModuleHandleA.KERNEL32(kernel32,OpenProcess,00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32), ref: 004757EB
Part of subcall function 004754C4: GetProcAddress.KERNEL32(00000000,kernel32,OpenProcess,00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000), ref: 004757F1

Part of subcall function 0047EAEC: CreateThread.KERNEL32(00000000,00000000,00482028,00000000,00000000,00499F94), ref: 0047EB8D
Part of subcall function 0047EAEC: TranslateMessage.USER32(00499F5C), ref: 0047ECAD
Part of subcall function 0047EAEC: DispatchMessageA.USER32(00499F5C), ref: 0047ECB3
Part of subcall function 0047EAEC: GetMessageA.USER32(00499F5C,00000000,00000000,00000000), ref: 0047ECBF

Part of subcall function 00473C24: ExitProcess.KERNEL32(00000000,00000000,00473CF8,?,?,00000000,00000000,00000000,?,00490560,00000000,00000000,00000000,00000000,?,00490710), ref: 00473C8E
Part of subcall function 00473C24: ExitProcess.KERNEL32(00000000,00000000,00473CF8,?,?,00000000,00000000,00000000,?,00490560,00000000,00000000,00000000,00000000,?,00490710), ref: 00473CD8

Part of subcall function 0048C5D0: EnumResourceNamesA.KERNEL32(00000000,DPLUG,0048C494,00000000), ref: 0048C5F2

Part of subcall function 0048BEE4: EnumResourceNamesA.KERNEL32(00000000,DBIND,0048BDD4,00000000), ref: 0048BF06

Part of subcall function 0040BC98: GetLocalTime.KERNEL32(?), ref: 0040BCA0

Part of subcall function 0040BCC4: GetLocalTime.KERNEL32(?), ref: 0040BCCC

Strings

CHIDEF, xrefs: 004900A1
SH7, xrefs: 004903D7
DIRATTRIB, xrefs: 00490057
" +s +h, xrefs: 004900D5, 00490191
,xI, xrefs: 0048FC6C
MULTIBIND, xrefs: 004904A3
SH8, xrefs: 004903FE
MULTIPLUGS, xrefs: 004904F6
FAKEMSG, xrefs: 0048FEF7
SH4, xrefs: 00490354
PLUGS, xrefs: 004901E8, 00490518
COMBOPATH, xrefs: 0048FB0F
NETDATA, xrefs: 0048FA28
AI, xrefs: 0048FADA, 0048FAEC, 00490474, 004905E5, 00490614
PERSINST, xrefs: 004902B4
Guest, xrefs: 0048FAA4
at , xrefs: 0048FC84
MSGCORE, xrefs: 0048FF51
open, xrefs: 00490291
SH9, xrefs: 00490425
CHANGEDATE, xrefs: 0048FEB3
MELT, xrefs: 00490245
SH5, xrefs: 00490380
OVDNS, xrefs: 0048FFAF
GENCODE, xrefs: 0048FB35, 0048FD65, 00490566
SH1, xrefs: 004902EE
attrib ", xrefs: 004900BD, 0049014E
SH3, xrefs: 00490328
MUTEX, xrefs: 0048FAB1
SH10, xrefs: 0049044C
MSGTITLE, xrefs: 0048FF35
FILEATTRIB, xrefs: 0049000D
CHIDED, xrefs: 004900FB
notepad, xrefs: 00490274, 004905F5, 0049061C
EDTPATH, xrefs: 0048FAFE
SID, xrefs: 0048FA64
BIND, xrefs: 004901B7, 004904C5
PERS, xrefs: 004905C0
MSGICON, xrefs: 0048FF19
SH6, xrefs: 004903B0
DCMUTEX, xrefs: 0048FAF1
KEYNAME, xrefs: 0048FE84
INSTALL, xrefs: 0048FCCC, 00490223
PDNS, xrefs: 0048FF85, 0048FFD1, 0048FFF0
EDTDATE, xrefs: 0048FED5
FWB, xrefs: 0049053F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047EAEC, Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 149 Total matches: 19windowthread

Similarity

Total matches: 19
API ID: CreateThreadDispatchMessageGetMessageTranslateMessage
String ID: at $,xI$AI$AI$MPI$OFFLINEK$PWD$Unknow
API String ID: 994098336-2744674293
Opcode ID: 9eba81f8e67a9dabaeb5076a6d0005a8d272465a03f2cd78ec5fdf0e8a578f9a
Instruction ID: 2241c7d72abfc068c3e0d2a9a226d44f5f768712d3663902469fbf0e50918cf5
Opcode Fuzzy Hash: E81159DA27FED40AF533B93074417C781661B2B62CE5C53A24E3B38580DE83406A7F06
Instruction Fuzzy Hash: 2241c7d72abfc068c3e0d2a9a226d44f5f768712d3663902469fbf0e50918cf5

APIs

CreateThread.KERNEL32(00000000,00000000,00482028,00000000,00000000,00499F94), ref: 0047EB8D
GetMessageA.USER32(00499F5C,00000000,00000000,00000000), ref: 0047ECBF

Part of subcall function 0040BC98: GetLocalTime.KERNEL32(?), ref: 0040BCA0

Part of subcall function 0040BCC4: GetLocalTime.KERNEL32(?), ref: 0040BCCC

Part of subcall function 0041FA34: GetLastError.KERNEL32(00486514,00000004,0048650C,00000000,0041FADE,?,00499F5C), ref: 0041FA94

Part of subcall function 0041FC40: SetThreadPriority.KERNEL32(?,015CDB28,00499F5C,?,0047EC9E,?,?,?,00000000,00000000,?,0049062B), ref: 0041FC55

Part of subcall function 0041FEF0: ResumeThread.KERNEL32(?,00499F5C,?,0047ECAA,?,?,?,00000000,00000000,?,0049062B), ref: 0041FEF8

TranslateMessage.USER32(00499F5C), ref: 0047ECAD
DispatchMessageA.USER32(00499F5C), ref: 0047ECB3

Strings

OFFLINEK, xrefs: 0047EB61
,xI, xrefs: 0047EC45
AI, xrefs: 0047EB11, 0047EB3E
at , xrefs: 0047EC58
Unknow, xrefs: 0047EC0B
AI, xrefs: 0047EBFA, 0047EC04, 0047EC60
MPI, xrefs: 0047EB9D
PWD, xrefs: 0047EB26

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004458CC, Relevance: 19.9, APIs: 13, Instructions: 386 Total matches: 159window

Similarity

Total matches: 159
API ID: SetFocus$GetFocusIsWindowEnabledPostMessage$GetLastActivePopupIsWindowVisibleSendMessage
String ID:
API String ID: 914620548-0
Opcode ID: 7a550bb8e8bdfffe0a3d884064dd1348bcd58c670023c5df15e5d4cbc78359b7
Instruction ID: ae7cdb1027d949e36366800a998b34cbf022b374fa511ef6be9943eb0d4292bd
Opcode Fuzzy Hash: 79518B4165DF6212E8BB908076A3BE6604BF7C6B9ECC8DF3411D53649B3F44620EE306
Instruction Fuzzy Hash: ae7cdb1027d949e36366800a998b34cbf022b374fa511ef6be9943eb0d4292bd

APIs

Part of subcall function 00445780: SetThreadLocale.KERNEL32(00000400,?,?,?,0044593F,00000000,00445F57), ref: 004457A3

Part of subcall function 00445F90: SetActiveWindow.USER32(?), ref: 00445FB5
Part of subcall function 00445F90: IsWindowEnabled.USER32(00000000), ref: 00445FE1
Part of subcall function 00445F90: SetWindowPos.USER32(?,00000000,00000000,00000000,?,00000000,00000040), ref: 0044602B
Part of subcall function 00445F90: DefWindowProcA.USER32(?,00000112,0000F020,00000000), ref: 00446040

Part of subcall function 00446070: SetActiveWindow.USER32(?), ref: 0044608F
Part of subcall function 00446070: ShowWindow.USER32(00000000,00000009), ref: 004460B4
Part of subcall function 00446070: IsWindowEnabled.USER32(00000000), ref: 004460D3
Part of subcall function 00446070: DefWindowProcA.USER32(?,00000112,0000F120,00000000), ref: 004460EC
Part of subcall function 00446070: SetWindowPos.USER32(?,00000000,00000000,?,?,00445ABE,00000000), ref: 00446132
Part of subcall function 00446070: SetFocus.USER32(00000000), ref: 00446180

Part of subcall function 00445F74: LoadIconA.USER32(00000000,00007F00), ref: 00445F8A

PostMessageA.USER32(?,0000B001,00000000,00000000), ref: 00445BCD

Part of subcall function 00445490: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000213), ref: 004454DE

PostMessageA.USER32(?,0000B000,00000000,00000000), ref: 00445BAB
SendMessageA.USER32(?,?,?,?), ref: 00445C73

Part of subcall function 00405388: FreeLibrary.KERNEL32(00400000,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405410
Part of subcall function 00405388: ExitProcess.KERNEL32(00000000,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405448

Part of subcall function 0044641C: IsWindowEnabled.USER32(00000000), ref: 00446458

IsWindowEnabled.USER32(00000000), ref: 00445D18
IsWindowVisible.USER32(00000000), ref: 00445D2D
GetFocus.USER32 ref: 00445D41
SetFocus.USER32(00000000), ref: 00445D50
SetFocus.USER32(00000000), ref: 00445D6F
IsWindowEnabled.USER32(00000000), ref: 00445DD0
SetFocus.USER32(00000000), ref: 00445DF2
GetLastActivePopup.USER32(?), ref: 00445E0A

Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773

GetFocus.USER32 ref: 00445E4F

Part of subcall function 0043BA80: GetCurrentThreadId.KERNEL32(Function_0003BA1C,00000000,0044283C,00000000,004428BF), ref: 0043BA9A
Part of subcall function 0043BA80: EnumThreadWindows.USER32(00000000,Function_0003BA1C,00000000), ref: 0043BAA0

SetFocus.USER32(00000000), ref: 00445E70

Part of subcall function 00446A88: PostMessageA.USER32(?,0000B01F,00000000,00000000), ref: 00446BA1

Part of subcall function 004466B8: SendMessageA.USER32(?,0000B020,00000001,?), ref: 004466DC

Part of subcall function 0044665C: SendMessageA.USER32(?,0000B020,00000000,?), ref: 0044667E

Part of subcall function 0045D684: SystemParametersInfoA.USER32(00000068,00000000,015E3408,00000000), ref: 0045D6C8
Part of subcall function 0045D684: SendMessageA.USER32(?,?,00000000,00000000), ref: 0045D6DB

Part of subcall function 00445844: DefWindowProcA.USER32(?,?,?,?), ref: 0044586E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004450B4, Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 131 Total matches: 14windowregistry

Similarity

Total matches: 14
API ID: DeleteMenu$GetClassInfoGetSystemMenuRegisterClassSendMessageSetClassLongSetWindowLong
String ID: LPI$PMD
API String ID: 387369179-807424164
Opcode ID: 32fce7ee3e6ac0926511ec3e4f7c98ab685e9b31e2d706daccbfdcda0f6d1d6b
Instruction ID: d56ce0e432135cd6d309e63aa69e29fd16821da0556a9908f65c39b580e9a6e9
Opcode Fuzzy Hash: 5601A6826E8982A2E2E03082381279F408E9F8B745C34A72E50863056EEF4A4178FF06
Instruction Fuzzy Hash: d56ce0e432135cd6d309e63aa69e29fd16821da0556a9908f65c39b580e9a6e9

APIs

Part of subcall function 00421084: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 004210A2

GetClassInfoA.USER32(00400000,00444D50,?), ref: 00445113
RegisterClassA.USER32(004925FC), ref: 0044512B

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

Part of subcall function 0040857C: CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004085BB

SetWindowLongA.USER32(?,000000FC,?), ref: 004451C2
DeleteMenu.USER32(00000000,0000F010,00000000), ref: 00445235

Part of subcall function 00445F74: LoadIconA.USER32(00000000,00007F00), ref: 00445F8A

SendMessageA.USER32(?,00000080,00000001,00000000), ref: 004451E4
SetClassLongA.USER32(?,000000F2,00000000), ref: 004451F7
GetSystemMenu.USER32(?,00000000), ref: 00445202
DeleteMenu.USER32(00000000,0000F030,00000000), ref: 00445211
DeleteMenu.USER32(00000000,0000F000,00000000), ref: 0044521E

Strings

PMD, xrefs: 00445107, 0044519E
LPI, xrefs: 004450DD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045DAE0, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 103 Total matches: 45registrylibraryloader

Similarity

Total matches: 45
API ID: GlobalAddAtom$GetCurrentProcessIdGetCurrentThreadIdGetModuleHandleGetProcAddressRegisterWindowMessage
String ID: AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$USER32
API String ID: 1182141063-1126952177
Opcode ID: f8c647dae10644b7e730f5649d963eb01b1b77fd7d0b633dfddc8baab0ae74fb
Instruction ID: 6dc9b78338348dc7afd8e3f20dad2926db9f0bd5be2625dc934bf3846c6fa984
Opcode Fuzzy Hash: ED0140552F89B147427255E03449BB534B6A707F4B4CA77531B0D3A1F9AE074025FB1E
Instruction Fuzzy Hash: 6dc9b78338348dc7afd8e3f20dad2926db9f0bd5be2625dc934bf3846c6fa984

APIs

GetCurrentProcessId.KERNEL32(?,00000000,0045DC58), ref: 0045DB01
GlobalAddAtomA.KERNEL32(00000000), ref: 0045DB34
GetCurrentThreadId.KERNEL32(?,?,00000000,0045DC58), ref: 0045DB4F
GlobalAddAtomA.KERNEL32(00000000), ref: 0045DB85
RegisterWindowMessageA.USER32(00000000,00000000,?,?,00000000,0045DC58), ref: 0045DB9B

Part of subcall function 00419AB0: InitializeCriticalSection.KERNEL32(004174C8,?,?,0045DBB1,00000000,00000000,?,?,00000000,0045DC58), ref: 00419ACF

Part of subcall function 0045D6E8: SetErrorMode.KERNEL32(00008000), ref: 0045D701
Part of subcall function 0045D6E8: GetModuleHandleA.KERNEL32(USER32,00000000,0045D84E,?,00008000), ref: 0045D725
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,WINNLSEnableIME,USER32,00000000,0045D84E,?,00008000), ref: 0045D732
Part of subcall function 0045D6E8: LoadLibraryA.KERNEL32(imm32.dll), ref: 0045D74E
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D770
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D785
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D79A
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7AF
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7C4
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E), ref: 0045D7D9
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000), ref: 0045D7EE
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext), ref: 0045D803
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext), ref: 0045D818
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmNotifyIME,00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus), ref: 0045D82D
Part of subcall function 0045D6E8: SetErrorMode.KERNEL32(?,0045D855,00008000), ref: 0045D848

Part of subcall function 00443B58: GetKeyboardLayout.USER32(00000000), ref: 00443B9D
Part of subcall function 00443B58: GetDC.USER32(00000000), ref: 00443BF2
Part of subcall function 00443B58: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00443BFC
Part of subcall function 00443B58: ReleaseDC.USER32(00000000,00000000), ref: 00443C07

Part of subcall function 00444D60: LoadIconA.USER32(00400000,MAINICON), ref: 00444E57
Part of subcall function 00444D60: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON), ref: 00444E89
Part of subcall function 00444D60: OemToCharA.USER32(?,?), ref: 00444E9C
Part of subcall function 00444D60: CharNextA.USER32(?), ref: 00444EDB
Part of subcall function 00444D60: CharLowerA.USER32(00000000), ref: 00444EE1

GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,?,00000000,0045DC58), ref: 0045DC1F
GetProcAddress.KERNEL32(00000000,AnimateWindow,USER32,00000000,00000000,?,?,00000000,0045DC58), ref: 0045DC30

Strings

Delphi%.8X, xrefs: 0045DB12
ControlOfs%.8X%.8X, xrefs: 0045DB63
AnimateWindow, xrefs: 0045DC2A
USER32, xrefs: 0045DC1A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444D60, Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 135 Total matches: 14window

Similarity

Total matches: 14
API ID: CharLowerCharNextGetModuleFileNameLoadIconOemToChar
String ID: 08B$0PI$8PI$MAINICON$\tA
API String ID: 1282013903-4242882941
Opcode ID: ff2b085099440c5ca1f97a8a9a6e2422089f81c1f58cd04fd4e646ad6fccc634
Instruction ID: 1a7e1b5cc773515fc1e1ce3387cb9199d5a608ac43a7cc09dd1af1e5a3a2e712
Opcode Fuzzy Hash: 76112C42068596E4E03967743814BC96091FB95F3AEB8AB7156F570BE48F418125F31C
Instruction Fuzzy Hash: 1a7e1b5cc773515fc1e1ce3387cb9199d5a608ac43a7cc09dd1af1e5a3a2e712

APIs

LoadIconA.USER32(00400000,MAINICON), ref: 00444E57

Part of subcall function 0042B29C: GetIconInfo.USER32(?,?), ref: 0042B2BD
Part of subcall function 0042B29C: GetObjectA.GDI32(?,00000018,?), ref: 0042B2DE
Part of subcall function 0042B29C: DeleteObject.GDI32(?), ref: 0042B30A
Part of subcall function 0042B29C: DeleteObject.GDI32(?), ref: 0042B313

GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON), ref: 00444E89
OemToCharA.USER32(?,?), ref: 00444E9C
CharNextA.USER32(?), ref: 00444EDB
CharLowerA.USER32(00000000), ref: 00444EE1

Part of subcall function 00421140: GetClassInfoA.USER32(00400000,00421130,?), ref: 00421161
Part of subcall function 00421140: UnregisterClassA.USER32(00421130,00400000), ref: 0042118A
Part of subcall function 00421140: RegisterClassA.USER32(00491B50), ref: 00421194
Part of subcall function 00421140: SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 004211DF

Part of subcall function 004450B4: GetClassInfoA.USER32(00400000,00444D50,?), ref: 00445113
Part of subcall function 004450B4: RegisterClassA.USER32(004925FC), ref: 0044512B
Part of subcall function 004450B4: SetWindowLongA.USER32(?,000000FC,?), ref: 004451C2
Part of subcall function 004450B4: SendMessageA.USER32(?,00000080,00000001,00000000), ref: 004451E4
Part of subcall function 004450B4: SetClassLongA.USER32(?,000000F2,00000000), ref: 004451F7
Part of subcall function 004450B4: GetSystemMenu.USER32(?,00000000), ref: 00445202
Part of subcall function 004450B4: DeleteMenu.USER32(00000000,0000F030,00000000), ref: 00445211
Part of subcall function 004450B4: DeleteMenu.USER32(00000000,0000F000,00000000), ref: 0044521E
Part of subcall function 004450B4: DeleteMenu.USER32(00000000,0000F010,00000000), ref: 00445235

Strings

MAINICON, xrefs: 00444E4A
08B, xrefs: 00444E38
0PI, xrefs: 00444E4F, 00444E81
8PI, xrefs: 00444F14
\tA, xrefs: 00444DBF, 00444DD1, 00444DE3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00481318, Relevance: 16.0, APIs: 2, Strings: 7, Instructions: 241 Total matches: 16thread

Similarity

Total matches: 16
API ID: CreateThreadExitThread
String ID: Bytes ($,xI$:: $:: Clipboard Change : size = $FTPSIZE$FTPUPLOADK$dclogs\
API String ID: 3550501405-4171340091
Opcode ID: 09ac825b311b0dae764bb850de313dcff2ce8638679eaf641d47129c8347c1b6
Instruction ID: 18a29a8180aa3c51a0af157095e3a2943ba53103427a66675ab0ae847ae08d92
Opcode Fuzzy Hash: A8315BC70B99DEDBE522BCD838413A6446E1B4364DD4C1B224B397D4F14F09203AF712
Instruction Fuzzy Hash: 18a29a8180aa3c51a0af157095e3a2943ba53103427a66675ab0ae847ae08d92

APIs

ExitThread.KERNEL32(00000000,00000000,00481687,?,00000000,004816C3,?,?,?,?,0000000C,00000000,00000000), ref: 0048135E

Part of subcall function 00480F70: GetForegroundWindow.USER32 ref: 00480F8F
Part of subcall function 00480F70: GetWindowTextLengthA.USER32(00000000), ref: 00480F9B
Part of subcall function 00480F70: GetWindowTextA.USER32(00000000,00000000,00000001), ref: 00480FB8

Part of subcall function 0048ADCC: SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0048ADF9
Part of subcall function 0048ADCC: SHGetPathFromIDListA.SHELL32(?,?,00000000,0048AE8C,?,?,00000005,?,004856FD,00000000,00485755,?,?,00000005,00000000,00000000), ref: 0048AE09

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

Part of subcall function 0040BCC4: GetLocalTime.KERNEL32(?), ref: 0040BCCC

Part of subcall function 00480FEC: FindFirstFileA.KERNEL32(00000000,?,00000000,0048109E), ref: 0048101E

CreateThread.KERNEL32(00000000,00000000,Function_000810D4,00000000,00000000,00499F94), ref: 0048162D

Strings

FTPUPLOADK, xrefs: 0048159E
,xI, xrefs: 00481482, 0048151D
dclogs\, xrefs: 004813DB, 0048142A, 004815C7
FTPSIZE, xrefs: 004815F1
:: , xrefs: 00481492
Bytes (, xrefs: 0048153F
:: Clipboard Change : size = , xrefs: 0048152D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048B908, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 138 Total matches: 28

Similarity

Total matches: 28
API ID: GetTokenInformation$CloseHandleGetCurrentProcessOpenProcessToken
String ID: Default$Full$Limited$unknow
API String ID: 3519712506-3005279702
Opcode ID: c9e83fe5ef618880897256b557ce500f1bf5ac68e7136ff2dc4328b35d11ffd0
Instruction ID: 0b4c06dab34d27ad9d68d80be0f4d698db9405c4a95def130c1ac261927f5781
Opcode Fuzzy Hash: 94012245479DA6FB6826709C78036E90090EEA3505DC827320F1A3EA430F49906DFE03
Instruction Fuzzy Hash: 0b4c06dab34d27ad9d68d80be0f4d698db9405c4a95def130c1ac261927f5781

APIs

GetCurrentProcess.KERNEL32(00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B93E
OpenProcessToken.ADVAPI32(00000000,00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B944
GetTokenInformation.ADVAPI32(?,00000012(TokenIntegrityLevel),?,00000004,?,00000000,0048BA30,?,00000000,00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B96F
GetTokenInformation.ADVAPI32(?,00000014(TokenIntegrityLevel),?,00000004,?,?,TokenIntegrityLevel,?,00000004,?,00000000,0048BA30,?,00000000,00000008,?), ref: 0048B9DF
CloseHandle.KERNEL32(?), ref: 0048BA2A

Strings

unknow, xrefs: 0048B9B6
Limited, xrefs: 0048B9A7
Default, xrefs: 0048B989
Full, xrefs: 0048B998

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004035C4, Relevance: 15.1, APIs: 10, Instructions: 129 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: d538ecb20819965be69077a828496b76d5af3486dd71f6717b9dc933de35fdbc
Instruction ID: c976212507a0127e09b4f1878ff8970bdbefa7b4a5e526d5fabf74a192684bc9
Opcode Fuzzy Hash: DD012BC0B7E89268E42FAB84AA00FD25444979FFC9E70C74433C9615EE6742616CBE09
Instruction Fuzzy Hash: c976212507a0127e09b4f1878ff8970bdbefa7b4a5e526d5fabf74a192684bc9

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040364C
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00403670
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040368C
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 004036AD
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 004036D6
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 004036E4
GetStdHandle.KERNEL32(000000F5), ref: 0040371F
GetFileType.KERNEL32 ref: 00403735
CloseHandle.KERNEL32 ref: 00403750
GetLastError.KERNEL32(000000F5), ref: 00403768

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040EBCC, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201 Total matches: 3634thread

Similarity

Total matches: 3634
API ID: GetThreadLocale
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 1366207816-2493093252
Opcode ID: 01a36ac411dc2f0c4b9eddfafa1dc6121dabec367388c2cb1b6e664117e908cf
Instruction ID: d03f869ccb848d3c28b0e9f5c57a02ed4726818649ba9b5e70cc30c7e7abe10a
Opcode Fuzzy Hash: 7E216E09A7888936D262494C3885B9414F75F1A161EC4CBF18BB2757ED6EC60422FBFB
Instruction Fuzzy Hash: d03f869ccb848d3c28b0e9f5c57a02ed4726818649ba9b5e70cc30c7e7abe10a

APIs

Part of subcall function 0040EB08: GetThreadLocale.KERNEL32 ref: 0040EB2A
Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000004A), ref: 0040EB7D
Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000002A), ref: 0040EB8C

Part of subcall function 0040D3E8: GetThreadLocale.KERNEL32(00000000,0040D4FB,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040D404

GetThreadLocale.KERNEL32(00000000,0040EE97,?,?,00000000,00000000), ref: 0040EC02

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Part of subcall function 0040D380: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040EC7E,00000000,0040EE97,?,?,00000000,00000000), ref: 0040D393

Part of subcall function 0040D670: GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(?,00000000,0040D657,?,?,00000000), ref: 0040D5D8
Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040D657,?,?,00000000), ref: 0040D608
Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D50C,00000000,00000000,00000004), ref: 0040D613
Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040D657,?,?,00000000), ref: 0040D631
Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D548,00000000,00000000,00000003), ref: 0040D63C

Strings

AMPM , xrefs: 0040EE25
mmmm d, yyyy, xrefs: 0040ECFE
m/d/yy, xrefs: 0040ECD1
:mm, xrefs: 0040EE35
:mm:ss, xrefs: 0040EE52
AMPM, xrefs: 0040EE16

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045F5F8, Relevance: 10.6, APIs: 7, Instructions: 117 Total matches: 462file

Similarity

Total matches: 462
API ID: CloseHandle$CreateFileCreateFileMappingGetFileSizeMapViewOfFileUnmapViewOfFile
String ID:
API String ID: 4232242029-0
Opcode ID: 30b260463d44c6b5450ee73c488d4c98762007a87f67d167b52aaf6bd441c3bf
Instruction ID: 5c790fdba87d6d3a28b45298bdc34f72c373fcd78425af207109af52e92f4d8f
Opcode Fuzzy Hash: 68F028440BCCF3A7F4B5B64820427A1004AAB46B58D54BFA25495374CB89C9B04DFB53
Instruction Fuzzy Hash: 5c790fdba87d6d3a28b45298bdc34f72c373fcd78425af207109af52e92f4d8f

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateFileA.KERNEL32(00000000,80000000,00000003,00000000,00000003,08000080,00000000), ref: 0045F637
CreateFileMappingA.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0045F665
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718,?,?,?,?), ref: 0045F691
GetFileSize.KERNEL32(000000FF,00000000,00000000,0045F6DC,?,00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718), ref: 0045F6B3
UnmapViewOfFile.KERNEL32(00000000,0045F6E3,0045F6DC,?,00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718), ref: 0045F6D6
CloseHandle.KERNEL32(00000000), ref: 0045F6F4
CloseHandle.KERNEL32(000000FF), ref: 0045F712

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AFE8, Relevance: 10.6, APIs: 7, Instructions: 94 Total matches: 34sleep

Similarity

Total matches: 34
API ID: Sleep$GetCurrentProcessGetTokenInformationLookupPrivilegeDisplayNameLookupPrivilegeNameOpenProcessToken
String ID:
API String ID: 2949210484-0
Opcode ID: 1294ace95088db967643d611283e857756515b83d680ef470e886f47612abab4
Instruction ID: 080af5cb768fd98714a9d060fcd45c73de1816ca9ba7ffb4874f351f539571ee
Opcode Fuzzy Hash: F9F0F6524B5DE753F65D2A4C9893BE90250DB03424E806B22857877A8A5E195039FA2A
Instruction Fuzzy Hash: 080af5cb768fd98714a9d060fcd45c73de1816ca9ba7ffb4874f351f539571ee

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048B0F3), ref: 0048B016
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048B0F3), ref: 0048B01C
Sleep.KERNEL32(00000001,00000000,00000028,?,00000000,0048B0F3), ref: 0048B027
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B03C
Sleep.KERNEL32(00000001,?,TokenIntegrityLevel,00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B047
LookupPrivilegeNameA.ADVAPI32(00000000,00000004,00000000,000000FF), ref: 0048B094
LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,?,000000FF,?), ref: 0048B0A8

Part of subcall function 0048AEA8: GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AEFF
Part of subcall function 0048AEA8: OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF05
Part of subcall function 0048AEA8: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
Part of subcall function 0048AEA8: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000), ref: 0048AF77
Part of subcall function 0048AEA8: CloseHandle.KERNEL32(?), ref: 0048AF8D
Part of subcall function 0048AEA8: GetLastError.KERNEL32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF9A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048F888, Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 110 Total matches: 18

Similarity

Total matches: 18
API ID: CoInitialize
String ID: .dcp$DCDATA$GENCODE$MPI$NETDATA
API String ID: 2346599605-3060965071
Opcode ID: 5b2698c0d83cdaee763fcf6fdf8d4463e192853437356cece5346bd183c87f4d
Instruction ID: bf1364519f653df7cd18a9a38ec8bfca38719d83700d8c9dcdc44dde4d16a583
Opcode Fuzzy Hash: 990190478FEEC01AF2139D64387B7C100994F53F55E840B9B557D3E5A08947502BB705
Instruction Fuzzy Hash: bf1364519f653df7cd18a9a38ec8bfca38719d83700d8c9dcdc44dde4d16a583

APIs

Part of subcall function 004076D4: GetModuleHandleA.KERNEL32(00000000,?,0048F8A5,?,?,?,0000002F,00000000,00000000), ref: 004076E0

CoInitialize.OLE32(00000000), ref: 0048F8B5

Part of subcall function 0048AFE8: GetCurrentProcess.KERNEL32(00000028,?,00000000,0048B0F3), ref: 0048B016
Part of subcall function 0048AFE8: OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048B0F3), ref: 0048B01C
Part of subcall function 0048AFE8: Sleep.KERNEL32(00000001,00000000,00000028,?,00000000,0048B0F3), ref: 0048B027
Part of subcall function 0048AFE8: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B03C
Part of subcall function 0048AFE8: Sleep.KERNEL32(00000001,?,TokenIntegrityLevel,00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B047
Part of subcall function 0048AFE8: LookupPrivilegeNameA.ADVAPI32(00000000,00000004,00000000,000000FF), ref: 0048B094
Part of subcall function 0048AFE8: LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,?,000000FF,?), ref: 0048B0A8

Part of subcall function 0040F234: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0048F90F,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040F24B

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

Strings

.dcp, xrefs: 0048F92D, 0048F989
DCDATA, xrefs: 0048F8E9
NETDATA, xrefs: 0048F9B6
MPI, xrefs: 0048F8BA
GENCODE, xrefs: 0048F920, 0048F97C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B47C, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58 Total matches: 283

Similarity

Total matches: 283
API ID: MulDiv
String ID: MS Shell Dlg 2$SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes$Tahoma
API String ID: 940359406-1011973972
Opcode ID: 9f338f1e3de2c8e95426f3758bdd42744a67dcd51be80453ed6f2017c850a3af
Instruction ID: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a
Opcode Fuzzy Hash: EDE0680017C8F0ABFC32BC8A30A17CD20C9F341270C0063B1065D3D8CAAB4AC018E907
Instruction Fuzzy Hash: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a

APIs

MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0042B4A2

Part of subcall function 004217A0: RegCloseKey.ADVAPI32(10940000,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5,?,00000000,0048B2DD), ref: 004217B4

Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421A81
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421AF1
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?), ref: 00421B5C

Part of subcall function 00421770: RegFlushKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 00421781
Part of subcall function 00421770: RegCloseKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 0042178A

Part of subcall function 0042B438: GetDC.USER32(00000000), ref: 0042B441
Part of subcall function 0042B438: SelectObject.GDI32(00000000,018A002E), ref: 0042B453
Part of subcall function 0042B438: GetTextMetricsA.GDI32(00000000), ref: 0042B45E
Part of subcall function 0042B438: ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes, xrefs: 0042B4F8
MS Shell Dlg 2, xrefs: 0042B50C
Tahoma, xrefs: 0042B4C4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00480F70, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43 Total matches: 13

Similarity

Total matches: 13
API ID: GetForegroundWindowGetWindowTextGetWindowTextLength
String ID: 3 H
API String ID: 3098183346-888106971
Opcode ID: 38df64794ac19d1a41c58ddb3103a8d6ab7d810f67298610b47d21a238081d5e
Instruction ID: fd1deb06fecc2756381cd848e34cdb6bc2d530e728f99936ce181bacb4a15fce
Opcode Fuzzy Hash: 41D0A785074A821B944A95CC64011E692D4A171281D803B31CB257A5C9ED06001FA82B
Instruction Fuzzy Hash: fd1deb06fecc2756381cd848e34cdb6bc2d530e728f99936ce181bacb4a15fce

APIs

GetForegroundWindow.USER32 ref: 00480F8F
GetWindowTextLengthA.USER32(00000000), ref: 00480F9B
GetWindowTextA.USER32(00000000,00000000,00000001), ref: 00480FB8

Strings

3 H, xrefs: 00480FD4, 00480FA3, 00480FAE, 00480FBF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00421140, Relevance: 6.1, APIs: 4, Instructions: 59 Total matches: 2877registry

Similarity

Total matches: 2877
API ID: GetClassInfoRegisterClassSetWindowLongUnregisterClass
String ID:
API String ID: 1046148194-0
Opcode ID: c2411987b4f71cfd8dbf515c505d6b009a951c89100e7b51cc1a9ad4868d85a2
Instruction ID: ad09bb2cd35af243c34bf0a983bbfa5e937b059beb8f7eacfcf21e0321a204f6
Opcode Fuzzy Hash: 17E026123D08D3D6E68B3107302B30D00AC1B2F524D94E725428030310CB24B034D942
Instruction Fuzzy Hash: ad09bb2cd35af243c34bf0a983bbfa5e937b059beb8f7eacfcf21e0321a204f6

APIs

GetClassInfoA.USER32(00400000,00421130,?), ref: 00421161
UnregisterClassA.USER32(00421130,00400000), ref: 0042118A
RegisterClassA.USER32(00491B50), ref: 00421194

Part of subcall function 0040857C: CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004085BB

Part of subcall function 00421084: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 004210A2

SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 004211DF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00421808, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74 Total matches: 14registry

Similarity

Total matches: 14
API ID: RegCloseKeyRegCreateKeyEx
String ID: ddA
API String ID: 4178925417-2966775115
Opcode ID: 48d059bb8e84bc3192dc11d099b9e0818b120cb04e32a6abfd9049538a466001
Instruction ID: bcac8fa413c5abe8057b39d2fbf4054ffa52545f664d92bf1e259ce37bb87d2b
Opcode Fuzzy Hash: 99E0E5461A86A377B41BB1583001B523267EB167A6C85AB72164D3EADBAA40802DAE53
Instruction Fuzzy Hash: bcac8fa413c5abe8057b39d2fbf4054ffa52545f664d92bf1e259ce37bb87d2b

APIs

RegCreateKeyExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,000F003F,00000000,?,?,00000000,004218D4,?,?,?,00000000), ref: 0042187F
RegCloseKey.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,000F003F,00000000,?,?,00000000,004218D4,?,?,?,00000000), ref: 00421893

Strings

ddA, xrefs: 004218A7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486374, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66 Total matches: 15network

Similarity

Total matches: 15
API ID: send
String ID: #KEEPALIVE#$AI
API String ID: 2809346765-3407633610
Opcode ID: 7bd268bc54a74c8d262fb2d4f92eedc3231c4863c0e0b1ad2c3d318767d32110
Instruction ID: 49a0c3b4463e99ba8d4a2c6ba6a42864ce88c18c059a57f1afd8745127692009
Opcode Fuzzy Hash: 34E068800B79C40B586BB094394371320D2EE1171988473305F003F967CD40501E2E93
Instruction Fuzzy Hash: 49a0c3b4463e99ba8d4a2c6ba6a42864ce88c18c059a57f1afd8745127692009

APIs

send.WSOCK32(?,?,?,00000000,00000000,0048642A), ref: 004863F3

Strings

AI, xrefs: 004863A6
#KEEPALIVE#, xrefs: 00486399

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DD0C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51 Total matches: 15

Similarity

Total matches: 15
API ID: GlobalMemoryStatus
String ID: $%d%
API String ID: 1890195054-1553997471
Opcode ID: b93ee82e74eb3fdc7cf13e02b5efcaa0aef25b4b863b00f7ccdd0b9efdff76e6
Instruction ID: fe5533f6b2d125ff6ee6e2ff500c73019a28ed325643b914abb945f4eac8f20d
Opcode Fuzzy Hash: 64D05BD70F99F457A5A1718E3452FA400956F036D9CC83BB349946E99F071F80ACF612
Instruction Fuzzy Hash: fe5533f6b2d125ff6ee6e2ff500c73019a28ed325643b914abb945f4eac8f20d

APIs

GlobalMemoryStatus.KERNEL32(00000020), ref: 0048DD44

Strings

%d%, xrefs: 0048DD5C
, xrefs: 0048DD39

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C91C, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 75 Total matches: 20

Similarity

Total matches: 20
API ID: GetVolumeInformation
String ID: %.4x:%.4x
API String ID: 1114431059-3532927987
Opcode ID: 208ca3ebf28c5cea15b573a569a7b8c9d147c1ff64dfac4d15af7b461a718bc8
Instruction ID: 4ae5e3aba91ec141201c4859cc19818ff8a02ee484ece83311eb3b9305c11bcf
Opcode Fuzzy Hash: F8E0E5410AC961EBB4D3F0883543BA2319593A3289C807B73B7467FDD64F05505DD847
Instruction Fuzzy Hash: 4ae5e3aba91ec141201c4859cc19818ff8a02ee484ece83311eb3b9305c11bcf

APIs

GetVolumeInformationA.KERNEL32(00000000,00000000,00000104,?,?,?,00000000,00000104), ref: 0048C974

Strings

%.4x:%.4x, xrefs: 0048C9B9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004221F0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47 Total matches: 18registry

Similarity

Total matches: 18
API ID: RegQueryValueEx
String ID: ldA
API String ID: 3865029661-3200660723
Opcode ID: ec304090a766059ca8447c7e950ba422bbcd8eaba57a730efadba48c404323b5
Instruction ID: 1bfdbd06430122471a07604155f074e1564294130eb9d59a974828bfc3ff2ca5
Opcode Fuzzy Hash: 87D05E281E48858525DA74D93101B522241E7193938CC3F618A4C976EB6900F018EE0F
Instruction Fuzzy Hash: 1bfdbd06430122471a07604155f074e1564294130eb9d59a974828bfc3ff2ca5

APIs

RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000), ref: 0042221B

Strings

ldA, xrefs: 00422231

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00421F68, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36 Total matches: 12registry

Similarity

Total matches: 12
API ID: RegQueryValueEx
String ID: n"B
API String ID: 3865029661-2187876772
Opcode ID: 26fd4214dafc6fead50bf7e0389a84ae86561299910b3c40f1938d96c80dcc37
Instruction ID: ad829994a2409f232093606efc953ae9cd3a3a4e40ce86781ec441e637d7f613
Opcode Fuzzy Hash: A2C08C4DAA204AD6E1B42500D481F0827816B633B9D826F400162222E3BA009A9FE85C
Instruction Fuzzy Hash: ad829994a2409f232093606efc953ae9cd3a3a4e40ce86781ec441e637d7f613

APIs

RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,00000000,n"B,?,?,?,?,00000000,0042226E), ref: 00421F9A

Strings

n"B, xrefs: 00421F81, 00421F84

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Similar Non-Executed Functions

Function 0048B42C, Relevance: 70.2, APIs: 32, Strings: 8, Instructions: 219 Total matches: 29keyboard

Similarity

Total matches: 29
API ID: keybd_event
String ID: CTRLA$CTRLC$CTRLF$CTRLP$CTRLV$CTRLX$CTRLY$CTRLZ
API String ID: 2665452162-853614746
Opcode ID: 4def22f753c7f563c1d721fcc218f3f6eb664e5370ee48361dbc989d32d74133
Instruction ID: 963b610819eac8b52ef880b5a8b69d76f76adbdeafee6c47af906d1515d6b099
Opcode Fuzzy Hash: 532196951B0CA2B978DA64817C0E195F00B969B34DEDC13128990DAF788EF08DE03F35
Instruction Fuzzy Hash: 963b610819eac8b52ef880b5a8b69d76f76adbdeafee6c47af906d1515d6b099

APIs

keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B460
keybd_event.USER32(00000041,00000045,00000001,00000000), ref: 0048B46D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B47A
keybd_event.USER32(00000041,00000045,00000003,00000000), ref: 0048B487
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B4A8
keybd_event.USER32(00000056,00000045,00000001,00000000), ref: 0048B4B5
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B4C2
keybd_event.USER32(00000056,00000045,00000003,00000000), ref: 0048B4CF
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B4F0
keybd_event.USER32(00000043,00000045,00000001,00000000), ref: 0048B4FD
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B50A
keybd_event.USER32(00000043,00000045,00000003,00000000), ref: 0048B517
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B538
keybd_event.USER32(00000058,00000045,00000001,00000000), ref: 0048B545
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B552
keybd_event.USER32(00000058,00000045,00000003,00000000), ref: 0048B55F
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B580
keybd_event.USER32(00000050,00000045,00000001,00000000), ref: 0048B58D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B59A
keybd_event.USER32(00000050,00000045,00000003,00000000), ref: 0048B5A7
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B5C8
keybd_event.USER32(0000005A,00000045,00000001,00000000), ref: 0048B5D5
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B5E2
keybd_event.USER32(0000005A,00000045,00000003,00000000), ref: 0048B5EF
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B610
keybd_event.USER32(00000059,00000045,00000001,00000000), ref: 0048B61D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B62A
keybd_event.USER32(00000059,00000045,00000003,00000000), ref: 0048B637
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B655
keybd_event.USER32(00000046,00000045,00000001,00000000), ref: 0048B662
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B66F
keybd_event.USER32(00000046,00000045,00000003,00000000), ref: 0048B67C

Strings

CTRLP, xrefs: 0048B56C
CTRLC, xrefs: 0048B4DC
CTRLV, xrefs: 0048B494
CTRLY, xrefs: 0048B5FC
CTRLF, xrefs: 0048B641
CTRLZ, xrefs: 0048B5B4
CTRLX, xrefs: 0048B524
CTRLA, xrefs: 0048B44C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00460AC0, Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99 Total matches: 300libraryloader

Similarity

Total matches: 300
API ID: GetProcAddress$GetModuleHandle
String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$[FILE]
API String ID: 1039376941-2682310058
Opcode ID: f09c306a48b0de2dd47c8210d3bd2ba449cfa3644c05cf78ba5a2ace6c780295
Instruction ID: bcfc9cd07546656776842482fc67dab96c7523a4dc8624f3bf5282ed84c56a54
Opcode Fuzzy Hash: 950151BF00AC158CCBB0CE8834EFB5324AB398984C4225F4495C6312393D9FF50A1AAA
Instruction Fuzzy Hash: bcfc9cd07546656776842482fc67dab96c7523a4dc8624f3bf5282ed84c56a54

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?,?,?), ref: 00460AD4
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?,?,?), ref: 00460AEC
GetProcAddress.KERNEL32(00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?), ref: 00460AFE
GetProcAddress.KERNEL32(00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E), ref: 00460B10
GetProcAddress.KERNEL32(00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5), ref: 00460B22
GetProcAddress.KERNEL32(00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5), ref: 00460B34
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000), ref: 00460B46
GetProcAddress.KERNEL32(00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002), ref: 00460B58
GetProcAddress.KERNEL32(00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot), ref: 00460B6A
GetProcAddress.KERNEL32(00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst), ref: 00460B7C
GetProcAddress.KERNEL32(00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext), ref: 00460B8E
GetProcAddress.KERNEL32(00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First), ref: 00460BA0
GetProcAddress.KERNEL32(00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next), ref: 00460BB2
GetProcAddress.KERNEL32(00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory), ref: 00460BC4
GetProcAddress.KERNEL32(00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First), ref: 00460BD6
GetProcAddress.KERNEL32(00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next), ref: 00460BE8
GetProcAddress.KERNEL32(00000000,Module32NextW,00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW), ref: 00460BFA

Strings

Toolhelp32ReadProcessMemory, xrefs: 00460B3E
CreateToolhelp32Snapshot, xrefs: 00460AE4
Heap32First, xrefs: 00460B1A
Thread32First, xrefs: 00460B98
Module32First, xrefs: 00460BBC
Process32FirstW, xrefs: 00460B74
Heap32Next, xrefs: 00460B2C
Process32First, xrefs: 00460B50
Module32Next, xrefs: 00460BCE
Module32NextW, xrefs: 00460BF2
Heap32ListFirst, xrefs: 00460AF6
Thread32Next, xrefs: 00460BAA
Module32FirstW, xrefs: 00460BE0
Heap32ListNext, xrefs: 00460B08
Process32NextW, xrefs: 00460B86
kernel32.dll, xrefs: 00460ACF
Process32Next, xrefs: 00460B62

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428B08, Relevance: 48.5, APIs: 32, Instructions: 500 Total matches: 1987window

Similarity

Total matches: 1987
API ID: SelectObject$SelectPalette$CreateCompatibleDCGetDIBitsGetDeviceCapsRealizePaletteSetBkColorSetTextColor$BitBltCreateBitmapCreateCompatibleBitmapCreateDIBSectionDeleteDCFillRectGetDCGetDIBColorTableGetObjectPatBltSetDIBColorTable
String ID:
API String ID: 3042800676-0
Opcode ID: b8b687cee1c9a2d9d2f26bc490dbdcc6ec68fc2f2ec1aa58312beb2e349b1411
Instruction ID: ff68489d249ea03a763d48795c58495ac11dd1cccf96ec934182865f2a9e2114
Opcode Fuzzy Hash: E051494D0D8CF5C7B4BF29880993F5211816F83A27D2AB7130975677FB8A05A05BF21D
Instruction Fuzzy Hash: ff68489d249ea03a763d48795c58495ac11dd1cccf96ec934182865f2a9e2114

APIs

GetObjectA.GDI32(00000000,00000054,?), ref: 00428B88
GetDC.USER32(00000000), ref: 00428B99
CreateCompatibleDC.GDI32(00000000), ref: 00428BAA
CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 00428BF6
CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 00428C1A
GetDeviceCaps.GDI32(00000028,0000000C), ref: 00428C6A
GetDeviceCaps.GDI32(00000028,0000000E), ref: 00428C77
SelectObject.GDI32(?,?), ref: 00428D7F

Part of subcall function 004262B4: GetObjectA.GDI32(?,00000004), ref: 004262CB
Part of subcall function 004262B4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 004262EE

SelectObject.GDI32(?,00000000), ref: 00428D21
GetDIBColorTable.GDI32(?,00000000,00000100,-00000027), ref: 00428D47
GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428D72
CreateDIBSection.GDI32(00000028,00000001,00000000,00000003,00000000,00000000), ref: 00428DD5
GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428E36

Part of subcall function 00425A70: GetLastError.KERNEL32(00000000,00425B0C), ref: 00425A90
Part of subcall function 00425A70: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00425B0C), ref: 00425AB6

SelectObject.GDI32(?,?), ref: 00428E77
SelectPalette.GDI32(?,00000000,00000000), ref: 00428EB7
RealizePalette.GDI32(?), ref: 00428EC3
SelectPalette.GDI32(?,?,000000FF), ref: 004290CE

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?,00000000), ref: 00428F14
SetTextColor.GDI32(?,00000000), ref: 00428F2C
SetBkColor.GDI32(?,00000000), ref: 00428F46
SetDIBColorTable.GDI32(?,00000000,00000002,?), ref: 00428F8E
PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 00428FB0
CreateCompatibleDC.GDI32(00000028), ref: 00428FC3
SelectObject.GDI32(?,00000000), ref: 00428FE6
SelectPalette.GDI32(?,00000000,00000000), ref: 00429002
RealizePalette.GDI32(?), ref: 0042900D
DeleteDC.GDI32(?), ref: 004290A4

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetTextColor.GDI32(?,00000000), ref: 0042902B
SetBkColor.GDI32(?,00000000), ref: 00429045
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042906D
SelectPalette.GDI32(?,00000000,000000FF), ref: 0042907F
SelectObject.GDI32(?,00000000), ref: 00429089

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047FA8C, Relevance: 44.0, APIs: 24, Strings: 1, Instructions: 241 Total matches: 15networkwindow

Similarity

Total matches: 15
API ID: GetDeviceCaps$recv$DeleteObjectSelectObject$BitBltCreateCompatibleBitmapCreateCompatibleDCGetDCReleaseDCclosesocketconnectgethostbynameinet_addrntohssendshutdownsocket
String ID: THUMB
API String ID: 1930283203-3798143851
Opcode ID: 678904e15847db7bac48336b7cf5e320d4a41031a0bc1ba33978a791cdb2d37c
Instruction ID: a6e5d2826a1bfadec34d698d0b396fa74616cd31ac2933a690057ec4ea65ec21
Opcode Fuzzy Hash: A331F900078DE76BF6722B402983F571157FF42A21E6997A34BB4676C75FC0640EB60B
Instruction Fuzzy Hash: a6e5d2826a1bfadec34d698d0b396fa74616cd31ac2933a690057ec4ea65ec21

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,0047FD80), ref: 0047FACB
ntohs.WSOCK32(00000774), ref: 0047FAEF
inet_addr.WSOCK32(015EAA88,00000774), ref: 0047FB03
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 0047FB1B
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 0047FB42
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047FB59

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047FBA9
GetDC.USER32(00000000), ref: 0047FBE3
CreateCompatibleDC.GDI32(?), ref: 0047FBEF
GetDeviceCaps.GDI32(?,0000000A), ref: 0047FBFD
GetDeviceCaps.GDI32(?,00000008), ref: 0047FC09
CreateCompatibleBitmap.GDI32(?,00000000,?), ref: 0047FC13
SelectObject.GDI32(?,?), ref: 0047FC23
GetDeviceCaps.GDI32(?,0000000A), ref: 0047FC3E
GetDeviceCaps.GDI32(?,00000008), ref: 0047FC4A
BitBlt.GDI32(?,00000000,00000000,00000000,?,00000008,00000000,?,0000000A), ref: 0047FC58
send.WSOCK32(000000FF,?,00000000,00000000,?,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010), ref: 0047FCCD
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00000000,00000000,?,000000FF,?,00002000,00000000,000000FF,?,00002000), ref: 0047FCE4
SelectObject.GDI32(?,?), ref: 0047FD08
DeleteObject.GDI32(?), ref: 0047FD11
DeleteObject.GDI32(?), ref: 0047FD1A
ReleaseDC.USER32(00000000,?), ref: 0047FD25
shutdown.WSOCK32(000000FF,00000002,00000002,00000001,00000000,00000000,0047FD80), ref: 0047FD54
closesocket.WSOCK32(000000FF,000000FF,00000002,00000002,00000001,00000000,00000000,0047FD80), ref: 0047FD5D

Strings

THUMB, xrefs: 0047FB7F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486918, Relevance: 40.8, APIs: 27, Instructions: 343 Total matches: 14networksleep

Similarity

Total matches: 14
API ID: send$recv$closesocket$Sleepconnectgethostbynamegetsocknamentohsselectsocket
String ID:
API String ID: 2478304679-0
Opcode ID: 4d87a5330adf901161e92fb1ca319a93a9e59af002049e08fc24e9f18237b9f5
Instruction ID: e3ab2fee1e4498134b0ab76971bb2098cdaeb743d0e54aa66642cb2787f17742
Opcode Fuzzy Hash: 8F5159466792D79EF5A21F00640279192F68B03F25F05DB72D63A393D8CEC4009EBF08
Instruction Fuzzy Hash: e3ab2fee1e4498134b0ab76971bb2098cdaeb743d0e54aa66642cb2787f17742

APIs

recv.WSOCK32(?,?,00000002,00000002,00000000,00486E16), ref: 00486971
recv.WSOCK32(?,00000005,?,00000000), ref: 004869A0
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 004869EE
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486A0B
recv.WSOCK32(?,?,00000259,00000000,?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486A1F
send.WSOCK32(?,00000001,00000002,00000000), ref: 00486A9E
send.WSOCK32(?,00000001,00000002,00000000), ref: 00486ABB
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486AE8
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486B02
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486B2B
recv.WSOCK32(?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486B41
recv.WSOCK32(?,?,0000000C,00000000,?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486B7C
recv.WSOCK32(?,?,?,00000000,?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486BD9
gethostbyname.WSOCK32(00000000,?,?,?,00000000,?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486BFF
ntohs.WSOCK32(?,00000000,?,?,?,00000000,?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486C29
socket.WSOCK32(00000002,00000001,00000000), ref: 00486C44
connect.WSOCK32(00000000,00000002,00000010,00000002,00000001,00000000), ref: 00486C55
getsockname.WSOCK32(00000000,?,00000010,00000000,00000002,00000010,00000002,00000001,00000000), ref: 00486CA8
send.WSOCK32(?,00000005,0000000A,00000000,00000000,?,00000010,00000000,00000002,00000010,00000002,00000001,00000000), ref: 00486CDD
select.WSOCK32(00000000,?,00000000,00000000,00000000,?,00000005,0000000A,00000000,00000000,?,00000010,00000000,00000002,00000010,00000002), ref: 00486D1D
Sleep.KERNEL32(00000096,00000000,?,00000000,00000000,00000000,?,00000005,0000000A,00000000,00000000,?,00000010,00000000,00000002,00000010), ref: 00486DCA

Part of subcall function 00408710: __WSAFDIsSet.WSOCK32(00000000,?,00000000,?,00486D36,00000000,?,00000000,00000000,00000000,00000096,00000000,?,00000000,00000000,00000000), ref: 00408718

recv.WSOCK32(00000000,?,00001000,00000000,00000000,?,00000000,00000000,00000000,00000096,00000000,?,00000000,00000000,00000000,?), ref: 00486D5B
send.WSOCK32(?,?,00000000,00000000,00000000,?,00001000,00000000,00000000,?,00000000,00000000,00000000,00000096,00000000,?), ref: 00486D72
recv.WSOCK32(?,?,00001000,00000000,00000000,?,00000000,00000000,00000000,00000096,00000000,?,00000000,00000000,00000000,?), ref: 00486DA9
send.WSOCK32(00000000,?,00000000,00000000,?,?,00001000,00000000,00000000,?,00000000,00000000,00000000,00000096,00000000,?), ref: 00486DC0
closesocket.WSOCK32(?,?,?,00000002,00000002,00000000,00486E16), ref: 00486DE2
closesocket.WSOCK32(?,?,?,?,00000002,00000002,00000000,00486E16), ref: 00486DE8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004801FC, Relevance: 35.3, APIs: 15, Strings: 5, Instructions: 286 Total matches: 15network

Similarity

Total matches: 15
API ID: recv$closesocketconnectgethostbynameinet_addrntohssendshutdownsocket
String ID: [.dll]$[.dll]$[.dll]$[.dll]$[.dll]
API String ID: 2256622448-126193538
Opcode ID: edfb90c8b4475b2781d0696b1145c1d1b84b866ec8cac18c23b2313044de0fe7
Instruction ID: 2d95426e1e6ee9a744b3e863ef1b8a7e344b36da7f7d1abd741f771f4a8a1459
Opcode Fuzzy Hash: FB414B0217AAD36BE0726F413943B8B00A2AF03E15D9C97E247B5267D69FA0501DB21A
Instruction Fuzzy Hash: 2d95426e1e6ee9a744b3e863ef1b8a7e344b36da7f7d1abd741f771f4a8a1459

APIs

socket.WSOCK32(00000002,00000001,00000000), ref: 00480264
ntohs.WSOCK32(00000774), ref: 00480288
inet_addr.WSOCK32(015EAA88,00000774), ref: 0048029C
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 004802B4
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 004802DB
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004802F2
closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004805DE

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,?,0048064C,?,00000000,?,FILETRANSFER,000000FF,?,00002000,00000000,000000FF,00000002), ref: 0048036A
recv.WSOCK32(000000FF,?,00002000,00000000,?,00000000,?,0048064C,?,FILEBOF,?,FILETRANSFER,000000FF,?,00002000,00000000), ref: 00480401

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,00000000,?,0048064C,?,FILEBOF,?,FILETRANSFER), ref: 00480451
send.WSOCK32(000000FF,?,00000000,00000000,00000000,00480523,?,000000FF,?,00002000,00000000,?,00000000,?,0048064C,?), ref: 004804DB
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00000000,00000000,00000000,00480523,?,000000FF,?,00002000,00000000,?), ref: 004804F5
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,00000000,?,0048064C,?,FILEBOF,?,FILETRANSFER), ref: 00480583

Part of subcall function 00475F68: send.WSOCK32(?,00000000,?,00000000,00000000,00475FCA), ref: 00475FAF

recv.WSOCK32(000000FF,?,00002000,00000000,?,FILETRANSFER,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004805B6
shutdown.WSOCK32(000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004805D5

Strings

FILEERR, xrefs: 00480432
FILEEOF, xrefs: 00480564
FILEBOF, xrefs: 004803A6
FILEEND, xrefs: 00480597
FILETRANSFER, xrefs: 004802FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048E06C, Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 175 Total matches: 10windowmemorythread

Similarity

Total matches: 10
API ID: SendMessage$FindWindowEx$CloseHandleFindWindowGetWindowThreadProcessIdOpenProcessReadProcessMemoryVirtualAllocVirtualAllocExVirtualFreeVirtualFreeExWriteProcessMemory
String ID: #32770$SysListView32$d"H
API String ID: 3780048337-1380996120
Opcode ID: b683118a55e5ed65f15da96e40864f63eed112dcb30155d6a8038ec0cc94ce3d
Instruction ID: 921cf0fa770e2b86772df7590f9e2c4dc5a1ffd61c2349c0eb9e10af82608242
Opcode Fuzzy Hash: AB11504A0B9C9567E83768442C43BDB1581FB13E89EB1BB93E2743758ADE811069FA43
Instruction Fuzzy Hash: 921cf0fa770e2b86772df7590f9e2c4dc5a1ffd61c2349c0eb9e10af82608242

APIs

Part of subcall function 0048DFF0: GetForegroundWindow.USER32 ref: 0048E00F
Part of subcall function 0048DFF0: GetWindowTextLengthA.USER32(00000000), ref: 0048E01B
Part of subcall function 0048DFF0: GetWindowTextA.USER32(00000000,00000000,00000001), ref: 0048E038

FindWindowA.USER32(#32770,00000000), ref: 0048E0C3
FindWindowExA.USER32(?,00000000,#32770,00000000), ref: 0048E0D8
FindWindowExA.USER32(?,00000000,SysListView32,00000000), ref: 0048E0ED
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0048E102
VirtualAlloc.KERNEL32(00000000,0000012C,00003000,00000004,?,00000000,SysListView32,00000000,00000000,0048E273,?,?,?,?), ref: 0048E12A
GetWindowThreadProcessId.USER32(?,?), ref: 0048E139
OpenProcess.KERNEL32(00000038,00000000,?,00000000,0000012C,00003000,00000004,?,00000000,SysListView32,00000000,00000000,0048E273), ref: 0048E146
VirtualAllocEx.KERNEL32(00000000,00000000,0000012C,00003000,00000004,00000038,00000000,?,00000000,0000012C,00003000,00000004,?,00000000,SysListView32,00000000), ref: 0048E158
WriteProcessMemory.KERNEL32(00000000,00000000,00000000,00000400,?,00000000,00000000,0000012C,00003000,00000004,00000038,00000000,?,00000000,0000012C,00003000), ref: 0048E18A
SendMessageA.USER32(d"H,0000102D,00000000,00000000), ref: 0048E19D
ReadProcessMemory.KERNEL32(00000000,00000000,00000000,00000400,?,d"H,0000102D,00000000,00000000,00000000,00000000,00000000,00000400,?,00000000,00000000), ref: 0048E1AE
SendMessageA.USER32(d"H,00001008,00000000,00000000), ref: 0048E219
VirtualFree.KERNEL32(00000000,00000000,00008000,d"H,00001008,00000000,00000000,00000000,00000000,00000000,00000400,?,d"H,0000102D,00000000,00000000), ref: 0048E226
VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000,00000000,00000000,00008000,d"H,00001008,00000000,00000000,00000000,00000000,00000000,00000400,?), ref: 0048E234
CloseHandle.KERNEL32(00000000), ref: 0048E23A

Strings

SysListView32, xrefs: 0048E0E2
d"H, xrefs: 0048E199, 0048E215, 0048E19C, 0048E218
#32770, xrefs: 0048E0BE, 0048E0CD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00480880, Relevance: 30.0, APIs: 12, Strings: 5, Instructions: 276 Total matches: 16network

Similarity

Total matches: 16
API ID: recv$closesocketshutdown$connectgethostbynameinet_addrntohssocket
String ID: [.dll]$[.dll]$[.dll]$[.dll]$[.dll]
API String ID: 2855376909-126193538
Opcode ID: ce8af9afc4fc20da17b49cda6627b8ca93217772cb051443fc0079949da9fcb3
Instruction ID: 6552a3c7cc817bd0bf0621291c8240d3f07fdfb759ea8c029e05bf9a4febe696
Opcode Fuzzy Hash: A5414C032767977AE1612F402881B952571BF03769DC8C7D257F6746EA5F60240EF31E
Instruction Fuzzy Hash: 6552a3c7cc817bd0bf0621291c8240d3f07fdfb759ea8c029e05bf9a4febe696

APIs

socket.WSOCK32(00000002,00000001,00000000,?,?,?,?,?,?,?,?,?,00000000,00480C86), ref: 004808B5
ntohs.WSOCK32(00000774), ref: 004808D9
inet_addr.WSOCK32(015EAA88,00000774), ref: 004808ED
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 00480905
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 0048092C
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480943
closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480C2F

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480993
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88), ref: 004809C8
shutdown.WSOCK32(000000FF,00000002,?,?,?,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000), ref: 00480B80
closesocket.WSOCK32(000000FF,000000FF,00000002,?,?,?,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?), ref: 00480B89

Part of subcall function 00480860: send.WSOCK32(?,00000000,00000001,00000000), ref: 00480879

shutdown.WSOCK32(000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480C26

Part of subcall function 00405D40: SysFreeString.OLEAUT32(?), ref: 00405D53

Strings

FILEERR, xrefs: 00480BB6
FILEBOF, xrefs: 00480A34
FILEEOF, xrefs: 00480B0B
UPLOADFILE, xrefs: 00480969
FILEEND, xrefs: 00480B6A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048851C, Relevance: 28.3, APIs: 11, Strings: 5, Instructions: 302 Total matches: 13network

Similarity

Total matches: 13
API ID: recv$closesocketconnectgethostbynameinet_addrmouse_eventntohsshutdownsocket
String ID: CONTROLIO$XLEFT$XMID$XRIGHT$XWHEEL
API String ID: 1694935655-1300867655
Opcode ID: 3d8ebbc3997d8a2a290d7fc83b0cdb9b95b23bbbcb8ad76760d2b66ee4a9946d
Instruction ID: 7e2e77316238cb3891ff65c9dc595f4b15bca55cd02a53a070d44cee5d55110c
Opcode Fuzzy Hash: C7410B051B8DD63BF4337E001883B422661FF02A24DC5ABD1ABB6766E75F40641EB74B
Instruction Fuzzy Hash: 7e2e77316238cb3891ff65c9dc595f4b15bca55cd02a53a070d44cee5d55110c

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00488943), ref: 00488581
ntohs.WSOCK32(00000774), ref: 004885A7
inet_addr.WSOCK32(015EAA88,00000774), ref: 004885BB
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 004885D3
connect.WSOCK32(?,00000002,00000010,015EAA88,00000774), ref: 004885FD
recv.WSOCK32(?,?,00002000,00000000,?,00000002,00000010,015EAA88,00000774), ref: 00488617

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(?,?,00002000,00000000,?,?,00002000,00000000,?,00000002,00000010,015EAA88,00000774), ref: 00488670
recv.WSOCK32(?,?,00002000,00000000,?,?,00002000,00000000,?,?,00002000,00000000,?,00000002,00000010,015EAA88), ref: 004886B7
mouse_event.USER32(00000800,00000000,00000000,00000000,00000000), ref: 00488743

Part of subcall function 00488F80: SetCursorPos.USER32(00000000,00000000), ref: 004890E0
Part of subcall function 00488F80: mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 004890FB
Part of subcall function 00488F80: mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 0048910A
Part of subcall function 00488F80: mouse_event.USER32(00000008,00000000,00000000,00000000,00000000), ref: 0048911B
Part of subcall function 00488F80: mouse_event.USER32(00000010,00000000,00000000,00000000,00000000), ref: 0048912A
Part of subcall function 00488F80: mouse_event.USER32(00000020,00000000,00000000,00000000,00000000), ref: 0048913B
Part of subcall function 00488F80: mouse_event.USER32(00000040,00000000,00000000,00000000,00000000), ref: 0048914A

shutdown.WSOCK32(?,00000002,00000002,00000001,00000000,00000000,00488943), ref: 00488907
closesocket.WSOCK32(?,?,00000002,00000002,00000001,00000000,00000000,00488943), ref: 00488913

Strings

XLEFT, xrefs: 004887C6
CONTROLIO, xrefs: 00488640
XRIGHT, xrefs: 0048882E
XMID, xrefs: 00488896
XWHEEL, xrefs: 00488701

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048317C, Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 191 Total matches: 13networkthread

Similarity

Total matches: 13
API ID: ExitThreadrecv$closesocketconnectgethostbynameinet_addrntohssendshutdownsocket
String ID: AI$DATAFLUX
API String ID: 321019756-425132630
Opcode ID: b7a2c89509495347fc3323384a94636a93f503423a5dcd762de1341b7d40447e
Instruction ID: d3bdd4e47b343d3b4fa6119c5e41daebd5c6236719acedab40bdc5f8245a3ecd
Opcode Fuzzy Hash: 4B214D4107AAD97AE4702A443881BA224165F535ADFD48B7147343F7D79E43205DFA4E
Instruction Fuzzy Hash: d3bdd4e47b343d3b4fa6119c5e41daebd5c6236719acedab40bdc5f8245a3ecd

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,004833A9,?,00000000,0048340F), ref: 00483247
ExitThread.KERNEL32(00000000,00000002,00000001,00000000,00000000,004833A9,?,00000000,0048340F), ref: 00483257
ntohs.WSOCK32(00000774), ref: 0048326E
inet_addr.WSOCK32(015EAA88,00000774), ref: 00483282
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 0048329A
ExitThread.KERNEL32(00000000,015EAA88,015EAA88,00000774), ref: 004832A7
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 004832C6
recv.WSOCK32(000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004832D7
ExitThread.KERNEL32(00000000,000000FF,000000FF,00000002,000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0048339A

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00000400,00000000,?,00483440,?,DATAFLUX,000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88), ref: 0048331D
send.WSOCK32(000000FF,?,00000000,00000000), ref: 0048335C
recv.WSOCK32(000000FF,?,00000400,00000000,000000FF,?,00000000,00000000), ref: 00483370
shutdown.WSOCK32(000000FF,00000002,000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00483382
closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0048338B

Strings

AI, xrefs: 00483218
DATAFLUX, xrefs: 004832E3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047F4E0, Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 295 Total matches: 16network

Similarity

Total matches: 16
API ID: recv$closesocketconnectgethostbynameinet_addrntohsshutdownsocket
String ID: [.dll]$PLUGIN$QUICKUP
API String ID: 3502134677-2029499634
Opcode ID: e0335874fa5fb0619f753044afc16a0783dc895853cb643f68a57d403a54b849
Instruction ID: e53faec40743fc20efac8ebff3967ea6891c829de5991c2041a7f36387638ce7
Opcode Fuzzy Hash: 8E4129031BAAEA76E1723F4029C2B851A62EF12635DC4C7E287F6652D65F60241DF60E
Instruction Fuzzy Hash: e53faec40743fc20efac8ebff3967ea6891c829de5991c2041a7f36387638ce7

APIs

socket.WSOCK32(00000002,00000001,00000000,?,00000000,0047F930,?,?,?,?,00000000,00000000), ref: 0047F543
ntohs.WSOCK32(00000774), ref: 0047F567
inet_addr.WSOCK32(015EAA88,00000774), ref: 0047F57B
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 0047F593
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F5BA
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F5D1
closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F8C2

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,?,0047F968,?,0047F968,?,QUICKUP,000000FF,?,00002000,00000000,000000FF,00000002), ref: 0047F63F
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,0047F968,?,0047F968,?,QUICKUP,000000FF,?), ref: 0047F66F

Part of subcall function 0047F4C0: send.WSOCK32(?,00000000,00000001,00000000), ref: 0047F4D9

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,0047F968,?,0047F968), ref: 0047F859

Part of subcall function 0048ADCC: SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0048ADF9
Part of subcall function 0048ADCC: SHGetPathFromIDListA.SHELL32(?,?,00000000,0048AE8C,?,?,00000005,?,004856FD,00000000,00485755,?,?,00000005,00000000,00000000), ref: 0048AE09

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,0047F968,?,0047F968), ref: 0047F786

Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EEA0
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF11
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EF31
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF60
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0047EF96
Part of subcall function 0047EE3C: SetFileAttributesA.KERNEL32(00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFD6
Part of subcall function 0047EE3C: DeleteFileA.KERNEL32(00000000,00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFFF
Part of subcall function 0047EE3C: CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0047F033
Part of subcall function 0047EE3C: PlaySoundA.WINMM(00000000,00000000,00000001,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047F059
Part of subcall function 0047EE3C: CopyFileA.KERNEL32(00000000,00000000,.dcp), ref: 0047F0D1

shutdown.WSOCK32(000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F8B9

Part of subcall function 00405D40: SysFreeString.OLEAUT32(?), ref: 00405D53

Strings

PLUGIN, xrefs: 0047F527
QUICKUP, xrefs: 0047F5DD
FILEEND, xrefs: 0047F7E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00489244, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 150 Total matches: 15networkthread

Similarity

Total matches: 15
API ID: recv$ExitThreadclosesocketconnectgethostbynameinet_addrntohssendshutdownsocket
String ID: AI$DATAFLUX
API String ID: 272284131-425132630
Opcode ID: 11f7e99e0a7c1cc561ab01f1b1abb0142bfc906553ec9d79ada03e9cf39adde9
Instruction ID: 4d7be339f0e68e68ccf0b59b667884dcbebc6bd1e5886c9405f519ae2503b2a6
Opcode Fuzzy Hash: DA115B4513B9A77BE0626F943842B6265236B02E3CF498B3153B83A3C6DF41146DFA4D
Instruction Fuzzy Hash: 4d7be339f0e68e68ccf0b59b667884dcbebc6bd1e5886c9405f519ae2503b2a6

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00489441), ref: 004892BA
ntohs.WSOCK32(00000774), ref: 004892DC
inet_addr.WSOCK32(015EAA88,00000774), ref: 004892F0
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 00489308
connect.WSOCK32(00000000,00000002,00000010,015EAA88,00000774), ref: 0048932C
recv.WSOCK32(00000000,?,00000400,00000000,00000000,00000002,00000010,015EAA88,00000774), ref: 00489340

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(00000000,?,00000400,00000000,?,0048946C,?,DATAFLUX,00000000,?,00000400,00000000,00000000,00000002,00000010,015EAA88), ref: 00489399
send.WSOCK32(00000000,?,00000000,00000000), ref: 004893E3
recv.WSOCK32(00000000,?,00000400,00000000,00000000,?,00000000,00000000), ref: 004893FA
shutdown.WSOCK32(00000000,00000002,00000002,00000001,00000000,00000000,00489441), ref: 00489409
closesocket.WSOCK32(00000000,00000000,00000002,00000002,00000001,00000000,00000000,00489441), ref: 0048940F
ExitThread.KERNEL32(00000000,00000000,00000000,00000002,00000002,00000001,00000000,00000000,00489441), ref: 0048941E

Strings

DATAFLUX, xrefs: 0048934C
AI, xrefs: 0048928B

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00406A68, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 139 Total matches: 2934stringlibraryfile

Similarity

Total matches: 2934
API ID: lstrcpyn$lstrlen$FindCloseFindFirstFileGetModuleHandleGetProcAddress
String ID: GetLongPathNameA$\$[FILE]
API String ID: 3661757112-3025972186
Opcode ID: 09af6d4fb3ce890a591f7b23fb756db22e1cbc03564fc0e4437be3767da6793e
Instruction ID: b14d932b19fc4064518abdddbac2846d3fd2a245794c3c1ecc53a3c556f9407d
Opcode Fuzzy Hash: 5A0148030E08E387E1775B017586F4A12A1EF41C38E98A36025F15BAC94E00300CF12F
Instruction Fuzzy Hash: b14d932b19fc4064518abdddbac2846d3fd2a245794c3c1ecc53a3c556f9407d

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,00400000,004917C0), ref: 00406A85
GetProcAddress.KERNEL32(?,GetLongPathNameA,kernel32.dll,?,00400000,004917C0), ref: 00406A9C
lstrcpynA.KERNEL32(?,?,?,?,00400000,004917C0), ref: 00406ACC
lstrcpynA.KERNEL32(?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B30

Part of subcall function 00406A48: CharNextA.USER32(?), ref: 00406A4F

lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B66
FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B79
FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B8B
lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B97
lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000), ref: 00406BCB
lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00406BD7
lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 00406BF9

Strings

GetLongPathNameA, xrefs: 00406A93
\, xrefs: 00406BA9
kernel32.dll, xrefs: 00406A80

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486E2C, Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 178 Total matches: 14networkthreadsleep

Similarity

Total matches: 14
API ID: CloseHandleCreateThreadExitThreadLocalAllocSleepacceptbindlistenntohssocket
String ID: ERR|Cannot listen to port, try another one..|$ERR|Socket error..|$OK|Successfully started..|
API String ID: 2137491959-3262568804
Opcode ID: 90fb1963c21165c4396d73d063bf7afe9f22d057a02fd569e7e66b2d14a70f73
Instruction ID: 0fda09cc725898a8dcbc65afb209be10fac5e25cc35172c883d426d9189e88b6
Opcode Fuzzy Hash: 9011D50257DC549BD5E7ACC83887FA611625F83E8CEC8BB06AB9A3B2C10E555028B652
Instruction Fuzzy Hash: 0fda09cc725898a8dcbc65afb209be10fac5e25cc35172c883d426d9189e88b6

APIs

socket.WSOCK32(00000002,00000001,00000006,00000000,00487046), ref: 00486E87
ntohs.WSOCK32(?,00000002,00000001,00000006,00000000,00487046), ref: 00486EA8
bind.WSOCK32(00000000,00000002,00000010,?,00000002,00000001,00000006,00000000,00487046), ref: 00486EBD
listen.WSOCK32(00000000,00000005,00000000,00000002,00000010,?,00000002,00000001,00000006,00000000,00487046), ref: 00486ECD

Part of subcall function 004870D4: EnterCriticalSection.KERNEL32(0049C3A8,00000000,004872FC,?,?,00000000,?,00000003,00000000,00000000,?,00486F27,00000000,?,?,00000000), ref: 00487110
Part of subcall function 004870D4: LeaveCriticalSection.KERNEL32(0049C3A8,004872E1,004872FC,?,?,00000000,?,00000003,00000000,00000000,?,00486F27,00000000,?,?,00000000), ref: 004872D4

accept.WSOCK32(00000000,?,00000010,00000000,?,?,00000000,00000000,00000005,00000000,00000002,00000010,?,00000002,00000001,00000006), ref: 00486F37
LocalAlloc.KERNEL32(00000040,00000010,00000000,?,00000010,00000000,?,?,00000000,00000000,00000005,00000000,00000002,00000010,?,00000002), ref: 00486F49
CreateThread.KERNEL32(00000000,00000000,Function_00086918,00000000,00000000,?), ref: 00486F83
CloseHandle.KERNEL32(00000000), ref: 00486F89
Sleep.KERNEL32(00000064,00000000,00000000,00000000,Function_00086918,00000000,00000000,?,00000040,00000010,00000000,?,00000010,00000000,?,?), ref: 00486FD0

Part of subcall function 00487488: EnterCriticalSection.KERNEL32(0049C3A8,00000000,00487671,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00487016), ref: 004874B5
Part of subcall function 00487488: closesocket.WSOCK32(00000000,FpH,?,?,?,?,0049C3A8,00000000,00487671,?,?,00000000,?,00000000,00000000,00000000), ref: 0048761C
Part of subcall function 00487488: LeaveCriticalSection.KERNEL32(0049C3A8,00487656,00487671,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00487016), ref: 00487649

ExitThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000010,?,00000002,00000001,00000006,00000000,00487046), ref: 00487018

Strings

ERR|Socket error..|, xrefs: 00486FA4
OK|Successfully started..|, xrefs: 00486EEF
ERR|Cannot listen to port, try another one..|, xrefs: 00486FEE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048298C, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 119 Total matches: 11threadnetwork

Similarity

Total matches: 11
API ID: ExitThread$closesocket$connectgethostbynameinet_addrntohssocket
String ID: PortScanAdd$T)H
API String ID: 2395914352-1310557750
Opcode ID: 6c3104e507475618e3898607272650a69bca6dc046555386402c23f344340102
Instruction ID: 72399fd579b68a6a0bb22d5de318f24183f317e071505d54d2110904ee01d501
Opcode Fuzzy Hash: 1101680197ABE83FA05261C43881B8224A9AF57288CC8AFB2433A3E7C35D04300EF785
Instruction Fuzzy Hash: 72399fd579b68a6a0bb22d5de318f24183f317e071505d54d2110904ee01d501

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 004829FE
ExitThread.KERNEL32(00000000,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A0C
ntohs.WSOCK32(?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A18
inet_addr.WSOCK32(00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A2A
gethostbyname.WSOCK32(00000000,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A40
ExitThread.KERNEL32(00000000,00000000,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A4D
connect.WSOCK32(00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A63
ExitThread.KERNEL32(00000000,00000000,00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482AB2

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

closesocket.WSOCK32(00000000,?,00482B30,?,PortScanAdd,00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1), ref: 00482A9C
ExitThread.KERNEL32(00000000,00000000,?,00482B30,?,PortScanAdd,00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1), ref: 00482AA3
closesocket.WSOCK32(00000000,00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482AAB

Strings

T)H, xrefs: 004829A6, 00482AEF
PortScanAdd, xrefs: 00482A6C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004836D8, Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 99 Total matches: 11threadnetworksleep

Similarity

Total matches: 11
API ID: ExitThread$Sleepclosesocketconnectgethostbynameinet_addrntohsrecvsocket
String ID: POST /index.php/1.0Host:
API String ID: 2628901859-3522423011
Opcode ID: b04dd301db87c41df85ba2753455f3376e44383b7eb4be01a122875681284b07
Instruction ID: dc3bae1cbba1b9e51a9e3778eeee895e0839b03ccea3d6e2fe0063a405e053e2
Opcode Fuzzy Hash: E6F044005B779ABFC4611EC43C51B8205AA9353A64F85ABE2867A3AED6AD25100FF641
Instruction Fuzzy Hash: dc3bae1cbba1b9e51a9e3778eeee895e0839b03ccea3d6e2fe0063a405e053e2

APIs

socket.WSOCK32(00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 0048373A
ExitThread.KERNEL32(00000000,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 00483747
inet_addr.WSOCK32(?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 00483762
ntohs.WSOCK32(00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 0048376B
gethostbyname.WSOCK32(?,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 0048377B
ExitThread.KERNEL32(00000000,?,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 00483788
connect.WSOCK32(00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 0048379E
ExitThread.KERNEL32(00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 004837A9

Part of subcall function 00475F68: send.WSOCK32(?,00000000,?,00000000,00000000,00475FCA), ref: 00475FAF

recv.WSOCK32(00000000,?,00000400,00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ), ref: 004837C7
Sleep.KERNEL32(000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000,?), ref: 004837DF
closesocket.WSOCK32(00000000,000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000), ref: 004837E5
ExitThread.KERNEL32(00000000,00000000,000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854), ref: 004837EC

Strings

POST /index.php/1.0Host: , xrefs: 00483708

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482630, Relevance: 18.1, APIs: 12, Instructions: 116 Total matches: 16threadnetworksleep

Similarity

Total matches: 16
API ID: ExitThread$Sleepclosesocketconnectgethostbynameinet_addrntohsrecvsocket
String ID:
API String ID: 2628901859-0
Opcode ID: a3aaf1e794ac1aa69d03c8f9e66797259df72f874d13839bb17dd00c6b42194d
Instruction ID: ff6d9d03150e41bc14cdbddfb540e41f41725cc753a621d047e760d4192c390a
Opcode Fuzzy Hash: 7801D0011B764DBFC4611E846C8239311A7A763899DC5EBB1433A395D34E00202DFE46
Instruction Fuzzy Hash: ff6d9d03150e41bc14cdbddfb540e41f41725cc753a621d047e760d4192c390a

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000000,004827A8), ref: 004826CB
ExitThread.KERNEL32(00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 004826D8
inet_addr.WSOCK32(00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 004826F3
ntohs.WSOCK32(00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 004826FC
gethostbyname.WSOCK32(00000000,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 0048270C
ExitThread.KERNEL32(00000000,00000000,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 00482719
connect.WSOCK32(00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 0048272F
ExitThread.KERNEL32(00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 0048273A

Part of subcall function 004824B0: send.WSOCK32(?,?,00000400,00000000,00000000,00482542), ref: 00482525

recv.WSOCK32(00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 00482758
Sleep.KERNEL32(000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 00482770
closesocket.WSOCK32(00000000,000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000), ref: 00482776
ExitThread.KERNEL32(00000000,00000000,000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?), ref: 0048277D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004821A0, Relevance: 15.1, APIs: 10, Instructions: 112 Total matches: 15threadnetworksleep

Similarity

Total matches: 15
API ID: ExitThread$Sleepclosesocketgethostbynameinet_addrntohssendtosocket
String ID:
API String ID: 1359030137-0
Opcode ID: 9f2e935b6ee09f04cbe2534d435647e5a9c7a25d7308ce71f3340d3606cd1e00
Instruction ID: ac1de70ce42b68397a6b2ea81eb33c5fd22f812bdd7d349b67f520e68fdd8bef
Opcode Fuzzy Hash: BC0197011B76997BD8612EC42C8335325A7E363498E85ABB2863A3A5C34E00303EFD4A
Instruction Fuzzy Hash: ac1de70ce42b68397a6b2ea81eb33c5fd22f812bdd7d349b67f520e68fdd8bef

APIs

socket.WSOCK32(00000002,00000002,00000000,?,00000000,00482302), ref: 0048223B
ExitThread.KERNEL32(00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 00482248
inet_addr.WSOCK32(00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 00482263
ntohs.WSOCK32(00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 0048226C
gethostbyname.WSOCK32(00000000,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 0048227C
ExitThread.KERNEL32(00000000,00000000,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 00482289
sendto.WSOCK32(00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 004822B2
Sleep.KERNEL32(000003E8,00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 004822CA
closesocket.WSOCK32(00000000,000003E8,00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 004822D0
ExitThread.KERNEL32(00000000,00000000,000003E8,00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000), ref: 004822D7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00458910, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64 Total matches: 3020window

Similarity

Total matches: 3020
API ID: GetWindowLongScreenToClient$GetWindowPlacementGetWindowRectIsIconic
String ID: ,
API String ID: 816554555-3772416878
Opcode ID: 33713ad712eb987f005f3c933c072ce84ce87073303cb20338137d5b66c4d54f
Instruction ID: 99fb2dd3f2d8984d329dcc6a20dc6bc7800d43894b91fc45d581d88d3a180e50
Opcode Fuzzy Hash: 34E0929A777C2018C58145A80943F5DB3519B5B7FAC55DF8036902895B110018B1B86D
Instruction Fuzzy Hash: 99fb2dd3f2d8984d329dcc6a20dc6bc7800d43894b91fc45d581d88d3a180e50

APIs

IsIconic.USER32(?), ref: 0045891F
GetWindowPlacement.USER32(?,0000002C), ref: 0045893C
GetWindowRect.USER32(?), ref: 00458955
GetWindowLongA.USER32(?,000000F0), ref: 00458963
GetWindowLongA.USER32(?,000000F8), ref: 00458978
ScreenToClient.USER32(00000000), ref: 00458985
ScreenToClient.USER32(00000000,?), ref: 00458990

Strings

,, xrefs: 00458928

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043B7D8, Relevance: 12.1, APIs: 8, Instructions: 72 Total matches: 256window

Similarity

Total matches: 256
API ID: ShowWindow$SetWindowLong$GetWindowLongIsIconicIsWindowVisible
String ID:
API String ID: 1329766111-0
Opcode ID: 851ee31c2da1c7e890e66181f8fd9237c67ccb8fd941b2d55d1428457ca3ad95
Instruction ID: 2d601e2c9dde570a1438639cb57e59d23a7ac9434ebe8ec1c9926e4533b8e8e7
Opcode Fuzzy Hash: FEE0684A6E7C6CE4E26AE7048881B00514BE307A17DC00B00C722165A69E8830E4AC8E
Instruction Fuzzy Hash: 2d601e2c9dde570a1438639cb57e59d23a7ac9434ebe8ec1c9926e4533b8e8e7

APIs

GetWindowLongA.USER32(?,000000EC), ref: 0043B7E8
IsIconic.USER32(?), ref: 0043B800
IsWindowVisible.USER32(?), ref: 0043B80C
ShowWindow.USER32(?,00000000), ref: 0043B840
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B855
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B866
ShowWindow.USER32(?,00000006), ref: 0043B881
ShowWindow.USER32(?,00000005), ref: 0043B88B

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004389B4, Relevance: 10.9, APIs: 7, Instructions: 405 Total matches: 2150windowCrypto

Similarity

Total matches: 2150
API ID: RestoreDCSaveDC$DefWindowProcGetSubMenuGetWindowDC
String ID:
API String ID: 4165311318-0
Opcode ID: e3974ea3235f2bde98e421c273a503296059dbd60f3116d5136c6e7e7c4a4110
Instruction ID: 37498faecac08611daeb58a409bdd2e28f3aff22c71556953c3d6c7203dc42a1
Opcode Fuzzy Hash: E351598106AE105BFCB3A49435C3FA31002E75259BCC9F7725F65B69F70A426107FA0E
Instruction Fuzzy Hash: 37498faecac08611daeb58a409bdd2e28f3aff22c71556953c3d6c7203dc42a1

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 00438ECA

Part of subcall function 00437AE0: SendMessageA.USER32(?,00000234,00000000,00000000), ref: 00437B66
Part of subcall function 00437AE0: DrawMenuBar.USER32(00000000), ref: 00437B77

GetSubMenu.USER32(?,?), ref: 00438AB0

Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128

SaveDC.GDI32(?), ref: 00438C84
RestoreDC.GDI32(?,?), ref: 00438CF8
GetWindowDC.USER32(?), ref: 00438D72
SaveDC.GDI32(?), ref: 00438DA9
RestoreDC.GDI32(?,?), ref: 00438E16

Part of subcall function 00438594: GetMenuItemCount.USER32(?), ref: 004385C0
Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 004385E0
Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 00438678

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043E644, Relevance: 10.9, APIs: 7, Instructions: 356 Total matches: 105windowCrypto

Similarity

Total matches: 105
API ID: RestoreDCSaveDC$GetParentGetWindowDCSetFocus
String ID:
API String ID: 1433148327-0
Opcode ID: c7c51054c34f8cc51c1d37cc0cdfc3fb3cac56433bd5d750a0ee7df42f9800ec
Instruction ID: 9e67841575b56d9a11e2d3f15b67e7abce699d8469a9871b1b2609441fc85f19
Opcode Fuzzy Hash: 60514740199E7193F47720842BC3BEAB09AF79671DC40F3616BC6318877F15A21AB70B
Instruction Fuzzy Hash: 9e67841575b56d9a11e2d3f15b67e7abce699d8469a9871b1b2609441fc85f19

APIs

Part of subcall function 00448224: SetActiveWindow.USER32(?), ref: 0044823F
Part of subcall function 00448224: SetFocus.USER32(00000000), ref: 00448289

SetFocus.USER32(00000000), ref: 0043E76F

Part of subcall function 0043F4F4: SendMessageA.USER32(00000000,00000229,00000000,00000000), ref: 0043F51B

Part of subcall function 0044D2F4: GetWindowThreadProcessId.USER32(?), ref: 0044D301
Part of subcall function 0044D2F4: GetCurrentProcessId.KERNEL32(?,00000000,?,004387ED,?,004378A9), ref: 0044D30A
Part of subcall function 0044D2F4: GlobalFindAtomA.KERNEL32(00000000), ref: 0044D31F
Part of subcall function 0044D2F4: GetPropA.USER32(?,00000000), ref: 0044D336

GetParent.USER32(?), ref: 0043E78A

Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128

SaveDC.GDI32(?), ref: 0043E92D
RestoreDC.GDI32(?,?), ref: 0043E99E
GetWindowDC.USER32(00000000), ref: 0043EA0A
SaveDC.GDI32(?), ref: 0043EA41
RestoreDC.GDI32(?,?), ref: 0043EAA5

Part of subcall function 00447EF0: InvalidateRect.USER32(00000000,00000000,000000FF), ref: 00447F83
Part of subcall function 00447EF0: InvalidateRect.USER32(00000000,00000000,000000FF), ref: 00447FB6

Part of subcall function 004556F4: SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000077), ref: 004557E5
Part of subcall function 004556F4: _TrackMouseEvent.COMCTL32(00000010), ref: 00455A9D
Part of subcall function 004556F4: DefWindowProcA.USER32(00000000,?,?,?), ref: 00455AEF
Part of subcall function 004556F4: GetCapture.USER32 ref: 00455B5A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00471850, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 97 Total matches: 34service

Similarity

Total matches: 34
API ID: CloseServiceHandle$CreateServiceOpenSCManager
String ID: Description$System\CurrentControlSet\Services\
API String ID: 2405299899-3489731058
Opcode ID: 96e252074fe1f6aca618bd4c8be8348df4b99afc93868a54bf7090803d280f0a
Instruction ID: 14b9cf690ce9596509c6229b802a5a61d158de39c8e329de654368bbb4824ff8
Opcode Fuzzy Hash: 7EF09E441FA6E84FA45EB84828533D651465713A78D4C77F19778379C34E84802EF662
Instruction Fuzzy Hash: 14b9cf690ce9596509c6229b802a5a61d158de39c8e329de654368bbb4824ff8

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,00471976,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00471890
CreateServiceA.ADVAPI32(00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,0047193B), ref: 004718D1

Part of subcall function 004711E8: RegCreateKeyA.ADVAPI32(?,00000000,?), ref: 0047122E
Part of subcall function 004711E8: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000002,00000000,?,00000000,00471291), ref: 0047125A
Part of subcall function 004711E8: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000002,00000000,?,00000000,00471291), ref: 00471269

CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00471926
CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0047192C

Strings

Description, xrefs: 00471916
System\CurrentControlSet\Services\, xrefs: 004718F7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004714B8, Relevance: 10.6, APIs: 7, Instructions: 89 Total matches: 71service

Similarity

Total matches: 71
API ID: CloseServiceHandle$ControlServiceOpenSCManagerOpenServiceQueryServiceStatusStartService
String ID:
API String ID: 3657116338-0
Opcode ID: 1e9d444eec48d0e419340f6fec950ff588b94c8e7592a950f99d2ba7664d31f8
Instruction ID: f731b938185626ba78ad74946a73eac4c40bc8709c87a2b6d5c22da45b1e1850
Opcode Fuzzy Hash: EDF0270D12C6E85FF119A88C1181B67D992DF56795E4A37E04715744CB1AE21008FA1E
Instruction Fuzzy Hash: f731b938185626ba78ad74946a73eac4c40bc8709c87a2b6d5c22da45b1e1850

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047159E), ref: 004714FD
OpenServiceA.ADVAPI32(00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047152D
StartServiceA.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471555
ControlService.ADVAPI32(00000000,00000001,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471563
QueryServiceStatus.ADVAPI32(00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047156D
CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471573
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471579

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A070, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51 Total matches: 81shutdown

Similarity

Total matches: 81
API ID: AdjustTokenPrivilegesExitWindowsExGetCurrentProcessLookupPrivilegeValueOpenProcessToken
String ID: SeShutdownPrivilege
API String ID: 907618230-3733053543
Opcode ID: 6325c351eeb4cc5a7ec0039467aea46e8b54e3429b17674810d590d1af91e24f
Instruction ID: 66577e1e564058a64f67eda116e8e082f314cb3670dbe1b8773e92ba7f33d392
Opcode Fuzzy Hash: 84D0124D3B7976B1F31D5D4001C47A6711FDBA322AD61670069507725A8DA091F4BE88
Instruction Fuzzy Hash: 66577e1e564058a64f67eda116e8e082f314cb3670dbe1b8773e92ba7f33d392

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 0048A083
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0048A089
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000000), ref: 0048A0A4
AdjustTokenPrivileges.ADVAPI32(00000002,00000000,00000002,00000010,?,?,00000000), ref: 0048A0E5
ExitWindowsEx.USER32(00000012,00000000), ref: 0048A0ED

Strings

SeShutdownPrivilege, xrefs: 0048A09D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E370, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 46 Total matches: 14window

Similarity

Total matches: 14
API ID: GetWindowPlacementGetWindowRectIsIconic
String ID: MonitorFromWindow$pB
API String ID: 1187573753-2555291889
Opcode ID: b2662cef33c9ce970c581efdfdde34e0c8b40e940518fa378c404c4b73bde14f
Instruction ID: 5a6b2a18135ea14e651d4e6cb58f3d6b41c3321aed1c605d56f3d84144375520
Opcode Fuzzy Hash: E2D0977303280A045DC34844302880B2A322AD3C3188C3FE182332B3D34B8630BCCF1D
Instruction Fuzzy Hash: 5a6b2a18135ea14e651d4e6cb58f3d6b41c3321aed1c605d56f3d84144375520

APIs

IsIconic.USER32(?), ref: 0042E3B9
GetWindowPlacement.USER32(?,?), ref: 0042E3C7
GetWindowRect.USER32(?,?), ref: 0042E3D3

Part of subcall function 0042E2E0: GetSystemMetrics.USER32(00000000), ref: 0042E331
Part of subcall function 0042E2E0: GetSystemMetrics.USER32(00000001), ref: 0042E33D

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

pB, xrefs: 0042E38C, 0042E399, 0042E3A0
MonitorFromWindow, xrefs: 0042E387

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004715B0, Relevance: 7.5, APIs: 5, Instructions: 49 Total matches: 102service

Similarity

Total matches: 102
API ID: CloseServiceHandle$DeleteServiceOpenSCManagerOpenService
String ID:
API String ID: 3460840894-0
Opcode ID: edfa3289dfdb26ec1f91a4a945de349b204e0a604ed3354c303b362bde8b8223
Instruction ID: 514bcffe4070602af344c66095507f6a8d55ec3e3e7bb18c804bf3b7deea95f5
Opcode Fuzzy Hash: 01D02E841BA8F82FD4879988111239360C1AA23A90D8A37F08E08361D3ABE4004CF86A
Instruction Fuzzy Hash: 514bcffe4070602af344c66095507f6a8d55ec3e3e7bb18c804bf3b7deea95f5

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047162F), ref: 004715DB
OpenServiceA.ADVAPI32(00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 004715F5
DeleteService.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471601
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 0047160E
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471614

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474D58, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 57 Total matches: 14memoryinjection

Similarity

Total matches: 14
API ID: VirtualAllocExWriteProcessMemory
String ID: DCPERSFWBP$[FILE]
API String ID: 1899012086-3297815924
Opcode ID: 423b64deca3bc68d45fc180ef4fe9512244710ab636da43375ed106f5e876429
Instruction ID: 67bfdac44fec7567ab954589a4a4ae8848f6352de5e33de26bc6a5b7174d46b5
Opcode Fuzzy Hash: 4BD02B4149BDE17FF94C78C4A85678341A7D3173DCE802F51462633086CD94147EFCA2
Instruction Fuzzy Hash: 67bfdac44fec7567ab954589a4a4ae8848f6352de5e33de26bc6a5b7174d46b5

APIs

VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?,00000000,00000000,00000000,?,004755A7), ref: 00474D98
WriteProcessMemory.KERNEL32(?,00000000,kernel32.dll,?,?,?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?), ref: 00474DBE

Strings

DCPERSFWBP, xrefs: 00474D63
kernel32.dll, xrefs: 00474DBB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00466038, Relevance: 6.1, APIs: 4, Instructions: 80 Total matches: 74memory

Similarity

Total matches: 74
API ID: FreeLibraryGetProcessHeapHeapFreeVirtualFree
String ID:
API String ID: 3842653680-0
Opcode ID: 18c634abe08efcbefc55c9db1d620b030a08f63fe7277eb6ecf1dfb863243027
Instruction ID: c74000fe1f08e302fb3e428a7eb38cba65dd626a731774cc3da5921c0d19fb8b
Opcode Fuzzy Hash: 05E06801058482C6E4EC38C40607F0867817F8B269D70AB2809F62E7F7C985A25D5E80
Instruction Fuzzy Hash: c74000fe1f08e302fb3e428a7eb38cba65dd626a731774cc3da5921c0d19fb8b

APIs

FreeLibrary.KERNEL32(00000000,?,?,00000000,?,00000000,00465C6C), ref: 004660A7
VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,?,00000000,00465C6C), ref: 004660D8
GetProcessHeap.KERNEL32(00000000,?,?,?,00000000,?,00000000,00465C6C), ref: 004660E0
HeapFree.KERNEL32(00000000,00000000,?), ref: 004660E6

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A218, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45 Total matches: 35

Similarity

Total matches: 35
API ID: ShellExecuteEx
String ID: <$runas
API String ID: 188261505-1187129395
Opcode ID: 78fd917f465efea932f782085a819b786d64ecbded851ad2becd4a9c2b295cba
Instruction ID: 699417cfffd9d2823bf050fc300394e0ca4864bf277244f982f3937778f2d3bc
Opcode Fuzzy Hash: 44D0C2651799A06BC4A3B2C03C41B2B25307B13B48C0EB722960034CD38F080009EF85
Instruction Fuzzy Hash: 699417cfffd9d2823bf050fc300394e0ca4864bf277244f982f3937778f2d3bc

APIs

ShellExecuteExA.SHELL32(0000003C,00000000,0048A2A4), ref: 0048A283

Strings

runas, xrefs: 0048A268
<, xrefs: 0048A24C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00471640, Relevance: 4.6, APIs: 3, Instructions: 140 Total matches: 47service

Similarity

Total matches: 47
API ID: CloseServiceHandleEnumServicesStatusOpenSCManager
String ID:
API String ID: 233299287-0
Opcode ID: 185c547a2e6a35dbb7ea54b3dd23c7efef250d35a63269c87f9c499be03b9b38
Instruction ID: 4325fe5331610a1e4ee3b19dd885bf5302e7ab4f054d8126da991c50fe425a8d
Opcode Fuzzy Hash: D3112647077BC223FB612D841803F8279D84B1AA24F8C4B458BB5BC6F61E490105F69D
Instruction Fuzzy Hash: 4325fe5331610a1e4ee3b19dd885bf5302e7ab4f054d8126da991c50fe425a8d

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000005,00000000,00471828), ref: 004716A2
EnumServicesStatusA.ADVAPI32(00000000,0000013F,00000003,?,00004800,?,?,?), ref: 004716DC

Part of subcall function 004714B8: OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047159E), ref: 004714FD
Part of subcall function 004714B8: OpenServiceA.ADVAPI32(00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047152D
Part of subcall function 004714B8: StartServiceA.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471555
Part of subcall function 004714B8: ControlService.ADVAPI32(00000000,00000001,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471563
Part of subcall function 004714B8: QueryServiceStatus.ADVAPI32(00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047156D
Part of subcall function 004714B8: CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471573
Part of subcall function 004714B8: CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471579

CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000005,00000000,00471828), ref: 00471805

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042F204, Relevance: 166.5, APIs: 48, Strings: 47, Instructions: 266 Total matches: 2590libraryloader

Similarity

Total matches: 2590
API ID: GetProcAddress$LoadLibrary
String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$[FILE]
API String ID: 2209490600-790253602
Opcode ID: d5b316937265a1d63c550ac9e6780b23ae603b9b00a4eb52bbd2495b45327185
Instruction ID: cdd6db89471e363eb0c024dafd59dce8bdfa3de864d9ed8bc405e7c292d3cab1
Opcode Fuzzy Hash: 3A41197F44EC1149F6A0DA0830FF64324E669EAF2C0325F101587303717ADBF52A6AB9
Instruction Fuzzy Hash: cdd6db89471e363eb0c024dafd59dce8bdfa3de864d9ed8bc405e7c292d3cab1

APIs

LoadLibraryA.KERNEL32(uxtheme.dll), ref: 0042F23A
GetProcAddress.KERNEL32(00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F252
GetProcAddress.KERNEL32(00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F264
GetProcAddress.KERNEL32(00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F276
GetProcAddress.KERNEL32(00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F288
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F29A
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F2AC
GetProcAddress.KERNEL32(00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000), ref: 0042F2BE
GetProcAddress.KERNEL32(00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData), ref: 0042F2D0
GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData), ref: 0042F2E2
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground), ref: 0042F2F4
GetProcAddress.KERNEL32(00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText), ref: 0042F306
GetProcAddress.KERNEL32(00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect), ref: 0042F318
GetProcAddress.KERNEL32(00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect), ref: 0042F32A
GetProcAddress.KERNEL32(00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize), ref: 0042F33C
GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent), ref: 0042F34E
GetProcAddress.KERNEL32(00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics), ref: 0042F360
GetProcAddress.KERNEL32(00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion), ref: 0042F372
GetProcAddress.KERNEL32(00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground), ref: 0042F384
GetProcAddress.KERNEL32(00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge), ref: 0042F396
GetProcAddress.KERNEL32(00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon), ref: 0042F3A8
GetProcAddress.KERNEL32(00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined), ref: 0042F3BA
GetProcAddress.KERNEL32(00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent), ref: 0042F3CC
GetProcAddress.KERNEL32(00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor), ref: 0042F3DE
GetProcAddress.KERNEL32(00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric), ref: 0042F3F0
GetProcAddress.KERNEL32(00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString), ref: 0042F402
GetProcAddress.KERNEL32(00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool), ref: 0042F414
GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt), ref: 0042F426
GetProcAddress.KERNEL32(00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue), ref: 0042F438
GetProcAddress.KERNEL32(00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition), ref: 0042F44A
GetProcAddress.KERNEL32(00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont), ref: 0042F45C
GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect), ref: 0042F46E
GetProcAddress.KERNEL32(00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins), ref: 0042F480
GetProcAddress.KERNEL32(00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList), ref: 0042F492
GetProcAddress.KERNEL32(00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin), ref: 0042F4A4
GetProcAddress.KERNEL32(00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme), ref: 0042F4B6
GetProcAddress.KERNEL32(00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename), ref: 0042F4C8
GetProcAddress.KERNEL32(00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor), ref: 0042F4DA
GetProcAddress.KERNEL32(00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush), ref: 0042F4EC
GetProcAddress.KERNEL32(00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool), ref: 0042F4FE
GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize), ref: 0042F510
GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont), ref: 0042F522
GetProcAddress.KERNEL32(00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString), ref: 0042F534
GetProcAddress.KERNEL32(00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt), ref: 0042F546
GetProcAddress.KERNEL32(00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive), ref: 0042F558
GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed), ref: 0042F56A
GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground,00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme), ref: 0042F57C
GetProcAddress.KERNEL32(00000000,EnableTheming,00000000,DrawThemeParentBackground,00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture), ref: 0042F58E

Strings

EnableTheming, xrefs: 0042F586
CloseThemeData, xrefs: 0042F25C
DrawThemeText, xrefs: 0042F280
GetThemePosition, xrefs: 0042F3C4
IsThemeBackgroundPartiallyTransparent, xrefs: 0042F346
GetThemeBool, xrefs: 0042F38E
GetThemeTextMetrics, xrefs: 0042F2DA
IsThemeDialogTextureEnabled, xrefs: 0042F51A
GetThemeMetric, xrefs: 0042F36A
GetThemeSysInt, xrefs: 0042F4C0
GetThemeInt, xrefs: 0042F3A0
SetThemeAppProperties, xrefs: 0042F53E
IsAppThemed, xrefs: 0042F4E4
EnableThemeDialogTexture, xrefs: 0042F508
GetThemeEnumValue, xrefs: 0042F3B2
GetThemeSysSize, xrefs: 0042F48A
GetThemeTextExtent, xrefs: 0042F2C8
DrawThemeBackground, xrefs: 0042F26E
GetThemeBackgroundRegion, xrefs: 0042F2EC
IsThemeActive, xrefs: 0042F4D2
GetThemeBackgroundContentRect, xrefs: 0042F292, 0042F2A4
uxtheme.dll, xrefs: 0042F235
GetThemeSysString, xrefs: 0042F4AE
DrawThemeEdge, xrefs: 0042F310
GetThemeFilename, xrefs: 0042F442
GetThemeIntList, xrefs: 0042F40C
GetThemeSysBool, xrefs: 0042F478
GetThemeSysColor, xrefs: 0042F454
GetThemeFont, xrefs: 0042F3D6
GetWindowTheme, xrefs: 0042F4F6
GetThemeMargins, xrefs: 0042F3FA
GetThemeSysColorBrush, xrefs: 0042F466
GetCurrentThemeName, xrefs: 0042F550
GetThemeAppProperties, xrefs: 0042F52C
GetThemePropertyOrigin, xrefs: 0042F41E
OpenThemeData, xrefs: 0042F24A
GetThemeSysFont, xrefs: 0042F49C
GetThemeRect, xrefs: 0042F3E8
GetThemeDocumentationProperty, xrefs: 0042F562
IsThemePartDefined, xrefs: 0042F334
SetWindowTheme, xrefs: 0042F430
GetThemePartSize, xrefs: 0042F2B6
GetThemeColor, xrefs: 0042F358
DrawThemeParentBackground, xrefs: 0042F574
DrawThemeIcon, xrefs: 0042F322
GetThemeString, xrefs: 0042F37C
HitTestThemeBackground, xrefs: 0042F2FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004754C4, Relevance: 87.7, APIs: 29, Strings: 21, Instructions: 233 Total matches: 21libraryloaderprocess

Similarity

Total matches: 21
API ID: GetModuleHandleGetProcAddress$CreateProcess
String ID: CloseHandle$CreateMutexA$CreateProcessA$D$DCPERSFWBP$ExitThread$GetExitCodeProcess$GetLastError$GetProcAddress$LoadLibraryA$MessageBoxA$OpenProcess$SetLastError$Sleep$TerminateProcess$WaitForSingleObject$kernel32$[FILE]$notepad$user32$[FILE]
API String ID: 3751337051-3523759359
Opcode ID: 948186da047cc935dcd349cc6fe59913c298c2f7fe37e158e253dfef2729ac1f
Instruction ID: 4cc698827aad1f96db961776656dbb42e561cfa105640199e72939f2d3a7da76
Opcode Fuzzy Hash: 0C31B4E666B8F349E6362E4830D46BC26C1A687F3DB52D7004A37B27C46E810407F776
Instruction Fuzzy Hash: 4cc698827aad1f96db961776656dbb42e561cfa105640199e72939f2d3a7da76

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 00475590

Part of subcall function 00474D58: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?,00000000,00000000,00000000,?,004755A7), ref: 00474D98
Part of subcall function 00474D58: WriteProcessMemory.KERNEL32(?,00000000,kernel32.dll,?,?,?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?), ref: 00474DBE

GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756B4
GetProcAddress.KERNEL32(00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756BA
GetModuleHandleA.KERNEL32(kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756CB
GetProcAddress.KERNEL32(00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756D1
GetModuleHandleA.KERNEL32(kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756E3
GetProcAddress.KERNEL32(00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 004756E9
GetModuleHandleA.KERNEL32(user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 004756FB
GetProcAddress.KERNEL32(00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 00475701
GetModuleHandleA.KERNEL32(kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 00475713
GetProcAddress.KERNEL32(00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000), ref: 00475719
GetModuleHandleA.KERNEL32(kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32), ref: 0047572B
GetProcAddress.KERNEL32(00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000), ref: 00475731
GetModuleHandleA.KERNEL32(kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32), ref: 00475743
GetProcAddress.KERNEL32(00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000), ref: 00475749
GetModuleHandleA.KERNEL32(kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32), ref: 0047575B
GetProcAddress.KERNEL32(00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000), ref: 00475761
GetModuleHandleA.KERNEL32(kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32), ref: 00475773
GetProcAddress.KERNEL32(00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000), ref: 00475779
GetModuleHandleA.KERNEL32(kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32), ref: 0047578B
GetProcAddress.KERNEL32(00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000), ref: 00475791
GetModuleHandleA.KERNEL32(kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32), ref: 004757A3
GetProcAddress.KERNEL32(00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000), ref: 004757A9
GetModuleHandleA.KERNEL32(kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32), ref: 004757BB
GetProcAddress.KERNEL32(00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000), ref: 004757C1
GetModuleHandleA.KERNEL32(kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32), ref: 004757D3
GetProcAddress.KERNEL32(00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000), ref: 004757D9
GetModuleHandleA.KERNEL32(kernel32,OpenProcess,00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32), ref: 004757EB
GetProcAddress.KERNEL32(00000000,kernel32,OpenProcess,00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000), ref: 004757F1

Part of subcall function 00474E20: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00474E5E
Part of subcall function 00474E20: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00474E6E
Part of subcall function 00474E20: ReadProcessMemory.KERNEL32(?,00000000,?,?,?,DCPERSFWBP,?,?), ref: 00474E81

Part of subcall function 0040F234: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0048F90F,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040F24B

Strings

ExitThread, xrefs: 00475622, 00475799
kernel32, xrefs: 004756AF, 004756C6, 004756DE, 0047570E, 00475726, 0047573E, 00475756, 0047576E, 00475786, 0047579E, 004757B6, 004757CE, 004757E6
GetProcAddress, xrefs: 004756C1
TerminateProcess, xrefs: 0047564C, 004757B1
notepad, xrefs: 00475543
CreateMutexA, xrefs: 00475604, 00475769
kernel32.dll, xrefs: 0047559B
user32.dll, xrefs: 004755AA
SetLastError, xrefs: 004755F5, 00475751
D, xrefs: 00475517
DCPERSFWBP, xrefs: 00475563
Sleep, xrefs: 004755B9, 004756D9
GetExitCodeProcess, xrefs: 0047565B, 00475781
user32, xrefs: 004756F6
WaitForSingleObject, xrefs: 0047567E, 004757C9
LoadLibraryA, xrefs: 004756AA
OpenProcess, xrefs: 00475631, 004757E1
MessageBoxA, xrefs: 004755C8, 004756F1
CreateProcessA, xrefs: 004755D7, 00475721
GetLastError, xrefs: 004755E6, 00475739
CloseHandle, xrefs: 00475613, 00475709

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00460DDC, Relevance: 75.4, APIs: 24, Strings: 19, Instructions: 132 Total matches: 77libraryloader

Similarity

Total matches: 77
API ID: GetProcAddress$LoadLibrary
String ID: EmptyWorkingSet$EnumDeviceDrivers$EnumProcessModules$EnumProcesses$GetDeviceDriverBaseNameA$GetDeviceDriverBaseNameW$GetDeviceDriverFileNameA$GetDeviceDriverFileNameW$GetMappedFileNameA$GetMappedFileNameW$GetModuleBaseNameA$GetModuleBaseNameW$GetModuleFileNameExA$GetModuleFileNameExW$GetModuleInformation$GetProcessMemoryInfo$InitializeProcessForWsWatch$[FILE]$QueryWorkingSet
API String ID: 2209490600-4166134900
Opcode ID: aaefed414f62a40513f9ac2234ba9091026a29d00b8defe743cdf411cc1f958a
Instruction ID: 585c55804eb58d57426aaf25b5bf4c27b161b10454f9e43d23d5139f544de849
Opcode Fuzzy Hash: CC1125BF55AD1149CBA48A6C34EF70324D3399A90D4228F10A492317397DDFE49A1FB5
Instruction Fuzzy Hash: 585c55804eb58d57426aaf25b5bf4c27b161b10454f9e43d23d5139f544de849

APIs

LoadLibraryA.KERNEL32(PSAPI.dll), ref: 00460DF0
GetProcAddress.KERNEL32(00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E0C
GetProcAddress.KERNEL32(00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E1E
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E30
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E42
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E54
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E66
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll), ref: 00460E78
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses), ref: 00460E8A
GetProcAddress.KERNEL32(00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules), ref: 00460E9C
GetProcAddress.KERNEL32(00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA), ref: 00460EAE
GetProcAddress.KERNEL32(00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA), ref: 00460EC0
GetProcAddress.KERNEL32(00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA), ref: 00460ED2
GetProcAddress.KERNEL32(00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA), ref: 00460EE4
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW), ref: 00460EF6
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW), ref: 00460F08
GetProcAddress.KERNEL32(00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation), ref: 00460F1A
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet), ref: 00460F2C
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet), ref: 00460F3E
GetProcAddress.KERNEL32(00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch), ref: 00460F50
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA), ref: 00460F62
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA), ref: 00460F74
GetProcAddress.KERNEL32(00000000,EnumDeviceDrivers,00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA), ref: 00460F86
GetProcAddress.KERNEL32(00000000,GetProcessMemoryInfo,00000000,EnumDeviceDrivers,00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA), ref: 00460F98

Strings

GetDeviceDriverFileNameA, xrefs: 00460F00, 00460F36
GetModuleInformation, xrefs: 00460E94
QueryWorkingSet, xrefs: 00460EB8
EnumProcessModules, xrefs: 00460E16
InitializeProcessForWsWatch, xrefs: 00460ECA
GetMappedFileNameA, xrefs: 00460EDC, 00460F12
GetDeviceDriverFileNameW, xrefs: 00460F6C
GetDeviceDriverBaseNameA, xrefs: 00460EEE, 00460F24
PSAPI.dll, xrefs: 00460DEB
EnumProcesses, xrefs: 00460E04
EnumDeviceDrivers, xrefs: 00460F7E
GetModuleBaseNameA, xrefs: 00460E28, 00460E4C
GetModuleFileNameExA, xrefs: 00460E3A, 00460E5E
GetDeviceDriverBaseNameW, xrefs: 00460F5A
EmptyWorkingSet, xrefs: 00460EA6
GetModuleFileNameExW, xrefs: 00460E82
GetModuleBaseNameW, xrefs: 00460E70
GetMappedFileNameW, xrefs: 00460F48
GetProcessMemoryInfo, xrefs: 00460F90

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474F80, Relevance: 68.4, APIs: 23, Strings: 16, Instructions: 193 Total matches: 16libraryloaderprocess

Similarity

Total matches: 16
API ID: GetModuleHandleGetProcAddress$CreateProcess
String ID: CloseHandle$D$DeleteFileA$ExitThread$GetExitCodeProcess$GetLastError$GetProcAddress$LoadLibraryA$MessageBoxA$OpenProcess$Sleep$TerminateProcess$kernel32$[FILE]$notepad$[FILE]
API String ID: 3751337051-1992750546
Opcode ID: f3e5bd14b9eca4547e1d82111e60eaf505a3b72a2acd12d9f4d60f775fac33f7
Instruction ID: 521cd1f5f1d68558a350981a4af58b67496248f6491df8a54ee4dd11dd84c66b
Opcode Fuzzy Hash: 6C21A7BE2678E349F6766E1834D567C2491BA46A38B4AEB010237376C44F91000BFF76
Instruction Fuzzy Hash: 521cd1f5f1d68558a350981a4af58b67496248f6491df8a54ee4dd11dd84c66b

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0047500B

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

Part of subcall function 00474D58: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?,00000000,00000000,00000000,?,004755A7), ref: 00474D98
Part of subcall function 00474D58: WriteProcessMemory.KERNEL32(?,00000000,kernel32.dll,?,?,?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?), ref: 00474DBE

GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000,00475246), ref: 0047511C
GetProcAddress.KERNEL32(00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000,00475246), ref: 00475122
GetModuleHandleA.KERNEL32(kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000), ref: 00475133
GetProcAddress.KERNEL32(00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 00475139
GetModuleHandleA.KERNEL32(kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000), ref: 0047514B
GetProcAddress.KERNEL32(00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000), ref: 00475151
GetModuleHandleA.KERNEL32(kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000), ref: 00475163
GetProcAddress.KERNEL32(00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000), ref: 00475169
GetModuleHandleA.KERNEL32(kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000), ref: 0047517B
GetProcAddress.KERNEL32(00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000), ref: 00475181
GetModuleHandleA.KERNEL32(kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32), ref: 00475193
GetProcAddress.KERNEL32(00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000), ref: 00475199
GetModuleHandleA.KERNEL32(kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32), ref: 004751AB
GetProcAddress.KERNEL32(00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000), ref: 004751B1
GetModuleHandleA.KERNEL32(kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32), ref: 004751C3
GetProcAddress.KERNEL32(00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000), ref: 004751C9
GetModuleHandleA.KERNEL32(kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32), ref: 004751DB
GetProcAddress.KERNEL32(00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000), ref: 004751E1
GetModuleHandleA.KERNEL32(kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32), ref: 004751F3
GetProcAddress.KERNEL32(00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000), ref: 004751F9
GetModuleHandleA.KERNEL32(kernel32,GetExitCodeProcess,00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32), ref: 0047520B
GetProcAddress.KERNEL32(00000000,kernel32,GetExitCodeProcess,00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000), ref: 00475211

Part of subcall function 00474E20: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00474E5E
Part of subcall function 00474E20: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00474E6E
Part of subcall function 00474E20: ReadProcessMemory.KERNEL32(?,00000000,?,?,?,DCPERSFWBP,?,?), ref: 00474E81

Part of subcall function 0040F234: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0048F90F,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040F24B

Strings

DeleteFileA, xrefs: 0047509B, 00475189
user32.dll, xrefs: 0047505F
LoadLibraryA, xrefs: 00475112
Sleep, xrefs: 0047506E, 00475141
notepad, xrefs: 00475025
OpenProcess, xrefs: 004750D7, 004751E9
kernel32.dll, xrefs: 00475050
GetProcAddress, xrefs: 00475129
ExitThread, xrefs: 0047508C, 00475171
TerminateProcess, xrefs: 004750B9, 004751B9
kernel32, xrefs: 00475117, 0047512E, 00475146, 0047515E, 00475176, 0047518E, 004751A6, 004751BE, 004751D6, 004751EE, 00475206
MessageBoxA, xrefs: 0047507D, 00475159
CloseHandle, xrefs: 004750C8, 004751D1
GetLastError, xrefs: 004750AA, 004751A1
GetExitCodeProcess, xrefs: 004750E6, 00475201
D, xrefs: 00474FC9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045D6E8, Relevance: 49.1, APIs: 15, Strings: 13, Instructions: 95 Total matches: 1532libraryloader

Similarity

Total matches: 1532
API ID: GetProcAddress$SetErrorMode$GetModuleHandleLoadLibrary
String ID: ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME$[FILE]
API String ID: 4285671783-683095915
Opcode ID: 6332f91712b4189a2fbf9eac54066364acf4b46419cf90587b9f7381acad85db
Instruction ID: 372e34bc737a7edc69a1909bd40661afaf820c1de602df88552da6e630419b72
Opcode Fuzzy Hash: 0A01257F24D863CBD2D0CE4934DB39D20B65787C0C8D6DF404605318697F9BF9295A68
Instruction Fuzzy Hash: 372e34bc737a7edc69a1909bd40661afaf820c1de602df88552da6e630419b72

APIs

SetErrorMode.KERNEL32(00008000), ref: 0045D701
GetModuleHandleA.KERNEL32(USER32,00000000,0045D84E,?,00008000), ref: 0045D725
GetProcAddress.KERNEL32(00000000,WINNLSEnableIME,USER32,00000000,0045D84E,?,00008000), ref: 0045D732
LoadLibraryA.KERNEL32(imm32.dll), ref: 0045D74E
GetProcAddress.KERNEL32(00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D770
GetProcAddress.KERNEL32(00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D785
GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D79A
GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7AF
GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7C4
GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E), ref: 0045D7D9
GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000), ref: 0045D7EE
GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext), ref: 0045D803
GetProcAddress.KERNEL32(00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext), ref: 0045D818
GetProcAddress.KERNEL32(00000000,ImmNotifyIME,00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus), ref: 0045D82D
SetErrorMode.KERNEL32(?,0045D855,00008000), ref: 0045D848

Strings

USER32, xrefs: 0045D720
ImmReleaseContext, xrefs: 0045D77A
ImmNotifyIME, xrefs: 0045D822
ImmIsIME, xrefs: 0045D80D
ImmGetConversionStatus, xrefs: 0045D78F
ImmSetCompositionFontA, xrefs: 0045D7E3
ImmGetCompositionStringA, xrefs: 0045D7F8
ImmSetCompositionWindow, xrefs: 0045D7CE
ImmGetContext, xrefs: 0045D765
imm32.dll, xrefs: 0045D749
ImmSetOpenStatus, xrefs: 0045D7B9
WINNLSEnableIME, xrefs: 0045D72C
ImmSetConversionStatus, xrefs: 0045D7A4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004104F0, Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141 Total matches: 3143

Similarity

Total matches: 3143
API ID: GetModuleHandle
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$[FILE]
API String ID: 2196120668-1102361026
Opcode ID: d04b3c176625d43589df9c4c1eaa1faa8af9b9c00307a8a09859a0e62e75f2dc
Instruction ID: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6
Opcode Fuzzy Hash: B8119E48E06A10BC356E3ED6B0292683F50A1A7CBF31D5388487AA46F067C083C0FF2D
Instruction Fuzzy Hash: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 004104F9

Part of subcall function 004104C4: GetProcAddress.KERNEL32(00000000), ref: 004104DD

Strings

VarMod, xrefs: 004105B7
VarBstrFromCy, xrefs: 004106A9
VarBstrFromBool, xrefs: 004106D5
VarAnd, xrefs: 004105CD
VarDateFromStr, xrefs: 00410667
oleaut32.dll, xrefs: 004104F4
VariantChangeTypeEx, xrefs: 00410507
VarCmp, xrefs: 0041060F
VarBstrFromDate, xrefs: 004106BF
VarBoolFromStr, xrefs: 00410693
VarR8FromStr, xrefs: 00410651
VarR4FromStr, xrefs: 0041063B
VarDiv, xrefs: 0041058B
VarSub, xrefs: 0041055F
VarNeg, xrefs: 0041051D
VarAdd, xrefs: 00410549
VarOr, xrefs: 004105E3
VarMul, xrefs: 00410575
VarI4FromStr, xrefs: 00410625
VarCyFromStr, xrefs: 0041067D
VarIdiv, xrefs: 004105A1
VarXor, xrefs: 004105F9
VarNot, xrefs: 00410533

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047EE3C, Relevance: 37.0, APIs: 10, Strings: 11, Instructions: 210 Total matches: 14file

Similarity

Total matches: 14
API ID: ShellExecute$CopyFile$DeleteFilePlaySoundSetFileAttributes
String ID: .dcp$BATCH$EDITSVR$GENCODE$HOSTS$SOUND$UPANDEXEC$UPDATE$UPLOADEXEC$drivers\etc\hosts$open
API String ID: 313780579-486951257
Opcode ID: 44d22e170a376e2c3ac9494fe8a96a526e5340482cd9b2ca1a65bf3f31ad22f8
Instruction ID: 609fd5320f3736894535b51981f95e3d4faf5b0f44a63c85dacee75dc97e5f91
Opcode Fuzzy Hash: 482159C03AA5D247E11B38503C02FC671E1AB8B365C4E774182B9B32D6EF825029EF59
Instruction Fuzzy Hash: 609fd5320f3736894535b51981f95e3d4faf5b0f44a63c85dacee75dc97e5f91

APIs

ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EEA0
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF11
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EF31
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF60

Part of subcall function 00475BD8: closesocket.WSOCK32(00000248,00000000,00475D47,?,00000000,00475D76,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00475D2E
Part of subcall function 00475BD8: GetCurrentProcessId.KERNEL32(00000248,00000000,00475D47,?,00000000,00475D76,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00475D33

ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0047EF96
CopyFileA.KERNEL32(00000000,00000000,.dcp), ref: 0047F0D1

Part of subcall function 00489C78: GetSystemDirectoryA.KERNEL32(00000000,?), ref: 00489CB4

SetFileAttributesA.KERNEL32(00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFD6
DeleteFileA.KERNEL32(00000000,00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFFF
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0047F033
PlaySoundA.WINMM(00000000,00000000,00000001,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047F059

Strings

UPANDEXEC, xrefs: 0047EF74
UPLOADEXEC, xrefs: 0047EE7E
BATCH, xrefs: 0047EEC3
drivers\etc\hosts, xrefs: 0047EFC3, 0047EFE6, 0047F017
GENCODE, xrefs: 0047F0A0
UPDATE, xrefs: 0047EF3E
open, xrefs: 0047EE99, 0047EF0A, 0047EF2A, 0047EF59, 0047EF8F
HOSTS, xrefs: 0047EFA3
.dcp, xrefs: 0047F0AD
SOUND, xrefs: 0047F040
EDITSVR, xrefs: 0047F063

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00489580, Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 221 Total matches: 17pipewindowsleep

Similarity

Total matches: 17
API ID: CloseHandleCreatePipePeekNamedPipe$CreateProcessDispatchMessageGetEnvironmentVariableGetExitCodeProcessOemToCharPeekMessageReadFileSleepTerminateProcessTranslateMessage
String ID: COMSPEC$D
API String ID: 4101216710-942777791
Opcode ID: 98b6063c36b7c4f9ee270a2712a57a54142ac9cf893dea9da1c9317ddc3726ed
Instruction ID: f750be379b028122e82cf807415e9f3aafae13f02fb218c552ebf65ada2f023f
Opcode Fuzzy Hash: 6221AE4207BD57A3E5972A046403B841372FF43A68F6CA7A2A6FD367E9CE400099FE14
Instruction Fuzzy Hash: f750be379b028122e82cf807415e9f3aafae13f02fb218c552ebf65ada2f023f

APIs

CreatePipe.KERNEL32(FFFFFFFF,?,00000000,00000000), ref: 004895ED
CreatePipe.KERNEL32(?,?,00000000,00000000,FFFFFFFF,?,00000000,00000000), ref: 004895FD
GetEnvironmentVariableA.KERNEL32(COMSPEC,?,00000104,?,?,00000000,00000000,FFFFFFFF,?,00000000,00000000), ref: 00489613
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?), ref: 00489668
Sleep.KERNEL32(000007D0,00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,COMSPEC,?,00000104,?,?), ref: 00489685
TranslateMessage.USER32(?), ref: 00489693
DispatchMessageA.USER32(?), ref: 0048969F
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004896B3
GetExitCodeProcess.KERNEL32(?,?), ref: 004896C8
PeekNamedPipe.KERNEL32(FFFFFFFF,00000000,00000000,00000000,?,00000000,?,?,?,00000000,00000000,00000000,00000001,?,?,?), ref: 004896F2
ReadFile.KERNEL32(FFFFFFFF,?,00002400,00000000,00000000), ref: 00489717
OemToCharA.USER32(?,?), ref: 0048972E
PeekNamedPipe.KERNEL32(FFFFFFFF,00000000,00000000,00000000,00000000,00000000,?,FFFFFFFF,?,00002400,00000000,00000000,FFFFFFFF,00000000,00000000,00000000), ref: 00489781

Part of subcall function 0041FA34: GetLastError.KERNEL32(00486514,00000004,0048650C,00000000,0041FADE,?,00499F5C), ref: 0041FA94

Part of subcall function 0041FC40: SetThreadPriority.KERNEL32(?,015CDB28,00499F5C,?,0047EC9E,?,?,?,00000000,00000000,?,0049062B), ref: 0041FC55

Part of subcall function 0041FEF0: ResumeThread.KERNEL32(?,00499F5C,?,0047ECAA,?,?,?,00000000,00000000,?,0049062B), ref: 0041FEF8

Part of subcall function 0041FF20: GetCurrentThreadId.KERNEL32 ref: 0041FF2E
Part of subcall function 0041FF20: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0041FF5A
Part of subcall function 0041FF20: MsgWaitForMultipleObjects.USER32(00000002,?,00000000,000003E8,00000040), ref: 0041FF6F
Part of subcall function 0041FF20: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041FF9C
Part of subcall function 0041FF20: GetExitCodeThread.KERNEL32(?,?,?,000000FF), ref: 0041FFA7

TerminateProcess.KERNEL32(?,00000000,00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,COMSPEC,?,00000104,?), ref: 0048980A
CloseHandle.KERNEL32(?), ref: 00489813
CloseHandle.KERNEL32(?), ref: 0048981C

Strings

D, xrefs: 00489627
COMSPEC, xrefs: 0048960E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004291D0, Relevance: 31.7, APIs: 21, Instructions: 194 Total matches: 3060window

Similarity

Total matches: 3060
API ID: SelectObject$CreateCompatibleDCDeleteDCRealizePaletteSelectPaletteSetBkColor$BitBltCreateBitmapDeleteObjectGetDCGetObjectPatBltReleaseDC
String ID:
API String ID: 628774946-0
Opcode ID: fe3971f2977393a3c43567018b8bbe78de127415e632ac21538e816cc0dd5250
Instruction ID: 6115c1c3159ef7867d394253bd6a45f4e10092e6f2e7cc69ab30c5ac2c74a228
Opcode Fuzzy Hash: 2911294A05CCF32B64B579881983B261182FE43B52CABF7105979272CACF41740DE457
Instruction Fuzzy Hash: 6115c1c3159ef7867d394253bd6a45f4e10092e6f2e7cc69ab30c5ac2c74a228

APIs

GetObjectA.GDI32(?,00000054,?), ref: 004291F3
GetDC.USER32(00000000), ref: 00429221
CreateCompatibleDC.GDI32(?), ref: 00429232
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0042924D
SelectObject.GDI32(?,00000000), ref: 00429267
PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 00429289
CreateCompatibleDC.GDI32(?), ref: 00429297
DeleteDC.GDI32(?), ref: 0042937D

Part of subcall function 00428B08: GetObjectA.GDI32(00000000,00000054,?), ref: 00428B88
Part of subcall function 00428B08: GetDC.USER32(00000000), ref: 00428B99
Part of subcall function 00428B08: CreateCompatibleDC.GDI32(00000000), ref: 00428BAA
Part of subcall function 00428B08: CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 00428BF6
Part of subcall function 00428B08: CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 00428C1A
Part of subcall function 00428B08: GetDeviceCaps.GDI32(00000028,0000000C), ref: 00428C6A
Part of subcall function 00428B08: GetDeviceCaps.GDI32(00000028,0000000E), ref: 00428C77
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00428D21
Part of subcall function 00428B08: GetDIBColorTable.GDI32(?,00000000,00000100,-00000027), ref: 00428D47
Part of subcall function 00428B08: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428D72
Part of subcall function 00428B08: SelectObject.GDI32(?,?), ref: 00428D7F
Part of subcall function 00428B08: CreateDIBSection.GDI32(00000028,00000001,00000000,00000003,00000000,00000000), ref: 00428DD5
Part of subcall function 00428B08: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428E36
Part of subcall function 00428B08: SelectObject.GDI32(?,?), ref: 00428E77
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,00000000), ref: 00428EB7
Part of subcall function 00428B08: RealizePalette.GDI32(?), ref: 00428EC3
Part of subcall function 00428B08: FillRect.USER32(?,?,00000000), ref: 00428F14
Part of subcall function 00428B08: SetTextColor.GDI32(?,00000000), ref: 00428F2C
Part of subcall function 00428B08: SetBkColor.GDI32(?,00000000), ref: 00428F46
Part of subcall function 00428B08: SetDIBColorTable.GDI32(?,00000000,00000002,?), ref: 00428F8E
Part of subcall function 00428B08: PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 00428FB0
Part of subcall function 00428B08: CreateCompatibleDC.GDI32(00000028), ref: 00428FC3
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00428FE6
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,00000000), ref: 00429002
Part of subcall function 00428B08: RealizePalette.GDI32(?), ref: 0042900D
Part of subcall function 00428B08: SetTextColor.GDI32(?,00000000), ref: 0042902B
Part of subcall function 00428B08: SetBkColor.GDI32(?,00000000), ref: 00429045
Part of subcall function 00428B08: BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042906D
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,000000FF), ref: 0042907F
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00429089
Part of subcall function 00428B08: DeleteDC.GDI32(?), ref: 004290A4
Part of subcall function 00428B08: SelectPalette.GDI32(?,?,000000FF), ref: 004290CE

SelectObject.GDI32(?), ref: 004292DF
SelectPalette.GDI32(?,?,00000000), ref: 004292F2
RealizePalette.GDI32(?), ref: 004292FB
SelectPalette.GDI32(?,?,00000000), ref: 00429307
RealizePalette.GDI32(?), ref: 00429310
SetBkColor.GDI32(?), ref: 0042931A
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042933E
SetBkColor.GDI32(?,00000000), ref: 00429348
SelectObject.GDI32(?,00000000), ref: 0042935B
DeleteObject.GDI32 ref: 00429367
SelectObject.GDI32(?,00000000), ref: 00429398
DeleteDC.GDI32(00000000), ref: 004293B4
ReleaseDC.USER32(00000000,00000000), ref: 004293C5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004031FC, Relevance: 27.1, APIs: 9, Strings: 9, Instructions: 110 Total matches: 169

Similarity

Total matches: 169
API ID: CharNext
String ID: $ $ $"$"$"$"$"$"
API String ID: 3213498283-3597982963
Opcode ID: a78e52ca640c3a7d11d18e4cac849d6c7481ab065be4a6ef34a7c34927dd7892
Instruction ID: 5d6dbb870b020a65ba4fa9e31a5dda400ef744f15fc7bff5e21739e263984da5
Opcode Fuzzy Hash: D0F054139ED4432360976B416872B44E2D0DF9564D2C01F185B62BE2F31E696D62F9DC
Instruction Fuzzy Hash: 5d6dbb870b020a65ba4fa9e31a5dda400ef744f15fc7bff5e21739e263984da5

APIs

CharNextA.USER32(00000000), ref: 00403208
CharNextA.USER32(00000000), ref: 00403236
CharNextA.USER32(00000000), ref: 00403240
CharNextA.USER32(00000000), ref: 0040325F
CharNextA.USER32(00000000), ref: 00403269
CharNextA.USER32(00000000), ref: 00403295
CharNextA.USER32(00000000), ref: 0040329F
CharNextA.USER32(00000000), ref: 004032C7
CharNextA.USER32(00000000), ref: 004032D1

Strings

", xrefs: 00403230
, xrefs: 004032E9
", xrefs: 0040328F
", xrefs: 0040321E
, xrefs: 00403214
", xrefs: 00403254
, xrefs: 00403278
", xrefs: 00403219
", xrefs: 004032BC

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00472E88, Relevance: 26.4, APIs: 6, Strings: 9, Instructions: 199 Total matches: 19network

Similarity

Total matches: 19
API ID: inet_ntoa$WSAIoctlclosesocketsocket
String ID: Broadcast adress : $ Broadcasts : NO$ Broadcasts : YES$ IP : $ IP Mask : $ Loopback interface$ Network interface$ Status : DOWN$ Status : UP
API String ID: 2271367613-1810517698
Opcode ID: 3d4dbe25dc82bdd7fd028c6f91bddee7ad6dc1d8a686e5486e056cbc58026438
Instruction ID: 018b2a24353d4e3a07e7e79b390110fecb7011e72bd4e8fb6250bb24c4a02172
Opcode Fuzzy Hash: E22138C22338E1B2D42A39C6B500F80B651671FB7EF481F9652B6FFDC26E488005A749
Instruction Fuzzy Hash: 018b2a24353d4e3a07e7e79b390110fecb7011e72bd4e8fb6250bb24c4a02172

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00473108), ref: 00472EC7
WSAIoctl.WS2_32(000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000), ref: 00472F08
inet_ntoa.WSOCK32(?,00000000,004730D5,?,00000002,00000001,00000000,00000000,00473108), ref: 00472F40
inet_ntoa.WSOCK32(?,00473130,?, IP : ,?,?,00000000,004730D5,?,00000002,00000001,00000000,00000000,00473108), ref: 00472F81
inet_ntoa.WSOCK32(?,00473130,?, IP Mask : ,?,?,00473130,?, IP : ,?,?,00000000,004730D5,?,00000002,00000001), ref: 00472FC2
closesocket.WSOCK32(000000FF,00000002,00000001,00000000,00000000,00473108), ref: 004730E3

Strings

Broadcast adress : , xrefs: 00472FCB
Status : UP, xrefs: 00473001
IP Mask : , xrefs: 00472F8A
Broadcasts : NO, xrefs: 00473057
Status : DOWN, xrefs: 0047301B
IP : , xrefs: 00472F49
Broadcasts : YES, xrefs: 0047303D
Network interface, xrefs: 00473091
Loopback interface, xrefs: 00473077

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045944C, Relevance: 25.8, APIs: 17, Instructions: 258 Total matches: 99

Similarity

Total matches: 99
API ID: OffsetRect$MapWindowPoints$DrawEdgeExcludeClipRectFillRectGetClientRectGetRgnBoxGetWindowDCGetWindowLongGetWindowRectInflateRectIntersectClipRectIntersectRectReleaseDC
String ID:
API String ID: 549690890-0
Opcode ID: 4a5933c45267f4417683cc1ac528043082b1f46eca0dcd21c58a50742ec4aa88
Instruction ID: 2ecbe6093ff51080a4fa1a6c7503b414327ded251fe39163baabcde2d7402924
Opcode Fuzzy Hash: DE316B4D01AF1663F073A6401983F7A1516FF43A89CD837F27EE63235E27662066AA03
Instruction Fuzzy Hash: 2ecbe6093ff51080a4fa1a6c7503b414327ded251fe39163baabcde2d7402924

APIs

GetWindowDC.USER32(00000000), ref: 00459480
GetClientRect.USER32(00000000,?), ref: 004594A3
GetWindowRect.USER32(00000000,?), ref: 004594B5
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 004594CB
OffsetRect.USER32(?,?,?), ref: 004594E0
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 004594F9
InflateRect.USER32(?,00000000,00000000), ref: 00459517
GetWindowLongA.USER32(00000000,000000F0), ref: 00459531
DrawEdge.USER32(?,?,?,00000008), ref: 00459630
IntersectClipRect.GDI32(?,?,?,?,?), ref: 00459649
OffsetRect.USER32(?,?,?), ref: 00459673
GetRgnBox.GDI32(?,?), ref: 00459682
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 00459698
IntersectRect.USER32(?,?,?), ref: 004596A9
OffsetRect.USER32(?,?,?), ref: 004596BE

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?,00000000), ref: 004596DA
ReleaseDC.USER32(00000000,?), ref: 004596F9

Part of subcall function 004328FC: GetWindowLongA.USER32(00000000,000000EC), ref: 00432917
Part of subcall function 004328FC: GetWindowRect.USER32(00000000,?), ref: 00432932
Part of subcall function 004328FC: OffsetRect.USER32(?,?,?), ref: 00432947
Part of subcall function 004328FC: GetWindowDC.USER32(00000000), ref: 00432955
Part of subcall function 004328FC: GetWindowLongA.USER32(00000000,000000F0), ref: 00432986
Part of subcall function 004328FC: GetSystemMetrics.USER32(00000002), ref: 0043299B
Part of subcall function 004328FC: GetSystemMetrics.USER32(00000003), ref: 004329A4
Part of subcall function 004328FC: InflateRect.USER32(?,000000FE,000000FE), ref: 004329B3
Part of subcall function 004328FC: GetSysColorBrush.USER32(0000000F), ref: 004329E0
Part of subcall function 004328FC: FillRect.USER32(?,?,00000000), ref: 004329EE
Part of subcall function 004328FC: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00432A13
Part of subcall function 004328FC: ReleaseDC.USER32(00000000,?), ref: 00432A51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00465A0C, Relevance: 21.2, APIs: 6, Strings: 8, Instructions: 232 Total matches: 70memory

Similarity

Total matches: 70
API ID: VirtualAlloc$GetProcessHeapHeapAlloc
String ID: BTMemoryLoadLibary: BuildImportTable failed$BTMemoryLoadLibary: Can't attach library$BTMemoryLoadLibary: Get DLLEntyPoint failed$BTMemoryLoadLibary: IMAGE_NT_SIGNATURE is not valid$BTMemoryLoadLibary: VirtualAlloc failed$BTMemoryLoadLibary: dll dos header is not valid$MZ$PE
API String ID: 2488116186-3631919656
Opcode ID: 3af931fd5e956d794d4d8b2d9451c0c23910b02d2e1f96ee73557f06256af9ed
Instruction ID: 5201b0f892773e34eb121d15694a5594f27085db04a31d88d5a3aa16cfd2fb7b
Opcode Fuzzy Hash: C92170831B68E1B7FD6411983983F62168EE747E64EC5A7700375391DB6B09408DEB4E
Instruction Fuzzy Hash: 5201b0f892773e34eb121d15694a5594f27085db04a31d88d5a3aa16cfd2fb7b

APIs

VirtualAlloc.KERNEL32(?,?,00002000,00000004), ref: 00465AC1
VirtualAlloc.KERNEL32(00000000,?,00002000,00000004,?,?,00002000,00000004), ref: 00465ADC
GetProcessHeap.KERNEL32(00000000,00000011,?,?,00002000,00000004), ref: 00465B07
HeapAlloc.KERNEL32(00000000,00000000,00000011,?,?,00002000,00000004), ref: 00465B0D
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,00000000,00000000,00000011,?,?,00002000,00000004), ref: 00465B41
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,00000000,?,00001000,00000004,00000000,00000000,00000011,?,?,00002000,00000004), ref: 00465B55

Part of subcall function 004653A8: VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00465410
Part of subcall function 004653A8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004), ref: 0046545B

Part of subcall function 00465598: LoadLibraryA.KERNEL32(00000000), ref: 00465607
Part of subcall function 00465598: GetProcAddress.KERNEL32(?,?), ref: 00465737
Part of subcall function 00465598: GetProcAddress.KERNEL32(?,?), ref: 0046576B
Part of subcall function 00465598: IsBadReadPtr.KERNEL32(?,00000014,00000000,004657D8), ref: 004657A9

Part of subcall function 004658F4: VirtualFree.KERNEL32(?,?,00004000), ref: 00465939
Part of subcall function 004658F4: VirtualProtect.KERNEL32(?,?,00000000,?), ref: 004659A5

Part of subcall function 00466038: FreeLibrary.KERNEL32(00000000,?,?,00000000,?,00000000,00465C6C), ref: 004660A7
Part of subcall function 00466038: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,?,00000000,00465C6C), ref: 004660D8
Part of subcall function 00466038: GetProcessHeap.KERNEL32(00000000,?,?,?,00000000,?,00000000,00465C6C), ref: 004660E0
Part of subcall function 00466038: HeapFree.KERNEL32(00000000,00000000,?), ref: 004660E6

Strings

BTMemoryLoadLibary: BuildImportTable failed, xrefs: 00465BD5
BTMemoryLoadLibary: Can't attach library, xrefs: 00465C5A
BTMemoryLoadLibary: IMAGE_NT_SIGNATURE is not valid, xrefs: 00465A95
BTMemoryLoadLibary: VirtualAlloc failed, xrefs: 00465AEC
PE, xrefs: 00465A84
BTMemoryLoadLibary: dll dos header is not valid, xrefs: 00465A4E
MZ, xrefs: 00465A41
BTMemoryLoadLibary: Get DLLEntyPoint failed, xrefs: 00465C28

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004296E0, Relevance: 21.2, APIs: 14, Instructions: 217 Total matches: 2962window

Similarity

Total matches: 2962
API ID: GetDeviceCapsSelectObjectSelectPaletteSetStretchBltMode$CreateCompatibleDCDeleteDCGetBrushOrgExRealizePaletteSetBrushOrgExStretchBlt
String ID:
API String ID: 3308931694-0
Opcode ID: c4f23efe5e20e7f72d9787206ae9d4d4484ef6a1768b369050ebc0ce3d21af64
Instruction ID: 6e80a75276815f297b150d1899ec2451361d21afa1efcd092d0d7bc48a04164e
Opcode Fuzzy Hash: 2C21980A409CEB6BF0BB78840183F4A2285BF9B34ACD1BB210E64673635F04E40BD65F
Instruction Fuzzy Hash: 6e80a75276815f297b150d1899ec2451361d21afa1efcd092d0d7bc48a04164e

APIs

Part of subcall function 00429D5C: GetDC.USER32(00000000), ref: 00429DB2
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429DC7
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00429DD1
Part of subcall function 00429D5C: CreateHalftonePalette.GDI32(00000000), ref: 00429DF5
Part of subcall function 00429D5C: ReleaseDC.USER32(00000000,00000000), ref: 00429E00

SelectPalette.GDI32(?,?,000000FF), ref: 00429723
RealizePalette.GDI32(?), ref: 00429732
GetDeviceCaps.GDI32(?,0000000C), ref: 00429744
GetDeviceCaps.GDI32(?,0000000E), ref: 00429753
GetBrushOrgEx.GDI32(?,?), ref: 00429786
SetStretchBltMode.GDI32(?,00000004), ref: 00429794
SetBrushOrgEx.GDI32(?,?,?,?), ref: 004297AC
SetStretchBltMode.GDI32(00000000,00000003), ref: 004297C9
SelectPalette.GDI32(?,?,000000FF), ref: 00429918

Part of subcall function 00429CFC: DeleteObject.GDI32(?), ref: 00429D1F

CreateCompatibleDC.GDI32(00000000), ref: 0042982A
SelectObject.GDI32(?,?), ref: 0042983F

Part of subcall function 00425CC8: CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 00425D0B
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425D20
Part of subcall function 00425CC8: MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,CCAA0029), ref: 00425D64
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425D7E
Part of subcall function 00425CC8: DeleteObject.GDI32(?), ref: 00425D8A
Part of subcall function 00425CC8: CreateCompatibleDC.GDI32(00000000), ref: 00425D9E
Part of subcall function 00425CC8: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00425DBF
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425DD4
Part of subcall function 00425CC8: SelectPalette.GDI32(?,48080787,00000000), ref: 00425DE8
Part of subcall function 00425CC8: SelectPalette.GDI32(?,?,00000000), ref: 00425DFA
Part of subcall function 00425CC8: SelectPalette.GDI32(?,00000000,000000FF), ref: 00425E0F
Part of subcall function 00425CC8: SelectPalette.GDI32(?,48080787,000000FF), ref: 00425E25
Part of subcall function 00425CC8: RealizePalette.GDI32(?), ref: 00425E31
Part of subcall function 00425CC8: StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 00425E53
Part of subcall function 00425CC8: StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 00425E75
Part of subcall function 00425CC8: SetTextColor.GDI32(?,00000000), ref: 00425E7D
Part of subcall function 00425CC8: SetBkColor.GDI32(?,00FFFFFF), ref: 00425E8B
Part of subcall function 00425CC8: StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 00425EB7
Part of subcall function 00425CC8: StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 00425EDC
Part of subcall function 00425CC8: SetTextColor.GDI32(?,?), ref: 00425EE6
Part of subcall function 00425CC8: SetBkColor.GDI32(?,?), ref: 00425EF0
Part of subcall function 00425CC8: SelectObject.GDI32(?,00000000), ref: 00425F03
Part of subcall function 00425CC8: DeleteObject.GDI32(?), ref: 00425F0C
Part of subcall function 00425CC8: SelectPalette.GDI32(?,00000000,00000000), ref: 00425F2E
Part of subcall function 00425CC8: DeleteDC.GDI32(?), ref: 00425F37

SelectObject.GDI32(?,00000000), ref: 0042989E
DeleteDC.GDI32(00000000), ref: 004298AD
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,?), ref: 004298F3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474208, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 49 Total matches: 17libraryloader

Similarity

Total matches: 17
API ID: GetProcAddress$LoadLibrary
String ID: WlanCloseHandle$WlanEnumInterfaces$WlanGetAvailableNetworkList$WlanOpenHandle$WlanQueryInterface$[FILE]
API String ID: 2209490600-3498334979
Opcode ID: 5146edb54a207047eae4574c9a27975307ac735bfb4468aea4e07443cdf6e803
Instruction ID: f89292433987c39bc7d9e273a1951c9a278ebb56a2de24d0a3e4590a01f53334
Opcode Fuzzy Hash: 50E0B6FD90BAA808D37089CC31962431D6E7BE332DA621E00086A230902B4FF2766935
Instruction Fuzzy Hash: f89292433987c39bc7d9e273a1951c9a278ebb56a2de24d0a3e4590a01f53334

APIs

LoadLibraryA.KERNEL32(wlanapi.dll), ref: 00474216
GetProcAddress.KERNEL32(00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 0047422E
GetProcAddress.KERNEL32(00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 00474249
GetProcAddress.KERNEL32(00000000,WlanEnumInterfaces,00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 00474264
GetProcAddress.KERNEL32(00000000,WlanQueryInterface,00000000,WlanEnumInterfaces,00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 0047427F
GetProcAddress.KERNEL32(00000000,WlanGetAvailableNetworkList,00000000,WlanQueryInterface,00000000,WlanEnumInterfaces,00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 0047429A

Strings

WlanOpenHandle, xrefs: 00474226
wlanapi.dll, xrefs: 00474211
WlanGetAvailableNetworkList, xrefs: 00474292
WlanQueryInterface, xrefs: 00474277
WlanEnumInterfaces, xrefs: 0047425C
WlanCloseHandle, xrefs: 00474241

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048D3C4, Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 132 Total matches: 32

Similarity

Total matches: 32
API ID: GetVersionEx
String ID: Unknow$Windows 2000$Windows 7$Windows 95$Windows 98$Windows Me$Windows NT 4.0$Windows Server 2003$Windows Vista$Windows XP
API String ID: 3908303307-3783844371
Opcode ID: 7b5a5832e5fd12129a8a2e2906a492b9449b8df28a17af9cc2e55bced20de565
Instruction ID: b844ed6b70e0e94de659292c354b68b9ed016400ab421bcb6baea74a0809c2ae
Opcode Fuzzy Hash: 0C11ACC1EB6CE422E7B219486410BD59E805F8B83AFCCC343D63EA83E46D491419F22D
Instruction Fuzzy Hash: b844ed6b70e0e94de659292c354b68b9ed016400ab421bcb6baea74a0809c2ae

APIs

GetVersionExA.KERNEL32(00000094), ref: 0048D410

Strings

Windows Me, xrefs: 0048D4F2
Windows NT 4.0, xrefs: 0048D441
Windows 2000, xrefs: 0048D467
Windows 95, xrefs: 0048D4D6
Windows 7, xrefs: 0048D4B1
Unknow, xrefs: 0048D3F5
Windows Vista, xrefs: 0048D4A3
Windows Server 2003, xrefs: 0048D486
Windows XP, xrefs: 0048D478
Windows 98, xrefs: 0048D4E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C494, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 102 Total matches: 27filememorythread

Similarity

Total matches: 27
API ID: CloseHandle$CreateFileCreateThreadFindResourceLoadResourceLocalAllocLockResourceSizeofResourceWriteFile
String ID: [FILE]
API String ID: 67866216-124780900
Opcode ID: 96c988e38e59b89ff17cc2eaece477f828ad8744e4a6eccd5192cfbc043553d8
Instruction ID: 630cc112895e8414539e3ba5b7ba0394fd4404f3832c6fa9d37db38bf09270f9
Opcode Fuzzy Hash: D5F02B8A57A5E6A3F0003C841D423D286D55B13B20E582B62C57CB75C1FE24502AFB03
Instruction Fuzzy Hash: 630cc112895e8414539e3ba5b7ba0394fd4404f3832c6fa9d37db38bf09270f9

APIs

FindResourceA.KERNEL32(00000000,?,?), ref: 0048C4C3

Part of subcall function 00489BB0: GetTempPathA.KERNEL32(?,00000000), ref: 00489BEC

CreateFileA.KERNEL32(00000000,.dll,?,?,40000000,00000002,00000000), ref: 0048C50F
SizeofResource.KERNEL32(00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC,?,?,?,?,00000000,00000000,00000000), ref: 0048C51F
LoadResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C528
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C52E
WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0048C535
CloseHandle.KERNEL32(00000000), ref: 0048C53B
LocalAlloc.KERNEL32(00000040,00000004,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C544
CreateThread.KERNEL32(00000000,00000000,0048C3E4,00000000,00000000,?), ref: 0048C586
CloseHandle.KERNEL32(00000000), ref: 0048C58C

Strings

.dll, xrefs: 0048C4F4, 0048C565

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004085D4, Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 61 Total matches: 268windowregistry

Similarity

Total matches: 268
API ID: RegisterWindowMessage$SendMessage$FindWindow
String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
API String ID: 773075572-3736581797
Opcode ID: b8d29d158da692a3f30c7c46c0fd30bc084ed528be5294db655e4684b6c0c80f
Instruction ID: 4e75a9db2a85290b2bd165713cc3b8ab264a87c6022b985514cebb886d0c2653
Opcode Fuzzy Hash: E3E086048EC5E4C040877D156905746525A5B47E33E88971245FC69EEBDF12706CF60B
Instruction Fuzzy Hash: 4e75a9db2a85290b2bd165713cc3b8ab264a87c6022b985514cebb886d0c2653

APIs

FindWindowA.USER32(MouseZ,Magellan MSWHEEL), ref: 004085EC
RegisterWindowMessageA.USER32(MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 004085F8
RegisterWindowMessageA.USER32(MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 00408607
RegisterWindowMessageA.USER32(MSH_SCROLL_LINES_MSG,MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 00408613
SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 0040862B
SendMessageA.USER32(00000000,?,00000000,00000000), ref: 0040864F

Strings

MSH_SCROLL_LINES_MSG, xrefs: 0040860E
MSH_WHEELSUPPORT_MSG, xrefs: 00408602
MouseZ, xrefs: 004085E7
Magellan MSWHEEL, xrefs: 004085E2
MSWHEEL_ROLLMSG, xrefs: 004085F3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00442280, Relevance: 18.5, APIs: 12, Instructions: 471 Total matches: 76window

Similarity

Total matches: 76
API ID: ShowWindow$SendMessageSetWindowPos$CallWindowProcGetActiveWindowSetActiveWindow
String ID:
API String ID: 1078102291-0
Opcode ID: 5a6bc4dc446307c7628f18d730adac2faaaadfe5fec0ff2c8aaad915570e293a
Instruction ID: d2d7a330045c082ee8847ac264425c59ea8f05af409e416109ccbd6a8a647aa5
Opcode Fuzzy Hash: AA512601698E2453F8A360442A87BAB6077F74EB54CC4AB744BCF530AB3A51D837E74B
Instruction Fuzzy Hash: d2d7a330045c082ee8847ac264425c59ea8f05af409e416109ccbd6a8a647aa5

APIs

Part of subcall function 004471C4: IsChild.USER32(00000000,00000000), ref: 00447222

SendMessageA.USER32(?,00000223,00000000,00000000), ref: 004426BE
ShowWindow.USER32(00000000,00000003), ref: 004426CE
ShowWindow.USER32(00000000,00000002), ref: 004426F0
CallWindowProcA.USER32(00407FF8,00000000,00000005,00000000,?), ref: 00442719
SendMessageA.USER32(?,00000234,00000000,00000000), ref: 0044273E
ShowWindow.USER32(00000000,?), ref: 00442763
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000097), ref: 004427FF
GetActiveWindow.USER32 ref: 00442815
ShowWindow.USER32(00000000,00000000), ref: 00442872

Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773

Part of subcall function 0043BA80: GetCurrentThreadId.KERNEL32(Function_0003BA1C,00000000,0044283C,00000000,004428BF), ref: 0043BA9A
Part of subcall function 0043BA80: EnumThreadWindows.USER32(00000000,Function_0003BA1C,00000000), ref: 0043BAA0

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000097), ref: 0044285A
SetActiveWindow.USER32(00000000), ref: 00442860
ShowWindow.USER32(00000000,00000001), ref: 004428A2

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004328FC, Relevance: 18.1, APIs: 12, Instructions: 142 Total matches: 2670

Similarity

Total matches: 2670
API ID: GetSystemMetricsGetWindowLong$ExcludeClipRectFillRectGetSysColorBrushGetWindowDCGetWindowRectInflateRectOffsetRectReleaseDC
String ID:
API String ID: 3932036319-0
Opcode ID: 76064c448b287af48dc2af56ceef959adfeb7e49e56a31cb381aae6292753b0b
Instruction ID: f04c829c48dd0ecc4740a09c532db4e7ffce190e9eba6ce852bb2d0274806371
Opcode Fuzzy Hash: 03019760024F1233E0B31AC05DC7F127621ED45386CA4BBF28BF6A72C962AA7006F467
Instruction Fuzzy Hash: f04c829c48dd0ecc4740a09c532db4e7ffce190e9eba6ce852bb2d0274806371

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 00432917
GetWindowRect.USER32(00000000,?), ref: 00432932
OffsetRect.USER32(?,?,?), ref: 00432947
GetWindowDC.USER32(00000000), ref: 00432955
GetWindowLongA.USER32(00000000,000000F0), ref: 00432986
GetSystemMetrics.USER32(00000002), ref: 0043299B
GetSystemMetrics.USER32(00000003), ref: 004329A4
InflateRect.USER32(?,000000FE,000000FE), ref: 004329B3
GetSysColorBrush.USER32(0000000F), ref: 004329E0
FillRect.USER32(?,?,00000000), ref: 004329EE
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00432A13
ReleaseDC.USER32(00000000,?), ref: 00432A51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00402820, Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 254 Total matches: 200window

Similarity

Total matches: 200
API ID: MessageBox
String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
API String ID: 1250089747-1256731999
Opcode ID: 490897b8e9acac750f9d51d50a768472c0795dbdc6439b18441db86d626ce938
Instruction ID: 76dfa530adb1b8c2cc13e2667be7c25ba156ed0594aa9714788bfb3d1a0eda85
Opcode Fuzzy Hash: 0731F44BA7DDC3A2D3E91303684575550E2A7C5537C888F609772317F6EE04250BAAAD
Instruction Fuzzy Hash: 76dfa530adb1b8c2cc13e2667be7c25ba156ed0594aa9714788bfb3d1a0eda85

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 00402BBE

Strings

An unexpected memory leak has occurred. , xrefs: 00402980
String, xrefs: 00402A91
, xrefs: 00402B04
Unknown, xrefs: 00402A7C
The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402B39
The unexpected small block leaks are:, xrefs: 004029F7
Unexpected Memory Leak, xrefs: 00402BB0
7, xrefs: 00402991
bytes: , xrefs: 00402A4D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F17C, Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 116 Total matches: 33window

Similarity

Total matches: 33
API ID: GetWindowPlacementGetWindowTextIsWindowVisible
String ID: ,$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive$True
API String ID: 41250382-511446200
Opcode ID: 2a93bd2407602c988be198f02ecb64933adb9ffad78aee0f75abc9a1a22a1849
Instruction ID: 8f95e1a452f283c9d6a5f9db166b7f7b6e325fa1ebf04232aa01919826a7e185
Opcode Fuzzy Hash: F5012D8237CECA73DA0AAEC47C00B80D5A5AF63224CC867A14A9D3D1D41ED06009AB4A
Instruction Fuzzy Hash: 8f95e1a452f283c9d6a5f9db166b7f7b6e325fa1ebf04232aa01919826a7e185

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F1D2
GetWindowPlacement.USER32(?,0000002C), ref: 0046F1ED
IsWindowVisible.USER32(?), ref: 0046F258

Part of subcall function 0046F148: GetWindow.USER32(?,00000005), ref: 0046F156
Part of subcall function 0046F148: GetWindow.USER32(00000000,00000002), ref: 0046F164

Strings

,, xrefs: 0046F1E1
Minimized, xrefs: 0046F225
Show/Unactive, xrefs: 0046F239
True, xrefs: 0046F2AA
Maximized, xrefs: 0046F1FD
Normal, xrefs: 0046F211
Normal/Unactive, xrefs: 0046F24D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E71C, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 109 Total matches: 2989

Similarity

Total matches: 2989
API ID: IntersectRect$GetSystemMetrics$EnumDisplayMonitorsGetClipBoxGetDCOrgExOffsetRect
String ID: EnumDisplayMonitors
API String ID: 2403121106-2491903729
Opcode ID: 52db4d6629bbd73772140d7e04a91d47a072080cb3515019dbe85a8b86b11587
Instruction ID: b4557ab74b20c8893b9e8c5043286aecf6e43751f6ec849995a879e485a4fa77
Opcode Fuzzy Hash: 60F02B4B413C0863AD32BB953067E2601615BD3955C9F7BF34D077A2091B85B42EF643
Instruction Fuzzy Hash: b4557ab74b20c8893b9e8c5043286aecf6e43751f6ec849995a879e485a4fa77

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 0042E755
GetSystemMetrics.USER32(00000000), ref: 0042E77A
GetSystemMetrics.USER32(00000001), ref: 0042E785
GetClipBox.GDI32(?,?), ref: 0042E797
GetDCOrgEx.GDI32(?,?), ref: 0042E7A4
OffsetRect.USER32(?,?,?), ref: 0042E7BD
IntersectRect.USER32(?,?,?), ref: 0042E7CE
IntersectRect.USER32(?,?,?), ref: 0042E7E4
IntersectRect.USER32(?,?,?), ref: 0042E804

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

EnumDisplayMonitors, xrefs: 0042E734

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044D1B0, Relevance: 16.6, APIs: 11, Instructions: 91 Total matches: 309

Similarity

Total matches: 309
API ID: GetWindowLongSetWindowLong$SetProp$IsWindowUnicode
String ID:
API String ID: 2416549522-0
Opcode ID: cc33e88019e13a6bdd1cd1f337bb9aa08043e237bf24f75c2294c70aefb51ea5
Instruction ID: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692
Opcode Fuzzy Hash: 47F09048455D92E9CE316990181BFEB6098AF57F91CE86B0469C2713778E50F079BCC2
Instruction Fuzzy Hash: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692

APIs

IsWindowUnicode.USER32(?), ref: 0044D1CA
SetWindowLongW.USER32(?,000000FC,?), ref: 0044D1E5
GetWindowLongW.USER32(?,000000F0), ref: 0044D1F0
GetWindowLongW.USER32(?,000000F4), ref: 0044D202
SetWindowLongW.USER32(?,000000F4,?), ref: 0044D215
SetWindowLongA.USER32(?,000000FC,?), ref: 0044D22E
GetWindowLongA.USER32(?,000000F0), ref: 0044D239
GetWindowLongA.USER32(?,000000F4), ref: 0044D24B
SetWindowLongA.USER32(?,000000F4,?), ref: 0044D25E
SetPropA.USER32(?,00000000,00000000), ref: 0044D275
SetPropA.USER32(?,00000000,00000000), ref: 0044D28C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00485954, Relevance: 16.0, APIs: 4, Strings: 5, Instructions: 236 Total matches: 15filewindow

Similarity

Total matches: 15
API ID: DeleteFile$BeepMessageBox
String ID: Error$SYSINFO$out.txt$systeminfo$tmp.txt
API String ID: 2513333429-345806071
Opcode ID: 175ef29eb0126f4faf8d8d995bdbdcdb5595b05f6195c7c08c0282fe984d4c47
Instruction ID: 39f7f17e1c987efdb7b4b5db2f739eec2f93dce701a473bbe0ca777f64945c64
Opcode Fuzzy Hash: 473108146FCD9607E0675C047D43BB622369F83488E8AB3736AB7321E95E12C007FE96
Instruction Fuzzy Hash: 39f7f17e1c987efdb7b4b5db2f739eec2f93dce701a473bbe0ca777f64945c64

APIs

Beep.KERNEL32(00000000,00000000,?,00000000,00485C82), ref: 00485C68

Part of subcall function 00489BB0: GetTempPathA.KERNEL32(?,00000000), ref: 00489BEC

Part of subcall function 0048AB58: DeleteFileA.KERNEL32(00000000,00000000,0048ABE5,?,00000000,0048AC07), ref: 0048ABA5

Part of subcall function 0048A8AC: CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000004,00000100,00000000), ref: 0048A953
Part of subcall function 0048A8AC: CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000002,00000100,00000000), ref: 0048A98D
Part of subcall function 0048A8AC: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000110,00000000,00000000,00000044,?), ref: 0048AA10
Part of subcall function 0048A8AC: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0048AA2D
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA68
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA77
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA86
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA95

DeleteFileA.KERNEL32(00000000,Error,00000000,00485C82), ref: 00485A63
DeleteFileA.KERNEL32(00000000,00000000,Error,00000000,00485C82), ref: 00485A92

Part of subcall function 00485888: LocalAlloc.KERNEL32(00000040,00000014,00000000,00485939), ref: 004858C3
Part of subcall function 00485888: CreateThread.KERNEL32(00000000,00000000,Function_0008317C,00000000,00000000,00499F94), ref: 00485913
Part of subcall function 00485888: CloseHandle.KERNEL32(00000000), ref: 00485919

MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00485BE3

Strings

systeminfo, xrefs: 00485A14
tmp.txt, xrefs: 004859CA, 00485A07, 00485A79
Error, xrefs: 004859DE
SYSINFO, xrefs: 00485AAE
out.txt, xrefs: 004859AB, 004859EE, 00485A2A, 00485A4A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00462C84, Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 197 Total matches: 15com

Similarity

Total matches: 15
API ID: CoCreateInstance
String ID: )I$,*I$\)I$l)I$|*I
API String ID: 206711758-730570145
Opcode ID: 8999b16d8999ffb1a836ee872fd39b0ec17270f551e5dbcbb19cdec74f308aa7
Instruction ID: 5b7ba80d8099b44c35cabc3879083aa44c7049928a8bf14f2fd8312944c66e37
Opcode Fuzzy Hash: D1212B50148E6143E69475A53D92FAF11533BAB341E68BA6821DF30396CF01619BBF86
Instruction Fuzzy Hash: 5b7ba80d8099b44c35cabc3879083aa44c7049928a8bf14f2fd8312944c66e37

APIs

CoCreateInstance.OLE32(00492A2C,00000000,00000003,0049296C,00000000), ref: 00462CC9
CoCreateInstance.OLE32(00492A8C,00000000,00000001,00462EC8,00000000), ref: 00462CF4
CoCreateInstance.OLE32(00492A9C,00000000,00000001,0049295C,00000000), ref: 00462D20
CoCreateInstance.OLE32(00492A1C,00000000,00000003,004929AC,00000000), ref: 00462E12

Strings

,*I, xrefs: 00462CC3
l)I, xrefs: 00462CB9
)I, xrefs: 00462E4B
\)I, xrefs: 00462D10
|*I, xrefs: 00462D3C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048485C, Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 185 Total matches: 16networkfile

Similarity

Total matches: 16
API ID: HttpQueryInfoInternetCloseHandleInternetOpenInternetOpenUrlInternetReadFileShellExecute
String ID: 200$Mozilla$open
API String ID: 3970492845-1265730427
Opcode ID: 3dc36a46b375420b33b8be952117d0a4158fa58e722c19be8f44cfd6d7effa21
Instruction ID: c028a43d89851b06b6d8b312316828d3eee8359a726d0fa9a5f52c6647499b4f
Opcode Fuzzy Hash: B0213B401399C252F8372E512C83B9D101FDF82639F8857F197B9396D5EF48400DFA9A
Instruction Fuzzy Hash: c028a43d89851b06b6d8b312316828d3eee8359a726d0fa9a5f52c6647499b4f

APIs

InternetOpenA.WININET(Mozilla,00000001,00000000,00000000,00000000), ref: 0048490C
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,04000000,00000000), ref: 00484944
HttpQueryInfoA.WININET(00000000,00000013,?,00000200,?), ref: 0048497D
InternetReadFile.WININET(00000000,?,00000400,?), ref: 00484A04
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 00484A75
InternetCloseHandle.WININET(00000000), ref: 00484A95

Strings

200, xrefs: 004849BD
Mozilla, xrefs: 00484907
open, xrefs: 00484A6E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00448A94, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 170 Total matches: 10window

Similarity

Total matches: 10
API ID: BitBltImageList_DrawExSetBkColorSetTextColor
String ID: 6B
API String ID: 2442363623-1343726390
Opcode ID: f3e76f340fad2a36508cc9c10341b5bdbc0f221426f742f3eb9c92a513530c20
Instruction ID: 7c37791f634a82759e4cc75f05e789a5555426b5a490053cb838fe875b53176d
Opcode Fuzzy Hash: 041108094568A31EE56978080947F3721865B07A61C4A77A03AF31B3DACD443147FB69
Instruction Fuzzy Hash: 7c37791f634a82759e4cc75f05e789a5555426b5a490053cb838fe875b53176d

APIs

ImageList_DrawEx.COMCTL32(00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,?), ref: 00448AF3

Part of subcall function 0042535C: FillRect.USER32(?,00000000,00000000), ref: 00425385

ImageList_DrawEx.COMCTL32(00000000,?,00000000,00000000,00000000,00000000,00000000,000000FF,00000000,00000000), ref: 00448B94
SetTextColor.GDI32(00000000,00FFFFFF), ref: 00448BE1
SetBkColor.GDI32(00000000,00000000), ref: 00448BE9
BitBlt.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00E20746), ref: 00448C0E
SetTextColor.GDI32(00000000,00FFFFFF), ref: 00448C2F
SetBkColor.GDI32(00000000,00000000), ref: 00448C37
BitBlt.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00E20746), ref: 00448C5A

Part of subcall function 00448A6C: ImageList_GetBkColor.COMCTL32(00000000,?,00448ACD,00000000,?), ref: 00448A82

Strings

6B, xrefs: 00448B05

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A8AC, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 146 Total matches: 45fileprocesssynchronization

Similarity

Total matches: 45
API ID: CloseHandle$CreateFile$CreateProcessWaitForSingleObject
String ID: D
API String ID: 1169714791-2746444292
Opcode ID: 9fb844b51f751657abfdf9935c21911306aa385a3997c9217fbe2ce6b668f812
Instruction ID: 79e473b7fda91be69f4d7f417df14a4c992ec25b9310636d694ca9e09f5cc5b6
Opcode Fuzzy Hash: 4D11E6431384F3F3F1A567002C8275185D6DB45A78E6D9752D6B6323EECB40A16CF94A
Instruction Fuzzy Hash: 79e473b7fda91be69f4d7f417df14a4c992ec25b9310636d694ca9e09f5cc5b6

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000004,00000100,00000000), ref: 0048A953
CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000002,00000100,00000000), ref: 0048A98D
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000110,00000000,00000000,00000044,?), ref: 0048AA10
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0048AA2D
CloseHandle.KERNEL32(00000000), ref: 0048AA68
CloseHandle.KERNEL32(00000000), ref: 0048AA77
CloseHandle.KERNEL32(00000000), ref: 0048AA86
CloseHandle.KERNEL32(00000000), ref: 0048AA95

Strings

D, xrefs: 0048A9BB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00483468, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 118 Total matches: 10networkthread

Similarity

Total matches: 10
API ID: InternetCloseHandle$ExitThreadInternetOpenInternetOpenUrl
String ID: Times.$[.exe]$H4H$myappname
API String ID: 1533170427-2018508691
Opcode ID: 9bfd80528866c3fa2248181b1ccb48c134560f4eab1f6b9a7ba83a7f0698ff3d
Instruction ID: 5d8c8af60e1396200864222ed7d4265ca944ca2bef987cfa67465281aeb1ae53
Opcode Fuzzy Hash: 5201284087779767E0713A843C83BA64057AF53F79E88AB6006383B6C28D5E501EFE1E
Instruction Fuzzy Hash: 5d8c8af60e1396200864222ed7d4265ca944ca2bef987cfa67465281aeb1ae53

APIs

InternetOpenA.WININET(myappname,00000000,00000000,00000000,00000000), ref: 0048350C
InternetOpenUrlA.WININET(?,00000000,00000000,00000000,00000000,00000000), ref: 00483537
InternetCloseHandle.WININET(00000000), ref: 0048353D
InternetCloseHandle.WININET(?), ref: 00483553

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000, Times.,?,?,00000000,00483684,?,BTRESULTVisit URL|finished to visit ,?,004835AC,?,myappname,00000000,00000000,00000000,00000000), ref: 0048359F

Strings

myappname, xrefs: 00483507
H4H, xrefs: 00483497, 0048361C
BTRESULTVisit URL|finished to visit , xrefs: 00483558
Times., xrefs: 0048357D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F3B8, Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 110 Total matches: 30

Similarity

Total matches: 30
API ID: GetWindowPlacementGetWindowText
String ID: ,$False$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive
API String ID: 3194812178-3661939895
Opcode ID: 6e67ebc189e59b109926b976878c05c5ff8e56a7c2fe83319816f47c7d386b2c
Instruction ID: 05c2a068ec8248d3d24fb73124f2ba0192b7bb261c799db9564259cde8fcc610
Opcode Fuzzy Hash: DC012BC22786CE23E606A9C47A00BD0CE65AFB261CCC867E14FEE3C5D57ED100089B96
Instruction Fuzzy Hash: 05c2a068ec8248d3d24fb73124f2ba0192b7bb261c799db9564259cde8fcc610

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F40E
GetWindowPlacement.USER32(?,0000002C), ref: 0046F429

Part of subcall function 0046F148: GetWindow.USER32(?,00000005), ref: 0046F156
Part of subcall function 0046F148: GetWindow.USER32(00000000,00000002), ref: 0046F164

Strings

Maximized, xrefs: 0046F439
,, xrefs: 0046F41D
False, xrefs: 0046F4D6
Show/Unactive, xrefs: 0046F475
Normal, xrefs: 0046F44D
Minimized, xrefs: 0046F461
Normal/Unactive, xrefs: 0046F489

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00456278, Relevance: 15.2, APIs: 10, Instructions: 197 Total matches: 3025

Similarity

Total matches: 3025
API ID: GetWindowLong$IntersectClipRectRestoreDCSaveDC
String ID:
API String ID: 3006731778-0
Opcode ID: 42e9e34b880910027b3e3a352b823e5a85719ef328f9c6ea61aaf2d3498d6580
Instruction ID: 4204c0258dd60c0c2688d7e8ce7edc9cd036ce1826430425374ca7ebdb7834a4
Opcode Fuzzy Hash: 4621F609168D5267EC7B75806993BAA7111FB82B88CD1F7321AA1171975B80204BFA07
Instruction Fuzzy Hash: 4204c0258dd60c0c2688d7e8ce7edc9cd036ce1826430425374ca7ebdb7834a4

APIs

SaveDC.GDI32(?), ref: 00456295

Part of subcall function 0044EEA0: GetWindowOrgEx.GDI32(?), ref: 0044EEAE
Part of subcall function 0044EEA0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044EEC4

IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 004562CE
GetWindowLongA.USER32(00000000,000000EC), ref: 004562E2
GetWindowLongA.USER32(00000000,000000F0), ref: 00456303

Part of subcall function 00456278: SetRect.USER32(00000010,00000000,00000000,?,?), ref: 00456363
Part of subcall function 00456278: IntersectClipRect.GDI32(?,00000000,00000000,00000010,?), ref: 004563D3
Part of subcall function 00456278: SetRect.USER32(?,00000000,00000000,?,?), ref: 004563F4
Part of subcall function 00456278: DrawEdge.USER32(?,?,00000000,00000000), ref: 00456403
Part of subcall function 00456278: IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0045642C

RestoreDC.GDI32(?,?), ref: 004564AB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043F2B8, Relevance: 15.1, APIs: 10, Instructions: 133 Total matches: 142window

Similarity

Total matches: 142
API ID: GetWindowLongSendMessageSetWindowLong$GetClassLongGetSystemMenuSetClassLongSetWindowPos
String ID:
API String ID: 864553395-0
Opcode ID: 9ab73d602731c043e05f06fe9a833ffc60d2bf7da5b0a21ed43778f35c9aa1f5
Instruction ID: 86e40c6f39a8dd384175e0123e2dc7e82ae64037638b8220b5ac0861a23d6a34
Opcode Fuzzy Hash: B101DBAA1A176361E0912DCCCAC3B2ED50DB743248EB0DBD922E11540E7F4590A7FE2D
Instruction Fuzzy Hash: 86e40c6f39a8dd384175e0123e2dc7e82ae64037638b8220b5ac0861a23d6a34

APIs

GetWindowLongA.USER32(00000000,000000F0), ref: 0043F329
GetWindowLongA.USER32(00000000,000000EC), ref: 0043F33B
GetClassLongA.USER32(00000000,000000E6), ref: 0043F34E
SetWindowLongA.USER32(00000000,000000F0,00000000), ref: 0043F38E
SetWindowLongA.USER32(00000000,000000EC,?), ref: 0043F3A2
SetClassLongA.USER32(00000000,000000E6,?), ref: 0043F3B6
SendMessageA.USER32(00000000,00000080,00000001,00000000), ref: 0043F3F0
SendMessageA.USER32(00000000,00000080,00000001,00000000), ref: 0043F408
GetSystemMenu.USER32(00000000,000000FF), ref: 0043F417
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043F440

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044155C, Relevance: 15.1, APIs: 10, Instructions: 74 Total matches: 3192window

Similarity

Total matches: 3192
API ID: DeleteMenu$EnableMenuItem$GetSystemMenu
String ID:
API String ID: 3542995237-0
Opcode ID: 6b257927fe0fdeada418aad578b82fbca612965c587f2749ccb5523ad42afade
Instruction ID: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578
Opcode Fuzzy Hash: 0AF0D09DD98F1151E6F500410C47B83C08AFF413C5C245B380583217EFA9D25A5BEB0E
Instruction Fuzzy Hash: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 004415A7
DeleteMenu.USER32(00000000,0000F130,00000000), ref: 004415C5
DeleteMenu.USER32(00000000,00000007,00000400), ref: 004415D2
DeleteMenu.USER32(00000000,00000005,00000400), ref: 004415DF
DeleteMenu.USER32(00000000,0000F030,00000000), ref: 004415EC
DeleteMenu.USER32(00000000,0000F020,00000000), ref: 004415F9
DeleteMenu.USER32(00000000,0000F000,00000000), ref: 00441606
DeleteMenu.USER32(00000000,0000F120,00000000), ref: 00441613
EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 00441631
EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 0044164D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040281E, Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 188 Total matches: 190window

Similarity

Total matches: 190
API ID: MessageBox
String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
API String ID: 1250089747-980038931
Opcode ID: 1669ecd234b97cdbd14c3df7a35b1e74c6856795be7635a3e0f5130a3d9bc831
Instruction ID: 2e60dbe28dcd1d3aa5670394eea0bc97309ab4bc9661f15f320bab8b5d4cd559
Opcode Fuzzy Hash: 8E21F44B67EED392D3EA1303384575540E3ABC5537D888F60977232BF6EE14140BAA9D
Instruction Fuzzy Hash: 2e60dbe28dcd1d3aa5670394eea0bc97309ab4bc9661f15f320bab8b5d4cd559

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 00402BBE

Strings

An unexpected memory leak has occurred. , xrefs: 00402980
, xrefs: 00402B04
The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402B39
The unexpected small block leaks are:, xrefs: 004029F7
Unexpected Memory Leak, xrefs: 00402BB0
7, xrefs: 00402991
bytes: , xrefs: 00402A4D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004710F0, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 66 Total matches: 37

Similarity

Total matches: 37
API ID: GetWindowShowWindow$FindWindowGetClassName
String ID: BUTTON$Shell_TrayWnd
API String ID: 2948047570-3627955571
Opcode ID: 9e064d9ead1b610c0c1481de5900685eb7d76be14ef2e83358ce558d27e67668
Instruction ID: d360bd029940f6fa4d12d7627fe3e8b46839e67e31e965d43504e39a11938d6c
Opcode Fuzzy Hash: 68E092CC17B5D469B71A2789284236241D5C763A35C18B752D332376DF8E58021EE60A
Instruction Fuzzy Hash: d360bd029940f6fa4d12d7627fe3e8b46839e67e31e965d43504e39a11938d6c

APIs

FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 0047111D
GetWindow.USER32(00000000,00000005), ref: 00471125
GetClassNameA.USER32(00000000,?,00000080), ref: 0047113D
ShowWindow.USER32(00000000,00000001), ref: 0047117C
ShowWindow.USER32(00000000,00000000), ref: 00471186
GetWindow.USER32(00000000,00000002), ref: 0047118E

Strings

BUTTON, xrefs: 00471168
Shell_TrayWnd, xrefs: 00471118

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040DA34, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 56 Total matches: 16filewindow

Similarity

Total matches: 16
API ID: GetStdHandleWriteFile$CharToOemLoadStringMessageBox
String ID: LPI
API String ID: 3807148645-863635926
Opcode ID: 539cd2763de28bf02588dbfeae931fa34031625c31423c558e1c96719d1f86e4
Instruction ID: 5b0ab8211e0f5c40d4b1780363d5c9b524eff0228eb78845b7b0cb7c9884c59c
Opcode Fuzzy Hash: B1E09A464E3CA62353002E1070C6B892287EF4302E93833828A11787D74E3104E9A21C
Instruction Fuzzy Hash: 5b0ab8211e0f5c40d4b1780363d5c9b524eff0228eb78845b7b0cb7c9884c59c

APIs

Part of subcall function 0040D8AC: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040D8C9
Part of subcall function 0040D8AC: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040D8ED
Part of subcall function 0040D8AC: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040D908
Part of subcall function 0040D8AC: LoadStringA.USER32(00000000,0000FFED,?,00000100), ref: 0040D99E

CharToOemA.USER32(?,?), ref: 0040DA6B
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,0040E1ED,0040E312,0040FDD4,00000000,0040FF18), ref: 0040DA88
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?), ref: 0040DA8E
GetStdHandle.KERNEL32(000000F4,0040DAF8,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,0040E1ED,0040E312,0040FDD4,00000000,0040FF18), ref: 0040DAA3
WriteFile.KERNEL32(00000000,000000F4,0040DAF8,00000002,?), ref: 0040DAA9
LoadStringA.USER32(00000000,0000FFEE,?,00000040), ref: 0040DACB
MessageBoxA.USER32(00000000,?,?,00002010), ref: 0040DAE1

Strings

LPI, xrefs: 0040DA48

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004564D0, Relevance: 13.7, APIs: 9, Instructions: 177 Total matches: 190window

Similarity

Total matches: 190
API ID: SelectObject$BeginPaintBitBltCreateCompatibleBitmapCreateCompatibleDCSetWindowOrgEx
String ID:
API String ID: 1616898104-0
Opcode ID: 00b711a092303d63a394b0039c66d91bff64c6bf82b839551a80748cfcb5bf1e
Instruction ID: 1affb125a654ca7596d0e4f6c4811def945eff925a29ebecd1c68cf0f38a7913
Opcode Fuzzy Hash: 14115B85024DA637E8739CC85E83F962294F307D48C91F7729BA31B2C72F15600DD293
Instruction Fuzzy Hash: 1affb125a654ca7596d0e4f6c4811def945eff925a29ebecd1c68cf0f38a7913

APIs

Part of subcall function 00455D50: BeginPaint.USER32(00000000,?), ref: 00455D7B
Part of subcall function 00455D50: SaveDC.GDI32(00000000), ref: 00455DB4
Part of subcall function 00455D50: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 00455E36
Part of subcall function 00455D50: RestoreDC.GDI32(00000000,00000000), ref: 00455E6C
Part of subcall function 00455D50: EndPaint.USER32(00000000,?), ref: 00455EA9

BeginPaint.USER32(00000000,?), ref: 004565EA
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00456600
CreateCompatibleDC.GDI32(00000000), ref: 00456617
SelectObject.GDI32(?,?), ref: 00456627
SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0045664B

Part of subcall function 004564D0: BeginPaint.USER32(00000000,?), ref: 0045653C
Part of subcall function 004564D0: EndPaint.USER32(00000000,?), ref: 004565D0

BitBlt.GDI32(00000000,?,?,?,?,?,?,?,00CC0020), ref: 00456699
SelectObject.GDI32(?,?), ref: 004566B3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004840D8, Relevance: 13.6, APIs: 9, Instructions: 150 Total matches: 30

Similarity

Total matches: 30
API ID: CloseHandleGetTokenInformationLookupAccountSid$GetLastErrorOpenProcessOpenProcessToken
String ID:
API String ID: 1387212650-0
Opcode ID: 55fc45e655e8bcad6bc41288bae252f5ee7be0b7cb976adfe173a6785b05be5f
Instruction ID: 4c6b5abeafcca947752a893948ed48d42e020b1fe5683f4a654fc51f6199c0a3
Opcode Fuzzy Hash: 3901484A17CA2293F53BB5C82483FEA1215E702B45D48B7A354F43A59A5F45A13BF702
Instruction Fuzzy Hash: 4c6b5abeafcca947752a893948ed48d42e020b1fe5683f4a654fc51f6199c0a3

APIs

OpenProcess.KERNEL32(00000400,00000000,?,00000000,00484275), ref: 00484108
OpenProcessToken.ADVAPI32(00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 0048411E
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,?,00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 00484139
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),?,?,?,?,TokenIntegrityLevel,00000000,00000000,?,00000000,00000008,?,00000400,00000000), ref: 00484168
GetLastError.KERNEL32(?,TokenIntegrityLevel,00000000,00000000,?,00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 00484177
CloseHandle.KERNEL32(?), ref: 00484185
LookupAccountSidA.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 004841B4
LookupAccountSidA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,?), ref: 00484205
CloseHandle.KERNEL32(00000000), ref: 00484255

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00451458, Relevance: 13.6, APIs: 9, Instructions: 122 Total matches: 3040window

Similarity

Total matches: 3040
API ID: PatBlt$SelectObject$GetDCExGetDesktopWindowReleaseDC
String ID:
API String ID: 2402848322-0
Opcode ID: 0b1cd19b0e82695ca21d43bacf455c9985e1afa33c1b29ce2f3a7090b744ccb2
Instruction ID: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593
Opcode Fuzzy Hash: C2F0B4482AADF707C8B6350915C7F79224AED736458F4BB694DB4172CBAF27B014D093
Instruction Fuzzy Hash: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593

APIs

GetDesktopWindow.USER32 ref: 0045148F
GetDCEx.USER32(?,00000000,00000402), ref: 004514A2

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

SelectObject.GDI32(?,00000000), ref: 004514C5
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 004514EB
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0045150D
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 0045152C
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 00451546
SelectObject.GDI32(?,?), ref: 00451553
ReleaseDC.USER32(?,?), ref: 0045156D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00465598, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 194 Total matches: 72libraryloader

Similarity

Total matches: 72
API ID: GetProcAddress$IsBadReadPtrLoadLibrary
String ID: BuildImportTable: GetProcAddress failed$BuildImportTable: ReallocMemory failed$BuildImportTable: can't load library:
API String ID: 1616315271-1384308123
Opcode ID: eb45955122e677bac4d3e7b6686ec9cba9f45ae3ef48f3e0b242e9a0c3719a7c
Instruction ID: d25742ef4bc1d51b96969838743a3f95180d575e7d72d5f7fe617812cb4009d6
Opcode Fuzzy Hash: 0B214C420345E0D3ED39A2081CC7FB15345EF639B4D88AB671ABB667FA2985500AF50D
Instruction Fuzzy Hash: d25742ef4bc1d51b96969838743a3f95180d575e7d72d5f7fe617812cb4009d6

APIs

LoadLibraryA.KERNEL32(00000000), ref: 00465607
GetProcAddress.KERNEL32(?,?), ref: 00465737
GetProcAddress.KERNEL32(?,?), ref: 0046576B
IsBadReadPtr.KERNEL32(?,00000014,00000000,004657D8), ref: 004657A9

Strings

BuildImportTable: can't load library: , xrefs: 00465644
BuildImportTable: ReallocMemory failed, xrefs: 0046568D
BuildImportTable: GetProcAddress failed, xrefs: 0046577C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482E34, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 193 Total matches: 16sleepthread

Similarity

Total matches: 16
API ID: Sleep$CreateThreadExitThread
String ID: .255$127.0.0.1$LanList
API String ID: 1155887905-2919614961
Opcode ID: f9aceb7697053a60f8f2203743265727de6b3c16a25ac160ebf033b594fe70c2
Instruction ID: 67bc21a589158fc7afeef0b5d02271f7d18e2bfc14a4273c93325a5ef21c2c98
Opcode Fuzzy Hash: 62215C820F87955EED616C807C41FA701315FB7649D4FAB622A6B3A1A74E032016B743
Instruction Fuzzy Hash: 67bc21a589158fc7afeef0b5d02271f7d18e2bfc14a4273c93325a5ef21c2c98

APIs

ExitThread.KERNEL32(00000000,00000000,004830D3,?,?,?,?,00000000,00000000), ref: 004830A6

Part of subcall function 00473208: socket.WSOCK32(00000002,00000001,00000000,00000000,00473339), ref: 0047323B
Part of subcall function 00473208: WSAIoctl.WS2_32(000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000), ref: 0047327C
Part of subcall function 00473208: inet_ntoa.WSOCK32(?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000), ref: 004732AC
Part of subcall function 00473208: inet_ntoa.WSOCK32(?,?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001), ref: 004732E8
Part of subcall function 00473208: closesocket.WSOCK32(000000FF,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000,00000000,00473339), ref: 00473319

CreateThread.KERNEL32(00000000,00000000,Function_00082CDC,?,00000000,?), ref: 00483005
Sleep.KERNEL32(00000032,00000000,00000000,Function_00082CDC,?,00000000,?,?,00000000,00000000,00483104,?,00483104,?,00483104,?), ref: 0048300C
Sleep.KERNEL32(00000064,.255,?,00483104,?,00483104,?,?,00000000,004830D3,?,?,?,?,00000000,00000000), ref: 00483054

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

127.0.0.1, xrefs: 00482E9D
LanList, xrefs: 0048306B
.255, xrefs: 0048303C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004117E8, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: f440f800a6dcfa6827f62dcd7c23166eba4d720ac19948e634cff8498f9e3f0b
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 4D113503239AAB83B0257B804C83F24D1D0DE42D36ACD97B8C672693F32601561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00411881
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041189D
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 004118D6
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411953
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0041196C
VariantCopy.OLEAUT32(?), ref: 004119A1

Strings

, xrefs: 00411802

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00454934, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 134 Total matches: 1764registry

Similarity

Total matches: 1764
API ID: GetWindowLong$GetClassInfoRegisterClassSetWindowLongUnregisterClass
String ID: @
API String ID: 2433521760-2766056989
Opcode ID: bb057d11bcffa2997f58ae607b8aec9f6d517787b85221cca69b6bc40098651c
Instruction ID: 4013627ed433dbc6b152acdb164a0da3d29e3622e0b68fd627badcaca3a3b516
Opcode Fuzzy Hash: 5A119C80560CD237E7D669A4B48378513749F97B7CDD0536B63F6242DA4E00402DF96E
Instruction Fuzzy Hash: 4013627ed433dbc6b152acdb164a0da3d29e3622e0b68fd627badcaca3a3b516

APIs

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetClassInfoA.USER32(?,?,?), ref: 004549F8
UnregisterClassA.USER32(?,?), ref: 00454A20
RegisterClassA.USER32(?), ref: 00454A36
GetWindowLongA.USER32(00000000,000000F0), ref: 00454A72
GetWindowLongA.USER32(00000000,000000F4), ref: 00454A87
SetWindowLongA.USER32(00000000,000000F4,00000000), ref: 00454A9A

Part of subcall function 00458910: IsIconic.USER32(?), ref: 0045891F
Part of subcall function 00458910: GetWindowPlacement.USER32(?,0000002C), ref: 0045893C
Part of subcall function 00458910: GetWindowRect.USER32(?), ref: 00458955
Part of subcall function 00458910: GetWindowLongA.USER32(?,000000F0), ref: 00458963
Part of subcall function 00458910: GetWindowLongA.USER32(?,000000F8), ref: 00458978
Part of subcall function 00458910: ScreenToClient.USER32(00000000), ref: 00458985
Part of subcall function 00458910: ScreenToClient.USER32(00000000,?), ref: 00458990

Part of subcall function 0042473C: CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,00424930,?,00000000,00424958), ref: 0042486B
Part of subcall function 0042473C: CreateFontIndirectA.GDI32(?), ref: 0042490D

Part of subcall function 0040F26C: GetLastError.KERNEL32(0040F31C,?,0041BBC3,?), ref: 0040F26C

Strings

@, xrefs: 0045496D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AC14, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 110 Total matches: 30

Similarity

Total matches: 30
API ID: GetCurrentProcessGetTokenInformationLookupPrivilegeDisplayNameLookupPrivilegeNameOpenProcessToken
String ID: GetTokenInformation error$OpenProcessToken error
API String ID: 34442935-1842041635
Opcode ID: 07715b92dc7caf9e715539a578f275bcd2bb60a34190f84cc6cf05c55eb8ea49
Instruction ID: 380ab001647c8b3903b6034fc21424389ae21c1771cfbd9cf9b74ae493e33b6b
Opcode Fuzzy Hash: 9101994303ACF753F62929086842BDA0550DF534A5EC4AB6281746BEC90F28203AFB57
Instruction Fuzzy Hash: 380ab001647c8b3903b6034fc21424389ae21c1771cfbd9cf9b74ae493e33b6b

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AD60), ref: 0048AC51
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AD60), ref: 0048AC57
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000320,?,00000000,00000028,?,00000000,0048AD60), ref: 0048AC7D
LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,00000000,000000FF,?), ref: 0048ACEE

Part of subcall function 00489B40: MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00489B84

LookupPrivilegeNameA.ADVAPI32(00000000,?,00000000,000000FF), ref: 0048ACDD

Strings

GetTokenInformation error, xrefs: 0048AC86
OpenProcessToken error, xrefs: 0048AC60

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0041F7B4, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109 Total matches: 16thread

Similarity

Total matches: 16
API ID: EnterCriticalSectionGetCurrentThreadId$InterlockedExchangeLeaveCriticalSection
String ID: 4PI
API String ID: 853095497-1771581502
Opcode ID: e7ac2c5012fa839d146893c0705f22c4635eb548c5d0be0363ce03b581d14a20
Instruction ID: e450c16710015a04d827bdf36dba62923dd4328c0a0834b889eda6f9c026b195
Opcode Fuzzy Hash: 46F0268206D8F1379472678830D77370A8AC33154EC85EB52162C376EB1D05D05DE75B
Instruction Fuzzy Hash: e450c16710015a04d827bdf36dba62923dd4328c0a0834b889eda6f9c026b195

APIs

GetCurrentThreadId.KERNEL32 ref: 0041F7BF
GetCurrentThreadId.KERNEL32 ref: 0041F7CE
EnterCriticalSection.KERNEL32(004999D0,0041F904,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F8F7

Part of subcall function 0041F774: WaitForSingleObject.KERNEL32(000000EC), ref: 0041F77E

Part of subcall function 0041F768: ResetEvent.KERNEL32(000000EC,0041F809), ref: 0041F76E

EnterCriticalSection.KERNEL32(004999D0), ref: 0041F813
InterlockedExchange.KERNEL32(00491B2C,?), ref: 0041F82F
LeaveCriticalSection.KERNEL32(004999D0,00000000,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F888

Strings

4PI, xrefs: 0041F7C4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00449834, Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 80 Total matches: 16libraryloader

Similarity

Total matches: 16
API ID: GetModuleHandleGetProcAddressImageList_Write
String ID: $qA$ImageList_WriteEx$[FILE]$[FILE]
API String ID: 3028349119-1134023085
Opcode ID: 9b6b780f1487285524870f905d0420896c1378cf45dbecae2d97141bf0e14d48
Instruction ID: 043155abd17610354dead4f4dd3580dd0e6203469d1d2f069e389e4af6e4a666
Opcode Fuzzy Hash: 29F059C6A0CCF14AE7175584B0AB66107F0BB9DD5F8C87710081C710A90F95A13DFB56
Instruction Fuzzy Hash: 043155abd17610354dead4f4dd3580dd0e6203469d1d2f069e389e4af6e4a666

APIs

ImageList_Write.COMCTL32(00000000,?,00000000,0044992E), ref: 004498F8

Part of subcall function 0040E3A4: GetFileVersionInfoSizeA.VERSION(00000000,?,00000000,0040E47A), ref: 0040E3E6
Part of subcall function 0040E3A4: GetFileVersionInfoA.VERSION(00000000,?,00000000,?,00000000,0040E45D,?,00000000,?,00000000,0040E47A), ref: 0040E41B
Part of subcall function 0040E3A4: VerQueryValueA.VERSION(?,0040E48C,?,?,00000000,?,00000000,?,00000000,0040E45D,?,00000000,?,00000000,0040E47A), ref: 0040E435

GetModuleHandleA.KERNEL32(comctl32.dll), ref: 00449868
GetProcAddress.KERNEL32(00000000,ImageList_WriteEx,comctl32.dll), ref: 00449879

Strings

comctl32.dll, xrefs: 00449863
ImageList_WriteEx, xrefs: 00449873
$qA, xrefs: 004498D4, 00449909
comctl32.dll, xrefs: 00449848

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E4A0, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68 Total matches: 2853string

Similarity

Total matches: 2853
API ID: GetSystemMetrics$GetMonitorInfoSystemParametersInfolstrcpy
String ID: DISPLAY$GetMonitorInfo
API String ID: 3432438702-1633989206
Opcode ID: eae47ffeee35c10db4cae29e8a4ab830895bcae59048fb7015cdc7d8cb0a928b
Instruction ID: 74142331967dee0409fd24cf408a58a7466f2520650418456c75ade1e3029da4
Opcode Fuzzy Hash: 28E068803A699081F86A71027110F4912B07AE7E47D883B92C4777051BD78265B91D01
Instruction Fuzzy Hash: 74142331967dee0409fd24cf408a58a7466f2520650418456c75ade1e3029da4

APIs

GetMonitorInfoA.USER32(?,?), ref: 0042E4D1
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042E4F8
GetSystemMetrics.USER32(00000000), ref: 0042E50D
GetSystemMetrics.USER32(00000001), ref: 0042E518
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0042E542

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

DISPLAY, xrefs: 0042E539
GetMonitorInfo, xrefs: 0042E4B8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E574, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 68 Total matches: 14string

Similarity

Total matches: 14
API ID: GetSystemMetrics$SystemParametersInfolstrcpy
String ID: DISPLAY$GetMonitorInfoA$tB
API String ID: 920390751-4256241499
Opcode ID: 9a94b6fb1edcb78a0c9a66795ebd84d1eeb67d07ab6805deb2fcd0b49b846e84
Instruction ID: eda70eb6c6723b3d8ed12733fddff3b40501d2063d2ec80ebb02aba850291404
Opcode Fuzzy Hash: 78E068C132298081B86A31013160F42129039E7E17E883BC1D4F77056B8B8275651D08
Instruction Fuzzy Hash: eda70eb6c6723b3d8ed12733fddff3b40501d2063d2ec80ebb02aba850291404

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042E5CC
GetSystemMetrics.USER32(00000000), ref: 0042E5E1
GetSystemMetrics.USER32(00000001), ref: 0042E5EC
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0042E616

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

GetMonitorInfoA, xrefs: 0042E58C
tB, xrefs: 0042E591, 0042E59E, 0042E5A5
DISPLAY, xrefs: 0042E60D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E648, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 68 Total matches: 10string

Similarity

Total matches: 10
API ID: GetSystemMetrics$SystemParametersInfolstrcpy
String ID: DISPLAY$GetMonitorInfoW$HB
API String ID: 920390751-4214253287
Opcode ID: 39694e9d9e018d210cdbb9f258b89a02c97d0963af088e59ad359ed5c593a5a2
Instruction ID: 715dbc0accc45c62a460a5bce163b1305142a94d166b4e77b7d7de915e09a29c
Opcode Fuzzy Hash: C6E0D8802269D0C5B86A71013254F4712E53EFBF57C8C3B51D5737156A5782A6B51D11
Instruction Fuzzy Hash: 715dbc0accc45c62a460a5bce163b1305142a94d166b4e77b7d7de915e09a29c

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042E6A0
GetSystemMetrics.USER32(00000000), ref: 0042E6B5
GetSystemMetrics.USER32(00000001), ref: 0042E6C0
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0042E6EA

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

GetMonitorInfoW, xrefs: 0042E660
HB, xrefs: 0042E665, 0042E672, 0042E679
DISPLAY, xrefs: 0042E6E1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004052FC, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38 Total matches: 3072filewindow

Similarity

Total matches: 3072
API ID: GetStdHandleWriteFile$MessageBox
String ID: Error$Runtime error at 00000000
API String ID: 877302783-2970929446
Opcode ID: a2f2a555d5de0ed3a3cdfe8a362fd9574088acc3a5edf2b323f2c4251b80d146
Instruction ID: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97
Opcode Fuzzy Hash: FED0A7C68438479FA141326030C4B2A00133F0762A9CC7396366CB51DFCF4954BCDD05
Instruction Fuzzy Hash: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405335
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 0040533B
GetStdHandle.KERNEL32(000000F5,00405384,00000002,?,00000000,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405350
WriteFile.KERNEL32(00000000,000000F5,00405384,00000002,?), ref: 00405356
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00405374

Strings

Error, xrefs: 00405368
Runtime error at 00000000, xrefs: 0040532E, 0040536D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00442C9C, Relevance: 12.2, APIs: 8, Instructions: 154 Total matches: 2310window

Similarity

Total matches: 2310
API ID: SendMessage$GetActiveWindowGetCapture$ReleaseCapture
String ID:
API String ID: 3360342259-0
Opcode ID: 2e7a3c9d637816ea08647afd4d8ce4a3829e05fa187c32cef18f4a4206af3d5d
Instruction ID: f313f7327938110f0d474da6a120560d1e1833014bacf3192a9076ddb3ef11f7
Opcode Fuzzy Hash: 8F1150111E8E7417F8A3A1C8349BB23A067F74FA59CC0BF71479A610D557588869D707
Instruction Fuzzy Hash: f313f7327938110f0d474da6a120560d1e1833014bacf3192a9076ddb3ef11f7

APIs

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetCapture.USER32 ref: 00442D0D
GetCapture.USER32 ref: 00442D1C
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00442D22
ReleaseCapture.USER32 ref: 00442D27
GetActiveWindow.USER32 ref: 00442D78

Part of subcall function 004442A8: GetCursorPos.USER32 ref: 004442C3
Part of subcall function 004442A8: WindowFromPoint.USER32(?,?), ref: 004442D0
Part of subcall function 004442A8: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004442DE
Part of subcall function 004442A8: GetCurrentThreadId.KERNEL32(00000000,00000000,?,?), ref: 004442E5
Part of subcall function 004442A8: SendMessageA.USER32(00000000,00000084,00000000,?), ref: 0044430E
Part of subcall function 004442A8: SendMessageA.USER32(00000000,00000020,00000000,?), ref: 00444320
Part of subcall function 004442A8: SetCursor.USER32(00000000), ref: 00444332

Part of subcall function 0043B920: GetCurrentThreadId.KERNEL32(0043B8D0,00000000,00000000,0043B993,?,00000000,0043B9D1), ref: 0043B976
Part of subcall function 0043B920: EnumThreadWindows.USER32(00000000,0043B8D0,00000000), ref: 0043B97C

SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00442E0E
SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00442E7B
GetActiveWindow.USER32 ref: 00442E8A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E0DC, Relevance: 12.1, APIs: 8, Instructions: 100 Total matches: 31registry

Similarity

Total matches: 31
API ID: RegOpenKeyEx$RegCloseKeyRegDeleteValue
String ID:
API String ID: 2702562355-0
Opcode ID: ff1bffc0fc9da49c543c68ea8f8c068e074332158ed00d7e0855fec77d15ce10
Instruction ID: bb6f8a9e936068d281b70d3ea2ea02ff1a791729bc38357734c580253c916b5c
Opcode Fuzzy Hash: 00F0AD0155E9A353EBF654C41E127DB2082FF43A44D08FFB50392139D3DF581028E663
Instruction Fuzzy Hash: bb6f8a9e936068d281b70d3ea2ea02ff1a791729bc38357734c580253c916b5c

APIs

RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?,00000000,0046E238), ref: 0046E15A
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,000F003F,?,0046E23F,80000000,00000000,00000000,000F003F,?,00000000,0046E238), ref: 0046E17D
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,0046E23F,80000000,00000000,00000000,000F003F,?), ref: 0046E19D
RegOpenKeyExA.ADVAPI32(80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,0046E23F), ref: 0046E1BD
RegOpenKeyExA.ADVAPI32(80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001), ref: 0046E1DD
RegOpenKeyExA.ADVAPI32(80000006,00000000,00000000,000F003F,?,80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002), ref: 0046E1FD
RegDeleteValueA.ADVAPI32(?,00000000,00000000,0046E238), ref: 0046E20F
RegCloseKey.ADVAPI32(?,?,00000000,00000000,0046E238), ref: 0046E218

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004462F4, Relevance: 12.1, APIs: 8, Instructions: 99 Total matches: 293windowthread

Similarity

Total matches: 293
API ID: SendMessage$GetWindowThreadProcessId$GetCaptureGetParentIsWindowUnicode
String ID:
API String ID: 2317708721-0
Opcode ID: 8f6741418f060f953fc426fb00df5905d81b57fcb2f7a38cdc97cb0aab6d7365
Instruction ID: 027f2b09132ef415e1641618d15c0fc03404835376b0cbd1c352fc703b58c8b5
Opcode Fuzzy Hash: D0F09E15071D1844F89FA7844CD3F1F0150E73726FC516A251861D07BB2640586DEC40
Instruction Fuzzy Hash: 027f2b09132ef415e1641618d15c0fc03404835376b0cbd1c352fc703b58c8b5

APIs

GetCapture.USER32 ref: 0044631A
GetParent.USER32(00000000), ref: 00446340
IsWindowUnicode.USER32(00000000), ref: 0044635D
SendMessageW.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446378
SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446397
GetWindowThreadProcessId.USER32(00000000), ref: 004463A6
GetWindowThreadProcessId.USER32(?,?), ref: 004463B4
SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 004463D4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E244, Relevance: 12.1, APIs: 8, Instructions: 95 Total matches: 27registry

Similarity

Total matches: 27
API ID: RegOpenKeyEx$RegCloseKeyRegDeleteKey
String ID:
API String ID: 1588268847-0
Opcode ID: efa1fa3a126963e045954320cca245066a4b5764b694b03be027155e6cf74c33
Instruction ID: 786d86d630c0ce6decb55c8266b1f23f89dbfeab872e22862efc69a80fb541cf
Opcode Fuzzy Hash: 70F0810454D99393EFF268C81A627EB2492FF53141C00BFB603D222A93DF191428E663
Instruction Fuzzy Hash: 786d86d630c0ce6decb55c8266b1f23f89dbfeab872e22862efc69a80fb541cf

APIs

RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?,00000000,0046E391), ref: 0046E2B7
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,000F003F,?,80000000,00000000,00000000,000F003F,?,00000000,0046E391), ref: 0046E2DA
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,80000000,00000000,00000000,000F003F,?,00000000), ref: 0046E2FA
RegOpenKeyExA.ADVAPI32(80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,80000000), ref: 0046E31A
RegOpenKeyExA.ADVAPI32(80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001), ref: 0046E33A
RegOpenKeyExA.ADVAPI32(80000006,00000000,00000000,000F003F,?,80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002), ref: 0046E35A
RegDeleteKeyA.ADVAPI32(?,0046E39C), ref: 0046E368
RegCloseKey.ADVAPI32(?,?,0046E39C,00000000,0046E391), ref: 0046E371

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426060, Relevance: 12.1, APIs: 8, Instructions: 79 Total matches: 3072window

Similarity

Total matches: 3072
API ID: GetSystemPaletteEntries$GetDCGetDeviceCapsReleaseDC
String ID:
API String ID: 3774187343-0
Opcode ID: c8a1f0028bda89d06ba34fecd970438ce26e4f5bd606e2da3d468695089984a8
Instruction ID: 0cfe958825060108f21fe327ec74807f3ea840bb8274bad68fd1d00675d59d02
Opcode Fuzzy Hash: 82F0E9420739F3B3B21723492453B548250FF006B8F195B7095A2A37D54B486A08D65A
Instruction Fuzzy Hash: 0cfe958825060108f21fe327ec74807f3ea840bb8274bad68fd1d00675d59d02

APIs

GetDC.USER32(00000000), ref: 0042608E
GetDeviceCaps.GDI32(?,00000068), ref: 004260AA
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 004260C9
GetSystemPaletteEntries.GDI32(?,-00000008,00000001,00C0C0C0), ref: 004260ED
GetSystemPaletteEntries.GDI32(?,00000000,00000007,?), ref: 0042610B
GetSystemPaletteEntries.GDI32(?,00000007,00000001,?), ref: 0042611F
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0042613F
ReleaseDC.USER32(00000000,?), ref: 00426157

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434550, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 177 Total matches: 2669window

Similarity

Total matches: 2669
API ID: InsertMenu$GetVersionInsertMenuItem
String ID: ,$?
API String ID: 1158528009-2308483597
Opcode ID: 3691d3eb49acf7fe282d18733ae3af9147e5be4a4a7370c263688d5644077239
Instruction ID: d88e58a9695d0ecde36b26a9ed5775f3b98e27f7dc2108173ae1ec2afbf22209
Opcode Fuzzy Hash: 7021C07202AE81DBD414788C7954F6221B16B5465FD49FF210329B5DD98F156003FF7A
Instruction Fuzzy Hash: d88e58a9695d0ecde36b26a9ed5775f3b98e27f7dc2108173ae1ec2afbf22209

APIs

GetVersion.KERNEL32(00000000,004347A1), ref: 004345EC
InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 004346F5
InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 0043477E

Part of subcall function 00434A54: CreatePopupMenu.USER32 ref: 00434A6F
Part of subcall function 00434A54: CreateMenu.USER32 ref: 00434A79

InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 00434765

Strings

?, xrefs: 00434607
,, xrefs: 00434600

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00488D70, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 139 Total matches: 17window

Similarity

Total matches: 17
API ID: BitBltCreateCompatibleBitmapCreateCompatibleDCCreateDCSelectObject
String ID: image/jpeg
API String ID: 3045076971-3785015651
Opcode ID: dbe4b5206c04ddfa7cec44dd0e3e3f3269a9d8eacf2ec53212285f1a385d973c
Instruction ID: b6a9b81207b66fd46b40be05ec884117bb921c7e8fb4f30b77988d552b54040a
Opcode Fuzzy Hash: 3001BD010F4EF103E475B5CC3853FF7698AEB17E8AD1A77A20CB8961839202A009F607
Instruction Fuzzy Hash: b6a9b81207b66fd46b40be05ec884117bb921c7e8fb4f30b77988d552b54040a

APIs

CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 00488DAA
CreateCompatibleDC.GDI32(?), ref: 00488DC4
CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 00488DDC
SelectObject.GDI32(?,?), ref: 00488DEC
BitBlt.GDI32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,00CC0020), ref: 00488E15

Part of subcall function 0045FB1C: GdipCreateBitmapFromHBITMAP.GDIPLUS(?,?,?), ref: 0045FB43

Part of subcall function 0045FA24: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,0045FA7A), ref: 0045FA54

Strings

image/jpeg, xrefs: 00488E70

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446834, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 138 Total matches: 241window

Similarity

Total matches: 241
API ID: SetWindowPos$GetWindowRectMessageBoxSetActiveWindow
String ID: (
API String ID: 3733400490-3887548279
Opcode ID: 057cc1c80f110adb1076bc5495aef73694a74091f1d008cb79dd59c6bbc78491
Instruction ID: b10abcdf8b99517cb61353ac0e0d7546e107988409174f4fad3563684715349e
Opcode Fuzzy Hash: 88014C110E8D5483B57334902893FAB110AFB8B789C4CF7F65ED25314A4B45612FA657
Instruction Fuzzy Hash: b10abcdf8b99517cb61353ac0e0d7546e107988409174f4fad3563684715349e

APIs

Part of subcall function 00447BE4: GetActiveWindow.USER32 ref: 00447C0B
Part of subcall function 00447BE4: GetLastActivePopup.USER32(?), ref: 00447C1D

GetWindowRect.USER32(?,?), ref: 004468B6
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 004468EE

Part of subcall function 0043B920: GetCurrentThreadId.KERNEL32(0043B8D0,00000000,00000000,0043B993,?,00000000,0043B9D1), ref: 0043B976
Part of subcall function 0043B920: EnumThreadWindows.USER32(00000000,0043B8D0,00000000), ref: 0043B97C

MessageBoxA.USER32(00000000,?,?,?), ref: 0044692D
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0044697D

Part of subcall function 0043B9E4: IsWindow.USER32(?), ref: 0043B9F2
Part of subcall function 0043B9E4: EnableWindow.USER32(?,000000FF), ref: 0043BA01

SetActiveWindow.USER32(00000000), ref: 0044698E

Strings

(, xrefs: 00446893

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446524, Relevance: 10.6, APIs: 7, Instructions: 105 Total matches: 329window

Similarity

Total matches: 329
API ID: PeekMessage$DispatchMessage$IsWindowUnicodeTranslateMessage
String ID:
API String ID: 94033680-0
Opcode ID: 72d0e2097018c2d171db36cd9dd5c7d628984fd68ad100676ade8b40d7967d7f
Instruction ID: b3581f7210794b57d406096c46509e1a6dcc6e0b3c60c7d01b5c3c410123a072
Opcode Fuzzy Hash: A2F0F642161A8221F90E364651E2FC06559E31F39CCD1D3871165A4192DF8573D6F95C
Instruction Fuzzy Hash: b3581f7210794b57d406096c46509e1a6dcc6e0b3c60c7d01b5c3c410123a072

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00446538
IsWindowUnicode.USER32 ref: 0044654C
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0044656D
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00446583

Part of subcall function 00447DD0: GetCapture.USER32 ref: 00447DDA
Part of subcall function 00447DD0: GetParent.USER32(00000000), ref: 00447E08

Part of subcall function 004462A4: TranslateMDISysAccel.USER32(?), ref: 004462E3

Part of subcall function 004462F4: GetCapture.USER32 ref: 0044631A
Part of subcall function 004462F4: GetParent.USER32(00000000), ref: 00446340
Part of subcall function 004462F4: IsWindowUnicode.USER32(00000000), ref: 0044635D
Part of subcall function 004462F4: SendMessageW.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446378
Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446397
Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(00000000), ref: 004463A6
Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(?,?), ref: 004463B4
Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 004463D4

Part of subcall function 0044625C: IsWindowUnicode.USER32(00000000), ref: 00446270
Part of subcall function 0044625C: IsDialogMessageW.USER32(?), ref: 00446281
Part of subcall function 0044625C: IsDialogMessageA.USER32(?,?,00000000,015B8130,00000001,00446607,?,00000000,00000000,00000000,00000001,?,00000000,00000000,00000000,00000000), ref: 00446296

TranslateMessage.USER32 ref: 0044660C
DispatchMessageW.USER32 ref: 00446618
DispatchMessageA.USER32 ref: 00446620

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004282D0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99 Total matches: 1938

Similarity

Total matches: 1938
API ID: GetWinMetaFileBitsMulDiv$GetDC
String ID: `
API String ID: 1171737091-2679148245
Opcode ID: 97e0afb71fd3017264d25721d611b96d1ac3823582e31f119ebb41a52f378edb
Instruction ID: fd1c75cb27f8ccc4a85bc281ca680933f7ff10ae91a160973978cac80d6b42b6
Opcode Fuzzy Hash: B6F0ACC4008CD2A7D87675DC1043F6311C897CA286E89BB739226A7307CB0AA019EC47
Instruction Fuzzy Hash: fd1c75cb27f8ccc4a85bc281ca680933f7ff10ae91a160973978cac80d6b42b6

APIs

MulDiv.KERNEL32(?,?,000009EC), ref: 00428322
MulDiv.KERNEL32(?,?,000009EC), ref: 00428339
GetDC.USER32(00000000), ref: 00428350
GetWinMetaFileBits.GDI32(?,00000000,00000000,00000008,?), ref: 00428374
GetWinMetaFileBits.GDI32(?,?,?,00000008,?), ref: 004283A7

Part of subcall function 00425A70: GetLastError.KERNEL32(00000000,00425B0C), ref: 00425A90
Part of subcall function 00425A70: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00425B0C), ref: 00425AB6

Strings

`, xrefs: 00428308

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444344, Relevance: 10.6, APIs: 7, Instructions: 89 Total matches: 2886

Similarity

Total matches: 2886
API ID: CreateFontIndirect$GetStockObjectSystemParametersInfo
String ID:
API String ID: 1286667049-0
Opcode ID: beeb678630a8d2ca0f721ed15124802961745e4c56d7c704ecddf8ebfa723626
Instruction ID: b9276e4cea0afd1028da4d528d34847b13dbaab52dc8e94e54053a20ac38a9fc
Opcode Fuzzy Hash: 00F0A4C36341F6F2D8993208742172161E6A74AE78C7CFF62422930ED2661A052EEB4F
Instruction Fuzzy Hash: b9276e4cea0afd1028da4d528d34847b13dbaab52dc8e94e54053a20ac38a9fc

APIs

SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 00444399
CreateFontIndirectA.GDI32(?), ref: 004443A6
GetStockObject.GDI32(0000000D), ref: 004443BC
SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 004443E5
CreateFontIndirectA.GDI32(?), ref: 004443F5
CreateFontIndirectA.GDI32(?), ref: 0044440E

Part of subcall function 00424A5C: MulDiv.KERNEL32(00000000,?,00000048), ref: 00424A69

GetStockObject.GDI32(0000000D), ref: 00444434

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482B34, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 84 Total matches: 10threadsleepmemory

Similarity

Total matches: 10
API ID: ExitThread$CreateThreadLocalAllocSleep
String ID: p)H
API String ID: 1498127831-2549212939
Opcode ID: 5fd7b773879454cb2e984670c3aa9a0c1db83b86d5d790d4145ccd7f391bc9b7
Instruction ID: 053b5e183048797674ca9cdb15cf17692ed61b26d4291f167cbfa930052dd689
Opcode Fuzzy Hash: 65F02E8147579427749271893D807631168A88B349DC47B618A393E5C35D0EB119F7C6
Instruction Fuzzy Hash: 053b5e183048797674ca9cdb15cf17692ed61b26d4291f167cbfa930052dd689

APIs

ExitThread.KERNEL32(00000000,00000000,00482BF9,?,00000000,00482C2E), ref: 00482BA4
LocalAlloc.KERNEL32(00000040,00000008,00000000,00482BF9,?,00000000,00482C2E), ref: 00482BAD
CreateThread.KERNEL32(00000000,00000000,Function_0008298C,00000000,00000000,?), ref: 00482BD6
Sleep.KERNEL32(00000064,00000000,00000000,Function_0008298C,00000000,00000000,?,00000040,00000008,00000000,00482BF9,?,00000000,00482C2E), ref: 00482BDD
ExitThread.KERNEL32(00000000,00000000,00482BF9,?,00000000,00482C2E), ref: 00482BEA

Strings

p)H, xrefs: 00482B48, 00482C1A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428A00, Relevance: 10.6, APIs: 7, Instructions: 66 Total matches: 3056

Similarity

Total matches: 3056
API ID: SelectObject$CreateCompatibleDCDeleteDCGetDCReleaseDCSetDIBColorTable
String ID:
API String ID: 2399757882-0
Opcode ID: e05996493a4a7703f1d90fd319a439bf5e8e75d5a5d7afaf7582bfea387cb30d
Instruction ID: 90c847b5b2251fbb5b2f14fd0b24f537c214c92e226752d9278a3821f2f40b8f
Opcode Fuzzy Hash: 73E0DF8626D8F38BE435399C15C2BB202EAD763D20D1ABBA1CD712B5DB6B09701CE107
Instruction Fuzzy Hash: 90c847b5b2251fbb5b2f14fd0b24f537c214c92e226752d9278a3821f2f40b8f

APIs

Part of subcall function 004262B4: GetObjectA.GDI32(?,00000004), ref: 004262CB
Part of subcall function 004262B4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 004262EE

GetDC.USER32(00000000), ref: 00428A3E
CreateCompatibleDC.GDI32(?), ref: 00428A4A
SelectObject.GDI32(?), ref: 00428A57
SetDIBColorTable.GDI32(?,00000000,00000000,?), ref: 00428A7B
SelectObject.GDI32(?,?), ref: 00428A95
DeleteDC.GDI32(?), ref: 00428A9E
ReleaseDC.USER32(00000000,?), ref: 00428AA9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004442A8, Relevance: 10.6, APIs: 7, Instructions: 57 Total matches: 3149threadwindow

Similarity

Total matches: 3149
API ID: SendMessage$GetCurrentThreadIdGetCursorPosGetWindowThreadProcessIdSetCursorWindowFromPoint
String ID:
API String ID: 3843227220-0
Opcode ID: 636f8612f18a75fc2fe2d79306f1978e6c2d0ee500cce15a656835efa53532b4
Instruction ID: 91a0691e93be75cbd792bc1c5d11451005bcc187603754b99125f381020161aa
Opcode Fuzzy Hash: 6FE07D44093723D5C0644A295640705A6C6CB96630DC0DB86C339580FBAD0214F0BC92
Instruction Fuzzy Hash: 91a0691e93be75cbd792bc1c5d11451005bcc187603754b99125f381020161aa

APIs

GetCursorPos.USER32 ref: 004442C3
WindowFromPoint.USER32(?,?), ref: 004442D0
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004442DE
GetCurrentThreadId.KERNEL32(00000000,00000000,?,?), ref: 004442E5
SendMessageA.USER32(00000000,00000084,00000000,?), ref: 0044430E
SendMessageA.USER32(00000000,00000020,00000000,?), ref: 00444320
SetCursor.USER32(00000000), ref: 00444332

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00404448, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 49 Total matches: 63registry

Similarity

Total matches: 63
API ID: RegCloseKeyRegOpenKeyExRegQueryValueEx
String ID: &$FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 2249749755-409351
Opcode ID: ab90adbf7b939076b4d26ef1005f34fa32d43ca05e29cbeea890055cc8b783db
Instruction ID: ce62e3bb234767a160e82b0d7d36def6f0e4d1aa0fd43ed305e6d49589b0b3e0
Opcode Fuzzy Hash: 58D02BE10C9A675FB6B071543292B6310A3F72AA8CC0077326DD03A0D64FD26178CF03
Instruction Fuzzy Hash: ce62e3bb234767a160e82b0d7d36def6f0e4d1aa0fd43ed305e6d49589b0b3e0

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040446A
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,&,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040449D
RegCloseKey.ADVAPI32(?,004044C0,00000000,?,00000004,00000000,&,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004044B3

Strings

&, xrefs: 00404476
FPUMaskValue, xrefs: 00404494
SOFTWARE\Borland\Delphi\RTL, xrefs: 00404460

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00488B18, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 49 Total matches: 15

Similarity

Total matches: 15
API ID: GetDeviceCaps$CreateDCEnumDisplayMonitors
String ID: DISPLAY$MONSIZE0x0x0x0
API String ID: 764351534-707749442
Opcode ID: 4ad1b1e031ca4c6641bd4b991acf5b812f9c7536f9f0cc4eb1e7d2354d8ae31a
Instruction ID: 74f5256f7b05cb3d54b39a8883d8df7c51a1bc5999892e39300c9a7f2f74089f
Opcode Fuzzy Hash: 94E0C24F6B8BE4A7600672443C237C2878AA6536918523721CB3E36A93DD472205BA15
Instruction Fuzzy Hash: 74f5256f7b05cb3d54b39a8883d8df7c51a1bc5999892e39300c9a7f2f74089f

APIs

CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 00488B3D
GetDeviceCaps.GDI32(00000000,00000008), ref: 00488B47
GetDeviceCaps.GDI32(00000000,0000000A), ref: 00488B54
EnumDisplayMonitors.USER32(00000000,00000000,004889F0,00000000), ref: 00488B85

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

DISPLAY, xrefs: 00488B6E
MONSIZE0x0x0x0, xrefs: 00488B8C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040F3A4, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 46 Total matches: 17

Similarity

Total matches: 17
API ID: FindResourceLoadResource
String ID: 0PI$DVCLAL
API String ID: 2359726220-2981686760
Opcode ID: 800224e7684f9999f87d4ef9ea60951ae4fbd73f3e4075522447f15a278b71b4
Instruction ID: dff53e867301dc3e22b70d9e69622cb382f13005f1a49077cfe6c5f33cacb54d
Opcode Fuzzy Hash: 8FD0C9D501084285852017F8B253FC7A2AB69DEB19D544BB05EB12D2076F5A613B6A46
Instruction Fuzzy Hash: dff53e867301dc3e22b70d9e69622cb382f13005f1a49077cfe6c5f33cacb54d

APIs

FindResourceA.KERNEL32(00400000,DVCLAL,0000000A), ref: 0040F3C1
LoadResource.KERNEL32(00400000,00000000,00400000,DVCLAL,0000000A), ref: 0040F3CF
FindResourceA.KERNEL32(00400000,DVCLAL,0000000A), ref: 0040F3F3
LoadResource.KERNEL32(00400000,00000000,00400000,DVCLAL,0000000A), ref: 0040F3FA

Strings

0PI, xrefs: 0040F3A8, 0040F3B9, 0040F3C7
DVCLAL, xrefs: 0040F3B4, 0040F3EA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00484B30, Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 176 Total matches: 11sleep

Similarity

Total matches: 11
API ID: Sleep
String ID: BTERRORDownload File| Error on downloading file check if you type the correct url...|$BTRESULTDownload File|Mass Download : File Downloaded , Executing new one in temp dir...|$BTRESULTMass Download|Downloading File...|$DownloadFail$DownloadSuccess
API String ID: 3472027048-992323826
Opcode ID: b42a1814c42657d3903e752c8e34c8bac9066515283203de396ee156d6a45bcc
Instruction ID: deaf5eb2465c82228c6b2b1c1dca6568de82910c53d4747ae395a037cbca2448
Opcode Fuzzy Hash: EA2181291B8DE4A7F43B295C2447B5B11119FC2A9AE8D6BB1377A3F0161A42D019723A
Instruction Fuzzy Hash: deaf5eb2465c82228c6b2b1c1dca6568de82910c53d4747ae395a037cbca2448

APIs

Part of subcall function 0048485C: InternetOpenA.WININET(Mozilla,00000001,00000000,00000000,00000000), ref: 0048490C
Part of subcall function 0048485C: InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,04000000,00000000), ref: 00484944
Part of subcall function 0048485C: HttpQueryInfoA.WININET(00000000,00000013,?,00000200,?), ref: 0048497D
Part of subcall function 0048485C: InternetReadFile.WININET(00000000,?,00000400,?), ref: 00484A04
Part of subcall function 0048485C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 00484A75
Part of subcall function 0048485C: InternetCloseHandle.WININET(00000000), ref: 00484A95

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Sleep.KERNEL32(000007D0,?,?,?,?,?,?,?,00000000,00484D9A,?,?,?,?,00000006,00000000), ref: 00484D38

Part of subcall function 00475BD8: closesocket.WSOCK32(00000248,00000000,00475D47,?,00000000,00475D76,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00475D2E
Part of subcall function 00475BD8: GetCurrentProcessId.KERNEL32(00000248,00000000,00475D47,?,00000000,00475D76,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00475D33

Strings

DownloadFail, xrefs: 00484CBC
BTRESULTMass Download|Downloading File...|, xrefs: 00484C52
BTERRORDownload File| Error on downloading file check if you type the correct url...|, xrefs: 00484D0C
BTRESULTDownload File|Mass Download : File Downloaded , Executing new one in temp dir...|, xrefs: 00484CEA
DownloadSuccess, xrefs: 00484CA2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043EC18, Relevance: 9.2, APIs: 6, Instructions: 150 Total matches: 2896

Similarity

Total matches: 2896
API ID: FillRect$BeginPaintEndPaintGetClientRectGetWindowRect
String ID:
API String ID: 2931688664-0
Opcode ID: 677a90f33c4a0bae1c1c90245e54b31fe376033ebf9183cf3cf5f44c7b342276
Instruction ID: 65c0a0a89661e183b73f48e61e48bee5eb6d6399339ac08e0e21072a38132552
Opcode Fuzzy Hash: 9711994A819E5007F47B49C40887BEA1092FBC1FDBCC8FF7025A426BCB0B60564F860B
Instruction Fuzzy Hash: 65c0a0a89661e183b73f48e61e48bee5eb6d6399339ac08e0e21072a38132552

APIs

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?), ref: 0043EC91
GetClientRect.USER32(00000000,?), ref: 0043ECBC
FillRect.USER32(?,?,00000000), ref: 0043ECDB

Part of subcall function 0043EB8C: CallWindowProcA.USER32(?,?,?,?,?), ref: 0043EBC6

Part of subcall function 0043B78C: GetWindowLongA.USER32(?,000000EC), ref: 0043B799
Part of subcall function 0043B78C: SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B7BC
Part of subcall function 0043B78C: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043B7CE

BeginPaint.USER32(?,?), ref: 0043ED53
GetWindowRect.USER32(?,?), ref: 0043ED80

Part of subcall function 0044EEA0: GetWindowOrgEx.GDI32(?), ref: 0044EEAE
Part of subcall function 0044EEA0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044EEC4

Part of subcall function 00455D50: BeginPaint.USER32(00000000,?), ref: 00455D7B
Part of subcall function 00455D50: SaveDC.GDI32(00000000), ref: 00455DB4
Part of subcall function 00455D50: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 00455E36
Part of subcall function 00455D50: RestoreDC.GDI32(00000000,00000000), ref: 00455E6C
Part of subcall function 00455D50: EndPaint.USER32(00000000,?), ref: 00455EA9

EndPaint.USER32(?,?), ref: 0043EDE0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00441160, Relevance: 9.1, APIs: 6, Instructions: 125 Total matches: 196

Similarity

Total matches: 196
API ID: ExcludeClipRectFillRectGetStockObjectRestoreDCSaveDCSetBkColor
String ID:
API String ID: 3049133588-0
Opcode ID: d6019f6cee828ac7391376ab126a0af33bb7a71103bbd3b8d69450c96d22d854
Instruction ID: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c
Opcode Fuzzy Hash: 54012444004F6253F4AB098428E7FA56083F721791CE4FF310786616C34A74615BAA07
Instruction Fuzzy Hash: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c

APIs

Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE

SaveDC.GDI32(?), ref: 004411AD
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00441234
GetStockObject.GDI32(00000004), ref: 00441256
FillRect.USER32(00000000,?,00000000), ref: 0044126F

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(00000000,00000000), ref: 004412BA

Part of subcall function 0042535C: FillRect.USER32(?,00000000,00000000), ref: 00425385

RestoreDC.GDI32(00000000,?), ref: 004412E5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004556F4, Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 353 Total matches: 9

Similarity

Total matches: 9
API ID: DefWindowProcGetCaptureSetWindowPos_TrackMouseEvent
String ID: zC
API String ID: 1140357208-2078053289
Opcode ID: 4b88ffa7e8dc9e0fc55dcf7c85635e39fbe2c17a2618d5290024c367d42a558d
Instruction ID: b57778f77ef7841f174bad60fd8f5a19220f360e114fd8f1822aba38cb5d359d
Opcode Fuzzy Hash: B2513154458FA692E4B3E0417AA3BD27026F7D178AC84EF3027D9224DB7F15B217AB07
Instruction Fuzzy Hash: b57778f77ef7841f174bad60fd8f5a19220f360e114fd8f1822aba38cb5d359d

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000077), ref: 004557E5
DefWindowProcA.USER32(00000000,?,?,?), ref: 00455AEF

Part of subcall function 0044D640: GetCapture.USER32 ref: 0044D640

_TrackMouseEvent.COMCTL32(00000010), ref: 00455A9D

Part of subcall function 00455640: GetCapture.USER32 ref: 00455653

Part of subcall function 004554F4: GetMessagePos.USER32 ref: 00455503
Part of subcall function 004554F4: GetKeyboardState.USER32(?), ref: 00455600

GetCapture.USER32 ref: 00455B5A

Part of subcall function 00451C28: GetKeyboardState.USER32(?), ref: 00451E90

Strings

zC, xrefs: 0045594E, 0045596C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446070, Relevance: 9.1, APIs: 6, Instructions: 99 Total matches: 165window

Similarity

Total matches: 165
API ID: DefWindowProcIsWindowEnabledSetActiveWindowSetFocusSetWindowPosShowWindow
String ID:
API String ID: 81093956-0
Opcode ID: 91e5e05e051b3e2f023c100c42454c78ad979d8871dc5c9cc7008693af0beda7
Instruction ID: aa6e88dcafe1d9e979c662542ea857fd259aca5c8034ba7b6c524572af4b0f27
Opcode Fuzzy Hash: C2F0DD0025452320F892A8044167FBA60622B5F75ACDCD3282197002AEEFE7507ABF14
Instruction Fuzzy Hash: aa6e88dcafe1d9e979c662542ea857fd259aca5c8034ba7b6c524572af4b0f27

APIs

Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773

SetActiveWindow.USER32(?), ref: 0044608F
ShowWindow.USER32(00000000,00000009), ref: 004460B4
IsWindowEnabled.USER32(00000000), ref: 004460D3
DefWindowProcA.USER32(?,00000112,0000F120,00000000), ref: 004460EC

Part of subcall function 00444C44: ShowWindow.USER32(?,00000006), ref: 00444C5F

SetWindowPos.USER32(?,00000000,00000000,?,?,00445ABE,00000000), ref: 00446132
SetFocus.USER32(00000000), ref: 00446180

Part of subcall function 0043FDB4: ShowWindow.USER32(00000000,?), ref: 0043FDEA

Part of subcall function 00445490: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000213), ref: 004454DE

Part of subcall function 004455EC: EnumWindows.USER32(00445518,00000000), ref: 00445620
Part of subcall function 004455EC: ShowWindow.USER32(?,00000000), ref: 00445655
Part of subcall function 004455EC: ShowOwnedPopups.USER32(00000000,?), ref: 00445684
Part of subcall function 004455EC: ShowWindow.USER32(?,00000005), ref: 004456EA
Part of subcall function 004455EC: ShowOwnedPopups.USER32(00000000,?), ref: 00445719

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426564, Relevance: 9.1, APIs: 6, Instructions: 84 Total matches: 3298

Similarity

Total matches: 3298
API ID: GetDeviceCapsGetSystemMetrics$GetDCReleaseDC
String ID:
API String ID: 3173458388-0
Opcode ID: fd9f4716da230ae71bf1f4ec74ceb596be8590d72bfe1d7677825fa15454f496
Instruction ID: 76208f8db54bfa31a4e946745ab37a866a8afca9cd7e1400b1f436bf5add317d
Opcode Fuzzy Hash: 0CF09E4906CDE0A230E245C41213F6290C28E85DA1CCD2F728175646EB900A900BB68A
Instruction Fuzzy Hash: 76208f8db54bfa31a4e946745ab37a866a8afca9cd7e1400b1f436bf5add317d

APIs

GetSystemMetrics.USER32(0000000B), ref: 004265B2
GetSystemMetrics.USER32(0000000C), ref: 004265BE
GetDC.USER32(00000000), ref: 004265DA
GetDeviceCaps.GDI32(00000000,0000000E), ref: 00426601
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042660E
ReleaseDC.USER32(00000000,00000000), ref: 00426647

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004269DC, Relevance: 9.1, APIs: 6, Instructions: 65 Total matches: 3081window

Similarity

Total matches: 3081
API ID: SelectPalette$CreateCompatibleDCDeleteDCGetDIBitsRealizePalette
String ID:
API String ID: 940258532-0
Opcode ID: c5678bed85b02f593c88b8d4df2de58c18800a354d7fb4845608846d7bc0f30b
Instruction ID: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194
Opcode Fuzzy Hash: BCE0864D058EF36F1875B08C25D267100C0C9A25D0917BB6151282339B8F09B42FE553
Instruction Fuzzy Hash: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194

APIs

Part of subcall function 00426888: GetObjectA.GDI32(?,00000054), ref: 0042689C

CreateCompatibleDC.GDI32(00000000), ref: 004269FE
SelectPalette.GDI32(?,?,00000000), ref: 00426A1F
RealizePalette.GDI32(?), ref: 00426A2B
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 00426A42
SelectPalette.GDI32(?,00000000,00000000), ref: 00426A6A
DeleteDC.GDI32(?), ref: 00426A73

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426210, Relevance: 9.1, APIs: 6, Instructions: 56 Total matches: 3064window

Similarity

Total matches: 3064
API ID: SelectObject$CreateCompatibleDCCreatePaletteDeleteDCGetDIBColorTable
String ID:
API String ID: 2522673167-0
Opcode ID: 8f0861977a40d6dd0df59c1c8ae10ba78c97ad85d117a83679491ebdeecf1838
Instruction ID: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265
Opcode Fuzzy Hash: 23E0CD8BABB4E08A797B9EA40440641D28F874312DF4347525731780E7DE0972EBFD9D
Instruction Fuzzy Hash: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265

APIs

CreateCompatibleDC.GDI32(00000000), ref: 00426229
SelectObject.GDI32(00000000,00000000), ref: 00426232
GetDIBColorTable.GDI32(00000000,00000000,00000100,?), ref: 00426246
SelectObject.GDI32(00000000,00000000), ref: 00426252
DeleteDC.GDI32(00000000), ref: 00426258
CreatePalette.GDI32 ref: 0042629F

Part of subcall function 00426178: GetDC.USER32(00000000), ref: 00426190
Part of subcall function 00426178: GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
Part of subcall function 00426178: ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004258EC, Relevance: 9.0, APIs: 6, Instructions: 43 Total matches: 3205

Similarity

Total matches: 3205
API ID: SetBkColorSetBkMode$SelectObjectUnrealizeObject
String ID:
API String ID: 865388446-0
Opcode ID: ffaa839b37925f52af571f244b4bcc9ec6d09047a190f4aa6a6dd435522a71e3
Instruction ID: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d
Opcode Fuzzy Hash: 04D09E594221F71A98E8058442D7D520586497D532DAF3B51063B173F7F8089A05D9FC
Instruction Fuzzy Hash: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d

APIs

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

UnrealizeObject.GDI32(00000000), ref: 004258F8
SelectObject.GDI32(?,00000000), ref: 0042590A
SetBkColor.GDI32(?,00000000), ref: 0042592D
SetBkMode.GDI32(?,00000002), ref: 00425938

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(?,00000000), ref: 00425953
SetBkMode.GDI32(?,00000001), ref: 0042595E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042A930, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 112 Total matches: 272window

Similarity

Total matches: 272
API ID: CreateHalftonePaletteDeleteObjectGetDCReleaseDC
String ID: (
API String ID: 5888407-3887548279
Opcode ID: 4e22601666aff46a46581565b5bf303763a07c2fd17868808ec6dd327d665c82
Instruction ID: f57f3c124764741b0e8e00b5455ad9be4a6e3969f543885727e4b1f2e22c0620
Opcode Fuzzy Hash: 79019E5241CC6117F8D7A6547852F732644AB806A5C80FB707B69BA8CFAB85610EB90B
Instruction Fuzzy Hash: f57f3c124764741b0e8e00b5455ad9be4a6e3969f543885727e4b1f2e22c0620

APIs

GetDC.USER32(00000000), ref: 0042A9EC
CreateHalftonePalette.GDI32(00000000), ref: 0042A9F9
ReleaseDC.USER32(00000000,00000000), ref: 0042AA08
DeleteObject.GDI32(00000000), ref: 0042AA76

Strings

(, xrefs: 0042A9A3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DA48, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 102 Total matches: 32

Similarity

Total matches: 32
API ID: Netbios
String ID: %.2x-%.2x-%.2x-%.2x-%.2x-%.2x$3$memory allocation failed!
API String ID: 544444789-2654533857
Opcode ID: 22deb5ba4c8dd5858e69645675ac88c4b744798eed5cc2a6ae80ae5365d1f156
Instruction ID: 205d53b38d78d2d0723284a20418f6a6cc2e9f6e34ee92e133a3f4b1a01c78c5
Opcode Fuzzy Hash: FC0145449793E233D2635E086C60F6823228F41731FC96B56863A557DC1F09420EF26F
Instruction Fuzzy Hash: 205d53b38d78d2d0723284a20418f6a6cc2e9f6e34ee92e133a3f4b1a01c78c5

APIs

Netbios.NETAPI32(00000032), ref: 0048DA8A
Netbios.NETAPI32(00000033), ref: 0048DB01

Strings

3, xrefs: 0048DACB
memory allocation failed!, xrefs: 0048DAEB
%.2x-%.2x-%.2x-%.2x-%.2x-%.2x, xrefs: 0048DBA0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446EDC, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 98 Total matches: 12timethreadwindow

Similarity

Total matches: 12
API ID: GetCurrentThreadIdSetTimerWaitMessage
String ID: 4PI$TfD
API String ID: 3709936073-2665388893
Opcode ID: a96b87b76615ec2f6bd9a49929a256f28b564bdc467e68e118c3deca706b2d51
Instruction ID: b92290f9b4a80c848b093905c5717a31533565e16cff7f57329368dd8290fbf7
Opcode Fuzzy Hash: E2F0A28141CDF053D573A6183401FD120A6F3465D5CD097723768360EE1ADF603DE14B
Instruction Fuzzy Hash: b92290f9b4a80c848b093905c5717a31533565e16cff7f57329368dd8290fbf7

APIs

Part of subcall function 00446E50: GetCursorPos.USER32 ref: 00446E57

SetTimer.USER32(00000000,00000000,?,00446E74), ref: 00446FAB

Part of subcall function 00446DEC: IsWindowVisible.USER32(00000000), ref: 00446E24
Part of subcall function 00446DEC: IsWindowEnabled.USER32(00000000), ref: 00446E35

GetCurrentThreadId.KERNEL32(00000000,00447029,?,?,?,015B8130), ref: 00446FE5
WaitMessage.USER32 ref: 00447009

Part of subcall function 0041F7B4: GetCurrentThreadId.KERNEL32 ref: 0041F7BF
Part of subcall function 0041F7B4: GetCurrentThreadId.KERNEL32 ref: 0041F7CE
Part of subcall function 0041F7B4: EnterCriticalSection.KERNEL32(004999D0), ref: 0041F813
Part of subcall function 0041F7B4: InterlockedExchange.KERNEL32(00491B2C,?), ref: 0041F82F
Part of subcall function 0041F7B4: LeaveCriticalSection.KERNEL32(004999D0,00000000,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F888
Part of subcall function 0041F7B4: EnterCriticalSection.KERNEL32(004999D0,0041F904,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F8F7

Strings

TfD, xrefs: 00446EFE, 00446F08, 00446F59, 00446F81, 00446FBE, 00446F8E, 00446F69, 00446F6C, 00446F14, 00446F1D
4PI, xrefs: 00446FEA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482320, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85 Total matches: 19threadsleep

Similarity

Total matches: 19
API ID: CreateThreadExitThreadSleep
String ID: @$BTRESULTUDP Flood|UDP Flood task finished!|
API String ID: 2170526433-696998096
Opcode ID: 89b2bcb3a41e7f4c01433908cc75e320bbcd6b665df0f15f136d145bd92b223a
Instruction ID: ba785c08286949be7b8d16e5cc6bc2a647116c61844ba5f345475ef84eb05628
Opcode Fuzzy Hash: F0F02B696BCAA1DFE8075C446C42B9B2054DBC740EDCBA7B2261B235819A4A34073F13
Instruction Fuzzy Hash: ba785c08286949be7b8d16e5cc6bc2a647116c61844ba5f345475ef84eb05628

APIs

Sleep.KERNEL32(00000064,?,00000000,00482455), ref: 004823D3
CreateThread.KERNEL32(00000000,00000000,Function_000821A0,00000000,00000000,?), ref: 004823E8

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000,00000000,00000000,Function_000821A0,00000000,00000000,?,00000064,?,00000000,00482455), ref: 0048242B

Strings

@, xrefs: 004823BE
BTRESULTUDP Flood|UDP Flood task finished!|, xrefs: 00482417

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004827C4, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85 Total matches: 19threadsleep

Similarity

Total matches: 19
API ID: CreateThreadExitThreadSleep
String ID: @$BTRESULTSyn Flood|Syn task finished!|
API String ID: 2170526433-491318438
Opcode ID: 44470ceb4039b0deeebf49dfd608d8deeadfb9ebb9d7d747ae665e3d160d324e
Instruction ID: 0c48cfc9b202c7a9406c9b87cea66b669ffe7f04b2bdabee49179f6eebcccd33
Opcode Fuzzy Hash: 17F02B24A7D9B5DFEC075D402D42BDB6254EBC784EDCAA7B29257234819E1A30037713
Instruction Fuzzy Hash: 0c48cfc9b202c7a9406c9b87cea66b669ffe7f04b2bdabee49179f6eebcccd33

APIs

Sleep.KERNEL32(00000064,?,00000000,004828F9), ref: 00482877
CreateThread.KERNEL32(00000000,00000000,Function_00082630,00000000,00000000,?), ref: 0048288C

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000,00000000,00000000,Function_00082630,00000000,00000000,?,00000064,?,00000000,004828F9), ref: 004828CF

Strings

BTRESULTSyn Flood|Syn task finished!|, xrefs: 004828BB
@, xrefs: 00482862

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00483858, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85 Total matches: 19threadsleep

Similarity

Total matches: 19
API ID: CreateThreadExitThreadSleep
String ID: @$BTRESULTHTTP Flood|Http Flood task finished!|
API String ID: 2170526433-4253556105
Opcode ID: ce1973b24f73c03e98cc87b7d8b3c5c1d23a0e8b985775cb0889d2fdef58f970
Instruction ID: 21c0fad9eccbf28bfd57fbbbc49df069a42e3d2ebba60de991032031fecca495
Opcode Fuzzy Hash: 5DF0F61467DBA0AFEC476D403852FDB6254DBC344EDCAA7B2961B234919A0B50072752
Instruction Fuzzy Hash: 21c0fad9eccbf28bfd57fbbbc49df069a42e3d2ebba60de991032031fecca495

APIs

Sleep.KERNEL32(00000064,?,00000000,0048398D), ref: 0048390B
CreateThread.KERNEL32(00000000,00000000,Function_000836D8,00000000,00000000,?), ref: 00483920

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000,00000000,00000000,Function_000836D8,00000000,00000000,?,00000064,?,00000000,0048398D), ref: 00483963

Strings

@, xrefs: 004838F6
BTRESULTHTTP Flood|Http Flood task finished!|, xrefs: 0048394F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00431630, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68 Total matches: 12clipboard

Similarity

Total matches: 12
API ID: EnumClipboardFormatsGetClipboardData
String ID: 84B
API String ID: 3474394156-4139892337
Opcode ID: cbdc4fb4fee60523561006c9190bf0aca0ea1a398c4033ec61a61d99ebad6b44
Instruction ID: f1c5519afed1b0c95f7f2342b940afc2bc63d918938f195d0c151ba0fb7a00cb
Opcode Fuzzy Hash: 42E0D8922359D127F8C2A2903882B52360966DA6488405B709B6D7D1575551512FF28B
Instruction Fuzzy Hash: f1c5519afed1b0c95f7f2342b940afc2bc63d918938f195d0c151ba0fb7a00cb

APIs

EnumClipboardFormats.USER32(00000000), ref: 00431657
GetClipboardData.USER32(00000000), ref: 00431677
GetClipboardData.USER32(00000009), ref: 00431680
EnumClipboardFormats.USER32(00000000), ref: 0043169F

Strings

84B, xrefs: 00431665

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EA7C, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50 Total matches: 198thread

Similarity

Total matches: 198
API ID: FindWindowExGetCurrentThreadIdGetWindowThreadProcessIdIsWindow
String ID: OleMainThreadWndClass
API String ID: 201132107-3883841218
Opcode ID: cdbacb71e4e8a6832b821703e69153792bbbb8731c9381be4d3b148a6057b293
Instruction ID: 62358f18f5a79d764869bf2b093b0b3ccaeb62bda00a46bd1094c38cdaeeb6b7
Opcode Fuzzy Hash: F8E08C9266CC1095C039EA1C7A2237A3548B7D24E9ED4DB747BEB2716CEF00022A7780
Instruction Fuzzy Hash: 62358f18f5a79d764869bf2b093b0b3ccaeb62bda00a46bd1094c38cdaeeb6b7

APIs

Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00000000,00403029), ref: 004076AD
Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00403029), ref: 004076BE

IsWindow.USER32(?), ref: 0042EA99
FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
GetCurrentThreadId.KERNEL32(?,00000000,00000000,00000000,OleMainThreadWndClass,00000000,?,?,00000000,0042EB52), ref: 0042EB0A

Strings

OleMainThreadWndClass, xrefs: 0042EAC3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043F914, Relevance: 7.7, APIs: 5, Instructions: 174 Total matches: 113window

Similarity

Total matches: 113
API ID: SetMenu$GetMenuSetWindowPos
String ID:
API String ID: 2285096500-0
Opcode ID: d0722823978f30f9d251a310f9061108e88e98677dd122370550f2cde24528f3
Instruction ID: e705ced47481df034b79e2c10a9e9c5239c9913cd23e0c77b7b1ec0a0db802ed
Opcode Fuzzy Hash: 5F118B40961E1266F846164C19EAF1171E6BB9D305CC4E72083E630396BE085027E773
Instruction Fuzzy Hash: e705ced47481df034b79e2c10a9e9c5239c9913cd23e0c77b7b1ec0a0db802ed

APIs

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetMenu.USER32(00000000), ref: 0043FA38
SetMenu.USER32(00000000,00000000), ref: 0043FA55
SetMenu.USER32(00000000,00000000), ref: 0043FA8A
SetMenu.USER32(00000000,00000000), ref: 0043FAA6

Part of subcall function 0043F84C: GetMenu.USER32(00000000), ref: 0043F892
Part of subcall function 0043F84C: SendMessageA.USER32(00000000,00000230,00000000,00000000), ref: 0043F8AA
Part of subcall function 0043F84C: DrawMenuBar.USER32(00000000), ref: 0043F8BB

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043FAED

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434AE4, Relevance: 7.7, APIs: 5, Instructions: 168 Total matches: 2874

Similarity

Total matches: 2874
API ID: DrawTextOffsetRect$DrawEdge
String ID:
API String ID: 1230182654-0
Opcode ID: 4033270dfa35f51a11e18255a4f5fd5a4a02456381e8fcea90fa62f052767fcc
Instruction ID: 6b9e5ef3b45a4a7d0cb501c9f56a29ead01efbe1e1581f942ef4c6a165ab8663
Opcode Fuzzy Hash: A511CB01114D5A93E431240815A7FEF1295FBC1A9BCD4BB71078636DBB2F481017EA7B
Instruction Fuzzy Hash: 6b9e5ef3b45a4a7d0cb501c9f56a29ead01efbe1e1581f942ef4c6a165ab8663

APIs

DrawEdge.USER32(00000000,?,00000006,00000002), ref: 00434BB3
OffsetRect.USER32(?,00000001,00000001), ref: 00434C04
DrawTextA.USER32(00000000,00000000,?,?,?), ref: 00434C3D
OffsetRect.USER32(?,000000FF,000000FF), ref: 00434C4A

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

DrawTextA.USER32(00000000,00000000,?,?,?), ref: 00434CB5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00473208, Relevance: 7.6, APIs: 5, Instructions: 114 Total matches: 15network

Similarity

Total matches: 15
API ID: inet_ntoa$WSAIoctlclosesocketsocket
String ID:
API String ID: 2271367613-0
Opcode ID: 03e2a706dc22aa37b7c7fcd13714bf4270951a4113eb29807a237e9173ed7bd6
Instruction ID: 676ba8df3318004e6f71ddf2b158507320f00f5068622334a9372202104f6e6f
Opcode Fuzzy Hash: A0F0AC403B69D14384153BC72A80F5971A2872F33ED4833999230986D7984CA018F529
Instruction Fuzzy Hash: 676ba8df3318004e6f71ddf2b158507320f00f5068622334a9372202104f6e6f

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00473339), ref: 0047323B
WSAIoctl.WS2_32(000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000), ref: 0047327C
inet_ntoa.WSOCK32(?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000), ref: 004732AC
inet_ntoa.WSOCK32(?,?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001), ref: 004732E8
closesocket.WSOCK32(000000FF,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000,00000000,00473339), ref: 00473319

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004455EC, Relevance: 7.6, APIs: 5, Instructions: 109 Total matches: 230

Similarity

Total matches: 230
API ID: ShowOwnedPopupsShowWindow$EnumWindows
String ID:
API String ID: 1268429734-0
Opcode ID: 27bb45b2951756069d4f131311b8216febb656800ffc3f7147a02f570a82fa35
Instruction ID: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc
Opcode Fuzzy Hash: 70012B5524E87325E2756D54B01C765A2239B0FF08CE6C6654AAE640F75E1E0132F78D
Instruction Fuzzy Hash: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc

APIs

EnumWindows.USER32(00445518,00000000), ref: 00445620
ShowWindow.USER32(?,00000000), ref: 00445655
ShowOwnedPopups.USER32(00000000,?), ref: 00445684
ShowWindow.USER32(?,00000005), ref: 004456EA
ShowOwnedPopups.USER32(00000000,?), ref: 00445719

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004878A4, Relevance: 7.6, APIs: 5, Instructions: 109 Total matches: 11memorythread

Similarity

Total matches: 11
API ID: CloseHandleCreateThreadEnterCriticalSectionLeaveCriticalSectionLocalAlloc
String ID:
API String ID: 3024079611-0
Opcode ID: 4dd964c7e1c4b679be799535e5517f4cba33e810e34606c0a9d5c033aa3fe8c9
Instruction ID: efb3d4a77ffd09126bc7d7eb87c1fe64908b5695ecb93dc64bf5137c0ac50147
Opcode Fuzzy Hash: 7E01288913DAD457BD6068883C86EE705A95BA2508E0C67B34F2E392834F1A5125F283
Instruction Fuzzy Hash: efb3d4a77ffd09126bc7d7eb87c1fe64908b5695ecb93dc64bf5137c0ac50147

APIs

EnterCriticalSection.KERNEL32(0049C3A8,00000000,00487A08), ref: 004878F3

Part of subcall function 00487318: EnterCriticalSection.KERNEL32(0049C3A8,00000000,00487468,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00487347
Part of subcall function 00487318: LeaveCriticalSection.KERNEL32(0049C3A8,0048744D,00487468,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00487440

LocalAlloc.KERNEL32(00000040,00000010,?,0049C3A8,00000000,00487A08), ref: 0048795A
CreateThread.KERNEL32(00000000,00000000,Function_00086E2C,00000000,00000000,?), ref: 004879AE
CloseHandle.KERNEL32(00000000), ref: 004879B4
LeaveCriticalSection.KERNEL32(0049C3A8,004879D8,Function_00086E2C,00000000,00000000,?,00000040,00000010,?,0049C3A8,00000000,00487A08), ref: 004879CB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EB3C, Relevance: 7.6, APIs: 5, Instructions: 86 Total matches: 211window

Similarity

Total matches: 211
API ID: DispatchMessageMsgWaitForMultipleObjectsExPeekMessageTranslateMessageWaitForMultipleObjectsEx
String ID:
API String ID: 1615661765-0
Opcode ID: ed928f70f25773e24e868fbc7ee7d77a1156b106903410d7e84db0537b49759f
Instruction ID: 55a40452e6c929106030349fb2bc1598364ce2fc4e781c2a916e8f687fa462b2
Opcode Fuzzy Hash: DDF05C09614F1D16D8BB88644562B1B2144AB42397C26BFA5529EE3B2D6B18B00AF640
Instruction Fuzzy Hash: 55a40452e6c929106030349fb2bc1598364ce2fc4e781c2a916e8f687fa462b2

APIs

Part of subcall function 0042EA7C: IsWindow.USER32(?), ref: 0042EA99
Part of subcall function 0042EA7C: FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
Part of subcall function 0042EA7C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
Part of subcall function 0042EA7C: GetCurrentThreadId.KERNEL32(?,00000000,00000000,00000000,OleMainThreadWndClass,00000000,?,?,00000000,0042EB52), ref: 0042EB0A

MsgWaitForMultipleObjectsEx.USER32(?,?,?,000000BF,?), ref: 0042EB6A
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 0042EB85
TranslateMessage.USER32(?), ref: 0042EB92
DispatchMessageA.USER32(?), ref: 0042EB9B
WaitForMultipleObjectsEx.KERNEL32(?,?,?,?,00000000), ref: 0042EBC7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434924, Relevance: 7.6, APIs: 5, Instructions: 77 Total matches: 2509window

Similarity

Total matches: 2509
API ID: GetMenuItemCount$DestroyMenuGetMenuStateRemoveMenu
String ID:
API String ID: 4240291783-0
Opcode ID: 32de4ad86fdb0cc9fc982d04928276717e3a5babd97d9cb0bc7430a9ae97d0ca
Instruction ID: cf6877f9ad33401498591f2bf6e6844a5ca439f59e89e6fdb213c81f0c010526
Opcode Fuzzy Hash: 6BE02BD3455E4703F425AB0454E3FA913C4AF51716DA0DB1017359D07B1F26501FE9F4
Instruction Fuzzy Hash: cf6877f9ad33401498591f2bf6e6844a5ca439f59e89e6fdb213c81f0c010526

APIs

Part of subcall function 00434A54: CreatePopupMenu.USER32 ref: 00434A6F
Part of subcall function 00434A54: CreateMenu.USER32 ref: 00434A79

GetMenuItemCount.USER32(00000000), ref: 0043495C
GetMenuState.USER32(00000000,-00000001,00000400), ref: 0043497D
RemoveMenu.USER32(00000000,-00000001,00000400), ref: 00434994
GetMenuItemCount.USER32(00000000), ref: 004349C4
DestroyMenu.USER32(00000000), ref: 004349D1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00443430, Relevance: 7.6, APIs: 5, Instructions: 61 Total matches: 3003

Similarity

Total matches: 3003
API ID: SetWindowLong$GetWindowLongRedrawWindowSetLayeredWindowAttributes
String ID:
API String ID: 3761630487-0
Opcode ID: 9c9d49d1ef37d7cb503f07450c0d4a327eb9b2b4778ec50dcfdba666c10abcb3
Instruction ID: c6d9d2cd31c241e86b7d90949bf59b5cad1e27a78e0073c3828bbb8e9ec94880
Opcode Fuzzy Hash: 6AE06550D41703A1D48114945B63FBBE8817F8911DDE5C71001BA29145BA88A192FF7B
Instruction Fuzzy Hash: c6d9d2cd31c241e86b7d90949bf59b5cad1e27a78e0073c3828bbb8e9ec94880

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 00443464
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 00443496
SetLayeredWindowAttributes.USER32(00000000,?,?,00000000), ref: 004434CF
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 004434E8
RedrawWindow.USER32(00000000,00000000,00000000,00000485), ref: 004434FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426178, Relevance: 7.6, APIs: 5, Instructions: 55 Total matches: 3070window

Similarity

Total matches: 3070
API ID: GetPaletteEntries$GetDCGetDeviceCapsReleaseDC
String ID:
API String ID: 1267235336-0
Opcode ID: 49f91625e0dd571c489fa6fdad89a91e8dd79834746e98589081ca7a3a4fea17
Instruction ID: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836
Opcode Fuzzy Hash: 7CD0C2AA1389DBD6BD6A17842352A4553478983B09D126B32EB0822872850C5039FD1F
Instruction Fuzzy Hash: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836

APIs

GetDC.USER32(00000000), ref: 00426190
GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444B90, Relevance: 7.5, APIs: 5, Instructions: 25 Total matches: 2957synchronizationthread

Similarity

Total matches: 2957
API ID: CloseHandleGetCurrentThreadIdSetEventUnhookWindowsHookExWaitForSingleObject
String ID:
API String ID: 3442057731-0
Opcode ID: bc40a7f740796d43594237fc13166084f8c3b10e9e48d5138e47e82ca7129165
Instruction ID: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1
Opcode Fuzzy Hash: E9C01296B2C9B0C1EC809712340202800B20F8FC590E3DE0509D7363005315D73CD92C
Instruction Fuzzy Hash: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1

APIs

UnhookWindowsHookEx.USER32(00000000), ref: 00444B9F
SetEvent.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBA
GetCurrentThreadId.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBF
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00444BD4
CloseHandle.KERNEL32(00000000), ref: 00444BDF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00487488, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 155 Total matches: 10

Similarity

Total matches: 10
API ID: EnterCriticalSectionLeaveCriticalSectionclosesocket
String ID: FpH
API String ID: 290008508-3698235444
Opcode ID: be6004bcf5111565a748ebf748fe8f94cb6dfae83d2399967abd75ac40b7e6c4
Instruction ID: 3d9c9e21102527a3ccf10666a7ac4716c4c3e43fa569496a7f805cea37bff582
Opcode Fuzzy Hash: 2C11B6219B4656ABDD15ED006C8F38532AE1BABCCAD9A83F2B27F3545E1A0331057292
Instruction Fuzzy Hash: 3d9c9e21102527a3ccf10666a7ac4716c4c3e43fa569496a7f805cea37bff582

APIs

EnterCriticalSection.KERNEL32(0049C3A8,00000000,00487671,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00487016), ref: 004874B5
closesocket.WSOCK32(00000000,FpH,?,?,?,?,0049C3A8,00000000,00487671,?,?,00000000,?,00000000,00000000,00000000), ref: 0048761C
LeaveCriticalSection.KERNEL32(0049C3A8,00487656,00487671,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00487016), ref: 00487649

Strings

FpH, xrefs: 004875BE, 004875C1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040D670, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148 Total matches: 3566thread

Similarity

Total matches: 3566
API ID: GetThreadLocale
String ID: eeee$ggg$yyyy
API String ID: 1366207816-1253427255
Opcode ID: 86fa1fb3c1f239f42422769255d2b4db7643f856ec586a18d45da068e260c20e
Instruction ID: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436
Opcode Fuzzy Hash: 3911BD8712648363D5722818A0D2BE3199C5703CA4EA89742DDB6356EA7F09440BEE6D
Instruction Fuzzy Hash: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436

APIs

GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Strings

eeee, xrefs: 0040D7AE
yyyy, xrefs: 0040D795
ggg, xrefs: 0040D785

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00448CDC, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 128 Total matches: 12

Similarity

Total matches: 12
API ID: ImageList_Draw$ImageList_GetImageCount
String ID: 6B
API String ID: 3589308897-1343726390
Opcode ID: 2690fd2ca55b1b65e67941613c6303a21faec12a0278fdf56c2d44981dc0a60c
Instruction ID: bb1a6af48a08526224ce615e4789a1aefef0bbae6c761038034d4d1812f59c35
Opcode Fuzzy Hash: D8017B814A5DA09FF93335842AE32BB204AE757E4ACCC3FF13684275C78420722BB613
Instruction Fuzzy Hash: bb1a6af48a08526224ce615e4789a1aefef0bbae6c761038034d4d1812f59c35

APIs

ImageList_GetImageCount.COMCTL32(?,?,?,00000000,00448E75), ref: 00448D9D

Part of subcall function 0042535C: FillRect.USER32(?,00000000,00000000), ref: 00425385

ImageList_Draw.COMCTL32(?,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000,00448E75), ref: 00448DDF
ImageList_Draw.COMCTL32(?,00000000,00000000,00000000,00000000,00000010,?,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 00448E0E

Part of subcall function 004488AC: ImageList_Add.COMCTL32(?,00000000,00000000,00000000,0044893E,?,00000000,0044895B), ref: 00448920

Strings

6B, xrefs: 00448D1F, 00448D58

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486094, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 112 Total matches: 15window

Similarity

Total matches: 15
API ID: DispatchMessagePeekMessageTranslateMessage
String ID: @^H
API String ID: 185851025-3554995626
Opcode ID: 2132e19746abd73b79cebe2d4e6b891fdd392e5cfbbdda1538f9754c05474f80
Instruction ID: eb76ea1802a2b415b8915c5eabc8b18207f4e99a378ecd2f436d0820f5175207
Opcode Fuzzy Hash: FF019C4102C7C1D9EE46E4FD3030BC3A454A74A7A6D89A7A03EFD1116A5F8A7116BF2B
Instruction Fuzzy Hash: eb76ea1802a2b415b8915c5eabc8b18207f4e99a378ecd2f436d0820f5175207

APIs

Part of subcall function 00485EAC: shutdown.WSOCK32(00000000,00000002), ref: 00485F0E
Part of subcall function 00485EAC: closesocket.WSOCK32(00000000,00000000,00000002), ref: 00485F19

Part of subcall function 00485F40: socket.WSOCK32(00000002,00000001,00000000,00000000,00486072), ref: 00485F69
Part of subcall function 00485F40: ntohs.WSOCK32(00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485F8F
Part of subcall function 00485F40: inet_addr.WSOCK32(015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FA0
Part of subcall function 00485F40: gethostbyname.WSOCK32(015EAA88,015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FB5
Part of subcall function 00485F40: connect.WSOCK32(00000000,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FD8
Part of subcall function 00485F40: recv.WSOCK32(00000000,0049A3A0,00001FFF,00000000,00000000,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FEF
Part of subcall function 00485F40: recv.WSOCK32(00000000,0049A3A0,00001FFF,00000000,00000000,0049A3A0,00001FFF,00000000,00000000,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000), ref: 0048603F

Part of subcall function 00466AFC: waveInOpen.WINMM(00000094,00000000,?,?,00000000,00010004), ref: 00466B36
Part of subcall function 00466AFC: waveInStart.WINMM(?), ref: 00466B5B

TranslateMessage.USER32(?), ref: 004861CA
DispatchMessageA.USER32(?), ref: 004861D0
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004861DE

Strings

@^H, xrefs: 004860BE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F5E4, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72 Total matches: 26window

Similarity

Total matches: 26
API ID: GetWindowPlacementGetWindowTextIsWindowVisible
String ID: ,
API String ID: 41250382-3772416878
Opcode ID: d98ece8bad481757d152ad7594c705093dec75069e9b5f9ec314c4d81001c558
Instruction ID: 1b57460ef1e40e225087e69e669dd845b9a56fe4f5442601256b4cdd4d0865f6
Opcode Fuzzy Hash: DBE0ABC68782816BD907FDCCB0207E6E1E4779394CC8CBB32C606396E44D92000DCE69
Instruction Fuzzy Hash: 1b57460ef1e40e225087e69e669dd845b9a56fe4f5442601256b4cdd4d0865f6

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F634
GetWindowPlacement.USER32(?,0000002C), ref: 0046F64F
IsWindowVisible.USER32(?), ref: 0046F655

Strings

,, xrefs: 0046F643

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00473448, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 68 Total matches: 15network

Similarity

Total matches: 15
API ID: InternetConnectInternetOpen
String ID: 84G$DCSC
API String ID: 2368555255-1372800958
Opcode ID: 53ce43b2210f5c6ad3b551091bc6b8bee07640da22ed1286f4ed4d69da6ab12a
Instruction ID: e0797c740093838c5f4dac2a7ddd4939bcbe40ebc838de26f806c335dc33f113
Opcode Fuzzy Hash: 1AF0558C09DC81CBED14B5C83C827C7281AB357949E003B91161A372C3DF0A6174FA4F
Instruction Fuzzy Hash: e0797c740093838c5f4dac2a7ddd4939bcbe40ebc838de26f806c335dc33f113

APIs

InternetOpenA.WININET(DCSC,00000000,00000000,00000000,00000000), ref: 00473493
InternetConnectA.WININET(00000000,00000000,00000000,00000000,00000000,00000001,08000000,00000000), ref: 004734D9

Strings

DCSC, xrefs: 0047348E
84G, xrefs: 00473468, 0047350F, 004734AF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00485150, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64 Total matches: 24registry

Similarity

Total matches: 24
API ID: RegCloseKeyRegOpenKeyRegSetValueEx
String ID: Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 551737238-1428018034
Opcode ID: 03d06dea9a4ea131a8c95bd501c85e7d0b73df60e0a15cb9a2dd1ac9fe2d308f
Instruction ID: 259808f008cd29689f11a183a475b32bbb219f99a0f83129d86369365ce9f44d
Opcode Fuzzy Hash: 15E04F8517EAE2ABA996B5C838866F7609A9713790F443FB19B742F18B4F04601CE243
Instruction Fuzzy Hash: 259808f008cd29689f11a183a475b32bbb219f99a0f83129d86369365ce9f44d

APIs

RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 00485199
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,?,00000000,004851DE,?,00000000,0048520A), ref: 004851C6
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,?,00000000,004851DE,?,00000000,0048520A), ref: 004851CF

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 0048518F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004606CC, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 59 Total matches: 75network

Similarity

Total matches: 75
API ID: gethostbynameinet_addr
String ID: %d.%d.%d.%d$0.0.0.0
API String ID: 1594361348-464342551
Opcode ID: 7e59b623bdbf8c44b8bb58eaa9a1d1e7bf08be48a025104469b389075155053e
Instruction ID: 136b4077bafd549567cd44b702fc781b2d0bdeab701521d256d746d30229b047
Opcode Fuzzy Hash: 62E0D84049F633C28038E685914DF713041C71A2DEF8F9352022171EF72B096986AE3F
Instruction Fuzzy Hash: 136b4077bafd549567cd44b702fc781b2d0bdeab701521d256d746d30229b047

APIs

inet_addr.WSOCK32(00000000), ref: 004606F6
gethostbyname.WSOCK32(00000000), ref: 00460711

Strings

%d.%d.%d.%d, xrefs: 0046075E
0.0.0.0, xrefs: 0046076C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043804C, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58 Total matches: 1778window

Similarity

Total matches: 1778
API ID: DrawMenuBarGetMenuItemInfoSetMenuItemInfo
String ID: P
API String ID: 41131186-3110715001
Opcode ID: ea0fd48338f9c30b58f928f856343979a74bbe7af1b6c53973efcbd39561a32d
Instruction ID: eec9c326b6739cd85be96541f469f9b321a478421ae7c7aca53e0c239bd8eefe
Opcode Fuzzy Hash: C8E0C0C1064C1301CCACB4938564F010221FB8B33CDD1D3C051602419A9D0080D4BFFA
Instruction Fuzzy Hash: eec9c326b6739cd85be96541f469f9b321a478421ae7c7aca53e0c239bd8eefe

APIs

GetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 0043809A
SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 004380EC
DrawMenuBar.USER32(00000000), ref: 004380F9

Strings

P, xrefs: 0043808C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474E20, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51 Total matches: 17synchronizationthreadinjection

Similarity

Total matches: 17
API ID: CreateRemoteThreadReadProcessMemoryWaitForSingleObject
String ID: DCPERSFWBP
API String ID: 972516186-2425095734
Opcode ID: c4bd10bfc42c7bc3ca456a767018bd77f736aecaa9343146970cff40bb4593b6
Instruction ID: 075115d4d80338f80b59a5c3f9ea77aa0f3a1cab00edb24ce612801bf173fcc5
Opcode Fuzzy Hash: 63D0A70B97094A56102D348D54027154341A601775EC177E38E36873F719C17051F85E
Instruction Fuzzy Hash: 075115d4d80338f80b59a5c3f9ea77aa0f3a1cab00edb24ce612801bf173fcc5

APIs

Part of subcall function 00474DF0: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,00475328,?,?,00474E3D,DCPERSFWBP,?,?), ref: 00474E06
Part of subcall function 00474DF0: WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,00000000,?,00003000,00000040,?,?,00475328,?,?,00474E3D), ref: 00474E12

CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00474E5E
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00474E6E
ReadProcessMemory.KERNEL32(?,00000000,?,?,?,DCPERSFWBP,?,?), ref: 00474E81

Strings

DCPERSFWBP, xrefs: 00474E28

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C3E4, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47 Total matches: 32libraryloader

Similarity

Total matches: 32
API ID: FreeLibraryGetProcAddressLoadLibrary
String ID: _DCEntryPoint
API String ID: 2438569322-2130044969
Opcode ID: ab6be07d423f29e2cef18b5ad5ff21cef58c0bd0bd6b8b884c8bb9d8d911d098
Instruction ID: 3cba8b520013dd4b177f9c32272ffd10ecf318a20762e1e9fa694429cf7511db
Opcode Fuzzy Hash: B9D0C2568747D413C405200439407D90CF1AF8719F9967FA145303FAD76F09801B7527
Instruction Fuzzy Hash: 3cba8b520013dd4b177f9c32272ffd10ecf318a20762e1e9fa694429cf7511db

APIs

LoadLibraryA.KERNEL32(00000000), ref: 0048C431
GetProcAddress.KERNEL32(00000000,_DCEntryPoint,00000000,0048C473), ref: 0048C442
FreeLibrary.KERNEL32(00000000), ref: 0048C44A

Strings

_DCEntryPoint, xrefs: 0048C43C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E2E0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43 Total matches: 12

Similarity

Total matches: 12
API ID: GetSystemMetrics
String ID: B$MonitorFromRect
API String ID: 96882338-2754499530
Opcode ID: 1842a50c2a1cfa3c1025dca09d4f756f79199febb49279e4604648b2b7edb610
Instruction ID: 6b6d6292007391345a0dd43a7380953c143f03b3d0a4cb72f8cf2ff6a2a574f7
Opcode Fuzzy Hash: E0D0A791112CA408509A0917702924315EE35EBC1599C0BE6976B792E797CABD329E0D
Instruction Fuzzy Hash: 6b6d6292007391345a0dd43a7380953c143f03b3d0a4cb72f8cf2ff6a2a574f7

APIs

GetSystemMetrics.USER32(00000000), ref: 0042E331
GetSystemMetrics.USER32(00000001), ref: 0042E33D

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

MonitorFromRect, xrefs: 0042E2F5
B, xrefs: 0042E2FA, 0042E307, 0042E30E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00431584, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43 Total matches: 12clipboard

Similarity

Total matches: 12
API ID: GetClipboardDataGlobalLockGlobalUnlock
String ID: 3 H
API String ID: 1112492702-888106971
Opcode ID: 013a2f41e22a5f88135e53f1f30c1b54f125933eea5d15d528f5d163d4797a42
Instruction ID: db876d1a574ac817b8a3991f0ba770b49a36090bd3b886d1e57eba999d76a536
Opcode Fuzzy Hash: 53D0A7C3025DE267E991578C0053A92A6C0D8416087C063B0830C2E927031E50AB7063
Instruction Fuzzy Hash: db876d1a574ac817b8a3991f0ba770b49a36090bd3b886d1e57eba999d76a536

APIs

GetClipboardData.USER32(00000001), ref: 0043159A
GlobalLock.KERNEL32(00000000,00000000,004315F6), ref: 004315BA
GlobalUnlock.KERNEL32(00000000,004315FD), ref: 004315E8

Strings

3 H, xrefs: 00431590, 004315ED

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046D36C, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36 Total matches: 62

Similarity

Total matches: 62
API ID: ShellExecute
String ID: /k $[FILE]$open
API String ID: 2101921698-3009165984
Opcode ID: 68a05d7cd04e1a973318a0f22a03b327e58ffdc8906febc8617c9713a9b295c3
Instruction ID: d64fb813625eb261c687c2654e5203d30067de4ace02db37851750b48dd66fbf
Opcode Fuzzy Hash: FED0C75427CD9157FA017F8439527E61057E747281D481BE285587A0838F8D40659312
Instruction Fuzzy Hash: d64fb813625eb261c687c2654e5203d30067de4ace02db37851750b48dd66fbf

APIs

ShellExecuteA.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0046D3B9

Strings

/k , xrefs: 0046D39A
cmd.exe, xrefs: 0046D3AD
open, xrefs: 0046D3B2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042F9E4, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36 Total matches: 35libraryloader

Similarity

Total matches: 35
API ID: GetProcAddressLoadLibrary
String ID: DWMAPI.DLL$DwmExtendFrameIntoClientArea
API String ID: 3291547091-2956373744
Opcode ID: cc41b93bac7ef77e5c5829331b5f2d91e10911707bc9e4b3bb75284856726923
Instruction ID: 611aa7263024d751f308fb3d57e5af9092bc5a71ac2d52dead79affe02cb0da7
Opcode Fuzzy Hash: D0D0A7E4C08511B0F0509405703078241DE1BC5EEE8860E90150E533621B9FB827F65C
Instruction Fuzzy Hash: 611aa7263024d751f308fb3d57e5af9092bc5a71ac2d52dead79affe02cb0da7

APIs

LoadLibraryA.KERNEL32(DWMAPI.DLL), ref: 0042FA0E
GetProcAddress.KERNEL32(00000000,DwmExtendFrameIntoClientArea,?,?,?,00447F98), ref: 0042FA31

Strings

DWMAPI.DLL, xrefs: 0042FA09
DwmExtendFrameIntoClientArea, xrefs: 0042FA26

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042FA80, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31 Total matches: 41libraryloader

Similarity

Total matches: 41
API ID: GetProcAddressLoadLibrary
String ID: DWMAPI.DLL$DwmIsCompositionEnabled
API String ID: 3291547091-2128843254
Opcode ID: 903d86e3198bc805c96c7b960047695f5ec88b3268c29fda1165ed3f3bc36d22
Instruction ID: 6cdb37f6684ca359e010f835ed4616ce0f7732468e0f2b98b5f1960530870703
Opcode Fuzzy Hash: E3D0C9A5C0865175F571D509713068081FA23D6E8A8824998091A123225FAFB866F55C
Instruction Fuzzy Hash: 6cdb37f6684ca359e010f835ed4616ce0f7732468e0f2b98b5f1960530870703

APIs

LoadLibraryA.KERNEL32(DWMAPI.DLL), ref: 0042FAA6
GetProcAddress.KERNEL32(00000000,DwmIsCompositionEnabled,?,?,0042FB22,?,00447EFB), ref: 0042FAC9

Strings

DwmIsCompositionEnabled, xrefs: 0042FABE
DWMAPI.DLL, xrefs: 0042FAA1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040F4AC, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16 Total matches: 3137libraryloader

Similarity

Total matches: 3137
API ID: GetModuleHandleGetProcAddress
String ID: GetDiskFreeSpaceExA$[FILE]
API String ID: 1063276154-3559590856
Opcode ID: c33e0a58fb58839ae40c410e06ae8006a4b80140bf923832b2d6dbd30699e00d
Instruction ID: 9d6a6771c1a736381c701344b3d7b8e37c98dfc5013332f68a512772380f22cc
Opcode Fuzzy Hash: D8B09224E0D54114C4B4560930610013C82738A10E5019A820A1B720AA7CCEEA29603A
Instruction Fuzzy Hash: 9d6a6771c1a736381c701344b3d7b8e37c98dfc5013332f68a512772380f22cc

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0048F10B,00000000,0048F11E), ref: 0040F4B2
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA,kernel32.dll,?,0048F10B,00000000,0048F11E), ref: 0040F4C3

Strings

GetDiskFreeSpaceExA, xrefs: 0040F4BD
kernel32.dll, xrefs: 0040F4AD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EC20, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15 Total matches: 48libraryloader

Similarity

Total matches: 48
API ID: GetModuleHandleGetProcAddress
String ID: CoWaitForMultipleHandles$[FILE]
API String ID: 1063276154-3065170753
Opcode ID: c6d715972c75e747e6d7ad7506eebf8b4c41a2b527cd9bc54a775635c050cd0f
Instruction ID: d81c7de5bd030b21af5c52a75e3162b073d887a4de1eb555b8966bd0fb9ec815
Opcode Fuzzy Hash: 4DB012F9A0C9210CE55F44043163004ACF031C1B5F002FD461637827803F86F437631D
Instruction Fuzzy Hash: d81c7de5bd030b21af5c52a75e3162b073d887a4de1eb555b8966bd0fb9ec815

APIs

GetModuleHandleA.KERNEL32(ole32.dll,?,0042EC9A), ref: 0042EC26
GetProcAddress.KERNEL32(00000000,CoWaitForMultipleHandles,ole32.dll,?,0042EC9A), ref: 0042EC37

Strings

CoWaitForMultipleHandles, xrefs: 0042EC31
ole32.dll, xrefs: 0042EC21

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E724, Relevance: 6.2, APIs: 4, Instructions: 198 Total matches: 19

Similarity

Total matches: 19
API ID: NetApiBufferFree$NetShareEnumNetShareGetInfo
String ID:
API String ID: 1922012051-0
Opcode ID: 7e64b2910944434402afba410b58d9b92ec59018d54871fdfc00dd5faf96720b
Instruction ID: 14ccafa2cf6417a1fbed620c270814ec7f2ac7381c92f106b89344cab9500d3f
Opcode Fuzzy Hash: 522148C606BDA0ABF6A3B4C4B447FC182D07B0B96DE486B2290BABD5C20D9521079263
Instruction Fuzzy Hash: 14ccafa2cf6417a1fbed620c270814ec7f2ac7381c92f106b89344cab9500d3f

APIs

Part of subcall function 004032F8: GetCommandLineA.KERNEL32(00000000,00403349,?,?,?,00000000), ref: 0040330F

Part of subcall function 00403358: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,0046E763,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0040337C
Part of subcall function 00403358: GetCommandLineA.KERNEL32(?,?,?,0046E763,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0040338E

NetShareEnum.NETAPI32(?,00000000,?,000000FF,?,?,?,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0046E79C
NetShareGetInfo.NETAPI32(?,?,000001F6,?,00000000,0046E945,?,?,00000000,?,000000FF,?,?,?,00000000,0046E984), ref: 0046E7D5
NetApiBufferFree.NETAPI32(?,?,?,000001F6,?,00000000,0046E945,?,?,00000000,?,000000FF,?,?,?,00000000), ref: 0046E936
NetApiBufferFree.NETAPI32(?,?,00000000,?,000000FF,?,?,?,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0046E964

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00411444, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: 954335058d5fe722e048a186d9110509c96c1379a47649d8646f5b9e1a2e0a0b
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: 9D014B0327CAAA867021BB004882FA0D2D4DE52A369CD8774DB71593F62780571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004114F3
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041150F
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411586
VariantClear.OLEAUT32(?), ref: 004115AF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040D8AA, Relevance: 6.1, APIs: 4, Instructions: 101 Total matches: 2563

Similarity

Total matches: 2563
API ID: GetModuleFileName$LoadStringVirtualQuery
String ID:
API String ID: 2941097594-0
Opcode ID: 9f707685a8ca2ccbfc71ad53c7f9b5a8f910bda01de382648e3a286d4dcbad8b
Instruction ID: 9b6f9daabaaed01363acd1bc6df000eeaee8c5b1ee04e659690c8b100997f9f3
Opcode Fuzzy Hash: 4C014C024365E386F4234B112882F5492E0DB65DB1E8C6751EFB9503F65F40115EF72D
Instruction Fuzzy Hash: 9b6f9daabaaed01363acd1bc6df000eeaee8c5b1ee04e659690c8b100997f9f3

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040D8C9
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040D8ED
GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040D908
LoadStringA.USER32(00000000,0000FFED,?,00000100), ref: 0040D99E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428848, Relevance: 6.1, APIs: 4, Instructions: 83 Total matches: 2913window

Similarity

Total matches: 2913
API ID: CreateCompatibleDCRealizePaletteSelectObjectSelectPalette
String ID:
API String ID: 3833105616-0
Opcode ID: 7f49dee69bcd38fda082a6c54f39db5f53dba16227df2c2f18840f8cf7895046
Instruction ID: 29ada319a87402adac0eebea4d3b1ef9d21249ffa1523adf5174efdc3c3390a2
Opcode Fuzzy Hash: C0F0E5870BCED49BFCA7D484249722910C2F3C08DFC80A3324E55676DB9604B127A20B
Instruction Fuzzy Hash: 29ada319a87402adac0eebea4d3b1ef9d21249ffa1523adf5174efdc3c3390a2

APIs

Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE

Part of subcall function 00429D5C: GetDC.USER32(00000000), ref: 00429DB2
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429DC7
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00429DD1
Part of subcall function 00429D5C: CreateHalftonePalette.GDI32(00000000), ref: 00429DF5
Part of subcall function 00429D5C: ReleaseDC.USER32(00000000,00000000), ref: 00429E00

CreateCompatibleDC.GDI32(00000000), ref: 0042889D
SelectObject.GDI32(00000000,?), ref: 004288B6
SelectPalette.GDI32(00000000,?,000000FF), ref: 004288DF
RealizePalette.GDI32(00000000), ref: 004288EB

Part of subcall function 00425608: LeaveCriticalSection.KERNEL32(00000038,00000000,00423DD2,00423DE8), ref: 0042560F
Part of subcall function 00425608: EnterCriticalSection.KERNEL32(00499A30,00000038,00000000,00423DD2,00423DE8), ref: 00425619
Part of subcall function 00425608: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000038,00000000,00423DD2,00423DE8), ref: 00425626

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00470B94, Relevance: 6.1, APIs: 4, Instructions: 73 Total matches: 22file

Similarity

Total matches: 22
API ID: DragQueryFile$GlobalLockGlobalUnlock
String ID:
API String ID: 367920443-0
Opcode ID: 498cda1e803d17a6f5118466ea9165dd9226bd8025a920d397bde98fe09ca515
Instruction ID: b8ae27aaf29c7a970dfd4945759f76c89711bef1c6f8db22077be54f479f9734
Opcode Fuzzy Hash: F8F05C830F79E26BD5013A844E0179401A17B03DB8F147BB2D232729DC4E5D409DF60F
Instruction Fuzzy Hash: b8ae27aaf29c7a970dfd4945759f76c89711bef1c6f8db22077be54f479f9734

APIs

Part of subcall function 00431970: GetClipboardData.USER32(00000000), ref: 00431996

GlobalLock.KERNEL32(00000000,00000000,00470C74), ref: 00470BDE
DragQueryFileA.SHELL32(?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470BF0
DragQueryFileA.SHELL32(?,00000000,?,00000105,?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470C10
GlobalUnlock.KERNEL32(00000000,?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470C56

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00438710, Relevance: 6.1, APIs: 4, Instructions: 72 Total matches: 3034window

Similarity

Total matches: 3034
API ID: GetMenuItemIDGetMenuStateGetMenuStringGetSubMenu
String ID:
API String ID: 4177512249-0
Opcode ID: ecc45265f1f2dfcabc36b66648e37788e83d83d46efca9de613be41cbe9cf08e
Instruction ID: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d
Opcode Fuzzy Hash: BEE020084B1FC552541F0A4A1573F019140E142CB69C3F3635127565B31A255213F776
Instruction Fuzzy Hash: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d

APIs

GetMenuState.USER32(?,?,?), ref: 00438733
GetSubMenu.USER32(?,?), ref: 0043873E
GetMenuItemID.USER32(?,?), ref: 00438757
GetMenuStringA.USER32(?,?,?,?,?), ref: 004387AA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00445518, Relevance: 6.1, APIs: 4, Instructions: 71 Total matches: 218threadwindow

Similarity

Total matches: 218
API ID: GetCurrentProcessIdGetWindowGetWindowThreadProcessIdIsWindowVisible
String ID:
API String ID: 3659984437-0
Opcode ID: 6a2b99e3a66d445235cbeb6ae27631a3038d73fb4110980a8511166327fee1f0
Instruction ID: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8
Opcode Fuzzy Hash: 82E0AB21B2AA28AAE0971541B01939130B3F74ED9ACC0A3626F8594BD92F253809E74F
Instruction Fuzzy Hash: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8

APIs

GetWindow.USER32(?,00000004), ref: 00445528
GetWindowThreadProcessId.USER32(?,?), ref: 00445542
GetCurrentProcessId.KERNEL32(?,00000004), ref: 0044554E
IsWindowVisible.USER32(?), ref: 0044559E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B29C, Relevance: 6.1, APIs: 4, Instructions: 58 Total matches: 214window

Similarity

Total matches: 214
API ID: DeleteObject$GetIconInfoGetObject
String ID:
API String ID: 3019347292-0
Opcode ID: d6af2631bec08fa1cf173fc10c555d988242e386d2638a025981433367bbd086
Instruction ID: 7fbc048e39f9dd6e6db5f40543e5f161b145f4c2f282fe4a446dbd8e1941d375
Opcode Fuzzy Hash: F7D0C283228DE2F7ED767D983A636154085F782297C6423B00444730860A1E700C6A03
Instruction Fuzzy Hash: 7fbc048e39f9dd6e6db5f40543e5f161b145f4c2f282fe4a446dbd8e1941d375

APIs

GetIconInfo.USER32(?,?), ref: 0042B2BD
GetObjectA.GDI32(?,00000018,?), ref: 0042B2DE
DeleteObject.GDI32(?), ref: 0042B30A
DeleteObject.GDI32(?), ref: 0042B313

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00445334, Relevance: 6.1, APIs: 4, Instructions: 56 Total matches: 2678

Similarity

Total matches: 2678
API ID: EnumWindowsGetWindowGetWindowLongSetWindowPos
String ID:
API String ID: 1660305372-0
Opcode ID: c3d012854d63b95cd89c42a77d529bdce0f7c5ea0abc138a70ce1ca7fb0ed027
Instruction ID: 7947c1ee61b3a945b06f79495752ea495d4a1fb36974d9d540e15b721e8a8e8a
Opcode Fuzzy Hash: 65E07D89179DA114F52124400911F043342F3D731BD1ADF814246283E39B8522BBFB8C
Instruction Fuzzy Hash: 7947c1ee61b3a945b06f79495752ea495d4a1fb36974d9d540e15b721e8a8e8a

APIs

EnumWindows.USER32(Function_000452BC), ref: 0044535E
GetWindow.USER32(?,00000003), ref: 00445376
GetWindowLongA.USER32(00000000,000000EC), ref: 00445383
SetWindowPos.USER32(00000000,000000EC,00000000,00000000,00000000,00000000,00000213), ref: 004453C2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004314A0, Relevance: 6.1, APIs: 4, Instructions: 56 Total matches: 21memoryclipboard

Similarity

Total matches: 21
API ID: GlobalAllocGlobalLockGlobalUnlockSetClipboardData
String ID:
API String ID: 3535573752-0
Opcode ID: f0e50475fe096c382d27ee33e947bcf8d55d19edebb1ed8108c2663ee63934e9
Instruction ID: 2742e8ac83e55c90e50d408429e67af57535f67fab21309796ee5989aaacba5e
Opcode Fuzzy Hash: D7E0C250025CF01BF9CA69CD3C97E86D2D2DA402649D46FB58258A78B3222E6049E50B
Instruction Fuzzy Hash: 2742e8ac83e55c90e50d408429e67af57535f67fab21309796ee5989aaacba5e

APIs

GlobalAlloc.KERNEL32(00002002,?,00000000,00431572), ref: 004314CF
GlobalLock.KERNEL32(?,00000000,00431544,?,00002002,?,00000000,00431572), ref: 004314E9
SetClipboardData.USER32(?,?), ref: 00431517
GlobalUnlock.KERNEL32(?,0043153A,?,00000000,00431544,?,00002002,?,00000000,00431572), ref: 0043152D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040A404, Relevance: 6.1, APIs: 4, Instructions: 54 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: c8f11cb17e652d385e55d6399cfebc752614be738e382b5839b86fc73ea86396
Instruction ID: 2e292ce978d1af3d415e66e5b982e49a92b9d84a3d1479b7871fac408542b61b
Opcode Fuzzy Hash: 32D02B030B309613452F157D0441F8D7032488F01A96C2F8C37B77ABA68505605FFE4C
Instruction Fuzzy Hash: 2e292ce978d1af3d415e66e5b982e49a92b9d84a3d1479b7871fac408542b61b

APIs

FindNextFileA.KERNEL32(?,?), ref: 0040A415
GetLastError.KERNEL32(?,?), ref: 0040A41E
FileTimeToLocalFileTime.KERNEL32(?), ref: 0040A434
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 0040A443

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0041C2D4, Relevance: 6.1, APIs: 4, Instructions: 51 Total matches: 4966

Similarity

Total matches: 4966
API ID: FindResourceLoadResourceLockResourceSizeofResource
String ID:
API String ID: 3653323225-0
Opcode ID: 735dd83644160b8dcfdcb5d85422b4d269a070ba32dbf009b7750e227a354687
Instruction ID: 615d07274e164157e3e11310b2f920de543c2506028dc961f8b3aaf64374c2fd
Opcode Fuzzy Hash: 4BD0A90A2268C100582C2C80002BBC610830A5FE226CC27F902231BBC32C026024F8C4
Instruction Fuzzy Hash: 615d07274e164157e3e11310b2f920de543c2506028dc961f8b3aaf64374c2fd

APIs

FindResourceA.KERNEL32(?,?,?), ref: 0041C2EB
LoadResource.KERNEL32(?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C305
SizeofResource.KERNEL32(?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C31F
LockResource.KERNEL32(0041BDF4,00000000,?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000), ref: 0041C329

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040A3AC, Relevance: 6.0, APIs: 4, Instructions: 40 Total matches: 51time

Similarity

Total matches: 51
API ID: DosDateTimeToFileTimeGetLastErrorLocalFileTimeToFileTimeSetFileTime
String ID:
API String ID: 3095628216-0
Opcode ID: dc7fe683cb9960f76d0248ee31fd3249d04fe76d6d0b465a838fe0f3e66d3351
Instruction ID: c3399427300e97a0bf23ec08d7f996c3ab3c22a86554ee3675cd901d102723b3
Opcode Fuzzy Hash: F2C0803B165157D71F4F7D7C600375011F0D1778230955B614E019718D4E05F01EFD86
Instruction Fuzzy Hash: c3399427300e97a0bf23ec08d7f996c3ab3c22a86554ee3675cd901d102723b3

APIs

DosDateTimeToFileTime.KERNEL32(?,0048C37F,?), ref: 0040A3C9
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0040A3DA
SetFileTime.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3EC
GetLastError.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3F5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00484388, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 39

Similarity

Total matches: 39
API ID: CloseHandleGetExitCodeProcessOpenProcessTerminateProcess
String ID:
API String ID: 2790531620-0
Opcode ID: 2f64381cbc02908b23ac036d446d8aeed05bad4df5f4c3da9e72e60ace7043ae
Instruction ID: e830ae185e03603e72926048c7063e7464f7d8c572e36ef4319c937be7ad0c91
Opcode Fuzzy Hash: 5DC01285079EAB7B643571D825437E14084D5026CCB943B7185045F10B4B09B43DF053
Instruction Fuzzy Hash: e830ae185e03603e72926048c7063e7464f7d8c572e36ef4319c937be7ad0c91

APIs

OpenProcess.KERNEL32(00000001,00000000,00000000), ref: 00484393
GetExitCodeProcess.KERNEL32(00000000,?), ref: 004843B7
TerminateProcess.KERNEL32(00000000,?,00000000,004843E0,?,00000001,00000000,00000000), ref: 004843C4
CloseHandle.KERNEL32(00000000), ref: 004843DA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044E254, Relevance: 6.0, APIs: 4, Instructions: 37 Total matches: 5751thread

Similarity

Total matches: 5751
API ID: GetCurrentProcessIdGetPropGetWindowThreadProcessIdGlobalFindAtom
String ID:
API String ID: 142914623-0
Opcode ID: 055fee701d7a26f26194a738d8cffb303ddbdfec43439e02886190190dab2487
Instruction ID: e9689aead5eaf442059aa2d418bca5d111d08576717f72d926dd49825766799b
Opcode Fuzzy Hash: 0AC02203AD2E23870E4202F2E840907219583DF8720CA370201B0E38C023F0461DFF0C
Instruction Fuzzy Hash: e9689aead5eaf442059aa2d418bca5d111d08576717f72d926dd49825766799b

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 0044E261
GetCurrentProcessId.KERNEL32(00000000,?,?,-00000010,00000000,0044E2CC,-000000F7,?,00000000,0044DE86,?,-00000010,?), ref: 0044E26A
GlobalFindAtomA.KERNEL32(00000000), ref: 0044E27F
GetPropA.USER32(00000000,00000000), ref: 0044E296

Part of subcall function 0044D2C0: GetWindowThreadProcessId.USER32(?), ref: 0044D2C6
Part of subcall function 0044D2C0: GetCurrentProcessId.KERNEL32(?,?,?,?,0044D346,?,00000000,?,004387ED,?,004378A9), ref: 0044D2CF
Part of subcall function 0044D2C0: SendMessageA.USER32(?,0000C1C7,00000000,00000000), ref: 0044D2E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444B1C, Relevance: 6.0, APIs: 4, Instructions: 34 Total matches: 2966thread

Similarity

Total matches: 2966
API ID: CreateEventCreateThreadGetCurrentThreadIdSetWindowsHookEx
String ID:
API String ID: 2240124278-0
Opcode ID: 54442a1563c67a11f9aee4190ed64b51599c5b098d388fde65e2e60bb6332aef
Instruction ID: 25b62da08cecef26c395931cea73ffe9b62582a88be241cbb158b3c9ea13de32
Opcode Fuzzy Hash: 37D0C940B0DE75C4F860630138017A90633234BF1BCD1C316480F76041C6CFAEF07A28
Instruction Fuzzy Hash: 25b62da08cecef26c395931cea73ffe9b62582a88be241cbb158b3c9ea13de32

APIs

GetCurrentThreadId.KERNEL32(?,00447A69,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00444B34
SetWindowsHookExA.USER32(00000003,00444AD8,00000000,00000000), ref: 00444B44
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00447A69,?,?,?,?,?,?,?,?,?,?), ref: 00444B5F
CreateThread.KERNEL32(00000000,000003E8,00444A7C,00000000,00000000), ref: 00444B83

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B438, Relevance: 6.0, APIs: 4, Instructions: 29 Total matches: 789

Similarity

Total matches: 789
API ID: GetDCGetTextMetricsReleaseDCSelectObject
String ID:
API String ID: 1769665799-0
Opcode ID: db772d9cc67723a7a89e04e615052b16571c955da3e3b2639a45f22e65d23681
Instruction ID: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3
Opcode Fuzzy Hash: DCC02B935A2888C32DE51FC0940084317C8C0E3A248C62212E13D400727F0C007CBFC0
Instruction Fuzzy Hash: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3

APIs

GetDC.USER32(00000000), ref: 0042B441
SelectObject.GDI32(00000000,018A002E), ref: 0042B453
GetTextMetricsA.GDI32(00000000), ref: 0042B45E
ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042473C, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 172 Total matches: 108

Similarity

Total matches: 108
API ID: CompareStringCreateFontIndirect
String ID: Default
API String ID: 480662435-753088835
Opcode ID: 55710f22f10b58c86f866be5b7f1af69a0ec313069c5af8c9f5cd005ee0f43f8
Instruction ID: ad4a051fb67a15694052d05548e5e2a92b9daedfa5d673be67c756d1cf269a99
Opcode Fuzzy Hash: F6116A2104DDB067F8B3EC94B64A74A79D1BBC5E9EC00FB303AA57198A0B01500EEB0E
Instruction Fuzzy Hash: ad4a051fb67a15694052d05548e5e2a92b9daedfa5d673be67c756d1cf269a99

APIs

Part of subcall function 00423A1C: EnterCriticalSection.KERNEL32(?,00423A59), ref: 00423A20

CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,00424930,?,00000000,00424958), ref: 0042486B
CreateFontIndirectA.GDI32(?), ref: 0042490D

Part of subcall function 0042B438: GetDC.USER32(00000000), ref: 0042B441
Part of subcall function 0042B438: SelectObject.GDI32(00000000,018A002E), ref: 0042B453
Part of subcall function 0042B438: GetTextMetricsA.GDI32(00000000), ref: 0042B45E
Part of subcall function 0042B438: ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Part of subcall function 00423A28: LeaveCriticalSection.KERNEL32(-00000008,00423B07,00423B0F), ref: 00423A2C

Strings

Default, xrefs: 00424832, 00424840, 00424841

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045E7B4, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108 Total matches: 16

Similarity

Total matches: 16
API ID: GetActiveObject
String ID: E
API String ID: 888827201-3568589458
Opcode ID: 40ff121eecf195b3d4325bc1369df9dba976ca9c7c575cd6fc43b4b0f55e6955
Instruction ID: ab5b10c220aec983b32735e40d91a884d9f08e665b5304ccd80c3bfe0421d5f3
Opcode Fuzzy Hash: 13019E441FFC9152E583688426C3F4932B26B4FB4AD88B7271A77636A99905000FEE66
Instruction Fuzzy Hash: ab5b10c220aec983b32735e40d91a884d9f08e665b5304ccd80c3bfe0421d5f3

APIs

GetActiveObject.OLEAUT32(?,00000000,00000000), ref: 0045E817

Part of subcall function 0042BE18: ProgIDFromCLSID.OLE32(?), ref: 0042BE21
Part of subcall function 0042BE18: CoTaskMemFree.OLE32(00000000), ref: 0042BE39

Part of subcall function 0042BD90: StringFromCLSID.OLE32(?), ref: 0042BD99
Part of subcall function 0042BD90: CoTaskMemFree.OLE32(00000000), ref: 0042BDB1

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetActiveObject.OLEAUT32(?,00000000,00000000), ref: 0045E89E

Part of subcall function 0042BF5C: GetComputerNameA.KERNEL32(?,00000010), ref: 0042C00D
Part of subcall function 0042BF5C: CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,?,00000000,0042C0FD), ref: 0042C07D
Part of subcall function 0042BF5C: CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 0042C0B6

Part of subcall function 00405D28: SysFreeString.OLEAUT32(7942540A), ref: 00405D36

Part of subcall function 0042BE44: CoCreateInstance.OLE32(?,00000000,00000005,0042BF34,00000000), ref: 0042BE8B

Strings

E, xrefs: 0045E85F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E3F0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103 Total matches: 30

Similarity

Total matches: 30
API ID: SHGetPathFromIDListSHGetSpecialFolderLocation
String ID: .LNK
API String ID: 739551631-2547878182
Opcode ID: 6b91e9416f314731ca35917c4d41f2341f1eaddd7b94683245f35c4551080332
Instruction ID: e6ae6f63a256f5e8788dfe1c4fce17057cd352befa637d7beb5ae1c0f18a968e
Opcode Fuzzy Hash: 9701B543079EC2A3D9232E512D43BA60129AF11E22F4C77F35A3C3A7D11E500105FA4A
Instruction Fuzzy Hash: e6ae6f63a256f5e8788dfe1c4fce17057cd352befa637d7beb5ae1c0f18a968e

APIs

SHGetSpecialFolderLocation.SHELL32(00000000,00000010,?), ref: 0046E44B
SHGetPathFromIDListA.SHELL32(?,?,00000000,00000010,?,00000000,0046E55E), ref: 0046E463

Part of subcall function 0042BE44: CoCreateInstance.OLE32(?,00000000,00000005,0042BF34,00000000), ref: 0042BE8B

Strings

.LNK, xrefs: 0046E4DE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00472C70, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 98 Total matches: 26

Similarity

Total matches: 26
API ID: SetFileAttributes
String ID: I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!$drivers\etc\hosts
API String ID: 3201317690-57959411
Opcode ID: de1fcf5289fd0d37c0d7642ff538b0d3acf26fbf7f5b53187118226b7e9f9585
Instruction ID: 1f69c6cfd5524e6f1e55c33e322de11738733e7ba85079705839c212502733fc
Opcode Fuzzy Hash: C4012B430F74D723D5173D857800B8922764B4A179D4A77F34B3B796E14E45101BF26D
Instruction Fuzzy Hash: 1f69c6cfd5524e6f1e55c33e322de11738733e7ba85079705839c212502733fc

APIs

Part of subcall function 004719C8: GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 004719DF

SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00472DAB,?,00000000,00472DE7), ref: 00472D16

Strings

drivers\etc\hosts, xrefs: 00472CD3, 00472D00
I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!, xrefs: 00472D8D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004629C0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 91 Total matches: 35com

Similarity

Total matches: 35
API ID: CoCreateInstance
String ID: <*I$L*I
API String ID: 206711758-935359969
Opcode ID: 926ebed84de1c4f5a0cff4f8c2e2da7e6b2741b3f47b898da21fef629141a3d9
Instruction ID: fa8d7291222113e0245fa84df17397d490cbd8a09a55d837a8cb9fde22732a4b
Opcode Fuzzy Hash: 79F02EA00A6B5057F502728428413DB0157E74BF09F48EB715253335860F29E22A6903
Instruction Fuzzy Hash: fa8d7291222113e0245fa84df17397d490cbd8a09a55d837a8cb9fde22732a4b

APIs

CoCreateInstance.OLE32(00492A3C,00000000,00000001,0049299C,00000000), ref: 00462A3F

Strings

<*I, xrefs: 00462A39
L*I, xrefs: 00462A60

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004658F4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91 Total matches: 91memory

Similarity

Total matches: 91
API ID: VirtualFreeVirtualProtect
String ID: FinalizeSections: VirtualProtect failed
API String ID: 636303360-3584865983
Opcode ID: eacfc3cf263d000af2bbea4d1e95e0ccf08e91c00f24ffdf9b55ce997f25413f
Instruction ID: a25c5a888a9fda5817e5b780509016ca40cf7ffd1ade20052d4c48f0177e32df
Opcode Fuzzy Hash: 8CF0A7A2164FC596D9E4360D5003B96A44B6BC1369D4857412FFF106F35E46A06B7D4C
Instruction Fuzzy Hash: a25c5a888a9fda5817e5b780509016ca40cf7ffd1ade20052d4c48f0177e32df

APIs

VirtualFree.KERNEL32(?,?,00004000), ref: 00465939
VirtualProtect.KERNEL32(?,?,00000000,?), ref: 004659A5

Strings

FinalizeSections: VirtualProtect failed, xrefs: 004659B3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00404B2E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83 Total matches: 27

Similarity

Total matches: 27
API ID: UnhandledExceptionFilter
String ID: @
API String ID: 324268079-2726393805
Opcode ID: 404135c81fb2f5f5ca58f8e75217e0a603ea6e07d48b6f32e279dfa7f56b0152
Instruction ID: c84c814e983b35b1fb5dae0ae7b91a26e19a660e9c4fa24becd8f1ddc27af483
Opcode Fuzzy Hash: CDF0246287E8612AD0BB6641389337E1451EF8189DC88DB307C9A306FB1A4D22A4F34C
Instruction Fuzzy Hash: c84c814e983b35b1fb5dae0ae7b91a26e19a660e9c4fa24becd8f1ddc27af483

APIs

UnhandledExceptionFilter.KERNEL32(00000006), ref: 00404B9A
UnhandledExceptionFilter.KERNEL32(?), ref: 00404BD7

Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00000000,00403029), ref: 004076AD
Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00403029), ref: 004076BE

Strings

@, xrefs: 00404B55

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040C028, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79 Total matches: 3032thread

Similarity

Total matches: 3032
API ID: GetDateFormatGetThreadLocale
String ID: yyyy
API String ID: 358233383-3145165042
Opcode ID: a9ef5bbd8ef47e5bcae7fadb254d6b5dc10943448e4061dc92b10bb97dc7929c
Instruction ID: 3d7ab4add3e8180159f8482215856afc9a1a963464e366b4ca05c92ac214afea
Opcode Fuzzy Hash: 09F09E4A0397D3D76802C969D023BC10194EB5A8B2C88B3B1DBB43D7F74C10C40AAF21
Instruction Fuzzy Hash: 3d7ab4add3e8180159f8482215856afc9a1a963464e366b4ca05c92ac214afea

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,0040C116), ref: 0040C0AE
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100), ref: 0040C0B4

Strings

yyyy, xrefs: 0040C089

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004889F0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 72 Total matches: 20

Similarity

Total matches: 20
API ID: GetMonitorInfo
String ID: H$MONSIZE
API String ID: 2399315694-578782711
Opcode ID: fcbd22419a9fe211802b34775feeb9b9cd5c1eab3f2b681a58b96c928ed20dcd
Instruction ID: 58dff39716ab95f400833e95f8353658d64ab2bf0589c4ada55bb24297febcec
Opcode Fuzzy Hash: A0F0E957075E9D5BE7326D883C177C042D82342C5AE8EB75741B9329B20D59511DF3C9
Instruction Fuzzy Hash: 58dff39716ab95f400833e95f8353658d64ab2bf0589c4ada55bb24297febcec

APIs

GetMonitorInfoA.USER32(?,00000048), ref: 00488A28

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

H, xrefs: 00488A19
MONSIZE, xrefs: 00488A65

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486210, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66 Total matches: 14network

Similarity

Total matches: 14
API ID: recvsend
String ID: EndReceive
API String ID: 740075404-1723565878
Opcode ID: 0642aeb2bf09005660d41f125a1d03baad4e76b78f36ec5b7dd5d239cf09d5cc
Instruction ID: 216cfea4cb83c20b808547ecb65d31b60c96cf6878345f9c489041ca4988cdb5
Opcode Fuzzy Hash: 4FE02B06133A455DE6270580341A3C7F947772B705E47D7F14FA4311DACA43322AE70B
Instruction Fuzzy Hash: 216cfea4cb83c20b808547ecb65d31b60c96cf6878345f9c489041ca4988cdb5

APIs

Part of subcall function 00466470: acmStreamConvert.MSACM32(?,00000108,00000000), ref: 004664AB
Part of subcall function 00466470: acmStreamReset.MSACM32(?,00000000,?,00000108,00000000), ref: 004664B9

send.WSOCK32(00000000,0049A3A0,00000000,00000000), ref: 004862AA
recv.WSOCK32(00000000,0049A3A0,00001FFF,00000000,00000000,0049A3A0,00000000,00000000), ref: 004862C1

Part of subcall function 00475F68: send.WSOCK32(?,00000000,?,00000000,00000000,00475FCA), ref: 00475FAF

Strings

EndReceive, xrefs: 004862CA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004843EC, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52 Total matches: 15

Similarity

Total matches: 15
API ID: CloseHandleOpenProcess
String ID: ACCESS DENIED (x64)
API String ID: 39102293-185273294
Opcode ID: a572bc7c6731d9d91b92c5675ac9d9d4c0009ce4d4d6c6579680fd2629dc7de7
Instruction ID: 96dec37c68e2c881eb92ad81010518019459718a977f0d9739e81baf42475d3b
Opcode Fuzzy Hash: EBE072420B68F08FB4738298640028100C6AE862BCC486BB5523B391DB4E49A008B6A3
Instruction Fuzzy Hash: 96dec37c68e2c881eb92ad81010518019459718a977f0d9739e81baf42475d3b

APIs

OpenProcess.KERNEL32(001F0FFF,00000000), ref: 0048440F
CloseHandle.KERNEL32(00000000), ref: 00484475

Strings

ACCESS DENIED (x64), xrefs: 004843FD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E408, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44 Total matches: 2190

Similarity

Total matches: 2190
API ID: GetSystemMetrics
String ID: MonitorFromPoint
API String ID: 96882338-1072306578
Opcode ID: 666203dad349f535e62b1e5569e849ebaf95d902ba2aa8f549115cec9aadc9dc
Instruction ID: 9e90a3aeaa9df0e76633c437836624889fea8714b6c2508f44f8acb6986c90e8
Opcode Fuzzy Hash: 72D09540005C404E9427F505302314050862CD7C1444C0A96073728A4B4BC07837E70C
Instruction Fuzzy Hash: 9e90a3aeaa9df0e76633c437836624889fea8714b6c2508f44f8acb6986c90e8

APIs

GetSystemMetrics.USER32(00000000), ref: 0042E456
GetSystemMetrics.USER32(00000001), ref: 0042E468

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

MonitorFromPoint, xrefs: 0042E41A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00405026, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43 Total matches: 29

Similarity

Total matches: 29
API ID: UnhandledExceptionFilter
String ID: @$@
API String ID: 324268079-1993891284
Opcode ID: 08651bee2e51f7c203f2bcbc4971cbf38b3c12a2f284cd033f2f36121a1f9316
Instruction ID: 09869fe21a55f28103c5e2f74b220912f521d4c5ca74f0421fb5e508a020f7c0
Opcode Fuzzy Hash: 83E0CD9917D5514BE0755684259671E1051EF05825C4A8F316D173C1FB151A11E4F77C
Instruction Fuzzy Hash: 09869fe21a55f28103c5e2f74b220912f521d4c5ca74f0421fb5e508a020f7c0

APIs

UnhandledExceptionFilter.KERNEL32(00000006), ref: 00405047

Strings

@, xrefs: 00405080
@, xrefs: 004050A2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004319C4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43 Total matches: 10clipboard

Similarity

Total matches: 10
API ID: EnumClipboardFormats
String ID: 84B
API String ID: 3596886676-4139892337
Opcode ID: b1462d8625ddb51b2d31736c791a41412de0acc99cd040f5562c49b894f36a34
Instruction ID: 9fe3e5fa4cb89e8a0f94f97538fc14217740b2e6ec0d3bb9a3290716fcbe2ff9
Opcode Fuzzy Hash: 96D0A79223ECD863E9EC2359145BD47254F08D22554440B315E1B6DA13E520181FF58F
Instruction Fuzzy Hash: 9fe3e5fa4cb89e8a0f94f97538fc14217740b2e6ec0d3bb9a3290716fcbe2ff9

APIs

EnumClipboardFormats.USER32(00000000), ref: 004319E8
EnumClipboardFormats.USER32(00000000), ref: 00431A0E

Strings

84B, xrefs: 004319F6

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00422188, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42 Total matches: 16registry

Similarity

Total matches: 16
API ID: RegSetValueEx
String ID: NoControlPanel$tdA
API String ID: 3711155140-1355984343
Opcode ID: 5e8bf8497a5466fff8bc5eb4e146d5dc6a0602752481f5dd4d5504146fb4de3d
Instruction ID: cdf02c1bfc0658aace9b7e9a135c824c3cff313d703079df6a374eed0d2e646e
Opcode Fuzzy Hash: E2D0A75C074881C524D914CC3111E01228593157AA49C3F52875D627F70E00E038DD1E
Instruction Fuzzy Hash: cdf02c1bfc0658aace9b7e9a135c824c3cff313d703079df6a374eed0d2e646e

APIs

RegSetValueExA.ADVAPI32(?,00000000,00000000,00000000,?,?,004724E0,00000000,004724E0), ref: 004221BA

Strings

NoControlPanel, xrefs: 00422188
tdA, xrefs: 004221D0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E258, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39 Total matches: 3131

Similarity

Total matches: 3131
API ID: GetSystemMetrics
String ID: GetSystemMetrics
API String ID: 96882338-96882338
Opcode ID: bbc54e4b5041dfa08de2230ef90e8f32e1264c6e24ec09b97715d86cc98d23e9
Instruction ID: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c
Opcode Fuzzy Hash: B4D0A941986AA908E0AF511971A336358D163D2EA0C8C8362308B329EB5741B520AB01
Instruction Fuzzy Hash: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c

APIs

GetSystemMetrics.USER32(?), ref: 0042E2BA

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

GetSystemMetrics.USER32(?), ref: 0042E280

Strings

GetSystemMetrics, xrefs: 0042E268

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Process Name: New Purchase Order No.0567.exe Analysis ID: 64048

General

Root Process Name:	regdrv.exe
Process MD5:	76E104EBA0BB25DA3B345C6F351BAF42
Total matches:	226
Initial Analysis Report:	Open
Initial sample Analysis ID:	64048
Initial sample SHA 256:	8D88DAFBDE4072958A6B433F70F0131D88D8579B0A43EEADCB50B8E006ED8116
Initial sample name:	New Purchase Order No.056.exe

Similar Executed Functions

Function 004818F8, Relevance: 49.2, APIs: 10, Strings: 18, Instructions: 236 Total matches: 18keyboard

Similarity

Total matches: 18
API ID: GetKeyState$CallNextHookEx$GetKeyboardStateMapVirtualKeyToAscii
String ID: [<-]$[DEL]$[DOWN]$[ESC]$[F1]$[F2]$[F3]$[F4]$[F5]$[F6]$[F7]$[F8]$[INS]$[LEFT]$[NUM_LOCK]$[RIGHT]$[SNAPSHOT]$[UP]
API String ID: 2409940449-52828794
Opcode ID: b9566e8c43a4051c07ac84d60916a303a7beb698efc358184a9cd4bc7b664fbd
Instruction ID: 41c13876561f3d94aafb9dcaf6d0e9d475a0720bb5103e60537e1bfe84b96b73
Opcode Fuzzy Hash: 0731B68AA7159623D437E2D97101B910227BF975D0CC1A3333EDA3CAE99E900114BF25
Instruction Fuzzy Hash: 41c13876561f3d94aafb9dcaf6d0e9d475a0720bb5103e60537e1bfe84b96b73

APIs

CallNextHookEx.USER32(000601F9,00000000,?,?), ref: 00481948

Part of subcall function 004818E0: MapVirtualKeyA.USER32(00000000,00000000), ref: 004818E6

CallNextHookEx.USER32(000601F9,00000000,00000100,?), ref: 0048198C
GetKeyState.USER32(00000014), ref: 00481C4E
GetKeyState.USER32(00000011), ref: 00481C60
GetKeyState.USER32(000000A0), ref: 00481C75
GetKeyState.USER32(000000A1), ref: 00481C8A
GetKeyboardState.USER32(?), ref: 00481CA5
MapVirtualKeyA.USER32(00000000,00000000), ref: 00481CD7
ToAscii.USER32(00000000,00000000,00000000,00000000,?), ref: 00481CDE

Part of subcall function 00481318: ExitThread.KERNEL32(00000000,00000000,00481687,?,00000000,004816C3,?,?,?,?,0000000C,00000000,00000000), ref: 0048135E
Part of subcall function 00481318: CreateThread.KERNEL32(00000000,00000000,Function_000810D4,00000000,00000000,00499F94), ref: 0048162D

CallNextHookEx.USER32(000601F9,00000000,?,?), ref: 00481D3C

Strings

[LEFT], xrefs: 00481C07
[F3], xrefs: 00481B65
[DOWN], xrefs: 00481C2B
[<-], xrefs: 00481B1D
[NUM_LOCK], xrefs: 00481B2F
[RIGHT], xrefs: 00481C19
[F7], xrefs: 00481BAD
[DEL], xrefs: 00481BD1
[UP], xrefs: 00481C3D
[F4], xrefs: 00481B77
[ESC], xrefs: 00481AE7
[F8], xrefs: 00481BBF
[F5], xrefs: 00481B89
[F1], xrefs: 00481B41
[INS], xrefs: 00481BE3
[F6], xrefs: 00481B9B
[SNAPSHOT], xrefs: 00481BF5
[F2], xrefs: 00481B53

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00406C2C, Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184 Total matches: 2899registrystringlibrary

Similarity

Total matches: 2899
API ID: lstrcpyn$LoadLibraryExRegOpenKeyEx$RegQueryValueEx$GetLocaleInfoGetModuleFileNameGetThreadLocaleRegCloseKeylstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 3567661987-2375825460
Opcode ID: a3b1251d448c01bd6f1cc1c42774547fa8a2e6c4aa6bafad0bbf1d0ca6416942
Instruction ID: a303aaa8438224c55303324eb01105260f59544aa3820bfcbc018d52edb30607
Opcode Fuzzy Hash: 7311914307969393E8871B6124157D513A5AF01F30E4A7BF275F0206EABE46110CFA06
Instruction Fuzzy Hash: a303aaa8438224c55303324eb01105260f59544aa3820bfcbc018d52edb30607

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,00400000,004917C0), ref: 00406C48
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,004917C0), ref: 00406C66
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,004917C0), ref: 00406C84
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00406CA2

Part of subcall function 00406A68: GetModuleHandleA.KERNEL32(kernel32.dll,?,00400000,004917C0), ref: 00406A85
Part of subcall function 00406A68: GetProcAddress.KERNEL32(?,GetLongPathNameA,kernel32.dll,?,00400000,004917C0), ref: 00406A9C
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,?,00400000,004917C0), ref: 00406ACC
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B30
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B66
Part of subcall function 00406A68: FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B79
Part of subcall function 00406A68: FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B8B
Part of subcall function 00406A68: lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B97
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000), ref: 00406BCB
Part of subcall function 00406A68: lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00406BD7
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 00406BF9

RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,00406D31,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00406CEB
RegQueryValueExA.ADVAPI32(?,00406E98,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00406D31,?,80000001), ref: 00406D09
RegCloseKey.ADVAPI32(?,00406D38,00000000,?,?,00000000,00406D31,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00406D2B
lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00406D48
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00406D55
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00406D5B
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00406D86
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406DCD
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406DDD
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406E05
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406E15
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00406E3B
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 00406E4B

Strings

Software\Borland\Locales, xrefs: 00406C5C, 00406C7A
Software\Borland\Delphi\Locales, xrefs: 00406C98

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00406D38, Relevance: 15.1, APIs: 10, Instructions: 98 Total matches: 2843stringlibrarythread

Similarity

Total matches: 2843
API ID: lstrcpyn$LoadLibraryEx$GetLocaleInfoGetThreadLocalelstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 2476548892-2375825460
Opcode ID: 37afa4b59127376f4a6833a35b99071d0dffa887068a3353cca0b5e1e5cd2bc3
Instruction ID: 0c520f96d45b86b238466289d2a994e593252e78d5c30d2048b7af96496f657b
Opcode Fuzzy Hash: 4CF0C883479793A7E04B1B422916AC853A4AF00F30F577BE1B970147FE7D1B240CA519
Instruction Fuzzy Hash: 0c520f96d45b86b238466289d2a994e593252e78d5c30d2048b7af96496f657b

APIs

lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00406D48
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00406D55
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00406D5B
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00406D86
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406DCD
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406DDD
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406E05
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406E15
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00406E3B
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 00406E4B

Strings

Software\Borland\Locales, xrefs: 00406C5C, 00406C7A
Software\Borland\Delphi\Locales, xrefs: 00406C98

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AEA8, Relevance: 9.1, APIs: 6, Instructions: 108 Total matches: 122

Similarity

Total matches: 122
API ID: AdjustTokenPrivilegesCloseHandleGetCurrentProcessGetLastErrorLookupPrivilegeValueOpenProcessToken
String ID:
API String ID: 1655903152-0
Opcode ID: c92d68a2c1c5faafb4a28c396f292a277a37f0b40326d7f586547878ef495775
Instruction ID: 5a044237aac15a3989e4021d08b96f5326c338692d3d0e66e444868dbe789150
Opcode Fuzzy Hash: 2CF0468513CAB2E7F879B18C3042FE73458B323244C8437219A903A18E0E59A12CEB13
Instruction Fuzzy Hash: 5a044237aac15a3989e4021d08b96f5326c338692d3d0e66e444868dbe789150

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AEFF
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF05
LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000), ref: 0048AF77
CloseHandle.KERNEL32(?), ref: 0048AF8D
GetLastError.KERNEL32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF9A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DDE0, Relevance: 7.6, APIs: 5, Instructions: 54 Total matches: 153

Similarity

Total matches: 153
API ID: FindResourceFreeResourceLoadResourceLockResourceSizeofResource
String ID:
API String ID: 3885362348-0
Opcode ID: ef8b8e58cde3d28224df1e0c57da641ab2d3d01fa82feb3a30011b4f31433ee9
Instruction ID: 9990bafbf40e834a260b48e1f62370990a3e04654371271e90c167a58edff6a8
Opcode Fuzzy Hash: 08D02B420B5FA197F51656482C813D722876B43386EC42BF2D31A3B2E39F058039F60B
Instruction Fuzzy Hash: 9990bafbf40e834a260b48e1f62370990a3e04654371271e90c167a58edff6a8

APIs

FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 0048DE1A
LoadResource.KERNEL32(00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE24
SizeofResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE2E
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE36
FreeResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00481ED8, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 86 Total matches: 13

Similarity

Total matches: 13
API ID: GetModuleHandleSetWindowsHookEx
String ID: 3 H$dclogs\
API String ID: 987070476-1752027334
Opcode ID: 4b23d8581528a2a1bc1133d8afea0c2915dbad2a911779c2aade704c29555fce
Instruction ID: b2120ba2d2fe5220d185ceeadd256cdd376e4b814eb240eb03e080d2c545ca01
Opcode Fuzzy Hash: 00F0D1DB07A9C683E1A2A4847C42796007D5F07115E8C8BB3473F7A4F64F164026F70A
Instruction Fuzzy Hash: b2120ba2d2fe5220d185ceeadd256cdd376e4b814eb240eb03e080d2c545ca01

APIs

GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00482007,?,?,00000003,00000000,00000000,?,00482033), ref: 00481EFB
SetWindowsHookExA.USER32(0000000D,004818F8,00000000,00000000), ref: 00481F09

Part of subcall function 0048ADCC: SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0048ADF9
Part of subcall function 0048ADCC: SHGetPathFromIDListA.SHELL32(?,?,00000000,0048AE8C,?,?,00000005,?,004856FD,00000000,00485755,?,?,00000005,00000000,00000000), ref: 0048AE09

Part of subcall function 0040A290: GetFileAttributesA.KERNEL32(00000000,?,0048FD09,?,?,00490710,?), ref: 0040A29B

Part of subcall function 00480F70: GetForegroundWindow.USER32 ref: 00480F8F
Part of subcall function 00480F70: GetWindowTextLengthA.USER32(00000000), ref: 00480F9B
Part of subcall function 00480F70: GetWindowTextA.USER32(00000000,00000000,00000001), ref: 00480FB8

Strings

dclogs\, xrefs: 00481F26, 00481F4C, 00481F6E
3 H, xrefs: 00481F16, 00481F23, 00481F30

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047EAEC, Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 149 Total matches: 19windowthread

Similarity

Total matches: 19
API ID: CreateThreadDispatchMessageGetMessageTranslateMessage
String ID: at $,xI$AI$AI$MPI$OFFLINEK$PWD$Unknow
API String ID: 994098336-2744674293
Opcode ID: 9eba81f8e67a9dabaeb5076a6d0005a8d272465a03f2cd78ec5fdf0e8a578f9a
Instruction ID: 2241c7d72abfc068c3e0d2a9a226d44f5f768712d3663902469fbf0e50918cf5
Opcode Fuzzy Hash: E81159DA27FED40AF533B93074417C781661B2B62CE5C53A24E3B38580DE83406A7F06
Instruction Fuzzy Hash: 2241c7d72abfc068c3e0d2a9a226d44f5f768712d3663902469fbf0e50918cf5

APIs

CreateThread.KERNEL32(00000000,00000000,00482028,00000000,00000000,00499F94), ref: 0047EB8D
GetMessageA.USER32(00499F5C,00000000,00000000,00000000), ref: 0047ECBF

Part of subcall function 0040BC98: GetLocalTime.KERNEL32(?), ref: 0040BCA0

Part of subcall function 0040BCC4: GetLocalTime.KERNEL32(?), ref: 0040BCCC

Part of subcall function 0041FA34: GetLastError.KERNEL32(00486514,00000004,0048650C,00000000,0041FADE,?,00499F5C), ref: 0041FA94

Part of subcall function 0041FC40: SetThreadPriority.KERNEL32(?,015CDB28,00499F5C,?,0047EC9E,?,?,?,00000000,00000000,?,0049062B), ref: 0041FC55

Part of subcall function 0041FEF0: ResumeThread.KERNEL32(?,00499F5C,?,0047ECAA,?,?,?,00000000,00000000,?,0049062B), ref: 0041FEF8

TranslateMessage.USER32(00499F5C), ref: 0047ECAD
DispatchMessageA.USER32(00499F5C), ref: 0047ECB3

Strings

OFFLINEK, xrefs: 0047EB61
,xI, xrefs: 0047EC45
AI, xrefs: 0047EB11, 0047EB3E
at , xrefs: 0047EC58
Unknow, xrefs: 0047EC0B
AI, xrefs: 0047EBFA, 0047EC04, 0047EC60
MPI, xrefs: 0047EB9D
PWD, xrefs: 0047EB26

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004458CC, Relevance: 19.9, APIs: 13, Instructions: 386 Total matches: 159window

Similarity

Total matches: 159
API ID: SetFocus$GetFocusIsWindowEnabledPostMessage$GetLastActivePopupIsWindowVisibleSendMessage
String ID:
API String ID: 914620548-0
Opcode ID: 7a550bb8e8bdfffe0a3d884064dd1348bcd58c670023c5df15e5d4cbc78359b7
Instruction ID: ae7cdb1027d949e36366800a998b34cbf022b374fa511ef6be9943eb0d4292bd
Opcode Fuzzy Hash: 79518B4165DF6212E8BB908076A3BE6604BF7C6B9ECC8DF3411D53649B3F44620EE306
Instruction Fuzzy Hash: ae7cdb1027d949e36366800a998b34cbf022b374fa511ef6be9943eb0d4292bd

APIs

Part of subcall function 00445780: SetThreadLocale.KERNEL32(00000400,?,?,?,0044593F,00000000,00445F57), ref: 004457A3

Part of subcall function 00445F90: SetActiveWindow.USER32(?), ref: 00445FB5
Part of subcall function 00445F90: IsWindowEnabled.USER32(00000000), ref: 00445FE1
Part of subcall function 00445F90: SetWindowPos.USER32(?,00000000,00000000,00000000,?,00000000,00000040), ref: 0044602B
Part of subcall function 00445F90: DefWindowProcA.USER32(?,00000112,0000F020,00000000), ref: 00446040

Part of subcall function 00446070: SetActiveWindow.USER32(?), ref: 0044608F
Part of subcall function 00446070: ShowWindow.USER32(00000000,00000009), ref: 004460B4
Part of subcall function 00446070: IsWindowEnabled.USER32(00000000), ref: 004460D3
Part of subcall function 00446070: DefWindowProcA.USER32(?,00000112,0000F120,00000000), ref: 004460EC
Part of subcall function 00446070: SetWindowPos.USER32(?,00000000,00000000,?,?,00445ABE,00000000), ref: 00446132
Part of subcall function 00446070: SetFocus.USER32(00000000), ref: 00446180

Part of subcall function 00445F74: LoadIconA.USER32(00000000,00007F00), ref: 00445F8A

PostMessageA.USER32(?,0000B001,00000000,00000000), ref: 00445BCD

Part of subcall function 00445490: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000213), ref: 004454DE

PostMessageA.USER32(?,0000B000,00000000,00000000), ref: 00445BAB
SendMessageA.USER32(?,?,?,?), ref: 00445C73

Part of subcall function 00405388: FreeLibrary.KERNEL32(00400000,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405410
Part of subcall function 00405388: ExitProcess.KERNEL32(00000000,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405448

Part of subcall function 0044641C: IsWindowEnabled.USER32(00000000), ref: 00446458

IsWindowEnabled.USER32(00000000), ref: 00445D18
IsWindowVisible.USER32(00000000), ref: 00445D2D
GetFocus.USER32 ref: 00445D41
SetFocus.USER32(00000000), ref: 00445D50
SetFocus.USER32(00000000), ref: 00445D6F
IsWindowEnabled.USER32(00000000), ref: 00445DD0
SetFocus.USER32(00000000), ref: 00445DF2
GetLastActivePopup.USER32(?), ref: 00445E0A

Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773

GetFocus.USER32 ref: 00445E4F

Part of subcall function 0043BA80: GetCurrentThreadId.KERNEL32(Function_0003BA1C,00000000,0044283C,00000000,004428BF), ref: 0043BA9A
Part of subcall function 0043BA80: EnumThreadWindows.USER32(00000000,Function_0003BA1C,00000000), ref: 0043BAA0

SetFocus.USER32(00000000), ref: 00445E70

Part of subcall function 00446A88: PostMessageA.USER32(?,0000B01F,00000000,00000000), ref: 00446BA1

Part of subcall function 004466B8: SendMessageA.USER32(?,0000B020,00000001,?), ref: 004466DC

Part of subcall function 0044665C: SendMessageA.USER32(?,0000B020,00000000,?), ref: 0044667E

Part of subcall function 0045D684: SystemParametersInfoA.USER32(00000068,00000000,015E3408,00000000), ref: 0045D6C8
Part of subcall function 0045D684: SendMessageA.USER32(?,?,00000000,00000000), ref: 0045D6DB

Part of subcall function 00445844: DefWindowProcA.USER32(?,?,?,?), ref: 0044586E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004450B4, Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 131 Total matches: 14windowregistry

Similarity

Total matches: 14
API ID: DeleteMenu$GetClassInfoGetSystemMenuRegisterClassSendMessageSetClassLongSetWindowLong
String ID: LPI$PMD
API String ID: 387369179-807424164
Opcode ID: 32fce7ee3e6ac0926511ec3e4f7c98ab685e9b31e2d706daccbfdcda0f6d1d6b
Instruction ID: d56ce0e432135cd6d309e63aa69e29fd16821da0556a9908f65c39b580e9a6e9
Opcode Fuzzy Hash: 5601A6826E8982A2E2E03082381279F408E9F8B745C34A72E50863056EEF4A4178FF06
Instruction Fuzzy Hash: d56ce0e432135cd6d309e63aa69e29fd16821da0556a9908f65c39b580e9a6e9

APIs

Part of subcall function 00421084: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 004210A2

GetClassInfoA.USER32(00400000,00444D50,?), ref: 00445113
RegisterClassA.USER32(004925FC), ref: 0044512B

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

Part of subcall function 0040857C: CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004085BB

SetWindowLongA.USER32(?,000000FC,?), ref: 004451C2
DeleteMenu.USER32(00000000,0000F010,00000000), ref: 00445235

Part of subcall function 00445F74: LoadIconA.USER32(00000000,00007F00), ref: 00445F8A

SendMessageA.USER32(?,00000080,00000001,00000000), ref: 004451E4
SetClassLongA.USER32(?,000000F2,00000000), ref: 004451F7
GetSystemMenu.USER32(?,00000000), ref: 00445202
DeleteMenu.USER32(00000000,0000F030,00000000), ref: 00445211
DeleteMenu.USER32(00000000,0000F000,00000000), ref: 0044521E

Strings

PMD, xrefs: 00445107, 0044519E
LPI, xrefs: 004450DD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045DAE0, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 103 Total matches: 45registrylibraryloader

Similarity

Total matches: 45
API ID: GlobalAddAtom$GetCurrentProcessIdGetCurrentThreadIdGetModuleHandleGetProcAddressRegisterWindowMessage
String ID: AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$USER32
API String ID: 1182141063-1126952177
Opcode ID: f8c647dae10644b7e730f5649d963eb01b1b77fd7d0b633dfddc8baab0ae74fb
Instruction ID: 6dc9b78338348dc7afd8e3f20dad2926db9f0bd5be2625dc934bf3846c6fa984
Opcode Fuzzy Hash: ED0140552F89B147427255E03449BB534B6A707F4B4CA77531B0D3A1F9AE074025FB1E
Instruction Fuzzy Hash: 6dc9b78338348dc7afd8e3f20dad2926db9f0bd5be2625dc934bf3846c6fa984

APIs

GetCurrentProcessId.KERNEL32(?,00000000,0045DC58), ref: 0045DB01
GlobalAddAtomA.KERNEL32(00000000), ref: 0045DB34
GetCurrentThreadId.KERNEL32(?,?,00000000,0045DC58), ref: 0045DB4F
GlobalAddAtomA.KERNEL32(00000000), ref: 0045DB85
RegisterWindowMessageA.USER32(00000000,00000000,?,?,00000000,0045DC58), ref: 0045DB9B

Part of subcall function 00419AB0: InitializeCriticalSection.KERNEL32(004174C8,?,?,0045DBB1,00000000,00000000,?,?,00000000,0045DC58), ref: 00419ACF

Part of subcall function 0045D6E8: SetErrorMode.KERNEL32(00008000), ref: 0045D701
Part of subcall function 0045D6E8: GetModuleHandleA.KERNEL32(USER32,00000000,0045D84E,?,00008000), ref: 0045D725
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,WINNLSEnableIME,USER32,00000000,0045D84E,?,00008000), ref: 0045D732
Part of subcall function 0045D6E8: LoadLibraryA.KERNEL32(imm32.dll), ref: 0045D74E
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D770
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D785
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D79A
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7AF
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7C4
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E), ref: 0045D7D9
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000), ref: 0045D7EE
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext), ref: 0045D803
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext), ref: 0045D818
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmNotifyIME,00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus), ref: 0045D82D
Part of subcall function 0045D6E8: SetErrorMode.KERNEL32(?,0045D855,00008000), ref: 0045D848

Part of subcall function 00443B58: GetKeyboardLayout.USER32(00000000), ref: 00443B9D
Part of subcall function 00443B58: GetDC.USER32(00000000), ref: 00443BF2
Part of subcall function 00443B58: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00443BFC
Part of subcall function 00443B58: ReleaseDC.USER32(00000000,00000000), ref: 00443C07

Part of subcall function 00444D60: LoadIconA.USER32(00400000,MAINICON), ref: 00444E57
Part of subcall function 00444D60: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON), ref: 00444E89
Part of subcall function 00444D60: OemToCharA.USER32(?,?), ref: 00444E9C
Part of subcall function 00444D60: CharNextA.USER32(?), ref: 00444EDB
Part of subcall function 00444D60: CharLowerA.USER32(00000000), ref: 00444EE1

GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,?,00000000,0045DC58), ref: 0045DC1F
GetProcAddress.KERNEL32(00000000,AnimateWindow,USER32,00000000,00000000,?,?,00000000,0045DC58), ref: 0045DC30

Strings

Delphi%.8X, xrefs: 0045DB12
ControlOfs%.8X%.8X, xrefs: 0045DB63
AnimateWindow, xrefs: 0045DC2A
USER32, xrefs: 0045DC1A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444D60, Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 135 Total matches: 14window

Similarity

Total matches: 14
API ID: CharLowerCharNextGetModuleFileNameLoadIconOemToChar
String ID: 08B$0PI$8PI$MAINICON$\tA
API String ID: 1282013903-4242882941
Opcode ID: ff2b085099440c5ca1f97a8a9a6e2422089f81c1f58cd04fd4e646ad6fccc634
Instruction ID: 1a7e1b5cc773515fc1e1ce3387cb9199d5a608ac43a7cc09dd1af1e5a3a2e712
Opcode Fuzzy Hash: 76112C42068596E4E03967743814BC96091FB95F3AEB8AB7156F570BE48F418125F31C
Instruction Fuzzy Hash: 1a7e1b5cc773515fc1e1ce3387cb9199d5a608ac43a7cc09dd1af1e5a3a2e712

APIs

LoadIconA.USER32(00400000,MAINICON), ref: 00444E57

Part of subcall function 0042B29C: GetIconInfo.USER32(?,?), ref: 0042B2BD
Part of subcall function 0042B29C: GetObjectA.GDI32(?,00000018,?), ref: 0042B2DE
Part of subcall function 0042B29C: DeleteObject.GDI32(?), ref: 0042B30A
Part of subcall function 0042B29C: DeleteObject.GDI32(?), ref: 0042B313

GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON), ref: 00444E89
OemToCharA.USER32(?,?), ref: 00444E9C
CharNextA.USER32(?), ref: 00444EDB
CharLowerA.USER32(00000000), ref: 00444EE1

Part of subcall function 00421140: GetClassInfoA.USER32(00400000,00421130,?), ref: 00421161
Part of subcall function 00421140: UnregisterClassA.USER32(00421130,00400000), ref: 0042118A
Part of subcall function 00421140: RegisterClassA.USER32(00491B50), ref: 00421194
Part of subcall function 00421140: SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 004211DF

Part of subcall function 004450B4: GetClassInfoA.USER32(00400000,00444D50,?), ref: 00445113
Part of subcall function 004450B4: RegisterClassA.USER32(004925FC), ref: 0044512B
Part of subcall function 004450B4: SetWindowLongA.USER32(?,000000FC,?), ref: 004451C2
Part of subcall function 004450B4: SendMessageA.USER32(?,00000080,00000001,00000000), ref: 004451E4
Part of subcall function 004450B4: SetClassLongA.USER32(?,000000F2,00000000), ref: 004451F7
Part of subcall function 004450B4: GetSystemMenu.USER32(?,00000000), ref: 00445202
Part of subcall function 004450B4: DeleteMenu.USER32(00000000,0000F030,00000000), ref: 00445211
Part of subcall function 004450B4: DeleteMenu.USER32(00000000,0000F000,00000000), ref: 0044521E
Part of subcall function 004450B4: DeleteMenu.USER32(00000000,0000F010,00000000), ref: 00445235

Strings

MAINICON, xrefs: 00444E4A
08B, xrefs: 00444E38
0PI, xrefs: 00444E4F, 00444E81
8PI, xrefs: 00444F14
\tA, xrefs: 00444DBF, 00444DD1, 00444DE3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00481318, Relevance: 16.0, APIs: 2, Strings: 7, Instructions: 241 Total matches: 16thread

Similarity

Total matches: 16
API ID: CreateThreadExitThread
String ID: Bytes ($,xI$:: $:: Clipboard Change : size = $FTPSIZE$FTPUPLOADK$dclogs\
API String ID: 3550501405-4171340091
Opcode ID: 09ac825b311b0dae764bb850de313dcff2ce8638679eaf641d47129c8347c1b6
Instruction ID: 18a29a8180aa3c51a0af157095e3a2943ba53103427a66675ab0ae847ae08d92
Opcode Fuzzy Hash: A8315BC70B99DEDBE522BCD838413A6446E1B4364DD4C1B224B397D4F14F09203AF712
Instruction Fuzzy Hash: 18a29a8180aa3c51a0af157095e3a2943ba53103427a66675ab0ae847ae08d92

APIs

ExitThread.KERNEL32(00000000,00000000,00481687,?,00000000,004816C3,?,?,?,?,0000000C,00000000,00000000), ref: 0048135E

Part of subcall function 00480F70: GetForegroundWindow.USER32 ref: 00480F8F
Part of subcall function 00480F70: GetWindowTextLengthA.USER32(00000000), ref: 00480F9B
Part of subcall function 00480F70: GetWindowTextA.USER32(00000000,00000000,00000001), ref: 00480FB8

Part of subcall function 0048ADCC: SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0048ADF9
Part of subcall function 0048ADCC: SHGetPathFromIDListA.SHELL32(?,?,00000000,0048AE8C,?,?,00000005,?,004856FD,00000000,00485755,?,?,00000005,00000000,00000000), ref: 0048AE09

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

Part of subcall function 0040BCC4: GetLocalTime.KERNEL32(?), ref: 0040BCCC

Part of subcall function 00480FEC: FindFirstFileA.KERNEL32(00000000,?,00000000,0048109E), ref: 0048101E

CreateThread.KERNEL32(00000000,00000000,Function_000810D4,00000000,00000000,00499F94), ref: 0048162D

Strings

FTPUPLOADK, xrefs: 0048159E
,xI, xrefs: 00481482, 0048151D
dclogs\, xrefs: 004813DB, 0048142A, 004815C7
FTPSIZE, xrefs: 004815F1
:: , xrefs: 00481492
Bytes (, xrefs: 0048153F
:: Clipboard Change : size = , xrefs: 0048152D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048B908, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 138 Total matches: 28

Similarity

Total matches: 28
API ID: GetTokenInformation$CloseHandleGetCurrentProcessOpenProcessToken
String ID: Default$Full$Limited$unknow
API String ID: 3519712506-3005279702
Opcode ID: c9e83fe5ef618880897256b557ce500f1bf5ac68e7136ff2dc4328b35d11ffd0
Instruction ID: 0b4c06dab34d27ad9d68d80be0f4d698db9405c4a95def130c1ac261927f5781
Opcode Fuzzy Hash: 94012245479DA6FB6826709C78036E90090EEA3505DC827320F1A3EA430F49906DFE03
Instruction Fuzzy Hash: 0b4c06dab34d27ad9d68d80be0f4d698db9405c4a95def130c1ac261927f5781

APIs

GetCurrentProcess.KERNEL32(00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B93E
OpenProcessToken.ADVAPI32(00000000,00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B944
GetTokenInformation.ADVAPI32(?,00000012(TokenIntegrityLevel),?,00000004,?,00000000,0048BA30,?,00000000,00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B96F
GetTokenInformation.ADVAPI32(?,00000014(TokenIntegrityLevel),?,00000004,?,?,TokenIntegrityLevel,?,00000004,?,00000000,0048BA30,?,00000000,00000008,?), ref: 0048B9DF
CloseHandle.KERNEL32(?), ref: 0048BA2A

Strings

unknow, xrefs: 0048B9B6
Limited, xrefs: 0048B9A7
Default, xrefs: 0048B989
Full, xrefs: 0048B998

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004035C4, Relevance: 15.1, APIs: 10, Instructions: 129 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: d538ecb20819965be69077a828496b76d5af3486dd71f6717b9dc933de35fdbc
Instruction ID: c976212507a0127e09b4f1878ff8970bdbefa7b4a5e526d5fabf74a192684bc9
Opcode Fuzzy Hash: DD012BC0B7E89268E42FAB84AA00FD25444979FFC9E70C74433C9615EE6742616CBE09
Instruction Fuzzy Hash: c976212507a0127e09b4f1878ff8970bdbefa7b4a5e526d5fabf74a192684bc9

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040364C
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00403670
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040368C
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 004036AD
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 004036D6
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 004036E4
GetStdHandle.KERNEL32(000000F5), ref: 0040371F
GetFileType.KERNEL32 ref: 00403735
CloseHandle.KERNEL32 ref: 00403750
GetLastError.KERNEL32(000000F5), ref: 00403768

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040EBCC, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201 Total matches: 3634thread

Similarity

Total matches: 3634
API ID: GetThreadLocale
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 1366207816-2493093252
Opcode ID: 01a36ac411dc2f0c4b9eddfafa1dc6121dabec367388c2cb1b6e664117e908cf
Instruction ID: d03f869ccb848d3c28b0e9f5c57a02ed4726818649ba9b5e70cc30c7e7abe10a
Opcode Fuzzy Hash: 7E216E09A7888936D262494C3885B9414F75F1A161EC4CBF18BB2757ED6EC60422FBFB
Instruction Fuzzy Hash: d03f869ccb848d3c28b0e9f5c57a02ed4726818649ba9b5e70cc30c7e7abe10a

APIs

Part of subcall function 0040EB08: GetThreadLocale.KERNEL32 ref: 0040EB2A
Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000004A), ref: 0040EB7D
Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000002A), ref: 0040EB8C

Part of subcall function 0040D3E8: GetThreadLocale.KERNEL32(00000000,0040D4FB,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040D404

GetThreadLocale.KERNEL32(00000000,0040EE97,?,?,00000000,00000000), ref: 0040EC02

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Part of subcall function 0040D380: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040EC7E,00000000,0040EE97,?,?,00000000,00000000), ref: 0040D393

Part of subcall function 0040D670: GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(?,00000000,0040D657,?,?,00000000), ref: 0040D5D8
Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040D657,?,?,00000000), ref: 0040D608
Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D50C,00000000,00000000,00000004), ref: 0040D613
Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040D657,?,?,00000000), ref: 0040D631
Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D548,00000000,00000000,00000003), ref: 0040D63C

Strings

AMPM , xrefs: 0040EE25
mmmm d, yyyy, xrefs: 0040ECFE
m/d/yy, xrefs: 0040ECD1
:mm, xrefs: 0040EE35
:mm:ss, xrefs: 0040EE52
AMPM, xrefs: 0040EE16

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045F5F8, Relevance: 10.6, APIs: 7, Instructions: 117 Total matches: 462file

Similarity

Total matches: 462
API ID: CloseHandle$CreateFileCreateFileMappingGetFileSizeMapViewOfFileUnmapViewOfFile
String ID:
API String ID: 4232242029-0
Opcode ID: 30b260463d44c6b5450ee73c488d4c98762007a87f67d167b52aaf6bd441c3bf
Instruction ID: 5c790fdba87d6d3a28b45298bdc34f72c373fcd78425af207109af52e92f4d8f
Opcode Fuzzy Hash: 68F028440BCCF3A7F4B5B64820427A1004AAB46B58D54BFA25495374CB89C9B04DFB53
Instruction Fuzzy Hash: 5c790fdba87d6d3a28b45298bdc34f72c373fcd78425af207109af52e92f4d8f

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateFileA.KERNEL32(00000000,80000000,00000003,00000000,00000003,08000080,00000000), ref: 0045F637
CreateFileMappingA.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0045F665
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718,?,?,?,?), ref: 0045F691
GetFileSize.KERNEL32(000000FF,00000000,00000000,0045F6DC,?,00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718), ref: 0045F6B3
UnmapViewOfFile.KERNEL32(00000000,0045F6E3,0045F6DC,?,00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718), ref: 0045F6D6
CloseHandle.KERNEL32(00000000), ref: 0045F6F4
CloseHandle.KERNEL32(000000FF), ref: 0045F712

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AFE8, Relevance: 10.6, APIs: 7, Instructions: 94 Total matches: 34sleep

Similarity

Total matches: 34
API ID: Sleep$GetCurrentProcessGetTokenInformationLookupPrivilegeDisplayNameLookupPrivilegeNameOpenProcessToken
String ID:
API String ID: 2949210484-0
Opcode ID: 1294ace95088db967643d611283e857756515b83d680ef470e886f47612abab4
Instruction ID: 080af5cb768fd98714a9d060fcd45c73de1816ca9ba7ffb4874f351f539571ee
Opcode Fuzzy Hash: F9F0F6524B5DE753F65D2A4C9893BE90250DB03424E806B22857877A8A5E195039FA2A
Instruction Fuzzy Hash: 080af5cb768fd98714a9d060fcd45c73de1816ca9ba7ffb4874f351f539571ee

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048B0F3), ref: 0048B016
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048B0F3), ref: 0048B01C
Sleep.KERNEL32(00000001,00000000,00000028,?,00000000,0048B0F3), ref: 0048B027
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B03C
Sleep.KERNEL32(00000001,?,TokenIntegrityLevel,00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B047
LookupPrivilegeNameA.ADVAPI32(00000000,00000004,00000000,000000FF), ref: 0048B094
LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,?,000000FF,?), ref: 0048B0A8

Part of subcall function 0048AEA8: GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AEFF
Part of subcall function 0048AEA8: OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF05
Part of subcall function 0048AEA8: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
Part of subcall function 0048AEA8: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000), ref: 0048AF77
Part of subcall function 0048AEA8: CloseHandle.KERNEL32(?), ref: 0048AF8D
Part of subcall function 0048AEA8: GetLastError.KERNEL32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF9A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048F888, Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 110 Total matches: 18

Similarity

Total matches: 18
API ID: CoInitialize
String ID: .dcp$DCDATA$GENCODE$MPI$NETDATA
API String ID: 2346599605-3060965071
Opcode ID: 5b2698c0d83cdaee763fcf6fdf8d4463e192853437356cece5346bd183c87f4d
Instruction ID: bf1364519f653df7cd18a9a38ec8bfca38719d83700d8c9dcdc44dde4d16a583
Opcode Fuzzy Hash: 990190478FEEC01AF2139D64387B7C100994F53F55E840B9B557D3E5A08947502BB705
Instruction Fuzzy Hash: bf1364519f653df7cd18a9a38ec8bfca38719d83700d8c9dcdc44dde4d16a583

APIs

Part of subcall function 004076D4: GetModuleHandleA.KERNEL32(00000000,?,0048F8A5,?,?,?,0000002F,00000000,00000000), ref: 004076E0

CoInitialize.OLE32(00000000), ref: 0048F8B5

Part of subcall function 0048AFE8: GetCurrentProcess.KERNEL32(00000028,?,00000000,0048B0F3), ref: 0048B016
Part of subcall function 0048AFE8: OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048B0F3), ref: 0048B01C
Part of subcall function 0048AFE8: Sleep.KERNEL32(00000001,00000000,00000028,?,00000000,0048B0F3), ref: 0048B027
Part of subcall function 0048AFE8: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B03C
Part of subcall function 0048AFE8: Sleep.KERNEL32(00000001,?,TokenIntegrityLevel,00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B047
Part of subcall function 0048AFE8: LookupPrivilegeNameA.ADVAPI32(00000000,00000004,00000000,000000FF), ref: 0048B094
Part of subcall function 0048AFE8: LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,?,000000FF,?), ref: 0048B0A8

Part of subcall function 0040F234: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0048F90F,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040F24B

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

Strings

.dcp, xrefs: 0048F92D, 0048F989
DCDATA, xrefs: 0048F8E9
NETDATA, xrefs: 0048F9B6
MPI, xrefs: 0048F8BA
GENCODE, xrefs: 0048F920, 0048F97C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B47C, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58 Total matches: 283

Similarity

Total matches: 283
API ID: MulDiv
String ID: MS Shell Dlg 2$SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes$Tahoma
API String ID: 940359406-1011973972
Opcode ID: 9f338f1e3de2c8e95426f3758bdd42744a67dcd51be80453ed6f2017c850a3af
Instruction ID: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a
Opcode Fuzzy Hash: EDE0680017C8F0ABFC32BC8A30A17CD20C9F341270C0063B1065D3D8CAAB4AC018E907
Instruction Fuzzy Hash: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a

APIs

MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0042B4A2

Part of subcall function 004217A0: RegCloseKey.ADVAPI32(10940000,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5,?,00000000,0048B2DD), ref: 004217B4

Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421A81
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421AF1
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?), ref: 00421B5C

Part of subcall function 00421770: RegFlushKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 00421781
Part of subcall function 00421770: RegCloseKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 0042178A

Part of subcall function 0042B438: GetDC.USER32(00000000), ref: 0042B441
Part of subcall function 0042B438: SelectObject.GDI32(00000000,018A002E), ref: 0042B453
Part of subcall function 0042B438: GetTextMetricsA.GDI32(00000000), ref: 0042B45E
Part of subcall function 0042B438: ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes, xrefs: 0042B4F8
MS Shell Dlg 2, xrefs: 0042B50C
Tahoma, xrefs: 0042B4C4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00480F70, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43 Total matches: 13

Similarity

Total matches: 13
API ID: GetForegroundWindowGetWindowTextGetWindowTextLength
String ID: 3 H
API String ID: 3098183346-888106971
Opcode ID: 38df64794ac19d1a41c58ddb3103a8d6ab7d810f67298610b47d21a238081d5e
Instruction ID: fd1deb06fecc2756381cd848e34cdb6bc2d530e728f99936ce181bacb4a15fce
Opcode Fuzzy Hash: 41D0A785074A821B944A95CC64011E692D4A171281D803B31CB257A5C9ED06001FA82B
Instruction Fuzzy Hash: fd1deb06fecc2756381cd848e34cdb6bc2d530e728f99936ce181bacb4a15fce

APIs

GetForegroundWindow.USER32 ref: 00480F8F
GetWindowTextLengthA.USER32(00000000), ref: 00480F9B
GetWindowTextA.USER32(00000000,00000000,00000001), ref: 00480FB8

Strings

3 H, xrefs: 00480FD4, 00480FA3, 00480FAE, 00480FBF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00421140, Relevance: 6.1, APIs: 4, Instructions: 59 Total matches: 2877registry

Similarity

Total matches: 2877
API ID: GetClassInfoRegisterClassSetWindowLongUnregisterClass
String ID:
API String ID: 1046148194-0
Opcode ID: c2411987b4f71cfd8dbf515c505d6b009a951c89100e7b51cc1a9ad4868d85a2
Instruction ID: ad09bb2cd35af243c34bf0a983bbfa5e937b059beb8f7eacfcf21e0321a204f6
Opcode Fuzzy Hash: 17E026123D08D3D6E68B3107302B30D00AC1B2F524D94E725428030310CB24B034D942
Instruction Fuzzy Hash: ad09bb2cd35af243c34bf0a983bbfa5e937b059beb8f7eacfcf21e0321a204f6

APIs

GetClassInfoA.USER32(00400000,00421130,?), ref: 00421161
UnregisterClassA.USER32(00421130,00400000), ref: 0042118A
RegisterClassA.USER32(00491B50), ref: 00421194

Part of subcall function 0040857C: CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004085BB

Part of subcall function 00421084: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 004210A2

SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 004211DF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00421808, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74 Total matches: 14registry

Similarity

Total matches: 14
API ID: RegCloseKeyRegCreateKeyEx
String ID: ddA
API String ID: 4178925417-2966775115
Opcode ID: 48d059bb8e84bc3192dc11d099b9e0818b120cb04e32a6abfd9049538a466001
Instruction ID: bcac8fa413c5abe8057b39d2fbf4054ffa52545f664d92bf1e259ce37bb87d2b
Opcode Fuzzy Hash: 99E0E5461A86A377B41BB1583001B523267EB167A6C85AB72164D3EADBAA40802DAE53
Instruction Fuzzy Hash: bcac8fa413c5abe8057b39d2fbf4054ffa52545f664d92bf1e259ce37bb87d2b

APIs

RegCreateKeyExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,000F003F,00000000,?,?,00000000,004218D4,?,?,?,00000000), ref: 0042187F
RegCloseKey.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,000F003F,00000000,?,?,00000000,004218D4,?,?,?,00000000), ref: 00421893

Strings

ddA, xrefs: 004218A7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486374, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66 Total matches: 15network

Similarity

Total matches: 15
API ID: send
String ID: #KEEPALIVE#$AI
API String ID: 2809346765-3407633610
Opcode ID: 7bd268bc54a74c8d262fb2d4f92eedc3231c4863c0e0b1ad2c3d318767d32110
Instruction ID: 49a0c3b4463e99ba8d4a2c6ba6a42864ce88c18c059a57f1afd8745127692009
Opcode Fuzzy Hash: 34E068800B79C40B586BB094394371320D2EE1171988473305F003F967CD40501E2E93
Instruction Fuzzy Hash: 49a0c3b4463e99ba8d4a2c6ba6a42864ce88c18c059a57f1afd8745127692009

APIs

send.WSOCK32(?,?,?,00000000,00000000,0048642A), ref: 004863F3

Strings

AI, xrefs: 004863A6
#KEEPALIVE#, xrefs: 00486399

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DD0C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51 Total matches: 15

Similarity

Total matches: 15
API ID: GlobalMemoryStatus
String ID: $%d%
API String ID: 1890195054-1553997471
Opcode ID: b93ee82e74eb3fdc7cf13e02b5efcaa0aef25b4b863b00f7ccdd0b9efdff76e6
Instruction ID: fe5533f6b2d125ff6ee6e2ff500c73019a28ed325643b914abb945f4eac8f20d
Opcode Fuzzy Hash: 64D05BD70F99F457A5A1718E3452FA400956F036D9CC83BB349946E99F071F80ACF612
Instruction Fuzzy Hash: fe5533f6b2d125ff6ee6e2ff500c73019a28ed325643b914abb945f4eac8f20d

APIs

GlobalMemoryStatus.KERNEL32(00000020), ref: 0048DD44

Strings

%d%, xrefs: 0048DD5C
, xrefs: 0048DD39

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482028, Relevance: 4.5, APIs: 3, Instructions: 19 Total matches: 124window

Similarity

Total matches: 124
API ID: DispatchMessageGetMessageTranslateMessage
String ID:
API String ID: 238847732-0
Opcode ID: 2bc29e822e5a19ca43f9056ef731e5d255ca23f22894fa6ffe39914f176e67d0
Instruction ID: 3635f244085e73605198e4edd337f824154064b4cabe78c039b45d2f1f3269be
Opcode Fuzzy Hash: A9B0120F8141E01F254D19651413380B5D379C3120E515B604E2340284D19031C97C49
Instruction Fuzzy Hash: 3635f244085e73605198e4edd337f824154064b4cabe78c039b45d2f1f3269be

APIs

Part of subcall function 00481ED8: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00482007,?,?,00000003,00000000,00000000,?,00482033), ref: 00481EFB
Part of subcall function 00481ED8: SetWindowsHookExA.USER32(0000000D,004818F8,00000000,00000000), ref: 00481F09

TranslateMessage.USER32 ref: 00482036
DispatchMessageA.USER32 ref: 0048203C
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00482048

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C91C, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 75 Total matches: 20

Similarity

Total matches: 20
API ID: GetVolumeInformation
String ID: %.4x:%.4x
API String ID: 1114431059-3532927987
Opcode ID: 208ca3ebf28c5cea15b573a569a7b8c9d147c1ff64dfac4d15af7b461a718bc8
Instruction ID: 4ae5e3aba91ec141201c4859cc19818ff8a02ee484ece83311eb3b9305c11bcf
Opcode Fuzzy Hash: F8E0E5410AC961EBB4D3F0883543BA2319593A3289C807B73B7467FDD64F05505DD847
Instruction Fuzzy Hash: 4ae5e3aba91ec141201c4859cc19818ff8a02ee484ece83311eb3b9305c11bcf

APIs

GetVolumeInformationA.KERNEL32(00000000,00000000,00000104,?,?,?,00000000,00000104), ref: 0048C974

Strings

%.4x:%.4x, xrefs: 0048C9B9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004221F0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47 Total matches: 18registry

Similarity

Total matches: 18
API ID: RegQueryValueEx
String ID: ldA
API String ID: 3865029661-3200660723
Opcode ID: ec304090a766059ca8447c7e950ba422bbcd8eaba57a730efadba48c404323b5
Instruction ID: 1bfdbd06430122471a07604155f074e1564294130eb9d59a974828bfc3ff2ca5
Opcode Fuzzy Hash: 87D05E281E48858525DA74D93101B522241E7193938CC3F618A4C976EB6900F018EE0F
Instruction Fuzzy Hash: 1bfdbd06430122471a07604155f074e1564294130eb9d59a974828bfc3ff2ca5

APIs

RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000), ref: 0042221B

Strings

ldA, xrefs: 00422231

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00421F68, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36 Total matches: 12registry

Similarity

Total matches: 12
API ID: RegQueryValueEx
String ID: n"B
API String ID: 3865029661-2187876772
Opcode ID: 26fd4214dafc6fead50bf7e0389a84ae86561299910b3c40f1938d96c80dcc37
Instruction ID: ad829994a2409f232093606efc953ae9cd3a3a4e40ce86781ec441e637d7f613
Opcode Fuzzy Hash: A2C08C4DAA204AD6E1B42500D481F0827816B633B9D826F400162222E3BA009A9FE85C
Instruction Fuzzy Hash: ad829994a2409f232093606efc953ae9cd3a3a4e40ce86781ec441e637d7f613

APIs

RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,00000000,n"B,?,?,?,?,00000000,0042226E), ref: 00421F9A

Strings

n"B, xrefs: 00421F81, 00421F84

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Similar Non-Executed Functions

Function 0048B42C, Relevance: 70.2, APIs: 32, Strings: 8, Instructions: 219 Total matches: 29keyboard

Similarity

Total matches: 29
API ID: keybd_event
String ID: CTRLA$CTRLC$CTRLF$CTRLP$CTRLV$CTRLX$CTRLY$CTRLZ
API String ID: 2665452162-853614746
Opcode ID: 4def22f753c7f563c1d721fcc218f3f6eb664e5370ee48361dbc989d32d74133
Instruction ID: 963b610819eac8b52ef880b5a8b69d76f76adbdeafee6c47af906d1515d6b099
Opcode Fuzzy Hash: 532196951B0CA2B978DA64817C0E195F00B969B34DEDC13128990DAF788EF08DE03F35
Instruction Fuzzy Hash: 963b610819eac8b52ef880b5a8b69d76f76adbdeafee6c47af906d1515d6b099

APIs

keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B460
keybd_event.USER32(00000041,00000045,00000001,00000000), ref: 0048B46D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B47A
keybd_event.USER32(00000041,00000045,00000003,00000000), ref: 0048B487
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B4A8
keybd_event.USER32(00000056,00000045,00000001,00000000), ref: 0048B4B5
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B4C2
keybd_event.USER32(00000056,00000045,00000003,00000000), ref: 0048B4CF
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B4F0
keybd_event.USER32(00000043,00000045,00000001,00000000), ref: 0048B4FD
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B50A
keybd_event.USER32(00000043,00000045,00000003,00000000), ref: 0048B517
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B538
keybd_event.USER32(00000058,00000045,00000001,00000000), ref: 0048B545
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B552
keybd_event.USER32(00000058,00000045,00000003,00000000), ref: 0048B55F
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B580
keybd_event.USER32(00000050,00000045,00000001,00000000), ref: 0048B58D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B59A
keybd_event.USER32(00000050,00000045,00000003,00000000), ref: 0048B5A7
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B5C8
keybd_event.USER32(0000005A,00000045,00000001,00000000), ref: 0048B5D5
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B5E2
keybd_event.USER32(0000005A,00000045,00000003,00000000), ref: 0048B5EF
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B610
keybd_event.USER32(00000059,00000045,00000001,00000000), ref: 0048B61D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B62A
keybd_event.USER32(00000059,00000045,00000003,00000000), ref: 0048B637
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B655
keybd_event.USER32(00000046,00000045,00000001,00000000), ref: 0048B662
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B66F
keybd_event.USER32(00000046,00000045,00000003,00000000), ref: 0048B67C

Strings

CTRLP, xrefs: 0048B56C
CTRLC, xrefs: 0048B4DC
CTRLV, xrefs: 0048B494
CTRLY, xrefs: 0048B5FC
CTRLF, xrefs: 0048B641
CTRLZ, xrefs: 0048B5B4
CTRLX, xrefs: 0048B524
CTRLA, xrefs: 0048B44C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00460AC0, Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99 Total matches: 300libraryloader

Similarity

Total matches: 300
API ID: GetProcAddress$GetModuleHandle
String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$[FILE]
API String ID: 1039376941-2682310058
Opcode ID: f09c306a48b0de2dd47c8210d3bd2ba449cfa3644c05cf78ba5a2ace6c780295
Instruction ID: bcfc9cd07546656776842482fc67dab96c7523a4dc8624f3bf5282ed84c56a54
Opcode Fuzzy Hash: 950151BF00AC158CCBB0CE8834EFB5324AB398984C4225F4495C6312393D9FF50A1AAA
Instruction Fuzzy Hash: bcfc9cd07546656776842482fc67dab96c7523a4dc8624f3bf5282ed84c56a54

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?,?,?), ref: 00460AD4
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?,?,?), ref: 00460AEC
GetProcAddress.KERNEL32(00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?), ref: 00460AFE
GetProcAddress.KERNEL32(00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E), ref: 00460B10
GetProcAddress.KERNEL32(00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5), ref: 00460B22
GetProcAddress.KERNEL32(00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5), ref: 00460B34
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000), ref: 00460B46
GetProcAddress.KERNEL32(00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002), ref: 00460B58
GetProcAddress.KERNEL32(00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot), ref: 00460B6A
GetProcAddress.KERNEL32(00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst), ref: 00460B7C
GetProcAddress.KERNEL32(00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext), ref: 00460B8E
GetProcAddress.KERNEL32(00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First), ref: 00460BA0
GetProcAddress.KERNEL32(00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next), ref: 00460BB2
GetProcAddress.KERNEL32(00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory), ref: 00460BC4
GetProcAddress.KERNEL32(00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First), ref: 00460BD6
GetProcAddress.KERNEL32(00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next), ref: 00460BE8
GetProcAddress.KERNEL32(00000000,Module32NextW,00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW), ref: 00460BFA

Strings

Toolhelp32ReadProcessMemory, xrefs: 00460B3E
CreateToolhelp32Snapshot, xrefs: 00460AE4
Heap32First, xrefs: 00460B1A
Thread32First, xrefs: 00460B98
Module32First, xrefs: 00460BBC
Process32FirstW, xrefs: 00460B74
Heap32Next, xrefs: 00460B2C
Process32First, xrefs: 00460B50
Module32Next, xrefs: 00460BCE
Module32NextW, xrefs: 00460BF2
Heap32ListFirst, xrefs: 00460AF6
Thread32Next, xrefs: 00460BAA
Module32FirstW, xrefs: 00460BE0
Heap32ListNext, xrefs: 00460B08
Process32NextW, xrefs: 00460B86
kernel32.dll, xrefs: 00460ACF
Process32Next, xrefs: 00460B62

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428B08, Relevance: 48.5, APIs: 32, Instructions: 500 Total matches: 1987window

Similarity

Total matches: 1987
API ID: SelectObject$SelectPalette$CreateCompatibleDCGetDIBitsGetDeviceCapsRealizePaletteSetBkColorSetTextColor$BitBltCreateBitmapCreateCompatibleBitmapCreateDIBSectionDeleteDCFillRectGetDCGetDIBColorTableGetObjectPatBltSetDIBColorTable
String ID:
API String ID: 3042800676-0
Opcode ID: b8b687cee1c9a2d9d2f26bc490dbdcc6ec68fc2f2ec1aa58312beb2e349b1411
Instruction ID: ff68489d249ea03a763d48795c58495ac11dd1cccf96ec934182865f2a9e2114
Opcode Fuzzy Hash: E051494D0D8CF5C7B4BF29880993F5211816F83A27D2AB7130975677FB8A05A05BF21D
Instruction Fuzzy Hash: ff68489d249ea03a763d48795c58495ac11dd1cccf96ec934182865f2a9e2114

APIs

GetObjectA.GDI32(00000000,00000054,?), ref: 00428B88
GetDC.USER32(00000000), ref: 00428B99
CreateCompatibleDC.GDI32(00000000), ref: 00428BAA
CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 00428BF6
CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 00428C1A
GetDeviceCaps.GDI32(00000028,0000000C), ref: 00428C6A
GetDeviceCaps.GDI32(00000028,0000000E), ref: 00428C77
SelectObject.GDI32(?,?), ref: 00428D7F

Part of subcall function 004262B4: GetObjectA.GDI32(?,00000004), ref: 004262CB
Part of subcall function 004262B4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 004262EE

SelectObject.GDI32(?,00000000), ref: 00428D21
GetDIBColorTable.GDI32(?,00000000,00000100,-00000027), ref: 00428D47
GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428D72
CreateDIBSection.GDI32(00000028,00000001,00000000,00000003,00000000,00000000), ref: 00428DD5
GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428E36

Part of subcall function 00425A70: GetLastError.KERNEL32(00000000,00425B0C), ref: 00425A90
Part of subcall function 00425A70: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00425B0C), ref: 00425AB6

SelectObject.GDI32(?,?), ref: 00428E77
SelectPalette.GDI32(?,00000000,00000000), ref: 00428EB7
RealizePalette.GDI32(?), ref: 00428EC3
SelectPalette.GDI32(?,?,000000FF), ref: 004290CE

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?,00000000), ref: 00428F14
SetTextColor.GDI32(?,00000000), ref: 00428F2C
SetBkColor.GDI32(?,00000000), ref: 00428F46
SetDIBColorTable.GDI32(?,00000000,00000002,?), ref: 00428F8E
PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 00428FB0
CreateCompatibleDC.GDI32(00000028), ref: 00428FC3
SelectObject.GDI32(?,00000000), ref: 00428FE6
SelectPalette.GDI32(?,00000000,00000000), ref: 00429002
RealizePalette.GDI32(?), ref: 0042900D
DeleteDC.GDI32(?), ref: 004290A4

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetTextColor.GDI32(?,00000000), ref: 0042902B
SetBkColor.GDI32(?,00000000), ref: 00429045
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042906D
SelectPalette.GDI32(?,00000000,000000FF), ref: 0042907F
SelectObject.GDI32(?,00000000), ref: 00429089

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047FA8C, Relevance: 44.0, APIs: 24, Strings: 1, Instructions: 241 Total matches: 15networkwindow

Similarity

Total matches: 15
API ID: GetDeviceCaps$recv$DeleteObjectSelectObject$BitBltCreateCompatibleBitmapCreateCompatibleDCGetDCReleaseDCclosesocketconnectgethostbynameinet_addrntohssendshutdownsocket
String ID: THUMB
API String ID: 1930283203-3798143851
Opcode ID: 678904e15847db7bac48336b7cf5e320d4a41031a0bc1ba33978a791cdb2d37c
Instruction ID: a6e5d2826a1bfadec34d698d0b396fa74616cd31ac2933a690057ec4ea65ec21
Opcode Fuzzy Hash: A331F900078DE76BF6722B402983F571157FF42A21E6997A34BB4676C75FC0640EB60B
Instruction Fuzzy Hash: a6e5d2826a1bfadec34d698d0b396fa74616cd31ac2933a690057ec4ea65ec21

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,0047FD80), ref: 0047FACB
ntohs.WSOCK32(00000774), ref: 0047FAEF
inet_addr.WSOCK32(015EAA88,00000774), ref: 0047FB03
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 0047FB1B
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 0047FB42
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047FB59

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047FBA9
GetDC.USER32(00000000), ref: 0047FBE3
CreateCompatibleDC.GDI32(?), ref: 0047FBEF
GetDeviceCaps.GDI32(?,0000000A), ref: 0047FBFD
GetDeviceCaps.GDI32(?,00000008), ref: 0047FC09
CreateCompatibleBitmap.GDI32(?,00000000,?), ref: 0047FC13
SelectObject.GDI32(?,?), ref: 0047FC23
GetDeviceCaps.GDI32(?,0000000A), ref: 0047FC3E
GetDeviceCaps.GDI32(?,00000008), ref: 0047FC4A
BitBlt.GDI32(?,00000000,00000000,00000000,?,00000008,00000000,?,0000000A), ref: 0047FC58
send.WSOCK32(000000FF,?,00000000,00000000,?,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010), ref: 0047FCCD
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00000000,00000000,?,000000FF,?,00002000,00000000,000000FF,?,00002000), ref: 0047FCE4
SelectObject.GDI32(?,?), ref: 0047FD08
DeleteObject.GDI32(?), ref: 0047FD11
DeleteObject.GDI32(?), ref: 0047FD1A
ReleaseDC.USER32(00000000,?), ref: 0047FD25
shutdown.WSOCK32(000000FF,00000002,00000002,00000001,00000000,00000000,0047FD80), ref: 0047FD54
closesocket.WSOCK32(000000FF,000000FF,00000002,00000002,00000001,00000000,00000000,0047FD80), ref: 0047FD5D

Strings

THUMB, xrefs: 0047FB7F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486918, Relevance: 40.8, APIs: 27, Instructions: 343 Total matches: 14networksleep

Similarity

Total matches: 14
API ID: send$recv$closesocket$Sleepconnectgethostbynamegetsocknamentohsselectsocket
String ID:
API String ID: 2478304679-0
Opcode ID: 4d87a5330adf901161e92fb1ca319a93a9e59af002049e08fc24e9f18237b9f5
Instruction ID: e3ab2fee1e4498134b0ab76971bb2098cdaeb743d0e54aa66642cb2787f17742
Opcode Fuzzy Hash: 8F5159466792D79EF5A21F00640279192F68B03F25F05DB72D63A393D8CEC4009EBF08
Instruction Fuzzy Hash: e3ab2fee1e4498134b0ab76971bb2098cdaeb743d0e54aa66642cb2787f17742

APIs

recv.WSOCK32(?,?,00000002,00000002,00000000,00486E16), ref: 00486971
recv.WSOCK32(?,00000005,?,00000000), ref: 004869A0
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 004869EE
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486A0B
recv.WSOCK32(?,?,00000259,00000000,?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486A1F
send.WSOCK32(?,00000001,00000002,00000000), ref: 00486A9E
send.WSOCK32(?,00000001,00000002,00000000), ref: 00486ABB
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486AE8
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486B02
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486B2B
recv.WSOCK32(?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486B41
recv.WSOCK32(?,?,0000000C,00000000,?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486B7C
recv.WSOCK32(?,?,?,00000000,?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486BD9
gethostbyname.WSOCK32(00000000,?,?,?,00000000,?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486BFF
ntohs.WSOCK32(?,00000000,?,?,?,00000000,?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486C29
socket.WSOCK32(00000002,00000001,00000000), ref: 00486C44
connect.WSOCK32(00000000,00000002,00000010,00000002,00000001,00000000), ref: 00486C55
getsockname.WSOCK32(00000000,?,00000010,00000000,00000002,00000010,00000002,00000001,00000000), ref: 00486CA8
send.WSOCK32(?,00000005,0000000A,00000000,00000000,?,00000010,00000000,00000002,00000010,00000002,00000001,00000000), ref: 00486CDD
select.WSOCK32(00000000,?,00000000,00000000,00000000,?,00000005,0000000A,00000000,00000000,?,00000010,00000000,00000002,00000010,00000002), ref: 00486D1D
Sleep.KERNEL32(00000096,00000000,?,00000000,00000000,00000000,?,00000005,0000000A,00000000,00000000,?,00000010,00000000,00000002,00000010), ref: 00486DCA

Part of subcall function 00408710: __WSAFDIsSet.WSOCK32(00000000,?,00000000,?,00486D36,00000000,?,00000000,00000000,00000000,00000096,00000000,?,00000000,00000000,00000000), ref: 00408718

recv.WSOCK32(00000000,?,00001000,00000000,00000000,?,00000000,00000000,00000000,00000096,00000000,?,00000000,00000000,00000000,?), ref: 00486D5B
send.WSOCK32(?,?,00000000,00000000,00000000,?,00001000,00000000,00000000,?,00000000,00000000,00000000,00000096,00000000,?), ref: 00486D72
recv.WSOCK32(?,?,00001000,00000000,00000000,?,00000000,00000000,00000000,00000096,00000000,?,00000000,00000000,00000000,?), ref: 00486DA9
send.WSOCK32(00000000,?,00000000,00000000,?,?,00001000,00000000,00000000,?,00000000,00000000,00000000,00000096,00000000,?), ref: 00486DC0
closesocket.WSOCK32(?,?,?,00000002,00000002,00000000,00486E16), ref: 00486DE2
closesocket.WSOCK32(?,?,?,?,00000002,00000002,00000000,00486E16), ref: 00486DE8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004801FC, Relevance: 35.3, APIs: 15, Strings: 5, Instructions: 286 Total matches: 15network

Similarity

Total matches: 15
API ID: recv$closesocketconnectgethostbynameinet_addrntohssendshutdownsocket
String ID: [.dll]$[.dll]$[.dll]$[.dll]$[.dll]
API String ID: 2256622448-126193538
Opcode ID: edfb90c8b4475b2781d0696b1145c1d1b84b866ec8cac18c23b2313044de0fe7
Instruction ID: 2d95426e1e6ee9a744b3e863ef1b8a7e344b36da7f7d1abd741f771f4a8a1459
Opcode Fuzzy Hash: FB414B0217AAD36BE0726F413943B8B00A2AF03E15D9C97E247B5267D69FA0501DB21A
Instruction Fuzzy Hash: 2d95426e1e6ee9a744b3e863ef1b8a7e344b36da7f7d1abd741f771f4a8a1459

APIs

socket.WSOCK32(00000002,00000001,00000000), ref: 00480264
ntohs.WSOCK32(00000774), ref: 00480288
inet_addr.WSOCK32(015EAA88,00000774), ref: 0048029C
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 004802B4
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 004802DB
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004802F2
closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004805DE

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,?,0048064C,?,00000000,?,FILETRANSFER,000000FF,?,00002000,00000000,000000FF,00000002), ref: 0048036A
recv.WSOCK32(000000FF,?,00002000,00000000,?,00000000,?,0048064C,?,FILEBOF,?,FILETRANSFER,000000FF,?,00002000,00000000), ref: 00480401

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,00000000,?,0048064C,?,FILEBOF,?,FILETRANSFER), ref: 00480451
send.WSOCK32(000000FF,?,00000000,00000000,00000000,00480523,?,000000FF,?,00002000,00000000,?,00000000,?,0048064C,?), ref: 004804DB
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00000000,00000000,00000000,00480523,?,000000FF,?,00002000,00000000,?), ref: 004804F5
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,00000000,?,0048064C,?,FILEBOF,?,FILETRANSFER), ref: 00480583

Part of subcall function 00475F68: send.WSOCK32(?,00000000,?,00000000,00000000,00475FCA), ref: 00475FAF

recv.WSOCK32(000000FF,?,00002000,00000000,?,FILETRANSFER,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004805B6
shutdown.WSOCK32(000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004805D5

Strings

FILEERR, xrefs: 00480432
FILEEOF, xrefs: 00480564
FILEBOF, xrefs: 004803A6
FILEEND, xrefs: 00480597
FILETRANSFER, xrefs: 004802FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048E06C, Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 175 Total matches: 10windowmemorythread

Similarity

Total matches: 10
API ID: SendMessage$FindWindowEx$CloseHandleFindWindowGetWindowThreadProcessIdOpenProcessReadProcessMemoryVirtualAllocVirtualAllocExVirtualFreeVirtualFreeExWriteProcessMemory
String ID: #32770$SysListView32$d"H
API String ID: 3780048337-1380996120
Opcode ID: b683118a55e5ed65f15da96e40864f63eed112dcb30155d6a8038ec0cc94ce3d
Instruction ID: 921cf0fa770e2b86772df7590f9e2c4dc5a1ffd61c2349c0eb9e10af82608242
Opcode Fuzzy Hash: AB11504A0B9C9567E83768442C43BDB1581FB13E89EB1BB93E2743758ADE811069FA43
Instruction Fuzzy Hash: 921cf0fa770e2b86772df7590f9e2c4dc5a1ffd61c2349c0eb9e10af82608242

APIs

Part of subcall function 0048DFF0: GetForegroundWindow.USER32 ref: 0048E00F
Part of subcall function 0048DFF0: GetWindowTextLengthA.USER32(00000000), ref: 0048E01B
Part of subcall function 0048DFF0: GetWindowTextA.USER32(00000000,00000000,00000001), ref: 0048E038

FindWindowA.USER32(#32770,00000000), ref: 0048E0C3
FindWindowExA.USER32(?,00000000,#32770,00000000), ref: 0048E0D8
FindWindowExA.USER32(?,00000000,SysListView32,00000000), ref: 0048E0ED
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0048E102
VirtualAlloc.KERNEL32(00000000,0000012C,00003000,00000004,?,00000000,SysListView32,00000000,00000000,0048E273,?,?,?,?), ref: 0048E12A
GetWindowThreadProcessId.USER32(?,?), ref: 0048E139
OpenProcess.KERNEL32(00000038,00000000,?,00000000,0000012C,00003000,00000004,?,00000000,SysListView32,00000000,00000000,0048E273), ref: 0048E146
VirtualAllocEx.KERNEL32(00000000,00000000,0000012C,00003000,00000004,00000038,00000000,?,00000000,0000012C,00003000,00000004,?,00000000,SysListView32,00000000), ref: 0048E158
WriteProcessMemory.KERNEL32(00000000,00000000,00000000,00000400,?,00000000,00000000,0000012C,00003000,00000004,00000038,00000000,?,00000000,0000012C,00003000), ref: 0048E18A
SendMessageA.USER32(d"H,0000102D,00000000,00000000), ref: 0048E19D
ReadProcessMemory.KERNEL32(00000000,00000000,00000000,00000400,?,d"H,0000102D,00000000,00000000,00000000,00000000,00000000,00000400,?,00000000,00000000), ref: 0048E1AE
SendMessageA.USER32(d"H,00001008,00000000,00000000), ref: 0048E219
VirtualFree.KERNEL32(00000000,00000000,00008000,d"H,00001008,00000000,00000000,00000000,00000000,00000000,00000400,?,d"H,0000102D,00000000,00000000), ref: 0048E226
VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000,00000000,00000000,00008000,d"H,00001008,00000000,00000000,00000000,00000000,00000000,00000400,?), ref: 0048E234
CloseHandle.KERNEL32(00000000), ref: 0048E23A

Strings

SysListView32, xrefs: 0048E0E2
d"H, xrefs: 0048E199, 0048E215, 0048E19C, 0048E218
#32770, xrefs: 0048E0BE, 0048E0CD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00480880, Relevance: 30.0, APIs: 12, Strings: 5, Instructions: 276 Total matches: 16network

Similarity

Total matches: 16
API ID: recv$closesocketshutdown$connectgethostbynameinet_addrntohssocket
String ID: [.dll]$[.dll]$[.dll]$[.dll]$[.dll]
API String ID: 2855376909-126193538
Opcode ID: ce8af9afc4fc20da17b49cda6627b8ca93217772cb051443fc0079949da9fcb3
Instruction ID: 6552a3c7cc817bd0bf0621291c8240d3f07fdfb759ea8c029e05bf9a4febe696
Opcode Fuzzy Hash: A5414C032767977AE1612F402881B952571BF03769DC8C7D257F6746EA5F60240EF31E
Instruction Fuzzy Hash: 6552a3c7cc817bd0bf0621291c8240d3f07fdfb759ea8c029e05bf9a4febe696

APIs

socket.WSOCK32(00000002,00000001,00000000,?,?,?,?,?,?,?,?,?,00000000,00480C86), ref: 004808B5
ntohs.WSOCK32(00000774), ref: 004808D9
inet_addr.WSOCK32(015EAA88,00000774), ref: 004808ED
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 00480905
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 0048092C
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480943
closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480C2F

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480993
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88), ref: 004809C8
shutdown.WSOCK32(000000FF,00000002,?,?,?,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000), ref: 00480B80
closesocket.WSOCK32(000000FF,000000FF,00000002,?,?,?,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?), ref: 00480B89

Part of subcall function 00480860: send.WSOCK32(?,00000000,00000001,00000000), ref: 00480879

shutdown.WSOCK32(000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480C26

Part of subcall function 00405D40: SysFreeString.OLEAUT32(?), ref: 00405D53

Strings

FILEERR, xrefs: 00480BB6
FILEBOF, xrefs: 00480A34
FILEEOF, xrefs: 00480B0B
UPLOADFILE, xrefs: 00480969
FILEEND, xrefs: 00480B6A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048851C, Relevance: 28.3, APIs: 11, Strings: 5, Instructions: 302 Total matches: 13network

Similarity

Total matches: 13
API ID: recv$closesocketconnectgethostbynameinet_addrmouse_eventntohsshutdownsocket
String ID: CONTROLIO$XLEFT$XMID$XRIGHT$XWHEEL
API String ID: 1694935655-1300867655
Opcode ID: 3d8ebbc3997d8a2a290d7fc83b0cdb9b95b23bbbcb8ad76760d2b66ee4a9946d
Instruction ID: 7e2e77316238cb3891ff65c9dc595f4b15bca55cd02a53a070d44cee5d55110c
Opcode Fuzzy Hash: C7410B051B8DD63BF4337E001883B422661FF02A24DC5ABD1ABB6766E75F40641EB74B
Instruction Fuzzy Hash: 7e2e77316238cb3891ff65c9dc595f4b15bca55cd02a53a070d44cee5d55110c

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00488943), ref: 00488581
ntohs.WSOCK32(00000774), ref: 004885A7
inet_addr.WSOCK32(015EAA88,00000774), ref: 004885BB
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 004885D3
connect.WSOCK32(?,00000002,00000010,015EAA88,00000774), ref: 004885FD
recv.WSOCK32(?,?,00002000,00000000,?,00000002,00000010,015EAA88,00000774), ref: 00488617

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(?,?,00002000,00000000,?,?,00002000,00000000,?,00000002,00000010,015EAA88,00000774), ref: 00488670
recv.WSOCK32(?,?,00002000,00000000,?,?,00002000,00000000,?,?,00002000,00000000,?,00000002,00000010,015EAA88), ref: 004886B7
mouse_event.USER32(00000800,00000000,00000000,00000000,00000000), ref: 00488743

Part of subcall function 00488F80: SetCursorPos.USER32(00000000,00000000), ref: 004890E0
Part of subcall function 00488F80: mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 004890FB
Part of subcall function 00488F80: mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 0048910A
Part of subcall function 00488F80: mouse_event.USER32(00000008,00000000,00000000,00000000,00000000), ref: 0048911B
Part of subcall function 00488F80: mouse_event.USER32(00000010,00000000,00000000,00000000,00000000), ref: 0048912A
Part of subcall function 00488F80: mouse_event.USER32(00000020,00000000,00000000,00000000,00000000), ref: 0048913B
Part of subcall function 00488F80: mouse_event.USER32(00000040,00000000,00000000,00000000,00000000), ref: 0048914A

shutdown.WSOCK32(?,00000002,00000002,00000001,00000000,00000000,00488943), ref: 00488907
closesocket.WSOCK32(?,?,00000002,00000002,00000001,00000000,00000000,00488943), ref: 00488913

Strings

XLEFT, xrefs: 004887C6
CONTROLIO, xrefs: 00488640
XRIGHT, xrefs: 0048882E
XMID, xrefs: 00488896
XWHEEL, xrefs: 00488701

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048317C, Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 191 Total matches: 13networkthread

Similarity

Total matches: 13
API ID: ExitThreadrecv$closesocketconnectgethostbynameinet_addrntohssendshutdownsocket
String ID: AI$DATAFLUX
API String ID: 321019756-425132630
Opcode ID: b7a2c89509495347fc3323384a94636a93f503423a5dcd762de1341b7d40447e
Instruction ID: d3bdd4e47b343d3b4fa6119c5e41daebd5c6236719acedab40bdc5f8245a3ecd
Opcode Fuzzy Hash: 4B214D4107AAD97AE4702A443881BA224165F535ADFD48B7147343F7D79E43205DFA4E
Instruction Fuzzy Hash: d3bdd4e47b343d3b4fa6119c5e41daebd5c6236719acedab40bdc5f8245a3ecd

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,004833A9,?,00000000,0048340F), ref: 00483247
ExitThread.KERNEL32(00000000,00000002,00000001,00000000,00000000,004833A9,?,00000000,0048340F), ref: 00483257
ntohs.WSOCK32(00000774), ref: 0048326E
inet_addr.WSOCK32(015EAA88,00000774), ref: 00483282
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 0048329A
ExitThread.KERNEL32(00000000,015EAA88,015EAA88,00000774), ref: 004832A7
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 004832C6
recv.WSOCK32(000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004832D7
ExitThread.KERNEL32(00000000,000000FF,000000FF,00000002,000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0048339A

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00000400,00000000,?,00483440,?,DATAFLUX,000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88), ref: 0048331D
send.WSOCK32(000000FF,?,00000000,00000000), ref: 0048335C
recv.WSOCK32(000000FF,?,00000400,00000000,000000FF,?,00000000,00000000), ref: 00483370
shutdown.WSOCK32(000000FF,00000002,000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00483382
closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0048338B

Strings

AI, xrefs: 00483218
DATAFLUX, xrefs: 004832E3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047F4E0, Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 295 Total matches: 16network

Similarity

Total matches: 16
API ID: recv$closesocketconnectgethostbynameinet_addrntohsshutdownsocket
String ID: [.dll]$PLUGIN$QUICKUP
API String ID: 3502134677-2029499634
Opcode ID: e0335874fa5fb0619f753044afc16a0783dc895853cb643f68a57d403a54b849
Instruction ID: e53faec40743fc20efac8ebff3967ea6891c829de5991c2041a7f36387638ce7
Opcode Fuzzy Hash: 8E4129031BAAEA76E1723F4029C2B851A62EF12635DC4C7E287F6652D65F60241DF60E
Instruction Fuzzy Hash: e53faec40743fc20efac8ebff3967ea6891c829de5991c2041a7f36387638ce7

APIs

socket.WSOCK32(00000002,00000001,00000000,?,00000000,0047F930,?,?,?,?,00000000,00000000), ref: 0047F543
ntohs.WSOCK32(00000774), ref: 0047F567
inet_addr.WSOCK32(015EAA88,00000774), ref: 0047F57B
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 0047F593
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F5BA
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F5D1
closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F8C2

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,?,0047F968,?,0047F968,?,QUICKUP,000000FF,?,00002000,00000000,000000FF,00000002), ref: 0047F63F
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,0047F968,?,0047F968,?,QUICKUP,000000FF,?), ref: 0047F66F

Part of subcall function 0047F4C0: send.WSOCK32(?,00000000,00000001,00000000), ref: 0047F4D9

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,0047F968,?,0047F968), ref: 0047F859

Part of subcall function 0048ADCC: SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0048ADF9
Part of subcall function 0048ADCC: SHGetPathFromIDListA.SHELL32(?,?,00000000,0048AE8C,?,?,00000005,?,004856FD,00000000,00485755,?,?,00000005,00000000,00000000), ref: 0048AE09

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,0047F968,?,0047F968), ref: 0047F786

Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EEA0
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF11
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EF31
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF60
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0047EF96
Part of subcall function 0047EE3C: SetFileAttributesA.KERNEL32(00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFD6
Part of subcall function 0047EE3C: DeleteFileA.KERNEL32(00000000,00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFFF
Part of subcall function 0047EE3C: CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0047F033
Part of subcall function 0047EE3C: PlaySoundA.WINMM(00000000,00000000,00000001,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047F059
Part of subcall function 0047EE3C: CopyFileA.KERNEL32(00000000,00000000,.dcp), ref: 0047F0D1

shutdown.WSOCK32(000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F8B9

Part of subcall function 00405D40: SysFreeString.OLEAUT32(?), ref: 00405D53

Strings

PLUGIN, xrefs: 0047F527
QUICKUP, xrefs: 0047F5DD
FILEEND, xrefs: 0047F7E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00489244, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 150 Total matches: 15networkthread

Similarity

Total matches: 15
API ID: recv$ExitThreadclosesocketconnectgethostbynameinet_addrntohssendshutdownsocket
String ID: AI$DATAFLUX
API String ID: 272284131-425132630
Opcode ID: 11f7e99e0a7c1cc561ab01f1b1abb0142bfc906553ec9d79ada03e9cf39adde9
Instruction ID: 4d7be339f0e68e68ccf0b59b667884dcbebc6bd1e5886c9405f519ae2503b2a6
Opcode Fuzzy Hash: DA115B4513B9A77BE0626F943842B6265236B02E3CF498B3153B83A3C6DF41146DFA4D
Instruction Fuzzy Hash: 4d7be339f0e68e68ccf0b59b667884dcbebc6bd1e5886c9405f519ae2503b2a6

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00489441), ref: 004892BA
ntohs.WSOCK32(00000774), ref: 004892DC
inet_addr.WSOCK32(015EAA88,00000774), ref: 004892F0
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 00489308
connect.WSOCK32(00000000,00000002,00000010,015EAA88,00000774), ref: 0048932C
recv.WSOCK32(00000000,?,00000400,00000000,00000000,00000002,00000010,015EAA88,00000774), ref: 00489340

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(00000000,?,00000400,00000000,?,0048946C,?,DATAFLUX,00000000,?,00000400,00000000,00000000,00000002,00000010,015EAA88), ref: 00489399
send.WSOCK32(00000000,?,00000000,00000000), ref: 004893E3
recv.WSOCK32(00000000,?,00000400,00000000,00000000,?,00000000,00000000), ref: 004893FA
shutdown.WSOCK32(00000000,00000002,00000002,00000001,00000000,00000000,00489441), ref: 00489409
closesocket.WSOCK32(00000000,00000000,00000002,00000002,00000001,00000000,00000000,00489441), ref: 0048940F
ExitThread.KERNEL32(00000000,00000000,00000000,00000002,00000002,00000001,00000000,00000000,00489441), ref: 0048941E

Strings

DATAFLUX, xrefs: 0048934C
AI, xrefs: 0048928B

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00406A68, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 139 Total matches: 2934stringlibraryfile

Similarity

Total matches: 2934
API ID: lstrcpyn$lstrlen$FindCloseFindFirstFileGetModuleHandleGetProcAddress
String ID: GetLongPathNameA$\$[FILE]
API String ID: 3661757112-3025972186
Opcode ID: 09af6d4fb3ce890a591f7b23fb756db22e1cbc03564fc0e4437be3767da6793e
Instruction ID: b14d932b19fc4064518abdddbac2846d3fd2a245794c3c1ecc53a3c556f9407d
Opcode Fuzzy Hash: 5A0148030E08E387E1775B017586F4A12A1EF41C38E98A36025F15BAC94E00300CF12F
Instruction Fuzzy Hash: b14d932b19fc4064518abdddbac2846d3fd2a245794c3c1ecc53a3c556f9407d

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,00400000,004917C0), ref: 00406A85
GetProcAddress.KERNEL32(?,GetLongPathNameA,kernel32.dll,?,00400000,004917C0), ref: 00406A9C
lstrcpynA.KERNEL32(?,?,?,?,00400000,004917C0), ref: 00406ACC
lstrcpynA.KERNEL32(?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B30

Part of subcall function 00406A48: CharNextA.USER32(?), ref: 00406A4F

lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B66
FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B79
FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B8B
lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B97
lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000), ref: 00406BCB
lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00406BD7
lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 00406BF9

Strings

GetLongPathNameA, xrefs: 00406A93
\, xrefs: 00406BA9
kernel32.dll, xrefs: 00406A80

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486E2C, Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 178 Total matches: 14networkthreadsleep

Similarity

Total matches: 14
API ID: CloseHandleCreateThreadExitThreadLocalAllocSleepacceptbindlistenntohssocket
String ID: ERR|Cannot listen to port, try another one..|$ERR|Socket error..|$OK|Successfully started..|
API String ID: 2137491959-3262568804
Opcode ID: 90fb1963c21165c4396d73d063bf7afe9f22d057a02fd569e7e66b2d14a70f73
Instruction ID: 0fda09cc725898a8dcbc65afb209be10fac5e25cc35172c883d426d9189e88b6
Opcode Fuzzy Hash: 9011D50257DC549BD5E7ACC83887FA611625F83E8CEC8BB06AB9A3B2C10E555028B652
Instruction Fuzzy Hash: 0fda09cc725898a8dcbc65afb209be10fac5e25cc35172c883d426d9189e88b6

APIs

socket.WSOCK32(00000002,00000001,00000006,00000000,00487046), ref: 00486E87
ntohs.WSOCK32(?,00000002,00000001,00000006,00000000,00487046), ref: 00486EA8
bind.WSOCK32(00000000,00000002,00000010,?,00000002,00000001,00000006,00000000,00487046), ref: 00486EBD
listen.WSOCK32(00000000,00000005,00000000,00000002,00000010,?,00000002,00000001,00000006,00000000,00487046), ref: 00486ECD

Part of subcall function 004870D4: EnterCriticalSection.KERNEL32(0049C3A8,00000000,004872FC,?,?,00000000,?,00000003,00000000,00000000,?,00486F27,00000000,?,?,00000000), ref: 00487110
Part of subcall function 004870D4: LeaveCriticalSection.KERNEL32(0049C3A8,004872E1,004872FC,?,?,00000000,?,00000003,00000000,00000000,?,00486F27,00000000,?,?,00000000), ref: 004872D4

accept.WSOCK32(00000000,?,00000010,00000000,?,?,00000000,00000000,00000005,00000000,00000002,00000010,?,00000002,00000001,00000006), ref: 00486F37
LocalAlloc.KERNEL32(00000040,00000010,00000000,?,00000010,00000000,?,?,00000000,00000000,00000005,00000000,00000002,00000010,?,00000002), ref: 00486F49
CreateThread.KERNEL32(00000000,00000000,Function_00086918,00000000,00000000,?), ref: 00486F83
CloseHandle.KERNEL32(00000000), ref: 00486F89
Sleep.KERNEL32(00000064,00000000,00000000,00000000,Function_00086918,00000000,00000000,?,00000040,00000010,00000000,?,00000010,00000000,?,?), ref: 00486FD0

Part of subcall function 00487488: EnterCriticalSection.KERNEL32(0049C3A8,00000000,00487671,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00487016), ref: 004874B5
Part of subcall function 00487488: closesocket.WSOCK32(00000000,FpH,?,?,?,?,0049C3A8,00000000,00487671,?,?,00000000,?,00000000,00000000,00000000), ref: 0048761C
Part of subcall function 00487488: LeaveCriticalSection.KERNEL32(0049C3A8,00487656,00487671,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00487016), ref: 00487649

ExitThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000010,?,00000002,00000001,00000006,00000000,00487046), ref: 00487018

Strings

ERR|Socket error..|, xrefs: 00486FA4
OK|Successfully started..|, xrefs: 00486EEF
ERR|Cannot listen to port, try another one..|, xrefs: 00486FEE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048298C, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 119 Total matches: 11threadnetwork

Similarity

Total matches: 11
API ID: ExitThread$closesocket$connectgethostbynameinet_addrntohssocket
String ID: PortScanAdd$T)H
API String ID: 2395914352-1310557750
Opcode ID: 6c3104e507475618e3898607272650a69bca6dc046555386402c23f344340102
Instruction ID: 72399fd579b68a6a0bb22d5de318f24183f317e071505d54d2110904ee01d501
Opcode Fuzzy Hash: 1101680197ABE83FA05261C43881B8224A9AF57288CC8AFB2433A3E7C35D04300EF785
Instruction Fuzzy Hash: 72399fd579b68a6a0bb22d5de318f24183f317e071505d54d2110904ee01d501

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 004829FE
ExitThread.KERNEL32(00000000,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A0C
ntohs.WSOCK32(?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A18
inet_addr.WSOCK32(00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A2A
gethostbyname.WSOCK32(00000000,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A40
ExitThread.KERNEL32(00000000,00000000,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A4D
connect.WSOCK32(00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A63
ExitThread.KERNEL32(00000000,00000000,00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482AB2

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

closesocket.WSOCK32(00000000,?,00482B30,?,PortScanAdd,00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1), ref: 00482A9C
ExitThread.KERNEL32(00000000,00000000,?,00482B30,?,PortScanAdd,00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1), ref: 00482AA3
closesocket.WSOCK32(00000000,00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482AAB

Strings

T)H, xrefs: 004829A6, 00482AEF
PortScanAdd, xrefs: 00482A6C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004836D8, Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 99 Total matches: 11threadnetworksleep

Similarity

Total matches: 11
API ID: ExitThread$Sleepclosesocketconnectgethostbynameinet_addrntohsrecvsocket
String ID: POST /index.php/1.0Host:
API String ID: 2628901859-3522423011
Opcode ID: b04dd301db87c41df85ba2753455f3376e44383b7eb4be01a122875681284b07
Instruction ID: dc3bae1cbba1b9e51a9e3778eeee895e0839b03ccea3d6e2fe0063a405e053e2
Opcode Fuzzy Hash: E6F044005B779ABFC4611EC43C51B8205AA9353A64F85ABE2867A3AED6AD25100FF641
Instruction Fuzzy Hash: dc3bae1cbba1b9e51a9e3778eeee895e0839b03ccea3d6e2fe0063a405e053e2

APIs

socket.WSOCK32(00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 0048373A
ExitThread.KERNEL32(00000000,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 00483747
inet_addr.WSOCK32(?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 00483762
ntohs.WSOCK32(00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 0048376B
gethostbyname.WSOCK32(?,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 0048377B
ExitThread.KERNEL32(00000000,?,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 00483788
connect.WSOCK32(00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 0048379E
ExitThread.KERNEL32(00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 004837A9

Part of subcall function 00475F68: send.WSOCK32(?,00000000,?,00000000,00000000,00475FCA), ref: 00475FAF

recv.WSOCK32(00000000,?,00000400,00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ), ref: 004837C7
Sleep.KERNEL32(000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000,?), ref: 004837DF
closesocket.WSOCK32(00000000,000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000), ref: 004837E5
ExitThread.KERNEL32(00000000,00000000,000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854), ref: 004837EC

Strings

POST /index.php/1.0Host: , xrefs: 00483708

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482630, Relevance: 18.1, APIs: 12, Instructions: 116 Total matches: 16threadnetworksleep

Similarity

Total matches: 16
API ID: ExitThread$Sleepclosesocketconnectgethostbynameinet_addrntohsrecvsocket
String ID:
API String ID: 2628901859-0
Opcode ID: a3aaf1e794ac1aa69d03c8f9e66797259df72f874d13839bb17dd00c6b42194d
Instruction ID: ff6d9d03150e41bc14cdbddfb540e41f41725cc753a621d047e760d4192c390a
Opcode Fuzzy Hash: 7801D0011B764DBFC4611E846C8239311A7A763899DC5EBB1433A395D34E00202DFE46
Instruction Fuzzy Hash: ff6d9d03150e41bc14cdbddfb540e41f41725cc753a621d047e760d4192c390a

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000000,004827A8), ref: 004826CB
ExitThread.KERNEL32(00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 004826D8
inet_addr.WSOCK32(00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 004826F3
ntohs.WSOCK32(00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 004826FC
gethostbyname.WSOCK32(00000000,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 0048270C
ExitThread.KERNEL32(00000000,00000000,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 00482719
connect.WSOCK32(00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 0048272F
ExitThread.KERNEL32(00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 0048273A

Part of subcall function 004824B0: send.WSOCK32(?,?,00000400,00000000,00000000,00482542), ref: 00482525

recv.WSOCK32(00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 00482758
Sleep.KERNEL32(000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 00482770
closesocket.WSOCK32(00000000,000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000), ref: 00482776
ExitThread.KERNEL32(00000000,00000000,000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?), ref: 0048277D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004821A0, Relevance: 15.1, APIs: 10, Instructions: 112 Total matches: 15threadnetworksleep

Similarity

Total matches: 15
API ID: ExitThread$Sleepclosesocketgethostbynameinet_addrntohssendtosocket
String ID:
API String ID: 1359030137-0
Opcode ID: 9f2e935b6ee09f04cbe2534d435647e5a9c7a25d7308ce71f3340d3606cd1e00
Instruction ID: ac1de70ce42b68397a6b2ea81eb33c5fd22f812bdd7d349b67f520e68fdd8bef
Opcode Fuzzy Hash: BC0197011B76997BD8612EC42C8335325A7E363498E85ABB2863A3A5C34E00303EFD4A
Instruction Fuzzy Hash: ac1de70ce42b68397a6b2ea81eb33c5fd22f812bdd7d349b67f520e68fdd8bef

APIs

socket.WSOCK32(00000002,00000002,00000000,?,00000000,00482302), ref: 0048223B
ExitThread.KERNEL32(00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 00482248
inet_addr.WSOCK32(00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 00482263
ntohs.WSOCK32(00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 0048226C
gethostbyname.WSOCK32(00000000,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 0048227C
ExitThread.KERNEL32(00000000,00000000,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 00482289
sendto.WSOCK32(00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 004822B2
Sleep.KERNEL32(000003E8,00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 004822CA
closesocket.WSOCK32(00000000,000003E8,00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 004822D0
ExitThread.KERNEL32(00000000,00000000,000003E8,00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000), ref: 004822D7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00458910, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64 Total matches: 3020window

Similarity

Total matches: 3020
API ID: GetWindowLongScreenToClient$GetWindowPlacementGetWindowRectIsIconic
String ID: ,
API String ID: 816554555-3772416878
Opcode ID: 33713ad712eb987f005f3c933c072ce84ce87073303cb20338137d5b66c4d54f
Instruction ID: 99fb2dd3f2d8984d329dcc6a20dc6bc7800d43894b91fc45d581d88d3a180e50
Opcode Fuzzy Hash: 34E0929A777C2018C58145A80943F5DB3519B5B7FAC55DF8036902895B110018B1B86D
Instruction Fuzzy Hash: 99fb2dd3f2d8984d329dcc6a20dc6bc7800d43894b91fc45d581d88d3a180e50

APIs

IsIconic.USER32(?), ref: 0045891F
GetWindowPlacement.USER32(?,0000002C), ref: 0045893C
GetWindowRect.USER32(?), ref: 00458955
GetWindowLongA.USER32(?,000000F0), ref: 00458963
GetWindowLongA.USER32(?,000000F8), ref: 00458978
ScreenToClient.USER32(00000000), ref: 00458985
ScreenToClient.USER32(00000000,?), ref: 00458990

Strings

,, xrefs: 00458928

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043B7D8, Relevance: 12.1, APIs: 8, Instructions: 72 Total matches: 256window

Similarity

Total matches: 256
API ID: ShowWindow$SetWindowLong$GetWindowLongIsIconicIsWindowVisible
String ID:
API String ID: 1329766111-0
Opcode ID: 851ee31c2da1c7e890e66181f8fd9237c67ccb8fd941b2d55d1428457ca3ad95
Instruction ID: 2d601e2c9dde570a1438639cb57e59d23a7ac9434ebe8ec1c9926e4533b8e8e7
Opcode Fuzzy Hash: FEE0684A6E7C6CE4E26AE7048881B00514BE307A17DC00B00C722165A69E8830E4AC8E
Instruction Fuzzy Hash: 2d601e2c9dde570a1438639cb57e59d23a7ac9434ebe8ec1c9926e4533b8e8e7

APIs

GetWindowLongA.USER32(?,000000EC), ref: 0043B7E8
IsIconic.USER32(?), ref: 0043B800
IsWindowVisible.USER32(?), ref: 0043B80C
ShowWindow.USER32(?,00000000), ref: 0043B840
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B855
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B866
ShowWindow.USER32(?,00000006), ref: 0043B881
ShowWindow.USER32(?,00000005), ref: 0043B88B

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004389B4, Relevance: 10.9, APIs: 7, Instructions: 405 Total matches: 2150windowCrypto

Similarity

Total matches: 2150
API ID: RestoreDCSaveDC$DefWindowProcGetSubMenuGetWindowDC
String ID:
API String ID: 4165311318-0
Opcode ID: e3974ea3235f2bde98e421c273a503296059dbd60f3116d5136c6e7e7c4a4110
Instruction ID: 37498faecac08611daeb58a409bdd2e28f3aff22c71556953c3d6c7203dc42a1
Opcode Fuzzy Hash: E351598106AE105BFCB3A49435C3FA31002E75259BCC9F7725F65B69F70A426107FA0E
Instruction Fuzzy Hash: 37498faecac08611daeb58a409bdd2e28f3aff22c71556953c3d6c7203dc42a1

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 00438ECA

Part of subcall function 00437AE0: SendMessageA.USER32(?,00000234,00000000,00000000), ref: 00437B66
Part of subcall function 00437AE0: DrawMenuBar.USER32(00000000), ref: 00437B77

GetSubMenu.USER32(?,?), ref: 00438AB0

Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128

SaveDC.GDI32(?), ref: 00438C84
RestoreDC.GDI32(?,?), ref: 00438CF8
GetWindowDC.USER32(?), ref: 00438D72
SaveDC.GDI32(?), ref: 00438DA9
RestoreDC.GDI32(?,?), ref: 00438E16

Part of subcall function 00438594: GetMenuItemCount.USER32(?), ref: 004385C0
Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 004385E0
Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 00438678

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043E644, Relevance: 10.9, APIs: 7, Instructions: 356 Total matches: 105windowCrypto

Similarity

Total matches: 105
API ID: RestoreDCSaveDC$GetParentGetWindowDCSetFocus
String ID:
API String ID: 1433148327-0
Opcode ID: c7c51054c34f8cc51c1d37cc0cdfc3fb3cac56433bd5d750a0ee7df42f9800ec
Instruction ID: 9e67841575b56d9a11e2d3f15b67e7abce699d8469a9871b1b2609441fc85f19
Opcode Fuzzy Hash: 60514740199E7193F47720842BC3BEAB09AF79671DC40F3616BC6318877F15A21AB70B
Instruction Fuzzy Hash: 9e67841575b56d9a11e2d3f15b67e7abce699d8469a9871b1b2609441fc85f19

APIs

Part of subcall function 00448224: SetActiveWindow.USER32(?), ref: 0044823F
Part of subcall function 00448224: SetFocus.USER32(00000000), ref: 00448289

SetFocus.USER32(00000000), ref: 0043E76F

Part of subcall function 0043F4F4: SendMessageA.USER32(00000000,00000229,00000000,00000000), ref: 0043F51B

Part of subcall function 0044D2F4: GetWindowThreadProcessId.USER32(?), ref: 0044D301
Part of subcall function 0044D2F4: GetCurrentProcessId.KERNEL32(?,00000000,?,004387ED,?,004378A9), ref: 0044D30A
Part of subcall function 0044D2F4: GlobalFindAtomA.KERNEL32(00000000), ref: 0044D31F
Part of subcall function 0044D2F4: GetPropA.USER32(?,00000000), ref: 0044D336

GetParent.USER32(?), ref: 0043E78A

Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128

SaveDC.GDI32(?), ref: 0043E92D
RestoreDC.GDI32(?,?), ref: 0043E99E
GetWindowDC.USER32(00000000), ref: 0043EA0A
SaveDC.GDI32(?), ref: 0043EA41
RestoreDC.GDI32(?,?), ref: 0043EAA5

Part of subcall function 00447EF0: InvalidateRect.USER32(00000000,00000000,000000FF), ref: 00447F83
Part of subcall function 00447EF0: InvalidateRect.USER32(00000000,00000000,000000FF), ref: 00447FB6

Part of subcall function 004556F4: SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000077), ref: 004557E5
Part of subcall function 004556F4: _TrackMouseEvent.COMCTL32(00000010), ref: 00455A9D
Part of subcall function 004556F4: DefWindowProcA.USER32(00000000,?,?,?), ref: 00455AEF
Part of subcall function 004556F4: GetCapture.USER32 ref: 00455B5A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00471850, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 97 Total matches: 34service

Similarity

Total matches: 34
API ID: CloseServiceHandle$CreateServiceOpenSCManager
String ID: Description$System\CurrentControlSet\Services\
API String ID: 2405299899-3489731058
Opcode ID: 96e252074fe1f6aca618bd4c8be8348df4b99afc93868a54bf7090803d280f0a
Instruction ID: 14b9cf690ce9596509c6229b802a5a61d158de39c8e329de654368bbb4824ff8
Opcode Fuzzy Hash: 7EF09E441FA6E84FA45EB84828533D651465713A78D4C77F19778379C34E84802EF662
Instruction Fuzzy Hash: 14b9cf690ce9596509c6229b802a5a61d158de39c8e329de654368bbb4824ff8

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,00471976,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00471890
CreateServiceA.ADVAPI32(00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,0047193B), ref: 004718D1

Part of subcall function 004711E8: RegCreateKeyA.ADVAPI32(?,00000000,?), ref: 0047122E
Part of subcall function 004711E8: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000002,00000000,?,00000000,00471291), ref: 0047125A
Part of subcall function 004711E8: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000002,00000000,?,00000000,00471291), ref: 00471269

CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00471926
CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0047192C

Strings

Description, xrefs: 00471916
System\CurrentControlSet\Services\, xrefs: 004718F7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004714B8, Relevance: 10.6, APIs: 7, Instructions: 89 Total matches: 71service

Similarity

Total matches: 71
API ID: CloseServiceHandle$ControlServiceOpenSCManagerOpenServiceQueryServiceStatusStartService
String ID:
API String ID: 3657116338-0
Opcode ID: 1e9d444eec48d0e419340f6fec950ff588b94c8e7592a950f99d2ba7664d31f8
Instruction ID: f731b938185626ba78ad74946a73eac4c40bc8709c87a2b6d5c22da45b1e1850
Opcode Fuzzy Hash: EDF0270D12C6E85FF119A88C1181B67D992DF56795E4A37E04715744CB1AE21008FA1E
Instruction Fuzzy Hash: f731b938185626ba78ad74946a73eac4c40bc8709c87a2b6d5c22da45b1e1850

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047159E), ref: 004714FD
OpenServiceA.ADVAPI32(00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047152D
StartServiceA.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471555
ControlService.ADVAPI32(00000000,00000001,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471563
QueryServiceStatus.ADVAPI32(00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047156D
CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471573
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471579

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A070, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51 Total matches: 81shutdown

Similarity

Total matches: 81
API ID: AdjustTokenPrivilegesExitWindowsExGetCurrentProcessLookupPrivilegeValueOpenProcessToken
String ID: SeShutdownPrivilege
API String ID: 907618230-3733053543
Opcode ID: 6325c351eeb4cc5a7ec0039467aea46e8b54e3429b17674810d590d1af91e24f
Instruction ID: 66577e1e564058a64f67eda116e8e082f314cb3670dbe1b8773e92ba7f33d392
Opcode Fuzzy Hash: 84D0124D3B7976B1F31D5D4001C47A6711FDBA322AD61670069507725A8DA091F4BE88
Instruction Fuzzy Hash: 66577e1e564058a64f67eda116e8e082f314cb3670dbe1b8773e92ba7f33d392

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 0048A083
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0048A089
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000000), ref: 0048A0A4
AdjustTokenPrivileges.ADVAPI32(00000002,00000000,00000002,00000010,?,?,00000000), ref: 0048A0E5
ExitWindowsEx.USER32(00000012,00000000), ref: 0048A0ED

Strings

SeShutdownPrivilege, xrefs: 0048A09D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E370, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 46 Total matches: 14window

Similarity

Total matches: 14
API ID: GetWindowPlacementGetWindowRectIsIconic
String ID: MonitorFromWindow$pB
API String ID: 1187573753-2555291889
Opcode ID: b2662cef33c9ce970c581efdfdde34e0c8b40e940518fa378c404c4b73bde14f
Instruction ID: 5a6b2a18135ea14e651d4e6cb58f3d6b41c3321aed1c605d56f3d84144375520
Opcode Fuzzy Hash: E2D0977303280A045DC34844302880B2A322AD3C3188C3FE182332B3D34B8630BCCF1D
Instruction Fuzzy Hash: 5a6b2a18135ea14e651d4e6cb58f3d6b41c3321aed1c605d56f3d84144375520

APIs

IsIconic.USER32(?), ref: 0042E3B9
GetWindowPlacement.USER32(?,?), ref: 0042E3C7
GetWindowRect.USER32(?,?), ref: 0042E3D3

Part of subcall function 0042E2E0: GetSystemMetrics.USER32(00000000), ref: 0042E331
Part of subcall function 0042E2E0: GetSystemMetrics.USER32(00000001), ref: 0042E33D

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

pB, xrefs: 0042E38C, 0042E399, 0042E3A0
MonitorFromWindow, xrefs: 0042E387

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004715B0, Relevance: 7.5, APIs: 5, Instructions: 49 Total matches: 102service

Similarity

Total matches: 102
API ID: CloseServiceHandle$DeleteServiceOpenSCManagerOpenService
String ID:
API String ID: 3460840894-0
Opcode ID: edfa3289dfdb26ec1f91a4a945de349b204e0a604ed3354c303b362bde8b8223
Instruction ID: 514bcffe4070602af344c66095507f6a8d55ec3e3e7bb18c804bf3b7deea95f5
Opcode Fuzzy Hash: 01D02E841BA8F82FD4879988111239360C1AA23A90D8A37F08E08361D3ABE4004CF86A
Instruction Fuzzy Hash: 514bcffe4070602af344c66095507f6a8d55ec3e3e7bb18c804bf3b7deea95f5

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047162F), ref: 004715DB
OpenServiceA.ADVAPI32(00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 004715F5
DeleteService.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471601
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 0047160E
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471614

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474D58, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 57 Total matches: 14memoryinjection

Similarity

Total matches: 14
API ID: VirtualAllocExWriteProcessMemory
String ID: DCPERSFWBP$[FILE]
API String ID: 1899012086-3297815924
Opcode ID: 423b64deca3bc68d45fc180ef4fe9512244710ab636da43375ed106f5e876429
Instruction ID: 67bfdac44fec7567ab954589a4a4ae8848f6352de5e33de26bc6a5b7174d46b5
Opcode Fuzzy Hash: 4BD02B4149BDE17FF94C78C4A85678341A7D3173DCE802F51462633086CD94147EFCA2
Instruction Fuzzy Hash: 67bfdac44fec7567ab954589a4a4ae8848f6352de5e33de26bc6a5b7174d46b5

APIs

VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?,00000000,00000000,00000000,?,004755A7), ref: 00474D98
WriteProcessMemory.KERNEL32(?,00000000,kernel32.dll,?,?,?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?), ref: 00474DBE

Strings

DCPERSFWBP, xrefs: 00474D63
kernel32.dll, xrefs: 00474DBB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00466038, Relevance: 6.1, APIs: 4, Instructions: 80 Total matches: 74memory

Similarity

Total matches: 74
API ID: FreeLibraryGetProcessHeapHeapFreeVirtualFree
String ID:
API String ID: 3842653680-0
Opcode ID: 18c634abe08efcbefc55c9db1d620b030a08f63fe7277eb6ecf1dfb863243027
Instruction ID: c74000fe1f08e302fb3e428a7eb38cba65dd626a731774cc3da5921c0d19fb8b
Opcode Fuzzy Hash: 05E06801058482C6E4EC38C40607F0867817F8B269D70AB2809F62E7F7C985A25D5E80
Instruction Fuzzy Hash: c74000fe1f08e302fb3e428a7eb38cba65dd626a731774cc3da5921c0d19fb8b

APIs

FreeLibrary.KERNEL32(00000000,?,?,00000000,?,00000000,00465C6C), ref: 004660A7
VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,?,00000000,00465C6C), ref: 004660D8
GetProcessHeap.KERNEL32(00000000,?,?,?,00000000,?,00000000,00465C6C), ref: 004660E0
HeapFree.KERNEL32(00000000,00000000,?), ref: 004660E6

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A218, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45 Total matches: 35

Similarity

Total matches: 35
API ID: ShellExecuteEx
String ID: <$runas
API String ID: 188261505-1187129395
Opcode ID: 78fd917f465efea932f782085a819b786d64ecbded851ad2becd4a9c2b295cba
Instruction ID: 699417cfffd9d2823bf050fc300394e0ca4864bf277244f982f3937778f2d3bc
Opcode Fuzzy Hash: 44D0C2651799A06BC4A3B2C03C41B2B25307B13B48C0EB722960034CD38F080009EF85
Instruction Fuzzy Hash: 699417cfffd9d2823bf050fc300394e0ca4864bf277244f982f3937778f2d3bc

APIs

ShellExecuteExA.SHELL32(0000003C,00000000,0048A2A4), ref: 0048A283

Strings

runas, xrefs: 0048A268
<, xrefs: 0048A24C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00471640, Relevance: 4.6, APIs: 3, Instructions: 140 Total matches: 47service

Similarity

Total matches: 47
API ID: CloseServiceHandleEnumServicesStatusOpenSCManager
String ID:
API String ID: 233299287-0
Opcode ID: 185c547a2e6a35dbb7ea54b3dd23c7efef250d35a63269c87f9c499be03b9b38
Instruction ID: 4325fe5331610a1e4ee3b19dd885bf5302e7ab4f054d8126da991c50fe425a8d
Opcode Fuzzy Hash: D3112647077BC223FB612D841803F8279D84B1AA24F8C4B458BB5BC6F61E490105F69D
Instruction Fuzzy Hash: 4325fe5331610a1e4ee3b19dd885bf5302e7ab4f054d8126da991c50fe425a8d

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000005,00000000,00471828), ref: 004716A2
EnumServicesStatusA.ADVAPI32(00000000,0000013F,00000003,?,00004800,?,?,?), ref: 004716DC

Part of subcall function 004714B8: OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047159E), ref: 004714FD
Part of subcall function 004714B8: OpenServiceA.ADVAPI32(00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047152D
Part of subcall function 004714B8: StartServiceA.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471555
Part of subcall function 004714B8: ControlService.ADVAPI32(00000000,00000001,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471563
Part of subcall function 004714B8: QueryServiceStatus.ADVAPI32(00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047156D
Part of subcall function 004714B8: CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471573
Part of subcall function 004714B8: CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471579

CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000005,00000000,00471828), ref: 00471805

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042F204, Relevance: 166.5, APIs: 48, Strings: 47, Instructions: 266 Total matches: 2590libraryloader

Similarity

Total matches: 2590
API ID: GetProcAddress$LoadLibrary
String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$[FILE]
API String ID: 2209490600-790253602
Opcode ID: d5b316937265a1d63c550ac9e6780b23ae603b9b00a4eb52bbd2495b45327185
Instruction ID: cdd6db89471e363eb0c024dafd59dce8bdfa3de864d9ed8bc405e7c292d3cab1
Opcode Fuzzy Hash: 3A41197F44EC1149F6A0DA0830FF64324E669EAF2C0325F101587303717ADBF52A6AB9
Instruction Fuzzy Hash: cdd6db89471e363eb0c024dafd59dce8bdfa3de864d9ed8bc405e7c292d3cab1

APIs

LoadLibraryA.KERNEL32(uxtheme.dll), ref: 0042F23A
GetProcAddress.KERNEL32(00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F252
GetProcAddress.KERNEL32(00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F264
GetProcAddress.KERNEL32(00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F276
GetProcAddress.KERNEL32(00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F288
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F29A
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F2AC
GetProcAddress.KERNEL32(00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000), ref: 0042F2BE
GetProcAddress.KERNEL32(00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData), ref: 0042F2D0
GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData), ref: 0042F2E2
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground), ref: 0042F2F4
GetProcAddress.KERNEL32(00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText), ref: 0042F306
GetProcAddress.KERNEL32(00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect), ref: 0042F318
GetProcAddress.KERNEL32(00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect), ref: 0042F32A
GetProcAddress.KERNEL32(00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize), ref: 0042F33C
GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent), ref: 0042F34E
GetProcAddress.KERNEL32(00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics), ref: 0042F360
GetProcAddress.KERNEL32(00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion), ref: 0042F372
GetProcAddress.KERNEL32(00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground), ref: 0042F384
GetProcAddress.KERNEL32(00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge), ref: 0042F396
GetProcAddress.KERNEL32(00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon), ref: 0042F3A8
GetProcAddress.KERNEL32(00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined), ref: 0042F3BA
GetProcAddress.KERNEL32(00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent), ref: 0042F3CC
GetProcAddress.KERNEL32(00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor), ref: 0042F3DE
GetProcAddress.KERNEL32(00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric), ref: 0042F3F0
GetProcAddress.KERNEL32(00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString), ref: 0042F402
GetProcAddress.KERNEL32(00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool), ref: 0042F414
GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt), ref: 0042F426
GetProcAddress.KERNEL32(00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue), ref: 0042F438
GetProcAddress.KERNEL32(00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition), ref: 0042F44A
GetProcAddress.KERNEL32(00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont), ref: 0042F45C
GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect), ref: 0042F46E
GetProcAddress.KERNEL32(00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins), ref: 0042F480
GetProcAddress.KERNEL32(00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList), ref: 0042F492
GetProcAddress.KERNEL32(00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin), ref: 0042F4A4
GetProcAddress.KERNEL32(00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme), ref: 0042F4B6
GetProcAddress.KERNEL32(00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename), ref: 0042F4C8
GetProcAddress.KERNEL32(00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor), ref: 0042F4DA
GetProcAddress.KERNEL32(00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush), ref: 0042F4EC
GetProcAddress.KERNEL32(00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool), ref: 0042F4FE
GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize), ref: 0042F510
GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont), ref: 0042F522
GetProcAddress.KERNEL32(00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString), ref: 0042F534
GetProcAddress.KERNEL32(00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt), ref: 0042F546
GetProcAddress.KERNEL32(00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive), ref: 0042F558
GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed), ref: 0042F56A
GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground,00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme), ref: 0042F57C
GetProcAddress.KERNEL32(00000000,EnableTheming,00000000,DrawThemeParentBackground,00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture), ref: 0042F58E

Strings

EnableTheming, xrefs: 0042F586
CloseThemeData, xrefs: 0042F25C
DrawThemeText, xrefs: 0042F280
GetThemePosition, xrefs: 0042F3C4
IsThemeBackgroundPartiallyTransparent, xrefs: 0042F346
GetThemeBool, xrefs: 0042F38E
GetThemeTextMetrics, xrefs: 0042F2DA
IsThemeDialogTextureEnabled, xrefs: 0042F51A
GetThemeMetric, xrefs: 0042F36A
GetThemeSysInt, xrefs: 0042F4C0
GetThemeInt, xrefs: 0042F3A0
SetThemeAppProperties, xrefs: 0042F53E
IsAppThemed, xrefs: 0042F4E4
EnableThemeDialogTexture, xrefs: 0042F508
GetThemeEnumValue, xrefs: 0042F3B2
GetThemeSysSize, xrefs: 0042F48A
GetThemeTextExtent, xrefs: 0042F2C8
DrawThemeBackground, xrefs: 0042F26E
GetThemeBackgroundRegion, xrefs: 0042F2EC
IsThemeActive, xrefs: 0042F4D2
GetThemeBackgroundContentRect, xrefs: 0042F292, 0042F2A4
uxtheme.dll, xrefs: 0042F235
GetThemeSysString, xrefs: 0042F4AE
DrawThemeEdge, xrefs: 0042F310
GetThemeFilename, xrefs: 0042F442
GetThemeIntList, xrefs: 0042F40C
GetThemeSysBool, xrefs: 0042F478
GetThemeSysColor, xrefs: 0042F454
GetThemeFont, xrefs: 0042F3D6
GetWindowTheme, xrefs: 0042F4F6
GetThemeMargins, xrefs: 0042F3FA
GetThemeSysColorBrush, xrefs: 0042F466
GetCurrentThemeName, xrefs: 0042F550
GetThemeAppProperties, xrefs: 0042F52C
GetThemePropertyOrigin, xrefs: 0042F41E
OpenThemeData, xrefs: 0042F24A
GetThemeSysFont, xrefs: 0042F49C
GetThemeRect, xrefs: 0042F3E8
GetThemeDocumentationProperty, xrefs: 0042F562
IsThemePartDefined, xrefs: 0042F334
SetWindowTheme, xrefs: 0042F430
GetThemePartSize, xrefs: 0042F2B6
GetThemeColor, xrefs: 0042F358
DrawThemeParentBackground, xrefs: 0042F574
DrawThemeIcon, xrefs: 0042F322
GetThemeString, xrefs: 0042F37C
HitTestThemeBackground, xrefs: 0042F2FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004754C4, Relevance: 87.7, APIs: 29, Strings: 21, Instructions: 233 Total matches: 21libraryloaderprocess

Similarity

Total matches: 21
API ID: GetModuleHandleGetProcAddress$CreateProcess
String ID: CloseHandle$CreateMutexA$CreateProcessA$D$DCPERSFWBP$ExitThread$GetExitCodeProcess$GetLastError$GetProcAddress$LoadLibraryA$MessageBoxA$OpenProcess$SetLastError$Sleep$TerminateProcess$WaitForSingleObject$kernel32$[FILE]$notepad$user32$[FILE]
API String ID: 3751337051-3523759359
Opcode ID: 948186da047cc935dcd349cc6fe59913c298c2f7fe37e158e253dfef2729ac1f
Instruction ID: 4cc698827aad1f96db961776656dbb42e561cfa105640199e72939f2d3a7da76
Opcode Fuzzy Hash: 0C31B4E666B8F349E6362E4830D46BC26C1A687F3DB52D7004A37B27C46E810407F776
Instruction Fuzzy Hash: 4cc698827aad1f96db961776656dbb42e561cfa105640199e72939f2d3a7da76

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 00475590

Part of subcall function 00474D58: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?,00000000,00000000,00000000,?,004755A7), ref: 00474D98
Part of subcall function 00474D58: WriteProcessMemory.KERNEL32(?,00000000,kernel32.dll,?,?,?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?), ref: 00474DBE

GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756B4
GetProcAddress.KERNEL32(00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756BA
GetModuleHandleA.KERNEL32(kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756CB
GetProcAddress.KERNEL32(00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756D1
GetModuleHandleA.KERNEL32(kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756E3
GetProcAddress.KERNEL32(00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 004756E9
GetModuleHandleA.KERNEL32(user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 004756FB
GetProcAddress.KERNEL32(00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 00475701
GetModuleHandleA.KERNEL32(kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 00475713
GetProcAddress.KERNEL32(00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000), ref: 00475719
GetModuleHandleA.KERNEL32(kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32), ref: 0047572B
GetProcAddress.KERNEL32(00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000), ref: 00475731
GetModuleHandleA.KERNEL32(kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32), ref: 00475743
GetProcAddress.KERNEL32(00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000), ref: 00475749
GetModuleHandleA.KERNEL32(kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32), ref: 0047575B
GetProcAddress.KERNEL32(00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000), ref: 00475761
GetModuleHandleA.KERNEL32(kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32), ref: 00475773
GetProcAddress.KERNEL32(00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000), ref: 00475779
GetModuleHandleA.KERNEL32(kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32), ref: 0047578B
GetProcAddress.KERNEL32(00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000), ref: 00475791
GetModuleHandleA.KERNEL32(kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32), ref: 004757A3
GetProcAddress.KERNEL32(00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000), ref: 004757A9
GetModuleHandleA.KERNEL32(kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32), ref: 004757BB
GetProcAddress.KERNEL32(00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000), ref: 004757C1
GetModuleHandleA.KERNEL32(kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32), ref: 004757D3
GetProcAddress.KERNEL32(00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000), ref: 004757D9
GetModuleHandleA.KERNEL32(kernel32,OpenProcess,00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32), ref: 004757EB
GetProcAddress.KERNEL32(00000000,kernel32,OpenProcess,00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000), ref: 004757F1

Part of subcall function 00474E20: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00474E5E
Part of subcall function 00474E20: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00474E6E
Part of subcall function 00474E20: ReadProcessMemory.KERNEL32(?,00000000,?,?,?,DCPERSFWBP,?,?), ref: 00474E81

Part of subcall function 0040F234: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0048F90F,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040F24B

Strings

ExitThread, xrefs: 00475622, 00475799
kernel32, xrefs: 004756AF, 004756C6, 004756DE, 0047570E, 00475726, 0047573E, 00475756, 0047576E, 00475786, 0047579E, 004757B6, 004757CE, 004757E6
GetProcAddress, xrefs: 004756C1
TerminateProcess, xrefs: 0047564C, 004757B1
notepad, xrefs: 00475543
CreateMutexA, xrefs: 00475604, 00475769
kernel32.dll, xrefs: 0047559B
user32.dll, xrefs: 004755AA
SetLastError, xrefs: 004755F5, 00475751
D, xrefs: 00475517
DCPERSFWBP, xrefs: 00475563
Sleep, xrefs: 004755B9, 004756D9
GetExitCodeProcess, xrefs: 0047565B, 00475781
user32, xrefs: 004756F6
WaitForSingleObject, xrefs: 0047567E, 004757C9
LoadLibraryA, xrefs: 004756AA
OpenProcess, xrefs: 00475631, 004757E1
MessageBoxA, xrefs: 004755C8, 004756F1
CreateProcessA, xrefs: 004755D7, 00475721
GetLastError, xrefs: 004755E6, 00475739
CloseHandle, xrefs: 00475613, 00475709

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00460DDC, Relevance: 75.4, APIs: 24, Strings: 19, Instructions: 132 Total matches: 77libraryloader

Similarity

Total matches: 77
API ID: GetProcAddress$LoadLibrary
String ID: EmptyWorkingSet$EnumDeviceDrivers$EnumProcessModules$EnumProcesses$GetDeviceDriverBaseNameA$GetDeviceDriverBaseNameW$GetDeviceDriverFileNameA$GetDeviceDriverFileNameW$GetMappedFileNameA$GetMappedFileNameW$GetModuleBaseNameA$GetModuleBaseNameW$GetModuleFileNameExA$GetModuleFileNameExW$GetModuleInformation$GetProcessMemoryInfo$InitializeProcessForWsWatch$[FILE]$QueryWorkingSet
API String ID: 2209490600-4166134900
Opcode ID: aaefed414f62a40513f9ac2234ba9091026a29d00b8defe743cdf411cc1f958a
Instruction ID: 585c55804eb58d57426aaf25b5bf4c27b161b10454f9e43d23d5139f544de849
Opcode Fuzzy Hash: CC1125BF55AD1149CBA48A6C34EF70324D3399A90D4228F10A492317397DDFE49A1FB5
Instruction Fuzzy Hash: 585c55804eb58d57426aaf25b5bf4c27b161b10454f9e43d23d5139f544de849

APIs

LoadLibraryA.KERNEL32(PSAPI.dll), ref: 00460DF0
GetProcAddress.KERNEL32(00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E0C
GetProcAddress.KERNEL32(00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E1E
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E30
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E42
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E54
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E66
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll), ref: 00460E78
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses), ref: 00460E8A
GetProcAddress.KERNEL32(00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules), ref: 00460E9C
GetProcAddress.KERNEL32(00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA), ref: 00460EAE
GetProcAddress.KERNEL32(00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA), ref: 00460EC0
GetProcAddress.KERNEL32(00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA), ref: 00460ED2
GetProcAddress.KERNEL32(00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA), ref: 00460EE4
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW), ref: 00460EF6
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW), ref: 00460F08
GetProcAddress.KERNEL32(00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation), ref: 00460F1A
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet), ref: 00460F2C
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet), ref: 00460F3E
GetProcAddress.KERNEL32(00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch), ref: 00460F50
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA), ref: 00460F62
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA), ref: 00460F74
GetProcAddress.KERNEL32(00000000,EnumDeviceDrivers,00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA), ref: 00460F86
GetProcAddress.KERNEL32(00000000,GetProcessMemoryInfo,00000000,EnumDeviceDrivers,00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA), ref: 00460F98

Strings

GetDeviceDriverFileNameA, xrefs: 00460F00, 00460F36
GetModuleInformation, xrefs: 00460E94
QueryWorkingSet, xrefs: 00460EB8
EnumProcessModules, xrefs: 00460E16
InitializeProcessForWsWatch, xrefs: 00460ECA
GetMappedFileNameA, xrefs: 00460EDC, 00460F12
GetDeviceDriverFileNameW, xrefs: 00460F6C
GetDeviceDriverBaseNameA, xrefs: 00460EEE, 00460F24
PSAPI.dll, xrefs: 00460DEB
EnumProcesses, xrefs: 00460E04
EnumDeviceDrivers, xrefs: 00460F7E
GetModuleBaseNameA, xrefs: 00460E28, 00460E4C
GetModuleFileNameExA, xrefs: 00460E3A, 00460E5E
GetDeviceDriverBaseNameW, xrefs: 00460F5A
EmptyWorkingSet, xrefs: 00460EA6
GetModuleFileNameExW, xrefs: 00460E82
GetModuleBaseNameW, xrefs: 00460E70
GetMappedFileNameW, xrefs: 00460F48
GetProcessMemoryInfo, xrefs: 00460F90

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474F80, Relevance: 68.4, APIs: 23, Strings: 16, Instructions: 193 Total matches: 16libraryloaderprocess

Similarity

Total matches: 16
API ID: GetModuleHandleGetProcAddress$CreateProcess
String ID: CloseHandle$D$DeleteFileA$ExitThread$GetExitCodeProcess$GetLastError$GetProcAddress$LoadLibraryA$MessageBoxA$OpenProcess$Sleep$TerminateProcess$kernel32$[FILE]$notepad$[FILE]
API String ID: 3751337051-1992750546
Opcode ID: f3e5bd14b9eca4547e1d82111e60eaf505a3b72a2acd12d9f4d60f775fac33f7
Instruction ID: 521cd1f5f1d68558a350981a4af58b67496248f6491df8a54ee4dd11dd84c66b
Opcode Fuzzy Hash: 6C21A7BE2678E349F6766E1834D567C2491BA46A38B4AEB010237376C44F91000BFF76
Instruction Fuzzy Hash: 521cd1f5f1d68558a350981a4af58b67496248f6491df8a54ee4dd11dd84c66b

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0047500B

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

Part of subcall function 00474D58: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?,00000000,00000000,00000000,?,004755A7), ref: 00474D98
Part of subcall function 00474D58: WriteProcessMemory.KERNEL32(?,00000000,kernel32.dll,?,?,?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?), ref: 00474DBE

GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000,00475246), ref: 0047511C
GetProcAddress.KERNEL32(00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000,00475246), ref: 00475122
GetModuleHandleA.KERNEL32(kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000), ref: 00475133
GetProcAddress.KERNEL32(00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 00475139
GetModuleHandleA.KERNEL32(kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000), ref: 0047514B
GetProcAddress.KERNEL32(00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000), ref: 00475151
GetModuleHandleA.KERNEL32(kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000), ref: 00475163
GetProcAddress.KERNEL32(00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000), ref: 00475169
GetModuleHandleA.KERNEL32(kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000), ref: 0047517B
GetProcAddress.KERNEL32(00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000), ref: 00475181
GetModuleHandleA.KERNEL32(kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32), ref: 00475193
GetProcAddress.KERNEL32(00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000), ref: 00475199
GetModuleHandleA.KERNEL32(kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32), ref: 004751AB
GetProcAddress.KERNEL32(00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000), ref: 004751B1
GetModuleHandleA.KERNEL32(kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32), ref: 004751C3
GetProcAddress.KERNEL32(00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000), ref: 004751C9
GetModuleHandleA.KERNEL32(kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32), ref: 004751DB
GetProcAddress.KERNEL32(00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000), ref: 004751E1
GetModuleHandleA.KERNEL32(kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32), ref: 004751F3
GetProcAddress.KERNEL32(00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000), ref: 004751F9
GetModuleHandleA.KERNEL32(kernel32,GetExitCodeProcess,00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32), ref: 0047520B
GetProcAddress.KERNEL32(00000000,kernel32,GetExitCodeProcess,00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000), ref: 00475211

Part of subcall function 00474E20: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00474E5E
Part of subcall function 00474E20: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00474E6E
Part of subcall function 00474E20: ReadProcessMemory.KERNEL32(?,00000000,?,?,?,DCPERSFWBP,?,?), ref: 00474E81

Part of subcall function 0040F234: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0048F90F,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040F24B

Strings

DeleteFileA, xrefs: 0047509B, 00475189
user32.dll, xrefs: 0047505F
LoadLibraryA, xrefs: 00475112
Sleep, xrefs: 0047506E, 00475141
notepad, xrefs: 00475025
OpenProcess, xrefs: 004750D7, 004751E9
kernel32.dll, xrefs: 00475050
GetProcAddress, xrefs: 00475129
ExitThread, xrefs: 0047508C, 00475171
TerminateProcess, xrefs: 004750B9, 004751B9
kernel32, xrefs: 00475117, 0047512E, 00475146, 0047515E, 00475176, 0047518E, 004751A6, 004751BE, 004751D6, 004751EE, 00475206
MessageBoxA, xrefs: 0047507D, 00475159
CloseHandle, xrefs: 004750C8, 004751D1
GetLastError, xrefs: 004750AA, 004751A1
GetExitCodeProcess, xrefs: 004750E6, 00475201
D, xrefs: 00474FC9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045D6E8, Relevance: 49.1, APIs: 15, Strings: 13, Instructions: 95 Total matches: 1532libraryloader

Similarity

Total matches: 1532
API ID: GetProcAddress$SetErrorMode$GetModuleHandleLoadLibrary
String ID: ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME$[FILE]
API String ID: 4285671783-683095915
Opcode ID: 6332f91712b4189a2fbf9eac54066364acf4b46419cf90587b9f7381acad85db
Instruction ID: 372e34bc737a7edc69a1909bd40661afaf820c1de602df88552da6e630419b72
Opcode Fuzzy Hash: 0A01257F24D863CBD2D0CE4934DB39D20B65787C0C8D6DF404605318697F9BF9295A68
Instruction Fuzzy Hash: 372e34bc737a7edc69a1909bd40661afaf820c1de602df88552da6e630419b72

APIs

SetErrorMode.KERNEL32(00008000), ref: 0045D701
GetModuleHandleA.KERNEL32(USER32,00000000,0045D84E,?,00008000), ref: 0045D725
GetProcAddress.KERNEL32(00000000,WINNLSEnableIME,USER32,00000000,0045D84E,?,00008000), ref: 0045D732
LoadLibraryA.KERNEL32(imm32.dll), ref: 0045D74E
GetProcAddress.KERNEL32(00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D770
GetProcAddress.KERNEL32(00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D785
GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D79A
GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7AF
GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7C4
GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E), ref: 0045D7D9
GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000), ref: 0045D7EE
GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext), ref: 0045D803
GetProcAddress.KERNEL32(00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext), ref: 0045D818
GetProcAddress.KERNEL32(00000000,ImmNotifyIME,00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus), ref: 0045D82D
SetErrorMode.KERNEL32(?,0045D855,00008000), ref: 0045D848

Strings

USER32, xrefs: 0045D720
ImmReleaseContext, xrefs: 0045D77A
ImmNotifyIME, xrefs: 0045D822
ImmIsIME, xrefs: 0045D80D
ImmGetConversionStatus, xrefs: 0045D78F
ImmSetCompositionFontA, xrefs: 0045D7E3
ImmGetCompositionStringA, xrefs: 0045D7F8
ImmSetCompositionWindow, xrefs: 0045D7CE
ImmGetContext, xrefs: 0045D765
imm32.dll, xrefs: 0045D749
ImmSetOpenStatus, xrefs: 0045D7B9
WINNLSEnableIME, xrefs: 0045D72C
ImmSetConversionStatus, xrefs: 0045D7A4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004104F0, Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141 Total matches: 3143

Similarity

Total matches: 3143
API ID: GetModuleHandle
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$[FILE]
API String ID: 2196120668-1102361026
Opcode ID: d04b3c176625d43589df9c4c1eaa1faa8af9b9c00307a8a09859a0e62e75f2dc
Instruction ID: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6
Opcode Fuzzy Hash: B8119E48E06A10BC356E3ED6B0292683F50A1A7CBF31D5388487AA46F067C083C0FF2D
Instruction Fuzzy Hash: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 004104F9

Part of subcall function 004104C4: GetProcAddress.KERNEL32(00000000), ref: 004104DD

Strings

VarMod, xrefs: 004105B7
VarBstrFromCy, xrefs: 004106A9
VarBstrFromBool, xrefs: 004106D5
VarAnd, xrefs: 004105CD
VarDateFromStr, xrefs: 00410667
oleaut32.dll, xrefs: 004104F4
VariantChangeTypeEx, xrefs: 00410507
VarCmp, xrefs: 0041060F
VarBstrFromDate, xrefs: 004106BF
VarBoolFromStr, xrefs: 00410693
VarR8FromStr, xrefs: 00410651
VarR4FromStr, xrefs: 0041063B
VarDiv, xrefs: 0041058B
VarSub, xrefs: 0041055F
VarNeg, xrefs: 0041051D
VarAdd, xrefs: 00410549
VarOr, xrefs: 004105E3
VarMul, xrefs: 00410575
VarI4FromStr, xrefs: 00410625
VarCyFromStr, xrefs: 0041067D
VarIdiv, xrefs: 004105A1
VarXor, xrefs: 004105F9
VarNot, xrefs: 00410533

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047EE3C, Relevance: 37.0, APIs: 10, Strings: 11, Instructions: 210 Total matches: 14file

Similarity

Total matches: 14
API ID: ShellExecute$CopyFile$DeleteFilePlaySoundSetFileAttributes
String ID: .dcp$BATCH$EDITSVR$GENCODE$HOSTS$SOUND$UPANDEXEC$UPDATE$UPLOADEXEC$drivers\etc\hosts$open
API String ID: 313780579-486951257
Opcode ID: 44d22e170a376e2c3ac9494fe8a96a526e5340482cd9b2ca1a65bf3f31ad22f8
Instruction ID: 609fd5320f3736894535b51981f95e3d4faf5b0f44a63c85dacee75dc97e5f91
Opcode Fuzzy Hash: 482159C03AA5D247E11B38503C02FC671E1AB8B365C4E774182B9B32D6EF825029EF59
Instruction Fuzzy Hash: 609fd5320f3736894535b51981f95e3d4faf5b0f44a63c85dacee75dc97e5f91

APIs

ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EEA0
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF11
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EF31
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF60

Part of subcall function 00475BD8: closesocket.WSOCK32(00000248,00000000,00475D47,?,00000000,00475D76,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00475D2E
Part of subcall function 00475BD8: GetCurrentProcessId.KERNEL32(00000248,00000000,00475D47,?,00000000,00475D76,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00475D33

ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0047EF96
CopyFileA.KERNEL32(00000000,00000000,.dcp), ref: 0047F0D1

Part of subcall function 00489C78: GetSystemDirectoryA.KERNEL32(00000000,?), ref: 00489CB4

SetFileAttributesA.KERNEL32(00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFD6
DeleteFileA.KERNEL32(00000000,00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFFF
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0047F033
PlaySoundA.WINMM(00000000,00000000,00000001,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047F059

Strings

UPANDEXEC, xrefs: 0047EF74
UPLOADEXEC, xrefs: 0047EE7E
BATCH, xrefs: 0047EEC3
drivers\etc\hosts, xrefs: 0047EFC3, 0047EFE6, 0047F017
GENCODE, xrefs: 0047F0A0
UPDATE, xrefs: 0047EF3E
open, xrefs: 0047EE99, 0047EF0A, 0047EF2A, 0047EF59, 0047EF8F
HOSTS, xrefs: 0047EFA3
.dcp, xrefs: 0047F0AD
SOUND, xrefs: 0047F040
EDITSVR, xrefs: 0047F063

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00489580, Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 221 Total matches: 17pipewindowsleep

Similarity

Total matches: 17
API ID: CloseHandleCreatePipePeekNamedPipe$CreateProcessDispatchMessageGetEnvironmentVariableGetExitCodeProcessOemToCharPeekMessageReadFileSleepTerminateProcessTranslateMessage
String ID: COMSPEC$D
API String ID: 4101216710-942777791
Opcode ID: 98b6063c36b7c4f9ee270a2712a57a54142ac9cf893dea9da1c9317ddc3726ed
Instruction ID: f750be379b028122e82cf807415e9f3aafae13f02fb218c552ebf65ada2f023f
Opcode Fuzzy Hash: 6221AE4207BD57A3E5972A046403B841372FF43A68F6CA7A2A6FD367E9CE400099FE14
Instruction Fuzzy Hash: f750be379b028122e82cf807415e9f3aafae13f02fb218c552ebf65ada2f023f

APIs

CreatePipe.KERNEL32(FFFFFFFF,?,00000000,00000000), ref: 004895ED
CreatePipe.KERNEL32(?,?,00000000,00000000,FFFFFFFF,?,00000000,00000000), ref: 004895FD
GetEnvironmentVariableA.KERNEL32(COMSPEC,?,00000104,?,?,00000000,00000000,FFFFFFFF,?,00000000,00000000), ref: 00489613
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?), ref: 00489668
Sleep.KERNEL32(000007D0,00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,COMSPEC,?,00000104,?,?), ref: 00489685
TranslateMessage.USER32(?), ref: 00489693
DispatchMessageA.USER32(?), ref: 0048969F
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004896B3
GetExitCodeProcess.KERNEL32(?,?), ref: 004896C8
PeekNamedPipe.KERNEL32(FFFFFFFF,00000000,00000000,00000000,?,00000000,?,?,?,00000000,00000000,00000000,00000001,?,?,?), ref: 004896F2
ReadFile.KERNEL32(FFFFFFFF,?,00002400,00000000,00000000), ref: 00489717
OemToCharA.USER32(?,?), ref: 0048972E
PeekNamedPipe.KERNEL32(FFFFFFFF,00000000,00000000,00000000,00000000,00000000,?,FFFFFFFF,?,00002400,00000000,00000000,FFFFFFFF,00000000,00000000,00000000), ref: 00489781

Part of subcall function 0041FA34: GetLastError.KERNEL32(00486514,00000004,0048650C,00000000,0041FADE,?,00499F5C), ref: 0041FA94

Part of subcall function 0041FC40: SetThreadPriority.KERNEL32(?,015CDB28,00499F5C,?,0047EC9E,?,?,?,00000000,00000000,?,0049062B), ref: 0041FC55

Part of subcall function 0041FEF0: ResumeThread.KERNEL32(?,00499F5C,?,0047ECAA,?,?,?,00000000,00000000,?,0049062B), ref: 0041FEF8

Part of subcall function 0041FF20: GetCurrentThreadId.KERNEL32 ref: 0041FF2E
Part of subcall function 0041FF20: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0041FF5A
Part of subcall function 0041FF20: MsgWaitForMultipleObjects.USER32(00000002,?,00000000,000003E8,00000040), ref: 0041FF6F
Part of subcall function 0041FF20: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041FF9C
Part of subcall function 0041FF20: GetExitCodeThread.KERNEL32(?,?,?,000000FF), ref: 0041FFA7

TerminateProcess.KERNEL32(?,00000000,00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,COMSPEC,?,00000104,?), ref: 0048980A
CloseHandle.KERNEL32(?), ref: 00489813
CloseHandle.KERNEL32(?), ref: 0048981C

Strings

D, xrefs: 00489627
COMSPEC, xrefs: 0048960E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004291D0, Relevance: 31.7, APIs: 21, Instructions: 194 Total matches: 3060window

Similarity

Total matches: 3060
API ID: SelectObject$CreateCompatibleDCDeleteDCRealizePaletteSelectPaletteSetBkColor$BitBltCreateBitmapDeleteObjectGetDCGetObjectPatBltReleaseDC
String ID:
API String ID: 628774946-0
Opcode ID: fe3971f2977393a3c43567018b8bbe78de127415e632ac21538e816cc0dd5250
Instruction ID: 6115c1c3159ef7867d394253bd6a45f4e10092e6f2e7cc69ab30c5ac2c74a228
Opcode Fuzzy Hash: 2911294A05CCF32B64B579881983B261182FE43B52CABF7105979272CACF41740DE457
Instruction Fuzzy Hash: 6115c1c3159ef7867d394253bd6a45f4e10092e6f2e7cc69ab30c5ac2c74a228

APIs

GetObjectA.GDI32(?,00000054,?), ref: 004291F3
GetDC.USER32(00000000), ref: 00429221
CreateCompatibleDC.GDI32(?), ref: 00429232
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0042924D
SelectObject.GDI32(?,00000000), ref: 00429267
PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 00429289
CreateCompatibleDC.GDI32(?), ref: 00429297
DeleteDC.GDI32(?), ref: 0042937D

Part of subcall function 00428B08: GetObjectA.GDI32(00000000,00000054,?), ref: 00428B88
Part of subcall function 00428B08: GetDC.USER32(00000000), ref: 00428B99
Part of subcall function 00428B08: CreateCompatibleDC.GDI32(00000000), ref: 00428BAA
Part of subcall function 00428B08: CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 00428BF6
Part of subcall function 00428B08: CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 00428C1A
Part of subcall function 00428B08: GetDeviceCaps.GDI32(00000028,0000000C), ref: 00428C6A
Part of subcall function 00428B08: GetDeviceCaps.GDI32(00000028,0000000E), ref: 00428C77
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00428D21
Part of subcall function 00428B08: GetDIBColorTable.GDI32(?,00000000,00000100,-00000027), ref: 00428D47
Part of subcall function 00428B08: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428D72
Part of subcall function 00428B08: SelectObject.GDI32(?,?), ref: 00428D7F
Part of subcall function 00428B08: CreateDIBSection.GDI32(00000028,00000001,00000000,00000003,00000000,00000000), ref: 00428DD5
Part of subcall function 00428B08: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428E36
Part of subcall function 00428B08: SelectObject.GDI32(?,?), ref: 00428E77
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,00000000), ref: 00428EB7
Part of subcall function 00428B08: RealizePalette.GDI32(?), ref: 00428EC3
Part of subcall function 00428B08: FillRect.USER32(?,?,00000000), ref: 00428F14
Part of subcall function 00428B08: SetTextColor.GDI32(?,00000000), ref: 00428F2C
Part of subcall function 00428B08: SetBkColor.GDI32(?,00000000), ref: 00428F46
Part of subcall function 00428B08: SetDIBColorTable.GDI32(?,00000000,00000002,?), ref: 00428F8E
Part of subcall function 00428B08: PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 00428FB0
Part of subcall function 00428B08: CreateCompatibleDC.GDI32(00000028), ref: 00428FC3
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00428FE6
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,00000000), ref: 00429002
Part of subcall function 00428B08: RealizePalette.GDI32(?), ref: 0042900D
Part of subcall function 00428B08: SetTextColor.GDI32(?,00000000), ref: 0042902B
Part of subcall function 00428B08: SetBkColor.GDI32(?,00000000), ref: 00429045
Part of subcall function 00428B08: BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042906D
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,000000FF), ref: 0042907F
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00429089
Part of subcall function 00428B08: DeleteDC.GDI32(?), ref: 004290A4
Part of subcall function 00428B08: SelectPalette.GDI32(?,?,000000FF), ref: 004290CE

SelectObject.GDI32(?), ref: 004292DF
SelectPalette.GDI32(?,?,00000000), ref: 004292F2
RealizePalette.GDI32(?), ref: 004292FB
SelectPalette.GDI32(?,?,00000000), ref: 00429307
RealizePalette.GDI32(?), ref: 00429310
SetBkColor.GDI32(?), ref: 0042931A
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042933E
SetBkColor.GDI32(?,00000000), ref: 00429348
SelectObject.GDI32(?,00000000), ref: 0042935B
DeleteObject.GDI32 ref: 00429367
SelectObject.GDI32(?,00000000), ref: 00429398
DeleteDC.GDI32(00000000), ref: 004293B4
ReleaseDC.USER32(00000000,00000000), ref: 004293C5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004031FC, Relevance: 27.1, APIs: 9, Strings: 9, Instructions: 110 Total matches: 169

Similarity

Total matches: 169
API ID: CharNext
String ID: $ $ $"$"$"$"$"$"
API String ID: 3213498283-3597982963
Opcode ID: a78e52ca640c3a7d11d18e4cac849d6c7481ab065be4a6ef34a7c34927dd7892
Instruction ID: 5d6dbb870b020a65ba4fa9e31a5dda400ef744f15fc7bff5e21739e263984da5
Opcode Fuzzy Hash: D0F054139ED4432360976B416872B44E2D0DF9564D2C01F185B62BE2F31E696D62F9DC
Instruction Fuzzy Hash: 5d6dbb870b020a65ba4fa9e31a5dda400ef744f15fc7bff5e21739e263984da5

APIs

CharNextA.USER32(00000000), ref: 00403208
CharNextA.USER32(00000000), ref: 00403236
CharNextA.USER32(00000000), ref: 00403240
CharNextA.USER32(00000000), ref: 0040325F
CharNextA.USER32(00000000), ref: 00403269
CharNextA.USER32(00000000), ref: 00403295
CharNextA.USER32(00000000), ref: 0040329F
CharNextA.USER32(00000000), ref: 004032C7
CharNextA.USER32(00000000), ref: 004032D1

Strings

", xrefs: 00403230
, xrefs: 004032E9
", xrefs: 0040328F
", xrefs: 0040321E
, xrefs: 00403214
", xrefs: 00403254
, xrefs: 00403278
", xrefs: 00403219
", xrefs: 004032BC

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00472E88, Relevance: 26.4, APIs: 6, Strings: 9, Instructions: 199 Total matches: 19network

Similarity

Total matches: 19
API ID: inet_ntoa$WSAIoctlclosesocketsocket
String ID: Broadcast adress : $ Broadcasts : NO$ Broadcasts : YES$ IP : $ IP Mask : $ Loopback interface$ Network interface$ Status : DOWN$ Status : UP
API String ID: 2271367613-1810517698
Opcode ID: 3d4dbe25dc82bdd7fd028c6f91bddee7ad6dc1d8a686e5486e056cbc58026438
Instruction ID: 018b2a24353d4e3a07e7e79b390110fecb7011e72bd4e8fb6250bb24c4a02172
Opcode Fuzzy Hash: E22138C22338E1B2D42A39C6B500F80B651671FB7EF481F9652B6FFDC26E488005A749
Instruction Fuzzy Hash: 018b2a24353d4e3a07e7e79b390110fecb7011e72bd4e8fb6250bb24c4a02172

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00473108), ref: 00472EC7
WSAIoctl.WS2_32(000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000), ref: 00472F08
inet_ntoa.WSOCK32(?,00000000,004730D5,?,00000002,00000001,00000000,00000000,00473108), ref: 00472F40
inet_ntoa.WSOCK32(?,00473130,?, IP : ,?,?,00000000,004730D5,?,00000002,00000001,00000000,00000000,00473108), ref: 00472F81
inet_ntoa.WSOCK32(?,00473130,?, IP Mask : ,?,?,00473130,?, IP : ,?,?,00000000,004730D5,?,00000002,00000001), ref: 00472FC2
closesocket.WSOCK32(000000FF,00000002,00000001,00000000,00000000,00473108), ref: 004730E3

Strings

Broadcast adress : , xrefs: 00472FCB
Status : UP, xrefs: 00473001
IP Mask : , xrefs: 00472F8A
Broadcasts : NO, xrefs: 00473057
Status : DOWN, xrefs: 0047301B
IP : , xrefs: 00472F49
Broadcasts : YES, xrefs: 0047303D
Network interface, xrefs: 00473091
Loopback interface, xrefs: 00473077

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045944C, Relevance: 25.8, APIs: 17, Instructions: 258 Total matches: 99

Similarity

Total matches: 99
API ID: OffsetRect$MapWindowPoints$DrawEdgeExcludeClipRectFillRectGetClientRectGetRgnBoxGetWindowDCGetWindowLongGetWindowRectInflateRectIntersectClipRectIntersectRectReleaseDC
String ID:
API String ID: 549690890-0
Opcode ID: 4a5933c45267f4417683cc1ac528043082b1f46eca0dcd21c58a50742ec4aa88
Instruction ID: 2ecbe6093ff51080a4fa1a6c7503b414327ded251fe39163baabcde2d7402924
Opcode Fuzzy Hash: DE316B4D01AF1663F073A6401983F7A1516FF43A89CD837F27EE63235E27662066AA03
Instruction Fuzzy Hash: 2ecbe6093ff51080a4fa1a6c7503b414327ded251fe39163baabcde2d7402924

APIs

GetWindowDC.USER32(00000000), ref: 00459480
GetClientRect.USER32(00000000,?), ref: 004594A3
GetWindowRect.USER32(00000000,?), ref: 004594B5
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 004594CB
OffsetRect.USER32(?,?,?), ref: 004594E0
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 004594F9
InflateRect.USER32(?,00000000,00000000), ref: 00459517
GetWindowLongA.USER32(00000000,000000F0), ref: 00459531
DrawEdge.USER32(?,?,?,00000008), ref: 00459630
IntersectClipRect.GDI32(?,?,?,?,?), ref: 00459649
OffsetRect.USER32(?,?,?), ref: 00459673
GetRgnBox.GDI32(?,?), ref: 00459682
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 00459698
IntersectRect.USER32(?,?,?), ref: 004596A9
OffsetRect.USER32(?,?,?), ref: 004596BE

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?,00000000), ref: 004596DA
ReleaseDC.USER32(00000000,?), ref: 004596F9

Part of subcall function 004328FC: GetWindowLongA.USER32(00000000,000000EC), ref: 00432917
Part of subcall function 004328FC: GetWindowRect.USER32(00000000,?), ref: 00432932
Part of subcall function 004328FC: OffsetRect.USER32(?,?,?), ref: 00432947
Part of subcall function 004328FC: GetWindowDC.USER32(00000000), ref: 00432955
Part of subcall function 004328FC: GetWindowLongA.USER32(00000000,000000F0), ref: 00432986
Part of subcall function 004328FC: GetSystemMetrics.USER32(00000002), ref: 0043299B
Part of subcall function 004328FC: GetSystemMetrics.USER32(00000003), ref: 004329A4
Part of subcall function 004328FC: InflateRect.USER32(?,000000FE,000000FE), ref: 004329B3
Part of subcall function 004328FC: GetSysColorBrush.USER32(0000000F), ref: 004329E0
Part of subcall function 004328FC: FillRect.USER32(?,?,00000000), ref: 004329EE
Part of subcall function 004328FC: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00432A13
Part of subcall function 004328FC: ReleaseDC.USER32(00000000,?), ref: 00432A51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00465A0C, Relevance: 21.2, APIs: 6, Strings: 8, Instructions: 232 Total matches: 70memory

Similarity

Total matches: 70
API ID: VirtualAlloc$GetProcessHeapHeapAlloc
String ID: BTMemoryLoadLibary: BuildImportTable failed$BTMemoryLoadLibary: Can't attach library$BTMemoryLoadLibary: Get DLLEntyPoint failed$BTMemoryLoadLibary: IMAGE_NT_SIGNATURE is not valid$BTMemoryLoadLibary: VirtualAlloc failed$BTMemoryLoadLibary: dll dos header is not valid$MZ$PE
API String ID: 2488116186-3631919656
Opcode ID: 3af931fd5e956d794d4d8b2d9451c0c23910b02d2e1f96ee73557f06256af9ed
Instruction ID: 5201b0f892773e34eb121d15694a5594f27085db04a31d88d5a3aa16cfd2fb7b
Opcode Fuzzy Hash: C92170831B68E1B7FD6411983983F62168EE747E64EC5A7700375391DB6B09408DEB4E
Instruction Fuzzy Hash: 5201b0f892773e34eb121d15694a5594f27085db04a31d88d5a3aa16cfd2fb7b

APIs

VirtualAlloc.KERNEL32(?,?,00002000,00000004), ref: 00465AC1
VirtualAlloc.KERNEL32(00000000,?,00002000,00000004,?,?,00002000,00000004), ref: 00465ADC
GetProcessHeap.KERNEL32(00000000,00000011,?,?,00002000,00000004), ref: 00465B07
HeapAlloc.KERNEL32(00000000,00000000,00000011,?,?,00002000,00000004), ref: 00465B0D
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,00000000,00000000,00000011,?,?,00002000,00000004), ref: 00465B41
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,00000000,?,00001000,00000004,00000000,00000000,00000011,?,?,00002000,00000004), ref: 00465B55

Part of subcall function 004653A8: VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00465410
Part of subcall function 004653A8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004), ref: 0046545B

Part of subcall function 00465598: LoadLibraryA.KERNEL32(00000000), ref: 00465607
Part of subcall function 00465598: GetProcAddress.KERNEL32(?,?), ref: 00465737
Part of subcall function 00465598: GetProcAddress.KERNEL32(?,?), ref: 0046576B
Part of subcall function 00465598: IsBadReadPtr.KERNEL32(?,00000014,00000000,004657D8), ref: 004657A9

Part of subcall function 004658F4: VirtualFree.KERNEL32(?,?,00004000), ref: 00465939
Part of subcall function 004658F4: VirtualProtect.KERNEL32(?,?,00000000,?), ref: 004659A5

Part of subcall function 00466038: FreeLibrary.KERNEL32(00000000,?,?,00000000,?,00000000,00465C6C), ref: 004660A7
Part of subcall function 00466038: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,?,00000000,00465C6C), ref: 004660D8
Part of subcall function 00466038: GetProcessHeap.KERNEL32(00000000,?,?,?,00000000,?,00000000,00465C6C), ref: 004660E0
Part of subcall function 00466038: HeapFree.KERNEL32(00000000,00000000,?), ref: 004660E6

Strings

BTMemoryLoadLibary: BuildImportTable failed, xrefs: 00465BD5
BTMemoryLoadLibary: Can't attach library, xrefs: 00465C5A
BTMemoryLoadLibary: IMAGE_NT_SIGNATURE is not valid, xrefs: 00465A95
BTMemoryLoadLibary: VirtualAlloc failed, xrefs: 00465AEC
PE, xrefs: 00465A84
BTMemoryLoadLibary: dll dos header is not valid, xrefs: 00465A4E
MZ, xrefs: 00465A41
BTMemoryLoadLibary: Get DLLEntyPoint failed, xrefs: 00465C28

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004296E0, Relevance: 21.2, APIs: 14, Instructions: 217 Total matches: 2962window

Similarity

Total matches: 2962
API ID: GetDeviceCapsSelectObjectSelectPaletteSetStretchBltMode$CreateCompatibleDCDeleteDCGetBrushOrgExRealizePaletteSetBrushOrgExStretchBlt
String ID:
API String ID: 3308931694-0
Opcode ID: c4f23efe5e20e7f72d9787206ae9d4d4484ef6a1768b369050ebc0ce3d21af64
Instruction ID: 6e80a75276815f297b150d1899ec2451361d21afa1efcd092d0d7bc48a04164e
Opcode Fuzzy Hash: 2C21980A409CEB6BF0BB78840183F4A2285BF9B34ACD1BB210E64673635F04E40BD65F
Instruction Fuzzy Hash: 6e80a75276815f297b150d1899ec2451361d21afa1efcd092d0d7bc48a04164e

APIs

Part of subcall function 00429D5C: GetDC.USER32(00000000), ref: 00429DB2
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429DC7
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00429DD1
Part of subcall function 00429D5C: CreateHalftonePalette.GDI32(00000000), ref: 00429DF5
Part of subcall function 00429D5C: ReleaseDC.USER32(00000000,00000000), ref: 00429E00

SelectPalette.GDI32(?,?,000000FF), ref: 00429723
RealizePalette.GDI32(?), ref: 00429732
GetDeviceCaps.GDI32(?,0000000C), ref: 00429744
GetDeviceCaps.GDI32(?,0000000E), ref: 00429753
GetBrushOrgEx.GDI32(?,?), ref: 00429786
SetStretchBltMode.GDI32(?,00000004), ref: 00429794
SetBrushOrgEx.GDI32(?,?,?,?), ref: 004297AC
SetStretchBltMode.GDI32(00000000,00000003), ref: 004297C9
SelectPalette.GDI32(?,?,000000FF), ref: 00429918

Part of subcall function 00429CFC: DeleteObject.GDI32(?), ref: 00429D1F

CreateCompatibleDC.GDI32(00000000), ref: 0042982A
SelectObject.GDI32(?,?), ref: 0042983F

Part of subcall function 00425CC8: CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 00425D0B
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425D20
Part of subcall function 00425CC8: MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,CCAA0029), ref: 00425D64
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425D7E
Part of subcall function 00425CC8: DeleteObject.GDI32(?), ref: 00425D8A
Part of subcall function 00425CC8: CreateCompatibleDC.GDI32(00000000), ref: 00425D9E
Part of subcall function 00425CC8: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00425DBF
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425DD4
Part of subcall function 00425CC8: SelectPalette.GDI32(?,48080787,00000000), ref: 00425DE8
Part of subcall function 00425CC8: SelectPalette.GDI32(?,?,00000000), ref: 00425DFA
Part of subcall function 00425CC8: SelectPalette.GDI32(?,00000000,000000FF), ref: 00425E0F
Part of subcall function 00425CC8: SelectPalette.GDI32(?,48080787,000000FF), ref: 00425E25
Part of subcall function 00425CC8: RealizePalette.GDI32(?), ref: 00425E31
Part of subcall function 00425CC8: StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 00425E53
Part of subcall function 00425CC8: StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 00425E75
Part of subcall function 00425CC8: SetTextColor.GDI32(?,00000000), ref: 00425E7D
Part of subcall function 00425CC8: SetBkColor.GDI32(?,00FFFFFF), ref: 00425E8B
Part of subcall function 00425CC8: StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 00425EB7
Part of subcall function 00425CC8: StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 00425EDC
Part of subcall function 00425CC8: SetTextColor.GDI32(?,?), ref: 00425EE6
Part of subcall function 00425CC8: SetBkColor.GDI32(?,?), ref: 00425EF0
Part of subcall function 00425CC8: SelectObject.GDI32(?,00000000), ref: 00425F03
Part of subcall function 00425CC8: DeleteObject.GDI32(?), ref: 00425F0C
Part of subcall function 00425CC8: SelectPalette.GDI32(?,00000000,00000000), ref: 00425F2E
Part of subcall function 00425CC8: DeleteDC.GDI32(?), ref: 00425F37

SelectObject.GDI32(?,00000000), ref: 0042989E
DeleteDC.GDI32(00000000), ref: 004298AD
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,?), ref: 004298F3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474208, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 49 Total matches: 17libraryloader

Similarity

Total matches: 17
API ID: GetProcAddress$LoadLibrary
String ID: WlanCloseHandle$WlanEnumInterfaces$WlanGetAvailableNetworkList$WlanOpenHandle$WlanQueryInterface$[FILE]
API String ID: 2209490600-3498334979
Opcode ID: 5146edb54a207047eae4574c9a27975307ac735bfb4468aea4e07443cdf6e803
Instruction ID: f89292433987c39bc7d9e273a1951c9a278ebb56a2de24d0a3e4590a01f53334
Opcode Fuzzy Hash: 50E0B6FD90BAA808D37089CC31962431D6E7BE332DA621E00086A230902B4FF2766935
Instruction Fuzzy Hash: f89292433987c39bc7d9e273a1951c9a278ebb56a2de24d0a3e4590a01f53334

APIs

LoadLibraryA.KERNEL32(wlanapi.dll), ref: 00474216
GetProcAddress.KERNEL32(00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 0047422E
GetProcAddress.KERNEL32(00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 00474249
GetProcAddress.KERNEL32(00000000,WlanEnumInterfaces,00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 00474264
GetProcAddress.KERNEL32(00000000,WlanQueryInterface,00000000,WlanEnumInterfaces,00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 0047427F
GetProcAddress.KERNEL32(00000000,WlanGetAvailableNetworkList,00000000,WlanQueryInterface,00000000,WlanEnumInterfaces,00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 0047429A

Strings

WlanOpenHandle, xrefs: 00474226
wlanapi.dll, xrefs: 00474211
WlanGetAvailableNetworkList, xrefs: 00474292
WlanQueryInterface, xrefs: 00474277
WlanEnumInterfaces, xrefs: 0047425C
WlanCloseHandle, xrefs: 00474241

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048D3C4, Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 132 Total matches: 32

Similarity

Total matches: 32
API ID: GetVersionEx
String ID: Unknow$Windows 2000$Windows 7$Windows 95$Windows 98$Windows Me$Windows NT 4.0$Windows Server 2003$Windows Vista$Windows XP
API String ID: 3908303307-3783844371
Opcode ID: 7b5a5832e5fd12129a8a2e2906a492b9449b8df28a17af9cc2e55bced20de565
Instruction ID: b844ed6b70e0e94de659292c354b68b9ed016400ab421bcb6baea74a0809c2ae
Opcode Fuzzy Hash: 0C11ACC1EB6CE422E7B219486410BD59E805F8B83AFCCC343D63EA83E46D491419F22D
Instruction Fuzzy Hash: b844ed6b70e0e94de659292c354b68b9ed016400ab421bcb6baea74a0809c2ae

APIs

GetVersionExA.KERNEL32(00000094), ref: 0048D410

Strings

Windows Me, xrefs: 0048D4F2
Windows NT 4.0, xrefs: 0048D441
Windows 2000, xrefs: 0048D467
Windows 95, xrefs: 0048D4D6
Windows 7, xrefs: 0048D4B1
Unknow, xrefs: 0048D3F5
Windows Vista, xrefs: 0048D4A3
Windows Server 2003, xrefs: 0048D486
Windows XP, xrefs: 0048D478
Windows 98, xrefs: 0048D4E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C494, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 102 Total matches: 27filememorythread

Similarity

Total matches: 27
API ID: CloseHandle$CreateFileCreateThreadFindResourceLoadResourceLocalAllocLockResourceSizeofResourceWriteFile
String ID: [FILE]
API String ID: 67866216-124780900
Opcode ID: 96c988e38e59b89ff17cc2eaece477f828ad8744e4a6eccd5192cfbc043553d8
Instruction ID: 630cc112895e8414539e3ba5b7ba0394fd4404f3832c6fa9d37db38bf09270f9
Opcode Fuzzy Hash: D5F02B8A57A5E6A3F0003C841D423D286D55B13B20E582B62C57CB75C1FE24502AFB03
Instruction Fuzzy Hash: 630cc112895e8414539e3ba5b7ba0394fd4404f3832c6fa9d37db38bf09270f9

APIs

FindResourceA.KERNEL32(00000000,?,?), ref: 0048C4C3

Part of subcall function 00489BB0: GetTempPathA.KERNEL32(?,00000000), ref: 00489BEC

CreateFileA.KERNEL32(00000000,.dll,?,?,40000000,00000002,00000000), ref: 0048C50F
SizeofResource.KERNEL32(00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC,?,?,?,?,00000000,00000000,00000000), ref: 0048C51F
LoadResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C528
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C52E
WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0048C535
CloseHandle.KERNEL32(00000000), ref: 0048C53B
LocalAlloc.KERNEL32(00000040,00000004,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C544
CreateThread.KERNEL32(00000000,00000000,0048C3E4,00000000,00000000,?), ref: 0048C586
CloseHandle.KERNEL32(00000000), ref: 0048C58C

Strings

.dll, xrefs: 0048C4F4, 0048C565

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004085D4, Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 61 Total matches: 268windowregistry

Similarity

Total matches: 268
API ID: RegisterWindowMessage$SendMessage$FindWindow
String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
API String ID: 773075572-3736581797
Opcode ID: b8d29d158da692a3f30c7c46c0fd30bc084ed528be5294db655e4684b6c0c80f
Instruction ID: 4e75a9db2a85290b2bd165713cc3b8ab264a87c6022b985514cebb886d0c2653
Opcode Fuzzy Hash: E3E086048EC5E4C040877D156905746525A5B47E33E88971245FC69EEBDF12706CF60B
Instruction Fuzzy Hash: 4e75a9db2a85290b2bd165713cc3b8ab264a87c6022b985514cebb886d0c2653

APIs

FindWindowA.USER32(MouseZ,Magellan MSWHEEL), ref: 004085EC
RegisterWindowMessageA.USER32(MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 004085F8
RegisterWindowMessageA.USER32(MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 00408607
RegisterWindowMessageA.USER32(MSH_SCROLL_LINES_MSG,MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 00408613
SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 0040862B
SendMessageA.USER32(00000000,?,00000000,00000000), ref: 0040864F

Strings

MSH_SCROLL_LINES_MSG, xrefs: 0040860E
MSH_WHEELSUPPORT_MSG, xrefs: 00408602
MouseZ, xrefs: 004085E7
Magellan MSWHEEL, xrefs: 004085E2
MSWHEEL_ROLLMSG, xrefs: 004085F3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00442280, Relevance: 18.5, APIs: 12, Instructions: 471 Total matches: 76window

Similarity

Total matches: 76
API ID: ShowWindow$SendMessageSetWindowPos$CallWindowProcGetActiveWindowSetActiveWindow
String ID:
API String ID: 1078102291-0
Opcode ID: 5a6bc4dc446307c7628f18d730adac2faaaadfe5fec0ff2c8aaad915570e293a
Instruction ID: d2d7a330045c082ee8847ac264425c59ea8f05af409e416109ccbd6a8a647aa5
Opcode Fuzzy Hash: AA512601698E2453F8A360442A87BAB6077F74EB54CC4AB744BCF530AB3A51D837E74B
Instruction Fuzzy Hash: d2d7a330045c082ee8847ac264425c59ea8f05af409e416109ccbd6a8a647aa5

APIs

Part of subcall function 004471C4: IsChild.USER32(00000000,00000000), ref: 00447222

SendMessageA.USER32(?,00000223,00000000,00000000), ref: 004426BE
ShowWindow.USER32(00000000,00000003), ref: 004426CE
ShowWindow.USER32(00000000,00000002), ref: 004426F0
CallWindowProcA.USER32(00407FF8,00000000,00000005,00000000,?), ref: 00442719
SendMessageA.USER32(?,00000234,00000000,00000000), ref: 0044273E
ShowWindow.USER32(00000000,?), ref: 00442763
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000097), ref: 004427FF
GetActiveWindow.USER32 ref: 00442815
ShowWindow.USER32(00000000,00000000), ref: 00442872

Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773

Part of subcall function 0043BA80: GetCurrentThreadId.KERNEL32(Function_0003BA1C,00000000,0044283C,00000000,004428BF), ref: 0043BA9A
Part of subcall function 0043BA80: EnumThreadWindows.USER32(00000000,Function_0003BA1C,00000000), ref: 0043BAA0

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000097), ref: 0044285A
SetActiveWindow.USER32(00000000), ref: 00442860
ShowWindow.USER32(00000000,00000001), ref: 004428A2

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004328FC, Relevance: 18.1, APIs: 12, Instructions: 142 Total matches: 2670

Similarity

Total matches: 2670
API ID: GetSystemMetricsGetWindowLong$ExcludeClipRectFillRectGetSysColorBrushGetWindowDCGetWindowRectInflateRectOffsetRectReleaseDC
String ID:
API String ID: 3932036319-0
Opcode ID: 76064c448b287af48dc2af56ceef959adfeb7e49e56a31cb381aae6292753b0b
Instruction ID: f04c829c48dd0ecc4740a09c532db4e7ffce190e9eba6ce852bb2d0274806371
Opcode Fuzzy Hash: 03019760024F1233E0B31AC05DC7F127621ED45386CA4BBF28BF6A72C962AA7006F467
Instruction Fuzzy Hash: f04c829c48dd0ecc4740a09c532db4e7ffce190e9eba6ce852bb2d0274806371

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 00432917
GetWindowRect.USER32(00000000,?), ref: 00432932
OffsetRect.USER32(?,?,?), ref: 00432947
GetWindowDC.USER32(00000000), ref: 00432955
GetWindowLongA.USER32(00000000,000000F0), ref: 00432986
GetSystemMetrics.USER32(00000002), ref: 0043299B
GetSystemMetrics.USER32(00000003), ref: 004329A4
InflateRect.USER32(?,000000FE,000000FE), ref: 004329B3
GetSysColorBrush.USER32(0000000F), ref: 004329E0
FillRect.USER32(?,?,00000000), ref: 004329EE
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00432A13
ReleaseDC.USER32(00000000,?), ref: 00432A51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00402820, Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 254 Total matches: 200window

Similarity

Total matches: 200
API ID: MessageBox
String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
API String ID: 1250089747-1256731999
Opcode ID: 490897b8e9acac750f9d51d50a768472c0795dbdc6439b18441db86d626ce938
Instruction ID: 76dfa530adb1b8c2cc13e2667be7c25ba156ed0594aa9714788bfb3d1a0eda85
Opcode Fuzzy Hash: 0731F44BA7DDC3A2D3E91303684575550E2A7C5537C888F609772317F6EE04250BAAAD
Instruction Fuzzy Hash: 76dfa530adb1b8c2cc13e2667be7c25ba156ed0594aa9714788bfb3d1a0eda85

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 00402BBE

Strings

An unexpected memory leak has occurred. , xrefs: 00402980
String, xrefs: 00402A91
, xrefs: 00402B04
Unknown, xrefs: 00402A7C
The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402B39
The unexpected small block leaks are:, xrefs: 004029F7
Unexpected Memory Leak, xrefs: 00402BB0
7, xrefs: 00402991
bytes: , xrefs: 00402A4D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F17C, Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 116 Total matches: 33window

Similarity

Total matches: 33
API ID: GetWindowPlacementGetWindowTextIsWindowVisible
String ID: ,$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive$True
API String ID: 41250382-511446200
Opcode ID: 2a93bd2407602c988be198f02ecb64933adb9ffad78aee0f75abc9a1a22a1849
Instruction ID: 8f95e1a452f283c9d6a5f9db166b7f7b6e325fa1ebf04232aa01919826a7e185
Opcode Fuzzy Hash: F5012D8237CECA73DA0AAEC47C00B80D5A5AF63224CC867A14A9D3D1D41ED06009AB4A
Instruction Fuzzy Hash: 8f95e1a452f283c9d6a5f9db166b7f7b6e325fa1ebf04232aa01919826a7e185

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F1D2
GetWindowPlacement.USER32(?,0000002C), ref: 0046F1ED
IsWindowVisible.USER32(?), ref: 0046F258

Part of subcall function 0046F148: GetWindow.USER32(?,00000005), ref: 0046F156
Part of subcall function 0046F148: GetWindow.USER32(00000000,00000002), ref: 0046F164

Strings

,, xrefs: 0046F1E1
Minimized, xrefs: 0046F225
Show/Unactive, xrefs: 0046F239
True, xrefs: 0046F2AA
Maximized, xrefs: 0046F1FD
Normal, xrefs: 0046F211
Normal/Unactive, xrefs: 0046F24D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E71C, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 109 Total matches: 2989

Similarity

Total matches: 2989
API ID: IntersectRect$GetSystemMetrics$EnumDisplayMonitorsGetClipBoxGetDCOrgExOffsetRect
String ID: EnumDisplayMonitors
API String ID: 2403121106-2491903729
Opcode ID: 52db4d6629bbd73772140d7e04a91d47a072080cb3515019dbe85a8b86b11587
Instruction ID: b4557ab74b20c8893b9e8c5043286aecf6e43751f6ec849995a879e485a4fa77
Opcode Fuzzy Hash: 60F02B4B413C0863AD32BB953067E2601615BD3955C9F7BF34D077A2091B85B42EF643
Instruction Fuzzy Hash: b4557ab74b20c8893b9e8c5043286aecf6e43751f6ec849995a879e485a4fa77

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 0042E755
GetSystemMetrics.USER32(00000000), ref: 0042E77A
GetSystemMetrics.USER32(00000001), ref: 0042E785
GetClipBox.GDI32(?,?), ref: 0042E797
GetDCOrgEx.GDI32(?,?), ref: 0042E7A4
OffsetRect.USER32(?,?,?), ref: 0042E7BD
IntersectRect.USER32(?,?,?), ref: 0042E7CE
IntersectRect.USER32(?,?,?), ref: 0042E7E4
IntersectRect.USER32(?,?,?), ref: 0042E804

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

EnumDisplayMonitors, xrefs: 0042E734

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044D1B0, Relevance: 16.6, APIs: 11, Instructions: 91 Total matches: 309

Similarity

Total matches: 309
API ID: GetWindowLongSetWindowLong$SetProp$IsWindowUnicode
String ID:
API String ID: 2416549522-0
Opcode ID: cc33e88019e13a6bdd1cd1f337bb9aa08043e237bf24f75c2294c70aefb51ea5
Instruction ID: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692
Opcode Fuzzy Hash: 47F09048455D92E9CE316990181BFEB6098AF57F91CE86B0469C2713778E50F079BCC2
Instruction Fuzzy Hash: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692

APIs

IsWindowUnicode.USER32(?), ref: 0044D1CA
SetWindowLongW.USER32(?,000000FC,?), ref: 0044D1E5
GetWindowLongW.USER32(?,000000F0), ref: 0044D1F0
GetWindowLongW.USER32(?,000000F4), ref: 0044D202
SetWindowLongW.USER32(?,000000F4,?), ref: 0044D215
SetWindowLongA.USER32(?,000000FC,?), ref: 0044D22E
GetWindowLongA.USER32(?,000000F0), ref: 0044D239
GetWindowLongA.USER32(?,000000F4), ref: 0044D24B
SetWindowLongA.USER32(?,000000F4,?), ref: 0044D25E
SetPropA.USER32(?,00000000,00000000), ref: 0044D275
SetPropA.USER32(?,00000000,00000000), ref: 0044D28C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00485954, Relevance: 16.0, APIs: 4, Strings: 5, Instructions: 236 Total matches: 15filewindow

Similarity

Total matches: 15
API ID: DeleteFile$BeepMessageBox
String ID: Error$SYSINFO$out.txt$systeminfo$tmp.txt
API String ID: 2513333429-345806071
Opcode ID: 175ef29eb0126f4faf8d8d995bdbdcdb5595b05f6195c7c08c0282fe984d4c47
Instruction ID: 39f7f17e1c987efdb7b4b5db2f739eec2f93dce701a473bbe0ca777f64945c64
Opcode Fuzzy Hash: 473108146FCD9607E0675C047D43BB622369F83488E8AB3736AB7321E95E12C007FE96
Instruction Fuzzy Hash: 39f7f17e1c987efdb7b4b5db2f739eec2f93dce701a473bbe0ca777f64945c64

APIs

Beep.KERNEL32(00000000,00000000,?,00000000,00485C82), ref: 00485C68

Part of subcall function 00489BB0: GetTempPathA.KERNEL32(?,00000000), ref: 00489BEC

Part of subcall function 0048AB58: DeleteFileA.KERNEL32(00000000,00000000,0048ABE5,?,00000000,0048AC07), ref: 0048ABA5

Part of subcall function 0048A8AC: CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000004,00000100,00000000), ref: 0048A953
Part of subcall function 0048A8AC: CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000002,00000100,00000000), ref: 0048A98D
Part of subcall function 0048A8AC: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000110,00000000,00000000,00000044,?), ref: 0048AA10
Part of subcall function 0048A8AC: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0048AA2D
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA68
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA77
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA86
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA95

DeleteFileA.KERNEL32(00000000,Error,00000000,00485C82), ref: 00485A63
DeleteFileA.KERNEL32(00000000,00000000,Error,00000000,00485C82), ref: 00485A92

Part of subcall function 00485888: LocalAlloc.KERNEL32(00000040,00000014,00000000,00485939), ref: 004858C3
Part of subcall function 00485888: CreateThread.KERNEL32(00000000,00000000,Function_0008317C,00000000,00000000,00499F94), ref: 00485913
Part of subcall function 00485888: CloseHandle.KERNEL32(00000000), ref: 00485919

MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00485BE3

Strings

systeminfo, xrefs: 00485A14
tmp.txt, xrefs: 004859CA, 00485A07, 00485A79
Error, xrefs: 004859DE
SYSINFO, xrefs: 00485AAE
out.txt, xrefs: 004859AB, 004859EE, 00485A2A, 00485A4A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00462C84, Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 197 Total matches: 15com

Similarity

Total matches: 15
API ID: CoCreateInstance
String ID: )I$,*I$\)I$l)I$|*I
API String ID: 206711758-730570145
Opcode ID: 8999b16d8999ffb1a836ee872fd39b0ec17270f551e5dbcbb19cdec74f308aa7
Instruction ID: 5b7ba80d8099b44c35cabc3879083aa44c7049928a8bf14f2fd8312944c66e37
Opcode Fuzzy Hash: D1212B50148E6143E69475A53D92FAF11533BAB341E68BA6821DF30396CF01619BBF86
Instruction Fuzzy Hash: 5b7ba80d8099b44c35cabc3879083aa44c7049928a8bf14f2fd8312944c66e37

APIs

CoCreateInstance.OLE32(00492A2C,00000000,00000003,0049296C,00000000), ref: 00462CC9
CoCreateInstance.OLE32(00492A8C,00000000,00000001,00462EC8,00000000), ref: 00462CF4
CoCreateInstance.OLE32(00492A9C,00000000,00000001,0049295C,00000000), ref: 00462D20
CoCreateInstance.OLE32(00492A1C,00000000,00000003,004929AC,00000000), ref: 00462E12

Strings

,*I, xrefs: 00462CC3
l)I, xrefs: 00462CB9
)I, xrefs: 00462E4B
\)I, xrefs: 00462D10
|*I, xrefs: 00462D3C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048485C, Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 185 Total matches: 16networkfile

Similarity

Total matches: 16
API ID: HttpQueryInfoInternetCloseHandleInternetOpenInternetOpenUrlInternetReadFileShellExecute
String ID: 200$Mozilla$open
API String ID: 3970492845-1265730427
Opcode ID: 3dc36a46b375420b33b8be952117d0a4158fa58e722c19be8f44cfd6d7effa21
Instruction ID: c028a43d89851b06b6d8b312316828d3eee8359a726d0fa9a5f52c6647499b4f
Opcode Fuzzy Hash: B0213B401399C252F8372E512C83B9D101FDF82639F8857F197B9396D5EF48400DFA9A
Instruction Fuzzy Hash: c028a43d89851b06b6d8b312316828d3eee8359a726d0fa9a5f52c6647499b4f

APIs

InternetOpenA.WININET(Mozilla,00000001,00000000,00000000,00000000), ref: 0048490C
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,04000000,00000000), ref: 00484944
HttpQueryInfoA.WININET(00000000,00000013,?,00000200,?), ref: 0048497D
InternetReadFile.WININET(00000000,?,00000400,?), ref: 00484A04
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 00484A75
InternetCloseHandle.WININET(00000000), ref: 00484A95

Strings

200, xrefs: 004849BD
Mozilla, xrefs: 00484907
open, xrefs: 00484A6E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00448A94, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 170 Total matches: 10window

Similarity

Total matches: 10
API ID: BitBltImageList_DrawExSetBkColorSetTextColor
String ID: 6B
API String ID: 2442363623-1343726390
Opcode ID: f3e76f340fad2a36508cc9c10341b5bdbc0f221426f742f3eb9c92a513530c20
Instruction ID: 7c37791f634a82759e4cc75f05e789a5555426b5a490053cb838fe875b53176d
Opcode Fuzzy Hash: 041108094568A31EE56978080947F3721865B07A61C4A77A03AF31B3DACD443147FB69
Instruction Fuzzy Hash: 7c37791f634a82759e4cc75f05e789a5555426b5a490053cb838fe875b53176d

APIs

ImageList_DrawEx.COMCTL32(00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,?), ref: 00448AF3

Part of subcall function 0042535C: FillRect.USER32(?,00000000,00000000), ref: 00425385

ImageList_DrawEx.COMCTL32(00000000,?,00000000,00000000,00000000,00000000,00000000,000000FF,00000000,00000000), ref: 00448B94
SetTextColor.GDI32(00000000,00FFFFFF), ref: 00448BE1
SetBkColor.GDI32(00000000,00000000), ref: 00448BE9
BitBlt.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00E20746), ref: 00448C0E
SetTextColor.GDI32(00000000,00FFFFFF), ref: 00448C2F
SetBkColor.GDI32(00000000,00000000), ref: 00448C37
BitBlt.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00E20746), ref: 00448C5A

Part of subcall function 00448A6C: ImageList_GetBkColor.COMCTL32(00000000,?,00448ACD,00000000,?), ref: 00448A82

Strings

6B, xrefs: 00448B05

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A8AC, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 146 Total matches: 45fileprocesssynchronization

Similarity

Total matches: 45
API ID: CloseHandle$CreateFile$CreateProcessWaitForSingleObject
String ID: D
API String ID: 1169714791-2746444292
Opcode ID: 9fb844b51f751657abfdf9935c21911306aa385a3997c9217fbe2ce6b668f812
Instruction ID: 79e473b7fda91be69f4d7f417df14a4c992ec25b9310636d694ca9e09f5cc5b6
Opcode Fuzzy Hash: 4D11E6431384F3F3F1A567002C8275185D6DB45A78E6D9752D6B6323EECB40A16CF94A
Instruction Fuzzy Hash: 79e473b7fda91be69f4d7f417df14a4c992ec25b9310636d694ca9e09f5cc5b6

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000004,00000100,00000000), ref: 0048A953
CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000002,00000100,00000000), ref: 0048A98D
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000110,00000000,00000000,00000044,?), ref: 0048AA10
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0048AA2D
CloseHandle.KERNEL32(00000000), ref: 0048AA68
CloseHandle.KERNEL32(00000000), ref: 0048AA77
CloseHandle.KERNEL32(00000000), ref: 0048AA86
CloseHandle.KERNEL32(00000000), ref: 0048AA95

Strings

D, xrefs: 0048A9BB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00483468, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 118 Total matches: 10networkthread

Similarity

Total matches: 10
API ID: InternetCloseHandle$ExitThreadInternetOpenInternetOpenUrl
String ID: Times.$[.exe]$H4H$myappname
API String ID: 1533170427-2018508691
Opcode ID: 9bfd80528866c3fa2248181b1ccb48c134560f4eab1f6b9a7ba83a7f0698ff3d
Instruction ID: 5d8c8af60e1396200864222ed7d4265ca944ca2bef987cfa67465281aeb1ae53
Opcode Fuzzy Hash: 5201284087779767E0713A843C83BA64057AF53F79E88AB6006383B6C28D5E501EFE1E
Instruction Fuzzy Hash: 5d8c8af60e1396200864222ed7d4265ca944ca2bef987cfa67465281aeb1ae53

APIs

InternetOpenA.WININET(myappname,00000000,00000000,00000000,00000000), ref: 0048350C
InternetOpenUrlA.WININET(?,00000000,00000000,00000000,00000000,00000000), ref: 00483537
InternetCloseHandle.WININET(00000000), ref: 0048353D
InternetCloseHandle.WININET(?), ref: 00483553

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000, Times.,?,?,00000000,00483684,?,BTRESULTVisit URL|finished to visit ,?,004835AC,?,myappname,00000000,00000000,00000000,00000000), ref: 0048359F

Strings

myappname, xrefs: 00483507
H4H, xrefs: 00483497, 0048361C
BTRESULTVisit URL|finished to visit , xrefs: 00483558
Times., xrefs: 0048357D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F3B8, Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 110 Total matches: 30

Similarity

Total matches: 30
API ID: GetWindowPlacementGetWindowText
String ID: ,$False$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive
API String ID: 3194812178-3661939895
Opcode ID: 6e67ebc189e59b109926b976878c05c5ff8e56a7c2fe83319816f47c7d386b2c
Instruction ID: 05c2a068ec8248d3d24fb73124f2ba0192b7bb261c799db9564259cde8fcc610
Opcode Fuzzy Hash: DC012BC22786CE23E606A9C47A00BD0CE65AFB261CCC867E14FEE3C5D57ED100089B96
Instruction Fuzzy Hash: 05c2a068ec8248d3d24fb73124f2ba0192b7bb261c799db9564259cde8fcc610

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F40E
GetWindowPlacement.USER32(?,0000002C), ref: 0046F429

Part of subcall function 0046F148: GetWindow.USER32(?,00000005), ref: 0046F156
Part of subcall function 0046F148: GetWindow.USER32(00000000,00000002), ref: 0046F164

Strings

Maximized, xrefs: 0046F439
,, xrefs: 0046F41D
False, xrefs: 0046F4D6
Show/Unactive, xrefs: 0046F475
Normal, xrefs: 0046F44D
Minimized, xrefs: 0046F461
Normal/Unactive, xrefs: 0046F489

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00456278, Relevance: 15.2, APIs: 10, Instructions: 197 Total matches: 3025

Similarity

Total matches: 3025
API ID: GetWindowLong$IntersectClipRectRestoreDCSaveDC
String ID:
API String ID: 3006731778-0
Opcode ID: 42e9e34b880910027b3e3a352b823e5a85719ef328f9c6ea61aaf2d3498d6580
Instruction ID: 4204c0258dd60c0c2688d7e8ce7edc9cd036ce1826430425374ca7ebdb7834a4
Opcode Fuzzy Hash: 4621F609168D5267EC7B75806993BAA7111FB82B88CD1F7321AA1171975B80204BFA07
Instruction Fuzzy Hash: 4204c0258dd60c0c2688d7e8ce7edc9cd036ce1826430425374ca7ebdb7834a4

APIs

SaveDC.GDI32(?), ref: 00456295

Part of subcall function 0044EEA0: GetWindowOrgEx.GDI32(?), ref: 0044EEAE
Part of subcall function 0044EEA0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044EEC4

IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 004562CE
GetWindowLongA.USER32(00000000,000000EC), ref: 004562E2
GetWindowLongA.USER32(00000000,000000F0), ref: 00456303

Part of subcall function 00456278: SetRect.USER32(00000010,00000000,00000000,?,?), ref: 00456363
Part of subcall function 00456278: IntersectClipRect.GDI32(?,00000000,00000000,00000010,?), ref: 004563D3
Part of subcall function 00456278: SetRect.USER32(?,00000000,00000000,?,?), ref: 004563F4
Part of subcall function 00456278: DrawEdge.USER32(?,?,00000000,00000000), ref: 00456403
Part of subcall function 00456278: IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0045642C

RestoreDC.GDI32(?,?), ref: 004564AB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043F2B8, Relevance: 15.1, APIs: 10, Instructions: 133 Total matches: 142window

Similarity

Total matches: 142
API ID: GetWindowLongSendMessageSetWindowLong$GetClassLongGetSystemMenuSetClassLongSetWindowPos
String ID:
API String ID: 864553395-0
Opcode ID: 9ab73d602731c043e05f06fe9a833ffc60d2bf7da5b0a21ed43778f35c9aa1f5
Instruction ID: 86e40c6f39a8dd384175e0123e2dc7e82ae64037638b8220b5ac0861a23d6a34
Opcode Fuzzy Hash: B101DBAA1A176361E0912DCCCAC3B2ED50DB743248EB0DBD922E11540E7F4590A7FE2D
Instruction Fuzzy Hash: 86e40c6f39a8dd384175e0123e2dc7e82ae64037638b8220b5ac0861a23d6a34

APIs

GetWindowLongA.USER32(00000000,000000F0), ref: 0043F329
GetWindowLongA.USER32(00000000,000000EC), ref: 0043F33B
GetClassLongA.USER32(00000000,000000E6), ref: 0043F34E
SetWindowLongA.USER32(00000000,000000F0,00000000), ref: 0043F38E
SetWindowLongA.USER32(00000000,000000EC,?), ref: 0043F3A2
SetClassLongA.USER32(00000000,000000E6,?), ref: 0043F3B6
SendMessageA.USER32(00000000,00000080,00000001,00000000), ref: 0043F3F0
SendMessageA.USER32(00000000,00000080,00000001,00000000), ref: 0043F408
GetSystemMenu.USER32(00000000,000000FF), ref: 0043F417
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043F440

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044155C, Relevance: 15.1, APIs: 10, Instructions: 74 Total matches: 3192window

Similarity

Total matches: 3192
API ID: DeleteMenu$EnableMenuItem$GetSystemMenu
String ID:
API String ID: 3542995237-0
Opcode ID: 6b257927fe0fdeada418aad578b82fbca612965c587f2749ccb5523ad42afade
Instruction ID: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578
Opcode Fuzzy Hash: 0AF0D09DD98F1151E6F500410C47B83C08AFF413C5C245B380583217EFA9D25A5BEB0E
Instruction Fuzzy Hash: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 004415A7
DeleteMenu.USER32(00000000,0000F130,00000000), ref: 004415C5
DeleteMenu.USER32(00000000,00000007,00000400), ref: 004415D2
DeleteMenu.USER32(00000000,00000005,00000400), ref: 004415DF
DeleteMenu.USER32(00000000,0000F030,00000000), ref: 004415EC
DeleteMenu.USER32(00000000,0000F020,00000000), ref: 004415F9
DeleteMenu.USER32(00000000,0000F000,00000000), ref: 00441606
DeleteMenu.USER32(00000000,0000F120,00000000), ref: 00441613
EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 00441631
EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 0044164D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040281E, Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 188 Total matches: 190window

Similarity

Total matches: 190
API ID: MessageBox
String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
API String ID: 1250089747-980038931
Opcode ID: 1669ecd234b97cdbd14c3df7a35b1e74c6856795be7635a3e0f5130a3d9bc831
Instruction ID: 2e60dbe28dcd1d3aa5670394eea0bc97309ab4bc9661f15f320bab8b5d4cd559
Opcode Fuzzy Hash: 8E21F44B67EED392D3EA1303384575540E3ABC5537D888F60977232BF6EE14140BAA9D
Instruction Fuzzy Hash: 2e60dbe28dcd1d3aa5670394eea0bc97309ab4bc9661f15f320bab8b5d4cd559

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 00402BBE

Strings

An unexpected memory leak has occurred. , xrefs: 00402980
, xrefs: 00402B04
The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402B39
The unexpected small block leaks are:, xrefs: 004029F7
Unexpected Memory Leak, xrefs: 00402BB0
7, xrefs: 00402991
bytes: , xrefs: 00402A4D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004710F0, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 66 Total matches: 37

Similarity

Total matches: 37
API ID: GetWindowShowWindow$FindWindowGetClassName
String ID: BUTTON$Shell_TrayWnd
API String ID: 2948047570-3627955571
Opcode ID: 9e064d9ead1b610c0c1481de5900685eb7d76be14ef2e83358ce558d27e67668
Instruction ID: d360bd029940f6fa4d12d7627fe3e8b46839e67e31e965d43504e39a11938d6c
Opcode Fuzzy Hash: 68E092CC17B5D469B71A2789284236241D5C763A35C18B752D332376DF8E58021EE60A
Instruction Fuzzy Hash: d360bd029940f6fa4d12d7627fe3e8b46839e67e31e965d43504e39a11938d6c

APIs

FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 0047111D
GetWindow.USER32(00000000,00000005), ref: 00471125
GetClassNameA.USER32(00000000,?,00000080), ref: 0047113D
ShowWindow.USER32(00000000,00000001), ref: 0047117C
ShowWindow.USER32(00000000,00000000), ref: 00471186
GetWindow.USER32(00000000,00000002), ref: 0047118E

Strings

BUTTON, xrefs: 00471168
Shell_TrayWnd, xrefs: 00471118

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040DA34, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 56 Total matches: 16filewindow

Similarity

Total matches: 16
API ID: GetStdHandleWriteFile$CharToOemLoadStringMessageBox
String ID: LPI
API String ID: 3807148645-863635926
Opcode ID: 539cd2763de28bf02588dbfeae931fa34031625c31423c558e1c96719d1f86e4
Instruction ID: 5b0ab8211e0f5c40d4b1780363d5c9b524eff0228eb78845b7b0cb7c9884c59c
Opcode Fuzzy Hash: B1E09A464E3CA62353002E1070C6B892287EF4302E93833828A11787D74E3104E9A21C
Instruction Fuzzy Hash: 5b0ab8211e0f5c40d4b1780363d5c9b524eff0228eb78845b7b0cb7c9884c59c

APIs

Part of subcall function 0040D8AC: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040D8C9
Part of subcall function 0040D8AC: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040D8ED
Part of subcall function 0040D8AC: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040D908
Part of subcall function 0040D8AC: LoadStringA.USER32(00000000,0000FFED,?,00000100), ref: 0040D99E

CharToOemA.USER32(?,?), ref: 0040DA6B
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,0040E1ED,0040E312,0040FDD4,00000000,0040FF18), ref: 0040DA88
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?), ref: 0040DA8E
GetStdHandle.KERNEL32(000000F4,0040DAF8,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,0040E1ED,0040E312,0040FDD4,00000000,0040FF18), ref: 0040DAA3
WriteFile.KERNEL32(00000000,000000F4,0040DAF8,00000002,?), ref: 0040DAA9
LoadStringA.USER32(00000000,0000FFEE,?,00000040), ref: 0040DACB
MessageBoxA.USER32(00000000,?,?,00002010), ref: 0040DAE1

Strings

LPI, xrefs: 0040DA48

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004564D0, Relevance: 13.7, APIs: 9, Instructions: 177 Total matches: 190window

Similarity

Total matches: 190
API ID: SelectObject$BeginPaintBitBltCreateCompatibleBitmapCreateCompatibleDCSetWindowOrgEx
String ID:
API String ID: 1616898104-0
Opcode ID: 00b711a092303d63a394b0039c66d91bff64c6bf82b839551a80748cfcb5bf1e
Instruction ID: 1affb125a654ca7596d0e4f6c4811def945eff925a29ebecd1c68cf0f38a7913
Opcode Fuzzy Hash: 14115B85024DA637E8739CC85E83F962294F307D48C91F7729BA31B2C72F15600DD293
Instruction Fuzzy Hash: 1affb125a654ca7596d0e4f6c4811def945eff925a29ebecd1c68cf0f38a7913

APIs

Part of subcall function 00455D50: BeginPaint.USER32(00000000,?), ref: 00455D7B
Part of subcall function 00455D50: SaveDC.GDI32(00000000), ref: 00455DB4
Part of subcall function 00455D50: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 00455E36
Part of subcall function 00455D50: RestoreDC.GDI32(00000000,00000000), ref: 00455E6C
Part of subcall function 00455D50: EndPaint.USER32(00000000,?), ref: 00455EA9

BeginPaint.USER32(00000000,?), ref: 004565EA
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00456600
CreateCompatibleDC.GDI32(00000000), ref: 00456617
SelectObject.GDI32(?,?), ref: 00456627
SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0045664B

Part of subcall function 004564D0: BeginPaint.USER32(00000000,?), ref: 0045653C
Part of subcall function 004564D0: EndPaint.USER32(00000000,?), ref: 004565D0

BitBlt.GDI32(00000000,?,?,?,?,?,?,?,00CC0020), ref: 00456699
SelectObject.GDI32(?,?), ref: 004566B3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004840D8, Relevance: 13.6, APIs: 9, Instructions: 150 Total matches: 30

Similarity

Total matches: 30
API ID: CloseHandleGetTokenInformationLookupAccountSid$GetLastErrorOpenProcessOpenProcessToken
String ID:
API String ID: 1387212650-0
Opcode ID: 55fc45e655e8bcad6bc41288bae252f5ee7be0b7cb976adfe173a6785b05be5f
Instruction ID: 4c6b5abeafcca947752a893948ed48d42e020b1fe5683f4a654fc51f6199c0a3
Opcode Fuzzy Hash: 3901484A17CA2293F53BB5C82483FEA1215E702B45D48B7A354F43A59A5F45A13BF702
Instruction Fuzzy Hash: 4c6b5abeafcca947752a893948ed48d42e020b1fe5683f4a654fc51f6199c0a3

APIs

OpenProcess.KERNEL32(00000400,00000000,?,00000000,00484275), ref: 00484108
OpenProcessToken.ADVAPI32(00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 0048411E
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,?,00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 00484139
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),?,?,?,?,TokenIntegrityLevel,00000000,00000000,?,00000000,00000008,?,00000400,00000000), ref: 00484168
GetLastError.KERNEL32(?,TokenIntegrityLevel,00000000,00000000,?,00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 00484177
CloseHandle.KERNEL32(?), ref: 00484185
LookupAccountSidA.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 004841B4
LookupAccountSidA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,?), ref: 00484205
CloseHandle.KERNEL32(00000000), ref: 00484255

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00451458, Relevance: 13.6, APIs: 9, Instructions: 122 Total matches: 3040window

Similarity

Total matches: 3040
API ID: PatBlt$SelectObject$GetDCExGetDesktopWindowReleaseDC
String ID:
API String ID: 2402848322-0
Opcode ID: 0b1cd19b0e82695ca21d43bacf455c9985e1afa33c1b29ce2f3a7090b744ccb2
Instruction ID: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593
Opcode Fuzzy Hash: C2F0B4482AADF707C8B6350915C7F79224AED736458F4BB694DB4172CBAF27B014D093
Instruction Fuzzy Hash: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593

APIs

GetDesktopWindow.USER32 ref: 0045148F
GetDCEx.USER32(?,00000000,00000402), ref: 004514A2

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

SelectObject.GDI32(?,00000000), ref: 004514C5
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 004514EB
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0045150D
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 0045152C
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 00451546
SelectObject.GDI32(?,?), ref: 00451553
ReleaseDC.USER32(?,?), ref: 0045156D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00465598, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 194 Total matches: 72libraryloader

Similarity

Total matches: 72
API ID: GetProcAddress$IsBadReadPtrLoadLibrary
String ID: BuildImportTable: GetProcAddress failed$BuildImportTable: ReallocMemory failed$BuildImportTable: can't load library:
API String ID: 1616315271-1384308123
Opcode ID: eb45955122e677bac4d3e7b6686ec9cba9f45ae3ef48f3e0b242e9a0c3719a7c
Instruction ID: d25742ef4bc1d51b96969838743a3f95180d575e7d72d5f7fe617812cb4009d6
Opcode Fuzzy Hash: 0B214C420345E0D3ED39A2081CC7FB15345EF639B4D88AB671ABB667FA2985500AF50D
Instruction Fuzzy Hash: d25742ef4bc1d51b96969838743a3f95180d575e7d72d5f7fe617812cb4009d6

APIs

LoadLibraryA.KERNEL32(00000000), ref: 00465607
GetProcAddress.KERNEL32(?,?), ref: 00465737
GetProcAddress.KERNEL32(?,?), ref: 0046576B
IsBadReadPtr.KERNEL32(?,00000014,00000000,004657D8), ref: 004657A9

Strings

BuildImportTable: can't load library: , xrefs: 00465644
BuildImportTable: ReallocMemory failed, xrefs: 0046568D
BuildImportTable: GetProcAddress failed, xrefs: 0046577C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482E34, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 193 Total matches: 16sleepthread

Similarity

Total matches: 16
API ID: Sleep$CreateThreadExitThread
String ID: .255$127.0.0.1$LanList
API String ID: 1155887905-2919614961
Opcode ID: f9aceb7697053a60f8f2203743265727de6b3c16a25ac160ebf033b594fe70c2
Instruction ID: 67bc21a589158fc7afeef0b5d02271f7d18e2bfc14a4273c93325a5ef21c2c98
Opcode Fuzzy Hash: 62215C820F87955EED616C807C41FA701315FB7649D4FAB622A6B3A1A74E032016B743
Instruction Fuzzy Hash: 67bc21a589158fc7afeef0b5d02271f7d18e2bfc14a4273c93325a5ef21c2c98

APIs

ExitThread.KERNEL32(00000000,00000000,004830D3,?,?,?,?,00000000,00000000), ref: 004830A6

Part of subcall function 00473208: socket.WSOCK32(00000002,00000001,00000000,00000000,00473339), ref: 0047323B
Part of subcall function 00473208: WSAIoctl.WS2_32(000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000), ref: 0047327C
Part of subcall function 00473208: inet_ntoa.WSOCK32(?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000), ref: 004732AC
Part of subcall function 00473208: inet_ntoa.WSOCK32(?,?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001), ref: 004732E8
Part of subcall function 00473208: closesocket.WSOCK32(000000FF,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000,00000000,00473339), ref: 00473319

CreateThread.KERNEL32(00000000,00000000,Function_00082CDC,?,00000000,?), ref: 00483005
Sleep.KERNEL32(00000032,00000000,00000000,Function_00082CDC,?,00000000,?,?,00000000,00000000,00483104,?,00483104,?,00483104,?), ref: 0048300C
Sleep.KERNEL32(00000064,.255,?,00483104,?,00483104,?,?,00000000,004830D3,?,?,?,?,00000000,00000000), ref: 00483054

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

127.0.0.1, xrefs: 00482E9D
LanList, xrefs: 0048306B
.255, xrefs: 0048303C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004117E8, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: f440f800a6dcfa6827f62dcd7c23166eba4d720ac19948e634cff8498f9e3f0b
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 4D113503239AAB83B0257B804C83F24D1D0DE42D36ACD97B8C672693F32601561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00411881
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041189D
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 004118D6
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411953
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0041196C
VariantCopy.OLEAUT32(?), ref: 004119A1

Strings

, xrefs: 00411802

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00454934, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 134 Total matches: 1764registry

Similarity

Total matches: 1764
API ID: GetWindowLong$GetClassInfoRegisterClassSetWindowLongUnregisterClass
String ID: @
API String ID: 2433521760-2766056989
Opcode ID: bb057d11bcffa2997f58ae607b8aec9f6d517787b85221cca69b6bc40098651c
Instruction ID: 4013627ed433dbc6b152acdb164a0da3d29e3622e0b68fd627badcaca3a3b516
Opcode Fuzzy Hash: 5A119C80560CD237E7D669A4B48378513749F97B7CDD0536B63F6242DA4E00402DF96E
Instruction Fuzzy Hash: 4013627ed433dbc6b152acdb164a0da3d29e3622e0b68fd627badcaca3a3b516

APIs

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetClassInfoA.USER32(?,?,?), ref: 004549F8
UnregisterClassA.USER32(?,?), ref: 00454A20
RegisterClassA.USER32(?), ref: 00454A36
GetWindowLongA.USER32(00000000,000000F0), ref: 00454A72
GetWindowLongA.USER32(00000000,000000F4), ref: 00454A87
SetWindowLongA.USER32(00000000,000000F4,00000000), ref: 00454A9A

Part of subcall function 00458910: IsIconic.USER32(?), ref: 0045891F
Part of subcall function 00458910: GetWindowPlacement.USER32(?,0000002C), ref: 0045893C
Part of subcall function 00458910: GetWindowRect.USER32(?), ref: 00458955
Part of subcall function 00458910: GetWindowLongA.USER32(?,000000F0), ref: 00458963
Part of subcall function 00458910: GetWindowLongA.USER32(?,000000F8), ref: 00458978
Part of subcall function 00458910: ScreenToClient.USER32(00000000), ref: 00458985
Part of subcall function 00458910: ScreenToClient.USER32(00000000,?), ref: 00458990

Part of subcall function 0042473C: CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,00424930,?,00000000,00424958), ref: 0042486B
Part of subcall function 0042473C: CreateFontIndirectA.GDI32(?), ref: 0042490D

Part of subcall function 0040F26C: GetLastError.KERNEL32(0040F31C,?,0041BBC3,?), ref: 0040F26C

Strings

@, xrefs: 0045496D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AC14, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 110 Total matches: 30

Similarity

Total matches: 30
API ID: GetCurrentProcessGetTokenInformationLookupPrivilegeDisplayNameLookupPrivilegeNameOpenProcessToken
String ID: GetTokenInformation error$OpenProcessToken error
API String ID: 34442935-1842041635
Opcode ID: 07715b92dc7caf9e715539a578f275bcd2bb60a34190f84cc6cf05c55eb8ea49
Instruction ID: 380ab001647c8b3903b6034fc21424389ae21c1771cfbd9cf9b74ae493e33b6b
Opcode Fuzzy Hash: 9101994303ACF753F62929086842BDA0550DF534A5EC4AB6281746BEC90F28203AFB57
Instruction Fuzzy Hash: 380ab001647c8b3903b6034fc21424389ae21c1771cfbd9cf9b74ae493e33b6b

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AD60), ref: 0048AC51
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AD60), ref: 0048AC57
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000320,?,00000000,00000028,?,00000000,0048AD60), ref: 0048AC7D
LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,00000000,000000FF,?), ref: 0048ACEE

Part of subcall function 00489B40: MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00489B84

LookupPrivilegeNameA.ADVAPI32(00000000,?,00000000,000000FF), ref: 0048ACDD

Strings

GetTokenInformation error, xrefs: 0048AC86
OpenProcessToken error, xrefs: 0048AC60

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0041F7B4, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109 Total matches: 16thread

Similarity

Total matches: 16
API ID: EnterCriticalSectionGetCurrentThreadId$InterlockedExchangeLeaveCriticalSection
String ID: 4PI
API String ID: 853095497-1771581502
Opcode ID: e7ac2c5012fa839d146893c0705f22c4635eb548c5d0be0363ce03b581d14a20
Instruction ID: e450c16710015a04d827bdf36dba62923dd4328c0a0834b889eda6f9c026b195
Opcode Fuzzy Hash: 46F0268206D8F1379472678830D77370A8AC33154EC85EB52162C376EB1D05D05DE75B
Instruction Fuzzy Hash: e450c16710015a04d827bdf36dba62923dd4328c0a0834b889eda6f9c026b195

APIs

GetCurrentThreadId.KERNEL32 ref: 0041F7BF
GetCurrentThreadId.KERNEL32 ref: 0041F7CE
EnterCriticalSection.KERNEL32(004999D0,0041F904,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F8F7

Part of subcall function 0041F774: WaitForSingleObject.KERNEL32(000000EC), ref: 0041F77E

Part of subcall function 0041F768: ResetEvent.KERNEL32(000000EC,0041F809), ref: 0041F76E

EnterCriticalSection.KERNEL32(004999D0), ref: 0041F813
InterlockedExchange.KERNEL32(00491B2C,?), ref: 0041F82F
LeaveCriticalSection.KERNEL32(004999D0,00000000,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F888

Strings

4PI, xrefs: 0041F7C4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00449834, Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 80 Total matches: 16libraryloader

Similarity

Total matches: 16
API ID: GetModuleHandleGetProcAddressImageList_Write
String ID: $qA$ImageList_WriteEx$[FILE]$[FILE]
API String ID: 3028349119-1134023085
Opcode ID: 9b6b780f1487285524870f905d0420896c1378cf45dbecae2d97141bf0e14d48
Instruction ID: 043155abd17610354dead4f4dd3580dd0e6203469d1d2f069e389e4af6e4a666
Opcode Fuzzy Hash: 29F059C6A0CCF14AE7175584B0AB66107F0BB9DD5F8C87710081C710A90F95A13DFB56
Instruction Fuzzy Hash: 043155abd17610354dead4f4dd3580dd0e6203469d1d2f069e389e4af6e4a666

APIs

ImageList_Write.COMCTL32(00000000,?,00000000,0044992E), ref: 004498F8

Part of subcall function 0040E3A4: GetFileVersionInfoSizeA.VERSION(00000000,?,00000000,0040E47A), ref: 0040E3E6
Part of subcall function 0040E3A4: GetFileVersionInfoA.VERSION(00000000,?,00000000,?,00000000,0040E45D,?,00000000,?,00000000,0040E47A), ref: 0040E41B
Part of subcall function 0040E3A4: VerQueryValueA.VERSION(?,0040E48C,?,?,00000000,?,00000000,?,00000000,0040E45D,?,00000000,?,00000000,0040E47A), ref: 0040E435

GetModuleHandleA.KERNEL32(comctl32.dll), ref: 00449868
GetProcAddress.KERNEL32(00000000,ImageList_WriteEx,comctl32.dll), ref: 00449879

Strings

comctl32.dll, xrefs: 00449863
ImageList_WriteEx, xrefs: 00449873
$qA, xrefs: 004498D4, 00449909
comctl32.dll, xrefs: 00449848

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E4A0, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68 Total matches: 2853string

Similarity

Total matches: 2853
API ID: GetSystemMetrics$GetMonitorInfoSystemParametersInfolstrcpy
String ID: DISPLAY$GetMonitorInfo
API String ID: 3432438702-1633989206
Opcode ID: eae47ffeee35c10db4cae29e8a4ab830895bcae59048fb7015cdc7d8cb0a928b
Instruction ID: 74142331967dee0409fd24cf408a58a7466f2520650418456c75ade1e3029da4
Opcode Fuzzy Hash: 28E068803A699081F86A71027110F4912B07AE7E47D883B92C4777051BD78265B91D01
Instruction Fuzzy Hash: 74142331967dee0409fd24cf408a58a7466f2520650418456c75ade1e3029da4

APIs

GetMonitorInfoA.USER32(?,?), ref: 0042E4D1
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042E4F8
GetSystemMetrics.USER32(00000000), ref: 0042E50D
GetSystemMetrics.USER32(00000001), ref: 0042E518
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0042E542

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

DISPLAY, xrefs: 0042E539
GetMonitorInfo, xrefs: 0042E4B8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E574, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 68 Total matches: 14string

Similarity

Total matches: 14
API ID: GetSystemMetrics$SystemParametersInfolstrcpy
String ID: DISPLAY$GetMonitorInfoA$tB
API String ID: 920390751-4256241499
Opcode ID: 9a94b6fb1edcb78a0c9a66795ebd84d1eeb67d07ab6805deb2fcd0b49b846e84
Instruction ID: eda70eb6c6723b3d8ed12733fddff3b40501d2063d2ec80ebb02aba850291404
Opcode Fuzzy Hash: 78E068C132298081B86A31013160F42129039E7E17E883BC1D4F77056B8B8275651D08
Instruction Fuzzy Hash: eda70eb6c6723b3d8ed12733fddff3b40501d2063d2ec80ebb02aba850291404

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042E5CC
GetSystemMetrics.USER32(00000000), ref: 0042E5E1
GetSystemMetrics.USER32(00000001), ref: 0042E5EC
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0042E616

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

GetMonitorInfoA, xrefs: 0042E58C
tB, xrefs: 0042E591, 0042E59E, 0042E5A5
DISPLAY, xrefs: 0042E60D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E648, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 68 Total matches: 10string

Similarity

Total matches: 10
API ID: GetSystemMetrics$SystemParametersInfolstrcpy
String ID: DISPLAY$GetMonitorInfoW$HB
API String ID: 920390751-4214253287
Opcode ID: 39694e9d9e018d210cdbb9f258b89a02c97d0963af088e59ad359ed5c593a5a2
Instruction ID: 715dbc0accc45c62a460a5bce163b1305142a94d166b4e77b7d7de915e09a29c
Opcode Fuzzy Hash: C6E0D8802269D0C5B86A71013254F4712E53EFBF57C8C3B51D5737156A5782A6B51D11
Instruction Fuzzy Hash: 715dbc0accc45c62a460a5bce163b1305142a94d166b4e77b7d7de915e09a29c

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042E6A0
GetSystemMetrics.USER32(00000000), ref: 0042E6B5
GetSystemMetrics.USER32(00000001), ref: 0042E6C0
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0042E6EA

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

GetMonitorInfoW, xrefs: 0042E660
HB, xrefs: 0042E665, 0042E672, 0042E679
DISPLAY, xrefs: 0042E6E1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004052FC, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38 Total matches: 3072filewindow

Similarity

Total matches: 3072
API ID: GetStdHandleWriteFile$MessageBox
String ID: Error$Runtime error at 00000000
API String ID: 877302783-2970929446
Opcode ID: a2f2a555d5de0ed3a3cdfe8a362fd9574088acc3a5edf2b323f2c4251b80d146
Instruction ID: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97
Opcode Fuzzy Hash: FED0A7C68438479FA141326030C4B2A00133F0762A9CC7396366CB51DFCF4954BCDD05
Instruction Fuzzy Hash: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405335
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 0040533B
GetStdHandle.KERNEL32(000000F5,00405384,00000002,?,00000000,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405350
WriteFile.KERNEL32(00000000,000000F5,00405384,00000002,?), ref: 00405356
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00405374

Strings

Error, xrefs: 00405368
Runtime error at 00000000, xrefs: 0040532E, 0040536D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00442C9C, Relevance: 12.2, APIs: 8, Instructions: 154 Total matches: 2310window

Similarity

Total matches: 2310
API ID: SendMessage$GetActiveWindowGetCapture$ReleaseCapture
String ID:
API String ID: 3360342259-0
Opcode ID: 2e7a3c9d637816ea08647afd4d8ce4a3829e05fa187c32cef18f4a4206af3d5d
Instruction ID: f313f7327938110f0d474da6a120560d1e1833014bacf3192a9076ddb3ef11f7
Opcode Fuzzy Hash: 8F1150111E8E7417F8A3A1C8349BB23A067F74FA59CC0BF71479A610D557588869D707
Instruction Fuzzy Hash: f313f7327938110f0d474da6a120560d1e1833014bacf3192a9076ddb3ef11f7

APIs

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetCapture.USER32 ref: 00442D0D
GetCapture.USER32 ref: 00442D1C
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00442D22
ReleaseCapture.USER32 ref: 00442D27
GetActiveWindow.USER32 ref: 00442D78

Part of subcall function 004442A8: GetCursorPos.USER32 ref: 004442C3
Part of subcall function 004442A8: WindowFromPoint.USER32(?,?), ref: 004442D0
Part of subcall function 004442A8: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004442DE
Part of subcall function 004442A8: GetCurrentThreadId.KERNEL32(00000000,00000000,?,?), ref: 004442E5
Part of subcall function 004442A8: SendMessageA.USER32(00000000,00000084,00000000,?), ref: 0044430E
Part of subcall function 004442A8: SendMessageA.USER32(00000000,00000020,00000000,?), ref: 00444320
Part of subcall function 004442A8: SetCursor.USER32(00000000), ref: 00444332

Part of subcall function 0043B920: GetCurrentThreadId.KERNEL32(0043B8D0,00000000,00000000,0043B993,?,00000000,0043B9D1), ref: 0043B976
Part of subcall function 0043B920: EnumThreadWindows.USER32(00000000,0043B8D0,00000000), ref: 0043B97C

SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00442E0E
SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00442E7B
GetActiveWindow.USER32 ref: 00442E8A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E0DC, Relevance: 12.1, APIs: 8, Instructions: 100 Total matches: 31registry

Similarity

Total matches: 31
API ID: RegOpenKeyEx$RegCloseKeyRegDeleteValue
String ID:
API String ID: 2702562355-0
Opcode ID: ff1bffc0fc9da49c543c68ea8f8c068e074332158ed00d7e0855fec77d15ce10
Instruction ID: bb6f8a9e936068d281b70d3ea2ea02ff1a791729bc38357734c580253c916b5c
Opcode Fuzzy Hash: 00F0AD0155E9A353EBF654C41E127DB2082FF43A44D08FFB50392139D3DF581028E663
Instruction Fuzzy Hash: bb6f8a9e936068d281b70d3ea2ea02ff1a791729bc38357734c580253c916b5c

APIs

RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?,00000000,0046E238), ref: 0046E15A
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,000F003F,?,0046E23F,80000000,00000000,00000000,000F003F,?,00000000,0046E238), ref: 0046E17D
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,0046E23F,80000000,00000000,00000000,000F003F,?), ref: 0046E19D
RegOpenKeyExA.ADVAPI32(80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,0046E23F), ref: 0046E1BD
RegOpenKeyExA.ADVAPI32(80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001), ref: 0046E1DD
RegOpenKeyExA.ADVAPI32(80000006,00000000,00000000,000F003F,?,80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002), ref: 0046E1FD
RegDeleteValueA.ADVAPI32(?,00000000,00000000,0046E238), ref: 0046E20F
RegCloseKey.ADVAPI32(?,?,00000000,00000000,0046E238), ref: 0046E218

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004462F4, Relevance: 12.1, APIs: 8, Instructions: 99 Total matches: 293windowthread

Similarity

Total matches: 293
API ID: SendMessage$GetWindowThreadProcessId$GetCaptureGetParentIsWindowUnicode
String ID:
API String ID: 2317708721-0
Opcode ID: 8f6741418f060f953fc426fb00df5905d81b57fcb2f7a38cdc97cb0aab6d7365
Instruction ID: 027f2b09132ef415e1641618d15c0fc03404835376b0cbd1c352fc703b58c8b5
Opcode Fuzzy Hash: D0F09E15071D1844F89FA7844CD3F1F0150E73726FC516A251861D07BB2640586DEC40
Instruction Fuzzy Hash: 027f2b09132ef415e1641618d15c0fc03404835376b0cbd1c352fc703b58c8b5

APIs

GetCapture.USER32 ref: 0044631A
GetParent.USER32(00000000), ref: 00446340
IsWindowUnicode.USER32(00000000), ref: 0044635D
SendMessageW.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446378
SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446397
GetWindowThreadProcessId.USER32(00000000), ref: 004463A6
GetWindowThreadProcessId.USER32(?,?), ref: 004463B4
SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 004463D4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E244, Relevance: 12.1, APIs: 8, Instructions: 95 Total matches: 27registry

Similarity

Total matches: 27
API ID: RegOpenKeyEx$RegCloseKeyRegDeleteKey
String ID:
API String ID: 1588268847-0
Opcode ID: efa1fa3a126963e045954320cca245066a4b5764b694b03be027155e6cf74c33
Instruction ID: 786d86d630c0ce6decb55c8266b1f23f89dbfeab872e22862efc69a80fb541cf
Opcode Fuzzy Hash: 70F0810454D99393EFF268C81A627EB2492FF53141C00BFB603D222A93DF191428E663
Instruction Fuzzy Hash: 786d86d630c0ce6decb55c8266b1f23f89dbfeab872e22862efc69a80fb541cf

APIs

RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?,00000000,0046E391), ref: 0046E2B7
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,000F003F,?,80000000,00000000,00000000,000F003F,?,00000000,0046E391), ref: 0046E2DA
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,80000000,00000000,00000000,000F003F,?,00000000), ref: 0046E2FA
RegOpenKeyExA.ADVAPI32(80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,80000000), ref: 0046E31A
RegOpenKeyExA.ADVAPI32(80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001), ref: 0046E33A
RegOpenKeyExA.ADVAPI32(80000006,00000000,00000000,000F003F,?,80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002), ref: 0046E35A
RegDeleteKeyA.ADVAPI32(?,0046E39C), ref: 0046E368
RegCloseKey.ADVAPI32(?,?,0046E39C,00000000,0046E391), ref: 0046E371

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426060, Relevance: 12.1, APIs: 8, Instructions: 79 Total matches: 3072window

Similarity

Total matches: 3072
API ID: GetSystemPaletteEntries$GetDCGetDeviceCapsReleaseDC
String ID:
API String ID: 3774187343-0
Opcode ID: c8a1f0028bda89d06ba34fecd970438ce26e4f5bd606e2da3d468695089984a8
Instruction ID: 0cfe958825060108f21fe327ec74807f3ea840bb8274bad68fd1d00675d59d02
Opcode Fuzzy Hash: 82F0E9420739F3B3B21723492453B548250FF006B8F195B7095A2A37D54B486A08D65A
Instruction Fuzzy Hash: 0cfe958825060108f21fe327ec74807f3ea840bb8274bad68fd1d00675d59d02

APIs

GetDC.USER32(00000000), ref: 0042608E
GetDeviceCaps.GDI32(?,00000068), ref: 004260AA
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 004260C9
GetSystemPaletteEntries.GDI32(?,-00000008,00000001,00C0C0C0), ref: 004260ED
GetSystemPaletteEntries.GDI32(?,00000000,00000007,?), ref: 0042610B
GetSystemPaletteEntries.GDI32(?,00000007,00000001,?), ref: 0042611F
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0042613F
ReleaseDC.USER32(00000000,?), ref: 00426157

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434550, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 177 Total matches: 2669window

Similarity

Total matches: 2669
API ID: InsertMenu$GetVersionInsertMenuItem
String ID: ,$?
API String ID: 1158528009-2308483597
Opcode ID: 3691d3eb49acf7fe282d18733ae3af9147e5be4a4a7370c263688d5644077239
Instruction ID: d88e58a9695d0ecde36b26a9ed5775f3b98e27f7dc2108173ae1ec2afbf22209
Opcode Fuzzy Hash: 7021C07202AE81DBD414788C7954F6221B16B5465FD49FF210329B5DD98F156003FF7A
Instruction Fuzzy Hash: d88e58a9695d0ecde36b26a9ed5775f3b98e27f7dc2108173ae1ec2afbf22209

APIs

GetVersion.KERNEL32(00000000,004347A1), ref: 004345EC
InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 004346F5
InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 0043477E

Part of subcall function 00434A54: CreatePopupMenu.USER32 ref: 00434A6F
Part of subcall function 00434A54: CreateMenu.USER32 ref: 00434A79

InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 00434765

Strings

?, xrefs: 00434607
,, xrefs: 00434600

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00488D70, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 139 Total matches: 17window

Similarity

Total matches: 17
API ID: BitBltCreateCompatibleBitmapCreateCompatibleDCCreateDCSelectObject
String ID: image/jpeg
API String ID: 3045076971-3785015651
Opcode ID: dbe4b5206c04ddfa7cec44dd0e3e3f3269a9d8eacf2ec53212285f1a385d973c
Instruction ID: b6a9b81207b66fd46b40be05ec884117bb921c7e8fb4f30b77988d552b54040a
Opcode Fuzzy Hash: 3001BD010F4EF103E475B5CC3853FF7698AEB17E8AD1A77A20CB8961839202A009F607
Instruction Fuzzy Hash: b6a9b81207b66fd46b40be05ec884117bb921c7e8fb4f30b77988d552b54040a

APIs

CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 00488DAA
CreateCompatibleDC.GDI32(?), ref: 00488DC4
CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 00488DDC
SelectObject.GDI32(?,?), ref: 00488DEC
BitBlt.GDI32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,00CC0020), ref: 00488E15

Part of subcall function 0045FB1C: GdipCreateBitmapFromHBITMAP.GDIPLUS(?,?,?), ref: 0045FB43

Part of subcall function 0045FA24: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,0045FA7A), ref: 0045FA54

Strings

image/jpeg, xrefs: 00488E70

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446834, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 138 Total matches: 241window

Similarity

Total matches: 241
API ID: SetWindowPos$GetWindowRectMessageBoxSetActiveWindow
String ID: (
API String ID: 3733400490-3887548279
Opcode ID: 057cc1c80f110adb1076bc5495aef73694a74091f1d008cb79dd59c6bbc78491
Instruction ID: b10abcdf8b99517cb61353ac0e0d7546e107988409174f4fad3563684715349e
Opcode Fuzzy Hash: 88014C110E8D5483B57334902893FAB110AFB8B789C4CF7F65ED25314A4B45612FA657
Instruction Fuzzy Hash: b10abcdf8b99517cb61353ac0e0d7546e107988409174f4fad3563684715349e

APIs

Part of subcall function 00447BE4: GetActiveWindow.USER32 ref: 00447C0B
Part of subcall function 00447BE4: GetLastActivePopup.USER32(?), ref: 00447C1D

GetWindowRect.USER32(?,?), ref: 004468B6
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 004468EE

Part of subcall function 0043B920: GetCurrentThreadId.KERNEL32(0043B8D0,00000000,00000000,0043B993,?,00000000,0043B9D1), ref: 0043B976
Part of subcall function 0043B920: EnumThreadWindows.USER32(00000000,0043B8D0,00000000), ref: 0043B97C

MessageBoxA.USER32(00000000,?,?,?), ref: 0044692D
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0044697D

Part of subcall function 0043B9E4: IsWindow.USER32(?), ref: 0043B9F2
Part of subcall function 0043B9E4: EnableWindow.USER32(?,000000FF), ref: 0043BA01

SetActiveWindow.USER32(00000000), ref: 0044698E

Strings

(, xrefs: 00446893

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446524, Relevance: 10.6, APIs: 7, Instructions: 105 Total matches: 329window

Similarity

Total matches: 329
API ID: PeekMessage$DispatchMessage$IsWindowUnicodeTranslateMessage
String ID:
API String ID: 94033680-0
Opcode ID: 72d0e2097018c2d171db36cd9dd5c7d628984fd68ad100676ade8b40d7967d7f
Instruction ID: b3581f7210794b57d406096c46509e1a6dcc6e0b3c60c7d01b5c3c410123a072
Opcode Fuzzy Hash: A2F0F642161A8221F90E364651E2FC06559E31F39CCD1D3871165A4192DF8573D6F95C
Instruction Fuzzy Hash: b3581f7210794b57d406096c46509e1a6dcc6e0b3c60c7d01b5c3c410123a072

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00446538
IsWindowUnicode.USER32 ref: 0044654C
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0044656D
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00446583

Part of subcall function 00447DD0: GetCapture.USER32 ref: 00447DDA
Part of subcall function 00447DD0: GetParent.USER32(00000000), ref: 00447E08

Part of subcall function 004462A4: TranslateMDISysAccel.USER32(?), ref: 004462E3

Part of subcall function 004462F4: GetCapture.USER32 ref: 0044631A
Part of subcall function 004462F4: GetParent.USER32(00000000), ref: 00446340
Part of subcall function 004462F4: IsWindowUnicode.USER32(00000000), ref: 0044635D
Part of subcall function 004462F4: SendMessageW.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446378
Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446397
Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(00000000), ref: 004463A6
Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(?,?), ref: 004463B4
Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 004463D4

Part of subcall function 0044625C: IsWindowUnicode.USER32(00000000), ref: 00446270
Part of subcall function 0044625C: IsDialogMessageW.USER32(?), ref: 00446281
Part of subcall function 0044625C: IsDialogMessageA.USER32(?,?,00000000,015B8130,00000001,00446607,?,00000000,00000000,00000000,00000001,?,00000000,00000000,00000000,00000000), ref: 00446296

TranslateMessage.USER32 ref: 0044660C
DispatchMessageW.USER32 ref: 00446618
DispatchMessageA.USER32 ref: 00446620

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004282D0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99 Total matches: 1938

Similarity

Total matches: 1938
API ID: GetWinMetaFileBitsMulDiv$GetDC
String ID: `
API String ID: 1171737091-2679148245
Opcode ID: 97e0afb71fd3017264d25721d611b96d1ac3823582e31f119ebb41a52f378edb
Instruction ID: fd1c75cb27f8ccc4a85bc281ca680933f7ff10ae91a160973978cac80d6b42b6
Opcode Fuzzy Hash: B6F0ACC4008CD2A7D87675DC1043F6311C897CA286E89BB739226A7307CB0AA019EC47
Instruction Fuzzy Hash: fd1c75cb27f8ccc4a85bc281ca680933f7ff10ae91a160973978cac80d6b42b6

APIs

MulDiv.KERNEL32(?,?,000009EC), ref: 00428322
MulDiv.KERNEL32(?,?,000009EC), ref: 00428339
GetDC.USER32(00000000), ref: 00428350
GetWinMetaFileBits.GDI32(?,00000000,00000000,00000008,?), ref: 00428374
GetWinMetaFileBits.GDI32(?,?,?,00000008,?), ref: 004283A7

Part of subcall function 00425A70: GetLastError.KERNEL32(00000000,00425B0C), ref: 00425A90
Part of subcall function 00425A70: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00425B0C), ref: 00425AB6

Strings

`, xrefs: 00428308

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444344, Relevance: 10.6, APIs: 7, Instructions: 89 Total matches: 2886

Similarity

Total matches: 2886
API ID: CreateFontIndirect$GetStockObjectSystemParametersInfo
String ID:
API String ID: 1286667049-0
Opcode ID: beeb678630a8d2ca0f721ed15124802961745e4c56d7c704ecddf8ebfa723626
Instruction ID: b9276e4cea0afd1028da4d528d34847b13dbaab52dc8e94e54053a20ac38a9fc
Opcode Fuzzy Hash: 00F0A4C36341F6F2D8993208742172161E6A74AE78C7CFF62422930ED2661A052EEB4F
Instruction Fuzzy Hash: b9276e4cea0afd1028da4d528d34847b13dbaab52dc8e94e54053a20ac38a9fc

APIs

SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 00444399
CreateFontIndirectA.GDI32(?), ref: 004443A6
GetStockObject.GDI32(0000000D), ref: 004443BC
SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 004443E5
CreateFontIndirectA.GDI32(?), ref: 004443F5
CreateFontIndirectA.GDI32(?), ref: 0044440E

Part of subcall function 00424A5C: MulDiv.KERNEL32(00000000,?,00000048), ref: 00424A69

GetStockObject.GDI32(0000000D), ref: 00444434

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482B34, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 84 Total matches: 10threadsleepmemory

Similarity

Total matches: 10
API ID: ExitThread$CreateThreadLocalAllocSleep
String ID: p)H
API String ID: 1498127831-2549212939
Opcode ID: 5fd7b773879454cb2e984670c3aa9a0c1db83b86d5d790d4145ccd7f391bc9b7
Instruction ID: 053b5e183048797674ca9cdb15cf17692ed61b26d4291f167cbfa930052dd689
Opcode Fuzzy Hash: 65F02E8147579427749271893D807631168A88B349DC47B618A393E5C35D0EB119F7C6
Instruction Fuzzy Hash: 053b5e183048797674ca9cdb15cf17692ed61b26d4291f167cbfa930052dd689

APIs

ExitThread.KERNEL32(00000000,00000000,00482BF9,?,00000000,00482C2E), ref: 00482BA4
LocalAlloc.KERNEL32(00000040,00000008,00000000,00482BF9,?,00000000,00482C2E), ref: 00482BAD
CreateThread.KERNEL32(00000000,00000000,Function_0008298C,00000000,00000000,?), ref: 00482BD6
Sleep.KERNEL32(00000064,00000000,00000000,Function_0008298C,00000000,00000000,?,00000040,00000008,00000000,00482BF9,?,00000000,00482C2E), ref: 00482BDD
ExitThread.KERNEL32(00000000,00000000,00482BF9,?,00000000,00482C2E), ref: 00482BEA

Strings

p)H, xrefs: 00482B48, 00482C1A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428A00, Relevance: 10.6, APIs: 7, Instructions: 66 Total matches: 3056

Similarity

Total matches: 3056
API ID: SelectObject$CreateCompatibleDCDeleteDCGetDCReleaseDCSetDIBColorTable
String ID:
API String ID: 2399757882-0
Opcode ID: e05996493a4a7703f1d90fd319a439bf5e8e75d5a5d7afaf7582bfea387cb30d
Instruction ID: 90c847b5b2251fbb5b2f14fd0b24f537c214c92e226752d9278a3821f2f40b8f
Opcode Fuzzy Hash: 73E0DF8626D8F38BE435399C15C2BB202EAD763D20D1ABBA1CD712B5DB6B09701CE107
Instruction Fuzzy Hash: 90c847b5b2251fbb5b2f14fd0b24f537c214c92e226752d9278a3821f2f40b8f

APIs

Part of subcall function 004262B4: GetObjectA.GDI32(?,00000004), ref: 004262CB
Part of subcall function 004262B4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 004262EE

GetDC.USER32(00000000), ref: 00428A3E
CreateCompatibleDC.GDI32(?), ref: 00428A4A
SelectObject.GDI32(?), ref: 00428A57
SetDIBColorTable.GDI32(?,00000000,00000000,?), ref: 00428A7B
SelectObject.GDI32(?,?), ref: 00428A95
DeleteDC.GDI32(?), ref: 00428A9E
ReleaseDC.USER32(00000000,?), ref: 00428AA9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004442A8, Relevance: 10.6, APIs: 7, Instructions: 57 Total matches: 3149threadwindow

Similarity

Total matches: 3149
API ID: SendMessage$GetCurrentThreadIdGetCursorPosGetWindowThreadProcessIdSetCursorWindowFromPoint
String ID:
API String ID: 3843227220-0
Opcode ID: 636f8612f18a75fc2fe2d79306f1978e6c2d0ee500cce15a656835efa53532b4
Instruction ID: 91a0691e93be75cbd792bc1c5d11451005bcc187603754b99125f381020161aa
Opcode Fuzzy Hash: 6FE07D44093723D5C0644A295640705A6C6CB96630DC0DB86C339580FBAD0214F0BC92
Instruction Fuzzy Hash: 91a0691e93be75cbd792bc1c5d11451005bcc187603754b99125f381020161aa

APIs

GetCursorPos.USER32 ref: 004442C3
WindowFromPoint.USER32(?,?), ref: 004442D0
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004442DE
GetCurrentThreadId.KERNEL32(00000000,00000000,?,?), ref: 004442E5
SendMessageA.USER32(00000000,00000084,00000000,?), ref: 0044430E
SendMessageA.USER32(00000000,00000020,00000000,?), ref: 00444320
SetCursor.USER32(00000000), ref: 00444332

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00404448, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 49 Total matches: 63registry

Similarity

Total matches: 63
API ID: RegCloseKeyRegOpenKeyExRegQueryValueEx
String ID: &$FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 2249749755-409351
Opcode ID: ab90adbf7b939076b4d26ef1005f34fa32d43ca05e29cbeea890055cc8b783db
Instruction ID: ce62e3bb234767a160e82b0d7d36def6f0e4d1aa0fd43ed305e6d49589b0b3e0
Opcode Fuzzy Hash: 58D02BE10C9A675FB6B071543292B6310A3F72AA8CC0077326DD03A0D64FD26178CF03
Instruction Fuzzy Hash: ce62e3bb234767a160e82b0d7d36def6f0e4d1aa0fd43ed305e6d49589b0b3e0

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040446A
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,&,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040449D
RegCloseKey.ADVAPI32(?,004044C0,00000000,?,00000004,00000000,&,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004044B3

Strings

&, xrefs: 00404476
FPUMaskValue, xrefs: 00404494
SOFTWARE\Borland\Delphi\RTL, xrefs: 00404460

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00488B18, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 49 Total matches: 15

Similarity

Total matches: 15
API ID: GetDeviceCaps$CreateDCEnumDisplayMonitors
String ID: DISPLAY$MONSIZE0x0x0x0
API String ID: 764351534-707749442
Opcode ID: 4ad1b1e031ca4c6641bd4b991acf5b812f9c7536f9f0cc4eb1e7d2354d8ae31a
Instruction ID: 74f5256f7b05cb3d54b39a8883d8df7c51a1bc5999892e39300c9a7f2f74089f
Opcode Fuzzy Hash: 94E0C24F6B8BE4A7600672443C237C2878AA6536918523721CB3E36A93DD472205BA15
Instruction Fuzzy Hash: 74f5256f7b05cb3d54b39a8883d8df7c51a1bc5999892e39300c9a7f2f74089f

APIs

CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 00488B3D
GetDeviceCaps.GDI32(00000000,00000008), ref: 00488B47
GetDeviceCaps.GDI32(00000000,0000000A), ref: 00488B54
EnumDisplayMonitors.USER32(00000000,00000000,004889F0,00000000), ref: 00488B85

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

DISPLAY, xrefs: 00488B6E
MONSIZE0x0x0x0, xrefs: 00488B8C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040F3A4, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 46 Total matches: 17

Similarity

Total matches: 17
API ID: FindResourceLoadResource
String ID: 0PI$DVCLAL
API String ID: 2359726220-2981686760
Opcode ID: 800224e7684f9999f87d4ef9ea60951ae4fbd73f3e4075522447f15a278b71b4
Instruction ID: dff53e867301dc3e22b70d9e69622cb382f13005f1a49077cfe6c5f33cacb54d
Opcode Fuzzy Hash: 8FD0C9D501084285852017F8B253FC7A2AB69DEB19D544BB05EB12D2076F5A613B6A46
Instruction Fuzzy Hash: dff53e867301dc3e22b70d9e69622cb382f13005f1a49077cfe6c5f33cacb54d

APIs

FindResourceA.KERNEL32(00400000,DVCLAL,0000000A), ref: 0040F3C1
LoadResource.KERNEL32(00400000,00000000,00400000,DVCLAL,0000000A), ref: 0040F3CF
FindResourceA.KERNEL32(00400000,DVCLAL,0000000A), ref: 0040F3F3
LoadResource.KERNEL32(00400000,00000000,00400000,DVCLAL,0000000A), ref: 0040F3FA

Strings

0PI, xrefs: 0040F3A8, 0040F3B9, 0040F3C7
DVCLAL, xrefs: 0040F3B4, 0040F3EA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00484B30, Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 176 Total matches: 11sleep

Similarity

Total matches: 11
API ID: Sleep
String ID: BTERRORDownload File| Error on downloading file check if you type the correct url...|$BTRESULTDownload File|Mass Download : File Downloaded , Executing new one in temp dir...|$BTRESULTMass Download|Downloading File...|$DownloadFail$DownloadSuccess
API String ID: 3472027048-992323826
Opcode ID: b42a1814c42657d3903e752c8e34c8bac9066515283203de396ee156d6a45bcc
Instruction ID: deaf5eb2465c82228c6b2b1c1dca6568de82910c53d4747ae395a037cbca2448
Opcode Fuzzy Hash: EA2181291B8DE4A7F43B295C2447B5B11119FC2A9AE8D6BB1377A3F0161A42D019723A
Instruction Fuzzy Hash: deaf5eb2465c82228c6b2b1c1dca6568de82910c53d4747ae395a037cbca2448

APIs

Part of subcall function 0048485C: InternetOpenA.WININET(Mozilla,00000001,00000000,00000000,00000000), ref: 0048490C
Part of subcall function 0048485C: InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,04000000,00000000), ref: 00484944
Part of subcall function 0048485C: HttpQueryInfoA.WININET(00000000,00000013,?,00000200,?), ref: 0048497D
Part of subcall function 0048485C: InternetReadFile.WININET(00000000,?,00000400,?), ref: 00484A04
Part of subcall function 0048485C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 00484A75
Part of subcall function 0048485C: InternetCloseHandle.WININET(00000000), ref: 00484A95

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Sleep.KERNEL32(000007D0,?,?,?,?,?,?,?,00000000,00484D9A,?,?,?,?,00000006,00000000), ref: 00484D38

Part of subcall function 00475BD8: closesocket.WSOCK32(00000248,00000000,00475D47,?,00000000,00475D76,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00475D2E
Part of subcall function 00475BD8: GetCurrentProcessId.KERNEL32(00000248,00000000,00475D47,?,00000000,00475D76,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00475D33

Strings

DownloadFail, xrefs: 00484CBC
BTRESULTMass Download|Downloading File...|, xrefs: 00484C52
BTERRORDownload File| Error on downloading file check if you type the correct url...|, xrefs: 00484D0C
BTRESULTDownload File|Mass Download : File Downloaded , Executing new one in temp dir...|, xrefs: 00484CEA
DownloadSuccess, xrefs: 00484CA2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043EC18, Relevance: 9.2, APIs: 6, Instructions: 150 Total matches: 2896

Similarity

Total matches: 2896
API ID: FillRect$BeginPaintEndPaintGetClientRectGetWindowRect
String ID:
API String ID: 2931688664-0
Opcode ID: 677a90f33c4a0bae1c1c90245e54b31fe376033ebf9183cf3cf5f44c7b342276
Instruction ID: 65c0a0a89661e183b73f48e61e48bee5eb6d6399339ac08e0e21072a38132552
Opcode Fuzzy Hash: 9711994A819E5007F47B49C40887BEA1092FBC1FDBCC8FF7025A426BCB0B60564F860B
Instruction Fuzzy Hash: 65c0a0a89661e183b73f48e61e48bee5eb6d6399339ac08e0e21072a38132552

APIs

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?), ref: 0043EC91
GetClientRect.USER32(00000000,?), ref: 0043ECBC
FillRect.USER32(?,?,00000000), ref: 0043ECDB

Part of subcall function 0043EB8C: CallWindowProcA.USER32(?,?,?,?,?), ref: 0043EBC6

Part of subcall function 0043B78C: GetWindowLongA.USER32(?,000000EC), ref: 0043B799
Part of subcall function 0043B78C: SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B7BC
Part of subcall function 0043B78C: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043B7CE

BeginPaint.USER32(?,?), ref: 0043ED53
GetWindowRect.USER32(?,?), ref: 0043ED80

Part of subcall function 0044EEA0: GetWindowOrgEx.GDI32(?), ref: 0044EEAE
Part of subcall function 0044EEA0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044EEC4

Part of subcall function 00455D50: BeginPaint.USER32(00000000,?), ref: 00455D7B
Part of subcall function 00455D50: SaveDC.GDI32(00000000), ref: 00455DB4
Part of subcall function 00455D50: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 00455E36
Part of subcall function 00455D50: RestoreDC.GDI32(00000000,00000000), ref: 00455E6C
Part of subcall function 00455D50: EndPaint.USER32(00000000,?), ref: 00455EA9

EndPaint.USER32(?,?), ref: 0043EDE0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00441160, Relevance: 9.1, APIs: 6, Instructions: 125 Total matches: 196

Similarity

Total matches: 196
API ID: ExcludeClipRectFillRectGetStockObjectRestoreDCSaveDCSetBkColor
String ID:
API String ID: 3049133588-0
Opcode ID: d6019f6cee828ac7391376ab126a0af33bb7a71103bbd3b8d69450c96d22d854
Instruction ID: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c
Opcode Fuzzy Hash: 54012444004F6253F4AB098428E7FA56083F721791CE4FF310786616C34A74615BAA07
Instruction Fuzzy Hash: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c

APIs

Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE

SaveDC.GDI32(?), ref: 004411AD
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00441234
GetStockObject.GDI32(00000004), ref: 00441256
FillRect.USER32(00000000,?,00000000), ref: 0044126F

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(00000000,00000000), ref: 004412BA

Part of subcall function 0042535C: FillRect.USER32(?,00000000,00000000), ref: 00425385

RestoreDC.GDI32(00000000,?), ref: 004412E5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004556F4, Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 353 Total matches: 9

Similarity

Total matches: 9
API ID: DefWindowProcGetCaptureSetWindowPos_TrackMouseEvent
String ID: zC
API String ID: 1140357208-2078053289
Opcode ID: 4b88ffa7e8dc9e0fc55dcf7c85635e39fbe2c17a2618d5290024c367d42a558d
Instruction ID: b57778f77ef7841f174bad60fd8f5a19220f360e114fd8f1822aba38cb5d359d
Opcode Fuzzy Hash: B2513154458FA692E4B3E0417AA3BD27026F7D178AC84EF3027D9224DB7F15B217AB07
Instruction Fuzzy Hash: b57778f77ef7841f174bad60fd8f5a19220f360e114fd8f1822aba38cb5d359d

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000077), ref: 004557E5
DefWindowProcA.USER32(00000000,?,?,?), ref: 00455AEF

Part of subcall function 0044D640: GetCapture.USER32 ref: 0044D640

_TrackMouseEvent.COMCTL32(00000010), ref: 00455A9D

Part of subcall function 00455640: GetCapture.USER32 ref: 00455653

Part of subcall function 004554F4: GetMessagePos.USER32 ref: 00455503
Part of subcall function 004554F4: GetKeyboardState.USER32(?), ref: 00455600

GetCapture.USER32 ref: 00455B5A

Part of subcall function 00451C28: GetKeyboardState.USER32(?), ref: 00451E90

Strings

zC, xrefs: 0045594E, 0045596C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446070, Relevance: 9.1, APIs: 6, Instructions: 99 Total matches: 165window

Similarity

Total matches: 165
API ID: DefWindowProcIsWindowEnabledSetActiveWindowSetFocusSetWindowPosShowWindow
String ID:
API String ID: 81093956-0
Opcode ID: 91e5e05e051b3e2f023c100c42454c78ad979d8871dc5c9cc7008693af0beda7
Instruction ID: aa6e88dcafe1d9e979c662542ea857fd259aca5c8034ba7b6c524572af4b0f27
Opcode Fuzzy Hash: C2F0DD0025452320F892A8044167FBA60622B5F75ACDCD3282197002AEEFE7507ABF14
Instruction Fuzzy Hash: aa6e88dcafe1d9e979c662542ea857fd259aca5c8034ba7b6c524572af4b0f27

APIs

Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773

SetActiveWindow.USER32(?), ref: 0044608F
ShowWindow.USER32(00000000,00000009), ref: 004460B4
IsWindowEnabled.USER32(00000000), ref: 004460D3
DefWindowProcA.USER32(?,00000112,0000F120,00000000), ref: 004460EC

Part of subcall function 00444C44: ShowWindow.USER32(?,00000006), ref: 00444C5F

SetWindowPos.USER32(?,00000000,00000000,?,?,00445ABE,00000000), ref: 00446132
SetFocus.USER32(00000000), ref: 00446180

Part of subcall function 0043FDB4: ShowWindow.USER32(00000000,?), ref: 0043FDEA

Part of subcall function 00445490: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000213), ref: 004454DE

Part of subcall function 004455EC: EnumWindows.USER32(00445518,00000000), ref: 00445620
Part of subcall function 004455EC: ShowWindow.USER32(?,00000000), ref: 00445655
Part of subcall function 004455EC: ShowOwnedPopups.USER32(00000000,?), ref: 00445684
Part of subcall function 004455EC: ShowWindow.USER32(?,00000005), ref: 004456EA
Part of subcall function 004455EC: ShowOwnedPopups.USER32(00000000,?), ref: 00445719

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426564, Relevance: 9.1, APIs: 6, Instructions: 84 Total matches: 3298

Similarity

Total matches: 3298
API ID: GetDeviceCapsGetSystemMetrics$GetDCReleaseDC
String ID:
API String ID: 3173458388-0
Opcode ID: fd9f4716da230ae71bf1f4ec74ceb596be8590d72bfe1d7677825fa15454f496
Instruction ID: 76208f8db54bfa31a4e946745ab37a866a8afca9cd7e1400b1f436bf5add317d
Opcode Fuzzy Hash: 0CF09E4906CDE0A230E245C41213F6290C28E85DA1CCD2F728175646EB900A900BB68A
Instruction Fuzzy Hash: 76208f8db54bfa31a4e946745ab37a866a8afca9cd7e1400b1f436bf5add317d

APIs

GetSystemMetrics.USER32(0000000B), ref: 004265B2
GetSystemMetrics.USER32(0000000C), ref: 004265BE
GetDC.USER32(00000000), ref: 004265DA
GetDeviceCaps.GDI32(00000000,0000000E), ref: 00426601
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042660E
ReleaseDC.USER32(00000000,00000000), ref: 00426647

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004269DC, Relevance: 9.1, APIs: 6, Instructions: 65 Total matches: 3081window

Similarity

Total matches: 3081
API ID: SelectPalette$CreateCompatibleDCDeleteDCGetDIBitsRealizePalette
String ID:
API String ID: 940258532-0
Opcode ID: c5678bed85b02f593c88b8d4df2de58c18800a354d7fb4845608846d7bc0f30b
Instruction ID: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194
Opcode Fuzzy Hash: BCE0864D058EF36F1875B08C25D267100C0C9A25D0917BB6151282339B8F09B42FE553
Instruction Fuzzy Hash: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194

APIs

Part of subcall function 00426888: GetObjectA.GDI32(?,00000054), ref: 0042689C

CreateCompatibleDC.GDI32(00000000), ref: 004269FE
SelectPalette.GDI32(?,?,00000000), ref: 00426A1F
RealizePalette.GDI32(?), ref: 00426A2B
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 00426A42
SelectPalette.GDI32(?,00000000,00000000), ref: 00426A6A
DeleteDC.GDI32(?), ref: 00426A73

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426210, Relevance: 9.1, APIs: 6, Instructions: 56 Total matches: 3064window

Similarity

Total matches: 3064
API ID: SelectObject$CreateCompatibleDCCreatePaletteDeleteDCGetDIBColorTable
String ID:
API String ID: 2522673167-0
Opcode ID: 8f0861977a40d6dd0df59c1c8ae10ba78c97ad85d117a83679491ebdeecf1838
Instruction ID: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265
Opcode Fuzzy Hash: 23E0CD8BABB4E08A797B9EA40440641D28F874312DF4347525731780E7DE0972EBFD9D
Instruction Fuzzy Hash: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265

APIs

CreateCompatibleDC.GDI32(00000000), ref: 00426229
SelectObject.GDI32(00000000,00000000), ref: 00426232
GetDIBColorTable.GDI32(00000000,00000000,00000100,?), ref: 00426246
SelectObject.GDI32(00000000,00000000), ref: 00426252
DeleteDC.GDI32(00000000), ref: 00426258
CreatePalette.GDI32 ref: 0042629F

Part of subcall function 00426178: GetDC.USER32(00000000), ref: 00426190
Part of subcall function 00426178: GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
Part of subcall function 00426178: ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004258EC, Relevance: 9.0, APIs: 6, Instructions: 43 Total matches: 3205

Similarity

Total matches: 3205
API ID: SetBkColorSetBkMode$SelectObjectUnrealizeObject
String ID:
API String ID: 865388446-0
Opcode ID: ffaa839b37925f52af571f244b4bcc9ec6d09047a190f4aa6a6dd435522a71e3
Instruction ID: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d
Opcode Fuzzy Hash: 04D09E594221F71A98E8058442D7D520586497D532DAF3B51063B173F7F8089A05D9FC
Instruction Fuzzy Hash: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d

APIs

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

UnrealizeObject.GDI32(00000000), ref: 004258F8
SelectObject.GDI32(?,00000000), ref: 0042590A
SetBkColor.GDI32(?,00000000), ref: 0042592D
SetBkMode.GDI32(?,00000002), ref: 00425938

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(?,00000000), ref: 00425953
SetBkMode.GDI32(?,00000001), ref: 0042595E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042A930, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 112 Total matches: 272window

Similarity

Total matches: 272
API ID: CreateHalftonePaletteDeleteObjectGetDCReleaseDC
String ID: (
API String ID: 5888407-3887548279
Opcode ID: 4e22601666aff46a46581565b5bf303763a07c2fd17868808ec6dd327d665c82
Instruction ID: f57f3c124764741b0e8e00b5455ad9be4a6e3969f543885727e4b1f2e22c0620
Opcode Fuzzy Hash: 79019E5241CC6117F8D7A6547852F732644AB806A5C80FB707B69BA8CFAB85610EB90B
Instruction Fuzzy Hash: f57f3c124764741b0e8e00b5455ad9be4a6e3969f543885727e4b1f2e22c0620

APIs

GetDC.USER32(00000000), ref: 0042A9EC
CreateHalftonePalette.GDI32(00000000), ref: 0042A9F9
ReleaseDC.USER32(00000000,00000000), ref: 0042AA08
DeleteObject.GDI32(00000000), ref: 0042AA76

Strings

(, xrefs: 0042A9A3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DA48, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 102 Total matches: 32

Similarity

Total matches: 32
API ID: Netbios
String ID: %.2x-%.2x-%.2x-%.2x-%.2x-%.2x$3$memory allocation failed!
API String ID: 544444789-2654533857
Opcode ID: 22deb5ba4c8dd5858e69645675ac88c4b744798eed5cc2a6ae80ae5365d1f156
Instruction ID: 205d53b38d78d2d0723284a20418f6a6cc2e9f6e34ee92e133a3f4b1a01c78c5
Opcode Fuzzy Hash: FC0145449793E233D2635E086C60F6823228F41731FC96B56863A557DC1F09420EF26F
Instruction Fuzzy Hash: 205d53b38d78d2d0723284a20418f6a6cc2e9f6e34ee92e133a3f4b1a01c78c5

APIs

Netbios.NETAPI32(00000032), ref: 0048DA8A
Netbios.NETAPI32(00000033), ref: 0048DB01

Strings

3, xrefs: 0048DACB
memory allocation failed!, xrefs: 0048DAEB
%.2x-%.2x-%.2x-%.2x-%.2x-%.2x, xrefs: 0048DBA0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446EDC, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 98 Total matches: 12timethreadwindow

Similarity

Total matches: 12
API ID: GetCurrentThreadIdSetTimerWaitMessage
String ID: 4PI$TfD
API String ID: 3709936073-2665388893
Opcode ID: a96b87b76615ec2f6bd9a49929a256f28b564bdc467e68e118c3deca706b2d51
Instruction ID: b92290f9b4a80c848b093905c5717a31533565e16cff7f57329368dd8290fbf7
Opcode Fuzzy Hash: E2F0A28141CDF053D573A6183401FD120A6F3465D5CD097723768360EE1ADF603DE14B
Instruction Fuzzy Hash: b92290f9b4a80c848b093905c5717a31533565e16cff7f57329368dd8290fbf7

APIs

Part of subcall function 00446E50: GetCursorPos.USER32 ref: 00446E57

SetTimer.USER32(00000000,00000000,?,00446E74), ref: 00446FAB

Part of subcall function 00446DEC: IsWindowVisible.USER32(00000000), ref: 00446E24
Part of subcall function 00446DEC: IsWindowEnabled.USER32(00000000), ref: 00446E35

GetCurrentThreadId.KERNEL32(00000000,00447029,?,?,?,015B8130), ref: 00446FE5
WaitMessage.USER32 ref: 00447009

Part of subcall function 0041F7B4: GetCurrentThreadId.KERNEL32 ref: 0041F7BF
Part of subcall function 0041F7B4: GetCurrentThreadId.KERNEL32 ref: 0041F7CE
Part of subcall function 0041F7B4: EnterCriticalSection.KERNEL32(004999D0), ref: 0041F813
Part of subcall function 0041F7B4: InterlockedExchange.KERNEL32(00491B2C,?), ref: 0041F82F
Part of subcall function 0041F7B4: LeaveCriticalSection.KERNEL32(004999D0,00000000,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F888
Part of subcall function 0041F7B4: EnterCriticalSection.KERNEL32(004999D0,0041F904,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F8F7

Strings

TfD, xrefs: 00446EFE, 00446F08, 00446F59, 00446F81, 00446FBE, 00446F8E, 00446F69, 00446F6C, 00446F14, 00446F1D
4PI, xrefs: 00446FEA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482320, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85 Total matches: 19threadsleep

Similarity

Total matches: 19
API ID: CreateThreadExitThreadSleep
String ID: @$BTRESULTUDP Flood|UDP Flood task finished!|
API String ID: 2170526433-696998096
Opcode ID: 89b2bcb3a41e7f4c01433908cc75e320bbcd6b665df0f15f136d145bd92b223a
Instruction ID: ba785c08286949be7b8d16e5cc6bc2a647116c61844ba5f345475ef84eb05628
Opcode Fuzzy Hash: F0F02B696BCAA1DFE8075C446C42B9B2054DBC740EDCBA7B2261B235819A4A34073F13
Instruction Fuzzy Hash: ba785c08286949be7b8d16e5cc6bc2a647116c61844ba5f345475ef84eb05628

APIs

Sleep.KERNEL32(00000064,?,00000000,00482455), ref: 004823D3
CreateThread.KERNEL32(00000000,00000000,Function_000821A0,00000000,00000000,?), ref: 004823E8

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000,00000000,00000000,Function_000821A0,00000000,00000000,?,00000064,?,00000000,00482455), ref: 0048242B

Strings

@, xrefs: 004823BE
BTRESULTUDP Flood|UDP Flood task finished!|, xrefs: 00482417

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004827C4, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85 Total matches: 19threadsleep

Similarity

Total matches: 19
API ID: CreateThreadExitThreadSleep
String ID: @$BTRESULTSyn Flood|Syn task finished!|
API String ID: 2170526433-491318438
Opcode ID: 44470ceb4039b0deeebf49dfd608d8deeadfb9ebb9d7d747ae665e3d160d324e
Instruction ID: 0c48cfc9b202c7a9406c9b87cea66b669ffe7f04b2bdabee49179f6eebcccd33
Opcode Fuzzy Hash: 17F02B24A7D9B5DFEC075D402D42BDB6254EBC784EDCAA7B29257234819E1A30037713
Instruction Fuzzy Hash: 0c48cfc9b202c7a9406c9b87cea66b669ffe7f04b2bdabee49179f6eebcccd33

APIs

Sleep.KERNEL32(00000064,?,00000000,004828F9), ref: 00482877
CreateThread.KERNEL32(00000000,00000000,Function_00082630,00000000,00000000,?), ref: 0048288C

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000,00000000,00000000,Function_00082630,00000000,00000000,?,00000064,?,00000000,004828F9), ref: 004828CF

Strings

BTRESULTSyn Flood|Syn task finished!|, xrefs: 004828BB
@, xrefs: 00482862

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00483858, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85 Total matches: 19threadsleep

Similarity

Total matches: 19
API ID: CreateThreadExitThreadSleep
String ID: @$BTRESULTHTTP Flood|Http Flood task finished!|
API String ID: 2170526433-4253556105
Opcode ID: ce1973b24f73c03e98cc87b7d8b3c5c1d23a0e8b985775cb0889d2fdef58f970
Instruction ID: 21c0fad9eccbf28bfd57fbbbc49df069a42e3d2ebba60de991032031fecca495
Opcode Fuzzy Hash: 5DF0F61467DBA0AFEC476D403852FDB6254DBC344EDCAA7B2961B234919A0B50072752
Instruction Fuzzy Hash: 21c0fad9eccbf28bfd57fbbbc49df069a42e3d2ebba60de991032031fecca495

APIs

Sleep.KERNEL32(00000064,?,00000000,0048398D), ref: 0048390B
CreateThread.KERNEL32(00000000,00000000,Function_000836D8,00000000,00000000,?), ref: 00483920

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000,00000000,00000000,Function_000836D8,00000000,00000000,?,00000064,?,00000000,0048398D), ref: 00483963

Strings

@, xrefs: 004838F6
BTRESULTHTTP Flood|Http Flood task finished!|, xrefs: 0048394F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00431630, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68 Total matches: 12clipboard

Similarity

Total matches: 12
API ID: EnumClipboardFormatsGetClipboardData
String ID: 84B
API String ID: 3474394156-4139892337
Opcode ID: cbdc4fb4fee60523561006c9190bf0aca0ea1a398c4033ec61a61d99ebad6b44
Instruction ID: f1c5519afed1b0c95f7f2342b940afc2bc63d918938f195d0c151ba0fb7a00cb
Opcode Fuzzy Hash: 42E0D8922359D127F8C2A2903882B52360966DA6488405B709B6D7D1575551512FF28B
Instruction Fuzzy Hash: f1c5519afed1b0c95f7f2342b940afc2bc63d918938f195d0c151ba0fb7a00cb

APIs

EnumClipboardFormats.USER32(00000000), ref: 00431657
GetClipboardData.USER32(00000000), ref: 00431677
GetClipboardData.USER32(00000009), ref: 00431680
EnumClipboardFormats.USER32(00000000), ref: 0043169F

Strings

84B, xrefs: 00431665

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EA7C, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50 Total matches: 198thread

Similarity

Total matches: 198
API ID: FindWindowExGetCurrentThreadIdGetWindowThreadProcessIdIsWindow
String ID: OleMainThreadWndClass
API String ID: 201132107-3883841218
Opcode ID: cdbacb71e4e8a6832b821703e69153792bbbb8731c9381be4d3b148a6057b293
Instruction ID: 62358f18f5a79d764869bf2b093b0b3ccaeb62bda00a46bd1094c38cdaeeb6b7
Opcode Fuzzy Hash: F8E08C9266CC1095C039EA1C7A2237A3548B7D24E9ED4DB747BEB2716CEF00022A7780
Instruction Fuzzy Hash: 62358f18f5a79d764869bf2b093b0b3ccaeb62bda00a46bd1094c38cdaeeb6b7

APIs

Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00000000,00403029), ref: 004076AD
Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00403029), ref: 004076BE

IsWindow.USER32(?), ref: 0042EA99
FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
GetCurrentThreadId.KERNEL32(?,00000000,00000000,00000000,OleMainThreadWndClass,00000000,?,?,00000000,0042EB52), ref: 0042EB0A

Strings

OleMainThreadWndClass, xrefs: 0042EAC3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043F914, Relevance: 7.7, APIs: 5, Instructions: 174 Total matches: 113window

Similarity

Total matches: 113
API ID: SetMenu$GetMenuSetWindowPos
String ID:
API String ID: 2285096500-0
Opcode ID: d0722823978f30f9d251a310f9061108e88e98677dd122370550f2cde24528f3
Instruction ID: e705ced47481df034b79e2c10a9e9c5239c9913cd23e0c77b7b1ec0a0db802ed
Opcode Fuzzy Hash: 5F118B40961E1266F846164C19EAF1171E6BB9D305CC4E72083E630396BE085027E773
Instruction Fuzzy Hash: e705ced47481df034b79e2c10a9e9c5239c9913cd23e0c77b7b1ec0a0db802ed

APIs

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetMenu.USER32(00000000), ref: 0043FA38
SetMenu.USER32(00000000,00000000), ref: 0043FA55
SetMenu.USER32(00000000,00000000), ref: 0043FA8A
SetMenu.USER32(00000000,00000000), ref: 0043FAA6

Part of subcall function 0043F84C: GetMenu.USER32(00000000), ref: 0043F892
Part of subcall function 0043F84C: SendMessageA.USER32(00000000,00000230,00000000,00000000), ref: 0043F8AA
Part of subcall function 0043F84C: DrawMenuBar.USER32(00000000), ref: 0043F8BB

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043FAED

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434AE4, Relevance: 7.7, APIs: 5, Instructions: 168 Total matches: 2874

Similarity

Total matches: 2874
API ID: DrawTextOffsetRect$DrawEdge
String ID:
API String ID: 1230182654-0
Opcode ID: 4033270dfa35f51a11e18255a4f5fd5a4a02456381e8fcea90fa62f052767fcc
Instruction ID: 6b9e5ef3b45a4a7d0cb501c9f56a29ead01efbe1e1581f942ef4c6a165ab8663
Opcode Fuzzy Hash: A511CB01114D5A93E431240815A7FEF1295FBC1A9BCD4BB71078636DBB2F481017EA7B
Instruction Fuzzy Hash: 6b9e5ef3b45a4a7d0cb501c9f56a29ead01efbe1e1581f942ef4c6a165ab8663

APIs

DrawEdge.USER32(00000000,?,00000006,00000002), ref: 00434BB3
OffsetRect.USER32(?,00000001,00000001), ref: 00434C04
DrawTextA.USER32(00000000,00000000,?,?,?), ref: 00434C3D
OffsetRect.USER32(?,000000FF,000000FF), ref: 00434C4A

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

DrawTextA.USER32(00000000,00000000,?,?,?), ref: 00434CB5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00473208, Relevance: 7.6, APIs: 5, Instructions: 114 Total matches: 15network

Similarity

Total matches: 15
API ID: inet_ntoa$WSAIoctlclosesocketsocket
String ID:
API String ID: 2271367613-0
Opcode ID: 03e2a706dc22aa37b7c7fcd13714bf4270951a4113eb29807a237e9173ed7bd6
Instruction ID: 676ba8df3318004e6f71ddf2b158507320f00f5068622334a9372202104f6e6f
Opcode Fuzzy Hash: A0F0AC403B69D14384153BC72A80F5971A2872F33ED4833999230986D7984CA018F529
Instruction Fuzzy Hash: 676ba8df3318004e6f71ddf2b158507320f00f5068622334a9372202104f6e6f

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00473339), ref: 0047323B
WSAIoctl.WS2_32(000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000), ref: 0047327C
inet_ntoa.WSOCK32(?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000), ref: 004732AC
inet_ntoa.WSOCK32(?,?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001), ref: 004732E8
closesocket.WSOCK32(000000FF,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000,00000000,00473339), ref: 00473319

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004455EC, Relevance: 7.6, APIs: 5, Instructions: 109 Total matches: 230

Similarity

Total matches: 230
API ID: ShowOwnedPopupsShowWindow$EnumWindows
String ID:
API String ID: 1268429734-0
Opcode ID: 27bb45b2951756069d4f131311b8216febb656800ffc3f7147a02f570a82fa35
Instruction ID: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc
Opcode Fuzzy Hash: 70012B5524E87325E2756D54B01C765A2239B0FF08CE6C6654AAE640F75E1E0132F78D
Instruction Fuzzy Hash: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc

APIs

EnumWindows.USER32(00445518,00000000), ref: 00445620
ShowWindow.USER32(?,00000000), ref: 00445655
ShowOwnedPopups.USER32(00000000,?), ref: 00445684
ShowWindow.USER32(?,00000005), ref: 004456EA
ShowOwnedPopups.USER32(00000000,?), ref: 00445719

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EB3C, Relevance: 7.6, APIs: 5, Instructions: 86 Total matches: 211window

Similarity

Total matches: 211
API ID: DispatchMessageMsgWaitForMultipleObjectsExPeekMessageTranslateMessageWaitForMultipleObjectsEx
String ID:
API String ID: 1615661765-0
Opcode ID: ed928f70f25773e24e868fbc7ee7d77a1156b106903410d7e84db0537b49759f
Instruction ID: 55a40452e6c929106030349fb2bc1598364ce2fc4e781c2a916e8f687fa462b2
Opcode Fuzzy Hash: DDF05C09614F1D16D8BB88644562B1B2144AB42397C26BFA5529EE3B2D6B18B00AF640
Instruction Fuzzy Hash: 55a40452e6c929106030349fb2bc1598364ce2fc4e781c2a916e8f687fa462b2

APIs

Part of subcall function 0042EA7C: IsWindow.USER32(?), ref: 0042EA99
Part of subcall function 0042EA7C: FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
Part of subcall function 0042EA7C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
Part of subcall function 0042EA7C: GetCurrentThreadId.KERNEL32(?,00000000,00000000,00000000,OleMainThreadWndClass,00000000,?,?,00000000,0042EB52), ref: 0042EB0A

MsgWaitForMultipleObjectsEx.USER32(?,?,?,000000BF,?), ref: 0042EB6A
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 0042EB85
TranslateMessage.USER32(?), ref: 0042EB92
DispatchMessageA.USER32(?), ref: 0042EB9B
WaitForMultipleObjectsEx.KERNEL32(?,?,?,?,00000000), ref: 0042EBC7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434924, Relevance: 7.6, APIs: 5, Instructions: 77 Total matches: 2509window

Similarity

Total matches: 2509
API ID: GetMenuItemCount$DestroyMenuGetMenuStateRemoveMenu
String ID:
API String ID: 4240291783-0
Opcode ID: 32de4ad86fdb0cc9fc982d04928276717e3a5babd97d9cb0bc7430a9ae97d0ca
Instruction ID: cf6877f9ad33401498591f2bf6e6844a5ca439f59e89e6fdb213c81f0c010526
Opcode Fuzzy Hash: 6BE02BD3455E4703F425AB0454E3FA913C4AF51716DA0DB1017359D07B1F26501FE9F4
Instruction Fuzzy Hash: cf6877f9ad33401498591f2bf6e6844a5ca439f59e89e6fdb213c81f0c010526

APIs

Part of subcall function 00434A54: CreatePopupMenu.USER32 ref: 00434A6F
Part of subcall function 00434A54: CreateMenu.USER32 ref: 00434A79

GetMenuItemCount.USER32(00000000), ref: 0043495C
GetMenuState.USER32(00000000,-00000001,00000400), ref: 0043497D
RemoveMenu.USER32(00000000,-00000001,00000400), ref: 00434994
GetMenuItemCount.USER32(00000000), ref: 004349C4
DestroyMenu.USER32(00000000), ref: 004349D1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00443430, Relevance: 7.6, APIs: 5, Instructions: 61 Total matches: 3003

Similarity

Total matches: 3003
API ID: SetWindowLong$GetWindowLongRedrawWindowSetLayeredWindowAttributes
String ID:
API String ID: 3761630487-0
Opcode ID: 9c9d49d1ef37d7cb503f07450c0d4a327eb9b2b4778ec50dcfdba666c10abcb3
Instruction ID: c6d9d2cd31c241e86b7d90949bf59b5cad1e27a78e0073c3828bbb8e9ec94880
Opcode Fuzzy Hash: 6AE06550D41703A1D48114945B63FBBE8817F8911DDE5C71001BA29145BA88A192FF7B
Instruction Fuzzy Hash: c6d9d2cd31c241e86b7d90949bf59b5cad1e27a78e0073c3828bbb8e9ec94880

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 00443464
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 00443496
SetLayeredWindowAttributes.USER32(00000000,?,?,00000000), ref: 004434CF
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 004434E8
RedrawWindow.USER32(00000000,00000000,00000000,00000485), ref: 004434FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426178, Relevance: 7.6, APIs: 5, Instructions: 55 Total matches: 3070window

Similarity

Total matches: 3070
API ID: GetPaletteEntries$GetDCGetDeviceCapsReleaseDC
String ID:
API String ID: 1267235336-0
Opcode ID: 49f91625e0dd571c489fa6fdad89a91e8dd79834746e98589081ca7a3a4fea17
Instruction ID: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836
Opcode Fuzzy Hash: 7CD0C2AA1389DBD6BD6A17842352A4553478983B09D126B32EB0822872850C5039FD1F
Instruction Fuzzy Hash: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836

APIs

GetDC.USER32(00000000), ref: 00426190
GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444B90, Relevance: 7.5, APIs: 5, Instructions: 25 Total matches: 2957synchronizationthread

Similarity

Total matches: 2957
API ID: CloseHandleGetCurrentThreadIdSetEventUnhookWindowsHookExWaitForSingleObject
String ID:
API String ID: 3442057731-0
Opcode ID: bc40a7f740796d43594237fc13166084f8c3b10e9e48d5138e47e82ca7129165
Instruction ID: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1
Opcode Fuzzy Hash: E9C01296B2C9B0C1EC809712340202800B20F8FC590E3DE0509D7363005315D73CD92C
Instruction Fuzzy Hash: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1

APIs

UnhookWindowsHookEx.USER32(00000000), ref: 00444B9F
SetEvent.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBA
GetCurrentThreadId.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBF
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00444BD4
CloseHandle.KERNEL32(00000000), ref: 00444BDF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040D670, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148 Total matches: 3566thread

Similarity

Total matches: 3566
API ID: GetThreadLocale
String ID: eeee$ggg$yyyy
API String ID: 1366207816-1253427255
Opcode ID: 86fa1fb3c1f239f42422769255d2b4db7643f856ec586a18d45da068e260c20e
Instruction ID: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436
Opcode Fuzzy Hash: 3911BD8712648363D5722818A0D2BE3199C5703CA4EA89742DDB6356EA7F09440BEE6D
Instruction Fuzzy Hash: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436

APIs

GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Strings

eeee, xrefs: 0040D7AE
yyyy, xrefs: 0040D795
ggg, xrefs: 0040D785

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00448CDC, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 128 Total matches: 12

Similarity

Total matches: 12
API ID: ImageList_Draw$ImageList_GetImageCount
String ID: 6B
API String ID: 3589308897-1343726390
Opcode ID: 2690fd2ca55b1b65e67941613c6303a21faec12a0278fdf56c2d44981dc0a60c
Instruction ID: bb1a6af48a08526224ce615e4789a1aefef0bbae6c761038034d4d1812f59c35
Opcode Fuzzy Hash: D8017B814A5DA09FF93335842AE32BB204AE757E4ACCC3FF13684275C78420722BB613
Instruction Fuzzy Hash: bb1a6af48a08526224ce615e4789a1aefef0bbae6c761038034d4d1812f59c35

APIs

ImageList_GetImageCount.COMCTL32(?,?,?,00000000,00448E75), ref: 00448D9D

Part of subcall function 0042535C: FillRect.USER32(?,00000000,00000000), ref: 00425385

ImageList_Draw.COMCTL32(?,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000,00448E75), ref: 00448DDF
ImageList_Draw.COMCTL32(?,00000000,00000000,00000000,00000000,00000010,?,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 00448E0E

Part of subcall function 004488AC: ImageList_Add.COMCTL32(?,00000000,00000000,00000000,0044893E,?,00000000,0044895B), ref: 00448920

Strings

6B, xrefs: 00448D1F, 00448D58

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486094, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 112 Total matches: 15window

Similarity

Total matches: 15
API ID: DispatchMessagePeekMessageTranslateMessage
String ID: @^H
API String ID: 185851025-3554995626
Opcode ID: 2132e19746abd73b79cebe2d4e6b891fdd392e5cfbbdda1538f9754c05474f80
Instruction ID: eb76ea1802a2b415b8915c5eabc8b18207f4e99a378ecd2f436d0820f5175207
Opcode Fuzzy Hash: FF019C4102C7C1D9EE46E4FD3030BC3A454A74A7A6D89A7A03EFD1116A5F8A7116BF2B
Instruction Fuzzy Hash: eb76ea1802a2b415b8915c5eabc8b18207f4e99a378ecd2f436d0820f5175207

APIs

Part of subcall function 00485EAC: shutdown.WSOCK32(00000000,00000002), ref: 00485F0E
Part of subcall function 00485EAC: closesocket.WSOCK32(00000000,00000000,00000002), ref: 00485F19

Part of subcall function 00485F40: socket.WSOCK32(00000002,00000001,00000000,00000000,00486072), ref: 00485F69
Part of subcall function 00485F40: ntohs.WSOCK32(00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485F8F
Part of subcall function 00485F40: inet_addr.WSOCK32(015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FA0
Part of subcall function 00485F40: gethostbyname.WSOCK32(015EAA88,015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FB5
Part of subcall function 00485F40: connect.WSOCK32(00000000,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FD8
Part of subcall function 00485F40: recv.WSOCK32(00000000,0049A3A0,00001FFF,00000000,00000000,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FEF
Part of subcall function 00485F40: recv.WSOCK32(00000000,0049A3A0,00001FFF,00000000,00000000,0049A3A0,00001FFF,00000000,00000000,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000), ref: 0048603F

Part of subcall function 00466AFC: waveInOpen.WINMM(00000094,00000000,?,?,00000000,00010004), ref: 00466B36
Part of subcall function 00466AFC: waveInStart.WINMM(?), ref: 00466B5B

TranslateMessage.USER32(?), ref: 004861CA
DispatchMessageA.USER32(?), ref: 004861D0
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004861DE

Strings

@^H, xrefs: 004860BE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F5E4, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72 Total matches: 26window

Similarity

Total matches: 26
API ID: GetWindowPlacementGetWindowTextIsWindowVisible
String ID: ,
API String ID: 41250382-3772416878
Opcode ID: d98ece8bad481757d152ad7594c705093dec75069e9b5f9ec314c4d81001c558
Instruction ID: 1b57460ef1e40e225087e69e669dd845b9a56fe4f5442601256b4cdd4d0865f6
Opcode Fuzzy Hash: DBE0ABC68782816BD907FDCCB0207E6E1E4779394CC8CBB32C606396E44D92000DCE69
Instruction Fuzzy Hash: 1b57460ef1e40e225087e69e669dd845b9a56fe4f5442601256b4cdd4d0865f6

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F634
GetWindowPlacement.USER32(?,0000002C), ref: 0046F64F
IsWindowVisible.USER32(?), ref: 0046F655

Strings

,, xrefs: 0046F643

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00473448, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 68 Total matches: 15network

Similarity

Total matches: 15
API ID: InternetConnectInternetOpen
String ID: 84G$DCSC
API String ID: 2368555255-1372800958
Opcode ID: 53ce43b2210f5c6ad3b551091bc6b8bee07640da22ed1286f4ed4d69da6ab12a
Instruction ID: e0797c740093838c5f4dac2a7ddd4939bcbe40ebc838de26f806c335dc33f113
Opcode Fuzzy Hash: 1AF0558C09DC81CBED14B5C83C827C7281AB357949E003B91161A372C3DF0A6174FA4F
Instruction Fuzzy Hash: e0797c740093838c5f4dac2a7ddd4939bcbe40ebc838de26f806c335dc33f113

APIs

InternetOpenA.WININET(DCSC,00000000,00000000,00000000,00000000), ref: 00473493
InternetConnectA.WININET(00000000,00000000,00000000,00000000,00000000,00000001,08000000,00000000), ref: 004734D9

Strings

DCSC, xrefs: 0047348E
84G, xrefs: 00473468, 0047350F, 004734AF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00485150, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64 Total matches: 24registry

Similarity

Total matches: 24
API ID: RegCloseKeyRegOpenKeyRegSetValueEx
String ID: Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 551737238-1428018034
Opcode ID: 03d06dea9a4ea131a8c95bd501c85e7d0b73df60e0a15cb9a2dd1ac9fe2d308f
Instruction ID: 259808f008cd29689f11a183a475b32bbb219f99a0f83129d86369365ce9f44d
Opcode Fuzzy Hash: 15E04F8517EAE2ABA996B5C838866F7609A9713790F443FB19B742F18B4F04601CE243
Instruction Fuzzy Hash: 259808f008cd29689f11a183a475b32bbb219f99a0f83129d86369365ce9f44d

APIs

RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 00485199
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,?,00000000,004851DE,?,00000000,0048520A), ref: 004851C6
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,?,00000000,004851DE,?,00000000,0048520A), ref: 004851CF

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 0048518F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004606CC, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 59 Total matches: 75network

Similarity

Total matches: 75
API ID: gethostbynameinet_addr
String ID: %d.%d.%d.%d$0.0.0.0
API String ID: 1594361348-464342551
Opcode ID: 7e59b623bdbf8c44b8bb58eaa9a1d1e7bf08be48a025104469b389075155053e
Instruction ID: 136b4077bafd549567cd44b702fc781b2d0bdeab701521d256d746d30229b047
Opcode Fuzzy Hash: 62E0D84049F633C28038E685914DF713041C71A2DEF8F9352022171EF72B096986AE3F
Instruction Fuzzy Hash: 136b4077bafd549567cd44b702fc781b2d0bdeab701521d256d746d30229b047

APIs

inet_addr.WSOCK32(00000000), ref: 004606F6
gethostbyname.WSOCK32(00000000), ref: 00460711

Strings

%d.%d.%d.%d, xrefs: 0046075E
0.0.0.0, xrefs: 0046076C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043804C, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58 Total matches: 1778window

Similarity

Total matches: 1778
API ID: DrawMenuBarGetMenuItemInfoSetMenuItemInfo
String ID: P
API String ID: 41131186-3110715001
Opcode ID: ea0fd48338f9c30b58f928f856343979a74bbe7af1b6c53973efcbd39561a32d
Instruction ID: eec9c326b6739cd85be96541f469f9b321a478421ae7c7aca53e0c239bd8eefe
Opcode Fuzzy Hash: C8E0C0C1064C1301CCACB4938564F010221FB8B33CDD1D3C051602419A9D0080D4BFFA
Instruction Fuzzy Hash: eec9c326b6739cd85be96541f469f9b321a478421ae7c7aca53e0c239bd8eefe

APIs

GetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 0043809A
SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 004380EC
DrawMenuBar.USER32(00000000), ref: 004380F9

Strings

P, xrefs: 0043808C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474E20, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51 Total matches: 17synchronizationthreadinjection

Similarity

Total matches: 17
API ID: CreateRemoteThreadReadProcessMemoryWaitForSingleObject
String ID: DCPERSFWBP
API String ID: 972516186-2425095734
Opcode ID: c4bd10bfc42c7bc3ca456a767018bd77f736aecaa9343146970cff40bb4593b6
Instruction ID: 075115d4d80338f80b59a5c3f9ea77aa0f3a1cab00edb24ce612801bf173fcc5
Opcode Fuzzy Hash: 63D0A70B97094A56102D348D54027154341A601775EC177E38E36873F719C17051F85E
Instruction Fuzzy Hash: 075115d4d80338f80b59a5c3f9ea77aa0f3a1cab00edb24ce612801bf173fcc5

APIs

Part of subcall function 00474DF0: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,00475328,?,?,00474E3D,DCPERSFWBP,?,?), ref: 00474E06
Part of subcall function 00474DF0: WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,00000000,?,00003000,00000040,?,?,00475328,?,?,00474E3D), ref: 00474E12

CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00474E5E
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00474E6E
ReadProcessMemory.KERNEL32(?,00000000,?,?,?,DCPERSFWBP,?,?), ref: 00474E81

Strings

DCPERSFWBP, xrefs: 00474E28

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C3E4, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47 Total matches: 32libraryloader

Similarity

Total matches: 32
API ID: FreeLibraryGetProcAddressLoadLibrary
String ID: _DCEntryPoint
API String ID: 2438569322-2130044969
Opcode ID: ab6be07d423f29e2cef18b5ad5ff21cef58c0bd0bd6b8b884c8bb9d8d911d098
Instruction ID: 3cba8b520013dd4b177f9c32272ffd10ecf318a20762e1e9fa694429cf7511db
Opcode Fuzzy Hash: B9D0C2568747D413C405200439407D90CF1AF8719F9967FA145303FAD76F09801B7527
Instruction Fuzzy Hash: 3cba8b520013dd4b177f9c32272ffd10ecf318a20762e1e9fa694429cf7511db

APIs

LoadLibraryA.KERNEL32(00000000), ref: 0048C431
GetProcAddress.KERNEL32(00000000,_DCEntryPoint,00000000,0048C473), ref: 0048C442
FreeLibrary.KERNEL32(00000000), ref: 0048C44A

Strings

_DCEntryPoint, xrefs: 0048C43C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E2E0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43 Total matches: 12

Similarity

Total matches: 12
API ID: GetSystemMetrics
String ID: B$MonitorFromRect
API String ID: 96882338-2754499530
Opcode ID: 1842a50c2a1cfa3c1025dca09d4f756f79199febb49279e4604648b2b7edb610
Instruction ID: 6b6d6292007391345a0dd43a7380953c143f03b3d0a4cb72f8cf2ff6a2a574f7
Opcode Fuzzy Hash: E0D0A791112CA408509A0917702924315EE35EBC1599C0BE6976B792E797CABD329E0D
Instruction Fuzzy Hash: 6b6d6292007391345a0dd43a7380953c143f03b3d0a4cb72f8cf2ff6a2a574f7

APIs

GetSystemMetrics.USER32(00000000), ref: 0042E331
GetSystemMetrics.USER32(00000001), ref: 0042E33D

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

MonitorFromRect, xrefs: 0042E2F5
B, xrefs: 0042E2FA, 0042E307, 0042E30E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00431584, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43 Total matches: 12clipboard

Similarity

Total matches: 12
API ID: GetClipboardDataGlobalLockGlobalUnlock
String ID: 3 H
API String ID: 1112492702-888106971
Opcode ID: 013a2f41e22a5f88135e53f1f30c1b54f125933eea5d15d528f5d163d4797a42
Instruction ID: db876d1a574ac817b8a3991f0ba770b49a36090bd3b886d1e57eba999d76a536
Opcode Fuzzy Hash: 53D0A7C3025DE267E991578C0053A92A6C0D8416087C063B0830C2E927031E50AB7063
Instruction Fuzzy Hash: db876d1a574ac817b8a3991f0ba770b49a36090bd3b886d1e57eba999d76a536

APIs

GetClipboardData.USER32(00000001), ref: 0043159A
GlobalLock.KERNEL32(00000000,00000000,004315F6), ref: 004315BA
GlobalUnlock.KERNEL32(00000000,004315FD), ref: 004315E8

Strings

3 H, xrefs: 00431590, 004315ED

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046D36C, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36 Total matches: 62

Similarity

Total matches: 62
API ID: ShellExecute
String ID: /k $[FILE]$open
API String ID: 2101921698-3009165984
Opcode ID: 68a05d7cd04e1a973318a0f22a03b327e58ffdc8906febc8617c9713a9b295c3
Instruction ID: d64fb813625eb261c687c2654e5203d30067de4ace02db37851750b48dd66fbf
Opcode Fuzzy Hash: FED0C75427CD9157FA017F8439527E61057E747281D481BE285587A0838F8D40659312
Instruction Fuzzy Hash: d64fb813625eb261c687c2654e5203d30067de4ace02db37851750b48dd66fbf

APIs

ShellExecuteA.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0046D3B9

Strings

/k , xrefs: 0046D39A
cmd.exe, xrefs: 0046D3AD
open, xrefs: 0046D3B2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042F9E4, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36 Total matches: 35libraryloader

Similarity

Total matches: 35
API ID: GetProcAddressLoadLibrary
String ID: DWMAPI.DLL$DwmExtendFrameIntoClientArea
API String ID: 3291547091-2956373744
Opcode ID: cc41b93bac7ef77e5c5829331b5f2d91e10911707bc9e4b3bb75284856726923
Instruction ID: 611aa7263024d751f308fb3d57e5af9092bc5a71ac2d52dead79affe02cb0da7
Opcode Fuzzy Hash: D0D0A7E4C08511B0F0509405703078241DE1BC5EEE8860E90150E533621B9FB827F65C
Instruction Fuzzy Hash: 611aa7263024d751f308fb3d57e5af9092bc5a71ac2d52dead79affe02cb0da7

APIs

LoadLibraryA.KERNEL32(DWMAPI.DLL), ref: 0042FA0E
GetProcAddress.KERNEL32(00000000,DwmExtendFrameIntoClientArea,?,?,?,00447F98), ref: 0042FA31

Strings

DWMAPI.DLL, xrefs: 0042FA09
DwmExtendFrameIntoClientArea, xrefs: 0042FA26

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042FA80, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31 Total matches: 41libraryloader

Similarity

Total matches: 41
API ID: GetProcAddressLoadLibrary
String ID: DWMAPI.DLL$DwmIsCompositionEnabled
API String ID: 3291547091-2128843254
Opcode ID: 903d86e3198bc805c96c7b960047695f5ec88b3268c29fda1165ed3f3bc36d22
Instruction ID: 6cdb37f6684ca359e010f835ed4616ce0f7732468e0f2b98b5f1960530870703
Opcode Fuzzy Hash: E3D0C9A5C0865175F571D509713068081FA23D6E8A8824998091A123225FAFB866F55C
Instruction Fuzzy Hash: 6cdb37f6684ca359e010f835ed4616ce0f7732468e0f2b98b5f1960530870703

APIs

LoadLibraryA.KERNEL32(DWMAPI.DLL), ref: 0042FAA6
GetProcAddress.KERNEL32(00000000,DwmIsCompositionEnabled,?,?,0042FB22,?,00447EFB), ref: 0042FAC9

Strings

DwmIsCompositionEnabled, xrefs: 0042FABE
DWMAPI.DLL, xrefs: 0042FAA1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040F4AC, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16 Total matches: 3137libraryloader

Similarity

Total matches: 3137
API ID: GetModuleHandleGetProcAddress
String ID: GetDiskFreeSpaceExA$[FILE]
API String ID: 1063276154-3559590856
Opcode ID: c33e0a58fb58839ae40c410e06ae8006a4b80140bf923832b2d6dbd30699e00d
Instruction ID: 9d6a6771c1a736381c701344b3d7b8e37c98dfc5013332f68a512772380f22cc
Opcode Fuzzy Hash: D8B09224E0D54114C4B4560930610013C82738A10E5019A820A1B720AA7CCEEA29603A
Instruction Fuzzy Hash: 9d6a6771c1a736381c701344b3d7b8e37c98dfc5013332f68a512772380f22cc

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0048F10B,00000000,0048F11E), ref: 0040F4B2
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA,kernel32.dll,?,0048F10B,00000000,0048F11E), ref: 0040F4C3

Strings

GetDiskFreeSpaceExA, xrefs: 0040F4BD
kernel32.dll, xrefs: 0040F4AD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EC20, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15 Total matches: 48libraryloader

Similarity

Total matches: 48
API ID: GetModuleHandleGetProcAddress
String ID: CoWaitForMultipleHandles$[FILE]
API String ID: 1063276154-3065170753
Opcode ID: c6d715972c75e747e6d7ad7506eebf8b4c41a2b527cd9bc54a775635c050cd0f
Instruction ID: d81c7de5bd030b21af5c52a75e3162b073d887a4de1eb555b8966bd0fb9ec815
Opcode Fuzzy Hash: 4DB012F9A0C9210CE55F44043163004ACF031C1B5F002FD461637827803F86F437631D
Instruction Fuzzy Hash: d81c7de5bd030b21af5c52a75e3162b073d887a4de1eb555b8966bd0fb9ec815

APIs

GetModuleHandleA.KERNEL32(ole32.dll,?,0042EC9A), ref: 0042EC26
GetProcAddress.KERNEL32(00000000,CoWaitForMultipleHandles,ole32.dll,?,0042EC9A), ref: 0042EC37

Strings

CoWaitForMultipleHandles, xrefs: 0042EC31
ole32.dll, xrefs: 0042EC21

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E724, Relevance: 6.2, APIs: 4, Instructions: 198 Total matches: 19

Similarity

Total matches: 19
API ID: NetApiBufferFree$NetShareEnumNetShareGetInfo
String ID:
API String ID: 1922012051-0
Opcode ID: 7e64b2910944434402afba410b58d9b92ec59018d54871fdfc00dd5faf96720b
Instruction ID: 14ccafa2cf6417a1fbed620c270814ec7f2ac7381c92f106b89344cab9500d3f
Opcode Fuzzy Hash: 522148C606BDA0ABF6A3B4C4B447FC182D07B0B96DE486B2290BABD5C20D9521079263
Instruction Fuzzy Hash: 14ccafa2cf6417a1fbed620c270814ec7f2ac7381c92f106b89344cab9500d3f

APIs

Part of subcall function 004032F8: GetCommandLineA.KERNEL32(00000000,00403349,?,?,?,00000000), ref: 0040330F

Part of subcall function 00403358: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,0046E763,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0040337C
Part of subcall function 00403358: GetCommandLineA.KERNEL32(?,?,?,0046E763,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0040338E

NetShareEnum.NETAPI32(?,00000000,?,000000FF,?,?,?,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0046E79C
NetShareGetInfo.NETAPI32(?,?,000001F6,?,00000000,0046E945,?,?,00000000,?,000000FF,?,?,?,00000000,0046E984), ref: 0046E7D5
NetApiBufferFree.NETAPI32(?,?,?,000001F6,?,00000000,0046E945,?,?,00000000,?,000000FF,?,?,?,00000000), ref: 0046E936
NetApiBufferFree.NETAPI32(?,?,00000000,?,000000FF,?,?,?,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0046E964

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00411444, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: 954335058d5fe722e048a186d9110509c96c1379a47649d8646f5b9e1a2e0a0b
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: 9D014B0327CAAA867021BB004882FA0D2D4DE52A369CD8774DB71593F62780571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004114F3
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041150F
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411586
VariantClear.OLEAUT32(?), ref: 004115AF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040D8AA, Relevance: 6.1, APIs: 4, Instructions: 101 Total matches: 2563

Similarity

Total matches: 2563
API ID: GetModuleFileName$LoadStringVirtualQuery
String ID:
API String ID: 2941097594-0
Opcode ID: 9f707685a8ca2ccbfc71ad53c7f9b5a8f910bda01de382648e3a286d4dcbad8b
Instruction ID: 9b6f9daabaaed01363acd1bc6df000eeaee8c5b1ee04e659690c8b100997f9f3
Opcode Fuzzy Hash: 4C014C024365E386F4234B112882F5492E0DB65DB1E8C6751EFB9503F65F40115EF72D
Instruction Fuzzy Hash: 9b6f9daabaaed01363acd1bc6df000eeaee8c5b1ee04e659690c8b100997f9f3

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040D8C9
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040D8ED
GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040D908
LoadStringA.USER32(00000000,0000FFED,?,00000100), ref: 0040D99E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428848, Relevance: 6.1, APIs: 4, Instructions: 83 Total matches: 2913window

Similarity

Total matches: 2913
API ID: CreateCompatibleDCRealizePaletteSelectObjectSelectPalette
String ID:
API String ID: 3833105616-0
Opcode ID: 7f49dee69bcd38fda082a6c54f39db5f53dba16227df2c2f18840f8cf7895046
Instruction ID: 29ada319a87402adac0eebea4d3b1ef9d21249ffa1523adf5174efdc3c3390a2
Opcode Fuzzy Hash: C0F0E5870BCED49BFCA7D484249722910C2F3C08DFC80A3324E55676DB9604B127A20B
Instruction Fuzzy Hash: 29ada319a87402adac0eebea4d3b1ef9d21249ffa1523adf5174efdc3c3390a2

APIs

Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE

Part of subcall function 00429D5C: GetDC.USER32(00000000), ref: 00429DB2
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429DC7
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00429DD1
Part of subcall function 00429D5C: CreateHalftonePalette.GDI32(00000000), ref: 00429DF5
Part of subcall function 00429D5C: ReleaseDC.USER32(00000000,00000000), ref: 00429E00

CreateCompatibleDC.GDI32(00000000), ref: 0042889D
SelectObject.GDI32(00000000,?), ref: 004288B6
SelectPalette.GDI32(00000000,?,000000FF), ref: 004288DF
RealizePalette.GDI32(00000000), ref: 004288EB

Part of subcall function 00425608: LeaveCriticalSection.KERNEL32(00000038,00000000,00423DD2,00423DE8), ref: 0042560F
Part of subcall function 00425608: EnterCriticalSection.KERNEL32(00499A30,00000038,00000000,00423DD2,00423DE8), ref: 00425619
Part of subcall function 00425608: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000038,00000000,00423DD2,00423DE8), ref: 00425626

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00470B94, Relevance: 6.1, APIs: 4, Instructions: 73 Total matches: 22file

Similarity

Total matches: 22
API ID: DragQueryFile$GlobalLockGlobalUnlock
String ID:
API String ID: 367920443-0
Opcode ID: 498cda1e803d17a6f5118466ea9165dd9226bd8025a920d397bde98fe09ca515
Instruction ID: b8ae27aaf29c7a970dfd4945759f76c89711bef1c6f8db22077be54f479f9734
Opcode Fuzzy Hash: F8F05C830F79E26BD5013A844E0179401A17B03DB8F147BB2D232729DC4E5D409DF60F
Instruction Fuzzy Hash: b8ae27aaf29c7a970dfd4945759f76c89711bef1c6f8db22077be54f479f9734

APIs

Part of subcall function 00431970: GetClipboardData.USER32(00000000), ref: 00431996

GlobalLock.KERNEL32(00000000,00000000,00470C74), ref: 00470BDE
DragQueryFileA.SHELL32(?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470BF0
DragQueryFileA.SHELL32(?,00000000,?,00000105,?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470C10
GlobalUnlock.KERNEL32(00000000,?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470C56

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00438710, Relevance: 6.1, APIs: 4, Instructions: 72 Total matches: 3034window

Similarity

Total matches: 3034
API ID: GetMenuItemIDGetMenuStateGetMenuStringGetSubMenu
String ID:
API String ID: 4177512249-0
Opcode ID: ecc45265f1f2dfcabc36b66648e37788e83d83d46efca9de613be41cbe9cf08e
Instruction ID: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d
Opcode Fuzzy Hash: BEE020084B1FC552541F0A4A1573F019140E142CB69C3F3635127565B31A255213F776
Instruction Fuzzy Hash: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d

APIs

GetMenuState.USER32(?,?,?), ref: 00438733
GetSubMenu.USER32(?,?), ref: 0043873E
GetMenuItemID.USER32(?,?), ref: 00438757
GetMenuStringA.USER32(?,?,?,?,?), ref: 004387AA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00445518, Relevance: 6.1, APIs: 4, Instructions: 71 Total matches: 218threadwindow

Similarity

Total matches: 218
API ID: GetCurrentProcessIdGetWindowGetWindowThreadProcessIdIsWindowVisible
String ID:
API String ID: 3659984437-0
Opcode ID: 6a2b99e3a66d445235cbeb6ae27631a3038d73fb4110980a8511166327fee1f0
Instruction ID: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8
Opcode Fuzzy Hash: 82E0AB21B2AA28AAE0971541B01939130B3F74ED9ACC0A3626F8594BD92F253809E74F
Instruction Fuzzy Hash: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8

APIs

GetWindow.USER32(?,00000004), ref: 00445528
GetWindowThreadProcessId.USER32(?,?), ref: 00445542
GetCurrentProcessId.KERNEL32(?,00000004), ref: 0044554E
IsWindowVisible.USER32(?), ref: 0044559E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B29C, Relevance: 6.1, APIs: 4, Instructions: 58 Total matches: 214window

Similarity

Total matches: 214
API ID: DeleteObject$GetIconInfoGetObject
String ID:
API String ID: 3019347292-0
Opcode ID: d6af2631bec08fa1cf173fc10c555d988242e386d2638a025981433367bbd086
Instruction ID: 7fbc048e39f9dd6e6db5f40543e5f161b145f4c2f282fe4a446dbd8e1941d375
Opcode Fuzzy Hash: F7D0C283228DE2F7ED767D983A636154085F782297C6423B00444730860A1E700C6A03
Instruction Fuzzy Hash: 7fbc048e39f9dd6e6db5f40543e5f161b145f4c2f282fe4a446dbd8e1941d375

APIs

GetIconInfo.USER32(?,?), ref: 0042B2BD
GetObjectA.GDI32(?,00000018,?), ref: 0042B2DE
DeleteObject.GDI32(?), ref: 0042B30A
DeleteObject.GDI32(?), ref: 0042B313

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00445334, Relevance: 6.1, APIs: 4, Instructions: 56 Total matches: 2678

Similarity

Total matches: 2678
API ID: EnumWindowsGetWindowGetWindowLongSetWindowPos
String ID:
API String ID: 1660305372-0
Opcode ID: c3d012854d63b95cd89c42a77d529bdce0f7c5ea0abc138a70ce1ca7fb0ed027
Instruction ID: 7947c1ee61b3a945b06f79495752ea495d4a1fb36974d9d540e15b721e8a8e8a
Opcode Fuzzy Hash: 65E07D89179DA114F52124400911F043342F3D731BD1ADF814246283E39B8522BBFB8C
Instruction Fuzzy Hash: 7947c1ee61b3a945b06f79495752ea495d4a1fb36974d9d540e15b721e8a8e8a

APIs

EnumWindows.USER32(Function_000452BC), ref: 0044535E
GetWindow.USER32(?,00000003), ref: 00445376
GetWindowLongA.USER32(00000000,000000EC), ref: 00445383
SetWindowPos.USER32(00000000,000000EC,00000000,00000000,00000000,00000000,00000213), ref: 004453C2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004314A0, Relevance: 6.1, APIs: 4, Instructions: 56 Total matches: 21memoryclipboard

Similarity

Total matches: 21
API ID: GlobalAllocGlobalLockGlobalUnlockSetClipboardData
String ID:
API String ID: 3535573752-0
Opcode ID: f0e50475fe096c382d27ee33e947bcf8d55d19edebb1ed8108c2663ee63934e9
Instruction ID: 2742e8ac83e55c90e50d408429e67af57535f67fab21309796ee5989aaacba5e
Opcode Fuzzy Hash: D7E0C250025CF01BF9CA69CD3C97E86D2D2DA402649D46FB58258A78B3222E6049E50B
Instruction Fuzzy Hash: 2742e8ac83e55c90e50d408429e67af57535f67fab21309796ee5989aaacba5e

APIs

GlobalAlloc.KERNEL32(00002002,?,00000000,00431572), ref: 004314CF
GlobalLock.KERNEL32(?,00000000,00431544,?,00002002,?,00000000,00431572), ref: 004314E9
SetClipboardData.USER32(?,?), ref: 00431517
GlobalUnlock.KERNEL32(?,0043153A,?,00000000,00431544,?,00002002,?,00000000,00431572), ref: 0043152D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040A404, Relevance: 6.1, APIs: 4, Instructions: 54 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: c8f11cb17e652d385e55d6399cfebc752614be738e382b5839b86fc73ea86396
Instruction ID: 2e292ce978d1af3d415e66e5b982e49a92b9d84a3d1479b7871fac408542b61b
Opcode Fuzzy Hash: 32D02B030B309613452F157D0441F8D7032488F01A96C2F8C37B77ABA68505605FFE4C
Instruction Fuzzy Hash: 2e292ce978d1af3d415e66e5b982e49a92b9d84a3d1479b7871fac408542b61b

APIs

FindNextFileA.KERNEL32(?,?), ref: 0040A415
GetLastError.KERNEL32(?,?), ref: 0040A41E
FileTimeToLocalFileTime.KERNEL32(?), ref: 0040A434
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 0040A443

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0041C2D4, Relevance: 6.1, APIs: 4, Instructions: 51 Total matches: 4966

Similarity

Total matches: 4966
API ID: FindResourceLoadResourceLockResourceSizeofResource
String ID:
API String ID: 3653323225-0
Opcode ID: 735dd83644160b8dcfdcb5d85422b4d269a070ba32dbf009b7750e227a354687
Instruction ID: 615d07274e164157e3e11310b2f920de543c2506028dc961f8b3aaf64374c2fd
Opcode Fuzzy Hash: 4BD0A90A2268C100582C2C80002BBC610830A5FE226CC27F902231BBC32C026024F8C4
Instruction Fuzzy Hash: 615d07274e164157e3e11310b2f920de543c2506028dc961f8b3aaf64374c2fd

APIs

FindResourceA.KERNEL32(?,?,?), ref: 0041C2EB
LoadResource.KERNEL32(?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C305
SizeofResource.KERNEL32(?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C31F
LockResource.KERNEL32(0041BDF4,00000000,?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000), ref: 0041C329

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040A3AC, Relevance: 6.0, APIs: 4, Instructions: 40 Total matches: 51time

Similarity

Total matches: 51
API ID: DosDateTimeToFileTimeGetLastErrorLocalFileTimeToFileTimeSetFileTime
String ID:
API String ID: 3095628216-0
Opcode ID: dc7fe683cb9960f76d0248ee31fd3249d04fe76d6d0b465a838fe0f3e66d3351
Instruction ID: c3399427300e97a0bf23ec08d7f996c3ab3c22a86554ee3675cd901d102723b3
Opcode Fuzzy Hash: F2C0803B165157D71F4F7D7C600375011F0D1778230955B614E019718D4E05F01EFD86
Instruction Fuzzy Hash: c3399427300e97a0bf23ec08d7f996c3ab3c22a86554ee3675cd901d102723b3

APIs

DosDateTimeToFileTime.KERNEL32(?,0048C37F,?), ref: 0040A3C9
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0040A3DA
SetFileTime.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3EC
GetLastError.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3F5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00484388, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 39

Similarity

Total matches: 39
API ID: CloseHandleGetExitCodeProcessOpenProcessTerminateProcess
String ID:
API String ID: 2790531620-0
Opcode ID: 2f64381cbc02908b23ac036d446d8aeed05bad4df5f4c3da9e72e60ace7043ae
Instruction ID: e830ae185e03603e72926048c7063e7464f7d8c572e36ef4319c937be7ad0c91
Opcode Fuzzy Hash: 5DC01285079EAB7B643571D825437E14084D5026CCB943B7185045F10B4B09B43DF053
Instruction Fuzzy Hash: e830ae185e03603e72926048c7063e7464f7d8c572e36ef4319c937be7ad0c91

APIs

OpenProcess.KERNEL32(00000001,00000000,00000000), ref: 00484393
GetExitCodeProcess.KERNEL32(00000000,?), ref: 004843B7
TerminateProcess.KERNEL32(00000000,?,00000000,004843E0,?,00000001,00000000,00000000), ref: 004843C4
CloseHandle.KERNEL32(00000000), ref: 004843DA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044E254, Relevance: 6.0, APIs: 4, Instructions: 37 Total matches: 5751thread

Similarity

Total matches: 5751
API ID: GetCurrentProcessIdGetPropGetWindowThreadProcessIdGlobalFindAtom
String ID:
API String ID: 142914623-0
Opcode ID: 055fee701d7a26f26194a738d8cffb303ddbdfec43439e02886190190dab2487
Instruction ID: e9689aead5eaf442059aa2d418bca5d111d08576717f72d926dd49825766799b
Opcode Fuzzy Hash: 0AC02203AD2E23870E4202F2E840907219583DF8720CA370201B0E38C023F0461DFF0C
Instruction Fuzzy Hash: e9689aead5eaf442059aa2d418bca5d111d08576717f72d926dd49825766799b

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 0044E261
GetCurrentProcessId.KERNEL32(00000000,?,?,-00000010,00000000,0044E2CC,-000000F7,?,00000000,0044DE86,?,-00000010,?), ref: 0044E26A
GlobalFindAtomA.KERNEL32(00000000), ref: 0044E27F
GetPropA.USER32(00000000,00000000), ref: 0044E296

Part of subcall function 0044D2C0: GetWindowThreadProcessId.USER32(?), ref: 0044D2C6
Part of subcall function 0044D2C0: GetCurrentProcessId.KERNEL32(?,?,?,?,0044D346,?,00000000,?,004387ED,?,004378A9), ref: 0044D2CF
Part of subcall function 0044D2C0: SendMessageA.USER32(?,0000C1C7,00000000,00000000), ref: 0044D2E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444B1C, Relevance: 6.0, APIs: 4, Instructions: 34 Total matches: 2966thread

Similarity

Total matches: 2966
API ID: CreateEventCreateThreadGetCurrentThreadIdSetWindowsHookEx
String ID:
API String ID: 2240124278-0
Opcode ID: 54442a1563c67a11f9aee4190ed64b51599c5b098d388fde65e2e60bb6332aef
Instruction ID: 25b62da08cecef26c395931cea73ffe9b62582a88be241cbb158b3c9ea13de32
Opcode Fuzzy Hash: 37D0C940B0DE75C4F860630138017A90633234BF1BCD1C316480F76041C6CFAEF07A28
Instruction Fuzzy Hash: 25b62da08cecef26c395931cea73ffe9b62582a88be241cbb158b3c9ea13de32

APIs

GetCurrentThreadId.KERNEL32(?,00447A69,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00444B34
SetWindowsHookExA.USER32(00000003,00444AD8,00000000,00000000), ref: 00444B44
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00447A69,?,?,?,?,?,?,?,?,?,?), ref: 00444B5F
CreateThread.KERNEL32(00000000,000003E8,00444A7C,00000000,00000000), ref: 00444B83

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B438, Relevance: 6.0, APIs: 4, Instructions: 29 Total matches: 789

Similarity

Total matches: 789
API ID: GetDCGetTextMetricsReleaseDCSelectObject
String ID:
API String ID: 1769665799-0
Opcode ID: db772d9cc67723a7a89e04e615052b16571c955da3e3b2639a45f22e65d23681
Instruction ID: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3
Opcode Fuzzy Hash: DCC02B935A2888C32DE51FC0940084317C8C0E3A248C62212E13D400727F0C007CBFC0
Instruction Fuzzy Hash: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3

APIs

GetDC.USER32(00000000), ref: 0042B441
SelectObject.GDI32(00000000,018A002E), ref: 0042B453
GetTextMetricsA.GDI32(00000000), ref: 0042B45E
ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042473C, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 172 Total matches: 108

Similarity

Total matches: 108
API ID: CompareStringCreateFontIndirect
String ID: Default
API String ID: 480662435-753088835
Opcode ID: 55710f22f10b58c86f866be5b7f1af69a0ec313069c5af8c9f5cd005ee0f43f8
Instruction ID: ad4a051fb67a15694052d05548e5e2a92b9daedfa5d673be67c756d1cf269a99
Opcode Fuzzy Hash: F6116A2104DDB067F8B3EC94B64A74A79D1BBC5E9EC00FB303AA57198A0B01500EEB0E
Instruction Fuzzy Hash: ad4a051fb67a15694052d05548e5e2a92b9daedfa5d673be67c756d1cf269a99

APIs

Part of subcall function 00423A1C: EnterCriticalSection.KERNEL32(?,00423A59), ref: 00423A20

CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,00424930,?,00000000,00424958), ref: 0042486B
CreateFontIndirectA.GDI32(?), ref: 0042490D

Part of subcall function 0042B438: GetDC.USER32(00000000), ref: 0042B441
Part of subcall function 0042B438: SelectObject.GDI32(00000000,018A002E), ref: 0042B453
Part of subcall function 0042B438: GetTextMetricsA.GDI32(00000000), ref: 0042B45E
Part of subcall function 0042B438: ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Part of subcall function 00423A28: LeaveCriticalSection.KERNEL32(-00000008,00423B07,00423B0F), ref: 00423A2C

Strings

Default, xrefs: 00424832, 00424840, 00424841

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045E7B4, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108 Total matches: 16

Similarity

Total matches: 16
API ID: GetActiveObject
String ID: E
API String ID: 888827201-3568589458
Opcode ID: 40ff121eecf195b3d4325bc1369df9dba976ca9c7c575cd6fc43b4b0f55e6955
Instruction ID: ab5b10c220aec983b32735e40d91a884d9f08e665b5304ccd80c3bfe0421d5f3
Opcode Fuzzy Hash: 13019E441FFC9152E583688426C3F4932B26B4FB4AD88B7271A77636A99905000FEE66
Instruction Fuzzy Hash: ab5b10c220aec983b32735e40d91a884d9f08e665b5304ccd80c3bfe0421d5f3

APIs

GetActiveObject.OLEAUT32(?,00000000,00000000), ref: 0045E817

Part of subcall function 0042BE18: ProgIDFromCLSID.OLE32(?), ref: 0042BE21
Part of subcall function 0042BE18: CoTaskMemFree.OLE32(00000000), ref: 0042BE39

Part of subcall function 0042BD90: StringFromCLSID.OLE32(?), ref: 0042BD99
Part of subcall function 0042BD90: CoTaskMemFree.OLE32(00000000), ref: 0042BDB1

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetActiveObject.OLEAUT32(?,00000000,00000000), ref: 0045E89E

Part of subcall function 0042BF5C: GetComputerNameA.KERNEL32(?,00000010), ref: 0042C00D
Part of subcall function 0042BF5C: CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,?,00000000,0042C0FD), ref: 0042C07D
Part of subcall function 0042BF5C: CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 0042C0B6

Part of subcall function 00405D28: SysFreeString.OLEAUT32(7942540A), ref: 00405D36

Part of subcall function 0042BE44: CoCreateInstance.OLE32(?,00000000,00000005,0042BF34,00000000), ref: 0042BE8B

Strings

E, xrefs: 0045E85F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E3F0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103 Total matches: 30

Similarity

Total matches: 30
API ID: SHGetPathFromIDListSHGetSpecialFolderLocation
String ID: .LNK
API String ID: 739551631-2547878182
Opcode ID: 6b91e9416f314731ca35917c4d41f2341f1eaddd7b94683245f35c4551080332
Instruction ID: e6ae6f63a256f5e8788dfe1c4fce17057cd352befa637d7beb5ae1c0f18a968e
Opcode Fuzzy Hash: 9701B543079EC2A3D9232E512D43BA60129AF11E22F4C77F35A3C3A7D11E500105FA4A
Instruction Fuzzy Hash: e6ae6f63a256f5e8788dfe1c4fce17057cd352befa637d7beb5ae1c0f18a968e

APIs

SHGetSpecialFolderLocation.SHELL32(00000000,00000010,?), ref: 0046E44B
SHGetPathFromIDListA.SHELL32(?,?,00000000,00000010,?,00000000,0046E55E), ref: 0046E463

Part of subcall function 0042BE44: CoCreateInstance.OLE32(?,00000000,00000005,0042BF34,00000000), ref: 0042BE8B

Strings

.LNK, xrefs: 0046E4DE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00472C70, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 98 Total matches: 26

Similarity

Total matches: 26
API ID: SetFileAttributes
String ID: I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!$drivers\etc\hosts
API String ID: 3201317690-57959411
Opcode ID: de1fcf5289fd0d37c0d7642ff538b0d3acf26fbf7f5b53187118226b7e9f9585
Instruction ID: 1f69c6cfd5524e6f1e55c33e322de11738733e7ba85079705839c212502733fc
Opcode Fuzzy Hash: C4012B430F74D723D5173D857800B8922764B4A179D4A77F34B3B796E14E45101BF26D
Instruction Fuzzy Hash: 1f69c6cfd5524e6f1e55c33e322de11738733e7ba85079705839c212502733fc

APIs

Part of subcall function 004719C8: GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 004719DF

SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00472DAB,?,00000000,00472DE7), ref: 00472D16

Strings

drivers\etc\hosts, xrefs: 00472CD3, 00472D00
I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!, xrefs: 00472D8D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004629C0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 91 Total matches: 35com

Similarity

Total matches: 35
API ID: CoCreateInstance
String ID: <*I$L*I
API String ID: 206711758-935359969
Opcode ID: 926ebed84de1c4f5a0cff4f8c2e2da7e6b2741b3f47b898da21fef629141a3d9
Instruction ID: fa8d7291222113e0245fa84df17397d490cbd8a09a55d837a8cb9fde22732a4b
Opcode Fuzzy Hash: 79F02EA00A6B5057F502728428413DB0157E74BF09F48EB715253335860F29E22A6903
Instruction Fuzzy Hash: fa8d7291222113e0245fa84df17397d490cbd8a09a55d837a8cb9fde22732a4b

APIs

CoCreateInstance.OLE32(00492A3C,00000000,00000001,0049299C,00000000), ref: 00462A3F

Strings

<*I, xrefs: 00462A39
L*I, xrefs: 00462A60

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004658F4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91 Total matches: 91memory

Similarity

Total matches: 91
API ID: VirtualFreeVirtualProtect
String ID: FinalizeSections: VirtualProtect failed
API String ID: 636303360-3584865983
Opcode ID: eacfc3cf263d000af2bbea4d1e95e0ccf08e91c00f24ffdf9b55ce997f25413f
Instruction ID: a25c5a888a9fda5817e5b780509016ca40cf7ffd1ade20052d4c48f0177e32df
Opcode Fuzzy Hash: 8CF0A7A2164FC596D9E4360D5003B96A44B6BC1369D4857412FFF106F35E46A06B7D4C
Instruction Fuzzy Hash: a25c5a888a9fda5817e5b780509016ca40cf7ffd1ade20052d4c48f0177e32df

APIs

VirtualFree.KERNEL32(?,?,00004000), ref: 00465939
VirtualProtect.KERNEL32(?,?,00000000,?), ref: 004659A5

Strings

FinalizeSections: VirtualProtect failed, xrefs: 004659B3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00404B2E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83 Total matches: 27

Similarity

Total matches: 27
API ID: UnhandledExceptionFilter
String ID: @
API String ID: 324268079-2726393805
Opcode ID: 404135c81fb2f5f5ca58f8e75217e0a603ea6e07d48b6f32e279dfa7f56b0152
Instruction ID: c84c814e983b35b1fb5dae0ae7b91a26e19a660e9c4fa24becd8f1ddc27af483
Opcode Fuzzy Hash: CDF0246287E8612AD0BB6641389337E1451EF8189DC88DB307C9A306FB1A4D22A4F34C
Instruction Fuzzy Hash: c84c814e983b35b1fb5dae0ae7b91a26e19a660e9c4fa24becd8f1ddc27af483

APIs

UnhandledExceptionFilter.KERNEL32(00000006), ref: 00404B9A
UnhandledExceptionFilter.KERNEL32(?), ref: 00404BD7

Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00000000,00403029), ref: 004076AD
Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00403029), ref: 004076BE

Strings

@, xrefs: 00404B55

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040C028, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79 Total matches: 3032thread

Similarity

Total matches: 3032
API ID: GetDateFormatGetThreadLocale
String ID: yyyy
API String ID: 358233383-3145165042
Opcode ID: a9ef5bbd8ef47e5bcae7fadb254d6b5dc10943448e4061dc92b10bb97dc7929c
Instruction ID: 3d7ab4add3e8180159f8482215856afc9a1a963464e366b4ca05c92ac214afea
Opcode Fuzzy Hash: 09F09E4A0397D3D76802C969D023BC10194EB5A8B2C88B3B1DBB43D7F74C10C40AAF21
Instruction Fuzzy Hash: 3d7ab4add3e8180159f8482215856afc9a1a963464e366b4ca05c92ac214afea

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,0040C116), ref: 0040C0AE
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100), ref: 0040C0B4

Strings

yyyy, xrefs: 0040C089

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004889F0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 72 Total matches: 20

Similarity

Total matches: 20
API ID: GetMonitorInfo
String ID: H$MONSIZE
API String ID: 2399315694-578782711
Opcode ID: fcbd22419a9fe211802b34775feeb9b9cd5c1eab3f2b681a58b96c928ed20dcd
Instruction ID: 58dff39716ab95f400833e95f8353658d64ab2bf0589c4ada55bb24297febcec
Opcode Fuzzy Hash: A0F0E957075E9D5BE7326D883C177C042D82342C5AE8EB75741B9329B20D59511DF3C9
Instruction Fuzzy Hash: 58dff39716ab95f400833e95f8353658d64ab2bf0589c4ada55bb24297febcec

APIs

GetMonitorInfoA.USER32(?,00000048), ref: 00488A28

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

H, xrefs: 00488A19
MONSIZE, xrefs: 00488A65

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486210, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66 Total matches: 14network

Similarity

Total matches: 14
API ID: recvsend
String ID: EndReceive
API String ID: 740075404-1723565878
Opcode ID: 0642aeb2bf09005660d41f125a1d03baad4e76b78f36ec5b7dd5d239cf09d5cc
Instruction ID: 216cfea4cb83c20b808547ecb65d31b60c96cf6878345f9c489041ca4988cdb5
Opcode Fuzzy Hash: 4FE02B06133A455DE6270580341A3C7F947772B705E47D7F14FA4311DACA43322AE70B
Instruction Fuzzy Hash: 216cfea4cb83c20b808547ecb65d31b60c96cf6878345f9c489041ca4988cdb5

APIs

Part of subcall function 00466470: acmStreamConvert.MSACM32(?,00000108,00000000), ref: 004664AB
Part of subcall function 00466470: acmStreamReset.MSACM32(?,00000000,?,00000108,00000000), ref: 004664B9

send.WSOCK32(00000000,0049A3A0,00000000,00000000), ref: 004862AA
recv.WSOCK32(00000000,0049A3A0,00001FFF,00000000,00000000,0049A3A0,00000000,00000000), ref: 004862C1

Part of subcall function 00475F68: send.WSOCK32(?,00000000,?,00000000,00000000,00475FCA), ref: 00475FAF

Strings

EndReceive, xrefs: 004862CA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004843EC, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52 Total matches: 15

Similarity

Total matches: 15
API ID: CloseHandleOpenProcess
String ID: ACCESS DENIED (x64)
API String ID: 39102293-185273294
Opcode ID: a572bc7c6731d9d91b92c5675ac9d9d4c0009ce4d4d6c6579680fd2629dc7de7
Instruction ID: 96dec37c68e2c881eb92ad81010518019459718a977f0d9739e81baf42475d3b
Opcode Fuzzy Hash: EBE072420B68F08FB4738298640028100C6AE862BCC486BB5523B391DB4E49A008B6A3
Instruction Fuzzy Hash: 96dec37c68e2c881eb92ad81010518019459718a977f0d9739e81baf42475d3b

APIs

OpenProcess.KERNEL32(001F0FFF,00000000), ref: 0048440F
CloseHandle.KERNEL32(00000000), ref: 00484475

Strings

ACCESS DENIED (x64), xrefs: 004843FD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E408, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44 Total matches: 2190

Similarity

Total matches: 2190
API ID: GetSystemMetrics
String ID: MonitorFromPoint
API String ID: 96882338-1072306578
Opcode ID: 666203dad349f535e62b1e5569e849ebaf95d902ba2aa8f549115cec9aadc9dc
Instruction ID: 9e90a3aeaa9df0e76633c437836624889fea8714b6c2508f44f8acb6986c90e8
Opcode Fuzzy Hash: 72D09540005C404E9427F505302314050862CD7C1444C0A96073728A4B4BC07837E70C
Instruction Fuzzy Hash: 9e90a3aeaa9df0e76633c437836624889fea8714b6c2508f44f8acb6986c90e8

APIs

GetSystemMetrics.USER32(00000000), ref: 0042E456
GetSystemMetrics.USER32(00000001), ref: 0042E468

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

MonitorFromPoint, xrefs: 0042E41A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00405026, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43 Total matches: 29

Similarity

Total matches: 29
API ID: UnhandledExceptionFilter
String ID: @$@
API String ID: 324268079-1993891284
Opcode ID: 08651bee2e51f7c203f2bcbc4971cbf38b3c12a2f284cd033f2f36121a1f9316
Instruction ID: 09869fe21a55f28103c5e2f74b220912f521d4c5ca74f0421fb5e508a020f7c0
Opcode Fuzzy Hash: 83E0CD9917D5514BE0755684259671E1051EF05825C4A8F316D173C1FB151A11E4F77C
Instruction Fuzzy Hash: 09869fe21a55f28103c5e2f74b220912f521d4c5ca74f0421fb5e508a020f7c0

APIs

UnhandledExceptionFilter.KERNEL32(00000006), ref: 00405047

Strings

@, xrefs: 00405080
@, xrefs: 004050A2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004319C4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43 Total matches: 10clipboard

Similarity

Total matches: 10
API ID: EnumClipboardFormats
String ID: 84B
API String ID: 3596886676-4139892337
Opcode ID: b1462d8625ddb51b2d31736c791a41412de0acc99cd040f5562c49b894f36a34
Instruction ID: 9fe3e5fa4cb89e8a0f94f97538fc14217740b2e6ec0d3bb9a3290716fcbe2ff9
Opcode Fuzzy Hash: 96D0A79223ECD863E9EC2359145BD47254F08D22554440B315E1B6DA13E520181FF58F
Instruction Fuzzy Hash: 9fe3e5fa4cb89e8a0f94f97538fc14217740b2e6ec0d3bb9a3290716fcbe2ff9

APIs

EnumClipboardFormats.USER32(00000000), ref: 004319E8
EnumClipboardFormats.USER32(00000000), ref: 00431A0E

Strings

84B, xrefs: 004319F6

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00422188, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42 Total matches: 16registry

Similarity

Total matches: 16
API ID: RegSetValueEx
String ID: NoControlPanel$tdA
API String ID: 3711155140-1355984343
Opcode ID: 5e8bf8497a5466fff8bc5eb4e146d5dc6a0602752481f5dd4d5504146fb4de3d
Instruction ID: cdf02c1bfc0658aace9b7e9a135c824c3cff313d703079df6a374eed0d2e646e
Opcode Fuzzy Hash: E2D0A75C074881C524D914CC3111E01228593157AA49C3F52875D627F70E00E038DD1E
Instruction Fuzzy Hash: cdf02c1bfc0658aace9b7e9a135c824c3cff313d703079df6a374eed0d2e646e

APIs

RegSetValueExA.ADVAPI32(?,00000000,00000000,00000000,?,?,004724E0,00000000,004724E0), ref: 004221BA

Strings

NoControlPanel, xrefs: 00422188
tdA, xrefs: 004221D0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E258, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39 Total matches: 3131

Similarity

Total matches: 3131
API ID: GetSystemMetrics
String ID: GetSystemMetrics
API String ID: 96882338-96882338
Opcode ID: bbc54e4b5041dfa08de2230ef90e8f32e1264c6e24ec09b97715d86cc98d23e9
Instruction ID: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c
Opcode Fuzzy Hash: B4D0A941986AA908E0AF511971A336358D163D2EA0C8C8362308B329EB5741B520AB01
Instruction Fuzzy Hash: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c

APIs

GetSystemMetrics.USER32(?), ref: 0042E2BA

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

GetSystemMetrics.USER32(?), ref: 0042E280

Strings

GetSystemMetrics, xrefs: 0042E268

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Process Name: darkcomet.exe Analysis ID: 41363

General

Root Process Name:	regdrv.exe
Process MD5:	5A790B57A083A6B0FDDC5BACBBBD95DE
Total matches:	226
Initial Analysis Report:	Open
Initial sample Analysis ID:	41363
Initial sample SHA 256:	3C9E853D9D3924C45DD8C5CB92F002422E6151FAE739E53DB26C4945D4463876
Initial sample name:	darkcomet.exe

Similar Executed Functions

Function 004818F8, Relevance: 49.2, APIs: 10, Strings: 18, Instructions: 236 Total matches: 18keyboard

Similarity

Total matches: 18
API ID: GetKeyState$CallNextHookEx$GetKeyboardStateMapVirtualKeyToAscii
String ID: [<-]$[DEL]$[DOWN]$[ESC]$[F1]$[F2]$[F3]$[F4]$[F5]$[F6]$[F7]$[F8]$[INS]$[LEFT]$[NUM_LOCK]$[RIGHT]$[SNAPSHOT]$[UP]
API String ID: 2409940449-52828794
Opcode ID: b9566e8c43a4051c07ac84d60916a303a7beb698efc358184a9cd4bc7b664fbd
Instruction ID: 41c13876561f3d94aafb9dcaf6d0e9d475a0720bb5103e60537e1bfe84b96b73
Opcode Fuzzy Hash: 0731B68AA7159623D437E2D97101B910227BF975D0CC1A3333EDA3CAE99E900114BF25
Instruction Fuzzy Hash: 41c13876561f3d94aafb9dcaf6d0e9d475a0720bb5103e60537e1bfe84b96b73

APIs

CallNextHookEx.USER32(000601F9,00000000,?,?), ref: 00481948

Part of subcall function 004818E0: MapVirtualKeyA.USER32(00000000,00000000), ref: 004818E6

CallNextHookEx.USER32(000601F9,00000000,00000100,?), ref: 0048198C
GetKeyState.USER32(00000014), ref: 00481C4E
GetKeyState.USER32(00000011), ref: 00481C60
GetKeyState.USER32(000000A0), ref: 00481C75
GetKeyState.USER32(000000A1), ref: 00481C8A
GetKeyboardState.USER32(?), ref: 00481CA5
MapVirtualKeyA.USER32(00000000,00000000), ref: 00481CD7
ToAscii.USER32(00000000,00000000,00000000,00000000,?), ref: 00481CDE

Part of subcall function 00481318: ExitThread.KERNEL32(00000000,00000000,00481687,?,00000000,004816C3,?,?,?,?,0000000C,00000000,00000000), ref: 0048135E
Part of subcall function 00481318: CreateThread.KERNEL32(00000000,00000000,Function_000810D4,00000000,00000000,00499F94), ref: 0048162D

CallNextHookEx.USER32(000601F9,00000000,?,?), ref: 00481D3C

Strings

[LEFT], xrefs: 00481C07
[F3], xrefs: 00481B65
[DOWN], xrefs: 00481C2B
[<-], xrefs: 00481B1D
[NUM_LOCK], xrefs: 00481B2F
[RIGHT], xrefs: 00481C19
[F7], xrefs: 00481BAD
[DEL], xrefs: 00481BD1
[UP], xrefs: 00481C3D
[F4], xrefs: 00481B77
[ESC], xrefs: 00481AE7
[F8], xrefs: 00481BBF
[F5], xrefs: 00481B89
[F1], xrefs: 00481B41
[INS], xrefs: 00481BE3
[F6], xrefs: 00481B9B
[SNAPSHOT], xrefs: 00481BF5
[F2], xrefs: 00481B53

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00406C2C, Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184 Total matches: 2899registrystringlibrary

Similarity

Total matches: 2899
API ID: lstrcpyn$LoadLibraryExRegOpenKeyEx$RegQueryValueEx$GetLocaleInfoGetModuleFileNameGetThreadLocaleRegCloseKeylstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 3567661987-2375825460
Opcode ID: a3b1251d448c01bd6f1cc1c42774547fa8a2e6c4aa6bafad0bbf1d0ca6416942
Instruction ID: a303aaa8438224c55303324eb01105260f59544aa3820bfcbc018d52edb30607
Opcode Fuzzy Hash: 7311914307969393E8871B6124157D513A5AF01F30E4A7BF275F0206EABE46110CFA06
Instruction Fuzzy Hash: a303aaa8438224c55303324eb01105260f59544aa3820bfcbc018d52edb30607

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,00400000,004917C0), ref: 00406C48
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,004917C0), ref: 00406C66
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,004917C0), ref: 00406C84
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00406CA2

Part of subcall function 00406A68: GetModuleHandleA.KERNEL32(kernel32.dll,?,00400000,004917C0), ref: 00406A85
Part of subcall function 00406A68: GetProcAddress.KERNEL32(?,GetLongPathNameA,kernel32.dll,?,00400000,004917C0), ref: 00406A9C
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,?,00400000,004917C0), ref: 00406ACC
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B30
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B66
Part of subcall function 00406A68: FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B79
Part of subcall function 00406A68: FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B8B
Part of subcall function 00406A68: lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B97
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000), ref: 00406BCB
Part of subcall function 00406A68: lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00406BD7
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 00406BF9

RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,00406D31,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00406CEB
RegQueryValueExA.ADVAPI32(?,00406E98,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00406D31,?,80000001), ref: 00406D09
RegCloseKey.ADVAPI32(?,00406D38,00000000,?,?,00000000,00406D31,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00406D2B
lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00406D48
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00406D55
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00406D5B
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00406D86
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406DCD
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406DDD
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406E05
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406E15
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00406E3B
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 00406E4B

Strings

Software\Borland\Locales, xrefs: 00406C5C, 00406C7A
Software\Borland\Delphi\Locales, xrefs: 00406C98

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00406D38, Relevance: 15.1, APIs: 10, Instructions: 98 Total matches: 2843stringlibrarythread

Similarity

Total matches: 2843
API ID: lstrcpyn$LoadLibraryEx$GetLocaleInfoGetThreadLocalelstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 2476548892-2375825460
Opcode ID: 37afa4b59127376f4a6833a35b99071d0dffa887068a3353cca0b5e1e5cd2bc3
Instruction ID: 0c520f96d45b86b238466289d2a994e593252e78d5c30d2048b7af96496f657b
Opcode Fuzzy Hash: 4CF0C883479793A7E04B1B422916AC853A4AF00F30F577BE1B970147FE7D1B240CA519
Instruction Fuzzy Hash: 0c520f96d45b86b238466289d2a994e593252e78d5c30d2048b7af96496f657b

APIs

lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00406D48
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00406D55
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00406D5B
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00406D86
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406DCD
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406DDD
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406E05
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406E15
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00406E3B
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 00406E4B

Strings

Software\Borland\Locales, xrefs: 00406C5C, 00406C7A
Software\Borland\Delphi\Locales, xrefs: 00406C98

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AEA8, Relevance: 9.1, APIs: 6, Instructions: 108 Total matches: 122

Similarity

Total matches: 122
API ID: AdjustTokenPrivilegesCloseHandleGetCurrentProcessGetLastErrorLookupPrivilegeValueOpenProcessToken
String ID:
API String ID: 1655903152-0
Opcode ID: c92d68a2c1c5faafb4a28c396f292a277a37f0b40326d7f586547878ef495775
Instruction ID: 5a044237aac15a3989e4021d08b96f5326c338692d3d0e66e444868dbe789150
Opcode Fuzzy Hash: 2CF0468513CAB2E7F879B18C3042FE73458B323244C8437219A903A18E0E59A12CEB13
Instruction Fuzzy Hash: 5a044237aac15a3989e4021d08b96f5326c338692d3d0e66e444868dbe789150

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AEFF
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF05
LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000), ref: 0048AF77
CloseHandle.KERNEL32(?), ref: 0048AF8D
GetLastError.KERNEL32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF9A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DDE0, Relevance: 7.6, APIs: 5, Instructions: 54 Total matches: 153

Similarity

Total matches: 153
API ID: FindResourceFreeResourceLoadResourceLockResourceSizeofResource
String ID:
API String ID: 3885362348-0
Opcode ID: ef8b8e58cde3d28224df1e0c57da641ab2d3d01fa82feb3a30011b4f31433ee9
Instruction ID: 9990bafbf40e834a260b48e1f62370990a3e04654371271e90c167a58edff6a8
Opcode Fuzzy Hash: 08D02B420B5FA197F51656482C813D722876B43386EC42BF2D31A3B2E39F058039F60B
Instruction Fuzzy Hash: 9990bafbf40e834a260b48e1f62370990a3e04654371271e90c167a58edff6a8

APIs

FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 0048DE1A
LoadResource.KERNEL32(00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE24
SizeofResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE2E
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE36
FreeResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00481ED8, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 86 Total matches: 13

Similarity

Total matches: 13
API ID: GetModuleHandleSetWindowsHookEx
String ID: 3 H$dclogs\
API String ID: 987070476-1752027334
Opcode ID: 4b23d8581528a2a1bc1133d8afea0c2915dbad2a911779c2aade704c29555fce
Instruction ID: b2120ba2d2fe5220d185ceeadd256cdd376e4b814eb240eb03e080d2c545ca01
Opcode Fuzzy Hash: 00F0D1DB07A9C683E1A2A4847C42796007D5F07115E8C8BB3473F7A4F64F164026F70A
Instruction Fuzzy Hash: b2120ba2d2fe5220d185ceeadd256cdd376e4b814eb240eb03e080d2c545ca01

APIs

GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00482007,?,?,00000003,00000000,00000000,?,00482033), ref: 00481EFB
SetWindowsHookExA.USER32(0000000D,004818F8,00000000,00000000), ref: 00481F09

Part of subcall function 0048ADCC: SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0048ADF9
Part of subcall function 0048ADCC: SHGetPathFromIDListA.SHELL32(?,?,00000000,0048AE8C,?,?,00000005,?,004856FD,00000000,00485755,?,?,00000005,00000000,00000000), ref: 0048AE09

Part of subcall function 0040A290: GetFileAttributesA.KERNEL32(00000000,?,0048FD09,?,?,00490710,?), ref: 0040A29B

Part of subcall function 00480F70: GetForegroundWindow.USER32 ref: 00480F8F
Part of subcall function 00480F70: GetWindowTextLengthA.USER32(00000000), ref: 00480F9B
Part of subcall function 00480F70: GetWindowTextA.USER32(00000000,00000000,00000001), ref: 00480FB8

Strings

dclogs\, xrefs: 00481F26, 00481F4C, 00481F6E
3 H, xrefs: 00481F16, 00481F23, 00481F30

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047EAEC, Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 149 Total matches: 19windowthread

Similarity

Total matches: 19
API ID: CreateThreadDispatchMessageGetMessageTranslateMessage
String ID: at $,xI$AI$AI$MPI$OFFLINEK$PWD$Unknow
API String ID: 994098336-2744674293
Opcode ID: 9eba81f8e67a9dabaeb5076a6d0005a8d272465a03f2cd78ec5fdf0e8a578f9a
Instruction ID: 2241c7d72abfc068c3e0d2a9a226d44f5f768712d3663902469fbf0e50918cf5
Opcode Fuzzy Hash: E81159DA27FED40AF533B93074417C781661B2B62CE5C53A24E3B38580DE83406A7F06
Instruction Fuzzy Hash: 2241c7d72abfc068c3e0d2a9a226d44f5f768712d3663902469fbf0e50918cf5

APIs

CreateThread.KERNEL32(00000000,00000000,00482028,00000000,00000000,00499F94), ref: 0047EB8D
GetMessageA.USER32(00499F5C,00000000,00000000,00000000), ref: 0047ECBF

Part of subcall function 0040BC98: GetLocalTime.KERNEL32(?), ref: 0040BCA0

Part of subcall function 0040BCC4: GetLocalTime.KERNEL32(?), ref: 0040BCCC

Part of subcall function 0041FA34: GetLastError.KERNEL32(00486514,00000004,0048650C,00000000,0041FADE,?,00499F5C), ref: 0041FA94

Part of subcall function 0041FC40: SetThreadPriority.KERNEL32(?,015CDB28,00499F5C,?,0047EC9E,?,?,?,00000000,00000000,?,0049062B), ref: 0041FC55

Part of subcall function 0041FEF0: ResumeThread.KERNEL32(?,00499F5C,?,0047ECAA,?,?,?,00000000,00000000,?,0049062B), ref: 0041FEF8

TranslateMessage.USER32(00499F5C), ref: 0047ECAD
DispatchMessageA.USER32(00499F5C), ref: 0047ECB3

Strings

OFFLINEK, xrefs: 0047EB61
,xI, xrefs: 0047EC45
AI, xrefs: 0047EB11, 0047EB3E
at , xrefs: 0047EC58
Unknow, xrefs: 0047EC0B
AI, xrefs: 0047EBFA, 0047EC04, 0047EC60
MPI, xrefs: 0047EB9D
PWD, xrefs: 0047EB26

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004458CC, Relevance: 19.9, APIs: 13, Instructions: 386 Total matches: 159window

Similarity

Total matches: 159
API ID: SetFocus$GetFocusIsWindowEnabledPostMessage$GetLastActivePopupIsWindowVisibleSendMessage
String ID:
API String ID: 914620548-0
Opcode ID: 7a550bb8e8bdfffe0a3d884064dd1348bcd58c670023c5df15e5d4cbc78359b7
Instruction ID: ae7cdb1027d949e36366800a998b34cbf022b374fa511ef6be9943eb0d4292bd
Opcode Fuzzy Hash: 79518B4165DF6212E8BB908076A3BE6604BF7C6B9ECC8DF3411D53649B3F44620EE306
Instruction Fuzzy Hash: ae7cdb1027d949e36366800a998b34cbf022b374fa511ef6be9943eb0d4292bd

APIs

Part of subcall function 00445780: SetThreadLocale.KERNEL32(00000400,?,?,?,0044593F,00000000,00445F57), ref: 004457A3

Part of subcall function 00445F90: SetActiveWindow.USER32(?), ref: 00445FB5
Part of subcall function 00445F90: IsWindowEnabled.USER32(00000000), ref: 00445FE1
Part of subcall function 00445F90: SetWindowPos.USER32(?,00000000,00000000,00000000,?,00000000,00000040), ref: 0044602B
Part of subcall function 00445F90: DefWindowProcA.USER32(?,00000112,0000F020,00000000), ref: 00446040

Part of subcall function 00446070: SetActiveWindow.USER32(?), ref: 0044608F
Part of subcall function 00446070: ShowWindow.USER32(00000000,00000009), ref: 004460B4
Part of subcall function 00446070: IsWindowEnabled.USER32(00000000), ref: 004460D3
Part of subcall function 00446070: DefWindowProcA.USER32(?,00000112,0000F120,00000000), ref: 004460EC
Part of subcall function 00446070: SetWindowPos.USER32(?,00000000,00000000,?,?,00445ABE,00000000), ref: 00446132
Part of subcall function 00446070: SetFocus.USER32(00000000), ref: 00446180

Part of subcall function 00445F74: LoadIconA.USER32(00000000,00007F00), ref: 00445F8A

PostMessageA.USER32(?,0000B001,00000000,00000000), ref: 00445BCD

Part of subcall function 00445490: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000213), ref: 004454DE

PostMessageA.USER32(?,0000B000,00000000,00000000), ref: 00445BAB
SendMessageA.USER32(?,?,?,?), ref: 00445C73

Part of subcall function 00405388: FreeLibrary.KERNEL32(00400000,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405410
Part of subcall function 00405388: ExitProcess.KERNEL32(00000000,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405448

Part of subcall function 0044641C: IsWindowEnabled.USER32(00000000), ref: 00446458

IsWindowEnabled.USER32(00000000), ref: 00445D18
IsWindowVisible.USER32(00000000), ref: 00445D2D
GetFocus.USER32 ref: 00445D41
SetFocus.USER32(00000000), ref: 00445D50
SetFocus.USER32(00000000), ref: 00445D6F
IsWindowEnabled.USER32(00000000), ref: 00445DD0
SetFocus.USER32(00000000), ref: 00445DF2
GetLastActivePopup.USER32(?), ref: 00445E0A

Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773

GetFocus.USER32 ref: 00445E4F

Part of subcall function 0043BA80: GetCurrentThreadId.KERNEL32(Function_0003BA1C,00000000,0044283C,00000000,004428BF), ref: 0043BA9A
Part of subcall function 0043BA80: EnumThreadWindows.USER32(00000000,Function_0003BA1C,00000000), ref: 0043BAA0

SetFocus.USER32(00000000), ref: 00445E70

Part of subcall function 00446A88: PostMessageA.USER32(?,0000B01F,00000000,00000000), ref: 00446BA1

Part of subcall function 004466B8: SendMessageA.USER32(?,0000B020,00000001,?), ref: 004466DC

Part of subcall function 0044665C: SendMessageA.USER32(?,0000B020,00000000,?), ref: 0044667E

Part of subcall function 0045D684: SystemParametersInfoA.USER32(00000068,00000000,015E3408,00000000), ref: 0045D6C8
Part of subcall function 0045D684: SendMessageA.USER32(?,?,00000000,00000000), ref: 0045D6DB

Part of subcall function 00445844: DefWindowProcA.USER32(?,?,?,?), ref: 0044586E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004450B4, Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 131 Total matches: 14windowregistry

Similarity

Total matches: 14
API ID: DeleteMenu$GetClassInfoGetSystemMenuRegisterClassSendMessageSetClassLongSetWindowLong
String ID: LPI$PMD
API String ID: 387369179-807424164
Opcode ID: 32fce7ee3e6ac0926511ec3e4f7c98ab685e9b31e2d706daccbfdcda0f6d1d6b
Instruction ID: d56ce0e432135cd6d309e63aa69e29fd16821da0556a9908f65c39b580e9a6e9
Opcode Fuzzy Hash: 5601A6826E8982A2E2E03082381279F408E9F8B745C34A72E50863056EEF4A4178FF06
Instruction Fuzzy Hash: d56ce0e432135cd6d309e63aa69e29fd16821da0556a9908f65c39b580e9a6e9

APIs

Part of subcall function 00421084: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 004210A2

GetClassInfoA.USER32(00400000,00444D50,?), ref: 00445113
RegisterClassA.USER32(004925FC), ref: 0044512B

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

Part of subcall function 0040857C: CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004085BB

SetWindowLongA.USER32(?,000000FC,?), ref: 004451C2
DeleteMenu.USER32(00000000,0000F010,00000000), ref: 00445235

Part of subcall function 00445F74: LoadIconA.USER32(00000000,00007F00), ref: 00445F8A

SendMessageA.USER32(?,00000080,00000001,00000000), ref: 004451E4
SetClassLongA.USER32(?,000000F2,00000000), ref: 004451F7
GetSystemMenu.USER32(?,00000000), ref: 00445202
DeleteMenu.USER32(00000000,0000F030,00000000), ref: 00445211
DeleteMenu.USER32(00000000,0000F000,00000000), ref: 0044521E

Strings

PMD, xrefs: 00445107, 0044519E
LPI, xrefs: 004450DD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045DAE0, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 103 Total matches: 45registrylibraryloader

Similarity

Total matches: 45
API ID: GlobalAddAtom$GetCurrentProcessIdGetCurrentThreadIdGetModuleHandleGetProcAddressRegisterWindowMessage
String ID: AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$USER32
API String ID: 1182141063-1126952177
Opcode ID: f8c647dae10644b7e730f5649d963eb01b1b77fd7d0b633dfddc8baab0ae74fb
Instruction ID: 6dc9b78338348dc7afd8e3f20dad2926db9f0bd5be2625dc934bf3846c6fa984
Opcode Fuzzy Hash: ED0140552F89B147427255E03449BB534B6A707F4B4CA77531B0D3A1F9AE074025FB1E
Instruction Fuzzy Hash: 6dc9b78338348dc7afd8e3f20dad2926db9f0bd5be2625dc934bf3846c6fa984

APIs

GetCurrentProcessId.KERNEL32(?,00000000,0045DC58), ref: 0045DB01
GlobalAddAtomA.KERNEL32(00000000), ref: 0045DB34
GetCurrentThreadId.KERNEL32(?,?,00000000,0045DC58), ref: 0045DB4F
GlobalAddAtomA.KERNEL32(00000000), ref: 0045DB85
RegisterWindowMessageA.USER32(00000000,00000000,?,?,00000000,0045DC58), ref: 0045DB9B

Part of subcall function 00419AB0: InitializeCriticalSection.KERNEL32(004174C8,?,?,0045DBB1,00000000,00000000,?,?,00000000,0045DC58), ref: 00419ACF

Part of subcall function 0045D6E8: SetErrorMode.KERNEL32(00008000), ref: 0045D701
Part of subcall function 0045D6E8: GetModuleHandleA.KERNEL32(USER32,00000000,0045D84E,?,00008000), ref: 0045D725
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,WINNLSEnableIME,USER32,00000000,0045D84E,?,00008000), ref: 0045D732
Part of subcall function 0045D6E8: LoadLibraryA.KERNEL32(imm32.dll), ref: 0045D74E
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D770
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D785
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D79A
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7AF
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7C4
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E), ref: 0045D7D9
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000), ref: 0045D7EE
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext), ref: 0045D803
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext), ref: 0045D818
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmNotifyIME,00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus), ref: 0045D82D
Part of subcall function 0045D6E8: SetErrorMode.KERNEL32(?,0045D855,00008000), ref: 0045D848

Part of subcall function 00443B58: GetKeyboardLayout.USER32(00000000), ref: 00443B9D
Part of subcall function 00443B58: GetDC.USER32(00000000), ref: 00443BF2
Part of subcall function 00443B58: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00443BFC
Part of subcall function 00443B58: ReleaseDC.USER32(00000000,00000000), ref: 00443C07

Part of subcall function 00444D60: LoadIconA.USER32(00400000,MAINICON), ref: 00444E57
Part of subcall function 00444D60: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON), ref: 00444E89
Part of subcall function 00444D60: OemToCharA.USER32(?,?), ref: 00444E9C
Part of subcall function 00444D60: CharNextA.USER32(?), ref: 00444EDB
Part of subcall function 00444D60: CharLowerA.USER32(00000000), ref: 00444EE1

GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,?,00000000,0045DC58), ref: 0045DC1F
GetProcAddress.KERNEL32(00000000,AnimateWindow,USER32,00000000,00000000,?,?,00000000,0045DC58), ref: 0045DC30

Strings

Delphi%.8X, xrefs: 0045DB12
ControlOfs%.8X%.8X, xrefs: 0045DB63
AnimateWindow, xrefs: 0045DC2A
USER32, xrefs: 0045DC1A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444D60, Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 135 Total matches: 14window

Similarity

Total matches: 14
API ID: CharLowerCharNextGetModuleFileNameLoadIconOemToChar
String ID: 08B$0PI$8PI$MAINICON$\tA
API String ID: 1282013903-4242882941
Opcode ID: ff2b085099440c5ca1f97a8a9a6e2422089f81c1f58cd04fd4e646ad6fccc634
Instruction ID: 1a7e1b5cc773515fc1e1ce3387cb9199d5a608ac43a7cc09dd1af1e5a3a2e712
Opcode Fuzzy Hash: 76112C42068596E4E03967743814BC96091FB95F3AEB8AB7156F570BE48F418125F31C
Instruction Fuzzy Hash: 1a7e1b5cc773515fc1e1ce3387cb9199d5a608ac43a7cc09dd1af1e5a3a2e712

APIs

LoadIconA.USER32(00400000,MAINICON), ref: 00444E57

Part of subcall function 0042B29C: GetIconInfo.USER32(?,?), ref: 0042B2BD
Part of subcall function 0042B29C: GetObjectA.GDI32(?,00000018,?), ref: 0042B2DE
Part of subcall function 0042B29C: DeleteObject.GDI32(?), ref: 0042B30A
Part of subcall function 0042B29C: DeleteObject.GDI32(?), ref: 0042B313

GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON), ref: 00444E89
OemToCharA.USER32(?,?), ref: 00444E9C
CharNextA.USER32(?), ref: 00444EDB
CharLowerA.USER32(00000000), ref: 00444EE1

Part of subcall function 00421140: GetClassInfoA.USER32(00400000,00421130,?), ref: 00421161
Part of subcall function 00421140: UnregisterClassA.USER32(00421130,00400000), ref: 0042118A
Part of subcall function 00421140: RegisterClassA.USER32(00491B50), ref: 00421194
Part of subcall function 00421140: SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 004211DF

Part of subcall function 004450B4: GetClassInfoA.USER32(00400000,00444D50,?), ref: 00445113
Part of subcall function 004450B4: RegisterClassA.USER32(004925FC), ref: 0044512B
Part of subcall function 004450B4: SetWindowLongA.USER32(?,000000FC,?), ref: 004451C2
Part of subcall function 004450B4: SendMessageA.USER32(?,00000080,00000001,00000000), ref: 004451E4
Part of subcall function 004450B4: SetClassLongA.USER32(?,000000F2,00000000), ref: 004451F7
Part of subcall function 004450B4: GetSystemMenu.USER32(?,00000000), ref: 00445202
Part of subcall function 004450B4: DeleteMenu.USER32(00000000,0000F030,00000000), ref: 00445211
Part of subcall function 004450B4: DeleteMenu.USER32(00000000,0000F000,00000000), ref: 0044521E
Part of subcall function 004450B4: DeleteMenu.USER32(00000000,0000F010,00000000), ref: 00445235

Strings

MAINICON, xrefs: 00444E4A
08B, xrefs: 00444E38
0PI, xrefs: 00444E4F, 00444E81
8PI, xrefs: 00444F14
\tA, xrefs: 00444DBF, 00444DD1, 00444DE3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00481318, Relevance: 16.0, APIs: 2, Strings: 7, Instructions: 241 Total matches: 16thread

Similarity

Total matches: 16
API ID: CreateThreadExitThread
String ID: Bytes ($,xI$:: $:: Clipboard Change : size = $FTPSIZE$FTPUPLOADK$dclogs\
API String ID: 3550501405-4171340091
Opcode ID: 09ac825b311b0dae764bb850de313dcff2ce8638679eaf641d47129c8347c1b6
Instruction ID: 18a29a8180aa3c51a0af157095e3a2943ba53103427a66675ab0ae847ae08d92
Opcode Fuzzy Hash: A8315BC70B99DEDBE522BCD838413A6446E1B4364DD4C1B224B397D4F14F09203AF712
Instruction Fuzzy Hash: 18a29a8180aa3c51a0af157095e3a2943ba53103427a66675ab0ae847ae08d92

APIs

ExitThread.KERNEL32(00000000,00000000,00481687,?,00000000,004816C3,?,?,?,?,0000000C,00000000,00000000), ref: 0048135E

Part of subcall function 00480F70: GetForegroundWindow.USER32 ref: 00480F8F
Part of subcall function 00480F70: GetWindowTextLengthA.USER32(00000000), ref: 00480F9B
Part of subcall function 00480F70: GetWindowTextA.USER32(00000000,00000000,00000001), ref: 00480FB8

Part of subcall function 0048ADCC: SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0048ADF9
Part of subcall function 0048ADCC: SHGetPathFromIDListA.SHELL32(?,?,00000000,0048AE8C,?,?,00000005,?,004856FD,00000000,00485755,?,?,00000005,00000000,00000000), ref: 0048AE09

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

Part of subcall function 0040BCC4: GetLocalTime.KERNEL32(?), ref: 0040BCCC

Part of subcall function 00480FEC: FindFirstFileA.KERNEL32(00000000,?,00000000,0048109E), ref: 0048101E

CreateThread.KERNEL32(00000000,00000000,Function_000810D4,00000000,00000000,00499F94), ref: 0048162D

Strings

FTPUPLOADK, xrefs: 0048159E
,xI, xrefs: 00481482, 0048151D
dclogs\, xrefs: 004813DB, 0048142A, 004815C7
FTPSIZE, xrefs: 004815F1
:: , xrefs: 00481492
Bytes (, xrefs: 0048153F
:: Clipboard Change : size = , xrefs: 0048152D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048B908, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 138 Total matches: 28

Similarity

Total matches: 28
API ID: GetTokenInformation$CloseHandleGetCurrentProcessOpenProcessToken
String ID: Default$Full$Limited$unknow
API String ID: 3519712506-3005279702
Opcode ID: c9e83fe5ef618880897256b557ce500f1bf5ac68e7136ff2dc4328b35d11ffd0
Instruction ID: 0b4c06dab34d27ad9d68d80be0f4d698db9405c4a95def130c1ac261927f5781
Opcode Fuzzy Hash: 94012245479DA6FB6826709C78036E90090EEA3505DC827320F1A3EA430F49906DFE03
Instruction Fuzzy Hash: 0b4c06dab34d27ad9d68d80be0f4d698db9405c4a95def130c1ac261927f5781

APIs

GetCurrentProcess.KERNEL32(00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B93E
OpenProcessToken.ADVAPI32(00000000,00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B944
GetTokenInformation.ADVAPI32(?,00000012(TokenIntegrityLevel),?,00000004,?,00000000,0048BA30,?,00000000,00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B96F
GetTokenInformation.ADVAPI32(?,00000014(TokenIntegrityLevel),?,00000004,?,?,TokenIntegrityLevel,?,00000004,?,00000000,0048BA30,?,00000000,00000008,?), ref: 0048B9DF
CloseHandle.KERNEL32(?), ref: 0048BA2A

Strings

unknow, xrefs: 0048B9B6
Limited, xrefs: 0048B9A7
Default, xrefs: 0048B989
Full, xrefs: 0048B998

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004035C4, Relevance: 15.1, APIs: 10, Instructions: 129 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: d538ecb20819965be69077a828496b76d5af3486dd71f6717b9dc933de35fdbc
Instruction ID: c976212507a0127e09b4f1878ff8970bdbefa7b4a5e526d5fabf74a192684bc9
Opcode Fuzzy Hash: DD012BC0B7E89268E42FAB84AA00FD25444979FFC9E70C74433C9615EE6742616CBE09
Instruction Fuzzy Hash: c976212507a0127e09b4f1878ff8970bdbefa7b4a5e526d5fabf74a192684bc9

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040364C
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00403670
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040368C
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 004036AD
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 004036D6
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 004036E4
GetStdHandle.KERNEL32(000000F5), ref: 0040371F
GetFileType.KERNEL32 ref: 00403735
CloseHandle.KERNEL32 ref: 00403750
GetLastError.KERNEL32(000000F5), ref: 00403768

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040EBCC, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201 Total matches: 3634thread

Similarity

Total matches: 3634
API ID: GetThreadLocale
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 1366207816-2493093252
Opcode ID: 01a36ac411dc2f0c4b9eddfafa1dc6121dabec367388c2cb1b6e664117e908cf
Instruction ID: d03f869ccb848d3c28b0e9f5c57a02ed4726818649ba9b5e70cc30c7e7abe10a
Opcode Fuzzy Hash: 7E216E09A7888936D262494C3885B9414F75F1A161EC4CBF18BB2757ED6EC60422FBFB
Instruction Fuzzy Hash: d03f869ccb848d3c28b0e9f5c57a02ed4726818649ba9b5e70cc30c7e7abe10a

APIs

Part of subcall function 0040EB08: GetThreadLocale.KERNEL32 ref: 0040EB2A
Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000004A), ref: 0040EB7D
Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000002A), ref: 0040EB8C

Part of subcall function 0040D3E8: GetThreadLocale.KERNEL32(00000000,0040D4FB,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040D404

GetThreadLocale.KERNEL32(00000000,0040EE97,?,?,00000000,00000000), ref: 0040EC02

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Part of subcall function 0040D380: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040EC7E,00000000,0040EE97,?,?,00000000,00000000), ref: 0040D393

Part of subcall function 0040D670: GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(?,00000000,0040D657,?,?,00000000), ref: 0040D5D8
Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040D657,?,?,00000000), ref: 0040D608
Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D50C,00000000,00000000,00000004), ref: 0040D613
Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040D657,?,?,00000000), ref: 0040D631
Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D548,00000000,00000000,00000003), ref: 0040D63C

Strings

AMPM , xrefs: 0040EE25
mmmm d, yyyy, xrefs: 0040ECFE
m/d/yy, xrefs: 0040ECD1
:mm, xrefs: 0040EE35
:mm:ss, xrefs: 0040EE52
AMPM, xrefs: 0040EE16

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045F5F8, Relevance: 10.6, APIs: 7, Instructions: 117 Total matches: 462file

Similarity

Total matches: 462
API ID: CloseHandle$CreateFileCreateFileMappingGetFileSizeMapViewOfFileUnmapViewOfFile
String ID:
API String ID: 4232242029-0
Opcode ID: 30b260463d44c6b5450ee73c488d4c98762007a87f67d167b52aaf6bd441c3bf
Instruction ID: 5c790fdba87d6d3a28b45298bdc34f72c373fcd78425af207109af52e92f4d8f
Opcode Fuzzy Hash: 68F028440BCCF3A7F4B5B64820427A1004AAB46B58D54BFA25495374CB89C9B04DFB53
Instruction Fuzzy Hash: 5c790fdba87d6d3a28b45298bdc34f72c373fcd78425af207109af52e92f4d8f

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateFileA.KERNEL32(00000000,80000000,00000003,00000000,00000003,08000080,00000000), ref: 0045F637
CreateFileMappingA.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0045F665
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718,?,?,?,?), ref: 0045F691
GetFileSize.KERNEL32(000000FF,00000000,00000000,0045F6DC,?,00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718), ref: 0045F6B3
UnmapViewOfFile.KERNEL32(00000000,0045F6E3,0045F6DC,?,00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718), ref: 0045F6D6
CloseHandle.KERNEL32(00000000), ref: 0045F6F4
CloseHandle.KERNEL32(000000FF), ref: 0045F712

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AFE8, Relevance: 10.6, APIs: 7, Instructions: 94 Total matches: 34sleep

Similarity

Total matches: 34
API ID: Sleep$GetCurrentProcessGetTokenInformationLookupPrivilegeDisplayNameLookupPrivilegeNameOpenProcessToken
String ID:
API String ID: 2949210484-0
Opcode ID: 1294ace95088db967643d611283e857756515b83d680ef470e886f47612abab4
Instruction ID: 080af5cb768fd98714a9d060fcd45c73de1816ca9ba7ffb4874f351f539571ee
Opcode Fuzzy Hash: F9F0F6524B5DE753F65D2A4C9893BE90250DB03424E806B22857877A8A5E195039FA2A
Instruction Fuzzy Hash: 080af5cb768fd98714a9d060fcd45c73de1816ca9ba7ffb4874f351f539571ee

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048B0F3), ref: 0048B016
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048B0F3), ref: 0048B01C
Sleep.KERNEL32(00000001,00000000,00000028,?,00000000,0048B0F3), ref: 0048B027
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B03C
Sleep.KERNEL32(00000001,?,TokenIntegrityLevel,00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B047
LookupPrivilegeNameA.ADVAPI32(00000000,00000004,00000000,000000FF), ref: 0048B094
LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,?,000000FF,?), ref: 0048B0A8

Part of subcall function 0048AEA8: GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AEFF
Part of subcall function 0048AEA8: OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF05
Part of subcall function 0048AEA8: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
Part of subcall function 0048AEA8: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000), ref: 0048AF77
Part of subcall function 0048AEA8: CloseHandle.KERNEL32(?), ref: 0048AF8D
Part of subcall function 0048AEA8: GetLastError.KERNEL32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF9A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048F888, Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 110 Total matches: 18

Similarity

Total matches: 18
API ID: CoInitialize
String ID: .dcp$DCDATA$GENCODE$MPI$NETDATA
API String ID: 2346599605-3060965071
Opcode ID: 5b2698c0d83cdaee763fcf6fdf8d4463e192853437356cece5346bd183c87f4d
Instruction ID: bf1364519f653df7cd18a9a38ec8bfca38719d83700d8c9dcdc44dde4d16a583
Opcode Fuzzy Hash: 990190478FEEC01AF2139D64387B7C100994F53F55E840B9B557D3E5A08947502BB705
Instruction Fuzzy Hash: bf1364519f653df7cd18a9a38ec8bfca38719d83700d8c9dcdc44dde4d16a583

APIs

Part of subcall function 004076D4: GetModuleHandleA.KERNEL32(00000000,?,0048F8A5,?,?,?,0000002F,00000000,00000000), ref: 004076E0

CoInitialize.OLE32(00000000), ref: 0048F8B5

Part of subcall function 0048AFE8: GetCurrentProcess.KERNEL32(00000028,?,00000000,0048B0F3), ref: 0048B016
Part of subcall function 0048AFE8: OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048B0F3), ref: 0048B01C
Part of subcall function 0048AFE8: Sleep.KERNEL32(00000001,00000000,00000028,?,00000000,0048B0F3), ref: 0048B027
Part of subcall function 0048AFE8: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B03C
Part of subcall function 0048AFE8: Sleep.KERNEL32(00000001,?,TokenIntegrityLevel,00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B047
Part of subcall function 0048AFE8: LookupPrivilegeNameA.ADVAPI32(00000000,00000004,00000000,000000FF), ref: 0048B094
Part of subcall function 0048AFE8: LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,?,000000FF,?), ref: 0048B0A8

Part of subcall function 0040F234: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0048F90F,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040F24B

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

Strings

.dcp, xrefs: 0048F92D, 0048F989
DCDATA, xrefs: 0048F8E9
NETDATA, xrefs: 0048F9B6
MPI, xrefs: 0048F8BA
GENCODE, xrefs: 0048F920, 0048F97C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B47C, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58 Total matches: 283

Similarity

Total matches: 283
API ID: MulDiv
String ID: MS Shell Dlg 2$SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes$Tahoma
API String ID: 940359406-1011973972
Opcode ID: 9f338f1e3de2c8e95426f3758bdd42744a67dcd51be80453ed6f2017c850a3af
Instruction ID: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a
Opcode Fuzzy Hash: EDE0680017C8F0ABFC32BC8A30A17CD20C9F341270C0063B1065D3D8CAAB4AC018E907
Instruction Fuzzy Hash: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a

APIs

MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0042B4A2

Part of subcall function 004217A0: RegCloseKey.ADVAPI32(10940000,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5,?,00000000,0048B2DD), ref: 004217B4

Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421A81
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421AF1
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?), ref: 00421B5C

Part of subcall function 00421770: RegFlushKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 00421781
Part of subcall function 00421770: RegCloseKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 0042178A

Part of subcall function 0042B438: GetDC.USER32(00000000), ref: 0042B441
Part of subcall function 0042B438: SelectObject.GDI32(00000000,018A002E), ref: 0042B453
Part of subcall function 0042B438: GetTextMetricsA.GDI32(00000000), ref: 0042B45E
Part of subcall function 0042B438: ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes, xrefs: 0042B4F8
MS Shell Dlg 2, xrefs: 0042B50C
Tahoma, xrefs: 0042B4C4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00480F70, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43 Total matches: 13

Similarity

Total matches: 13
API ID: GetForegroundWindowGetWindowTextGetWindowTextLength
String ID: 3 H
API String ID: 3098183346-888106971
Opcode ID: 38df64794ac19d1a41c58ddb3103a8d6ab7d810f67298610b47d21a238081d5e
Instruction ID: fd1deb06fecc2756381cd848e34cdb6bc2d530e728f99936ce181bacb4a15fce
Opcode Fuzzy Hash: 41D0A785074A821B944A95CC64011E692D4A171281D803B31CB257A5C9ED06001FA82B
Instruction Fuzzy Hash: fd1deb06fecc2756381cd848e34cdb6bc2d530e728f99936ce181bacb4a15fce

APIs

GetForegroundWindow.USER32 ref: 00480F8F
GetWindowTextLengthA.USER32(00000000), ref: 00480F9B
GetWindowTextA.USER32(00000000,00000000,00000001), ref: 00480FB8

Strings

3 H, xrefs: 00480FD4, 00480FA3, 00480FAE, 00480FBF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00421140, Relevance: 6.1, APIs: 4, Instructions: 59 Total matches: 2877registry

Similarity

Total matches: 2877
API ID: GetClassInfoRegisterClassSetWindowLongUnregisterClass
String ID:
API String ID: 1046148194-0
Opcode ID: c2411987b4f71cfd8dbf515c505d6b009a951c89100e7b51cc1a9ad4868d85a2
Instruction ID: ad09bb2cd35af243c34bf0a983bbfa5e937b059beb8f7eacfcf21e0321a204f6
Opcode Fuzzy Hash: 17E026123D08D3D6E68B3107302B30D00AC1B2F524D94E725428030310CB24B034D942
Instruction Fuzzy Hash: ad09bb2cd35af243c34bf0a983bbfa5e937b059beb8f7eacfcf21e0321a204f6

APIs

GetClassInfoA.USER32(00400000,00421130,?), ref: 00421161
UnregisterClassA.USER32(00421130,00400000), ref: 0042118A
RegisterClassA.USER32(00491B50), ref: 00421194

Part of subcall function 0040857C: CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004085BB

Part of subcall function 00421084: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 004210A2

SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 004211DF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00421808, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74 Total matches: 14registry

Similarity

Total matches: 14
API ID: RegCloseKeyRegCreateKeyEx
String ID: ddA
API String ID: 4178925417-2966775115
Opcode ID: 48d059bb8e84bc3192dc11d099b9e0818b120cb04e32a6abfd9049538a466001
Instruction ID: bcac8fa413c5abe8057b39d2fbf4054ffa52545f664d92bf1e259ce37bb87d2b
Opcode Fuzzy Hash: 99E0E5461A86A377B41BB1583001B523267EB167A6C85AB72164D3EADBAA40802DAE53
Instruction Fuzzy Hash: bcac8fa413c5abe8057b39d2fbf4054ffa52545f664d92bf1e259ce37bb87d2b

APIs

RegCreateKeyExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,000F003F,00000000,?,?,00000000,004218D4,?,?,?,00000000), ref: 0042187F
RegCloseKey.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,000F003F,00000000,?,?,00000000,004218D4,?,?,?,00000000), ref: 00421893

Strings

ddA, xrefs: 004218A7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486374, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66 Total matches: 15network

Similarity

Total matches: 15
API ID: send
String ID: #KEEPALIVE#$AI
API String ID: 2809346765-3407633610
Opcode ID: 7bd268bc54a74c8d262fb2d4f92eedc3231c4863c0e0b1ad2c3d318767d32110
Instruction ID: 49a0c3b4463e99ba8d4a2c6ba6a42864ce88c18c059a57f1afd8745127692009
Opcode Fuzzy Hash: 34E068800B79C40B586BB094394371320D2EE1171988473305F003F967CD40501E2E93
Instruction Fuzzy Hash: 49a0c3b4463e99ba8d4a2c6ba6a42864ce88c18c059a57f1afd8745127692009

APIs

send.WSOCK32(?,?,?,00000000,00000000,0048642A), ref: 004863F3

Strings

AI, xrefs: 004863A6
#KEEPALIVE#, xrefs: 00486399

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DD0C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51 Total matches: 15

Similarity

Total matches: 15
API ID: GlobalMemoryStatus
String ID: $%d%
API String ID: 1890195054-1553997471
Opcode ID: b93ee82e74eb3fdc7cf13e02b5efcaa0aef25b4b863b00f7ccdd0b9efdff76e6
Instruction ID: fe5533f6b2d125ff6ee6e2ff500c73019a28ed325643b914abb945f4eac8f20d
Opcode Fuzzy Hash: 64D05BD70F99F457A5A1718E3452FA400956F036D9CC83BB349946E99F071F80ACF612
Instruction Fuzzy Hash: fe5533f6b2d125ff6ee6e2ff500c73019a28ed325643b914abb945f4eac8f20d

APIs

GlobalMemoryStatus.KERNEL32(00000020), ref: 0048DD44

Strings

%d%, xrefs: 0048DD5C
, xrefs: 0048DD39

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482028, Relevance: 4.5, APIs: 3, Instructions: 19 Total matches: 124window

Similarity

Total matches: 124
API ID: DispatchMessageGetMessageTranslateMessage
String ID:
API String ID: 238847732-0
Opcode ID: 2bc29e822e5a19ca43f9056ef731e5d255ca23f22894fa6ffe39914f176e67d0
Instruction ID: 3635f244085e73605198e4edd337f824154064b4cabe78c039b45d2f1f3269be
Opcode Fuzzy Hash: A9B0120F8141E01F254D19651413380B5D379C3120E515B604E2340284D19031C97C49
Instruction Fuzzy Hash: 3635f244085e73605198e4edd337f824154064b4cabe78c039b45d2f1f3269be

APIs

Part of subcall function 00481ED8: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00482007,?,?,00000003,00000000,00000000,?,00482033), ref: 00481EFB
Part of subcall function 00481ED8: SetWindowsHookExA.USER32(0000000D,004818F8,00000000,00000000), ref: 00481F09

TranslateMessage.USER32 ref: 00482036
DispatchMessageA.USER32 ref: 0048203C
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00482048

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C91C, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 75 Total matches: 20

Similarity

Total matches: 20
API ID: GetVolumeInformation
String ID: %.4x:%.4x
API String ID: 1114431059-3532927987
Opcode ID: 208ca3ebf28c5cea15b573a569a7b8c9d147c1ff64dfac4d15af7b461a718bc8
Instruction ID: 4ae5e3aba91ec141201c4859cc19818ff8a02ee484ece83311eb3b9305c11bcf
Opcode Fuzzy Hash: F8E0E5410AC961EBB4D3F0883543BA2319593A3289C807B73B7467FDD64F05505DD847
Instruction Fuzzy Hash: 4ae5e3aba91ec141201c4859cc19818ff8a02ee484ece83311eb3b9305c11bcf

APIs

GetVolumeInformationA.KERNEL32(00000000,00000000,00000104,?,?,?,00000000,00000104), ref: 0048C974

Strings

%.4x:%.4x, xrefs: 0048C9B9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004221F0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47 Total matches: 18registry

Similarity

Total matches: 18
API ID: RegQueryValueEx
String ID: ldA
API String ID: 3865029661-3200660723
Opcode ID: ec304090a766059ca8447c7e950ba422bbcd8eaba57a730efadba48c404323b5
Instruction ID: 1bfdbd06430122471a07604155f074e1564294130eb9d59a974828bfc3ff2ca5
Opcode Fuzzy Hash: 87D05E281E48858525DA74D93101B522241E7193938CC3F618A4C976EB6900F018EE0F
Instruction Fuzzy Hash: 1bfdbd06430122471a07604155f074e1564294130eb9d59a974828bfc3ff2ca5

APIs

RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000), ref: 0042221B

Strings

ldA, xrefs: 00422231

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00421F68, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36 Total matches: 12registry

Similarity

Total matches: 12
API ID: RegQueryValueEx
String ID: n"B
API String ID: 3865029661-2187876772
Opcode ID: 26fd4214dafc6fead50bf7e0389a84ae86561299910b3c40f1938d96c80dcc37
Instruction ID: ad829994a2409f232093606efc953ae9cd3a3a4e40ce86781ec441e637d7f613
Opcode Fuzzy Hash: A2C08C4DAA204AD6E1B42500D481F0827816B633B9D826F400162222E3BA009A9FE85C
Instruction Fuzzy Hash: ad829994a2409f232093606efc953ae9cd3a3a4e40ce86781ec441e637d7f613

APIs

RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,00000000,n"B,?,?,?,?,00000000,0042226E), ref: 00421F9A

Strings

n"B, xrefs: 00421F81, 00421F84

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Similar Non-Executed Functions

Function 0048B42C, Relevance: 70.2, APIs: 32, Strings: 8, Instructions: 219 Total matches: 29keyboard

Similarity

Total matches: 29
API ID: keybd_event
String ID: CTRLA$CTRLC$CTRLF$CTRLP$CTRLV$CTRLX$CTRLY$CTRLZ
API String ID: 2665452162-853614746
Opcode ID: 4def22f753c7f563c1d721fcc218f3f6eb664e5370ee48361dbc989d32d74133
Instruction ID: 963b610819eac8b52ef880b5a8b69d76f76adbdeafee6c47af906d1515d6b099
Opcode Fuzzy Hash: 532196951B0CA2B978DA64817C0E195F00B969B34DEDC13128990DAF788EF08DE03F35
Instruction Fuzzy Hash: 963b610819eac8b52ef880b5a8b69d76f76adbdeafee6c47af906d1515d6b099

APIs

keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B460
keybd_event.USER32(00000041,00000045,00000001,00000000), ref: 0048B46D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B47A
keybd_event.USER32(00000041,00000045,00000003,00000000), ref: 0048B487
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B4A8
keybd_event.USER32(00000056,00000045,00000001,00000000), ref: 0048B4B5
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B4C2
keybd_event.USER32(00000056,00000045,00000003,00000000), ref: 0048B4CF
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B4F0
keybd_event.USER32(00000043,00000045,00000001,00000000), ref: 0048B4FD
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B50A
keybd_event.USER32(00000043,00000045,00000003,00000000), ref: 0048B517
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B538
keybd_event.USER32(00000058,00000045,00000001,00000000), ref: 0048B545
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B552
keybd_event.USER32(00000058,00000045,00000003,00000000), ref: 0048B55F
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B580
keybd_event.USER32(00000050,00000045,00000001,00000000), ref: 0048B58D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B59A
keybd_event.USER32(00000050,00000045,00000003,00000000), ref: 0048B5A7
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B5C8
keybd_event.USER32(0000005A,00000045,00000001,00000000), ref: 0048B5D5
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B5E2
keybd_event.USER32(0000005A,00000045,00000003,00000000), ref: 0048B5EF
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B610
keybd_event.USER32(00000059,00000045,00000001,00000000), ref: 0048B61D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B62A
keybd_event.USER32(00000059,00000045,00000003,00000000), ref: 0048B637
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B655
keybd_event.USER32(00000046,00000045,00000001,00000000), ref: 0048B662
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B66F
keybd_event.USER32(00000046,00000045,00000003,00000000), ref: 0048B67C

Strings

CTRLP, xrefs: 0048B56C
CTRLC, xrefs: 0048B4DC
CTRLV, xrefs: 0048B494
CTRLY, xrefs: 0048B5FC
CTRLF, xrefs: 0048B641
CTRLZ, xrefs: 0048B5B4
CTRLX, xrefs: 0048B524
CTRLA, xrefs: 0048B44C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00460AC0, Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99 Total matches: 300libraryloader

Similarity

Total matches: 300
API ID: GetProcAddress$GetModuleHandle
String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$[FILE]
API String ID: 1039376941-2682310058
Opcode ID: f09c306a48b0de2dd47c8210d3bd2ba449cfa3644c05cf78ba5a2ace6c780295
Instruction ID: bcfc9cd07546656776842482fc67dab96c7523a4dc8624f3bf5282ed84c56a54
Opcode Fuzzy Hash: 950151BF00AC158CCBB0CE8834EFB5324AB398984C4225F4495C6312393D9FF50A1AAA
Instruction Fuzzy Hash: bcfc9cd07546656776842482fc67dab96c7523a4dc8624f3bf5282ed84c56a54

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?,?,?), ref: 00460AD4
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?,?,?), ref: 00460AEC
GetProcAddress.KERNEL32(00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?), ref: 00460AFE
GetProcAddress.KERNEL32(00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E), ref: 00460B10
GetProcAddress.KERNEL32(00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5), ref: 00460B22
GetProcAddress.KERNEL32(00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5), ref: 00460B34
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000), ref: 00460B46
GetProcAddress.KERNEL32(00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002), ref: 00460B58
GetProcAddress.KERNEL32(00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot), ref: 00460B6A
GetProcAddress.KERNEL32(00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst), ref: 00460B7C
GetProcAddress.KERNEL32(00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext), ref: 00460B8E
GetProcAddress.KERNEL32(00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First), ref: 00460BA0
GetProcAddress.KERNEL32(00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next), ref: 00460BB2
GetProcAddress.KERNEL32(00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory), ref: 00460BC4
GetProcAddress.KERNEL32(00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First), ref: 00460BD6
GetProcAddress.KERNEL32(00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next), ref: 00460BE8
GetProcAddress.KERNEL32(00000000,Module32NextW,00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW), ref: 00460BFA

Strings

Toolhelp32ReadProcessMemory, xrefs: 00460B3E
CreateToolhelp32Snapshot, xrefs: 00460AE4
Heap32First, xrefs: 00460B1A
Thread32First, xrefs: 00460B98
Module32First, xrefs: 00460BBC
Process32FirstW, xrefs: 00460B74
Heap32Next, xrefs: 00460B2C
Process32First, xrefs: 00460B50
Module32Next, xrefs: 00460BCE
Module32NextW, xrefs: 00460BF2
Heap32ListFirst, xrefs: 00460AF6
Thread32Next, xrefs: 00460BAA
Module32FirstW, xrefs: 00460BE0
Heap32ListNext, xrefs: 00460B08
Process32NextW, xrefs: 00460B86
kernel32.dll, xrefs: 00460ACF
Process32Next, xrefs: 00460B62

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428B08, Relevance: 48.5, APIs: 32, Instructions: 500 Total matches: 1987window

Similarity

Total matches: 1987
API ID: SelectObject$SelectPalette$CreateCompatibleDCGetDIBitsGetDeviceCapsRealizePaletteSetBkColorSetTextColor$BitBltCreateBitmapCreateCompatibleBitmapCreateDIBSectionDeleteDCFillRectGetDCGetDIBColorTableGetObjectPatBltSetDIBColorTable
String ID:
API String ID: 3042800676-0
Opcode ID: b8b687cee1c9a2d9d2f26bc490dbdcc6ec68fc2f2ec1aa58312beb2e349b1411
Instruction ID: ff68489d249ea03a763d48795c58495ac11dd1cccf96ec934182865f2a9e2114
Opcode Fuzzy Hash: E051494D0D8CF5C7B4BF29880993F5211816F83A27D2AB7130975677FB8A05A05BF21D
Instruction Fuzzy Hash: ff68489d249ea03a763d48795c58495ac11dd1cccf96ec934182865f2a9e2114

APIs

GetObjectA.GDI32(00000000,00000054,?), ref: 00428B88
GetDC.USER32(00000000), ref: 00428B99
CreateCompatibleDC.GDI32(00000000), ref: 00428BAA
CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 00428BF6
CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 00428C1A
GetDeviceCaps.GDI32(00000028,0000000C), ref: 00428C6A
GetDeviceCaps.GDI32(00000028,0000000E), ref: 00428C77
SelectObject.GDI32(?,?), ref: 00428D7F

Part of subcall function 004262B4: GetObjectA.GDI32(?,00000004), ref: 004262CB
Part of subcall function 004262B4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 004262EE

SelectObject.GDI32(?,00000000), ref: 00428D21
GetDIBColorTable.GDI32(?,00000000,00000100,-00000027), ref: 00428D47
GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428D72
CreateDIBSection.GDI32(00000028,00000001,00000000,00000003,00000000,00000000), ref: 00428DD5
GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428E36

Part of subcall function 00425A70: GetLastError.KERNEL32(00000000,00425B0C), ref: 00425A90
Part of subcall function 00425A70: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00425B0C), ref: 00425AB6

SelectObject.GDI32(?,?), ref: 00428E77
SelectPalette.GDI32(?,00000000,00000000), ref: 00428EB7
RealizePalette.GDI32(?), ref: 00428EC3
SelectPalette.GDI32(?,?,000000FF), ref: 004290CE

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?,00000000), ref: 00428F14
SetTextColor.GDI32(?,00000000), ref: 00428F2C
SetBkColor.GDI32(?,00000000), ref: 00428F46
SetDIBColorTable.GDI32(?,00000000,00000002,?), ref: 00428F8E
PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 00428FB0
CreateCompatibleDC.GDI32(00000028), ref: 00428FC3
SelectObject.GDI32(?,00000000), ref: 00428FE6
SelectPalette.GDI32(?,00000000,00000000), ref: 00429002
RealizePalette.GDI32(?), ref: 0042900D
DeleteDC.GDI32(?), ref: 004290A4

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetTextColor.GDI32(?,00000000), ref: 0042902B
SetBkColor.GDI32(?,00000000), ref: 00429045
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042906D
SelectPalette.GDI32(?,00000000,000000FF), ref: 0042907F
SelectObject.GDI32(?,00000000), ref: 00429089

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047FA8C, Relevance: 44.0, APIs: 24, Strings: 1, Instructions: 241 Total matches: 15networkwindow

Similarity

Total matches: 15
API ID: GetDeviceCaps$recv$DeleteObjectSelectObject$BitBltCreateCompatibleBitmapCreateCompatibleDCGetDCReleaseDCclosesocketconnectgethostbynameinet_addrntohssendshutdownsocket
String ID: THUMB
API String ID: 1930283203-3798143851
Opcode ID: 678904e15847db7bac48336b7cf5e320d4a41031a0bc1ba33978a791cdb2d37c
Instruction ID: a6e5d2826a1bfadec34d698d0b396fa74616cd31ac2933a690057ec4ea65ec21
Opcode Fuzzy Hash: A331F900078DE76BF6722B402983F571157FF42A21E6997A34BB4676C75FC0640EB60B
Instruction Fuzzy Hash: a6e5d2826a1bfadec34d698d0b396fa74616cd31ac2933a690057ec4ea65ec21

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,0047FD80), ref: 0047FACB
ntohs.WSOCK32(00000774), ref: 0047FAEF
inet_addr.WSOCK32(015EAA88,00000774), ref: 0047FB03
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 0047FB1B
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 0047FB42
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047FB59

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047FBA9
GetDC.USER32(00000000), ref: 0047FBE3
CreateCompatibleDC.GDI32(?), ref: 0047FBEF
GetDeviceCaps.GDI32(?,0000000A), ref: 0047FBFD
GetDeviceCaps.GDI32(?,00000008), ref: 0047FC09
CreateCompatibleBitmap.GDI32(?,00000000,?), ref: 0047FC13
SelectObject.GDI32(?,?), ref: 0047FC23
GetDeviceCaps.GDI32(?,0000000A), ref: 0047FC3E
GetDeviceCaps.GDI32(?,00000008), ref: 0047FC4A
BitBlt.GDI32(?,00000000,00000000,00000000,?,00000008,00000000,?,0000000A), ref: 0047FC58
send.WSOCK32(000000FF,?,00000000,00000000,?,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010), ref: 0047FCCD
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00000000,00000000,?,000000FF,?,00002000,00000000,000000FF,?,00002000), ref: 0047FCE4
SelectObject.GDI32(?,?), ref: 0047FD08
DeleteObject.GDI32(?), ref: 0047FD11
DeleteObject.GDI32(?), ref: 0047FD1A
ReleaseDC.USER32(00000000,?), ref: 0047FD25
shutdown.WSOCK32(000000FF,00000002,00000002,00000001,00000000,00000000,0047FD80), ref: 0047FD54
closesocket.WSOCK32(000000FF,000000FF,00000002,00000002,00000001,00000000,00000000,0047FD80), ref: 0047FD5D

Strings

THUMB, xrefs: 0047FB7F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486918, Relevance: 40.8, APIs: 27, Instructions: 343 Total matches: 14networksleep

Similarity

Total matches: 14
API ID: send$recv$closesocket$Sleepconnectgethostbynamegetsocknamentohsselectsocket
String ID:
API String ID: 2478304679-0
Opcode ID: 4d87a5330adf901161e92fb1ca319a93a9e59af002049e08fc24e9f18237b9f5
Instruction ID: e3ab2fee1e4498134b0ab76971bb2098cdaeb743d0e54aa66642cb2787f17742
Opcode Fuzzy Hash: 8F5159466792D79EF5A21F00640279192F68B03F25F05DB72D63A393D8CEC4009EBF08
Instruction Fuzzy Hash: e3ab2fee1e4498134b0ab76971bb2098cdaeb743d0e54aa66642cb2787f17742

APIs

recv.WSOCK32(?,?,00000002,00000002,00000000,00486E16), ref: 00486971
recv.WSOCK32(?,00000005,?,00000000), ref: 004869A0
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 004869EE
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486A0B
recv.WSOCK32(?,?,00000259,00000000,?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486A1F
send.WSOCK32(?,00000001,00000002,00000000), ref: 00486A9E
send.WSOCK32(?,00000001,00000002,00000000), ref: 00486ABB
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486AE8
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486B02
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486B2B
recv.WSOCK32(?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486B41
recv.WSOCK32(?,?,0000000C,00000000,?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486B7C
recv.WSOCK32(?,?,?,00000000,?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486BD9
gethostbyname.WSOCK32(00000000,?,?,?,00000000,?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486BFF
ntohs.WSOCK32(?,00000000,?,?,?,00000000,?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486C29
socket.WSOCK32(00000002,00000001,00000000), ref: 00486C44
connect.WSOCK32(00000000,00000002,00000010,00000002,00000001,00000000), ref: 00486C55
getsockname.WSOCK32(00000000,?,00000010,00000000,00000002,00000010,00000002,00000001,00000000), ref: 00486CA8
send.WSOCK32(?,00000005,0000000A,00000000,00000000,?,00000010,00000000,00000002,00000010,00000002,00000001,00000000), ref: 00486CDD
select.WSOCK32(00000000,?,00000000,00000000,00000000,?,00000005,0000000A,00000000,00000000,?,00000010,00000000,00000002,00000010,00000002), ref: 00486D1D
Sleep.KERNEL32(00000096,00000000,?,00000000,00000000,00000000,?,00000005,0000000A,00000000,00000000,?,00000010,00000000,00000002,00000010), ref: 00486DCA

Part of subcall function 00408710: __WSAFDIsSet.WSOCK32(00000000,?,00000000,?,00486D36,00000000,?,00000000,00000000,00000000,00000096,00000000,?,00000000,00000000,00000000), ref: 00408718

recv.WSOCK32(00000000,?,00001000,00000000,00000000,?,00000000,00000000,00000000,00000096,00000000,?,00000000,00000000,00000000,?), ref: 00486D5B
send.WSOCK32(?,?,00000000,00000000,00000000,?,00001000,00000000,00000000,?,00000000,00000000,00000000,00000096,00000000,?), ref: 00486D72
recv.WSOCK32(?,?,00001000,00000000,00000000,?,00000000,00000000,00000000,00000096,00000000,?,00000000,00000000,00000000,?), ref: 00486DA9
send.WSOCK32(00000000,?,00000000,00000000,?,?,00001000,00000000,00000000,?,00000000,00000000,00000000,00000096,00000000,?), ref: 00486DC0
closesocket.WSOCK32(?,?,?,00000002,00000002,00000000,00486E16), ref: 00486DE2
closesocket.WSOCK32(?,?,?,?,00000002,00000002,00000000,00486E16), ref: 00486DE8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004801FC, Relevance: 35.3, APIs: 15, Strings: 5, Instructions: 286 Total matches: 15network

Similarity

Total matches: 15
API ID: recv$closesocketconnectgethostbynameinet_addrntohssendshutdownsocket
String ID: [.dll]$[.dll]$[.dll]$[.dll]$[.dll]
API String ID: 2256622448-126193538
Opcode ID: edfb90c8b4475b2781d0696b1145c1d1b84b866ec8cac18c23b2313044de0fe7
Instruction ID: 2d95426e1e6ee9a744b3e863ef1b8a7e344b36da7f7d1abd741f771f4a8a1459
Opcode Fuzzy Hash: FB414B0217AAD36BE0726F413943B8B00A2AF03E15D9C97E247B5267D69FA0501DB21A
Instruction Fuzzy Hash: 2d95426e1e6ee9a744b3e863ef1b8a7e344b36da7f7d1abd741f771f4a8a1459

APIs

socket.WSOCK32(00000002,00000001,00000000), ref: 00480264
ntohs.WSOCK32(00000774), ref: 00480288
inet_addr.WSOCK32(015EAA88,00000774), ref: 0048029C
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 004802B4
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 004802DB
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004802F2
closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004805DE

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,?,0048064C,?,00000000,?,FILETRANSFER,000000FF,?,00002000,00000000,000000FF,00000002), ref: 0048036A
recv.WSOCK32(000000FF,?,00002000,00000000,?,00000000,?,0048064C,?,FILEBOF,?,FILETRANSFER,000000FF,?,00002000,00000000), ref: 00480401

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,00000000,?,0048064C,?,FILEBOF,?,FILETRANSFER), ref: 00480451
send.WSOCK32(000000FF,?,00000000,00000000,00000000,00480523,?,000000FF,?,00002000,00000000,?,00000000,?,0048064C,?), ref: 004804DB
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00000000,00000000,00000000,00480523,?,000000FF,?,00002000,00000000,?), ref: 004804F5
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,00000000,?,0048064C,?,FILEBOF,?,FILETRANSFER), ref: 00480583

Part of subcall function 00475F68: send.WSOCK32(?,00000000,?,00000000,00000000,00475FCA), ref: 00475FAF

recv.WSOCK32(000000FF,?,00002000,00000000,?,FILETRANSFER,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004805B6
shutdown.WSOCK32(000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004805D5

Strings

FILEERR, xrefs: 00480432
FILEEOF, xrefs: 00480564
FILEBOF, xrefs: 004803A6
FILEEND, xrefs: 00480597
FILETRANSFER, xrefs: 004802FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048E06C, Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 175 Total matches: 10windowmemorythread

Similarity

Total matches: 10
API ID: SendMessage$FindWindowEx$CloseHandleFindWindowGetWindowThreadProcessIdOpenProcessReadProcessMemoryVirtualAllocVirtualAllocExVirtualFreeVirtualFreeExWriteProcessMemory
String ID: #32770$SysListView32$d"H
API String ID: 3780048337-1380996120
Opcode ID: b683118a55e5ed65f15da96e40864f63eed112dcb30155d6a8038ec0cc94ce3d
Instruction ID: 921cf0fa770e2b86772df7590f9e2c4dc5a1ffd61c2349c0eb9e10af82608242
Opcode Fuzzy Hash: AB11504A0B9C9567E83768442C43BDB1581FB13E89EB1BB93E2743758ADE811069FA43
Instruction Fuzzy Hash: 921cf0fa770e2b86772df7590f9e2c4dc5a1ffd61c2349c0eb9e10af82608242

APIs

Part of subcall function 0048DFF0: GetForegroundWindow.USER32 ref: 0048E00F
Part of subcall function 0048DFF0: GetWindowTextLengthA.USER32(00000000), ref: 0048E01B
Part of subcall function 0048DFF0: GetWindowTextA.USER32(00000000,00000000,00000001), ref: 0048E038

FindWindowA.USER32(#32770,00000000), ref: 0048E0C3
FindWindowExA.USER32(?,00000000,#32770,00000000), ref: 0048E0D8
FindWindowExA.USER32(?,00000000,SysListView32,00000000), ref: 0048E0ED
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0048E102
VirtualAlloc.KERNEL32(00000000,0000012C,00003000,00000004,?,00000000,SysListView32,00000000,00000000,0048E273,?,?,?,?), ref: 0048E12A
GetWindowThreadProcessId.USER32(?,?), ref: 0048E139
OpenProcess.KERNEL32(00000038,00000000,?,00000000,0000012C,00003000,00000004,?,00000000,SysListView32,00000000,00000000,0048E273), ref: 0048E146
VirtualAllocEx.KERNEL32(00000000,00000000,0000012C,00003000,00000004,00000038,00000000,?,00000000,0000012C,00003000,00000004,?,00000000,SysListView32,00000000), ref: 0048E158
WriteProcessMemory.KERNEL32(00000000,00000000,00000000,00000400,?,00000000,00000000,0000012C,00003000,00000004,00000038,00000000,?,00000000,0000012C,00003000), ref: 0048E18A
SendMessageA.USER32(d"H,0000102D,00000000,00000000), ref: 0048E19D
ReadProcessMemory.KERNEL32(00000000,00000000,00000000,00000400,?,d"H,0000102D,00000000,00000000,00000000,00000000,00000000,00000400,?,00000000,00000000), ref: 0048E1AE
SendMessageA.USER32(d"H,00001008,00000000,00000000), ref: 0048E219
VirtualFree.KERNEL32(00000000,00000000,00008000,d"H,00001008,00000000,00000000,00000000,00000000,00000000,00000400,?,d"H,0000102D,00000000,00000000), ref: 0048E226
VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000,00000000,00000000,00008000,d"H,00001008,00000000,00000000,00000000,00000000,00000000,00000400,?), ref: 0048E234
CloseHandle.KERNEL32(00000000), ref: 0048E23A

Strings

SysListView32, xrefs: 0048E0E2
d"H, xrefs: 0048E199, 0048E215, 0048E19C, 0048E218
#32770, xrefs: 0048E0BE, 0048E0CD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00480880, Relevance: 30.0, APIs: 12, Strings: 5, Instructions: 276 Total matches: 16network

Similarity

Total matches: 16
API ID: recv$closesocketshutdown$connectgethostbynameinet_addrntohssocket
String ID: [.dll]$[.dll]$[.dll]$[.dll]$[.dll]
API String ID: 2855376909-126193538
Opcode ID: ce8af9afc4fc20da17b49cda6627b8ca93217772cb051443fc0079949da9fcb3
Instruction ID: 6552a3c7cc817bd0bf0621291c8240d3f07fdfb759ea8c029e05bf9a4febe696
Opcode Fuzzy Hash: A5414C032767977AE1612F402881B952571BF03769DC8C7D257F6746EA5F60240EF31E
Instruction Fuzzy Hash: 6552a3c7cc817bd0bf0621291c8240d3f07fdfb759ea8c029e05bf9a4febe696

APIs

socket.WSOCK32(00000002,00000001,00000000,?,?,?,?,?,?,?,?,?,00000000,00480C86), ref: 004808B5
ntohs.WSOCK32(00000774), ref: 004808D9
inet_addr.WSOCK32(015EAA88,00000774), ref: 004808ED
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 00480905
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 0048092C
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480943
closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480C2F

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480993
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88), ref: 004809C8
shutdown.WSOCK32(000000FF,00000002,?,?,?,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000), ref: 00480B80
closesocket.WSOCK32(000000FF,000000FF,00000002,?,?,?,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?), ref: 00480B89

Part of subcall function 00480860: send.WSOCK32(?,00000000,00000001,00000000), ref: 00480879

shutdown.WSOCK32(000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480C26

Part of subcall function 00405D40: SysFreeString.OLEAUT32(?), ref: 00405D53

Strings

FILEERR, xrefs: 00480BB6
FILEBOF, xrefs: 00480A34
FILEEOF, xrefs: 00480B0B
UPLOADFILE, xrefs: 00480969
FILEEND, xrefs: 00480B6A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048851C, Relevance: 28.3, APIs: 11, Strings: 5, Instructions: 302 Total matches: 13network

Similarity

Total matches: 13
API ID: recv$closesocketconnectgethostbynameinet_addrmouse_eventntohsshutdownsocket
String ID: CONTROLIO$XLEFT$XMID$XRIGHT$XWHEEL
API String ID: 1694935655-1300867655
Opcode ID: 3d8ebbc3997d8a2a290d7fc83b0cdb9b95b23bbbcb8ad76760d2b66ee4a9946d
Instruction ID: 7e2e77316238cb3891ff65c9dc595f4b15bca55cd02a53a070d44cee5d55110c
Opcode Fuzzy Hash: C7410B051B8DD63BF4337E001883B422661FF02A24DC5ABD1ABB6766E75F40641EB74B
Instruction Fuzzy Hash: 7e2e77316238cb3891ff65c9dc595f4b15bca55cd02a53a070d44cee5d55110c

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00488943), ref: 00488581
ntohs.WSOCK32(00000774), ref: 004885A7
inet_addr.WSOCK32(015EAA88,00000774), ref: 004885BB
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 004885D3
connect.WSOCK32(?,00000002,00000010,015EAA88,00000774), ref: 004885FD
recv.WSOCK32(?,?,00002000,00000000,?,00000002,00000010,015EAA88,00000774), ref: 00488617

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(?,?,00002000,00000000,?,?,00002000,00000000,?,00000002,00000010,015EAA88,00000774), ref: 00488670
recv.WSOCK32(?,?,00002000,00000000,?,?,00002000,00000000,?,?,00002000,00000000,?,00000002,00000010,015EAA88), ref: 004886B7
mouse_event.USER32(00000800,00000000,00000000,00000000,00000000), ref: 00488743

Part of subcall function 00488F80: SetCursorPos.USER32(00000000,00000000), ref: 004890E0
Part of subcall function 00488F80: mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 004890FB
Part of subcall function 00488F80: mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 0048910A
Part of subcall function 00488F80: mouse_event.USER32(00000008,00000000,00000000,00000000,00000000), ref: 0048911B
Part of subcall function 00488F80: mouse_event.USER32(00000010,00000000,00000000,00000000,00000000), ref: 0048912A
Part of subcall function 00488F80: mouse_event.USER32(00000020,00000000,00000000,00000000,00000000), ref: 0048913B
Part of subcall function 00488F80: mouse_event.USER32(00000040,00000000,00000000,00000000,00000000), ref: 0048914A

shutdown.WSOCK32(?,00000002,00000002,00000001,00000000,00000000,00488943), ref: 00488907
closesocket.WSOCK32(?,?,00000002,00000002,00000001,00000000,00000000,00488943), ref: 00488913

Strings

XLEFT, xrefs: 004887C6
CONTROLIO, xrefs: 00488640
XRIGHT, xrefs: 0048882E
XMID, xrefs: 00488896
XWHEEL, xrefs: 00488701

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048317C, Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 191 Total matches: 13networkthread

Similarity

Total matches: 13
API ID: ExitThreadrecv$closesocketconnectgethostbynameinet_addrntohssendshutdownsocket
String ID: AI$DATAFLUX
API String ID: 321019756-425132630
Opcode ID: b7a2c89509495347fc3323384a94636a93f503423a5dcd762de1341b7d40447e
Instruction ID: d3bdd4e47b343d3b4fa6119c5e41daebd5c6236719acedab40bdc5f8245a3ecd
Opcode Fuzzy Hash: 4B214D4107AAD97AE4702A443881BA224165F535ADFD48B7147343F7D79E43205DFA4E
Instruction Fuzzy Hash: d3bdd4e47b343d3b4fa6119c5e41daebd5c6236719acedab40bdc5f8245a3ecd

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,004833A9,?,00000000,0048340F), ref: 00483247
ExitThread.KERNEL32(00000000,00000002,00000001,00000000,00000000,004833A9,?,00000000,0048340F), ref: 00483257
ntohs.WSOCK32(00000774), ref: 0048326E
inet_addr.WSOCK32(015EAA88,00000774), ref: 00483282
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 0048329A
ExitThread.KERNEL32(00000000,015EAA88,015EAA88,00000774), ref: 004832A7
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 004832C6
recv.WSOCK32(000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004832D7
ExitThread.KERNEL32(00000000,000000FF,000000FF,00000002,000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0048339A

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00000400,00000000,?,00483440,?,DATAFLUX,000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88), ref: 0048331D
send.WSOCK32(000000FF,?,00000000,00000000), ref: 0048335C
recv.WSOCK32(000000FF,?,00000400,00000000,000000FF,?,00000000,00000000), ref: 00483370
shutdown.WSOCK32(000000FF,00000002,000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00483382
closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0048338B

Strings

AI, xrefs: 00483218
DATAFLUX, xrefs: 004832E3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047F4E0, Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 295 Total matches: 16network

Similarity

Total matches: 16
API ID: recv$closesocketconnectgethostbynameinet_addrntohsshutdownsocket
String ID: [.dll]$PLUGIN$QUICKUP
API String ID: 3502134677-2029499634
Opcode ID: e0335874fa5fb0619f753044afc16a0783dc895853cb643f68a57d403a54b849
Instruction ID: e53faec40743fc20efac8ebff3967ea6891c829de5991c2041a7f36387638ce7
Opcode Fuzzy Hash: 8E4129031BAAEA76E1723F4029C2B851A62EF12635DC4C7E287F6652D65F60241DF60E
Instruction Fuzzy Hash: e53faec40743fc20efac8ebff3967ea6891c829de5991c2041a7f36387638ce7

APIs

socket.WSOCK32(00000002,00000001,00000000,?,00000000,0047F930,?,?,?,?,00000000,00000000), ref: 0047F543
ntohs.WSOCK32(00000774), ref: 0047F567
inet_addr.WSOCK32(015EAA88,00000774), ref: 0047F57B
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 0047F593
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F5BA
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F5D1
closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F8C2

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,?,0047F968,?,0047F968,?,QUICKUP,000000FF,?,00002000,00000000,000000FF,00000002), ref: 0047F63F
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,0047F968,?,0047F968,?,QUICKUP,000000FF,?), ref: 0047F66F

Part of subcall function 0047F4C0: send.WSOCK32(?,00000000,00000001,00000000), ref: 0047F4D9

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,0047F968,?,0047F968), ref: 0047F859

Part of subcall function 0048ADCC: SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0048ADF9
Part of subcall function 0048ADCC: SHGetPathFromIDListA.SHELL32(?,?,00000000,0048AE8C,?,?,00000005,?,004856FD,00000000,00485755,?,?,00000005,00000000,00000000), ref: 0048AE09

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,0047F968,?,0047F968), ref: 0047F786

Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EEA0
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF11
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EF31
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF60
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0047EF96
Part of subcall function 0047EE3C: SetFileAttributesA.KERNEL32(00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFD6
Part of subcall function 0047EE3C: DeleteFileA.KERNEL32(00000000,00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFFF
Part of subcall function 0047EE3C: CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0047F033
Part of subcall function 0047EE3C: PlaySoundA.WINMM(00000000,00000000,00000001,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047F059
Part of subcall function 0047EE3C: CopyFileA.KERNEL32(00000000,00000000,.dcp), ref: 0047F0D1

shutdown.WSOCK32(000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F8B9

Part of subcall function 00405D40: SysFreeString.OLEAUT32(?), ref: 00405D53

Strings

PLUGIN, xrefs: 0047F527
QUICKUP, xrefs: 0047F5DD
FILEEND, xrefs: 0047F7E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00489244, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 150 Total matches: 15networkthread

Similarity

Total matches: 15
API ID: recv$ExitThreadclosesocketconnectgethostbynameinet_addrntohssendshutdownsocket
String ID: AI$DATAFLUX
API String ID: 272284131-425132630
Opcode ID: 11f7e99e0a7c1cc561ab01f1b1abb0142bfc906553ec9d79ada03e9cf39adde9
Instruction ID: 4d7be339f0e68e68ccf0b59b667884dcbebc6bd1e5886c9405f519ae2503b2a6
Opcode Fuzzy Hash: DA115B4513B9A77BE0626F943842B6265236B02E3CF498B3153B83A3C6DF41146DFA4D
Instruction Fuzzy Hash: 4d7be339f0e68e68ccf0b59b667884dcbebc6bd1e5886c9405f519ae2503b2a6

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00489441), ref: 004892BA
ntohs.WSOCK32(00000774), ref: 004892DC
inet_addr.WSOCK32(015EAA88,00000774), ref: 004892F0
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 00489308
connect.WSOCK32(00000000,00000002,00000010,015EAA88,00000774), ref: 0048932C
recv.WSOCK32(00000000,?,00000400,00000000,00000000,00000002,00000010,015EAA88,00000774), ref: 00489340

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(00000000,?,00000400,00000000,?,0048946C,?,DATAFLUX,00000000,?,00000400,00000000,00000000,00000002,00000010,015EAA88), ref: 00489399
send.WSOCK32(00000000,?,00000000,00000000), ref: 004893E3
recv.WSOCK32(00000000,?,00000400,00000000,00000000,?,00000000,00000000), ref: 004893FA
shutdown.WSOCK32(00000000,00000002,00000002,00000001,00000000,00000000,00489441), ref: 00489409
closesocket.WSOCK32(00000000,00000000,00000002,00000002,00000001,00000000,00000000,00489441), ref: 0048940F
ExitThread.KERNEL32(00000000,00000000,00000000,00000002,00000002,00000001,00000000,00000000,00489441), ref: 0048941E

Strings

DATAFLUX, xrefs: 0048934C
AI, xrefs: 0048928B

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00406A68, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 139 Total matches: 2934stringlibraryfile

Similarity

Total matches: 2934
API ID: lstrcpyn$lstrlen$FindCloseFindFirstFileGetModuleHandleGetProcAddress
String ID: GetLongPathNameA$\$[FILE]
API String ID: 3661757112-3025972186
Opcode ID: 09af6d4fb3ce890a591f7b23fb756db22e1cbc03564fc0e4437be3767da6793e
Instruction ID: b14d932b19fc4064518abdddbac2846d3fd2a245794c3c1ecc53a3c556f9407d
Opcode Fuzzy Hash: 5A0148030E08E387E1775B017586F4A12A1EF41C38E98A36025F15BAC94E00300CF12F
Instruction Fuzzy Hash: b14d932b19fc4064518abdddbac2846d3fd2a245794c3c1ecc53a3c556f9407d

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,00400000,004917C0), ref: 00406A85
GetProcAddress.KERNEL32(?,GetLongPathNameA,kernel32.dll,?,00400000,004917C0), ref: 00406A9C
lstrcpynA.KERNEL32(?,?,?,?,00400000,004917C0), ref: 00406ACC
lstrcpynA.KERNEL32(?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B30

Part of subcall function 00406A48: CharNextA.USER32(?), ref: 00406A4F

lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B66
FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B79
FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B8B
lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B97
lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000), ref: 00406BCB
lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00406BD7
lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 00406BF9

Strings

GetLongPathNameA, xrefs: 00406A93
\, xrefs: 00406BA9
kernel32.dll, xrefs: 00406A80

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486E2C, Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 178 Total matches: 14networkthreadsleep

Similarity

Total matches: 14
API ID: CloseHandleCreateThreadExitThreadLocalAllocSleepacceptbindlistenntohssocket
String ID: ERR|Cannot listen to port, try another one..|$ERR|Socket error..|$OK|Successfully started..|
API String ID: 2137491959-3262568804
Opcode ID: 90fb1963c21165c4396d73d063bf7afe9f22d057a02fd569e7e66b2d14a70f73
Instruction ID: 0fda09cc725898a8dcbc65afb209be10fac5e25cc35172c883d426d9189e88b6
Opcode Fuzzy Hash: 9011D50257DC549BD5E7ACC83887FA611625F83E8CEC8BB06AB9A3B2C10E555028B652
Instruction Fuzzy Hash: 0fda09cc725898a8dcbc65afb209be10fac5e25cc35172c883d426d9189e88b6

APIs

socket.WSOCK32(00000002,00000001,00000006,00000000,00487046), ref: 00486E87
ntohs.WSOCK32(?,00000002,00000001,00000006,00000000,00487046), ref: 00486EA8
bind.WSOCK32(00000000,00000002,00000010,?,00000002,00000001,00000006,00000000,00487046), ref: 00486EBD
listen.WSOCK32(00000000,00000005,00000000,00000002,00000010,?,00000002,00000001,00000006,00000000,00487046), ref: 00486ECD

Part of subcall function 004870D4: EnterCriticalSection.KERNEL32(0049C3A8,00000000,004872FC,?,?,00000000,?,00000003,00000000,00000000,?,00486F27,00000000,?,?,00000000), ref: 00487110
Part of subcall function 004870D4: LeaveCriticalSection.KERNEL32(0049C3A8,004872E1,004872FC,?,?,00000000,?,00000003,00000000,00000000,?,00486F27,00000000,?,?,00000000), ref: 004872D4

accept.WSOCK32(00000000,?,00000010,00000000,?,?,00000000,00000000,00000005,00000000,00000002,00000010,?,00000002,00000001,00000006), ref: 00486F37
LocalAlloc.KERNEL32(00000040,00000010,00000000,?,00000010,00000000,?,?,00000000,00000000,00000005,00000000,00000002,00000010,?,00000002), ref: 00486F49
CreateThread.KERNEL32(00000000,00000000,Function_00086918,00000000,00000000,?), ref: 00486F83
CloseHandle.KERNEL32(00000000), ref: 00486F89
Sleep.KERNEL32(00000064,00000000,00000000,00000000,Function_00086918,00000000,00000000,?,00000040,00000010,00000000,?,00000010,00000000,?,?), ref: 00486FD0

Part of subcall function 00487488: EnterCriticalSection.KERNEL32(0049C3A8,00000000,00487671,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00487016), ref: 004874B5
Part of subcall function 00487488: closesocket.WSOCK32(00000000,FpH,?,?,?,?,0049C3A8,00000000,00487671,?,?,00000000,?,00000000,00000000,00000000), ref: 0048761C
Part of subcall function 00487488: LeaveCriticalSection.KERNEL32(0049C3A8,00487656,00487671,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00487016), ref: 00487649

ExitThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000010,?,00000002,00000001,00000006,00000000,00487046), ref: 00487018

Strings

ERR|Socket error..|, xrefs: 00486FA4
OK|Successfully started..|, xrefs: 00486EEF
ERR|Cannot listen to port, try another one..|, xrefs: 00486FEE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048298C, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 119 Total matches: 11threadnetwork

Similarity

Total matches: 11
API ID: ExitThread$closesocket$connectgethostbynameinet_addrntohssocket
String ID: PortScanAdd$T)H
API String ID: 2395914352-1310557750
Opcode ID: 6c3104e507475618e3898607272650a69bca6dc046555386402c23f344340102
Instruction ID: 72399fd579b68a6a0bb22d5de318f24183f317e071505d54d2110904ee01d501
Opcode Fuzzy Hash: 1101680197ABE83FA05261C43881B8224A9AF57288CC8AFB2433A3E7C35D04300EF785
Instruction Fuzzy Hash: 72399fd579b68a6a0bb22d5de318f24183f317e071505d54d2110904ee01d501

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 004829FE
ExitThread.KERNEL32(00000000,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A0C
ntohs.WSOCK32(?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A18
inet_addr.WSOCK32(00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A2A
gethostbyname.WSOCK32(00000000,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A40
ExitThread.KERNEL32(00000000,00000000,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A4D
connect.WSOCK32(00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A63
ExitThread.KERNEL32(00000000,00000000,00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482AB2

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

closesocket.WSOCK32(00000000,?,00482B30,?,PortScanAdd,00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1), ref: 00482A9C
ExitThread.KERNEL32(00000000,00000000,?,00482B30,?,PortScanAdd,00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1), ref: 00482AA3
closesocket.WSOCK32(00000000,00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482AAB

Strings

T)H, xrefs: 004829A6, 00482AEF
PortScanAdd, xrefs: 00482A6C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004836D8, Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 99 Total matches: 11threadnetworksleep

Similarity

Total matches: 11
API ID: ExitThread$Sleepclosesocketconnectgethostbynameinet_addrntohsrecvsocket
String ID: POST /index.php/1.0Host:
API String ID: 2628901859-3522423011
Opcode ID: b04dd301db87c41df85ba2753455f3376e44383b7eb4be01a122875681284b07
Instruction ID: dc3bae1cbba1b9e51a9e3778eeee895e0839b03ccea3d6e2fe0063a405e053e2
Opcode Fuzzy Hash: E6F044005B779ABFC4611EC43C51B8205AA9353A64F85ABE2867A3AED6AD25100FF641
Instruction Fuzzy Hash: dc3bae1cbba1b9e51a9e3778eeee895e0839b03ccea3d6e2fe0063a405e053e2

APIs

socket.WSOCK32(00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 0048373A
ExitThread.KERNEL32(00000000,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 00483747
inet_addr.WSOCK32(?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 00483762
ntohs.WSOCK32(00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 0048376B
gethostbyname.WSOCK32(?,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 0048377B
ExitThread.KERNEL32(00000000,?,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 00483788
connect.WSOCK32(00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 0048379E
ExitThread.KERNEL32(00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 004837A9

Part of subcall function 00475F68: send.WSOCK32(?,00000000,?,00000000,00000000,00475FCA), ref: 00475FAF

recv.WSOCK32(00000000,?,00000400,00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ), ref: 004837C7
Sleep.KERNEL32(000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000,?), ref: 004837DF
closesocket.WSOCK32(00000000,000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000), ref: 004837E5
ExitThread.KERNEL32(00000000,00000000,000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854), ref: 004837EC

Strings

POST /index.php/1.0Host: , xrefs: 00483708

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482630, Relevance: 18.1, APIs: 12, Instructions: 116 Total matches: 16threadnetworksleep

Similarity

Total matches: 16
API ID: ExitThread$Sleepclosesocketconnectgethostbynameinet_addrntohsrecvsocket
String ID:
API String ID: 2628901859-0
Opcode ID: a3aaf1e794ac1aa69d03c8f9e66797259df72f874d13839bb17dd00c6b42194d
Instruction ID: ff6d9d03150e41bc14cdbddfb540e41f41725cc753a621d047e760d4192c390a
Opcode Fuzzy Hash: 7801D0011B764DBFC4611E846C8239311A7A763899DC5EBB1433A395D34E00202DFE46
Instruction Fuzzy Hash: ff6d9d03150e41bc14cdbddfb540e41f41725cc753a621d047e760d4192c390a

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000000,004827A8), ref: 004826CB
ExitThread.KERNEL32(00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 004826D8
inet_addr.WSOCK32(00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 004826F3
ntohs.WSOCK32(00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 004826FC
gethostbyname.WSOCK32(00000000,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 0048270C
ExitThread.KERNEL32(00000000,00000000,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 00482719
connect.WSOCK32(00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 0048272F
ExitThread.KERNEL32(00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 0048273A

Part of subcall function 004824B0: send.WSOCK32(?,?,00000400,00000000,00000000,00482542), ref: 00482525

recv.WSOCK32(00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 00482758
Sleep.KERNEL32(000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 00482770
closesocket.WSOCK32(00000000,000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000), ref: 00482776
ExitThread.KERNEL32(00000000,00000000,000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?), ref: 0048277D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004821A0, Relevance: 15.1, APIs: 10, Instructions: 112 Total matches: 15threadnetworksleep

Similarity

Total matches: 15
API ID: ExitThread$Sleepclosesocketgethostbynameinet_addrntohssendtosocket
String ID:
API String ID: 1359030137-0
Opcode ID: 9f2e935b6ee09f04cbe2534d435647e5a9c7a25d7308ce71f3340d3606cd1e00
Instruction ID: ac1de70ce42b68397a6b2ea81eb33c5fd22f812bdd7d349b67f520e68fdd8bef
Opcode Fuzzy Hash: BC0197011B76997BD8612EC42C8335325A7E363498E85ABB2863A3A5C34E00303EFD4A
Instruction Fuzzy Hash: ac1de70ce42b68397a6b2ea81eb33c5fd22f812bdd7d349b67f520e68fdd8bef

APIs

socket.WSOCK32(00000002,00000002,00000000,?,00000000,00482302), ref: 0048223B
ExitThread.KERNEL32(00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 00482248
inet_addr.WSOCK32(00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 00482263
ntohs.WSOCK32(00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 0048226C
gethostbyname.WSOCK32(00000000,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 0048227C
ExitThread.KERNEL32(00000000,00000000,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 00482289
sendto.WSOCK32(00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 004822B2
Sleep.KERNEL32(000003E8,00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 004822CA
closesocket.WSOCK32(00000000,000003E8,00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 004822D0
ExitThread.KERNEL32(00000000,00000000,000003E8,00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000), ref: 004822D7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00458910, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64 Total matches: 3020window

Similarity

Total matches: 3020
API ID: GetWindowLongScreenToClient$GetWindowPlacementGetWindowRectIsIconic
String ID: ,
API String ID: 816554555-3772416878
Opcode ID: 33713ad712eb987f005f3c933c072ce84ce87073303cb20338137d5b66c4d54f
Instruction ID: 99fb2dd3f2d8984d329dcc6a20dc6bc7800d43894b91fc45d581d88d3a180e50
Opcode Fuzzy Hash: 34E0929A777C2018C58145A80943F5DB3519B5B7FAC55DF8036902895B110018B1B86D
Instruction Fuzzy Hash: 99fb2dd3f2d8984d329dcc6a20dc6bc7800d43894b91fc45d581d88d3a180e50

APIs

IsIconic.USER32(?), ref: 0045891F
GetWindowPlacement.USER32(?,0000002C), ref: 0045893C
GetWindowRect.USER32(?), ref: 00458955
GetWindowLongA.USER32(?,000000F0), ref: 00458963
GetWindowLongA.USER32(?,000000F8), ref: 00458978
ScreenToClient.USER32(00000000), ref: 00458985
ScreenToClient.USER32(00000000,?), ref: 00458990

Strings

,, xrefs: 00458928

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043B7D8, Relevance: 12.1, APIs: 8, Instructions: 72 Total matches: 256window

Similarity

Total matches: 256
API ID: ShowWindow$SetWindowLong$GetWindowLongIsIconicIsWindowVisible
String ID:
API String ID: 1329766111-0
Opcode ID: 851ee31c2da1c7e890e66181f8fd9237c67ccb8fd941b2d55d1428457ca3ad95
Instruction ID: 2d601e2c9dde570a1438639cb57e59d23a7ac9434ebe8ec1c9926e4533b8e8e7
Opcode Fuzzy Hash: FEE0684A6E7C6CE4E26AE7048881B00514BE307A17DC00B00C722165A69E8830E4AC8E
Instruction Fuzzy Hash: 2d601e2c9dde570a1438639cb57e59d23a7ac9434ebe8ec1c9926e4533b8e8e7

APIs

GetWindowLongA.USER32(?,000000EC), ref: 0043B7E8
IsIconic.USER32(?), ref: 0043B800
IsWindowVisible.USER32(?), ref: 0043B80C
ShowWindow.USER32(?,00000000), ref: 0043B840
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B855
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B866
ShowWindow.USER32(?,00000006), ref: 0043B881
ShowWindow.USER32(?,00000005), ref: 0043B88B

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004389B4, Relevance: 10.9, APIs: 7, Instructions: 405 Total matches: 2150windowCrypto

Similarity

Total matches: 2150
API ID: RestoreDCSaveDC$DefWindowProcGetSubMenuGetWindowDC
String ID:
API String ID: 4165311318-0
Opcode ID: e3974ea3235f2bde98e421c273a503296059dbd60f3116d5136c6e7e7c4a4110
Instruction ID: 37498faecac08611daeb58a409bdd2e28f3aff22c71556953c3d6c7203dc42a1
Opcode Fuzzy Hash: E351598106AE105BFCB3A49435C3FA31002E75259BCC9F7725F65B69F70A426107FA0E
Instruction Fuzzy Hash: 37498faecac08611daeb58a409bdd2e28f3aff22c71556953c3d6c7203dc42a1

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 00438ECA

Part of subcall function 00437AE0: SendMessageA.USER32(?,00000234,00000000,00000000), ref: 00437B66
Part of subcall function 00437AE0: DrawMenuBar.USER32(00000000), ref: 00437B77

GetSubMenu.USER32(?,?), ref: 00438AB0

Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128

SaveDC.GDI32(?), ref: 00438C84
RestoreDC.GDI32(?,?), ref: 00438CF8
GetWindowDC.USER32(?), ref: 00438D72
SaveDC.GDI32(?), ref: 00438DA9
RestoreDC.GDI32(?,?), ref: 00438E16

Part of subcall function 00438594: GetMenuItemCount.USER32(?), ref: 004385C0
Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 004385E0
Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 00438678

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043E644, Relevance: 10.9, APIs: 7, Instructions: 356 Total matches: 105windowCrypto

Similarity

Total matches: 105
API ID: RestoreDCSaveDC$GetParentGetWindowDCSetFocus
String ID:
API String ID: 1433148327-0
Opcode ID: c7c51054c34f8cc51c1d37cc0cdfc3fb3cac56433bd5d750a0ee7df42f9800ec
Instruction ID: 9e67841575b56d9a11e2d3f15b67e7abce699d8469a9871b1b2609441fc85f19
Opcode Fuzzy Hash: 60514740199E7193F47720842BC3BEAB09AF79671DC40F3616BC6318877F15A21AB70B
Instruction Fuzzy Hash: 9e67841575b56d9a11e2d3f15b67e7abce699d8469a9871b1b2609441fc85f19

APIs

Part of subcall function 00448224: SetActiveWindow.USER32(?), ref: 0044823F
Part of subcall function 00448224: SetFocus.USER32(00000000), ref: 00448289

SetFocus.USER32(00000000), ref: 0043E76F

Part of subcall function 0043F4F4: SendMessageA.USER32(00000000,00000229,00000000,00000000), ref: 0043F51B

Part of subcall function 0044D2F4: GetWindowThreadProcessId.USER32(?), ref: 0044D301
Part of subcall function 0044D2F4: GetCurrentProcessId.KERNEL32(?,00000000,?,004387ED,?,004378A9), ref: 0044D30A
Part of subcall function 0044D2F4: GlobalFindAtomA.KERNEL32(00000000), ref: 0044D31F
Part of subcall function 0044D2F4: GetPropA.USER32(?,00000000), ref: 0044D336

GetParent.USER32(?), ref: 0043E78A

Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128

SaveDC.GDI32(?), ref: 0043E92D
RestoreDC.GDI32(?,?), ref: 0043E99E
GetWindowDC.USER32(00000000), ref: 0043EA0A
SaveDC.GDI32(?), ref: 0043EA41
RestoreDC.GDI32(?,?), ref: 0043EAA5

Part of subcall function 00447EF0: InvalidateRect.USER32(00000000,00000000,000000FF), ref: 00447F83
Part of subcall function 00447EF0: InvalidateRect.USER32(00000000,00000000,000000FF), ref: 00447FB6

Part of subcall function 004556F4: SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000077), ref: 004557E5
Part of subcall function 004556F4: _TrackMouseEvent.COMCTL32(00000010), ref: 00455A9D
Part of subcall function 004556F4: DefWindowProcA.USER32(00000000,?,?,?), ref: 00455AEF
Part of subcall function 004556F4: GetCapture.USER32 ref: 00455B5A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00471850, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 97 Total matches: 34service

Similarity

Total matches: 34
API ID: CloseServiceHandle$CreateServiceOpenSCManager
String ID: Description$System\CurrentControlSet\Services\
API String ID: 2405299899-3489731058
Opcode ID: 96e252074fe1f6aca618bd4c8be8348df4b99afc93868a54bf7090803d280f0a
Instruction ID: 14b9cf690ce9596509c6229b802a5a61d158de39c8e329de654368bbb4824ff8
Opcode Fuzzy Hash: 7EF09E441FA6E84FA45EB84828533D651465713A78D4C77F19778379C34E84802EF662
Instruction Fuzzy Hash: 14b9cf690ce9596509c6229b802a5a61d158de39c8e329de654368bbb4824ff8

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,00471976,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00471890
CreateServiceA.ADVAPI32(00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,0047193B), ref: 004718D1

Part of subcall function 004711E8: RegCreateKeyA.ADVAPI32(?,00000000,?), ref: 0047122E
Part of subcall function 004711E8: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000002,00000000,?,00000000,00471291), ref: 0047125A
Part of subcall function 004711E8: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000002,00000000,?,00000000,00471291), ref: 00471269

CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00471926
CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0047192C

Strings

Description, xrefs: 00471916
System\CurrentControlSet\Services\, xrefs: 004718F7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004714B8, Relevance: 10.6, APIs: 7, Instructions: 89 Total matches: 71service

Similarity

Total matches: 71
API ID: CloseServiceHandle$ControlServiceOpenSCManagerOpenServiceQueryServiceStatusStartService
String ID:
API String ID: 3657116338-0
Opcode ID: 1e9d444eec48d0e419340f6fec950ff588b94c8e7592a950f99d2ba7664d31f8
Instruction ID: f731b938185626ba78ad74946a73eac4c40bc8709c87a2b6d5c22da45b1e1850
Opcode Fuzzy Hash: EDF0270D12C6E85FF119A88C1181B67D992DF56795E4A37E04715744CB1AE21008FA1E
Instruction Fuzzy Hash: f731b938185626ba78ad74946a73eac4c40bc8709c87a2b6d5c22da45b1e1850

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047159E), ref: 004714FD
OpenServiceA.ADVAPI32(00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047152D
StartServiceA.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471555
ControlService.ADVAPI32(00000000,00000001,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471563
QueryServiceStatus.ADVAPI32(00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047156D
CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471573
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471579

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A070, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51 Total matches: 81shutdown

Similarity

Total matches: 81
API ID: AdjustTokenPrivilegesExitWindowsExGetCurrentProcessLookupPrivilegeValueOpenProcessToken
String ID: SeShutdownPrivilege
API String ID: 907618230-3733053543
Opcode ID: 6325c351eeb4cc5a7ec0039467aea46e8b54e3429b17674810d590d1af91e24f
Instruction ID: 66577e1e564058a64f67eda116e8e082f314cb3670dbe1b8773e92ba7f33d392
Opcode Fuzzy Hash: 84D0124D3B7976B1F31D5D4001C47A6711FDBA322AD61670069507725A8DA091F4BE88
Instruction Fuzzy Hash: 66577e1e564058a64f67eda116e8e082f314cb3670dbe1b8773e92ba7f33d392

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 0048A083
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0048A089
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000000), ref: 0048A0A4
AdjustTokenPrivileges.ADVAPI32(00000002,00000000,00000002,00000010,?,?,00000000), ref: 0048A0E5
ExitWindowsEx.USER32(00000012,00000000), ref: 0048A0ED

Strings

SeShutdownPrivilege, xrefs: 0048A09D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E370, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 46 Total matches: 14window

Similarity

Total matches: 14
API ID: GetWindowPlacementGetWindowRectIsIconic
String ID: MonitorFromWindow$pB
API String ID: 1187573753-2555291889
Opcode ID: b2662cef33c9ce970c581efdfdde34e0c8b40e940518fa378c404c4b73bde14f
Instruction ID: 5a6b2a18135ea14e651d4e6cb58f3d6b41c3321aed1c605d56f3d84144375520
Opcode Fuzzy Hash: E2D0977303280A045DC34844302880B2A322AD3C3188C3FE182332B3D34B8630BCCF1D
Instruction Fuzzy Hash: 5a6b2a18135ea14e651d4e6cb58f3d6b41c3321aed1c605d56f3d84144375520

APIs

IsIconic.USER32(?), ref: 0042E3B9
GetWindowPlacement.USER32(?,?), ref: 0042E3C7
GetWindowRect.USER32(?,?), ref: 0042E3D3

Part of subcall function 0042E2E0: GetSystemMetrics.USER32(00000000), ref: 0042E331
Part of subcall function 0042E2E0: GetSystemMetrics.USER32(00000001), ref: 0042E33D

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

pB, xrefs: 0042E38C, 0042E399, 0042E3A0
MonitorFromWindow, xrefs: 0042E387

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004715B0, Relevance: 7.5, APIs: 5, Instructions: 49 Total matches: 102service

Similarity

Total matches: 102
API ID: CloseServiceHandle$DeleteServiceOpenSCManagerOpenService
String ID:
API String ID: 3460840894-0
Opcode ID: edfa3289dfdb26ec1f91a4a945de349b204e0a604ed3354c303b362bde8b8223
Instruction ID: 514bcffe4070602af344c66095507f6a8d55ec3e3e7bb18c804bf3b7deea95f5
Opcode Fuzzy Hash: 01D02E841BA8F82FD4879988111239360C1AA23A90D8A37F08E08361D3ABE4004CF86A
Instruction Fuzzy Hash: 514bcffe4070602af344c66095507f6a8d55ec3e3e7bb18c804bf3b7deea95f5

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047162F), ref: 004715DB
OpenServiceA.ADVAPI32(00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 004715F5
DeleteService.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471601
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 0047160E
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471614

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474D58, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 57 Total matches: 14memoryinjection

Similarity

Total matches: 14
API ID: VirtualAllocExWriteProcessMemory
String ID: DCPERSFWBP$[FILE]
API String ID: 1899012086-3297815924
Opcode ID: 423b64deca3bc68d45fc180ef4fe9512244710ab636da43375ed106f5e876429
Instruction ID: 67bfdac44fec7567ab954589a4a4ae8848f6352de5e33de26bc6a5b7174d46b5
Opcode Fuzzy Hash: 4BD02B4149BDE17FF94C78C4A85678341A7D3173DCE802F51462633086CD94147EFCA2
Instruction Fuzzy Hash: 67bfdac44fec7567ab954589a4a4ae8848f6352de5e33de26bc6a5b7174d46b5

APIs

VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?,00000000,00000000,00000000,?,004755A7), ref: 00474D98
WriteProcessMemory.KERNEL32(?,00000000,kernel32.dll,?,?,?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?), ref: 00474DBE

Strings

DCPERSFWBP, xrefs: 00474D63
kernel32.dll, xrefs: 00474DBB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00466038, Relevance: 6.1, APIs: 4, Instructions: 80 Total matches: 74memory

Similarity

Total matches: 74
API ID: FreeLibraryGetProcessHeapHeapFreeVirtualFree
String ID:
API String ID: 3842653680-0
Opcode ID: 18c634abe08efcbefc55c9db1d620b030a08f63fe7277eb6ecf1dfb863243027
Instruction ID: c74000fe1f08e302fb3e428a7eb38cba65dd626a731774cc3da5921c0d19fb8b
Opcode Fuzzy Hash: 05E06801058482C6E4EC38C40607F0867817F8B269D70AB2809F62E7F7C985A25D5E80
Instruction Fuzzy Hash: c74000fe1f08e302fb3e428a7eb38cba65dd626a731774cc3da5921c0d19fb8b

APIs

FreeLibrary.KERNEL32(00000000,?,?,00000000,?,00000000,00465C6C), ref: 004660A7
VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,?,00000000,00465C6C), ref: 004660D8
GetProcessHeap.KERNEL32(00000000,?,?,?,00000000,?,00000000,00465C6C), ref: 004660E0
HeapFree.KERNEL32(00000000,00000000,?), ref: 004660E6

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A218, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45 Total matches: 35

Similarity

Total matches: 35
API ID: ShellExecuteEx
String ID: <$runas
API String ID: 188261505-1187129395
Opcode ID: 78fd917f465efea932f782085a819b786d64ecbded851ad2becd4a9c2b295cba
Instruction ID: 699417cfffd9d2823bf050fc300394e0ca4864bf277244f982f3937778f2d3bc
Opcode Fuzzy Hash: 44D0C2651799A06BC4A3B2C03C41B2B25307B13B48C0EB722960034CD38F080009EF85
Instruction Fuzzy Hash: 699417cfffd9d2823bf050fc300394e0ca4864bf277244f982f3937778f2d3bc

APIs

ShellExecuteExA.SHELL32(0000003C,00000000,0048A2A4), ref: 0048A283

Strings

runas, xrefs: 0048A268
<, xrefs: 0048A24C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00471640, Relevance: 4.6, APIs: 3, Instructions: 140 Total matches: 47service

Similarity

Total matches: 47
API ID: CloseServiceHandleEnumServicesStatusOpenSCManager
String ID:
API String ID: 233299287-0
Opcode ID: 185c547a2e6a35dbb7ea54b3dd23c7efef250d35a63269c87f9c499be03b9b38
Instruction ID: 4325fe5331610a1e4ee3b19dd885bf5302e7ab4f054d8126da991c50fe425a8d
Opcode Fuzzy Hash: D3112647077BC223FB612D841803F8279D84B1AA24F8C4B458BB5BC6F61E490105F69D
Instruction Fuzzy Hash: 4325fe5331610a1e4ee3b19dd885bf5302e7ab4f054d8126da991c50fe425a8d

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000005,00000000,00471828), ref: 004716A2
EnumServicesStatusA.ADVAPI32(00000000,0000013F,00000003,?,00004800,?,?,?), ref: 004716DC

Part of subcall function 004714B8: OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047159E), ref: 004714FD
Part of subcall function 004714B8: OpenServiceA.ADVAPI32(00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047152D
Part of subcall function 004714B8: StartServiceA.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471555
Part of subcall function 004714B8: ControlService.ADVAPI32(00000000,00000001,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471563
Part of subcall function 004714B8: QueryServiceStatus.ADVAPI32(00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047156D
Part of subcall function 004714B8: CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471573
Part of subcall function 004714B8: CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471579

CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000005,00000000,00471828), ref: 00471805

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042F204, Relevance: 166.5, APIs: 48, Strings: 47, Instructions: 266 Total matches: 2590libraryloader

Similarity

Total matches: 2590
API ID: GetProcAddress$LoadLibrary
String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$[FILE]
API String ID: 2209490600-790253602
Opcode ID: d5b316937265a1d63c550ac9e6780b23ae603b9b00a4eb52bbd2495b45327185
Instruction ID: cdd6db89471e363eb0c024dafd59dce8bdfa3de864d9ed8bc405e7c292d3cab1
Opcode Fuzzy Hash: 3A41197F44EC1149F6A0DA0830FF64324E669EAF2C0325F101587303717ADBF52A6AB9
Instruction Fuzzy Hash: cdd6db89471e363eb0c024dafd59dce8bdfa3de864d9ed8bc405e7c292d3cab1

APIs

LoadLibraryA.KERNEL32(uxtheme.dll), ref: 0042F23A
GetProcAddress.KERNEL32(00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F252
GetProcAddress.KERNEL32(00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F264
GetProcAddress.KERNEL32(00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F276
GetProcAddress.KERNEL32(00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F288
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F29A
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F2AC
GetProcAddress.KERNEL32(00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000), ref: 0042F2BE
GetProcAddress.KERNEL32(00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData), ref: 0042F2D0
GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData), ref: 0042F2E2
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground), ref: 0042F2F4
GetProcAddress.KERNEL32(00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText), ref: 0042F306
GetProcAddress.KERNEL32(00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect), ref: 0042F318
GetProcAddress.KERNEL32(00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect), ref: 0042F32A
GetProcAddress.KERNEL32(00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize), ref: 0042F33C
GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent), ref: 0042F34E
GetProcAddress.KERNEL32(00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics), ref: 0042F360
GetProcAddress.KERNEL32(00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion), ref: 0042F372
GetProcAddress.KERNEL32(00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground), ref: 0042F384
GetProcAddress.KERNEL32(00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge), ref: 0042F396
GetProcAddress.KERNEL32(00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon), ref: 0042F3A8
GetProcAddress.KERNEL32(00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined), ref: 0042F3BA
GetProcAddress.KERNEL32(00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent), ref: 0042F3CC
GetProcAddress.KERNEL32(00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor), ref: 0042F3DE
GetProcAddress.KERNEL32(00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric), ref: 0042F3F0
GetProcAddress.KERNEL32(00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString), ref: 0042F402
GetProcAddress.KERNEL32(00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool), ref: 0042F414
GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt), ref: 0042F426
GetProcAddress.KERNEL32(00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue), ref: 0042F438
GetProcAddress.KERNEL32(00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition), ref: 0042F44A
GetProcAddress.KERNEL32(00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont), ref: 0042F45C
GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect), ref: 0042F46E
GetProcAddress.KERNEL32(00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins), ref: 0042F480
GetProcAddress.KERNEL32(00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList), ref: 0042F492
GetProcAddress.KERNEL32(00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin), ref: 0042F4A4
GetProcAddress.KERNEL32(00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme), ref: 0042F4B6
GetProcAddress.KERNEL32(00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename), ref: 0042F4C8
GetProcAddress.KERNEL32(00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor), ref: 0042F4DA
GetProcAddress.KERNEL32(00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush), ref: 0042F4EC
GetProcAddress.KERNEL32(00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool), ref: 0042F4FE
GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize), ref: 0042F510
GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont), ref: 0042F522
GetProcAddress.KERNEL32(00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString), ref: 0042F534
GetProcAddress.KERNEL32(00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt), ref: 0042F546
GetProcAddress.KERNEL32(00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive), ref: 0042F558
GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed), ref: 0042F56A
GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground,00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme), ref: 0042F57C
GetProcAddress.KERNEL32(00000000,EnableTheming,00000000,DrawThemeParentBackground,00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture), ref: 0042F58E

Strings

EnableTheming, xrefs: 0042F586
CloseThemeData, xrefs: 0042F25C
DrawThemeText, xrefs: 0042F280
GetThemePosition, xrefs: 0042F3C4
IsThemeBackgroundPartiallyTransparent, xrefs: 0042F346
GetThemeBool, xrefs: 0042F38E
GetThemeTextMetrics, xrefs: 0042F2DA
IsThemeDialogTextureEnabled, xrefs: 0042F51A
GetThemeMetric, xrefs: 0042F36A
GetThemeSysInt, xrefs: 0042F4C0
GetThemeInt, xrefs: 0042F3A0
SetThemeAppProperties, xrefs: 0042F53E
IsAppThemed, xrefs: 0042F4E4
EnableThemeDialogTexture, xrefs: 0042F508
GetThemeEnumValue, xrefs: 0042F3B2
GetThemeSysSize, xrefs: 0042F48A
GetThemeTextExtent, xrefs: 0042F2C8
DrawThemeBackground, xrefs: 0042F26E
GetThemeBackgroundRegion, xrefs: 0042F2EC
IsThemeActive, xrefs: 0042F4D2
GetThemeBackgroundContentRect, xrefs: 0042F292, 0042F2A4
uxtheme.dll, xrefs: 0042F235
GetThemeSysString, xrefs: 0042F4AE
DrawThemeEdge, xrefs: 0042F310
GetThemeFilename, xrefs: 0042F442
GetThemeIntList, xrefs: 0042F40C
GetThemeSysBool, xrefs: 0042F478
GetThemeSysColor, xrefs: 0042F454
GetThemeFont, xrefs: 0042F3D6
GetWindowTheme, xrefs: 0042F4F6
GetThemeMargins, xrefs: 0042F3FA
GetThemeSysColorBrush, xrefs: 0042F466
GetCurrentThemeName, xrefs: 0042F550
GetThemeAppProperties, xrefs: 0042F52C
GetThemePropertyOrigin, xrefs: 0042F41E
OpenThemeData, xrefs: 0042F24A
GetThemeSysFont, xrefs: 0042F49C
GetThemeRect, xrefs: 0042F3E8
GetThemeDocumentationProperty, xrefs: 0042F562
IsThemePartDefined, xrefs: 0042F334
SetWindowTheme, xrefs: 0042F430
GetThemePartSize, xrefs: 0042F2B6
GetThemeColor, xrefs: 0042F358
DrawThemeParentBackground, xrefs: 0042F574
DrawThemeIcon, xrefs: 0042F322
GetThemeString, xrefs: 0042F37C
HitTestThemeBackground, xrefs: 0042F2FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004754C4, Relevance: 87.7, APIs: 29, Strings: 21, Instructions: 233 Total matches: 21libraryloaderprocess

Similarity

Total matches: 21
API ID: GetModuleHandleGetProcAddress$CreateProcess
String ID: CloseHandle$CreateMutexA$CreateProcessA$D$DCPERSFWBP$ExitThread$GetExitCodeProcess$GetLastError$GetProcAddress$LoadLibraryA$MessageBoxA$OpenProcess$SetLastError$Sleep$TerminateProcess$WaitForSingleObject$kernel32$[FILE]$notepad$user32$[FILE]
API String ID: 3751337051-3523759359
Opcode ID: 948186da047cc935dcd349cc6fe59913c298c2f7fe37e158e253dfef2729ac1f
Instruction ID: 4cc698827aad1f96db961776656dbb42e561cfa105640199e72939f2d3a7da76
Opcode Fuzzy Hash: 0C31B4E666B8F349E6362E4830D46BC26C1A687F3DB52D7004A37B27C46E810407F776
Instruction Fuzzy Hash: 4cc698827aad1f96db961776656dbb42e561cfa105640199e72939f2d3a7da76

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 00475590

Part of subcall function 00474D58: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?,00000000,00000000,00000000,?,004755A7), ref: 00474D98
Part of subcall function 00474D58: WriteProcessMemory.KERNEL32(?,00000000,kernel32.dll,?,?,?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?), ref: 00474DBE

GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756B4
GetProcAddress.KERNEL32(00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756BA
GetModuleHandleA.KERNEL32(kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756CB
GetProcAddress.KERNEL32(00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756D1
GetModuleHandleA.KERNEL32(kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756E3
GetProcAddress.KERNEL32(00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 004756E9
GetModuleHandleA.KERNEL32(user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 004756FB
GetProcAddress.KERNEL32(00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 00475701
GetModuleHandleA.KERNEL32(kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 00475713
GetProcAddress.KERNEL32(00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000), ref: 00475719
GetModuleHandleA.KERNEL32(kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32), ref: 0047572B
GetProcAddress.KERNEL32(00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000), ref: 00475731
GetModuleHandleA.KERNEL32(kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32), ref: 00475743
GetProcAddress.KERNEL32(00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000), ref: 00475749
GetModuleHandleA.KERNEL32(kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32), ref: 0047575B
GetProcAddress.KERNEL32(00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000), ref: 00475761
GetModuleHandleA.KERNEL32(kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32), ref: 00475773
GetProcAddress.KERNEL32(00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000), ref: 00475779
GetModuleHandleA.KERNEL32(kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32), ref: 0047578B
GetProcAddress.KERNEL32(00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000), ref: 00475791
GetModuleHandleA.KERNEL32(kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32), ref: 004757A3
GetProcAddress.KERNEL32(00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000), ref: 004757A9
GetModuleHandleA.KERNEL32(kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32), ref: 004757BB
GetProcAddress.KERNEL32(00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000), ref: 004757C1
GetModuleHandleA.KERNEL32(kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32), ref: 004757D3
GetProcAddress.KERNEL32(00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000), ref: 004757D9
GetModuleHandleA.KERNEL32(kernel32,OpenProcess,00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32), ref: 004757EB
GetProcAddress.KERNEL32(00000000,kernel32,OpenProcess,00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000), ref: 004757F1

Part of subcall function 00474E20: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00474E5E
Part of subcall function 00474E20: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00474E6E
Part of subcall function 00474E20: ReadProcessMemory.KERNEL32(?,00000000,?,?,?,DCPERSFWBP,?,?), ref: 00474E81

Part of subcall function 0040F234: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0048F90F,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040F24B

Strings

ExitThread, xrefs: 00475622, 00475799
kernel32, xrefs: 004756AF, 004756C6, 004756DE, 0047570E, 00475726, 0047573E, 00475756, 0047576E, 00475786, 0047579E, 004757B6, 004757CE, 004757E6
GetProcAddress, xrefs: 004756C1
TerminateProcess, xrefs: 0047564C, 004757B1
notepad, xrefs: 00475543
CreateMutexA, xrefs: 00475604, 00475769
kernel32.dll, xrefs: 0047559B
user32.dll, xrefs: 004755AA
SetLastError, xrefs: 004755F5, 00475751
D, xrefs: 00475517
DCPERSFWBP, xrefs: 00475563
Sleep, xrefs: 004755B9, 004756D9
GetExitCodeProcess, xrefs: 0047565B, 00475781
user32, xrefs: 004756F6
WaitForSingleObject, xrefs: 0047567E, 004757C9
LoadLibraryA, xrefs: 004756AA
OpenProcess, xrefs: 00475631, 004757E1
MessageBoxA, xrefs: 004755C8, 004756F1
CreateProcessA, xrefs: 004755D7, 00475721
GetLastError, xrefs: 004755E6, 00475739
CloseHandle, xrefs: 00475613, 00475709

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00460DDC, Relevance: 75.4, APIs: 24, Strings: 19, Instructions: 132 Total matches: 77libraryloader

Similarity

Total matches: 77
API ID: GetProcAddress$LoadLibrary
String ID: EmptyWorkingSet$EnumDeviceDrivers$EnumProcessModules$EnumProcesses$GetDeviceDriverBaseNameA$GetDeviceDriverBaseNameW$GetDeviceDriverFileNameA$GetDeviceDriverFileNameW$GetMappedFileNameA$GetMappedFileNameW$GetModuleBaseNameA$GetModuleBaseNameW$GetModuleFileNameExA$GetModuleFileNameExW$GetModuleInformation$GetProcessMemoryInfo$InitializeProcessForWsWatch$[FILE]$QueryWorkingSet
API String ID: 2209490600-4166134900
Opcode ID: aaefed414f62a40513f9ac2234ba9091026a29d00b8defe743cdf411cc1f958a
Instruction ID: 585c55804eb58d57426aaf25b5bf4c27b161b10454f9e43d23d5139f544de849
Opcode Fuzzy Hash: CC1125BF55AD1149CBA48A6C34EF70324D3399A90D4228F10A492317397DDFE49A1FB5
Instruction Fuzzy Hash: 585c55804eb58d57426aaf25b5bf4c27b161b10454f9e43d23d5139f544de849

APIs

LoadLibraryA.KERNEL32(PSAPI.dll), ref: 00460DF0
GetProcAddress.KERNEL32(00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E0C
GetProcAddress.KERNEL32(00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E1E
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E30
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E42
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E54
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E66
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll), ref: 00460E78
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses), ref: 00460E8A
GetProcAddress.KERNEL32(00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules), ref: 00460E9C
GetProcAddress.KERNEL32(00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA), ref: 00460EAE
GetProcAddress.KERNEL32(00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA), ref: 00460EC0
GetProcAddress.KERNEL32(00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA), ref: 00460ED2
GetProcAddress.KERNEL32(00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA), ref: 00460EE4
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW), ref: 00460EF6
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW), ref: 00460F08
GetProcAddress.KERNEL32(00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation), ref: 00460F1A
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet), ref: 00460F2C
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet), ref: 00460F3E
GetProcAddress.KERNEL32(00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch), ref: 00460F50
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA), ref: 00460F62
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA), ref: 00460F74
GetProcAddress.KERNEL32(00000000,EnumDeviceDrivers,00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA), ref: 00460F86
GetProcAddress.KERNEL32(00000000,GetProcessMemoryInfo,00000000,EnumDeviceDrivers,00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA), ref: 00460F98

Strings

GetDeviceDriverFileNameA, xrefs: 00460F00, 00460F36
GetModuleInformation, xrefs: 00460E94
QueryWorkingSet, xrefs: 00460EB8
EnumProcessModules, xrefs: 00460E16
InitializeProcessForWsWatch, xrefs: 00460ECA
GetMappedFileNameA, xrefs: 00460EDC, 00460F12
GetDeviceDriverFileNameW, xrefs: 00460F6C
GetDeviceDriverBaseNameA, xrefs: 00460EEE, 00460F24
PSAPI.dll, xrefs: 00460DEB
EnumProcesses, xrefs: 00460E04
EnumDeviceDrivers, xrefs: 00460F7E
GetModuleBaseNameA, xrefs: 00460E28, 00460E4C
GetModuleFileNameExA, xrefs: 00460E3A, 00460E5E
GetDeviceDriverBaseNameW, xrefs: 00460F5A
EmptyWorkingSet, xrefs: 00460EA6
GetModuleFileNameExW, xrefs: 00460E82
GetModuleBaseNameW, xrefs: 00460E70
GetMappedFileNameW, xrefs: 00460F48
GetProcessMemoryInfo, xrefs: 00460F90

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474F80, Relevance: 68.4, APIs: 23, Strings: 16, Instructions: 193 Total matches: 16libraryloaderprocess

Similarity

Total matches: 16
API ID: GetModuleHandleGetProcAddress$CreateProcess
String ID: CloseHandle$D$DeleteFileA$ExitThread$GetExitCodeProcess$GetLastError$GetProcAddress$LoadLibraryA$MessageBoxA$OpenProcess$Sleep$TerminateProcess$kernel32$[FILE]$notepad$[FILE]
API String ID: 3751337051-1992750546
Opcode ID: f3e5bd14b9eca4547e1d82111e60eaf505a3b72a2acd12d9f4d60f775fac33f7
Instruction ID: 521cd1f5f1d68558a350981a4af58b67496248f6491df8a54ee4dd11dd84c66b
Opcode Fuzzy Hash: 6C21A7BE2678E349F6766E1834D567C2491BA46A38B4AEB010237376C44F91000BFF76
Instruction Fuzzy Hash: 521cd1f5f1d68558a350981a4af58b67496248f6491df8a54ee4dd11dd84c66b

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0047500B

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

Part of subcall function 00474D58: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?,00000000,00000000,00000000,?,004755A7), ref: 00474D98
Part of subcall function 00474D58: WriteProcessMemory.KERNEL32(?,00000000,kernel32.dll,?,?,?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?), ref: 00474DBE

GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000,00475246), ref: 0047511C
GetProcAddress.KERNEL32(00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000,00475246), ref: 00475122
GetModuleHandleA.KERNEL32(kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000), ref: 00475133
GetProcAddress.KERNEL32(00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 00475139
GetModuleHandleA.KERNEL32(kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000), ref: 0047514B
GetProcAddress.KERNEL32(00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000), ref: 00475151
GetModuleHandleA.KERNEL32(kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000), ref: 00475163
GetProcAddress.KERNEL32(00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000), ref: 00475169
GetModuleHandleA.KERNEL32(kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000), ref: 0047517B
GetProcAddress.KERNEL32(00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000), ref: 00475181
GetModuleHandleA.KERNEL32(kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32), ref: 00475193
GetProcAddress.KERNEL32(00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000), ref: 00475199
GetModuleHandleA.KERNEL32(kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32), ref: 004751AB
GetProcAddress.KERNEL32(00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000), ref: 004751B1
GetModuleHandleA.KERNEL32(kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32), ref: 004751C3
GetProcAddress.KERNEL32(00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000), ref: 004751C9
GetModuleHandleA.KERNEL32(kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32), ref: 004751DB
GetProcAddress.KERNEL32(00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000), ref: 004751E1
GetModuleHandleA.KERNEL32(kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32), ref: 004751F3
GetProcAddress.KERNEL32(00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000), ref: 004751F9
GetModuleHandleA.KERNEL32(kernel32,GetExitCodeProcess,00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32), ref: 0047520B
GetProcAddress.KERNEL32(00000000,kernel32,GetExitCodeProcess,00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000), ref: 00475211

Part of subcall function 00474E20: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00474E5E
Part of subcall function 00474E20: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00474E6E
Part of subcall function 00474E20: ReadProcessMemory.KERNEL32(?,00000000,?,?,?,DCPERSFWBP,?,?), ref: 00474E81

Part of subcall function 0040F234: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0048F90F,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040F24B

Strings

DeleteFileA, xrefs: 0047509B, 00475189
user32.dll, xrefs: 0047505F
LoadLibraryA, xrefs: 00475112
Sleep, xrefs: 0047506E, 00475141
notepad, xrefs: 00475025
OpenProcess, xrefs: 004750D7, 004751E9
kernel32.dll, xrefs: 00475050
GetProcAddress, xrefs: 00475129
ExitThread, xrefs: 0047508C, 00475171
TerminateProcess, xrefs: 004750B9, 004751B9
kernel32, xrefs: 00475117, 0047512E, 00475146, 0047515E, 00475176, 0047518E, 004751A6, 004751BE, 004751D6, 004751EE, 00475206
MessageBoxA, xrefs: 0047507D, 00475159
CloseHandle, xrefs: 004750C8, 004751D1
GetLastError, xrefs: 004750AA, 004751A1
GetExitCodeProcess, xrefs: 004750E6, 00475201
D, xrefs: 00474FC9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045D6E8, Relevance: 49.1, APIs: 15, Strings: 13, Instructions: 95 Total matches: 1532libraryloader

Similarity

Total matches: 1532
API ID: GetProcAddress$SetErrorMode$GetModuleHandleLoadLibrary
String ID: ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME$[FILE]
API String ID: 4285671783-683095915
Opcode ID: 6332f91712b4189a2fbf9eac54066364acf4b46419cf90587b9f7381acad85db
Instruction ID: 372e34bc737a7edc69a1909bd40661afaf820c1de602df88552da6e630419b72
Opcode Fuzzy Hash: 0A01257F24D863CBD2D0CE4934DB39D20B65787C0C8D6DF404605318697F9BF9295A68
Instruction Fuzzy Hash: 372e34bc737a7edc69a1909bd40661afaf820c1de602df88552da6e630419b72

APIs

SetErrorMode.KERNEL32(00008000), ref: 0045D701
GetModuleHandleA.KERNEL32(USER32,00000000,0045D84E,?,00008000), ref: 0045D725
GetProcAddress.KERNEL32(00000000,WINNLSEnableIME,USER32,00000000,0045D84E,?,00008000), ref: 0045D732
LoadLibraryA.KERNEL32(imm32.dll), ref: 0045D74E
GetProcAddress.KERNEL32(00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D770
GetProcAddress.KERNEL32(00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D785
GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D79A
GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7AF
GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7C4
GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E), ref: 0045D7D9
GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000), ref: 0045D7EE
GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext), ref: 0045D803
GetProcAddress.KERNEL32(00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext), ref: 0045D818
GetProcAddress.KERNEL32(00000000,ImmNotifyIME,00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus), ref: 0045D82D
SetErrorMode.KERNEL32(?,0045D855,00008000), ref: 0045D848

Strings

USER32, xrefs: 0045D720
ImmReleaseContext, xrefs: 0045D77A
ImmNotifyIME, xrefs: 0045D822
ImmIsIME, xrefs: 0045D80D
ImmGetConversionStatus, xrefs: 0045D78F
ImmSetCompositionFontA, xrefs: 0045D7E3
ImmGetCompositionStringA, xrefs: 0045D7F8
ImmSetCompositionWindow, xrefs: 0045D7CE
ImmGetContext, xrefs: 0045D765
imm32.dll, xrefs: 0045D749
ImmSetOpenStatus, xrefs: 0045D7B9
WINNLSEnableIME, xrefs: 0045D72C
ImmSetConversionStatus, xrefs: 0045D7A4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004104F0, Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141 Total matches: 3143

Similarity

Total matches: 3143
API ID: GetModuleHandle
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$[FILE]
API String ID: 2196120668-1102361026
Opcode ID: d04b3c176625d43589df9c4c1eaa1faa8af9b9c00307a8a09859a0e62e75f2dc
Instruction ID: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6
Opcode Fuzzy Hash: B8119E48E06A10BC356E3ED6B0292683F50A1A7CBF31D5388487AA46F067C083C0FF2D
Instruction Fuzzy Hash: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 004104F9

Part of subcall function 004104C4: GetProcAddress.KERNEL32(00000000), ref: 004104DD

Strings

VarMod, xrefs: 004105B7
VarBstrFromCy, xrefs: 004106A9
VarBstrFromBool, xrefs: 004106D5
VarAnd, xrefs: 004105CD
VarDateFromStr, xrefs: 00410667
oleaut32.dll, xrefs: 004104F4
VariantChangeTypeEx, xrefs: 00410507
VarCmp, xrefs: 0041060F
VarBstrFromDate, xrefs: 004106BF
VarBoolFromStr, xrefs: 00410693
VarR8FromStr, xrefs: 00410651
VarR4FromStr, xrefs: 0041063B
VarDiv, xrefs: 0041058B
VarSub, xrefs: 0041055F
VarNeg, xrefs: 0041051D
VarAdd, xrefs: 00410549
VarOr, xrefs: 004105E3
VarMul, xrefs: 00410575
VarI4FromStr, xrefs: 00410625
VarCyFromStr, xrefs: 0041067D
VarIdiv, xrefs: 004105A1
VarXor, xrefs: 004105F9
VarNot, xrefs: 00410533

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047EE3C, Relevance: 37.0, APIs: 10, Strings: 11, Instructions: 210 Total matches: 14file

Similarity

Total matches: 14
API ID: ShellExecute$CopyFile$DeleteFilePlaySoundSetFileAttributes
String ID: .dcp$BATCH$EDITSVR$GENCODE$HOSTS$SOUND$UPANDEXEC$UPDATE$UPLOADEXEC$drivers\etc\hosts$open
API String ID: 313780579-486951257
Opcode ID: 44d22e170a376e2c3ac9494fe8a96a526e5340482cd9b2ca1a65bf3f31ad22f8
Instruction ID: 609fd5320f3736894535b51981f95e3d4faf5b0f44a63c85dacee75dc97e5f91
Opcode Fuzzy Hash: 482159C03AA5D247E11B38503C02FC671E1AB8B365C4E774182B9B32D6EF825029EF59
Instruction Fuzzy Hash: 609fd5320f3736894535b51981f95e3d4faf5b0f44a63c85dacee75dc97e5f91

APIs

ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EEA0
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF11
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EF31
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF60

Part of subcall function 00475BD8: closesocket.WSOCK32(00000248,00000000,00475D47,?,00000000,00475D76,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00475D2E
Part of subcall function 00475BD8: GetCurrentProcessId.KERNEL32(00000248,00000000,00475D47,?,00000000,00475D76,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00475D33

ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0047EF96
CopyFileA.KERNEL32(00000000,00000000,.dcp), ref: 0047F0D1

Part of subcall function 00489C78: GetSystemDirectoryA.KERNEL32(00000000,?), ref: 00489CB4

SetFileAttributesA.KERNEL32(00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFD6
DeleteFileA.KERNEL32(00000000,00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFFF
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0047F033
PlaySoundA.WINMM(00000000,00000000,00000001,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047F059

Strings

UPANDEXEC, xrefs: 0047EF74
UPLOADEXEC, xrefs: 0047EE7E
BATCH, xrefs: 0047EEC3
drivers\etc\hosts, xrefs: 0047EFC3, 0047EFE6, 0047F017
GENCODE, xrefs: 0047F0A0
UPDATE, xrefs: 0047EF3E
open, xrefs: 0047EE99, 0047EF0A, 0047EF2A, 0047EF59, 0047EF8F
HOSTS, xrefs: 0047EFA3
.dcp, xrefs: 0047F0AD
SOUND, xrefs: 0047F040
EDITSVR, xrefs: 0047F063

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00489580, Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 221 Total matches: 17pipewindowsleep

Similarity

Total matches: 17
API ID: CloseHandleCreatePipePeekNamedPipe$CreateProcessDispatchMessageGetEnvironmentVariableGetExitCodeProcessOemToCharPeekMessageReadFileSleepTerminateProcessTranslateMessage
String ID: COMSPEC$D
API String ID: 4101216710-942777791
Opcode ID: 98b6063c36b7c4f9ee270a2712a57a54142ac9cf893dea9da1c9317ddc3726ed
Instruction ID: f750be379b028122e82cf807415e9f3aafae13f02fb218c552ebf65ada2f023f
Opcode Fuzzy Hash: 6221AE4207BD57A3E5972A046403B841372FF43A68F6CA7A2A6FD367E9CE400099FE14
Instruction Fuzzy Hash: f750be379b028122e82cf807415e9f3aafae13f02fb218c552ebf65ada2f023f

APIs

CreatePipe.KERNEL32(FFFFFFFF,?,00000000,00000000), ref: 004895ED
CreatePipe.KERNEL32(?,?,00000000,00000000,FFFFFFFF,?,00000000,00000000), ref: 004895FD
GetEnvironmentVariableA.KERNEL32(COMSPEC,?,00000104,?,?,00000000,00000000,FFFFFFFF,?,00000000,00000000), ref: 00489613
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?), ref: 00489668
Sleep.KERNEL32(000007D0,00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,COMSPEC,?,00000104,?,?), ref: 00489685
TranslateMessage.USER32(?), ref: 00489693
DispatchMessageA.USER32(?), ref: 0048969F
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004896B3
GetExitCodeProcess.KERNEL32(?,?), ref: 004896C8
PeekNamedPipe.KERNEL32(FFFFFFFF,00000000,00000000,00000000,?,00000000,?,?,?,00000000,00000000,00000000,00000001,?,?,?), ref: 004896F2
ReadFile.KERNEL32(FFFFFFFF,?,00002400,00000000,00000000), ref: 00489717
OemToCharA.USER32(?,?), ref: 0048972E
PeekNamedPipe.KERNEL32(FFFFFFFF,00000000,00000000,00000000,00000000,00000000,?,FFFFFFFF,?,00002400,00000000,00000000,FFFFFFFF,00000000,00000000,00000000), ref: 00489781

Part of subcall function 0041FA34: GetLastError.KERNEL32(00486514,00000004,0048650C,00000000,0041FADE,?,00499F5C), ref: 0041FA94

Part of subcall function 0041FC40: SetThreadPriority.KERNEL32(?,015CDB28,00499F5C,?,0047EC9E,?,?,?,00000000,00000000,?,0049062B), ref: 0041FC55

Part of subcall function 0041FEF0: ResumeThread.KERNEL32(?,00499F5C,?,0047ECAA,?,?,?,00000000,00000000,?,0049062B), ref: 0041FEF8

Part of subcall function 0041FF20: GetCurrentThreadId.KERNEL32 ref: 0041FF2E
Part of subcall function 0041FF20: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0041FF5A
Part of subcall function 0041FF20: MsgWaitForMultipleObjects.USER32(00000002,?,00000000,000003E8,00000040), ref: 0041FF6F
Part of subcall function 0041FF20: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041FF9C
Part of subcall function 0041FF20: GetExitCodeThread.KERNEL32(?,?,?,000000FF), ref: 0041FFA7

TerminateProcess.KERNEL32(?,00000000,00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,COMSPEC,?,00000104,?), ref: 0048980A
CloseHandle.KERNEL32(?), ref: 00489813
CloseHandle.KERNEL32(?), ref: 0048981C

Strings

D, xrefs: 00489627
COMSPEC, xrefs: 0048960E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004291D0, Relevance: 31.7, APIs: 21, Instructions: 194 Total matches: 3060window

Similarity

Total matches: 3060
API ID: SelectObject$CreateCompatibleDCDeleteDCRealizePaletteSelectPaletteSetBkColor$BitBltCreateBitmapDeleteObjectGetDCGetObjectPatBltReleaseDC
String ID:
API String ID: 628774946-0
Opcode ID: fe3971f2977393a3c43567018b8bbe78de127415e632ac21538e816cc0dd5250
Instruction ID: 6115c1c3159ef7867d394253bd6a45f4e10092e6f2e7cc69ab30c5ac2c74a228
Opcode Fuzzy Hash: 2911294A05CCF32B64B579881983B261182FE43B52CABF7105979272CACF41740DE457
Instruction Fuzzy Hash: 6115c1c3159ef7867d394253bd6a45f4e10092e6f2e7cc69ab30c5ac2c74a228

APIs

GetObjectA.GDI32(?,00000054,?), ref: 004291F3
GetDC.USER32(00000000), ref: 00429221
CreateCompatibleDC.GDI32(?), ref: 00429232
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0042924D
SelectObject.GDI32(?,00000000), ref: 00429267
PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 00429289
CreateCompatibleDC.GDI32(?), ref: 00429297
DeleteDC.GDI32(?), ref: 0042937D

Part of subcall function 00428B08: GetObjectA.GDI32(00000000,00000054,?), ref: 00428B88
Part of subcall function 00428B08: GetDC.USER32(00000000), ref: 00428B99
Part of subcall function 00428B08: CreateCompatibleDC.GDI32(00000000), ref: 00428BAA
Part of subcall function 00428B08: CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 00428BF6
Part of subcall function 00428B08: CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 00428C1A
Part of subcall function 00428B08: GetDeviceCaps.GDI32(00000028,0000000C), ref: 00428C6A
Part of subcall function 00428B08: GetDeviceCaps.GDI32(00000028,0000000E), ref: 00428C77
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00428D21
Part of subcall function 00428B08: GetDIBColorTable.GDI32(?,00000000,00000100,-00000027), ref: 00428D47
Part of subcall function 00428B08: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428D72
Part of subcall function 00428B08: SelectObject.GDI32(?,?), ref: 00428D7F
Part of subcall function 00428B08: CreateDIBSection.GDI32(00000028,00000001,00000000,00000003,00000000,00000000), ref: 00428DD5
Part of subcall function 00428B08: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428E36
Part of subcall function 00428B08: SelectObject.GDI32(?,?), ref: 00428E77
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,00000000), ref: 00428EB7
Part of subcall function 00428B08: RealizePalette.GDI32(?), ref: 00428EC3
Part of subcall function 00428B08: FillRect.USER32(?,?,00000000), ref: 00428F14
Part of subcall function 00428B08: SetTextColor.GDI32(?,00000000), ref: 00428F2C
Part of subcall function 00428B08: SetBkColor.GDI32(?,00000000), ref: 00428F46
Part of subcall function 00428B08: SetDIBColorTable.GDI32(?,00000000,00000002,?), ref: 00428F8E
Part of subcall function 00428B08: PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 00428FB0
Part of subcall function 00428B08: CreateCompatibleDC.GDI32(00000028), ref: 00428FC3
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00428FE6
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,00000000), ref: 00429002
Part of subcall function 00428B08: RealizePalette.GDI32(?), ref: 0042900D
Part of subcall function 00428B08: SetTextColor.GDI32(?,00000000), ref: 0042902B
Part of subcall function 00428B08: SetBkColor.GDI32(?,00000000), ref: 00429045
Part of subcall function 00428B08: BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042906D
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,000000FF), ref: 0042907F
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00429089
Part of subcall function 00428B08: DeleteDC.GDI32(?), ref: 004290A4
Part of subcall function 00428B08: SelectPalette.GDI32(?,?,000000FF), ref: 004290CE

SelectObject.GDI32(?), ref: 004292DF
SelectPalette.GDI32(?,?,00000000), ref: 004292F2
RealizePalette.GDI32(?), ref: 004292FB
SelectPalette.GDI32(?,?,00000000), ref: 00429307
RealizePalette.GDI32(?), ref: 00429310
SetBkColor.GDI32(?), ref: 0042931A
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042933E
SetBkColor.GDI32(?,00000000), ref: 00429348
SelectObject.GDI32(?,00000000), ref: 0042935B
DeleteObject.GDI32 ref: 00429367
SelectObject.GDI32(?,00000000), ref: 00429398
DeleteDC.GDI32(00000000), ref: 004293B4
ReleaseDC.USER32(00000000,00000000), ref: 004293C5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004031FC, Relevance: 27.1, APIs: 9, Strings: 9, Instructions: 110 Total matches: 169

Similarity

Total matches: 169
API ID: CharNext
String ID: $ $ $"$"$"$"$"$"
API String ID: 3213498283-3597982963
Opcode ID: a78e52ca640c3a7d11d18e4cac849d6c7481ab065be4a6ef34a7c34927dd7892
Instruction ID: 5d6dbb870b020a65ba4fa9e31a5dda400ef744f15fc7bff5e21739e263984da5
Opcode Fuzzy Hash: D0F054139ED4432360976B416872B44E2D0DF9564D2C01F185B62BE2F31E696D62F9DC
Instruction Fuzzy Hash: 5d6dbb870b020a65ba4fa9e31a5dda400ef744f15fc7bff5e21739e263984da5

APIs

CharNextA.USER32(00000000), ref: 00403208
CharNextA.USER32(00000000), ref: 00403236
CharNextA.USER32(00000000), ref: 00403240
CharNextA.USER32(00000000), ref: 0040325F
CharNextA.USER32(00000000), ref: 00403269
CharNextA.USER32(00000000), ref: 00403295
CharNextA.USER32(00000000), ref: 0040329F
CharNextA.USER32(00000000), ref: 004032C7
CharNextA.USER32(00000000), ref: 004032D1

Strings

", xrefs: 00403230
, xrefs: 004032E9
", xrefs: 0040328F
", xrefs: 0040321E
, xrefs: 00403214
", xrefs: 00403254
, xrefs: 00403278
", xrefs: 00403219
", xrefs: 004032BC

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00472E88, Relevance: 26.4, APIs: 6, Strings: 9, Instructions: 199 Total matches: 19network

Similarity

Total matches: 19
API ID: inet_ntoa$WSAIoctlclosesocketsocket
String ID: Broadcast adress : $ Broadcasts : NO$ Broadcasts : YES$ IP : $ IP Mask : $ Loopback interface$ Network interface$ Status : DOWN$ Status : UP
API String ID: 2271367613-1810517698
Opcode ID: 3d4dbe25dc82bdd7fd028c6f91bddee7ad6dc1d8a686e5486e056cbc58026438
Instruction ID: 018b2a24353d4e3a07e7e79b390110fecb7011e72bd4e8fb6250bb24c4a02172
Opcode Fuzzy Hash: E22138C22338E1B2D42A39C6B500F80B651671FB7EF481F9652B6FFDC26E488005A749
Instruction Fuzzy Hash: 018b2a24353d4e3a07e7e79b390110fecb7011e72bd4e8fb6250bb24c4a02172

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00473108), ref: 00472EC7
WSAIoctl.WS2_32(000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000), ref: 00472F08
inet_ntoa.WSOCK32(?,00000000,004730D5,?,00000002,00000001,00000000,00000000,00473108), ref: 00472F40
inet_ntoa.WSOCK32(?,00473130,?, IP : ,?,?,00000000,004730D5,?,00000002,00000001,00000000,00000000,00473108), ref: 00472F81
inet_ntoa.WSOCK32(?,00473130,?, IP Mask : ,?,?,00473130,?, IP : ,?,?,00000000,004730D5,?,00000002,00000001), ref: 00472FC2
closesocket.WSOCK32(000000FF,00000002,00000001,00000000,00000000,00473108), ref: 004730E3

Strings

Broadcast adress : , xrefs: 00472FCB
Status : UP, xrefs: 00473001
IP Mask : , xrefs: 00472F8A
Broadcasts : NO, xrefs: 00473057
Status : DOWN, xrefs: 0047301B
IP : , xrefs: 00472F49
Broadcasts : YES, xrefs: 0047303D
Network interface, xrefs: 00473091
Loopback interface, xrefs: 00473077

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045944C, Relevance: 25.8, APIs: 17, Instructions: 258 Total matches: 99

Similarity

Total matches: 99
API ID: OffsetRect$MapWindowPoints$DrawEdgeExcludeClipRectFillRectGetClientRectGetRgnBoxGetWindowDCGetWindowLongGetWindowRectInflateRectIntersectClipRectIntersectRectReleaseDC
String ID:
API String ID: 549690890-0
Opcode ID: 4a5933c45267f4417683cc1ac528043082b1f46eca0dcd21c58a50742ec4aa88
Instruction ID: 2ecbe6093ff51080a4fa1a6c7503b414327ded251fe39163baabcde2d7402924
Opcode Fuzzy Hash: DE316B4D01AF1663F073A6401983F7A1516FF43A89CD837F27EE63235E27662066AA03
Instruction Fuzzy Hash: 2ecbe6093ff51080a4fa1a6c7503b414327ded251fe39163baabcde2d7402924

APIs

GetWindowDC.USER32(00000000), ref: 00459480
GetClientRect.USER32(00000000,?), ref: 004594A3
GetWindowRect.USER32(00000000,?), ref: 004594B5
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 004594CB
OffsetRect.USER32(?,?,?), ref: 004594E0
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 004594F9
InflateRect.USER32(?,00000000,00000000), ref: 00459517
GetWindowLongA.USER32(00000000,000000F0), ref: 00459531
DrawEdge.USER32(?,?,?,00000008), ref: 00459630
IntersectClipRect.GDI32(?,?,?,?,?), ref: 00459649
OffsetRect.USER32(?,?,?), ref: 00459673
GetRgnBox.GDI32(?,?), ref: 00459682
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 00459698
IntersectRect.USER32(?,?,?), ref: 004596A9
OffsetRect.USER32(?,?,?), ref: 004596BE

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?,00000000), ref: 004596DA
ReleaseDC.USER32(00000000,?), ref: 004596F9

Part of subcall function 004328FC: GetWindowLongA.USER32(00000000,000000EC), ref: 00432917
Part of subcall function 004328FC: GetWindowRect.USER32(00000000,?), ref: 00432932
Part of subcall function 004328FC: OffsetRect.USER32(?,?,?), ref: 00432947
Part of subcall function 004328FC: GetWindowDC.USER32(00000000), ref: 00432955
Part of subcall function 004328FC: GetWindowLongA.USER32(00000000,000000F0), ref: 00432986
Part of subcall function 004328FC: GetSystemMetrics.USER32(00000002), ref: 0043299B
Part of subcall function 004328FC: GetSystemMetrics.USER32(00000003), ref: 004329A4
Part of subcall function 004328FC: InflateRect.USER32(?,000000FE,000000FE), ref: 004329B3
Part of subcall function 004328FC: GetSysColorBrush.USER32(0000000F), ref: 004329E0
Part of subcall function 004328FC: FillRect.USER32(?,?,00000000), ref: 004329EE
Part of subcall function 004328FC: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00432A13
Part of subcall function 004328FC: ReleaseDC.USER32(00000000,?), ref: 00432A51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00465A0C, Relevance: 21.2, APIs: 6, Strings: 8, Instructions: 232 Total matches: 70memory

Similarity

Total matches: 70
API ID: VirtualAlloc$GetProcessHeapHeapAlloc
String ID: BTMemoryLoadLibary: BuildImportTable failed$BTMemoryLoadLibary: Can't attach library$BTMemoryLoadLibary: Get DLLEntyPoint failed$BTMemoryLoadLibary: IMAGE_NT_SIGNATURE is not valid$BTMemoryLoadLibary: VirtualAlloc failed$BTMemoryLoadLibary: dll dos header is not valid$MZ$PE
API String ID: 2488116186-3631919656
Opcode ID: 3af931fd5e956d794d4d8b2d9451c0c23910b02d2e1f96ee73557f06256af9ed
Instruction ID: 5201b0f892773e34eb121d15694a5594f27085db04a31d88d5a3aa16cfd2fb7b
Opcode Fuzzy Hash: C92170831B68E1B7FD6411983983F62168EE747E64EC5A7700375391DB6B09408DEB4E
Instruction Fuzzy Hash: 5201b0f892773e34eb121d15694a5594f27085db04a31d88d5a3aa16cfd2fb7b

APIs

VirtualAlloc.KERNEL32(?,?,00002000,00000004), ref: 00465AC1
VirtualAlloc.KERNEL32(00000000,?,00002000,00000004,?,?,00002000,00000004), ref: 00465ADC
GetProcessHeap.KERNEL32(00000000,00000011,?,?,00002000,00000004), ref: 00465B07
HeapAlloc.KERNEL32(00000000,00000000,00000011,?,?,00002000,00000004), ref: 00465B0D
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,00000000,00000000,00000011,?,?,00002000,00000004), ref: 00465B41
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,00000000,?,00001000,00000004,00000000,00000000,00000011,?,?,00002000,00000004), ref: 00465B55

Part of subcall function 004653A8: VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00465410
Part of subcall function 004653A8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004), ref: 0046545B

Part of subcall function 00465598: LoadLibraryA.KERNEL32(00000000), ref: 00465607
Part of subcall function 00465598: GetProcAddress.KERNEL32(?,?), ref: 00465737
Part of subcall function 00465598: GetProcAddress.KERNEL32(?,?), ref: 0046576B
Part of subcall function 00465598: IsBadReadPtr.KERNEL32(?,00000014,00000000,004657D8), ref: 004657A9

Part of subcall function 004658F4: VirtualFree.KERNEL32(?,?,00004000), ref: 00465939
Part of subcall function 004658F4: VirtualProtect.KERNEL32(?,?,00000000,?), ref: 004659A5

Part of subcall function 00466038: FreeLibrary.KERNEL32(00000000,?,?,00000000,?,00000000,00465C6C), ref: 004660A7
Part of subcall function 00466038: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,?,00000000,00465C6C), ref: 004660D8
Part of subcall function 00466038: GetProcessHeap.KERNEL32(00000000,?,?,?,00000000,?,00000000,00465C6C), ref: 004660E0
Part of subcall function 00466038: HeapFree.KERNEL32(00000000,00000000,?), ref: 004660E6

Strings

BTMemoryLoadLibary: BuildImportTable failed, xrefs: 00465BD5
BTMemoryLoadLibary: Can't attach library, xrefs: 00465C5A
BTMemoryLoadLibary: IMAGE_NT_SIGNATURE is not valid, xrefs: 00465A95
BTMemoryLoadLibary: VirtualAlloc failed, xrefs: 00465AEC
PE, xrefs: 00465A84
BTMemoryLoadLibary: dll dos header is not valid, xrefs: 00465A4E
MZ, xrefs: 00465A41
BTMemoryLoadLibary: Get DLLEntyPoint failed, xrefs: 00465C28

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004296E0, Relevance: 21.2, APIs: 14, Instructions: 217 Total matches: 2962window

Similarity

Total matches: 2962
API ID: GetDeviceCapsSelectObjectSelectPaletteSetStretchBltMode$CreateCompatibleDCDeleteDCGetBrushOrgExRealizePaletteSetBrushOrgExStretchBlt
String ID:
API String ID: 3308931694-0
Opcode ID: c4f23efe5e20e7f72d9787206ae9d4d4484ef6a1768b369050ebc0ce3d21af64
Instruction ID: 6e80a75276815f297b150d1899ec2451361d21afa1efcd092d0d7bc48a04164e
Opcode Fuzzy Hash: 2C21980A409CEB6BF0BB78840183F4A2285BF9B34ACD1BB210E64673635F04E40BD65F
Instruction Fuzzy Hash: 6e80a75276815f297b150d1899ec2451361d21afa1efcd092d0d7bc48a04164e

APIs

Part of subcall function 00429D5C: GetDC.USER32(00000000), ref: 00429DB2
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429DC7
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00429DD1
Part of subcall function 00429D5C: CreateHalftonePalette.GDI32(00000000), ref: 00429DF5
Part of subcall function 00429D5C: ReleaseDC.USER32(00000000,00000000), ref: 00429E00

SelectPalette.GDI32(?,?,000000FF), ref: 00429723
RealizePalette.GDI32(?), ref: 00429732
GetDeviceCaps.GDI32(?,0000000C), ref: 00429744
GetDeviceCaps.GDI32(?,0000000E), ref: 00429753
GetBrushOrgEx.GDI32(?,?), ref: 00429786
SetStretchBltMode.GDI32(?,00000004), ref: 00429794
SetBrushOrgEx.GDI32(?,?,?,?), ref: 004297AC
SetStretchBltMode.GDI32(00000000,00000003), ref: 004297C9
SelectPalette.GDI32(?,?,000000FF), ref: 00429918

Part of subcall function 00429CFC: DeleteObject.GDI32(?), ref: 00429D1F

CreateCompatibleDC.GDI32(00000000), ref: 0042982A
SelectObject.GDI32(?,?), ref: 0042983F

Part of subcall function 00425CC8: CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 00425D0B
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425D20
Part of subcall function 00425CC8: MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,CCAA0029), ref: 00425D64
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425D7E
Part of subcall function 00425CC8: DeleteObject.GDI32(?), ref: 00425D8A
Part of subcall function 00425CC8: CreateCompatibleDC.GDI32(00000000), ref: 00425D9E
Part of subcall function 00425CC8: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00425DBF
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425DD4
Part of subcall function 00425CC8: SelectPalette.GDI32(?,48080787,00000000), ref: 00425DE8
Part of subcall function 00425CC8: SelectPalette.GDI32(?,?,00000000), ref: 00425DFA
Part of subcall function 00425CC8: SelectPalette.GDI32(?,00000000,000000FF), ref: 00425E0F
Part of subcall function 00425CC8: SelectPalette.GDI32(?,48080787,000000FF), ref: 00425E25
Part of subcall function 00425CC8: RealizePalette.GDI32(?), ref: 00425E31
Part of subcall function 00425CC8: StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 00425E53
Part of subcall function 00425CC8: StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 00425E75
Part of subcall function 00425CC8: SetTextColor.GDI32(?,00000000), ref: 00425E7D
Part of subcall function 00425CC8: SetBkColor.GDI32(?,00FFFFFF), ref: 00425E8B
Part of subcall function 00425CC8: StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 00425EB7
Part of subcall function 00425CC8: StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 00425EDC
Part of subcall function 00425CC8: SetTextColor.GDI32(?,?), ref: 00425EE6
Part of subcall function 00425CC8: SetBkColor.GDI32(?,?), ref: 00425EF0
Part of subcall function 00425CC8: SelectObject.GDI32(?,00000000), ref: 00425F03
Part of subcall function 00425CC8: DeleteObject.GDI32(?), ref: 00425F0C
Part of subcall function 00425CC8: SelectPalette.GDI32(?,00000000,00000000), ref: 00425F2E
Part of subcall function 00425CC8: DeleteDC.GDI32(?), ref: 00425F37

SelectObject.GDI32(?,00000000), ref: 0042989E
DeleteDC.GDI32(00000000), ref: 004298AD
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,?), ref: 004298F3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474208, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 49 Total matches: 17libraryloader

Similarity

Total matches: 17
API ID: GetProcAddress$LoadLibrary
String ID: WlanCloseHandle$WlanEnumInterfaces$WlanGetAvailableNetworkList$WlanOpenHandle$WlanQueryInterface$[FILE]
API String ID: 2209490600-3498334979
Opcode ID: 5146edb54a207047eae4574c9a27975307ac735bfb4468aea4e07443cdf6e803
Instruction ID: f89292433987c39bc7d9e273a1951c9a278ebb56a2de24d0a3e4590a01f53334
Opcode Fuzzy Hash: 50E0B6FD90BAA808D37089CC31962431D6E7BE332DA621E00086A230902B4FF2766935
Instruction Fuzzy Hash: f89292433987c39bc7d9e273a1951c9a278ebb56a2de24d0a3e4590a01f53334

APIs

LoadLibraryA.KERNEL32(wlanapi.dll), ref: 00474216
GetProcAddress.KERNEL32(00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 0047422E
GetProcAddress.KERNEL32(00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 00474249
GetProcAddress.KERNEL32(00000000,WlanEnumInterfaces,00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 00474264
GetProcAddress.KERNEL32(00000000,WlanQueryInterface,00000000,WlanEnumInterfaces,00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 0047427F
GetProcAddress.KERNEL32(00000000,WlanGetAvailableNetworkList,00000000,WlanQueryInterface,00000000,WlanEnumInterfaces,00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 0047429A

Strings

WlanOpenHandle, xrefs: 00474226
wlanapi.dll, xrefs: 00474211
WlanGetAvailableNetworkList, xrefs: 00474292
WlanQueryInterface, xrefs: 00474277
WlanEnumInterfaces, xrefs: 0047425C
WlanCloseHandle, xrefs: 00474241

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048D3C4, Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 132 Total matches: 32

Similarity

Total matches: 32
API ID: GetVersionEx
String ID: Unknow$Windows 2000$Windows 7$Windows 95$Windows 98$Windows Me$Windows NT 4.0$Windows Server 2003$Windows Vista$Windows XP
API String ID: 3908303307-3783844371
Opcode ID: 7b5a5832e5fd12129a8a2e2906a492b9449b8df28a17af9cc2e55bced20de565
Instruction ID: b844ed6b70e0e94de659292c354b68b9ed016400ab421bcb6baea74a0809c2ae
Opcode Fuzzy Hash: 0C11ACC1EB6CE422E7B219486410BD59E805F8B83AFCCC343D63EA83E46D491419F22D
Instruction Fuzzy Hash: b844ed6b70e0e94de659292c354b68b9ed016400ab421bcb6baea74a0809c2ae

APIs

GetVersionExA.KERNEL32(00000094), ref: 0048D410

Strings

Windows Me, xrefs: 0048D4F2
Windows NT 4.0, xrefs: 0048D441
Windows 2000, xrefs: 0048D467
Windows 95, xrefs: 0048D4D6
Windows 7, xrefs: 0048D4B1
Unknow, xrefs: 0048D3F5
Windows Vista, xrefs: 0048D4A3
Windows Server 2003, xrefs: 0048D486
Windows XP, xrefs: 0048D478
Windows 98, xrefs: 0048D4E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C494, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 102 Total matches: 27filememorythread

Similarity

Total matches: 27
API ID: CloseHandle$CreateFileCreateThreadFindResourceLoadResourceLocalAllocLockResourceSizeofResourceWriteFile
String ID: [FILE]
API String ID: 67866216-124780900
Opcode ID: 96c988e38e59b89ff17cc2eaece477f828ad8744e4a6eccd5192cfbc043553d8
Instruction ID: 630cc112895e8414539e3ba5b7ba0394fd4404f3832c6fa9d37db38bf09270f9
Opcode Fuzzy Hash: D5F02B8A57A5E6A3F0003C841D423D286D55B13B20E582B62C57CB75C1FE24502AFB03
Instruction Fuzzy Hash: 630cc112895e8414539e3ba5b7ba0394fd4404f3832c6fa9d37db38bf09270f9

APIs

FindResourceA.KERNEL32(00000000,?,?), ref: 0048C4C3

Part of subcall function 00489BB0: GetTempPathA.KERNEL32(?,00000000), ref: 00489BEC

CreateFileA.KERNEL32(00000000,.dll,?,?,40000000,00000002,00000000), ref: 0048C50F
SizeofResource.KERNEL32(00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC,?,?,?,?,00000000,00000000,00000000), ref: 0048C51F
LoadResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C528
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C52E
WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0048C535
CloseHandle.KERNEL32(00000000), ref: 0048C53B
LocalAlloc.KERNEL32(00000040,00000004,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C544
CreateThread.KERNEL32(00000000,00000000,0048C3E4,00000000,00000000,?), ref: 0048C586
CloseHandle.KERNEL32(00000000), ref: 0048C58C

Strings

.dll, xrefs: 0048C4F4, 0048C565

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004085D4, Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 61 Total matches: 268windowregistry

Similarity

Total matches: 268
API ID: RegisterWindowMessage$SendMessage$FindWindow
String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
API String ID: 773075572-3736581797
Opcode ID: b8d29d158da692a3f30c7c46c0fd30bc084ed528be5294db655e4684b6c0c80f
Instruction ID: 4e75a9db2a85290b2bd165713cc3b8ab264a87c6022b985514cebb886d0c2653
Opcode Fuzzy Hash: E3E086048EC5E4C040877D156905746525A5B47E33E88971245FC69EEBDF12706CF60B
Instruction Fuzzy Hash: 4e75a9db2a85290b2bd165713cc3b8ab264a87c6022b985514cebb886d0c2653

APIs

FindWindowA.USER32(MouseZ,Magellan MSWHEEL), ref: 004085EC
RegisterWindowMessageA.USER32(MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 004085F8
RegisterWindowMessageA.USER32(MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 00408607
RegisterWindowMessageA.USER32(MSH_SCROLL_LINES_MSG,MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 00408613
SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 0040862B
SendMessageA.USER32(00000000,?,00000000,00000000), ref: 0040864F

Strings

MSH_SCROLL_LINES_MSG, xrefs: 0040860E
MSH_WHEELSUPPORT_MSG, xrefs: 00408602
MouseZ, xrefs: 004085E7
Magellan MSWHEEL, xrefs: 004085E2
MSWHEEL_ROLLMSG, xrefs: 004085F3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00442280, Relevance: 18.5, APIs: 12, Instructions: 471 Total matches: 76window

Similarity

Total matches: 76
API ID: ShowWindow$SendMessageSetWindowPos$CallWindowProcGetActiveWindowSetActiveWindow
String ID:
API String ID: 1078102291-0
Opcode ID: 5a6bc4dc446307c7628f18d730adac2faaaadfe5fec0ff2c8aaad915570e293a
Instruction ID: d2d7a330045c082ee8847ac264425c59ea8f05af409e416109ccbd6a8a647aa5
Opcode Fuzzy Hash: AA512601698E2453F8A360442A87BAB6077F74EB54CC4AB744BCF530AB3A51D837E74B
Instruction Fuzzy Hash: d2d7a330045c082ee8847ac264425c59ea8f05af409e416109ccbd6a8a647aa5

APIs

Part of subcall function 004471C4: IsChild.USER32(00000000,00000000), ref: 00447222

SendMessageA.USER32(?,00000223,00000000,00000000), ref: 004426BE
ShowWindow.USER32(00000000,00000003), ref: 004426CE
ShowWindow.USER32(00000000,00000002), ref: 004426F0
CallWindowProcA.USER32(00407FF8,00000000,00000005,00000000,?), ref: 00442719
SendMessageA.USER32(?,00000234,00000000,00000000), ref: 0044273E
ShowWindow.USER32(00000000,?), ref: 00442763
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000097), ref: 004427FF
GetActiveWindow.USER32 ref: 00442815
ShowWindow.USER32(00000000,00000000), ref: 00442872

Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773

Part of subcall function 0043BA80: GetCurrentThreadId.KERNEL32(Function_0003BA1C,00000000,0044283C,00000000,004428BF), ref: 0043BA9A
Part of subcall function 0043BA80: EnumThreadWindows.USER32(00000000,Function_0003BA1C,00000000), ref: 0043BAA0

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000097), ref: 0044285A
SetActiveWindow.USER32(00000000), ref: 00442860
ShowWindow.USER32(00000000,00000001), ref: 004428A2

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004328FC, Relevance: 18.1, APIs: 12, Instructions: 142 Total matches: 2670

Similarity

Total matches: 2670
API ID: GetSystemMetricsGetWindowLong$ExcludeClipRectFillRectGetSysColorBrushGetWindowDCGetWindowRectInflateRectOffsetRectReleaseDC
String ID:
API String ID: 3932036319-0
Opcode ID: 76064c448b287af48dc2af56ceef959adfeb7e49e56a31cb381aae6292753b0b
Instruction ID: f04c829c48dd0ecc4740a09c532db4e7ffce190e9eba6ce852bb2d0274806371
Opcode Fuzzy Hash: 03019760024F1233E0B31AC05DC7F127621ED45386CA4BBF28BF6A72C962AA7006F467
Instruction Fuzzy Hash: f04c829c48dd0ecc4740a09c532db4e7ffce190e9eba6ce852bb2d0274806371

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 00432917
GetWindowRect.USER32(00000000,?), ref: 00432932
OffsetRect.USER32(?,?,?), ref: 00432947
GetWindowDC.USER32(00000000), ref: 00432955
GetWindowLongA.USER32(00000000,000000F0), ref: 00432986
GetSystemMetrics.USER32(00000002), ref: 0043299B
GetSystemMetrics.USER32(00000003), ref: 004329A4
InflateRect.USER32(?,000000FE,000000FE), ref: 004329B3
GetSysColorBrush.USER32(0000000F), ref: 004329E0
FillRect.USER32(?,?,00000000), ref: 004329EE
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00432A13
ReleaseDC.USER32(00000000,?), ref: 00432A51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00402820, Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 254 Total matches: 200window

Similarity

Total matches: 200
API ID: MessageBox
String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
API String ID: 1250089747-1256731999
Opcode ID: 490897b8e9acac750f9d51d50a768472c0795dbdc6439b18441db86d626ce938
Instruction ID: 76dfa530adb1b8c2cc13e2667be7c25ba156ed0594aa9714788bfb3d1a0eda85
Opcode Fuzzy Hash: 0731F44BA7DDC3A2D3E91303684575550E2A7C5537C888F609772317F6EE04250BAAAD
Instruction Fuzzy Hash: 76dfa530adb1b8c2cc13e2667be7c25ba156ed0594aa9714788bfb3d1a0eda85

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 00402BBE

Strings

An unexpected memory leak has occurred. , xrefs: 00402980
String, xrefs: 00402A91
, xrefs: 00402B04
Unknown, xrefs: 00402A7C
The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402B39
The unexpected small block leaks are:, xrefs: 004029F7
Unexpected Memory Leak, xrefs: 00402BB0
7, xrefs: 00402991
bytes: , xrefs: 00402A4D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F17C, Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 116 Total matches: 33window

Similarity

Total matches: 33
API ID: GetWindowPlacementGetWindowTextIsWindowVisible
String ID: ,$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive$True
API String ID: 41250382-511446200
Opcode ID: 2a93bd2407602c988be198f02ecb64933adb9ffad78aee0f75abc9a1a22a1849
Instruction ID: 8f95e1a452f283c9d6a5f9db166b7f7b6e325fa1ebf04232aa01919826a7e185
Opcode Fuzzy Hash: F5012D8237CECA73DA0AAEC47C00B80D5A5AF63224CC867A14A9D3D1D41ED06009AB4A
Instruction Fuzzy Hash: 8f95e1a452f283c9d6a5f9db166b7f7b6e325fa1ebf04232aa01919826a7e185

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F1D2
GetWindowPlacement.USER32(?,0000002C), ref: 0046F1ED
IsWindowVisible.USER32(?), ref: 0046F258

Part of subcall function 0046F148: GetWindow.USER32(?,00000005), ref: 0046F156
Part of subcall function 0046F148: GetWindow.USER32(00000000,00000002), ref: 0046F164

Strings

,, xrefs: 0046F1E1
Minimized, xrefs: 0046F225
Show/Unactive, xrefs: 0046F239
True, xrefs: 0046F2AA
Maximized, xrefs: 0046F1FD
Normal, xrefs: 0046F211
Normal/Unactive, xrefs: 0046F24D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E71C, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 109 Total matches: 2989

Similarity

Total matches: 2989
API ID: IntersectRect$GetSystemMetrics$EnumDisplayMonitorsGetClipBoxGetDCOrgExOffsetRect
String ID: EnumDisplayMonitors
API String ID: 2403121106-2491903729
Opcode ID: 52db4d6629bbd73772140d7e04a91d47a072080cb3515019dbe85a8b86b11587
Instruction ID: b4557ab74b20c8893b9e8c5043286aecf6e43751f6ec849995a879e485a4fa77
Opcode Fuzzy Hash: 60F02B4B413C0863AD32BB953067E2601615BD3955C9F7BF34D077A2091B85B42EF643
Instruction Fuzzy Hash: b4557ab74b20c8893b9e8c5043286aecf6e43751f6ec849995a879e485a4fa77

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 0042E755
GetSystemMetrics.USER32(00000000), ref: 0042E77A
GetSystemMetrics.USER32(00000001), ref: 0042E785
GetClipBox.GDI32(?,?), ref: 0042E797
GetDCOrgEx.GDI32(?,?), ref: 0042E7A4
OffsetRect.USER32(?,?,?), ref: 0042E7BD
IntersectRect.USER32(?,?,?), ref: 0042E7CE
IntersectRect.USER32(?,?,?), ref: 0042E7E4
IntersectRect.USER32(?,?,?), ref: 0042E804

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

EnumDisplayMonitors, xrefs: 0042E734

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044D1B0, Relevance: 16.6, APIs: 11, Instructions: 91 Total matches: 309

Similarity

Total matches: 309
API ID: GetWindowLongSetWindowLong$SetProp$IsWindowUnicode
String ID:
API String ID: 2416549522-0
Opcode ID: cc33e88019e13a6bdd1cd1f337bb9aa08043e237bf24f75c2294c70aefb51ea5
Instruction ID: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692
Opcode Fuzzy Hash: 47F09048455D92E9CE316990181BFEB6098AF57F91CE86B0469C2713778E50F079BCC2
Instruction Fuzzy Hash: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692

APIs

IsWindowUnicode.USER32(?), ref: 0044D1CA
SetWindowLongW.USER32(?,000000FC,?), ref: 0044D1E5
GetWindowLongW.USER32(?,000000F0), ref: 0044D1F0
GetWindowLongW.USER32(?,000000F4), ref: 0044D202
SetWindowLongW.USER32(?,000000F4,?), ref: 0044D215
SetWindowLongA.USER32(?,000000FC,?), ref: 0044D22E
GetWindowLongA.USER32(?,000000F0), ref: 0044D239
GetWindowLongA.USER32(?,000000F4), ref: 0044D24B
SetWindowLongA.USER32(?,000000F4,?), ref: 0044D25E
SetPropA.USER32(?,00000000,00000000), ref: 0044D275
SetPropA.USER32(?,00000000,00000000), ref: 0044D28C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00485954, Relevance: 16.0, APIs: 4, Strings: 5, Instructions: 236 Total matches: 15filewindow

Similarity

Total matches: 15
API ID: DeleteFile$BeepMessageBox
String ID: Error$SYSINFO$out.txt$systeminfo$tmp.txt
API String ID: 2513333429-345806071
Opcode ID: 175ef29eb0126f4faf8d8d995bdbdcdb5595b05f6195c7c08c0282fe984d4c47
Instruction ID: 39f7f17e1c987efdb7b4b5db2f739eec2f93dce701a473bbe0ca777f64945c64
Opcode Fuzzy Hash: 473108146FCD9607E0675C047D43BB622369F83488E8AB3736AB7321E95E12C007FE96
Instruction Fuzzy Hash: 39f7f17e1c987efdb7b4b5db2f739eec2f93dce701a473bbe0ca777f64945c64

APIs

Beep.KERNEL32(00000000,00000000,?,00000000,00485C82), ref: 00485C68

Part of subcall function 00489BB0: GetTempPathA.KERNEL32(?,00000000), ref: 00489BEC

Part of subcall function 0048AB58: DeleteFileA.KERNEL32(00000000,00000000,0048ABE5,?,00000000,0048AC07), ref: 0048ABA5

Part of subcall function 0048A8AC: CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000004,00000100,00000000), ref: 0048A953
Part of subcall function 0048A8AC: CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000002,00000100,00000000), ref: 0048A98D
Part of subcall function 0048A8AC: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000110,00000000,00000000,00000044,?), ref: 0048AA10
Part of subcall function 0048A8AC: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0048AA2D
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA68
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA77
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA86
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA95

DeleteFileA.KERNEL32(00000000,Error,00000000,00485C82), ref: 00485A63
DeleteFileA.KERNEL32(00000000,00000000,Error,00000000,00485C82), ref: 00485A92

Part of subcall function 00485888: LocalAlloc.KERNEL32(00000040,00000014,00000000,00485939), ref: 004858C3
Part of subcall function 00485888: CreateThread.KERNEL32(00000000,00000000,Function_0008317C,00000000,00000000,00499F94), ref: 00485913
Part of subcall function 00485888: CloseHandle.KERNEL32(00000000), ref: 00485919

MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00485BE3

Strings

systeminfo, xrefs: 00485A14
tmp.txt, xrefs: 004859CA, 00485A07, 00485A79
Error, xrefs: 004859DE
SYSINFO, xrefs: 00485AAE
out.txt, xrefs: 004859AB, 004859EE, 00485A2A, 00485A4A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00462C84, Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 197 Total matches: 15com

Similarity

Total matches: 15
API ID: CoCreateInstance
String ID: )I$,*I$\)I$l)I$|*I
API String ID: 206711758-730570145
Opcode ID: 8999b16d8999ffb1a836ee872fd39b0ec17270f551e5dbcbb19cdec74f308aa7
Instruction ID: 5b7ba80d8099b44c35cabc3879083aa44c7049928a8bf14f2fd8312944c66e37
Opcode Fuzzy Hash: D1212B50148E6143E69475A53D92FAF11533BAB341E68BA6821DF30396CF01619BBF86
Instruction Fuzzy Hash: 5b7ba80d8099b44c35cabc3879083aa44c7049928a8bf14f2fd8312944c66e37

APIs

CoCreateInstance.OLE32(00492A2C,00000000,00000003,0049296C,00000000), ref: 00462CC9
CoCreateInstance.OLE32(00492A8C,00000000,00000001,00462EC8,00000000), ref: 00462CF4
CoCreateInstance.OLE32(00492A9C,00000000,00000001,0049295C,00000000), ref: 00462D20
CoCreateInstance.OLE32(00492A1C,00000000,00000003,004929AC,00000000), ref: 00462E12

Strings

,*I, xrefs: 00462CC3
l)I, xrefs: 00462CB9
)I, xrefs: 00462E4B
\)I, xrefs: 00462D10
|*I, xrefs: 00462D3C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048485C, Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 185 Total matches: 16networkfile

Similarity

Total matches: 16
API ID: HttpQueryInfoInternetCloseHandleInternetOpenInternetOpenUrlInternetReadFileShellExecute
String ID: 200$Mozilla$open
API String ID: 3970492845-1265730427
Opcode ID: 3dc36a46b375420b33b8be952117d0a4158fa58e722c19be8f44cfd6d7effa21
Instruction ID: c028a43d89851b06b6d8b312316828d3eee8359a726d0fa9a5f52c6647499b4f
Opcode Fuzzy Hash: B0213B401399C252F8372E512C83B9D101FDF82639F8857F197B9396D5EF48400DFA9A
Instruction Fuzzy Hash: c028a43d89851b06b6d8b312316828d3eee8359a726d0fa9a5f52c6647499b4f

APIs

InternetOpenA.WININET(Mozilla,00000001,00000000,00000000,00000000), ref: 0048490C
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,04000000,00000000), ref: 00484944
HttpQueryInfoA.WININET(00000000,00000013,?,00000200,?), ref: 0048497D
InternetReadFile.WININET(00000000,?,00000400,?), ref: 00484A04
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 00484A75
InternetCloseHandle.WININET(00000000), ref: 00484A95

Strings

200, xrefs: 004849BD
Mozilla, xrefs: 00484907
open, xrefs: 00484A6E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00448A94, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 170 Total matches: 10window

Similarity

Total matches: 10
API ID: BitBltImageList_DrawExSetBkColorSetTextColor
String ID: 6B
API String ID: 2442363623-1343726390
Opcode ID: f3e76f340fad2a36508cc9c10341b5bdbc0f221426f742f3eb9c92a513530c20
Instruction ID: 7c37791f634a82759e4cc75f05e789a5555426b5a490053cb838fe875b53176d
Opcode Fuzzy Hash: 041108094568A31EE56978080947F3721865B07A61C4A77A03AF31B3DACD443147FB69
Instruction Fuzzy Hash: 7c37791f634a82759e4cc75f05e789a5555426b5a490053cb838fe875b53176d

APIs

ImageList_DrawEx.COMCTL32(00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,?), ref: 00448AF3

Part of subcall function 0042535C: FillRect.USER32(?,00000000,00000000), ref: 00425385

ImageList_DrawEx.COMCTL32(00000000,?,00000000,00000000,00000000,00000000,00000000,000000FF,00000000,00000000), ref: 00448B94
SetTextColor.GDI32(00000000,00FFFFFF), ref: 00448BE1
SetBkColor.GDI32(00000000,00000000), ref: 00448BE9
BitBlt.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00E20746), ref: 00448C0E
SetTextColor.GDI32(00000000,00FFFFFF), ref: 00448C2F
SetBkColor.GDI32(00000000,00000000), ref: 00448C37
BitBlt.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00E20746), ref: 00448C5A

Part of subcall function 00448A6C: ImageList_GetBkColor.COMCTL32(00000000,?,00448ACD,00000000,?), ref: 00448A82

Strings

6B, xrefs: 00448B05

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A8AC, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 146 Total matches: 45fileprocesssynchronization

Similarity

Total matches: 45
API ID: CloseHandle$CreateFile$CreateProcessWaitForSingleObject
String ID: D
API String ID: 1169714791-2746444292
Opcode ID: 9fb844b51f751657abfdf9935c21911306aa385a3997c9217fbe2ce6b668f812
Instruction ID: 79e473b7fda91be69f4d7f417df14a4c992ec25b9310636d694ca9e09f5cc5b6
Opcode Fuzzy Hash: 4D11E6431384F3F3F1A567002C8275185D6DB45A78E6D9752D6B6323EECB40A16CF94A
Instruction Fuzzy Hash: 79e473b7fda91be69f4d7f417df14a4c992ec25b9310636d694ca9e09f5cc5b6

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000004,00000100,00000000), ref: 0048A953
CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000002,00000100,00000000), ref: 0048A98D
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000110,00000000,00000000,00000044,?), ref: 0048AA10
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0048AA2D
CloseHandle.KERNEL32(00000000), ref: 0048AA68
CloseHandle.KERNEL32(00000000), ref: 0048AA77
CloseHandle.KERNEL32(00000000), ref: 0048AA86
CloseHandle.KERNEL32(00000000), ref: 0048AA95

Strings

D, xrefs: 0048A9BB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00483468, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 118 Total matches: 10networkthread

Similarity

Total matches: 10
API ID: InternetCloseHandle$ExitThreadInternetOpenInternetOpenUrl
String ID: Times.$[.exe]$H4H$myappname
API String ID: 1533170427-2018508691
Opcode ID: 9bfd80528866c3fa2248181b1ccb48c134560f4eab1f6b9a7ba83a7f0698ff3d
Instruction ID: 5d8c8af60e1396200864222ed7d4265ca944ca2bef987cfa67465281aeb1ae53
Opcode Fuzzy Hash: 5201284087779767E0713A843C83BA64057AF53F79E88AB6006383B6C28D5E501EFE1E
Instruction Fuzzy Hash: 5d8c8af60e1396200864222ed7d4265ca944ca2bef987cfa67465281aeb1ae53

APIs

InternetOpenA.WININET(myappname,00000000,00000000,00000000,00000000), ref: 0048350C
InternetOpenUrlA.WININET(?,00000000,00000000,00000000,00000000,00000000), ref: 00483537
InternetCloseHandle.WININET(00000000), ref: 0048353D
InternetCloseHandle.WININET(?), ref: 00483553

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000, Times.,?,?,00000000,00483684,?,BTRESULTVisit URL|finished to visit ,?,004835AC,?,myappname,00000000,00000000,00000000,00000000), ref: 0048359F

Strings

myappname, xrefs: 00483507
H4H, xrefs: 00483497, 0048361C
BTRESULTVisit URL|finished to visit , xrefs: 00483558
Times., xrefs: 0048357D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F3B8, Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 110 Total matches: 30

Similarity

Total matches: 30
API ID: GetWindowPlacementGetWindowText
String ID: ,$False$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive
API String ID: 3194812178-3661939895
Opcode ID: 6e67ebc189e59b109926b976878c05c5ff8e56a7c2fe83319816f47c7d386b2c
Instruction ID: 05c2a068ec8248d3d24fb73124f2ba0192b7bb261c799db9564259cde8fcc610
Opcode Fuzzy Hash: DC012BC22786CE23E606A9C47A00BD0CE65AFB261CCC867E14FEE3C5D57ED100089B96
Instruction Fuzzy Hash: 05c2a068ec8248d3d24fb73124f2ba0192b7bb261c799db9564259cde8fcc610

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F40E
GetWindowPlacement.USER32(?,0000002C), ref: 0046F429

Part of subcall function 0046F148: GetWindow.USER32(?,00000005), ref: 0046F156
Part of subcall function 0046F148: GetWindow.USER32(00000000,00000002), ref: 0046F164

Strings

Maximized, xrefs: 0046F439
,, xrefs: 0046F41D
False, xrefs: 0046F4D6
Show/Unactive, xrefs: 0046F475
Normal, xrefs: 0046F44D
Minimized, xrefs: 0046F461
Normal/Unactive, xrefs: 0046F489

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00456278, Relevance: 15.2, APIs: 10, Instructions: 197 Total matches: 3025

Similarity

Total matches: 3025
API ID: GetWindowLong$IntersectClipRectRestoreDCSaveDC
String ID:
API String ID: 3006731778-0
Opcode ID: 42e9e34b880910027b3e3a352b823e5a85719ef328f9c6ea61aaf2d3498d6580
Instruction ID: 4204c0258dd60c0c2688d7e8ce7edc9cd036ce1826430425374ca7ebdb7834a4
Opcode Fuzzy Hash: 4621F609168D5267EC7B75806993BAA7111FB82B88CD1F7321AA1171975B80204BFA07
Instruction Fuzzy Hash: 4204c0258dd60c0c2688d7e8ce7edc9cd036ce1826430425374ca7ebdb7834a4

APIs

SaveDC.GDI32(?), ref: 00456295

Part of subcall function 0044EEA0: GetWindowOrgEx.GDI32(?), ref: 0044EEAE
Part of subcall function 0044EEA0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044EEC4

IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 004562CE
GetWindowLongA.USER32(00000000,000000EC), ref: 004562E2
GetWindowLongA.USER32(00000000,000000F0), ref: 00456303

Part of subcall function 00456278: SetRect.USER32(00000010,00000000,00000000,?,?), ref: 00456363
Part of subcall function 00456278: IntersectClipRect.GDI32(?,00000000,00000000,00000010,?), ref: 004563D3
Part of subcall function 00456278: SetRect.USER32(?,00000000,00000000,?,?), ref: 004563F4
Part of subcall function 00456278: DrawEdge.USER32(?,?,00000000,00000000), ref: 00456403
Part of subcall function 00456278: IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0045642C

RestoreDC.GDI32(?,?), ref: 004564AB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043F2B8, Relevance: 15.1, APIs: 10, Instructions: 133 Total matches: 142window

Similarity

Total matches: 142
API ID: GetWindowLongSendMessageSetWindowLong$GetClassLongGetSystemMenuSetClassLongSetWindowPos
String ID:
API String ID: 864553395-0
Opcode ID: 9ab73d602731c043e05f06fe9a833ffc60d2bf7da5b0a21ed43778f35c9aa1f5
Instruction ID: 86e40c6f39a8dd384175e0123e2dc7e82ae64037638b8220b5ac0861a23d6a34
Opcode Fuzzy Hash: B101DBAA1A176361E0912DCCCAC3B2ED50DB743248EB0DBD922E11540E7F4590A7FE2D
Instruction Fuzzy Hash: 86e40c6f39a8dd384175e0123e2dc7e82ae64037638b8220b5ac0861a23d6a34

APIs

GetWindowLongA.USER32(00000000,000000F0), ref: 0043F329
GetWindowLongA.USER32(00000000,000000EC), ref: 0043F33B
GetClassLongA.USER32(00000000,000000E6), ref: 0043F34E
SetWindowLongA.USER32(00000000,000000F0,00000000), ref: 0043F38E
SetWindowLongA.USER32(00000000,000000EC,?), ref: 0043F3A2
SetClassLongA.USER32(00000000,000000E6,?), ref: 0043F3B6
SendMessageA.USER32(00000000,00000080,00000001,00000000), ref: 0043F3F0
SendMessageA.USER32(00000000,00000080,00000001,00000000), ref: 0043F408
GetSystemMenu.USER32(00000000,000000FF), ref: 0043F417
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043F440

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044155C, Relevance: 15.1, APIs: 10, Instructions: 74 Total matches: 3192window

Similarity

Total matches: 3192
API ID: DeleteMenu$EnableMenuItem$GetSystemMenu
String ID:
API String ID: 3542995237-0
Opcode ID: 6b257927fe0fdeada418aad578b82fbca612965c587f2749ccb5523ad42afade
Instruction ID: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578
Opcode Fuzzy Hash: 0AF0D09DD98F1151E6F500410C47B83C08AFF413C5C245B380583217EFA9D25A5BEB0E
Instruction Fuzzy Hash: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 004415A7
DeleteMenu.USER32(00000000,0000F130,00000000), ref: 004415C5
DeleteMenu.USER32(00000000,00000007,00000400), ref: 004415D2
DeleteMenu.USER32(00000000,00000005,00000400), ref: 004415DF
DeleteMenu.USER32(00000000,0000F030,00000000), ref: 004415EC
DeleteMenu.USER32(00000000,0000F020,00000000), ref: 004415F9
DeleteMenu.USER32(00000000,0000F000,00000000), ref: 00441606
DeleteMenu.USER32(00000000,0000F120,00000000), ref: 00441613
EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 00441631
EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 0044164D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040281E, Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 188 Total matches: 190window

Similarity

Total matches: 190
API ID: MessageBox
String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
API String ID: 1250089747-980038931
Opcode ID: 1669ecd234b97cdbd14c3df7a35b1e74c6856795be7635a3e0f5130a3d9bc831
Instruction ID: 2e60dbe28dcd1d3aa5670394eea0bc97309ab4bc9661f15f320bab8b5d4cd559
Opcode Fuzzy Hash: 8E21F44B67EED392D3EA1303384575540E3ABC5537D888F60977232BF6EE14140BAA9D
Instruction Fuzzy Hash: 2e60dbe28dcd1d3aa5670394eea0bc97309ab4bc9661f15f320bab8b5d4cd559

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 00402BBE

Strings

An unexpected memory leak has occurred. , xrefs: 00402980
, xrefs: 00402B04
The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402B39
The unexpected small block leaks are:, xrefs: 004029F7
Unexpected Memory Leak, xrefs: 00402BB0
7, xrefs: 00402991
bytes: , xrefs: 00402A4D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004710F0, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 66 Total matches: 37

Similarity

Total matches: 37
API ID: GetWindowShowWindow$FindWindowGetClassName
String ID: BUTTON$Shell_TrayWnd
API String ID: 2948047570-3627955571
Opcode ID: 9e064d9ead1b610c0c1481de5900685eb7d76be14ef2e83358ce558d27e67668
Instruction ID: d360bd029940f6fa4d12d7627fe3e8b46839e67e31e965d43504e39a11938d6c
Opcode Fuzzy Hash: 68E092CC17B5D469B71A2789284236241D5C763A35C18B752D332376DF8E58021EE60A
Instruction Fuzzy Hash: d360bd029940f6fa4d12d7627fe3e8b46839e67e31e965d43504e39a11938d6c

APIs

FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 0047111D
GetWindow.USER32(00000000,00000005), ref: 00471125
GetClassNameA.USER32(00000000,?,00000080), ref: 0047113D
ShowWindow.USER32(00000000,00000001), ref: 0047117C
ShowWindow.USER32(00000000,00000000), ref: 00471186
GetWindow.USER32(00000000,00000002), ref: 0047118E

Strings

BUTTON, xrefs: 00471168
Shell_TrayWnd, xrefs: 00471118

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040DA34, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 56 Total matches: 16filewindow

Similarity

Total matches: 16
API ID: GetStdHandleWriteFile$CharToOemLoadStringMessageBox
String ID: LPI
API String ID: 3807148645-863635926
Opcode ID: 539cd2763de28bf02588dbfeae931fa34031625c31423c558e1c96719d1f86e4
Instruction ID: 5b0ab8211e0f5c40d4b1780363d5c9b524eff0228eb78845b7b0cb7c9884c59c
Opcode Fuzzy Hash: B1E09A464E3CA62353002E1070C6B892287EF4302E93833828A11787D74E3104E9A21C
Instruction Fuzzy Hash: 5b0ab8211e0f5c40d4b1780363d5c9b524eff0228eb78845b7b0cb7c9884c59c

APIs

Part of subcall function 0040D8AC: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040D8C9
Part of subcall function 0040D8AC: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040D8ED
Part of subcall function 0040D8AC: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040D908
Part of subcall function 0040D8AC: LoadStringA.USER32(00000000,0000FFED,?,00000100), ref: 0040D99E

CharToOemA.USER32(?,?), ref: 0040DA6B
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,0040E1ED,0040E312,0040FDD4,00000000,0040FF18), ref: 0040DA88
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?), ref: 0040DA8E
GetStdHandle.KERNEL32(000000F4,0040DAF8,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,0040E1ED,0040E312,0040FDD4,00000000,0040FF18), ref: 0040DAA3
WriteFile.KERNEL32(00000000,000000F4,0040DAF8,00000002,?), ref: 0040DAA9
LoadStringA.USER32(00000000,0000FFEE,?,00000040), ref: 0040DACB
MessageBoxA.USER32(00000000,?,?,00002010), ref: 0040DAE1

Strings

LPI, xrefs: 0040DA48

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004564D0, Relevance: 13.7, APIs: 9, Instructions: 177 Total matches: 190window

Similarity

Total matches: 190
API ID: SelectObject$BeginPaintBitBltCreateCompatibleBitmapCreateCompatibleDCSetWindowOrgEx
String ID:
API String ID: 1616898104-0
Opcode ID: 00b711a092303d63a394b0039c66d91bff64c6bf82b839551a80748cfcb5bf1e
Instruction ID: 1affb125a654ca7596d0e4f6c4811def945eff925a29ebecd1c68cf0f38a7913
Opcode Fuzzy Hash: 14115B85024DA637E8739CC85E83F962294F307D48C91F7729BA31B2C72F15600DD293
Instruction Fuzzy Hash: 1affb125a654ca7596d0e4f6c4811def945eff925a29ebecd1c68cf0f38a7913

APIs

Part of subcall function 00455D50: BeginPaint.USER32(00000000,?), ref: 00455D7B
Part of subcall function 00455D50: SaveDC.GDI32(00000000), ref: 00455DB4
Part of subcall function 00455D50: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 00455E36
Part of subcall function 00455D50: RestoreDC.GDI32(00000000,00000000), ref: 00455E6C
Part of subcall function 00455D50: EndPaint.USER32(00000000,?), ref: 00455EA9

BeginPaint.USER32(00000000,?), ref: 004565EA
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00456600
CreateCompatibleDC.GDI32(00000000), ref: 00456617
SelectObject.GDI32(?,?), ref: 00456627
SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0045664B

Part of subcall function 004564D0: BeginPaint.USER32(00000000,?), ref: 0045653C
Part of subcall function 004564D0: EndPaint.USER32(00000000,?), ref: 004565D0

BitBlt.GDI32(00000000,?,?,?,?,?,?,?,00CC0020), ref: 00456699
SelectObject.GDI32(?,?), ref: 004566B3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004840D8, Relevance: 13.6, APIs: 9, Instructions: 150 Total matches: 30

Similarity

Total matches: 30
API ID: CloseHandleGetTokenInformationLookupAccountSid$GetLastErrorOpenProcessOpenProcessToken
String ID:
API String ID: 1387212650-0
Opcode ID: 55fc45e655e8bcad6bc41288bae252f5ee7be0b7cb976adfe173a6785b05be5f
Instruction ID: 4c6b5abeafcca947752a893948ed48d42e020b1fe5683f4a654fc51f6199c0a3
Opcode Fuzzy Hash: 3901484A17CA2293F53BB5C82483FEA1215E702B45D48B7A354F43A59A5F45A13BF702
Instruction Fuzzy Hash: 4c6b5abeafcca947752a893948ed48d42e020b1fe5683f4a654fc51f6199c0a3

APIs

OpenProcess.KERNEL32(00000400,00000000,?,00000000,00484275), ref: 00484108
OpenProcessToken.ADVAPI32(00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 0048411E
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,?,00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 00484139
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),?,?,?,?,TokenIntegrityLevel,00000000,00000000,?,00000000,00000008,?,00000400,00000000), ref: 00484168
GetLastError.KERNEL32(?,TokenIntegrityLevel,00000000,00000000,?,00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 00484177
CloseHandle.KERNEL32(?), ref: 00484185
LookupAccountSidA.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 004841B4
LookupAccountSidA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,?), ref: 00484205
CloseHandle.KERNEL32(00000000), ref: 00484255

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00451458, Relevance: 13.6, APIs: 9, Instructions: 122 Total matches: 3040window

Similarity

Total matches: 3040
API ID: PatBlt$SelectObject$GetDCExGetDesktopWindowReleaseDC
String ID:
API String ID: 2402848322-0
Opcode ID: 0b1cd19b0e82695ca21d43bacf455c9985e1afa33c1b29ce2f3a7090b744ccb2
Instruction ID: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593
Opcode Fuzzy Hash: C2F0B4482AADF707C8B6350915C7F79224AED736458F4BB694DB4172CBAF27B014D093
Instruction Fuzzy Hash: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593

APIs

GetDesktopWindow.USER32 ref: 0045148F
GetDCEx.USER32(?,00000000,00000402), ref: 004514A2

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

SelectObject.GDI32(?,00000000), ref: 004514C5
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 004514EB
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0045150D
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 0045152C
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 00451546
SelectObject.GDI32(?,?), ref: 00451553
ReleaseDC.USER32(?,?), ref: 0045156D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00465598, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 194 Total matches: 72libraryloader

Similarity

Total matches: 72
API ID: GetProcAddress$IsBadReadPtrLoadLibrary
String ID: BuildImportTable: GetProcAddress failed$BuildImportTable: ReallocMemory failed$BuildImportTable: can't load library:
API String ID: 1616315271-1384308123
Opcode ID: eb45955122e677bac4d3e7b6686ec9cba9f45ae3ef48f3e0b242e9a0c3719a7c
Instruction ID: d25742ef4bc1d51b96969838743a3f95180d575e7d72d5f7fe617812cb4009d6
Opcode Fuzzy Hash: 0B214C420345E0D3ED39A2081CC7FB15345EF639B4D88AB671ABB667FA2985500AF50D
Instruction Fuzzy Hash: d25742ef4bc1d51b96969838743a3f95180d575e7d72d5f7fe617812cb4009d6

APIs

LoadLibraryA.KERNEL32(00000000), ref: 00465607
GetProcAddress.KERNEL32(?,?), ref: 00465737
GetProcAddress.KERNEL32(?,?), ref: 0046576B
IsBadReadPtr.KERNEL32(?,00000014,00000000,004657D8), ref: 004657A9

Strings

BuildImportTable: can't load library: , xrefs: 00465644
BuildImportTable: ReallocMemory failed, xrefs: 0046568D
BuildImportTable: GetProcAddress failed, xrefs: 0046577C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482E34, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 193 Total matches: 16sleepthread

Similarity

Total matches: 16
API ID: Sleep$CreateThreadExitThread
String ID: .255$127.0.0.1$LanList
API String ID: 1155887905-2919614961
Opcode ID: f9aceb7697053a60f8f2203743265727de6b3c16a25ac160ebf033b594fe70c2
Instruction ID: 67bc21a589158fc7afeef0b5d02271f7d18e2bfc14a4273c93325a5ef21c2c98
Opcode Fuzzy Hash: 62215C820F87955EED616C807C41FA701315FB7649D4FAB622A6B3A1A74E032016B743
Instruction Fuzzy Hash: 67bc21a589158fc7afeef0b5d02271f7d18e2bfc14a4273c93325a5ef21c2c98

APIs

ExitThread.KERNEL32(00000000,00000000,004830D3,?,?,?,?,00000000,00000000), ref: 004830A6

Part of subcall function 00473208: socket.WSOCK32(00000002,00000001,00000000,00000000,00473339), ref: 0047323B
Part of subcall function 00473208: WSAIoctl.WS2_32(000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000), ref: 0047327C
Part of subcall function 00473208: inet_ntoa.WSOCK32(?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000), ref: 004732AC
Part of subcall function 00473208: inet_ntoa.WSOCK32(?,?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001), ref: 004732E8
Part of subcall function 00473208: closesocket.WSOCK32(000000FF,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000,00000000,00473339), ref: 00473319

CreateThread.KERNEL32(00000000,00000000,Function_00082CDC,?,00000000,?), ref: 00483005
Sleep.KERNEL32(00000032,00000000,00000000,Function_00082CDC,?,00000000,?,?,00000000,00000000,00483104,?,00483104,?,00483104,?), ref: 0048300C
Sleep.KERNEL32(00000064,.255,?,00483104,?,00483104,?,?,00000000,004830D3,?,?,?,?,00000000,00000000), ref: 00483054

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

127.0.0.1, xrefs: 00482E9D
LanList, xrefs: 0048306B
.255, xrefs: 0048303C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004117E8, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: f440f800a6dcfa6827f62dcd7c23166eba4d720ac19948e634cff8498f9e3f0b
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 4D113503239AAB83B0257B804C83F24D1D0DE42D36ACD97B8C672693F32601561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00411881
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041189D
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 004118D6
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411953
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0041196C
VariantCopy.OLEAUT32(?), ref: 004119A1

Strings

, xrefs: 00411802

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00454934, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 134 Total matches: 1764registry

Similarity

Total matches: 1764
API ID: GetWindowLong$GetClassInfoRegisterClassSetWindowLongUnregisterClass
String ID: @
API String ID: 2433521760-2766056989
Opcode ID: bb057d11bcffa2997f58ae607b8aec9f6d517787b85221cca69b6bc40098651c
Instruction ID: 4013627ed433dbc6b152acdb164a0da3d29e3622e0b68fd627badcaca3a3b516
Opcode Fuzzy Hash: 5A119C80560CD237E7D669A4B48378513749F97B7CDD0536B63F6242DA4E00402DF96E
Instruction Fuzzy Hash: 4013627ed433dbc6b152acdb164a0da3d29e3622e0b68fd627badcaca3a3b516

APIs

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetClassInfoA.USER32(?,?,?), ref: 004549F8
UnregisterClassA.USER32(?,?), ref: 00454A20
RegisterClassA.USER32(?), ref: 00454A36
GetWindowLongA.USER32(00000000,000000F0), ref: 00454A72
GetWindowLongA.USER32(00000000,000000F4), ref: 00454A87
SetWindowLongA.USER32(00000000,000000F4,00000000), ref: 00454A9A

Part of subcall function 00458910: IsIconic.USER32(?), ref: 0045891F
Part of subcall function 00458910: GetWindowPlacement.USER32(?,0000002C), ref: 0045893C
Part of subcall function 00458910: GetWindowRect.USER32(?), ref: 00458955
Part of subcall function 00458910: GetWindowLongA.USER32(?,000000F0), ref: 00458963
Part of subcall function 00458910: GetWindowLongA.USER32(?,000000F8), ref: 00458978
Part of subcall function 00458910: ScreenToClient.USER32(00000000), ref: 00458985
Part of subcall function 00458910: ScreenToClient.USER32(00000000,?), ref: 00458990

Part of subcall function 0042473C: CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,00424930,?,00000000,00424958), ref: 0042486B
Part of subcall function 0042473C: CreateFontIndirectA.GDI32(?), ref: 0042490D

Part of subcall function 0040F26C: GetLastError.KERNEL32(0040F31C,?,0041BBC3,?), ref: 0040F26C

Strings

@, xrefs: 0045496D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AC14, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 110 Total matches: 30

Similarity

Total matches: 30
API ID: GetCurrentProcessGetTokenInformationLookupPrivilegeDisplayNameLookupPrivilegeNameOpenProcessToken
String ID: GetTokenInformation error$OpenProcessToken error
API String ID: 34442935-1842041635
Opcode ID: 07715b92dc7caf9e715539a578f275bcd2bb60a34190f84cc6cf05c55eb8ea49
Instruction ID: 380ab001647c8b3903b6034fc21424389ae21c1771cfbd9cf9b74ae493e33b6b
Opcode Fuzzy Hash: 9101994303ACF753F62929086842BDA0550DF534A5EC4AB6281746BEC90F28203AFB57
Instruction Fuzzy Hash: 380ab001647c8b3903b6034fc21424389ae21c1771cfbd9cf9b74ae493e33b6b

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AD60), ref: 0048AC51
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AD60), ref: 0048AC57
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000320,?,00000000,00000028,?,00000000,0048AD60), ref: 0048AC7D
LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,00000000,000000FF,?), ref: 0048ACEE

Part of subcall function 00489B40: MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00489B84

LookupPrivilegeNameA.ADVAPI32(00000000,?,00000000,000000FF), ref: 0048ACDD

Strings

GetTokenInformation error, xrefs: 0048AC86
OpenProcessToken error, xrefs: 0048AC60

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0041F7B4, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109 Total matches: 16thread

Similarity

Total matches: 16
API ID: EnterCriticalSectionGetCurrentThreadId$InterlockedExchangeLeaveCriticalSection
String ID: 4PI
API String ID: 853095497-1771581502
Opcode ID: e7ac2c5012fa839d146893c0705f22c4635eb548c5d0be0363ce03b581d14a20
Instruction ID: e450c16710015a04d827bdf36dba62923dd4328c0a0834b889eda6f9c026b195
Opcode Fuzzy Hash: 46F0268206D8F1379472678830D77370A8AC33154EC85EB52162C376EB1D05D05DE75B
Instruction Fuzzy Hash: e450c16710015a04d827bdf36dba62923dd4328c0a0834b889eda6f9c026b195

APIs

GetCurrentThreadId.KERNEL32 ref: 0041F7BF
GetCurrentThreadId.KERNEL32 ref: 0041F7CE
EnterCriticalSection.KERNEL32(004999D0,0041F904,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F8F7

Part of subcall function 0041F774: WaitForSingleObject.KERNEL32(000000EC), ref: 0041F77E

Part of subcall function 0041F768: ResetEvent.KERNEL32(000000EC,0041F809), ref: 0041F76E

EnterCriticalSection.KERNEL32(004999D0), ref: 0041F813
InterlockedExchange.KERNEL32(00491B2C,?), ref: 0041F82F
LeaveCriticalSection.KERNEL32(004999D0,00000000,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F888

Strings

4PI, xrefs: 0041F7C4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00449834, Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 80 Total matches: 16libraryloader

Similarity

Total matches: 16
API ID: GetModuleHandleGetProcAddressImageList_Write
String ID: $qA$ImageList_WriteEx$[FILE]$[FILE]
API String ID: 3028349119-1134023085
Opcode ID: 9b6b780f1487285524870f905d0420896c1378cf45dbecae2d97141bf0e14d48
Instruction ID: 043155abd17610354dead4f4dd3580dd0e6203469d1d2f069e389e4af6e4a666
Opcode Fuzzy Hash: 29F059C6A0CCF14AE7175584B0AB66107F0BB9DD5F8C87710081C710A90F95A13DFB56
Instruction Fuzzy Hash: 043155abd17610354dead4f4dd3580dd0e6203469d1d2f069e389e4af6e4a666

APIs

ImageList_Write.COMCTL32(00000000,?,00000000,0044992E), ref: 004498F8

Part of subcall function 0040E3A4: GetFileVersionInfoSizeA.VERSION(00000000,?,00000000,0040E47A), ref: 0040E3E6
Part of subcall function 0040E3A4: GetFileVersionInfoA.VERSION(00000000,?,00000000,?,00000000,0040E45D,?,00000000,?,00000000,0040E47A), ref: 0040E41B
Part of subcall function 0040E3A4: VerQueryValueA.VERSION(?,0040E48C,?,?,00000000,?,00000000,?,00000000,0040E45D,?,00000000,?,00000000,0040E47A), ref: 0040E435

GetModuleHandleA.KERNEL32(comctl32.dll), ref: 00449868
GetProcAddress.KERNEL32(00000000,ImageList_WriteEx,comctl32.dll), ref: 00449879

Strings

comctl32.dll, xrefs: 00449863
ImageList_WriteEx, xrefs: 00449873
$qA, xrefs: 004498D4, 00449909
comctl32.dll, xrefs: 00449848

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E4A0, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68 Total matches: 2853string

Similarity

Total matches: 2853
API ID: GetSystemMetrics$GetMonitorInfoSystemParametersInfolstrcpy
String ID: DISPLAY$GetMonitorInfo
API String ID: 3432438702-1633989206
Opcode ID: eae47ffeee35c10db4cae29e8a4ab830895bcae59048fb7015cdc7d8cb0a928b
Instruction ID: 74142331967dee0409fd24cf408a58a7466f2520650418456c75ade1e3029da4
Opcode Fuzzy Hash: 28E068803A699081F86A71027110F4912B07AE7E47D883B92C4777051BD78265B91D01
Instruction Fuzzy Hash: 74142331967dee0409fd24cf408a58a7466f2520650418456c75ade1e3029da4

APIs

GetMonitorInfoA.USER32(?,?), ref: 0042E4D1
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042E4F8
GetSystemMetrics.USER32(00000000), ref: 0042E50D
GetSystemMetrics.USER32(00000001), ref: 0042E518
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0042E542

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

DISPLAY, xrefs: 0042E539
GetMonitorInfo, xrefs: 0042E4B8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E574, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 68 Total matches: 14string

Similarity

Total matches: 14
API ID: GetSystemMetrics$SystemParametersInfolstrcpy
String ID: DISPLAY$GetMonitorInfoA$tB
API String ID: 920390751-4256241499
Opcode ID: 9a94b6fb1edcb78a0c9a66795ebd84d1eeb67d07ab6805deb2fcd0b49b846e84
Instruction ID: eda70eb6c6723b3d8ed12733fddff3b40501d2063d2ec80ebb02aba850291404
Opcode Fuzzy Hash: 78E068C132298081B86A31013160F42129039E7E17E883BC1D4F77056B8B8275651D08
Instruction Fuzzy Hash: eda70eb6c6723b3d8ed12733fddff3b40501d2063d2ec80ebb02aba850291404

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042E5CC
GetSystemMetrics.USER32(00000000), ref: 0042E5E1
GetSystemMetrics.USER32(00000001), ref: 0042E5EC
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0042E616

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

GetMonitorInfoA, xrefs: 0042E58C
tB, xrefs: 0042E591, 0042E59E, 0042E5A5
DISPLAY, xrefs: 0042E60D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E648, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 68 Total matches: 10string

Similarity

Total matches: 10
API ID: GetSystemMetrics$SystemParametersInfolstrcpy
String ID: DISPLAY$GetMonitorInfoW$HB
API String ID: 920390751-4214253287
Opcode ID: 39694e9d9e018d210cdbb9f258b89a02c97d0963af088e59ad359ed5c593a5a2
Instruction ID: 715dbc0accc45c62a460a5bce163b1305142a94d166b4e77b7d7de915e09a29c
Opcode Fuzzy Hash: C6E0D8802269D0C5B86A71013254F4712E53EFBF57C8C3B51D5737156A5782A6B51D11
Instruction Fuzzy Hash: 715dbc0accc45c62a460a5bce163b1305142a94d166b4e77b7d7de915e09a29c

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042E6A0
GetSystemMetrics.USER32(00000000), ref: 0042E6B5
GetSystemMetrics.USER32(00000001), ref: 0042E6C0
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0042E6EA

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

GetMonitorInfoW, xrefs: 0042E660
HB, xrefs: 0042E665, 0042E672, 0042E679
DISPLAY, xrefs: 0042E6E1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004052FC, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38 Total matches: 3072filewindow

Similarity

Total matches: 3072
API ID: GetStdHandleWriteFile$MessageBox
String ID: Error$Runtime error at 00000000
API String ID: 877302783-2970929446
Opcode ID: a2f2a555d5de0ed3a3cdfe8a362fd9574088acc3a5edf2b323f2c4251b80d146
Instruction ID: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97
Opcode Fuzzy Hash: FED0A7C68438479FA141326030C4B2A00133F0762A9CC7396366CB51DFCF4954BCDD05
Instruction Fuzzy Hash: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405335
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 0040533B
GetStdHandle.KERNEL32(000000F5,00405384,00000002,?,00000000,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405350
WriteFile.KERNEL32(00000000,000000F5,00405384,00000002,?), ref: 00405356
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00405374

Strings

Error, xrefs: 00405368
Runtime error at 00000000, xrefs: 0040532E, 0040536D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00442C9C, Relevance: 12.2, APIs: 8, Instructions: 154 Total matches: 2310window

Similarity

Total matches: 2310
API ID: SendMessage$GetActiveWindowGetCapture$ReleaseCapture
String ID:
API String ID: 3360342259-0
Opcode ID: 2e7a3c9d637816ea08647afd4d8ce4a3829e05fa187c32cef18f4a4206af3d5d
Instruction ID: f313f7327938110f0d474da6a120560d1e1833014bacf3192a9076ddb3ef11f7
Opcode Fuzzy Hash: 8F1150111E8E7417F8A3A1C8349BB23A067F74FA59CC0BF71479A610D557588869D707
Instruction Fuzzy Hash: f313f7327938110f0d474da6a120560d1e1833014bacf3192a9076ddb3ef11f7

APIs

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetCapture.USER32 ref: 00442D0D
GetCapture.USER32 ref: 00442D1C
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00442D22
ReleaseCapture.USER32 ref: 00442D27
GetActiveWindow.USER32 ref: 00442D78

Part of subcall function 004442A8: GetCursorPos.USER32 ref: 004442C3
Part of subcall function 004442A8: WindowFromPoint.USER32(?,?), ref: 004442D0
Part of subcall function 004442A8: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004442DE
Part of subcall function 004442A8: GetCurrentThreadId.KERNEL32(00000000,00000000,?,?), ref: 004442E5
Part of subcall function 004442A8: SendMessageA.USER32(00000000,00000084,00000000,?), ref: 0044430E
Part of subcall function 004442A8: SendMessageA.USER32(00000000,00000020,00000000,?), ref: 00444320
Part of subcall function 004442A8: SetCursor.USER32(00000000), ref: 00444332

Part of subcall function 0043B920: GetCurrentThreadId.KERNEL32(0043B8D0,00000000,00000000,0043B993,?,00000000,0043B9D1), ref: 0043B976
Part of subcall function 0043B920: EnumThreadWindows.USER32(00000000,0043B8D0,00000000), ref: 0043B97C

SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00442E0E
SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00442E7B
GetActiveWindow.USER32 ref: 00442E8A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E0DC, Relevance: 12.1, APIs: 8, Instructions: 100 Total matches: 31registry

Similarity

Total matches: 31
API ID: RegOpenKeyEx$RegCloseKeyRegDeleteValue
String ID:
API String ID: 2702562355-0
Opcode ID: ff1bffc0fc9da49c543c68ea8f8c068e074332158ed00d7e0855fec77d15ce10
Instruction ID: bb6f8a9e936068d281b70d3ea2ea02ff1a791729bc38357734c580253c916b5c
Opcode Fuzzy Hash: 00F0AD0155E9A353EBF654C41E127DB2082FF43A44D08FFB50392139D3DF581028E663
Instruction Fuzzy Hash: bb6f8a9e936068d281b70d3ea2ea02ff1a791729bc38357734c580253c916b5c

APIs

RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?,00000000,0046E238), ref: 0046E15A
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,000F003F,?,0046E23F,80000000,00000000,00000000,000F003F,?,00000000,0046E238), ref: 0046E17D
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,0046E23F,80000000,00000000,00000000,000F003F,?), ref: 0046E19D
RegOpenKeyExA.ADVAPI32(80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,0046E23F), ref: 0046E1BD
RegOpenKeyExA.ADVAPI32(80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001), ref: 0046E1DD
RegOpenKeyExA.ADVAPI32(80000006,00000000,00000000,000F003F,?,80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002), ref: 0046E1FD
RegDeleteValueA.ADVAPI32(?,00000000,00000000,0046E238), ref: 0046E20F
RegCloseKey.ADVAPI32(?,?,00000000,00000000,0046E238), ref: 0046E218

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004462F4, Relevance: 12.1, APIs: 8, Instructions: 99 Total matches: 293windowthread

Similarity

Total matches: 293
API ID: SendMessage$GetWindowThreadProcessId$GetCaptureGetParentIsWindowUnicode
String ID:
API String ID: 2317708721-0
Opcode ID: 8f6741418f060f953fc426fb00df5905d81b57fcb2f7a38cdc97cb0aab6d7365
Instruction ID: 027f2b09132ef415e1641618d15c0fc03404835376b0cbd1c352fc703b58c8b5
Opcode Fuzzy Hash: D0F09E15071D1844F89FA7844CD3F1F0150E73726FC516A251861D07BB2640586DEC40
Instruction Fuzzy Hash: 027f2b09132ef415e1641618d15c0fc03404835376b0cbd1c352fc703b58c8b5

APIs

GetCapture.USER32 ref: 0044631A
GetParent.USER32(00000000), ref: 00446340
IsWindowUnicode.USER32(00000000), ref: 0044635D
SendMessageW.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446378
SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446397
GetWindowThreadProcessId.USER32(00000000), ref: 004463A6
GetWindowThreadProcessId.USER32(?,?), ref: 004463B4
SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 004463D4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E244, Relevance: 12.1, APIs: 8, Instructions: 95 Total matches: 27registry

Similarity

Total matches: 27
API ID: RegOpenKeyEx$RegCloseKeyRegDeleteKey
String ID:
API String ID: 1588268847-0
Opcode ID: efa1fa3a126963e045954320cca245066a4b5764b694b03be027155e6cf74c33
Instruction ID: 786d86d630c0ce6decb55c8266b1f23f89dbfeab872e22862efc69a80fb541cf
Opcode Fuzzy Hash: 70F0810454D99393EFF268C81A627EB2492FF53141C00BFB603D222A93DF191428E663
Instruction Fuzzy Hash: 786d86d630c0ce6decb55c8266b1f23f89dbfeab872e22862efc69a80fb541cf

APIs

RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?,00000000,0046E391), ref: 0046E2B7
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,000F003F,?,80000000,00000000,00000000,000F003F,?,00000000,0046E391), ref: 0046E2DA
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,80000000,00000000,00000000,000F003F,?,00000000), ref: 0046E2FA
RegOpenKeyExA.ADVAPI32(80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,80000000), ref: 0046E31A
RegOpenKeyExA.ADVAPI32(80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001), ref: 0046E33A
RegOpenKeyExA.ADVAPI32(80000006,00000000,00000000,000F003F,?,80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002), ref: 0046E35A
RegDeleteKeyA.ADVAPI32(?,0046E39C), ref: 0046E368
RegCloseKey.ADVAPI32(?,?,0046E39C,00000000,0046E391), ref: 0046E371

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426060, Relevance: 12.1, APIs: 8, Instructions: 79 Total matches: 3072window

Similarity

Total matches: 3072
API ID: GetSystemPaletteEntries$GetDCGetDeviceCapsReleaseDC
String ID:
API String ID: 3774187343-0
Opcode ID: c8a1f0028bda89d06ba34fecd970438ce26e4f5bd606e2da3d468695089984a8
Instruction ID: 0cfe958825060108f21fe327ec74807f3ea840bb8274bad68fd1d00675d59d02
Opcode Fuzzy Hash: 82F0E9420739F3B3B21723492453B548250FF006B8F195B7095A2A37D54B486A08D65A
Instruction Fuzzy Hash: 0cfe958825060108f21fe327ec74807f3ea840bb8274bad68fd1d00675d59d02

APIs

GetDC.USER32(00000000), ref: 0042608E
GetDeviceCaps.GDI32(?,00000068), ref: 004260AA
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 004260C9
GetSystemPaletteEntries.GDI32(?,-00000008,00000001,00C0C0C0), ref: 004260ED
GetSystemPaletteEntries.GDI32(?,00000000,00000007,?), ref: 0042610B
GetSystemPaletteEntries.GDI32(?,00000007,00000001,?), ref: 0042611F
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0042613F
ReleaseDC.USER32(00000000,?), ref: 00426157

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434550, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 177 Total matches: 2669window

Similarity

Total matches: 2669
API ID: InsertMenu$GetVersionInsertMenuItem
String ID: ,$?
API String ID: 1158528009-2308483597
Opcode ID: 3691d3eb49acf7fe282d18733ae3af9147e5be4a4a7370c263688d5644077239
Instruction ID: d88e58a9695d0ecde36b26a9ed5775f3b98e27f7dc2108173ae1ec2afbf22209
Opcode Fuzzy Hash: 7021C07202AE81DBD414788C7954F6221B16B5465FD49FF210329B5DD98F156003FF7A
Instruction Fuzzy Hash: d88e58a9695d0ecde36b26a9ed5775f3b98e27f7dc2108173ae1ec2afbf22209

APIs

GetVersion.KERNEL32(00000000,004347A1), ref: 004345EC
InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 004346F5
InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 0043477E

Part of subcall function 00434A54: CreatePopupMenu.USER32 ref: 00434A6F
Part of subcall function 00434A54: CreateMenu.USER32 ref: 00434A79

InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 00434765

Strings

?, xrefs: 00434607
,, xrefs: 00434600

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00488D70, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 139 Total matches: 17window

Similarity

Total matches: 17
API ID: BitBltCreateCompatibleBitmapCreateCompatibleDCCreateDCSelectObject
String ID: image/jpeg
API String ID: 3045076971-3785015651
Opcode ID: dbe4b5206c04ddfa7cec44dd0e3e3f3269a9d8eacf2ec53212285f1a385d973c
Instruction ID: b6a9b81207b66fd46b40be05ec884117bb921c7e8fb4f30b77988d552b54040a
Opcode Fuzzy Hash: 3001BD010F4EF103E475B5CC3853FF7698AEB17E8AD1A77A20CB8961839202A009F607
Instruction Fuzzy Hash: b6a9b81207b66fd46b40be05ec884117bb921c7e8fb4f30b77988d552b54040a

APIs

CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 00488DAA
CreateCompatibleDC.GDI32(?), ref: 00488DC4
CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 00488DDC
SelectObject.GDI32(?,?), ref: 00488DEC
BitBlt.GDI32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,00CC0020), ref: 00488E15

Part of subcall function 0045FB1C: GdipCreateBitmapFromHBITMAP.GDIPLUS(?,?,?), ref: 0045FB43

Part of subcall function 0045FA24: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,0045FA7A), ref: 0045FA54

Strings

image/jpeg, xrefs: 00488E70

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446834, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 138 Total matches: 241window

Similarity

Total matches: 241
API ID: SetWindowPos$GetWindowRectMessageBoxSetActiveWindow
String ID: (
API String ID: 3733400490-3887548279
Opcode ID: 057cc1c80f110adb1076bc5495aef73694a74091f1d008cb79dd59c6bbc78491
Instruction ID: b10abcdf8b99517cb61353ac0e0d7546e107988409174f4fad3563684715349e
Opcode Fuzzy Hash: 88014C110E8D5483B57334902893FAB110AFB8B789C4CF7F65ED25314A4B45612FA657
Instruction Fuzzy Hash: b10abcdf8b99517cb61353ac0e0d7546e107988409174f4fad3563684715349e

APIs

Part of subcall function 00447BE4: GetActiveWindow.USER32 ref: 00447C0B
Part of subcall function 00447BE4: GetLastActivePopup.USER32(?), ref: 00447C1D

GetWindowRect.USER32(?,?), ref: 004468B6
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 004468EE

Part of subcall function 0043B920: GetCurrentThreadId.KERNEL32(0043B8D0,00000000,00000000,0043B993,?,00000000,0043B9D1), ref: 0043B976
Part of subcall function 0043B920: EnumThreadWindows.USER32(00000000,0043B8D0,00000000), ref: 0043B97C

MessageBoxA.USER32(00000000,?,?,?), ref: 0044692D
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0044697D

Part of subcall function 0043B9E4: IsWindow.USER32(?), ref: 0043B9F2
Part of subcall function 0043B9E4: EnableWindow.USER32(?,000000FF), ref: 0043BA01

SetActiveWindow.USER32(00000000), ref: 0044698E

Strings

(, xrefs: 00446893

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446524, Relevance: 10.6, APIs: 7, Instructions: 105 Total matches: 329window

Similarity

Total matches: 329
API ID: PeekMessage$DispatchMessage$IsWindowUnicodeTranslateMessage
String ID:
API String ID: 94033680-0
Opcode ID: 72d0e2097018c2d171db36cd9dd5c7d628984fd68ad100676ade8b40d7967d7f
Instruction ID: b3581f7210794b57d406096c46509e1a6dcc6e0b3c60c7d01b5c3c410123a072
Opcode Fuzzy Hash: A2F0F642161A8221F90E364651E2FC06559E31F39CCD1D3871165A4192DF8573D6F95C
Instruction Fuzzy Hash: b3581f7210794b57d406096c46509e1a6dcc6e0b3c60c7d01b5c3c410123a072

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00446538
IsWindowUnicode.USER32 ref: 0044654C
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0044656D
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00446583

Part of subcall function 00447DD0: GetCapture.USER32 ref: 00447DDA
Part of subcall function 00447DD0: GetParent.USER32(00000000), ref: 00447E08

Part of subcall function 004462A4: TranslateMDISysAccel.USER32(?), ref: 004462E3

Part of subcall function 004462F4: GetCapture.USER32 ref: 0044631A
Part of subcall function 004462F4: GetParent.USER32(00000000), ref: 00446340
Part of subcall function 004462F4: IsWindowUnicode.USER32(00000000), ref: 0044635D
Part of subcall function 004462F4: SendMessageW.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446378
Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446397
Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(00000000), ref: 004463A6
Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(?,?), ref: 004463B4
Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 004463D4

Part of subcall function 0044625C: IsWindowUnicode.USER32(00000000), ref: 00446270
Part of subcall function 0044625C: IsDialogMessageW.USER32(?), ref: 00446281
Part of subcall function 0044625C: IsDialogMessageA.USER32(?,?,00000000,015B8130,00000001,00446607,?,00000000,00000000,00000000,00000001,?,00000000,00000000,00000000,00000000), ref: 00446296

TranslateMessage.USER32 ref: 0044660C
DispatchMessageW.USER32 ref: 00446618
DispatchMessageA.USER32 ref: 00446620

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004282D0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99 Total matches: 1938

Similarity

Total matches: 1938
API ID: GetWinMetaFileBitsMulDiv$GetDC
String ID: `
API String ID: 1171737091-2679148245
Opcode ID: 97e0afb71fd3017264d25721d611b96d1ac3823582e31f119ebb41a52f378edb
Instruction ID: fd1c75cb27f8ccc4a85bc281ca680933f7ff10ae91a160973978cac80d6b42b6
Opcode Fuzzy Hash: B6F0ACC4008CD2A7D87675DC1043F6311C897CA286E89BB739226A7307CB0AA019EC47
Instruction Fuzzy Hash: fd1c75cb27f8ccc4a85bc281ca680933f7ff10ae91a160973978cac80d6b42b6

APIs

MulDiv.KERNEL32(?,?,000009EC), ref: 00428322
MulDiv.KERNEL32(?,?,000009EC), ref: 00428339
GetDC.USER32(00000000), ref: 00428350
GetWinMetaFileBits.GDI32(?,00000000,00000000,00000008,?), ref: 00428374
GetWinMetaFileBits.GDI32(?,?,?,00000008,?), ref: 004283A7

Part of subcall function 00425A70: GetLastError.KERNEL32(00000000,00425B0C), ref: 00425A90
Part of subcall function 00425A70: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00425B0C), ref: 00425AB6

Strings

`, xrefs: 00428308

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444344, Relevance: 10.6, APIs: 7, Instructions: 89 Total matches: 2886

Similarity

Total matches: 2886
API ID: CreateFontIndirect$GetStockObjectSystemParametersInfo
String ID:
API String ID: 1286667049-0
Opcode ID: beeb678630a8d2ca0f721ed15124802961745e4c56d7c704ecddf8ebfa723626
Instruction ID: b9276e4cea0afd1028da4d528d34847b13dbaab52dc8e94e54053a20ac38a9fc
Opcode Fuzzy Hash: 00F0A4C36341F6F2D8993208742172161E6A74AE78C7CFF62422930ED2661A052EEB4F
Instruction Fuzzy Hash: b9276e4cea0afd1028da4d528d34847b13dbaab52dc8e94e54053a20ac38a9fc

APIs

SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 00444399
CreateFontIndirectA.GDI32(?), ref: 004443A6
GetStockObject.GDI32(0000000D), ref: 004443BC
SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 004443E5
CreateFontIndirectA.GDI32(?), ref: 004443F5
CreateFontIndirectA.GDI32(?), ref: 0044440E

Part of subcall function 00424A5C: MulDiv.KERNEL32(00000000,?,00000048), ref: 00424A69

GetStockObject.GDI32(0000000D), ref: 00444434

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482B34, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 84 Total matches: 10threadsleepmemory

Similarity

Total matches: 10
API ID: ExitThread$CreateThreadLocalAllocSleep
String ID: p)H
API String ID: 1498127831-2549212939
Opcode ID: 5fd7b773879454cb2e984670c3aa9a0c1db83b86d5d790d4145ccd7f391bc9b7
Instruction ID: 053b5e183048797674ca9cdb15cf17692ed61b26d4291f167cbfa930052dd689
Opcode Fuzzy Hash: 65F02E8147579427749271893D807631168A88B349DC47B618A393E5C35D0EB119F7C6
Instruction Fuzzy Hash: 053b5e183048797674ca9cdb15cf17692ed61b26d4291f167cbfa930052dd689

APIs

ExitThread.KERNEL32(00000000,00000000,00482BF9,?,00000000,00482C2E), ref: 00482BA4
LocalAlloc.KERNEL32(00000040,00000008,00000000,00482BF9,?,00000000,00482C2E), ref: 00482BAD
CreateThread.KERNEL32(00000000,00000000,Function_0008298C,00000000,00000000,?), ref: 00482BD6
Sleep.KERNEL32(00000064,00000000,00000000,Function_0008298C,00000000,00000000,?,00000040,00000008,00000000,00482BF9,?,00000000,00482C2E), ref: 00482BDD
ExitThread.KERNEL32(00000000,00000000,00482BF9,?,00000000,00482C2E), ref: 00482BEA

Strings

p)H, xrefs: 00482B48, 00482C1A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428A00, Relevance: 10.6, APIs: 7, Instructions: 66 Total matches: 3056

Similarity

Total matches: 3056
API ID: SelectObject$CreateCompatibleDCDeleteDCGetDCReleaseDCSetDIBColorTable
String ID:
API String ID: 2399757882-0
Opcode ID: e05996493a4a7703f1d90fd319a439bf5e8e75d5a5d7afaf7582bfea387cb30d
Instruction ID: 90c847b5b2251fbb5b2f14fd0b24f537c214c92e226752d9278a3821f2f40b8f
Opcode Fuzzy Hash: 73E0DF8626D8F38BE435399C15C2BB202EAD763D20D1ABBA1CD712B5DB6B09701CE107
Instruction Fuzzy Hash: 90c847b5b2251fbb5b2f14fd0b24f537c214c92e226752d9278a3821f2f40b8f

APIs

Part of subcall function 004262B4: GetObjectA.GDI32(?,00000004), ref: 004262CB
Part of subcall function 004262B4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 004262EE

GetDC.USER32(00000000), ref: 00428A3E
CreateCompatibleDC.GDI32(?), ref: 00428A4A
SelectObject.GDI32(?), ref: 00428A57
SetDIBColorTable.GDI32(?,00000000,00000000,?), ref: 00428A7B
SelectObject.GDI32(?,?), ref: 00428A95
DeleteDC.GDI32(?), ref: 00428A9E
ReleaseDC.USER32(00000000,?), ref: 00428AA9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004442A8, Relevance: 10.6, APIs: 7, Instructions: 57 Total matches: 3149threadwindow

Similarity

Total matches: 3149
API ID: SendMessage$GetCurrentThreadIdGetCursorPosGetWindowThreadProcessIdSetCursorWindowFromPoint
String ID:
API String ID: 3843227220-0
Opcode ID: 636f8612f18a75fc2fe2d79306f1978e6c2d0ee500cce15a656835efa53532b4
Instruction ID: 91a0691e93be75cbd792bc1c5d11451005bcc187603754b99125f381020161aa
Opcode Fuzzy Hash: 6FE07D44093723D5C0644A295640705A6C6CB96630DC0DB86C339580FBAD0214F0BC92
Instruction Fuzzy Hash: 91a0691e93be75cbd792bc1c5d11451005bcc187603754b99125f381020161aa

APIs

GetCursorPos.USER32 ref: 004442C3
WindowFromPoint.USER32(?,?), ref: 004442D0
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004442DE
GetCurrentThreadId.KERNEL32(00000000,00000000,?,?), ref: 004442E5
SendMessageA.USER32(00000000,00000084,00000000,?), ref: 0044430E
SendMessageA.USER32(00000000,00000020,00000000,?), ref: 00444320
SetCursor.USER32(00000000), ref: 00444332

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00404448, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 49 Total matches: 63registry

Similarity

Total matches: 63
API ID: RegCloseKeyRegOpenKeyExRegQueryValueEx
String ID: &$FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 2249749755-409351
Opcode ID: ab90adbf7b939076b4d26ef1005f34fa32d43ca05e29cbeea890055cc8b783db
Instruction ID: ce62e3bb234767a160e82b0d7d36def6f0e4d1aa0fd43ed305e6d49589b0b3e0
Opcode Fuzzy Hash: 58D02BE10C9A675FB6B071543292B6310A3F72AA8CC0077326DD03A0D64FD26178CF03
Instruction Fuzzy Hash: ce62e3bb234767a160e82b0d7d36def6f0e4d1aa0fd43ed305e6d49589b0b3e0

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040446A
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,&,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040449D
RegCloseKey.ADVAPI32(?,004044C0,00000000,?,00000004,00000000,&,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004044B3

Strings

&, xrefs: 00404476
FPUMaskValue, xrefs: 00404494
SOFTWARE\Borland\Delphi\RTL, xrefs: 00404460

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00488B18, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 49 Total matches: 15

Similarity

Total matches: 15
API ID: GetDeviceCaps$CreateDCEnumDisplayMonitors
String ID: DISPLAY$MONSIZE0x0x0x0
API String ID: 764351534-707749442
Opcode ID: 4ad1b1e031ca4c6641bd4b991acf5b812f9c7536f9f0cc4eb1e7d2354d8ae31a
Instruction ID: 74f5256f7b05cb3d54b39a8883d8df7c51a1bc5999892e39300c9a7f2f74089f
Opcode Fuzzy Hash: 94E0C24F6B8BE4A7600672443C237C2878AA6536918523721CB3E36A93DD472205BA15
Instruction Fuzzy Hash: 74f5256f7b05cb3d54b39a8883d8df7c51a1bc5999892e39300c9a7f2f74089f

APIs

CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 00488B3D
GetDeviceCaps.GDI32(00000000,00000008), ref: 00488B47
GetDeviceCaps.GDI32(00000000,0000000A), ref: 00488B54
EnumDisplayMonitors.USER32(00000000,00000000,004889F0,00000000), ref: 00488B85

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

DISPLAY, xrefs: 00488B6E
MONSIZE0x0x0x0, xrefs: 00488B8C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040F3A4, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 46 Total matches: 17

Similarity

Total matches: 17
API ID: FindResourceLoadResource
String ID: 0PI$DVCLAL
API String ID: 2359726220-2981686760
Opcode ID: 800224e7684f9999f87d4ef9ea60951ae4fbd73f3e4075522447f15a278b71b4
Instruction ID: dff53e867301dc3e22b70d9e69622cb382f13005f1a49077cfe6c5f33cacb54d
Opcode Fuzzy Hash: 8FD0C9D501084285852017F8B253FC7A2AB69DEB19D544BB05EB12D2076F5A613B6A46
Instruction Fuzzy Hash: dff53e867301dc3e22b70d9e69622cb382f13005f1a49077cfe6c5f33cacb54d

APIs

FindResourceA.KERNEL32(00400000,DVCLAL,0000000A), ref: 0040F3C1
LoadResource.KERNEL32(00400000,00000000,00400000,DVCLAL,0000000A), ref: 0040F3CF
FindResourceA.KERNEL32(00400000,DVCLAL,0000000A), ref: 0040F3F3
LoadResource.KERNEL32(00400000,00000000,00400000,DVCLAL,0000000A), ref: 0040F3FA

Strings

0PI, xrefs: 0040F3A8, 0040F3B9, 0040F3C7
DVCLAL, xrefs: 0040F3B4, 0040F3EA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00484B30, Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 176 Total matches: 11sleep

Similarity

Total matches: 11
API ID: Sleep
String ID: BTERRORDownload File| Error on downloading file check if you type the correct url...|$BTRESULTDownload File|Mass Download : File Downloaded , Executing new one in temp dir...|$BTRESULTMass Download|Downloading File...|$DownloadFail$DownloadSuccess
API String ID: 3472027048-992323826
Opcode ID: b42a1814c42657d3903e752c8e34c8bac9066515283203de396ee156d6a45bcc
Instruction ID: deaf5eb2465c82228c6b2b1c1dca6568de82910c53d4747ae395a037cbca2448
Opcode Fuzzy Hash: EA2181291B8DE4A7F43B295C2447B5B11119FC2A9AE8D6BB1377A3F0161A42D019723A
Instruction Fuzzy Hash: deaf5eb2465c82228c6b2b1c1dca6568de82910c53d4747ae395a037cbca2448

APIs

Part of subcall function 0048485C: InternetOpenA.WININET(Mozilla,00000001,00000000,00000000,00000000), ref: 0048490C
Part of subcall function 0048485C: InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,04000000,00000000), ref: 00484944
Part of subcall function 0048485C: HttpQueryInfoA.WININET(00000000,00000013,?,00000200,?), ref: 0048497D
Part of subcall function 0048485C: InternetReadFile.WININET(00000000,?,00000400,?), ref: 00484A04
Part of subcall function 0048485C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 00484A75
Part of subcall function 0048485C: InternetCloseHandle.WININET(00000000), ref: 00484A95

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Sleep.KERNEL32(000007D0,?,?,?,?,?,?,?,00000000,00484D9A,?,?,?,?,00000006,00000000), ref: 00484D38

Part of subcall function 00475BD8: closesocket.WSOCK32(00000248,00000000,00475D47,?,00000000,00475D76,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00475D2E
Part of subcall function 00475BD8: GetCurrentProcessId.KERNEL32(00000248,00000000,00475D47,?,00000000,00475D76,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00475D33

Strings

DownloadFail, xrefs: 00484CBC
BTRESULTMass Download|Downloading File...|, xrefs: 00484C52
BTERRORDownload File| Error on downloading file check if you type the correct url...|, xrefs: 00484D0C
BTRESULTDownload File|Mass Download : File Downloaded , Executing new one in temp dir...|, xrefs: 00484CEA
DownloadSuccess, xrefs: 00484CA2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043EC18, Relevance: 9.2, APIs: 6, Instructions: 150 Total matches: 2896

Similarity

Total matches: 2896
API ID: FillRect$BeginPaintEndPaintGetClientRectGetWindowRect
String ID:
API String ID: 2931688664-0
Opcode ID: 677a90f33c4a0bae1c1c90245e54b31fe376033ebf9183cf3cf5f44c7b342276
Instruction ID: 65c0a0a89661e183b73f48e61e48bee5eb6d6399339ac08e0e21072a38132552
Opcode Fuzzy Hash: 9711994A819E5007F47B49C40887BEA1092FBC1FDBCC8FF7025A426BCB0B60564F860B
Instruction Fuzzy Hash: 65c0a0a89661e183b73f48e61e48bee5eb6d6399339ac08e0e21072a38132552

APIs

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?), ref: 0043EC91
GetClientRect.USER32(00000000,?), ref: 0043ECBC
FillRect.USER32(?,?,00000000), ref: 0043ECDB

Part of subcall function 0043EB8C: CallWindowProcA.USER32(?,?,?,?,?), ref: 0043EBC6

Part of subcall function 0043B78C: GetWindowLongA.USER32(?,000000EC), ref: 0043B799
Part of subcall function 0043B78C: SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B7BC
Part of subcall function 0043B78C: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043B7CE

BeginPaint.USER32(?,?), ref: 0043ED53
GetWindowRect.USER32(?,?), ref: 0043ED80

Part of subcall function 0044EEA0: GetWindowOrgEx.GDI32(?), ref: 0044EEAE
Part of subcall function 0044EEA0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044EEC4

Part of subcall function 00455D50: BeginPaint.USER32(00000000,?), ref: 00455D7B
Part of subcall function 00455D50: SaveDC.GDI32(00000000), ref: 00455DB4
Part of subcall function 00455D50: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 00455E36
Part of subcall function 00455D50: RestoreDC.GDI32(00000000,00000000), ref: 00455E6C
Part of subcall function 00455D50: EndPaint.USER32(00000000,?), ref: 00455EA9

EndPaint.USER32(?,?), ref: 0043EDE0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00441160, Relevance: 9.1, APIs: 6, Instructions: 125 Total matches: 196

Similarity

Total matches: 196
API ID: ExcludeClipRectFillRectGetStockObjectRestoreDCSaveDCSetBkColor
String ID:
API String ID: 3049133588-0
Opcode ID: d6019f6cee828ac7391376ab126a0af33bb7a71103bbd3b8d69450c96d22d854
Instruction ID: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c
Opcode Fuzzy Hash: 54012444004F6253F4AB098428E7FA56083F721791CE4FF310786616C34A74615BAA07
Instruction Fuzzy Hash: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c

APIs

Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE

SaveDC.GDI32(?), ref: 004411AD
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00441234
GetStockObject.GDI32(00000004), ref: 00441256
FillRect.USER32(00000000,?,00000000), ref: 0044126F

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(00000000,00000000), ref: 004412BA

Part of subcall function 0042535C: FillRect.USER32(?,00000000,00000000), ref: 00425385

RestoreDC.GDI32(00000000,?), ref: 004412E5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004556F4, Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 353 Total matches: 9

Similarity

Total matches: 9
API ID: DefWindowProcGetCaptureSetWindowPos_TrackMouseEvent
String ID: zC
API String ID: 1140357208-2078053289
Opcode ID: 4b88ffa7e8dc9e0fc55dcf7c85635e39fbe2c17a2618d5290024c367d42a558d
Instruction ID: b57778f77ef7841f174bad60fd8f5a19220f360e114fd8f1822aba38cb5d359d
Opcode Fuzzy Hash: B2513154458FA692E4B3E0417AA3BD27026F7D178AC84EF3027D9224DB7F15B217AB07
Instruction Fuzzy Hash: b57778f77ef7841f174bad60fd8f5a19220f360e114fd8f1822aba38cb5d359d

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000077), ref: 004557E5
DefWindowProcA.USER32(00000000,?,?,?), ref: 00455AEF

Part of subcall function 0044D640: GetCapture.USER32 ref: 0044D640

_TrackMouseEvent.COMCTL32(00000010), ref: 00455A9D

Part of subcall function 00455640: GetCapture.USER32 ref: 00455653

Part of subcall function 004554F4: GetMessagePos.USER32 ref: 00455503
Part of subcall function 004554F4: GetKeyboardState.USER32(?), ref: 00455600

GetCapture.USER32 ref: 00455B5A

Part of subcall function 00451C28: GetKeyboardState.USER32(?), ref: 00451E90

Strings

zC, xrefs: 0045594E, 0045596C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446070, Relevance: 9.1, APIs: 6, Instructions: 99 Total matches: 165window

Similarity

Total matches: 165
API ID: DefWindowProcIsWindowEnabledSetActiveWindowSetFocusSetWindowPosShowWindow
String ID:
API String ID: 81093956-0
Opcode ID: 91e5e05e051b3e2f023c100c42454c78ad979d8871dc5c9cc7008693af0beda7
Instruction ID: aa6e88dcafe1d9e979c662542ea857fd259aca5c8034ba7b6c524572af4b0f27
Opcode Fuzzy Hash: C2F0DD0025452320F892A8044167FBA60622B5F75ACDCD3282197002AEEFE7507ABF14
Instruction Fuzzy Hash: aa6e88dcafe1d9e979c662542ea857fd259aca5c8034ba7b6c524572af4b0f27

APIs

Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773

SetActiveWindow.USER32(?), ref: 0044608F
ShowWindow.USER32(00000000,00000009), ref: 004460B4
IsWindowEnabled.USER32(00000000), ref: 004460D3
DefWindowProcA.USER32(?,00000112,0000F120,00000000), ref: 004460EC

Part of subcall function 00444C44: ShowWindow.USER32(?,00000006), ref: 00444C5F

SetWindowPos.USER32(?,00000000,00000000,?,?,00445ABE,00000000), ref: 00446132
SetFocus.USER32(00000000), ref: 00446180

Part of subcall function 0043FDB4: ShowWindow.USER32(00000000,?), ref: 0043FDEA

Part of subcall function 00445490: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000213), ref: 004454DE

Part of subcall function 004455EC: EnumWindows.USER32(00445518,00000000), ref: 00445620
Part of subcall function 004455EC: ShowWindow.USER32(?,00000000), ref: 00445655
Part of subcall function 004455EC: ShowOwnedPopups.USER32(00000000,?), ref: 00445684
Part of subcall function 004455EC: ShowWindow.USER32(?,00000005), ref: 004456EA
Part of subcall function 004455EC: ShowOwnedPopups.USER32(00000000,?), ref: 00445719

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426564, Relevance: 9.1, APIs: 6, Instructions: 84 Total matches: 3298

Similarity

Total matches: 3298
API ID: GetDeviceCapsGetSystemMetrics$GetDCReleaseDC
String ID:
API String ID: 3173458388-0
Opcode ID: fd9f4716da230ae71bf1f4ec74ceb596be8590d72bfe1d7677825fa15454f496
Instruction ID: 76208f8db54bfa31a4e946745ab37a866a8afca9cd7e1400b1f436bf5add317d
Opcode Fuzzy Hash: 0CF09E4906CDE0A230E245C41213F6290C28E85DA1CCD2F728175646EB900A900BB68A
Instruction Fuzzy Hash: 76208f8db54bfa31a4e946745ab37a866a8afca9cd7e1400b1f436bf5add317d

APIs

GetSystemMetrics.USER32(0000000B), ref: 004265B2
GetSystemMetrics.USER32(0000000C), ref: 004265BE
GetDC.USER32(00000000), ref: 004265DA
GetDeviceCaps.GDI32(00000000,0000000E), ref: 00426601
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042660E
ReleaseDC.USER32(00000000,00000000), ref: 00426647

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004269DC, Relevance: 9.1, APIs: 6, Instructions: 65 Total matches: 3081window

Similarity

Total matches: 3081
API ID: SelectPalette$CreateCompatibleDCDeleteDCGetDIBitsRealizePalette
String ID:
API String ID: 940258532-0
Opcode ID: c5678bed85b02f593c88b8d4df2de58c18800a354d7fb4845608846d7bc0f30b
Instruction ID: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194
Opcode Fuzzy Hash: BCE0864D058EF36F1875B08C25D267100C0C9A25D0917BB6151282339B8F09B42FE553
Instruction Fuzzy Hash: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194

APIs

Part of subcall function 00426888: GetObjectA.GDI32(?,00000054), ref: 0042689C

CreateCompatibleDC.GDI32(00000000), ref: 004269FE
SelectPalette.GDI32(?,?,00000000), ref: 00426A1F
RealizePalette.GDI32(?), ref: 00426A2B
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 00426A42
SelectPalette.GDI32(?,00000000,00000000), ref: 00426A6A
DeleteDC.GDI32(?), ref: 00426A73

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426210, Relevance: 9.1, APIs: 6, Instructions: 56 Total matches: 3064window

Similarity

Total matches: 3064
API ID: SelectObject$CreateCompatibleDCCreatePaletteDeleteDCGetDIBColorTable
String ID:
API String ID: 2522673167-0
Opcode ID: 8f0861977a40d6dd0df59c1c8ae10ba78c97ad85d117a83679491ebdeecf1838
Instruction ID: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265
Opcode Fuzzy Hash: 23E0CD8BABB4E08A797B9EA40440641D28F874312DF4347525731780E7DE0972EBFD9D
Instruction Fuzzy Hash: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265

APIs

CreateCompatibleDC.GDI32(00000000), ref: 00426229
SelectObject.GDI32(00000000,00000000), ref: 00426232
GetDIBColorTable.GDI32(00000000,00000000,00000100,?), ref: 00426246
SelectObject.GDI32(00000000,00000000), ref: 00426252
DeleteDC.GDI32(00000000), ref: 00426258
CreatePalette.GDI32 ref: 0042629F

Part of subcall function 00426178: GetDC.USER32(00000000), ref: 00426190
Part of subcall function 00426178: GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
Part of subcall function 00426178: ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004258EC, Relevance: 9.0, APIs: 6, Instructions: 43 Total matches: 3205

Similarity

Total matches: 3205
API ID: SetBkColorSetBkMode$SelectObjectUnrealizeObject
String ID:
API String ID: 865388446-0
Opcode ID: ffaa839b37925f52af571f244b4bcc9ec6d09047a190f4aa6a6dd435522a71e3
Instruction ID: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d
Opcode Fuzzy Hash: 04D09E594221F71A98E8058442D7D520586497D532DAF3B51063B173F7F8089A05D9FC
Instruction Fuzzy Hash: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d

APIs

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

UnrealizeObject.GDI32(00000000), ref: 004258F8
SelectObject.GDI32(?,00000000), ref: 0042590A
SetBkColor.GDI32(?,00000000), ref: 0042592D
SetBkMode.GDI32(?,00000002), ref: 00425938

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(?,00000000), ref: 00425953
SetBkMode.GDI32(?,00000001), ref: 0042595E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042A930, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 112 Total matches: 272window

Similarity

Total matches: 272
API ID: CreateHalftonePaletteDeleteObjectGetDCReleaseDC
String ID: (
API String ID: 5888407-3887548279
Opcode ID: 4e22601666aff46a46581565b5bf303763a07c2fd17868808ec6dd327d665c82
Instruction ID: f57f3c124764741b0e8e00b5455ad9be4a6e3969f543885727e4b1f2e22c0620
Opcode Fuzzy Hash: 79019E5241CC6117F8D7A6547852F732644AB806A5C80FB707B69BA8CFAB85610EB90B
Instruction Fuzzy Hash: f57f3c124764741b0e8e00b5455ad9be4a6e3969f543885727e4b1f2e22c0620

APIs

GetDC.USER32(00000000), ref: 0042A9EC
CreateHalftonePalette.GDI32(00000000), ref: 0042A9F9
ReleaseDC.USER32(00000000,00000000), ref: 0042AA08
DeleteObject.GDI32(00000000), ref: 0042AA76

Strings

(, xrefs: 0042A9A3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DA48, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 102 Total matches: 32

Similarity

Total matches: 32
API ID: Netbios
String ID: %.2x-%.2x-%.2x-%.2x-%.2x-%.2x$3$memory allocation failed!
API String ID: 544444789-2654533857
Opcode ID: 22deb5ba4c8dd5858e69645675ac88c4b744798eed5cc2a6ae80ae5365d1f156
Instruction ID: 205d53b38d78d2d0723284a20418f6a6cc2e9f6e34ee92e133a3f4b1a01c78c5
Opcode Fuzzy Hash: FC0145449793E233D2635E086C60F6823228F41731FC96B56863A557DC1F09420EF26F
Instruction Fuzzy Hash: 205d53b38d78d2d0723284a20418f6a6cc2e9f6e34ee92e133a3f4b1a01c78c5

APIs

Netbios.NETAPI32(00000032), ref: 0048DA8A
Netbios.NETAPI32(00000033), ref: 0048DB01

Strings

3, xrefs: 0048DACB
memory allocation failed!, xrefs: 0048DAEB
%.2x-%.2x-%.2x-%.2x-%.2x-%.2x, xrefs: 0048DBA0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446EDC, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 98 Total matches: 12timethreadwindow

Similarity

Total matches: 12
API ID: GetCurrentThreadIdSetTimerWaitMessage
String ID: 4PI$TfD
API String ID: 3709936073-2665388893
Opcode ID: a96b87b76615ec2f6bd9a49929a256f28b564bdc467e68e118c3deca706b2d51
Instruction ID: b92290f9b4a80c848b093905c5717a31533565e16cff7f57329368dd8290fbf7
Opcode Fuzzy Hash: E2F0A28141CDF053D573A6183401FD120A6F3465D5CD097723768360EE1ADF603DE14B
Instruction Fuzzy Hash: b92290f9b4a80c848b093905c5717a31533565e16cff7f57329368dd8290fbf7

APIs

Part of subcall function 00446E50: GetCursorPos.USER32 ref: 00446E57

SetTimer.USER32(00000000,00000000,?,00446E74), ref: 00446FAB

Part of subcall function 00446DEC: IsWindowVisible.USER32(00000000), ref: 00446E24
Part of subcall function 00446DEC: IsWindowEnabled.USER32(00000000), ref: 00446E35

GetCurrentThreadId.KERNEL32(00000000,00447029,?,?,?,015B8130), ref: 00446FE5
WaitMessage.USER32 ref: 00447009

Part of subcall function 0041F7B4: GetCurrentThreadId.KERNEL32 ref: 0041F7BF
Part of subcall function 0041F7B4: GetCurrentThreadId.KERNEL32 ref: 0041F7CE
Part of subcall function 0041F7B4: EnterCriticalSection.KERNEL32(004999D0), ref: 0041F813
Part of subcall function 0041F7B4: InterlockedExchange.KERNEL32(00491B2C,?), ref: 0041F82F
Part of subcall function 0041F7B4: LeaveCriticalSection.KERNEL32(004999D0,00000000,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F888
Part of subcall function 0041F7B4: EnterCriticalSection.KERNEL32(004999D0,0041F904,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F8F7

Strings

TfD, xrefs: 00446EFE, 00446F08, 00446F59, 00446F81, 00446FBE, 00446F8E, 00446F69, 00446F6C, 00446F14, 00446F1D
4PI, xrefs: 00446FEA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482320, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85 Total matches: 19threadsleep

Similarity

Total matches: 19
API ID: CreateThreadExitThreadSleep
String ID: @$BTRESULTUDP Flood|UDP Flood task finished!|
API String ID: 2170526433-696998096
Opcode ID: 89b2bcb3a41e7f4c01433908cc75e320bbcd6b665df0f15f136d145bd92b223a
Instruction ID: ba785c08286949be7b8d16e5cc6bc2a647116c61844ba5f345475ef84eb05628
Opcode Fuzzy Hash: F0F02B696BCAA1DFE8075C446C42B9B2054DBC740EDCBA7B2261B235819A4A34073F13
Instruction Fuzzy Hash: ba785c08286949be7b8d16e5cc6bc2a647116c61844ba5f345475ef84eb05628

APIs

Sleep.KERNEL32(00000064,?,00000000,00482455), ref: 004823D3
CreateThread.KERNEL32(00000000,00000000,Function_000821A0,00000000,00000000,?), ref: 004823E8

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000,00000000,00000000,Function_000821A0,00000000,00000000,?,00000064,?,00000000,00482455), ref: 0048242B

Strings

@, xrefs: 004823BE
BTRESULTUDP Flood|UDP Flood task finished!|, xrefs: 00482417

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004827C4, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85 Total matches: 19threadsleep

Similarity

Total matches: 19
API ID: CreateThreadExitThreadSleep
String ID: @$BTRESULTSyn Flood|Syn task finished!|
API String ID: 2170526433-491318438
Opcode ID: 44470ceb4039b0deeebf49dfd608d8deeadfb9ebb9d7d747ae665e3d160d324e
Instruction ID: 0c48cfc9b202c7a9406c9b87cea66b669ffe7f04b2bdabee49179f6eebcccd33
Opcode Fuzzy Hash: 17F02B24A7D9B5DFEC075D402D42BDB6254EBC784EDCAA7B29257234819E1A30037713
Instruction Fuzzy Hash: 0c48cfc9b202c7a9406c9b87cea66b669ffe7f04b2bdabee49179f6eebcccd33

APIs

Sleep.KERNEL32(00000064,?,00000000,004828F9), ref: 00482877
CreateThread.KERNEL32(00000000,00000000,Function_00082630,00000000,00000000,?), ref: 0048288C

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000,00000000,00000000,Function_00082630,00000000,00000000,?,00000064,?,00000000,004828F9), ref: 004828CF

Strings

BTRESULTSyn Flood|Syn task finished!|, xrefs: 004828BB
@, xrefs: 00482862

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00483858, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85 Total matches: 19threadsleep

Similarity

Total matches: 19
API ID: CreateThreadExitThreadSleep
String ID: @$BTRESULTHTTP Flood|Http Flood task finished!|
API String ID: 2170526433-4253556105
Opcode ID: ce1973b24f73c03e98cc87b7d8b3c5c1d23a0e8b985775cb0889d2fdef58f970
Instruction ID: 21c0fad9eccbf28bfd57fbbbc49df069a42e3d2ebba60de991032031fecca495
Opcode Fuzzy Hash: 5DF0F61467DBA0AFEC476D403852FDB6254DBC344EDCAA7B2961B234919A0B50072752
Instruction Fuzzy Hash: 21c0fad9eccbf28bfd57fbbbc49df069a42e3d2ebba60de991032031fecca495

APIs

Sleep.KERNEL32(00000064,?,00000000,0048398D), ref: 0048390B
CreateThread.KERNEL32(00000000,00000000,Function_000836D8,00000000,00000000,?), ref: 00483920

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000,00000000,00000000,Function_000836D8,00000000,00000000,?,00000064,?,00000000,0048398D), ref: 00483963

Strings

@, xrefs: 004838F6
BTRESULTHTTP Flood|Http Flood task finished!|, xrefs: 0048394F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00431630, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68 Total matches: 12clipboard

Similarity

Total matches: 12
API ID: EnumClipboardFormatsGetClipboardData
String ID: 84B
API String ID: 3474394156-4139892337
Opcode ID: cbdc4fb4fee60523561006c9190bf0aca0ea1a398c4033ec61a61d99ebad6b44
Instruction ID: f1c5519afed1b0c95f7f2342b940afc2bc63d918938f195d0c151ba0fb7a00cb
Opcode Fuzzy Hash: 42E0D8922359D127F8C2A2903882B52360966DA6488405B709B6D7D1575551512FF28B
Instruction Fuzzy Hash: f1c5519afed1b0c95f7f2342b940afc2bc63d918938f195d0c151ba0fb7a00cb

APIs

EnumClipboardFormats.USER32(00000000), ref: 00431657
GetClipboardData.USER32(00000000), ref: 00431677
GetClipboardData.USER32(00000009), ref: 00431680
EnumClipboardFormats.USER32(00000000), ref: 0043169F

Strings

84B, xrefs: 00431665

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EA7C, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50 Total matches: 198thread

Similarity

Total matches: 198
API ID: FindWindowExGetCurrentThreadIdGetWindowThreadProcessIdIsWindow
String ID: OleMainThreadWndClass
API String ID: 201132107-3883841218
Opcode ID: cdbacb71e4e8a6832b821703e69153792bbbb8731c9381be4d3b148a6057b293
Instruction ID: 62358f18f5a79d764869bf2b093b0b3ccaeb62bda00a46bd1094c38cdaeeb6b7
Opcode Fuzzy Hash: F8E08C9266CC1095C039EA1C7A2237A3548B7D24E9ED4DB747BEB2716CEF00022A7780
Instruction Fuzzy Hash: 62358f18f5a79d764869bf2b093b0b3ccaeb62bda00a46bd1094c38cdaeeb6b7

APIs

Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00000000,00403029), ref: 004076AD
Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00403029), ref: 004076BE

IsWindow.USER32(?), ref: 0042EA99
FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
GetCurrentThreadId.KERNEL32(?,00000000,00000000,00000000,OleMainThreadWndClass,00000000,?,?,00000000,0042EB52), ref: 0042EB0A

Strings

OleMainThreadWndClass, xrefs: 0042EAC3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043F914, Relevance: 7.7, APIs: 5, Instructions: 174 Total matches: 113window

Similarity

Total matches: 113
API ID: SetMenu$GetMenuSetWindowPos
String ID:
API String ID: 2285096500-0
Opcode ID: d0722823978f30f9d251a310f9061108e88e98677dd122370550f2cde24528f3
Instruction ID: e705ced47481df034b79e2c10a9e9c5239c9913cd23e0c77b7b1ec0a0db802ed
Opcode Fuzzy Hash: 5F118B40961E1266F846164C19EAF1171E6BB9D305CC4E72083E630396BE085027E773
Instruction Fuzzy Hash: e705ced47481df034b79e2c10a9e9c5239c9913cd23e0c77b7b1ec0a0db802ed

APIs

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetMenu.USER32(00000000), ref: 0043FA38
SetMenu.USER32(00000000,00000000), ref: 0043FA55
SetMenu.USER32(00000000,00000000), ref: 0043FA8A
SetMenu.USER32(00000000,00000000), ref: 0043FAA6

Part of subcall function 0043F84C: GetMenu.USER32(00000000), ref: 0043F892
Part of subcall function 0043F84C: SendMessageA.USER32(00000000,00000230,00000000,00000000), ref: 0043F8AA
Part of subcall function 0043F84C: DrawMenuBar.USER32(00000000), ref: 0043F8BB

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043FAED

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434AE4, Relevance: 7.7, APIs: 5, Instructions: 168 Total matches: 2874

Similarity

Total matches: 2874
API ID: DrawTextOffsetRect$DrawEdge
String ID:
API String ID: 1230182654-0
Opcode ID: 4033270dfa35f51a11e18255a4f5fd5a4a02456381e8fcea90fa62f052767fcc
Instruction ID: 6b9e5ef3b45a4a7d0cb501c9f56a29ead01efbe1e1581f942ef4c6a165ab8663
Opcode Fuzzy Hash: A511CB01114D5A93E431240815A7FEF1295FBC1A9BCD4BB71078636DBB2F481017EA7B
Instruction Fuzzy Hash: 6b9e5ef3b45a4a7d0cb501c9f56a29ead01efbe1e1581f942ef4c6a165ab8663

APIs

DrawEdge.USER32(00000000,?,00000006,00000002), ref: 00434BB3
OffsetRect.USER32(?,00000001,00000001), ref: 00434C04
DrawTextA.USER32(00000000,00000000,?,?,?), ref: 00434C3D
OffsetRect.USER32(?,000000FF,000000FF), ref: 00434C4A

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

DrawTextA.USER32(00000000,00000000,?,?,?), ref: 00434CB5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00473208, Relevance: 7.6, APIs: 5, Instructions: 114 Total matches: 15network

Similarity

Total matches: 15
API ID: inet_ntoa$WSAIoctlclosesocketsocket
String ID:
API String ID: 2271367613-0
Opcode ID: 03e2a706dc22aa37b7c7fcd13714bf4270951a4113eb29807a237e9173ed7bd6
Instruction ID: 676ba8df3318004e6f71ddf2b158507320f00f5068622334a9372202104f6e6f
Opcode Fuzzy Hash: A0F0AC403B69D14384153BC72A80F5971A2872F33ED4833999230986D7984CA018F529
Instruction Fuzzy Hash: 676ba8df3318004e6f71ddf2b158507320f00f5068622334a9372202104f6e6f

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00473339), ref: 0047323B
WSAIoctl.WS2_32(000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000), ref: 0047327C
inet_ntoa.WSOCK32(?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000), ref: 004732AC
inet_ntoa.WSOCK32(?,?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001), ref: 004732E8
closesocket.WSOCK32(000000FF,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000,00000000,00473339), ref: 00473319

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004455EC, Relevance: 7.6, APIs: 5, Instructions: 109 Total matches: 230

Similarity

Total matches: 230
API ID: ShowOwnedPopupsShowWindow$EnumWindows
String ID:
API String ID: 1268429734-0
Opcode ID: 27bb45b2951756069d4f131311b8216febb656800ffc3f7147a02f570a82fa35
Instruction ID: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc
Opcode Fuzzy Hash: 70012B5524E87325E2756D54B01C765A2239B0FF08CE6C6654AAE640F75E1E0132F78D
Instruction Fuzzy Hash: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc

APIs

EnumWindows.USER32(00445518,00000000), ref: 00445620
ShowWindow.USER32(?,00000000), ref: 00445655
ShowOwnedPopups.USER32(00000000,?), ref: 00445684
ShowWindow.USER32(?,00000005), ref: 004456EA
ShowOwnedPopups.USER32(00000000,?), ref: 00445719

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004878A4, Relevance: 7.6, APIs: 5, Instructions: 109 Total matches: 11memorythread

Similarity

Total matches: 11
API ID: CloseHandleCreateThreadEnterCriticalSectionLeaveCriticalSectionLocalAlloc
String ID:
API String ID: 3024079611-0
Opcode ID: 4dd964c7e1c4b679be799535e5517f4cba33e810e34606c0a9d5c033aa3fe8c9
Instruction ID: efb3d4a77ffd09126bc7d7eb87c1fe64908b5695ecb93dc64bf5137c0ac50147
Opcode Fuzzy Hash: 7E01288913DAD457BD6068883C86EE705A95BA2508E0C67B34F2E392834F1A5125F283
Instruction Fuzzy Hash: efb3d4a77ffd09126bc7d7eb87c1fe64908b5695ecb93dc64bf5137c0ac50147

APIs

EnterCriticalSection.KERNEL32(0049C3A8,00000000,00487A08), ref: 004878F3

Part of subcall function 00487318: EnterCriticalSection.KERNEL32(0049C3A8,00000000,00487468,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00487347
Part of subcall function 00487318: LeaveCriticalSection.KERNEL32(0049C3A8,0048744D,00487468,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00487440

LocalAlloc.KERNEL32(00000040,00000010,?,0049C3A8,00000000,00487A08), ref: 0048795A
CreateThread.KERNEL32(00000000,00000000,Function_00086E2C,00000000,00000000,?), ref: 004879AE
CloseHandle.KERNEL32(00000000), ref: 004879B4
LeaveCriticalSection.KERNEL32(0049C3A8,004879D8,Function_00086E2C,00000000,00000000,?,00000040,00000010,?,0049C3A8,00000000,00487A08), ref: 004879CB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EB3C, Relevance: 7.6, APIs: 5, Instructions: 86 Total matches: 211window

Similarity

Total matches: 211
API ID: DispatchMessageMsgWaitForMultipleObjectsExPeekMessageTranslateMessageWaitForMultipleObjectsEx
String ID:
API String ID: 1615661765-0
Opcode ID: ed928f70f25773e24e868fbc7ee7d77a1156b106903410d7e84db0537b49759f
Instruction ID: 55a40452e6c929106030349fb2bc1598364ce2fc4e781c2a916e8f687fa462b2
Opcode Fuzzy Hash: DDF05C09614F1D16D8BB88644562B1B2144AB42397C26BFA5529EE3B2D6B18B00AF640
Instruction Fuzzy Hash: 55a40452e6c929106030349fb2bc1598364ce2fc4e781c2a916e8f687fa462b2

APIs

Part of subcall function 0042EA7C: IsWindow.USER32(?), ref: 0042EA99
Part of subcall function 0042EA7C: FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
Part of subcall function 0042EA7C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
Part of subcall function 0042EA7C: GetCurrentThreadId.KERNEL32(?,00000000,00000000,00000000,OleMainThreadWndClass,00000000,?,?,00000000,0042EB52), ref: 0042EB0A

MsgWaitForMultipleObjectsEx.USER32(?,?,?,000000BF,?), ref: 0042EB6A
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 0042EB85
TranslateMessage.USER32(?), ref: 0042EB92
DispatchMessageA.USER32(?), ref: 0042EB9B
WaitForMultipleObjectsEx.KERNEL32(?,?,?,?,00000000), ref: 0042EBC7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434924, Relevance: 7.6, APIs: 5, Instructions: 77 Total matches: 2509window

Similarity

Total matches: 2509
API ID: GetMenuItemCount$DestroyMenuGetMenuStateRemoveMenu
String ID:
API String ID: 4240291783-0
Opcode ID: 32de4ad86fdb0cc9fc982d04928276717e3a5babd97d9cb0bc7430a9ae97d0ca
Instruction ID: cf6877f9ad33401498591f2bf6e6844a5ca439f59e89e6fdb213c81f0c010526
Opcode Fuzzy Hash: 6BE02BD3455E4703F425AB0454E3FA913C4AF51716DA0DB1017359D07B1F26501FE9F4
Instruction Fuzzy Hash: cf6877f9ad33401498591f2bf6e6844a5ca439f59e89e6fdb213c81f0c010526

APIs

Part of subcall function 00434A54: CreatePopupMenu.USER32 ref: 00434A6F
Part of subcall function 00434A54: CreateMenu.USER32 ref: 00434A79

GetMenuItemCount.USER32(00000000), ref: 0043495C
GetMenuState.USER32(00000000,-00000001,00000400), ref: 0043497D
RemoveMenu.USER32(00000000,-00000001,00000400), ref: 00434994
GetMenuItemCount.USER32(00000000), ref: 004349C4
DestroyMenu.USER32(00000000), ref: 004349D1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00443430, Relevance: 7.6, APIs: 5, Instructions: 61 Total matches: 3003

Similarity

Total matches: 3003
API ID: SetWindowLong$GetWindowLongRedrawWindowSetLayeredWindowAttributes
String ID:
API String ID: 3761630487-0
Opcode ID: 9c9d49d1ef37d7cb503f07450c0d4a327eb9b2b4778ec50dcfdba666c10abcb3
Instruction ID: c6d9d2cd31c241e86b7d90949bf59b5cad1e27a78e0073c3828bbb8e9ec94880
Opcode Fuzzy Hash: 6AE06550D41703A1D48114945B63FBBE8817F8911DDE5C71001BA29145BA88A192FF7B
Instruction Fuzzy Hash: c6d9d2cd31c241e86b7d90949bf59b5cad1e27a78e0073c3828bbb8e9ec94880

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 00443464
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 00443496
SetLayeredWindowAttributes.USER32(00000000,?,?,00000000), ref: 004434CF
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 004434E8
RedrawWindow.USER32(00000000,00000000,00000000,00000485), ref: 004434FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426178, Relevance: 7.6, APIs: 5, Instructions: 55 Total matches: 3070window

Similarity

Total matches: 3070
API ID: GetPaletteEntries$GetDCGetDeviceCapsReleaseDC
String ID:
API String ID: 1267235336-0
Opcode ID: 49f91625e0dd571c489fa6fdad89a91e8dd79834746e98589081ca7a3a4fea17
Instruction ID: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836
Opcode Fuzzy Hash: 7CD0C2AA1389DBD6BD6A17842352A4553478983B09D126B32EB0822872850C5039FD1F
Instruction Fuzzy Hash: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836

APIs

GetDC.USER32(00000000), ref: 00426190
GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444B90, Relevance: 7.5, APIs: 5, Instructions: 25 Total matches: 2957synchronizationthread

Similarity

Total matches: 2957
API ID: CloseHandleGetCurrentThreadIdSetEventUnhookWindowsHookExWaitForSingleObject
String ID:
API String ID: 3442057731-0
Opcode ID: bc40a7f740796d43594237fc13166084f8c3b10e9e48d5138e47e82ca7129165
Instruction ID: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1
Opcode Fuzzy Hash: E9C01296B2C9B0C1EC809712340202800B20F8FC590E3DE0509D7363005315D73CD92C
Instruction Fuzzy Hash: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1

APIs

UnhookWindowsHookEx.USER32(00000000), ref: 00444B9F
SetEvent.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBA
GetCurrentThreadId.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBF
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00444BD4
CloseHandle.KERNEL32(00000000), ref: 00444BDF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00487488, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 155 Total matches: 10

Similarity

Total matches: 10
API ID: EnterCriticalSectionLeaveCriticalSectionclosesocket
String ID: FpH
API String ID: 290008508-3698235444
Opcode ID: be6004bcf5111565a748ebf748fe8f94cb6dfae83d2399967abd75ac40b7e6c4
Instruction ID: 3d9c9e21102527a3ccf10666a7ac4716c4c3e43fa569496a7f805cea37bff582
Opcode Fuzzy Hash: 2C11B6219B4656ABDD15ED006C8F38532AE1BABCCAD9A83F2B27F3545E1A0331057292
Instruction Fuzzy Hash: 3d9c9e21102527a3ccf10666a7ac4716c4c3e43fa569496a7f805cea37bff582

APIs

EnterCriticalSection.KERNEL32(0049C3A8,00000000,00487671,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00487016), ref: 004874B5
closesocket.WSOCK32(00000000,FpH,?,?,?,?,0049C3A8,00000000,00487671,?,?,00000000,?,00000000,00000000,00000000), ref: 0048761C
LeaveCriticalSection.KERNEL32(0049C3A8,00487656,00487671,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00487016), ref: 00487649

Strings

FpH, xrefs: 004875BE, 004875C1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040D670, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148 Total matches: 3566thread

Similarity

Total matches: 3566
API ID: GetThreadLocale
String ID: eeee$ggg$yyyy
API String ID: 1366207816-1253427255
Opcode ID: 86fa1fb3c1f239f42422769255d2b4db7643f856ec586a18d45da068e260c20e
Instruction ID: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436
Opcode Fuzzy Hash: 3911BD8712648363D5722818A0D2BE3199C5703CA4EA89742DDB6356EA7F09440BEE6D
Instruction Fuzzy Hash: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436

APIs

GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Strings

eeee, xrefs: 0040D7AE
yyyy, xrefs: 0040D795
ggg, xrefs: 0040D785

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00448CDC, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 128 Total matches: 12

Similarity

Total matches: 12
API ID: ImageList_Draw$ImageList_GetImageCount
String ID: 6B
API String ID: 3589308897-1343726390
Opcode ID: 2690fd2ca55b1b65e67941613c6303a21faec12a0278fdf56c2d44981dc0a60c
Instruction ID: bb1a6af48a08526224ce615e4789a1aefef0bbae6c761038034d4d1812f59c35
Opcode Fuzzy Hash: D8017B814A5DA09FF93335842AE32BB204AE757E4ACCC3FF13684275C78420722BB613
Instruction Fuzzy Hash: bb1a6af48a08526224ce615e4789a1aefef0bbae6c761038034d4d1812f59c35

APIs

ImageList_GetImageCount.COMCTL32(?,?,?,00000000,00448E75), ref: 00448D9D

Part of subcall function 0042535C: FillRect.USER32(?,00000000,00000000), ref: 00425385

ImageList_Draw.COMCTL32(?,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000,00448E75), ref: 00448DDF
ImageList_Draw.COMCTL32(?,00000000,00000000,00000000,00000000,00000010,?,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 00448E0E

Part of subcall function 004488AC: ImageList_Add.COMCTL32(?,00000000,00000000,00000000,0044893E,?,00000000,0044895B), ref: 00448920

Strings

6B, xrefs: 00448D1F, 00448D58

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486094, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 112 Total matches: 15window

Similarity

Total matches: 15
API ID: DispatchMessagePeekMessageTranslateMessage
String ID: @^H
API String ID: 185851025-3554995626
Opcode ID: 2132e19746abd73b79cebe2d4e6b891fdd392e5cfbbdda1538f9754c05474f80
Instruction ID: eb76ea1802a2b415b8915c5eabc8b18207f4e99a378ecd2f436d0820f5175207
Opcode Fuzzy Hash: FF019C4102C7C1D9EE46E4FD3030BC3A454A74A7A6D89A7A03EFD1116A5F8A7116BF2B
Instruction Fuzzy Hash: eb76ea1802a2b415b8915c5eabc8b18207f4e99a378ecd2f436d0820f5175207

APIs

Part of subcall function 00485EAC: shutdown.WSOCK32(00000000,00000002), ref: 00485F0E
Part of subcall function 00485EAC: closesocket.WSOCK32(00000000,00000000,00000002), ref: 00485F19

Part of subcall function 00485F40: socket.WSOCK32(00000002,00000001,00000000,00000000,00486072), ref: 00485F69
Part of subcall function 00485F40: ntohs.WSOCK32(00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485F8F
Part of subcall function 00485F40: inet_addr.WSOCK32(015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FA0
Part of subcall function 00485F40: gethostbyname.WSOCK32(015EAA88,015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FB5
Part of subcall function 00485F40: connect.WSOCK32(00000000,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FD8
Part of subcall function 00485F40: recv.WSOCK32(00000000,0049A3A0,00001FFF,00000000,00000000,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FEF
Part of subcall function 00485F40: recv.WSOCK32(00000000,0049A3A0,00001FFF,00000000,00000000,0049A3A0,00001FFF,00000000,00000000,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000), ref: 0048603F

Part of subcall function 00466AFC: waveInOpen.WINMM(00000094,00000000,?,?,00000000,00010004), ref: 00466B36
Part of subcall function 00466AFC: waveInStart.WINMM(?), ref: 00466B5B

TranslateMessage.USER32(?), ref: 004861CA
DispatchMessageA.USER32(?), ref: 004861D0
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004861DE

Strings

@^H, xrefs: 004860BE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F5E4, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72 Total matches: 26window

Similarity

Total matches: 26
API ID: GetWindowPlacementGetWindowTextIsWindowVisible
String ID: ,
API String ID: 41250382-3772416878
Opcode ID: d98ece8bad481757d152ad7594c705093dec75069e9b5f9ec314c4d81001c558
Instruction ID: 1b57460ef1e40e225087e69e669dd845b9a56fe4f5442601256b4cdd4d0865f6
Opcode Fuzzy Hash: DBE0ABC68782816BD907FDCCB0207E6E1E4779394CC8CBB32C606396E44D92000DCE69
Instruction Fuzzy Hash: 1b57460ef1e40e225087e69e669dd845b9a56fe4f5442601256b4cdd4d0865f6

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F634
GetWindowPlacement.USER32(?,0000002C), ref: 0046F64F
IsWindowVisible.USER32(?), ref: 0046F655

Strings

,, xrefs: 0046F643

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00473448, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 68 Total matches: 15network

Similarity

Total matches: 15
API ID: InternetConnectInternetOpen
String ID: 84G$DCSC
API String ID: 2368555255-1372800958
Opcode ID: 53ce43b2210f5c6ad3b551091bc6b8bee07640da22ed1286f4ed4d69da6ab12a
Instruction ID: e0797c740093838c5f4dac2a7ddd4939bcbe40ebc838de26f806c335dc33f113
Opcode Fuzzy Hash: 1AF0558C09DC81CBED14B5C83C827C7281AB357949E003B91161A372C3DF0A6174FA4F
Instruction Fuzzy Hash: e0797c740093838c5f4dac2a7ddd4939bcbe40ebc838de26f806c335dc33f113

APIs

InternetOpenA.WININET(DCSC,00000000,00000000,00000000,00000000), ref: 00473493
InternetConnectA.WININET(00000000,00000000,00000000,00000000,00000000,00000001,08000000,00000000), ref: 004734D9

Strings

DCSC, xrefs: 0047348E
84G, xrefs: 00473468, 0047350F, 004734AF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00485150, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64 Total matches: 24registry

Similarity

Total matches: 24
API ID: RegCloseKeyRegOpenKeyRegSetValueEx
String ID: Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 551737238-1428018034
Opcode ID: 03d06dea9a4ea131a8c95bd501c85e7d0b73df60e0a15cb9a2dd1ac9fe2d308f
Instruction ID: 259808f008cd29689f11a183a475b32bbb219f99a0f83129d86369365ce9f44d
Opcode Fuzzy Hash: 15E04F8517EAE2ABA996B5C838866F7609A9713790F443FB19B742F18B4F04601CE243
Instruction Fuzzy Hash: 259808f008cd29689f11a183a475b32bbb219f99a0f83129d86369365ce9f44d

APIs

RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 00485199
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,?,00000000,004851DE,?,00000000,0048520A), ref: 004851C6
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,?,00000000,004851DE,?,00000000,0048520A), ref: 004851CF

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 0048518F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004606CC, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 59 Total matches: 75network

Similarity

Total matches: 75
API ID: gethostbynameinet_addr
String ID: %d.%d.%d.%d$0.0.0.0
API String ID: 1594361348-464342551
Opcode ID: 7e59b623bdbf8c44b8bb58eaa9a1d1e7bf08be48a025104469b389075155053e
Instruction ID: 136b4077bafd549567cd44b702fc781b2d0bdeab701521d256d746d30229b047
Opcode Fuzzy Hash: 62E0D84049F633C28038E685914DF713041C71A2DEF8F9352022171EF72B096986AE3F
Instruction Fuzzy Hash: 136b4077bafd549567cd44b702fc781b2d0bdeab701521d256d746d30229b047

APIs

inet_addr.WSOCK32(00000000), ref: 004606F6
gethostbyname.WSOCK32(00000000), ref: 00460711

Strings

%d.%d.%d.%d, xrefs: 0046075E
0.0.0.0, xrefs: 0046076C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043804C, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58 Total matches: 1778window

Similarity

Total matches: 1778
API ID: DrawMenuBarGetMenuItemInfoSetMenuItemInfo
String ID: P
API String ID: 41131186-3110715001
Opcode ID: ea0fd48338f9c30b58f928f856343979a74bbe7af1b6c53973efcbd39561a32d
Instruction ID: eec9c326b6739cd85be96541f469f9b321a478421ae7c7aca53e0c239bd8eefe
Opcode Fuzzy Hash: C8E0C0C1064C1301CCACB4938564F010221FB8B33CDD1D3C051602419A9D0080D4BFFA
Instruction Fuzzy Hash: eec9c326b6739cd85be96541f469f9b321a478421ae7c7aca53e0c239bd8eefe

APIs

GetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 0043809A
SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 004380EC
DrawMenuBar.USER32(00000000), ref: 004380F9

Strings

P, xrefs: 0043808C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474E20, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51 Total matches: 17synchronizationthreadinjection

Similarity

Total matches: 17
API ID: CreateRemoteThreadReadProcessMemoryWaitForSingleObject
String ID: DCPERSFWBP
API String ID: 972516186-2425095734
Opcode ID: c4bd10bfc42c7bc3ca456a767018bd77f736aecaa9343146970cff40bb4593b6
Instruction ID: 075115d4d80338f80b59a5c3f9ea77aa0f3a1cab00edb24ce612801bf173fcc5
Opcode Fuzzy Hash: 63D0A70B97094A56102D348D54027154341A601775EC177E38E36873F719C17051F85E
Instruction Fuzzy Hash: 075115d4d80338f80b59a5c3f9ea77aa0f3a1cab00edb24ce612801bf173fcc5

APIs

Part of subcall function 00474DF0: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,00475328,?,?,00474E3D,DCPERSFWBP,?,?), ref: 00474E06
Part of subcall function 00474DF0: WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,00000000,?,00003000,00000040,?,?,00475328,?,?,00474E3D), ref: 00474E12

CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00474E5E
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00474E6E
ReadProcessMemory.KERNEL32(?,00000000,?,?,?,DCPERSFWBP,?,?), ref: 00474E81

Strings

DCPERSFWBP, xrefs: 00474E28

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C3E4, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47 Total matches: 32libraryloader

Similarity

Total matches: 32
API ID: FreeLibraryGetProcAddressLoadLibrary
String ID: _DCEntryPoint
API String ID: 2438569322-2130044969
Opcode ID: ab6be07d423f29e2cef18b5ad5ff21cef58c0bd0bd6b8b884c8bb9d8d911d098
Instruction ID: 3cba8b520013dd4b177f9c32272ffd10ecf318a20762e1e9fa694429cf7511db
Opcode Fuzzy Hash: B9D0C2568747D413C405200439407D90CF1AF8719F9967FA145303FAD76F09801B7527
Instruction Fuzzy Hash: 3cba8b520013dd4b177f9c32272ffd10ecf318a20762e1e9fa694429cf7511db

APIs

LoadLibraryA.KERNEL32(00000000), ref: 0048C431
GetProcAddress.KERNEL32(00000000,_DCEntryPoint,00000000,0048C473), ref: 0048C442
FreeLibrary.KERNEL32(00000000), ref: 0048C44A

Strings

_DCEntryPoint, xrefs: 0048C43C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E2E0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43 Total matches: 12

Similarity

Total matches: 12
API ID: GetSystemMetrics
String ID: B$MonitorFromRect
API String ID: 96882338-2754499530
Opcode ID: 1842a50c2a1cfa3c1025dca09d4f756f79199febb49279e4604648b2b7edb610
Instruction ID: 6b6d6292007391345a0dd43a7380953c143f03b3d0a4cb72f8cf2ff6a2a574f7
Opcode Fuzzy Hash: E0D0A791112CA408509A0917702924315EE35EBC1599C0BE6976B792E797CABD329E0D
Instruction Fuzzy Hash: 6b6d6292007391345a0dd43a7380953c143f03b3d0a4cb72f8cf2ff6a2a574f7

APIs

GetSystemMetrics.USER32(00000000), ref: 0042E331
GetSystemMetrics.USER32(00000001), ref: 0042E33D

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

MonitorFromRect, xrefs: 0042E2F5
B, xrefs: 0042E2FA, 0042E307, 0042E30E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00431584, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43 Total matches: 12clipboard

Similarity

Total matches: 12
API ID: GetClipboardDataGlobalLockGlobalUnlock
String ID: 3 H
API String ID: 1112492702-888106971
Opcode ID: 013a2f41e22a5f88135e53f1f30c1b54f125933eea5d15d528f5d163d4797a42
Instruction ID: db876d1a574ac817b8a3991f0ba770b49a36090bd3b886d1e57eba999d76a536
Opcode Fuzzy Hash: 53D0A7C3025DE267E991578C0053A92A6C0D8416087C063B0830C2E927031E50AB7063
Instruction Fuzzy Hash: db876d1a574ac817b8a3991f0ba770b49a36090bd3b886d1e57eba999d76a536

APIs

GetClipboardData.USER32(00000001), ref: 0043159A
GlobalLock.KERNEL32(00000000,00000000,004315F6), ref: 004315BA
GlobalUnlock.KERNEL32(00000000,004315FD), ref: 004315E8

Strings

3 H, xrefs: 00431590, 004315ED

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046D36C, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36 Total matches: 62

Similarity

Total matches: 62
API ID: ShellExecute
String ID: /k $[FILE]$open
API String ID: 2101921698-3009165984
Opcode ID: 68a05d7cd04e1a973318a0f22a03b327e58ffdc8906febc8617c9713a9b295c3
Instruction ID: d64fb813625eb261c687c2654e5203d30067de4ace02db37851750b48dd66fbf
Opcode Fuzzy Hash: FED0C75427CD9157FA017F8439527E61057E747281D481BE285587A0838F8D40659312
Instruction Fuzzy Hash: d64fb813625eb261c687c2654e5203d30067de4ace02db37851750b48dd66fbf

APIs

ShellExecuteA.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0046D3B9

Strings

/k , xrefs: 0046D39A
cmd.exe, xrefs: 0046D3AD
open, xrefs: 0046D3B2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042F9E4, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36 Total matches: 35libraryloader

Similarity

Total matches: 35
API ID: GetProcAddressLoadLibrary
String ID: DWMAPI.DLL$DwmExtendFrameIntoClientArea
API String ID: 3291547091-2956373744
Opcode ID: cc41b93bac7ef77e5c5829331b5f2d91e10911707bc9e4b3bb75284856726923
Instruction ID: 611aa7263024d751f308fb3d57e5af9092bc5a71ac2d52dead79affe02cb0da7
Opcode Fuzzy Hash: D0D0A7E4C08511B0F0509405703078241DE1BC5EEE8860E90150E533621B9FB827F65C
Instruction Fuzzy Hash: 611aa7263024d751f308fb3d57e5af9092bc5a71ac2d52dead79affe02cb0da7

APIs

LoadLibraryA.KERNEL32(DWMAPI.DLL), ref: 0042FA0E
GetProcAddress.KERNEL32(00000000,DwmExtendFrameIntoClientArea,?,?,?,00447F98), ref: 0042FA31

Strings

DWMAPI.DLL, xrefs: 0042FA09
DwmExtendFrameIntoClientArea, xrefs: 0042FA26

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042FA80, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31 Total matches: 41libraryloader

Similarity

Total matches: 41
API ID: GetProcAddressLoadLibrary
String ID: DWMAPI.DLL$DwmIsCompositionEnabled
API String ID: 3291547091-2128843254
Opcode ID: 903d86e3198bc805c96c7b960047695f5ec88b3268c29fda1165ed3f3bc36d22
Instruction ID: 6cdb37f6684ca359e010f835ed4616ce0f7732468e0f2b98b5f1960530870703
Opcode Fuzzy Hash: E3D0C9A5C0865175F571D509713068081FA23D6E8A8824998091A123225FAFB866F55C
Instruction Fuzzy Hash: 6cdb37f6684ca359e010f835ed4616ce0f7732468e0f2b98b5f1960530870703

APIs

LoadLibraryA.KERNEL32(DWMAPI.DLL), ref: 0042FAA6
GetProcAddress.KERNEL32(00000000,DwmIsCompositionEnabled,?,?,0042FB22,?,00447EFB), ref: 0042FAC9

Strings

DwmIsCompositionEnabled, xrefs: 0042FABE
DWMAPI.DLL, xrefs: 0042FAA1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040F4AC, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16 Total matches: 3137libraryloader

Similarity

Total matches: 3137
API ID: GetModuleHandleGetProcAddress
String ID: GetDiskFreeSpaceExA$[FILE]
API String ID: 1063276154-3559590856
Opcode ID: c33e0a58fb58839ae40c410e06ae8006a4b80140bf923832b2d6dbd30699e00d
Instruction ID: 9d6a6771c1a736381c701344b3d7b8e37c98dfc5013332f68a512772380f22cc
Opcode Fuzzy Hash: D8B09224E0D54114C4B4560930610013C82738A10E5019A820A1B720AA7CCEEA29603A
Instruction Fuzzy Hash: 9d6a6771c1a736381c701344b3d7b8e37c98dfc5013332f68a512772380f22cc

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0048F10B,00000000,0048F11E), ref: 0040F4B2
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA,kernel32.dll,?,0048F10B,00000000,0048F11E), ref: 0040F4C3

Strings

GetDiskFreeSpaceExA, xrefs: 0040F4BD
kernel32.dll, xrefs: 0040F4AD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EC20, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15 Total matches: 48libraryloader

Similarity

Total matches: 48
API ID: GetModuleHandleGetProcAddress
String ID: CoWaitForMultipleHandles$[FILE]
API String ID: 1063276154-3065170753
Opcode ID: c6d715972c75e747e6d7ad7506eebf8b4c41a2b527cd9bc54a775635c050cd0f
Instruction ID: d81c7de5bd030b21af5c52a75e3162b073d887a4de1eb555b8966bd0fb9ec815
Opcode Fuzzy Hash: 4DB012F9A0C9210CE55F44043163004ACF031C1B5F002FD461637827803F86F437631D
Instruction Fuzzy Hash: d81c7de5bd030b21af5c52a75e3162b073d887a4de1eb555b8966bd0fb9ec815

APIs

GetModuleHandleA.KERNEL32(ole32.dll,?,0042EC9A), ref: 0042EC26
GetProcAddress.KERNEL32(00000000,CoWaitForMultipleHandles,ole32.dll,?,0042EC9A), ref: 0042EC37

Strings

CoWaitForMultipleHandles, xrefs: 0042EC31
ole32.dll, xrefs: 0042EC21

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E724, Relevance: 6.2, APIs: 4, Instructions: 198 Total matches: 19

Similarity

Total matches: 19
API ID: NetApiBufferFree$NetShareEnumNetShareGetInfo
String ID:
API String ID: 1922012051-0
Opcode ID: 7e64b2910944434402afba410b58d9b92ec59018d54871fdfc00dd5faf96720b
Instruction ID: 14ccafa2cf6417a1fbed620c270814ec7f2ac7381c92f106b89344cab9500d3f
Opcode Fuzzy Hash: 522148C606BDA0ABF6A3B4C4B447FC182D07B0B96DE486B2290BABD5C20D9521079263
Instruction Fuzzy Hash: 14ccafa2cf6417a1fbed620c270814ec7f2ac7381c92f106b89344cab9500d3f

APIs

Part of subcall function 004032F8: GetCommandLineA.KERNEL32(00000000,00403349,?,?,?,00000000), ref: 0040330F

Part of subcall function 00403358: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,0046E763,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0040337C
Part of subcall function 00403358: GetCommandLineA.KERNEL32(?,?,?,0046E763,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0040338E

NetShareEnum.NETAPI32(?,00000000,?,000000FF,?,?,?,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0046E79C
NetShareGetInfo.NETAPI32(?,?,000001F6,?,00000000,0046E945,?,?,00000000,?,000000FF,?,?,?,00000000,0046E984), ref: 0046E7D5
NetApiBufferFree.NETAPI32(?,?,?,000001F6,?,00000000,0046E945,?,?,00000000,?,000000FF,?,?,?,00000000), ref: 0046E936
NetApiBufferFree.NETAPI32(?,?,00000000,?,000000FF,?,?,?,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0046E964

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00411444, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: 954335058d5fe722e048a186d9110509c96c1379a47649d8646f5b9e1a2e0a0b
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: 9D014B0327CAAA867021BB004882FA0D2D4DE52A369CD8774DB71593F62780571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004114F3
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041150F
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411586
VariantClear.OLEAUT32(?), ref: 004115AF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040D8AA, Relevance: 6.1, APIs: 4, Instructions: 101 Total matches: 2563

Similarity

Total matches: 2563
API ID: GetModuleFileName$LoadStringVirtualQuery
String ID:
API String ID: 2941097594-0
Opcode ID: 9f707685a8ca2ccbfc71ad53c7f9b5a8f910bda01de382648e3a286d4dcbad8b
Instruction ID: 9b6f9daabaaed01363acd1bc6df000eeaee8c5b1ee04e659690c8b100997f9f3
Opcode Fuzzy Hash: 4C014C024365E386F4234B112882F5492E0DB65DB1E8C6751EFB9503F65F40115EF72D
Instruction Fuzzy Hash: 9b6f9daabaaed01363acd1bc6df000eeaee8c5b1ee04e659690c8b100997f9f3

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040D8C9
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040D8ED
GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040D908
LoadStringA.USER32(00000000,0000FFED,?,00000100), ref: 0040D99E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428848, Relevance: 6.1, APIs: 4, Instructions: 83 Total matches: 2913window

Similarity

Total matches: 2913
API ID: CreateCompatibleDCRealizePaletteSelectObjectSelectPalette
String ID:
API String ID: 3833105616-0
Opcode ID: 7f49dee69bcd38fda082a6c54f39db5f53dba16227df2c2f18840f8cf7895046
Instruction ID: 29ada319a87402adac0eebea4d3b1ef9d21249ffa1523adf5174efdc3c3390a2
Opcode Fuzzy Hash: C0F0E5870BCED49BFCA7D484249722910C2F3C08DFC80A3324E55676DB9604B127A20B
Instruction Fuzzy Hash: 29ada319a87402adac0eebea4d3b1ef9d21249ffa1523adf5174efdc3c3390a2

APIs

Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE

Part of subcall function 00429D5C: GetDC.USER32(00000000), ref: 00429DB2
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429DC7
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00429DD1
Part of subcall function 00429D5C: CreateHalftonePalette.GDI32(00000000), ref: 00429DF5
Part of subcall function 00429D5C: ReleaseDC.USER32(00000000,00000000), ref: 00429E00

CreateCompatibleDC.GDI32(00000000), ref: 0042889D
SelectObject.GDI32(00000000,?), ref: 004288B6
SelectPalette.GDI32(00000000,?,000000FF), ref: 004288DF
RealizePalette.GDI32(00000000), ref: 004288EB

Part of subcall function 00425608: LeaveCriticalSection.KERNEL32(00000038,00000000,00423DD2,00423DE8), ref: 0042560F
Part of subcall function 00425608: EnterCriticalSection.KERNEL32(00499A30,00000038,00000000,00423DD2,00423DE8), ref: 00425619
Part of subcall function 00425608: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000038,00000000,00423DD2,00423DE8), ref: 00425626

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00470B94, Relevance: 6.1, APIs: 4, Instructions: 73 Total matches: 22file

Similarity

Total matches: 22
API ID: DragQueryFile$GlobalLockGlobalUnlock
String ID:
API String ID: 367920443-0
Opcode ID: 498cda1e803d17a6f5118466ea9165dd9226bd8025a920d397bde98fe09ca515
Instruction ID: b8ae27aaf29c7a970dfd4945759f76c89711bef1c6f8db22077be54f479f9734
Opcode Fuzzy Hash: F8F05C830F79E26BD5013A844E0179401A17B03DB8F147BB2D232729DC4E5D409DF60F
Instruction Fuzzy Hash: b8ae27aaf29c7a970dfd4945759f76c89711bef1c6f8db22077be54f479f9734

APIs

Part of subcall function 00431970: GetClipboardData.USER32(00000000), ref: 00431996

GlobalLock.KERNEL32(00000000,00000000,00470C74), ref: 00470BDE
DragQueryFileA.SHELL32(?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470BF0
DragQueryFileA.SHELL32(?,00000000,?,00000105,?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470C10
GlobalUnlock.KERNEL32(00000000,?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470C56

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00438710, Relevance: 6.1, APIs: 4, Instructions: 72 Total matches: 3034window

Similarity

Total matches: 3034
API ID: GetMenuItemIDGetMenuStateGetMenuStringGetSubMenu
String ID:
API String ID: 4177512249-0
Opcode ID: ecc45265f1f2dfcabc36b66648e37788e83d83d46efca9de613be41cbe9cf08e
Instruction ID: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d
Opcode Fuzzy Hash: BEE020084B1FC552541F0A4A1573F019140E142CB69C3F3635127565B31A255213F776
Instruction Fuzzy Hash: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d

APIs

GetMenuState.USER32(?,?,?), ref: 00438733
GetSubMenu.USER32(?,?), ref: 0043873E
GetMenuItemID.USER32(?,?), ref: 00438757
GetMenuStringA.USER32(?,?,?,?,?), ref: 004387AA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00445518, Relevance: 6.1, APIs: 4, Instructions: 71 Total matches: 218threadwindow

Similarity

Total matches: 218
API ID: GetCurrentProcessIdGetWindowGetWindowThreadProcessIdIsWindowVisible
String ID:
API String ID: 3659984437-0
Opcode ID: 6a2b99e3a66d445235cbeb6ae27631a3038d73fb4110980a8511166327fee1f0
Instruction ID: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8
Opcode Fuzzy Hash: 82E0AB21B2AA28AAE0971541B01939130B3F74ED9ACC0A3626F8594BD92F253809E74F
Instruction Fuzzy Hash: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8

APIs

GetWindow.USER32(?,00000004), ref: 00445528
GetWindowThreadProcessId.USER32(?,?), ref: 00445542
GetCurrentProcessId.KERNEL32(?,00000004), ref: 0044554E
IsWindowVisible.USER32(?), ref: 0044559E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B29C, Relevance: 6.1, APIs: 4, Instructions: 58 Total matches: 214window

Similarity

Total matches: 214
API ID: DeleteObject$GetIconInfoGetObject
String ID:
API String ID: 3019347292-0
Opcode ID: d6af2631bec08fa1cf173fc10c555d988242e386d2638a025981433367bbd086
Instruction ID: 7fbc048e39f9dd6e6db5f40543e5f161b145f4c2f282fe4a446dbd8e1941d375
Opcode Fuzzy Hash: F7D0C283228DE2F7ED767D983A636154085F782297C6423B00444730860A1E700C6A03
Instruction Fuzzy Hash: 7fbc048e39f9dd6e6db5f40543e5f161b145f4c2f282fe4a446dbd8e1941d375

APIs

GetIconInfo.USER32(?,?), ref: 0042B2BD
GetObjectA.GDI32(?,00000018,?), ref: 0042B2DE
DeleteObject.GDI32(?), ref: 0042B30A
DeleteObject.GDI32(?), ref: 0042B313

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00445334, Relevance: 6.1, APIs: 4, Instructions: 56 Total matches: 2678

Similarity

Total matches: 2678
API ID: EnumWindowsGetWindowGetWindowLongSetWindowPos
String ID:
API String ID: 1660305372-0
Opcode ID: c3d012854d63b95cd89c42a77d529bdce0f7c5ea0abc138a70ce1ca7fb0ed027
Instruction ID: 7947c1ee61b3a945b06f79495752ea495d4a1fb36974d9d540e15b721e8a8e8a
Opcode Fuzzy Hash: 65E07D89179DA114F52124400911F043342F3D731BD1ADF814246283E39B8522BBFB8C
Instruction Fuzzy Hash: 7947c1ee61b3a945b06f79495752ea495d4a1fb36974d9d540e15b721e8a8e8a

APIs

EnumWindows.USER32(Function_000452BC), ref: 0044535E
GetWindow.USER32(?,00000003), ref: 00445376
GetWindowLongA.USER32(00000000,000000EC), ref: 00445383
SetWindowPos.USER32(00000000,000000EC,00000000,00000000,00000000,00000000,00000213), ref: 004453C2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004314A0, Relevance: 6.1, APIs: 4, Instructions: 56 Total matches: 21memoryclipboard

Similarity

Total matches: 21
API ID: GlobalAllocGlobalLockGlobalUnlockSetClipboardData
String ID:
API String ID: 3535573752-0
Opcode ID: f0e50475fe096c382d27ee33e947bcf8d55d19edebb1ed8108c2663ee63934e9
Instruction ID: 2742e8ac83e55c90e50d408429e67af57535f67fab21309796ee5989aaacba5e
Opcode Fuzzy Hash: D7E0C250025CF01BF9CA69CD3C97E86D2D2DA402649D46FB58258A78B3222E6049E50B
Instruction Fuzzy Hash: 2742e8ac83e55c90e50d408429e67af57535f67fab21309796ee5989aaacba5e

APIs

GlobalAlloc.KERNEL32(00002002,?,00000000,00431572), ref: 004314CF
GlobalLock.KERNEL32(?,00000000,00431544,?,00002002,?,00000000,00431572), ref: 004314E9
SetClipboardData.USER32(?,?), ref: 00431517
GlobalUnlock.KERNEL32(?,0043153A,?,00000000,00431544,?,00002002,?,00000000,00431572), ref: 0043152D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040A404, Relevance: 6.1, APIs: 4, Instructions: 54 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: c8f11cb17e652d385e55d6399cfebc752614be738e382b5839b86fc73ea86396
Instruction ID: 2e292ce978d1af3d415e66e5b982e49a92b9d84a3d1479b7871fac408542b61b
Opcode Fuzzy Hash: 32D02B030B309613452F157D0441F8D7032488F01A96C2F8C37B77ABA68505605FFE4C
Instruction Fuzzy Hash: 2e292ce978d1af3d415e66e5b982e49a92b9d84a3d1479b7871fac408542b61b

APIs

FindNextFileA.KERNEL32(?,?), ref: 0040A415
GetLastError.KERNEL32(?,?), ref: 0040A41E
FileTimeToLocalFileTime.KERNEL32(?), ref: 0040A434
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 0040A443

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0041C2D4, Relevance: 6.1, APIs: 4, Instructions: 51 Total matches: 4966

Similarity

Total matches: 4966
API ID: FindResourceLoadResourceLockResourceSizeofResource
String ID:
API String ID: 3653323225-0
Opcode ID: 735dd83644160b8dcfdcb5d85422b4d269a070ba32dbf009b7750e227a354687
Instruction ID: 615d07274e164157e3e11310b2f920de543c2506028dc961f8b3aaf64374c2fd
Opcode Fuzzy Hash: 4BD0A90A2268C100582C2C80002BBC610830A5FE226CC27F902231BBC32C026024F8C4
Instruction Fuzzy Hash: 615d07274e164157e3e11310b2f920de543c2506028dc961f8b3aaf64374c2fd

APIs

FindResourceA.KERNEL32(?,?,?), ref: 0041C2EB
LoadResource.KERNEL32(?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C305
SizeofResource.KERNEL32(?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C31F
LockResource.KERNEL32(0041BDF4,00000000,?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000), ref: 0041C329

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040A3AC, Relevance: 6.0, APIs: 4, Instructions: 40 Total matches: 51time

Similarity

Total matches: 51
API ID: DosDateTimeToFileTimeGetLastErrorLocalFileTimeToFileTimeSetFileTime
String ID:
API String ID: 3095628216-0
Opcode ID: dc7fe683cb9960f76d0248ee31fd3249d04fe76d6d0b465a838fe0f3e66d3351
Instruction ID: c3399427300e97a0bf23ec08d7f996c3ab3c22a86554ee3675cd901d102723b3
Opcode Fuzzy Hash: F2C0803B165157D71F4F7D7C600375011F0D1778230955B614E019718D4E05F01EFD86
Instruction Fuzzy Hash: c3399427300e97a0bf23ec08d7f996c3ab3c22a86554ee3675cd901d102723b3

APIs

DosDateTimeToFileTime.KERNEL32(?,0048C37F,?), ref: 0040A3C9
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0040A3DA
SetFileTime.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3EC
GetLastError.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3F5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00484388, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 39

Similarity

Total matches: 39
API ID: CloseHandleGetExitCodeProcessOpenProcessTerminateProcess
String ID:
API String ID: 2790531620-0
Opcode ID: 2f64381cbc02908b23ac036d446d8aeed05bad4df5f4c3da9e72e60ace7043ae
Instruction ID: e830ae185e03603e72926048c7063e7464f7d8c572e36ef4319c937be7ad0c91
Opcode Fuzzy Hash: 5DC01285079EAB7B643571D825437E14084D5026CCB943B7185045F10B4B09B43DF053
Instruction Fuzzy Hash: e830ae185e03603e72926048c7063e7464f7d8c572e36ef4319c937be7ad0c91

APIs

OpenProcess.KERNEL32(00000001,00000000,00000000), ref: 00484393
GetExitCodeProcess.KERNEL32(00000000,?), ref: 004843B7
TerminateProcess.KERNEL32(00000000,?,00000000,004843E0,?,00000001,00000000,00000000), ref: 004843C4
CloseHandle.KERNEL32(00000000), ref: 004843DA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044E254, Relevance: 6.0, APIs: 4, Instructions: 37 Total matches: 5751thread

Similarity

Total matches: 5751
API ID: GetCurrentProcessIdGetPropGetWindowThreadProcessIdGlobalFindAtom
String ID:
API String ID: 142914623-0
Opcode ID: 055fee701d7a26f26194a738d8cffb303ddbdfec43439e02886190190dab2487
Instruction ID: e9689aead5eaf442059aa2d418bca5d111d08576717f72d926dd49825766799b
Opcode Fuzzy Hash: 0AC02203AD2E23870E4202F2E840907219583DF8720CA370201B0E38C023F0461DFF0C
Instruction Fuzzy Hash: e9689aead5eaf442059aa2d418bca5d111d08576717f72d926dd49825766799b

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 0044E261
GetCurrentProcessId.KERNEL32(00000000,?,?,-00000010,00000000,0044E2CC,-000000F7,?,00000000,0044DE86,?,-00000010,?), ref: 0044E26A
GlobalFindAtomA.KERNEL32(00000000), ref: 0044E27F
GetPropA.USER32(00000000,00000000), ref: 0044E296

Part of subcall function 0044D2C0: GetWindowThreadProcessId.USER32(?), ref: 0044D2C6
Part of subcall function 0044D2C0: GetCurrentProcessId.KERNEL32(?,?,?,?,0044D346,?,00000000,?,004387ED,?,004378A9), ref: 0044D2CF
Part of subcall function 0044D2C0: SendMessageA.USER32(?,0000C1C7,00000000,00000000), ref: 0044D2E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444B1C, Relevance: 6.0, APIs: 4, Instructions: 34 Total matches: 2966thread

Similarity

Total matches: 2966
API ID: CreateEventCreateThreadGetCurrentThreadIdSetWindowsHookEx
String ID:
API String ID: 2240124278-0
Opcode ID: 54442a1563c67a11f9aee4190ed64b51599c5b098d388fde65e2e60bb6332aef
Instruction ID: 25b62da08cecef26c395931cea73ffe9b62582a88be241cbb158b3c9ea13de32
Opcode Fuzzy Hash: 37D0C940B0DE75C4F860630138017A90633234BF1BCD1C316480F76041C6CFAEF07A28
Instruction Fuzzy Hash: 25b62da08cecef26c395931cea73ffe9b62582a88be241cbb158b3c9ea13de32

APIs

GetCurrentThreadId.KERNEL32(?,00447A69,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00444B34
SetWindowsHookExA.USER32(00000003,00444AD8,00000000,00000000), ref: 00444B44
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00447A69,?,?,?,?,?,?,?,?,?,?), ref: 00444B5F
CreateThread.KERNEL32(00000000,000003E8,00444A7C,00000000,00000000), ref: 00444B83

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B438, Relevance: 6.0, APIs: 4, Instructions: 29 Total matches: 789

Similarity

Total matches: 789
API ID: GetDCGetTextMetricsReleaseDCSelectObject
String ID:
API String ID: 1769665799-0
Opcode ID: db772d9cc67723a7a89e04e615052b16571c955da3e3b2639a45f22e65d23681
Instruction ID: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3
Opcode Fuzzy Hash: DCC02B935A2888C32DE51FC0940084317C8C0E3A248C62212E13D400727F0C007CBFC0
Instruction Fuzzy Hash: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3

APIs

GetDC.USER32(00000000), ref: 0042B441
SelectObject.GDI32(00000000,018A002E), ref: 0042B453
GetTextMetricsA.GDI32(00000000), ref: 0042B45E
ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042473C, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 172 Total matches: 108

Similarity

Total matches: 108
API ID: CompareStringCreateFontIndirect
String ID: Default
API String ID: 480662435-753088835
Opcode ID: 55710f22f10b58c86f866be5b7f1af69a0ec313069c5af8c9f5cd005ee0f43f8
Instruction ID: ad4a051fb67a15694052d05548e5e2a92b9daedfa5d673be67c756d1cf269a99
Opcode Fuzzy Hash: F6116A2104DDB067F8B3EC94B64A74A79D1BBC5E9EC00FB303AA57198A0B01500EEB0E
Instruction Fuzzy Hash: ad4a051fb67a15694052d05548e5e2a92b9daedfa5d673be67c756d1cf269a99

APIs

Part of subcall function 00423A1C: EnterCriticalSection.KERNEL32(?,00423A59), ref: 00423A20

CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,00424930,?,00000000,00424958), ref: 0042486B
CreateFontIndirectA.GDI32(?), ref: 0042490D

Part of subcall function 0042B438: GetDC.USER32(00000000), ref: 0042B441
Part of subcall function 0042B438: SelectObject.GDI32(00000000,018A002E), ref: 0042B453
Part of subcall function 0042B438: GetTextMetricsA.GDI32(00000000), ref: 0042B45E
Part of subcall function 0042B438: ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Part of subcall function 00423A28: LeaveCriticalSection.KERNEL32(-00000008,00423B07,00423B0F), ref: 00423A2C

Strings

Default, xrefs: 00424832, 00424840, 00424841

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045E7B4, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108 Total matches: 16

Similarity

Total matches: 16
API ID: GetActiveObject
String ID: E
API String ID: 888827201-3568589458
Opcode ID: 40ff121eecf195b3d4325bc1369df9dba976ca9c7c575cd6fc43b4b0f55e6955
Instruction ID: ab5b10c220aec983b32735e40d91a884d9f08e665b5304ccd80c3bfe0421d5f3
Opcode Fuzzy Hash: 13019E441FFC9152E583688426C3F4932B26B4FB4AD88B7271A77636A99905000FEE66
Instruction Fuzzy Hash: ab5b10c220aec983b32735e40d91a884d9f08e665b5304ccd80c3bfe0421d5f3

APIs

GetActiveObject.OLEAUT32(?,00000000,00000000), ref: 0045E817

Part of subcall function 0042BE18: ProgIDFromCLSID.OLE32(?), ref: 0042BE21
Part of subcall function 0042BE18: CoTaskMemFree.OLE32(00000000), ref: 0042BE39

Part of subcall function 0042BD90: StringFromCLSID.OLE32(?), ref: 0042BD99
Part of subcall function 0042BD90: CoTaskMemFree.OLE32(00000000), ref: 0042BDB1

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetActiveObject.OLEAUT32(?,00000000,00000000), ref: 0045E89E

Part of subcall function 0042BF5C: GetComputerNameA.KERNEL32(?,00000010), ref: 0042C00D
Part of subcall function 0042BF5C: CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,?,00000000,0042C0FD), ref: 0042C07D
Part of subcall function 0042BF5C: CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 0042C0B6

Part of subcall function 00405D28: SysFreeString.OLEAUT32(7942540A), ref: 00405D36

Part of subcall function 0042BE44: CoCreateInstance.OLE32(?,00000000,00000005,0042BF34,00000000), ref: 0042BE8B

Strings

E, xrefs: 0045E85F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E3F0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103 Total matches: 30

Similarity

Total matches: 30
API ID: SHGetPathFromIDListSHGetSpecialFolderLocation
String ID: .LNK
API String ID: 739551631-2547878182
Opcode ID: 6b91e9416f314731ca35917c4d41f2341f1eaddd7b94683245f35c4551080332
Instruction ID: e6ae6f63a256f5e8788dfe1c4fce17057cd352befa637d7beb5ae1c0f18a968e
Opcode Fuzzy Hash: 9701B543079EC2A3D9232E512D43BA60129AF11E22F4C77F35A3C3A7D11E500105FA4A
Instruction Fuzzy Hash: e6ae6f63a256f5e8788dfe1c4fce17057cd352befa637d7beb5ae1c0f18a968e

APIs

SHGetSpecialFolderLocation.SHELL32(00000000,00000010,?), ref: 0046E44B
SHGetPathFromIDListA.SHELL32(?,?,00000000,00000010,?,00000000,0046E55E), ref: 0046E463

Part of subcall function 0042BE44: CoCreateInstance.OLE32(?,00000000,00000005,0042BF34,00000000), ref: 0042BE8B

Strings

.LNK, xrefs: 0046E4DE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00472C70, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 98 Total matches: 26

Similarity

Total matches: 26
API ID: SetFileAttributes
String ID: I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!$drivers\etc\hosts
API String ID: 3201317690-57959411
Opcode ID: de1fcf5289fd0d37c0d7642ff538b0d3acf26fbf7f5b53187118226b7e9f9585
Instruction ID: 1f69c6cfd5524e6f1e55c33e322de11738733e7ba85079705839c212502733fc
Opcode Fuzzy Hash: C4012B430F74D723D5173D857800B8922764B4A179D4A77F34B3B796E14E45101BF26D
Instruction Fuzzy Hash: 1f69c6cfd5524e6f1e55c33e322de11738733e7ba85079705839c212502733fc

APIs

Part of subcall function 004719C8: GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 004719DF

SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00472DAB,?,00000000,00472DE7), ref: 00472D16

Strings

drivers\etc\hosts, xrefs: 00472CD3, 00472D00
I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!, xrefs: 00472D8D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004629C0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 91 Total matches: 35com

Similarity

Total matches: 35
API ID: CoCreateInstance
String ID: <*I$L*I
API String ID: 206711758-935359969
Opcode ID: 926ebed84de1c4f5a0cff4f8c2e2da7e6b2741b3f47b898da21fef629141a3d9
Instruction ID: fa8d7291222113e0245fa84df17397d490cbd8a09a55d837a8cb9fde22732a4b
Opcode Fuzzy Hash: 79F02EA00A6B5057F502728428413DB0157E74BF09F48EB715253335860F29E22A6903
Instruction Fuzzy Hash: fa8d7291222113e0245fa84df17397d490cbd8a09a55d837a8cb9fde22732a4b

APIs

CoCreateInstance.OLE32(00492A3C,00000000,00000001,0049299C,00000000), ref: 00462A3F

Strings

<*I, xrefs: 00462A39
L*I, xrefs: 00462A60

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004658F4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91 Total matches: 91memory

Similarity

Total matches: 91
API ID: VirtualFreeVirtualProtect
String ID: FinalizeSections: VirtualProtect failed
API String ID: 636303360-3584865983
Opcode ID: eacfc3cf263d000af2bbea4d1e95e0ccf08e91c00f24ffdf9b55ce997f25413f
Instruction ID: a25c5a888a9fda5817e5b780509016ca40cf7ffd1ade20052d4c48f0177e32df
Opcode Fuzzy Hash: 8CF0A7A2164FC596D9E4360D5003B96A44B6BC1369D4857412FFF106F35E46A06B7D4C
Instruction Fuzzy Hash: a25c5a888a9fda5817e5b780509016ca40cf7ffd1ade20052d4c48f0177e32df

APIs

VirtualFree.KERNEL32(?,?,00004000), ref: 00465939
VirtualProtect.KERNEL32(?,?,00000000,?), ref: 004659A5

Strings

FinalizeSections: VirtualProtect failed, xrefs: 004659B3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00404B2E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83 Total matches: 27

Similarity

Total matches: 27
API ID: UnhandledExceptionFilter
String ID: @
API String ID: 324268079-2726393805
Opcode ID: 404135c81fb2f5f5ca58f8e75217e0a603ea6e07d48b6f32e279dfa7f56b0152
Instruction ID: c84c814e983b35b1fb5dae0ae7b91a26e19a660e9c4fa24becd8f1ddc27af483
Opcode Fuzzy Hash: CDF0246287E8612AD0BB6641389337E1451EF8189DC88DB307C9A306FB1A4D22A4F34C
Instruction Fuzzy Hash: c84c814e983b35b1fb5dae0ae7b91a26e19a660e9c4fa24becd8f1ddc27af483

APIs

UnhandledExceptionFilter.KERNEL32(00000006), ref: 00404B9A
UnhandledExceptionFilter.KERNEL32(?), ref: 00404BD7

Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00000000,00403029), ref: 004076AD
Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00403029), ref: 004076BE

Strings

@, xrefs: 00404B55

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040C028, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79 Total matches: 3032thread

Similarity

Total matches: 3032
API ID: GetDateFormatGetThreadLocale
String ID: yyyy
API String ID: 358233383-3145165042
Opcode ID: a9ef5bbd8ef47e5bcae7fadb254d6b5dc10943448e4061dc92b10bb97dc7929c
Instruction ID: 3d7ab4add3e8180159f8482215856afc9a1a963464e366b4ca05c92ac214afea
Opcode Fuzzy Hash: 09F09E4A0397D3D76802C969D023BC10194EB5A8B2C88B3B1DBB43D7F74C10C40AAF21
Instruction Fuzzy Hash: 3d7ab4add3e8180159f8482215856afc9a1a963464e366b4ca05c92ac214afea

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,0040C116), ref: 0040C0AE
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100), ref: 0040C0B4

Strings

yyyy, xrefs: 0040C089

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004889F0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 72 Total matches: 20

Similarity

Total matches: 20
API ID: GetMonitorInfo
String ID: H$MONSIZE
API String ID: 2399315694-578782711
Opcode ID: fcbd22419a9fe211802b34775feeb9b9cd5c1eab3f2b681a58b96c928ed20dcd
Instruction ID: 58dff39716ab95f400833e95f8353658d64ab2bf0589c4ada55bb24297febcec
Opcode Fuzzy Hash: A0F0E957075E9D5BE7326D883C177C042D82342C5AE8EB75741B9329B20D59511DF3C9
Instruction Fuzzy Hash: 58dff39716ab95f400833e95f8353658d64ab2bf0589c4ada55bb24297febcec

APIs

GetMonitorInfoA.USER32(?,00000048), ref: 00488A28

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

H, xrefs: 00488A19
MONSIZE, xrefs: 00488A65

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486210, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66 Total matches: 14network

Similarity

Total matches: 14
API ID: recvsend
String ID: EndReceive
API String ID: 740075404-1723565878
Opcode ID: 0642aeb2bf09005660d41f125a1d03baad4e76b78f36ec5b7dd5d239cf09d5cc
Instruction ID: 216cfea4cb83c20b808547ecb65d31b60c96cf6878345f9c489041ca4988cdb5
Opcode Fuzzy Hash: 4FE02B06133A455DE6270580341A3C7F947772B705E47D7F14FA4311DACA43322AE70B
Instruction Fuzzy Hash: 216cfea4cb83c20b808547ecb65d31b60c96cf6878345f9c489041ca4988cdb5

APIs

Part of subcall function 00466470: acmStreamConvert.MSACM32(?,00000108,00000000), ref: 004664AB
Part of subcall function 00466470: acmStreamReset.MSACM32(?,00000000,?,00000108,00000000), ref: 004664B9

send.WSOCK32(00000000,0049A3A0,00000000,00000000), ref: 004862AA
recv.WSOCK32(00000000,0049A3A0,00001FFF,00000000,00000000,0049A3A0,00000000,00000000), ref: 004862C1

Part of subcall function 00475F68: send.WSOCK32(?,00000000,?,00000000,00000000,00475FCA), ref: 00475FAF

Strings

EndReceive, xrefs: 004862CA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004843EC, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52 Total matches: 15

Similarity

Total matches: 15
API ID: CloseHandleOpenProcess
String ID: ACCESS DENIED (x64)
API String ID: 39102293-185273294
Opcode ID: a572bc7c6731d9d91b92c5675ac9d9d4c0009ce4d4d6c6579680fd2629dc7de7
Instruction ID: 96dec37c68e2c881eb92ad81010518019459718a977f0d9739e81baf42475d3b
Opcode Fuzzy Hash: EBE072420B68F08FB4738298640028100C6AE862BCC486BB5523B391DB4E49A008B6A3
Instruction Fuzzy Hash: 96dec37c68e2c881eb92ad81010518019459718a977f0d9739e81baf42475d3b

APIs

OpenProcess.KERNEL32(001F0FFF,00000000), ref: 0048440F
CloseHandle.KERNEL32(00000000), ref: 00484475

Strings

ACCESS DENIED (x64), xrefs: 004843FD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E408, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44 Total matches: 2190

Similarity

Total matches: 2190
API ID: GetSystemMetrics
String ID: MonitorFromPoint
API String ID: 96882338-1072306578
Opcode ID: 666203dad349f535e62b1e5569e849ebaf95d902ba2aa8f549115cec9aadc9dc
Instruction ID: 9e90a3aeaa9df0e76633c437836624889fea8714b6c2508f44f8acb6986c90e8
Opcode Fuzzy Hash: 72D09540005C404E9427F505302314050862CD7C1444C0A96073728A4B4BC07837E70C
Instruction Fuzzy Hash: 9e90a3aeaa9df0e76633c437836624889fea8714b6c2508f44f8acb6986c90e8

APIs

GetSystemMetrics.USER32(00000000), ref: 0042E456
GetSystemMetrics.USER32(00000001), ref: 0042E468

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

MonitorFromPoint, xrefs: 0042E41A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00405026, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43 Total matches: 29

Similarity

Total matches: 29
API ID: UnhandledExceptionFilter
String ID: @$@
API String ID: 324268079-1993891284
Opcode ID: 08651bee2e51f7c203f2bcbc4971cbf38b3c12a2f284cd033f2f36121a1f9316
Instruction ID: 09869fe21a55f28103c5e2f74b220912f521d4c5ca74f0421fb5e508a020f7c0
Opcode Fuzzy Hash: 83E0CD9917D5514BE0755684259671E1051EF05825C4A8F316D173C1FB151A11E4F77C
Instruction Fuzzy Hash: 09869fe21a55f28103c5e2f74b220912f521d4c5ca74f0421fb5e508a020f7c0

APIs

UnhandledExceptionFilter.KERNEL32(00000006), ref: 00405047

Strings

@, xrefs: 00405080
@, xrefs: 004050A2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004319C4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43 Total matches: 10clipboard

Similarity

Total matches: 10
API ID: EnumClipboardFormats
String ID: 84B
API String ID: 3596886676-4139892337
Opcode ID: b1462d8625ddb51b2d31736c791a41412de0acc99cd040f5562c49b894f36a34
Instruction ID: 9fe3e5fa4cb89e8a0f94f97538fc14217740b2e6ec0d3bb9a3290716fcbe2ff9
Opcode Fuzzy Hash: 96D0A79223ECD863E9EC2359145BD47254F08D22554440B315E1B6DA13E520181FF58F
Instruction Fuzzy Hash: 9fe3e5fa4cb89e8a0f94f97538fc14217740b2e6ec0d3bb9a3290716fcbe2ff9

APIs

EnumClipboardFormats.USER32(00000000), ref: 004319E8
EnumClipboardFormats.USER32(00000000), ref: 00431A0E

Strings

84B, xrefs: 004319F6

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00422188, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42 Total matches: 16registry

Similarity

Total matches: 16
API ID: RegSetValueEx
String ID: NoControlPanel$tdA
API String ID: 3711155140-1355984343
Opcode ID: 5e8bf8497a5466fff8bc5eb4e146d5dc6a0602752481f5dd4d5504146fb4de3d
Instruction ID: cdf02c1bfc0658aace9b7e9a135c824c3cff313d703079df6a374eed0d2e646e
Opcode Fuzzy Hash: E2D0A75C074881C524D914CC3111E01228593157AA49C3F52875D627F70E00E038DD1E
Instruction Fuzzy Hash: cdf02c1bfc0658aace9b7e9a135c824c3cff313d703079df6a374eed0d2e646e

APIs

RegSetValueExA.ADVAPI32(?,00000000,00000000,00000000,?,?,004724E0,00000000,004724E0), ref: 004221BA

Strings

NoControlPanel, xrefs: 00422188
tdA, xrefs: 004221D0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E258, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39 Total matches: 3131

Similarity

Total matches: 3131
API ID: GetSystemMetrics
String ID: GetSystemMetrics
API String ID: 96882338-96882338
Opcode ID: bbc54e4b5041dfa08de2230ef90e8f32e1264c6e24ec09b97715d86cc98d23e9
Instruction ID: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c
Opcode Fuzzy Hash: B4D0A941986AA908E0AF511971A336358D163D2EA0C8C8362308B329EB5741B520AB01
Instruction Fuzzy Hash: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c

APIs

GetSystemMetrics.USER32(?), ref: 0042E2BA

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

GetSystemMetrics.USER32(?), ref: 0042E280

Strings

GetSystemMetrics, xrefs: 0042E268

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Process Name: darkcomet-irixo-final.exe Analysis ID: 58113

General

Root Process Name:	regdrv.exe
Process MD5:	34960F869AA933675A70C0C7C17ADDFE
Total matches:	224
Initial Analysis Report:	Open
Initial sample Analysis ID:	58113
Initial sample SHA 256:	9343339FADFE0F62D6FD46C6131ED9FDF01978D817192984E69A8BBECFB406D2
Initial sample name:	darkcomet-irixo-final.exe

Similar Executed Functions

Function 004818F8, Relevance: 49.2, APIs: 10, Strings: 18, Instructions: 236 Total matches: 18keyboard

Similarity

Total matches: 18
API ID: GetKeyState$CallNextHookEx$GetKeyboardStateMapVirtualKeyToAscii
String ID: [<-]$[DEL]$[DOWN]$[ESC]$[F1]$[F2]$[F3]$[F4]$[F5]$[F6]$[F7]$[F8]$[INS]$[LEFT]$[NUM_LOCK]$[RIGHT]$[SNAPSHOT]$[UP]
API String ID: 2409940449-52828794
Opcode ID: b9566e8c43a4051c07ac84d60916a303a7beb698efc358184a9cd4bc7b664fbd
Instruction ID: 41c13876561f3d94aafb9dcaf6d0e9d475a0720bb5103e60537e1bfe84b96b73
Opcode Fuzzy Hash: 0731B68AA7159623D437E2D97101B910227BF975D0CC1A3333EDA3CAE99E900114BF25
Instruction Fuzzy Hash: 41c13876561f3d94aafb9dcaf6d0e9d475a0720bb5103e60537e1bfe84b96b73

APIs

CallNextHookEx.USER32(000601F9,00000000,?,?), ref: 00481948

Part of subcall function 004818E0: MapVirtualKeyA.USER32(00000000,00000000), ref: 004818E6

CallNextHookEx.USER32(000601F9,00000000,00000100,?), ref: 0048198C
GetKeyState.USER32(00000014), ref: 00481C4E
GetKeyState.USER32(00000011), ref: 00481C60
GetKeyState.USER32(000000A0), ref: 00481C75
GetKeyState.USER32(000000A1), ref: 00481C8A
GetKeyboardState.USER32(?), ref: 00481CA5
MapVirtualKeyA.USER32(00000000,00000000), ref: 00481CD7
ToAscii.USER32(00000000,00000000,00000000,00000000,?), ref: 00481CDE

Part of subcall function 00481318: ExitThread.KERNEL32(00000000,00000000,00481687,?,00000000,004816C3,?,?,?,?,0000000C,00000000,00000000), ref: 0048135E
Part of subcall function 00481318: CreateThread.KERNEL32(00000000,00000000,Function_000810D4,00000000,00000000,00499F94), ref: 0048162D

CallNextHookEx.USER32(000601F9,00000000,?,?), ref: 00481D3C

Strings

[LEFT], xrefs: 00481C07
[F3], xrefs: 00481B65
[DOWN], xrefs: 00481C2B
[<-], xrefs: 00481B1D
[NUM_LOCK], xrefs: 00481B2F
[RIGHT], xrefs: 00481C19
[F7], xrefs: 00481BAD
[DEL], xrefs: 00481BD1
[UP], xrefs: 00481C3D
[F4], xrefs: 00481B77
[ESC], xrefs: 00481AE7
[F8], xrefs: 00481BBF
[F5], xrefs: 00481B89
[F1], xrefs: 00481B41
[INS], xrefs: 00481BE3
[F6], xrefs: 00481B9B
[SNAPSHOT], xrefs: 00481BF5
[F2], xrefs: 00481B53

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00406C2C, Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184 Total matches: 2899registrystringlibrary

Similarity

Total matches: 2899
API ID: lstrcpyn$LoadLibraryExRegOpenKeyEx$RegQueryValueEx$GetLocaleInfoGetModuleFileNameGetThreadLocaleRegCloseKeylstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 3567661987-2375825460
Opcode ID: a3b1251d448c01bd6f1cc1c42774547fa8a2e6c4aa6bafad0bbf1d0ca6416942
Instruction ID: a303aaa8438224c55303324eb01105260f59544aa3820bfcbc018d52edb30607
Opcode Fuzzy Hash: 7311914307969393E8871B6124157D513A5AF01F30E4A7BF275F0206EABE46110CFA06
Instruction Fuzzy Hash: a303aaa8438224c55303324eb01105260f59544aa3820bfcbc018d52edb30607

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,00400000,004917C0), ref: 00406C48
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,004917C0), ref: 00406C66
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,004917C0), ref: 00406C84
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00406CA2

Part of subcall function 00406A68: GetModuleHandleA.KERNEL32(kernel32.dll,?,00400000,004917C0), ref: 00406A85
Part of subcall function 00406A68: GetProcAddress.KERNEL32(?,GetLongPathNameA,kernel32.dll,?,00400000,004917C0), ref: 00406A9C
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,?,00400000,004917C0), ref: 00406ACC
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B30
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B66
Part of subcall function 00406A68: FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B79
Part of subcall function 00406A68: FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B8B
Part of subcall function 00406A68: lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B97
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000), ref: 00406BCB
Part of subcall function 00406A68: lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00406BD7
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 00406BF9

RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,00406D31,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00406CEB
RegQueryValueExA.ADVAPI32(?,00406E98,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00406D31,?,80000001), ref: 00406D09
RegCloseKey.ADVAPI32(?,00406D38,00000000,?,?,00000000,00406D31,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00406D2B
lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00406D48
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00406D55
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00406D5B
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00406D86
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406DCD
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406DDD
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406E05
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406E15
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00406E3B
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 00406E4B

Strings

Software\Borland\Locales, xrefs: 00406C5C, 00406C7A
Software\Borland\Delphi\Locales, xrefs: 00406C98

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00406D38, Relevance: 15.1, APIs: 10, Instructions: 98 Total matches: 2843stringlibrarythread

Similarity

Total matches: 2843
API ID: lstrcpyn$LoadLibraryEx$GetLocaleInfoGetThreadLocalelstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 2476548892-2375825460
Opcode ID: 37afa4b59127376f4a6833a35b99071d0dffa887068a3353cca0b5e1e5cd2bc3
Instruction ID: 0c520f96d45b86b238466289d2a994e593252e78d5c30d2048b7af96496f657b
Opcode Fuzzy Hash: 4CF0C883479793A7E04B1B422916AC853A4AF00F30F577BE1B970147FE7D1B240CA519
Instruction Fuzzy Hash: 0c520f96d45b86b238466289d2a994e593252e78d5c30d2048b7af96496f657b

APIs

lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00406D48
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00406D55
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00406D5B
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00406D86
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406DCD
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406DDD
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406E05
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406E15
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00406E3B
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 00406E4B

Strings

Software\Borland\Locales, xrefs: 00406C5C, 00406C7A
Software\Borland\Delphi\Locales, xrefs: 00406C98

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AEA8, Relevance: 9.1, APIs: 6, Instructions: 108 Total matches: 122

Similarity

Total matches: 122
API ID: AdjustTokenPrivilegesCloseHandleGetCurrentProcessGetLastErrorLookupPrivilegeValueOpenProcessToken
String ID:
API String ID: 1655903152-0
Opcode ID: c92d68a2c1c5faafb4a28c396f292a277a37f0b40326d7f586547878ef495775
Instruction ID: 5a044237aac15a3989e4021d08b96f5326c338692d3d0e66e444868dbe789150
Opcode Fuzzy Hash: 2CF0468513CAB2E7F879B18C3042FE73458B323244C8437219A903A18E0E59A12CEB13
Instruction Fuzzy Hash: 5a044237aac15a3989e4021d08b96f5326c338692d3d0e66e444868dbe789150

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AEFF
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF05
LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000), ref: 0048AF77
CloseHandle.KERNEL32(?), ref: 0048AF8D
GetLastError.KERNEL32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF9A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DDE0, Relevance: 7.6, APIs: 5, Instructions: 54 Total matches: 153

Similarity

Total matches: 153
API ID: FindResourceFreeResourceLoadResourceLockResourceSizeofResource
String ID:
API String ID: 3885362348-0
Opcode ID: ef8b8e58cde3d28224df1e0c57da641ab2d3d01fa82feb3a30011b4f31433ee9
Instruction ID: 9990bafbf40e834a260b48e1f62370990a3e04654371271e90c167a58edff6a8
Opcode Fuzzy Hash: 08D02B420B5FA197F51656482C813D722876B43386EC42BF2D31A3B2E39F058039F60B
Instruction Fuzzy Hash: 9990bafbf40e834a260b48e1f62370990a3e04654371271e90c167a58edff6a8

APIs

FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 0048DE1A
LoadResource.KERNEL32(00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE24
SizeofResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE2E
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE36
FreeResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00481ED8, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 86 Total matches: 13

Similarity

Total matches: 13
API ID: GetModuleHandleSetWindowsHookEx
String ID: 3 H$dclogs\
API String ID: 987070476-1752027334
Opcode ID: 4b23d8581528a2a1bc1133d8afea0c2915dbad2a911779c2aade704c29555fce
Instruction ID: b2120ba2d2fe5220d185ceeadd256cdd376e4b814eb240eb03e080d2c545ca01
Opcode Fuzzy Hash: 00F0D1DB07A9C683E1A2A4847C42796007D5F07115E8C8BB3473F7A4F64F164026F70A
Instruction Fuzzy Hash: b2120ba2d2fe5220d185ceeadd256cdd376e4b814eb240eb03e080d2c545ca01

APIs

GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00482007,?,?,00000003,00000000,00000000,?,00482033), ref: 00481EFB
SetWindowsHookExA.USER32(0000000D,004818F8,00000000,00000000), ref: 00481F09

Part of subcall function 0048ADCC: SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0048ADF9
Part of subcall function 0048ADCC: SHGetPathFromIDListA.SHELL32(?,?,00000000,0048AE8C,?,?,00000005,?,004856FD,00000000,00485755,?,?,00000005,00000000,00000000), ref: 0048AE09

Part of subcall function 0040A290: GetFileAttributesA.KERNEL32(00000000,?,0048FD09,?,?,00490710,?), ref: 0040A29B

Part of subcall function 00480F70: GetForegroundWindow.USER32 ref: 00480F8F
Part of subcall function 00480F70: GetWindowTextLengthA.USER32(00000000), ref: 00480F9B
Part of subcall function 00480F70: GetWindowTextA.USER32(00000000,00000000,00000001), ref: 00480FB8

Strings

dclogs\, xrefs: 00481F26, 00481F4C, 00481F6E
3 H, xrefs: 00481F16, 00481F23, 00481F30

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047EAEC, Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 149 Total matches: 19windowthread

Similarity

Total matches: 19
API ID: CreateThreadDispatchMessageGetMessageTranslateMessage
String ID: at $,xI$AI$AI$MPI$OFFLINEK$PWD$Unknow
API String ID: 994098336-2744674293
Opcode ID: 9eba81f8e67a9dabaeb5076a6d0005a8d272465a03f2cd78ec5fdf0e8a578f9a
Instruction ID: 2241c7d72abfc068c3e0d2a9a226d44f5f768712d3663902469fbf0e50918cf5
Opcode Fuzzy Hash: E81159DA27FED40AF533B93074417C781661B2B62CE5C53A24E3B38580DE83406A7F06
Instruction Fuzzy Hash: 2241c7d72abfc068c3e0d2a9a226d44f5f768712d3663902469fbf0e50918cf5

APIs

CreateThread.KERNEL32(00000000,00000000,00482028,00000000,00000000,00499F94), ref: 0047EB8D
GetMessageA.USER32(00499F5C,00000000,00000000,00000000), ref: 0047ECBF

Part of subcall function 0040BC98: GetLocalTime.KERNEL32(?), ref: 0040BCA0

Part of subcall function 0040BCC4: GetLocalTime.KERNEL32(?), ref: 0040BCCC

Part of subcall function 0041FA34: GetLastError.KERNEL32(00486514,00000004,0048650C,00000000,0041FADE,?,00499F5C), ref: 0041FA94

Part of subcall function 0041FC40: SetThreadPriority.KERNEL32(?,015CDB28,00499F5C,?,0047EC9E,?,?,?,00000000,00000000,?,0049062B), ref: 0041FC55

Part of subcall function 0041FEF0: ResumeThread.KERNEL32(?,00499F5C,?,0047ECAA,?,?,?,00000000,00000000,?,0049062B), ref: 0041FEF8

TranslateMessage.USER32(00499F5C), ref: 0047ECAD
DispatchMessageA.USER32(00499F5C), ref: 0047ECB3

Strings

OFFLINEK, xrefs: 0047EB61
,xI, xrefs: 0047EC45
AI, xrefs: 0047EB11, 0047EB3E
at , xrefs: 0047EC58
Unknow, xrefs: 0047EC0B
AI, xrefs: 0047EBFA, 0047EC04, 0047EC60
MPI, xrefs: 0047EB9D
PWD, xrefs: 0047EB26

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004458CC, Relevance: 19.9, APIs: 13, Instructions: 386 Total matches: 159window

Similarity

Total matches: 159
API ID: SetFocus$GetFocusIsWindowEnabledPostMessage$GetLastActivePopupIsWindowVisibleSendMessage
String ID:
API String ID: 914620548-0
Opcode ID: 7a550bb8e8bdfffe0a3d884064dd1348bcd58c670023c5df15e5d4cbc78359b7
Instruction ID: ae7cdb1027d949e36366800a998b34cbf022b374fa511ef6be9943eb0d4292bd
Opcode Fuzzy Hash: 79518B4165DF6212E8BB908076A3BE6604BF7C6B9ECC8DF3411D53649B3F44620EE306
Instruction Fuzzy Hash: ae7cdb1027d949e36366800a998b34cbf022b374fa511ef6be9943eb0d4292bd

APIs

Part of subcall function 00445780: SetThreadLocale.KERNEL32(00000400,?,?,?,0044593F,00000000,00445F57), ref: 004457A3

Part of subcall function 00445F90: SetActiveWindow.USER32(?), ref: 00445FB5
Part of subcall function 00445F90: IsWindowEnabled.USER32(00000000), ref: 00445FE1
Part of subcall function 00445F90: SetWindowPos.USER32(?,00000000,00000000,00000000,?,00000000,00000040), ref: 0044602B
Part of subcall function 00445F90: DefWindowProcA.USER32(?,00000112,0000F020,00000000), ref: 00446040

Part of subcall function 00446070: SetActiveWindow.USER32(?), ref: 0044608F
Part of subcall function 00446070: ShowWindow.USER32(00000000,00000009), ref: 004460B4
Part of subcall function 00446070: IsWindowEnabled.USER32(00000000), ref: 004460D3
Part of subcall function 00446070: DefWindowProcA.USER32(?,00000112,0000F120,00000000), ref: 004460EC
Part of subcall function 00446070: SetWindowPos.USER32(?,00000000,00000000,?,?,00445ABE,00000000), ref: 00446132
Part of subcall function 00446070: SetFocus.USER32(00000000), ref: 00446180

Part of subcall function 00445F74: LoadIconA.USER32(00000000,00007F00), ref: 00445F8A

PostMessageA.USER32(?,0000B001,00000000,00000000), ref: 00445BCD

Part of subcall function 00445490: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000213), ref: 004454DE

PostMessageA.USER32(?,0000B000,00000000,00000000), ref: 00445BAB
SendMessageA.USER32(?,?,?,?), ref: 00445C73

Part of subcall function 00405388: FreeLibrary.KERNEL32(00400000,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405410
Part of subcall function 00405388: ExitProcess.KERNEL32(00000000,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405448

Part of subcall function 0044641C: IsWindowEnabled.USER32(00000000), ref: 00446458

IsWindowEnabled.USER32(00000000), ref: 00445D18
IsWindowVisible.USER32(00000000), ref: 00445D2D
GetFocus.USER32 ref: 00445D41
SetFocus.USER32(00000000), ref: 00445D50
SetFocus.USER32(00000000), ref: 00445D6F
IsWindowEnabled.USER32(00000000), ref: 00445DD0
SetFocus.USER32(00000000), ref: 00445DF2
GetLastActivePopup.USER32(?), ref: 00445E0A

Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773

GetFocus.USER32 ref: 00445E4F

Part of subcall function 0043BA80: GetCurrentThreadId.KERNEL32(Function_0003BA1C,00000000,0044283C,00000000,004428BF), ref: 0043BA9A
Part of subcall function 0043BA80: EnumThreadWindows.USER32(00000000,Function_0003BA1C,00000000), ref: 0043BAA0

SetFocus.USER32(00000000), ref: 00445E70

Part of subcall function 00446A88: PostMessageA.USER32(?,0000B01F,00000000,00000000), ref: 00446BA1

Part of subcall function 004466B8: SendMessageA.USER32(?,0000B020,00000001,?), ref: 004466DC

Part of subcall function 0044665C: SendMessageA.USER32(?,0000B020,00000000,?), ref: 0044667E

Part of subcall function 0045D684: SystemParametersInfoA.USER32(00000068,00000000,015E3408,00000000), ref: 0045D6C8
Part of subcall function 0045D684: SendMessageA.USER32(?,?,00000000,00000000), ref: 0045D6DB

Part of subcall function 00445844: DefWindowProcA.USER32(?,?,?,?), ref: 0044586E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004450B4, Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 131 Total matches: 14windowregistry

Similarity

Total matches: 14
API ID: DeleteMenu$GetClassInfoGetSystemMenuRegisterClassSendMessageSetClassLongSetWindowLong
String ID: LPI$PMD
API String ID: 387369179-807424164
Opcode ID: 32fce7ee3e6ac0926511ec3e4f7c98ab685e9b31e2d706daccbfdcda0f6d1d6b
Instruction ID: d56ce0e432135cd6d309e63aa69e29fd16821da0556a9908f65c39b580e9a6e9
Opcode Fuzzy Hash: 5601A6826E8982A2E2E03082381279F408E9F8B745C34A72E50863056EEF4A4178FF06
Instruction Fuzzy Hash: d56ce0e432135cd6d309e63aa69e29fd16821da0556a9908f65c39b580e9a6e9

APIs

Part of subcall function 00421084: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 004210A2

GetClassInfoA.USER32(00400000,00444D50,?), ref: 00445113
RegisterClassA.USER32(004925FC), ref: 0044512B

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

Part of subcall function 0040857C: CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004085BB

SetWindowLongA.USER32(?,000000FC,?), ref: 004451C2
DeleteMenu.USER32(00000000,0000F010,00000000), ref: 00445235

Part of subcall function 00445F74: LoadIconA.USER32(00000000,00007F00), ref: 00445F8A

SendMessageA.USER32(?,00000080,00000001,00000000), ref: 004451E4
SetClassLongA.USER32(?,000000F2,00000000), ref: 004451F7
GetSystemMenu.USER32(?,00000000), ref: 00445202
DeleteMenu.USER32(00000000,0000F030,00000000), ref: 00445211
DeleteMenu.USER32(00000000,0000F000,00000000), ref: 0044521E

Strings

PMD, xrefs: 00445107, 0044519E
LPI, xrefs: 004450DD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045DAE0, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 103 Total matches: 45registrylibraryloader

Similarity

Total matches: 45
API ID: GlobalAddAtom$GetCurrentProcessIdGetCurrentThreadIdGetModuleHandleGetProcAddressRegisterWindowMessage
String ID: AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$USER32
API String ID: 1182141063-1126952177
Opcode ID: f8c647dae10644b7e730f5649d963eb01b1b77fd7d0b633dfddc8baab0ae74fb
Instruction ID: 6dc9b78338348dc7afd8e3f20dad2926db9f0bd5be2625dc934bf3846c6fa984
Opcode Fuzzy Hash: ED0140552F89B147427255E03449BB534B6A707F4B4CA77531B0D3A1F9AE074025FB1E
Instruction Fuzzy Hash: 6dc9b78338348dc7afd8e3f20dad2926db9f0bd5be2625dc934bf3846c6fa984

APIs

GetCurrentProcessId.KERNEL32(?,00000000,0045DC58), ref: 0045DB01
GlobalAddAtomA.KERNEL32(00000000), ref: 0045DB34
GetCurrentThreadId.KERNEL32(?,?,00000000,0045DC58), ref: 0045DB4F
GlobalAddAtomA.KERNEL32(00000000), ref: 0045DB85
RegisterWindowMessageA.USER32(00000000,00000000,?,?,00000000,0045DC58), ref: 0045DB9B

Part of subcall function 00419AB0: InitializeCriticalSection.KERNEL32(004174C8,?,?,0045DBB1,00000000,00000000,?,?,00000000,0045DC58), ref: 00419ACF

Part of subcall function 0045D6E8: SetErrorMode.KERNEL32(00008000), ref: 0045D701
Part of subcall function 0045D6E8: GetModuleHandleA.KERNEL32(USER32,00000000,0045D84E,?,00008000), ref: 0045D725
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,WINNLSEnableIME,USER32,00000000,0045D84E,?,00008000), ref: 0045D732
Part of subcall function 0045D6E8: LoadLibraryA.KERNEL32(imm32.dll), ref: 0045D74E
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D770
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D785
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D79A
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7AF
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7C4
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E), ref: 0045D7D9
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000), ref: 0045D7EE
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext), ref: 0045D803
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext), ref: 0045D818
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmNotifyIME,00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus), ref: 0045D82D
Part of subcall function 0045D6E8: SetErrorMode.KERNEL32(?,0045D855,00008000), ref: 0045D848

Part of subcall function 00443B58: GetKeyboardLayout.USER32(00000000), ref: 00443B9D
Part of subcall function 00443B58: GetDC.USER32(00000000), ref: 00443BF2
Part of subcall function 00443B58: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00443BFC
Part of subcall function 00443B58: ReleaseDC.USER32(00000000,00000000), ref: 00443C07

Part of subcall function 00444D60: LoadIconA.USER32(00400000,MAINICON), ref: 00444E57
Part of subcall function 00444D60: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON), ref: 00444E89
Part of subcall function 00444D60: OemToCharA.USER32(?,?), ref: 00444E9C
Part of subcall function 00444D60: CharNextA.USER32(?), ref: 00444EDB
Part of subcall function 00444D60: CharLowerA.USER32(00000000), ref: 00444EE1

GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,?,00000000,0045DC58), ref: 0045DC1F
GetProcAddress.KERNEL32(00000000,AnimateWindow,USER32,00000000,00000000,?,?,00000000,0045DC58), ref: 0045DC30

Strings

Delphi%.8X, xrefs: 0045DB12
ControlOfs%.8X%.8X, xrefs: 0045DB63
AnimateWindow, xrefs: 0045DC2A
USER32, xrefs: 0045DC1A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444D60, Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 135 Total matches: 14window

Similarity

Total matches: 14
API ID: CharLowerCharNextGetModuleFileNameLoadIconOemToChar
String ID: 08B$0PI$8PI$MAINICON$\tA
API String ID: 1282013903-4242882941
Opcode ID: ff2b085099440c5ca1f97a8a9a6e2422089f81c1f58cd04fd4e646ad6fccc634
Instruction ID: 1a7e1b5cc773515fc1e1ce3387cb9199d5a608ac43a7cc09dd1af1e5a3a2e712
Opcode Fuzzy Hash: 76112C42068596E4E03967743814BC96091FB95F3AEB8AB7156F570BE48F418125F31C
Instruction Fuzzy Hash: 1a7e1b5cc773515fc1e1ce3387cb9199d5a608ac43a7cc09dd1af1e5a3a2e712

APIs

LoadIconA.USER32(00400000,MAINICON), ref: 00444E57

Part of subcall function 0042B29C: GetIconInfo.USER32(?,?), ref: 0042B2BD
Part of subcall function 0042B29C: GetObjectA.GDI32(?,00000018,?), ref: 0042B2DE
Part of subcall function 0042B29C: DeleteObject.GDI32(?), ref: 0042B30A
Part of subcall function 0042B29C: DeleteObject.GDI32(?), ref: 0042B313

GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON), ref: 00444E89
OemToCharA.USER32(?,?), ref: 00444E9C
CharNextA.USER32(?), ref: 00444EDB
CharLowerA.USER32(00000000), ref: 00444EE1

Part of subcall function 00421140: GetClassInfoA.USER32(00400000,00421130,?), ref: 00421161
Part of subcall function 00421140: UnregisterClassA.USER32(00421130,00400000), ref: 0042118A
Part of subcall function 00421140: RegisterClassA.USER32(00491B50), ref: 00421194
Part of subcall function 00421140: SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 004211DF

Part of subcall function 004450B4: GetClassInfoA.USER32(00400000,00444D50,?), ref: 00445113
Part of subcall function 004450B4: RegisterClassA.USER32(004925FC), ref: 0044512B
Part of subcall function 004450B4: SetWindowLongA.USER32(?,000000FC,?), ref: 004451C2
Part of subcall function 004450B4: SendMessageA.USER32(?,00000080,00000001,00000000), ref: 004451E4
Part of subcall function 004450B4: SetClassLongA.USER32(?,000000F2,00000000), ref: 004451F7
Part of subcall function 004450B4: GetSystemMenu.USER32(?,00000000), ref: 00445202
Part of subcall function 004450B4: DeleteMenu.USER32(00000000,0000F030,00000000), ref: 00445211
Part of subcall function 004450B4: DeleteMenu.USER32(00000000,0000F000,00000000), ref: 0044521E
Part of subcall function 004450B4: DeleteMenu.USER32(00000000,0000F010,00000000), ref: 00445235

Strings

MAINICON, xrefs: 00444E4A
08B, xrefs: 00444E38
0PI, xrefs: 00444E4F, 00444E81
8PI, xrefs: 00444F14
\tA, xrefs: 00444DBF, 00444DD1, 00444DE3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00481318, Relevance: 16.0, APIs: 2, Strings: 7, Instructions: 241 Total matches: 16thread

Similarity

Total matches: 16
API ID: CreateThreadExitThread
String ID: Bytes ($,xI$:: $:: Clipboard Change : size = $FTPSIZE$FTPUPLOADK$dclogs\
API String ID: 3550501405-4171340091
Opcode ID: 09ac825b311b0dae764bb850de313dcff2ce8638679eaf641d47129c8347c1b6
Instruction ID: 18a29a8180aa3c51a0af157095e3a2943ba53103427a66675ab0ae847ae08d92
Opcode Fuzzy Hash: A8315BC70B99DEDBE522BCD838413A6446E1B4364DD4C1B224B397D4F14F09203AF712
Instruction Fuzzy Hash: 18a29a8180aa3c51a0af157095e3a2943ba53103427a66675ab0ae847ae08d92

APIs

ExitThread.KERNEL32(00000000,00000000,00481687,?,00000000,004816C3,?,?,?,?,0000000C,00000000,00000000), ref: 0048135E

Part of subcall function 00480F70: GetForegroundWindow.USER32 ref: 00480F8F
Part of subcall function 00480F70: GetWindowTextLengthA.USER32(00000000), ref: 00480F9B
Part of subcall function 00480F70: GetWindowTextA.USER32(00000000,00000000,00000001), ref: 00480FB8

Part of subcall function 0048ADCC: SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0048ADF9
Part of subcall function 0048ADCC: SHGetPathFromIDListA.SHELL32(?,?,00000000,0048AE8C,?,?,00000005,?,004856FD,00000000,00485755,?,?,00000005,00000000,00000000), ref: 0048AE09

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

Part of subcall function 0040BCC4: GetLocalTime.KERNEL32(?), ref: 0040BCCC

Part of subcall function 00480FEC: FindFirstFileA.KERNEL32(00000000,?,00000000,0048109E), ref: 0048101E

CreateThread.KERNEL32(00000000,00000000,Function_000810D4,00000000,00000000,00499F94), ref: 0048162D

Strings

FTPUPLOADK, xrefs: 0048159E
,xI, xrefs: 00481482, 0048151D
dclogs\, xrefs: 004813DB, 0048142A, 004815C7
FTPSIZE, xrefs: 004815F1
:: , xrefs: 00481492
Bytes (, xrefs: 0048153F
:: Clipboard Change : size = , xrefs: 0048152D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048B908, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 138 Total matches: 28

Similarity

Total matches: 28
API ID: GetTokenInformation$CloseHandleGetCurrentProcessOpenProcessToken
String ID: Default$Full$Limited$unknow
API String ID: 3519712506-3005279702
Opcode ID: c9e83fe5ef618880897256b557ce500f1bf5ac68e7136ff2dc4328b35d11ffd0
Instruction ID: 0b4c06dab34d27ad9d68d80be0f4d698db9405c4a95def130c1ac261927f5781
Opcode Fuzzy Hash: 94012245479DA6FB6826709C78036E90090EEA3505DC827320F1A3EA430F49906DFE03
Instruction Fuzzy Hash: 0b4c06dab34d27ad9d68d80be0f4d698db9405c4a95def130c1ac261927f5781

APIs

GetCurrentProcess.KERNEL32(00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B93E
OpenProcessToken.ADVAPI32(00000000,00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B944
GetTokenInformation.ADVAPI32(?,00000012(TokenIntegrityLevel),?,00000004,?,00000000,0048BA30,?,00000000,00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B96F
GetTokenInformation.ADVAPI32(?,00000014(TokenIntegrityLevel),?,00000004,?,?,TokenIntegrityLevel,?,00000004,?,00000000,0048BA30,?,00000000,00000008,?), ref: 0048B9DF
CloseHandle.KERNEL32(?), ref: 0048BA2A

Strings

unknow, xrefs: 0048B9B6
Limited, xrefs: 0048B9A7
Default, xrefs: 0048B989
Full, xrefs: 0048B998

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004035C4, Relevance: 15.1, APIs: 10, Instructions: 129 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: d538ecb20819965be69077a828496b76d5af3486dd71f6717b9dc933de35fdbc
Instruction ID: c976212507a0127e09b4f1878ff8970bdbefa7b4a5e526d5fabf74a192684bc9
Opcode Fuzzy Hash: DD012BC0B7E89268E42FAB84AA00FD25444979FFC9E70C74433C9615EE6742616CBE09
Instruction Fuzzy Hash: c976212507a0127e09b4f1878ff8970bdbefa7b4a5e526d5fabf74a192684bc9

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040364C
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00403670
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040368C
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 004036AD
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 004036D6
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 004036E4
GetStdHandle.KERNEL32(000000F5), ref: 0040371F
GetFileType.KERNEL32 ref: 00403735
CloseHandle.KERNEL32 ref: 00403750
GetLastError.KERNEL32(000000F5), ref: 00403768

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040EBCC, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201 Total matches: 3634thread

Similarity

Total matches: 3634
API ID: GetThreadLocale
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 1366207816-2493093252
Opcode ID: 01a36ac411dc2f0c4b9eddfafa1dc6121dabec367388c2cb1b6e664117e908cf
Instruction ID: d03f869ccb848d3c28b0e9f5c57a02ed4726818649ba9b5e70cc30c7e7abe10a
Opcode Fuzzy Hash: 7E216E09A7888936D262494C3885B9414F75F1A161EC4CBF18BB2757ED6EC60422FBFB
Instruction Fuzzy Hash: d03f869ccb848d3c28b0e9f5c57a02ed4726818649ba9b5e70cc30c7e7abe10a

APIs

Part of subcall function 0040EB08: GetThreadLocale.KERNEL32 ref: 0040EB2A
Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000004A), ref: 0040EB7D
Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000002A), ref: 0040EB8C

Part of subcall function 0040D3E8: GetThreadLocale.KERNEL32(00000000,0040D4FB,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040D404

GetThreadLocale.KERNEL32(00000000,0040EE97,?,?,00000000,00000000), ref: 0040EC02

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Part of subcall function 0040D380: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040EC7E,00000000,0040EE97,?,?,00000000,00000000), ref: 0040D393

Part of subcall function 0040D670: GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(?,00000000,0040D657,?,?,00000000), ref: 0040D5D8
Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040D657,?,?,00000000), ref: 0040D608
Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D50C,00000000,00000000,00000004), ref: 0040D613
Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040D657,?,?,00000000), ref: 0040D631
Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D548,00000000,00000000,00000003), ref: 0040D63C

Strings

AMPM , xrefs: 0040EE25
mmmm d, yyyy, xrefs: 0040ECFE
m/d/yy, xrefs: 0040ECD1
:mm, xrefs: 0040EE35
:mm:ss, xrefs: 0040EE52
AMPM, xrefs: 0040EE16

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045F5F8, Relevance: 10.6, APIs: 7, Instructions: 117 Total matches: 462file

Similarity

Total matches: 462
API ID: CloseHandle$CreateFileCreateFileMappingGetFileSizeMapViewOfFileUnmapViewOfFile
String ID:
API String ID: 4232242029-0
Opcode ID: 30b260463d44c6b5450ee73c488d4c98762007a87f67d167b52aaf6bd441c3bf
Instruction ID: 5c790fdba87d6d3a28b45298bdc34f72c373fcd78425af207109af52e92f4d8f
Opcode Fuzzy Hash: 68F028440BCCF3A7F4B5B64820427A1004AAB46B58D54BFA25495374CB89C9B04DFB53
Instruction Fuzzy Hash: 5c790fdba87d6d3a28b45298bdc34f72c373fcd78425af207109af52e92f4d8f

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateFileA.KERNEL32(00000000,80000000,00000003,00000000,00000003,08000080,00000000), ref: 0045F637
CreateFileMappingA.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0045F665
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718,?,?,?,?), ref: 0045F691
GetFileSize.KERNEL32(000000FF,00000000,00000000,0045F6DC,?,00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718), ref: 0045F6B3
UnmapViewOfFile.KERNEL32(00000000,0045F6E3,0045F6DC,?,00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718), ref: 0045F6D6
CloseHandle.KERNEL32(00000000), ref: 0045F6F4
CloseHandle.KERNEL32(000000FF), ref: 0045F712

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AFE8, Relevance: 10.6, APIs: 7, Instructions: 94 Total matches: 34sleep

Similarity

Total matches: 34
API ID: Sleep$GetCurrentProcessGetTokenInformationLookupPrivilegeDisplayNameLookupPrivilegeNameOpenProcessToken
String ID:
API String ID: 2949210484-0
Opcode ID: 1294ace95088db967643d611283e857756515b83d680ef470e886f47612abab4
Instruction ID: 080af5cb768fd98714a9d060fcd45c73de1816ca9ba7ffb4874f351f539571ee
Opcode Fuzzy Hash: F9F0F6524B5DE753F65D2A4C9893BE90250DB03424E806B22857877A8A5E195039FA2A
Instruction Fuzzy Hash: 080af5cb768fd98714a9d060fcd45c73de1816ca9ba7ffb4874f351f539571ee

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048B0F3), ref: 0048B016
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048B0F3), ref: 0048B01C
Sleep.KERNEL32(00000001,00000000,00000028,?,00000000,0048B0F3), ref: 0048B027
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B03C
Sleep.KERNEL32(00000001,?,TokenIntegrityLevel,00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B047
LookupPrivilegeNameA.ADVAPI32(00000000,00000004,00000000,000000FF), ref: 0048B094
LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,?,000000FF,?), ref: 0048B0A8

Part of subcall function 0048AEA8: GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AEFF
Part of subcall function 0048AEA8: OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF05
Part of subcall function 0048AEA8: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
Part of subcall function 0048AEA8: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000), ref: 0048AF77
Part of subcall function 0048AEA8: CloseHandle.KERNEL32(?), ref: 0048AF8D
Part of subcall function 0048AEA8: GetLastError.KERNEL32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF9A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048F888, Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 110 Total matches: 18

Similarity

Total matches: 18
API ID: CoInitialize
String ID: .dcp$DCDATA$GENCODE$MPI$NETDATA
API String ID: 2346599605-3060965071
Opcode ID: 5b2698c0d83cdaee763fcf6fdf8d4463e192853437356cece5346bd183c87f4d
Instruction ID: bf1364519f653df7cd18a9a38ec8bfca38719d83700d8c9dcdc44dde4d16a583
Opcode Fuzzy Hash: 990190478FEEC01AF2139D64387B7C100994F53F55E840B9B557D3E5A08947502BB705
Instruction Fuzzy Hash: bf1364519f653df7cd18a9a38ec8bfca38719d83700d8c9dcdc44dde4d16a583

APIs

Part of subcall function 004076D4: GetModuleHandleA.KERNEL32(00000000,?,0048F8A5,?,?,?,0000002F,00000000,00000000), ref: 004076E0

CoInitialize.OLE32(00000000), ref: 0048F8B5

Part of subcall function 0048AFE8: GetCurrentProcess.KERNEL32(00000028,?,00000000,0048B0F3), ref: 0048B016
Part of subcall function 0048AFE8: OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048B0F3), ref: 0048B01C
Part of subcall function 0048AFE8: Sleep.KERNEL32(00000001,00000000,00000028,?,00000000,0048B0F3), ref: 0048B027
Part of subcall function 0048AFE8: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B03C
Part of subcall function 0048AFE8: Sleep.KERNEL32(00000001,?,TokenIntegrityLevel,00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B047
Part of subcall function 0048AFE8: LookupPrivilegeNameA.ADVAPI32(00000000,00000004,00000000,000000FF), ref: 0048B094
Part of subcall function 0048AFE8: LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,?,000000FF,?), ref: 0048B0A8

Part of subcall function 0040F234: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0048F90F,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040F24B

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

Strings

.dcp, xrefs: 0048F92D, 0048F989
DCDATA, xrefs: 0048F8E9
NETDATA, xrefs: 0048F9B6
MPI, xrefs: 0048F8BA
GENCODE, xrefs: 0048F920, 0048F97C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B47C, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58 Total matches: 283

Similarity

Total matches: 283
API ID: MulDiv
String ID: MS Shell Dlg 2$SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes$Tahoma
API String ID: 940359406-1011973972
Opcode ID: 9f338f1e3de2c8e95426f3758bdd42744a67dcd51be80453ed6f2017c850a3af
Instruction ID: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a
Opcode Fuzzy Hash: EDE0680017C8F0ABFC32BC8A30A17CD20C9F341270C0063B1065D3D8CAAB4AC018E907
Instruction Fuzzy Hash: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a

APIs

MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0042B4A2

Part of subcall function 004217A0: RegCloseKey.ADVAPI32(10940000,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5,?,00000000,0048B2DD), ref: 004217B4

Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421A81
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421AF1
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?), ref: 00421B5C

Part of subcall function 00421770: RegFlushKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 00421781
Part of subcall function 00421770: RegCloseKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 0042178A

Part of subcall function 0042B438: GetDC.USER32(00000000), ref: 0042B441
Part of subcall function 0042B438: SelectObject.GDI32(00000000,018A002E), ref: 0042B453
Part of subcall function 0042B438: GetTextMetricsA.GDI32(00000000), ref: 0042B45E
Part of subcall function 0042B438: ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes, xrefs: 0042B4F8
MS Shell Dlg 2, xrefs: 0042B50C
Tahoma, xrefs: 0042B4C4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00480F70, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43 Total matches: 13

Similarity

Total matches: 13
API ID: GetForegroundWindowGetWindowTextGetWindowTextLength
String ID: 3 H
API String ID: 3098183346-888106971
Opcode ID: 38df64794ac19d1a41c58ddb3103a8d6ab7d810f67298610b47d21a238081d5e
Instruction ID: fd1deb06fecc2756381cd848e34cdb6bc2d530e728f99936ce181bacb4a15fce
Opcode Fuzzy Hash: 41D0A785074A821B944A95CC64011E692D4A171281D803B31CB257A5C9ED06001FA82B
Instruction Fuzzy Hash: fd1deb06fecc2756381cd848e34cdb6bc2d530e728f99936ce181bacb4a15fce

APIs

GetForegroundWindow.USER32 ref: 00480F8F
GetWindowTextLengthA.USER32(00000000), ref: 00480F9B
GetWindowTextA.USER32(00000000,00000000,00000001), ref: 00480FB8

Strings

3 H, xrefs: 00480FD4, 00480FA3, 00480FAE, 00480FBF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00421140, Relevance: 6.1, APIs: 4, Instructions: 59 Total matches: 2877registry

Similarity

Total matches: 2877
API ID: GetClassInfoRegisterClassSetWindowLongUnregisterClass
String ID:
API String ID: 1046148194-0
Opcode ID: c2411987b4f71cfd8dbf515c505d6b009a951c89100e7b51cc1a9ad4868d85a2
Instruction ID: ad09bb2cd35af243c34bf0a983bbfa5e937b059beb8f7eacfcf21e0321a204f6
Opcode Fuzzy Hash: 17E026123D08D3D6E68B3107302B30D00AC1B2F524D94E725428030310CB24B034D942
Instruction Fuzzy Hash: ad09bb2cd35af243c34bf0a983bbfa5e937b059beb8f7eacfcf21e0321a204f6

APIs

GetClassInfoA.USER32(00400000,00421130,?), ref: 00421161
UnregisterClassA.USER32(00421130,00400000), ref: 0042118A
RegisterClassA.USER32(00491B50), ref: 00421194

Part of subcall function 0040857C: CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004085BB

Part of subcall function 00421084: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 004210A2

SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 004211DF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00421808, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74 Total matches: 14registry

Similarity

Total matches: 14
API ID: RegCloseKeyRegCreateKeyEx
String ID: ddA
API String ID: 4178925417-2966775115
Opcode ID: 48d059bb8e84bc3192dc11d099b9e0818b120cb04e32a6abfd9049538a466001
Instruction ID: bcac8fa413c5abe8057b39d2fbf4054ffa52545f664d92bf1e259ce37bb87d2b
Opcode Fuzzy Hash: 99E0E5461A86A377B41BB1583001B523267EB167A6C85AB72164D3EADBAA40802DAE53
Instruction Fuzzy Hash: bcac8fa413c5abe8057b39d2fbf4054ffa52545f664d92bf1e259ce37bb87d2b

APIs

RegCreateKeyExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,000F003F,00000000,?,?,00000000,004218D4,?,?,?,00000000), ref: 0042187F
RegCloseKey.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,000F003F,00000000,?,?,00000000,004218D4,?,?,?,00000000), ref: 00421893

Strings

ddA, xrefs: 004218A7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486374, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66 Total matches: 15network

Similarity

Total matches: 15
API ID: send
String ID: #KEEPALIVE#$AI
API String ID: 2809346765-3407633610
Opcode ID: 7bd268bc54a74c8d262fb2d4f92eedc3231c4863c0e0b1ad2c3d318767d32110
Instruction ID: 49a0c3b4463e99ba8d4a2c6ba6a42864ce88c18c059a57f1afd8745127692009
Opcode Fuzzy Hash: 34E068800B79C40B586BB094394371320D2EE1171988473305F003F967CD40501E2E93
Instruction Fuzzy Hash: 49a0c3b4463e99ba8d4a2c6ba6a42864ce88c18c059a57f1afd8745127692009

APIs

send.WSOCK32(?,?,?,00000000,00000000,0048642A), ref: 004863F3

Strings

AI, xrefs: 004863A6
#KEEPALIVE#, xrefs: 00486399

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DD0C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51 Total matches: 15

Similarity

Total matches: 15
API ID: GlobalMemoryStatus
String ID: $%d%
API String ID: 1890195054-1553997471
Opcode ID: b93ee82e74eb3fdc7cf13e02b5efcaa0aef25b4b863b00f7ccdd0b9efdff76e6
Instruction ID: fe5533f6b2d125ff6ee6e2ff500c73019a28ed325643b914abb945f4eac8f20d
Opcode Fuzzy Hash: 64D05BD70F99F457A5A1718E3452FA400956F036D9CC83BB349946E99F071F80ACF612
Instruction Fuzzy Hash: fe5533f6b2d125ff6ee6e2ff500c73019a28ed325643b914abb945f4eac8f20d

APIs

GlobalMemoryStatus.KERNEL32(00000020), ref: 0048DD44

Strings

%d%, xrefs: 0048DD5C
, xrefs: 0048DD39

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C91C, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 75 Total matches: 20

Similarity

Total matches: 20
API ID: GetVolumeInformation
String ID: %.4x:%.4x
API String ID: 1114431059-3532927987
Opcode ID: 208ca3ebf28c5cea15b573a569a7b8c9d147c1ff64dfac4d15af7b461a718bc8
Instruction ID: 4ae5e3aba91ec141201c4859cc19818ff8a02ee484ece83311eb3b9305c11bcf
Opcode Fuzzy Hash: F8E0E5410AC961EBB4D3F0883543BA2319593A3289C807B73B7467FDD64F05505DD847
Instruction Fuzzy Hash: 4ae5e3aba91ec141201c4859cc19818ff8a02ee484ece83311eb3b9305c11bcf

APIs

GetVolumeInformationA.KERNEL32(00000000,00000000,00000104,?,?,?,00000000,00000104), ref: 0048C974

Strings

%.4x:%.4x, xrefs: 0048C9B9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004221F0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47 Total matches: 18registry

Similarity

Total matches: 18
API ID: RegQueryValueEx
String ID: ldA
API String ID: 3865029661-3200660723
Opcode ID: ec304090a766059ca8447c7e950ba422bbcd8eaba57a730efadba48c404323b5
Instruction ID: 1bfdbd06430122471a07604155f074e1564294130eb9d59a974828bfc3ff2ca5
Opcode Fuzzy Hash: 87D05E281E48858525DA74D93101B522241E7193938CC3F618A4C976EB6900F018EE0F
Instruction Fuzzy Hash: 1bfdbd06430122471a07604155f074e1564294130eb9d59a974828bfc3ff2ca5

APIs

RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000), ref: 0042221B

Strings

ldA, xrefs: 00422231

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00421F68, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36 Total matches: 12registry

Similarity

Total matches: 12
API ID: RegQueryValueEx
String ID: n"B
API String ID: 3865029661-2187876772
Opcode ID: 26fd4214dafc6fead50bf7e0389a84ae86561299910b3c40f1938d96c80dcc37
Instruction ID: ad829994a2409f232093606efc953ae9cd3a3a4e40ce86781ec441e637d7f613
Opcode Fuzzy Hash: A2C08C4DAA204AD6E1B42500D481F0827816B633B9D826F400162222E3BA009A9FE85C
Instruction Fuzzy Hash: ad829994a2409f232093606efc953ae9cd3a3a4e40ce86781ec441e637d7f613

APIs

RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,00000000,n"B,?,?,?,?,00000000,0042226E), ref: 00421F9A

Strings

n"B, xrefs: 00421F81, 00421F84

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Similar Non-Executed Functions

Function 0048B42C, Relevance: 70.2, APIs: 32, Strings: 8, Instructions: 219 Total matches: 29keyboard

Similarity

Total matches: 29
API ID: keybd_event
String ID: CTRLA$CTRLC$CTRLF$CTRLP$CTRLV$CTRLX$CTRLY$CTRLZ
API String ID: 2665452162-853614746
Opcode ID: 4def22f753c7f563c1d721fcc218f3f6eb664e5370ee48361dbc989d32d74133
Instruction ID: 963b610819eac8b52ef880b5a8b69d76f76adbdeafee6c47af906d1515d6b099
Opcode Fuzzy Hash: 532196951B0CA2B978DA64817C0E195F00B969B34DEDC13128990DAF788EF08DE03F35
Instruction Fuzzy Hash: 963b610819eac8b52ef880b5a8b69d76f76adbdeafee6c47af906d1515d6b099

APIs

keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B460
keybd_event.USER32(00000041,00000045,00000001,00000000), ref: 0048B46D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B47A
keybd_event.USER32(00000041,00000045,00000003,00000000), ref: 0048B487
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B4A8
keybd_event.USER32(00000056,00000045,00000001,00000000), ref: 0048B4B5
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B4C2
keybd_event.USER32(00000056,00000045,00000003,00000000), ref: 0048B4CF
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B4F0
keybd_event.USER32(00000043,00000045,00000001,00000000), ref: 0048B4FD
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B50A
keybd_event.USER32(00000043,00000045,00000003,00000000), ref: 0048B517
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B538
keybd_event.USER32(00000058,00000045,00000001,00000000), ref: 0048B545
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B552
keybd_event.USER32(00000058,00000045,00000003,00000000), ref: 0048B55F
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B580
keybd_event.USER32(00000050,00000045,00000001,00000000), ref: 0048B58D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B59A
keybd_event.USER32(00000050,00000045,00000003,00000000), ref: 0048B5A7
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B5C8
keybd_event.USER32(0000005A,00000045,00000001,00000000), ref: 0048B5D5
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B5E2
keybd_event.USER32(0000005A,00000045,00000003,00000000), ref: 0048B5EF
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B610
keybd_event.USER32(00000059,00000045,00000001,00000000), ref: 0048B61D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B62A
keybd_event.USER32(00000059,00000045,00000003,00000000), ref: 0048B637
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B655
keybd_event.USER32(00000046,00000045,00000001,00000000), ref: 0048B662
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B66F
keybd_event.USER32(00000046,00000045,00000003,00000000), ref: 0048B67C

Strings

CTRLP, xrefs: 0048B56C
CTRLC, xrefs: 0048B4DC
CTRLV, xrefs: 0048B494
CTRLY, xrefs: 0048B5FC
CTRLF, xrefs: 0048B641
CTRLZ, xrefs: 0048B5B4
CTRLX, xrefs: 0048B524
CTRLA, xrefs: 0048B44C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00460AC0, Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99 Total matches: 300libraryloader

Similarity

Total matches: 300
API ID: GetProcAddress$GetModuleHandle
String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$[FILE]
API String ID: 1039376941-2682310058
Opcode ID: f09c306a48b0de2dd47c8210d3bd2ba449cfa3644c05cf78ba5a2ace6c780295
Instruction ID: bcfc9cd07546656776842482fc67dab96c7523a4dc8624f3bf5282ed84c56a54
Opcode Fuzzy Hash: 950151BF00AC158CCBB0CE8834EFB5324AB398984C4225F4495C6312393D9FF50A1AAA
Instruction Fuzzy Hash: bcfc9cd07546656776842482fc67dab96c7523a4dc8624f3bf5282ed84c56a54

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?,?,?), ref: 00460AD4
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?,?,?), ref: 00460AEC
GetProcAddress.KERNEL32(00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?), ref: 00460AFE
GetProcAddress.KERNEL32(00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E), ref: 00460B10
GetProcAddress.KERNEL32(00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5), ref: 00460B22
GetProcAddress.KERNEL32(00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5), ref: 00460B34
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000), ref: 00460B46
GetProcAddress.KERNEL32(00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002), ref: 00460B58
GetProcAddress.KERNEL32(00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot), ref: 00460B6A
GetProcAddress.KERNEL32(00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst), ref: 00460B7C
GetProcAddress.KERNEL32(00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext), ref: 00460B8E
GetProcAddress.KERNEL32(00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First), ref: 00460BA0
GetProcAddress.KERNEL32(00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next), ref: 00460BB2
GetProcAddress.KERNEL32(00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory), ref: 00460BC4
GetProcAddress.KERNEL32(00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First), ref: 00460BD6
GetProcAddress.KERNEL32(00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next), ref: 00460BE8
GetProcAddress.KERNEL32(00000000,Module32NextW,00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW), ref: 00460BFA

Strings

Toolhelp32ReadProcessMemory, xrefs: 00460B3E
CreateToolhelp32Snapshot, xrefs: 00460AE4
Heap32First, xrefs: 00460B1A
Thread32First, xrefs: 00460B98
Module32First, xrefs: 00460BBC
Process32FirstW, xrefs: 00460B74
Heap32Next, xrefs: 00460B2C
Process32First, xrefs: 00460B50
Module32Next, xrefs: 00460BCE
Module32NextW, xrefs: 00460BF2
Heap32ListFirst, xrefs: 00460AF6
Thread32Next, xrefs: 00460BAA
Module32FirstW, xrefs: 00460BE0
Heap32ListNext, xrefs: 00460B08
Process32NextW, xrefs: 00460B86
kernel32.dll, xrefs: 00460ACF
Process32Next, xrefs: 00460B62

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428B08, Relevance: 48.5, APIs: 32, Instructions: 500 Total matches: 1987window

Similarity

Total matches: 1987
API ID: SelectObject$SelectPalette$CreateCompatibleDCGetDIBitsGetDeviceCapsRealizePaletteSetBkColorSetTextColor$BitBltCreateBitmapCreateCompatibleBitmapCreateDIBSectionDeleteDCFillRectGetDCGetDIBColorTableGetObjectPatBltSetDIBColorTable
String ID:
API String ID: 3042800676-0
Opcode ID: b8b687cee1c9a2d9d2f26bc490dbdcc6ec68fc2f2ec1aa58312beb2e349b1411
Instruction ID: ff68489d249ea03a763d48795c58495ac11dd1cccf96ec934182865f2a9e2114
Opcode Fuzzy Hash: E051494D0D8CF5C7B4BF29880993F5211816F83A27D2AB7130975677FB8A05A05BF21D
Instruction Fuzzy Hash: ff68489d249ea03a763d48795c58495ac11dd1cccf96ec934182865f2a9e2114

APIs

GetObjectA.GDI32(00000000,00000054,?), ref: 00428B88
GetDC.USER32(00000000), ref: 00428B99
CreateCompatibleDC.GDI32(00000000), ref: 00428BAA
CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 00428BF6
CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 00428C1A
GetDeviceCaps.GDI32(00000028,0000000C), ref: 00428C6A
GetDeviceCaps.GDI32(00000028,0000000E), ref: 00428C77
SelectObject.GDI32(?,?), ref: 00428D7F

Part of subcall function 004262B4: GetObjectA.GDI32(?,00000004), ref: 004262CB
Part of subcall function 004262B4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 004262EE

SelectObject.GDI32(?,00000000), ref: 00428D21
GetDIBColorTable.GDI32(?,00000000,00000100,-00000027), ref: 00428D47
GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428D72
CreateDIBSection.GDI32(00000028,00000001,00000000,00000003,00000000,00000000), ref: 00428DD5
GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428E36

Part of subcall function 00425A70: GetLastError.KERNEL32(00000000,00425B0C), ref: 00425A90
Part of subcall function 00425A70: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00425B0C), ref: 00425AB6

SelectObject.GDI32(?,?), ref: 00428E77
SelectPalette.GDI32(?,00000000,00000000), ref: 00428EB7
RealizePalette.GDI32(?), ref: 00428EC3
SelectPalette.GDI32(?,?,000000FF), ref: 004290CE

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?,00000000), ref: 00428F14
SetTextColor.GDI32(?,00000000), ref: 00428F2C
SetBkColor.GDI32(?,00000000), ref: 00428F46
SetDIBColorTable.GDI32(?,00000000,00000002,?), ref: 00428F8E
PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 00428FB0
CreateCompatibleDC.GDI32(00000028), ref: 00428FC3
SelectObject.GDI32(?,00000000), ref: 00428FE6
SelectPalette.GDI32(?,00000000,00000000), ref: 00429002
RealizePalette.GDI32(?), ref: 0042900D
DeleteDC.GDI32(?), ref: 004290A4

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetTextColor.GDI32(?,00000000), ref: 0042902B
SetBkColor.GDI32(?,00000000), ref: 00429045
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042906D
SelectPalette.GDI32(?,00000000,000000FF), ref: 0042907F
SelectObject.GDI32(?,00000000), ref: 00429089

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047FA8C, Relevance: 44.0, APIs: 24, Strings: 1, Instructions: 241 Total matches: 15networkwindow

Similarity

Total matches: 15
API ID: GetDeviceCaps$recv$DeleteObjectSelectObject$BitBltCreateCompatibleBitmapCreateCompatibleDCGetDCReleaseDCclosesocketconnectgethostbynameinet_addrntohssendshutdownsocket
String ID: THUMB
API String ID: 1930283203-3798143851
Opcode ID: 678904e15847db7bac48336b7cf5e320d4a41031a0bc1ba33978a791cdb2d37c
Instruction ID: a6e5d2826a1bfadec34d698d0b396fa74616cd31ac2933a690057ec4ea65ec21
Opcode Fuzzy Hash: A331F900078DE76BF6722B402983F571157FF42A21E6997A34BB4676C75FC0640EB60B
Instruction Fuzzy Hash: a6e5d2826a1bfadec34d698d0b396fa74616cd31ac2933a690057ec4ea65ec21

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,0047FD80), ref: 0047FACB
ntohs.WSOCK32(00000774), ref: 0047FAEF
inet_addr.WSOCK32(015EAA88,00000774), ref: 0047FB03
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 0047FB1B
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 0047FB42
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047FB59

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047FBA9
GetDC.USER32(00000000), ref: 0047FBE3
CreateCompatibleDC.GDI32(?), ref: 0047FBEF
GetDeviceCaps.GDI32(?,0000000A), ref: 0047FBFD
GetDeviceCaps.GDI32(?,00000008), ref: 0047FC09
CreateCompatibleBitmap.GDI32(?,00000000,?), ref: 0047FC13
SelectObject.GDI32(?,?), ref: 0047FC23
GetDeviceCaps.GDI32(?,0000000A), ref: 0047FC3E
GetDeviceCaps.GDI32(?,00000008), ref: 0047FC4A
BitBlt.GDI32(?,00000000,00000000,00000000,?,00000008,00000000,?,0000000A), ref: 0047FC58
send.WSOCK32(000000FF,?,00000000,00000000,?,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010), ref: 0047FCCD
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00000000,00000000,?,000000FF,?,00002000,00000000,000000FF,?,00002000), ref: 0047FCE4
SelectObject.GDI32(?,?), ref: 0047FD08
DeleteObject.GDI32(?), ref: 0047FD11
DeleteObject.GDI32(?), ref: 0047FD1A
ReleaseDC.USER32(00000000,?), ref: 0047FD25
shutdown.WSOCK32(000000FF,00000002,00000002,00000001,00000000,00000000,0047FD80), ref: 0047FD54
closesocket.WSOCK32(000000FF,000000FF,00000002,00000002,00000001,00000000,00000000,0047FD80), ref: 0047FD5D

Strings

THUMB, xrefs: 0047FB7F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486918, Relevance: 40.8, APIs: 27, Instructions: 343 Total matches: 14networksleep

Similarity

Total matches: 14
API ID: send$recv$closesocket$Sleepconnectgethostbynamegetsocknamentohsselectsocket
String ID:
API String ID: 2478304679-0
Opcode ID: 4d87a5330adf901161e92fb1ca319a93a9e59af002049e08fc24e9f18237b9f5
Instruction ID: e3ab2fee1e4498134b0ab76971bb2098cdaeb743d0e54aa66642cb2787f17742
Opcode Fuzzy Hash: 8F5159466792D79EF5A21F00640279192F68B03F25F05DB72D63A393D8CEC4009EBF08
Instruction Fuzzy Hash: e3ab2fee1e4498134b0ab76971bb2098cdaeb743d0e54aa66642cb2787f17742

APIs

recv.WSOCK32(?,?,00000002,00000002,00000000,00486E16), ref: 00486971
recv.WSOCK32(?,00000005,?,00000000), ref: 004869A0
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 004869EE
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486A0B
recv.WSOCK32(?,?,00000259,00000000,?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486A1F
send.WSOCK32(?,00000001,00000002,00000000), ref: 00486A9E
send.WSOCK32(?,00000001,00000002,00000000), ref: 00486ABB
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486AE8
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486B02
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486B2B
recv.WSOCK32(?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486B41
recv.WSOCK32(?,?,0000000C,00000000,?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486B7C
recv.WSOCK32(?,?,?,00000000,?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486BD9
gethostbyname.WSOCK32(00000000,?,?,?,00000000,?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486BFF
ntohs.WSOCK32(?,00000000,?,?,?,00000000,?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486C29
socket.WSOCK32(00000002,00000001,00000000), ref: 00486C44
connect.WSOCK32(00000000,00000002,00000010,00000002,00000001,00000000), ref: 00486C55
getsockname.WSOCK32(00000000,?,00000010,00000000,00000002,00000010,00000002,00000001,00000000), ref: 00486CA8
send.WSOCK32(?,00000005,0000000A,00000000,00000000,?,00000010,00000000,00000002,00000010,00000002,00000001,00000000), ref: 00486CDD
select.WSOCK32(00000000,?,00000000,00000000,00000000,?,00000005,0000000A,00000000,00000000,?,00000010,00000000,00000002,00000010,00000002), ref: 00486D1D
Sleep.KERNEL32(00000096,00000000,?,00000000,00000000,00000000,?,00000005,0000000A,00000000,00000000,?,00000010,00000000,00000002,00000010), ref: 00486DCA

Part of subcall function 00408710: __WSAFDIsSet.WSOCK32(00000000,?,00000000,?,00486D36,00000000,?,00000000,00000000,00000000,00000096,00000000,?,00000000,00000000,00000000), ref: 00408718

recv.WSOCK32(00000000,?,00001000,00000000,00000000,?,00000000,00000000,00000000,00000096,00000000,?,00000000,00000000,00000000,?), ref: 00486D5B
send.WSOCK32(?,?,00000000,00000000,00000000,?,00001000,00000000,00000000,?,00000000,00000000,00000000,00000096,00000000,?), ref: 00486D72
recv.WSOCK32(?,?,00001000,00000000,00000000,?,00000000,00000000,00000000,00000096,00000000,?,00000000,00000000,00000000,?), ref: 00486DA9
send.WSOCK32(00000000,?,00000000,00000000,?,?,00001000,00000000,00000000,?,00000000,00000000,00000000,00000096,00000000,?), ref: 00486DC0
closesocket.WSOCK32(?,?,?,00000002,00000002,00000000,00486E16), ref: 00486DE2
closesocket.WSOCK32(?,?,?,?,00000002,00000002,00000000,00486E16), ref: 00486DE8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004801FC, Relevance: 35.3, APIs: 15, Strings: 5, Instructions: 286 Total matches: 15network

Similarity

Total matches: 15
API ID: recv$closesocketconnectgethostbynameinet_addrntohssendshutdownsocket
String ID: [.dll]$[.dll]$[.dll]$[.dll]$[.dll]
API String ID: 2256622448-126193538
Opcode ID: edfb90c8b4475b2781d0696b1145c1d1b84b866ec8cac18c23b2313044de0fe7
Instruction ID: 2d95426e1e6ee9a744b3e863ef1b8a7e344b36da7f7d1abd741f771f4a8a1459
Opcode Fuzzy Hash: FB414B0217AAD36BE0726F413943B8B00A2AF03E15D9C97E247B5267D69FA0501DB21A
Instruction Fuzzy Hash: 2d95426e1e6ee9a744b3e863ef1b8a7e344b36da7f7d1abd741f771f4a8a1459

APIs

socket.WSOCK32(00000002,00000001,00000000), ref: 00480264
ntohs.WSOCK32(00000774), ref: 00480288
inet_addr.WSOCK32(015EAA88,00000774), ref: 0048029C
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 004802B4
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 004802DB
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004802F2
closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004805DE

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,?,0048064C,?,00000000,?,FILETRANSFER,000000FF,?,00002000,00000000,000000FF,00000002), ref: 0048036A
recv.WSOCK32(000000FF,?,00002000,00000000,?,00000000,?,0048064C,?,FILEBOF,?,FILETRANSFER,000000FF,?,00002000,00000000), ref: 00480401

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,00000000,?,0048064C,?,FILEBOF,?,FILETRANSFER), ref: 00480451
send.WSOCK32(000000FF,?,00000000,00000000,00000000,00480523,?,000000FF,?,00002000,00000000,?,00000000,?,0048064C,?), ref: 004804DB
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00000000,00000000,00000000,00480523,?,000000FF,?,00002000,00000000,?), ref: 004804F5
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,00000000,?,0048064C,?,FILEBOF,?,FILETRANSFER), ref: 00480583

Part of subcall function 00475F68: send.WSOCK32(?,00000000,?,00000000,00000000,00475FCA), ref: 00475FAF

recv.WSOCK32(000000FF,?,00002000,00000000,?,FILETRANSFER,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004805B6
shutdown.WSOCK32(000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004805D5

Strings

FILEERR, xrefs: 00480432
FILEEOF, xrefs: 00480564
FILEBOF, xrefs: 004803A6
FILEEND, xrefs: 00480597
FILETRANSFER, xrefs: 004802FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048E06C, Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 175 Total matches: 10windowmemorythread

Similarity

Total matches: 10
API ID: SendMessage$FindWindowEx$CloseHandleFindWindowGetWindowThreadProcessIdOpenProcessReadProcessMemoryVirtualAllocVirtualAllocExVirtualFreeVirtualFreeExWriteProcessMemory
String ID: #32770$SysListView32$d"H
API String ID: 3780048337-1380996120
Opcode ID: b683118a55e5ed65f15da96e40864f63eed112dcb30155d6a8038ec0cc94ce3d
Instruction ID: 921cf0fa770e2b86772df7590f9e2c4dc5a1ffd61c2349c0eb9e10af82608242
Opcode Fuzzy Hash: AB11504A0B9C9567E83768442C43BDB1581FB13E89EB1BB93E2743758ADE811069FA43
Instruction Fuzzy Hash: 921cf0fa770e2b86772df7590f9e2c4dc5a1ffd61c2349c0eb9e10af82608242

APIs

Part of subcall function 0048DFF0: GetForegroundWindow.USER32 ref: 0048E00F
Part of subcall function 0048DFF0: GetWindowTextLengthA.USER32(00000000), ref: 0048E01B
Part of subcall function 0048DFF0: GetWindowTextA.USER32(00000000,00000000,00000001), ref: 0048E038

FindWindowA.USER32(#32770,00000000), ref: 0048E0C3
FindWindowExA.USER32(?,00000000,#32770,00000000), ref: 0048E0D8
FindWindowExA.USER32(?,00000000,SysListView32,00000000), ref: 0048E0ED
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0048E102
VirtualAlloc.KERNEL32(00000000,0000012C,00003000,00000004,?,00000000,SysListView32,00000000,00000000,0048E273,?,?,?,?), ref: 0048E12A
GetWindowThreadProcessId.USER32(?,?), ref: 0048E139
OpenProcess.KERNEL32(00000038,00000000,?,00000000,0000012C,00003000,00000004,?,00000000,SysListView32,00000000,00000000,0048E273), ref: 0048E146
VirtualAllocEx.KERNEL32(00000000,00000000,0000012C,00003000,00000004,00000038,00000000,?,00000000,0000012C,00003000,00000004,?,00000000,SysListView32,00000000), ref: 0048E158
WriteProcessMemory.KERNEL32(00000000,00000000,00000000,00000400,?,00000000,00000000,0000012C,00003000,00000004,00000038,00000000,?,00000000,0000012C,00003000), ref: 0048E18A
SendMessageA.USER32(d"H,0000102D,00000000,00000000), ref: 0048E19D
ReadProcessMemory.KERNEL32(00000000,00000000,00000000,00000400,?,d"H,0000102D,00000000,00000000,00000000,00000000,00000000,00000400,?,00000000,00000000), ref: 0048E1AE
SendMessageA.USER32(d"H,00001008,00000000,00000000), ref: 0048E219
VirtualFree.KERNEL32(00000000,00000000,00008000,d"H,00001008,00000000,00000000,00000000,00000000,00000000,00000400,?,d"H,0000102D,00000000,00000000), ref: 0048E226
VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000,00000000,00000000,00008000,d"H,00001008,00000000,00000000,00000000,00000000,00000000,00000400,?), ref: 0048E234
CloseHandle.KERNEL32(00000000), ref: 0048E23A

Strings

SysListView32, xrefs: 0048E0E2
d"H, xrefs: 0048E199, 0048E215, 0048E19C, 0048E218
#32770, xrefs: 0048E0BE, 0048E0CD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00480880, Relevance: 30.0, APIs: 12, Strings: 5, Instructions: 276 Total matches: 16network

Similarity

Total matches: 16
API ID: recv$closesocketshutdown$connectgethostbynameinet_addrntohssocket
String ID: [.dll]$[.dll]$[.dll]$[.dll]$[.dll]
API String ID: 2855376909-126193538
Opcode ID: ce8af9afc4fc20da17b49cda6627b8ca93217772cb051443fc0079949da9fcb3
Instruction ID: 6552a3c7cc817bd0bf0621291c8240d3f07fdfb759ea8c029e05bf9a4febe696
Opcode Fuzzy Hash: A5414C032767977AE1612F402881B952571BF03769DC8C7D257F6746EA5F60240EF31E
Instruction Fuzzy Hash: 6552a3c7cc817bd0bf0621291c8240d3f07fdfb759ea8c029e05bf9a4febe696

APIs

socket.WSOCK32(00000002,00000001,00000000,?,?,?,?,?,?,?,?,?,00000000,00480C86), ref: 004808B5
ntohs.WSOCK32(00000774), ref: 004808D9
inet_addr.WSOCK32(015EAA88,00000774), ref: 004808ED
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 00480905
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 0048092C
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480943
closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480C2F

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480993
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88), ref: 004809C8
shutdown.WSOCK32(000000FF,00000002,?,?,?,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000), ref: 00480B80
closesocket.WSOCK32(000000FF,000000FF,00000002,?,?,?,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?), ref: 00480B89

Part of subcall function 00480860: send.WSOCK32(?,00000000,00000001,00000000), ref: 00480879

shutdown.WSOCK32(000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480C26

Part of subcall function 00405D40: SysFreeString.OLEAUT32(?), ref: 00405D53

Strings

FILEERR, xrefs: 00480BB6
FILEBOF, xrefs: 00480A34
FILEEOF, xrefs: 00480B0B
UPLOADFILE, xrefs: 00480969
FILEEND, xrefs: 00480B6A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048851C, Relevance: 28.3, APIs: 11, Strings: 5, Instructions: 302 Total matches: 13network

Similarity

Total matches: 13
API ID: recv$closesocketconnectgethostbynameinet_addrmouse_eventntohsshutdownsocket
String ID: CONTROLIO$XLEFT$XMID$XRIGHT$XWHEEL
API String ID: 1694935655-1300867655
Opcode ID: 3d8ebbc3997d8a2a290d7fc83b0cdb9b95b23bbbcb8ad76760d2b66ee4a9946d
Instruction ID: 7e2e77316238cb3891ff65c9dc595f4b15bca55cd02a53a070d44cee5d55110c
Opcode Fuzzy Hash: C7410B051B8DD63BF4337E001883B422661FF02A24DC5ABD1ABB6766E75F40641EB74B
Instruction Fuzzy Hash: 7e2e77316238cb3891ff65c9dc595f4b15bca55cd02a53a070d44cee5d55110c

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00488943), ref: 00488581
ntohs.WSOCK32(00000774), ref: 004885A7
inet_addr.WSOCK32(015EAA88,00000774), ref: 004885BB
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 004885D3
connect.WSOCK32(?,00000002,00000010,015EAA88,00000774), ref: 004885FD
recv.WSOCK32(?,?,00002000,00000000,?,00000002,00000010,015EAA88,00000774), ref: 00488617

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(?,?,00002000,00000000,?,?,00002000,00000000,?,00000002,00000010,015EAA88,00000774), ref: 00488670
recv.WSOCK32(?,?,00002000,00000000,?,?,00002000,00000000,?,?,00002000,00000000,?,00000002,00000010,015EAA88), ref: 004886B7
mouse_event.USER32(00000800,00000000,00000000,00000000,00000000), ref: 00488743

Part of subcall function 00488F80: SetCursorPos.USER32(00000000,00000000), ref: 004890E0
Part of subcall function 00488F80: mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 004890FB
Part of subcall function 00488F80: mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 0048910A
Part of subcall function 00488F80: mouse_event.USER32(00000008,00000000,00000000,00000000,00000000), ref: 0048911B
Part of subcall function 00488F80: mouse_event.USER32(00000010,00000000,00000000,00000000,00000000), ref: 0048912A
Part of subcall function 00488F80: mouse_event.USER32(00000020,00000000,00000000,00000000,00000000), ref: 0048913B
Part of subcall function 00488F80: mouse_event.USER32(00000040,00000000,00000000,00000000,00000000), ref: 0048914A

shutdown.WSOCK32(?,00000002,00000002,00000001,00000000,00000000,00488943), ref: 00488907
closesocket.WSOCK32(?,?,00000002,00000002,00000001,00000000,00000000,00488943), ref: 00488913

Strings

XLEFT, xrefs: 004887C6
CONTROLIO, xrefs: 00488640
XRIGHT, xrefs: 0048882E
XMID, xrefs: 00488896
XWHEEL, xrefs: 00488701

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048317C, Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 191 Total matches: 13networkthread

Similarity

Total matches: 13
API ID: ExitThreadrecv$closesocketconnectgethostbynameinet_addrntohssendshutdownsocket
String ID: AI$DATAFLUX
API String ID: 321019756-425132630
Opcode ID: b7a2c89509495347fc3323384a94636a93f503423a5dcd762de1341b7d40447e
Instruction ID: d3bdd4e47b343d3b4fa6119c5e41daebd5c6236719acedab40bdc5f8245a3ecd
Opcode Fuzzy Hash: 4B214D4107AAD97AE4702A443881BA224165F535ADFD48B7147343F7D79E43205DFA4E
Instruction Fuzzy Hash: d3bdd4e47b343d3b4fa6119c5e41daebd5c6236719acedab40bdc5f8245a3ecd

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,004833A9,?,00000000,0048340F), ref: 00483247
ExitThread.KERNEL32(00000000,00000002,00000001,00000000,00000000,004833A9,?,00000000,0048340F), ref: 00483257
ntohs.WSOCK32(00000774), ref: 0048326E
inet_addr.WSOCK32(015EAA88,00000774), ref: 00483282
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 0048329A
ExitThread.KERNEL32(00000000,015EAA88,015EAA88,00000774), ref: 004832A7
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 004832C6
recv.WSOCK32(000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004832D7
ExitThread.KERNEL32(00000000,000000FF,000000FF,00000002,000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0048339A

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00000400,00000000,?,00483440,?,DATAFLUX,000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88), ref: 0048331D
send.WSOCK32(000000FF,?,00000000,00000000), ref: 0048335C
recv.WSOCK32(000000FF,?,00000400,00000000,000000FF,?,00000000,00000000), ref: 00483370
shutdown.WSOCK32(000000FF,00000002,000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00483382
closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0048338B

Strings

AI, xrefs: 00483218
DATAFLUX, xrefs: 004832E3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047F4E0, Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 295 Total matches: 16network

Similarity

Total matches: 16
API ID: recv$closesocketconnectgethostbynameinet_addrntohsshutdownsocket
String ID: [.dll]$PLUGIN$QUICKUP
API String ID: 3502134677-2029499634
Opcode ID: e0335874fa5fb0619f753044afc16a0783dc895853cb643f68a57d403a54b849
Instruction ID: e53faec40743fc20efac8ebff3967ea6891c829de5991c2041a7f36387638ce7
Opcode Fuzzy Hash: 8E4129031BAAEA76E1723F4029C2B851A62EF12635DC4C7E287F6652D65F60241DF60E
Instruction Fuzzy Hash: e53faec40743fc20efac8ebff3967ea6891c829de5991c2041a7f36387638ce7

APIs

socket.WSOCK32(00000002,00000001,00000000,?,00000000,0047F930,?,?,?,?,00000000,00000000), ref: 0047F543
ntohs.WSOCK32(00000774), ref: 0047F567
inet_addr.WSOCK32(015EAA88,00000774), ref: 0047F57B
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 0047F593
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F5BA
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F5D1
closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F8C2

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,?,0047F968,?,0047F968,?,QUICKUP,000000FF,?,00002000,00000000,000000FF,00000002), ref: 0047F63F
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,0047F968,?,0047F968,?,QUICKUP,000000FF,?), ref: 0047F66F

Part of subcall function 0047F4C0: send.WSOCK32(?,00000000,00000001,00000000), ref: 0047F4D9

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,0047F968,?,0047F968), ref: 0047F859

Part of subcall function 0048ADCC: SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0048ADF9
Part of subcall function 0048ADCC: SHGetPathFromIDListA.SHELL32(?,?,00000000,0048AE8C,?,?,00000005,?,004856FD,00000000,00485755,?,?,00000005,00000000,00000000), ref: 0048AE09

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,0047F968,?,0047F968), ref: 0047F786

Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EEA0
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF11
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EF31
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF60
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0047EF96
Part of subcall function 0047EE3C: SetFileAttributesA.KERNEL32(00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFD6
Part of subcall function 0047EE3C: DeleteFileA.KERNEL32(00000000,00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFFF
Part of subcall function 0047EE3C: CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0047F033
Part of subcall function 0047EE3C: PlaySoundA.WINMM(00000000,00000000,00000001,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047F059
Part of subcall function 0047EE3C: CopyFileA.KERNEL32(00000000,00000000,.dcp), ref: 0047F0D1

shutdown.WSOCK32(000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F8B9

Part of subcall function 00405D40: SysFreeString.OLEAUT32(?), ref: 00405D53

Strings

PLUGIN, xrefs: 0047F527
QUICKUP, xrefs: 0047F5DD
FILEEND, xrefs: 0047F7E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00489244, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 150 Total matches: 15networkthread

Similarity

Total matches: 15
API ID: recv$ExitThreadclosesocketconnectgethostbynameinet_addrntohssendshutdownsocket
String ID: AI$DATAFLUX
API String ID: 272284131-425132630
Opcode ID: 11f7e99e0a7c1cc561ab01f1b1abb0142bfc906553ec9d79ada03e9cf39adde9
Instruction ID: 4d7be339f0e68e68ccf0b59b667884dcbebc6bd1e5886c9405f519ae2503b2a6
Opcode Fuzzy Hash: DA115B4513B9A77BE0626F943842B6265236B02E3CF498B3153B83A3C6DF41146DFA4D
Instruction Fuzzy Hash: 4d7be339f0e68e68ccf0b59b667884dcbebc6bd1e5886c9405f519ae2503b2a6

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00489441), ref: 004892BA
ntohs.WSOCK32(00000774), ref: 004892DC
inet_addr.WSOCK32(015EAA88,00000774), ref: 004892F0
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 00489308
connect.WSOCK32(00000000,00000002,00000010,015EAA88,00000774), ref: 0048932C
recv.WSOCK32(00000000,?,00000400,00000000,00000000,00000002,00000010,015EAA88,00000774), ref: 00489340

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(00000000,?,00000400,00000000,?,0048946C,?,DATAFLUX,00000000,?,00000400,00000000,00000000,00000002,00000010,015EAA88), ref: 00489399
send.WSOCK32(00000000,?,00000000,00000000), ref: 004893E3
recv.WSOCK32(00000000,?,00000400,00000000,00000000,?,00000000,00000000), ref: 004893FA
shutdown.WSOCK32(00000000,00000002,00000002,00000001,00000000,00000000,00489441), ref: 00489409
closesocket.WSOCK32(00000000,00000000,00000002,00000002,00000001,00000000,00000000,00489441), ref: 0048940F
ExitThread.KERNEL32(00000000,00000000,00000000,00000002,00000002,00000001,00000000,00000000,00489441), ref: 0048941E

Strings

DATAFLUX, xrefs: 0048934C
AI, xrefs: 0048928B

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00406A68, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 139 Total matches: 2934stringlibraryfile

Similarity

Total matches: 2934
API ID: lstrcpyn$lstrlen$FindCloseFindFirstFileGetModuleHandleGetProcAddress
String ID: GetLongPathNameA$\$[FILE]
API String ID: 3661757112-3025972186
Opcode ID: 09af6d4fb3ce890a591f7b23fb756db22e1cbc03564fc0e4437be3767da6793e
Instruction ID: b14d932b19fc4064518abdddbac2846d3fd2a245794c3c1ecc53a3c556f9407d
Opcode Fuzzy Hash: 5A0148030E08E387E1775B017586F4A12A1EF41C38E98A36025F15BAC94E00300CF12F
Instruction Fuzzy Hash: b14d932b19fc4064518abdddbac2846d3fd2a245794c3c1ecc53a3c556f9407d

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,00400000,004917C0), ref: 00406A85
GetProcAddress.KERNEL32(?,GetLongPathNameA,kernel32.dll,?,00400000,004917C0), ref: 00406A9C
lstrcpynA.KERNEL32(?,?,?,?,00400000,004917C0), ref: 00406ACC
lstrcpynA.KERNEL32(?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B30

Part of subcall function 00406A48: CharNextA.USER32(?), ref: 00406A4F

lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B66
FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B79
FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B8B
lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B97
lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000), ref: 00406BCB
lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00406BD7
lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 00406BF9

Strings

GetLongPathNameA, xrefs: 00406A93
\, xrefs: 00406BA9
kernel32.dll, xrefs: 00406A80

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486E2C, Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 178 Total matches: 14networkthreadsleep

Similarity

Total matches: 14
API ID: CloseHandleCreateThreadExitThreadLocalAllocSleepacceptbindlistenntohssocket
String ID: ERR|Cannot listen to port, try another one..|$ERR|Socket error..|$OK|Successfully started..|
API String ID: 2137491959-3262568804
Opcode ID: 90fb1963c21165c4396d73d063bf7afe9f22d057a02fd569e7e66b2d14a70f73
Instruction ID: 0fda09cc725898a8dcbc65afb209be10fac5e25cc35172c883d426d9189e88b6
Opcode Fuzzy Hash: 9011D50257DC549BD5E7ACC83887FA611625F83E8CEC8BB06AB9A3B2C10E555028B652
Instruction Fuzzy Hash: 0fda09cc725898a8dcbc65afb209be10fac5e25cc35172c883d426d9189e88b6

APIs

socket.WSOCK32(00000002,00000001,00000006,00000000,00487046), ref: 00486E87
ntohs.WSOCK32(?,00000002,00000001,00000006,00000000,00487046), ref: 00486EA8
bind.WSOCK32(00000000,00000002,00000010,?,00000002,00000001,00000006,00000000,00487046), ref: 00486EBD
listen.WSOCK32(00000000,00000005,00000000,00000002,00000010,?,00000002,00000001,00000006,00000000,00487046), ref: 00486ECD

Part of subcall function 004870D4: EnterCriticalSection.KERNEL32(0049C3A8,00000000,004872FC,?,?,00000000,?,00000003,00000000,00000000,?,00486F27,00000000,?,?,00000000), ref: 00487110
Part of subcall function 004870D4: LeaveCriticalSection.KERNEL32(0049C3A8,004872E1,004872FC,?,?,00000000,?,00000003,00000000,00000000,?,00486F27,00000000,?,?,00000000), ref: 004872D4

accept.WSOCK32(00000000,?,00000010,00000000,?,?,00000000,00000000,00000005,00000000,00000002,00000010,?,00000002,00000001,00000006), ref: 00486F37
LocalAlloc.KERNEL32(00000040,00000010,00000000,?,00000010,00000000,?,?,00000000,00000000,00000005,00000000,00000002,00000010,?,00000002), ref: 00486F49
CreateThread.KERNEL32(00000000,00000000,Function_00086918,00000000,00000000,?), ref: 00486F83
CloseHandle.KERNEL32(00000000), ref: 00486F89
Sleep.KERNEL32(00000064,00000000,00000000,00000000,Function_00086918,00000000,00000000,?,00000040,00000010,00000000,?,00000010,00000000,?,?), ref: 00486FD0

Part of subcall function 00487488: EnterCriticalSection.KERNEL32(0049C3A8,00000000,00487671,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00487016), ref: 004874B5
Part of subcall function 00487488: closesocket.WSOCK32(00000000,FpH,?,?,?,?,0049C3A8,00000000,00487671,?,?,00000000,?,00000000,00000000,00000000), ref: 0048761C
Part of subcall function 00487488: LeaveCriticalSection.KERNEL32(0049C3A8,00487656,00487671,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00487016), ref: 00487649

ExitThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000010,?,00000002,00000001,00000006,00000000,00487046), ref: 00487018

Strings

ERR|Socket error..|, xrefs: 00486FA4
OK|Successfully started..|, xrefs: 00486EEF
ERR|Cannot listen to port, try another one..|, xrefs: 00486FEE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048298C, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 119 Total matches: 11threadnetwork

Similarity

Total matches: 11
API ID: ExitThread$closesocket$connectgethostbynameinet_addrntohssocket
String ID: PortScanAdd$T)H
API String ID: 2395914352-1310557750
Opcode ID: 6c3104e507475618e3898607272650a69bca6dc046555386402c23f344340102
Instruction ID: 72399fd579b68a6a0bb22d5de318f24183f317e071505d54d2110904ee01d501
Opcode Fuzzy Hash: 1101680197ABE83FA05261C43881B8224A9AF57288CC8AFB2433A3E7C35D04300EF785
Instruction Fuzzy Hash: 72399fd579b68a6a0bb22d5de318f24183f317e071505d54d2110904ee01d501

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 004829FE
ExitThread.KERNEL32(00000000,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A0C
ntohs.WSOCK32(?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A18
inet_addr.WSOCK32(00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A2A
gethostbyname.WSOCK32(00000000,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A40
ExitThread.KERNEL32(00000000,00000000,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A4D
connect.WSOCK32(00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A63
ExitThread.KERNEL32(00000000,00000000,00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482AB2

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

closesocket.WSOCK32(00000000,?,00482B30,?,PortScanAdd,00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1), ref: 00482A9C
ExitThread.KERNEL32(00000000,00000000,?,00482B30,?,PortScanAdd,00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1), ref: 00482AA3
closesocket.WSOCK32(00000000,00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482AAB

Strings

T)H, xrefs: 004829A6, 00482AEF
PortScanAdd, xrefs: 00482A6C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004836D8, Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 99 Total matches: 11threadnetworksleep

Similarity

Total matches: 11
API ID: ExitThread$Sleepclosesocketconnectgethostbynameinet_addrntohsrecvsocket
String ID: POST /index.php/1.0Host:
API String ID: 2628901859-3522423011
Opcode ID: b04dd301db87c41df85ba2753455f3376e44383b7eb4be01a122875681284b07
Instruction ID: dc3bae1cbba1b9e51a9e3778eeee895e0839b03ccea3d6e2fe0063a405e053e2
Opcode Fuzzy Hash: E6F044005B779ABFC4611EC43C51B8205AA9353A64F85ABE2867A3AED6AD25100FF641
Instruction Fuzzy Hash: dc3bae1cbba1b9e51a9e3778eeee895e0839b03ccea3d6e2fe0063a405e053e2

APIs

socket.WSOCK32(00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 0048373A
ExitThread.KERNEL32(00000000,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 00483747
inet_addr.WSOCK32(?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 00483762
ntohs.WSOCK32(00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 0048376B
gethostbyname.WSOCK32(?,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 0048377B
ExitThread.KERNEL32(00000000,?,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 00483788
connect.WSOCK32(00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 0048379E
ExitThread.KERNEL32(00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 004837A9

Part of subcall function 00475F68: send.WSOCK32(?,00000000,?,00000000,00000000,00475FCA), ref: 00475FAF

recv.WSOCK32(00000000,?,00000400,00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ), ref: 004837C7
Sleep.KERNEL32(000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000,?), ref: 004837DF
closesocket.WSOCK32(00000000,000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000), ref: 004837E5
ExitThread.KERNEL32(00000000,00000000,000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854), ref: 004837EC

Strings

POST /index.php/1.0Host: , xrefs: 00483708

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482630, Relevance: 18.1, APIs: 12, Instructions: 116 Total matches: 16threadnetworksleep

Similarity

Total matches: 16
API ID: ExitThread$Sleepclosesocketconnectgethostbynameinet_addrntohsrecvsocket
String ID:
API String ID: 2628901859-0
Opcode ID: a3aaf1e794ac1aa69d03c8f9e66797259df72f874d13839bb17dd00c6b42194d
Instruction ID: ff6d9d03150e41bc14cdbddfb540e41f41725cc753a621d047e760d4192c390a
Opcode Fuzzy Hash: 7801D0011B764DBFC4611E846C8239311A7A763899DC5EBB1433A395D34E00202DFE46
Instruction Fuzzy Hash: ff6d9d03150e41bc14cdbddfb540e41f41725cc753a621d047e760d4192c390a

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000000,004827A8), ref: 004826CB
ExitThread.KERNEL32(00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 004826D8
inet_addr.WSOCK32(00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 004826F3
ntohs.WSOCK32(00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 004826FC
gethostbyname.WSOCK32(00000000,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 0048270C
ExitThread.KERNEL32(00000000,00000000,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 00482719
connect.WSOCK32(00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 0048272F
ExitThread.KERNEL32(00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 0048273A

Part of subcall function 004824B0: send.WSOCK32(?,?,00000400,00000000,00000000,00482542), ref: 00482525

recv.WSOCK32(00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 00482758
Sleep.KERNEL32(000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 00482770
closesocket.WSOCK32(00000000,000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000), ref: 00482776
ExitThread.KERNEL32(00000000,00000000,000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?), ref: 0048277D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004821A0, Relevance: 15.1, APIs: 10, Instructions: 112 Total matches: 15threadnetworksleep

Similarity

Total matches: 15
API ID: ExitThread$Sleepclosesocketgethostbynameinet_addrntohssendtosocket
String ID:
API String ID: 1359030137-0
Opcode ID: 9f2e935b6ee09f04cbe2534d435647e5a9c7a25d7308ce71f3340d3606cd1e00
Instruction ID: ac1de70ce42b68397a6b2ea81eb33c5fd22f812bdd7d349b67f520e68fdd8bef
Opcode Fuzzy Hash: BC0197011B76997BD8612EC42C8335325A7E363498E85ABB2863A3A5C34E00303EFD4A
Instruction Fuzzy Hash: ac1de70ce42b68397a6b2ea81eb33c5fd22f812bdd7d349b67f520e68fdd8bef

APIs

socket.WSOCK32(00000002,00000002,00000000,?,00000000,00482302), ref: 0048223B
ExitThread.KERNEL32(00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 00482248
inet_addr.WSOCK32(00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 00482263
ntohs.WSOCK32(00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 0048226C
gethostbyname.WSOCK32(00000000,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 0048227C
ExitThread.KERNEL32(00000000,00000000,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 00482289
sendto.WSOCK32(00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 004822B2
Sleep.KERNEL32(000003E8,00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 004822CA
closesocket.WSOCK32(00000000,000003E8,00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 004822D0
ExitThread.KERNEL32(00000000,00000000,000003E8,00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000), ref: 004822D7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00458910, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64 Total matches: 3020window

Similarity

Total matches: 3020
API ID: GetWindowLongScreenToClient$GetWindowPlacementGetWindowRectIsIconic
String ID: ,
API String ID: 816554555-3772416878
Opcode ID: 33713ad712eb987f005f3c933c072ce84ce87073303cb20338137d5b66c4d54f
Instruction ID: 99fb2dd3f2d8984d329dcc6a20dc6bc7800d43894b91fc45d581d88d3a180e50
Opcode Fuzzy Hash: 34E0929A777C2018C58145A80943F5DB3519B5B7FAC55DF8036902895B110018B1B86D
Instruction Fuzzy Hash: 99fb2dd3f2d8984d329dcc6a20dc6bc7800d43894b91fc45d581d88d3a180e50

APIs

IsIconic.USER32(?), ref: 0045891F
GetWindowPlacement.USER32(?,0000002C), ref: 0045893C
GetWindowRect.USER32(?), ref: 00458955
GetWindowLongA.USER32(?,000000F0), ref: 00458963
GetWindowLongA.USER32(?,000000F8), ref: 00458978
ScreenToClient.USER32(00000000), ref: 00458985
ScreenToClient.USER32(00000000,?), ref: 00458990

Strings

,, xrefs: 00458928

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043B7D8, Relevance: 12.1, APIs: 8, Instructions: 72 Total matches: 256window

Similarity

Total matches: 256
API ID: ShowWindow$SetWindowLong$GetWindowLongIsIconicIsWindowVisible
String ID:
API String ID: 1329766111-0
Opcode ID: 851ee31c2da1c7e890e66181f8fd9237c67ccb8fd941b2d55d1428457ca3ad95
Instruction ID: 2d601e2c9dde570a1438639cb57e59d23a7ac9434ebe8ec1c9926e4533b8e8e7
Opcode Fuzzy Hash: FEE0684A6E7C6CE4E26AE7048881B00514BE307A17DC00B00C722165A69E8830E4AC8E
Instruction Fuzzy Hash: 2d601e2c9dde570a1438639cb57e59d23a7ac9434ebe8ec1c9926e4533b8e8e7

APIs

GetWindowLongA.USER32(?,000000EC), ref: 0043B7E8
IsIconic.USER32(?), ref: 0043B800
IsWindowVisible.USER32(?), ref: 0043B80C
ShowWindow.USER32(?,00000000), ref: 0043B840
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B855
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B866
ShowWindow.USER32(?,00000006), ref: 0043B881
ShowWindow.USER32(?,00000005), ref: 0043B88B

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004389B4, Relevance: 10.9, APIs: 7, Instructions: 405 Total matches: 2150windowCrypto

Similarity

Total matches: 2150
API ID: RestoreDCSaveDC$DefWindowProcGetSubMenuGetWindowDC
String ID:
API String ID: 4165311318-0
Opcode ID: e3974ea3235f2bde98e421c273a503296059dbd60f3116d5136c6e7e7c4a4110
Instruction ID: 37498faecac08611daeb58a409bdd2e28f3aff22c71556953c3d6c7203dc42a1
Opcode Fuzzy Hash: E351598106AE105BFCB3A49435C3FA31002E75259BCC9F7725F65B69F70A426107FA0E
Instruction Fuzzy Hash: 37498faecac08611daeb58a409bdd2e28f3aff22c71556953c3d6c7203dc42a1

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 00438ECA

Part of subcall function 00437AE0: SendMessageA.USER32(?,00000234,00000000,00000000), ref: 00437B66
Part of subcall function 00437AE0: DrawMenuBar.USER32(00000000), ref: 00437B77

GetSubMenu.USER32(?,?), ref: 00438AB0

Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128

SaveDC.GDI32(?), ref: 00438C84
RestoreDC.GDI32(?,?), ref: 00438CF8
GetWindowDC.USER32(?), ref: 00438D72
SaveDC.GDI32(?), ref: 00438DA9
RestoreDC.GDI32(?,?), ref: 00438E16

Part of subcall function 00438594: GetMenuItemCount.USER32(?), ref: 004385C0
Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 004385E0
Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 00438678

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043E644, Relevance: 10.9, APIs: 7, Instructions: 356 Total matches: 105windowCrypto

Similarity

Total matches: 105
API ID: RestoreDCSaveDC$GetParentGetWindowDCSetFocus
String ID:
API String ID: 1433148327-0
Opcode ID: c7c51054c34f8cc51c1d37cc0cdfc3fb3cac56433bd5d750a0ee7df42f9800ec
Instruction ID: 9e67841575b56d9a11e2d3f15b67e7abce699d8469a9871b1b2609441fc85f19
Opcode Fuzzy Hash: 60514740199E7193F47720842BC3BEAB09AF79671DC40F3616BC6318877F15A21AB70B
Instruction Fuzzy Hash: 9e67841575b56d9a11e2d3f15b67e7abce699d8469a9871b1b2609441fc85f19

APIs

Part of subcall function 00448224: SetActiveWindow.USER32(?), ref: 0044823F
Part of subcall function 00448224: SetFocus.USER32(00000000), ref: 00448289

SetFocus.USER32(00000000), ref: 0043E76F

Part of subcall function 0043F4F4: SendMessageA.USER32(00000000,00000229,00000000,00000000), ref: 0043F51B

Part of subcall function 0044D2F4: GetWindowThreadProcessId.USER32(?), ref: 0044D301
Part of subcall function 0044D2F4: GetCurrentProcessId.KERNEL32(?,00000000,?,004387ED,?,004378A9), ref: 0044D30A
Part of subcall function 0044D2F4: GlobalFindAtomA.KERNEL32(00000000), ref: 0044D31F
Part of subcall function 0044D2F4: GetPropA.USER32(?,00000000), ref: 0044D336

GetParent.USER32(?), ref: 0043E78A

Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128

SaveDC.GDI32(?), ref: 0043E92D
RestoreDC.GDI32(?,?), ref: 0043E99E
GetWindowDC.USER32(00000000), ref: 0043EA0A
SaveDC.GDI32(?), ref: 0043EA41
RestoreDC.GDI32(?,?), ref: 0043EAA5

Part of subcall function 00447EF0: InvalidateRect.USER32(00000000,00000000,000000FF), ref: 00447F83
Part of subcall function 00447EF0: InvalidateRect.USER32(00000000,00000000,000000FF), ref: 00447FB6

Part of subcall function 004556F4: SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000077), ref: 004557E5
Part of subcall function 004556F4: _TrackMouseEvent.COMCTL32(00000010), ref: 00455A9D
Part of subcall function 004556F4: DefWindowProcA.USER32(00000000,?,?,?), ref: 00455AEF
Part of subcall function 004556F4: GetCapture.USER32 ref: 00455B5A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00471850, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 97 Total matches: 34service

Similarity

Total matches: 34
API ID: CloseServiceHandle$CreateServiceOpenSCManager
String ID: Description$System\CurrentControlSet\Services\
API String ID: 2405299899-3489731058
Opcode ID: 96e252074fe1f6aca618bd4c8be8348df4b99afc93868a54bf7090803d280f0a
Instruction ID: 14b9cf690ce9596509c6229b802a5a61d158de39c8e329de654368bbb4824ff8
Opcode Fuzzy Hash: 7EF09E441FA6E84FA45EB84828533D651465713A78D4C77F19778379C34E84802EF662
Instruction Fuzzy Hash: 14b9cf690ce9596509c6229b802a5a61d158de39c8e329de654368bbb4824ff8

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,00471976,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00471890
CreateServiceA.ADVAPI32(00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,0047193B), ref: 004718D1

Part of subcall function 004711E8: RegCreateKeyA.ADVAPI32(?,00000000,?), ref: 0047122E
Part of subcall function 004711E8: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000002,00000000,?,00000000,00471291), ref: 0047125A
Part of subcall function 004711E8: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000002,00000000,?,00000000,00471291), ref: 00471269

CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00471926
CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0047192C

Strings

Description, xrefs: 00471916
System\CurrentControlSet\Services\, xrefs: 004718F7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004714B8, Relevance: 10.6, APIs: 7, Instructions: 89 Total matches: 71service

Similarity

Total matches: 71
API ID: CloseServiceHandle$ControlServiceOpenSCManagerOpenServiceQueryServiceStatusStartService
String ID:
API String ID: 3657116338-0
Opcode ID: 1e9d444eec48d0e419340f6fec950ff588b94c8e7592a950f99d2ba7664d31f8
Instruction ID: f731b938185626ba78ad74946a73eac4c40bc8709c87a2b6d5c22da45b1e1850
Opcode Fuzzy Hash: EDF0270D12C6E85FF119A88C1181B67D992DF56795E4A37E04715744CB1AE21008FA1E
Instruction Fuzzy Hash: f731b938185626ba78ad74946a73eac4c40bc8709c87a2b6d5c22da45b1e1850

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047159E), ref: 004714FD
OpenServiceA.ADVAPI32(00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047152D
StartServiceA.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471555
ControlService.ADVAPI32(00000000,00000001,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471563
QueryServiceStatus.ADVAPI32(00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047156D
CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471573
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471579

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A070, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51 Total matches: 81shutdown

Similarity

Total matches: 81
API ID: AdjustTokenPrivilegesExitWindowsExGetCurrentProcessLookupPrivilegeValueOpenProcessToken
String ID: SeShutdownPrivilege
API String ID: 907618230-3733053543
Opcode ID: 6325c351eeb4cc5a7ec0039467aea46e8b54e3429b17674810d590d1af91e24f
Instruction ID: 66577e1e564058a64f67eda116e8e082f314cb3670dbe1b8773e92ba7f33d392
Opcode Fuzzy Hash: 84D0124D3B7976B1F31D5D4001C47A6711FDBA322AD61670069507725A8DA091F4BE88
Instruction Fuzzy Hash: 66577e1e564058a64f67eda116e8e082f314cb3670dbe1b8773e92ba7f33d392

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 0048A083
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0048A089
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000000), ref: 0048A0A4
AdjustTokenPrivileges.ADVAPI32(00000002,00000000,00000002,00000010,?,?,00000000), ref: 0048A0E5
ExitWindowsEx.USER32(00000012,00000000), ref: 0048A0ED

Strings

SeShutdownPrivilege, xrefs: 0048A09D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E370, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 46 Total matches: 14window

Similarity

Total matches: 14
API ID: GetWindowPlacementGetWindowRectIsIconic
String ID: MonitorFromWindow$pB
API String ID: 1187573753-2555291889
Opcode ID: b2662cef33c9ce970c581efdfdde34e0c8b40e940518fa378c404c4b73bde14f
Instruction ID: 5a6b2a18135ea14e651d4e6cb58f3d6b41c3321aed1c605d56f3d84144375520
Opcode Fuzzy Hash: E2D0977303280A045DC34844302880B2A322AD3C3188C3FE182332B3D34B8630BCCF1D
Instruction Fuzzy Hash: 5a6b2a18135ea14e651d4e6cb58f3d6b41c3321aed1c605d56f3d84144375520

APIs

IsIconic.USER32(?), ref: 0042E3B9
GetWindowPlacement.USER32(?,?), ref: 0042E3C7
GetWindowRect.USER32(?,?), ref: 0042E3D3

Part of subcall function 0042E2E0: GetSystemMetrics.USER32(00000000), ref: 0042E331
Part of subcall function 0042E2E0: GetSystemMetrics.USER32(00000001), ref: 0042E33D

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

pB, xrefs: 0042E38C, 0042E399, 0042E3A0
MonitorFromWindow, xrefs: 0042E387

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004715B0, Relevance: 7.5, APIs: 5, Instructions: 49 Total matches: 102service

Similarity

Total matches: 102
API ID: CloseServiceHandle$DeleteServiceOpenSCManagerOpenService
String ID:
API String ID: 3460840894-0
Opcode ID: edfa3289dfdb26ec1f91a4a945de349b204e0a604ed3354c303b362bde8b8223
Instruction ID: 514bcffe4070602af344c66095507f6a8d55ec3e3e7bb18c804bf3b7deea95f5
Opcode Fuzzy Hash: 01D02E841BA8F82FD4879988111239360C1AA23A90D8A37F08E08361D3ABE4004CF86A
Instruction Fuzzy Hash: 514bcffe4070602af344c66095507f6a8d55ec3e3e7bb18c804bf3b7deea95f5

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047162F), ref: 004715DB
OpenServiceA.ADVAPI32(00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 004715F5
DeleteService.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471601
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 0047160E
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471614

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474D58, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 57 Total matches: 14memoryinjection

Similarity

Total matches: 14
API ID: VirtualAllocExWriteProcessMemory
String ID: DCPERSFWBP$[FILE]
API String ID: 1899012086-3297815924
Opcode ID: 423b64deca3bc68d45fc180ef4fe9512244710ab636da43375ed106f5e876429
Instruction ID: 67bfdac44fec7567ab954589a4a4ae8848f6352de5e33de26bc6a5b7174d46b5
Opcode Fuzzy Hash: 4BD02B4149BDE17FF94C78C4A85678341A7D3173DCE802F51462633086CD94147EFCA2
Instruction Fuzzy Hash: 67bfdac44fec7567ab954589a4a4ae8848f6352de5e33de26bc6a5b7174d46b5

APIs

VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?,00000000,00000000,00000000,?,004755A7), ref: 00474D98
WriteProcessMemory.KERNEL32(?,00000000,kernel32.dll,?,?,?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?), ref: 00474DBE

Strings

DCPERSFWBP, xrefs: 00474D63
kernel32.dll, xrefs: 00474DBB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00466038, Relevance: 6.1, APIs: 4, Instructions: 80 Total matches: 74memory

Similarity

Total matches: 74
API ID: FreeLibraryGetProcessHeapHeapFreeVirtualFree
String ID:
API String ID: 3842653680-0
Opcode ID: 18c634abe08efcbefc55c9db1d620b030a08f63fe7277eb6ecf1dfb863243027
Instruction ID: c74000fe1f08e302fb3e428a7eb38cba65dd626a731774cc3da5921c0d19fb8b
Opcode Fuzzy Hash: 05E06801058482C6E4EC38C40607F0867817F8B269D70AB2809F62E7F7C985A25D5E80
Instruction Fuzzy Hash: c74000fe1f08e302fb3e428a7eb38cba65dd626a731774cc3da5921c0d19fb8b

APIs

FreeLibrary.KERNEL32(00000000,?,?,00000000,?,00000000,00465C6C), ref: 004660A7
VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,?,00000000,00465C6C), ref: 004660D8
GetProcessHeap.KERNEL32(00000000,?,?,?,00000000,?,00000000,00465C6C), ref: 004660E0
HeapFree.KERNEL32(00000000,00000000,?), ref: 004660E6

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A218, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45 Total matches: 35

Similarity

Total matches: 35
API ID: ShellExecuteEx
String ID: <$runas
API String ID: 188261505-1187129395
Opcode ID: 78fd917f465efea932f782085a819b786d64ecbded851ad2becd4a9c2b295cba
Instruction ID: 699417cfffd9d2823bf050fc300394e0ca4864bf277244f982f3937778f2d3bc
Opcode Fuzzy Hash: 44D0C2651799A06BC4A3B2C03C41B2B25307B13B48C0EB722960034CD38F080009EF85
Instruction Fuzzy Hash: 699417cfffd9d2823bf050fc300394e0ca4864bf277244f982f3937778f2d3bc

APIs

ShellExecuteExA.SHELL32(0000003C,00000000,0048A2A4), ref: 0048A283

Strings

runas, xrefs: 0048A268
<, xrefs: 0048A24C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00471640, Relevance: 4.6, APIs: 3, Instructions: 140 Total matches: 47service

Similarity

Total matches: 47
API ID: CloseServiceHandleEnumServicesStatusOpenSCManager
String ID:
API String ID: 233299287-0
Opcode ID: 185c547a2e6a35dbb7ea54b3dd23c7efef250d35a63269c87f9c499be03b9b38
Instruction ID: 4325fe5331610a1e4ee3b19dd885bf5302e7ab4f054d8126da991c50fe425a8d
Opcode Fuzzy Hash: D3112647077BC223FB612D841803F8279D84B1AA24F8C4B458BB5BC6F61E490105F69D
Instruction Fuzzy Hash: 4325fe5331610a1e4ee3b19dd885bf5302e7ab4f054d8126da991c50fe425a8d

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000005,00000000,00471828), ref: 004716A2
EnumServicesStatusA.ADVAPI32(00000000,0000013F,00000003,?,00004800,?,?,?), ref: 004716DC

Part of subcall function 004714B8: OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047159E), ref: 004714FD
Part of subcall function 004714B8: OpenServiceA.ADVAPI32(00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047152D
Part of subcall function 004714B8: StartServiceA.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471555
Part of subcall function 004714B8: ControlService.ADVAPI32(00000000,00000001,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471563
Part of subcall function 004714B8: QueryServiceStatus.ADVAPI32(00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047156D
Part of subcall function 004714B8: CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471573
Part of subcall function 004714B8: CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471579

CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000005,00000000,00471828), ref: 00471805

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042F204, Relevance: 166.5, APIs: 48, Strings: 47, Instructions: 266 Total matches: 2590libraryloader

Similarity

Total matches: 2590
API ID: GetProcAddress$LoadLibrary
String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$[FILE]
API String ID: 2209490600-790253602
Opcode ID: d5b316937265a1d63c550ac9e6780b23ae603b9b00a4eb52bbd2495b45327185
Instruction ID: cdd6db89471e363eb0c024dafd59dce8bdfa3de864d9ed8bc405e7c292d3cab1
Opcode Fuzzy Hash: 3A41197F44EC1149F6A0DA0830FF64324E669EAF2C0325F101587303717ADBF52A6AB9
Instruction Fuzzy Hash: cdd6db89471e363eb0c024dafd59dce8bdfa3de864d9ed8bc405e7c292d3cab1

APIs

LoadLibraryA.KERNEL32(uxtheme.dll), ref: 0042F23A
GetProcAddress.KERNEL32(00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F252
GetProcAddress.KERNEL32(00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F264
GetProcAddress.KERNEL32(00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F276
GetProcAddress.KERNEL32(00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F288
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F29A
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F2AC
GetProcAddress.KERNEL32(00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000), ref: 0042F2BE
GetProcAddress.KERNEL32(00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData), ref: 0042F2D0
GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData), ref: 0042F2E2
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground), ref: 0042F2F4
GetProcAddress.KERNEL32(00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText), ref: 0042F306
GetProcAddress.KERNEL32(00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect), ref: 0042F318
GetProcAddress.KERNEL32(00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect), ref: 0042F32A
GetProcAddress.KERNEL32(00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize), ref: 0042F33C
GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent), ref: 0042F34E
GetProcAddress.KERNEL32(00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics), ref: 0042F360
GetProcAddress.KERNEL32(00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion), ref: 0042F372
GetProcAddress.KERNEL32(00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground), ref: 0042F384
GetProcAddress.KERNEL32(00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge), ref: 0042F396
GetProcAddress.KERNEL32(00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon), ref: 0042F3A8
GetProcAddress.KERNEL32(00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined), ref: 0042F3BA
GetProcAddress.KERNEL32(00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent), ref: 0042F3CC
GetProcAddress.KERNEL32(00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor), ref: 0042F3DE
GetProcAddress.KERNEL32(00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric), ref: 0042F3F0
GetProcAddress.KERNEL32(00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString), ref: 0042F402
GetProcAddress.KERNEL32(00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool), ref: 0042F414
GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt), ref: 0042F426
GetProcAddress.KERNEL32(00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue), ref: 0042F438
GetProcAddress.KERNEL32(00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition), ref: 0042F44A
GetProcAddress.KERNEL32(00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont), ref: 0042F45C
GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect), ref: 0042F46E
GetProcAddress.KERNEL32(00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins), ref: 0042F480
GetProcAddress.KERNEL32(00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList), ref: 0042F492
GetProcAddress.KERNEL32(00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin), ref: 0042F4A4
GetProcAddress.KERNEL32(00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme), ref: 0042F4B6
GetProcAddress.KERNEL32(00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename), ref: 0042F4C8
GetProcAddress.KERNEL32(00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor), ref: 0042F4DA
GetProcAddress.KERNEL32(00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush), ref: 0042F4EC
GetProcAddress.KERNEL32(00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool), ref: 0042F4FE
GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize), ref: 0042F510
GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont), ref: 0042F522
GetProcAddress.KERNEL32(00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString), ref: 0042F534
GetProcAddress.KERNEL32(00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt), ref: 0042F546
GetProcAddress.KERNEL32(00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive), ref: 0042F558
GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed), ref: 0042F56A
GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground,00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme), ref: 0042F57C
GetProcAddress.KERNEL32(00000000,EnableTheming,00000000,DrawThemeParentBackground,00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture), ref: 0042F58E

Strings

EnableTheming, xrefs: 0042F586
CloseThemeData, xrefs: 0042F25C
DrawThemeText, xrefs: 0042F280
GetThemePosition, xrefs: 0042F3C4
IsThemeBackgroundPartiallyTransparent, xrefs: 0042F346
GetThemeBool, xrefs: 0042F38E
GetThemeTextMetrics, xrefs: 0042F2DA
IsThemeDialogTextureEnabled, xrefs: 0042F51A
GetThemeMetric, xrefs: 0042F36A
GetThemeSysInt, xrefs: 0042F4C0
GetThemeInt, xrefs: 0042F3A0
SetThemeAppProperties, xrefs: 0042F53E
IsAppThemed, xrefs: 0042F4E4
EnableThemeDialogTexture, xrefs: 0042F508
GetThemeEnumValue, xrefs: 0042F3B2
GetThemeSysSize, xrefs: 0042F48A
GetThemeTextExtent, xrefs: 0042F2C8
DrawThemeBackground, xrefs: 0042F26E
GetThemeBackgroundRegion, xrefs: 0042F2EC
IsThemeActive, xrefs: 0042F4D2
GetThemeBackgroundContentRect, xrefs: 0042F292, 0042F2A4
uxtheme.dll, xrefs: 0042F235
GetThemeSysString, xrefs: 0042F4AE
DrawThemeEdge, xrefs: 0042F310
GetThemeFilename, xrefs: 0042F442
GetThemeIntList, xrefs: 0042F40C
GetThemeSysBool, xrefs: 0042F478
GetThemeSysColor, xrefs: 0042F454
GetThemeFont, xrefs: 0042F3D6
GetWindowTheme, xrefs: 0042F4F6
GetThemeMargins, xrefs: 0042F3FA
GetThemeSysColorBrush, xrefs: 0042F466
GetCurrentThemeName, xrefs: 0042F550
GetThemeAppProperties, xrefs: 0042F52C
GetThemePropertyOrigin, xrefs: 0042F41E
OpenThemeData, xrefs: 0042F24A
GetThemeSysFont, xrefs: 0042F49C
GetThemeRect, xrefs: 0042F3E8
GetThemeDocumentationProperty, xrefs: 0042F562
IsThemePartDefined, xrefs: 0042F334
SetWindowTheme, xrefs: 0042F430
GetThemePartSize, xrefs: 0042F2B6
GetThemeColor, xrefs: 0042F358
DrawThemeParentBackground, xrefs: 0042F574
DrawThemeIcon, xrefs: 0042F322
GetThemeString, xrefs: 0042F37C
HitTestThemeBackground, xrefs: 0042F2FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004754C4, Relevance: 87.7, APIs: 29, Strings: 21, Instructions: 233 Total matches: 21libraryloaderprocess

Similarity

Total matches: 21
API ID: GetModuleHandleGetProcAddress$CreateProcess
String ID: CloseHandle$CreateMutexA$CreateProcessA$D$DCPERSFWBP$ExitThread$GetExitCodeProcess$GetLastError$GetProcAddress$LoadLibraryA$MessageBoxA$OpenProcess$SetLastError$Sleep$TerminateProcess$WaitForSingleObject$kernel32$[FILE]$notepad$user32$[FILE]
API String ID: 3751337051-3523759359
Opcode ID: 948186da047cc935dcd349cc6fe59913c298c2f7fe37e158e253dfef2729ac1f
Instruction ID: 4cc698827aad1f96db961776656dbb42e561cfa105640199e72939f2d3a7da76
Opcode Fuzzy Hash: 0C31B4E666B8F349E6362E4830D46BC26C1A687F3DB52D7004A37B27C46E810407F776
Instruction Fuzzy Hash: 4cc698827aad1f96db961776656dbb42e561cfa105640199e72939f2d3a7da76

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 00475590

Part of subcall function 00474D58: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?,00000000,00000000,00000000,?,004755A7), ref: 00474D98
Part of subcall function 00474D58: WriteProcessMemory.KERNEL32(?,00000000,kernel32.dll,?,?,?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?), ref: 00474DBE

GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756B4
GetProcAddress.KERNEL32(00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756BA
GetModuleHandleA.KERNEL32(kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756CB
GetProcAddress.KERNEL32(00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756D1
GetModuleHandleA.KERNEL32(kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756E3
GetProcAddress.KERNEL32(00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 004756E9
GetModuleHandleA.KERNEL32(user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 004756FB
GetProcAddress.KERNEL32(00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 00475701
GetModuleHandleA.KERNEL32(kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 00475713
GetProcAddress.KERNEL32(00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000), ref: 00475719
GetModuleHandleA.KERNEL32(kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32), ref: 0047572B
GetProcAddress.KERNEL32(00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000), ref: 00475731
GetModuleHandleA.KERNEL32(kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32), ref: 00475743
GetProcAddress.KERNEL32(00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000), ref: 00475749
GetModuleHandleA.KERNEL32(kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32), ref: 0047575B
GetProcAddress.KERNEL32(00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000), ref: 00475761
GetModuleHandleA.KERNEL32(kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32), ref: 00475773
GetProcAddress.KERNEL32(00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000), ref: 00475779
GetModuleHandleA.KERNEL32(kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32), ref: 0047578B
GetProcAddress.KERNEL32(00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000), ref: 00475791
GetModuleHandleA.KERNEL32(kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32), ref: 004757A3
GetProcAddress.KERNEL32(00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000), ref: 004757A9
GetModuleHandleA.KERNEL32(kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32), ref: 004757BB
GetProcAddress.KERNEL32(00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000), ref: 004757C1
GetModuleHandleA.KERNEL32(kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32), ref: 004757D3
GetProcAddress.KERNEL32(00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000), ref: 004757D9
GetModuleHandleA.KERNEL32(kernel32,OpenProcess,00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32), ref: 004757EB
GetProcAddress.KERNEL32(00000000,kernel32,OpenProcess,00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000), ref: 004757F1

Part of subcall function 00474E20: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00474E5E
Part of subcall function 00474E20: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00474E6E
Part of subcall function 00474E20: ReadProcessMemory.KERNEL32(?,00000000,?,?,?,DCPERSFWBP,?,?), ref: 00474E81

Part of subcall function 0040F234: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0048F90F,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040F24B

Strings

ExitThread, xrefs: 00475622, 00475799
kernel32, xrefs: 004756AF, 004756C6, 004756DE, 0047570E, 00475726, 0047573E, 00475756, 0047576E, 00475786, 0047579E, 004757B6, 004757CE, 004757E6
GetProcAddress, xrefs: 004756C1
TerminateProcess, xrefs: 0047564C, 004757B1
notepad, xrefs: 00475543
CreateMutexA, xrefs: 00475604, 00475769
kernel32.dll, xrefs: 0047559B
user32.dll, xrefs: 004755AA
SetLastError, xrefs: 004755F5, 00475751
D, xrefs: 00475517
DCPERSFWBP, xrefs: 00475563
Sleep, xrefs: 004755B9, 004756D9
GetExitCodeProcess, xrefs: 0047565B, 00475781
user32, xrefs: 004756F6
WaitForSingleObject, xrefs: 0047567E, 004757C9
LoadLibraryA, xrefs: 004756AA
OpenProcess, xrefs: 00475631, 004757E1
MessageBoxA, xrefs: 004755C8, 004756F1
CreateProcessA, xrefs: 004755D7, 00475721
GetLastError, xrefs: 004755E6, 00475739
CloseHandle, xrefs: 00475613, 00475709

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00460DDC, Relevance: 75.4, APIs: 24, Strings: 19, Instructions: 132 Total matches: 77libraryloader

Similarity

Total matches: 77
API ID: GetProcAddress$LoadLibrary
String ID: EmptyWorkingSet$EnumDeviceDrivers$EnumProcessModules$EnumProcesses$GetDeviceDriverBaseNameA$GetDeviceDriverBaseNameW$GetDeviceDriverFileNameA$GetDeviceDriverFileNameW$GetMappedFileNameA$GetMappedFileNameW$GetModuleBaseNameA$GetModuleBaseNameW$GetModuleFileNameExA$GetModuleFileNameExW$GetModuleInformation$GetProcessMemoryInfo$InitializeProcessForWsWatch$[FILE]$QueryWorkingSet
API String ID: 2209490600-4166134900
Opcode ID: aaefed414f62a40513f9ac2234ba9091026a29d00b8defe743cdf411cc1f958a
Instruction ID: 585c55804eb58d57426aaf25b5bf4c27b161b10454f9e43d23d5139f544de849
Opcode Fuzzy Hash: CC1125BF55AD1149CBA48A6C34EF70324D3399A90D4228F10A492317397DDFE49A1FB5
Instruction Fuzzy Hash: 585c55804eb58d57426aaf25b5bf4c27b161b10454f9e43d23d5139f544de849

APIs

LoadLibraryA.KERNEL32(PSAPI.dll), ref: 00460DF0
GetProcAddress.KERNEL32(00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E0C
GetProcAddress.KERNEL32(00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E1E
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E30
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E42
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E54
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E66
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll), ref: 00460E78
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses), ref: 00460E8A
GetProcAddress.KERNEL32(00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules), ref: 00460E9C
GetProcAddress.KERNEL32(00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA), ref: 00460EAE
GetProcAddress.KERNEL32(00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA), ref: 00460EC0
GetProcAddress.KERNEL32(00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA), ref: 00460ED2
GetProcAddress.KERNEL32(00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA), ref: 00460EE4
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW), ref: 00460EF6
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW), ref: 00460F08
GetProcAddress.KERNEL32(00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation), ref: 00460F1A
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet), ref: 00460F2C
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet), ref: 00460F3E
GetProcAddress.KERNEL32(00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch), ref: 00460F50
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA), ref: 00460F62
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA), ref: 00460F74
GetProcAddress.KERNEL32(00000000,EnumDeviceDrivers,00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA), ref: 00460F86
GetProcAddress.KERNEL32(00000000,GetProcessMemoryInfo,00000000,EnumDeviceDrivers,00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA), ref: 00460F98

Strings

GetDeviceDriverFileNameA, xrefs: 00460F00, 00460F36
GetModuleInformation, xrefs: 00460E94
QueryWorkingSet, xrefs: 00460EB8
EnumProcessModules, xrefs: 00460E16
InitializeProcessForWsWatch, xrefs: 00460ECA
GetMappedFileNameA, xrefs: 00460EDC, 00460F12
GetDeviceDriverFileNameW, xrefs: 00460F6C
GetDeviceDriverBaseNameA, xrefs: 00460EEE, 00460F24
PSAPI.dll, xrefs: 00460DEB
EnumProcesses, xrefs: 00460E04
EnumDeviceDrivers, xrefs: 00460F7E
GetModuleBaseNameA, xrefs: 00460E28, 00460E4C
GetModuleFileNameExA, xrefs: 00460E3A, 00460E5E
GetDeviceDriverBaseNameW, xrefs: 00460F5A
EmptyWorkingSet, xrefs: 00460EA6
GetModuleFileNameExW, xrefs: 00460E82
GetModuleBaseNameW, xrefs: 00460E70
GetMappedFileNameW, xrefs: 00460F48
GetProcessMemoryInfo, xrefs: 00460F90

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474F80, Relevance: 68.4, APIs: 23, Strings: 16, Instructions: 193 Total matches: 16libraryloaderprocess

Similarity

Total matches: 16
API ID: GetModuleHandleGetProcAddress$CreateProcess
String ID: CloseHandle$D$DeleteFileA$ExitThread$GetExitCodeProcess$GetLastError$GetProcAddress$LoadLibraryA$MessageBoxA$OpenProcess$Sleep$TerminateProcess$kernel32$[FILE]$notepad$[FILE]
API String ID: 3751337051-1992750546
Opcode ID: f3e5bd14b9eca4547e1d82111e60eaf505a3b72a2acd12d9f4d60f775fac33f7
Instruction ID: 521cd1f5f1d68558a350981a4af58b67496248f6491df8a54ee4dd11dd84c66b
Opcode Fuzzy Hash: 6C21A7BE2678E349F6766E1834D567C2491BA46A38B4AEB010237376C44F91000BFF76
Instruction Fuzzy Hash: 521cd1f5f1d68558a350981a4af58b67496248f6491df8a54ee4dd11dd84c66b

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0047500B

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

Part of subcall function 00474D58: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?,00000000,00000000,00000000,?,004755A7), ref: 00474D98
Part of subcall function 00474D58: WriteProcessMemory.KERNEL32(?,00000000,kernel32.dll,?,?,?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?), ref: 00474DBE

GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000,00475246), ref: 0047511C
GetProcAddress.KERNEL32(00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000,00475246), ref: 00475122
GetModuleHandleA.KERNEL32(kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000), ref: 00475133
GetProcAddress.KERNEL32(00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 00475139
GetModuleHandleA.KERNEL32(kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000), ref: 0047514B
GetProcAddress.KERNEL32(00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000), ref: 00475151
GetModuleHandleA.KERNEL32(kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000), ref: 00475163
GetProcAddress.KERNEL32(00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000), ref: 00475169
GetModuleHandleA.KERNEL32(kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000), ref: 0047517B
GetProcAddress.KERNEL32(00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000), ref: 00475181
GetModuleHandleA.KERNEL32(kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32), ref: 00475193
GetProcAddress.KERNEL32(00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000), ref: 00475199
GetModuleHandleA.KERNEL32(kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32), ref: 004751AB
GetProcAddress.KERNEL32(00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000), ref: 004751B1
GetModuleHandleA.KERNEL32(kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32), ref: 004751C3
GetProcAddress.KERNEL32(00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000), ref: 004751C9
GetModuleHandleA.KERNEL32(kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32), ref: 004751DB
GetProcAddress.KERNEL32(00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000), ref: 004751E1
GetModuleHandleA.KERNEL32(kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32), ref: 004751F3
GetProcAddress.KERNEL32(00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000), ref: 004751F9
GetModuleHandleA.KERNEL32(kernel32,GetExitCodeProcess,00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32), ref: 0047520B
GetProcAddress.KERNEL32(00000000,kernel32,GetExitCodeProcess,00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000), ref: 00475211

Part of subcall function 00474E20: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00474E5E
Part of subcall function 00474E20: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00474E6E
Part of subcall function 00474E20: ReadProcessMemory.KERNEL32(?,00000000,?,?,?,DCPERSFWBP,?,?), ref: 00474E81

Part of subcall function 0040F234: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0048F90F,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040F24B

Strings

DeleteFileA, xrefs: 0047509B, 00475189
user32.dll, xrefs: 0047505F
LoadLibraryA, xrefs: 00475112
Sleep, xrefs: 0047506E, 00475141
notepad, xrefs: 00475025
OpenProcess, xrefs: 004750D7, 004751E9
kernel32.dll, xrefs: 00475050
GetProcAddress, xrefs: 00475129
ExitThread, xrefs: 0047508C, 00475171
TerminateProcess, xrefs: 004750B9, 004751B9
kernel32, xrefs: 00475117, 0047512E, 00475146, 0047515E, 00475176, 0047518E, 004751A6, 004751BE, 004751D6, 004751EE, 00475206
MessageBoxA, xrefs: 0047507D, 00475159
CloseHandle, xrefs: 004750C8, 004751D1
GetLastError, xrefs: 004750AA, 004751A1
GetExitCodeProcess, xrefs: 004750E6, 00475201
D, xrefs: 00474FC9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045D6E8, Relevance: 49.1, APIs: 15, Strings: 13, Instructions: 95 Total matches: 1532libraryloader

Similarity

Total matches: 1532
API ID: GetProcAddress$SetErrorMode$GetModuleHandleLoadLibrary
String ID: ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME$[FILE]
API String ID: 4285671783-683095915
Opcode ID: 6332f91712b4189a2fbf9eac54066364acf4b46419cf90587b9f7381acad85db
Instruction ID: 372e34bc737a7edc69a1909bd40661afaf820c1de602df88552da6e630419b72
Opcode Fuzzy Hash: 0A01257F24D863CBD2D0CE4934DB39D20B65787C0C8D6DF404605318697F9BF9295A68
Instruction Fuzzy Hash: 372e34bc737a7edc69a1909bd40661afaf820c1de602df88552da6e630419b72

APIs

SetErrorMode.KERNEL32(00008000), ref: 0045D701
GetModuleHandleA.KERNEL32(USER32,00000000,0045D84E,?,00008000), ref: 0045D725
GetProcAddress.KERNEL32(00000000,WINNLSEnableIME,USER32,00000000,0045D84E,?,00008000), ref: 0045D732
LoadLibraryA.KERNEL32(imm32.dll), ref: 0045D74E
GetProcAddress.KERNEL32(00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D770
GetProcAddress.KERNEL32(00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D785
GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D79A
GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7AF
GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7C4
GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E), ref: 0045D7D9
GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000), ref: 0045D7EE
GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext), ref: 0045D803
GetProcAddress.KERNEL32(00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext), ref: 0045D818
GetProcAddress.KERNEL32(00000000,ImmNotifyIME,00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus), ref: 0045D82D
SetErrorMode.KERNEL32(?,0045D855,00008000), ref: 0045D848

Strings

USER32, xrefs: 0045D720
ImmReleaseContext, xrefs: 0045D77A
ImmNotifyIME, xrefs: 0045D822
ImmIsIME, xrefs: 0045D80D
ImmGetConversionStatus, xrefs: 0045D78F
ImmSetCompositionFontA, xrefs: 0045D7E3
ImmGetCompositionStringA, xrefs: 0045D7F8
ImmSetCompositionWindow, xrefs: 0045D7CE
ImmGetContext, xrefs: 0045D765
imm32.dll, xrefs: 0045D749
ImmSetOpenStatus, xrefs: 0045D7B9
WINNLSEnableIME, xrefs: 0045D72C
ImmSetConversionStatus, xrefs: 0045D7A4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004104F0, Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141 Total matches: 3143

Similarity

Total matches: 3143
API ID: GetModuleHandle
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$[FILE]
API String ID: 2196120668-1102361026
Opcode ID: d04b3c176625d43589df9c4c1eaa1faa8af9b9c00307a8a09859a0e62e75f2dc
Instruction ID: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6
Opcode Fuzzy Hash: B8119E48E06A10BC356E3ED6B0292683F50A1A7CBF31D5388487AA46F067C083C0FF2D
Instruction Fuzzy Hash: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 004104F9

Part of subcall function 004104C4: GetProcAddress.KERNEL32(00000000), ref: 004104DD

Strings

VarMod, xrefs: 004105B7
VarBstrFromCy, xrefs: 004106A9
VarBstrFromBool, xrefs: 004106D5
VarAnd, xrefs: 004105CD
VarDateFromStr, xrefs: 00410667
oleaut32.dll, xrefs: 004104F4
VariantChangeTypeEx, xrefs: 00410507
VarCmp, xrefs: 0041060F
VarBstrFromDate, xrefs: 004106BF
VarBoolFromStr, xrefs: 00410693
VarR8FromStr, xrefs: 00410651
VarR4FromStr, xrefs: 0041063B
VarDiv, xrefs: 0041058B
VarSub, xrefs: 0041055F
VarNeg, xrefs: 0041051D
VarAdd, xrefs: 00410549
VarOr, xrefs: 004105E3
VarMul, xrefs: 00410575
VarI4FromStr, xrefs: 00410625
VarCyFromStr, xrefs: 0041067D
VarIdiv, xrefs: 004105A1
VarXor, xrefs: 004105F9
VarNot, xrefs: 00410533

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047EE3C, Relevance: 37.0, APIs: 10, Strings: 11, Instructions: 210 Total matches: 14file

Similarity

Total matches: 14
API ID: ShellExecute$CopyFile$DeleteFilePlaySoundSetFileAttributes
String ID: .dcp$BATCH$EDITSVR$GENCODE$HOSTS$SOUND$UPANDEXEC$UPDATE$UPLOADEXEC$drivers\etc\hosts$open
API String ID: 313780579-486951257
Opcode ID: 44d22e170a376e2c3ac9494fe8a96a526e5340482cd9b2ca1a65bf3f31ad22f8
Instruction ID: 609fd5320f3736894535b51981f95e3d4faf5b0f44a63c85dacee75dc97e5f91
Opcode Fuzzy Hash: 482159C03AA5D247E11B38503C02FC671E1AB8B365C4E774182B9B32D6EF825029EF59
Instruction Fuzzy Hash: 609fd5320f3736894535b51981f95e3d4faf5b0f44a63c85dacee75dc97e5f91

APIs

ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EEA0
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF11
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EF31
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF60

Part of subcall function 00475BD8: closesocket.WSOCK32(00000248,00000000,00475D47,?,00000000,00475D76,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00475D2E
Part of subcall function 00475BD8: GetCurrentProcessId.KERNEL32(00000248,00000000,00475D47,?,00000000,00475D76,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00475D33

ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0047EF96
CopyFileA.KERNEL32(00000000,00000000,.dcp), ref: 0047F0D1

Part of subcall function 00489C78: GetSystemDirectoryA.KERNEL32(00000000,?), ref: 00489CB4

SetFileAttributesA.KERNEL32(00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFD6
DeleteFileA.KERNEL32(00000000,00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFFF
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0047F033
PlaySoundA.WINMM(00000000,00000000,00000001,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047F059

Strings

UPANDEXEC, xrefs: 0047EF74
UPLOADEXEC, xrefs: 0047EE7E
BATCH, xrefs: 0047EEC3
drivers\etc\hosts, xrefs: 0047EFC3, 0047EFE6, 0047F017
GENCODE, xrefs: 0047F0A0
UPDATE, xrefs: 0047EF3E
open, xrefs: 0047EE99, 0047EF0A, 0047EF2A, 0047EF59, 0047EF8F
HOSTS, xrefs: 0047EFA3
.dcp, xrefs: 0047F0AD
SOUND, xrefs: 0047F040
EDITSVR, xrefs: 0047F063

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00489580, Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 221 Total matches: 17pipewindowsleep

Similarity

Total matches: 17
API ID: CloseHandleCreatePipePeekNamedPipe$CreateProcessDispatchMessageGetEnvironmentVariableGetExitCodeProcessOemToCharPeekMessageReadFileSleepTerminateProcessTranslateMessage
String ID: COMSPEC$D
API String ID: 4101216710-942777791
Opcode ID: 98b6063c36b7c4f9ee270a2712a57a54142ac9cf893dea9da1c9317ddc3726ed
Instruction ID: f750be379b028122e82cf807415e9f3aafae13f02fb218c552ebf65ada2f023f
Opcode Fuzzy Hash: 6221AE4207BD57A3E5972A046403B841372FF43A68F6CA7A2A6FD367E9CE400099FE14
Instruction Fuzzy Hash: f750be379b028122e82cf807415e9f3aafae13f02fb218c552ebf65ada2f023f

APIs

CreatePipe.KERNEL32(FFFFFFFF,?,00000000,00000000), ref: 004895ED
CreatePipe.KERNEL32(?,?,00000000,00000000,FFFFFFFF,?,00000000,00000000), ref: 004895FD
GetEnvironmentVariableA.KERNEL32(COMSPEC,?,00000104,?,?,00000000,00000000,FFFFFFFF,?,00000000,00000000), ref: 00489613
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?), ref: 00489668
Sleep.KERNEL32(000007D0,00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,COMSPEC,?,00000104,?,?), ref: 00489685
TranslateMessage.USER32(?), ref: 00489693
DispatchMessageA.USER32(?), ref: 0048969F
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004896B3
GetExitCodeProcess.KERNEL32(?,?), ref: 004896C8
PeekNamedPipe.KERNEL32(FFFFFFFF,00000000,00000000,00000000,?,00000000,?,?,?,00000000,00000000,00000000,00000001,?,?,?), ref: 004896F2
ReadFile.KERNEL32(FFFFFFFF,?,00002400,00000000,00000000), ref: 00489717
OemToCharA.USER32(?,?), ref: 0048972E
PeekNamedPipe.KERNEL32(FFFFFFFF,00000000,00000000,00000000,00000000,00000000,?,FFFFFFFF,?,00002400,00000000,00000000,FFFFFFFF,00000000,00000000,00000000), ref: 00489781

Part of subcall function 0041FA34: GetLastError.KERNEL32(00486514,00000004,0048650C,00000000,0041FADE,?,00499F5C), ref: 0041FA94

Part of subcall function 0041FC40: SetThreadPriority.KERNEL32(?,015CDB28,00499F5C,?,0047EC9E,?,?,?,00000000,00000000,?,0049062B), ref: 0041FC55

Part of subcall function 0041FEF0: ResumeThread.KERNEL32(?,00499F5C,?,0047ECAA,?,?,?,00000000,00000000,?,0049062B), ref: 0041FEF8

Part of subcall function 0041FF20: GetCurrentThreadId.KERNEL32 ref: 0041FF2E
Part of subcall function 0041FF20: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0041FF5A
Part of subcall function 0041FF20: MsgWaitForMultipleObjects.USER32(00000002,?,00000000,000003E8,00000040), ref: 0041FF6F
Part of subcall function 0041FF20: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041FF9C
Part of subcall function 0041FF20: GetExitCodeThread.KERNEL32(?,?,?,000000FF), ref: 0041FFA7

TerminateProcess.KERNEL32(?,00000000,00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,COMSPEC,?,00000104,?), ref: 0048980A
CloseHandle.KERNEL32(?), ref: 00489813
CloseHandle.KERNEL32(?), ref: 0048981C

Strings

D, xrefs: 00489627
COMSPEC, xrefs: 0048960E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004291D0, Relevance: 31.7, APIs: 21, Instructions: 194 Total matches: 3060window

Similarity

Total matches: 3060
API ID: SelectObject$CreateCompatibleDCDeleteDCRealizePaletteSelectPaletteSetBkColor$BitBltCreateBitmapDeleteObjectGetDCGetObjectPatBltReleaseDC
String ID:
API String ID: 628774946-0
Opcode ID: fe3971f2977393a3c43567018b8bbe78de127415e632ac21538e816cc0dd5250
Instruction ID: 6115c1c3159ef7867d394253bd6a45f4e10092e6f2e7cc69ab30c5ac2c74a228
Opcode Fuzzy Hash: 2911294A05CCF32B64B579881983B261182FE43B52CABF7105979272CACF41740DE457
Instruction Fuzzy Hash: 6115c1c3159ef7867d394253bd6a45f4e10092e6f2e7cc69ab30c5ac2c74a228

APIs

GetObjectA.GDI32(?,00000054,?), ref: 004291F3
GetDC.USER32(00000000), ref: 00429221
CreateCompatibleDC.GDI32(?), ref: 00429232
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0042924D
SelectObject.GDI32(?,00000000), ref: 00429267
PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 00429289
CreateCompatibleDC.GDI32(?), ref: 00429297
DeleteDC.GDI32(?), ref: 0042937D

Part of subcall function 00428B08: GetObjectA.GDI32(00000000,00000054,?), ref: 00428B88
Part of subcall function 00428B08: GetDC.USER32(00000000), ref: 00428B99
Part of subcall function 00428B08: CreateCompatibleDC.GDI32(00000000), ref: 00428BAA
Part of subcall function 00428B08: CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 00428BF6
Part of subcall function 00428B08: CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 00428C1A
Part of subcall function 00428B08: GetDeviceCaps.GDI32(00000028,0000000C), ref: 00428C6A
Part of subcall function 00428B08: GetDeviceCaps.GDI32(00000028,0000000E), ref: 00428C77
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00428D21
Part of subcall function 00428B08: GetDIBColorTable.GDI32(?,00000000,00000100,-00000027), ref: 00428D47
Part of subcall function 00428B08: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428D72
Part of subcall function 00428B08: SelectObject.GDI32(?,?), ref: 00428D7F
Part of subcall function 00428B08: CreateDIBSection.GDI32(00000028,00000001,00000000,00000003,00000000,00000000), ref: 00428DD5
Part of subcall function 00428B08: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428E36
Part of subcall function 00428B08: SelectObject.GDI32(?,?), ref: 00428E77
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,00000000), ref: 00428EB7
Part of subcall function 00428B08: RealizePalette.GDI32(?), ref: 00428EC3
Part of subcall function 00428B08: FillRect.USER32(?,?,00000000), ref: 00428F14
Part of subcall function 00428B08: SetTextColor.GDI32(?,00000000), ref: 00428F2C
Part of subcall function 00428B08: SetBkColor.GDI32(?,00000000), ref: 00428F46
Part of subcall function 00428B08: SetDIBColorTable.GDI32(?,00000000,00000002,?), ref: 00428F8E
Part of subcall function 00428B08: PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 00428FB0
Part of subcall function 00428B08: CreateCompatibleDC.GDI32(00000028), ref: 00428FC3
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00428FE6
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,00000000), ref: 00429002
Part of subcall function 00428B08: RealizePalette.GDI32(?), ref: 0042900D
Part of subcall function 00428B08: SetTextColor.GDI32(?,00000000), ref: 0042902B
Part of subcall function 00428B08: SetBkColor.GDI32(?,00000000), ref: 00429045
Part of subcall function 00428B08: BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042906D
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,000000FF), ref: 0042907F
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00429089
Part of subcall function 00428B08: DeleteDC.GDI32(?), ref: 004290A4
Part of subcall function 00428B08: SelectPalette.GDI32(?,?,000000FF), ref: 004290CE

SelectObject.GDI32(?), ref: 004292DF
SelectPalette.GDI32(?,?,00000000), ref: 004292F2
RealizePalette.GDI32(?), ref: 004292FB
SelectPalette.GDI32(?,?,00000000), ref: 00429307
RealizePalette.GDI32(?), ref: 00429310
SetBkColor.GDI32(?), ref: 0042931A
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042933E
SetBkColor.GDI32(?,00000000), ref: 00429348
SelectObject.GDI32(?,00000000), ref: 0042935B
DeleteObject.GDI32 ref: 00429367
SelectObject.GDI32(?,00000000), ref: 00429398
DeleteDC.GDI32(00000000), ref: 004293B4
ReleaseDC.USER32(00000000,00000000), ref: 004293C5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004031FC, Relevance: 27.1, APIs: 9, Strings: 9, Instructions: 110 Total matches: 169

Similarity

Total matches: 169
API ID: CharNext
String ID: $ $ $"$"$"$"$"$"
API String ID: 3213498283-3597982963
Opcode ID: a78e52ca640c3a7d11d18e4cac849d6c7481ab065be4a6ef34a7c34927dd7892
Instruction ID: 5d6dbb870b020a65ba4fa9e31a5dda400ef744f15fc7bff5e21739e263984da5
Opcode Fuzzy Hash: D0F054139ED4432360976B416872B44E2D0DF9564D2C01F185B62BE2F31E696D62F9DC
Instruction Fuzzy Hash: 5d6dbb870b020a65ba4fa9e31a5dda400ef744f15fc7bff5e21739e263984da5

APIs

CharNextA.USER32(00000000), ref: 00403208
CharNextA.USER32(00000000), ref: 00403236
CharNextA.USER32(00000000), ref: 00403240
CharNextA.USER32(00000000), ref: 0040325F
CharNextA.USER32(00000000), ref: 00403269
CharNextA.USER32(00000000), ref: 00403295
CharNextA.USER32(00000000), ref: 0040329F
CharNextA.USER32(00000000), ref: 004032C7
CharNextA.USER32(00000000), ref: 004032D1

Strings

", xrefs: 00403230
, xrefs: 004032E9
", xrefs: 0040328F
", xrefs: 0040321E
, xrefs: 00403214
", xrefs: 00403254
, xrefs: 00403278
", xrefs: 00403219
", xrefs: 004032BC

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00472E88, Relevance: 26.4, APIs: 6, Strings: 9, Instructions: 199 Total matches: 19network

Similarity

Total matches: 19
API ID: inet_ntoa$WSAIoctlclosesocketsocket
String ID: Broadcast adress : $ Broadcasts : NO$ Broadcasts : YES$ IP : $ IP Mask : $ Loopback interface$ Network interface$ Status : DOWN$ Status : UP
API String ID: 2271367613-1810517698
Opcode ID: 3d4dbe25dc82bdd7fd028c6f91bddee7ad6dc1d8a686e5486e056cbc58026438
Instruction ID: 018b2a24353d4e3a07e7e79b390110fecb7011e72bd4e8fb6250bb24c4a02172
Opcode Fuzzy Hash: E22138C22338E1B2D42A39C6B500F80B651671FB7EF481F9652B6FFDC26E488005A749
Instruction Fuzzy Hash: 018b2a24353d4e3a07e7e79b390110fecb7011e72bd4e8fb6250bb24c4a02172

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00473108), ref: 00472EC7
WSAIoctl.WS2_32(000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000), ref: 00472F08
inet_ntoa.WSOCK32(?,00000000,004730D5,?,00000002,00000001,00000000,00000000,00473108), ref: 00472F40
inet_ntoa.WSOCK32(?,00473130,?, IP : ,?,?,00000000,004730D5,?,00000002,00000001,00000000,00000000,00473108), ref: 00472F81
inet_ntoa.WSOCK32(?,00473130,?, IP Mask : ,?,?,00473130,?, IP : ,?,?,00000000,004730D5,?,00000002,00000001), ref: 00472FC2
closesocket.WSOCK32(000000FF,00000002,00000001,00000000,00000000,00473108), ref: 004730E3

Strings

Broadcast adress : , xrefs: 00472FCB
Status : UP, xrefs: 00473001
IP Mask : , xrefs: 00472F8A
Broadcasts : NO, xrefs: 00473057
Status : DOWN, xrefs: 0047301B
IP : , xrefs: 00472F49
Broadcasts : YES, xrefs: 0047303D
Network interface, xrefs: 00473091
Loopback interface, xrefs: 00473077

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045944C, Relevance: 25.8, APIs: 17, Instructions: 258 Total matches: 99

Similarity

Total matches: 99
API ID: OffsetRect$MapWindowPoints$DrawEdgeExcludeClipRectFillRectGetClientRectGetRgnBoxGetWindowDCGetWindowLongGetWindowRectInflateRectIntersectClipRectIntersectRectReleaseDC
String ID:
API String ID: 549690890-0
Opcode ID: 4a5933c45267f4417683cc1ac528043082b1f46eca0dcd21c58a50742ec4aa88
Instruction ID: 2ecbe6093ff51080a4fa1a6c7503b414327ded251fe39163baabcde2d7402924
Opcode Fuzzy Hash: DE316B4D01AF1663F073A6401983F7A1516FF43A89CD837F27EE63235E27662066AA03
Instruction Fuzzy Hash: 2ecbe6093ff51080a4fa1a6c7503b414327ded251fe39163baabcde2d7402924

APIs

GetWindowDC.USER32(00000000), ref: 00459480
GetClientRect.USER32(00000000,?), ref: 004594A3
GetWindowRect.USER32(00000000,?), ref: 004594B5
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 004594CB
OffsetRect.USER32(?,?,?), ref: 004594E0
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 004594F9
InflateRect.USER32(?,00000000,00000000), ref: 00459517
GetWindowLongA.USER32(00000000,000000F0), ref: 00459531
DrawEdge.USER32(?,?,?,00000008), ref: 00459630
IntersectClipRect.GDI32(?,?,?,?,?), ref: 00459649
OffsetRect.USER32(?,?,?), ref: 00459673
GetRgnBox.GDI32(?,?), ref: 00459682
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 00459698
IntersectRect.USER32(?,?,?), ref: 004596A9
OffsetRect.USER32(?,?,?), ref: 004596BE

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?,00000000), ref: 004596DA
ReleaseDC.USER32(00000000,?), ref: 004596F9

Part of subcall function 004328FC: GetWindowLongA.USER32(00000000,000000EC), ref: 00432917
Part of subcall function 004328FC: GetWindowRect.USER32(00000000,?), ref: 00432932
Part of subcall function 004328FC: OffsetRect.USER32(?,?,?), ref: 00432947
Part of subcall function 004328FC: GetWindowDC.USER32(00000000), ref: 00432955
Part of subcall function 004328FC: GetWindowLongA.USER32(00000000,000000F0), ref: 00432986
Part of subcall function 004328FC: GetSystemMetrics.USER32(00000002), ref: 0043299B
Part of subcall function 004328FC: GetSystemMetrics.USER32(00000003), ref: 004329A4
Part of subcall function 004328FC: InflateRect.USER32(?,000000FE,000000FE), ref: 004329B3
Part of subcall function 004328FC: GetSysColorBrush.USER32(0000000F), ref: 004329E0
Part of subcall function 004328FC: FillRect.USER32(?,?,00000000), ref: 004329EE
Part of subcall function 004328FC: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00432A13
Part of subcall function 004328FC: ReleaseDC.USER32(00000000,?), ref: 00432A51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00465A0C, Relevance: 21.2, APIs: 6, Strings: 8, Instructions: 232 Total matches: 70memory

Similarity

Total matches: 70
API ID: VirtualAlloc$GetProcessHeapHeapAlloc
String ID: BTMemoryLoadLibary: BuildImportTable failed$BTMemoryLoadLibary: Can't attach library$BTMemoryLoadLibary: Get DLLEntyPoint failed$BTMemoryLoadLibary: IMAGE_NT_SIGNATURE is not valid$BTMemoryLoadLibary: VirtualAlloc failed$BTMemoryLoadLibary: dll dos header is not valid$MZ$PE
API String ID: 2488116186-3631919656
Opcode ID: 3af931fd5e956d794d4d8b2d9451c0c23910b02d2e1f96ee73557f06256af9ed
Instruction ID: 5201b0f892773e34eb121d15694a5594f27085db04a31d88d5a3aa16cfd2fb7b
Opcode Fuzzy Hash: C92170831B68E1B7FD6411983983F62168EE747E64EC5A7700375391DB6B09408DEB4E
Instruction Fuzzy Hash: 5201b0f892773e34eb121d15694a5594f27085db04a31d88d5a3aa16cfd2fb7b

APIs

VirtualAlloc.KERNEL32(?,?,00002000,00000004), ref: 00465AC1
VirtualAlloc.KERNEL32(00000000,?,00002000,00000004,?,?,00002000,00000004), ref: 00465ADC
GetProcessHeap.KERNEL32(00000000,00000011,?,?,00002000,00000004), ref: 00465B07
HeapAlloc.KERNEL32(00000000,00000000,00000011,?,?,00002000,00000004), ref: 00465B0D
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,00000000,00000000,00000011,?,?,00002000,00000004), ref: 00465B41
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,00000000,?,00001000,00000004,00000000,00000000,00000011,?,?,00002000,00000004), ref: 00465B55

Part of subcall function 004653A8: VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00465410
Part of subcall function 004653A8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004), ref: 0046545B

Part of subcall function 00465598: LoadLibraryA.KERNEL32(00000000), ref: 00465607
Part of subcall function 00465598: GetProcAddress.KERNEL32(?,?), ref: 00465737
Part of subcall function 00465598: GetProcAddress.KERNEL32(?,?), ref: 0046576B
Part of subcall function 00465598: IsBadReadPtr.KERNEL32(?,00000014,00000000,004657D8), ref: 004657A9

Part of subcall function 004658F4: VirtualFree.KERNEL32(?,?,00004000), ref: 00465939
Part of subcall function 004658F4: VirtualProtect.KERNEL32(?,?,00000000,?), ref: 004659A5

Part of subcall function 00466038: FreeLibrary.KERNEL32(00000000,?,?,00000000,?,00000000,00465C6C), ref: 004660A7
Part of subcall function 00466038: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,?,00000000,00465C6C), ref: 004660D8
Part of subcall function 00466038: GetProcessHeap.KERNEL32(00000000,?,?,?,00000000,?,00000000,00465C6C), ref: 004660E0
Part of subcall function 00466038: HeapFree.KERNEL32(00000000,00000000,?), ref: 004660E6

Strings

BTMemoryLoadLibary: BuildImportTable failed, xrefs: 00465BD5
BTMemoryLoadLibary: Can't attach library, xrefs: 00465C5A
BTMemoryLoadLibary: IMAGE_NT_SIGNATURE is not valid, xrefs: 00465A95
BTMemoryLoadLibary: VirtualAlloc failed, xrefs: 00465AEC
PE, xrefs: 00465A84
BTMemoryLoadLibary: dll dos header is not valid, xrefs: 00465A4E
MZ, xrefs: 00465A41
BTMemoryLoadLibary: Get DLLEntyPoint failed, xrefs: 00465C28

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004296E0, Relevance: 21.2, APIs: 14, Instructions: 217 Total matches: 2962window

Similarity

Total matches: 2962
API ID: GetDeviceCapsSelectObjectSelectPaletteSetStretchBltMode$CreateCompatibleDCDeleteDCGetBrushOrgExRealizePaletteSetBrushOrgExStretchBlt
String ID:
API String ID: 3308931694-0
Opcode ID: c4f23efe5e20e7f72d9787206ae9d4d4484ef6a1768b369050ebc0ce3d21af64
Instruction ID: 6e80a75276815f297b150d1899ec2451361d21afa1efcd092d0d7bc48a04164e
Opcode Fuzzy Hash: 2C21980A409CEB6BF0BB78840183F4A2285BF9B34ACD1BB210E64673635F04E40BD65F
Instruction Fuzzy Hash: 6e80a75276815f297b150d1899ec2451361d21afa1efcd092d0d7bc48a04164e

APIs

Part of subcall function 00429D5C: GetDC.USER32(00000000), ref: 00429DB2
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429DC7
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00429DD1
Part of subcall function 00429D5C: CreateHalftonePalette.GDI32(00000000), ref: 00429DF5
Part of subcall function 00429D5C: ReleaseDC.USER32(00000000,00000000), ref: 00429E00

SelectPalette.GDI32(?,?,000000FF), ref: 00429723
RealizePalette.GDI32(?), ref: 00429732
GetDeviceCaps.GDI32(?,0000000C), ref: 00429744
GetDeviceCaps.GDI32(?,0000000E), ref: 00429753
GetBrushOrgEx.GDI32(?,?), ref: 00429786
SetStretchBltMode.GDI32(?,00000004), ref: 00429794
SetBrushOrgEx.GDI32(?,?,?,?), ref: 004297AC
SetStretchBltMode.GDI32(00000000,00000003), ref: 004297C9
SelectPalette.GDI32(?,?,000000FF), ref: 00429918

Part of subcall function 00429CFC: DeleteObject.GDI32(?), ref: 00429D1F

CreateCompatibleDC.GDI32(00000000), ref: 0042982A
SelectObject.GDI32(?,?), ref: 0042983F

Part of subcall function 00425CC8: CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 00425D0B
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425D20
Part of subcall function 00425CC8: MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,CCAA0029), ref: 00425D64
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425D7E
Part of subcall function 00425CC8: DeleteObject.GDI32(?), ref: 00425D8A
Part of subcall function 00425CC8: CreateCompatibleDC.GDI32(00000000), ref: 00425D9E
Part of subcall function 00425CC8: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00425DBF
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425DD4
Part of subcall function 00425CC8: SelectPalette.GDI32(?,48080787,00000000), ref: 00425DE8
Part of subcall function 00425CC8: SelectPalette.GDI32(?,?,00000000), ref: 00425DFA
Part of subcall function 00425CC8: SelectPalette.GDI32(?,00000000,000000FF), ref: 00425E0F
Part of subcall function 00425CC8: SelectPalette.GDI32(?,48080787,000000FF), ref: 00425E25
Part of subcall function 00425CC8: RealizePalette.GDI32(?), ref: 00425E31
Part of subcall function 00425CC8: StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 00425E53
Part of subcall function 00425CC8: StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 00425E75
Part of subcall function 00425CC8: SetTextColor.GDI32(?,00000000), ref: 00425E7D
Part of subcall function 00425CC8: SetBkColor.GDI32(?,00FFFFFF), ref: 00425E8B
Part of subcall function 00425CC8: StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 00425EB7
Part of subcall function 00425CC8: StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 00425EDC
Part of subcall function 00425CC8: SetTextColor.GDI32(?,?), ref: 00425EE6
Part of subcall function 00425CC8: SetBkColor.GDI32(?,?), ref: 00425EF0
Part of subcall function 00425CC8: SelectObject.GDI32(?,00000000), ref: 00425F03
Part of subcall function 00425CC8: DeleteObject.GDI32(?), ref: 00425F0C
Part of subcall function 00425CC8: SelectPalette.GDI32(?,00000000,00000000), ref: 00425F2E
Part of subcall function 00425CC8: DeleteDC.GDI32(?), ref: 00425F37

SelectObject.GDI32(?,00000000), ref: 0042989E
DeleteDC.GDI32(00000000), ref: 004298AD
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,?), ref: 004298F3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474208, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 49 Total matches: 17libraryloader

Similarity

Total matches: 17
API ID: GetProcAddress$LoadLibrary
String ID: WlanCloseHandle$WlanEnumInterfaces$WlanGetAvailableNetworkList$WlanOpenHandle$WlanQueryInterface$[FILE]
API String ID: 2209490600-3498334979
Opcode ID: 5146edb54a207047eae4574c9a27975307ac735bfb4468aea4e07443cdf6e803
Instruction ID: f89292433987c39bc7d9e273a1951c9a278ebb56a2de24d0a3e4590a01f53334
Opcode Fuzzy Hash: 50E0B6FD90BAA808D37089CC31962431D6E7BE332DA621E00086A230902B4FF2766935
Instruction Fuzzy Hash: f89292433987c39bc7d9e273a1951c9a278ebb56a2de24d0a3e4590a01f53334

APIs

LoadLibraryA.KERNEL32(wlanapi.dll), ref: 00474216
GetProcAddress.KERNEL32(00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 0047422E
GetProcAddress.KERNEL32(00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 00474249
GetProcAddress.KERNEL32(00000000,WlanEnumInterfaces,00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 00474264
GetProcAddress.KERNEL32(00000000,WlanQueryInterface,00000000,WlanEnumInterfaces,00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 0047427F
GetProcAddress.KERNEL32(00000000,WlanGetAvailableNetworkList,00000000,WlanQueryInterface,00000000,WlanEnumInterfaces,00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 0047429A

Strings

WlanOpenHandle, xrefs: 00474226
wlanapi.dll, xrefs: 00474211
WlanGetAvailableNetworkList, xrefs: 00474292
WlanQueryInterface, xrefs: 00474277
WlanEnumInterfaces, xrefs: 0047425C
WlanCloseHandle, xrefs: 00474241

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048D3C4, Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 132 Total matches: 32

Similarity

Total matches: 32
API ID: GetVersionEx
String ID: Unknow$Windows 2000$Windows 7$Windows 95$Windows 98$Windows Me$Windows NT 4.0$Windows Server 2003$Windows Vista$Windows XP
API String ID: 3908303307-3783844371
Opcode ID: 7b5a5832e5fd12129a8a2e2906a492b9449b8df28a17af9cc2e55bced20de565
Instruction ID: b844ed6b70e0e94de659292c354b68b9ed016400ab421bcb6baea74a0809c2ae
Opcode Fuzzy Hash: 0C11ACC1EB6CE422E7B219486410BD59E805F8B83AFCCC343D63EA83E46D491419F22D
Instruction Fuzzy Hash: b844ed6b70e0e94de659292c354b68b9ed016400ab421bcb6baea74a0809c2ae

APIs

GetVersionExA.KERNEL32(00000094), ref: 0048D410

Strings

Windows Me, xrefs: 0048D4F2
Windows NT 4.0, xrefs: 0048D441
Windows 2000, xrefs: 0048D467
Windows 95, xrefs: 0048D4D6
Windows 7, xrefs: 0048D4B1
Unknow, xrefs: 0048D3F5
Windows Vista, xrefs: 0048D4A3
Windows Server 2003, xrefs: 0048D486
Windows XP, xrefs: 0048D478
Windows 98, xrefs: 0048D4E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C494, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 102 Total matches: 27filememorythread

Similarity

Total matches: 27
API ID: CloseHandle$CreateFileCreateThreadFindResourceLoadResourceLocalAllocLockResourceSizeofResourceWriteFile
String ID: [FILE]
API String ID: 67866216-124780900
Opcode ID: 96c988e38e59b89ff17cc2eaece477f828ad8744e4a6eccd5192cfbc043553d8
Instruction ID: 630cc112895e8414539e3ba5b7ba0394fd4404f3832c6fa9d37db38bf09270f9
Opcode Fuzzy Hash: D5F02B8A57A5E6A3F0003C841D423D286D55B13B20E582B62C57CB75C1FE24502AFB03
Instruction Fuzzy Hash: 630cc112895e8414539e3ba5b7ba0394fd4404f3832c6fa9d37db38bf09270f9

APIs

FindResourceA.KERNEL32(00000000,?,?), ref: 0048C4C3

Part of subcall function 00489BB0: GetTempPathA.KERNEL32(?,00000000), ref: 00489BEC

CreateFileA.KERNEL32(00000000,.dll,?,?,40000000,00000002,00000000), ref: 0048C50F
SizeofResource.KERNEL32(00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC,?,?,?,?,00000000,00000000,00000000), ref: 0048C51F
LoadResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C528
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C52E
WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0048C535
CloseHandle.KERNEL32(00000000), ref: 0048C53B
LocalAlloc.KERNEL32(00000040,00000004,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C544
CreateThread.KERNEL32(00000000,00000000,0048C3E4,00000000,00000000,?), ref: 0048C586
CloseHandle.KERNEL32(00000000), ref: 0048C58C

Strings

.dll, xrefs: 0048C4F4, 0048C565

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004085D4, Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 61 Total matches: 268windowregistry

Similarity

Total matches: 268
API ID: RegisterWindowMessage$SendMessage$FindWindow
String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
API String ID: 773075572-3736581797
Opcode ID: b8d29d158da692a3f30c7c46c0fd30bc084ed528be5294db655e4684b6c0c80f
Instruction ID: 4e75a9db2a85290b2bd165713cc3b8ab264a87c6022b985514cebb886d0c2653
Opcode Fuzzy Hash: E3E086048EC5E4C040877D156905746525A5B47E33E88971245FC69EEBDF12706CF60B
Instruction Fuzzy Hash: 4e75a9db2a85290b2bd165713cc3b8ab264a87c6022b985514cebb886d0c2653

APIs

FindWindowA.USER32(MouseZ,Magellan MSWHEEL), ref: 004085EC
RegisterWindowMessageA.USER32(MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 004085F8
RegisterWindowMessageA.USER32(MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 00408607
RegisterWindowMessageA.USER32(MSH_SCROLL_LINES_MSG,MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 00408613
SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 0040862B
SendMessageA.USER32(00000000,?,00000000,00000000), ref: 0040864F

Strings

MSH_SCROLL_LINES_MSG, xrefs: 0040860E
MSH_WHEELSUPPORT_MSG, xrefs: 00408602
MouseZ, xrefs: 004085E7
Magellan MSWHEEL, xrefs: 004085E2
MSWHEEL_ROLLMSG, xrefs: 004085F3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00442280, Relevance: 18.5, APIs: 12, Instructions: 471 Total matches: 76window

Similarity

Total matches: 76
API ID: ShowWindow$SendMessageSetWindowPos$CallWindowProcGetActiveWindowSetActiveWindow
String ID:
API String ID: 1078102291-0
Opcode ID: 5a6bc4dc446307c7628f18d730adac2faaaadfe5fec0ff2c8aaad915570e293a
Instruction ID: d2d7a330045c082ee8847ac264425c59ea8f05af409e416109ccbd6a8a647aa5
Opcode Fuzzy Hash: AA512601698E2453F8A360442A87BAB6077F74EB54CC4AB744BCF530AB3A51D837E74B
Instruction Fuzzy Hash: d2d7a330045c082ee8847ac264425c59ea8f05af409e416109ccbd6a8a647aa5

APIs

Part of subcall function 004471C4: IsChild.USER32(00000000,00000000), ref: 00447222

SendMessageA.USER32(?,00000223,00000000,00000000), ref: 004426BE
ShowWindow.USER32(00000000,00000003), ref: 004426CE
ShowWindow.USER32(00000000,00000002), ref: 004426F0
CallWindowProcA.USER32(00407FF8,00000000,00000005,00000000,?), ref: 00442719
SendMessageA.USER32(?,00000234,00000000,00000000), ref: 0044273E
ShowWindow.USER32(00000000,?), ref: 00442763
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000097), ref: 004427FF
GetActiveWindow.USER32 ref: 00442815
ShowWindow.USER32(00000000,00000000), ref: 00442872

Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773

Part of subcall function 0043BA80: GetCurrentThreadId.KERNEL32(Function_0003BA1C,00000000,0044283C,00000000,004428BF), ref: 0043BA9A
Part of subcall function 0043BA80: EnumThreadWindows.USER32(00000000,Function_0003BA1C,00000000), ref: 0043BAA0

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000097), ref: 0044285A
SetActiveWindow.USER32(00000000), ref: 00442860
ShowWindow.USER32(00000000,00000001), ref: 004428A2

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004328FC, Relevance: 18.1, APIs: 12, Instructions: 142 Total matches: 2670

Similarity

Total matches: 2670
API ID: GetSystemMetricsGetWindowLong$ExcludeClipRectFillRectGetSysColorBrushGetWindowDCGetWindowRectInflateRectOffsetRectReleaseDC
String ID:
API String ID: 3932036319-0
Opcode ID: 76064c448b287af48dc2af56ceef959adfeb7e49e56a31cb381aae6292753b0b
Instruction ID: f04c829c48dd0ecc4740a09c532db4e7ffce190e9eba6ce852bb2d0274806371
Opcode Fuzzy Hash: 03019760024F1233E0B31AC05DC7F127621ED45386CA4BBF28BF6A72C962AA7006F467
Instruction Fuzzy Hash: f04c829c48dd0ecc4740a09c532db4e7ffce190e9eba6ce852bb2d0274806371

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 00432917
GetWindowRect.USER32(00000000,?), ref: 00432932
OffsetRect.USER32(?,?,?), ref: 00432947
GetWindowDC.USER32(00000000), ref: 00432955
GetWindowLongA.USER32(00000000,000000F0), ref: 00432986
GetSystemMetrics.USER32(00000002), ref: 0043299B
GetSystemMetrics.USER32(00000003), ref: 004329A4
InflateRect.USER32(?,000000FE,000000FE), ref: 004329B3
GetSysColorBrush.USER32(0000000F), ref: 004329E0
FillRect.USER32(?,?,00000000), ref: 004329EE
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00432A13
ReleaseDC.USER32(00000000,?), ref: 00432A51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00402820, Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 254 Total matches: 200window

Similarity

Total matches: 200
API ID: MessageBox
String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
API String ID: 1250089747-1256731999
Opcode ID: 490897b8e9acac750f9d51d50a768472c0795dbdc6439b18441db86d626ce938
Instruction ID: 76dfa530adb1b8c2cc13e2667be7c25ba156ed0594aa9714788bfb3d1a0eda85
Opcode Fuzzy Hash: 0731F44BA7DDC3A2D3E91303684575550E2A7C5537C888F609772317F6EE04250BAAAD
Instruction Fuzzy Hash: 76dfa530adb1b8c2cc13e2667be7c25ba156ed0594aa9714788bfb3d1a0eda85

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 00402BBE

Strings

An unexpected memory leak has occurred. , xrefs: 00402980
String, xrefs: 00402A91
, xrefs: 00402B04
Unknown, xrefs: 00402A7C
The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402B39
The unexpected small block leaks are:, xrefs: 004029F7
Unexpected Memory Leak, xrefs: 00402BB0
7, xrefs: 00402991
bytes: , xrefs: 00402A4D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F17C, Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 116 Total matches: 33window

Similarity

Total matches: 33
API ID: GetWindowPlacementGetWindowTextIsWindowVisible
String ID: ,$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive$True
API String ID: 41250382-511446200
Opcode ID: 2a93bd2407602c988be198f02ecb64933adb9ffad78aee0f75abc9a1a22a1849
Instruction ID: 8f95e1a452f283c9d6a5f9db166b7f7b6e325fa1ebf04232aa01919826a7e185
Opcode Fuzzy Hash: F5012D8237CECA73DA0AAEC47C00B80D5A5AF63224CC867A14A9D3D1D41ED06009AB4A
Instruction Fuzzy Hash: 8f95e1a452f283c9d6a5f9db166b7f7b6e325fa1ebf04232aa01919826a7e185

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F1D2
GetWindowPlacement.USER32(?,0000002C), ref: 0046F1ED
IsWindowVisible.USER32(?), ref: 0046F258

Part of subcall function 0046F148: GetWindow.USER32(?,00000005), ref: 0046F156
Part of subcall function 0046F148: GetWindow.USER32(00000000,00000002), ref: 0046F164

Strings

,, xrefs: 0046F1E1
Minimized, xrefs: 0046F225
Show/Unactive, xrefs: 0046F239
True, xrefs: 0046F2AA
Maximized, xrefs: 0046F1FD
Normal, xrefs: 0046F211
Normal/Unactive, xrefs: 0046F24D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E71C, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 109 Total matches: 2989

Similarity

Total matches: 2989
API ID: IntersectRect$GetSystemMetrics$EnumDisplayMonitorsGetClipBoxGetDCOrgExOffsetRect
String ID: EnumDisplayMonitors
API String ID: 2403121106-2491903729
Opcode ID: 52db4d6629bbd73772140d7e04a91d47a072080cb3515019dbe85a8b86b11587
Instruction ID: b4557ab74b20c8893b9e8c5043286aecf6e43751f6ec849995a879e485a4fa77
Opcode Fuzzy Hash: 60F02B4B413C0863AD32BB953067E2601615BD3955C9F7BF34D077A2091B85B42EF643
Instruction Fuzzy Hash: b4557ab74b20c8893b9e8c5043286aecf6e43751f6ec849995a879e485a4fa77

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 0042E755
GetSystemMetrics.USER32(00000000), ref: 0042E77A
GetSystemMetrics.USER32(00000001), ref: 0042E785
GetClipBox.GDI32(?,?), ref: 0042E797
GetDCOrgEx.GDI32(?,?), ref: 0042E7A4
OffsetRect.USER32(?,?,?), ref: 0042E7BD
IntersectRect.USER32(?,?,?), ref: 0042E7CE
IntersectRect.USER32(?,?,?), ref: 0042E7E4
IntersectRect.USER32(?,?,?), ref: 0042E804

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

EnumDisplayMonitors, xrefs: 0042E734

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044D1B0, Relevance: 16.6, APIs: 11, Instructions: 91 Total matches: 309

Similarity

Total matches: 309
API ID: GetWindowLongSetWindowLong$SetProp$IsWindowUnicode
String ID:
API String ID: 2416549522-0
Opcode ID: cc33e88019e13a6bdd1cd1f337bb9aa08043e237bf24f75c2294c70aefb51ea5
Instruction ID: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692
Opcode Fuzzy Hash: 47F09048455D92E9CE316990181BFEB6098AF57F91CE86B0469C2713778E50F079BCC2
Instruction Fuzzy Hash: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692

APIs

IsWindowUnicode.USER32(?), ref: 0044D1CA
SetWindowLongW.USER32(?,000000FC,?), ref: 0044D1E5
GetWindowLongW.USER32(?,000000F0), ref: 0044D1F0
GetWindowLongW.USER32(?,000000F4), ref: 0044D202
SetWindowLongW.USER32(?,000000F4,?), ref: 0044D215
SetWindowLongA.USER32(?,000000FC,?), ref: 0044D22E
GetWindowLongA.USER32(?,000000F0), ref: 0044D239
GetWindowLongA.USER32(?,000000F4), ref: 0044D24B
SetWindowLongA.USER32(?,000000F4,?), ref: 0044D25E
SetPropA.USER32(?,00000000,00000000), ref: 0044D275
SetPropA.USER32(?,00000000,00000000), ref: 0044D28C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00485954, Relevance: 16.0, APIs: 4, Strings: 5, Instructions: 236 Total matches: 15filewindow

Similarity

Total matches: 15
API ID: DeleteFile$BeepMessageBox
String ID: Error$SYSINFO$out.txt$systeminfo$tmp.txt
API String ID: 2513333429-345806071
Opcode ID: 175ef29eb0126f4faf8d8d995bdbdcdb5595b05f6195c7c08c0282fe984d4c47
Instruction ID: 39f7f17e1c987efdb7b4b5db2f739eec2f93dce701a473bbe0ca777f64945c64
Opcode Fuzzy Hash: 473108146FCD9607E0675C047D43BB622369F83488E8AB3736AB7321E95E12C007FE96
Instruction Fuzzy Hash: 39f7f17e1c987efdb7b4b5db2f739eec2f93dce701a473bbe0ca777f64945c64

APIs

Beep.KERNEL32(00000000,00000000,?,00000000,00485C82), ref: 00485C68

Part of subcall function 00489BB0: GetTempPathA.KERNEL32(?,00000000), ref: 00489BEC

Part of subcall function 0048AB58: DeleteFileA.KERNEL32(00000000,00000000,0048ABE5,?,00000000,0048AC07), ref: 0048ABA5

Part of subcall function 0048A8AC: CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000004,00000100,00000000), ref: 0048A953
Part of subcall function 0048A8AC: CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000002,00000100,00000000), ref: 0048A98D
Part of subcall function 0048A8AC: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000110,00000000,00000000,00000044,?), ref: 0048AA10
Part of subcall function 0048A8AC: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0048AA2D
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA68
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA77
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA86
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA95

DeleteFileA.KERNEL32(00000000,Error,00000000,00485C82), ref: 00485A63
DeleteFileA.KERNEL32(00000000,00000000,Error,00000000,00485C82), ref: 00485A92

Part of subcall function 00485888: LocalAlloc.KERNEL32(00000040,00000014,00000000,00485939), ref: 004858C3
Part of subcall function 00485888: CreateThread.KERNEL32(00000000,00000000,Function_0008317C,00000000,00000000,00499F94), ref: 00485913
Part of subcall function 00485888: CloseHandle.KERNEL32(00000000), ref: 00485919

MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00485BE3

Strings

systeminfo, xrefs: 00485A14
tmp.txt, xrefs: 004859CA, 00485A07, 00485A79
Error, xrefs: 004859DE
SYSINFO, xrefs: 00485AAE
out.txt, xrefs: 004859AB, 004859EE, 00485A2A, 00485A4A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00462C84, Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 197 Total matches: 15com

Similarity

Total matches: 15
API ID: CoCreateInstance
String ID: )I$,*I$\)I$l)I$|*I
API String ID: 206711758-730570145
Opcode ID: 8999b16d8999ffb1a836ee872fd39b0ec17270f551e5dbcbb19cdec74f308aa7
Instruction ID: 5b7ba80d8099b44c35cabc3879083aa44c7049928a8bf14f2fd8312944c66e37
Opcode Fuzzy Hash: D1212B50148E6143E69475A53D92FAF11533BAB341E68BA6821DF30396CF01619BBF86
Instruction Fuzzy Hash: 5b7ba80d8099b44c35cabc3879083aa44c7049928a8bf14f2fd8312944c66e37

APIs

CoCreateInstance.OLE32(00492A2C,00000000,00000003,0049296C,00000000), ref: 00462CC9
CoCreateInstance.OLE32(00492A8C,00000000,00000001,00462EC8,00000000), ref: 00462CF4
CoCreateInstance.OLE32(00492A9C,00000000,00000001,0049295C,00000000), ref: 00462D20
CoCreateInstance.OLE32(00492A1C,00000000,00000003,004929AC,00000000), ref: 00462E12

Strings

,*I, xrefs: 00462CC3
l)I, xrefs: 00462CB9
)I, xrefs: 00462E4B
\)I, xrefs: 00462D10
|*I, xrefs: 00462D3C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048485C, Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 185 Total matches: 16networkfile

Similarity

Total matches: 16
API ID: HttpQueryInfoInternetCloseHandleInternetOpenInternetOpenUrlInternetReadFileShellExecute
String ID: 200$Mozilla$open
API String ID: 3970492845-1265730427
Opcode ID: 3dc36a46b375420b33b8be952117d0a4158fa58e722c19be8f44cfd6d7effa21
Instruction ID: c028a43d89851b06b6d8b312316828d3eee8359a726d0fa9a5f52c6647499b4f
Opcode Fuzzy Hash: B0213B401399C252F8372E512C83B9D101FDF82639F8857F197B9396D5EF48400DFA9A
Instruction Fuzzy Hash: c028a43d89851b06b6d8b312316828d3eee8359a726d0fa9a5f52c6647499b4f

APIs

InternetOpenA.WININET(Mozilla,00000001,00000000,00000000,00000000), ref: 0048490C
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,04000000,00000000), ref: 00484944
HttpQueryInfoA.WININET(00000000,00000013,?,00000200,?), ref: 0048497D
InternetReadFile.WININET(00000000,?,00000400,?), ref: 00484A04
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 00484A75
InternetCloseHandle.WININET(00000000), ref: 00484A95

Strings

200, xrefs: 004849BD
Mozilla, xrefs: 00484907
open, xrefs: 00484A6E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00448A94, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 170 Total matches: 10window

Similarity

Total matches: 10
API ID: BitBltImageList_DrawExSetBkColorSetTextColor
String ID: 6B
API String ID: 2442363623-1343726390
Opcode ID: f3e76f340fad2a36508cc9c10341b5bdbc0f221426f742f3eb9c92a513530c20
Instruction ID: 7c37791f634a82759e4cc75f05e789a5555426b5a490053cb838fe875b53176d
Opcode Fuzzy Hash: 041108094568A31EE56978080947F3721865B07A61C4A77A03AF31B3DACD443147FB69
Instruction Fuzzy Hash: 7c37791f634a82759e4cc75f05e789a5555426b5a490053cb838fe875b53176d

APIs

ImageList_DrawEx.COMCTL32(00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,?), ref: 00448AF3

Part of subcall function 0042535C: FillRect.USER32(?,00000000,00000000), ref: 00425385

ImageList_DrawEx.COMCTL32(00000000,?,00000000,00000000,00000000,00000000,00000000,000000FF,00000000,00000000), ref: 00448B94
SetTextColor.GDI32(00000000,00FFFFFF), ref: 00448BE1
SetBkColor.GDI32(00000000,00000000), ref: 00448BE9
BitBlt.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00E20746), ref: 00448C0E
SetTextColor.GDI32(00000000,00FFFFFF), ref: 00448C2F
SetBkColor.GDI32(00000000,00000000), ref: 00448C37
BitBlt.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00E20746), ref: 00448C5A

Part of subcall function 00448A6C: ImageList_GetBkColor.COMCTL32(00000000,?,00448ACD,00000000,?), ref: 00448A82

Strings

6B, xrefs: 00448B05

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A8AC, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 146 Total matches: 45fileprocesssynchronization

Similarity

Total matches: 45
API ID: CloseHandle$CreateFile$CreateProcessWaitForSingleObject
String ID: D
API String ID: 1169714791-2746444292
Opcode ID: 9fb844b51f751657abfdf9935c21911306aa385a3997c9217fbe2ce6b668f812
Instruction ID: 79e473b7fda91be69f4d7f417df14a4c992ec25b9310636d694ca9e09f5cc5b6
Opcode Fuzzy Hash: 4D11E6431384F3F3F1A567002C8275185D6DB45A78E6D9752D6B6323EECB40A16CF94A
Instruction Fuzzy Hash: 79e473b7fda91be69f4d7f417df14a4c992ec25b9310636d694ca9e09f5cc5b6

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000004,00000100,00000000), ref: 0048A953
CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000002,00000100,00000000), ref: 0048A98D
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000110,00000000,00000000,00000044,?), ref: 0048AA10
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0048AA2D
CloseHandle.KERNEL32(00000000), ref: 0048AA68
CloseHandle.KERNEL32(00000000), ref: 0048AA77
CloseHandle.KERNEL32(00000000), ref: 0048AA86
CloseHandle.KERNEL32(00000000), ref: 0048AA95

Strings

D, xrefs: 0048A9BB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00483468, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 118 Total matches: 10networkthread

Similarity

Total matches: 10
API ID: InternetCloseHandle$ExitThreadInternetOpenInternetOpenUrl
String ID: Times.$[.exe]$H4H$myappname
API String ID: 1533170427-2018508691
Opcode ID: 9bfd80528866c3fa2248181b1ccb48c134560f4eab1f6b9a7ba83a7f0698ff3d
Instruction ID: 5d8c8af60e1396200864222ed7d4265ca944ca2bef987cfa67465281aeb1ae53
Opcode Fuzzy Hash: 5201284087779767E0713A843C83BA64057AF53F79E88AB6006383B6C28D5E501EFE1E
Instruction Fuzzy Hash: 5d8c8af60e1396200864222ed7d4265ca944ca2bef987cfa67465281aeb1ae53

APIs

InternetOpenA.WININET(myappname,00000000,00000000,00000000,00000000), ref: 0048350C
InternetOpenUrlA.WININET(?,00000000,00000000,00000000,00000000,00000000), ref: 00483537
InternetCloseHandle.WININET(00000000), ref: 0048353D
InternetCloseHandle.WININET(?), ref: 00483553

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000, Times.,?,?,00000000,00483684,?,BTRESULTVisit URL|finished to visit ,?,004835AC,?,myappname,00000000,00000000,00000000,00000000), ref: 0048359F

Strings

myappname, xrefs: 00483507
H4H, xrefs: 00483497, 0048361C
BTRESULTVisit URL|finished to visit , xrefs: 00483558
Times., xrefs: 0048357D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F3B8, Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 110 Total matches: 30

Similarity

Total matches: 30
API ID: GetWindowPlacementGetWindowText
String ID: ,$False$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive
API String ID: 3194812178-3661939895
Opcode ID: 6e67ebc189e59b109926b976878c05c5ff8e56a7c2fe83319816f47c7d386b2c
Instruction ID: 05c2a068ec8248d3d24fb73124f2ba0192b7bb261c799db9564259cde8fcc610
Opcode Fuzzy Hash: DC012BC22786CE23E606A9C47A00BD0CE65AFB261CCC867E14FEE3C5D57ED100089B96
Instruction Fuzzy Hash: 05c2a068ec8248d3d24fb73124f2ba0192b7bb261c799db9564259cde8fcc610

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F40E
GetWindowPlacement.USER32(?,0000002C), ref: 0046F429

Part of subcall function 0046F148: GetWindow.USER32(?,00000005), ref: 0046F156
Part of subcall function 0046F148: GetWindow.USER32(00000000,00000002), ref: 0046F164

Strings

Maximized, xrefs: 0046F439
,, xrefs: 0046F41D
False, xrefs: 0046F4D6
Show/Unactive, xrefs: 0046F475
Normal, xrefs: 0046F44D
Minimized, xrefs: 0046F461
Normal/Unactive, xrefs: 0046F489

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00456278, Relevance: 15.2, APIs: 10, Instructions: 197 Total matches: 3025

Similarity

Total matches: 3025
API ID: GetWindowLong$IntersectClipRectRestoreDCSaveDC
String ID:
API String ID: 3006731778-0
Opcode ID: 42e9e34b880910027b3e3a352b823e5a85719ef328f9c6ea61aaf2d3498d6580
Instruction ID: 4204c0258dd60c0c2688d7e8ce7edc9cd036ce1826430425374ca7ebdb7834a4
Opcode Fuzzy Hash: 4621F609168D5267EC7B75806993BAA7111FB82B88CD1F7321AA1171975B80204BFA07
Instruction Fuzzy Hash: 4204c0258dd60c0c2688d7e8ce7edc9cd036ce1826430425374ca7ebdb7834a4

APIs

SaveDC.GDI32(?), ref: 00456295

Part of subcall function 0044EEA0: GetWindowOrgEx.GDI32(?), ref: 0044EEAE
Part of subcall function 0044EEA0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044EEC4

IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 004562CE
GetWindowLongA.USER32(00000000,000000EC), ref: 004562E2
GetWindowLongA.USER32(00000000,000000F0), ref: 00456303

Part of subcall function 00456278: SetRect.USER32(00000010,00000000,00000000,?,?), ref: 00456363
Part of subcall function 00456278: IntersectClipRect.GDI32(?,00000000,00000000,00000010,?), ref: 004563D3
Part of subcall function 00456278: SetRect.USER32(?,00000000,00000000,?,?), ref: 004563F4
Part of subcall function 00456278: DrawEdge.USER32(?,?,00000000,00000000), ref: 00456403
Part of subcall function 00456278: IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0045642C

RestoreDC.GDI32(?,?), ref: 004564AB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043F2B8, Relevance: 15.1, APIs: 10, Instructions: 133 Total matches: 142window

Similarity

Total matches: 142
API ID: GetWindowLongSendMessageSetWindowLong$GetClassLongGetSystemMenuSetClassLongSetWindowPos
String ID:
API String ID: 864553395-0
Opcode ID: 9ab73d602731c043e05f06fe9a833ffc60d2bf7da5b0a21ed43778f35c9aa1f5
Instruction ID: 86e40c6f39a8dd384175e0123e2dc7e82ae64037638b8220b5ac0861a23d6a34
Opcode Fuzzy Hash: B101DBAA1A176361E0912DCCCAC3B2ED50DB743248EB0DBD922E11540E7F4590A7FE2D
Instruction Fuzzy Hash: 86e40c6f39a8dd384175e0123e2dc7e82ae64037638b8220b5ac0861a23d6a34

APIs

GetWindowLongA.USER32(00000000,000000F0), ref: 0043F329
GetWindowLongA.USER32(00000000,000000EC), ref: 0043F33B
GetClassLongA.USER32(00000000,000000E6), ref: 0043F34E
SetWindowLongA.USER32(00000000,000000F0,00000000), ref: 0043F38E
SetWindowLongA.USER32(00000000,000000EC,?), ref: 0043F3A2
SetClassLongA.USER32(00000000,000000E6,?), ref: 0043F3B6
SendMessageA.USER32(00000000,00000080,00000001,00000000), ref: 0043F3F0
SendMessageA.USER32(00000000,00000080,00000001,00000000), ref: 0043F408
GetSystemMenu.USER32(00000000,000000FF), ref: 0043F417
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043F440

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044155C, Relevance: 15.1, APIs: 10, Instructions: 74 Total matches: 3192window

Similarity

Total matches: 3192
API ID: DeleteMenu$EnableMenuItem$GetSystemMenu
String ID:
API String ID: 3542995237-0
Opcode ID: 6b257927fe0fdeada418aad578b82fbca612965c587f2749ccb5523ad42afade
Instruction ID: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578
Opcode Fuzzy Hash: 0AF0D09DD98F1151E6F500410C47B83C08AFF413C5C245B380583217EFA9D25A5BEB0E
Instruction Fuzzy Hash: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 004415A7
DeleteMenu.USER32(00000000,0000F130,00000000), ref: 004415C5
DeleteMenu.USER32(00000000,00000007,00000400), ref: 004415D2
DeleteMenu.USER32(00000000,00000005,00000400), ref: 004415DF
DeleteMenu.USER32(00000000,0000F030,00000000), ref: 004415EC
DeleteMenu.USER32(00000000,0000F020,00000000), ref: 004415F9
DeleteMenu.USER32(00000000,0000F000,00000000), ref: 00441606
DeleteMenu.USER32(00000000,0000F120,00000000), ref: 00441613
EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 00441631
EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 0044164D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040281E, Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 188 Total matches: 190window

Similarity

Total matches: 190
API ID: MessageBox
String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
API String ID: 1250089747-980038931
Opcode ID: 1669ecd234b97cdbd14c3df7a35b1e74c6856795be7635a3e0f5130a3d9bc831
Instruction ID: 2e60dbe28dcd1d3aa5670394eea0bc97309ab4bc9661f15f320bab8b5d4cd559
Opcode Fuzzy Hash: 8E21F44B67EED392D3EA1303384575540E3ABC5537D888F60977232BF6EE14140BAA9D
Instruction Fuzzy Hash: 2e60dbe28dcd1d3aa5670394eea0bc97309ab4bc9661f15f320bab8b5d4cd559

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 00402BBE

Strings

An unexpected memory leak has occurred. , xrefs: 00402980
, xrefs: 00402B04
The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402B39
The unexpected small block leaks are:, xrefs: 004029F7
Unexpected Memory Leak, xrefs: 00402BB0
7, xrefs: 00402991
bytes: , xrefs: 00402A4D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004710F0, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 66 Total matches: 37

Similarity

Total matches: 37
API ID: GetWindowShowWindow$FindWindowGetClassName
String ID: BUTTON$Shell_TrayWnd
API String ID: 2948047570-3627955571
Opcode ID: 9e064d9ead1b610c0c1481de5900685eb7d76be14ef2e83358ce558d27e67668
Instruction ID: d360bd029940f6fa4d12d7627fe3e8b46839e67e31e965d43504e39a11938d6c
Opcode Fuzzy Hash: 68E092CC17B5D469B71A2789284236241D5C763A35C18B752D332376DF8E58021EE60A
Instruction Fuzzy Hash: d360bd029940f6fa4d12d7627fe3e8b46839e67e31e965d43504e39a11938d6c

APIs

FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 0047111D
GetWindow.USER32(00000000,00000005), ref: 00471125
GetClassNameA.USER32(00000000,?,00000080), ref: 0047113D
ShowWindow.USER32(00000000,00000001), ref: 0047117C
ShowWindow.USER32(00000000,00000000), ref: 00471186
GetWindow.USER32(00000000,00000002), ref: 0047118E

Strings

BUTTON, xrefs: 00471168
Shell_TrayWnd, xrefs: 00471118

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040DA34, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 56 Total matches: 16filewindow

Similarity

Total matches: 16
API ID: GetStdHandleWriteFile$CharToOemLoadStringMessageBox
String ID: LPI
API String ID: 3807148645-863635926
Opcode ID: 539cd2763de28bf02588dbfeae931fa34031625c31423c558e1c96719d1f86e4
Instruction ID: 5b0ab8211e0f5c40d4b1780363d5c9b524eff0228eb78845b7b0cb7c9884c59c
Opcode Fuzzy Hash: B1E09A464E3CA62353002E1070C6B892287EF4302E93833828A11787D74E3104E9A21C
Instruction Fuzzy Hash: 5b0ab8211e0f5c40d4b1780363d5c9b524eff0228eb78845b7b0cb7c9884c59c

APIs

Part of subcall function 0040D8AC: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040D8C9
Part of subcall function 0040D8AC: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040D8ED
Part of subcall function 0040D8AC: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040D908
Part of subcall function 0040D8AC: LoadStringA.USER32(00000000,0000FFED,?,00000100), ref: 0040D99E

CharToOemA.USER32(?,?), ref: 0040DA6B
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,0040E1ED,0040E312,0040FDD4,00000000,0040FF18), ref: 0040DA88
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?), ref: 0040DA8E
GetStdHandle.KERNEL32(000000F4,0040DAF8,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,0040E1ED,0040E312,0040FDD4,00000000,0040FF18), ref: 0040DAA3
WriteFile.KERNEL32(00000000,000000F4,0040DAF8,00000002,?), ref: 0040DAA9
LoadStringA.USER32(00000000,0000FFEE,?,00000040), ref: 0040DACB
MessageBoxA.USER32(00000000,?,?,00002010), ref: 0040DAE1

Strings

LPI, xrefs: 0040DA48

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004564D0, Relevance: 13.7, APIs: 9, Instructions: 177 Total matches: 190window

Similarity

Total matches: 190
API ID: SelectObject$BeginPaintBitBltCreateCompatibleBitmapCreateCompatibleDCSetWindowOrgEx
String ID:
API String ID: 1616898104-0
Opcode ID: 00b711a092303d63a394b0039c66d91bff64c6bf82b839551a80748cfcb5bf1e
Instruction ID: 1affb125a654ca7596d0e4f6c4811def945eff925a29ebecd1c68cf0f38a7913
Opcode Fuzzy Hash: 14115B85024DA637E8739CC85E83F962294F307D48C91F7729BA31B2C72F15600DD293
Instruction Fuzzy Hash: 1affb125a654ca7596d0e4f6c4811def945eff925a29ebecd1c68cf0f38a7913

APIs

Part of subcall function 00455D50: BeginPaint.USER32(00000000,?), ref: 00455D7B
Part of subcall function 00455D50: SaveDC.GDI32(00000000), ref: 00455DB4
Part of subcall function 00455D50: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 00455E36
Part of subcall function 00455D50: RestoreDC.GDI32(00000000,00000000), ref: 00455E6C
Part of subcall function 00455D50: EndPaint.USER32(00000000,?), ref: 00455EA9

BeginPaint.USER32(00000000,?), ref: 004565EA
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00456600
CreateCompatibleDC.GDI32(00000000), ref: 00456617
SelectObject.GDI32(?,?), ref: 00456627
SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0045664B

Part of subcall function 004564D0: BeginPaint.USER32(00000000,?), ref: 0045653C
Part of subcall function 004564D0: EndPaint.USER32(00000000,?), ref: 004565D0

BitBlt.GDI32(00000000,?,?,?,?,?,?,?,00CC0020), ref: 00456699
SelectObject.GDI32(?,?), ref: 004566B3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004840D8, Relevance: 13.6, APIs: 9, Instructions: 150 Total matches: 30

Similarity

Total matches: 30
API ID: CloseHandleGetTokenInformationLookupAccountSid$GetLastErrorOpenProcessOpenProcessToken
String ID:
API String ID: 1387212650-0
Opcode ID: 55fc45e655e8bcad6bc41288bae252f5ee7be0b7cb976adfe173a6785b05be5f
Instruction ID: 4c6b5abeafcca947752a893948ed48d42e020b1fe5683f4a654fc51f6199c0a3
Opcode Fuzzy Hash: 3901484A17CA2293F53BB5C82483FEA1215E702B45D48B7A354F43A59A5F45A13BF702
Instruction Fuzzy Hash: 4c6b5abeafcca947752a893948ed48d42e020b1fe5683f4a654fc51f6199c0a3

APIs

OpenProcess.KERNEL32(00000400,00000000,?,00000000,00484275), ref: 00484108
OpenProcessToken.ADVAPI32(00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 0048411E
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,?,00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 00484139
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),?,?,?,?,TokenIntegrityLevel,00000000,00000000,?,00000000,00000008,?,00000400,00000000), ref: 00484168
GetLastError.KERNEL32(?,TokenIntegrityLevel,00000000,00000000,?,00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 00484177
CloseHandle.KERNEL32(?), ref: 00484185
LookupAccountSidA.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 004841B4
LookupAccountSidA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,?), ref: 00484205
CloseHandle.KERNEL32(00000000), ref: 00484255

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00451458, Relevance: 13.6, APIs: 9, Instructions: 122 Total matches: 3040window

Similarity

Total matches: 3040
API ID: PatBlt$SelectObject$GetDCExGetDesktopWindowReleaseDC
String ID:
API String ID: 2402848322-0
Opcode ID: 0b1cd19b0e82695ca21d43bacf455c9985e1afa33c1b29ce2f3a7090b744ccb2
Instruction ID: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593
Opcode Fuzzy Hash: C2F0B4482AADF707C8B6350915C7F79224AED736458F4BB694DB4172CBAF27B014D093
Instruction Fuzzy Hash: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593

APIs

GetDesktopWindow.USER32 ref: 0045148F
GetDCEx.USER32(?,00000000,00000402), ref: 004514A2

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

SelectObject.GDI32(?,00000000), ref: 004514C5
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 004514EB
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0045150D
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 0045152C
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 00451546
SelectObject.GDI32(?,?), ref: 00451553
ReleaseDC.USER32(?,?), ref: 0045156D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00465598, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 194 Total matches: 72libraryloader

Similarity

Total matches: 72
API ID: GetProcAddress$IsBadReadPtrLoadLibrary
String ID: BuildImportTable: GetProcAddress failed$BuildImportTable: ReallocMemory failed$BuildImportTable: can't load library:
API String ID: 1616315271-1384308123
Opcode ID: eb45955122e677bac4d3e7b6686ec9cba9f45ae3ef48f3e0b242e9a0c3719a7c
Instruction ID: d25742ef4bc1d51b96969838743a3f95180d575e7d72d5f7fe617812cb4009d6
Opcode Fuzzy Hash: 0B214C420345E0D3ED39A2081CC7FB15345EF639B4D88AB671ABB667FA2985500AF50D
Instruction Fuzzy Hash: d25742ef4bc1d51b96969838743a3f95180d575e7d72d5f7fe617812cb4009d6

APIs

LoadLibraryA.KERNEL32(00000000), ref: 00465607
GetProcAddress.KERNEL32(?,?), ref: 00465737
GetProcAddress.KERNEL32(?,?), ref: 0046576B
IsBadReadPtr.KERNEL32(?,00000014,00000000,004657D8), ref: 004657A9

Strings

BuildImportTable: can't load library: , xrefs: 00465644
BuildImportTable: ReallocMemory failed, xrefs: 0046568D
BuildImportTable: GetProcAddress failed, xrefs: 0046577C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482E34, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 193 Total matches: 16sleepthread

Similarity

Total matches: 16
API ID: Sleep$CreateThreadExitThread
String ID: .255$127.0.0.1$LanList
API String ID: 1155887905-2919614961
Opcode ID: f9aceb7697053a60f8f2203743265727de6b3c16a25ac160ebf033b594fe70c2
Instruction ID: 67bc21a589158fc7afeef0b5d02271f7d18e2bfc14a4273c93325a5ef21c2c98
Opcode Fuzzy Hash: 62215C820F87955EED616C807C41FA701315FB7649D4FAB622A6B3A1A74E032016B743
Instruction Fuzzy Hash: 67bc21a589158fc7afeef0b5d02271f7d18e2bfc14a4273c93325a5ef21c2c98

APIs

ExitThread.KERNEL32(00000000,00000000,004830D3,?,?,?,?,00000000,00000000), ref: 004830A6

Part of subcall function 00473208: socket.WSOCK32(00000002,00000001,00000000,00000000,00473339), ref: 0047323B
Part of subcall function 00473208: WSAIoctl.WS2_32(000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000), ref: 0047327C
Part of subcall function 00473208: inet_ntoa.WSOCK32(?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000), ref: 004732AC
Part of subcall function 00473208: inet_ntoa.WSOCK32(?,?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001), ref: 004732E8
Part of subcall function 00473208: closesocket.WSOCK32(000000FF,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000,00000000,00473339), ref: 00473319

CreateThread.KERNEL32(00000000,00000000,Function_00082CDC,?,00000000,?), ref: 00483005
Sleep.KERNEL32(00000032,00000000,00000000,Function_00082CDC,?,00000000,?,?,00000000,00000000,00483104,?,00483104,?,00483104,?), ref: 0048300C
Sleep.KERNEL32(00000064,.255,?,00483104,?,00483104,?,?,00000000,004830D3,?,?,?,?,00000000,00000000), ref: 00483054

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

127.0.0.1, xrefs: 00482E9D
LanList, xrefs: 0048306B
.255, xrefs: 0048303C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004117E8, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: f440f800a6dcfa6827f62dcd7c23166eba4d720ac19948e634cff8498f9e3f0b
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 4D113503239AAB83B0257B804C83F24D1D0DE42D36ACD97B8C672693F32601561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00411881
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041189D
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 004118D6
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411953
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0041196C
VariantCopy.OLEAUT32(?), ref: 004119A1

Strings

, xrefs: 00411802

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00454934, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 134 Total matches: 1764registry

Similarity

Total matches: 1764
API ID: GetWindowLong$GetClassInfoRegisterClassSetWindowLongUnregisterClass
String ID: @
API String ID: 2433521760-2766056989
Opcode ID: bb057d11bcffa2997f58ae607b8aec9f6d517787b85221cca69b6bc40098651c
Instruction ID: 4013627ed433dbc6b152acdb164a0da3d29e3622e0b68fd627badcaca3a3b516
Opcode Fuzzy Hash: 5A119C80560CD237E7D669A4B48378513749F97B7CDD0536B63F6242DA4E00402DF96E
Instruction Fuzzy Hash: 4013627ed433dbc6b152acdb164a0da3d29e3622e0b68fd627badcaca3a3b516

APIs

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetClassInfoA.USER32(?,?,?), ref: 004549F8
UnregisterClassA.USER32(?,?), ref: 00454A20
RegisterClassA.USER32(?), ref: 00454A36
GetWindowLongA.USER32(00000000,000000F0), ref: 00454A72
GetWindowLongA.USER32(00000000,000000F4), ref: 00454A87
SetWindowLongA.USER32(00000000,000000F4,00000000), ref: 00454A9A

Part of subcall function 00458910: IsIconic.USER32(?), ref: 0045891F
Part of subcall function 00458910: GetWindowPlacement.USER32(?,0000002C), ref: 0045893C
Part of subcall function 00458910: GetWindowRect.USER32(?), ref: 00458955
Part of subcall function 00458910: GetWindowLongA.USER32(?,000000F0), ref: 00458963
Part of subcall function 00458910: GetWindowLongA.USER32(?,000000F8), ref: 00458978
Part of subcall function 00458910: ScreenToClient.USER32(00000000), ref: 00458985
Part of subcall function 00458910: ScreenToClient.USER32(00000000,?), ref: 00458990

Part of subcall function 0042473C: CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,00424930,?,00000000,00424958), ref: 0042486B
Part of subcall function 0042473C: CreateFontIndirectA.GDI32(?), ref: 0042490D

Part of subcall function 0040F26C: GetLastError.KERNEL32(0040F31C,?,0041BBC3,?), ref: 0040F26C

Strings

@, xrefs: 0045496D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AC14, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 110 Total matches: 30

Similarity

Total matches: 30
API ID: GetCurrentProcessGetTokenInformationLookupPrivilegeDisplayNameLookupPrivilegeNameOpenProcessToken
String ID: GetTokenInformation error$OpenProcessToken error
API String ID: 34442935-1842041635
Opcode ID: 07715b92dc7caf9e715539a578f275bcd2bb60a34190f84cc6cf05c55eb8ea49
Instruction ID: 380ab001647c8b3903b6034fc21424389ae21c1771cfbd9cf9b74ae493e33b6b
Opcode Fuzzy Hash: 9101994303ACF753F62929086842BDA0550DF534A5EC4AB6281746BEC90F28203AFB57
Instruction Fuzzy Hash: 380ab001647c8b3903b6034fc21424389ae21c1771cfbd9cf9b74ae493e33b6b

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AD60), ref: 0048AC51
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AD60), ref: 0048AC57
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000320,?,00000000,00000028,?,00000000,0048AD60), ref: 0048AC7D
LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,00000000,000000FF,?), ref: 0048ACEE

Part of subcall function 00489B40: MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00489B84

LookupPrivilegeNameA.ADVAPI32(00000000,?,00000000,000000FF), ref: 0048ACDD

Strings

GetTokenInformation error, xrefs: 0048AC86
OpenProcessToken error, xrefs: 0048AC60

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0041F7B4, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109 Total matches: 16thread

Similarity

Total matches: 16
API ID: EnterCriticalSectionGetCurrentThreadId$InterlockedExchangeLeaveCriticalSection
String ID: 4PI
API String ID: 853095497-1771581502
Opcode ID: e7ac2c5012fa839d146893c0705f22c4635eb548c5d0be0363ce03b581d14a20
Instruction ID: e450c16710015a04d827bdf36dba62923dd4328c0a0834b889eda6f9c026b195
Opcode Fuzzy Hash: 46F0268206D8F1379472678830D77370A8AC33154EC85EB52162C376EB1D05D05DE75B
Instruction Fuzzy Hash: e450c16710015a04d827bdf36dba62923dd4328c0a0834b889eda6f9c026b195

APIs

GetCurrentThreadId.KERNEL32 ref: 0041F7BF
GetCurrentThreadId.KERNEL32 ref: 0041F7CE
EnterCriticalSection.KERNEL32(004999D0,0041F904,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F8F7

Part of subcall function 0041F774: WaitForSingleObject.KERNEL32(000000EC), ref: 0041F77E

Part of subcall function 0041F768: ResetEvent.KERNEL32(000000EC,0041F809), ref: 0041F76E

EnterCriticalSection.KERNEL32(004999D0), ref: 0041F813
InterlockedExchange.KERNEL32(00491B2C,?), ref: 0041F82F
LeaveCriticalSection.KERNEL32(004999D0,00000000,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F888

Strings

4PI, xrefs: 0041F7C4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00449834, Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 80 Total matches: 16libraryloader

Similarity

Total matches: 16
API ID: GetModuleHandleGetProcAddressImageList_Write
String ID: $qA$ImageList_WriteEx$[FILE]$[FILE]
API String ID: 3028349119-1134023085
Opcode ID: 9b6b780f1487285524870f905d0420896c1378cf45dbecae2d97141bf0e14d48
Instruction ID: 043155abd17610354dead4f4dd3580dd0e6203469d1d2f069e389e4af6e4a666
Opcode Fuzzy Hash: 29F059C6A0CCF14AE7175584B0AB66107F0BB9DD5F8C87710081C710A90F95A13DFB56
Instruction Fuzzy Hash: 043155abd17610354dead4f4dd3580dd0e6203469d1d2f069e389e4af6e4a666

APIs

ImageList_Write.COMCTL32(00000000,?,00000000,0044992E), ref: 004498F8

Part of subcall function 0040E3A4: GetFileVersionInfoSizeA.VERSION(00000000,?,00000000,0040E47A), ref: 0040E3E6
Part of subcall function 0040E3A4: GetFileVersionInfoA.VERSION(00000000,?,00000000,?,00000000,0040E45D,?,00000000,?,00000000,0040E47A), ref: 0040E41B
Part of subcall function 0040E3A4: VerQueryValueA.VERSION(?,0040E48C,?,?,00000000,?,00000000,?,00000000,0040E45D,?,00000000,?,00000000,0040E47A), ref: 0040E435

GetModuleHandleA.KERNEL32(comctl32.dll), ref: 00449868
GetProcAddress.KERNEL32(00000000,ImageList_WriteEx,comctl32.dll), ref: 00449879

Strings

comctl32.dll, xrefs: 00449863
ImageList_WriteEx, xrefs: 00449873
$qA, xrefs: 004498D4, 00449909
comctl32.dll, xrefs: 00449848

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E4A0, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68 Total matches: 2853string

Similarity

Total matches: 2853
API ID: GetSystemMetrics$GetMonitorInfoSystemParametersInfolstrcpy
String ID: DISPLAY$GetMonitorInfo
API String ID: 3432438702-1633989206
Opcode ID: eae47ffeee35c10db4cae29e8a4ab830895bcae59048fb7015cdc7d8cb0a928b
Instruction ID: 74142331967dee0409fd24cf408a58a7466f2520650418456c75ade1e3029da4
Opcode Fuzzy Hash: 28E068803A699081F86A71027110F4912B07AE7E47D883B92C4777051BD78265B91D01
Instruction Fuzzy Hash: 74142331967dee0409fd24cf408a58a7466f2520650418456c75ade1e3029da4

APIs

GetMonitorInfoA.USER32(?,?), ref: 0042E4D1
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042E4F8
GetSystemMetrics.USER32(00000000), ref: 0042E50D
GetSystemMetrics.USER32(00000001), ref: 0042E518
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0042E542

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

DISPLAY, xrefs: 0042E539
GetMonitorInfo, xrefs: 0042E4B8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E574, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 68 Total matches: 14string

Similarity

Total matches: 14
API ID: GetSystemMetrics$SystemParametersInfolstrcpy
String ID: DISPLAY$GetMonitorInfoA$tB
API String ID: 920390751-4256241499
Opcode ID: 9a94b6fb1edcb78a0c9a66795ebd84d1eeb67d07ab6805deb2fcd0b49b846e84
Instruction ID: eda70eb6c6723b3d8ed12733fddff3b40501d2063d2ec80ebb02aba850291404
Opcode Fuzzy Hash: 78E068C132298081B86A31013160F42129039E7E17E883BC1D4F77056B8B8275651D08
Instruction Fuzzy Hash: eda70eb6c6723b3d8ed12733fddff3b40501d2063d2ec80ebb02aba850291404

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042E5CC
GetSystemMetrics.USER32(00000000), ref: 0042E5E1
GetSystemMetrics.USER32(00000001), ref: 0042E5EC
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0042E616

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

GetMonitorInfoA, xrefs: 0042E58C
tB, xrefs: 0042E591, 0042E59E, 0042E5A5
DISPLAY, xrefs: 0042E60D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E648, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 68 Total matches: 10string

Similarity

Total matches: 10
API ID: GetSystemMetrics$SystemParametersInfolstrcpy
String ID: DISPLAY$GetMonitorInfoW$HB
API String ID: 920390751-4214253287
Opcode ID: 39694e9d9e018d210cdbb9f258b89a02c97d0963af088e59ad359ed5c593a5a2
Instruction ID: 715dbc0accc45c62a460a5bce163b1305142a94d166b4e77b7d7de915e09a29c
Opcode Fuzzy Hash: C6E0D8802269D0C5B86A71013254F4712E53EFBF57C8C3B51D5737156A5782A6B51D11
Instruction Fuzzy Hash: 715dbc0accc45c62a460a5bce163b1305142a94d166b4e77b7d7de915e09a29c

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042E6A0
GetSystemMetrics.USER32(00000000), ref: 0042E6B5
GetSystemMetrics.USER32(00000001), ref: 0042E6C0
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0042E6EA

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

GetMonitorInfoW, xrefs: 0042E660
HB, xrefs: 0042E665, 0042E672, 0042E679
DISPLAY, xrefs: 0042E6E1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004052FC, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38 Total matches: 3072filewindow

Similarity

Total matches: 3072
API ID: GetStdHandleWriteFile$MessageBox
String ID: Error$Runtime error at 00000000
API String ID: 877302783-2970929446
Opcode ID: a2f2a555d5de0ed3a3cdfe8a362fd9574088acc3a5edf2b323f2c4251b80d146
Instruction ID: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97
Opcode Fuzzy Hash: FED0A7C68438479FA141326030C4B2A00133F0762A9CC7396366CB51DFCF4954BCDD05
Instruction Fuzzy Hash: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405335
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 0040533B
GetStdHandle.KERNEL32(000000F5,00405384,00000002,?,00000000,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405350
WriteFile.KERNEL32(00000000,000000F5,00405384,00000002,?), ref: 00405356
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00405374

Strings

Error, xrefs: 00405368
Runtime error at 00000000, xrefs: 0040532E, 0040536D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00442C9C, Relevance: 12.2, APIs: 8, Instructions: 154 Total matches: 2310window

Similarity

Total matches: 2310
API ID: SendMessage$GetActiveWindowGetCapture$ReleaseCapture
String ID:
API String ID: 3360342259-0
Opcode ID: 2e7a3c9d637816ea08647afd4d8ce4a3829e05fa187c32cef18f4a4206af3d5d
Instruction ID: f313f7327938110f0d474da6a120560d1e1833014bacf3192a9076ddb3ef11f7
Opcode Fuzzy Hash: 8F1150111E8E7417F8A3A1C8349BB23A067F74FA59CC0BF71479A610D557588869D707
Instruction Fuzzy Hash: f313f7327938110f0d474da6a120560d1e1833014bacf3192a9076ddb3ef11f7

APIs

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetCapture.USER32 ref: 00442D0D
GetCapture.USER32 ref: 00442D1C
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00442D22
ReleaseCapture.USER32 ref: 00442D27
GetActiveWindow.USER32 ref: 00442D78

Part of subcall function 004442A8: GetCursorPos.USER32 ref: 004442C3
Part of subcall function 004442A8: WindowFromPoint.USER32(?,?), ref: 004442D0
Part of subcall function 004442A8: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004442DE
Part of subcall function 004442A8: GetCurrentThreadId.KERNEL32(00000000,00000000,?,?), ref: 004442E5
Part of subcall function 004442A8: SendMessageA.USER32(00000000,00000084,00000000,?), ref: 0044430E
Part of subcall function 004442A8: SendMessageA.USER32(00000000,00000020,00000000,?), ref: 00444320
Part of subcall function 004442A8: SetCursor.USER32(00000000), ref: 00444332

Part of subcall function 0043B920: GetCurrentThreadId.KERNEL32(0043B8D0,00000000,00000000,0043B993,?,00000000,0043B9D1), ref: 0043B976
Part of subcall function 0043B920: EnumThreadWindows.USER32(00000000,0043B8D0,00000000), ref: 0043B97C

SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00442E0E
SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00442E7B
GetActiveWindow.USER32 ref: 00442E8A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E0DC, Relevance: 12.1, APIs: 8, Instructions: 100 Total matches: 31registry

Similarity

Total matches: 31
API ID: RegOpenKeyEx$RegCloseKeyRegDeleteValue
String ID:
API String ID: 2702562355-0
Opcode ID: ff1bffc0fc9da49c543c68ea8f8c068e074332158ed00d7e0855fec77d15ce10
Instruction ID: bb6f8a9e936068d281b70d3ea2ea02ff1a791729bc38357734c580253c916b5c
Opcode Fuzzy Hash: 00F0AD0155E9A353EBF654C41E127DB2082FF43A44D08FFB50392139D3DF581028E663
Instruction Fuzzy Hash: bb6f8a9e936068d281b70d3ea2ea02ff1a791729bc38357734c580253c916b5c

APIs

RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?,00000000,0046E238), ref: 0046E15A
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,000F003F,?,0046E23F,80000000,00000000,00000000,000F003F,?,00000000,0046E238), ref: 0046E17D
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,0046E23F,80000000,00000000,00000000,000F003F,?), ref: 0046E19D
RegOpenKeyExA.ADVAPI32(80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,0046E23F), ref: 0046E1BD
RegOpenKeyExA.ADVAPI32(80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001), ref: 0046E1DD
RegOpenKeyExA.ADVAPI32(80000006,00000000,00000000,000F003F,?,80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002), ref: 0046E1FD
RegDeleteValueA.ADVAPI32(?,00000000,00000000,0046E238), ref: 0046E20F
RegCloseKey.ADVAPI32(?,?,00000000,00000000,0046E238), ref: 0046E218

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004462F4, Relevance: 12.1, APIs: 8, Instructions: 99 Total matches: 293windowthread

Similarity

Total matches: 293
API ID: SendMessage$GetWindowThreadProcessId$GetCaptureGetParentIsWindowUnicode
String ID:
API String ID: 2317708721-0
Opcode ID: 8f6741418f060f953fc426fb00df5905d81b57fcb2f7a38cdc97cb0aab6d7365
Instruction ID: 027f2b09132ef415e1641618d15c0fc03404835376b0cbd1c352fc703b58c8b5
Opcode Fuzzy Hash: D0F09E15071D1844F89FA7844CD3F1F0150E73726FC516A251861D07BB2640586DEC40
Instruction Fuzzy Hash: 027f2b09132ef415e1641618d15c0fc03404835376b0cbd1c352fc703b58c8b5

APIs

GetCapture.USER32 ref: 0044631A
GetParent.USER32(00000000), ref: 00446340
IsWindowUnicode.USER32(00000000), ref: 0044635D
SendMessageW.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446378
SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446397
GetWindowThreadProcessId.USER32(00000000), ref: 004463A6
GetWindowThreadProcessId.USER32(?,?), ref: 004463B4
SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 004463D4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E244, Relevance: 12.1, APIs: 8, Instructions: 95 Total matches: 27registry

Similarity

Total matches: 27
API ID: RegOpenKeyEx$RegCloseKeyRegDeleteKey
String ID:
API String ID: 1588268847-0
Opcode ID: efa1fa3a126963e045954320cca245066a4b5764b694b03be027155e6cf74c33
Instruction ID: 786d86d630c0ce6decb55c8266b1f23f89dbfeab872e22862efc69a80fb541cf
Opcode Fuzzy Hash: 70F0810454D99393EFF268C81A627EB2492FF53141C00BFB603D222A93DF191428E663
Instruction Fuzzy Hash: 786d86d630c0ce6decb55c8266b1f23f89dbfeab872e22862efc69a80fb541cf

APIs

RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?,00000000,0046E391), ref: 0046E2B7
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,000F003F,?,80000000,00000000,00000000,000F003F,?,00000000,0046E391), ref: 0046E2DA
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,80000000,00000000,00000000,000F003F,?,00000000), ref: 0046E2FA
RegOpenKeyExA.ADVAPI32(80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,80000000), ref: 0046E31A
RegOpenKeyExA.ADVAPI32(80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001), ref: 0046E33A
RegOpenKeyExA.ADVAPI32(80000006,00000000,00000000,000F003F,?,80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002), ref: 0046E35A
RegDeleteKeyA.ADVAPI32(?,0046E39C), ref: 0046E368
RegCloseKey.ADVAPI32(?,?,0046E39C,00000000,0046E391), ref: 0046E371

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426060, Relevance: 12.1, APIs: 8, Instructions: 79 Total matches: 3072window

Similarity

Total matches: 3072
API ID: GetSystemPaletteEntries$GetDCGetDeviceCapsReleaseDC
String ID:
API String ID: 3774187343-0
Opcode ID: c8a1f0028bda89d06ba34fecd970438ce26e4f5bd606e2da3d468695089984a8
Instruction ID: 0cfe958825060108f21fe327ec74807f3ea840bb8274bad68fd1d00675d59d02
Opcode Fuzzy Hash: 82F0E9420739F3B3B21723492453B548250FF006B8F195B7095A2A37D54B486A08D65A
Instruction Fuzzy Hash: 0cfe958825060108f21fe327ec74807f3ea840bb8274bad68fd1d00675d59d02

APIs

GetDC.USER32(00000000), ref: 0042608E
GetDeviceCaps.GDI32(?,00000068), ref: 004260AA
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 004260C9
GetSystemPaletteEntries.GDI32(?,-00000008,00000001,00C0C0C0), ref: 004260ED
GetSystemPaletteEntries.GDI32(?,00000000,00000007,?), ref: 0042610B
GetSystemPaletteEntries.GDI32(?,00000007,00000001,?), ref: 0042611F
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0042613F
ReleaseDC.USER32(00000000,?), ref: 00426157

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434550, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 177 Total matches: 2669window

Similarity

Total matches: 2669
API ID: InsertMenu$GetVersionInsertMenuItem
String ID: ,$?
API String ID: 1158528009-2308483597
Opcode ID: 3691d3eb49acf7fe282d18733ae3af9147e5be4a4a7370c263688d5644077239
Instruction ID: d88e58a9695d0ecde36b26a9ed5775f3b98e27f7dc2108173ae1ec2afbf22209
Opcode Fuzzy Hash: 7021C07202AE81DBD414788C7954F6221B16B5465FD49FF210329B5DD98F156003FF7A
Instruction Fuzzy Hash: d88e58a9695d0ecde36b26a9ed5775f3b98e27f7dc2108173ae1ec2afbf22209

APIs

GetVersion.KERNEL32(00000000,004347A1), ref: 004345EC
InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 004346F5
InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 0043477E

Part of subcall function 00434A54: CreatePopupMenu.USER32 ref: 00434A6F
Part of subcall function 00434A54: CreateMenu.USER32 ref: 00434A79

InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 00434765

Strings

?, xrefs: 00434607
,, xrefs: 00434600

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00488D70, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 139 Total matches: 17window

Similarity

Total matches: 17
API ID: BitBltCreateCompatibleBitmapCreateCompatibleDCCreateDCSelectObject
String ID: image/jpeg
API String ID: 3045076971-3785015651
Opcode ID: dbe4b5206c04ddfa7cec44dd0e3e3f3269a9d8eacf2ec53212285f1a385d973c
Instruction ID: b6a9b81207b66fd46b40be05ec884117bb921c7e8fb4f30b77988d552b54040a
Opcode Fuzzy Hash: 3001BD010F4EF103E475B5CC3853FF7698AEB17E8AD1A77A20CB8961839202A009F607
Instruction Fuzzy Hash: b6a9b81207b66fd46b40be05ec884117bb921c7e8fb4f30b77988d552b54040a

APIs

CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 00488DAA
CreateCompatibleDC.GDI32(?), ref: 00488DC4
CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 00488DDC
SelectObject.GDI32(?,?), ref: 00488DEC
BitBlt.GDI32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,00CC0020), ref: 00488E15

Part of subcall function 0045FB1C: GdipCreateBitmapFromHBITMAP.GDIPLUS(?,?,?), ref: 0045FB43

Part of subcall function 0045FA24: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,0045FA7A), ref: 0045FA54

Strings

image/jpeg, xrefs: 00488E70

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446834, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 138 Total matches: 241window

Similarity

Total matches: 241
API ID: SetWindowPos$GetWindowRectMessageBoxSetActiveWindow
String ID: (
API String ID: 3733400490-3887548279
Opcode ID: 057cc1c80f110adb1076bc5495aef73694a74091f1d008cb79dd59c6bbc78491
Instruction ID: b10abcdf8b99517cb61353ac0e0d7546e107988409174f4fad3563684715349e
Opcode Fuzzy Hash: 88014C110E8D5483B57334902893FAB110AFB8B789C4CF7F65ED25314A4B45612FA657
Instruction Fuzzy Hash: b10abcdf8b99517cb61353ac0e0d7546e107988409174f4fad3563684715349e

APIs

Part of subcall function 00447BE4: GetActiveWindow.USER32 ref: 00447C0B
Part of subcall function 00447BE4: GetLastActivePopup.USER32(?), ref: 00447C1D

GetWindowRect.USER32(?,?), ref: 004468B6
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 004468EE

Part of subcall function 0043B920: GetCurrentThreadId.KERNEL32(0043B8D0,00000000,00000000,0043B993,?,00000000,0043B9D1), ref: 0043B976
Part of subcall function 0043B920: EnumThreadWindows.USER32(00000000,0043B8D0,00000000), ref: 0043B97C

MessageBoxA.USER32(00000000,?,?,?), ref: 0044692D
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0044697D

Part of subcall function 0043B9E4: IsWindow.USER32(?), ref: 0043B9F2
Part of subcall function 0043B9E4: EnableWindow.USER32(?,000000FF), ref: 0043BA01

SetActiveWindow.USER32(00000000), ref: 0044698E

Strings

(, xrefs: 00446893

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446524, Relevance: 10.6, APIs: 7, Instructions: 105 Total matches: 329window

Similarity

Total matches: 329
API ID: PeekMessage$DispatchMessage$IsWindowUnicodeTranslateMessage
String ID:
API String ID: 94033680-0
Opcode ID: 72d0e2097018c2d171db36cd9dd5c7d628984fd68ad100676ade8b40d7967d7f
Instruction ID: b3581f7210794b57d406096c46509e1a6dcc6e0b3c60c7d01b5c3c410123a072
Opcode Fuzzy Hash: A2F0F642161A8221F90E364651E2FC06559E31F39CCD1D3871165A4192DF8573D6F95C
Instruction Fuzzy Hash: b3581f7210794b57d406096c46509e1a6dcc6e0b3c60c7d01b5c3c410123a072

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00446538
IsWindowUnicode.USER32 ref: 0044654C
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0044656D
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00446583

Part of subcall function 00447DD0: GetCapture.USER32 ref: 00447DDA
Part of subcall function 00447DD0: GetParent.USER32(00000000), ref: 00447E08

Part of subcall function 004462A4: TranslateMDISysAccel.USER32(?), ref: 004462E3

Part of subcall function 004462F4: GetCapture.USER32 ref: 0044631A
Part of subcall function 004462F4: GetParent.USER32(00000000), ref: 00446340
Part of subcall function 004462F4: IsWindowUnicode.USER32(00000000), ref: 0044635D
Part of subcall function 004462F4: SendMessageW.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446378
Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446397
Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(00000000), ref: 004463A6
Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(?,?), ref: 004463B4
Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 004463D4

Part of subcall function 0044625C: IsWindowUnicode.USER32(00000000), ref: 00446270
Part of subcall function 0044625C: IsDialogMessageW.USER32(?), ref: 00446281
Part of subcall function 0044625C: IsDialogMessageA.USER32(?,?,00000000,015B8130,00000001,00446607,?,00000000,00000000,00000000,00000001,?,00000000,00000000,00000000,00000000), ref: 00446296

TranslateMessage.USER32 ref: 0044660C
DispatchMessageW.USER32 ref: 00446618
DispatchMessageA.USER32 ref: 00446620

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004282D0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99 Total matches: 1938

Similarity

Total matches: 1938
API ID: GetWinMetaFileBitsMulDiv$GetDC
String ID: `
API String ID: 1171737091-2679148245
Opcode ID: 97e0afb71fd3017264d25721d611b96d1ac3823582e31f119ebb41a52f378edb
Instruction ID: fd1c75cb27f8ccc4a85bc281ca680933f7ff10ae91a160973978cac80d6b42b6
Opcode Fuzzy Hash: B6F0ACC4008CD2A7D87675DC1043F6311C897CA286E89BB739226A7307CB0AA019EC47
Instruction Fuzzy Hash: fd1c75cb27f8ccc4a85bc281ca680933f7ff10ae91a160973978cac80d6b42b6

APIs

MulDiv.KERNEL32(?,?,000009EC), ref: 00428322
MulDiv.KERNEL32(?,?,000009EC), ref: 00428339
GetDC.USER32(00000000), ref: 00428350
GetWinMetaFileBits.GDI32(?,00000000,00000000,00000008,?), ref: 00428374
GetWinMetaFileBits.GDI32(?,?,?,00000008,?), ref: 004283A7

Part of subcall function 00425A70: GetLastError.KERNEL32(00000000,00425B0C), ref: 00425A90
Part of subcall function 00425A70: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00425B0C), ref: 00425AB6

Strings

`, xrefs: 00428308

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444344, Relevance: 10.6, APIs: 7, Instructions: 89 Total matches: 2886

Similarity

Total matches: 2886
API ID: CreateFontIndirect$GetStockObjectSystemParametersInfo
String ID:
API String ID: 1286667049-0
Opcode ID: beeb678630a8d2ca0f721ed15124802961745e4c56d7c704ecddf8ebfa723626
Instruction ID: b9276e4cea0afd1028da4d528d34847b13dbaab52dc8e94e54053a20ac38a9fc
Opcode Fuzzy Hash: 00F0A4C36341F6F2D8993208742172161E6A74AE78C7CFF62422930ED2661A052EEB4F
Instruction Fuzzy Hash: b9276e4cea0afd1028da4d528d34847b13dbaab52dc8e94e54053a20ac38a9fc

APIs

SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 00444399
CreateFontIndirectA.GDI32(?), ref: 004443A6
GetStockObject.GDI32(0000000D), ref: 004443BC
SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 004443E5
CreateFontIndirectA.GDI32(?), ref: 004443F5
CreateFontIndirectA.GDI32(?), ref: 0044440E

Part of subcall function 00424A5C: MulDiv.KERNEL32(00000000,?,00000048), ref: 00424A69

GetStockObject.GDI32(0000000D), ref: 00444434

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482B34, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 84 Total matches: 10threadsleepmemory

Similarity

Total matches: 10
API ID: ExitThread$CreateThreadLocalAllocSleep
String ID: p)H
API String ID: 1498127831-2549212939
Opcode ID: 5fd7b773879454cb2e984670c3aa9a0c1db83b86d5d790d4145ccd7f391bc9b7
Instruction ID: 053b5e183048797674ca9cdb15cf17692ed61b26d4291f167cbfa930052dd689
Opcode Fuzzy Hash: 65F02E8147579427749271893D807631168A88B349DC47B618A393E5C35D0EB119F7C6
Instruction Fuzzy Hash: 053b5e183048797674ca9cdb15cf17692ed61b26d4291f167cbfa930052dd689

APIs

ExitThread.KERNEL32(00000000,00000000,00482BF9,?,00000000,00482C2E), ref: 00482BA4
LocalAlloc.KERNEL32(00000040,00000008,00000000,00482BF9,?,00000000,00482C2E), ref: 00482BAD
CreateThread.KERNEL32(00000000,00000000,Function_0008298C,00000000,00000000,?), ref: 00482BD6
Sleep.KERNEL32(00000064,00000000,00000000,Function_0008298C,00000000,00000000,?,00000040,00000008,00000000,00482BF9,?,00000000,00482C2E), ref: 00482BDD
ExitThread.KERNEL32(00000000,00000000,00482BF9,?,00000000,00482C2E), ref: 00482BEA

Strings

p)H, xrefs: 00482B48, 00482C1A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428A00, Relevance: 10.6, APIs: 7, Instructions: 66 Total matches: 3056

Similarity

Total matches: 3056
API ID: SelectObject$CreateCompatibleDCDeleteDCGetDCReleaseDCSetDIBColorTable
String ID:
API String ID: 2399757882-0
Opcode ID: e05996493a4a7703f1d90fd319a439bf5e8e75d5a5d7afaf7582bfea387cb30d
Instruction ID: 90c847b5b2251fbb5b2f14fd0b24f537c214c92e226752d9278a3821f2f40b8f
Opcode Fuzzy Hash: 73E0DF8626D8F38BE435399C15C2BB202EAD763D20D1ABBA1CD712B5DB6B09701CE107
Instruction Fuzzy Hash: 90c847b5b2251fbb5b2f14fd0b24f537c214c92e226752d9278a3821f2f40b8f

APIs

Part of subcall function 004262B4: GetObjectA.GDI32(?,00000004), ref: 004262CB
Part of subcall function 004262B4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 004262EE

GetDC.USER32(00000000), ref: 00428A3E
CreateCompatibleDC.GDI32(?), ref: 00428A4A
SelectObject.GDI32(?), ref: 00428A57
SetDIBColorTable.GDI32(?,00000000,00000000,?), ref: 00428A7B
SelectObject.GDI32(?,?), ref: 00428A95
DeleteDC.GDI32(?), ref: 00428A9E
ReleaseDC.USER32(00000000,?), ref: 00428AA9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004442A8, Relevance: 10.6, APIs: 7, Instructions: 57 Total matches: 3149threadwindow

Similarity

Total matches: 3149
API ID: SendMessage$GetCurrentThreadIdGetCursorPosGetWindowThreadProcessIdSetCursorWindowFromPoint
String ID:
API String ID: 3843227220-0
Opcode ID: 636f8612f18a75fc2fe2d79306f1978e6c2d0ee500cce15a656835efa53532b4
Instruction ID: 91a0691e93be75cbd792bc1c5d11451005bcc187603754b99125f381020161aa
Opcode Fuzzy Hash: 6FE07D44093723D5C0644A295640705A6C6CB96630DC0DB86C339580FBAD0214F0BC92
Instruction Fuzzy Hash: 91a0691e93be75cbd792bc1c5d11451005bcc187603754b99125f381020161aa

APIs

GetCursorPos.USER32 ref: 004442C3
WindowFromPoint.USER32(?,?), ref: 004442D0
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004442DE
GetCurrentThreadId.KERNEL32(00000000,00000000,?,?), ref: 004442E5
SendMessageA.USER32(00000000,00000084,00000000,?), ref: 0044430E
SendMessageA.USER32(00000000,00000020,00000000,?), ref: 00444320
SetCursor.USER32(00000000), ref: 00444332

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00404448, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 49 Total matches: 63registry

Similarity

Total matches: 63
API ID: RegCloseKeyRegOpenKeyExRegQueryValueEx
String ID: &$FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 2249749755-409351
Opcode ID: ab90adbf7b939076b4d26ef1005f34fa32d43ca05e29cbeea890055cc8b783db
Instruction ID: ce62e3bb234767a160e82b0d7d36def6f0e4d1aa0fd43ed305e6d49589b0b3e0
Opcode Fuzzy Hash: 58D02BE10C9A675FB6B071543292B6310A3F72AA8CC0077326DD03A0D64FD26178CF03
Instruction Fuzzy Hash: ce62e3bb234767a160e82b0d7d36def6f0e4d1aa0fd43ed305e6d49589b0b3e0

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040446A
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,&,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040449D
RegCloseKey.ADVAPI32(?,004044C0,00000000,?,00000004,00000000,&,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004044B3

Strings

&, xrefs: 00404476
FPUMaskValue, xrefs: 00404494
SOFTWARE\Borland\Delphi\RTL, xrefs: 00404460

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00488B18, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 49 Total matches: 15

Similarity

Total matches: 15
API ID: GetDeviceCaps$CreateDCEnumDisplayMonitors
String ID: DISPLAY$MONSIZE0x0x0x0
API String ID: 764351534-707749442
Opcode ID: 4ad1b1e031ca4c6641bd4b991acf5b812f9c7536f9f0cc4eb1e7d2354d8ae31a
Instruction ID: 74f5256f7b05cb3d54b39a8883d8df7c51a1bc5999892e39300c9a7f2f74089f
Opcode Fuzzy Hash: 94E0C24F6B8BE4A7600672443C237C2878AA6536918523721CB3E36A93DD472205BA15
Instruction Fuzzy Hash: 74f5256f7b05cb3d54b39a8883d8df7c51a1bc5999892e39300c9a7f2f74089f

APIs

CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 00488B3D
GetDeviceCaps.GDI32(00000000,00000008), ref: 00488B47
GetDeviceCaps.GDI32(00000000,0000000A), ref: 00488B54
EnumDisplayMonitors.USER32(00000000,00000000,004889F0,00000000), ref: 00488B85

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

DISPLAY, xrefs: 00488B6E
MONSIZE0x0x0x0, xrefs: 00488B8C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040F3A4, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 46 Total matches: 17

Similarity

Total matches: 17
API ID: FindResourceLoadResource
String ID: 0PI$DVCLAL
API String ID: 2359726220-2981686760
Opcode ID: 800224e7684f9999f87d4ef9ea60951ae4fbd73f3e4075522447f15a278b71b4
Instruction ID: dff53e867301dc3e22b70d9e69622cb382f13005f1a49077cfe6c5f33cacb54d
Opcode Fuzzy Hash: 8FD0C9D501084285852017F8B253FC7A2AB69DEB19D544BB05EB12D2076F5A613B6A46
Instruction Fuzzy Hash: dff53e867301dc3e22b70d9e69622cb382f13005f1a49077cfe6c5f33cacb54d

APIs

FindResourceA.KERNEL32(00400000,DVCLAL,0000000A), ref: 0040F3C1
LoadResource.KERNEL32(00400000,00000000,00400000,DVCLAL,0000000A), ref: 0040F3CF
FindResourceA.KERNEL32(00400000,DVCLAL,0000000A), ref: 0040F3F3
LoadResource.KERNEL32(00400000,00000000,00400000,DVCLAL,0000000A), ref: 0040F3FA

Strings

0PI, xrefs: 0040F3A8, 0040F3B9, 0040F3C7
DVCLAL, xrefs: 0040F3B4, 0040F3EA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00484B30, Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 176 Total matches: 11sleep

Similarity

Total matches: 11
API ID: Sleep
String ID: BTERRORDownload File| Error on downloading file check if you type the correct url...|$BTRESULTDownload File|Mass Download : File Downloaded , Executing new one in temp dir...|$BTRESULTMass Download|Downloading File...|$DownloadFail$DownloadSuccess
API String ID: 3472027048-992323826
Opcode ID: b42a1814c42657d3903e752c8e34c8bac9066515283203de396ee156d6a45bcc
Instruction ID: deaf5eb2465c82228c6b2b1c1dca6568de82910c53d4747ae395a037cbca2448
Opcode Fuzzy Hash: EA2181291B8DE4A7F43B295C2447B5B11119FC2A9AE8D6BB1377A3F0161A42D019723A
Instruction Fuzzy Hash: deaf5eb2465c82228c6b2b1c1dca6568de82910c53d4747ae395a037cbca2448

APIs

Part of subcall function 0048485C: InternetOpenA.WININET(Mozilla,00000001,00000000,00000000,00000000), ref: 0048490C
Part of subcall function 0048485C: InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,04000000,00000000), ref: 00484944
Part of subcall function 0048485C: HttpQueryInfoA.WININET(00000000,00000013,?,00000200,?), ref: 0048497D
Part of subcall function 0048485C: InternetReadFile.WININET(00000000,?,00000400,?), ref: 00484A04
Part of subcall function 0048485C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 00484A75
Part of subcall function 0048485C: InternetCloseHandle.WININET(00000000), ref: 00484A95

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Sleep.KERNEL32(000007D0,?,?,?,?,?,?,?,00000000,00484D9A,?,?,?,?,00000006,00000000), ref: 00484D38

Part of subcall function 00475BD8: closesocket.WSOCK32(00000248,00000000,00475D47,?,00000000,00475D76,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00475D2E
Part of subcall function 00475BD8: GetCurrentProcessId.KERNEL32(00000248,00000000,00475D47,?,00000000,00475D76,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00475D33

Strings

DownloadFail, xrefs: 00484CBC
BTRESULTMass Download|Downloading File...|, xrefs: 00484C52
BTERRORDownload File| Error on downloading file check if you type the correct url...|, xrefs: 00484D0C
BTRESULTDownload File|Mass Download : File Downloaded , Executing new one in temp dir...|, xrefs: 00484CEA
DownloadSuccess, xrefs: 00484CA2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043EC18, Relevance: 9.2, APIs: 6, Instructions: 150 Total matches: 2896

Similarity

Total matches: 2896
API ID: FillRect$BeginPaintEndPaintGetClientRectGetWindowRect
String ID:
API String ID: 2931688664-0
Opcode ID: 677a90f33c4a0bae1c1c90245e54b31fe376033ebf9183cf3cf5f44c7b342276
Instruction ID: 65c0a0a89661e183b73f48e61e48bee5eb6d6399339ac08e0e21072a38132552
Opcode Fuzzy Hash: 9711994A819E5007F47B49C40887BEA1092FBC1FDBCC8FF7025A426BCB0B60564F860B
Instruction Fuzzy Hash: 65c0a0a89661e183b73f48e61e48bee5eb6d6399339ac08e0e21072a38132552

APIs

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?), ref: 0043EC91
GetClientRect.USER32(00000000,?), ref: 0043ECBC
FillRect.USER32(?,?,00000000), ref: 0043ECDB

Part of subcall function 0043EB8C: CallWindowProcA.USER32(?,?,?,?,?), ref: 0043EBC6

Part of subcall function 0043B78C: GetWindowLongA.USER32(?,000000EC), ref: 0043B799
Part of subcall function 0043B78C: SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B7BC
Part of subcall function 0043B78C: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043B7CE

BeginPaint.USER32(?,?), ref: 0043ED53
GetWindowRect.USER32(?,?), ref: 0043ED80

Part of subcall function 0044EEA0: GetWindowOrgEx.GDI32(?), ref: 0044EEAE
Part of subcall function 0044EEA0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044EEC4

Part of subcall function 00455D50: BeginPaint.USER32(00000000,?), ref: 00455D7B
Part of subcall function 00455D50: SaveDC.GDI32(00000000), ref: 00455DB4
Part of subcall function 00455D50: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 00455E36
Part of subcall function 00455D50: RestoreDC.GDI32(00000000,00000000), ref: 00455E6C
Part of subcall function 00455D50: EndPaint.USER32(00000000,?), ref: 00455EA9

EndPaint.USER32(?,?), ref: 0043EDE0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00441160, Relevance: 9.1, APIs: 6, Instructions: 125 Total matches: 196

Similarity

Total matches: 196
API ID: ExcludeClipRectFillRectGetStockObjectRestoreDCSaveDCSetBkColor
String ID:
API String ID: 3049133588-0
Opcode ID: d6019f6cee828ac7391376ab126a0af33bb7a71103bbd3b8d69450c96d22d854
Instruction ID: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c
Opcode Fuzzy Hash: 54012444004F6253F4AB098428E7FA56083F721791CE4FF310786616C34A74615BAA07
Instruction Fuzzy Hash: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c

APIs

Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE

SaveDC.GDI32(?), ref: 004411AD
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00441234
GetStockObject.GDI32(00000004), ref: 00441256
FillRect.USER32(00000000,?,00000000), ref: 0044126F

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(00000000,00000000), ref: 004412BA

Part of subcall function 0042535C: FillRect.USER32(?,00000000,00000000), ref: 00425385

RestoreDC.GDI32(00000000,?), ref: 004412E5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004556F4, Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 353 Total matches: 9

Similarity

Total matches: 9
API ID: DefWindowProcGetCaptureSetWindowPos_TrackMouseEvent
String ID: zC
API String ID: 1140357208-2078053289
Opcode ID: 4b88ffa7e8dc9e0fc55dcf7c85635e39fbe2c17a2618d5290024c367d42a558d
Instruction ID: b57778f77ef7841f174bad60fd8f5a19220f360e114fd8f1822aba38cb5d359d
Opcode Fuzzy Hash: B2513154458FA692E4B3E0417AA3BD27026F7D178AC84EF3027D9224DB7F15B217AB07
Instruction Fuzzy Hash: b57778f77ef7841f174bad60fd8f5a19220f360e114fd8f1822aba38cb5d359d

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000077), ref: 004557E5
DefWindowProcA.USER32(00000000,?,?,?), ref: 00455AEF

Part of subcall function 0044D640: GetCapture.USER32 ref: 0044D640

_TrackMouseEvent.COMCTL32(00000010), ref: 00455A9D

Part of subcall function 00455640: GetCapture.USER32 ref: 00455653

Part of subcall function 004554F4: GetMessagePos.USER32 ref: 00455503
Part of subcall function 004554F4: GetKeyboardState.USER32(?), ref: 00455600

GetCapture.USER32 ref: 00455B5A

Part of subcall function 00451C28: GetKeyboardState.USER32(?), ref: 00451E90

Strings

zC, xrefs: 0045594E, 0045596C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446070, Relevance: 9.1, APIs: 6, Instructions: 99 Total matches: 165window

Similarity

Total matches: 165
API ID: DefWindowProcIsWindowEnabledSetActiveWindowSetFocusSetWindowPosShowWindow
String ID:
API String ID: 81093956-0
Opcode ID: 91e5e05e051b3e2f023c100c42454c78ad979d8871dc5c9cc7008693af0beda7
Instruction ID: aa6e88dcafe1d9e979c662542ea857fd259aca5c8034ba7b6c524572af4b0f27
Opcode Fuzzy Hash: C2F0DD0025452320F892A8044167FBA60622B5F75ACDCD3282197002AEEFE7507ABF14
Instruction Fuzzy Hash: aa6e88dcafe1d9e979c662542ea857fd259aca5c8034ba7b6c524572af4b0f27

APIs

Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773

SetActiveWindow.USER32(?), ref: 0044608F
ShowWindow.USER32(00000000,00000009), ref: 004460B4
IsWindowEnabled.USER32(00000000), ref: 004460D3
DefWindowProcA.USER32(?,00000112,0000F120,00000000), ref: 004460EC

Part of subcall function 00444C44: ShowWindow.USER32(?,00000006), ref: 00444C5F

SetWindowPos.USER32(?,00000000,00000000,?,?,00445ABE,00000000), ref: 00446132
SetFocus.USER32(00000000), ref: 00446180

Part of subcall function 0043FDB4: ShowWindow.USER32(00000000,?), ref: 0043FDEA

Part of subcall function 00445490: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000213), ref: 004454DE

Part of subcall function 004455EC: EnumWindows.USER32(00445518,00000000), ref: 00445620
Part of subcall function 004455EC: ShowWindow.USER32(?,00000000), ref: 00445655
Part of subcall function 004455EC: ShowOwnedPopups.USER32(00000000,?), ref: 00445684
Part of subcall function 004455EC: ShowWindow.USER32(?,00000005), ref: 004456EA
Part of subcall function 004455EC: ShowOwnedPopups.USER32(00000000,?), ref: 00445719

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426564, Relevance: 9.1, APIs: 6, Instructions: 84 Total matches: 3298

Similarity

Total matches: 3298
API ID: GetDeviceCapsGetSystemMetrics$GetDCReleaseDC
String ID:
API String ID: 3173458388-0
Opcode ID: fd9f4716da230ae71bf1f4ec74ceb596be8590d72bfe1d7677825fa15454f496
Instruction ID: 76208f8db54bfa31a4e946745ab37a866a8afca9cd7e1400b1f436bf5add317d
Opcode Fuzzy Hash: 0CF09E4906CDE0A230E245C41213F6290C28E85DA1CCD2F728175646EB900A900BB68A
Instruction Fuzzy Hash: 76208f8db54bfa31a4e946745ab37a866a8afca9cd7e1400b1f436bf5add317d

APIs

GetSystemMetrics.USER32(0000000B), ref: 004265B2
GetSystemMetrics.USER32(0000000C), ref: 004265BE
GetDC.USER32(00000000), ref: 004265DA
GetDeviceCaps.GDI32(00000000,0000000E), ref: 00426601
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042660E
ReleaseDC.USER32(00000000,00000000), ref: 00426647

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004269DC, Relevance: 9.1, APIs: 6, Instructions: 65 Total matches: 3081window

Similarity

Total matches: 3081
API ID: SelectPalette$CreateCompatibleDCDeleteDCGetDIBitsRealizePalette
String ID:
API String ID: 940258532-0
Opcode ID: c5678bed85b02f593c88b8d4df2de58c18800a354d7fb4845608846d7bc0f30b
Instruction ID: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194
Opcode Fuzzy Hash: BCE0864D058EF36F1875B08C25D267100C0C9A25D0917BB6151282339B8F09B42FE553
Instruction Fuzzy Hash: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194

APIs

Part of subcall function 00426888: GetObjectA.GDI32(?,00000054), ref: 0042689C

CreateCompatibleDC.GDI32(00000000), ref: 004269FE
SelectPalette.GDI32(?,?,00000000), ref: 00426A1F
RealizePalette.GDI32(?), ref: 00426A2B
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 00426A42
SelectPalette.GDI32(?,00000000,00000000), ref: 00426A6A
DeleteDC.GDI32(?), ref: 00426A73

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426210, Relevance: 9.1, APIs: 6, Instructions: 56 Total matches: 3064window

Similarity

Total matches: 3064
API ID: SelectObject$CreateCompatibleDCCreatePaletteDeleteDCGetDIBColorTable
String ID:
API String ID: 2522673167-0
Opcode ID: 8f0861977a40d6dd0df59c1c8ae10ba78c97ad85d117a83679491ebdeecf1838
Instruction ID: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265
Opcode Fuzzy Hash: 23E0CD8BABB4E08A797B9EA40440641D28F874312DF4347525731780E7DE0972EBFD9D
Instruction Fuzzy Hash: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265

APIs

CreateCompatibleDC.GDI32(00000000), ref: 00426229
SelectObject.GDI32(00000000,00000000), ref: 00426232
GetDIBColorTable.GDI32(00000000,00000000,00000100,?), ref: 00426246
SelectObject.GDI32(00000000,00000000), ref: 00426252
DeleteDC.GDI32(00000000), ref: 00426258
CreatePalette.GDI32 ref: 0042629F

Part of subcall function 00426178: GetDC.USER32(00000000), ref: 00426190
Part of subcall function 00426178: GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
Part of subcall function 00426178: ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004258EC, Relevance: 9.0, APIs: 6, Instructions: 43 Total matches: 3205

Similarity

Total matches: 3205
API ID: SetBkColorSetBkMode$SelectObjectUnrealizeObject
String ID:
API String ID: 865388446-0
Opcode ID: ffaa839b37925f52af571f244b4bcc9ec6d09047a190f4aa6a6dd435522a71e3
Instruction ID: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d
Opcode Fuzzy Hash: 04D09E594221F71A98E8058442D7D520586497D532DAF3B51063B173F7F8089A05D9FC
Instruction Fuzzy Hash: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d

APIs

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

UnrealizeObject.GDI32(00000000), ref: 004258F8
SelectObject.GDI32(?,00000000), ref: 0042590A
SetBkColor.GDI32(?,00000000), ref: 0042592D
SetBkMode.GDI32(?,00000002), ref: 00425938

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(?,00000000), ref: 00425953
SetBkMode.GDI32(?,00000001), ref: 0042595E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042A930, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 112 Total matches: 272window

Similarity

Total matches: 272
API ID: CreateHalftonePaletteDeleteObjectGetDCReleaseDC
String ID: (
API String ID: 5888407-3887548279
Opcode ID: 4e22601666aff46a46581565b5bf303763a07c2fd17868808ec6dd327d665c82
Instruction ID: f57f3c124764741b0e8e00b5455ad9be4a6e3969f543885727e4b1f2e22c0620
Opcode Fuzzy Hash: 79019E5241CC6117F8D7A6547852F732644AB806A5C80FB707B69BA8CFAB85610EB90B
Instruction Fuzzy Hash: f57f3c124764741b0e8e00b5455ad9be4a6e3969f543885727e4b1f2e22c0620

APIs

GetDC.USER32(00000000), ref: 0042A9EC
CreateHalftonePalette.GDI32(00000000), ref: 0042A9F9
ReleaseDC.USER32(00000000,00000000), ref: 0042AA08
DeleteObject.GDI32(00000000), ref: 0042AA76

Strings

(, xrefs: 0042A9A3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DA48, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 102 Total matches: 32

Similarity

Total matches: 32
API ID: Netbios
String ID: %.2x-%.2x-%.2x-%.2x-%.2x-%.2x$3$memory allocation failed!
API String ID: 544444789-2654533857
Opcode ID: 22deb5ba4c8dd5858e69645675ac88c4b744798eed5cc2a6ae80ae5365d1f156
Instruction ID: 205d53b38d78d2d0723284a20418f6a6cc2e9f6e34ee92e133a3f4b1a01c78c5
Opcode Fuzzy Hash: FC0145449793E233D2635E086C60F6823228F41731FC96B56863A557DC1F09420EF26F
Instruction Fuzzy Hash: 205d53b38d78d2d0723284a20418f6a6cc2e9f6e34ee92e133a3f4b1a01c78c5

APIs

Netbios.NETAPI32(00000032), ref: 0048DA8A
Netbios.NETAPI32(00000033), ref: 0048DB01

Strings

3, xrefs: 0048DACB
memory allocation failed!, xrefs: 0048DAEB
%.2x-%.2x-%.2x-%.2x-%.2x-%.2x, xrefs: 0048DBA0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446EDC, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 98 Total matches: 12timethreadwindow

Similarity

Total matches: 12
API ID: GetCurrentThreadIdSetTimerWaitMessage
String ID: 4PI$TfD
API String ID: 3709936073-2665388893
Opcode ID: a96b87b76615ec2f6bd9a49929a256f28b564bdc467e68e118c3deca706b2d51
Instruction ID: b92290f9b4a80c848b093905c5717a31533565e16cff7f57329368dd8290fbf7
Opcode Fuzzy Hash: E2F0A28141CDF053D573A6183401FD120A6F3465D5CD097723768360EE1ADF603DE14B
Instruction Fuzzy Hash: b92290f9b4a80c848b093905c5717a31533565e16cff7f57329368dd8290fbf7

APIs

Part of subcall function 00446E50: GetCursorPos.USER32 ref: 00446E57

SetTimer.USER32(00000000,00000000,?,00446E74), ref: 00446FAB

Part of subcall function 00446DEC: IsWindowVisible.USER32(00000000), ref: 00446E24
Part of subcall function 00446DEC: IsWindowEnabled.USER32(00000000), ref: 00446E35

GetCurrentThreadId.KERNEL32(00000000,00447029,?,?,?,015B8130), ref: 00446FE5
WaitMessage.USER32 ref: 00447009

Part of subcall function 0041F7B4: GetCurrentThreadId.KERNEL32 ref: 0041F7BF
Part of subcall function 0041F7B4: GetCurrentThreadId.KERNEL32 ref: 0041F7CE
Part of subcall function 0041F7B4: EnterCriticalSection.KERNEL32(004999D0), ref: 0041F813
Part of subcall function 0041F7B4: InterlockedExchange.KERNEL32(00491B2C,?), ref: 0041F82F
Part of subcall function 0041F7B4: LeaveCriticalSection.KERNEL32(004999D0,00000000,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F888
Part of subcall function 0041F7B4: EnterCriticalSection.KERNEL32(004999D0,0041F904,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F8F7

Strings

TfD, xrefs: 00446EFE, 00446F08, 00446F59, 00446F81, 00446FBE, 00446F8E, 00446F69, 00446F6C, 00446F14, 00446F1D
4PI, xrefs: 00446FEA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482320, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85 Total matches: 19threadsleep

Similarity

Total matches: 19
API ID: CreateThreadExitThreadSleep
String ID: @$BTRESULTUDP Flood|UDP Flood task finished!|
API String ID: 2170526433-696998096
Opcode ID: 89b2bcb3a41e7f4c01433908cc75e320bbcd6b665df0f15f136d145bd92b223a
Instruction ID: ba785c08286949be7b8d16e5cc6bc2a647116c61844ba5f345475ef84eb05628
Opcode Fuzzy Hash: F0F02B696BCAA1DFE8075C446C42B9B2054DBC740EDCBA7B2261B235819A4A34073F13
Instruction Fuzzy Hash: ba785c08286949be7b8d16e5cc6bc2a647116c61844ba5f345475ef84eb05628

APIs

Sleep.KERNEL32(00000064,?,00000000,00482455), ref: 004823D3
CreateThread.KERNEL32(00000000,00000000,Function_000821A0,00000000,00000000,?), ref: 004823E8

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000,00000000,00000000,Function_000821A0,00000000,00000000,?,00000064,?,00000000,00482455), ref: 0048242B

Strings

@, xrefs: 004823BE
BTRESULTUDP Flood|UDP Flood task finished!|, xrefs: 00482417

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004827C4, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85 Total matches: 19threadsleep

Similarity

Total matches: 19
API ID: CreateThreadExitThreadSleep
String ID: @$BTRESULTSyn Flood|Syn task finished!|
API String ID: 2170526433-491318438
Opcode ID: 44470ceb4039b0deeebf49dfd608d8deeadfb9ebb9d7d747ae665e3d160d324e
Instruction ID: 0c48cfc9b202c7a9406c9b87cea66b669ffe7f04b2bdabee49179f6eebcccd33
Opcode Fuzzy Hash: 17F02B24A7D9B5DFEC075D402D42BDB6254EBC784EDCAA7B29257234819E1A30037713
Instruction Fuzzy Hash: 0c48cfc9b202c7a9406c9b87cea66b669ffe7f04b2bdabee49179f6eebcccd33

APIs

Sleep.KERNEL32(00000064,?,00000000,004828F9), ref: 00482877
CreateThread.KERNEL32(00000000,00000000,Function_00082630,00000000,00000000,?), ref: 0048288C

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000,00000000,00000000,Function_00082630,00000000,00000000,?,00000064,?,00000000,004828F9), ref: 004828CF

Strings

BTRESULTSyn Flood|Syn task finished!|, xrefs: 004828BB
@, xrefs: 00482862

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00483858, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85 Total matches: 19threadsleep

Similarity

Total matches: 19
API ID: CreateThreadExitThreadSleep
String ID: @$BTRESULTHTTP Flood|Http Flood task finished!|
API String ID: 2170526433-4253556105
Opcode ID: ce1973b24f73c03e98cc87b7d8b3c5c1d23a0e8b985775cb0889d2fdef58f970
Instruction ID: 21c0fad9eccbf28bfd57fbbbc49df069a42e3d2ebba60de991032031fecca495
Opcode Fuzzy Hash: 5DF0F61467DBA0AFEC476D403852FDB6254DBC344EDCAA7B2961B234919A0B50072752
Instruction Fuzzy Hash: 21c0fad9eccbf28bfd57fbbbc49df069a42e3d2ebba60de991032031fecca495

APIs

Sleep.KERNEL32(00000064,?,00000000,0048398D), ref: 0048390B
CreateThread.KERNEL32(00000000,00000000,Function_000836D8,00000000,00000000,?), ref: 00483920

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000,00000000,00000000,Function_000836D8,00000000,00000000,?,00000064,?,00000000,0048398D), ref: 00483963

Strings

@, xrefs: 004838F6
BTRESULTHTTP Flood|Http Flood task finished!|, xrefs: 0048394F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00431630, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68 Total matches: 12clipboard

Similarity

Total matches: 12
API ID: EnumClipboardFormatsGetClipboardData
String ID: 84B
API String ID: 3474394156-4139892337
Opcode ID: cbdc4fb4fee60523561006c9190bf0aca0ea1a398c4033ec61a61d99ebad6b44
Instruction ID: f1c5519afed1b0c95f7f2342b940afc2bc63d918938f195d0c151ba0fb7a00cb
Opcode Fuzzy Hash: 42E0D8922359D127F8C2A2903882B52360966DA6488405B709B6D7D1575551512FF28B
Instruction Fuzzy Hash: f1c5519afed1b0c95f7f2342b940afc2bc63d918938f195d0c151ba0fb7a00cb

APIs

EnumClipboardFormats.USER32(00000000), ref: 00431657
GetClipboardData.USER32(00000000), ref: 00431677
GetClipboardData.USER32(00000009), ref: 00431680
EnumClipboardFormats.USER32(00000000), ref: 0043169F

Strings

84B, xrefs: 00431665

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EA7C, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50 Total matches: 198thread

Similarity

Total matches: 198
API ID: FindWindowExGetCurrentThreadIdGetWindowThreadProcessIdIsWindow
String ID: OleMainThreadWndClass
API String ID: 201132107-3883841218
Opcode ID: cdbacb71e4e8a6832b821703e69153792bbbb8731c9381be4d3b148a6057b293
Instruction ID: 62358f18f5a79d764869bf2b093b0b3ccaeb62bda00a46bd1094c38cdaeeb6b7
Opcode Fuzzy Hash: F8E08C9266CC1095C039EA1C7A2237A3548B7D24E9ED4DB747BEB2716CEF00022A7780
Instruction Fuzzy Hash: 62358f18f5a79d764869bf2b093b0b3ccaeb62bda00a46bd1094c38cdaeeb6b7

APIs

Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00000000,00403029), ref: 004076AD
Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00403029), ref: 004076BE

IsWindow.USER32(?), ref: 0042EA99
FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
GetCurrentThreadId.KERNEL32(?,00000000,00000000,00000000,OleMainThreadWndClass,00000000,?,?,00000000,0042EB52), ref: 0042EB0A

Strings

OleMainThreadWndClass, xrefs: 0042EAC3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043F914, Relevance: 7.7, APIs: 5, Instructions: 174 Total matches: 113window

Similarity

Total matches: 113
API ID: SetMenu$GetMenuSetWindowPos
String ID:
API String ID: 2285096500-0
Opcode ID: d0722823978f30f9d251a310f9061108e88e98677dd122370550f2cde24528f3
Instruction ID: e705ced47481df034b79e2c10a9e9c5239c9913cd23e0c77b7b1ec0a0db802ed
Opcode Fuzzy Hash: 5F118B40961E1266F846164C19EAF1171E6BB9D305CC4E72083E630396BE085027E773
Instruction Fuzzy Hash: e705ced47481df034b79e2c10a9e9c5239c9913cd23e0c77b7b1ec0a0db802ed

APIs

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetMenu.USER32(00000000), ref: 0043FA38
SetMenu.USER32(00000000,00000000), ref: 0043FA55
SetMenu.USER32(00000000,00000000), ref: 0043FA8A
SetMenu.USER32(00000000,00000000), ref: 0043FAA6

Part of subcall function 0043F84C: GetMenu.USER32(00000000), ref: 0043F892
Part of subcall function 0043F84C: SendMessageA.USER32(00000000,00000230,00000000,00000000), ref: 0043F8AA
Part of subcall function 0043F84C: DrawMenuBar.USER32(00000000), ref: 0043F8BB

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043FAED

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434AE4, Relevance: 7.7, APIs: 5, Instructions: 168 Total matches: 2874

Similarity

Total matches: 2874
API ID: DrawTextOffsetRect$DrawEdge
String ID:
API String ID: 1230182654-0
Opcode ID: 4033270dfa35f51a11e18255a4f5fd5a4a02456381e8fcea90fa62f052767fcc
Instruction ID: 6b9e5ef3b45a4a7d0cb501c9f56a29ead01efbe1e1581f942ef4c6a165ab8663
Opcode Fuzzy Hash: A511CB01114D5A93E431240815A7FEF1295FBC1A9BCD4BB71078636DBB2F481017EA7B
Instruction Fuzzy Hash: 6b9e5ef3b45a4a7d0cb501c9f56a29ead01efbe1e1581f942ef4c6a165ab8663

APIs

DrawEdge.USER32(00000000,?,00000006,00000002), ref: 00434BB3
OffsetRect.USER32(?,00000001,00000001), ref: 00434C04
DrawTextA.USER32(00000000,00000000,?,?,?), ref: 00434C3D
OffsetRect.USER32(?,000000FF,000000FF), ref: 00434C4A

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

DrawTextA.USER32(00000000,00000000,?,?,?), ref: 00434CB5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00473208, Relevance: 7.6, APIs: 5, Instructions: 114 Total matches: 15network

Similarity

Total matches: 15
API ID: inet_ntoa$WSAIoctlclosesocketsocket
String ID:
API String ID: 2271367613-0
Opcode ID: 03e2a706dc22aa37b7c7fcd13714bf4270951a4113eb29807a237e9173ed7bd6
Instruction ID: 676ba8df3318004e6f71ddf2b158507320f00f5068622334a9372202104f6e6f
Opcode Fuzzy Hash: A0F0AC403B69D14384153BC72A80F5971A2872F33ED4833999230986D7984CA018F529
Instruction Fuzzy Hash: 676ba8df3318004e6f71ddf2b158507320f00f5068622334a9372202104f6e6f

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00473339), ref: 0047323B
WSAIoctl.WS2_32(000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000), ref: 0047327C
inet_ntoa.WSOCK32(?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000), ref: 004732AC
inet_ntoa.WSOCK32(?,?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001), ref: 004732E8
closesocket.WSOCK32(000000FF,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000,00000000,00473339), ref: 00473319

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004455EC, Relevance: 7.6, APIs: 5, Instructions: 109 Total matches: 230

Similarity

Total matches: 230
API ID: ShowOwnedPopupsShowWindow$EnumWindows
String ID:
API String ID: 1268429734-0
Opcode ID: 27bb45b2951756069d4f131311b8216febb656800ffc3f7147a02f570a82fa35
Instruction ID: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc
Opcode Fuzzy Hash: 70012B5524E87325E2756D54B01C765A2239B0FF08CE6C6654AAE640F75E1E0132F78D
Instruction Fuzzy Hash: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc

APIs

EnumWindows.USER32(00445518,00000000), ref: 00445620
ShowWindow.USER32(?,00000000), ref: 00445655
ShowOwnedPopups.USER32(00000000,?), ref: 00445684
ShowWindow.USER32(?,00000005), ref: 004456EA
ShowOwnedPopups.USER32(00000000,?), ref: 00445719

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EB3C, Relevance: 7.6, APIs: 5, Instructions: 86 Total matches: 211window

Similarity

Total matches: 211
API ID: DispatchMessageMsgWaitForMultipleObjectsExPeekMessageTranslateMessageWaitForMultipleObjectsEx
String ID:
API String ID: 1615661765-0
Opcode ID: ed928f70f25773e24e868fbc7ee7d77a1156b106903410d7e84db0537b49759f
Instruction ID: 55a40452e6c929106030349fb2bc1598364ce2fc4e781c2a916e8f687fa462b2
Opcode Fuzzy Hash: DDF05C09614F1D16D8BB88644562B1B2144AB42397C26BFA5529EE3B2D6B18B00AF640
Instruction Fuzzy Hash: 55a40452e6c929106030349fb2bc1598364ce2fc4e781c2a916e8f687fa462b2

APIs

Part of subcall function 0042EA7C: IsWindow.USER32(?), ref: 0042EA99
Part of subcall function 0042EA7C: FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
Part of subcall function 0042EA7C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
Part of subcall function 0042EA7C: GetCurrentThreadId.KERNEL32(?,00000000,00000000,00000000,OleMainThreadWndClass,00000000,?,?,00000000,0042EB52), ref: 0042EB0A

MsgWaitForMultipleObjectsEx.USER32(?,?,?,000000BF,?), ref: 0042EB6A
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 0042EB85
TranslateMessage.USER32(?), ref: 0042EB92
DispatchMessageA.USER32(?), ref: 0042EB9B
WaitForMultipleObjectsEx.KERNEL32(?,?,?,?,00000000), ref: 0042EBC7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434924, Relevance: 7.6, APIs: 5, Instructions: 77 Total matches: 2509window

Similarity

Total matches: 2509
API ID: GetMenuItemCount$DestroyMenuGetMenuStateRemoveMenu
String ID:
API String ID: 4240291783-0
Opcode ID: 32de4ad86fdb0cc9fc982d04928276717e3a5babd97d9cb0bc7430a9ae97d0ca
Instruction ID: cf6877f9ad33401498591f2bf6e6844a5ca439f59e89e6fdb213c81f0c010526
Opcode Fuzzy Hash: 6BE02BD3455E4703F425AB0454E3FA913C4AF51716DA0DB1017359D07B1F26501FE9F4
Instruction Fuzzy Hash: cf6877f9ad33401498591f2bf6e6844a5ca439f59e89e6fdb213c81f0c010526

APIs

Part of subcall function 00434A54: CreatePopupMenu.USER32 ref: 00434A6F
Part of subcall function 00434A54: CreateMenu.USER32 ref: 00434A79

GetMenuItemCount.USER32(00000000), ref: 0043495C
GetMenuState.USER32(00000000,-00000001,00000400), ref: 0043497D
RemoveMenu.USER32(00000000,-00000001,00000400), ref: 00434994
GetMenuItemCount.USER32(00000000), ref: 004349C4
DestroyMenu.USER32(00000000), ref: 004349D1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00443430, Relevance: 7.6, APIs: 5, Instructions: 61 Total matches: 3003

Similarity

Total matches: 3003
API ID: SetWindowLong$GetWindowLongRedrawWindowSetLayeredWindowAttributes
String ID:
API String ID: 3761630487-0
Opcode ID: 9c9d49d1ef37d7cb503f07450c0d4a327eb9b2b4778ec50dcfdba666c10abcb3
Instruction ID: c6d9d2cd31c241e86b7d90949bf59b5cad1e27a78e0073c3828bbb8e9ec94880
Opcode Fuzzy Hash: 6AE06550D41703A1D48114945B63FBBE8817F8911DDE5C71001BA29145BA88A192FF7B
Instruction Fuzzy Hash: c6d9d2cd31c241e86b7d90949bf59b5cad1e27a78e0073c3828bbb8e9ec94880

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 00443464
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 00443496
SetLayeredWindowAttributes.USER32(00000000,?,?,00000000), ref: 004434CF
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 004434E8
RedrawWindow.USER32(00000000,00000000,00000000,00000485), ref: 004434FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426178, Relevance: 7.6, APIs: 5, Instructions: 55 Total matches: 3070window

Similarity

Total matches: 3070
API ID: GetPaletteEntries$GetDCGetDeviceCapsReleaseDC
String ID:
API String ID: 1267235336-0
Opcode ID: 49f91625e0dd571c489fa6fdad89a91e8dd79834746e98589081ca7a3a4fea17
Instruction ID: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836
Opcode Fuzzy Hash: 7CD0C2AA1389DBD6BD6A17842352A4553478983B09D126B32EB0822872850C5039FD1F
Instruction Fuzzy Hash: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836

APIs

GetDC.USER32(00000000), ref: 00426190
GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444B90, Relevance: 7.5, APIs: 5, Instructions: 25 Total matches: 2957synchronizationthread

Similarity

Total matches: 2957
API ID: CloseHandleGetCurrentThreadIdSetEventUnhookWindowsHookExWaitForSingleObject
String ID:
API String ID: 3442057731-0
Opcode ID: bc40a7f740796d43594237fc13166084f8c3b10e9e48d5138e47e82ca7129165
Instruction ID: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1
Opcode Fuzzy Hash: E9C01296B2C9B0C1EC809712340202800B20F8FC590E3DE0509D7363005315D73CD92C
Instruction Fuzzy Hash: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1

APIs

UnhookWindowsHookEx.USER32(00000000), ref: 00444B9F
SetEvent.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBA
GetCurrentThreadId.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBF
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00444BD4
CloseHandle.KERNEL32(00000000), ref: 00444BDF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040D670, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148 Total matches: 3566thread

Similarity

Total matches: 3566
API ID: GetThreadLocale
String ID: eeee$ggg$yyyy
API String ID: 1366207816-1253427255
Opcode ID: 86fa1fb3c1f239f42422769255d2b4db7643f856ec586a18d45da068e260c20e
Instruction ID: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436
Opcode Fuzzy Hash: 3911BD8712648363D5722818A0D2BE3199C5703CA4EA89742DDB6356EA7F09440BEE6D
Instruction Fuzzy Hash: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436

APIs

GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Strings

eeee, xrefs: 0040D7AE
yyyy, xrefs: 0040D795
ggg, xrefs: 0040D785

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00448CDC, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 128 Total matches: 12

Similarity

Total matches: 12
API ID: ImageList_Draw$ImageList_GetImageCount
String ID: 6B
API String ID: 3589308897-1343726390
Opcode ID: 2690fd2ca55b1b65e67941613c6303a21faec12a0278fdf56c2d44981dc0a60c
Instruction ID: bb1a6af48a08526224ce615e4789a1aefef0bbae6c761038034d4d1812f59c35
Opcode Fuzzy Hash: D8017B814A5DA09FF93335842AE32BB204AE757E4ACCC3FF13684275C78420722BB613
Instruction Fuzzy Hash: bb1a6af48a08526224ce615e4789a1aefef0bbae6c761038034d4d1812f59c35

APIs

ImageList_GetImageCount.COMCTL32(?,?,?,00000000,00448E75), ref: 00448D9D

Part of subcall function 0042535C: FillRect.USER32(?,00000000,00000000), ref: 00425385

ImageList_Draw.COMCTL32(?,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000,00448E75), ref: 00448DDF
ImageList_Draw.COMCTL32(?,00000000,00000000,00000000,00000000,00000010,?,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 00448E0E

Part of subcall function 004488AC: ImageList_Add.COMCTL32(?,00000000,00000000,00000000,0044893E,?,00000000,0044895B), ref: 00448920

Strings

6B, xrefs: 00448D1F, 00448D58

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486094, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 112 Total matches: 15window

Similarity

Total matches: 15
API ID: DispatchMessagePeekMessageTranslateMessage
String ID: @^H
API String ID: 185851025-3554995626
Opcode ID: 2132e19746abd73b79cebe2d4e6b891fdd392e5cfbbdda1538f9754c05474f80
Instruction ID: eb76ea1802a2b415b8915c5eabc8b18207f4e99a378ecd2f436d0820f5175207
Opcode Fuzzy Hash: FF019C4102C7C1D9EE46E4FD3030BC3A454A74A7A6D89A7A03EFD1116A5F8A7116BF2B
Instruction Fuzzy Hash: eb76ea1802a2b415b8915c5eabc8b18207f4e99a378ecd2f436d0820f5175207

APIs

Part of subcall function 00485EAC: shutdown.WSOCK32(00000000,00000002), ref: 00485F0E
Part of subcall function 00485EAC: closesocket.WSOCK32(00000000,00000000,00000002), ref: 00485F19

Part of subcall function 00485F40: socket.WSOCK32(00000002,00000001,00000000,00000000,00486072), ref: 00485F69
Part of subcall function 00485F40: ntohs.WSOCK32(00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485F8F
Part of subcall function 00485F40: inet_addr.WSOCK32(015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FA0
Part of subcall function 00485F40: gethostbyname.WSOCK32(015EAA88,015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FB5
Part of subcall function 00485F40: connect.WSOCK32(00000000,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FD8
Part of subcall function 00485F40: recv.WSOCK32(00000000,0049A3A0,00001FFF,00000000,00000000,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FEF
Part of subcall function 00485F40: recv.WSOCK32(00000000,0049A3A0,00001FFF,00000000,00000000,0049A3A0,00001FFF,00000000,00000000,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000), ref: 0048603F

Part of subcall function 00466AFC: waveInOpen.WINMM(00000094,00000000,?,?,00000000,00010004), ref: 00466B36
Part of subcall function 00466AFC: waveInStart.WINMM(?), ref: 00466B5B

TranslateMessage.USER32(?), ref: 004861CA
DispatchMessageA.USER32(?), ref: 004861D0
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004861DE

Strings

@^H, xrefs: 004860BE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F5E4, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72 Total matches: 26window

Similarity

Total matches: 26
API ID: GetWindowPlacementGetWindowTextIsWindowVisible
String ID: ,
API String ID: 41250382-3772416878
Opcode ID: d98ece8bad481757d152ad7594c705093dec75069e9b5f9ec314c4d81001c558
Instruction ID: 1b57460ef1e40e225087e69e669dd845b9a56fe4f5442601256b4cdd4d0865f6
Opcode Fuzzy Hash: DBE0ABC68782816BD907FDCCB0207E6E1E4779394CC8CBB32C606396E44D92000DCE69
Instruction Fuzzy Hash: 1b57460ef1e40e225087e69e669dd845b9a56fe4f5442601256b4cdd4d0865f6

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F634
GetWindowPlacement.USER32(?,0000002C), ref: 0046F64F
IsWindowVisible.USER32(?), ref: 0046F655

Strings

,, xrefs: 0046F643

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00473448, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 68 Total matches: 15network

Similarity

Total matches: 15
API ID: InternetConnectInternetOpen
String ID: 84G$DCSC
API String ID: 2368555255-1372800958
Opcode ID: 53ce43b2210f5c6ad3b551091bc6b8bee07640da22ed1286f4ed4d69da6ab12a
Instruction ID: e0797c740093838c5f4dac2a7ddd4939bcbe40ebc838de26f806c335dc33f113
Opcode Fuzzy Hash: 1AF0558C09DC81CBED14B5C83C827C7281AB357949E003B91161A372C3DF0A6174FA4F
Instruction Fuzzy Hash: e0797c740093838c5f4dac2a7ddd4939bcbe40ebc838de26f806c335dc33f113

APIs

InternetOpenA.WININET(DCSC,00000000,00000000,00000000,00000000), ref: 00473493
InternetConnectA.WININET(00000000,00000000,00000000,00000000,00000000,00000001,08000000,00000000), ref: 004734D9

Strings

DCSC, xrefs: 0047348E
84G, xrefs: 00473468, 0047350F, 004734AF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00485150, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64 Total matches: 24registry

Similarity

Total matches: 24
API ID: RegCloseKeyRegOpenKeyRegSetValueEx
String ID: Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 551737238-1428018034
Opcode ID: 03d06dea9a4ea131a8c95bd501c85e7d0b73df60e0a15cb9a2dd1ac9fe2d308f
Instruction ID: 259808f008cd29689f11a183a475b32bbb219f99a0f83129d86369365ce9f44d
Opcode Fuzzy Hash: 15E04F8517EAE2ABA996B5C838866F7609A9713790F443FB19B742F18B4F04601CE243
Instruction Fuzzy Hash: 259808f008cd29689f11a183a475b32bbb219f99a0f83129d86369365ce9f44d

APIs

RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 00485199
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,?,00000000,004851DE,?,00000000,0048520A), ref: 004851C6
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,?,00000000,004851DE,?,00000000,0048520A), ref: 004851CF

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 0048518F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004606CC, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 59 Total matches: 75network

Similarity

Total matches: 75
API ID: gethostbynameinet_addr
String ID: %d.%d.%d.%d$0.0.0.0
API String ID: 1594361348-464342551
Opcode ID: 7e59b623bdbf8c44b8bb58eaa9a1d1e7bf08be48a025104469b389075155053e
Instruction ID: 136b4077bafd549567cd44b702fc781b2d0bdeab701521d256d746d30229b047
Opcode Fuzzy Hash: 62E0D84049F633C28038E685914DF713041C71A2DEF8F9352022171EF72B096986AE3F
Instruction Fuzzy Hash: 136b4077bafd549567cd44b702fc781b2d0bdeab701521d256d746d30229b047

APIs

inet_addr.WSOCK32(00000000), ref: 004606F6
gethostbyname.WSOCK32(00000000), ref: 00460711

Strings

%d.%d.%d.%d, xrefs: 0046075E
0.0.0.0, xrefs: 0046076C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043804C, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58 Total matches: 1778window

Similarity

Total matches: 1778
API ID: DrawMenuBarGetMenuItemInfoSetMenuItemInfo
String ID: P
API String ID: 41131186-3110715001
Opcode ID: ea0fd48338f9c30b58f928f856343979a74bbe7af1b6c53973efcbd39561a32d
Instruction ID: eec9c326b6739cd85be96541f469f9b321a478421ae7c7aca53e0c239bd8eefe
Opcode Fuzzy Hash: C8E0C0C1064C1301CCACB4938564F010221FB8B33CDD1D3C051602419A9D0080D4BFFA
Instruction Fuzzy Hash: eec9c326b6739cd85be96541f469f9b321a478421ae7c7aca53e0c239bd8eefe

APIs

GetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 0043809A
SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 004380EC
DrawMenuBar.USER32(00000000), ref: 004380F9

Strings

P, xrefs: 0043808C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474E20, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51 Total matches: 17synchronizationthreadinjection

Similarity

Total matches: 17
API ID: CreateRemoteThreadReadProcessMemoryWaitForSingleObject
String ID: DCPERSFWBP
API String ID: 972516186-2425095734
Opcode ID: c4bd10bfc42c7bc3ca456a767018bd77f736aecaa9343146970cff40bb4593b6
Instruction ID: 075115d4d80338f80b59a5c3f9ea77aa0f3a1cab00edb24ce612801bf173fcc5
Opcode Fuzzy Hash: 63D0A70B97094A56102D348D54027154341A601775EC177E38E36873F719C17051F85E
Instruction Fuzzy Hash: 075115d4d80338f80b59a5c3f9ea77aa0f3a1cab00edb24ce612801bf173fcc5

APIs

Part of subcall function 00474DF0: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,00475328,?,?,00474E3D,DCPERSFWBP,?,?), ref: 00474E06
Part of subcall function 00474DF0: WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,00000000,?,00003000,00000040,?,?,00475328,?,?,00474E3D), ref: 00474E12

CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00474E5E
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00474E6E
ReadProcessMemory.KERNEL32(?,00000000,?,?,?,DCPERSFWBP,?,?), ref: 00474E81

Strings

DCPERSFWBP, xrefs: 00474E28

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C3E4, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47 Total matches: 32libraryloader

Similarity

Total matches: 32
API ID: FreeLibraryGetProcAddressLoadLibrary
String ID: _DCEntryPoint
API String ID: 2438569322-2130044969
Opcode ID: ab6be07d423f29e2cef18b5ad5ff21cef58c0bd0bd6b8b884c8bb9d8d911d098
Instruction ID: 3cba8b520013dd4b177f9c32272ffd10ecf318a20762e1e9fa694429cf7511db
Opcode Fuzzy Hash: B9D0C2568747D413C405200439407D90CF1AF8719F9967FA145303FAD76F09801B7527
Instruction Fuzzy Hash: 3cba8b520013dd4b177f9c32272ffd10ecf318a20762e1e9fa694429cf7511db

APIs

LoadLibraryA.KERNEL32(00000000), ref: 0048C431
GetProcAddress.KERNEL32(00000000,_DCEntryPoint,00000000,0048C473), ref: 0048C442
FreeLibrary.KERNEL32(00000000), ref: 0048C44A

Strings

_DCEntryPoint, xrefs: 0048C43C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E2E0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43 Total matches: 12

Similarity

Total matches: 12
API ID: GetSystemMetrics
String ID: B$MonitorFromRect
API String ID: 96882338-2754499530
Opcode ID: 1842a50c2a1cfa3c1025dca09d4f756f79199febb49279e4604648b2b7edb610
Instruction ID: 6b6d6292007391345a0dd43a7380953c143f03b3d0a4cb72f8cf2ff6a2a574f7
Opcode Fuzzy Hash: E0D0A791112CA408509A0917702924315EE35EBC1599C0BE6976B792E797CABD329E0D
Instruction Fuzzy Hash: 6b6d6292007391345a0dd43a7380953c143f03b3d0a4cb72f8cf2ff6a2a574f7

APIs

GetSystemMetrics.USER32(00000000), ref: 0042E331
GetSystemMetrics.USER32(00000001), ref: 0042E33D

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

MonitorFromRect, xrefs: 0042E2F5
B, xrefs: 0042E2FA, 0042E307, 0042E30E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00431584, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43 Total matches: 12clipboard

Similarity

Total matches: 12
API ID: GetClipboardDataGlobalLockGlobalUnlock
String ID: 3 H
API String ID: 1112492702-888106971
Opcode ID: 013a2f41e22a5f88135e53f1f30c1b54f125933eea5d15d528f5d163d4797a42
Instruction ID: db876d1a574ac817b8a3991f0ba770b49a36090bd3b886d1e57eba999d76a536
Opcode Fuzzy Hash: 53D0A7C3025DE267E991578C0053A92A6C0D8416087C063B0830C2E927031E50AB7063
Instruction Fuzzy Hash: db876d1a574ac817b8a3991f0ba770b49a36090bd3b886d1e57eba999d76a536

APIs

GetClipboardData.USER32(00000001), ref: 0043159A
GlobalLock.KERNEL32(00000000,00000000,004315F6), ref: 004315BA
GlobalUnlock.KERNEL32(00000000,004315FD), ref: 004315E8

Strings

3 H, xrefs: 00431590, 004315ED

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046D36C, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36 Total matches: 62

Similarity

Total matches: 62
API ID: ShellExecute
String ID: /k $[FILE]$open
API String ID: 2101921698-3009165984
Opcode ID: 68a05d7cd04e1a973318a0f22a03b327e58ffdc8906febc8617c9713a9b295c3
Instruction ID: d64fb813625eb261c687c2654e5203d30067de4ace02db37851750b48dd66fbf
Opcode Fuzzy Hash: FED0C75427CD9157FA017F8439527E61057E747281D481BE285587A0838F8D40659312
Instruction Fuzzy Hash: d64fb813625eb261c687c2654e5203d30067de4ace02db37851750b48dd66fbf

APIs

ShellExecuteA.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0046D3B9

Strings

/k , xrefs: 0046D39A
cmd.exe, xrefs: 0046D3AD
open, xrefs: 0046D3B2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042F9E4, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36 Total matches: 35libraryloader

Similarity

Total matches: 35
API ID: GetProcAddressLoadLibrary
String ID: DWMAPI.DLL$DwmExtendFrameIntoClientArea
API String ID: 3291547091-2956373744
Opcode ID: cc41b93bac7ef77e5c5829331b5f2d91e10911707bc9e4b3bb75284856726923
Instruction ID: 611aa7263024d751f308fb3d57e5af9092bc5a71ac2d52dead79affe02cb0da7
Opcode Fuzzy Hash: D0D0A7E4C08511B0F0509405703078241DE1BC5EEE8860E90150E533621B9FB827F65C
Instruction Fuzzy Hash: 611aa7263024d751f308fb3d57e5af9092bc5a71ac2d52dead79affe02cb0da7

APIs

LoadLibraryA.KERNEL32(DWMAPI.DLL), ref: 0042FA0E
GetProcAddress.KERNEL32(00000000,DwmExtendFrameIntoClientArea,?,?,?,00447F98), ref: 0042FA31

Strings

DWMAPI.DLL, xrefs: 0042FA09
DwmExtendFrameIntoClientArea, xrefs: 0042FA26

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042FA80, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31 Total matches: 41libraryloader

Similarity

Total matches: 41
API ID: GetProcAddressLoadLibrary
String ID: DWMAPI.DLL$DwmIsCompositionEnabled
API String ID: 3291547091-2128843254
Opcode ID: 903d86e3198bc805c96c7b960047695f5ec88b3268c29fda1165ed3f3bc36d22
Instruction ID: 6cdb37f6684ca359e010f835ed4616ce0f7732468e0f2b98b5f1960530870703
Opcode Fuzzy Hash: E3D0C9A5C0865175F571D509713068081FA23D6E8A8824998091A123225FAFB866F55C
Instruction Fuzzy Hash: 6cdb37f6684ca359e010f835ed4616ce0f7732468e0f2b98b5f1960530870703

APIs

LoadLibraryA.KERNEL32(DWMAPI.DLL), ref: 0042FAA6
GetProcAddress.KERNEL32(00000000,DwmIsCompositionEnabled,?,?,0042FB22,?,00447EFB), ref: 0042FAC9

Strings

DwmIsCompositionEnabled, xrefs: 0042FABE
DWMAPI.DLL, xrefs: 0042FAA1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040F4AC, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16 Total matches: 3137libraryloader

Similarity

Total matches: 3137
API ID: GetModuleHandleGetProcAddress
String ID: GetDiskFreeSpaceExA$[FILE]
API String ID: 1063276154-3559590856
Opcode ID: c33e0a58fb58839ae40c410e06ae8006a4b80140bf923832b2d6dbd30699e00d
Instruction ID: 9d6a6771c1a736381c701344b3d7b8e37c98dfc5013332f68a512772380f22cc
Opcode Fuzzy Hash: D8B09224E0D54114C4B4560930610013C82738A10E5019A820A1B720AA7CCEEA29603A
Instruction Fuzzy Hash: 9d6a6771c1a736381c701344b3d7b8e37c98dfc5013332f68a512772380f22cc

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0048F10B,00000000,0048F11E), ref: 0040F4B2
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA,kernel32.dll,?,0048F10B,00000000,0048F11E), ref: 0040F4C3

Strings

GetDiskFreeSpaceExA, xrefs: 0040F4BD
kernel32.dll, xrefs: 0040F4AD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EC20, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15 Total matches: 48libraryloader

Similarity

Total matches: 48
API ID: GetModuleHandleGetProcAddress
String ID: CoWaitForMultipleHandles$[FILE]
API String ID: 1063276154-3065170753
Opcode ID: c6d715972c75e747e6d7ad7506eebf8b4c41a2b527cd9bc54a775635c050cd0f
Instruction ID: d81c7de5bd030b21af5c52a75e3162b073d887a4de1eb555b8966bd0fb9ec815
Opcode Fuzzy Hash: 4DB012F9A0C9210CE55F44043163004ACF031C1B5F002FD461637827803F86F437631D
Instruction Fuzzy Hash: d81c7de5bd030b21af5c52a75e3162b073d887a4de1eb555b8966bd0fb9ec815

APIs

GetModuleHandleA.KERNEL32(ole32.dll,?,0042EC9A), ref: 0042EC26
GetProcAddress.KERNEL32(00000000,CoWaitForMultipleHandles,ole32.dll,?,0042EC9A), ref: 0042EC37

Strings

CoWaitForMultipleHandles, xrefs: 0042EC31
ole32.dll, xrefs: 0042EC21

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E724, Relevance: 6.2, APIs: 4, Instructions: 198 Total matches: 19

Similarity

Total matches: 19
API ID: NetApiBufferFree$NetShareEnumNetShareGetInfo
String ID:
API String ID: 1922012051-0
Opcode ID: 7e64b2910944434402afba410b58d9b92ec59018d54871fdfc00dd5faf96720b
Instruction ID: 14ccafa2cf6417a1fbed620c270814ec7f2ac7381c92f106b89344cab9500d3f
Opcode Fuzzy Hash: 522148C606BDA0ABF6A3B4C4B447FC182D07B0B96DE486B2290BABD5C20D9521079263
Instruction Fuzzy Hash: 14ccafa2cf6417a1fbed620c270814ec7f2ac7381c92f106b89344cab9500d3f

APIs

Part of subcall function 004032F8: GetCommandLineA.KERNEL32(00000000,00403349,?,?,?,00000000), ref: 0040330F

Part of subcall function 00403358: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,0046E763,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0040337C
Part of subcall function 00403358: GetCommandLineA.KERNEL32(?,?,?,0046E763,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0040338E

NetShareEnum.NETAPI32(?,00000000,?,000000FF,?,?,?,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0046E79C
NetShareGetInfo.NETAPI32(?,?,000001F6,?,00000000,0046E945,?,?,00000000,?,000000FF,?,?,?,00000000,0046E984), ref: 0046E7D5
NetApiBufferFree.NETAPI32(?,?,?,000001F6,?,00000000,0046E945,?,?,00000000,?,000000FF,?,?,?,00000000), ref: 0046E936
NetApiBufferFree.NETAPI32(?,?,00000000,?,000000FF,?,?,?,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0046E964

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00411444, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: 954335058d5fe722e048a186d9110509c96c1379a47649d8646f5b9e1a2e0a0b
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: 9D014B0327CAAA867021BB004882FA0D2D4DE52A369CD8774DB71593F62780571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004114F3
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041150F
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411586
VariantClear.OLEAUT32(?), ref: 004115AF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040D8AA, Relevance: 6.1, APIs: 4, Instructions: 101 Total matches: 2563

Similarity

Total matches: 2563
API ID: GetModuleFileName$LoadStringVirtualQuery
String ID:
API String ID: 2941097594-0
Opcode ID: 9f707685a8ca2ccbfc71ad53c7f9b5a8f910bda01de382648e3a286d4dcbad8b
Instruction ID: 9b6f9daabaaed01363acd1bc6df000eeaee8c5b1ee04e659690c8b100997f9f3
Opcode Fuzzy Hash: 4C014C024365E386F4234B112882F5492E0DB65DB1E8C6751EFB9503F65F40115EF72D
Instruction Fuzzy Hash: 9b6f9daabaaed01363acd1bc6df000eeaee8c5b1ee04e659690c8b100997f9f3

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040D8C9
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040D8ED
GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040D908
LoadStringA.USER32(00000000,0000FFED,?,00000100), ref: 0040D99E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428848, Relevance: 6.1, APIs: 4, Instructions: 83 Total matches: 2913window

Similarity

Total matches: 2913
API ID: CreateCompatibleDCRealizePaletteSelectObjectSelectPalette
String ID:
API String ID: 3833105616-0
Opcode ID: 7f49dee69bcd38fda082a6c54f39db5f53dba16227df2c2f18840f8cf7895046
Instruction ID: 29ada319a87402adac0eebea4d3b1ef9d21249ffa1523adf5174efdc3c3390a2
Opcode Fuzzy Hash: C0F0E5870BCED49BFCA7D484249722910C2F3C08DFC80A3324E55676DB9604B127A20B
Instruction Fuzzy Hash: 29ada319a87402adac0eebea4d3b1ef9d21249ffa1523adf5174efdc3c3390a2

APIs

Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE

Part of subcall function 00429D5C: GetDC.USER32(00000000), ref: 00429DB2
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429DC7
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00429DD1
Part of subcall function 00429D5C: CreateHalftonePalette.GDI32(00000000), ref: 00429DF5
Part of subcall function 00429D5C: ReleaseDC.USER32(00000000,00000000), ref: 00429E00

CreateCompatibleDC.GDI32(00000000), ref: 0042889D
SelectObject.GDI32(00000000,?), ref: 004288B6
SelectPalette.GDI32(00000000,?,000000FF), ref: 004288DF
RealizePalette.GDI32(00000000), ref: 004288EB

Part of subcall function 00425608: LeaveCriticalSection.KERNEL32(00000038,00000000,00423DD2,00423DE8), ref: 0042560F
Part of subcall function 00425608: EnterCriticalSection.KERNEL32(00499A30,00000038,00000000,00423DD2,00423DE8), ref: 00425619
Part of subcall function 00425608: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000038,00000000,00423DD2,00423DE8), ref: 00425626

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00470B94, Relevance: 6.1, APIs: 4, Instructions: 73 Total matches: 22file

Similarity

Total matches: 22
API ID: DragQueryFile$GlobalLockGlobalUnlock
String ID:
API String ID: 367920443-0
Opcode ID: 498cda1e803d17a6f5118466ea9165dd9226bd8025a920d397bde98fe09ca515
Instruction ID: b8ae27aaf29c7a970dfd4945759f76c89711bef1c6f8db22077be54f479f9734
Opcode Fuzzy Hash: F8F05C830F79E26BD5013A844E0179401A17B03DB8F147BB2D232729DC4E5D409DF60F
Instruction Fuzzy Hash: b8ae27aaf29c7a970dfd4945759f76c89711bef1c6f8db22077be54f479f9734

APIs

Part of subcall function 00431970: GetClipboardData.USER32(00000000), ref: 00431996

GlobalLock.KERNEL32(00000000,00000000,00470C74), ref: 00470BDE
DragQueryFileA.SHELL32(?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470BF0
DragQueryFileA.SHELL32(?,00000000,?,00000105,?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470C10
GlobalUnlock.KERNEL32(00000000,?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470C56

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00438710, Relevance: 6.1, APIs: 4, Instructions: 72 Total matches: 3034window

Similarity

Total matches: 3034
API ID: GetMenuItemIDGetMenuStateGetMenuStringGetSubMenu
String ID:
API String ID: 4177512249-0
Opcode ID: ecc45265f1f2dfcabc36b66648e37788e83d83d46efca9de613be41cbe9cf08e
Instruction ID: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d
Opcode Fuzzy Hash: BEE020084B1FC552541F0A4A1573F019140E142CB69C3F3635127565B31A255213F776
Instruction Fuzzy Hash: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d

APIs

GetMenuState.USER32(?,?,?), ref: 00438733
GetSubMenu.USER32(?,?), ref: 0043873E
GetMenuItemID.USER32(?,?), ref: 00438757
GetMenuStringA.USER32(?,?,?,?,?), ref: 004387AA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00445518, Relevance: 6.1, APIs: 4, Instructions: 71 Total matches: 218threadwindow

Similarity

Total matches: 218
API ID: GetCurrentProcessIdGetWindowGetWindowThreadProcessIdIsWindowVisible
String ID:
API String ID: 3659984437-0
Opcode ID: 6a2b99e3a66d445235cbeb6ae27631a3038d73fb4110980a8511166327fee1f0
Instruction ID: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8
Opcode Fuzzy Hash: 82E0AB21B2AA28AAE0971541B01939130B3F74ED9ACC0A3626F8594BD92F253809E74F
Instruction Fuzzy Hash: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8

APIs

GetWindow.USER32(?,00000004), ref: 00445528
GetWindowThreadProcessId.USER32(?,?), ref: 00445542
GetCurrentProcessId.KERNEL32(?,00000004), ref: 0044554E
IsWindowVisible.USER32(?), ref: 0044559E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B29C, Relevance: 6.1, APIs: 4, Instructions: 58 Total matches: 214window

Similarity

Total matches: 214
API ID: DeleteObject$GetIconInfoGetObject
String ID:
API String ID: 3019347292-0
Opcode ID: d6af2631bec08fa1cf173fc10c555d988242e386d2638a025981433367bbd086
Instruction ID: 7fbc048e39f9dd6e6db5f40543e5f161b145f4c2f282fe4a446dbd8e1941d375
Opcode Fuzzy Hash: F7D0C283228DE2F7ED767D983A636154085F782297C6423B00444730860A1E700C6A03
Instruction Fuzzy Hash: 7fbc048e39f9dd6e6db5f40543e5f161b145f4c2f282fe4a446dbd8e1941d375

APIs

GetIconInfo.USER32(?,?), ref: 0042B2BD
GetObjectA.GDI32(?,00000018,?), ref: 0042B2DE
DeleteObject.GDI32(?), ref: 0042B30A
DeleteObject.GDI32(?), ref: 0042B313

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00445334, Relevance: 6.1, APIs: 4, Instructions: 56 Total matches: 2678

Similarity

Total matches: 2678
API ID: EnumWindowsGetWindowGetWindowLongSetWindowPos
String ID:
API String ID: 1660305372-0
Opcode ID: c3d012854d63b95cd89c42a77d529bdce0f7c5ea0abc138a70ce1ca7fb0ed027
Instruction ID: 7947c1ee61b3a945b06f79495752ea495d4a1fb36974d9d540e15b721e8a8e8a
Opcode Fuzzy Hash: 65E07D89179DA114F52124400911F043342F3D731BD1ADF814246283E39B8522BBFB8C
Instruction Fuzzy Hash: 7947c1ee61b3a945b06f79495752ea495d4a1fb36974d9d540e15b721e8a8e8a

APIs

EnumWindows.USER32(Function_000452BC), ref: 0044535E
GetWindow.USER32(?,00000003), ref: 00445376
GetWindowLongA.USER32(00000000,000000EC), ref: 00445383
SetWindowPos.USER32(00000000,000000EC,00000000,00000000,00000000,00000000,00000213), ref: 004453C2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004314A0, Relevance: 6.1, APIs: 4, Instructions: 56 Total matches: 21memoryclipboard

Similarity

Total matches: 21
API ID: GlobalAllocGlobalLockGlobalUnlockSetClipboardData
String ID:
API String ID: 3535573752-0
Opcode ID: f0e50475fe096c382d27ee33e947bcf8d55d19edebb1ed8108c2663ee63934e9
Instruction ID: 2742e8ac83e55c90e50d408429e67af57535f67fab21309796ee5989aaacba5e
Opcode Fuzzy Hash: D7E0C250025CF01BF9CA69CD3C97E86D2D2DA402649D46FB58258A78B3222E6049E50B
Instruction Fuzzy Hash: 2742e8ac83e55c90e50d408429e67af57535f67fab21309796ee5989aaacba5e

APIs

GlobalAlloc.KERNEL32(00002002,?,00000000,00431572), ref: 004314CF
GlobalLock.KERNEL32(?,00000000,00431544,?,00002002,?,00000000,00431572), ref: 004314E9
SetClipboardData.USER32(?,?), ref: 00431517
GlobalUnlock.KERNEL32(?,0043153A,?,00000000,00431544,?,00002002,?,00000000,00431572), ref: 0043152D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040A404, Relevance: 6.1, APIs: 4, Instructions: 54 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: c8f11cb17e652d385e55d6399cfebc752614be738e382b5839b86fc73ea86396
Instruction ID: 2e292ce978d1af3d415e66e5b982e49a92b9d84a3d1479b7871fac408542b61b
Opcode Fuzzy Hash: 32D02B030B309613452F157D0441F8D7032488F01A96C2F8C37B77ABA68505605FFE4C
Instruction Fuzzy Hash: 2e292ce978d1af3d415e66e5b982e49a92b9d84a3d1479b7871fac408542b61b

APIs

FindNextFileA.KERNEL32(?,?), ref: 0040A415
GetLastError.KERNEL32(?,?), ref: 0040A41E
FileTimeToLocalFileTime.KERNEL32(?), ref: 0040A434
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 0040A443

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0041C2D4, Relevance: 6.1, APIs: 4, Instructions: 51 Total matches: 4966

Similarity

Total matches: 4966
API ID: FindResourceLoadResourceLockResourceSizeofResource
String ID:
API String ID: 3653323225-0
Opcode ID: 735dd83644160b8dcfdcb5d85422b4d269a070ba32dbf009b7750e227a354687
Instruction ID: 615d07274e164157e3e11310b2f920de543c2506028dc961f8b3aaf64374c2fd
Opcode Fuzzy Hash: 4BD0A90A2268C100582C2C80002BBC610830A5FE226CC27F902231BBC32C026024F8C4
Instruction Fuzzy Hash: 615d07274e164157e3e11310b2f920de543c2506028dc961f8b3aaf64374c2fd

APIs

FindResourceA.KERNEL32(?,?,?), ref: 0041C2EB
LoadResource.KERNEL32(?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C305
SizeofResource.KERNEL32(?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C31F
LockResource.KERNEL32(0041BDF4,00000000,?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000), ref: 0041C329

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040A3AC, Relevance: 6.0, APIs: 4, Instructions: 40 Total matches: 51time

Similarity

Total matches: 51
API ID: DosDateTimeToFileTimeGetLastErrorLocalFileTimeToFileTimeSetFileTime
String ID:
API String ID: 3095628216-0
Opcode ID: dc7fe683cb9960f76d0248ee31fd3249d04fe76d6d0b465a838fe0f3e66d3351
Instruction ID: c3399427300e97a0bf23ec08d7f996c3ab3c22a86554ee3675cd901d102723b3
Opcode Fuzzy Hash: F2C0803B165157D71F4F7D7C600375011F0D1778230955B614E019718D4E05F01EFD86
Instruction Fuzzy Hash: c3399427300e97a0bf23ec08d7f996c3ab3c22a86554ee3675cd901d102723b3

APIs

DosDateTimeToFileTime.KERNEL32(?,0048C37F,?), ref: 0040A3C9
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0040A3DA
SetFileTime.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3EC
GetLastError.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3F5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00484388, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 39

Similarity

Total matches: 39
API ID: CloseHandleGetExitCodeProcessOpenProcessTerminateProcess
String ID:
API String ID: 2790531620-0
Opcode ID: 2f64381cbc02908b23ac036d446d8aeed05bad4df5f4c3da9e72e60ace7043ae
Instruction ID: e830ae185e03603e72926048c7063e7464f7d8c572e36ef4319c937be7ad0c91
Opcode Fuzzy Hash: 5DC01285079EAB7B643571D825437E14084D5026CCB943B7185045F10B4B09B43DF053
Instruction Fuzzy Hash: e830ae185e03603e72926048c7063e7464f7d8c572e36ef4319c937be7ad0c91

APIs

OpenProcess.KERNEL32(00000001,00000000,00000000), ref: 00484393
GetExitCodeProcess.KERNEL32(00000000,?), ref: 004843B7
TerminateProcess.KERNEL32(00000000,?,00000000,004843E0,?,00000001,00000000,00000000), ref: 004843C4
CloseHandle.KERNEL32(00000000), ref: 004843DA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044E254, Relevance: 6.0, APIs: 4, Instructions: 37 Total matches: 5751thread

Similarity

Total matches: 5751
API ID: GetCurrentProcessIdGetPropGetWindowThreadProcessIdGlobalFindAtom
String ID:
API String ID: 142914623-0
Opcode ID: 055fee701d7a26f26194a738d8cffb303ddbdfec43439e02886190190dab2487
Instruction ID: e9689aead5eaf442059aa2d418bca5d111d08576717f72d926dd49825766799b
Opcode Fuzzy Hash: 0AC02203AD2E23870E4202F2E840907219583DF8720CA370201B0E38C023F0461DFF0C
Instruction Fuzzy Hash: e9689aead5eaf442059aa2d418bca5d111d08576717f72d926dd49825766799b

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 0044E261
GetCurrentProcessId.KERNEL32(00000000,?,?,-00000010,00000000,0044E2CC,-000000F7,?,00000000,0044DE86,?,-00000010,?), ref: 0044E26A
GlobalFindAtomA.KERNEL32(00000000), ref: 0044E27F
GetPropA.USER32(00000000,00000000), ref: 0044E296

Part of subcall function 0044D2C0: GetWindowThreadProcessId.USER32(?), ref: 0044D2C6
Part of subcall function 0044D2C0: GetCurrentProcessId.KERNEL32(?,?,?,?,0044D346,?,00000000,?,004387ED,?,004378A9), ref: 0044D2CF
Part of subcall function 0044D2C0: SendMessageA.USER32(?,0000C1C7,00000000,00000000), ref: 0044D2E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444B1C, Relevance: 6.0, APIs: 4, Instructions: 34 Total matches: 2966thread

Similarity

Total matches: 2966
API ID: CreateEventCreateThreadGetCurrentThreadIdSetWindowsHookEx
String ID:
API String ID: 2240124278-0
Opcode ID: 54442a1563c67a11f9aee4190ed64b51599c5b098d388fde65e2e60bb6332aef
Instruction ID: 25b62da08cecef26c395931cea73ffe9b62582a88be241cbb158b3c9ea13de32
Opcode Fuzzy Hash: 37D0C940B0DE75C4F860630138017A90633234BF1BCD1C316480F76041C6CFAEF07A28
Instruction Fuzzy Hash: 25b62da08cecef26c395931cea73ffe9b62582a88be241cbb158b3c9ea13de32

APIs

GetCurrentThreadId.KERNEL32(?,00447A69,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00444B34
SetWindowsHookExA.USER32(00000003,00444AD8,00000000,00000000), ref: 00444B44
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00447A69,?,?,?,?,?,?,?,?,?,?), ref: 00444B5F
CreateThread.KERNEL32(00000000,000003E8,00444A7C,00000000,00000000), ref: 00444B83

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B438, Relevance: 6.0, APIs: 4, Instructions: 29 Total matches: 789

Similarity

Total matches: 789
API ID: GetDCGetTextMetricsReleaseDCSelectObject
String ID:
API String ID: 1769665799-0
Opcode ID: db772d9cc67723a7a89e04e615052b16571c955da3e3b2639a45f22e65d23681
Instruction ID: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3
Opcode Fuzzy Hash: DCC02B935A2888C32DE51FC0940084317C8C0E3A248C62212E13D400727F0C007CBFC0
Instruction Fuzzy Hash: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3

APIs

GetDC.USER32(00000000), ref: 0042B441
SelectObject.GDI32(00000000,018A002E), ref: 0042B453
GetTextMetricsA.GDI32(00000000), ref: 0042B45E
ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042473C, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 172 Total matches: 108

Similarity

Total matches: 108
API ID: CompareStringCreateFontIndirect
String ID: Default
API String ID: 480662435-753088835
Opcode ID: 55710f22f10b58c86f866be5b7f1af69a0ec313069c5af8c9f5cd005ee0f43f8
Instruction ID: ad4a051fb67a15694052d05548e5e2a92b9daedfa5d673be67c756d1cf269a99
Opcode Fuzzy Hash: F6116A2104DDB067F8B3EC94B64A74A79D1BBC5E9EC00FB303AA57198A0B01500EEB0E
Instruction Fuzzy Hash: ad4a051fb67a15694052d05548e5e2a92b9daedfa5d673be67c756d1cf269a99

APIs

Part of subcall function 00423A1C: EnterCriticalSection.KERNEL32(?,00423A59), ref: 00423A20

CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,00424930,?,00000000,00424958), ref: 0042486B
CreateFontIndirectA.GDI32(?), ref: 0042490D

Part of subcall function 0042B438: GetDC.USER32(00000000), ref: 0042B441
Part of subcall function 0042B438: SelectObject.GDI32(00000000,018A002E), ref: 0042B453
Part of subcall function 0042B438: GetTextMetricsA.GDI32(00000000), ref: 0042B45E
Part of subcall function 0042B438: ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Part of subcall function 00423A28: LeaveCriticalSection.KERNEL32(-00000008,00423B07,00423B0F), ref: 00423A2C

Strings

Default, xrefs: 00424832, 00424840, 00424841

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045E7B4, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108 Total matches: 16

Similarity

Total matches: 16
API ID: GetActiveObject
String ID: E
API String ID: 888827201-3568589458
Opcode ID: 40ff121eecf195b3d4325bc1369df9dba976ca9c7c575cd6fc43b4b0f55e6955
Instruction ID: ab5b10c220aec983b32735e40d91a884d9f08e665b5304ccd80c3bfe0421d5f3
Opcode Fuzzy Hash: 13019E441FFC9152E583688426C3F4932B26B4FB4AD88B7271A77636A99905000FEE66
Instruction Fuzzy Hash: ab5b10c220aec983b32735e40d91a884d9f08e665b5304ccd80c3bfe0421d5f3

APIs

GetActiveObject.OLEAUT32(?,00000000,00000000), ref: 0045E817

Part of subcall function 0042BE18: ProgIDFromCLSID.OLE32(?), ref: 0042BE21
Part of subcall function 0042BE18: CoTaskMemFree.OLE32(00000000), ref: 0042BE39

Part of subcall function 0042BD90: StringFromCLSID.OLE32(?), ref: 0042BD99
Part of subcall function 0042BD90: CoTaskMemFree.OLE32(00000000), ref: 0042BDB1

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetActiveObject.OLEAUT32(?,00000000,00000000), ref: 0045E89E

Part of subcall function 0042BF5C: GetComputerNameA.KERNEL32(?,00000010), ref: 0042C00D
Part of subcall function 0042BF5C: CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,?,00000000,0042C0FD), ref: 0042C07D
Part of subcall function 0042BF5C: CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 0042C0B6

Part of subcall function 00405D28: SysFreeString.OLEAUT32(7942540A), ref: 00405D36

Part of subcall function 0042BE44: CoCreateInstance.OLE32(?,00000000,00000005,0042BF34,00000000), ref: 0042BE8B

Strings

E, xrefs: 0045E85F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E3F0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103 Total matches: 30

Similarity

Total matches: 30
API ID: SHGetPathFromIDListSHGetSpecialFolderLocation
String ID: .LNK
API String ID: 739551631-2547878182
Opcode ID: 6b91e9416f314731ca35917c4d41f2341f1eaddd7b94683245f35c4551080332
Instruction ID: e6ae6f63a256f5e8788dfe1c4fce17057cd352befa637d7beb5ae1c0f18a968e
Opcode Fuzzy Hash: 9701B543079EC2A3D9232E512D43BA60129AF11E22F4C77F35A3C3A7D11E500105FA4A
Instruction Fuzzy Hash: e6ae6f63a256f5e8788dfe1c4fce17057cd352befa637d7beb5ae1c0f18a968e

APIs

SHGetSpecialFolderLocation.SHELL32(00000000,00000010,?), ref: 0046E44B
SHGetPathFromIDListA.SHELL32(?,?,00000000,00000010,?,00000000,0046E55E), ref: 0046E463

Part of subcall function 0042BE44: CoCreateInstance.OLE32(?,00000000,00000005,0042BF34,00000000), ref: 0042BE8B

Strings

.LNK, xrefs: 0046E4DE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00472C70, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 98 Total matches: 26

Similarity

Total matches: 26
API ID: SetFileAttributes
String ID: I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!$drivers\etc\hosts
API String ID: 3201317690-57959411
Opcode ID: de1fcf5289fd0d37c0d7642ff538b0d3acf26fbf7f5b53187118226b7e9f9585
Instruction ID: 1f69c6cfd5524e6f1e55c33e322de11738733e7ba85079705839c212502733fc
Opcode Fuzzy Hash: C4012B430F74D723D5173D857800B8922764B4A179D4A77F34B3B796E14E45101BF26D
Instruction Fuzzy Hash: 1f69c6cfd5524e6f1e55c33e322de11738733e7ba85079705839c212502733fc

APIs

Part of subcall function 004719C8: GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 004719DF

SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00472DAB,?,00000000,00472DE7), ref: 00472D16

Strings

drivers\etc\hosts, xrefs: 00472CD3, 00472D00
I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!, xrefs: 00472D8D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004629C0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 91 Total matches: 35com

Similarity

Total matches: 35
API ID: CoCreateInstance
String ID: <*I$L*I
API String ID: 206711758-935359969
Opcode ID: 926ebed84de1c4f5a0cff4f8c2e2da7e6b2741b3f47b898da21fef629141a3d9
Instruction ID: fa8d7291222113e0245fa84df17397d490cbd8a09a55d837a8cb9fde22732a4b
Opcode Fuzzy Hash: 79F02EA00A6B5057F502728428413DB0157E74BF09F48EB715253335860F29E22A6903
Instruction Fuzzy Hash: fa8d7291222113e0245fa84df17397d490cbd8a09a55d837a8cb9fde22732a4b

APIs

CoCreateInstance.OLE32(00492A3C,00000000,00000001,0049299C,00000000), ref: 00462A3F

Strings

<*I, xrefs: 00462A39
L*I, xrefs: 00462A60

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004658F4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91 Total matches: 91memory

Similarity

Total matches: 91
API ID: VirtualFreeVirtualProtect
String ID: FinalizeSections: VirtualProtect failed
API String ID: 636303360-3584865983
Opcode ID: eacfc3cf263d000af2bbea4d1e95e0ccf08e91c00f24ffdf9b55ce997f25413f
Instruction ID: a25c5a888a9fda5817e5b780509016ca40cf7ffd1ade20052d4c48f0177e32df
Opcode Fuzzy Hash: 8CF0A7A2164FC596D9E4360D5003B96A44B6BC1369D4857412FFF106F35E46A06B7D4C
Instruction Fuzzy Hash: a25c5a888a9fda5817e5b780509016ca40cf7ffd1ade20052d4c48f0177e32df

APIs

VirtualFree.KERNEL32(?,?,00004000), ref: 00465939
VirtualProtect.KERNEL32(?,?,00000000,?), ref: 004659A5

Strings

FinalizeSections: VirtualProtect failed, xrefs: 004659B3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00404B2E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83 Total matches: 27

Similarity

Total matches: 27
API ID: UnhandledExceptionFilter
String ID: @
API String ID: 324268079-2726393805
Opcode ID: 404135c81fb2f5f5ca58f8e75217e0a603ea6e07d48b6f32e279dfa7f56b0152
Instruction ID: c84c814e983b35b1fb5dae0ae7b91a26e19a660e9c4fa24becd8f1ddc27af483
Opcode Fuzzy Hash: CDF0246287E8612AD0BB6641389337E1451EF8189DC88DB307C9A306FB1A4D22A4F34C
Instruction Fuzzy Hash: c84c814e983b35b1fb5dae0ae7b91a26e19a660e9c4fa24becd8f1ddc27af483

APIs

UnhandledExceptionFilter.KERNEL32(00000006), ref: 00404B9A
UnhandledExceptionFilter.KERNEL32(?), ref: 00404BD7

Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00000000,00403029), ref: 004076AD
Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00403029), ref: 004076BE

Strings

@, xrefs: 00404B55

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040C028, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79 Total matches: 3032thread

Similarity

Total matches: 3032
API ID: GetDateFormatGetThreadLocale
String ID: yyyy
API String ID: 358233383-3145165042
Opcode ID: a9ef5bbd8ef47e5bcae7fadb254d6b5dc10943448e4061dc92b10bb97dc7929c
Instruction ID: 3d7ab4add3e8180159f8482215856afc9a1a963464e366b4ca05c92ac214afea
Opcode Fuzzy Hash: 09F09E4A0397D3D76802C969D023BC10194EB5A8B2C88B3B1DBB43D7F74C10C40AAF21
Instruction Fuzzy Hash: 3d7ab4add3e8180159f8482215856afc9a1a963464e366b4ca05c92ac214afea

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,0040C116), ref: 0040C0AE
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100), ref: 0040C0B4

Strings

yyyy, xrefs: 0040C089

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004889F0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 72 Total matches: 20

Similarity

Total matches: 20
API ID: GetMonitorInfo
String ID: H$MONSIZE
API String ID: 2399315694-578782711
Opcode ID: fcbd22419a9fe211802b34775feeb9b9cd5c1eab3f2b681a58b96c928ed20dcd
Instruction ID: 58dff39716ab95f400833e95f8353658d64ab2bf0589c4ada55bb24297febcec
Opcode Fuzzy Hash: A0F0E957075E9D5BE7326D883C177C042D82342C5AE8EB75741B9329B20D59511DF3C9
Instruction Fuzzy Hash: 58dff39716ab95f400833e95f8353658d64ab2bf0589c4ada55bb24297febcec

APIs

GetMonitorInfoA.USER32(?,00000048), ref: 00488A28

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

H, xrefs: 00488A19
MONSIZE, xrefs: 00488A65

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486210, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66 Total matches: 14network

Similarity

Total matches: 14
API ID: recvsend
String ID: EndReceive
API String ID: 740075404-1723565878
Opcode ID: 0642aeb2bf09005660d41f125a1d03baad4e76b78f36ec5b7dd5d239cf09d5cc
Instruction ID: 216cfea4cb83c20b808547ecb65d31b60c96cf6878345f9c489041ca4988cdb5
Opcode Fuzzy Hash: 4FE02B06133A455DE6270580341A3C7F947772B705E47D7F14FA4311DACA43322AE70B
Instruction Fuzzy Hash: 216cfea4cb83c20b808547ecb65d31b60c96cf6878345f9c489041ca4988cdb5

APIs

Part of subcall function 00466470: acmStreamConvert.MSACM32(?,00000108,00000000), ref: 004664AB
Part of subcall function 00466470: acmStreamReset.MSACM32(?,00000000,?,00000108,00000000), ref: 004664B9

send.WSOCK32(00000000,0049A3A0,00000000,00000000), ref: 004862AA
recv.WSOCK32(00000000,0049A3A0,00001FFF,00000000,00000000,0049A3A0,00000000,00000000), ref: 004862C1

Part of subcall function 00475F68: send.WSOCK32(?,00000000,?,00000000,00000000,00475FCA), ref: 00475FAF

Strings

EndReceive, xrefs: 004862CA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004843EC, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52 Total matches: 15

Similarity

Total matches: 15
API ID: CloseHandleOpenProcess
String ID: ACCESS DENIED (x64)
API String ID: 39102293-185273294
Opcode ID: a572bc7c6731d9d91b92c5675ac9d9d4c0009ce4d4d6c6579680fd2629dc7de7
Instruction ID: 96dec37c68e2c881eb92ad81010518019459718a977f0d9739e81baf42475d3b
Opcode Fuzzy Hash: EBE072420B68F08FB4738298640028100C6AE862BCC486BB5523B391DB4E49A008B6A3
Instruction Fuzzy Hash: 96dec37c68e2c881eb92ad81010518019459718a977f0d9739e81baf42475d3b

APIs

OpenProcess.KERNEL32(001F0FFF,00000000), ref: 0048440F
CloseHandle.KERNEL32(00000000), ref: 00484475

Strings

ACCESS DENIED (x64), xrefs: 004843FD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E408, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44 Total matches: 2190

Similarity

Total matches: 2190
API ID: GetSystemMetrics
String ID: MonitorFromPoint
API String ID: 96882338-1072306578
Opcode ID: 666203dad349f535e62b1e5569e849ebaf95d902ba2aa8f549115cec9aadc9dc
Instruction ID: 9e90a3aeaa9df0e76633c437836624889fea8714b6c2508f44f8acb6986c90e8
Opcode Fuzzy Hash: 72D09540005C404E9427F505302314050862CD7C1444C0A96073728A4B4BC07837E70C
Instruction Fuzzy Hash: 9e90a3aeaa9df0e76633c437836624889fea8714b6c2508f44f8acb6986c90e8

APIs

GetSystemMetrics.USER32(00000000), ref: 0042E456
GetSystemMetrics.USER32(00000001), ref: 0042E468

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

MonitorFromPoint, xrefs: 0042E41A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00405026, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43 Total matches: 29

Similarity

Total matches: 29
API ID: UnhandledExceptionFilter
String ID: @$@
API String ID: 324268079-1993891284
Opcode ID: 08651bee2e51f7c203f2bcbc4971cbf38b3c12a2f284cd033f2f36121a1f9316
Instruction ID: 09869fe21a55f28103c5e2f74b220912f521d4c5ca74f0421fb5e508a020f7c0
Opcode Fuzzy Hash: 83E0CD9917D5514BE0755684259671E1051EF05825C4A8F316D173C1FB151A11E4F77C
Instruction Fuzzy Hash: 09869fe21a55f28103c5e2f74b220912f521d4c5ca74f0421fb5e508a020f7c0

APIs

UnhandledExceptionFilter.KERNEL32(00000006), ref: 00405047

Strings

@, xrefs: 00405080
@, xrefs: 004050A2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004319C4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43 Total matches: 10clipboard

Similarity

Total matches: 10
API ID: EnumClipboardFormats
String ID: 84B
API String ID: 3596886676-4139892337
Opcode ID: b1462d8625ddb51b2d31736c791a41412de0acc99cd040f5562c49b894f36a34
Instruction ID: 9fe3e5fa4cb89e8a0f94f97538fc14217740b2e6ec0d3bb9a3290716fcbe2ff9
Opcode Fuzzy Hash: 96D0A79223ECD863E9EC2359145BD47254F08D22554440B315E1B6DA13E520181FF58F
Instruction Fuzzy Hash: 9fe3e5fa4cb89e8a0f94f97538fc14217740b2e6ec0d3bb9a3290716fcbe2ff9

APIs

EnumClipboardFormats.USER32(00000000), ref: 004319E8
EnumClipboardFormats.USER32(00000000), ref: 00431A0E

Strings

84B, xrefs: 004319F6

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00422188, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42 Total matches: 16registry

Similarity

Total matches: 16
API ID: RegSetValueEx
String ID: NoControlPanel$tdA
API String ID: 3711155140-1355984343
Opcode ID: 5e8bf8497a5466fff8bc5eb4e146d5dc6a0602752481f5dd4d5504146fb4de3d
Instruction ID: cdf02c1bfc0658aace9b7e9a135c824c3cff313d703079df6a374eed0d2e646e
Opcode Fuzzy Hash: E2D0A75C074881C524D914CC3111E01228593157AA49C3F52875D627F70E00E038DD1E
Instruction Fuzzy Hash: cdf02c1bfc0658aace9b7e9a135c824c3cff313d703079df6a374eed0d2e646e

APIs

RegSetValueExA.ADVAPI32(?,00000000,00000000,00000000,?,?,004724E0,00000000,004724E0), ref: 004221BA

Strings

NoControlPanel, xrefs: 00422188
tdA, xrefs: 004221D0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E258, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39 Total matches: 3131

Similarity

Total matches: 3131
API ID: GetSystemMetrics
String ID: GetSystemMetrics
API String ID: 96882338-96882338
Opcode ID: bbc54e4b5041dfa08de2230ef90e8f32e1264c6e24ec09b97715d86cc98d23e9
Instruction ID: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c
Opcode Fuzzy Hash: B4D0A941986AA908E0AF511971A336358D163D2EA0C8C8362308B329EB5741B520AB01
Instruction Fuzzy Hash: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c

APIs

GetSystemMetrics.USER32(?), ref: 0042E2BA

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

GetSystemMetrics.USER32(?), ref: 0042E280

Strings

GetSystemMetrics, xrefs: 0042E268

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Process Name: hmGCd1FvDh.exe Analysis ID: 39043

General

Root Process Name:	regdrv.exe
Process MD5:	87265F45CFC51559590AF14E011970C2
Total matches:	199
Initial Analysis Report:	Open
Initial sample Analysis ID:	39043
Initial sample SHA 256:	CA70E2A04F480AD962886CCAB3957268850C2F92409747DE4CC42823E1CB926E
Initial sample name:	hmGCd1FvDh.exe

Similar Executed Functions

Function 004818F8, Relevance: 49.2, APIs: 10, Strings: 18, Instructions: 236 Total matches: 18keyboard

Similarity

Total matches: 18
API ID: GetKeyState$CallNextHookEx$GetKeyboardStateMapVirtualKeyToAscii
String ID: [<-]$[DEL]$[DOWN]$[ESC]$[F1]$[F2]$[F3]$[F4]$[F5]$[F6]$[F7]$[F8]$[INS]$[LEFT]$[NUM_LOCK]$[RIGHT]$[SNAPSHOT]$[UP]
API String ID: 2409940449-52828794
Opcode ID: b9566e8c43a4051c07ac84d60916a303a7beb698efc358184a9cd4bc7b664fbd
Instruction ID: 41c13876561f3d94aafb9dcaf6d0e9d475a0720bb5103e60537e1bfe84b96b73
Opcode Fuzzy Hash: 0731B68AA7159623D437E2D97101B910227BF975D0CC1A3333EDA3CAE99E900114BF25
Instruction Fuzzy Hash: 41c13876561f3d94aafb9dcaf6d0e9d475a0720bb5103e60537e1bfe84b96b73

APIs

CallNextHookEx.USER32(000601F9,00000000,?,?), ref: 00481948

Part of subcall function 004818E0: MapVirtualKeyA.USER32(00000000,00000000), ref: 004818E6

CallNextHookEx.USER32(000601F9,00000000,00000100,?), ref: 0048198C
GetKeyState.USER32(00000014), ref: 00481C4E
GetKeyState.USER32(00000011), ref: 00481C60
GetKeyState.USER32(000000A0), ref: 00481C75
GetKeyState.USER32(000000A1), ref: 00481C8A
GetKeyboardState.USER32(?), ref: 00481CA5
MapVirtualKeyA.USER32(00000000,00000000), ref: 00481CD7
ToAscii.USER32(00000000,00000000,00000000,00000000,?), ref: 00481CDE

Part of subcall function 00481318: ExitThread.KERNEL32(00000000,00000000,00481687,?,00000000,004816C3,?,?,?,?,0000000C,00000000,00000000), ref: 0048135E
Part of subcall function 00481318: CreateThread.KERNEL32(00000000,00000000,Function_000810D4,00000000,00000000,00499F94), ref: 0048162D

CallNextHookEx.USER32(000601F9,00000000,?,?), ref: 00481D3C

Strings

[LEFT], xrefs: 00481C07
[F3], xrefs: 00481B65
[DOWN], xrefs: 00481C2B
[<-], xrefs: 00481B1D
[NUM_LOCK], xrefs: 00481B2F
[RIGHT], xrefs: 00481C19
[F7], xrefs: 00481BAD
[DEL], xrefs: 00481BD1
[UP], xrefs: 00481C3D
[F4], xrefs: 00481B77
[ESC], xrefs: 00481AE7
[F8], xrefs: 00481BBF
[F5], xrefs: 00481B89
[F1], xrefs: 00481B41
[INS], xrefs: 00481BE3
[F6], xrefs: 00481B9B
[SNAPSHOT], xrefs: 00481BF5
[F2], xrefs: 00481B53

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00406C2C, Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184 Total matches: 2899registrystringlibrary

Similarity

Total matches: 2899
API ID: lstrcpyn$LoadLibraryExRegOpenKeyEx$RegQueryValueEx$GetLocaleInfoGetModuleFileNameGetThreadLocaleRegCloseKeylstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 3567661987-2375825460
Opcode ID: a3b1251d448c01bd6f1cc1c42774547fa8a2e6c4aa6bafad0bbf1d0ca6416942
Instruction ID: a303aaa8438224c55303324eb01105260f59544aa3820bfcbc018d52edb30607
Opcode Fuzzy Hash: 7311914307969393E8871B6124157D513A5AF01F30E4A7BF275F0206EABE46110CFA06
Instruction Fuzzy Hash: a303aaa8438224c55303324eb01105260f59544aa3820bfcbc018d52edb30607

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,00400000,004917C0), ref: 00406C48
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,004917C0), ref: 00406C66
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,004917C0), ref: 00406C84
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00406CA2

Part of subcall function 00406A68: GetModuleHandleA.KERNEL32(kernel32.dll,?,00400000,004917C0), ref: 00406A85
Part of subcall function 00406A68: GetProcAddress.KERNEL32(?,GetLongPathNameA,kernel32.dll,?,00400000,004917C0), ref: 00406A9C
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,?,00400000,004917C0), ref: 00406ACC
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B30
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B66
Part of subcall function 00406A68: FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B79
Part of subcall function 00406A68: FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B8B
Part of subcall function 00406A68: lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B97
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000), ref: 00406BCB
Part of subcall function 00406A68: lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00406BD7
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 00406BF9

RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,00406D31,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00406CEB
RegQueryValueExA.ADVAPI32(?,00406E98,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00406D31,?,80000001), ref: 00406D09
RegCloseKey.ADVAPI32(?,00406D38,00000000,?,?,00000000,00406D31,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00406D2B
lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00406D48
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00406D55
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00406D5B
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00406D86
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406DCD
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406DDD
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406E05
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406E15
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00406E3B
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 00406E4B

Strings

Software\Borland\Locales, xrefs: 00406C5C, 00406C7A
Software\Borland\Delphi\Locales, xrefs: 00406C98

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00406D38, Relevance: 15.1, APIs: 10, Instructions: 98 Total matches: 2843stringlibrarythread

Similarity

Total matches: 2843
API ID: lstrcpyn$LoadLibraryEx$GetLocaleInfoGetThreadLocalelstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 2476548892-2375825460
Opcode ID: 37afa4b59127376f4a6833a35b99071d0dffa887068a3353cca0b5e1e5cd2bc3
Instruction ID: 0c520f96d45b86b238466289d2a994e593252e78d5c30d2048b7af96496f657b
Opcode Fuzzy Hash: 4CF0C883479793A7E04B1B422916AC853A4AF00F30F577BE1B970147FE7D1B240CA519
Instruction Fuzzy Hash: 0c520f96d45b86b238466289d2a994e593252e78d5c30d2048b7af96496f657b

APIs

lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00406D48
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00406D55
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00406D5B
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00406D86
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406DCD
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406DDD
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406E05
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406E15
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00406E3B
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 00406E4B

Strings

Software\Borland\Locales, xrefs: 00406C5C, 00406C7A
Software\Borland\Delphi\Locales, xrefs: 00406C98

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AEA8, Relevance: 9.1, APIs: 6, Instructions: 108 Total matches: 122

Similarity

Total matches: 122
API ID: AdjustTokenPrivilegesCloseHandleGetCurrentProcessGetLastErrorLookupPrivilegeValueOpenProcessToken
String ID:
API String ID: 1655903152-0
Opcode ID: c92d68a2c1c5faafb4a28c396f292a277a37f0b40326d7f586547878ef495775
Instruction ID: 5a044237aac15a3989e4021d08b96f5326c338692d3d0e66e444868dbe789150
Opcode Fuzzy Hash: 2CF0468513CAB2E7F879B18C3042FE73458B323244C8437219A903A18E0E59A12CEB13
Instruction Fuzzy Hash: 5a044237aac15a3989e4021d08b96f5326c338692d3d0e66e444868dbe789150

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AEFF
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF05
LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000), ref: 0048AF77
CloseHandle.KERNEL32(?), ref: 0048AF8D
GetLastError.KERNEL32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF9A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DDE0, Relevance: 7.6, APIs: 5, Instructions: 54 Total matches: 153

Similarity

Total matches: 153
API ID: FindResourceFreeResourceLoadResourceLockResourceSizeofResource
String ID:
API String ID: 3885362348-0
Opcode ID: ef8b8e58cde3d28224df1e0c57da641ab2d3d01fa82feb3a30011b4f31433ee9
Instruction ID: 9990bafbf40e834a260b48e1f62370990a3e04654371271e90c167a58edff6a8
Opcode Fuzzy Hash: 08D02B420B5FA197F51656482C813D722876B43386EC42BF2D31A3B2E39F058039F60B
Instruction Fuzzy Hash: 9990bafbf40e834a260b48e1f62370990a3e04654371271e90c167a58edff6a8

APIs

FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 0048DE1A
LoadResource.KERNEL32(00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE24
SizeofResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE2E
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE36
FreeResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047EAEC, Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 149 Total matches: 19windowthread

Similarity

Total matches: 19
API ID: CreateThreadDispatchMessageGetMessageTranslateMessage
String ID: at $,xI$AI$AI$MPI$OFFLINEK$PWD$Unknow
API String ID: 994098336-2744674293
Opcode ID: 9eba81f8e67a9dabaeb5076a6d0005a8d272465a03f2cd78ec5fdf0e8a578f9a
Instruction ID: 2241c7d72abfc068c3e0d2a9a226d44f5f768712d3663902469fbf0e50918cf5
Opcode Fuzzy Hash: E81159DA27FED40AF533B93074417C781661B2B62CE5C53A24E3B38580DE83406A7F06
Instruction Fuzzy Hash: 2241c7d72abfc068c3e0d2a9a226d44f5f768712d3663902469fbf0e50918cf5

APIs

CreateThread.KERNEL32(00000000,00000000,00482028,00000000,00000000,00499F94), ref: 0047EB8D
GetMessageA.USER32(00499F5C,00000000,00000000,00000000), ref: 0047ECBF

Part of subcall function 0040BC98: GetLocalTime.KERNEL32(?), ref: 0040BCA0

Part of subcall function 0040BCC4: GetLocalTime.KERNEL32(?), ref: 0040BCCC

Part of subcall function 0041FA34: GetLastError.KERNEL32(00486514,00000004,0048650C,00000000,0041FADE,?,00499F5C), ref: 0041FA94

Part of subcall function 0041FC40: SetThreadPriority.KERNEL32(?,015CDB28,00499F5C,?,0047EC9E,?,?,?,00000000,00000000,?,0049062B), ref: 0041FC55

Part of subcall function 0041FEF0: ResumeThread.KERNEL32(?,00499F5C,?,0047ECAA,?,?,?,00000000,00000000,?,0049062B), ref: 0041FEF8

TranslateMessage.USER32(00499F5C), ref: 0047ECAD
DispatchMessageA.USER32(00499F5C), ref: 0047ECB3

Strings

OFFLINEK, xrefs: 0047EB61
,xI, xrefs: 0047EC45
AI, xrefs: 0047EB11, 0047EB3E
at , xrefs: 0047EC58
Unknow, xrefs: 0047EC0B
AI, xrefs: 0047EBFA, 0047EC04, 0047EC60
MPI, xrefs: 0047EB9D
PWD, xrefs: 0047EB26

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004458CC, Relevance: 19.9, APIs: 13, Instructions: 386 Total matches: 159window

Similarity

Total matches: 159
API ID: SetFocus$GetFocusIsWindowEnabledPostMessage$GetLastActivePopupIsWindowVisibleSendMessage
String ID:
API String ID: 914620548-0
Opcode ID: 7a550bb8e8bdfffe0a3d884064dd1348bcd58c670023c5df15e5d4cbc78359b7
Instruction ID: ae7cdb1027d949e36366800a998b34cbf022b374fa511ef6be9943eb0d4292bd
Opcode Fuzzy Hash: 79518B4165DF6212E8BB908076A3BE6604BF7C6B9ECC8DF3411D53649B3F44620EE306
Instruction Fuzzy Hash: ae7cdb1027d949e36366800a998b34cbf022b374fa511ef6be9943eb0d4292bd

APIs

Part of subcall function 00445780: SetThreadLocale.KERNEL32(00000400,?,?,?,0044593F,00000000,00445F57), ref: 004457A3

Part of subcall function 00445F90: SetActiveWindow.USER32(?), ref: 00445FB5
Part of subcall function 00445F90: IsWindowEnabled.USER32(00000000), ref: 00445FE1
Part of subcall function 00445F90: SetWindowPos.USER32(?,00000000,00000000,00000000,?,00000000,00000040), ref: 0044602B
Part of subcall function 00445F90: DefWindowProcA.USER32(?,00000112,0000F020,00000000), ref: 00446040

Part of subcall function 00446070: SetActiveWindow.USER32(?), ref: 0044608F
Part of subcall function 00446070: ShowWindow.USER32(00000000,00000009), ref: 004460B4
Part of subcall function 00446070: IsWindowEnabled.USER32(00000000), ref: 004460D3
Part of subcall function 00446070: DefWindowProcA.USER32(?,00000112,0000F120,00000000), ref: 004460EC
Part of subcall function 00446070: SetWindowPos.USER32(?,00000000,00000000,?,?,00445ABE,00000000), ref: 00446132
Part of subcall function 00446070: SetFocus.USER32(00000000), ref: 00446180

Part of subcall function 00445F74: LoadIconA.USER32(00000000,00007F00), ref: 00445F8A

PostMessageA.USER32(?,0000B001,00000000,00000000), ref: 00445BCD

Part of subcall function 00445490: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000213), ref: 004454DE

PostMessageA.USER32(?,0000B000,00000000,00000000), ref: 00445BAB
SendMessageA.USER32(?,?,?,?), ref: 00445C73

Part of subcall function 00405388: FreeLibrary.KERNEL32(00400000,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405410
Part of subcall function 00405388: ExitProcess.KERNEL32(00000000,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405448

Part of subcall function 0044641C: IsWindowEnabled.USER32(00000000), ref: 00446458

IsWindowEnabled.USER32(00000000), ref: 00445D18
IsWindowVisible.USER32(00000000), ref: 00445D2D
GetFocus.USER32 ref: 00445D41
SetFocus.USER32(00000000), ref: 00445D50
SetFocus.USER32(00000000), ref: 00445D6F
IsWindowEnabled.USER32(00000000), ref: 00445DD0
SetFocus.USER32(00000000), ref: 00445DF2
GetLastActivePopup.USER32(?), ref: 00445E0A

Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773

GetFocus.USER32 ref: 00445E4F

Part of subcall function 0043BA80: GetCurrentThreadId.KERNEL32(Function_0003BA1C,00000000,0044283C,00000000,004428BF), ref: 0043BA9A
Part of subcall function 0043BA80: EnumThreadWindows.USER32(00000000,Function_0003BA1C,00000000), ref: 0043BAA0

SetFocus.USER32(00000000), ref: 00445E70

Part of subcall function 00446A88: PostMessageA.USER32(?,0000B01F,00000000,00000000), ref: 00446BA1

Part of subcall function 004466B8: SendMessageA.USER32(?,0000B020,00000001,?), ref: 004466DC

Part of subcall function 0044665C: SendMessageA.USER32(?,0000B020,00000000,?), ref: 0044667E

Part of subcall function 0045D684: SystemParametersInfoA.USER32(00000068,00000000,015E3408,00000000), ref: 0045D6C8
Part of subcall function 0045D684: SendMessageA.USER32(?,?,00000000,00000000), ref: 0045D6DB

Part of subcall function 00445844: DefWindowProcA.USER32(?,?,?,?), ref: 0044586E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045DAE0, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 103 Total matches: 45registrylibraryloader

Similarity

Total matches: 45
API ID: GlobalAddAtom$GetCurrentProcessIdGetCurrentThreadIdGetModuleHandleGetProcAddressRegisterWindowMessage
String ID: AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$USER32
API String ID: 1182141063-1126952177
Opcode ID: f8c647dae10644b7e730f5649d963eb01b1b77fd7d0b633dfddc8baab0ae74fb
Instruction ID: 6dc9b78338348dc7afd8e3f20dad2926db9f0bd5be2625dc934bf3846c6fa984
Opcode Fuzzy Hash: ED0140552F89B147427255E03449BB534B6A707F4B4CA77531B0D3A1F9AE074025FB1E
Instruction Fuzzy Hash: 6dc9b78338348dc7afd8e3f20dad2926db9f0bd5be2625dc934bf3846c6fa984

APIs

GetCurrentProcessId.KERNEL32(?,00000000,0045DC58), ref: 0045DB01
GlobalAddAtomA.KERNEL32(00000000), ref: 0045DB34
GetCurrentThreadId.KERNEL32(?,?,00000000,0045DC58), ref: 0045DB4F
GlobalAddAtomA.KERNEL32(00000000), ref: 0045DB85
RegisterWindowMessageA.USER32(00000000,00000000,?,?,00000000,0045DC58), ref: 0045DB9B

Part of subcall function 00419AB0: InitializeCriticalSection.KERNEL32(004174C8,?,?,0045DBB1,00000000,00000000,?,?,00000000,0045DC58), ref: 00419ACF

Part of subcall function 0045D6E8: SetErrorMode.KERNEL32(00008000), ref: 0045D701
Part of subcall function 0045D6E8: GetModuleHandleA.KERNEL32(USER32,00000000,0045D84E,?,00008000), ref: 0045D725
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,WINNLSEnableIME,USER32,00000000,0045D84E,?,00008000), ref: 0045D732
Part of subcall function 0045D6E8: LoadLibraryA.KERNEL32(imm32.dll), ref: 0045D74E
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D770
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D785
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D79A
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7AF
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7C4
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E), ref: 0045D7D9
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000), ref: 0045D7EE
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext), ref: 0045D803
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext), ref: 0045D818
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmNotifyIME,00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus), ref: 0045D82D
Part of subcall function 0045D6E8: SetErrorMode.KERNEL32(?,0045D855,00008000), ref: 0045D848

Part of subcall function 00443B58: GetKeyboardLayout.USER32(00000000), ref: 00443B9D
Part of subcall function 00443B58: GetDC.USER32(00000000), ref: 00443BF2
Part of subcall function 00443B58: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00443BFC
Part of subcall function 00443B58: ReleaseDC.USER32(00000000,00000000), ref: 00443C07

Part of subcall function 00444D60: LoadIconA.USER32(00400000,MAINICON), ref: 00444E57
Part of subcall function 00444D60: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON), ref: 00444E89
Part of subcall function 00444D60: OemToCharA.USER32(?,?), ref: 00444E9C
Part of subcall function 00444D60: CharNextA.USER32(?), ref: 00444EDB
Part of subcall function 00444D60: CharLowerA.USER32(00000000), ref: 00444EE1

GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,?,00000000,0045DC58), ref: 0045DC1F
GetProcAddress.KERNEL32(00000000,AnimateWindow,USER32,00000000,00000000,?,?,00000000,0045DC58), ref: 0045DC30

Strings

Delphi%.8X, xrefs: 0045DB12
ControlOfs%.8X%.8X, xrefs: 0045DB63
AnimateWindow, xrefs: 0045DC2A
USER32, xrefs: 0045DC1A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00481318, Relevance: 16.0, APIs: 2, Strings: 7, Instructions: 241 Total matches: 16thread

Similarity

Total matches: 16
API ID: CreateThreadExitThread
String ID: Bytes ($,xI$:: $:: Clipboard Change : size = $FTPSIZE$FTPUPLOADK$dclogs\
API String ID: 3550501405-4171340091
Opcode ID: 09ac825b311b0dae764bb850de313dcff2ce8638679eaf641d47129c8347c1b6
Instruction ID: 18a29a8180aa3c51a0af157095e3a2943ba53103427a66675ab0ae847ae08d92
Opcode Fuzzy Hash: A8315BC70B99DEDBE522BCD838413A6446E1B4364DD4C1B224B397D4F14F09203AF712
Instruction Fuzzy Hash: 18a29a8180aa3c51a0af157095e3a2943ba53103427a66675ab0ae847ae08d92

APIs

ExitThread.KERNEL32(00000000,00000000,00481687,?,00000000,004816C3,?,?,?,?,0000000C,00000000,00000000), ref: 0048135E

Part of subcall function 00480F70: GetForegroundWindow.USER32 ref: 00480F8F
Part of subcall function 00480F70: GetWindowTextLengthA.USER32(00000000), ref: 00480F9B
Part of subcall function 00480F70: GetWindowTextA.USER32(00000000,00000000,00000001), ref: 00480FB8

Part of subcall function 0048ADCC: SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0048ADF9
Part of subcall function 0048ADCC: SHGetPathFromIDListA.SHELL32(?,?,00000000,0048AE8C,?,?,00000005,?,004856FD,00000000,00485755,?,?,00000005,00000000,00000000), ref: 0048AE09

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

Part of subcall function 0040BCC4: GetLocalTime.KERNEL32(?), ref: 0040BCCC

Part of subcall function 00480FEC: FindFirstFileA.KERNEL32(00000000,?,00000000,0048109E), ref: 0048101E

CreateThread.KERNEL32(00000000,00000000,Function_000810D4,00000000,00000000,00499F94), ref: 0048162D

Strings

FTPUPLOADK, xrefs: 0048159E
,xI, xrefs: 00481482, 0048151D
dclogs\, xrefs: 004813DB, 0048142A, 004815C7
FTPSIZE, xrefs: 004815F1
:: , xrefs: 00481492
Bytes (, xrefs: 0048153F
:: Clipboard Change : size = , xrefs: 0048152D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048B908, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 138 Total matches: 28

Similarity

Total matches: 28
API ID: GetTokenInformation$CloseHandleGetCurrentProcessOpenProcessToken
String ID: Default$Full$Limited$unknow
API String ID: 3519712506-3005279702
Opcode ID: c9e83fe5ef618880897256b557ce500f1bf5ac68e7136ff2dc4328b35d11ffd0
Instruction ID: 0b4c06dab34d27ad9d68d80be0f4d698db9405c4a95def130c1ac261927f5781
Opcode Fuzzy Hash: 94012245479DA6FB6826709C78036E90090EEA3505DC827320F1A3EA430F49906DFE03
Instruction Fuzzy Hash: 0b4c06dab34d27ad9d68d80be0f4d698db9405c4a95def130c1ac261927f5781

APIs

GetCurrentProcess.KERNEL32(00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B93E
OpenProcessToken.ADVAPI32(00000000,00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B944
GetTokenInformation.ADVAPI32(?,00000012(TokenIntegrityLevel),?,00000004,?,00000000,0048BA30,?,00000000,00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B96F
GetTokenInformation.ADVAPI32(?,00000014(TokenIntegrityLevel),?,00000004,?,?,TokenIntegrityLevel,?,00000004,?,00000000,0048BA30,?,00000000,00000008,?), ref: 0048B9DF
CloseHandle.KERNEL32(?), ref: 0048BA2A

Strings

unknow, xrefs: 0048B9B6
Limited, xrefs: 0048B9A7
Default, xrefs: 0048B989
Full, xrefs: 0048B998

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004035C4, Relevance: 15.1, APIs: 10, Instructions: 129 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: d538ecb20819965be69077a828496b76d5af3486dd71f6717b9dc933de35fdbc
Instruction ID: c976212507a0127e09b4f1878ff8970bdbefa7b4a5e526d5fabf74a192684bc9
Opcode Fuzzy Hash: DD012BC0B7E89268E42FAB84AA00FD25444979FFC9E70C74433C9615EE6742616CBE09
Instruction Fuzzy Hash: c976212507a0127e09b4f1878ff8970bdbefa7b4a5e526d5fabf74a192684bc9

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040364C
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00403670
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040368C
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 004036AD
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 004036D6
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 004036E4
GetStdHandle.KERNEL32(000000F5), ref: 0040371F
GetFileType.KERNEL32 ref: 00403735
CloseHandle.KERNEL32 ref: 00403750
GetLastError.KERNEL32(000000F5), ref: 00403768

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040EBCC, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201 Total matches: 3634thread

Similarity

Total matches: 3634
API ID: GetThreadLocale
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 1366207816-2493093252
Opcode ID: 01a36ac411dc2f0c4b9eddfafa1dc6121dabec367388c2cb1b6e664117e908cf
Instruction ID: d03f869ccb848d3c28b0e9f5c57a02ed4726818649ba9b5e70cc30c7e7abe10a
Opcode Fuzzy Hash: 7E216E09A7888936D262494C3885B9414F75F1A161EC4CBF18BB2757ED6EC60422FBFB
Instruction Fuzzy Hash: d03f869ccb848d3c28b0e9f5c57a02ed4726818649ba9b5e70cc30c7e7abe10a

APIs

Part of subcall function 0040EB08: GetThreadLocale.KERNEL32 ref: 0040EB2A
Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000004A), ref: 0040EB7D
Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000002A), ref: 0040EB8C

Part of subcall function 0040D3E8: GetThreadLocale.KERNEL32(00000000,0040D4FB,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040D404

GetThreadLocale.KERNEL32(00000000,0040EE97,?,?,00000000,00000000), ref: 0040EC02

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Part of subcall function 0040D380: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040EC7E,00000000,0040EE97,?,?,00000000,00000000), ref: 0040D393

Part of subcall function 0040D670: GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(?,00000000,0040D657,?,?,00000000), ref: 0040D5D8
Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040D657,?,?,00000000), ref: 0040D608
Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D50C,00000000,00000000,00000004), ref: 0040D613
Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040D657,?,?,00000000), ref: 0040D631
Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D548,00000000,00000000,00000003), ref: 0040D63C

Strings

AMPM , xrefs: 0040EE25
mmmm d, yyyy, xrefs: 0040ECFE
m/d/yy, xrefs: 0040ECD1
:mm, xrefs: 0040EE35
:mm:ss, xrefs: 0040EE52
AMPM, xrefs: 0040EE16

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045F5F8, Relevance: 10.6, APIs: 7, Instructions: 117 Total matches: 462file

Similarity

Total matches: 462
API ID: CloseHandle$CreateFileCreateFileMappingGetFileSizeMapViewOfFileUnmapViewOfFile
String ID:
API String ID: 4232242029-0
Opcode ID: 30b260463d44c6b5450ee73c488d4c98762007a87f67d167b52aaf6bd441c3bf
Instruction ID: 5c790fdba87d6d3a28b45298bdc34f72c373fcd78425af207109af52e92f4d8f
Opcode Fuzzy Hash: 68F028440BCCF3A7F4B5B64820427A1004AAB46B58D54BFA25495374CB89C9B04DFB53
Instruction Fuzzy Hash: 5c790fdba87d6d3a28b45298bdc34f72c373fcd78425af207109af52e92f4d8f

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateFileA.KERNEL32(00000000,80000000,00000003,00000000,00000003,08000080,00000000), ref: 0045F637
CreateFileMappingA.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0045F665
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718,?,?,?,?), ref: 0045F691
GetFileSize.KERNEL32(000000FF,00000000,00000000,0045F6DC,?,00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718), ref: 0045F6B3
UnmapViewOfFile.KERNEL32(00000000,0045F6E3,0045F6DC,?,00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718), ref: 0045F6D6
CloseHandle.KERNEL32(00000000), ref: 0045F6F4
CloseHandle.KERNEL32(000000FF), ref: 0045F712

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AFE8, Relevance: 10.6, APIs: 7, Instructions: 94 Total matches: 34sleep

Similarity

Total matches: 34
API ID: Sleep$GetCurrentProcessGetTokenInformationLookupPrivilegeDisplayNameLookupPrivilegeNameOpenProcessToken
String ID:
API String ID: 2949210484-0
Opcode ID: 1294ace95088db967643d611283e857756515b83d680ef470e886f47612abab4
Instruction ID: 080af5cb768fd98714a9d060fcd45c73de1816ca9ba7ffb4874f351f539571ee
Opcode Fuzzy Hash: F9F0F6524B5DE753F65D2A4C9893BE90250DB03424E806B22857877A8A5E195039FA2A
Instruction Fuzzy Hash: 080af5cb768fd98714a9d060fcd45c73de1816ca9ba7ffb4874f351f539571ee

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048B0F3), ref: 0048B016
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048B0F3), ref: 0048B01C
Sleep.KERNEL32(00000001,00000000,00000028,?,00000000,0048B0F3), ref: 0048B027
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B03C
Sleep.KERNEL32(00000001,?,TokenIntegrityLevel,00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B047
LookupPrivilegeNameA.ADVAPI32(00000000,00000004,00000000,000000FF), ref: 0048B094
LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,?,000000FF,?), ref: 0048B0A8

Part of subcall function 0048AEA8: GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AEFF
Part of subcall function 0048AEA8: OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF05
Part of subcall function 0048AEA8: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
Part of subcall function 0048AEA8: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000), ref: 0048AF77
Part of subcall function 0048AEA8: CloseHandle.KERNEL32(?), ref: 0048AF8D
Part of subcall function 0048AEA8: GetLastError.KERNEL32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF9A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048F888, Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 110 Total matches: 18

Similarity

Total matches: 18
API ID: CoInitialize
String ID: .dcp$DCDATA$GENCODE$MPI$NETDATA
API String ID: 2346599605-3060965071
Opcode ID: 5b2698c0d83cdaee763fcf6fdf8d4463e192853437356cece5346bd183c87f4d
Instruction ID: bf1364519f653df7cd18a9a38ec8bfca38719d83700d8c9dcdc44dde4d16a583
Opcode Fuzzy Hash: 990190478FEEC01AF2139D64387B7C100994F53F55E840B9B557D3E5A08947502BB705
Instruction Fuzzy Hash: bf1364519f653df7cd18a9a38ec8bfca38719d83700d8c9dcdc44dde4d16a583

APIs

Part of subcall function 004076D4: GetModuleHandleA.KERNEL32(00000000,?,0048F8A5,?,?,?,0000002F,00000000,00000000), ref: 004076E0

CoInitialize.OLE32(00000000), ref: 0048F8B5

Part of subcall function 0048AFE8: GetCurrentProcess.KERNEL32(00000028,?,00000000,0048B0F3), ref: 0048B016
Part of subcall function 0048AFE8: OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048B0F3), ref: 0048B01C
Part of subcall function 0048AFE8: Sleep.KERNEL32(00000001,00000000,00000028,?,00000000,0048B0F3), ref: 0048B027
Part of subcall function 0048AFE8: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B03C
Part of subcall function 0048AFE8: Sleep.KERNEL32(00000001,?,TokenIntegrityLevel,00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B047
Part of subcall function 0048AFE8: LookupPrivilegeNameA.ADVAPI32(00000000,00000004,00000000,000000FF), ref: 0048B094
Part of subcall function 0048AFE8: LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,?,000000FF,?), ref: 0048B0A8

Part of subcall function 0040F234: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0048F90F,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040F24B

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

Strings

.dcp, xrefs: 0048F92D, 0048F989
DCDATA, xrefs: 0048F8E9
NETDATA, xrefs: 0048F9B6
MPI, xrefs: 0048F8BA
GENCODE, xrefs: 0048F920, 0048F97C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B47C, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58 Total matches: 283

Similarity

Total matches: 283
API ID: MulDiv
String ID: MS Shell Dlg 2$SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes$Tahoma
API String ID: 940359406-1011973972
Opcode ID: 9f338f1e3de2c8e95426f3758bdd42744a67dcd51be80453ed6f2017c850a3af
Instruction ID: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a
Opcode Fuzzy Hash: EDE0680017C8F0ABFC32BC8A30A17CD20C9F341270C0063B1065D3D8CAAB4AC018E907
Instruction Fuzzy Hash: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a

APIs

MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0042B4A2

Part of subcall function 004217A0: RegCloseKey.ADVAPI32(10940000,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5,?,00000000,0048B2DD), ref: 004217B4

Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421A81
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421AF1
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?), ref: 00421B5C

Part of subcall function 00421770: RegFlushKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 00421781
Part of subcall function 00421770: RegCloseKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 0042178A

Part of subcall function 0042B438: GetDC.USER32(00000000), ref: 0042B441
Part of subcall function 0042B438: SelectObject.GDI32(00000000,018A002E), ref: 0042B453
Part of subcall function 0042B438: GetTextMetricsA.GDI32(00000000), ref: 0042B45E
Part of subcall function 0042B438: ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes, xrefs: 0042B4F8
MS Shell Dlg 2, xrefs: 0042B50C
Tahoma, xrefs: 0042B4C4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00421140, Relevance: 6.1, APIs: 4, Instructions: 59 Total matches: 2877registry

Similarity

Total matches: 2877
API ID: GetClassInfoRegisterClassSetWindowLongUnregisterClass
String ID:
API String ID: 1046148194-0
Opcode ID: c2411987b4f71cfd8dbf515c505d6b009a951c89100e7b51cc1a9ad4868d85a2
Instruction ID: ad09bb2cd35af243c34bf0a983bbfa5e937b059beb8f7eacfcf21e0321a204f6
Opcode Fuzzy Hash: 17E026123D08D3D6E68B3107302B30D00AC1B2F524D94E725428030310CB24B034D942
Instruction Fuzzy Hash: ad09bb2cd35af243c34bf0a983bbfa5e937b059beb8f7eacfcf21e0321a204f6

APIs

GetClassInfoA.USER32(00400000,00421130,?), ref: 00421161
UnregisterClassA.USER32(00421130,00400000), ref: 0042118A
RegisterClassA.USER32(00491B50), ref: 00421194

Part of subcall function 0040857C: CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004085BB

Part of subcall function 00421084: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 004210A2

SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 004211DF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00421808, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74 Total matches: 14registry

Similarity

Total matches: 14
API ID: RegCloseKeyRegCreateKeyEx
String ID: ddA
API String ID: 4178925417-2966775115
Opcode ID: 48d059bb8e84bc3192dc11d099b9e0818b120cb04e32a6abfd9049538a466001
Instruction ID: bcac8fa413c5abe8057b39d2fbf4054ffa52545f664d92bf1e259ce37bb87d2b
Opcode Fuzzy Hash: 99E0E5461A86A377B41BB1583001B523267EB167A6C85AB72164D3EADBAA40802DAE53
Instruction Fuzzy Hash: bcac8fa413c5abe8057b39d2fbf4054ffa52545f664d92bf1e259ce37bb87d2b

APIs

RegCreateKeyExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,000F003F,00000000,?,?,00000000,004218D4,?,?,?,00000000), ref: 0042187F
RegCloseKey.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,000F003F,00000000,?,?,00000000,004218D4,?,?,?,00000000), ref: 00421893

Strings

ddA, xrefs: 004218A7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DD0C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51 Total matches: 15

Similarity

Total matches: 15
API ID: GlobalMemoryStatus
String ID: $%d%
API String ID: 1890195054-1553997471
Opcode ID: b93ee82e74eb3fdc7cf13e02b5efcaa0aef25b4b863b00f7ccdd0b9efdff76e6
Instruction ID: fe5533f6b2d125ff6ee6e2ff500c73019a28ed325643b914abb945f4eac8f20d
Opcode Fuzzy Hash: 64D05BD70F99F457A5A1718E3452FA400956F036D9CC83BB349946E99F071F80ACF612
Instruction Fuzzy Hash: fe5533f6b2d125ff6ee6e2ff500c73019a28ed325643b914abb945f4eac8f20d

APIs

GlobalMemoryStatus.KERNEL32(00000020), ref: 0048DD44

Strings

%d%, xrefs: 0048DD5C
, xrefs: 0048DD39

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048CF38, Relevance: 4.5, APIs: 3, Instructions: 43 Total matches: 31

Similarity

Total matches: 31
API ID: GetForegroundWindowGetWindowTextGetWindowTextLength
String ID:
API String ID: 3098183346-0
Opcode ID: 209e0569b9b6198440fd91fa0607dca7769e34364d6ddda49eba559da13bc80b
Instruction ID: 91d0bfb2ef12b00d399625e8c88d0df52cd9c99a94677dcfff05ce23f9c63a23
Opcode Fuzzy Hash: 06D0A785074B861BA40A96CC64011E692906161142D8077318725BA5C9AD06001FA85B
Instruction Fuzzy Hash: 91d0bfb2ef12b00d399625e8c88d0df52cd9c99a94677dcfff05ce23f9c63a23

APIs

GetForegroundWindow.USER32 ref: 0048CF57
GetWindowTextLengthA.USER32(00000000), ref: 0048CF63
GetWindowTextA.USER32(00000000,00000000,00000001), ref: 0048CF80

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482028, Relevance: 4.5, APIs: 3, Instructions: 19 Total matches: 124window

Similarity

Total matches: 124
API ID: DispatchMessageGetMessageTranslateMessage
String ID:
API String ID: 238847732-0
Opcode ID: 2bc29e822e5a19ca43f9056ef731e5d255ca23f22894fa6ffe39914f176e67d0
Instruction ID: 3635f244085e73605198e4edd337f824154064b4cabe78c039b45d2f1f3269be
Opcode Fuzzy Hash: A9B0120F8141E01F254D19651413380B5D379C3120E515B604E2340284D19031C97C49
Instruction Fuzzy Hash: 3635f244085e73605198e4edd337f824154064b4cabe78c039b45d2f1f3269be

APIs

Part of subcall function 00481ED8: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00482007,?,?,00000003,00000000,00000000,?,00482033), ref: 00481EFB
Part of subcall function 00481ED8: SetWindowsHookExA.USER32(0000000D,004818F8,00000000,00000000), ref: 00481F09

TranslateMessage.USER32 ref: 00482036
DispatchMessageA.USER32 ref: 0048203C
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00482048

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C91C, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 75 Total matches: 20

Similarity

Total matches: 20
API ID: GetVolumeInformation
String ID: %.4x:%.4x
API String ID: 1114431059-3532927987
Opcode ID: 208ca3ebf28c5cea15b573a569a7b8c9d147c1ff64dfac4d15af7b461a718bc8
Instruction ID: 4ae5e3aba91ec141201c4859cc19818ff8a02ee484ece83311eb3b9305c11bcf
Opcode Fuzzy Hash: F8E0E5410AC961EBB4D3F0883543BA2319593A3289C807B73B7467FDD64F05505DD847
Instruction Fuzzy Hash: 4ae5e3aba91ec141201c4859cc19818ff8a02ee484ece83311eb3b9305c11bcf

APIs

GetVolumeInformationA.KERNEL32(00000000,00000000,00000104,?,?,?,00000000,00000104), ref: 0048C974

Strings

%.4x:%.4x, xrefs: 0048C9B9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048CFB4, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58 Total matches: 8

Similarity

Total matches: 8
API ID: capGetDriverDescription
String ID: -
API String ID: 908034968-3695764949
Opcode ID: 539b46e002ba2863d7d2c04a7b077dd225392ffb50804089dcc6361416e5df4e
Instruction ID: 038fcc9a5db2c7f42583a832665ba5c588812794c244530825cfc74b69c29f65
Opcode Fuzzy Hash: 2EE0228213B0DAF7E5A00FA03864F5C0B640F02AB8F8C9FA2A278651EE2C14404CE24F
Instruction Fuzzy Hash: 038fcc9a5db2c7f42583a832665ba5c588812794c244530825cfc74b69c29f65

APIs

capGetDriverDescriptionA.AVICAP32(00000000,?,00000105,?,00000105,00000000,0048D07B), ref: 0048CFF9

Strings

- , xrefs: 0048D026

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00475E2C, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 51 Total matches: 7network

Similarity

Total matches: 7
API ID: send
String ID: AI
API String ID: 2809346765-2814088591
Opcode ID: 868ad7ac68dacb7c8c4160927bbae46afa974d2bcec77bad21f6f3dd38f5bacb
Instruction ID: 18704ec08ed0309c1d2906dc748e140c54c21f2532b483477e06f3f57a53c56f
Opcode Fuzzy Hash: 47D0C246096AC96BA413E890396335B2097FB40259D802B700B102F0978E05601BAE83
Instruction Fuzzy Hash: 18704ec08ed0309c1d2906dc748e140c54c21f2532b483477e06f3f57a53c56f

APIs

send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

AI, xrefs: 00475E55

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004221F0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47 Total matches: 18registry

Similarity

Total matches: 18
API ID: RegQueryValueEx
String ID: ldA
API String ID: 3865029661-3200660723
Opcode ID: ec304090a766059ca8447c7e950ba422bbcd8eaba57a730efadba48c404323b5
Instruction ID: 1bfdbd06430122471a07604155f074e1564294130eb9d59a974828bfc3ff2ca5
Opcode Fuzzy Hash: 87D05E281E48858525DA74D93101B522241E7193938CC3F618A4C976EB6900F018EE0F
Instruction Fuzzy Hash: 1bfdbd06430122471a07604155f074e1564294130eb9d59a974828bfc3ff2ca5

APIs

RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000), ref: 0042221B

Strings

ldA, xrefs: 00422231

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Similar Non-Executed Functions

Function 0048B42C, Relevance: 70.2, APIs: 32, Strings: 8, Instructions: 219 Total matches: 29keyboard

Similarity

Total matches: 29
API ID: keybd_event
String ID: CTRLA$CTRLC$CTRLF$CTRLP$CTRLV$CTRLX$CTRLY$CTRLZ
API String ID: 2665452162-853614746
Opcode ID: 4def22f753c7f563c1d721fcc218f3f6eb664e5370ee48361dbc989d32d74133
Instruction ID: 963b610819eac8b52ef880b5a8b69d76f76adbdeafee6c47af906d1515d6b099
Opcode Fuzzy Hash: 532196951B0CA2B978DA64817C0E195F00B969B34DEDC13128990DAF788EF08DE03F35
Instruction Fuzzy Hash: 963b610819eac8b52ef880b5a8b69d76f76adbdeafee6c47af906d1515d6b099

APIs

keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B460
keybd_event.USER32(00000041,00000045,00000001,00000000), ref: 0048B46D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B47A
keybd_event.USER32(00000041,00000045,00000003,00000000), ref: 0048B487
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B4A8
keybd_event.USER32(00000056,00000045,00000001,00000000), ref: 0048B4B5
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B4C2
keybd_event.USER32(00000056,00000045,00000003,00000000), ref: 0048B4CF
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B4F0
keybd_event.USER32(00000043,00000045,00000001,00000000), ref: 0048B4FD
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B50A
keybd_event.USER32(00000043,00000045,00000003,00000000), ref: 0048B517
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B538
keybd_event.USER32(00000058,00000045,00000001,00000000), ref: 0048B545
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B552
keybd_event.USER32(00000058,00000045,00000003,00000000), ref: 0048B55F
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B580
keybd_event.USER32(00000050,00000045,00000001,00000000), ref: 0048B58D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B59A
keybd_event.USER32(00000050,00000045,00000003,00000000), ref: 0048B5A7
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B5C8
keybd_event.USER32(0000005A,00000045,00000001,00000000), ref: 0048B5D5
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B5E2
keybd_event.USER32(0000005A,00000045,00000003,00000000), ref: 0048B5EF
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B610
keybd_event.USER32(00000059,00000045,00000001,00000000), ref: 0048B61D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B62A
keybd_event.USER32(00000059,00000045,00000003,00000000), ref: 0048B637
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B655
keybd_event.USER32(00000046,00000045,00000001,00000000), ref: 0048B662
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B66F
keybd_event.USER32(00000046,00000045,00000003,00000000), ref: 0048B67C

Strings

CTRLP, xrefs: 0048B56C
CTRLC, xrefs: 0048B4DC
CTRLV, xrefs: 0048B494
CTRLY, xrefs: 0048B5FC
CTRLF, xrefs: 0048B641
CTRLZ, xrefs: 0048B5B4
CTRLX, xrefs: 0048B524
CTRLA, xrefs: 0048B44C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00460AC0, Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99 Total matches: 300libraryloader

Similarity

Total matches: 300
API ID: GetProcAddress$GetModuleHandle
String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$[FILE]
API String ID: 1039376941-2682310058
Opcode ID: f09c306a48b0de2dd47c8210d3bd2ba449cfa3644c05cf78ba5a2ace6c780295
Instruction ID: bcfc9cd07546656776842482fc67dab96c7523a4dc8624f3bf5282ed84c56a54
Opcode Fuzzy Hash: 950151BF00AC158CCBB0CE8834EFB5324AB398984C4225F4495C6312393D9FF50A1AAA
Instruction Fuzzy Hash: bcfc9cd07546656776842482fc67dab96c7523a4dc8624f3bf5282ed84c56a54

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?,?,?), ref: 00460AD4
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?,?,?), ref: 00460AEC
GetProcAddress.KERNEL32(00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?), ref: 00460AFE
GetProcAddress.KERNEL32(00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E), ref: 00460B10
GetProcAddress.KERNEL32(00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5), ref: 00460B22
GetProcAddress.KERNEL32(00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5), ref: 00460B34
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000), ref: 00460B46
GetProcAddress.KERNEL32(00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002), ref: 00460B58
GetProcAddress.KERNEL32(00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot), ref: 00460B6A
GetProcAddress.KERNEL32(00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst), ref: 00460B7C
GetProcAddress.KERNEL32(00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext), ref: 00460B8E
GetProcAddress.KERNEL32(00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First), ref: 00460BA0
GetProcAddress.KERNEL32(00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next), ref: 00460BB2
GetProcAddress.KERNEL32(00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory), ref: 00460BC4
GetProcAddress.KERNEL32(00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First), ref: 00460BD6
GetProcAddress.KERNEL32(00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next), ref: 00460BE8
GetProcAddress.KERNEL32(00000000,Module32NextW,00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW), ref: 00460BFA

Strings

Toolhelp32ReadProcessMemory, xrefs: 00460B3E
CreateToolhelp32Snapshot, xrefs: 00460AE4
Heap32First, xrefs: 00460B1A
Thread32First, xrefs: 00460B98
Module32First, xrefs: 00460BBC
Process32FirstW, xrefs: 00460B74
Heap32Next, xrefs: 00460B2C
Process32First, xrefs: 00460B50
Module32Next, xrefs: 00460BCE
Module32NextW, xrefs: 00460BF2
Heap32ListFirst, xrefs: 00460AF6
Thread32Next, xrefs: 00460BAA
Module32FirstW, xrefs: 00460BE0
Heap32ListNext, xrefs: 00460B08
Process32NextW, xrefs: 00460B86
kernel32.dll, xrefs: 00460ACF
Process32Next, xrefs: 00460B62

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047FA8C, Relevance: 44.0, APIs: 24, Strings: 1, Instructions: 241 Total matches: 15networkwindow

Similarity

Total matches: 15
API ID: GetDeviceCaps$recv$DeleteObjectSelectObject$BitBltCreateCompatibleBitmapCreateCompatibleDCGetDCReleaseDCclosesocketconnectgethostbynameinet_addrntohssendshutdownsocket
String ID: THUMB
API String ID: 1930283203-3798143851
Opcode ID: 678904e15847db7bac48336b7cf5e320d4a41031a0bc1ba33978a791cdb2d37c
Instruction ID: a6e5d2826a1bfadec34d698d0b396fa74616cd31ac2933a690057ec4ea65ec21
Opcode Fuzzy Hash: A331F900078DE76BF6722B402983F571157FF42A21E6997A34BB4676C75FC0640EB60B
Instruction Fuzzy Hash: a6e5d2826a1bfadec34d698d0b396fa74616cd31ac2933a690057ec4ea65ec21

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,0047FD80), ref: 0047FACB
ntohs.WSOCK32(00000774), ref: 0047FAEF
inet_addr.WSOCK32(015EAA88,00000774), ref: 0047FB03
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 0047FB1B
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 0047FB42
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047FB59

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047FBA9
GetDC.USER32(00000000), ref: 0047FBE3
CreateCompatibleDC.GDI32(?), ref: 0047FBEF
GetDeviceCaps.GDI32(?,0000000A), ref: 0047FBFD
GetDeviceCaps.GDI32(?,00000008), ref: 0047FC09
CreateCompatibleBitmap.GDI32(?,00000000,?), ref: 0047FC13
SelectObject.GDI32(?,?), ref: 0047FC23
GetDeviceCaps.GDI32(?,0000000A), ref: 0047FC3E
GetDeviceCaps.GDI32(?,00000008), ref: 0047FC4A
BitBlt.GDI32(?,00000000,00000000,00000000,?,00000008,00000000,?,0000000A), ref: 0047FC58
send.WSOCK32(000000FF,?,00000000,00000000,?,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010), ref: 0047FCCD
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00000000,00000000,?,000000FF,?,00002000,00000000,000000FF,?,00002000), ref: 0047FCE4
SelectObject.GDI32(?,?), ref: 0047FD08
DeleteObject.GDI32(?), ref: 0047FD11
DeleteObject.GDI32(?), ref: 0047FD1A
ReleaseDC.USER32(00000000,?), ref: 0047FD25
shutdown.WSOCK32(000000FF,00000002,00000002,00000001,00000000,00000000,0047FD80), ref: 0047FD54
closesocket.WSOCK32(000000FF,000000FF,00000002,00000002,00000001,00000000,00000000,0047FD80), ref: 0047FD5D

Strings

THUMB, xrefs: 0047FB7F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486918, Relevance: 40.8, APIs: 27, Instructions: 343 Total matches: 14networksleep

Similarity

Total matches: 14
API ID: send$recv$closesocket$Sleepconnectgethostbynamegetsocknamentohsselectsocket
String ID:
API String ID: 2478304679-0
Opcode ID: 4d87a5330adf901161e92fb1ca319a93a9e59af002049e08fc24e9f18237b9f5
Instruction ID: e3ab2fee1e4498134b0ab76971bb2098cdaeb743d0e54aa66642cb2787f17742
Opcode Fuzzy Hash: 8F5159466792D79EF5A21F00640279192F68B03F25F05DB72D63A393D8CEC4009EBF08
Instruction Fuzzy Hash: e3ab2fee1e4498134b0ab76971bb2098cdaeb743d0e54aa66642cb2787f17742

APIs

recv.WSOCK32(?,?,00000002,00000002,00000000,00486E16), ref: 00486971
recv.WSOCK32(?,00000005,?,00000000), ref: 004869A0
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 004869EE
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486A0B
recv.WSOCK32(?,?,00000259,00000000,?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486A1F
send.WSOCK32(?,00000001,00000002,00000000), ref: 00486A9E
send.WSOCK32(?,00000001,00000002,00000000), ref: 00486ABB
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486AE8
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486B02
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486B2B
recv.WSOCK32(?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486B41
recv.WSOCK32(?,?,0000000C,00000000,?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486B7C
recv.WSOCK32(?,?,?,00000000,?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486BD9
gethostbyname.WSOCK32(00000000,?,?,?,00000000,?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486BFF
ntohs.WSOCK32(?,00000000,?,?,?,00000000,?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486C29
socket.WSOCK32(00000002,00000001,00000000), ref: 00486C44
connect.WSOCK32(00000000,00000002,00000010,00000002,00000001,00000000), ref: 00486C55
getsockname.WSOCK32(00000000,?,00000010,00000000,00000002,00000010,00000002,00000001,00000000), ref: 00486CA8
send.WSOCK32(?,00000005,0000000A,00000000,00000000,?,00000010,00000000,00000002,00000010,00000002,00000001,00000000), ref: 00486CDD
select.WSOCK32(00000000,?,00000000,00000000,00000000,?,00000005,0000000A,00000000,00000000,?,00000010,00000000,00000002,00000010,00000002), ref: 00486D1D
Sleep.KERNEL32(00000096,00000000,?,00000000,00000000,00000000,?,00000005,0000000A,00000000,00000000,?,00000010,00000000,00000002,00000010), ref: 00486DCA

Part of subcall function 00408710: __WSAFDIsSet.WSOCK32(00000000,?,00000000,?,00486D36,00000000,?,00000000,00000000,00000000,00000096,00000000,?,00000000,00000000,00000000), ref: 00408718

recv.WSOCK32(00000000,?,00001000,00000000,00000000,?,00000000,00000000,00000000,00000096,00000000,?,00000000,00000000,00000000,?), ref: 00486D5B
send.WSOCK32(?,?,00000000,00000000,00000000,?,00001000,00000000,00000000,?,00000000,00000000,00000000,00000096,00000000,?), ref: 00486D72
recv.WSOCK32(?,?,00001000,00000000,00000000,?,00000000,00000000,00000000,00000096,00000000,?,00000000,00000000,00000000,?), ref: 00486DA9
send.WSOCK32(00000000,?,00000000,00000000,?,?,00001000,00000000,00000000,?,00000000,00000000,00000000,00000096,00000000,?), ref: 00486DC0
closesocket.WSOCK32(?,?,?,00000002,00000002,00000000,00486E16), ref: 00486DE2
closesocket.WSOCK32(?,?,?,?,00000002,00000002,00000000,00486E16), ref: 00486DE8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004801FC, Relevance: 35.3, APIs: 15, Strings: 5, Instructions: 286 Total matches: 15network

Similarity

Total matches: 15
API ID: recv$closesocketconnectgethostbynameinet_addrntohssendshutdownsocket
String ID: [.dll]$[.dll]$[.dll]$[.dll]$[.dll]
API String ID: 2256622448-126193538
Opcode ID: edfb90c8b4475b2781d0696b1145c1d1b84b866ec8cac18c23b2313044de0fe7
Instruction ID: 2d95426e1e6ee9a744b3e863ef1b8a7e344b36da7f7d1abd741f771f4a8a1459
Opcode Fuzzy Hash: FB414B0217AAD36BE0726F413943B8B00A2AF03E15D9C97E247B5267D69FA0501DB21A
Instruction Fuzzy Hash: 2d95426e1e6ee9a744b3e863ef1b8a7e344b36da7f7d1abd741f771f4a8a1459

APIs

socket.WSOCK32(00000002,00000001,00000000), ref: 00480264
ntohs.WSOCK32(00000774), ref: 00480288
inet_addr.WSOCK32(015EAA88,00000774), ref: 0048029C
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 004802B4
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 004802DB
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004802F2
closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004805DE

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,?,0048064C,?,00000000,?,FILETRANSFER,000000FF,?,00002000,00000000,000000FF,00000002), ref: 0048036A
recv.WSOCK32(000000FF,?,00002000,00000000,?,00000000,?,0048064C,?,FILEBOF,?,FILETRANSFER,000000FF,?,00002000,00000000), ref: 00480401

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,00000000,?,0048064C,?,FILEBOF,?,FILETRANSFER), ref: 00480451
send.WSOCK32(000000FF,?,00000000,00000000,00000000,00480523,?,000000FF,?,00002000,00000000,?,00000000,?,0048064C,?), ref: 004804DB
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00000000,00000000,00000000,00480523,?,000000FF,?,00002000,00000000,?), ref: 004804F5
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,00000000,?,0048064C,?,FILEBOF,?,FILETRANSFER), ref: 00480583

Part of subcall function 00475F68: send.WSOCK32(?,00000000,?,00000000,00000000,00475FCA), ref: 00475FAF

recv.WSOCK32(000000FF,?,00002000,00000000,?,FILETRANSFER,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004805B6
shutdown.WSOCK32(000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004805D5

Strings

FILEERR, xrefs: 00480432
FILEEOF, xrefs: 00480564
FILEBOF, xrefs: 004803A6
FILEEND, xrefs: 00480597
FILETRANSFER, xrefs: 004802FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00480880, Relevance: 30.0, APIs: 12, Strings: 5, Instructions: 276 Total matches: 16network

Similarity

Total matches: 16
API ID: recv$closesocketshutdown$connectgethostbynameinet_addrntohssocket
String ID: [.dll]$[.dll]$[.dll]$[.dll]$[.dll]
API String ID: 2855376909-126193538
Opcode ID: ce8af9afc4fc20da17b49cda6627b8ca93217772cb051443fc0079949da9fcb3
Instruction ID: 6552a3c7cc817bd0bf0621291c8240d3f07fdfb759ea8c029e05bf9a4febe696
Opcode Fuzzy Hash: A5414C032767977AE1612F402881B952571BF03769DC8C7D257F6746EA5F60240EF31E
Instruction Fuzzy Hash: 6552a3c7cc817bd0bf0621291c8240d3f07fdfb759ea8c029e05bf9a4febe696

APIs

socket.WSOCK32(00000002,00000001,00000000,?,?,?,?,?,?,?,?,?,00000000,00480C86), ref: 004808B5
ntohs.WSOCK32(00000774), ref: 004808D9
inet_addr.WSOCK32(015EAA88,00000774), ref: 004808ED
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 00480905
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 0048092C
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480943
closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480C2F

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480993
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88), ref: 004809C8
shutdown.WSOCK32(000000FF,00000002,?,?,?,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000), ref: 00480B80
closesocket.WSOCK32(000000FF,000000FF,00000002,?,?,?,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?), ref: 00480B89

Part of subcall function 00480860: send.WSOCK32(?,00000000,00000001,00000000), ref: 00480879

shutdown.WSOCK32(000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480C26

Part of subcall function 00405D40: SysFreeString.OLEAUT32(?), ref: 00405D53

Strings

FILEERR, xrefs: 00480BB6
FILEBOF, xrefs: 00480A34
FILEEOF, xrefs: 00480B0B
UPLOADFILE, xrefs: 00480969
FILEEND, xrefs: 00480B6A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048851C, Relevance: 28.3, APIs: 11, Strings: 5, Instructions: 302 Total matches: 13network

Similarity

Total matches: 13
API ID: recv$closesocketconnectgethostbynameinet_addrmouse_eventntohsshutdownsocket
String ID: CONTROLIO$XLEFT$XMID$XRIGHT$XWHEEL
API String ID: 1694935655-1300867655
Opcode ID: 3d8ebbc3997d8a2a290d7fc83b0cdb9b95b23bbbcb8ad76760d2b66ee4a9946d
Instruction ID: 7e2e77316238cb3891ff65c9dc595f4b15bca55cd02a53a070d44cee5d55110c
Opcode Fuzzy Hash: C7410B051B8DD63BF4337E001883B422661FF02A24DC5ABD1ABB6766E75F40641EB74B
Instruction Fuzzy Hash: 7e2e77316238cb3891ff65c9dc595f4b15bca55cd02a53a070d44cee5d55110c

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00488943), ref: 00488581
ntohs.WSOCK32(00000774), ref: 004885A7
inet_addr.WSOCK32(015EAA88,00000774), ref: 004885BB
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 004885D3
connect.WSOCK32(?,00000002,00000010,015EAA88,00000774), ref: 004885FD
recv.WSOCK32(?,?,00002000,00000000,?,00000002,00000010,015EAA88,00000774), ref: 00488617

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(?,?,00002000,00000000,?,?,00002000,00000000,?,00000002,00000010,015EAA88,00000774), ref: 00488670
recv.WSOCK32(?,?,00002000,00000000,?,?,00002000,00000000,?,?,00002000,00000000,?,00000002,00000010,015EAA88), ref: 004886B7
mouse_event.USER32(00000800,00000000,00000000,00000000,00000000), ref: 00488743

Part of subcall function 00488F80: SetCursorPos.USER32(00000000,00000000), ref: 004890E0
Part of subcall function 00488F80: mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 004890FB
Part of subcall function 00488F80: mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 0048910A
Part of subcall function 00488F80: mouse_event.USER32(00000008,00000000,00000000,00000000,00000000), ref: 0048911B
Part of subcall function 00488F80: mouse_event.USER32(00000010,00000000,00000000,00000000,00000000), ref: 0048912A
Part of subcall function 00488F80: mouse_event.USER32(00000020,00000000,00000000,00000000,00000000), ref: 0048913B
Part of subcall function 00488F80: mouse_event.USER32(00000040,00000000,00000000,00000000,00000000), ref: 0048914A

shutdown.WSOCK32(?,00000002,00000002,00000001,00000000,00000000,00488943), ref: 00488907
closesocket.WSOCK32(?,?,00000002,00000002,00000001,00000000,00000000,00488943), ref: 00488913

Strings

XLEFT, xrefs: 004887C6
CONTROLIO, xrefs: 00488640
XRIGHT, xrefs: 0048882E
XMID, xrefs: 00488896
XWHEEL, xrefs: 00488701

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048317C, Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 191 Total matches: 13networkthread

Similarity

Total matches: 13
API ID: ExitThreadrecv$closesocketconnectgethostbynameinet_addrntohssendshutdownsocket
String ID: AI$DATAFLUX
API String ID: 321019756-425132630
Opcode ID: b7a2c89509495347fc3323384a94636a93f503423a5dcd762de1341b7d40447e
Instruction ID: d3bdd4e47b343d3b4fa6119c5e41daebd5c6236719acedab40bdc5f8245a3ecd
Opcode Fuzzy Hash: 4B214D4107AAD97AE4702A443881BA224165F535ADFD48B7147343F7D79E43205DFA4E
Instruction Fuzzy Hash: d3bdd4e47b343d3b4fa6119c5e41daebd5c6236719acedab40bdc5f8245a3ecd

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,004833A9,?,00000000,0048340F), ref: 00483247
ExitThread.KERNEL32(00000000,00000002,00000001,00000000,00000000,004833A9,?,00000000,0048340F), ref: 00483257
ntohs.WSOCK32(00000774), ref: 0048326E
inet_addr.WSOCK32(015EAA88,00000774), ref: 00483282
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 0048329A
ExitThread.KERNEL32(00000000,015EAA88,015EAA88,00000774), ref: 004832A7
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 004832C6
recv.WSOCK32(000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004832D7
ExitThread.KERNEL32(00000000,000000FF,000000FF,00000002,000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0048339A

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00000400,00000000,?,00483440,?,DATAFLUX,000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88), ref: 0048331D
send.WSOCK32(000000FF,?,00000000,00000000), ref: 0048335C
recv.WSOCK32(000000FF,?,00000400,00000000,000000FF,?,00000000,00000000), ref: 00483370
shutdown.WSOCK32(000000FF,00000002,000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00483382
closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0048338B

Strings

AI, xrefs: 00483218
DATAFLUX, xrefs: 004832E3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047F4E0, Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 295 Total matches: 16network

Similarity

Total matches: 16
API ID: recv$closesocketconnectgethostbynameinet_addrntohsshutdownsocket
String ID: [.dll]$PLUGIN$QUICKUP
API String ID: 3502134677-2029499634
Opcode ID: e0335874fa5fb0619f753044afc16a0783dc895853cb643f68a57d403a54b849
Instruction ID: e53faec40743fc20efac8ebff3967ea6891c829de5991c2041a7f36387638ce7
Opcode Fuzzy Hash: 8E4129031BAAEA76E1723F4029C2B851A62EF12635DC4C7E287F6652D65F60241DF60E
Instruction Fuzzy Hash: e53faec40743fc20efac8ebff3967ea6891c829de5991c2041a7f36387638ce7

APIs

socket.WSOCK32(00000002,00000001,00000000,?,00000000,0047F930,?,?,?,?,00000000,00000000), ref: 0047F543
ntohs.WSOCK32(00000774), ref: 0047F567
inet_addr.WSOCK32(015EAA88,00000774), ref: 0047F57B
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 0047F593
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F5BA
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F5D1
closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F8C2

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,?,0047F968,?,0047F968,?,QUICKUP,000000FF,?,00002000,00000000,000000FF,00000002), ref: 0047F63F
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,0047F968,?,0047F968,?,QUICKUP,000000FF,?), ref: 0047F66F

Part of subcall function 0047F4C0: send.WSOCK32(?,00000000,00000001,00000000), ref: 0047F4D9

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,0047F968,?,0047F968), ref: 0047F859

Part of subcall function 0048ADCC: SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0048ADF9
Part of subcall function 0048ADCC: SHGetPathFromIDListA.SHELL32(?,?,00000000,0048AE8C,?,?,00000005,?,004856FD,00000000,00485755,?,?,00000005,00000000,00000000), ref: 0048AE09

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,0047F968,?,0047F968), ref: 0047F786

Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EEA0
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF11
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EF31
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF60
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0047EF96
Part of subcall function 0047EE3C: SetFileAttributesA.KERNEL32(00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFD6
Part of subcall function 0047EE3C: DeleteFileA.KERNEL32(00000000,00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFFF
Part of subcall function 0047EE3C: CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0047F033
Part of subcall function 0047EE3C: PlaySoundA.WINMM(00000000,00000000,00000001,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047F059
Part of subcall function 0047EE3C: CopyFileA.KERNEL32(00000000,00000000,.dcp), ref: 0047F0D1

shutdown.WSOCK32(000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F8B9

Part of subcall function 00405D40: SysFreeString.OLEAUT32(?), ref: 00405D53

Strings

PLUGIN, xrefs: 0047F527
QUICKUP, xrefs: 0047F5DD
FILEEND, xrefs: 0047F7E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00489244, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 150 Total matches: 15networkthread

Similarity

Total matches: 15
API ID: recv$ExitThreadclosesocketconnectgethostbynameinet_addrntohssendshutdownsocket
String ID: AI$DATAFLUX
API String ID: 272284131-425132630
Opcode ID: 11f7e99e0a7c1cc561ab01f1b1abb0142bfc906553ec9d79ada03e9cf39adde9
Instruction ID: 4d7be339f0e68e68ccf0b59b667884dcbebc6bd1e5886c9405f519ae2503b2a6
Opcode Fuzzy Hash: DA115B4513B9A77BE0626F943842B6265236B02E3CF498B3153B83A3C6DF41146DFA4D
Instruction Fuzzy Hash: 4d7be339f0e68e68ccf0b59b667884dcbebc6bd1e5886c9405f519ae2503b2a6

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00489441), ref: 004892BA
ntohs.WSOCK32(00000774), ref: 004892DC
inet_addr.WSOCK32(015EAA88,00000774), ref: 004892F0
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 00489308
connect.WSOCK32(00000000,00000002,00000010,015EAA88,00000774), ref: 0048932C
recv.WSOCK32(00000000,?,00000400,00000000,00000000,00000002,00000010,015EAA88,00000774), ref: 00489340

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(00000000,?,00000400,00000000,?,0048946C,?,DATAFLUX,00000000,?,00000400,00000000,00000000,00000002,00000010,015EAA88), ref: 00489399
send.WSOCK32(00000000,?,00000000,00000000), ref: 004893E3
recv.WSOCK32(00000000,?,00000400,00000000,00000000,?,00000000,00000000), ref: 004893FA
shutdown.WSOCK32(00000000,00000002,00000002,00000001,00000000,00000000,00489441), ref: 00489409
closesocket.WSOCK32(00000000,00000000,00000002,00000002,00000001,00000000,00000000,00489441), ref: 0048940F
ExitThread.KERNEL32(00000000,00000000,00000000,00000002,00000002,00000001,00000000,00000000,00489441), ref: 0048941E

Strings

DATAFLUX, xrefs: 0048934C
AI, xrefs: 0048928B

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00406A68, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 139 Total matches: 2934stringlibraryfile

Similarity

Total matches: 2934
API ID: lstrcpyn$lstrlen$FindCloseFindFirstFileGetModuleHandleGetProcAddress
String ID: GetLongPathNameA$\$[FILE]
API String ID: 3661757112-3025972186
Opcode ID: 09af6d4fb3ce890a591f7b23fb756db22e1cbc03564fc0e4437be3767da6793e
Instruction ID: b14d932b19fc4064518abdddbac2846d3fd2a245794c3c1ecc53a3c556f9407d
Opcode Fuzzy Hash: 5A0148030E08E387E1775B017586F4A12A1EF41C38E98A36025F15BAC94E00300CF12F
Instruction Fuzzy Hash: b14d932b19fc4064518abdddbac2846d3fd2a245794c3c1ecc53a3c556f9407d

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,00400000,004917C0), ref: 00406A85
GetProcAddress.KERNEL32(?,GetLongPathNameA,kernel32.dll,?,00400000,004917C0), ref: 00406A9C
lstrcpynA.KERNEL32(?,?,?,?,00400000,004917C0), ref: 00406ACC
lstrcpynA.KERNEL32(?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B30

Part of subcall function 00406A48: CharNextA.USER32(?), ref: 00406A4F

lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B66
FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B79
FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B8B
lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B97
lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000), ref: 00406BCB
lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00406BD7
lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 00406BF9

Strings

GetLongPathNameA, xrefs: 00406A93
\, xrefs: 00406BA9
kernel32.dll, xrefs: 00406A80

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486E2C, Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 178 Total matches: 14networkthreadsleep

Similarity

Total matches: 14
API ID: CloseHandleCreateThreadExitThreadLocalAllocSleepacceptbindlistenntohssocket
String ID: ERR|Cannot listen to port, try another one..|$ERR|Socket error..|$OK|Successfully started..|
API String ID: 2137491959-3262568804
Opcode ID: 90fb1963c21165c4396d73d063bf7afe9f22d057a02fd569e7e66b2d14a70f73
Instruction ID: 0fda09cc725898a8dcbc65afb209be10fac5e25cc35172c883d426d9189e88b6
Opcode Fuzzy Hash: 9011D50257DC549BD5E7ACC83887FA611625F83E8CEC8BB06AB9A3B2C10E555028B652
Instruction Fuzzy Hash: 0fda09cc725898a8dcbc65afb209be10fac5e25cc35172c883d426d9189e88b6

APIs

socket.WSOCK32(00000002,00000001,00000006,00000000,00487046), ref: 00486E87
ntohs.WSOCK32(?,00000002,00000001,00000006,00000000,00487046), ref: 00486EA8
bind.WSOCK32(00000000,00000002,00000010,?,00000002,00000001,00000006,00000000,00487046), ref: 00486EBD
listen.WSOCK32(00000000,00000005,00000000,00000002,00000010,?,00000002,00000001,00000006,00000000,00487046), ref: 00486ECD

Part of subcall function 004870D4: EnterCriticalSection.KERNEL32(0049C3A8,00000000,004872FC,?,?,00000000,?,00000003,00000000,00000000,?,00486F27,00000000,?,?,00000000), ref: 00487110
Part of subcall function 004870D4: LeaveCriticalSection.KERNEL32(0049C3A8,004872E1,004872FC,?,?,00000000,?,00000003,00000000,00000000,?,00486F27,00000000,?,?,00000000), ref: 004872D4

accept.WSOCK32(00000000,?,00000010,00000000,?,?,00000000,00000000,00000005,00000000,00000002,00000010,?,00000002,00000001,00000006), ref: 00486F37
LocalAlloc.KERNEL32(00000040,00000010,00000000,?,00000010,00000000,?,?,00000000,00000000,00000005,00000000,00000002,00000010,?,00000002), ref: 00486F49
CreateThread.KERNEL32(00000000,00000000,Function_00086918,00000000,00000000,?), ref: 00486F83
CloseHandle.KERNEL32(00000000), ref: 00486F89
Sleep.KERNEL32(00000064,00000000,00000000,00000000,Function_00086918,00000000,00000000,?,00000040,00000010,00000000,?,00000010,00000000,?,?), ref: 00486FD0

Part of subcall function 00487488: EnterCriticalSection.KERNEL32(0049C3A8,00000000,00487671,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00487016), ref: 004874B5
Part of subcall function 00487488: closesocket.WSOCK32(00000000,FpH,?,?,?,?,0049C3A8,00000000,00487671,?,?,00000000,?,00000000,00000000,00000000), ref: 0048761C
Part of subcall function 00487488: LeaveCriticalSection.KERNEL32(0049C3A8,00487656,00487671,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00487016), ref: 00487649

ExitThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000010,?,00000002,00000001,00000006,00000000,00487046), ref: 00487018

Strings

ERR|Socket error..|, xrefs: 00486FA4
OK|Successfully started..|, xrefs: 00486EEF
ERR|Cannot listen to port, try another one..|, xrefs: 00486FEE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482630, Relevance: 18.1, APIs: 12, Instructions: 116 Total matches: 16threadnetworksleep

Similarity

Total matches: 16
API ID: ExitThread$Sleepclosesocketconnectgethostbynameinet_addrntohsrecvsocket
String ID:
API String ID: 2628901859-0
Opcode ID: a3aaf1e794ac1aa69d03c8f9e66797259df72f874d13839bb17dd00c6b42194d
Instruction ID: ff6d9d03150e41bc14cdbddfb540e41f41725cc753a621d047e760d4192c390a
Opcode Fuzzy Hash: 7801D0011B764DBFC4611E846C8239311A7A763899DC5EBB1433A395D34E00202DFE46
Instruction Fuzzy Hash: ff6d9d03150e41bc14cdbddfb540e41f41725cc753a621d047e760d4192c390a

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000000,004827A8), ref: 004826CB
ExitThread.KERNEL32(00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 004826D8
inet_addr.WSOCK32(00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 004826F3
ntohs.WSOCK32(00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 004826FC
gethostbyname.WSOCK32(00000000,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 0048270C
ExitThread.KERNEL32(00000000,00000000,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 00482719
connect.WSOCK32(00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 0048272F
ExitThread.KERNEL32(00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 0048273A

Part of subcall function 004824B0: send.WSOCK32(?,?,00000400,00000000,00000000,00482542), ref: 00482525

recv.WSOCK32(00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 00482758
Sleep.KERNEL32(000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 00482770
closesocket.WSOCK32(00000000,000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000), ref: 00482776
ExitThread.KERNEL32(00000000,00000000,000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?), ref: 0048277D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004821A0, Relevance: 15.1, APIs: 10, Instructions: 112 Total matches: 15threadnetworksleep

Similarity

Total matches: 15
API ID: ExitThread$Sleepclosesocketgethostbynameinet_addrntohssendtosocket
String ID:
API String ID: 1359030137-0
Opcode ID: 9f2e935b6ee09f04cbe2534d435647e5a9c7a25d7308ce71f3340d3606cd1e00
Instruction ID: ac1de70ce42b68397a6b2ea81eb33c5fd22f812bdd7d349b67f520e68fdd8bef
Opcode Fuzzy Hash: BC0197011B76997BD8612EC42C8335325A7E363498E85ABB2863A3A5C34E00303EFD4A
Instruction Fuzzy Hash: ac1de70ce42b68397a6b2ea81eb33c5fd22f812bdd7d349b67f520e68fdd8bef

APIs

socket.WSOCK32(00000002,00000002,00000000,?,00000000,00482302), ref: 0048223B
ExitThread.KERNEL32(00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 00482248
inet_addr.WSOCK32(00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 00482263
ntohs.WSOCK32(00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 0048226C
gethostbyname.WSOCK32(00000000,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 0048227C
ExitThread.KERNEL32(00000000,00000000,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 00482289
sendto.WSOCK32(00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 004822B2
Sleep.KERNEL32(000003E8,00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 004822CA
closesocket.WSOCK32(00000000,000003E8,00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 004822D0
ExitThread.KERNEL32(00000000,00000000,000003E8,00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000), ref: 004822D7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00458910, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64 Total matches: 3020window

Similarity

Total matches: 3020
API ID: GetWindowLongScreenToClient$GetWindowPlacementGetWindowRectIsIconic
String ID: ,
API String ID: 816554555-3772416878
Opcode ID: 33713ad712eb987f005f3c933c072ce84ce87073303cb20338137d5b66c4d54f
Instruction ID: 99fb2dd3f2d8984d329dcc6a20dc6bc7800d43894b91fc45d581d88d3a180e50
Opcode Fuzzy Hash: 34E0929A777C2018C58145A80943F5DB3519B5B7FAC55DF8036902895B110018B1B86D
Instruction Fuzzy Hash: 99fb2dd3f2d8984d329dcc6a20dc6bc7800d43894b91fc45d581d88d3a180e50

APIs

IsIconic.USER32(?), ref: 0045891F
GetWindowPlacement.USER32(?,0000002C), ref: 0045893C
GetWindowRect.USER32(?), ref: 00458955
GetWindowLongA.USER32(?,000000F0), ref: 00458963
GetWindowLongA.USER32(?,000000F8), ref: 00458978
ScreenToClient.USER32(00000000), ref: 00458985
ScreenToClient.USER32(00000000,?), ref: 00458990

Strings

,, xrefs: 00458928

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043B7D8, Relevance: 12.1, APIs: 8, Instructions: 72 Total matches: 256window

Similarity

Total matches: 256
API ID: ShowWindow$SetWindowLong$GetWindowLongIsIconicIsWindowVisible
String ID:
API String ID: 1329766111-0
Opcode ID: 851ee31c2da1c7e890e66181f8fd9237c67ccb8fd941b2d55d1428457ca3ad95
Instruction ID: 2d601e2c9dde570a1438639cb57e59d23a7ac9434ebe8ec1c9926e4533b8e8e7
Opcode Fuzzy Hash: FEE0684A6E7C6CE4E26AE7048881B00514BE307A17DC00B00C722165A69E8830E4AC8E
Instruction Fuzzy Hash: 2d601e2c9dde570a1438639cb57e59d23a7ac9434ebe8ec1c9926e4533b8e8e7

APIs

GetWindowLongA.USER32(?,000000EC), ref: 0043B7E8
IsIconic.USER32(?), ref: 0043B800
IsWindowVisible.USER32(?), ref: 0043B80C
ShowWindow.USER32(?,00000000), ref: 0043B840
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B855
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B866
ShowWindow.USER32(?,00000006), ref: 0043B881
ShowWindow.USER32(?,00000005), ref: 0043B88B

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004389B4, Relevance: 10.9, APIs: 7, Instructions: 405 Total matches: 2150windowCrypto

Similarity

Total matches: 2150
API ID: RestoreDCSaveDC$DefWindowProcGetSubMenuGetWindowDC
String ID:
API String ID: 4165311318-0
Opcode ID: e3974ea3235f2bde98e421c273a503296059dbd60f3116d5136c6e7e7c4a4110
Instruction ID: 37498faecac08611daeb58a409bdd2e28f3aff22c71556953c3d6c7203dc42a1
Opcode Fuzzy Hash: E351598106AE105BFCB3A49435C3FA31002E75259BCC9F7725F65B69F70A426107FA0E
Instruction Fuzzy Hash: 37498faecac08611daeb58a409bdd2e28f3aff22c71556953c3d6c7203dc42a1

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 00438ECA

Part of subcall function 00437AE0: SendMessageA.USER32(?,00000234,00000000,00000000), ref: 00437B66
Part of subcall function 00437AE0: DrawMenuBar.USER32(00000000), ref: 00437B77

GetSubMenu.USER32(?,?), ref: 00438AB0

Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128

SaveDC.GDI32(?), ref: 00438C84
RestoreDC.GDI32(?,?), ref: 00438CF8
GetWindowDC.USER32(?), ref: 00438D72
SaveDC.GDI32(?), ref: 00438DA9
RestoreDC.GDI32(?,?), ref: 00438E16

Part of subcall function 00438594: GetMenuItemCount.USER32(?), ref: 004385C0
Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 004385E0
Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 00438678

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043E644, Relevance: 10.9, APIs: 7, Instructions: 356 Total matches: 105windowCrypto

Similarity

Total matches: 105
API ID: RestoreDCSaveDC$GetParentGetWindowDCSetFocus
String ID:
API String ID: 1433148327-0
Opcode ID: c7c51054c34f8cc51c1d37cc0cdfc3fb3cac56433bd5d750a0ee7df42f9800ec
Instruction ID: 9e67841575b56d9a11e2d3f15b67e7abce699d8469a9871b1b2609441fc85f19
Opcode Fuzzy Hash: 60514740199E7193F47720842BC3BEAB09AF79671DC40F3616BC6318877F15A21AB70B
Instruction Fuzzy Hash: 9e67841575b56d9a11e2d3f15b67e7abce699d8469a9871b1b2609441fc85f19

APIs

Part of subcall function 00448224: SetActiveWindow.USER32(?), ref: 0044823F
Part of subcall function 00448224: SetFocus.USER32(00000000), ref: 00448289

SetFocus.USER32(00000000), ref: 0043E76F

Part of subcall function 0043F4F4: SendMessageA.USER32(00000000,00000229,00000000,00000000), ref: 0043F51B

Part of subcall function 0044D2F4: GetWindowThreadProcessId.USER32(?), ref: 0044D301
Part of subcall function 0044D2F4: GetCurrentProcessId.KERNEL32(?,00000000,?,004387ED,?,004378A9), ref: 0044D30A
Part of subcall function 0044D2F4: GlobalFindAtomA.KERNEL32(00000000), ref: 0044D31F
Part of subcall function 0044D2F4: GetPropA.USER32(?,00000000), ref: 0044D336

GetParent.USER32(?), ref: 0043E78A

Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128

SaveDC.GDI32(?), ref: 0043E92D
RestoreDC.GDI32(?,?), ref: 0043E99E
GetWindowDC.USER32(00000000), ref: 0043EA0A
SaveDC.GDI32(?), ref: 0043EA41
RestoreDC.GDI32(?,?), ref: 0043EAA5

Part of subcall function 00447EF0: InvalidateRect.USER32(00000000,00000000,000000FF), ref: 00447F83
Part of subcall function 00447EF0: InvalidateRect.USER32(00000000,00000000,000000FF), ref: 00447FB6

Part of subcall function 004556F4: SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000077), ref: 004557E5
Part of subcall function 004556F4: _TrackMouseEvent.COMCTL32(00000010), ref: 00455A9D
Part of subcall function 004556F4: DefWindowProcA.USER32(00000000,?,?,?), ref: 00455AEF
Part of subcall function 004556F4: GetCapture.USER32 ref: 00455B5A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00471850, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 97 Total matches: 34service

Similarity

Total matches: 34
API ID: CloseServiceHandle$CreateServiceOpenSCManager
String ID: Description$System\CurrentControlSet\Services\
API String ID: 2405299899-3489731058
Opcode ID: 96e252074fe1f6aca618bd4c8be8348df4b99afc93868a54bf7090803d280f0a
Instruction ID: 14b9cf690ce9596509c6229b802a5a61d158de39c8e329de654368bbb4824ff8
Opcode Fuzzy Hash: 7EF09E441FA6E84FA45EB84828533D651465713A78D4C77F19778379C34E84802EF662
Instruction Fuzzy Hash: 14b9cf690ce9596509c6229b802a5a61d158de39c8e329de654368bbb4824ff8

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,00471976,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00471890
CreateServiceA.ADVAPI32(00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,0047193B), ref: 004718D1

Part of subcall function 004711E8: RegCreateKeyA.ADVAPI32(?,00000000,?), ref: 0047122E
Part of subcall function 004711E8: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000002,00000000,?,00000000,00471291), ref: 0047125A
Part of subcall function 004711E8: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000002,00000000,?,00000000,00471291), ref: 00471269

CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00471926
CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0047192C

Strings

Description, xrefs: 00471916
System\CurrentControlSet\Services\, xrefs: 004718F7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004714B8, Relevance: 10.6, APIs: 7, Instructions: 89 Total matches: 71service

Similarity

Total matches: 71
API ID: CloseServiceHandle$ControlServiceOpenSCManagerOpenServiceQueryServiceStatusStartService
String ID:
API String ID: 3657116338-0
Opcode ID: 1e9d444eec48d0e419340f6fec950ff588b94c8e7592a950f99d2ba7664d31f8
Instruction ID: f731b938185626ba78ad74946a73eac4c40bc8709c87a2b6d5c22da45b1e1850
Opcode Fuzzy Hash: EDF0270D12C6E85FF119A88C1181B67D992DF56795E4A37E04715744CB1AE21008FA1E
Instruction Fuzzy Hash: f731b938185626ba78ad74946a73eac4c40bc8709c87a2b6d5c22da45b1e1850

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047159E), ref: 004714FD
OpenServiceA.ADVAPI32(00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047152D
StartServiceA.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471555
ControlService.ADVAPI32(00000000,00000001,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471563
QueryServiceStatus.ADVAPI32(00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047156D
CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471573
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471579

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A070, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51 Total matches: 81shutdown

Similarity

Total matches: 81
API ID: AdjustTokenPrivilegesExitWindowsExGetCurrentProcessLookupPrivilegeValueOpenProcessToken
String ID: SeShutdownPrivilege
API String ID: 907618230-3733053543
Opcode ID: 6325c351eeb4cc5a7ec0039467aea46e8b54e3429b17674810d590d1af91e24f
Instruction ID: 66577e1e564058a64f67eda116e8e082f314cb3670dbe1b8773e92ba7f33d392
Opcode Fuzzy Hash: 84D0124D3B7976B1F31D5D4001C47A6711FDBA322AD61670069507725A8DA091F4BE88
Instruction Fuzzy Hash: 66577e1e564058a64f67eda116e8e082f314cb3670dbe1b8773e92ba7f33d392

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 0048A083
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0048A089
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000000), ref: 0048A0A4
AdjustTokenPrivileges.ADVAPI32(00000002,00000000,00000002,00000010,?,?,00000000), ref: 0048A0E5
ExitWindowsEx.USER32(00000012,00000000), ref: 0048A0ED

Strings

SeShutdownPrivilege, xrefs: 0048A09D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004715B0, Relevance: 7.5, APIs: 5, Instructions: 49 Total matches: 102service

Similarity

Total matches: 102
API ID: CloseServiceHandle$DeleteServiceOpenSCManagerOpenService
String ID:
API String ID: 3460840894-0
Opcode ID: edfa3289dfdb26ec1f91a4a945de349b204e0a604ed3354c303b362bde8b8223
Instruction ID: 514bcffe4070602af344c66095507f6a8d55ec3e3e7bb18c804bf3b7deea95f5
Opcode Fuzzy Hash: 01D02E841BA8F82FD4879988111239360C1AA23A90D8A37F08E08361D3ABE4004CF86A
Instruction Fuzzy Hash: 514bcffe4070602af344c66095507f6a8d55ec3e3e7bb18c804bf3b7deea95f5

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047162F), ref: 004715DB
OpenServiceA.ADVAPI32(00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 004715F5
DeleteService.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471601
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 0047160E
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471614

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474D58, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 57 Total matches: 14memoryinjection

Similarity

Total matches: 14
API ID: VirtualAllocExWriteProcessMemory
String ID: DCPERSFWBP$[FILE]
API String ID: 1899012086-3297815924
Opcode ID: 423b64deca3bc68d45fc180ef4fe9512244710ab636da43375ed106f5e876429
Instruction ID: 67bfdac44fec7567ab954589a4a4ae8848f6352de5e33de26bc6a5b7174d46b5
Opcode Fuzzy Hash: 4BD02B4149BDE17FF94C78C4A85678341A7D3173DCE802F51462633086CD94147EFCA2
Instruction Fuzzy Hash: 67bfdac44fec7567ab954589a4a4ae8848f6352de5e33de26bc6a5b7174d46b5

APIs

VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?,00000000,00000000,00000000,?,004755A7), ref: 00474D98
WriteProcessMemory.KERNEL32(?,00000000,kernel32.dll,?,?,?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?), ref: 00474DBE

Strings

DCPERSFWBP, xrefs: 00474D63
kernel32.dll, xrefs: 00474DBB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00466038, Relevance: 6.1, APIs: 4, Instructions: 80 Total matches: 74memory

Similarity

Total matches: 74
API ID: FreeLibraryGetProcessHeapHeapFreeVirtualFree
String ID:
API String ID: 3842653680-0
Opcode ID: 18c634abe08efcbefc55c9db1d620b030a08f63fe7277eb6ecf1dfb863243027
Instruction ID: c74000fe1f08e302fb3e428a7eb38cba65dd626a731774cc3da5921c0d19fb8b
Opcode Fuzzy Hash: 05E06801058482C6E4EC38C40607F0867817F8B269D70AB2809F62E7F7C985A25D5E80
Instruction Fuzzy Hash: c74000fe1f08e302fb3e428a7eb38cba65dd626a731774cc3da5921c0d19fb8b

APIs

FreeLibrary.KERNEL32(00000000,?,?,00000000,?,00000000,00465C6C), ref: 004660A7
VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,?,00000000,00465C6C), ref: 004660D8
GetProcessHeap.KERNEL32(00000000,?,?,?,00000000,?,00000000,00465C6C), ref: 004660E0
HeapFree.KERNEL32(00000000,00000000,?), ref: 004660E6

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A218, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45 Total matches: 35

Similarity

Total matches: 35
API ID: ShellExecuteEx
String ID: <$runas
API String ID: 188261505-1187129395
Opcode ID: 78fd917f465efea932f782085a819b786d64ecbded851ad2becd4a9c2b295cba
Instruction ID: 699417cfffd9d2823bf050fc300394e0ca4864bf277244f982f3937778f2d3bc
Opcode Fuzzy Hash: 44D0C2651799A06BC4A3B2C03C41B2B25307B13B48C0EB722960034CD38F080009EF85
Instruction Fuzzy Hash: 699417cfffd9d2823bf050fc300394e0ca4864bf277244f982f3937778f2d3bc

APIs

ShellExecuteExA.SHELL32(0000003C,00000000,0048A2A4), ref: 0048A283

Strings

runas, xrefs: 0048A268
<, xrefs: 0048A24C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00471640, Relevance: 4.6, APIs: 3, Instructions: 140 Total matches: 47service

Similarity

Total matches: 47
API ID: CloseServiceHandleEnumServicesStatusOpenSCManager
String ID:
API String ID: 233299287-0
Opcode ID: 185c547a2e6a35dbb7ea54b3dd23c7efef250d35a63269c87f9c499be03b9b38
Instruction ID: 4325fe5331610a1e4ee3b19dd885bf5302e7ab4f054d8126da991c50fe425a8d
Opcode Fuzzy Hash: D3112647077BC223FB612D841803F8279D84B1AA24F8C4B458BB5BC6F61E490105F69D
Instruction Fuzzy Hash: 4325fe5331610a1e4ee3b19dd885bf5302e7ab4f054d8126da991c50fe425a8d

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000005,00000000,00471828), ref: 004716A2
EnumServicesStatusA.ADVAPI32(00000000,0000013F,00000003,?,00004800,?,?,?), ref: 004716DC

Part of subcall function 004714B8: OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047159E), ref: 004714FD
Part of subcall function 004714B8: OpenServiceA.ADVAPI32(00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047152D
Part of subcall function 004714B8: StartServiceA.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471555
Part of subcall function 004714B8: ControlService.ADVAPI32(00000000,00000001,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471563
Part of subcall function 004714B8: QueryServiceStatus.ADVAPI32(00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047156D
Part of subcall function 004714B8: CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471573
Part of subcall function 004714B8: CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471579

CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000005,00000000,00471828), ref: 00471805

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042F204, Relevance: 166.5, APIs: 48, Strings: 47, Instructions: 266 Total matches: 2590libraryloader

Similarity

Total matches: 2590
API ID: GetProcAddress$LoadLibrary
String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$[FILE]
API String ID: 2209490600-790253602
Opcode ID: d5b316937265a1d63c550ac9e6780b23ae603b9b00a4eb52bbd2495b45327185
Instruction ID: cdd6db89471e363eb0c024dafd59dce8bdfa3de864d9ed8bc405e7c292d3cab1
Opcode Fuzzy Hash: 3A41197F44EC1149F6A0DA0830FF64324E669EAF2C0325F101587303717ADBF52A6AB9
Instruction Fuzzy Hash: cdd6db89471e363eb0c024dafd59dce8bdfa3de864d9ed8bc405e7c292d3cab1

APIs

LoadLibraryA.KERNEL32(uxtheme.dll), ref: 0042F23A
GetProcAddress.KERNEL32(00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F252
GetProcAddress.KERNEL32(00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F264
GetProcAddress.KERNEL32(00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F276
GetProcAddress.KERNEL32(00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F288
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F29A
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F2AC
GetProcAddress.KERNEL32(00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000), ref: 0042F2BE
GetProcAddress.KERNEL32(00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData), ref: 0042F2D0
GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData), ref: 0042F2E2
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground), ref: 0042F2F4
GetProcAddress.KERNEL32(00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText), ref: 0042F306
GetProcAddress.KERNEL32(00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect), ref: 0042F318
GetProcAddress.KERNEL32(00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect), ref: 0042F32A
GetProcAddress.KERNEL32(00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize), ref: 0042F33C
GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent), ref: 0042F34E
GetProcAddress.KERNEL32(00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics), ref: 0042F360
GetProcAddress.KERNEL32(00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion), ref: 0042F372
GetProcAddress.KERNEL32(00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground), ref: 0042F384
GetProcAddress.KERNEL32(00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge), ref: 0042F396
GetProcAddress.KERNEL32(00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon), ref: 0042F3A8
GetProcAddress.KERNEL32(00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined), ref: 0042F3BA
GetProcAddress.KERNEL32(00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent), ref: 0042F3CC
GetProcAddress.KERNEL32(00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor), ref: 0042F3DE
GetProcAddress.KERNEL32(00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric), ref: 0042F3F0
GetProcAddress.KERNEL32(00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString), ref: 0042F402
GetProcAddress.KERNEL32(00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool), ref: 0042F414
GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt), ref: 0042F426
GetProcAddress.KERNEL32(00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue), ref: 0042F438
GetProcAddress.KERNEL32(00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition), ref: 0042F44A
GetProcAddress.KERNEL32(00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont), ref: 0042F45C
GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect), ref: 0042F46E
GetProcAddress.KERNEL32(00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins), ref: 0042F480
GetProcAddress.KERNEL32(00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList), ref: 0042F492
GetProcAddress.KERNEL32(00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin), ref: 0042F4A4
GetProcAddress.KERNEL32(00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme), ref: 0042F4B6
GetProcAddress.KERNEL32(00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename), ref: 0042F4C8
GetProcAddress.KERNEL32(00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor), ref: 0042F4DA
GetProcAddress.KERNEL32(00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush), ref: 0042F4EC
GetProcAddress.KERNEL32(00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool), ref: 0042F4FE
GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize), ref: 0042F510
GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont), ref: 0042F522
GetProcAddress.KERNEL32(00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString), ref: 0042F534
GetProcAddress.KERNEL32(00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt), ref: 0042F546
GetProcAddress.KERNEL32(00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive), ref: 0042F558
GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed), ref: 0042F56A
GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground,00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme), ref: 0042F57C
GetProcAddress.KERNEL32(00000000,EnableTheming,00000000,DrawThemeParentBackground,00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture), ref: 0042F58E

Strings

EnableTheming, xrefs: 0042F586
CloseThemeData, xrefs: 0042F25C
DrawThemeText, xrefs: 0042F280
GetThemePosition, xrefs: 0042F3C4
IsThemeBackgroundPartiallyTransparent, xrefs: 0042F346
GetThemeBool, xrefs: 0042F38E
GetThemeTextMetrics, xrefs: 0042F2DA
IsThemeDialogTextureEnabled, xrefs: 0042F51A
GetThemeMetric, xrefs: 0042F36A
GetThemeSysInt, xrefs: 0042F4C0
GetThemeInt, xrefs: 0042F3A0
SetThemeAppProperties, xrefs: 0042F53E
IsAppThemed, xrefs: 0042F4E4
EnableThemeDialogTexture, xrefs: 0042F508
GetThemeEnumValue, xrefs: 0042F3B2
GetThemeSysSize, xrefs: 0042F48A
GetThemeTextExtent, xrefs: 0042F2C8
DrawThemeBackground, xrefs: 0042F26E
GetThemeBackgroundRegion, xrefs: 0042F2EC
IsThemeActive, xrefs: 0042F4D2
GetThemeBackgroundContentRect, xrefs: 0042F292, 0042F2A4
uxtheme.dll, xrefs: 0042F235
GetThemeSysString, xrefs: 0042F4AE
DrawThemeEdge, xrefs: 0042F310
GetThemeFilename, xrefs: 0042F442
GetThemeIntList, xrefs: 0042F40C
GetThemeSysBool, xrefs: 0042F478
GetThemeSysColor, xrefs: 0042F454
GetThemeFont, xrefs: 0042F3D6
GetWindowTheme, xrefs: 0042F4F6
GetThemeMargins, xrefs: 0042F3FA
GetThemeSysColorBrush, xrefs: 0042F466
GetCurrentThemeName, xrefs: 0042F550
GetThemeAppProperties, xrefs: 0042F52C
GetThemePropertyOrigin, xrefs: 0042F41E
OpenThemeData, xrefs: 0042F24A
GetThemeSysFont, xrefs: 0042F49C
GetThemeRect, xrefs: 0042F3E8
GetThemeDocumentationProperty, xrefs: 0042F562
IsThemePartDefined, xrefs: 0042F334
SetWindowTheme, xrefs: 0042F430
GetThemePartSize, xrefs: 0042F2B6
GetThemeColor, xrefs: 0042F358
DrawThemeParentBackground, xrefs: 0042F574
DrawThemeIcon, xrefs: 0042F322
GetThemeString, xrefs: 0042F37C
HitTestThemeBackground, xrefs: 0042F2FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004754C4, Relevance: 87.7, APIs: 29, Strings: 21, Instructions: 233 Total matches: 21libraryloaderprocess

Similarity

Total matches: 21
API ID: GetModuleHandleGetProcAddress$CreateProcess
String ID: CloseHandle$CreateMutexA$CreateProcessA$D$DCPERSFWBP$ExitThread$GetExitCodeProcess$GetLastError$GetProcAddress$LoadLibraryA$MessageBoxA$OpenProcess$SetLastError$Sleep$TerminateProcess$WaitForSingleObject$kernel32$[FILE]$notepad$user32$[FILE]
API String ID: 3751337051-3523759359
Opcode ID: 948186da047cc935dcd349cc6fe59913c298c2f7fe37e158e253dfef2729ac1f
Instruction ID: 4cc698827aad1f96db961776656dbb42e561cfa105640199e72939f2d3a7da76
Opcode Fuzzy Hash: 0C31B4E666B8F349E6362E4830D46BC26C1A687F3DB52D7004A37B27C46E810407F776
Instruction Fuzzy Hash: 4cc698827aad1f96db961776656dbb42e561cfa105640199e72939f2d3a7da76

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 00475590

Part of subcall function 00474D58: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?,00000000,00000000,00000000,?,004755A7), ref: 00474D98
Part of subcall function 00474D58: WriteProcessMemory.KERNEL32(?,00000000,kernel32.dll,?,?,?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?), ref: 00474DBE

GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756B4
GetProcAddress.KERNEL32(00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756BA
GetModuleHandleA.KERNEL32(kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756CB
GetProcAddress.KERNEL32(00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756D1
GetModuleHandleA.KERNEL32(kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756E3
GetProcAddress.KERNEL32(00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 004756E9
GetModuleHandleA.KERNEL32(user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 004756FB
GetProcAddress.KERNEL32(00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 00475701
GetModuleHandleA.KERNEL32(kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 00475713
GetProcAddress.KERNEL32(00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000), ref: 00475719
GetModuleHandleA.KERNEL32(kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32), ref: 0047572B
GetProcAddress.KERNEL32(00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000), ref: 00475731
GetModuleHandleA.KERNEL32(kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32), ref: 00475743
GetProcAddress.KERNEL32(00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000), ref: 00475749
GetModuleHandleA.KERNEL32(kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32), ref: 0047575B
GetProcAddress.KERNEL32(00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000), ref: 00475761
GetModuleHandleA.KERNEL32(kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32), ref: 00475773
GetProcAddress.KERNEL32(00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000), ref: 00475779
GetModuleHandleA.KERNEL32(kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32), ref: 0047578B
GetProcAddress.KERNEL32(00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000), ref: 00475791
GetModuleHandleA.KERNEL32(kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32), ref: 004757A3
GetProcAddress.KERNEL32(00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000), ref: 004757A9
GetModuleHandleA.KERNEL32(kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32), ref: 004757BB
GetProcAddress.KERNEL32(00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000), ref: 004757C1
GetModuleHandleA.KERNEL32(kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32), ref: 004757D3
GetProcAddress.KERNEL32(00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000), ref: 004757D9
GetModuleHandleA.KERNEL32(kernel32,OpenProcess,00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32), ref: 004757EB
GetProcAddress.KERNEL32(00000000,kernel32,OpenProcess,00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000), ref: 004757F1

Part of subcall function 00474E20: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00474E5E
Part of subcall function 00474E20: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00474E6E
Part of subcall function 00474E20: ReadProcessMemory.KERNEL32(?,00000000,?,?,?,DCPERSFWBP,?,?), ref: 00474E81

Part of subcall function 0040F234: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0048F90F,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040F24B

Strings

ExitThread, xrefs: 00475622, 00475799
kernel32, xrefs: 004756AF, 004756C6, 004756DE, 0047570E, 00475726, 0047573E, 00475756, 0047576E, 00475786, 0047579E, 004757B6, 004757CE, 004757E6
GetProcAddress, xrefs: 004756C1
TerminateProcess, xrefs: 0047564C, 004757B1
notepad, xrefs: 00475543
CreateMutexA, xrefs: 00475604, 00475769
kernel32.dll, xrefs: 0047559B
user32.dll, xrefs: 004755AA
SetLastError, xrefs: 004755F5, 00475751
D, xrefs: 00475517
DCPERSFWBP, xrefs: 00475563
Sleep, xrefs: 004755B9, 004756D9
GetExitCodeProcess, xrefs: 0047565B, 00475781
user32, xrefs: 004756F6
WaitForSingleObject, xrefs: 0047567E, 004757C9
LoadLibraryA, xrefs: 004756AA
OpenProcess, xrefs: 00475631, 004757E1
MessageBoxA, xrefs: 004755C8, 004756F1
CreateProcessA, xrefs: 004755D7, 00475721
GetLastError, xrefs: 004755E6, 00475739
CloseHandle, xrefs: 00475613, 00475709

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00460DDC, Relevance: 75.4, APIs: 24, Strings: 19, Instructions: 132 Total matches: 77libraryloader

Similarity

Total matches: 77
API ID: GetProcAddress$LoadLibrary
String ID: EmptyWorkingSet$EnumDeviceDrivers$EnumProcessModules$EnumProcesses$GetDeviceDriverBaseNameA$GetDeviceDriverBaseNameW$GetDeviceDriverFileNameA$GetDeviceDriverFileNameW$GetMappedFileNameA$GetMappedFileNameW$GetModuleBaseNameA$GetModuleBaseNameW$GetModuleFileNameExA$GetModuleFileNameExW$GetModuleInformation$GetProcessMemoryInfo$InitializeProcessForWsWatch$[FILE]$QueryWorkingSet
API String ID: 2209490600-4166134900
Opcode ID: aaefed414f62a40513f9ac2234ba9091026a29d00b8defe743cdf411cc1f958a
Instruction ID: 585c55804eb58d57426aaf25b5bf4c27b161b10454f9e43d23d5139f544de849
Opcode Fuzzy Hash: CC1125BF55AD1149CBA48A6C34EF70324D3399A90D4228F10A492317397DDFE49A1FB5
Instruction Fuzzy Hash: 585c55804eb58d57426aaf25b5bf4c27b161b10454f9e43d23d5139f544de849

APIs

LoadLibraryA.KERNEL32(PSAPI.dll), ref: 00460DF0
GetProcAddress.KERNEL32(00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E0C
GetProcAddress.KERNEL32(00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E1E
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E30
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E42
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E54
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E66
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll), ref: 00460E78
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses), ref: 00460E8A
GetProcAddress.KERNEL32(00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules), ref: 00460E9C
GetProcAddress.KERNEL32(00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA), ref: 00460EAE
GetProcAddress.KERNEL32(00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA), ref: 00460EC0
GetProcAddress.KERNEL32(00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA), ref: 00460ED2
GetProcAddress.KERNEL32(00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA), ref: 00460EE4
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW), ref: 00460EF6
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW), ref: 00460F08
GetProcAddress.KERNEL32(00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation), ref: 00460F1A
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet), ref: 00460F2C
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet), ref: 00460F3E
GetProcAddress.KERNEL32(00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch), ref: 00460F50
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA), ref: 00460F62
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA), ref: 00460F74
GetProcAddress.KERNEL32(00000000,EnumDeviceDrivers,00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA), ref: 00460F86
GetProcAddress.KERNEL32(00000000,GetProcessMemoryInfo,00000000,EnumDeviceDrivers,00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA), ref: 00460F98

Strings

GetDeviceDriverFileNameA, xrefs: 00460F00, 00460F36
GetModuleInformation, xrefs: 00460E94
QueryWorkingSet, xrefs: 00460EB8
EnumProcessModules, xrefs: 00460E16
InitializeProcessForWsWatch, xrefs: 00460ECA
GetMappedFileNameA, xrefs: 00460EDC, 00460F12
GetDeviceDriverFileNameW, xrefs: 00460F6C
GetDeviceDriverBaseNameA, xrefs: 00460EEE, 00460F24
PSAPI.dll, xrefs: 00460DEB
EnumProcesses, xrefs: 00460E04
EnumDeviceDrivers, xrefs: 00460F7E
GetModuleBaseNameA, xrefs: 00460E28, 00460E4C
GetModuleFileNameExA, xrefs: 00460E3A, 00460E5E
GetDeviceDriverBaseNameW, xrefs: 00460F5A
EmptyWorkingSet, xrefs: 00460EA6
GetModuleFileNameExW, xrefs: 00460E82
GetModuleBaseNameW, xrefs: 00460E70
GetMappedFileNameW, xrefs: 00460F48
GetProcessMemoryInfo, xrefs: 00460F90

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474F80, Relevance: 68.4, APIs: 23, Strings: 16, Instructions: 193 Total matches: 16libraryloaderprocess

Similarity

Total matches: 16
API ID: GetModuleHandleGetProcAddress$CreateProcess
String ID: CloseHandle$D$DeleteFileA$ExitThread$GetExitCodeProcess$GetLastError$GetProcAddress$LoadLibraryA$MessageBoxA$OpenProcess$Sleep$TerminateProcess$kernel32$[FILE]$notepad$[FILE]
API String ID: 3751337051-1992750546
Opcode ID: f3e5bd14b9eca4547e1d82111e60eaf505a3b72a2acd12d9f4d60f775fac33f7
Instruction ID: 521cd1f5f1d68558a350981a4af58b67496248f6491df8a54ee4dd11dd84c66b
Opcode Fuzzy Hash: 6C21A7BE2678E349F6766E1834D567C2491BA46A38B4AEB010237376C44F91000BFF76
Instruction Fuzzy Hash: 521cd1f5f1d68558a350981a4af58b67496248f6491df8a54ee4dd11dd84c66b

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0047500B

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

Part of subcall function 00474D58: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?,00000000,00000000,00000000,?,004755A7), ref: 00474D98
Part of subcall function 00474D58: WriteProcessMemory.KERNEL32(?,00000000,kernel32.dll,?,?,?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?), ref: 00474DBE

GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000,00475246), ref: 0047511C
GetProcAddress.KERNEL32(00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000,00475246), ref: 00475122
GetModuleHandleA.KERNEL32(kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000), ref: 00475133
GetProcAddress.KERNEL32(00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 00475139
GetModuleHandleA.KERNEL32(kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000), ref: 0047514B
GetProcAddress.KERNEL32(00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000), ref: 00475151
GetModuleHandleA.KERNEL32(kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000), ref: 00475163
GetProcAddress.KERNEL32(00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000), ref: 00475169
GetModuleHandleA.KERNEL32(kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000), ref: 0047517B
GetProcAddress.KERNEL32(00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000), ref: 00475181
GetModuleHandleA.KERNEL32(kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32), ref: 00475193
GetProcAddress.KERNEL32(00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000), ref: 00475199
GetModuleHandleA.KERNEL32(kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32), ref: 004751AB
GetProcAddress.KERNEL32(00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000), ref: 004751B1
GetModuleHandleA.KERNEL32(kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32), ref: 004751C3
GetProcAddress.KERNEL32(00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000), ref: 004751C9
GetModuleHandleA.KERNEL32(kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32), ref: 004751DB
GetProcAddress.KERNEL32(00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000), ref: 004751E1
GetModuleHandleA.KERNEL32(kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32), ref: 004751F3
GetProcAddress.KERNEL32(00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000), ref: 004751F9
GetModuleHandleA.KERNEL32(kernel32,GetExitCodeProcess,00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32), ref: 0047520B
GetProcAddress.KERNEL32(00000000,kernel32,GetExitCodeProcess,00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000), ref: 00475211

Part of subcall function 00474E20: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00474E5E
Part of subcall function 00474E20: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00474E6E
Part of subcall function 00474E20: ReadProcessMemory.KERNEL32(?,00000000,?,?,?,DCPERSFWBP,?,?), ref: 00474E81

Part of subcall function 0040F234: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0048F90F,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040F24B

Strings

DeleteFileA, xrefs: 0047509B, 00475189
user32.dll, xrefs: 0047505F
LoadLibraryA, xrefs: 00475112
Sleep, xrefs: 0047506E, 00475141
notepad, xrefs: 00475025
OpenProcess, xrefs: 004750D7, 004751E9
kernel32.dll, xrefs: 00475050
GetProcAddress, xrefs: 00475129
ExitThread, xrefs: 0047508C, 00475171
TerminateProcess, xrefs: 004750B9, 004751B9
kernel32, xrefs: 00475117, 0047512E, 00475146, 0047515E, 00475176, 0047518E, 004751A6, 004751BE, 004751D6, 004751EE, 00475206
MessageBoxA, xrefs: 0047507D, 00475159
CloseHandle, xrefs: 004750C8, 004751D1
GetLastError, xrefs: 004750AA, 004751A1
GetExitCodeProcess, xrefs: 004750E6, 00475201
D, xrefs: 00474FC9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045D6E8, Relevance: 49.1, APIs: 15, Strings: 13, Instructions: 95 Total matches: 1532libraryloader

Similarity

Total matches: 1532
API ID: GetProcAddress$SetErrorMode$GetModuleHandleLoadLibrary
String ID: ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME$[FILE]
API String ID: 4285671783-683095915
Opcode ID: 6332f91712b4189a2fbf9eac54066364acf4b46419cf90587b9f7381acad85db
Instruction ID: 372e34bc737a7edc69a1909bd40661afaf820c1de602df88552da6e630419b72
Opcode Fuzzy Hash: 0A01257F24D863CBD2D0CE4934DB39D20B65787C0C8D6DF404605318697F9BF9295A68
Instruction Fuzzy Hash: 372e34bc737a7edc69a1909bd40661afaf820c1de602df88552da6e630419b72

APIs

SetErrorMode.KERNEL32(00008000), ref: 0045D701
GetModuleHandleA.KERNEL32(USER32,00000000,0045D84E,?,00008000), ref: 0045D725
GetProcAddress.KERNEL32(00000000,WINNLSEnableIME,USER32,00000000,0045D84E,?,00008000), ref: 0045D732
LoadLibraryA.KERNEL32(imm32.dll), ref: 0045D74E
GetProcAddress.KERNEL32(00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D770
GetProcAddress.KERNEL32(00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D785
GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D79A
GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7AF
GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7C4
GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E), ref: 0045D7D9
GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000), ref: 0045D7EE
GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext), ref: 0045D803
GetProcAddress.KERNEL32(00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext), ref: 0045D818
GetProcAddress.KERNEL32(00000000,ImmNotifyIME,00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus), ref: 0045D82D
SetErrorMode.KERNEL32(?,0045D855,00008000), ref: 0045D848

Strings

USER32, xrefs: 0045D720
ImmReleaseContext, xrefs: 0045D77A
ImmNotifyIME, xrefs: 0045D822
ImmIsIME, xrefs: 0045D80D
ImmGetConversionStatus, xrefs: 0045D78F
ImmSetCompositionFontA, xrefs: 0045D7E3
ImmGetCompositionStringA, xrefs: 0045D7F8
ImmSetCompositionWindow, xrefs: 0045D7CE
ImmGetContext, xrefs: 0045D765
imm32.dll, xrefs: 0045D749
ImmSetOpenStatus, xrefs: 0045D7B9
WINNLSEnableIME, xrefs: 0045D72C
ImmSetConversionStatus, xrefs: 0045D7A4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004104F0, Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141 Total matches: 3143

Similarity

Total matches: 3143
API ID: GetModuleHandle
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$[FILE]
API String ID: 2196120668-1102361026
Opcode ID: d04b3c176625d43589df9c4c1eaa1faa8af9b9c00307a8a09859a0e62e75f2dc
Instruction ID: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6
Opcode Fuzzy Hash: B8119E48E06A10BC356E3ED6B0292683F50A1A7CBF31D5388487AA46F067C083C0FF2D
Instruction Fuzzy Hash: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 004104F9

Part of subcall function 004104C4: GetProcAddress.KERNEL32(00000000), ref: 004104DD

Strings

VarMod, xrefs: 004105B7
VarBstrFromCy, xrefs: 004106A9
VarBstrFromBool, xrefs: 004106D5
VarAnd, xrefs: 004105CD
VarDateFromStr, xrefs: 00410667
oleaut32.dll, xrefs: 004104F4
VariantChangeTypeEx, xrefs: 00410507
VarCmp, xrefs: 0041060F
VarBstrFromDate, xrefs: 004106BF
VarBoolFromStr, xrefs: 00410693
VarR8FromStr, xrefs: 00410651
VarR4FromStr, xrefs: 0041063B
VarDiv, xrefs: 0041058B
VarSub, xrefs: 0041055F
VarNeg, xrefs: 0041051D
VarAdd, xrefs: 00410549
VarOr, xrefs: 004105E3
VarMul, xrefs: 00410575
VarI4FromStr, xrefs: 00410625
VarCyFromStr, xrefs: 0041067D
VarIdiv, xrefs: 004105A1
VarXor, xrefs: 004105F9
VarNot, xrefs: 00410533

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047EE3C, Relevance: 37.0, APIs: 10, Strings: 11, Instructions: 210 Total matches: 14file

Similarity

Total matches: 14
API ID: ShellExecute$CopyFile$DeleteFilePlaySoundSetFileAttributes
String ID: .dcp$BATCH$EDITSVR$GENCODE$HOSTS$SOUND$UPANDEXEC$UPDATE$UPLOADEXEC$drivers\etc\hosts$open
API String ID: 313780579-486951257
Opcode ID: 44d22e170a376e2c3ac9494fe8a96a526e5340482cd9b2ca1a65bf3f31ad22f8
Instruction ID: 609fd5320f3736894535b51981f95e3d4faf5b0f44a63c85dacee75dc97e5f91
Opcode Fuzzy Hash: 482159C03AA5D247E11B38503C02FC671E1AB8B365C4E774182B9B32D6EF825029EF59
Instruction Fuzzy Hash: 609fd5320f3736894535b51981f95e3d4faf5b0f44a63c85dacee75dc97e5f91

APIs

ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EEA0
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF11
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EF31
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF60

Part of subcall function 00475BD8: closesocket.WSOCK32(00000248,00000000,00475D47,?,00000000,00475D76,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00475D2E
Part of subcall function 00475BD8: GetCurrentProcessId.KERNEL32(00000248,00000000,00475D47,?,00000000,00475D76,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00475D33

ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0047EF96
CopyFileA.KERNEL32(00000000,00000000,.dcp), ref: 0047F0D1

Part of subcall function 00489C78: GetSystemDirectoryA.KERNEL32(00000000,?), ref: 00489CB4

SetFileAttributesA.KERNEL32(00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFD6
DeleteFileA.KERNEL32(00000000,00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFFF
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0047F033
PlaySoundA.WINMM(00000000,00000000,00000001,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047F059

Strings

UPANDEXEC, xrefs: 0047EF74
UPLOADEXEC, xrefs: 0047EE7E
BATCH, xrefs: 0047EEC3
drivers\etc\hosts, xrefs: 0047EFC3, 0047EFE6, 0047F017
GENCODE, xrefs: 0047F0A0
UPDATE, xrefs: 0047EF3E
open, xrefs: 0047EE99, 0047EF0A, 0047EF2A, 0047EF59, 0047EF8F
HOSTS, xrefs: 0047EFA3
.dcp, xrefs: 0047F0AD
SOUND, xrefs: 0047F040
EDITSVR, xrefs: 0047F063

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00489580, Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 221 Total matches: 17pipewindowsleep

Similarity

Total matches: 17
API ID: CloseHandleCreatePipePeekNamedPipe$CreateProcessDispatchMessageGetEnvironmentVariableGetExitCodeProcessOemToCharPeekMessageReadFileSleepTerminateProcessTranslateMessage
String ID: COMSPEC$D
API String ID: 4101216710-942777791
Opcode ID: 98b6063c36b7c4f9ee270a2712a57a54142ac9cf893dea9da1c9317ddc3726ed
Instruction ID: f750be379b028122e82cf807415e9f3aafae13f02fb218c552ebf65ada2f023f
Opcode Fuzzy Hash: 6221AE4207BD57A3E5972A046403B841372FF43A68F6CA7A2A6FD367E9CE400099FE14
Instruction Fuzzy Hash: f750be379b028122e82cf807415e9f3aafae13f02fb218c552ebf65ada2f023f

APIs

CreatePipe.KERNEL32(FFFFFFFF,?,00000000,00000000), ref: 004895ED
CreatePipe.KERNEL32(?,?,00000000,00000000,FFFFFFFF,?,00000000,00000000), ref: 004895FD
GetEnvironmentVariableA.KERNEL32(COMSPEC,?,00000104,?,?,00000000,00000000,FFFFFFFF,?,00000000,00000000), ref: 00489613
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?), ref: 00489668
Sleep.KERNEL32(000007D0,00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,COMSPEC,?,00000104,?,?), ref: 00489685
TranslateMessage.USER32(?), ref: 00489693
DispatchMessageA.USER32(?), ref: 0048969F
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004896B3
GetExitCodeProcess.KERNEL32(?,?), ref: 004896C8
PeekNamedPipe.KERNEL32(FFFFFFFF,00000000,00000000,00000000,?,00000000,?,?,?,00000000,00000000,00000000,00000001,?,?,?), ref: 004896F2
ReadFile.KERNEL32(FFFFFFFF,?,00002400,00000000,00000000), ref: 00489717
OemToCharA.USER32(?,?), ref: 0048972E
PeekNamedPipe.KERNEL32(FFFFFFFF,00000000,00000000,00000000,00000000,00000000,?,FFFFFFFF,?,00002400,00000000,00000000,FFFFFFFF,00000000,00000000,00000000), ref: 00489781

Part of subcall function 0041FA34: GetLastError.KERNEL32(00486514,00000004,0048650C,00000000,0041FADE,?,00499F5C), ref: 0041FA94

Part of subcall function 0041FC40: SetThreadPriority.KERNEL32(?,015CDB28,00499F5C,?,0047EC9E,?,?,?,00000000,00000000,?,0049062B), ref: 0041FC55

Part of subcall function 0041FEF0: ResumeThread.KERNEL32(?,00499F5C,?,0047ECAA,?,?,?,00000000,00000000,?,0049062B), ref: 0041FEF8

Part of subcall function 0041FF20: GetCurrentThreadId.KERNEL32 ref: 0041FF2E
Part of subcall function 0041FF20: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0041FF5A
Part of subcall function 0041FF20: MsgWaitForMultipleObjects.USER32(00000002,?,00000000,000003E8,00000040), ref: 0041FF6F
Part of subcall function 0041FF20: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041FF9C
Part of subcall function 0041FF20: GetExitCodeThread.KERNEL32(?,?,?,000000FF), ref: 0041FFA7

TerminateProcess.KERNEL32(?,00000000,00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,COMSPEC,?,00000104,?), ref: 0048980A
CloseHandle.KERNEL32(?), ref: 00489813
CloseHandle.KERNEL32(?), ref: 0048981C

Strings

D, xrefs: 00489627
COMSPEC, xrefs: 0048960E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004291D0, Relevance: 31.7, APIs: 21, Instructions: 194 Total matches: 3060window

Similarity

Total matches: 3060
API ID: SelectObject$CreateCompatibleDCDeleteDCRealizePaletteSelectPaletteSetBkColor$BitBltCreateBitmapDeleteObjectGetDCGetObjectPatBltReleaseDC
String ID:
API String ID: 628774946-0
Opcode ID: fe3971f2977393a3c43567018b8bbe78de127415e632ac21538e816cc0dd5250
Instruction ID: 6115c1c3159ef7867d394253bd6a45f4e10092e6f2e7cc69ab30c5ac2c74a228
Opcode Fuzzy Hash: 2911294A05CCF32B64B579881983B261182FE43B52CABF7105979272CACF41740DE457
Instruction Fuzzy Hash: 6115c1c3159ef7867d394253bd6a45f4e10092e6f2e7cc69ab30c5ac2c74a228

APIs

GetObjectA.GDI32(?,00000054,?), ref: 004291F3
GetDC.USER32(00000000), ref: 00429221
CreateCompatibleDC.GDI32(?), ref: 00429232
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0042924D
SelectObject.GDI32(?,00000000), ref: 00429267
PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 00429289
CreateCompatibleDC.GDI32(?), ref: 00429297
DeleteDC.GDI32(?), ref: 0042937D

Part of subcall function 00428B08: GetObjectA.GDI32(00000000,00000054,?), ref: 00428B88
Part of subcall function 00428B08: GetDC.USER32(00000000), ref: 00428B99
Part of subcall function 00428B08: CreateCompatibleDC.GDI32(00000000), ref: 00428BAA
Part of subcall function 00428B08: CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 00428BF6
Part of subcall function 00428B08: CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 00428C1A
Part of subcall function 00428B08: GetDeviceCaps.GDI32(00000028,0000000C), ref: 00428C6A
Part of subcall function 00428B08: GetDeviceCaps.GDI32(00000028,0000000E), ref: 00428C77
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00428D21
Part of subcall function 00428B08: GetDIBColorTable.GDI32(?,00000000,00000100,-00000027), ref: 00428D47
Part of subcall function 00428B08: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428D72
Part of subcall function 00428B08: SelectObject.GDI32(?,?), ref: 00428D7F
Part of subcall function 00428B08: CreateDIBSection.GDI32(00000028,00000001,00000000,00000003,00000000,00000000), ref: 00428DD5
Part of subcall function 00428B08: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428E36
Part of subcall function 00428B08: SelectObject.GDI32(?,?), ref: 00428E77
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,00000000), ref: 00428EB7
Part of subcall function 00428B08: RealizePalette.GDI32(?), ref: 00428EC3
Part of subcall function 00428B08: FillRect.USER32(?,?,00000000), ref: 00428F14
Part of subcall function 00428B08: SetTextColor.GDI32(?,00000000), ref: 00428F2C
Part of subcall function 00428B08: SetBkColor.GDI32(?,00000000), ref: 00428F46
Part of subcall function 00428B08: SetDIBColorTable.GDI32(?,00000000,00000002,?), ref: 00428F8E
Part of subcall function 00428B08: PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 00428FB0
Part of subcall function 00428B08: CreateCompatibleDC.GDI32(00000028), ref: 00428FC3
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00428FE6
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,00000000), ref: 00429002
Part of subcall function 00428B08: RealizePalette.GDI32(?), ref: 0042900D
Part of subcall function 00428B08: SetTextColor.GDI32(?,00000000), ref: 0042902B
Part of subcall function 00428B08: SetBkColor.GDI32(?,00000000), ref: 00429045
Part of subcall function 00428B08: BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042906D
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,000000FF), ref: 0042907F
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00429089
Part of subcall function 00428B08: DeleteDC.GDI32(?), ref: 004290A4
Part of subcall function 00428B08: SelectPalette.GDI32(?,?,000000FF), ref: 004290CE

SelectObject.GDI32(?), ref: 004292DF
SelectPalette.GDI32(?,?,00000000), ref: 004292F2
RealizePalette.GDI32(?), ref: 004292FB
SelectPalette.GDI32(?,?,00000000), ref: 00429307
RealizePalette.GDI32(?), ref: 00429310
SetBkColor.GDI32(?), ref: 0042931A
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042933E
SetBkColor.GDI32(?,00000000), ref: 00429348
SelectObject.GDI32(?,00000000), ref: 0042935B
DeleteObject.GDI32 ref: 00429367
SelectObject.GDI32(?,00000000), ref: 00429398
DeleteDC.GDI32(00000000), ref: 004293B4
ReleaseDC.USER32(00000000,00000000), ref: 004293C5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004031FC, Relevance: 27.1, APIs: 9, Strings: 9, Instructions: 110 Total matches: 169

Similarity

Total matches: 169
API ID: CharNext
String ID: $ $ $"$"$"$"$"$"
API String ID: 3213498283-3597982963
Opcode ID: a78e52ca640c3a7d11d18e4cac849d6c7481ab065be4a6ef34a7c34927dd7892
Instruction ID: 5d6dbb870b020a65ba4fa9e31a5dda400ef744f15fc7bff5e21739e263984da5
Opcode Fuzzy Hash: D0F054139ED4432360976B416872B44E2D0DF9564D2C01F185B62BE2F31E696D62F9DC
Instruction Fuzzy Hash: 5d6dbb870b020a65ba4fa9e31a5dda400ef744f15fc7bff5e21739e263984da5

APIs

CharNextA.USER32(00000000), ref: 00403208
CharNextA.USER32(00000000), ref: 00403236
CharNextA.USER32(00000000), ref: 00403240
CharNextA.USER32(00000000), ref: 0040325F
CharNextA.USER32(00000000), ref: 00403269
CharNextA.USER32(00000000), ref: 00403295
CharNextA.USER32(00000000), ref: 0040329F
CharNextA.USER32(00000000), ref: 004032C7
CharNextA.USER32(00000000), ref: 004032D1

Strings

", xrefs: 00403230
, xrefs: 004032E9
", xrefs: 0040328F
", xrefs: 0040321E
, xrefs: 00403214
", xrefs: 00403254
, xrefs: 00403278
", xrefs: 00403219
", xrefs: 004032BC

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00472E88, Relevance: 26.4, APIs: 6, Strings: 9, Instructions: 199 Total matches: 19network

Similarity

Total matches: 19
API ID: inet_ntoa$WSAIoctlclosesocketsocket
String ID: Broadcast adress : $ Broadcasts : NO$ Broadcasts : YES$ IP : $ IP Mask : $ Loopback interface$ Network interface$ Status : DOWN$ Status : UP
API String ID: 2271367613-1810517698
Opcode ID: 3d4dbe25dc82bdd7fd028c6f91bddee7ad6dc1d8a686e5486e056cbc58026438
Instruction ID: 018b2a24353d4e3a07e7e79b390110fecb7011e72bd4e8fb6250bb24c4a02172
Opcode Fuzzy Hash: E22138C22338E1B2D42A39C6B500F80B651671FB7EF481F9652B6FFDC26E488005A749
Instruction Fuzzy Hash: 018b2a24353d4e3a07e7e79b390110fecb7011e72bd4e8fb6250bb24c4a02172

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00473108), ref: 00472EC7
WSAIoctl.WS2_32(000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000), ref: 00472F08
inet_ntoa.WSOCK32(?,00000000,004730D5,?,00000002,00000001,00000000,00000000,00473108), ref: 00472F40
inet_ntoa.WSOCK32(?,00473130,?, IP : ,?,?,00000000,004730D5,?,00000002,00000001,00000000,00000000,00473108), ref: 00472F81
inet_ntoa.WSOCK32(?,00473130,?, IP Mask : ,?,?,00473130,?, IP : ,?,?,00000000,004730D5,?,00000002,00000001), ref: 00472FC2
closesocket.WSOCK32(000000FF,00000002,00000001,00000000,00000000,00473108), ref: 004730E3

Strings

Broadcast adress : , xrefs: 00472FCB
Status : UP, xrefs: 00473001
IP Mask : , xrefs: 00472F8A
Broadcasts : NO, xrefs: 00473057
Status : DOWN, xrefs: 0047301B
IP : , xrefs: 00472F49
Broadcasts : YES, xrefs: 0047303D
Network interface, xrefs: 00473091
Loopback interface, xrefs: 00473077

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045944C, Relevance: 25.8, APIs: 17, Instructions: 258 Total matches: 99

Similarity

Total matches: 99
API ID: OffsetRect$MapWindowPoints$DrawEdgeExcludeClipRectFillRectGetClientRectGetRgnBoxGetWindowDCGetWindowLongGetWindowRectInflateRectIntersectClipRectIntersectRectReleaseDC
String ID:
API String ID: 549690890-0
Opcode ID: 4a5933c45267f4417683cc1ac528043082b1f46eca0dcd21c58a50742ec4aa88
Instruction ID: 2ecbe6093ff51080a4fa1a6c7503b414327ded251fe39163baabcde2d7402924
Opcode Fuzzy Hash: DE316B4D01AF1663F073A6401983F7A1516FF43A89CD837F27EE63235E27662066AA03
Instruction Fuzzy Hash: 2ecbe6093ff51080a4fa1a6c7503b414327ded251fe39163baabcde2d7402924

APIs

GetWindowDC.USER32(00000000), ref: 00459480
GetClientRect.USER32(00000000,?), ref: 004594A3
GetWindowRect.USER32(00000000,?), ref: 004594B5
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 004594CB
OffsetRect.USER32(?,?,?), ref: 004594E0
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 004594F9
InflateRect.USER32(?,00000000,00000000), ref: 00459517
GetWindowLongA.USER32(00000000,000000F0), ref: 00459531
DrawEdge.USER32(?,?,?,00000008), ref: 00459630
IntersectClipRect.GDI32(?,?,?,?,?), ref: 00459649
OffsetRect.USER32(?,?,?), ref: 00459673
GetRgnBox.GDI32(?,?), ref: 00459682
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 00459698
IntersectRect.USER32(?,?,?), ref: 004596A9
OffsetRect.USER32(?,?,?), ref: 004596BE

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?,00000000), ref: 004596DA
ReleaseDC.USER32(00000000,?), ref: 004596F9

Part of subcall function 004328FC: GetWindowLongA.USER32(00000000,000000EC), ref: 00432917
Part of subcall function 004328FC: GetWindowRect.USER32(00000000,?), ref: 00432932
Part of subcall function 004328FC: OffsetRect.USER32(?,?,?), ref: 00432947
Part of subcall function 004328FC: GetWindowDC.USER32(00000000), ref: 00432955
Part of subcall function 004328FC: GetWindowLongA.USER32(00000000,000000F0), ref: 00432986
Part of subcall function 004328FC: GetSystemMetrics.USER32(00000002), ref: 0043299B
Part of subcall function 004328FC: GetSystemMetrics.USER32(00000003), ref: 004329A4
Part of subcall function 004328FC: InflateRect.USER32(?,000000FE,000000FE), ref: 004329B3
Part of subcall function 004328FC: GetSysColorBrush.USER32(0000000F), ref: 004329E0
Part of subcall function 004328FC: FillRect.USER32(?,?,00000000), ref: 004329EE
Part of subcall function 004328FC: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00432A13
Part of subcall function 004328FC: ReleaseDC.USER32(00000000,?), ref: 00432A51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00465A0C, Relevance: 21.2, APIs: 6, Strings: 8, Instructions: 232 Total matches: 70memory

Similarity

Total matches: 70
API ID: VirtualAlloc$GetProcessHeapHeapAlloc
String ID: BTMemoryLoadLibary: BuildImportTable failed$BTMemoryLoadLibary: Can't attach library$BTMemoryLoadLibary: Get DLLEntyPoint failed$BTMemoryLoadLibary: IMAGE_NT_SIGNATURE is not valid$BTMemoryLoadLibary: VirtualAlloc failed$BTMemoryLoadLibary: dll dos header is not valid$MZ$PE
API String ID: 2488116186-3631919656
Opcode ID: 3af931fd5e956d794d4d8b2d9451c0c23910b02d2e1f96ee73557f06256af9ed
Instruction ID: 5201b0f892773e34eb121d15694a5594f27085db04a31d88d5a3aa16cfd2fb7b
Opcode Fuzzy Hash: C92170831B68E1B7FD6411983983F62168EE747E64EC5A7700375391DB6B09408DEB4E
Instruction Fuzzy Hash: 5201b0f892773e34eb121d15694a5594f27085db04a31d88d5a3aa16cfd2fb7b

APIs

VirtualAlloc.KERNEL32(?,?,00002000,00000004), ref: 00465AC1
VirtualAlloc.KERNEL32(00000000,?,00002000,00000004,?,?,00002000,00000004), ref: 00465ADC
GetProcessHeap.KERNEL32(00000000,00000011,?,?,00002000,00000004), ref: 00465B07
HeapAlloc.KERNEL32(00000000,00000000,00000011,?,?,00002000,00000004), ref: 00465B0D
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,00000000,00000000,00000011,?,?,00002000,00000004), ref: 00465B41
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,00000000,?,00001000,00000004,00000000,00000000,00000011,?,?,00002000,00000004), ref: 00465B55

Part of subcall function 004653A8: VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00465410
Part of subcall function 004653A8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004), ref: 0046545B

Part of subcall function 00465598: LoadLibraryA.KERNEL32(00000000), ref: 00465607
Part of subcall function 00465598: GetProcAddress.KERNEL32(?,?), ref: 00465737
Part of subcall function 00465598: GetProcAddress.KERNEL32(?,?), ref: 0046576B
Part of subcall function 00465598: IsBadReadPtr.KERNEL32(?,00000014,00000000,004657D8), ref: 004657A9

Part of subcall function 004658F4: VirtualFree.KERNEL32(?,?,00004000), ref: 00465939
Part of subcall function 004658F4: VirtualProtect.KERNEL32(?,?,00000000,?), ref: 004659A5

Part of subcall function 00466038: FreeLibrary.KERNEL32(00000000,?,?,00000000,?,00000000,00465C6C), ref: 004660A7
Part of subcall function 00466038: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,?,00000000,00465C6C), ref: 004660D8
Part of subcall function 00466038: GetProcessHeap.KERNEL32(00000000,?,?,?,00000000,?,00000000,00465C6C), ref: 004660E0
Part of subcall function 00466038: HeapFree.KERNEL32(00000000,00000000,?), ref: 004660E6

Strings

BTMemoryLoadLibary: BuildImportTable failed, xrefs: 00465BD5
BTMemoryLoadLibary: Can't attach library, xrefs: 00465C5A
BTMemoryLoadLibary: IMAGE_NT_SIGNATURE is not valid, xrefs: 00465A95
BTMemoryLoadLibary: VirtualAlloc failed, xrefs: 00465AEC
PE, xrefs: 00465A84
BTMemoryLoadLibary: dll dos header is not valid, xrefs: 00465A4E
MZ, xrefs: 00465A41
BTMemoryLoadLibary: Get DLLEntyPoint failed, xrefs: 00465C28

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004296E0, Relevance: 21.2, APIs: 14, Instructions: 217 Total matches: 2962window

Similarity

Total matches: 2962
API ID: GetDeviceCapsSelectObjectSelectPaletteSetStretchBltMode$CreateCompatibleDCDeleteDCGetBrushOrgExRealizePaletteSetBrushOrgExStretchBlt
String ID:
API String ID: 3308931694-0
Opcode ID: c4f23efe5e20e7f72d9787206ae9d4d4484ef6a1768b369050ebc0ce3d21af64
Instruction ID: 6e80a75276815f297b150d1899ec2451361d21afa1efcd092d0d7bc48a04164e
Opcode Fuzzy Hash: 2C21980A409CEB6BF0BB78840183F4A2285BF9B34ACD1BB210E64673635F04E40BD65F
Instruction Fuzzy Hash: 6e80a75276815f297b150d1899ec2451361d21afa1efcd092d0d7bc48a04164e

APIs

Part of subcall function 00429D5C: GetDC.USER32(00000000), ref: 00429DB2
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429DC7
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00429DD1
Part of subcall function 00429D5C: CreateHalftonePalette.GDI32(00000000), ref: 00429DF5
Part of subcall function 00429D5C: ReleaseDC.USER32(00000000,00000000), ref: 00429E00

SelectPalette.GDI32(?,?,000000FF), ref: 00429723
RealizePalette.GDI32(?), ref: 00429732
GetDeviceCaps.GDI32(?,0000000C), ref: 00429744
GetDeviceCaps.GDI32(?,0000000E), ref: 00429753
GetBrushOrgEx.GDI32(?,?), ref: 00429786
SetStretchBltMode.GDI32(?,00000004), ref: 00429794
SetBrushOrgEx.GDI32(?,?,?,?), ref: 004297AC
SetStretchBltMode.GDI32(00000000,00000003), ref: 004297C9
SelectPalette.GDI32(?,?,000000FF), ref: 00429918

Part of subcall function 00429CFC: DeleteObject.GDI32(?), ref: 00429D1F

CreateCompatibleDC.GDI32(00000000), ref: 0042982A
SelectObject.GDI32(?,?), ref: 0042983F

Part of subcall function 00425CC8: CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 00425D0B
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425D20
Part of subcall function 00425CC8: MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,CCAA0029), ref: 00425D64
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425D7E
Part of subcall function 00425CC8: DeleteObject.GDI32(?), ref: 00425D8A
Part of subcall function 00425CC8: CreateCompatibleDC.GDI32(00000000), ref: 00425D9E
Part of subcall function 00425CC8: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00425DBF
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425DD4
Part of subcall function 00425CC8: SelectPalette.GDI32(?,48080787,00000000), ref: 00425DE8
Part of subcall function 00425CC8: SelectPalette.GDI32(?,?,00000000), ref: 00425DFA
Part of subcall function 00425CC8: SelectPalette.GDI32(?,00000000,000000FF), ref: 00425E0F
Part of subcall function 00425CC8: SelectPalette.GDI32(?,48080787,000000FF), ref: 00425E25
Part of subcall function 00425CC8: RealizePalette.GDI32(?), ref: 00425E31
Part of subcall function 00425CC8: StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 00425E53
Part of subcall function 00425CC8: StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 00425E75
Part of subcall function 00425CC8: SetTextColor.GDI32(?,00000000), ref: 00425E7D
Part of subcall function 00425CC8: SetBkColor.GDI32(?,00FFFFFF), ref: 00425E8B
Part of subcall function 00425CC8: StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 00425EB7
Part of subcall function 00425CC8: StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 00425EDC
Part of subcall function 00425CC8: SetTextColor.GDI32(?,?), ref: 00425EE6
Part of subcall function 00425CC8: SetBkColor.GDI32(?,?), ref: 00425EF0
Part of subcall function 00425CC8: SelectObject.GDI32(?,00000000), ref: 00425F03
Part of subcall function 00425CC8: DeleteObject.GDI32(?), ref: 00425F0C
Part of subcall function 00425CC8: SelectPalette.GDI32(?,00000000,00000000), ref: 00425F2E
Part of subcall function 00425CC8: DeleteDC.GDI32(?), ref: 00425F37

SelectObject.GDI32(?,00000000), ref: 0042989E
DeleteDC.GDI32(00000000), ref: 004298AD
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,?), ref: 004298F3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474208, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 49 Total matches: 17libraryloader

Similarity

Total matches: 17
API ID: GetProcAddress$LoadLibrary
String ID: WlanCloseHandle$WlanEnumInterfaces$WlanGetAvailableNetworkList$WlanOpenHandle$WlanQueryInterface$[FILE]
API String ID: 2209490600-3498334979
Opcode ID: 5146edb54a207047eae4574c9a27975307ac735bfb4468aea4e07443cdf6e803
Instruction ID: f89292433987c39bc7d9e273a1951c9a278ebb56a2de24d0a3e4590a01f53334
Opcode Fuzzy Hash: 50E0B6FD90BAA808D37089CC31962431D6E7BE332DA621E00086A230902B4FF2766935
Instruction Fuzzy Hash: f89292433987c39bc7d9e273a1951c9a278ebb56a2de24d0a3e4590a01f53334

APIs

LoadLibraryA.KERNEL32(wlanapi.dll), ref: 00474216
GetProcAddress.KERNEL32(00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 0047422E
GetProcAddress.KERNEL32(00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 00474249
GetProcAddress.KERNEL32(00000000,WlanEnumInterfaces,00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 00474264
GetProcAddress.KERNEL32(00000000,WlanQueryInterface,00000000,WlanEnumInterfaces,00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 0047427F
GetProcAddress.KERNEL32(00000000,WlanGetAvailableNetworkList,00000000,WlanQueryInterface,00000000,WlanEnumInterfaces,00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 0047429A

Strings

WlanOpenHandle, xrefs: 00474226
wlanapi.dll, xrefs: 00474211
WlanGetAvailableNetworkList, xrefs: 00474292
WlanQueryInterface, xrefs: 00474277
WlanEnumInterfaces, xrefs: 0047425C
WlanCloseHandle, xrefs: 00474241

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048D3C4, Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 132 Total matches: 32

Similarity

Total matches: 32
API ID: GetVersionEx
String ID: Unknow$Windows 2000$Windows 7$Windows 95$Windows 98$Windows Me$Windows NT 4.0$Windows Server 2003$Windows Vista$Windows XP
API String ID: 3908303307-3783844371
Opcode ID: 7b5a5832e5fd12129a8a2e2906a492b9449b8df28a17af9cc2e55bced20de565
Instruction ID: b844ed6b70e0e94de659292c354b68b9ed016400ab421bcb6baea74a0809c2ae
Opcode Fuzzy Hash: 0C11ACC1EB6CE422E7B219486410BD59E805F8B83AFCCC343D63EA83E46D491419F22D
Instruction Fuzzy Hash: b844ed6b70e0e94de659292c354b68b9ed016400ab421bcb6baea74a0809c2ae

APIs

GetVersionExA.KERNEL32(00000094), ref: 0048D410

Strings

Windows Me, xrefs: 0048D4F2
Windows NT 4.0, xrefs: 0048D441
Windows 2000, xrefs: 0048D467
Windows 95, xrefs: 0048D4D6
Windows 7, xrefs: 0048D4B1
Unknow, xrefs: 0048D3F5
Windows Vista, xrefs: 0048D4A3
Windows Server 2003, xrefs: 0048D486
Windows XP, xrefs: 0048D478
Windows 98, xrefs: 0048D4E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C494, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 102 Total matches: 27filememorythread

Similarity

Total matches: 27
API ID: CloseHandle$CreateFileCreateThreadFindResourceLoadResourceLocalAllocLockResourceSizeofResourceWriteFile
String ID: [FILE]
API String ID: 67866216-124780900
Opcode ID: 96c988e38e59b89ff17cc2eaece477f828ad8744e4a6eccd5192cfbc043553d8
Instruction ID: 630cc112895e8414539e3ba5b7ba0394fd4404f3832c6fa9d37db38bf09270f9
Opcode Fuzzy Hash: D5F02B8A57A5E6A3F0003C841D423D286D55B13B20E582B62C57CB75C1FE24502AFB03
Instruction Fuzzy Hash: 630cc112895e8414539e3ba5b7ba0394fd4404f3832c6fa9d37db38bf09270f9

APIs

FindResourceA.KERNEL32(00000000,?,?), ref: 0048C4C3

Part of subcall function 00489BB0: GetTempPathA.KERNEL32(?,00000000), ref: 00489BEC

CreateFileA.KERNEL32(00000000,.dll,?,?,40000000,00000002,00000000), ref: 0048C50F
SizeofResource.KERNEL32(00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC,?,?,?,?,00000000,00000000,00000000), ref: 0048C51F
LoadResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C528
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C52E
WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0048C535
CloseHandle.KERNEL32(00000000), ref: 0048C53B
LocalAlloc.KERNEL32(00000040,00000004,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C544
CreateThread.KERNEL32(00000000,00000000,0048C3E4,00000000,00000000,?), ref: 0048C586
CloseHandle.KERNEL32(00000000), ref: 0048C58C

Strings

.dll, xrefs: 0048C4F4, 0048C565

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004085D4, Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 61 Total matches: 268windowregistry

Similarity

Total matches: 268
API ID: RegisterWindowMessage$SendMessage$FindWindow
String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
API String ID: 773075572-3736581797
Opcode ID: b8d29d158da692a3f30c7c46c0fd30bc084ed528be5294db655e4684b6c0c80f
Instruction ID: 4e75a9db2a85290b2bd165713cc3b8ab264a87c6022b985514cebb886d0c2653
Opcode Fuzzy Hash: E3E086048EC5E4C040877D156905746525A5B47E33E88971245FC69EEBDF12706CF60B
Instruction Fuzzy Hash: 4e75a9db2a85290b2bd165713cc3b8ab264a87c6022b985514cebb886d0c2653

APIs

FindWindowA.USER32(MouseZ,Magellan MSWHEEL), ref: 004085EC
RegisterWindowMessageA.USER32(MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 004085F8
RegisterWindowMessageA.USER32(MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 00408607
RegisterWindowMessageA.USER32(MSH_SCROLL_LINES_MSG,MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 00408613
SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 0040862B
SendMessageA.USER32(00000000,?,00000000,00000000), ref: 0040864F

Strings

MSH_SCROLL_LINES_MSG, xrefs: 0040860E
MSH_WHEELSUPPORT_MSG, xrefs: 00408602
MouseZ, xrefs: 004085E7
Magellan MSWHEEL, xrefs: 004085E2
MSWHEEL_ROLLMSG, xrefs: 004085F3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00442280, Relevance: 18.5, APIs: 12, Instructions: 471 Total matches: 76window

Similarity

Total matches: 76
API ID: ShowWindow$SendMessageSetWindowPos$CallWindowProcGetActiveWindowSetActiveWindow
String ID:
API String ID: 1078102291-0
Opcode ID: 5a6bc4dc446307c7628f18d730adac2faaaadfe5fec0ff2c8aaad915570e293a
Instruction ID: d2d7a330045c082ee8847ac264425c59ea8f05af409e416109ccbd6a8a647aa5
Opcode Fuzzy Hash: AA512601698E2453F8A360442A87BAB6077F74EB54CC4AB744BCF530AB3A51D837E74B
Instruction Fuzzy Hash: d2d7a330045c082ee8847ac264425c59ea8f05af409e416109ccbd6a8a647aa5

APIs

Part of subcall function 004471C4: IsChild.USER32(00000000,00000000), ref: 00447222

SendMessageA.USER32(?,00000223,00000000,00000000), ref: 004426BE
ShowWindow.USER32(00000000,00000003), ref: 004426CE
ShowWindow.USER32(00000000,00000002), ref: 004426F0
CallWindowProcA.USER32(00407FF8,00000000,00000005,00000000,?), ref: 00442719
SendMessageA.USER32(?,00000234,00000000,00000000), ref: 0044273E
ShowWindow.USER32(00000000,?), ref: 00442763
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000097), ref: 004427FF
GetActiveWindow.USER32 ref: 00442815
ShowWindow.USER32(00000000,00000000), ref: 00442872

Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773

Part of subcall function 0043BA80: GetCurrentThreadId.KERNEL32(Function_0003BA1C,00000000,0044283C,00000000,004428BF), ref: 0043BA9A
Part of subcall function 0043BA80: EnumThreadWindows.USER32(00000000,Function_0003BA1C,00000000), ref: 0043BAA0

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000097), ref: 0044285A
SetActiveWindow.USER32(00000000), ref: 00442860
ShowWindow.USER32(00000000,00000001), ref: 004428A2

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004328FC, Relevance: 18.1, APIs: 12, Instructions: 142 Total matches: 2670

Similarity

Total matches: 2670
API ID: GetSystemMetricsGetWindowLong$ExcludeClipRectFillRectGetSysColorBrushGetWindowDCGetWindowRectInflateRectOffsetRectReleaseDC
String ID:
API String ID: 3932036319-0
Opcode ID: 76064c448b287af48dc2af56ceef959adfeb7e49e56a31cb381aae6292753b0b
Instruction ID: f04c829c48dd0ecc4740a09c532db4e7ffce190e9eba6ce852bb2d0274806371
Opcode Fuzzy Hash: 03019760024F1233E0B31AC05DC7F127621ED45386CA4BBF28BF6A72C962AA7006F467
Instruction Fuzzy Hash: f04c829c48dd0ecc4740a09c532db4e7ffce190e9eba6ce852bb2d0274806371

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 00432917
GetWindowRect.USER32(00000000,?), ref: 00432932
OffsetRect.USER32(?,?,?), ref: 00432947
GetWindowDC.USER32(00000000), ref: 00432955
GetWindowLongA.USER32(00000000,000000F0), ref: 00432986
GetSystemMetrics.USER32(00000002), ref: 0043299B
GetSystemMetrics.USER32(00000003), ref: 004329A4
InflateRect.USER32(?,000000FE,000000FE), ref: 004329B3
GetSysColorBrush.USER32(0000000F), ref: 004329E0
FillRect.USER32(?,?,00000000), ref: 004329EE
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00432A13
ReleaseDC.USER32(00000000,?), ref: 00432A51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00402820, Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 254 Total matches: 200window

Similarity

Total matches: 200
API ID: MessageBox
String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
API String ID: 1250089747-1256731999
Opcode ID: 490897b8e9acac750f9d51d50a768472c0795dbdc6439b18441db86d626ce938
Instruction ID: 76dfa530adb1b8c2cc13e2667be7c25ba156ed0594aa9714788bfb3d1a0eda85
Opcode Fuzzy Hash: 0731F44BA7DDC3A2D3E91303684575550E2A7C5537C888F609772317F6EE04250BAAAD
Instruction Fuzzy Hash: 76dfa530adb1b8c2cc13e2667be7c25ba156ed0594aa9714788bfb3d1a0eda85

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 00402BBE

Strings

An unexpected memory leak has occurred. , xrefs: 00402980
String, xrefs: 00402A91
, xrefs: 00402B04
Unknown, xrefs: 00402A7C
The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402B39
The unexpected small block leaks are:, xrefs: 004029F7
Unexpected Memory Leak, xrefs: 00402BB0
7, xrefs: 00402991
bytes: , xrefs: 00402A4D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F17C, Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 116 Total matches: 33window

Similarity

Total matches: 33
API ID: GetWindowPlacementGetWindowTextIsWindowVisible
String ID: ,$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive$True
API String ID: 41250382-511446200
Opcode ID: 2a93bd2407602c988be198f02ecb64933adb9ffad78aee0f75abc9a1a22a1849
Instruction ID: 8f95e1a452f283c9d6a5f9db166b7f7b6e325fa1ebf04232aa01919826a7e185
Opcode Fuzzy Hash: F5012D8237CECA73DA0AAEC47C00B80D5A5AF63224CC867A14A9D3D1D41ED06009AB4A
Instruction Fuzzy Hash: 8f95e1a452f283c9d6a5f9db166b7f7b6e325fa1ebf04232aa01919826a7e185

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F1D2
GetWindowPlacement.USER32(?,0000002C), ref: 0046F1ED
IsWindowVisible.USER32(?), ref: 0046F258

Part of subcall function 0046F148: GetWindow.USER32(?,00000005), ref: 0046F156
Part of subcall function 0046F148: GetWindow.USER32(00000000,00000002), ref: 0046F164

Strings

,, xrefs: 0046F1E1
Minimized, xrefs: 0046F225
Show/Unactive, xrefs: 0046F239
True, xrefs: 0046F2AA
Maximized, xrefs: 0046F1FD
Normal, xrefs: 0046F211
Normal/Unactive, xrefs: 0046F24D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E71C, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 109 Total matches: 2989

Similarity

Total matches: 2989
API ID: IntersectRect$GetSystemMetrics$EnumDisplayMonitorsGetClipBoxGetDCOrgExOffsetRect
String ID: EnumDisplayMonitors
API String ID: 2403121106-2491903729
Opcode ID: 52db4d6629bbd73772140d7e04a91d47a072080cb3515019dbe85a8b86b11587
Instruction ID: b4557ab74b20c8893b9e8c5043286aecf6e43751f6ec849995a879e485a4fa77
Opcode Fuzzy Hash: 60F02B4B413C0863AD32BB953067E2601615BD3955C9F7BF34D077A2091B85B42EF643
Instruction Fuzzy Hash: b4557ab74b20c8893b9e8c5043286aecf6e43751f6ec849995a879e485a4fa77

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 0042E755
GetSystemMetrics.USER32(00000000), ref: 0042E77A
GetSystemMetrics.USER32(00000001), ref: 0042E785
GetClipBox.GDI32(?,?), ref: 0042E797
GetDCOrgEx.GDI32(?,?), ref: 0042E7A4
OffsetRect.USER32(?,?,?), ref: 0042E7BD
IntersectRect.USER32(?,?,?), ref: 0042E7CE
IntersectRect.USER32(?,?,?), ref: 0042E7E4
IntersectRect.USER32(?,?,?), ref: 0042E804

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

EnumDisplayMonitors, xrefs: 0042E734

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044D1B0, Relevance: 16.6, APIs: 11, Instructions: 91 Total matches: 309

Similarity

Total matches: 309
API ID: GetWindowLongSetWindowLong$SetProp$IsWindowUnicode
String ID:
API String ID: 2416549522-0
Opcode ID: cc33e88019e13a6bdd1cd1f337bb9aa08043e237bf24f75c2294c70aefb51ea5
Instruction ID: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692
Opcode Fuzzy Hash: 47F09048455D92E9CE316990181BFEB6098AF57F91CE86B0469C2713778E50F079BCC2
Instruction Fuzzy Hash: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692

APIs

IsWindowUnicode.USER32(?), ref: 0044D1CA
SetWindowLongW.USER32(?,000000FC,?), ref: 0044D1E5
GetWindowLongW.USER32(?,000000F0), ref: 0044D1F0
GetWindowLongW.USER32(?,000000F4), ref: 0044D202
SetWindowLongW.USER32(?,000000F4,?), ref: 0044D215
SetWindowLongA.USER32(?,000000FC,?), ref: 0044D22E
GetWindowLongA.USER32(?,000000F0), ref: 0044D239
GetWindowLongA.USER32(?,000000F4), ref: 0044D24B
SetWindowLongA.USER32(?,000000F4,?), ref: 0044D25E
SetPropA.USER32(?,00000000,00000000), ref: 0044D275
SetPropA.USER32(?,00000000,00000000), ref: 0044D28C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00485954, Relevance: 16.0, APIs: 4, Strings: 5, Instructions: 236 Total matches: 15filewindow

Similarity

Total matches: 15
API ID: DeleteFile$BeepMessageBox
String ID: Error$SYSINFO$out.txt$systeminfo$tmp.txt
API String ID: 2513333429-345806071
Opcode ID: 175ef29eb0126f4faf8d8d995bdbdcdb5595b05f6195c7c08c0282fe984d4c47
Instruction ID: 39f7f17e1c987efdb7b4b5db2f739eec2f93dce701a473bbe0ca777f64945c64
Opcode Fuzzy Hash: 473108146FCD9607E0675C047D43BB622369F83488E8AB3736AB7321E95E12C007FE96
Instruction Fuzzy Hash: 39f7f17e1c987efdb7b4b5db2f739eec2f93dce701a473bbe0ca777f64945c64

APIs

Beep.KERNEL32(00000000,00000000,?,00000000,00485C82), ref: 00485C68

Part of subcall function 00489BB0: GetTempPathA.KERNEL32(?,00000000), ref: 00489BEC

Part of subcall function 0048AB58: DeleteFileA.KERNEL32(00000000,00000000,0048ABE5,?,00000000,0048AC07), ref: 0048ABA5

Part of subcall function 0048A8AC: CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000004,00000100,00000000), ref: 0048A953
Part of subcall function 0048A8AC: CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000002,00000100,00000000), ref: 0048A98D
Part of subcall function 0048A8AC: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000110,00000000,00000000,00000044,?), ref: 0048AA10
Part of subcall function 0048A8AC: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0048AA2D
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA68
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA77
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA86
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA95

DeleteFileA.KERNEL32(00000000,Error,00000000,00485C82), ref: 00485A63
DeleteFileA.KERNEL32(00000000,00000000,Error,00000000,00485C82), ref: 00485A92

Part of subcall function 00485888: LocalAlloc.KERNEL32(00000040,00000014,00000000,00485939), ref: 004858C3
Part of subcall function 00485888: CreateThread.KERNEL32(00000000,00000000,Function_0008317C,00000000,00000000,00499F94), ref: 00485913
Part of subcall function 00485888: CloseHandle.KERNEL32(00000000), ref: 00485919

MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00485BE3

Strings

systeminfo, xrefs: 00485A14
tmp.txt, xrefs: 004859CA, 00485A07, 00485A79
Error, xrefs: 004859DE
SYSINFO, xrefs: 00485AAE
out.txt, xrefs: 004859AB, 004859EE, 00485A2A, 00485A4A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A8AC, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 146 Total matches: 45fileprocesssynchronization

Similarity

Total matches: 45
API ID: CloseHandle$CreateFile$CreateProcessWaitForSingleObject
String ID: D
API String ID: 1169714791-2746444292
Opcode ID: 9fb844b51f751657abfdf9935c21911306aa385a3997c9217fbe2ce6b668f812
Instruction ID: 79e473b7fda91be69f4d7f417df14a4c992ec25b9310636d694ca9e09f5cc5b6
Opcode Fuzzy Hash: 4D11E6431384F3F3F1A567002C8275185D6DB45A78E6D9752D6B6323EECB40A16CF94A
Instruction Fuzzy Hash: 79e473b7fda91be69f4d7f417df14a4c992ec25b9310636d694ca9e09f5cc5b6

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000004,00000100,00000000), ref: 0048A953
CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000002,00000100,00000000), ref: 0048A98D
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000110,00000000,00000000,00000044,?), ref: 0048AA10
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0048AA2D
CloseHandle.KERNEL32(00000000), ref: 0048AA68
CloseHandle.KERNEL32(00000000), ref: 0048AA77
CloseHandle.KERNEL32(00000000), ref: 0048AA86
CloseHandle.KERNEL32(00000000), ref: 0048AA95

Strings

D, xrefs: 0048A9BB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F3B8, Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 110 Total matches: 30

Similarity

Total matches: 30
API ID: GetWindowPlacementGetWindowText
String ID: ,$False$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive
API String ID: 3194812178-3661939895
Opcode ID: 6e67ebc189e59b109926b976878c05c5ff8e56a7c2fe83319816f47c7d386b2c
Instruction ID: 05c2a068ec8248d3d24fb73124f2ba0192b7bb261c799db9564259cde8fcc610
Opcode Fuzzy Hash: DC012BC22786CE23E606A9C47A00BD0CE65AFB261CCC867E14FEE3C5D57ED100089B96
Instruction Fuzzy Hash: 05c2a068ec8248d3d24fb73124f2ba0192b7bb261c799db9564259cde8fcc610

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F40E
GetWindowPlacement.USER32(?,0000002C), ref: 0046F429

Part of subcall function 0046F148: GetWindow.USER32(?,00000005), ref: 0046F156
Part of subcall function 0046F148: GetWindow.USER32(00000000,00000002), ref: 0046F164

Strings

Maximized, xrefs: 0046F439
,, xrefs: 0046F41D
False, xrefs: 0046F4D6
Show/Unactive, xrefs: 0046F475
Normal, xrefs: 0046F44D
Minimized, xrefs: 0046F461
Normal/Unactive, xrefs: 0046F489

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00456278, Relevance: 15.2, APIs: 10, Instructions: 197 Total matches: 3025

Similarity

Total matches: 3025
API ID: GetWindowLong$IntersectClipRectRestoreDCSaveDC
String ID:
API String ID: 3006731778-0
Opcode ID: 42e9e34b880910027b3e3a352b823e5a85719ef328f9c6ea61aaf2d3498d6580
Instruction ID: 4204c0258dd60c0c2688d7e8ce7edc9cd036ce1826430425374ca7ebdb7834a4
Opcode Fuzzy Hash: 4621F609168D5267EC7B75806993BAA7111FB82B88CD1F7321AA1171975B80204BFA07
Instruction Fuzzy Hash: 4204c0258dd60c0c2688d7e8ce7edc9cd036ce1826430425374ca7ebdb7834a4

APIs

SaveDC.GDI32(?), ref: 00456295

Part of subcall function 0044EEA0: GetWindowOrgEx.GDI32(?), ref: 0044EEAE
Part of subcall function 0044EEA0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044EEC4

IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 004562CE
GetWindowLongA.USER32(00000000,000000EC), ref: 004562E2
GetWindowLongA.USER32(00000000,000000F0), ref: 00456303

Part of subcall function 00456278: SetRect.USER32(00000010,00000000,00000000,?,?), ref: 00456363
Part of subcall function 00456278: IntersectClipRect.GDI32(?,00000000,00000000,00000010,?), ref: 004563D3
Part of subcall function 00456278: SetRect.USER32(?,00000000,00000000,?,?), ref: 004563F4
Part of subcall function 00456278: DrawEdge.USER32(?,?,00000000,00000000), ref: 00456403
Part of subcall function 00456278: IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0045642C

RestoreDC.GDI32(?,?), ref: 004564AB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043F2B8, Relevance: 15.1, APIs: 10, Instructions: 133 Total matches: 142window

Similarity

Total matches: 142
API ID: GetWindowLongSendMessageSetWindowLong$GetClassLongGetSystemMenuSetClassLongSetWindowPos
String ID:
API String ID: 864553395-0
Opcode ID: 9ab73d602731c043e05f06fe9a833ffc60d2bf7da5b0a21ed43778f35c9aa1f5
Instruction ID: 86e40c6f39a8dd384175e0123e2dc7e82ae64037638b8220b5ac0861a23d6a34
Opcode Fuzzy Hash: B101DBAA1A176361E0912DCCCAC3B2ED50DB743248EB0DBD922E11540E7F4590A7FE2D
Instruction Fuzzy Hash: 86e40c6f39a8dd384175e0123e2dc7e82ae64037638b8220b5ac0861a23d6a34

APIs

GetWindowLongA.USER32(00000000,000000F0), ref: 0043F329
GetWindowLongA.USER32(00000000,000000EC), ref: 0043F33B
GetClassLongA.USER32(00000000,000000E6), ref: 0043F34E
SetWindowLongA.USER32(00000000,000000F0,00000000), ref: 0043F38E
SetWindowLongA.USER32(00000000,000000EC,?), ref: 0043F3A2
SetClassLongA.USER32(00000000,000000E6,?), ref: 0043F3B6
SendMessageA.USER32(00000000,00000080,00000001,00000000), ref: 0043F3F0
SendMessageA.USER32(00000000,00000080,00000001,00000000), ref: 0043F408
GetSystemMenu.USER32(00000000,000000FF), ref: 0043F417
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043F440

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044155C, Relevance: 15.1, APIs: 10, Instructions: 74 Total matches: 3192window

Similarity

Total matches: 3192
API ID: DeleteMenu$EnableMenuItem$GetSystemMenu
String ID:
API String ID: 3542995237-0
Opcode ID: 6b257927fe0fdeada418aad578b82fbca612965c587f2749ccb5523ad42afade
Instruction ID: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578
Opcode Fuzzy Hash: 0AF0D09DD98F1151E6F500410C47B83C08AFF413C5C245B380583217EFA9D25A5BEB0E
Instruction Fuzzy Hash: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 004415A7
DeleteMenu.USER32(00000000,0000F130,00000000), ref: 004415C5
DeleteMenu.USER32(00000000,00000007,00000400), ref: 004415D2
DeleteMenu.USER32(00000000,00000005,00000400), ref: 004415DF
DeleteMenu.USER32(00000000,0000F030,00000000), ref: 004415EC
DeleteMenu.USER32(00000000,0000F020,00000000), ref: 004415F9
DeleteMenu.USER32(00000000,0000F000,00000000), ref: 00441606
DeleteMenu.USER32(00000000,0000F120,00000000), ref: 00441613
EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 00441631
EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 0044164D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040281E, Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 188 Total matches: 190window

Similarity

Total matches: 190
API ID: MessageBox
String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
API String ID: 1250089747-980038931
Opcode ID: 1669ecd234b97cdbd14c3df7a35b1e74c6856795be7635a3e0f5130a3d9bc831
Instruction ID: 2e60dbe28dcd1d3aa5670394eea0bc97309ab4bc9661f15f320bab8b5d4cd559
Opcode Fuzzy Hash: 8E21F44B67EED392D3EA1303384575540E3ABC5537D888F60977232BF6EE14140BAA9D
Instruction Fuzzy Hash: 2e60dbe28dcd1d3aa5670394eea0bc97309ab4bc9661f15f320bab8b5d4cd559

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 00402BBE

Strings

An unexpected memory leak has occurred. , xrefs: 00402980
, xrefs: 00402B04
The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402B39
The unexpected small block leaks are:, xrefs: 004029F7
Unexpected Memory Leak, xrefs: 00402BB0
7, xrefs: 00402991
bytes: , xrefs: 00402A4D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004710F0, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 66 Total matches: 37

Similarity

Total matches: 37
API ID: GetWindowShowWindow$FindWindowGetClassName
String ID: BUTTON$Shell_TrayWnd
API String ID: 2948047570-3627955571
Opcode ID: 9e064d9ead1b610c0c1481de5900685eb7d76be14ef2e83358ce558d27e67668
Instruction ID: d360bd029940f6fa4d12d7627fe3e8b46839e67e31e965d43504e39a11938d6c
Opcode Fuzzy Hash: 68E092CC17B5D469B71A2789284236241D5C763A35C18B752D332376DF8E58021EE60A
Instruction Fuzzy Hash: d360bd029940f6fa4d12d7627fe3e8b46839e67e31e965d43504e39a11938d6c

APIs

FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 0047111D
GetWindow.USER32(00000000,00000005), ref: 00471125
GetClassNameA.USER32(00000000,?,00000080), ref: 0047113D
ShowWindow.USER32(00000000,00000001), ref: 0047117C
ShowWindow.USER32(00000000,00000000), ref: 00471186
GetWindow.USER32(00000000,00000002), ref: 0047118E

Strings

BUTTON, xrefs: 00471168
Shell_TrayWnd, xrefs: 00471118

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040DA34, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 56 Total matches: 16filewindow

Similarity

Total matches: 16
API ID: GetStdHandleWriteFile$CharToOemLoadStringMessageBox
String ID: LPI
API String ID: 3807148645-863635926
Opcode ID: 539cd2763de28bf02588dbfeae931fa34031625c31423c558e1c96719d1f86e4
Instruction ID: 5b0ab8211e0f5c40d4b1780363d5c9b524eff0228eb78845b7b0cb7c9884c59c
Opcode Fuzzy Hash: B1E09A464E3CA62353002E1070C6B892287EF4302E93833828A11787D74E3104E9A21C
Instruction Fuzzy Hash: 5b0ab8211e0f5c40d4b1780363d5c9b524eff0228eb78845b7b0cb7c9884c59c

APIs

Part of subcall function 0040D8AC: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040D8C9
Part of subcall function 0040D8AC: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040D8ED
Part of subcall function 0040D8AC: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040D908
Part of subcall function 0040D8AC: LoadStringA.USER32(00000000,0000FFED,?,00000100), ref: 0040D99E

CharToOemA.USER32(?,?), ref: 0040DA6B
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,0040E1ED,0040E312,0040FDD4,00000000,0040FF18), ref: 0040DA88
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?), ref: 0040DA8E
GetStdHandle.KERNEL32(000000F4,0040DAF8,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,0040E1ED,0040E312,0040FDD4,00000000,0040FF18), ref: 0040DAA3
WriteFile.KERNEL32(00000000,000000F4,0040DAF8,00000002,?), ref: 0040DAA9
LoadStringA.USER32(00000000,0000FFEE,?,00000040), ref: 0040DACB
MessageBoxA.USER32(00000000,?,?,00002010), ref: 0040DAE1

Strings

LPI, xrefs: 0040DA48

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004564D0, Relevance: 13.7, APIs: 9, Instructions: 177 Total matches: 190window

Similarity

Total matches: 190
API ID: SelectObject$BeginPaintBitBltCreateCompatibleBitmapCreateCompatibleDCSetWindowOrgEx
String ID:
API String ID: 1616898104-0
Opcode ID: 00b711a092303d63a394b0039c66d91bff64c6bf82b839551a80748cfcb5bf1e
Instruction ID: 1affb125a654ca7596d0e4f6c4811def945eff925a29ebecd1c68cf0f38a7913
Opcode Fuzzy Hash: 14115B85024DA637E8739CC85E83F962294F307D48C91F7729BA31B2C72F15600DD293
Instruction Fuzzy Hash: 1affb125a654ca7596d0e4f6c4811def945eff925a29ebecd1c68cf0f38a7913

APIs

Part of subcall function 00455D50: BeginPaint.USER32(00000000,?), ref: 00455D7B
Part of subcall function 00455D50: SaveDC.GDI32(00000000), ref: 00455DB4
Part of subcall function 00455D50: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 00455E36
Part of subcall function 00455D50: RestoreDC.GDI32(00000000,00000000), ref: 00455E6C
Part of subcall function 00455D50: EndPaint.USER32(00000000,?), ref: 00455EA9

BeginPaint.USER32(00000000,?), ref: 004565EA
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00456600
CreateCompatibleDC.GDI32(00000000), ref: 00456617
SelectObject.GDI32(?,?), ref: 00456627
SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0045664B

Part of subcall function 004564D0: BeginPaint.USER32(00000000,?), ref: 0045653C
Part of subcall function 004564D0: EndPaint.USER32(00000000,?), ref: 004565D0

BitBlt.GDI32(00000000,?,?,?,?,?,?,?,00CC0020), ref: 00456699
SelectObject.GDI32(?,?), ref: 004566B3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004840D8, Relevance: 13.6, APIs: 9, Instructions: 150 Total matches: 30

Similarity

Total matches: 30
API ID: CloseHandleGetTokenInformationLookupAccountSid$GetLastErrorOpenProcessOpenProcessToken
String ID:
API String ID: 1387212650-0
Opcode ID: 55fc45e655e8bcad6bc41288bae252f5ee7be0b7cb976adfe173a6785b05be5f
Instruction ID: 4c6b5abeafcca947752a893948ed48d42e020b1fe5683f4a654fc51f6199c0a3
Opcode Fuzzy Hash: 3901484A17CA2293F53BB5C82483FEA1215E702B45D48B7A354F43A59A5F45A13BF702
Instruction Fuzzy Hash: 4c6b5abeafcca947752a893948ed48d42e020b1fe5683f4a654fc51f6199c0a3

APIs

OpenProcess.KERNEL32(00000400,00000000,?,00000000,00484275), ref: 00484108
OpenProcessToken.ADVAPI32(00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 0048411E
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,?,00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 00484139
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),?,?,?,?,TokenIntegrityLevel,00000000,00000000,?,00000000,00000008,?,00000400,00000000), ref: 00484168
GetLastError.KERNEL32(?,TokenIntegrityLevel,00000000,00000000,?,00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 00484177
CloseHandle.KERNEL32(?), ref: 00484185
LookupAccountSidA.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 004841B4
LookupAccountSidA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,?), ref: 00484205
CloseHandle.KERNEL32(00000000), ref: 00484255

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00451458, Relevance: 13.6, APIs: 9, Instructions: 122 Total matches: 3040window

Similarity

Total matches: 3040
API ID: PatBlt$SelectObject$GetDCExGetDesktopWindowReleaseDC
String ID:
API String ID: 2402848322-0
Opcode ID: 0b1cd19b0e82695ca21d43bacf455c9985e1afa33c1b29ce2f3a7090b744ccb2
Instruction ID: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593
Opcode Fuzzy Hash: C2F0B4482AADF707C8B6350915C7F79224AED736458F4BB694DB4172CBAF27B014D093
Instruction Fuzzy Hash: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593

APIs

GetDesktopWindow.USER32 ref: 0045148F
GetDCEx.USER32(?,00000000,00000402), ref: 004514A2

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

SelectObject.GDI32(?,00000000), ref: 004514C5
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 004514EB
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0045150D
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 0045152C
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 00451546
SelectObject.GDI32(?,?), ref: 00451553
ReleaseDC.USER32(?,?), ref: 0045156D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00465598, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 194 Total matches: 72libraryloader

Similarity

Total matches: 72
API ID: GetProcAddress$IsBadReadPtrLoadLibrary
String ID: BuildImportTable: GetProcAddress failed$BuildImportTable: ReallocMemory failed$BuildImportTable: can't load library:
API String ID: 1616315271-1384308123
Opcode ID: eb45955122e677bac4d3e7b6686ec9cba9f45ae3ef48f3e0b242e9a0c3719a7c
Instruction ID: d25742ef4bc1d51b96969838743a3f95180d575e7d72d5f7fe617812cb4009d6
Opcode Fuzzy Hash: 0B214C420345E0D3ED39A2081CC7FB15345EF639B4D88AB671ABB667FA2985500AF50D
Instruction Fuzzy Hash: d25742ef4bc1d51b96969838743a3f95180d575e7d72d5f7fe617812cb4009d6

APIs

LoadLibraryA.KERNEL32(00000000), ref: 00465607
GetProcAddress.KERNEL32(?,?), ref: 00465737
GetProcAddress.KERNEL32(?,?), ref: 0046576B
IsBadReadPtr.KERNEL32(?,00000014,00000000,004657D8), ref: 004657A9

Strings

BuildImportTable: can't load library: , xrefs: 00465644
BuildImportTable: ReallocMemory failed, xrefs: 0046568D
BuildImportTable: GetProcAddress failed, xrefs: 0046577C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482E34, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 193 Total matches: 16sleepthread

Similarity

Total matches: 16
API ID: Sleep$CreateThreadExitThread
String ID: .255$127.0.0.1$LanList
API String ID: 1155887905-2919614961
Opcode ID: f9aceb7697053a60f8f2203743265727de6b3c16a25ac160ebf033b594fe70c2
Instruction ID: 67bc21a589158fc7afeef0b5d02271f7d18e2bfc14a4273c93325a5ef21c2c98
Opcode Fuzzy Hash: 62215C820F87955EED616C807C41FA701315FB7649D4FAB622A6B3A1A74E032016B743
Instruction Fuzzy Hash: 67bc21a589158fc7afeef0b5d02271f7d18e2bfc14a4273c93325a5ef21c2c98

APIs

ExitThread.KERNEL32(00000000,00000000,004830D3,?,?,?,?,00000000,00000000), ref: 004830A6

Part of subcall function 00473208: socket.WSOCK32(00000002,00000001,00000000,00000000,00473339), ref: 0047323B
Part of subcall function 00473208: WSAIoctl.WS2_32(000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000), ref: 0047327C
Part of subcall function 00473208: inet_ntoa.WSOCK32(?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000), ref: 004732AC
Part of subcall function 00473208: inet_ntoa.WSOCK32(?,?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001), ref: 004732E8
Part of subcall function 00473208: closesocket.WSOCK32(000000FF,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000,00000000,00473339), ref: 00473319

CreateThread.KERNEL32(00000000,00000000,Function_00082CDC,?,00000000,?), ref: 00483005
Sleep.KERNEL32(00000032,00000000,00000000,Function_00082CDC,?,00000000,?,?,00000000,00000000,00483104,?,00483104,?,00483104,?), ref: 0048300C
Sleep.KERNEL32(00000064,.255,?,00483104,?,00483104,?,?,00000000,004830D3,?,?,?,?,00000000,00000000), ref: 00483054

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

127.0.0.1, xrefs: 00482E9D
LanList, xrefs: 0048306B
.255, xrefs: 0048303C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004117E8, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: f440f800a6dcfa6827f62dcd7c23166eba4d720ac19948e634cff8498f9e3f0b
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 4D113503239AAB83B0257B804C83F24D1D0DE42D36ACD97B8C672693F32601561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00411881
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041189D
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 004118D6
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411953
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0041196C
VariantCopy.OLEAUT32(?), ref: 004119A1

Strings

, xrefs: 00411802

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00454934, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 134 Total matches: 1764registry

Similarity

Total matches: 1764
API ID: GetWindowLong$GetClassInfoRegisterClassSetWindowLongUnregisterClass
String ID: @
API String ID: 2433521760-2766056989
Opcode ID: bb057d11bcffa2997f58ae607b8aec9f6d517787b85221cca69b6bc40098651c
Instruction ID: 4013627ed433dbc6b152acdb164a0da3d29e3622e0b68fd627badcaca3a3b516
Opcode Fuzzy Hash: 5A119C80560CD237E7D669A4B48378513749F97B7CDD0536B63F6242DA4E00402DF96E
Instruction Fuzzy Hash: 4013627ed433dbc6b152acdb164a0da3d29e3622e0b68fd627badcaca3a3b516

APIs

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetClassInfoA.USER32(?,?,?), ref: 004549F8
UnregisterClassA.USER32(?,?), ref: 00454A20
RegisterClassA.USER32(?), ref: 00454A36
GetWindowLongA.USER32(00000000,000000F0), ref: 00454A72
GetWindowLongA.USER32(00000000,000000F4), ref: 00454A87
SetWindowLongA.USER32(00000000,000000F4,00000000), ref: 00454A9A

Part of subcall function 00458910: IsIconic.USER32(?), ref: 0045891F
Part of subcall function 00458910: GetWindowPlacement.USER32(?,0000002C), ref: 0045893C
Part of subcall function 00458910: GetWindowRect.USER32(?), ref: 00458955
Part of subcall function 00458910: GetWindowLongA.USER32(?,000000F0), ref: 00458963
Part of subcall function 00458910: GetWindowLongA.USER32(?,000000F8), ref: 00458978
Part of subcall function 00458910: ScreenToClient.USER32(00000000), ref: 00458985
Part of subcall function 00458910: ScreenToClient.USER32(00000000,?), ref: 00458990

Part of subcall function 0042473C: CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,00424930,?,00000000,00424958), ref: 0042486B
Part of subcall function 0042473C: CreateFontIndirectA.GDI32(?), ref: 0042490D

Part of subcall function 0040F26C: GetLastError.KERNEL32(0040F31C,?,0041BBC3,?), ref: 0040F26C

Strings

@, xrefs: 0045496D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AC14, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 110 Total matches: 30

Similarity

Total matches: 30
API ID: GetCurrentProcessGetTokenInformationLookupPrivilegeDisplayNameLookupPrivilegeNameOpenProcessToken
String ID: GetTokenInformation error$OpenProcessToken error
API String ID: 34442935-1842041635
Opcode ID: 07715b92dc7caf9e715539a578f275bcd2bb60a34190f84cc6cf05c55eb8ea49
Instruction ID: 380ab001647c8b3903b6034fc21424389ae21c1771cfbd9cf9b74ae493e33b6b
Opcode Fuzzy Hash: 9101994303ACF753F62929086842BDA0550DF534A5EC4AB6281746BEC90F28203AFB57
Instruction Fuzzy Hash: 380ab001647c8b3903b6034fc21424389ae21c1771cfbd9cf9b74ae493e33b6b

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AD60), ref: 0048AC51
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AD60), ref: 0048AC57
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000320,?,00000000,00000028,?,00000000,0048AD60), ref: 0048AC7D
LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,00000000,000000FF,?), ref: 0048ACEE

Part of subcall function 00489B40: MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00489B84

LookupPrivilegeNameA.ADVAPI32(00000000,?,00000000,000000FF), ref: 0048ACDD

Strings

GetTokenInformation error, xrefs: 0048AC86
OpenProcessToken error, xrefs: 0048AC60

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0041F7B4, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109 Total matches: 16thread

Similarity

Total matches: 16
API ID: EnterCriticalSectionGetCurrentThreadId$InterlockedExchangeLeaveCriticalSection
String ID: 4PI
API String ID: 853095497-1771581502
Opcode ID: e7ac2c5012fa839d146893c0705f22c4635eb548c5d0be0363ce03b581d14a20
Instruction ID: e450c16710015a04d827bdf36dba62923dd4328c0a0834b889eda6f9c026b195
Opcode Fuzzy Hash: 46F0268206D8F1379472678830D77370A8AC33154EC85EB52162C376EB1D05D05DE75B
Instruction Fuzzy Hash: e450c16710015a04d827bdf36dba62923dd4328c0a0834b889eda6f9c026b195

APIs

GetCurrentThreadId.KERNEL32 ref: 0041F7BF
GetCurrentThreadId.KERNEL32 ref: 0041F7CE
EnterCriticalSection.KERNEL32(004999D0,0041F904,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F8F7

Part of subcall function 0041F774: WaitForSingleObject.KERNEL32(000000EC), ref: 0041F77E

Part of subcall function 0041F768: ResetEvent.KERNEL32(000000EC,0041F809), ref: 0041F76E

EnterCriticalSection.KERNEL32(004999D0), ref: 0041F813
InterlockedExchange.KERNEL32(00491B2C,?), ref: 0041F82F
LeaveCriticalSection.KERNEL32(004999D0,00000000,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F888

Strings

4PI, xrefs: 0041F7C4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00449834, Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 80 Total matches: 16libraryloader

Similarity

Total matches: 16
API ID: GetModuleHandleGetProcAddressImageList_Write
String ID: $qA$ImageList_WriteEx$[FILE]$[FILE]
API String ID: 3028349119-1134023085
Opcode ID: 9b6b780f1487285524870f905d0420896c1378cf45dbecae2d97141bf0e14d48
Instruction ID: 043155abd17610354dead4f4dd3580dd0e6203469d1d2f069e389e4af6e4a666
Opcode Fuzzy Hash: 29F059C6A0CCF14AE7175584B0AB66107F0BB9DD5F8C87710081C710A90F95A13DFB56
Instruction Fuzzy Hash: 043155abd17610354dead4f4dd3580dd0e6203469d1d2f069e389e4af6e4a666

APIs

ImageList_Write.COMCTL32(00000000,?,00000000,0044992E), ref: 004498F8

Part of subcall function 0040E3A4: GetFileVersionInfoSizeA.VERSION(00000000,?,00000000,0040E47A), ref: 0040E3E6
Part of subcall function 0040E3A4: GetFileVersionInfoA.VERSION(00000000,?,00000000,?,00000000,0040E45D,?,00000000,?,00000000,0040E47A), ref: 0040E41B
Part of subcall function 0040E3A4: VerQueryValueA.VERSION(?,0040E48C,?,?,00000000,?,00000000,?,00000000,0040E45D,?,00000000,?,00000000,0040E47A), ref: 0040E435

GetModuleHandleA.KERNEL32(comctl32.dll), ref: 00449868
GetProcAddress.KERNEL32(00000000,ImageList_WriteEx,comctl32.dll), ref: 00449879

Strings

comctl32.dll, xrefs: 00449863
ImageList_WriteEx, xrefs: 00449873
$qA, xrefs: 004498D4, 00449909
comctl32.dll, xrefs: 00449848

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E4A0, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68 Total matches: 2853string

Similarity

Total matches: 2853
API ID: GetSystemMetrics$GetMonitorInfoSystemParametersInfolstrcpy
String ID: DISPLAY$GetMonitorInfo
API String ID: 3432438702-1633989206
Opcode ID: eae47ffeee35c10db4cae29e8a4ab830895bcae59048fb7015cdc7d8cb0a928b
Instruction ID: 74142331967dee0409fd24cf408a58a7466f2520650418456c75ade1e3029da4
Opcode Fuzzy Hash: 28E068803A699081F86A71027110F4912B07AE7E47D883B92C4777051BD78265B91D01
Instruction Fuzzy Hash: 74142331967dee0409fd24cf408a58a7466f2520650418456c75ade1e3029da4

APIs

GetMonitorInfoA.USER32(?,?), ref: 0042E4D1
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042E4F8
GetSystemMetrics.USER32(00000000), ref: 0042E50D
GetSystemMetrics.USER32(00000001), ref: 0042E518
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0042E542

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

DISPLAY, xrefs: 0042E539
GetMonitorInfo, xrefs: 0042E4B8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004052FC, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38 Total matches: 3072filewindow

Similarity

Total matches: 3072
API ID: GetStdHandleWriteFile$MessageBox
String ID: Error$Runtime error at 00000000
API String ID: 877302783-2970929446
Opcode ID: a2f2a555d5de0ed3a3cdfe8a362fd9574088acc3a5edf2b323f2c4251b80d146
Instruction ID: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97
Opcode Fuzzy Hash: FED0A7C68438479FA141326030C4B2A00133F0762A9CC7396366CB51DFCF4954BCDD05
Instruction Fuzzy Hash: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405335
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 0040533B
GetStdHandle.KERNEL32(000000F5,00405384,00000002,?,00000000,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405350
WriteFile.KERNEL32(00000000,000000F5,00405384,00000002,?), ref: 00405356
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00405374

Strings

Error, xrefs: 00405368
Runtime error at 00000000, xrefs: 0040532E, 0040536D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00442C9C, Relevance: 12.2, APIs: 8, Instructions: 154 Total matches: 2310window

Similarity

Total matches: 2310
API ID: SendMessage$GetActiveWindowGetCapture$ReleaseCapture
String ID:
API String ID: 3360342259-0
Opcode ID: 2e7a3c9d637816ea08647afd4d8ce4a3829e05fa187c32cef18f4a4206af3d5d
Instruction ID: f313f7327938110f0d474da6a120560d1e1833014bacf3192a9076ddb3ef11f7
Opcode Fuzzy Hash: 8F1150111E8E7417F8A3A1C8349BB23A067F74FA59CC0BF71479A610D557588869D707
Instruction Fuzzy Hash: f313f7327938110f0d474da6a120560d1e1833014bacf3192a9076ddb3ef11f7

APIs

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetCapture.USER32 ref: 00442D0D
GetCapture.USER32 ref: 00442D1C
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00442D22
ReleaseCapture.USER32 ref: 00442D27
GetActiveWindow.USER32 ref: 00442D78

Part of subcall function 004442A8: GetCursorPos.USER32 ref: 004442C3
Part of subcall function 004442A8: WindowFromPoint.USER32(?,?), ref: 004442D0
Part of subcall function 004442A8: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004442DE
Part of subcall function 004442A8: GetCurrentThreadId.KERNEL32(00000000,00000000,?,?), ref: 004442E5
Part of subcall function 004442A8: SendMessageA.USER32(00000000,00000084,00000000,?), ref: 0044430E
Part of subcall function 004442A8: SendMessageA.USER32(00000000,00000020,00000000,?), ref: 00444320
Part of subcall function 004442A8: SetCursor.USER32(00000000), ref: 00444332

Part of subcall function 0043B920: GetCurrentThreadId.KERNEL32(0043B8D0,00000000,00000000,0043B993,?,00000000,0043B9D1), ref: 0043B976
Part of subcall function 0043B920: EnumThreadWindows.USER32(00000000,0043B8D0,00000000), ref: 0043B97C

SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00442E0E
SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00442E7B
GetActiveWindow.USER32 ref: 00442E8A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E0DC, Relevance: 12.1, APIs: 8, Instructions: 100 Total matches: 31registry

Similarity

Total matches: 31
API ID: RegOpenKeyEx$RegCloseKeyRegDeleteValue
String ID:
API String ID: 2702562355-0
Opcode ID: ff1bffc0fc9da49c543c68ea8f8c068e074332158ed00d7e0855fec77d15ce10
Instruction ID: bb6f8a9e936068d281b70d3ea2ea02ff1a791729bc38357734c580253c916b5c
Opcode Fuzzy Hash: 00F0AD0155E9A353EBF654C41E127DB2082FF43A44D08FFB50392139D3DF581028E663
Instruction Fuzzy Hash: bb6f8a9e936068d281b70d3ea2ea02ff1a791729bc38357734c580253c916b5c

APIs

RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?,00000000,0046E238), ref: 0046E15A
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,000F003F,?,0046E23F,80000000,00000000,00000000,000F003F,?,00000000,0046E238), ref: 0046E17D
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,0046E23F,80000000,00000000,00000000,000F003F,?), ref: 0046E19D
RegOpenKeyExA.ADVAPI32(80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,0046E23F), ref: 0046E1BD
RegOpenKeyExA.ADVAPI32(80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001), ref: 0046E1DD
RegOpenKeyExA.ADVAPI32(80000006,00000000,00000000,000F003F,?,80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002), ref: 0046E1FD
RegDeleteValueA.ADVAPI32(?,00000000,00000000,0046E238), ref: 0046E20F
RegCloseKey.ADVAPI32(?,?,00000000,00000000,0046E238), ref: 0046E218

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004462F4, Relevance: 12.1, APIs: 8, Instructions: 99 Total matches: 293windowthread

Similarity

Total matches: 293
API ID: SendMessage$GetWindowThreadProcessId$GetCaptureGetParentIsWindowUnicode
String ID:
API String ID: 2317708721-0
Opcode ID: 8f6741418f060f953fc426fb00df5905d81b57fcb2f7a38cdc97cb0aab6d7365
Instruction ID: 027f2b09132ef415e1641618d15c0fc03404835376b0cbd1c352fc703b58c8b5
Opcode Fuzzy Hash: D0F09E15071D1844F89FA7844CD3F1F0150E73726FC516A251861D07BB2640586DEC40
Instruction Fuzzy Hash: 027f2b09132ef415e1641618d15c0fc03404835376b0cbd1c352fc703b58c8b5

APIs

GetCapture.USER32 ref: 0044631A
GetParent.USER32(00000000), ref: 00446340
IsWindowUnicode.USER32(00000000), ref: 0044635D
SendMessageW.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446378
SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446397
GetWindowThreadProcessId.USER32(00000000), ref: 004463A6
GetWindowThreadProcessId.USER32(?,?), ref: 004463B4
SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 004463D4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E244, Relevance: 12.1, APIs: 8, Instructions: 95 Total matches: 27registry

Similarity

Total matches: 27
API ID: RegOpenKeyEx$RegCloseKeyRegDeleteKey
String ID:
API String ID: 1588268847-0
Opcode ID: efa1fa3a126963e045954320cca245066a4b5764b694b03be027155e6cf74c33
Instruction ID: 786d86d630c0ce6decb55c8266b1f23f89dbfeab872e22862efc69a80fb541cf
Opcode Fuzzy Hash: 70F0810454D99393EFF268C81A627EB2492FF53141C00BFB603D222A93DF191428E663
Instruction Fuzzy Hash: 786d86d630c0ce6decb55c8266b1f23f89dbfeab872e22862efc69a80fb541cf

APIs

RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?,00000000,0046E391), ref: 0046E2B7
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,000F003F,?,80000000,00000000,00000000,000F003F,?,00000000,0046E391), ref: 0046E2DA
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,80000000,00000000,00000000,000F003F,?,00000000), ref: 0046E2FA
RegOpenKeyExA.ADVAPI32(80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,80000000), ref: 0046E31A
RegOpenKeyExA.ADVAPI32(80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001), ref: 0046E33A
RegOpenKeyExA.ADVAPI32(80000006,00000000,00000000,000F003F,?,80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002), ref: 0046E35A
RegDeleteKeyA.ADVAPI32(?,0046E39C), ref: 0046E368
RegCloseKey.ADVAPI32(?,?,0046E39C,00000000,0046E391), ref: 0046E371

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426060, Relevance: 12.1, APIs: 8, Instructions: 79 Total matches: 3072window

Similarity

Total matches: 3072
API ID: GetSystemPaletteEntries$GetDCGetDeviceCapsReleaseDC
String ID:
API String ID: 3774187343-0
Opcode ID: c8a1f0028bda89d06ba34fecd970438ce26e4f5bd606e2da3d468695089984a8
Instruction ID: 0cfe958825060108f21fe327ec74807f3ea840bb8274bad68fd1d00675d59d02
Opcode Fuzzy Hash: 82F0E9420739F3B3B21723492453B548250FF006B8F195B7095A2A37D54B486A08D65A
Instruction Fuzzy Hash: 0cfe958825060108f21fe327ec74807f3ea840bb8274bad68fd1d00675d59d02

APIs

GetDC.USER32(00000000), ref: 0042608E
GetDeviceCaps.GDI32(?,00000068), ref: 004260AA
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 004260C9
GetSystemPaletteEntries.GDI32(?,-00000008,00000001,00C0C0C0), ref: 004260ED
GetSystemPaletteEntries.GDI32(?,00000000,00000007,?), ref: 0042610B
GetSystemPaletteEntries.GDI32(?,00000007,00000001,?), ref: 0042611F
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0042613F
ReleaseDC.USER32(00000000,?), ref: 00426157

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434550, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 177 Total matches: 2669window

Similarity

Total matches: 2669
API ID: InsertMenu$GetVersionInsertMenuItem
String ID: ,$?
API String ID: 1158528009-2308483597
Opcode ID: 3691d3eb49acf7fe282d18733ae3af9147e5be4a4a7370c263688d5644077239
Instruction ID: d88e58a9695d0ecde36b26a9ed5775f3b98e27f7dc2108173ae1ec2afbf22209
Opcode Fuzzy Hash: 7021C07202AE81DBD414788C7954F6221B16B5465FD49FF210329B5DD98F156003FF7A
Instruction Fuzzy Hash: d88e58a9695d0ecde36b26a9ed5775f3b98e27f7dc2108173ae1ec2afbf22209

APIs

GetVersion.KERNEL32(00000000,004347A1), ref: 004345EC
InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 004346F5
InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 0043477E

Part of subcall function 00434A54: CreatePopupMenu.USER32 ref: 00434A6F
Part of subcall function 00434A54: CreateMenu.USER32 ref: 00434A79

InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 00434765

Strings

?, xrefs: 00434607
,, xrefs: 00434600

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00488D70, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 139 Total matches: 17window

Similarity

Total matches: 17
API ID: BitBltCreateCompatibleBitmapCreateCompatibleDCCreateDCSelectObject
String ID: image/jpeg
API String ID: 3045076971-3785015651
Opcode ID: dbe4b5206c04ddfa7cec44dd0e3e3f3269a9d8eacf2ec53212285f1a385d973c
Instruction ID: b6a9b81207b66fd46b40be05ec884117bb921c7e8fb4f30b77988d552b54040a
Opcode Fuzzy Hash: 3001BD010F4EF103E475B5CC3853FF7698AEB17E8AD1A77A20CB8961839202A009F607
Instruction Fuzzy Hash: b6a9b81207b66fd46b40be05ec884117bb921c7e8fb4f30b77988d552b54040a

APIs

CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 00488DAA
CreateCompatibleDC.GDI32(?), ref: 00488DC4
CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 00488DDC
SelectObject.GDI32(?,?), ref: 00488DEC
BitBlt.GDI32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,00CC0020), ref: 00488E15

Part of subcall function 0045FB1C: GdipCreateBitmapFromHBITMAP.GDIPLUS(?,?,?), ref: 0045FB43

Part of subcall function 0045FA24: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,0045FA7A), ref: 0045FA54

Strings

image/jpeg, xrefs: 00488E70

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446834, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 138 Total matches: 241window

Similarity

Total matches: 241
API ID: SetWindowPos$GetWindowRectMessageBoxSetActiveWindow
String ID: (
API String ID: 3733400490-3887548279
Opcode ID: 057cc1c80f110adb1076bc5495aef73694a74091f1d008cb79dd59c6bbc78491
Instruction ID: b10abcdf8b99517cb61353ac0e0d7546e107988409174f4fad3563684715349e
Opcode Fuzzy Hash: 88014C110E8D5483B57334902893FAB110AFB8B789C4CF7F65ED25314A4B45612FA657
Instruction Fuzzy Hash: b10abcdf8b99517cb61353ac0e0d7546e107988409174f4fad3563684715349e

APIs

Part of subcall function 00447BE4: GetActiveWindow.USER32 ref: 00447C0B
Part of subcall function 00447BE4: GetLastActivePopup.USER32(?), ref: 00447C1D

GetWindowRect.USER32(?,?), ref: 004468B6
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 004468EE

Part of subcall function 0043B920: GetCurrentThreadId.KERNEL32(0043B8D0,00000000,00000000,0043B993,?,00000000,0043B9D1), ref: 0043B976
Part of subcall function 0043B920: EnumThreadWindows.USER32(00000000,0043B8D0,00000000), ref: 0043B97C

MessageBoxA.USER32(00000000,?,?,?), ref: 0044692D
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0044697D

Part of subcall function 0043B9E4: IsWindow.USER32(?), ref: 0043B9F2
Part of subcall function 0043B9E4: EnableWindow.USER32(?,000000FF), ref: 0043BA01

SetActiveWindow.USER32(00000000), ref: 0044698E

Strings

(, xrefs: 00446893

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446524, Relevance: 10.6, APIs: 7, Instructions: 105 Total matches: 329window

Similarity

Total matches: 329
API ID: PeekMessage$DispatchMessage$IsWindowUnicodeTranslateMessage
String ID:
API String ID: 94033680-0
Opcode ID: 72d0e2097018c2d171db36cd9dd5c7d628984fd68ad100676ade8b40d7967d7f
Instruction ID: b3581f7210794b57d406096c46509e1a6dcc6e0b3c60c7d01b5c3c410123a072
Opcode Fuzzy Hash: A2F0F642161A8221F90E364651E2FC06559E31F39CCD1D3871165A4192DF8573D6F95C
Instruction Fuzzy Hash: b3581f7210794b57d406096c46509e1a6dcc6e0b3c60c7d01b5c3c410123a072

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00446538
IsWindowUnicode.USER32 ref: 0044654C
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0044656D
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00446583

Part of subcall function 00447DD0: GetCapture.USER32 ref: 00447DDA
Part of subcall function 00447DD0: GetParent.USER32(00000000), ref: 00447E08

Part of subcall function 004462A4: TranslateMDISysAccel.USER32(?), ref: 004462E3

Part of subcall function 004462F4: GetCapture.USER32 ref: 0044631A
Part of subcall function 004462F4: GetParent.USER32(00000000), ref: 00446340
Part of subcall function 004462F4: IsWindowUnicode.USER32(00000000), ref: 0044635D
Part of subcall function 004462F4: SendMessageW.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446378
Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446397
Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(00000000), ref: 004463A6
Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(?,?), ref: 004463B4
Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 004463D4

Part of subcall function 0044625C: IsWindowUnicode.USER32(00000000), ref: 00446270
Part of subcall function 0044625C: IsDialogMessageW.USER32(?), ref: 00446281
Part of subcall function 0044625C: IsDialogMessageA.USER32(?,?,00000000,015B8130,00000001,00446607,?,00000000,00000000,00000000,00000001,?,00000000,00000000,00000000,00000000), ref: 00446296

TranslateMessage.USER32 ref: 0044660C
DispatchMessageW.USER32 ref: 00446618
DispatchMessageA.USER32 ref: 00446620

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004282D0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99 Total matches: 1938

Similarity

Total matches: 1938
API ID: GetWinMetaFileBitsMulDiv$GetDC
String ID: `
API String ID: 1171737091-2679148245
Opcode ID: 97e0afb71fd3017264d25721d611b96d1ac3823582e31f119ebb41a52f378edb
Instruction ID: fd1c75cb27f8ccc4a85bc281ca680933f7ff10ae91a160973978cac80d6b42b6
Opcode Fuzzy Hash: B6F0ACC4008CD2A7D87675DC1043F6311C897CA286E89BB739226A7307CB0AA019EC47
Instruction Fuzzy Hash: fd1c75cb27f8ccc4a85bc281ca680933f7ff10ae91a160973978cac80d6b42b6

APIs

MulDiv.KERNEL32(?,?,000009EC), ref: 00428322
MulDiv.KERNEL32(?,?,000009EC), ref: 00428339
GetDC.USER32(00000000), ref: 00428350
GetWinMetaFileBits.GDI32(?,00000000,00000000,00000008,?), ref: 00428374
GetWinMetaFileBits.GDI32(?,?,?,00000008,?), ref: 004283A7

Part of subcall function 00425A70: GetLastError.KERNEL32(00000000,00425B0C), ref: 00425A90
Part of subcall function 00425A70: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00425B0C), ref: 00425AB6

Strings

`, xrefs: 00428308

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444344, Relevance: 10.6, APIs: 7, Instructions: 89 Total matches: 2886

Similarity

Total matches: 2886
API ID: CreateFontIndirect$GetStockObjectSystemParametersInfo
String ID:
API String ID: 1286667049-0
Opcode ID: beeb678630a8d2ca0f721ed15124802961745e4c56d7c704ecddf8ebfa723626
Instruction ID: b9276e4cea0afd1028da4d528d34847b13dbaab52dc8e94e54053a20ac38a9fc
Opcode Fuzzy Hash: 00F0A4C36341F6F2D8993208742172161E6A74AE78C7CFF62422930ED2661A052EEB4F
Instruction Fuzzy Hash: b9276e4cea0afd1028da4d528d34847b13dbaab52dc8e94e54053a20ac38a9fc

APIs

SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 00444399
CreateFontIndirectA.GDI32(?), ref: 004443A6
GetStockObject.GDI32(0000000D), ref: 004443BC
SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 004443E5
CreateFontIndirectA.GDI32(?), ref: 004443F5
CreateFontIndirectA.GDI32(?), ref: 0044440E

Part of subcall function 00424A5C: MulDiv.KERNEL32(00000000,?,00000048), ref: 00424A69

GetStockObject.GDI32(0000000D), ref: 00444434

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428A00, Relevance: 10.6, APIs: 7, Instructions: 66 Total matches: 3056

Similarity

Total matches: 3056
API ID: SelectObject$CreateCompatibleDCDeleteDCGetDCReleaseDCSetDIBColorTable
String ID:
API String ID: 2399757882-0
Opcode ID: e05996493a4a7703f1d90fd319a439bf5e8e75d5a5d7afaf7582bfea387cb30d
Instruction ID: 90c847b5b2251fbb5b2f14fd0b24f537c214c92e226752d9278a3821f2f40b8f
Opcode Fuzzy Hash: 73E0DF8626D8F38BE435399C15C2BB202EAD763D20D1ABBA1CD712B5DB6B09701CE107
Instruction Fuzzy Hash: 90c847b5b2251fbb5b2f14fd0b24f537c214c92e226752d9278a3821f2f40b8f

APIs

Part of subcall function 004262B4: GetObjectA.GDI32(?,00000004), ref: 004262CB
Part of subcall function 004262B4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 004262EE

GetDC.USER32(00000000), ref: 00428A3E
CreateCompatibleDC.GDI32(?), ref: 00428A4A
SelectObject.GDI32(?), ref: 00428A57
SetDIBColorTable.GDI32(?,00000000,00000000,?), ref: 00428A7B
SelectObject.GDI32(?,?), ref: 00428A95
DeleteDC.GDI32(?), ref: 00428A9E
ReleaseDC.USER32(00000000,?), ref: 00428AA9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004442A8, Relevance: 10.6, APIs: 7, Instructions: 57 Total matches: 3149threadwindow

Similarity

Total matches: 3149
API ID: SendMessage$GetCurrentThreadIdGetCursorPosGetWindowThreadProcessIdSetCursorWindowFromPoint
String ID:
API String ID: 3843227220-0
Opcode ID: 636f8612f18a75fc2fe2d79306f1978e6c2d0ee500cce15a656835efa53532b4
Instruction ID: 91a0691e93be75cbd792bc1c5d11451005bcc187603754b99125f381020161aa
Opcode Fuzzy Hash: 6FE07D44093723D5C0644A295640705A6C6CB96630DC0DB86C339580FBAD0214F0BC92
Instruction Fuzzy Hash: 91a0691e93be75cbd792bc1c5d11451005bcc187603754b99125f381020161aa

APIs

GetCursorPos.USER32 ref: 004442C3
WindowFromPoint.USER32(?,?), ref: 004442D0
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004442DE
GetCurrentThreadId.KERNEL32(00000000,00000000,?,?), ref: 004442E5
SendMessageA.USER32(00000000,00000084,00000000,?), ref: 0044430E
SendMessageA.USER32(00000000,00000020,00000000,?), ref: 00444320
SetCursor.USER32(00000000), ref: 00444332

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00404448, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 49 Total matches: 63registry

Similarity

Total matches: 63
API ID: RegCloseKeyRegOpenKeyExRegQueryValueEx
String ID: &$FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 2249749755-409351
Opcode ID: ab90adbf7b939076b4d26ef1005f34fa32d43ca05e29cbeea890055cc8b783db
Instruction ID: ce62e3bb234767a160e82b0d7d36def6f0e4d1aa0fd43ed305e6d49589b0b3e0
Opcode Fuzzy Hash: 58D02BE10C9A675FB6B071543292B6310A3F72AA8CC0077326DD03A0D64FD26178CF03
Instruction Fuzzy Hash: ce62e3bb234767a160e82b0d7d36def6f0e4d1aa0fd43ed305e6d49589b0b3e0

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040446A
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,&,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040449D
RegCloseKey.ADVAPI32(?,004044C0,00000000,?,00000004,00000000,&,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004044B3

Strings

&, xrefs: 00404476
FPUMaskValue, xrefs: 00404494
SOFTWARE\Borland\Delphi\RTL, xrefs: 00404460

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00488B18, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 49 Total matches: 15

Similarity

Total matches: 15
API ID: GetDeviceCaps$CreateDCEnumDisplayMonitors
String ID: DISPLAY$MONSIZE0x0x0x0
API String ID: 764351534-707749442
Opcode ID: 4ad1b1e031ca4c6641bd4b991acf5b812f9c7536f9f0cc4eb1e7d2354d8ae31a
Instruction ID: 74f5256f7b05cb3d54b39a8883d8df7c51a1bc5999892e39300c9a7f2f74089f
Opcode Fuzzy Hash: 94E0C24F6B8BE4A7600672443C237C2878AA6536918523721CB3E36A93DD472205BA15
Instruction Fuzzy Hash: 74f5256f7b05cb3d54b39a8883d8df7c51a1bc5999892e39300c9a7f2f74089f

APIs

CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 00488B3D
GetDeviceCaps.GDI32(00000000,00000008), ref: 00488B47
GetDeviceCaps.GDI32(00000000,0000000A), ref: 00488B54
EnumDisplayMonitors.USER32(00000000,00000000,004889F0,00000000), ref: 00488B85

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

DISPLAY, xrefs: 00488B6E
MONSIZE0x0x0x0, xrefs: 00488B8C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040F3A4, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 46 Total matches: 17

Similarity

Total matches: 17
API ID: FindResourceLoadResource
String ID: 0PI$DVCLAL
API String ID: 2359726220-2981686760
Opcode ID: 800224e7684f9999f87d4ef9ea60951ae4fbd73f3e4075522447f15a278b71b4
Instruction ID: dff53e867301dc3e22b70d9e69622cb382f13005f1a49077cfe6c5f33cacb54d
Opcode Fuzzy Hash: 8FD0C9D501084285852017F8B253FC7A2AB69DEB19D544BB05EB12D2076F5A613B6A46
Instruction Fuzzy Hash: dff53e867301dc3e22b70d9e69622cb382f13005f1a49077cfe6c5f33cacb54d

APIs

FindResourceA.KERNEL32(00400000,DVCLAL,0000000A), ref: 0040F3C1
LoadResource.KERNEL32(00400000,00000000,00400000,DVCLAL,0000000A), ref: 0040F3CF
FindResourceA.KERNEL32(00400000,DVCLAL,0000000A), ref: 0040F3F3
LoadResource.KERNEL32(00400000,00000000,00400000,DVCLAL,0000000A), ref: 0040F3FA

Strings

0PI, xrefs: 0040F3A8, 0040F3B9, 0040F3C7
DVCLAL, xrefs: 0040F3B4, 0040F3EA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043EC18, Relevance: 9.2, APIs: 6, Instructions: 150 Total matches: 2896

Similarity

Total matches: 2896
API ID: FillRect$BeginPaintEndPaintGetClientRectGetWindowRect
String ID:
API String ID: 2931688664-0
Opcode ID: 677a90f33c4a0bae1c1c90245e54b31fe376033ebf9183cf3cf5f44c7b342276
Instruction ID: 65c0a0a89661e183b73f48e61e48bee5eb6d6399339ac08e0e21072a38132552
Opcode Fuzzy Hash: 9711994A819E5007F47B49C40887BEA1092FBC1FDBCC8FF7025A426BCB0B60564F860B
Instruction Fuzzy Hash: 65c0a0a89661e183b73f48e61e48bee5eb6d6399339ac08e0e21072a38132552

APIs

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?), ref: 0043EC91
GetClientRect.USER32(00000000,?), ref: 0043ECBC
FillRect.USER32(?,?,00000000), ref: 0043ECDB

Part of subcall function 0043EB8C: CallWindowProcA.USER32(?,?,?,?,?), ref: 0043EBC6

Part of subcall function 0043B78C: GetWindowLongA.USER32(?,000000EC), ref: 0043B799
Part of subcall function 0043B78C: SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B7BC
Part of subcall function 0043B78C: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043B7CE

BeginPaint.USER32(?,?), ref: 0043ED53
GetWindowRect.USER32(?,?), ref: 0043ED80

Part of subcall function 0044EEA0: GetWindowOrgEx.GDI32(?), ref: 0044EEAE
Part of subcall function 0044EEA0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044EEC4

Part of subcall function 00455D50: BeginPaint.USER32(00000000,?), ref: 00455D7B
Part of subcall function 00455D50: SaveDC.GDI32(00000000), ref: 00455DB4
Part of subcall function 00455D50: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 00455E36
Part of subcall function 00455D50: RestoreDC.GDI32(00000000,00000000), ref: 00455E6C
Part of subcall function 00455D50: EndPaint.USER32(00000000,?), ref: 00455EA9

EndPaint.USER32(?,?), ref: 0043EDE0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00441160, Relevance: 9.1, APIs: 6, Instructions: 125 Total matches: 196

Similarity

Total matches: 196
API ID: ExcludeClipRectFillRectGetStockObjectRestoreDCSaveDCSetBkColor
String ID:
API String ID: 3049133588-0
Opcode ID: d6019f6cee828ac7391376ab126a0af33bb7a71103bbd3b8d69450c96d22d854
Instruction ID: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c
Opcode Fuzzy Hash: 54012444004F6253F4AB098428E7FA56083F721791CE4FF310786616C34A74615BAA07
Instruction Fuzzy Hash: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c

APIs

Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE

SaveDC.GDI32(?), ref: 004411AD
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00441234
GetStockObject.GDI32(00000004), ref: 00441256
FillRect.USER32(00000000,?,00000000), ref: 0044126F

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(00000000,00000000), ref: 004412BA

Part of subcall function 0042535C: FillRect.USER32(?,00000000,00000000), ref: 00425385

RestoreDC.GDI32(00000000,?), ref: 004412E5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446070, Relevance: 9.1, APIs: 6, Instructions: 99 Total matches: 165window

Similarity

Total matches: 165
API ID: DefWindowProcIsWindowEnabledSetActiveWindowSetFocusSetWindowPosShowWindow
String ID:
API String ID: 81093956-0
Opcode ID: 91e5e05e051b3e2f023c100c42454c78ad979d8871dc5c9cc7008693af0beda7
Instruction ID: aa6e88dcafe1d9e979c662542ea857fd259aca5c8034ba7b6c524572af4b0f27
Opcode Fuzzy Hash: C2F0DD0025452320F892A8044167FBA60622B5F75ACDCD3282197002AEEFE7507ABF14
Instruction Fuzzy Hash: aa6e88dcafe1d9e979c662542ea857fd259aca5c8034ba7b6c524572af4b0f27

APIs

Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773

SetActiveWindow.USER32(?), ref: 0044608F
ShowWindow.USER32(00000000,00000009), ref: 004460B4
IsWindowEnabled.USER32(00000000), ref: 004460D3
DefWindowProcA.USER32(?,00000112,0000F120,00000000), ref: 004460EC

Part of subcall function 00444C44: ShowWindow.USER32(?,00000006), ref: 00444C5F

SetWindowPos.USER32(?,00000000,00000000,?,?,00445ABE,00000000), ref: 00446132
SetFocus.USER32(00000000), ref: 00446180

Part of subcall function 0043FDB4: ShowWindow.USER32(00000000,?), ref: 0043FDEA

Part of subcall function 00445490: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000213), ref: 004454DE

Part of subcall function 004455EC: EnumWindows.USER32(00445518,00000000), ref: 00445620
Part of subcall function 004455EC: ShowWindow.USER32(?,00000000), ref: 00445655
Part of subcall function 004455EC: ShowOwnedPopups.USER32(00000000,?), ref: 00445684
Part of subcall function 004455EC: ShowWindow.USER32(?,00000005), ref: 004456EA
Part of subcall function 004455EC: ShowOwnedPopups.USER32(00000000,?), ref: 00445719

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426564, Relevance: 9.1, APIs: 6, Instructions: 84 Total matches: 3298

Similarity

Total matches: 3298
API ID: GetDeviceCapsGetSystemMetrics$GetDCReleaseDC
String ID:
API String ID: 3173458388-0
Opcode ID: fd9f4716da230ae71bf1f4ec74ceb596be8590d72bfe1d7677825fa15454f496
Instruction ID: 76208f8db54bfa31a4e946745ab37a866a8afca9cd7e1400b1f436bf5add317d
Opcode Fuzzy Hash: 0CF09E4906CDE0A230E245C41213F6290C28E85DA1CCD2F728175646EB900A900BB68A
Instruction Fuzzy Hash: 76208f8db54bfa31a4e946745ab37a866a8afca9cd7e1400b1f436bf5add317d

APIs

GetSystemMetrics.USER32(0000000B), ref: 004265B2
GetSystemMetrics.USER32(0000000C), ref: 004265BE
GetDC.USER32(00000000), ref: 004265DA
GetDeviceCaps.GDI32(00000000,0000000E), ref: 00426601
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042660E
ReleaseDC.USER32(00000000,00000000), ref: 00426647

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004269DC, Relevance: 9.1, APIs: 6, Instructions: 65 Total matches: 3081window

Similarity

Total matches: 3081
API ID: SelectPalette$CreateCompatibleDCDeleteDCGetDIBitsRealizePalette
String ID:
API String ID: 940258532-0
Opcode ID: c5678bed85b02f593c88b8d4df2de58c18800a354d7fb4845608846d7bc0f30b
Instruction ID: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194
Opcode Fuzzy Hash: BCE0864D058EF36F1875B08C25D267100C0C9A25D0917BB6151282339B8F09B42FE553
Instruction Fuzzy Hash: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194

APIs

Part of subcall function 00426888: GetObjectA.GDI32(?,00000054), ref: 0042689C

CreateCompatibleDC.GDI32(00000000), ref: 004269FE
SelectPalette.GDI32(?,?,00000000), ref: 00426A1F
RealizePalette.GDI32(?), ref: 00426A2B
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 00426A42
SelectPalette.GDI32(?,00000000,00000000), ref: 00426A6A
DeleteDC.GDI32(?), ref: 00426A73

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426210, Relevance: 9.1, APIs: 6, Instructions: 56 Total matches: 3064window

Similarity

Total matches: 3064
API ID: SelectObject$CreateCompatibleDCCreatePaletteDeleteDCGetDIBColorTable
String ID:
API String ID: 2522673167-0
Opcode ID: 8f0861977a40d6dd0df59c1c8ae10ba78c97ad85d117a83679491ebdeecf1838
Instruction ID: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265
Opcode Fuzzy Hash: 23E0CD8BABB4E08A797B9EA40440641D28F874312DF4347525731780E7DE0972EBFD9D
Instruction Fuzzy Hash: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265

APIs

CreateCompatibleDC.GDI32(00000000), ref: 00426229
SelectObject.GDI32(00000000,00000000), ref: 00426232
GetDIBColorTable.GDI32(00000000,00000000,00000100,?), ref: 00426246
SelectObject.GDI32(00000000,00000000), ref: 00426252
DeleteDC.GDI32(00000000), ref: 00426258
CreatePalette.GDI32 ref: 0042629F

Part of subcall function 00426178: GetDC.USER32(00000000), ref: 00426190
Part of subcall function 00426178: GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
Part of subcall function 00426178: ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004258EC, Relevance: 9.0, APIs: 6, Instructions: 43 Total matches: 3205

Similarity

Total matches: 3205
API ID: SetBkColorSetBkMode$SelectObjectUnrealizeObject
String ID:
API String ID: 865388446-0
Opcode ID: ffaa839b37925f52af571f244b4bcc9ec6d09047a190f4aa6a6dd435522a71e3
Instruction ID: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d
Opcode Fuzzy Hash: 04D09E594221F71A98E8058442D7D520586497D532DAF3B51063B173F7F8089A05D9FC
Instruction Fuzzy Hash: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d

APIs

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

UnrealizeObject.GDI32(00000000), ref: 004258F8
SelectObject.GDI32(?,00000000), ref: 0042590A
SetBkColor.GDI32(?,00000000), ref: 0042592D
SetBkMode.GDI32(?,00000002), ref: 00425938

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(?,00000000), ref: 00425953
SetBkMode.GDI32(?,00000001), ref: 0042595E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042A930, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 112 Total matches: 272window

Similarity

Total matches: 272
API ID: CreateHalftonePaletteDeleteObjectGetDCReleaseDC
String ID: (
API String ID: 5888407-3887548279
Opcode ID: 4e22601666aff46a46581565b5bf303763a07c2fd17868808ec6dd327d665c82
Instruction ID: f57f3c124764741b0e8e00b5455ad9be4a6e3969f543885727e4b1f2e22c0620
Opcode Fuzzy Hash: 79019E5241CC6117F8D7A6547852F732644AB806A5C80FB707B69BA8CFAB85610EB90B
Instruction Fuzzy Hash: f57f3c124764741b0e8e00b5455ad9be4a6e3969f543885727e4b1f2e22c0620

APIs

GetDC.USER32(00000000), ref: 0042A9EC
CreateHalftonePalette.GDI32(00000000), ref: 0042A9F9
ReleaseDC.USER32(00000000,00000000), ref: 0042AA08
DeleteObject.GDI32(00000000), ref: 0042AA76

Strings

(, xrefs: 0042A9A3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DA48, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 102 Total matches: 32

Similarity

Total matches: 32
API ID: Netbios
String ID: %.2x-%.2x-%.2x-%.2x-%.2x-%.2x$3$memory allocation failed!
API String ID: 544444789-2654533857
Opcode ID: 22deb5ba4c8dd5858e69645675ac88c4b744798eed5cc2a6ae80ae5365d1f156
Instruction ID: 205d53b38d78d2d0723284a20418f6a6cc2e9f6e34ee92e133a3f4b1a01c78c5
Opcode Fuzzy Hash: FC0145449793E233D2635E086C60F6823228F41731FC96B56863A557DC1F09420EF26F
Instruction Fuzzy Hash: 205d53b38d78d2d0723284a20418f6a6cc2e9f6e34ee92e133a3f4b1a01c78c5

APIs

Netbios.NETAPI32(00000032), ref: 0048DA8A
Netbios.NETAPI32(00000033), ref: 0048DB01

Strings

3, xrefs: 0048DACB
memory allocation failed!, xrefs: 0048DAEB
%.2x-%.2x-%.2x-%.2x-%.2x-%.2x, xrefs: 0048DBA0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482320, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85 Total matches: 19threadsleep

Similarity

Total matches: 19
API ID: CreateThreadExitThreadSleep
String ID: @$BTRESULTUDP Flood|UDP Flood task finished!|
API String ID: 2170526433-696998096
Opcode ID: 89b2bcb3a41e7f4c01433908cc75e320bbcd6b665df0f15f136d145bd92b223a
Instruction ID: ba785c08286949be7b8d16e5cc6bc2a647116c61844ba5f345475ef84eb05628
Opcode Fuzzy Hash: F0F02B696BCAA1DFE8075C446C42B9B2054DBC740EDCBA7B2261B235819A4A34073F13
Instruction Fuzzy Hash: ba785c08286949be7b8d16e5cc6bc2a647116c61844ba5f345475ef84eb05628

APIs

Sleep.KERNEL32(00000064,?,00000000,00482455), ref: 004823D3
CreateThread.KERNEL32(00000000,00000000,Function_000821A0,00000000,00000000,?), ref: 004823E8

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000,00000000,00000000,Function_000821A0,00000000,00000000,?,00000064,?,00000000,00482455), ref: 0048242B

Strings

@, xrefs: 004823BE
BTRESULTUDP Flood|UDP Flood task finished!|, xrefs: 00482417

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004827C4, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85 Total matches: 19threadsleep

Similarity

Total matches: 19
API ID: CreateThreadExitThreadSleep
String ID: @$BTRESULTSyn Flood|Syn task finished!|
API String ID: 2170526433-491318438
Opcode ID: 44470ceb4039b0deeebf49dfd608d8deeadfb9ebb9d7d747ae665e3d160d324e
Instruction ID: 0c48cfc9b202c7a9406c9b87cea66b669ffe7f04b2bdabee49179f6eebcccd33
Opcode Fuzzy Hash: 17F02B24A7D9B5DFEC075D402D42BDB6254EBC784EDCAA7B29257234819E1A30037713
Instruction Fuzzy Hash: 0c48cfc9b202c7a9406c9b87cea66b669ffe7f04b2bdabee49179f6eebcccd33

APIs

Sleep.KERNEL32(00000064,?,00000000,004828F9), ref: 00482877
CreateThread.KERNEL32(00000000,00000000,Function_00082630,00000000,00000000,?), ref: 0048288C

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000,00000000,00000000,Function_00082630,00000000,00000000,?,00000064,?,00000000,004828F9), ref: 004828CF

Strings

BTRESULTSyn Flood|Syn task finished!|, xrefs: 004828BB
@, xrefs: 00482862

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00483858, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85 Total matches: 19threadsleep

Similarity

Total matches: 19
API ID: CreateThreadExitThreadSleep
String ID: @$BTRESULTHTTP Flood|Http Flood task finished!|
API String ID: 2170526433-4253556105
Opcode ID: ce1973b24f73c03e98cc87b7d8b3c5c1d23a0e8b985775cb0889d2fdef58f970
Instruction ID: 21c0fad9eccbf28bfd57fbbbc49df069a42e3d2ebba60de991032031fecca495
Opcode Fuzzy Hash: 5DF0F61467DBA0AFEC476D403852FDB6254DBC344EDCAA7B2961B234919A0B50072752
Instruction Fuzzy Hash: 21c0fad9eccbf28bfd57fbbbc49df069a42e3d2ebba60de991032031fecca495

APIs

Sleep.KERNEL32(00000064,?,00000000,0048398D), ref: 0048390B
CreateThread.KERNEL32(00000000,00000000,Function_000836D8,00000000,00000000,?), ref: 00483920

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000,00000000,00000000,Function_000836D8,00000000,00000000,?,00000064,?,00000000,0048398D), ref: 00483963

Strings

@, xrefs: 004838F6
BTRESULTHTTP Flood|Http Flood task finished!|, xrefs: 0048394F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EA7C, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50 Total matches: 198thread

Similarity

Total matches: 198
API ID: FindWindowExGetCurrentThreadIdGetWindowThreadProcessIdIsWindow
String ID: OleMainThreadWndClass
API String ID: 201132107-3883841218
Opcode ID: cdbacb71e4e8a6832b821703e69153792bbbb8731c9381be4d3b148a6057b293
Instruction ID: 62358f18f5a79d764869bf2b093b0b3ccaeb62bda00a46bd1094c38cdaeeb6b7
Opcode Fuzzy Hash: F8E08C9266CC1095C039EA1C7A2237A3548B7D24E9ED4DB747BEB2716CEF00022A7780
Instruction Fuzzy Hash: 62358f18f5a79d764869bf2b093b0b3ccaeb62bda00a46bd1094c38cdaeeb6b7

APIs

Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00000000,00403029), ref: 004076AD
Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00403029), ref: 004076BE

IsWindow.USER32(?), ref: 0042EA99
FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
GetCurrentThreadId.KERNEL32(?,00000000,00000000,00000000,OleMainThreadWndClass,00000000,?,?,00000000,0042EB52), ref: 0042EB0A

Strings

OleMainThreadWndClass, xrefs: 0042EAC3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043F914, Relevance: 7.7, APIs: 5, Instructions: 174 Total matches: 113window

Similarity

Total matches: 113
API ID: SetMenu$GetMenuSetWindowPos
String ID:
API String ID: 2285096500-0
Opcode ID: d0722823978f30f9d251a310f9061108e88e98677dd122370550f2cde24528f3
Instruction ID: e705ced47481df034b79e2c10a9e9c5239c9913cd23e0c77b7b1ec0a0db802ed
Opcode Fuzzy Hash: 5F118B40961E1266F846164C19EAF1171E6BB9D305CC4E72083E630396BE085027E773
Instruction Fuzzy Hash: e705ced47481df034b79e2c10a9e9c5239c9913cd23e0c77b7b1ec0a0db802ed

APIs

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetMenu.USER32(00000000), ref: 0043FA38
SetMenu.USER32(00000000,00000000), ref: 0043FA55
SetMenu.USER32(00000000,00000000), ref: 0043FA8A
SetMenu.USER32(00000000,00000000), ref: 0043FAA6

Part of subcall function 0043F84C: GetMenu.USER32(00000000), ref: 0043F892
Part of subcall function 0043F84C: SendMessageA.USER32(00000000,00000230,00000000,00000000), ref: 0043F8AA
Part of subcall function 0043F84C: DrawMenuBar.USER32(00000000), ref: 0043F8BB

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043FAED

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434AE4, Relevance: 7.7, APIs: 5, Instructions: 168 Total matches: 2874

Similarity

Total matches: 2874
API ID: DrawTextOffsetRect$DrawEdge
String ID:
API String ID: 1230182654-0
Opcode ID: 4033270dfa35f51a11e18255a4f5fd5a4a02456381e8fcea90fa62f052767fcc
Instruction ID: 6b9e5ef3b45a4a7d0cb501c9f56a29ead01efbe1e1581f942ef4c6a165ab8663
Opcode Fuzzy Hash: A511CB01114D5A93E431240815A7FEF1295FBC1A9BCD4BB71078636DBB2F481017EA7B
Instruction Fuzzy Hash: 6b9e5ef3b45a4a7d0cb501c9f56a29ead01efbe1e1581f942ef4c6a165ab8663

APIs

DrawEdge.USER32(00000000,?,00000006,00000002), ref: 00434BB3
OffsetRect.USER32(?,00000001,00000001), ref: 00434C04
DrawTextA.USER32(00000000,00000000,?,?,?), ref: 00434C3D
OffsetRect.USER32(?,000000FF,000000FF), ref: 00434C4A

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

DrawTextA.USER32(00000000,00000000,?,?,?), ref: 00434CB5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00473208, Relevance: 7.6, APIs: 5, Instructions: 114 Total matches: 15network

Similarity

Total matches: 15
API ID: inet_ntoa$WSAIoctlclosesocketsocket
String ID:
API String ID: 2271367613-0
Opcode ID: 03e2a706dc22aa37b7c7fcd13714bf4270951a4113eb29807a237e9173ed7bd6
Instruction ID: 676ba8df3318004e6f71ddf2b158507320f00f5068622334a9372202104f6e6f
Opcode Fuzzy Hash: A0F0AC403B69D14384153BC72A80F5971A2872F33ED4833999230986D7984CA018F529
Instruction Fuzzy Hash: 676ba8df3318004e6f71ddf2b158507320f00f5068622334a9372202104f6e6f

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00473339), ref: 0047323B
WSAIoctl.WS2_32(000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000), ref: 0047327C
inet_ntoa.WSOCK32(?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000), ref: 004732AC
inet_ntoa.WSOCK32(?,?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001), ref: 004732E8
closesocket.WSOCK32(000000FF,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000,00000000,00473339), ref: 00473319

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004455EC, Relevance: 7.6, APIs: 5, Instructions: 109 Total matches: 230

Similarity

Total matches: 230
API ID: ShowOwnedPopupsShowWindow$EnumWindows
String ID:
API String ID: 1268429734-0
Opcode ID: 27bb45b2951756069d4f131311b8216febb656800ffc3f7147a02f570a82fa35
Instruction ID: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc
Opcode Fuzzy Hash: 70012B5524E87325E2756D54B01C765A2239B0FF08CE6C6654AAE640F75E1E0132F78D
Instruction Fuzzy Hash: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc

APIs

EnumWindows.USER32(00445518,00000000), ref: 00445620
ShowWindow.USER32(?,00000000), ref: 00445655
ShowOwnedPopups.USER32(00000000,?), ref: 00445684
ShowWindow.USER32(?,00000005), ref: 004456EA
ShowOwnedPopups.USER32(00000000,?), ref: 00445719

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004878A4, Relevance: 7.6, APIs: 5, Instructions: 109 Total matches: 11memorythread

Similarity

Total matches: 11
API ID: CloseHandleCreateThreadEnterCriticalSectionLeaveCriticalSectionLocalAlloc
String ID:
API String ID: 3024079611-0
Opcode ID: 4dd964c7e1c4b679be799535e5517f4cba33e810e34606c0a9d5c033aa3fe8c9
Instruction ID: efb3d4a77ffd09126bc7d7eb87c1fe64908b5695ecb93dc64bf5137c0ac50147
Opcode Fuzzy Hash: 7E01288913DAD457BD6068883C86EE705A95BA2508E0C67B34F2E392834F1A5125F283
Instruction Fuzzy Hash: efb3d4a77ffd09126bc7d7eb87c1fe64908b5695ecb93dc64bf5137c0ac50147

APIs

EnterCriticalSection.KERNEL32(0049C3A8,00000000,00487A08), ref: 004878F3

Part of subcall function 00487318: EnterCriticalSection.KERNEL32(0049C3A8,00000000,00487468,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00487347
Part of subcall function 00487318: LeaveCriticalSection.KERNEL32(0049C3A8,0048744D,00487468,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00487440

LocalAlloc.KERNEL32(00000040,00000010,?,0049C3A8,00000000,00487A08), ref: 0048795A
CreateThread.KERNEL32(00000000,00000000,Function_00086E2C,00000000,00000000,?), ref: 004879AE
CloseHandle.KERNEL32(00000000), ref: 004879B4
LeaveCriticalSection.KERNEL32(0049C3A8,004879D8,Function_00086E2C,00000000,00000000,?,00000040,00000010,?,0049C3A8,00000000,00487A08), ref: 004879CB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EB3C, Relevance: 7.6, APIs: 5, Instructions: 86 Total matches: 211window

Similarity

Total matches: 211
API ID: DispatchMessageMsgWaitForMultipleObjectsExPeekMessageTranslateMessageWaitForMultipleObjectsEx
String ID:
API String ID: 1615661765-0
Opcode ID: ed928f70f25773e24e868fbc7ee7d77a1156b106903410d7e84db0537b49759f
Instruction ID: 55a40452e6c929106030349fb2bc1598364ce2fc4e781c2a916e8f687fa462b2
Opcode Fuzzy Hash: DDF05C09614F1D16D8BB88644562B1B2144AB42397C26BFA5529EE3B2D6B18B00AF640
Instruction Fuzzy Hash: 55a40452e6c929106030349fb2bc1598364ce2fc4e781c2a916e8f687fa462b2

APIs

Part of subcall function 0042EA7C: IsWindow.USER32(?), ref: 0042EA99
Part of subcall function 0042EA7C: FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
Part of subcall function 0042EA7C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
Part of subcall function 0042EA7C: GetCurrentThreadId.KERNEL32(?,00000000,00000000,00000000,OleMainThreadWndClass,00000000,?,?,00000000,0042EB52), ref: 0042EB0A

MsgWaitForMultipleObjectsEx.USER32(?,?,?,000000BF,?), ref: 0042EB6A
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 0042EB85
TranslateMessage.USER32(?), ref: 0042EB92
DispatchMessageA.USER32(?), ref: 0042EB9B
WaitForMultipleObjectsEx.KERNEL32(?,?,?,?,00000000), ref: 0042EBC7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434924, Relevance: 7.6, APIs: 5, Instructions: 77 Total matches: 2509window

Similarity

Total matches: 2509
API ID: GetMenuItemCount$DestroyMenuGetMenuStateRemoveMenu
String ID:
API String ID: 4240291783-0
Opcode ID: 32de4ad86fdb0cc9fc982d04928276717e3a5babd97d9cb0bc7430a9ae97d0ca
Instruction ID: cf6877f9ad33401498591f2bf6e6844a5ca439f59e89e6fdb213c81f0c010526
Opcode Fuzzy Hash: 6BE02BD3455E4703F425AB0454E3FA913C4AF51716DA0DB1017359D07B1F26501FE9F4
Instruction Fuzzy Hash: cf6877f9ad33401498591f2bf6e6844a5ca439f59e89e6fdb213c81f0c010526

APIs

Part of subcall function 00434A54: CreatePopupMenu.USER32 ref: 00434A6F
Part of subcall function 00434A54: CreateMenu.USER32 ref: 00434A79

GetMenuItemCount.USER32(00000000), ref: 0043495C
GetMenuState.USER32(00000000,-00000001,00000400), ref: 0043497D
RemoveMenu.USER32(00000000,-00000001,00000400), ref: 00434994
GetMenuItemCount.USER32(00000000), ref: 004349C4
DestroyMenu.USER32(00000000), ref: 004349D1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00443430, Relevance: 7.6, APIs: 5, Instructions: 61 Total matches: 3003

Similarity

Total matches: 3003
API ID: SetWindowLong$GetWindowLongRedrawWindowSetLayeredWindowAttributes
String ID:
API String ID: 3761630487-0
Opcode ID: 9c9d49d1ef37d7cb503f07450c0d4a327eb9b2b4778ec50dcfdba666c10abcb3
Instruction ID: c6d9d2cd31c241e86b7d90949bf59b5cad1e27a78e0073c3828bbb8e9ec94880
Opcode Fuzzy Hash: 6AE06550D41703A1D48114945B63FBBE8817F8911DDE5C71001BA29145BA88A192FF7B
Instruction Fuzzy Hash: c6d9d2cd31c241e86b7d90949bf59b5cad1e27a78e0073c3828bbb8e9ec94880

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 00443464
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 00443496
SetLayeredWindowAttributes.USER32(00000000,?,?,00000000), ref: 004434CF
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 004434E8
RedrawWindow.USER32(00000000,00000000,00000000,00000485), ref: 004434FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426178, Relevance: 7.6, APIs: 5, Instructions: 55 Total matches: 3070window

Similarity

Total matches: 3070
API ID: GetPaletteEntries$GetDCGetDeviceCapsReleaseDC
String ID:
API String ID: 1267235336-0
Opcode ID: 49f91625e0dd571c489fa6fdad89a91e8dd79834746e98589081ca7a3a4fea17
Instruction ID: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836
Opcode Fuzzy Hash: 7CD0C2AA1389DBD6BD6A17842352A4553478983B09D126B32EB0822872850C5039FD1F
Instruction Fuzzy Hash: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836

APIs

GetDC.USER32(00000000), ref: 00426190
GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444B90, Relevance: 7.5, APIs: 5, Instructions: 25 Total matches: 2957synchronizationthread

Similarity

Total matches: 2957
API ID: CloseHandleGetCurrentThreadIdSetEventUnhookWindowsHookExWaitForSingleObject
String ID:
API String ID: 3442057731-0
Opcode ID: bc40a7f740796d43594237fc13166084f8c3b10e9e48d5138e47e82ca7129165
Instruction ID: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1
Opcode Fuzzy Hash: E9C01296B2C9B0C1EC809712340202800B20F8FC590E3DE0509D7363005315D73CD92C
Instruction Fuzzy Hash: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1

APIs

UnhookWindowsHookEx.USER32(00000000), ref: 00444B9F
SetEvent.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBA
GetCurrentThreadId.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBF
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00444BD4
CloseHandle.KERNEL32(00000000), ref: 00444BDF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040D670, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148 Total matches: 3566thread

Similarity

Total matches: 3566
API ID: GetThreadLocale
String ID: eeee$ggg$yyyy
API String ID: 1366207816-1253427255
Opcode ID: 86fa1fb3c1f239f42422769255d2b4db7643f856ec586a18d45da068e260c20e
Instruction ID: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436
Opcode Fuzzy Hash: 3911BD8712648363D5722818A0D2BE3199C5703CA4EA89742DDB6356EA7F09440BEE6D
Instruction Fuzzy Hash: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436

APIs

GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Strings

eeee, xrefs: 0040D7AE
yyyy, xrefs: 0040D795
ggg, xrefs: 0040D785

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F5E4, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72 Total matches: 26window

Similarity

Total matches: 26
API ID: GetWindowPlacementGetWindowTextIsWindowVisible
String ID: ,
API String ID: 41250382-3772416878
Opcode ID: d98ece8bad481757d152ad7594c705093dec75069e9b5f9ec314c4d81001c558
Instruction ID: 1b57460ef1e40e225087e69e669dd845b9a56fe4f5442601256b4cdd4d0865f6
Opcode Fuzzy Hash: DBE0ABC68782816BD907FDCCB0207E6E1E4779394CC8CBB32C606396E44D92000DCE69
Instruction Fuzzy Hash: 1b57460ef1e40e225087e69e669dd845b9a56fe4f5442601256b4cdd4d0865f6

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F634
GetWindowPlacement.USER32(?,0000002C), ref: 0046F64F
IsWindowVisible.USER32(?), ref: 0046F655

Strings

,, xrefs: 0046F643

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00485150, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64 Total matches: 24registry

Similarity

Total matches: 24
API ID: RegCloseKeyRegOpenKeyRegSetValueEx
String ID: Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 551737238-1428018034
Opcode ID: 03d06dea9a4ea131a8c95bd501c85e7d0b73df60e0a15cb9a2dd1ac9fe2d308f
Instruction ID: 259808f008cd29689f11a183a475b32bbb219f99a0f83129d86369365ce9f44d
Opcode Fuzzy Hash: 15E04F8517EAE2ABA996B5C838866F7609A9713790F443FB19B742F18B4F04601CE243
Instruction Fuzzy Hash: 259808f008cd29689f11a183a475b32bbb219f99a0f83129d86369365ce9f44d

APIs

RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 00485199
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,?,00000000,004851DE,?,00000000,0048520A), ref: 004851C6
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,?,00000000,004851DE,?,00000000,0048520A), ref: 004851CF

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 0048518F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004606CC, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 59 Total matches: 75network

Similarity

Total matches: 75
API ID: gethostbynameinet_addr
String ID: %d.%d.%d.%d$0.0.0.0
API String ID: 1594361348-464342551
Opcode ID: 7e59b623bdbf8c44b8bb58eaa9a1d1e7bf08be48a025104469b389075155053e
Instruction ID: 136b4077bafd549567cd44b702fc781b2d0bdeab701521d256d746d30229b047
Opcode Fuzzy Hash: 62E0D84049F633C28038E685914DF713041C71A2DEF8F9352022171EF72B096986AE3F
Instruction Fuzzy Hash: 136b4077bafd549567cd44b702fc781b2d0bdeab701521d256d746d30229b047

APIs

inet_addr.WSOCK32(00000000), ref: 004606F6
gethostbyname.WSOCK32(00000000), ref: 00460711

Strings

%d.%d.%d.%d, xrefs: 0046075E
0.0.0.0, xrefs: 0046076C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043804C, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58 Total matches: 1778window

Similarity

Total matches: 1778
API ID: DrawMenuBarGetMenuItemInfoSetMenuItemInfo
String ID: P
API String ID: 41131186-3110715001
Opcode ID: ea0fd48338f9c30b58f928f856343979a74bbe7af1b6c53973efcbd39561a32d
Instruction ID: eec9c326b6739cd85be96541f469f9b321a478421ae7c7aca53e0c239bd8eefe
Opcode Fuzzy Hash: C8E0C0C1064C1301CCACB4938564F010221FB8B33CDD1D3C051602419A9D0080D4BFFA
Instruction Fuzzy Hash: eec9c326b6739cd85be96541f469f9b321a478421ae7c7aca53e0c239bd8eefe

APIs

GetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 0043809A
SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 004380EC
DrawMenuBar.USER32(00000000), ref: 004380F9

Strings

P, xrefs: 0043808C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474E20, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51 Total matches: 17synchronizationthreadinjection

Similarity

Total matches: 17
API ID: CreateRemoteThreadReadProcessMemoryWaitForSingleObject
String ID: DCPERSFWBP
API String ID: 972516186-2425095734
Opcode ID: c4bd10bfc42c7bc3ca456a767018bd77f736aecaa9343146970cff40bb4593b6
Instruction ID: 075115d4d80338f80b59a5c3f9ea77aa0f3a1cab00edb24ce612801bf173fcc5
Opcode Fuzzy Hash: 63D0A70B97094A56102D348D54027154341A601775EC177E38E36873F719C17051F85E
Instruction Fuzzy Hash: 075115d4d80338f80b59a5c3f9ea77aa0f3a1cab00edb24ce612801bf173fcc5

APIs

Part of subcall function 00474DF0: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,00475328,?,?,00474E3D,DCPERSFWBP,?,?), ref: 00474E06
Part of subcall function 00474DF0: WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,00000000,?,00003000,00000040,?,?,00475328,?,?,00474E3D), ref: 00474E12

CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00474E5E
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00474E6E
ReadProcessMemory.KERNEL32(?,00000000,?,?,?,DCPERSFWBP,?,?), ref: 00474E81

Strings

DCPERSFWBP, xrefs: 00474E28

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C3E4, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47 Total matches: 32libraryloader

Similarity

Total matches: 32
API ID: FreeLibraryGetProcAddressLoadLibrary
String ID: _DCEntryPoint
API String ID: 2438569322-2130044969
Opcode ID: ab6be07d423f29e2cef18b5ad5ff21cef58c0bd0bd6b8b884c8bb9d8d911d098
Instruction ID: 3cba8b520013dd4b177f9c32272ffd10ecf318a20762e1e9fa694429cf7511db
Opcode Fuzzy Hash: B9D0C2568747D413C405200439407D90CF1AF8719F9967FA145303FAD76F09801B7527
Instruction Fuzzy Hash: 3cba8b520013dd4b177f9c32272ffd10ecf318a20762e1e9fa694429cf7511db

APIs

LoadLibraryA.KERNEL32(00000000), ref: 0048C431
GetProcAddress.KERNEL32(00000000,_DCEntryPoint,00000000,0048C473), ref: 0048C442
FreeLibrary.KERNEL32(00000000), ref: 0048C44A

Strings

_DCEntryPoint, xrefs: 0048C43C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046D36C, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36 Total matches: 62

Similarity

Total matches: 62
API ID: ShellExecute
String ID: /k $[FILE]$open
API String ID: 2101921698-3009165984
Opcode ID: 68a05d7cd04e1a973318a0f22a03b327e58ffdc8906febc8617c9713a9b295c3
Instruction ID: d64fb813625eb261c687c2654e5203d30067de4ace02db37851750b48dd66fbf
Opcode Fuzzy Hash: FED0C75427CD9157FA017F8439527E61057E747281D481BE285587A0838F8D40659312
Instruction Fuzzy Hash: d64fb813625eb261c687c2654e5203d30067de4ace02db37851750b48dd66fbf

APIs

ShellExecuteA.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0046D3B9

Strings

/k , xrefs: 0046D39A
cmd.exe, xrefs: 0046D3AD
open, xrefs: 0046D3B2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042F9E4, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36 Total matches: 35libraryloader

Similarity

Total matches: 35
API ID: GetProcAddressLoadLibrary
String ID: DWMAPI.DLL$DwmExtendFrameIntoClientArea
API String ID: 3291547091-2956373744
Opcode ID: cc41b93bac7ef77e5c5829331b5f2d91e10911707bc9e4b3bb75284856726923
Instruction ID: 611aa7263024d751f308fb3d57e5af9092bc5a71ac2d52dead79affe02cb0da7
Opcode Fuzzy Hash: D0D0A7E4C08511B0F0509405703078241DE1BC5EEE8860E90150E533621B9FB827F65C
Instruction Fuzzy Hash: 611aa7263024d751f308fb3d57e5af9092bc5a71ac2d52dead79affe02cb0da7

APIs

LoadLibraryA.KERNEL32(DWMAPI.DLL), ref: 0042FA0E
GetProcAddress.KERNEL32(00000000,DwmExtendFrameIntoClientArea,?,?,?,00447F98), ref: 0042FA31

Strings

DWMAPI.DLL, xrefs: 0042FA09
DwmExtendFrameIntoClientArea, xrefs: 0042FA26

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042FA80, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31 Total matches: 41libraryloader

Similarity

Total matches: 41
API ID: GetProcAddressLoadLibrary
String ID: DWMAPI.DLL$DwmIsCompositionEnabled
API String ID: 3291547091-2128843254
Opcode ID: 903d86e3198bc805c96c7b960047695f5ec88b3268c29fda1165ed3f3bc36d22
Instruction ID: 6cdb37f6684ca359e010f835ed4616ce0f7732468e0f2b98b5f1960530870703
Opcode Fuzzy Hash: E3D0C9A5C0865175F571D509713068081FA23D6E8A8824998091A123225FAFB866F55C
Instruction Fuzzy Hash: 6cdb37f6684ca359e010f835ed4616ce0f7732468e0f2b98b5f1960530870703

APIs

LoadLibraryA.KERNEL32(DWMAPI.DLL), ref: 0042FAA6
GetProcAddress.KERNEL32(00000000,DwmIsCompositionEnabled,?,?,0042FB22,?,00447EFB), ref: 0042FAC9

Strings

DwmIsCompositionEnabled, xrefs: 0042FABE
DWMAPI.DLL, xrefs: 0042FAA1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040F4AC, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16 Total matches: 3137libraryloader

Similarity

Total matches: 3137
API ID: GetModuleHandleGetProcAddress
String ID: GetDiskFreeSpaceExA$[FILE]
API String ID: 1063276154-3559590856
Opcode ID: c33e0a58fb58839ae40c410e06ae8006a4b80140bf923832b2d6dbd30699e00d
Instruction ID: 9d6a6771c1a736381c701344b3d7b8e37c98dfc5013332f68a512772380f22cc
Opcode Fuzzy Hash: D8B09224E0D54114C4B4560930610013C82738A10E5019A820A1B720AA7CCEEA29603A
Instruction Fuzzy Hash: 9d6a6771c1a736381c701344b3d7b8e37c98dfc5013332f68a512772380f22cc

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0048F10B,00000000,0048F11E), ref: 0040F4B2
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA,kernel32.dll,?,0048F10B,00000000,0048F11E), ref: 0040F4C3

Strings

GetDiskFreeSpaceExA, xrefs: 0040F4BD
kernel32.dll, xrefs: 0040F4AD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EC20, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15 Total matches: 48libraryloader

Similarity

Total matches: 48
API ID: GetModuleHandleGetProcAddress
String ID: CoWaitForMultipleHandles$[FILE]
API String ID: 1063276154-3065170753
Opcode ID: c6d715972c75e747e6d7ad7506eebf8b4c41a2b527cd9bc54a775635c050cd0f
Instruction ID: d81c7de5bd030b21af5c52a75e3162b073d887a4de1eb555b8966bd0fb9ec815
Opcode Fuzzy Hash: 4DB012F9A0C9210CE55F44043163004ACF031C1B5F002FD461637827803F86F437631D
Instruction Fuzzy Hash: d81c7de5bd030b21af5c52a75e3162b073d887a4de1eb555b8966bd0fb9ec815

APIs

GetModuleHandleA.KERNEL32(ole32.dll,?,0042EC9A), ref: 0042EC26
GetProcAddress.KERNEL32(00000000,CoWaitForMultipleHandles,ole32.dll,?,0042EC9A), ref: 0042EC37

Strings

CoWaitForMultipleHandles, xrefs: 0042EC31
ole32.dll, xrefs: 0042EC21

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E724, Relevance: 6.2, APIs: 4, Instructions: 198 Total matches: 19

Similarity

Total matches: 19
API ID: NetApiBufferFree$NetShareEnumNetShareGetInfo
String ID:
API String ID: 1922012051-0
Opcode ID: 7e64b2910944434402afba410b58d9b92ec59018d54871fdfc00dd5faf96720b
Instruction ID: 14ccafa2cf6417a1fbed620c270814ec7f2ac7381c92f106b89344cab9500d3f
Opcode Fuzzy Hash: 522148C606BDA0ABF6A3B4C4B447FC182D07B0B96DE486B2290BABD5C20D9521079263
Instruction Fuzzy Hash: 14ccafa2cf6417a1fbed620c270814ec7f2ac7381c92f106b89344cab9500d3f

APIs

Part of subcall function 004032F8: GetCommandLineA.KERNEL32(00000000,00403349,?,?,?,00000000), ref: 0040330F

Part of subcall function 00403358: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,0046E763,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0040337C
Part of subcall function 00403358: GetCommandLineA.KERNEL32(?,?,?,0046E763,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0040338E

NetShareEnum.NETAPI32(?,00000000,?,000000FF,?,?,?,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0046E79C
NetShareGetInfo.NETAPI32(?,?,000001F6,?,00000000,0046E945,?,?,00000000,?,000000FF,?,?,?,00000000,0046E984), ref: 0046E7D5
NetApiBufferFree.NETAPI32(?,?,?,000001F6,?,00000000,0046E945,?,?,00000000,?,000000FF,?,?,?,00000000), ref: 0046E936
NetApiBufferFree.NETAPI32(?,?,00000000,?,000000FF,?,?,?,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0046E964

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00411444, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: 954335058d5fe722e048a186d9110509c96c1379a47649d8646f5b9e1a2e0a0b
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: 9D014B0327CAAA867021BB004882FA0D2D4DE52A369CD8774DB71593F62780571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004114F3
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041150F
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411586
VariantClear.OLEAUT32(?), ref: 004115AF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040D8AA, Relevance: 6.1, APIs: 4, Instructions: 101 Total matches: 2563

Similarity

Total matches: 2563
API ID: GetModuleFileName$LoadStringVirtualQuery
String ID:
API String ID: 2941097594-0
Opcode ID: 9f707685a8ca2ccbfc71ad53c7f9b5a8f910bda01de382648e3a286d4dcbad8b
Instruction ID: 9b6f9daabaaed01363acd1bc6df000eeaee8c5b1ee04e659690c8b100997f9f3
Opcode Fuzzy Hash: 4C014C024365E386F4234B112882F5492E0DB65DB1E8C6751EFB9503F65F40115EF72D
Instruction Fuzzy Hash: 9b6f9daabaaed01363acd1bc6df000eeaee8c5b1ee04e659690c8b100997f9f3

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040D8C9
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040D8ED
GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040D908
LoadStringA.USER32(00000000,0000FFED,?,00000100), ref: 0040D99E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428848, Relevance: 6.1, APIs: 4, Instructions: 83 Total matches: 2913window

Similarity

Total matches: 2913
API ID: CreateCompatibleDCRealizePaletteSelectObjectSelectPalette
String ID:
API String ID: 3833105616-0
Opcode ID: 7f49dee69bcd38fda082a6c54f39db5f53dba16227df2c2f18840f8cf7895046
Instruction ID: 29ada319a87402adac0eebea4d3b1ef9d21249ffa1523adf5174efdc3c3390a2
Opcode Fuzzy Hash: C0F0E5870BCED49BFCA7D484249722910C2F3C08DFC80A3324E55676DB9604B127A20B
Instruction Fuzzy Hash: 29ada319a87402adac0eebea4d3b1ef9d21249ffa1523adf5174efdc3c3390a2

APIs

Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE

Part of subcall function 00429D5C: GetDC.USER32(00000000), ref: 00429DB2
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429DC7
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00429DD1
Part of subcall function 00429D5C: CreateHalftonePalette.GDI32(00000000), ref: 00429DF5
Part of subcall function 00429D5C: ReleaseDC.USER32(00000000,00000000), ref: 00429E00

CreateCompatibleDC.GDI32(00000000), ref: 0042889D
SelectObject.GDI32(00000000,?), ref: 004288B6
SelectPalette.GDI32(00000000,?,000000FF), ref: 004288DF
RealizePalette.GDI32(00000000), ref: 004288EB

Part of subcall function 00425608: LeaveCriticalSection.KERNEL32(00000038,00000000,00423DD2,00423DE8), ref: 0042560F
Part of subcall function 00425608: EnterCriticalSection.KERNEL32(00499A30,00000038,00000000,00423DD2,00423DE8), ref: 00425619
Part of subcall function 00425608: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000038,00000000,00423DD2,00423DE8), ref: 00425626

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00470B94, Relevance: 6.1, APIs: 4, Instructions: 73 Total matches: 22file

Similarity

Total matches: 22
API ID: DragQueryFile$GlobalLockGlobalUnlock
String ID:
API String ID: 367920443-0
Opcode ID: 498cda1e803d17a6f5118466ea9165dd9226bd8025a920d397bde98fe09ca515
Instruction ID: b8ae27aaf29c7a970dfd4945759f76c89711bef1c6f8db22077be54f479f9734
Opcode Fuzzy Hash: F8F05C830F79E26BD5013A844E0179401A17B03DB8F147BB2D232729DC4E5D409DF60F
Instruction Fuzzy Hash: b8ae27aaf29c7a970dfd4945759f76c89711bef1c6f8db22077be54f479f9734

APIs

Part of subcall function 00431970: GetClipboardData.USER32(00000000), ref: 00431996

GlobalLock.KERNEL32(00000000,00000000,00470C74), ref: 00470BDE
DragQueryFileA.SHELL32(?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470BF0
DragQueryFileA.SHELL32(?,00000000,?,00000105,?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470C10
GlobalUnlock.KERNEL32(00000000,?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470C56

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00438710, Relevance: 6.1, APIs: 4, Instructions: 72 Total matches: 3034window

Similarity

Total matches: 3034
API ID: GetMenuItemIDGetMenuStateGetMenuStringGetSubMenu
String ID:
API String ID: 4177512249-0
Opcode ID: ecc45265f1f2dfcabc36b66648e37788e83d83d46efca9de613be41cbe9cf08e
Instruction ID: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d
Opcode Fuzzy Hash: BEE020084B1FC552541F0A4A1573F019140E142CB69C3F3635127565B31A255213F776
Instruction Fuzzy Hash: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d

APIs

GetMenuState.USER32(?,?,?), ref: 00438733
GetSubMenu.USER32(?,?), ref: 0043873E
GetMenuItemID.USER32(?,?), ref: 00438757
GetMenuStringA.USER32(?,?,?,?,?), ref: 004387AA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00445518, Relevance: 6.1, APIs: 4, Instructions: 71 Total matches: 218threadwindow

Similarity

Total matches: 218
API ID: GetCurrentProcessIdGetWindowGetWindowThreadProcessIdIsWindowVisible
String ID:
API String ID: 3659984437-0
Opcode ID: 6a2b99e3a66d445235cbeb6ae27631a3038d73fb4110980a8511166327fee1f0
Instruction ID: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8
Opcode Fuzzy Hash: 82E0AB21B2AA28AAE0971541B01939130B3F74ED9ACC0A3626F8594BD92F253809E74F
Instruction Fuzzy Hash: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8

APIs

GetWindow.USER32(?,00000004), ref: 00445528
GetWindowThreadProcessId.USER32(?,?), ref: 00445542
GetCurrentProcessId.KERNEL32(?,00000004), ref: 0044554E
IsWindowVisible.USER32(?), ref: 0044559E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B29C, Relevance: 6.1, APIs: 4, Instructions: 58 Total matches: 214window

Similarity

Total matches: 214
API ID: DeleteObject$GetIconInfoGetObject
String ID:
API String ID: 3019347292-0
Opcode ID: d6af2631bec08fa1cf173fc10c555d988242e386d2638a025981433367bbd086
Instruction ID: 7fbc048e39f9dd6e6db5f40543e5f161b145f4c2f282fe4a446dbd8e1941d375
Opcode Fuzzy Hash: F7D0C283228DE2F7ED767D983A636154085F782297C6423B00444730860A1E700C6A03
Instruction Fuzzy Hash: 7fbc048e39f9dd6e6db5f40543e5f161b145f4c2f282fe4a446dbd8e1941d375

APIs

GetIconInfo.USER32(?,?), ref: 0042B2BD
GetObjectA.GDI32(?,00000018,?), ref: 0042B2DE
DeleteObject.GDI32(?), ref: 0042B30A
DeleteObject.GDI32(?), ref: 0042B313

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00445334, Relevance: 6.1, APIs: 4, Instructions: 56 Total matches: 2678

Similarity

Total matches: 2678
API ID: EnumWindowsGetWindowGetWindowLongSetWindowPos
String ID:
API String ID: 1660305372-0
Opcode ID: c3d012854d63b95cd89c42a77d529bdce0f7c5ea0abc138a70ce1ca7fb0ed027
Instruction ID: 7947c1ee61b3a945b06f79495752ea495d4a1fb36974d9d540e15b721e8a8e8a
Opcode Fuzzy Hash: 65E07D89179DA114F52124400911F043342F3D731BD1ADF814246283E39B8522BBFB8C
Instruction Fuzzy Hash: 7947c1ee61b3a945b06f79495752ea495d4a1fb36974d9d540e15b721e8a8e8a

APIs

EnumWindows.USER32(Function_000452BC), ref: 0044535E
GetWindow.USER32(?,00000003), ref: 00445376
GetWindowLongA.USER32(00000000,000000EC), ref: 00445383
SetWindowPos.USER32(00000000,000000EC,00000000,00000000,00000000,00000000,00000213), ref: 004453C2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004314A0, Relevance: 6.1, APIs: 4, Instructions: 56 Total matches: 21memoryclipboard

Similarity

Total matches: 21
API ID: GlobalAllocGlobalLockGlobalUnlockSetClipboardData
String ID:
API String ID: 3535573752-0
Opcode ID: f0e50475fe096c382d27ee33e947bcf8d55d19edebb1ed8108c2663ee63934e9
Instruction ID: 2742e8ac83e55c90e50d408429e67af57535f67fab21309796ee5989aaacba5e
Opcode Fuzzy Hash: D7E0C250025CF01BF9CA69CD3C97E86D2D2DA402649D46FB58258A78B3222E6049E50B
Instruction Fuzzy Hash: 2742e8ac83e55c90e50d408429e67af57535f67fab21309796ee5989aaacba5e

APIs

GlobalAlloc.KERNEL32(00002002,?,00000000,00431572), ref: 004314CF
GlobalLock.KERNEL32(?,00000000,00431544,?,00002002,?,00000000,00431572), ref: 004314E9
SetClipboardData.USER32(?,?), ref: 00431517
GlobalUnlock.KERNEL32(?,0043153A,?,00000000,00431544,?,00002002,?,00000000,00431572), ref: 0043152D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040A404, Relevance: 6.1, APIs: 4, Instructions: 54 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: c8f11cb17e652d385e55d6399cfebc752614be738e382b5839b86fc73ea86396
Instruction ID: 2e292ce978d1af3d415e66e5b982e49a92b9d84a3d1479b7871fac408542b61b
Opcode Fuzzy Hash: 32D02B030B309613452F157D0441F8D7032488F01A96C2F8C37B77ABA68505605FFE4C
Instruction Fuzzy Hash: 2e292ce978d1af3d415e66e5b982e49a92b9d84a3d1479b7871fac408542b61b

APIs

FindNextFileA.KERNEL32(?,?), ref: 0040A415
GetLastError.KERNEL32(?,?), ref: 0040A41E
FileTimeToLocalFileTime.KERNEL32(?), ref: 0040A434
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 0040A443

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0041C2D4, Relevance: 6.1, APIs: 4, Instructions: 51 Total matches: 4966

Similarity

Total matches: 4966
API ID: FindResourceLoadResourceLockResourceSizeofResource
String ID:
API String ID: 3653323225-0
Opcode ID: 735dd83644160b8dcfdcb5d85422b4d269a070ba32dbf009b7750e227a354687
Instruction ID: 615d07274e164157e3e11310b2f920de543c2506028dc961f8b3aaf64374c2fd
Opcode Fuzzy Hash: 4BD0A90A2268C100582C2C80002BBC610830A5FE226CC27F902231BBC32C026024F8C4
Instruction Fuzzy Hash: 615d07274e164157e3e11310b2f920de543c2506028dc961f8b3aaf64374c2fd

APIs

FindResourceA.KERNEL32(?,?,?), ref: 0041C2EB
LoadResource.KERNEL32(?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C305
SizeofResource.KERNEL32(?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C31F
LockResource.KERNEL32(0041BDF4,00000000,?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000), ref: 0041C329

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040A3AC, Relevance: 6.0, APIs: 4, Instructions: 40 Total matches: 51time

Similarity

Total matches: 51
API ID: DosDateTimeToFileTimeGetLastErrorLocalFileTimeToFileTimeSetFileTime
String ID:
API String ID: 3095628216-0
Opcode ID: dc7fe683cb9960f76d0248ee31fd3249d04fe76d6d0b465a838fe0f3e66d3351
Instruction ID: c3399427300e97a0bf23ec08d7f996c3ab3c22a86554ee3675cd901d102723b3
Opcode Fuzzy Hash: F2C0803B165157D71F4F7D7C600375011F0D1778230955B614E019718D4E05F01EFD86
Instruction Fuzzy Hash: c3399427300e97a0bf23ec08d7f996c3ab3c22a86554ee3675cd901d102723b3

APIs

DosDateTimeToFileTime.KERNEL32(?,0048C37F,?), ref: 0040A3C9
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0040A3DA
SetFileTime.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3EC
GetLastError.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3F5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00484388, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 39

Similarity

Total matches: 39
API ID: CloseHandleGetExitCodeProcessOpenProcessTerminateProcess
String ID:
API String ID: 2790531620-0
Opcode ID: 2f64381cbc02908b23ac036d446d8aeed05bad4df5f4c3da9e72e60ace7043ae
Instruction ID: e830ae185e03603e72926048c7063e7464f7d8c572e36ef4319c937be7ad0c91
Opcode Fuzzy Hash: 5DC01285079EAB7B643571D825437E14084D5026CCB943B7185045F10B4B09B43DF053
Instruction Fuzzy Hash: e830ae185e03603e72926048c7063e7464f7d8c572e36ef4319c937be7ad0c91

APIs

OpenProcess.KERNEL32(00000001,00000000,00000000), ref: 00484393
GetExitCodeProcess.KERNEL32(00000000,?), ref: 004843B7
TerminateProcess.KERNEL32(00000000,?,00000000,004843E0,?,00000001,00000000,00000000), ref: 004843C4
CloseHandle.KERNEL32(00000000), ref: 004843DA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044E254, Relevance: 6.0, APIs: 4, Instructions: 37 Total matches: 5751thread

Similarity

Total matches: 5751
API ID: GetCurrentProcessIdGetPropGetWindowThreadProcessIdGlobalFindAtom
String ID:
API String ID: 142914623-0
Opcode ID: 055fee701d7a26f26194a738d8cffb303ddbdfec43439e02886190190dab2487
Instruction ID: e9689aead5eaf442059aa2d418bca5d111d08576717f72d926dd49825766799b
Opcode Fuzzy Hash: 0AC02203AD2E23870E4202F2E840907219583DF8720CA370201B0E38C023F0461DFF0C
Instruction Fuzzy Hash: e9689aead5eaf442059aa2d418bca5d111d08576717f72d926dd49825766799b

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 0044E261
GetCurrentProcessId.KERNEL32(00000000,?,?,-00000010,00000000,0044E2CC,-000000F7,?,00000000,0044DE86,?,-00000010,?), ref: 0044E26A
GlobalFindAtomA.KERNEL32(00000000), ref: 0044E27F
GetPropA.USER32(00000000,00000000), ref: 0044E296

Part of subcall function 0044D2C0: GetWindowThreadProcessId.USER32(?), ref: 0044D2C6
Part of subcall function 0044D2C0: GetCurrentProcessId.KERNEL32(?,?,?,?,0044D346,?,00000000,?,004387ED,?,004378A9), ref: 0044D2CF
Part of subcall function 0044D2C0: SendMessageA.USER32(?,0000C1C7,00000000,00000000), ref: 0044D2E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444B1C, Relevance: 6.0, APIs: 4, Instructions: 34 Total matches: 2966thread

Similarity

Total matches: 2966
API ID: CreateEventCreateThreadGetCurrentThreadIdSetWindowsHookEx
String ID:
API String ID: 2240124278-0
Opcode ID: 54442a1563c67a11f9aee4190ed64b51599c5b098d388fde65e2e60bb6332aef
Instruction ID: 25b62da08cecef26c395931cea73ffe9b62582a88be241cbb158b3c9ea13de32
Opcode Fuzzy Hash: 37D0C940B0DE75C4F860630138017A90633234BF1BCD1C316480F76041C6CFAEF07A28
Instruction Fuzzy Hash: 25b62da08cecef26c395931cea73ffe9b62582a88be241cbb158b3c9ea13de32

APIs

GetCurrentThreadId.KERNEL32(?,00447A69,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00444B34
SetWindowsHookExA.USER32(00000003,00444AD8,00000000,00000000), ref: 00444B44
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00447A69,?,?,?,?,?,?,?,?,?,?), ref: 00444B5F
CreateThread.KERNEL32(00000000,000003E8,00444A7C,00000000,00000000), ref: 00444B83

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B438, Relevance: 6.0, APIs: 4, Instructions: 29 Total matches: 789

Similarity

Total matches: 789
API ID: GetDCGetTextMetricsReleaseDCSelectObject
String ID:
API String ID: 1769665799-0
Opcode ID: db772d9cc67723a7a89e04e615052b16571c955da3e3b2639a45f22e65d23681
Instruction ID: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3
Opcode Fuzzy Hash: DCC02B935A2888C32DE51FC0940084317C8C0E3A248C62212E13D400727F0C007CBFC0
Instruction Fuzzy Hash: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3

APIs

GetDC.USER32(00000000), ref: 0042B441
SelectObject.GDI32(00000000,018A002E), ref: 0042B453
GetTextMetricsA.GDI32(00000000), ref: 0042B45E
ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042473C, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 172 Total matches: 108

Similarity

Total matches: 108
API ID: CompareStringCreateFontIndirect
String ID: Default
API String ID: 480662435-753088835
Opcode ID: 55710f22f10b58c86f866be5b7f1af69a0ec313069c5af8c9f5cd005ee0f43f8
Instruction ID: ad4a051fb67a15694052d05548e5e2a92b9daedfa5d673be67c756d1cf269a99
Opcode Fuzzy Hash: F6116A2104DDB067F8B3EC94B64A74A79D1BBC5E9EC00FB303AA57198A0B01500EEB0E
Instruction Fuzzy Hash: ad4a051fb67a15694052d05548e5e2a92b9daedfa5d673be67c756d1cf269a99

APIs

Part of subcall function 00423A1C: EnterCriticalSection.KERNEL32(?,00423A59), ref: 00423A20

CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,00424930,?,00000000,00424958), ref: 0042486B
CreateFontIndirectA.GDI32(?), ref: 0042490D

Part of subcall function 0042B438: GetDC.USER32(00000000), ref: 0042B441
Part of subcall function 0042B438: SelectObject.GDI32(00000000,018A002E), ref: 0042B453
Part of subcall function 0042B438: GetTextMetricsA.GDI32(00000000), ref: 0042B45E
Part of subcall function 0042B438: ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Part of subcall function 00423A28: LeaveCriticalSection.KERNEL32(-00000008,00423B07,00423B0F), ref: 00423A2C

Strings

Default, xrefs: 00424832, 00424840, 00424841

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E3F0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103 Total matches: 30

Similarity

Total matches: 30
API ID: SHGetPathFromIDListSHGetSpecialFolderLocation
String ID: .LNK
API String ID: 739551631-2547878182
Opcode ID: 6b91e9416f314731ca35917c4d41f2341f1eaddd7b94683245f35c4551080332
Instruction ID: e6ae6f63a256f5e8788dfe1c4fce17057cd352befa637d7beb5ae1c0f18a968e
Opcode Fuzzy Hash: 9701B543079EC2A3D9232E512D43BA60129AF11E22F4C77F35A3C3A7D11E500105FA4A
Instruction Fuzzy Hash: e6ae6f63a256f5e8788dfe1c4fce17057cd352befa637d7beb5ae1c0f18a968e

APIs

SHGetSpecialFolderLocation.SHELL32(00000000,00000010,?), ref: 0046E44B
SHGetPathFromIDListA.SHELL32(?,?,00000000,00000010,?,00000000,0046E55E), ref: 0046E463

Part of subcall function 0042BE44: CoCreateInstance.OLE32(?,00000000,00000005,0042BF34,00000000), ref: 0042BE8B

Strings

.LNK, xrefs: 0046E4DE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00472C70, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 98 Total matches: 26

Similarity

Total matches: 26
API ID: SetFileAttributes
String ID: I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!$drivers\etc\hosts
API String ID: 3201317690-57959411
Opcode ID: de1fcf5289fd0d37c0d7642ff538b0d3acf26fbf7f5b53187118226b7e9f9585
Instruction ID: 1f69c6cfd5524e6f1e55c33e322de11738733e7ba85079705839c212502733fc
Opcode Fuzzy Hash: C4012B430F74D723D5173D857800B8922764B4A179D4A77F34B3B796E14E45101BF26D
Instruction Fuzzy Hash: 1f69c6cfd5524e6f1e55c33e322de11738733e7ba85079705839c212502733fc

APIs

Part of subcall function 004719C8: GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 004719DF

SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00472DAB,?,00000000,00472DE7), ref: 00472D16

Strings

drivers\etc\hosts, xrefs: 00472CD3, 00472D00
I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!, xrefs: 00472D8D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004629C0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 91 Total matches: 35com

Similarity

Total matches: 35
API ID: CoCreateInstance
String ID: <*I$L*I
API String ID: 206711758-935359969
Opcode ID: 926ebed84de1c4f5a0cff4f8c2e2da7e6b2741b3f47b898da21fef629141a3d9
Instruction ID: fa8d7291222113e0245fa84df17397d490cbd8a09a55d837a8cb9fde22732a4b
Opcode Fuzzy Hash: 79F02EA00A6B5057F502728428413DB0157E74BF09F48EB715253335860F29E22A6903
Instruction Fuzzy Hash: fa8d7291222113e0245fa84df17397d490cbd8a09a55d837a8cb9fde22732a4b

APIs

CoCreateInstance.OLE32(00492A3C,00000000,00000001,0049299C,00000000), ref: 00462A3F

Strings

<*I, xrefs: 00462A39
L*I, xrefs: 00462A60

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004658F4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91 Total matches: 91memory

Similarity

Total matches: 91
API ID: VirtualFreeVirtualProtect
String ID: FinalizeSections: VirtualProtect failed
API String ID: 636303360-3584865983
Opcode ID: eacfc3cf263d000af2bbea4d1e95e0ccf08e91c00f24ffdf9b55ce997f25413f
Instruction ID: a25c5a888a9fda5817e5b780509016ca40cf7ffd1ade20052d4c48f0177e32df
Opcode Fuzzy Hash: 8CF0A7A2164FC596D9E4360D5003B96A44B6BC1369D4857412FFF106F35E46A06B7D4C
Instruction Fuzzy Hash: a25c5a888a9fda5817e5b780509016ca40cf7ffd1ade20052d4c48f0177e32df

APIs

VirtualFree.KERNEL32(?,?,00004000), ref: 00465939
VirtualProtect.KERNEL32(?,?,00000000,?), ref: 004659A5

Strings

FinalizeSections: VirtualProtect failed, xrefs: 004659B3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00404B2E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83 Total matches: 27

Similarity

Total matches: 27
API ID: UnhandledExceptionFilter
String ID: @
API String ID: 324268079-2726393805
Opcode ID: 404135c81fb2f5f5ca58f8e75217e0a603ea6e07d48b6f32e279dfa7f56b0152
Instruction ID: c84c814e983b35b1fb5dae0ae7b91a26e19a660e9c4fa24becd8f1ddc27af483
Opcode Fuzzy Hash: CDF0246287E8612AD0BB6641389337E1451EF8189DC88DB307C9A306FB1A4D22A4F34C
Instruction Fuzzy Hash: c84c814e983b35b1fb5dae0ae7b91a26e19a660e9c4fa24becd8f1ddc27af483

APIs

UnhandledExceptionFilter.KERNEL32(00000006), ref: 00404B9A
UnhandledExceptionFilter.KERNEL32(?), ref: 00404BD7

Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00000000,00403029), ref: 004076AD
Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00403029), ref: 004076BE

Strings

@, xrefs: 00404B55

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040C028, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79 Total matches: 3032thread

Similarity

Total matches: 3032
API ID: GetDateFormatGetThreadLocale
String ID: yyyy
API String ID: 358233383-3145165042
Opcode ID: a9ef5bbd8ef47e5bcae7fadb254d6b5dc10943448e4061dc92b10bb97dc7929c
Instruction ID: 3d7ab4add3e8180159f8482215856afc9a1a963464e366b4ca05c92ac214afea
Opcode Fuzzy Hash: 09F09E4A0397D3D76802C969D023BC10194EB5A8B2C88B3B1DBB43D7F74C10C40AAF21
Instruction Fuzzy Hash: 3d7ab4add3e8180159f8482215856afc9a1a963464e366b4ca05c92ac214afea

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,0040C116), ref: 0040C0AE
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100), ref: 0040C0B4

Strings

yyyy, xrefs: 0040C089

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004889F0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 72 Total matches: 20

Similarity

Total matches: 20
API ID: GetMonitorInfo
String ID: H$MONSIZE
API String ID: 2399315694-578782711
Opcode ID: fcbd22419a9fe211802b34775feeb9b9cd5c1eab3f2b681a58b96c928ed20dcd
Instruction ID: 58dff39716ab95f400833e95f8353658d64ab2bf0589c4ada55bb24297febcec
Opcode Fuzzy Hash: A0F0E957075E9D5BE7326D883C177C042D82342C5AE8EB75741B9329B20D59511DF3C9
Instruction Fuzzy Hash: 58dff39716ab95f400833e95f8353658d64ab2bf0589c4ada55bb24297febcec

APIs

GetMonitorInfoA.USER32(?,00000048), ref: 00488A28

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

H, xrefs: 00488A19
MONSIZE, xrefs: 00488A65

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486210, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66 Total matches: 14network

Similarity

Total matches: 14
API ID: recvsend
String ID: EndReceive
API String ID: 740075404-1723565878
Opcode ID: 0642aeb2bf09005660d41f125a1d03baad4e76b78f36ec5b7dd5d239cf09d5cc
Instruction ID: 216cfea4cb83c20b808547ecb65d31b60c96cf6878345f9c489041ca4988cdb5
Opcode Fuzzy Hash: 4FE02B06133A455DE6270580341A3C7F947772B705E47D7F14FA4311DACA43322AE70B
Instruction Fuzzy Hash: 216cfea4cb83c20b808547ecb65d31b60c96cf6878345f9c489041ca4988cdb5

APIs

Part of subcall function 00466470: acmStreamConvert.MSACM32(?,00000108,00000000), ref: 004664AB
Part of subcall function 00466470: acmStreamReset.MSACM32(?,00000000,?,00000108,00000000), ref: 004664B9

send.WSOCK32(00000000,0049A3A0,00000000,00000000), ref: 004862AA
recv.WSOCK32(00000000,0049A3A0,00001FFF,00000000,00000000,0049A3A0,00000000,00000000), ref: 004862C1

Part of subcall function 00475F68: send.WSOCK32(?,00000000,?,00000000,00000000,00475FCA), ref: 00475FAF

Strings

EndReceive, xrefs: 004862CA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004843EC, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52 Total matches: 15

Similarity

Total matches: 15
API ID: CloseHandleOpenProcess
String ID: ACCESS DENIED (x64)
API String ID: 39102293-185273294
Opcode ID: a572bc7c6731d9d91b92c5675ac9d9d4c0009ce4d4d6c6579680fd2629dc7de7
Instruction ID: 96dec37c68e2c881eb92ad81010518019459718a977f0d9739e81baf42475d3b
Opcode Fuzzy Hash: EBE072420B68F08FB4738298640028100C6AE862BCC486BB5523B391DB4E49A008B6A3
Instruction Fuzzy Hash: 96dec37c68e2c881eb92ad81010518019459718a977f0d9739e81baf42475d3b

APIs

OpenProcess.KERNEL32(001F0FFF,00000000), ref: 0048440F
CloseHandle.KERNEL32(00000000), ref: 00484475

Strings

ACCESS DENIED (x64), xrefs: 004843FD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E408, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44 Total matches: 2190

Similarity

Total matches: 2190
API ID: GetSystemMetrics
String ID: MonitorFromPoint
API String ID: 96882338-1072306578
Opcode ID: 666203dad349f535e62b1e5569e849ebaf95d902ba2aa8f549115cec9aadc9dc
Instruction ID: 9e90a3aeaa9df0e76633c437836624889fea8714b6c2508f44f8acb6986c90e8
Opcode Fuzzy Hash: 72D09540005C404E9427F505302314050862CD7C1444C0A96073728A4B4BC07837E70C
Instruction Fuzzy Hash: 9e90a3aeaa9df0e76633c437836624889fea8714b6c2508f44f8acb6986c90e8

APIs

GetSystemMetrics.USER32(00000000), ref: 0042E456
GetSystemMetrics.USER32(00000001), ref: 0042E468

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

MonitorFromPoint, xrefs: 0042E41A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00405026, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43 Total matches: 29

Similarity

Total matches: 29
API ID: UnhandledExceptionFilter
String ID: @$@
API String ID: 324268079-1993891284
Opcode ID: 08651bee2e51f7c203f2bcbc4971cbf38b3c12a2f284cd033f2f36121a1f9316
Instruction ID: 09869fe21a55f28103c5e2f74b220912f521d4c5ca74f0421fb5e508a020f7c0
Opcode Fuzzy Hash: 83E0CD9917D5514BE0755684259671E1051EF05825C4A8F316D173C1FB151A11E4F77C
Instruction Fuzzy Hash: 09869fe21a55f28103c5e2f74b220912f521d4c5ca74f0421fb5e508a020f7c0

APIs

UnhandledExceptionFilter.KERNEL32(00000006), ref: 00405047

Strings

@, xrefs: 00405080
@, xrefs: 004050A2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00422188, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42 Total matches: 16registry

Similarity

Total matches: 16
API ID: RegSetValueEx
String ID: NoControlPanel$tdA
API String ID: 3711155140-1355984343
Opcode ID: 5e8bf8497a5466fff8bc5eb4e146d5dc6a0602752481f5dd4d5504146fb4de3d
Instruction ID: cdf02c1bfc0658aace9b7e9a135c824c3cff313d703079df6a374eed0d2e646e
Opcode Fuzzy Hash: E2D0A75C074881C524D914CC3111E01228593157AA49C3F52875D627F70E00E038DD1E
Instruction Fuzzy Hash: cdf02c1bfc0658aace9b7e9a135c824c3cff313d703079df6a374eed0d2e646e

APIs

RegSetValueExA.ADVAPI32(?,00000000,00000000,00000000,?,?,004724E0,00000000,004724E0), ref: 004221BA

Strings

NoControlPanel, xrefs: 00422188
tdA, xrefs: 004221D0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E258, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39 Total matches: 3131

Similarity

Total matches: 3131
API ID: GetSystemMetrics
String ID: GetSystemMetrics
API String ID: 96882338-96882338
Opcode ID: bbc54e4b5041dfa08de2230ef90e8f32e1264c6e24ec09b97715d86cc98d23e9
Instruction ID: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c
Opcode Fuzzy Hash: B4D0A941986AA908E0AF511971A336358D163D2EA0C8C8362308B329EB5741B520AB01
Instruction Fuzzy Hash: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c

APIs

GetSystemMetrics.USER32(?), ref: 0042E2BA

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

GetSystemMetrics.USER32(?), ref: 0042E280

Strings

GetSystemMetrics, xrefs: 0042E268

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Process Name: 3Y8FRVDR9S.exe Analysis ID: 39044

General

Root Process Name:	regdrv.exe
Process MD5:	7A4414974509912787972A84BF88FD4F
Total matches:	199
Initial Analysis Report:	Open
Initial sample Analysis ID:	39044
Initial sample SHA 256:	CF307321292079529C4036764CA66DF7B56957188812C186D5F7041D176D38A0
Initial sample name:	3Y8FRVDR9S.exe

Similar Executed Functions

Function 004818F8, Relevance: 49.2, APIs: 10, Strings: 18, Instructions: 236 Total matches: 18keyboard

Similarity

Total matches: 18
API ID: GetKeyState$CallNextHookEx$GetKeyboardStateMapVirtualKeyToAscii
String ID: [<-]$[DEL]$[DOWN]$[ESC]$[F1]$[F2]$[F3]$[F4]$[F5]$[F6]$[F7]$[F8]$[INS]$[LEFT]$[NUM_LOCK]$[RIGHT]$[SNAPSHOT]$[UP]
API String ID: 2409940449-52828794
Opcode ID: b9566e8c43a4051c07ac84d60916a303a7beb698efc358184a9cd4bc7b664fbd
Instruction ID: 41c13876561f3d94aafb9dcaf6d0e9d475a0720bb5103e60537e1bfe84b96b73
Opcode Fuzzy Hash: 0731B68AA7159623D437E2D97101B910227BF975D0CC1A3333EDA3CAE99E900114BF25
Instruction Fuzzy Hash: 41c13876561f3d94aafb9dcaf6d0e9d475a0720bb5103e60537e1bfe84b96b73

APIs

CallNextHookEx.USER32(000601F9,00000000,?,?), ref: 00481948

Part of subcall function 004818E0: MapVirtualKeyA.USER32(00000000,00000000), ref: 004818E6

CallNextHookEx.USER32(000601F9,00000000,00000100,?), ref: 0048198C
GetKeyState.USER32(00000014), ref: 00481C4E
GetKeyState.USER32(00000011), ref: 00481C60
GetKeyState.USER32(000000A0), ref: 00481C75
GetKeyState.USER32(000000A1), ref: 00481C8A
GetKeyboardState.USER32(?), ref: 00481CA5
MapVirtualKeyA.USER32(00000000,00000000), ref: 00481CD7
ToAscii.USER32(00000000,00000000,00000000,00000000,?), ref: 00481CDE

Part of subcall function 00481318: ExitThread.KERNEL32(00000000,00000000,00481687,?,00000000,004816C3,?,?,?,?,0000000C,00000000,00000000), ref: 0048135E
Part of subcall function 00481318: CreateThread.KERNEL32(00000000,00000000,Function_000810D4,00000000,00000000,00499F94), ref: 0048162D

CallNextHookEx.USER32(000601F9,00000000,?,?), ref: 00481D3C

Strings

[LEFT], xrefs: 00481C07
[F3], xrefs: 00481B65
[DOWN], xrefs: 00481C2B
[<-], xrefs: 00481B1D
[NUM_LOCK], xrefs: 00481B2F
[RIGHT], xrefs: 00481C19
[F7], xrefs: 00481BAD
[DEL], xrefs: 00481BD1
[UP], xrefs: 00481C3D
[F4], xrefs: 00481B77
[ESC], xrefs: 00481AE7
[F8], xrefs: 00481BBF
[F5], xrefs: 00481B89
[F1], xrefs: 00481B41
[INS], xrefs: 00481BE3
[F6], xrefs: 00481B9B
[SNAPSHOT], xrefs: 00481BF5
[F2], xrefs: 00481B53

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00406C2C, Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184 Total matches: 2899registrystringlibrary

Similarity

Total matches: 2899
API ID: lstrcpyn$LoadLibraryExRegOpenKeyEx$RegQueryValueEx$GetLocaleInfoGetModuleFileNameGetThreadLocaleRegCloseKeylstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 3567661987-2375825460
Opcode ID: a3b1251d448c01bd6f1cc1c42774547fa8a2e6c4aa6bafad0bbf1d0ca6416942
Instruction ID: a303aaa8438224c55303324eb01105260f59544aa3820bfcbc018d52edb30607
Opcode Fuzzy Hash: 7311914307969393E8871B6124157D513A5AF01F30E4A7BF275F0206EABE46110CFA06
Instruction Fuzzy Hash: a303aaa8438224c55303324eb01105260f59544aa3820bfcbc018d52edb30607

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,00400000,004917C0), ref: 00406C48
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,004917C0), ref: 00406C66
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,004917C0), ref: 00406C84
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00406CA2

Part of subcall function 00406A68: GetModuleHandleA.KERNEL32(kernel32.dll,?,00400000,004917C0), ref: 00406A85
Part of subcall function 00406A68: GetProcAddress.KERNEL32(?,GetLongPathNameA,kernel32.dll,?,00400000,004917C0), ref: 00406A9C
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,?,00400000,004917C0), ref: 00406ACC
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B30
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B66
Part of subcall function 00406A68: FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B79
Part of subcall function 00406A68: FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B8B
Part of subcall function 00406A68: lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B97
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000), ref: 00406BCB
Part of subcall function 00406A68: lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00406BD7
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 00406BF9

RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,00406D31,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00406CEB
RegQueryValueExA.ADVAPI32(?,00406E98,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00406D31,?,80000001), ref: 00406D09
RegCloseKey.ADVAPI32(?,00406D38,00000000,?,?,00000000,00406D31,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00406D2B
lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00406D48
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00406D55
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00406D5B
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00406D86
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406DCD
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406DDD
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406E05
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406E15
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00406E3B
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 00406E4B

Strings

Software\Borland\Locales, xrefs: 00406C5C, 00406C7A
Software\Borland\Delphi\Locales, xrefs: 00406C98

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00406D38, Relevance: 15.1, APIs: 10, Instructions: 98 Total matches: 2843stringlibrarythread

Similarity

Total matches: 2843
API ID: lstrcpyn$LoadLibraryEx$GetLocaleInfoGetThreadLocalelstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 2476548892-2375825460
Opcode ID: 37afa4b59127376f4a6833a35b99071d0dffa887068a3353cca0b5e1e5cd2bc3
Instruction ID: 0c520f96d45b86b238466289d2a994e593252e78d5c30d2048b7af96496f657b
Opcode Fuzzy Hash: 4CF0C883479793A7E04B1B422916AC853A4AF00F30F577BE1B970147FE7D1B240CA519
Instruction Fuzzy Hash: 0c520f96d45b86b238466289d2a994e593252e78d5c30d2048b7af96496f657b

APIs

lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00406D48
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00406D55
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00406D5B
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00406D86
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406DCD
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406DDD
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406E05
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406E15
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00406E3B
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 00406E4B

Strings

Software\Borland\Locales, xrefs: 00406C5C, 00406C7A
Software\Borland\Delphi\Locales, xrefs: 00406C98

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AEA8, Relevance: 9.1, APIs: 6, Instructions: 108 Total matches: 122

Similarity

Total matches: 122
API ID: AdjustTokenPrivilegesCloseHandleGetCurrentProcessGetLastErrorLookupPrivilegeValueOpenProcessToken
String ID:
API String ID: 1655903152-0
Opcode ID: c92d68a2c1c5faafb4a28c396f292a277a37f0b40326d7f586547878ef495775
Instruction ID: 5a044237aac15a3989e4021d08b96f5326c338692d3d0e66e444868dbe789150
Opcode Fuzzy Hash: 2CF0468513CAB2E7F879B18C3042FE73458B323244C8437219A903A18E0E59A12CEB13
Instruction Fuzzy Hash: 5a044237aac15a3989e4021d08b96f5326c338692d3d0e66e444868dbe789150

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AEFF
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF05
LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000), ref: 0048AF77
CloseHandle.KERNEL32(?), ref: 0048AF8D
GetLastError.KERNEL32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF9A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DDE0, Relevance: 7.6, APIs: 5, Instructions: 54 Total matches: 153

Similarity

Total matches: 153
API ID: FindResourceFreeResourceLoadResourceLockResourceSizeofResource
String ID:
API String ID: 3885362348-0
Opcode ID: ef8b8e58cde3d28224df1e0c57da641ab2d3d01fa82feb3a30011b4f31433ee9
Instruction ID: 9990bafbf40e834a260b48e1f62370990a3e04654371271e90c167a58edff6a8
Opcode Fuzzy Hash: 08D02B420B5FA197F51656482C813D722876B43386EC42BF2D31A3B2E39F058039F60B
Instruction Fuzzy Hash: 9990bafbf40e834a260b48e1f62370990a3e04654371271e90c167a58edff6a8

APIs

FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 0048DE1A
LoadResource.KERNEL32(00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE24
SizeofResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE2E
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE36
FreeResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047EAEC, Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 149 Total matches: 19windowthread

Similarity

Total matches: 19
API ID: CreateThreadDispatchMessageGetMessageTranslateMessage
String ID: at $,xI$AI$AI$MPI$OFFLINEK$PWD$Unknow
API String ID: 994098336-2744674293
Opcode ID: 9eba81f8e67a9dabaeb5076a6d0005a8d272465a03f2cd78ec5fdf0e8a578f9a
Instruction ID: 2241c7d72abfc068c3e0d2a9a226d44f5f768712d3663902469fbf0e50918cf5
Opcode Fuzzy Hash: E81159DA27FED40AF533B93074417C781661B2B62CE5C53A24E3B38580DE83406A7F06
Instruction Fuzzy Hash: 2241c7d72abfc068c3e0d2a9a226d44f5f768712d3663902469fbf0e50918cf5

APIs

CreateThread.KERNEL32(00000000,00000000,00482028,00000000,00000000,00499F94), ref: 0047EB8D
GetMessageA.USER32(00499F5C,00000000,00000000,00000000), ref: 0047ECBF

Part of subcall function 0040BC98: GetLocalTime.KERNEL32(?), ref: 0040BCA0

Part of subcall function 0040BCC4: GetLocalTime.KERNEL32(?), ref: 0040BCCC

Part of subcall function 0041FA34: GetLastError.KERNEL32(00486514,00000004,0048650C,00000000,0041FADE,?,00499F5C), ref: 0041FA94

Part of subcall function 0041FC40: SetThreadPriority.KERNEL32(?,015CDB28,00499F5C,?,0047EC9E,?,?,?,00000000,00000000,?,0049062B), ref: 0041FC55

Part of subcall function 0041FEF0: ResumeThread.KERNEL32(?,00499F5C,?,0047ECAA,?,?,?,00000000,00000000,?,0049062B), ref: 0041FEF8

TranslateMessage.USER32(00499F5C), ref: 0047ECAD
DispatchMessageA.USER32(00499F5C), ref: 0047ECB3

Strings

OFFLINEK, xrefs: 0047EB61
,xI, xrefs: 0047EC45
AI, xrefs: 0047EB11, 0047EB3E
at , xrefs: 0047EC58
Unknow, xrefs: 0047EC0B
AI, xrefs: 0047EBFA, 0047EC04, 0047EC60
MPI, xrefs: 0047EB9D
PWD, xrefs: 0047EB26

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004458CC, Relevance: 19.9, APIs: 13, Instructions: 386 Total matches: 159window

Similarity

Total matches: 159
API ID: SetFocus$GetFocusIsWindowEnabledPostMessage$GetLastActivePopupIsWindowVisibleSendMessage
String ID:
API String ID: 914620548-0
Opcode ID: 7a550bb8e8bdfffe0a3d884064dd1348bcd58c670023c5df15e5d4cbc78359b7
Instruction ID: ae7cdb1027d949e36366800a998b34cbf022b374fa511ef6be9943eb0d4292bd
Opcode Fuzzy Hash: 79518B4165DF6212E8BB908076A3BE6604BF7C6B9ECC8DF3411D53649B3F44620EE306
Instruction Fuzzy Hash: ae7cdb1027d949e36366800a998b34cbf022b374fa511ef6be9943eb0d4292bd

APIs

Part of subcall function 00445780: SetThreadLocale.KERNEL32(00000400,?,?,?,0044593F,00000000,00445F57), ref: 004457A3

Part of subcall function 00445F90: SetActiveWindow.USER32(?), ref: 00445FB5
Part of subcall function 00445F90: IsWindowEnabled.USER32(00000000), ref: 00445FE1
Part of subcall function 00445F90: SetWindowPos.USER32(?,00000000,00000000,00000000,?,00000000,00000040), ref: 0044602B
Part of subcall function 00445F90: DefWindowProcA.USER32(?,00000112,0000F020,00000000), ref: 00446040

Part of subcall function 00446070: SetActiveWindow.USER32(?), ref: 0044608F
Part of subcall function 00446070: ShowWindow.USER32(00000000,00000009), ref: 004460B4
Part of subcall function 00446070: IsWindowEnabled.USER32(00000000), ref: 004460D3
Part of subcall function 00446070: DefWindowProcA.USER32(?,00000112,0000F120,00000000), ref: 004460EC
Part of subcall function 00446070: SetWindowPos.USER32(?,00000000,00000000,?,?,00445ABE,00000000), ref: 00446132
Part of subcall function 00446070: SetFocus.USER32(00000000), ref: 00446180

Part of subcall function 00445F74: LoadIconA.USER32(00000000,00007F00), ref: 00445F8A

PostMessageA.USER32(?,0000B001,00000000,00000000), ref: 00445BCD

Part of subcall function 00445490: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000213), ref: 004454DE

PostMessageA.USER32(?,0000B000,00000000,00000000), ref: 00445BAB
SendMessageA.USER32(?,?,?,?), ref: 00445C73

Part of subcall function 00405388: FreeLibrary.KERNEL32(00400000,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405410
Part of subcall function 00405388: ExitProcess.KERNEL32(00000000,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405448

Part of subcall function 0044641C: IsWindowEnabled.USER32(00000000), ref: 00446458

IsWindowEnabled.USER32(00000000), ref: 00445D18
IsWindowVisible.USER32(00000000), ref: 00445D2D
GetFocus.USER32 ref: 00445D41
SetFocus.USER32(00000000), ref: 00445D50
SetFocus.USER32(00000000), ref: 00445D6F
IsWindowEnabled.USER32(00000000), ref: 00445DD0
SetFocus.USER32(00000000), ref: 00445DF2
GetLastActivePopup.USER32(?), ref: 00445E0A

Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773

GetFocus.USER32 ref: 00445E4F

Part of subcall function 0043BA80: GetCurrentThreadId.KERNEL32(Function_0003BA1C,00000000,0044283C,00000000,004428BF), ref: 0043BA9A
Part of subcall function 0043BA80: EnumThreadWindows.USER32(00000000,Function_0003BA1C,00000000), ref: 0043BAA0

SetFocus.USER32(00000000), ref: 00445E70

Part of subcall function 00446A88: PostMessageA.USER32(?,0000B01F,00000000,00000000), ref: 00446BA1

Part of subcall function 004466B8: SendMessageA.USER32(?,0000B020,00000001,?), ref: 004466DC

Part of subcall function 0044665C: SendMessageA.USER32(?,0000B020,00000000,?), ref: 0044667E

Part of subcall function 0045D684: SystemParametersInfoA.USER32(00000068,00000000,015E3408,00000000), ref: 0045D6C8
Part of subcall function 0045D684: SendMessageA.USER32(?,?,00000000,00000000), ref: 0045D6DB

Part of subcall function 00445844: DefWindowProcA.USER32(?,?,?,?), ref: 0044586E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045DAE0, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 103 Total matches: 45registrylibraryloader

Similarity

Total matches: 45
API ID: GlobalAddAtom$GetCurrentProcessIdGetCurrentThreadIdGetModuleHandleGetProcAddressRegisterWindowMessage
String ID: AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$USER32
API String ID: 1182141063-1126952177
Opcode ID: f8c647dae10644b7e730f5649d963eb01b1b77fd7d0b633dfddc8baab0ae74fb
Instruction ID: 6dc9b78338348dc7afd8e3f20dad2926db9f0bd5be2625dc934bf3846c6fa984
Opcode Fuzzy Hash: ED0140552F89B147427255E03449BB534B6A707F4B4CA77531B0D3A1F9AE074025FB1E
Instruction Fuzzy Hash: 6dc9b78338348dc7afd8e3f20dad2926db9f0bd5be2625dc934bf3846c6fa984

APIs

GetCurrentProcessId.KERNEL32(?,00000000,0045DC58), ref: 0045DB01
GlobalAddAtomA.KERNEL32(00000000), ref: 0045DB34
GetCurrentThreadId.KERNEL32(?,?,00000000,0045DC58), ref: 0045DB4F
GlobalAddAtomA.KERNEL32(00000000), ref: 0045DB85
RegisterWindowMessageA.USER32(00000000,00000000,?,?,00000000,0045DC58), ref: 0045DB9B

Part of subcall function 00419AB0: InitializeCriticalSection.KERNEL32(004174C8,?,?,0045DBB1,00000000,00000000,?,?,00000000,0045DC58), ref: 00419ACF

Part of subcall function 0045D6E8: SetErrorMode.KERNEL32(00008000), ref: 0045D701
Part of subcall function 0045D6E8: GetModuleHandleA.KERNEL32(USER32,00000000,0045D84E,?,00008000), ref: 0045D725
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,WINNLSEnableIME,USER32,00000000,0045D84E,?,00008000), ref: 0045D732
Part of subcall function 0045D6E8: LoadLibraryA.KERNEL32(imm32.dll), ref: 0045D74E
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D770
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D785
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D79A
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7AF
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7C4
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E), ref: 0045D7D9
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000), ref: 0045D7EE
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext), ref: 0045D803
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext), ref: 0045D818
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmNotifyIME,00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus), ref: 0045D82D
Part of subcall function 0045D6E8: SetErrorMode.KERNEL32(?,0045D855,00008000), ref: 0045D848

Part of subcall function 00443B58: GetKeyboardLayout.USER32(00000000), ref: 00443B9D
Part of subcall function 00443B58: GetDC.USER32(00000000), ref: 00443BF2
Part of subcall function 00443B58: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00443BFC
Part of subcall function 00443B58: ReleaseDC.USER32(00000000,00000000), ref: 00443C07

Part of subcall function 00444D60: LoadIconA.USER32(00400000,MAINICON), ref: 00444E57
Part of subcall function 00444D60: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON), ref: 00444E89
Part of subcall function 00444D60: OemToCharA.USER32(?,?), ref: 00444E9C
Part of subcall function 00444D60: CharNextA.USER32(?), ref: 00444EDB
Part of subcall function 00444D60: CharLowerA.USER32(00000000), ref: 00444EE1

GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,?,00000000,0045DC58), ref: 0045DC1F
GetProcAddress.KERNEL32(00000000,AnimateWindow,USER32,00000000,00000000,?,?,00000000,0045DC58), ref: 0045DC30

Strings

Delphi%.8X, xrefs: 0045DB12
ControlOfs%.8X%.8X, xrefs: 0045DB63
AnimateWindow, xrefs: 0045DC2A
USER32, xrefs: 0045DC1A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00481318, Relevance: 16.0, APIs: 2, Strings: 7, Instructions: 241 Total matches: 16thread

Similarity

Total matches: 16
API ID: CreateThreadExitThread
String ID: Bytes ($,xI$:: $:: Clipboard Change : size = $FTPSIZE$FTPUPLOADK$dclogs\
API String ID: 3550501405-4171340091
Opcode ID: 09ac825b311b0dae764bb850de313dcff2ce8638679eaf641d47129c8347c1b6
Instruction ID: 18a29a8180aa3c51a0af157095e3a2943ba53103427a66675ab0ae847ae08d92
Opcode Fuzzy Hash: A8315BC70B99DEDBE522BCD838413A6446E1B4364DD4C1B224B397D4F14F09203AF712
Instruction Fuzzy Hash: 18a29a8180aa3c51a0af157095e3a2943ba53103427a66675ab0ae847ae08d92

APIs

ExitThread.KERNEL32(00000000,00000000,00481687,?,00000000,004816C3,?,?,?,?,0000000C,00000000,00000000), ref: 0048135E

Part of subcall function 00480F70: GetForegroundWindow.USER32 ref: 00480F8F
Part of subcall function 00480F70: GetWindowTextLengthA.USER32(00000000), ref: 00480F9B
Part of subcall function 00480F70: GetWindowTextA.USER32(00000000,00000000,00000001), ref: 00480FB8

Part of subcall function 0048ADCC: SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0048ADF9
Part of subcall function 0048ADCC: SHGetPathFromIDListA.SHELL32(?,?,00000000,0048AE8C,?,?,00000005,?,004856FD,00000000,00485755,?,?,00000005,00000000,00000000), ref: 0048AE09

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

Part of subcall function 0040BCC4: GetLocalTime.KERNEL32(?), ref: 0040BCCC

Part of subcall function 00480FEC: FindFirstFileA.KERNEL32(00000000,?,00000000,0048109E), ref: 0048101E

CreateThread.KERNEL32(00000000,00000000,Function_000810D4,00000000,00000000,00499F94), ref: 0048162D

Strings

FTPUPLOADK, xrefs: 0048159E
,xI, xrefs: 00481482, 0048151D
dclogs\, xrefs: 004813DB, 0048142A, 004815C7
FTPSIZE, xrefs: 004815F1
:: , xrefs: 00481492
Bytes (, xrefs: 0048153F
:: Clipboard Change : size = , xrefs: 0048152D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048B908, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 138 Total matches: 28

Similarity

Total matches: 28
API ID: GetTokenInformation$CloseHandleGetCurrentProcessOpenProcessToken
String ID: Default$Full$Limited$unknow
API String ID: 3519712506-3005279702
Opcode ID: c9e83fe5ef618880897256b557ce500f1bf5ac68e7136ff2dc4328b35d11ffd0
Instruction ID: 0b4c06dab34d27ad9d68d80be0f4d698db9405c4a95def130c1ac261927f5781
Opcode Fuzzy Hash: 94012245479DA6FB6826709C78036E90090EEA3505DC827320F1A3EA430F49906DFE03
Instruction Fuzzy Hash: 0b4c06dab34d27ad9d68d80be0f4d698db9405c4a95def130c1ac261927f5781

APIs

GetCurrentProcess.KERNEL32(00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B93E
OpenProcessToken.ADVAPI32(00000000,00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B944
GetTokenInformation.ADVAPI32(?,00000012(TokenIntegrityLevel),?,00000004,?,00000000,0048BA30,?,00000000,00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B96F
GetTokenInformation.ADVAPI32(?,00000014(TokenIntegrityLevel),?,00000004,?,?,TokenIntegrityLevel,?,00000004,?,00000000,0048BA30,?,00000000,00000008,?), ref: 0048B9DF
CloseHandle.KERNEL32(?), ref: 0048BA2A

Strings

unknow, xrefs: 0048B9B6
Limited, xrefs: 0048B9A7
Default, xrefs: 0048B989
Full, xrefs: 0048B998

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004035C4, Relevance: 15.1, APIs: 10, Instructions: 129 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: d538ecb20819965be69077a828496b76d5af3486dd71f6717b9dc933de35fdbc
Instruction ID: c976212507a0127e09b4f1878ff8970bdbefa7b4a5e526d5fabf74a192684bc9
Opcode Fuzzy Hash: DD012BC0B7E89268E42FAB84AA00FD25444979FFC9E70C74433C9615EE6742616CBE09
Instruction Fuzzy Hash: c976212507a0127e09b4f1878ff8970bdbefa7b4a5e526d5fabf74a192684bc9

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040364C
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00403670
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040368C
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 004036AD
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 004036D6
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 004036E4
GetStdHandle.KERNEL32(000000F5), ref: 0040371F
GetFileType.KERNEL32 ref: 00403735
CloseHandle.KERNEL32 ref: 00403750
GetLastError.KERNEL32(000000F5), ref: 00403768

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040EBCC, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201 Total matches: 3634thread

Similarity

Total matches: 3634
API ID: GetThreadLocale
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 1366207816-2493093252
Opcode ID: 01a36ac411dc2f0c4b9eddfafa1dc6121dabec367388c2cb1b6e664117e908cf
Instruction ID: d03f869ccb848d3c28b0e9f5c57a02ed4726818649ba9b5e70cc30c7e7abe10a
Opcode Fuzzy Hash: 7E216E09A7888936D262494C3885B9414F75F1A161EC4CBF18BB2757ED6EC60422FBFB
Instruction Fuzzy Hash: d03f869ccb848d3c28b0e9f5c57a02ed4726818649ba9b5e70cc30c7e7abe10a

APIs

Part of subcall function 0040EB08: GetThreadLocale.KERNEL32 ref: 0040EB2A
Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000004A), ref: 0040EB7D
Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000002A), ref: 0040EB8C

Part of subcall function 0040D3E8: GetThreadLocale.KERNEL32(00000000,0040D4FB,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040D404

GetThreadLocale.KERNEL32(00000000,0040EE97,?,?,00000000,00000000), ref: 0040EC02

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Part of subcall function 0040D380: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040EC7E,00000000,0040EE97,?,?,00000000,00000000), ref: 0040D393

Part of subcall function 0040D670: GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(?,00000000,0040D657,?,?,00000000), ref: 0040D5D8
Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040D657,?,?,00000000), ref: 0040D608
Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D50C,00000000,00000000,00000004), ref: 0040D613
Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040D657,?,?,00000000), ref: 0040D631
Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D548,00000000,00000000,00000003), ref: 0040D63C

Strings

AMPM , xrefs: 0040EE25
mmmm d, yyyy, xrefs: 0040ECFE
m/d/yy, xrefs: 0040ECD1
:mm, xrefs: 0040EE35
:mm:ss, xrefs: 0040EE52
AMPM, xrefs: 0040EE16

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045F5F8, Relevance: 10.6, APIs: 7, Instructions: 117 Total matches: 462file

Similarity

Total matches: 462
API ID: CloseHandle$CreateFileCreateFileMappingGetFileSizeMapViewOfFileUnmapViewOfFile
String ID:
API String ID: 4232242029-0
Opcode ID: 30b260463d44c6b5450ee73c488d4c98762007a87f67d167b52aaf6bd441c3bf
Instruction ID: 5c790fdba87d6d3a28b45298bdc34f72c373fcd78425af207109af52e92f4d8f
Opcode Fuzzy Hash: 68F028440BCCF3A7F4B5B64820427A1004AAB46B58D54BFA25495374CB89C9B04DFB53
Instruction Fuzzy Hash: 5c790fdba87d6d3a28b45298bdc34f72c373fcd78425af207109af52e92f4d8f

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateFileA.KERNEL32(00000000,80000000,00000003,00000000,00000003,08000080,00000000), ref: 0045F637
CreateFileMappingA.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0045F665
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718,?,?,?,?), ref: 0045F691
GetFileSize.KERNEL32(000000FF,00000000,00000000,0045F6DC,?,00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718), ref: 0045F6B3
UnmapViewOfFile.KERNEL32(00000000,0045F6E3,0045F6DC,?,00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718), ref: 0045F6D6
CloseHandle.KERNEL32(00000000), ref: 0045F6F4
CloseHandle.KERNEL32(000000FF), ref: 0045F712

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AFE8, Relevance: 10.6, APIs: 7, Instructions: 94 Total matches: 34sleep

Similarity

Total matches: 34
API ID: Sleep$GetCurrentProcessGetTokenInformationLookupPrivilegeDisplayNameLookupPrivilegeNameOpenProcessToken
String ID:
API String ID: 2949210484-0
Opcode ID: 1294ace95088db967643d611283e857756515b83d680ef470e886f47612abab4
Instruction ID: 080af5cb768fd98714a9d060fcd45c73de1816ca9ba7ffb4874f351f539571ee
Opcode Fuzzy Hash: F9F0F6524B5DE753F65D2A4C9893BE90250DB03424E806B22857877A8A5E195039FA2A
Instruction Fuzzy Hash: 080af5cb768fd98714a9d060fcd45c73de1816ca9ba7ffb4874f351f539571ee

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048B0F3), ref: 0048B016
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048B0F3), ref: 0048B01C
Sleep.KERNEL32(00000001,00000000,00000028,?,00000000,0048B0F3), ref: 0048B027
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B03C
Sleep.KERNEL32(00000001,?,TokenIntegrityLevel,00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B047
LookupPrivilegeNameA.ADVAPI32(00000000,00000004,00000000,000000FF), ref: 0048B094
LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,?,000000FF,?), ref: 0048B0A8

Part of subcall function 0048AEA8: GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AEFF
Part of subcall function 0048AEA8: OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF05
Part of subcall function 0048AEA8: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
Part of subcall function 0048AEA8: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000), ref: 0048AF77
Part of subcall function 0048AEA8: CloseHandle.KERNEL32(?), ref: 0048AF8D
Part of subcall function 0048AEA8: GetLastError.KERNEL32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF9A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048F888, Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 110 Total matches: 18

Similarity

Total matches: 18
API ID: CoInitialize
String ID: .dcp$DCDATA$GENCODE$MPI$NETDATA
API String ID: 2346599605-3060965071
Opcode ID: 5b2698c0d83cdaee763fcf6fdf8d4463e192853437356cece5346bd183c87f4d
Instruction ID: bf1364519f653df7cd18a9a38ec8bfca38719d83700d8c9dcdc44dde4d16a583
Opcode Fuzzy Hash: 990190478FEEC01AF2139D64387B7C100994F53F55E840B9B557D3E5A08947502BB705
Instruction Fuzzy Hash: bf1364519f653df7cd18a9a38ec8bfca38719d83700d8c9dcdc44dde4d16a583

APIs

Part of subcall function 004076D4: GetModuleHandleA.KERNEL32(00000000,?,0048F8A5,?,?,?,0000002F,00000000,00000000), ref: 004076E0

CoInitialize.OLE32(00000000), ref: 0048F8B5

Part of subcall function 0048AFE8: GetCurrentProcess.KERNEL32(00000028,?,00000000,0048B0F3), ref: 0048B016
Part of subcall function 0048AFE8: OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048B0F3), ref: 0048B01C
Part of subcall function 0048AFE8: Sleep.KERNEL32(00000001,00000000,00000028,?,00000000,0048B0F3), ref: 0048B027
Part of subcall function 0048AFE8: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B03C
Part of subcall function 0048AFE8: Sleep.KERNEL32(00000001,?,TokenIntegrityLevel,00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B047
Part of subcall function 0048AFE8: LookupPrivilegeNameA.ADVAPI32(00000000,00000004,00000000,000000FF), ref: 0048B094
Part of subcall function 0048AFE8: LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,?,000000FF,?), ref: 0048B0A8

Part of subcall function 0040F234: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0048F90F,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040F24B

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

Strings

.dcp, xrefs: 0048F92D, 0048F989
DCDATA, xrefs: 0048F8E9
NETDATA, xrefs: 0048F9B6
MPI, xrefs: 0048F8BA
GENCODE, xrefs: 0048F920, 0048F97C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B47C, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58 Total matches: 283

Similarity

Total matches: 283
API ID: MulDiv
String ID: MS Shell Dlg 2$SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes$Tahoma
API String ID: 940359406-1011973972
Opcode ID: 9f338f1e3de2c8e95426f3758bdd42744a67dcd51be80453ed6f2017c850a3af
Instruction ID: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a
Opcode Fuzzy Hash: EDE0680017C8F0ABFC32BC8A30A17CD20C9F341270C0063B1065D3D8CAAB4AC018E907
Instruction Fuzzy Hash: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a

APIs

MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0042B4A2

Part of subcall function 004217A0: RegCloseKey.ADVAPI32(10940000,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5,?,00000000,0048B2DD), ref: 004217B4

Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421A81
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421AF1
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?), ref: 00421B5C

Part of subcall function 00421770: RegFlushKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 00421781
Part of subcall function 00421770: RegCloseKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 0042178A

Part of subcall function 0042B438: GetDC.USER32(00000000), ref: 0042B441
Part of subcall function 0042B438: SelectObject.GDI32(00000000,018A002E), ref: 0042B453
Part of subcall function 0042B438: GetTextMetricsA.GDI32(00000000), ref: 0042B45E
Part of subcall function 0042B438: ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes, xrefs: 0042B4F8
MS Shell Dlg 2, xrefs: 0042B50C
Tahoma, xrefs: 0042B4C4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00421140, Relevance: 6.1, APIs: 4, Instructions: 59 Total matches: 2877registry

Similarity

Total matches: 2877
API ID: GetClassInfoRegisterClassSetWindowLongUnregisterClass
String ID:
API String ID: 1046148194-0
Opcode ID: c2411987b4f71cfd8dbf515c505d6b009a951c89100e7b51cc1a9ad4868d85a2
Instruction ID: ad09bb2cd35af243c34bf0a983bbfa5e937b059beb8f7eacfcf21e0321a204f6
Opcode Fuzzy Hash: 17E026123D08D3D6E68B3107302B30D00AC1B2F524D94E725428030310CB24B034D942
Instruction Fuzzy Hash: ad09bb2cd35af243c34bf0a983bbfa5e937b059beb8f7eacfcf21e0321a204f6

APIs

GetClassInfoA.USER32(00400000,00421130,?), ref: 00421161
UnregisterClassA.USER32(00421130,00400000), ref: 0042118A
RegisterClassA.USER32(00491B50), ref: 00421194

Part of subcall function 0040857C: CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004085BB

Part of subcall function 00421084: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 004210A2

SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 004211DF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00421808, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74 Total matches: 14registry

Similarity

Total matches: 14
API ID: RegCloseKeyRegCreateKeyEx
String ID: ddA
API String ID: 4178925417-2966775115
Opcode ID: 48d059bb8e84bc3192dc11d099b9e0818b120cb04e32a6abfd9049538a466001
Instruction ID: bcac8fa413c5abe8057b39d2fbf4054ffa52545f664d92bf1e259ce37bb87d2b
Opcode Fuzzy Hash: 99E0E5461A86A377B41BB1583001B523267EB167A6C85AB72164D3EADBAA40802DAE53
Instruction Fuzzy Hash: bcac8fa413c5abe8057b39d2fbf4054ffa52545f664d92bf1e259ce37bb87d2b

APIs

RegCreateKeyExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,000F003F,00000000,?,?,00000000,004218D4,?,?,?,00000000), ref: 0042187F
RegCloseKey.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,000F003F,00000000,?,?,00000000,004218D4,?,?,?,00000000), ref: 00421893

Strings

ddA, xrefs: 004218A7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DD0C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51 Total matches: 15

Similarity

Total matches: 15
API ID: GlobalMemoryStatus
String ID: $%d%
API String ID: 1890195054-1553997471
Opcode ID: b93ee82e74eb3fdc7cf13e02b5efcaa0aef25b4b863b00f7ccdd0b9efdff76e6
Instruction ID: fe5533f6b2d125ff6ee6e2ff500c73019a28ed325643b914abb945f4eac8f20d
Opcode Fuzzy Hash: 64D05BD70F99F457A5A1718E3452FA400956F036D9CC83BB349946E99F071F80ACF612
Instruction Fuzzy Hash: fe5533f6b2d125ff6ee6e2ff500c73019a28ed325643b914abb945f4eac8f20d

APIs

GlobalMemoryStatus.KERNEL32(00000020), ref: 0048DD44

Strings

%d%, xrefs: 0048DD5C
, xrefs: 0048DD39

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048CF38, Relevance: 4.5, APIs: 3, Instructions: 43 Total matches: 31

Similarity

Total matches: 31
API ID: GetForegroundWindowGetWindowTextGetWindowTextLength
String ID:
API String ID: 3098183346-0
Opcode ID: 209e0569b9b6198440fd91fa0607dca7769e34364d6ddda49eba559da13bc80b
Instruction ID: 91d0bfb2ef12b00d399625e8c88d0df52cd9c99a94677dcfff05ce23f9c63a23
Opcode Fuzzy Hash: 06D0A785074B861BA40A96CC64011E692906161142D8077318725BA5C9AD06001FA85B
Instruction Fuzzy Hash: 91d0bfb2ef12b00d399625e8c88d0df52cd9c99a94677dcfff05ce23f9c63a23

APIs

GetForegroundWindow.USER32 ref: 0048CF57
GetWindowTextLengthA.USER32(00000000), ref: 0048CF63
GetWindowTextA.USER32(00000000,00000000,00000001), ref: 0048CF80

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482028, Relevance: 4.5, APIs: 3, Instructions: 19 Total matches: 124window

Similarity

Total matches: 124
API ID: DispatchMessageGetMessageTranslateMessage
String ID:
API String ID: 238847732-0
Opcode ID: 2bc29e822e5a19ca43f9056ef731e5d255ca23f22894fa6ffe39914f176e67d0
Instruction ID: 3635f244085e73605198e4edd337f824154064b4cabe78c039b45d2f1f3269be
Opcode Fuzzy Hash: A9B0120F8141E01F254D19651413380B5D379C3120E515B604E2340284D19031C97C49
Instruction Fuzzy Hash: 3635f244085e73605198e4edd337f824154064b4cabe78c039b45d2f1f3269be

APIs

Part of subcall function 00481ED8: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00482007,?,?,00000003,00000000,00000000,?,00482033), ref: 00481EFB
Part of subcall function 00481ED8: SetWindowsHookExA.USER32(0000000D,004818F8,00000000,00000000), ref: 00481F09

TranslateMessage.USER32 ref: 00482036
DispatchMessageA.USER32 ref: 0048203C
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00482048

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C91C, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 75 Total matches: 20

Similarity

Total matches: 20
API ID: GetVolumeInformation
String ID: %.4x:%.4x
API String ID: 1114431059-3532927987
Opcode ID: 208ca3ebf28c5cea15b573a569a7b8c9d147c1ff64dfac4d15af7b461a718bc8
Instruction ID: 4ae5e3aba91ec141201c4859cc19818ff8a02ee484ece83311eb3b9305c11bcf
Opcode Fuzzy Hash: F8E0E5410AC961EBB4D3F0883543BA2319593A3289C807B73B7467FDD64F05505DD847
Instruction Fuzzy Hash: 4ae5e3aba91ec141201c4859cc19818ff8a02ee484ece83311eb3b9305c11bcf

APIs

GetVolumeInformationA.KERNEL32(00000000,00000000,00000104,?,?,?,00000000,00000104), ref: 0048C974

Strings

%.4x:%.4x, xrefs: 0048C9B9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048CFB4, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58 Total matches: 8

Similarity

Total matches: 8
API ID: capGetDriverDescription
String ID: -
API String ID: 908034968-3695764949
Opcode ID: 539b46e002ba2863d7d2c04a7b077dd225392ffb50804089dcc6361416e5df4e
Instruction ID: 038fcc9a5db2c7f42583a832665ba5c588812794c244530825cfc74b69c29f65
Opcode Fuzzy Hash: 2EE0228213B0DAF7E5A00FA03864F5C0B640F02AB8F8C9FA2A278651EE2C14404CE24F
Instruction Fuzzy Hash: 038fcc9a5db2c7f42583a832665ba5c588812794c244530825cfc74b69c29f65

APIs

capGetDriverDescriptionA.AVICAP32(00000000,?,00000105,?,00000105,00000000,0048D07B), ref: 0048CFF9

Strings

- , xrefs: 0048D026

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00475E2C, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 51 Total matches: 7network

Similarity

Total matches: 7
API ID: send
String ID: AI
API String ID: 2809346765-2814088591
Opcode ID: 868ad7ac68dacb7c8c4160927bbae46afa974d2bcec77bad21f6f3dd38f5bacb
Instruction ID: 18704ec08ed0309c1d2906dc748e140c54c21f2532b483477e06f3f57a53c56f
Opcode Fuzzy Hash: 47D0C246096AC96BA413E890396335B2097FB40259D802B700B102F0978E05601BAE83
Instruction Fuzzy Hash: 18704ec08ed0309c1d2906dc748e140c54c21f2532b483477e06f3f57a53c56f

APIs

send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

AI, xrefs: 00475E55

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004221F0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47 Total matches: 18registry

Similarity

Total matches: 18
API ID: RegQueryValueEx
String ID: ldA
API String ID: 3865029661-3200660723
Opcode ID: ec304090a766059ca8447c7e950ba422bbcd8eaba57a730efadba48c404323b5
Instruction ID: 1bfdbd06430122471a07604155f074e1564294130eb9d59a974828bfc3ff2ca5
Opcode Fuzzy Hash: 87D05E281E48858525DA74D93101B522241E7193938CC3F618A4C976EB6900F018EE0F
Instruction Fuzzy Hash: 1bfdbd06430122471a07604155f074e1564294130eb9d59a974828bfc3ff2ca5

APIs

RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000), ref: 0042221B

Strings

ldA, xrefs: 00422231

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Similar Non-Executed Functions

Function 0048B42C, Relevance: 70.2, APIs: 32, Strings: 8, Instructions: 219 Total matches: 29keyboard

Similarity

Total matches: 29
API ID: keybd_event
String ID: CTRLA$CTRLC$CTRLF$CTRLP$CTRLV$CTRLX$CTRLY$CTRLZ
API String ID: 2665452162-853614746
Opcode ID: 4def22f753c7f563c1d721fcc218f3f6eb664e5370ee48361dbc989d32d74133
Instruction ID: 963b610819eac8b52ef880b5a8b69d76f76adbdeafee6c47af906d1515d6b099
Opcode Fuzzy Hash: 532196951B0CA2B978DA64817C0E195F00B969B34DEDC13128990DAF788EF08DE03F35
Instruction Fuzzy Hash: 963b610819eac8b52ef880b5a8b69d76f76adbdeafee6c47af906d1515d6b099

APIs

keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B460
keybd_event.USER32(00000041,00000045,00000001,00000000), ref: 0048B46D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B47A
keybd_event.USER32(00000041,00000045,00000003,00000000), ref: 0048B487
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B4A8
keybd_event.USER32(00000056,00000045,00000001,00000000), ref: 0048B4B5
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B4C2
keybd_event.USER32(00000056,00000045,00000003,00000000), ref: 0048B4CF
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B4F0
keybd_event.USER32(00000043,00000045,00000001,00000000), ref: 0048B4FD
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B50A
keybd_event.USER32(00000043,00000045,00000003,00000000), ref: 0048B517
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B538
keybd_event.USER32(00000058,00000045,00000001,00000000), ref: 0048B545
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B552
keybd_event.USER32(00000058,00000045,00000003,00000000), ref: 0048B55F
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B580
keybd_event.USER32(00000050,00000045,00000001,00000000), ref: 0048B58D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B59A
keybd_event.USER32(00000050,00000045,00000003,00000000), ref: 0048B5A7
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B5C8
keybd_event.USER32(0000005A,00000045,00000001,00000000), ref: 0048B5D5
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B5E2
keybd_event.USER32(0000005A,00000045,00000003,00000000), ref: 0048B5EF
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B610
keybd_event.USER32(00000059,00000045,00000001,00000000), ref: 0048B61D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B62A
keybd_event.USER32(00000059,00000045,00000003,00000000), ref: 0048B637
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B655
keybd_event.USER32(00000046,00000045,00000001,00000000), ref: 0048B662
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B66F
keybd_event.USER32(00000046,00000045,00000003,00000000), ref: 0048B67C

Strings

CTRLP, xrefs: 0048B56C
CTRLC, xrefs: 0048B4DC
CTRLV, xrefs: 0048B494
CTRLY, xrefs: 0048B5FC
CTRLF, xrefs: 0048B641
CTRLZ, xrefs: 0048B5B4
CTRLX, xrefs: 0048B524
CTRLA, xrefs: 0048B44C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00460AC0, Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99 Total matches: 300libraryloader

Similarity

Total matches: 300
API ID: GetProcAddress$GetModuleHandle
String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$[FILE]
API String ID: 1039376941-2682310058
Opcode ID: f09c306a48b0de2dd47c8210d3bd2ba449cfa3644c05cf78ba5a2ace6c780295
Instruction ID: bcfc9cd07546656776842482fc67dab96c7523a4dc8624f3bf5282ed84c56a54
Opcode Fuzzy Hash: 950151BF00AC158CCBB0CE8834EFB5324AB398984C4225F4495C6312393D9FF50A1AAA
Instruction Fuzzy Hash: bcfc9cd07546656776842482fc67dab96c7523a4dc8624f3bf5282ed84c56a54

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?,?,?), ref: 00460AD4
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?,?,?), ref: 00460AEC
GetProcAddress.KERNEL32(00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?), ref: 00460AFE
GetProcAddress.KERNEL32(00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E), ref: 00460B10
GetProcAddress.KERNEL32(00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5), ref: 00460B22
GetProcAddress.KERNEL32(00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5), ref: 00460B34
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000), ref: 00460B46
GetProcAddress.KERNEL32(00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002), ref: 00460B58
GetProcAddress.KERNEL32(00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot), ref: 00460B6A
GetProcAddress.KERNEL32(00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst), ref: 00460B7C
GetProcAddress.KERNEL32(00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext), ref: 00460B8E
GetProcAddress.KERNEL32(00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First), ref: 00460BA0
GetProcAddress.KERNEL32(00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next), ref: 00460BB2
GetProcAddress.KERNEL32(00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory), ref: 00460BC4
GetProcAddress.KERNEL32(00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First), ref: 00460BD6
GetProcAddress.KERNEL32(00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next), ref: 00460BE8
GetProcAddress.KERNEL32(00000000,Module32NextW,00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW), ref: 00460BFA

Strings

Toolhelp32ReadProcessMemory, xrefs: 00460B3E
CreateToolhelp32Snapshot, xrefs: 00460AE4
Heap32First, xrefs: 00460B1A
Thread32First, xrefs: 00460B98
Module32First, xrefs: 00460BBC
Process32FirstW, xrefs: 00460B74
Heap32Next, xrefs: 00460B2C
Process32First, xrefs: 00460B50
Module32Next, xrefs: 00460BCE
Module32NextW, xrefs: 00460BF2
Heap32ListFirst, xrefs: 00460AF6
Thread32Next, xrefs: 00460BAA
Module32FirstW, xrefs: 00460BE0
Heap32ListNext, xrefs: 00460B08
Process32NextW, xrefs: 00460B86
kernel32.dll, xrefs: 00460ACF
Process32Next, xrefs: 00460B62

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047FA8C, Relevance: 44.0, APIs: 24, Strings: 1, Instructions: 241 Total matches: 15networkwindow

Similarity

Total matches: 15
API ID: GetDeviceCaps$recv$DeleteObjectSelectObject$BitBltCreateCompatibleBitmapCreateCompatibleDCGetDCReleaseDCclosesocketconnectgethostbynameinet_addrntohssendshutdownsocket
String ID: THUMB
API String ID: 1930283203-3798143851
Opcode ID: 678904e15847db7bac48336b7cf5e320d4a41031a0bc1ba33978a791cdb2d37c
Instruction ID: a6e5d2826a1bfadec34d698d0b396fa74616cd31ac2933a690057ec4ea65ec21
Opcode Fuzzy Hash: A331F900078DE76BF6722B402983F571157FF42A21E6997A34BB4676C75FC0640EB60B
Instruction Fuzzy Hash: a6e5d2826a1bfadec34d698d0b396fa74616cd31ac2933a690057ec4ea65ec21

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,0047FD80), ref: 0047FACB
ntohs.WSOCK32(00000774), ref: 0047FAEF
inet_addr.WSOCK32(015EAA88,00000774), ref: 0047FB03
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 0047FB1B
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 0047FB42
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047FB59

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047FBA9
GetDC.USER32(00000000), ref: 0047FBE3
CreateCompatibleDC.GDI32(?), ref: 0047FBEF
GetDeviceCaps.GDI32(?,0000000A), ref: 0047FBFD
GetDeviceCaps.GDI32(?,00000008), ref: 0047FC09
CreateCompatibleBitmap.GDI32(?,00000000,?), ref: 0047FC13
SelectObject.GDI32(?,?), ref: 0047FC23
GetDeviceCaps.GDI32(?,0000000A), ref: 0047FC3E
GetDeviceCaps.GDI32(?,00000008), ref: 0047FC4A
BitBlt.GDI32(?,00000000,00000000,00000000,?,00000008,00000000,?,0000000A), ref: 0047FC58
send.WSOCK32(000000FF,?,00000000,00000000,?,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010), ref: 0047FCCD
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00000000,00000000,?,000000FF,?,00002000,00000000,000000FF,?,00002000), ref: 0047FCE4
SelectObject.GDI32(?,?), ref: 0047FD08
DeleteObject.GDI32(?), ref: 0047FD11
DeleteObject.GDI32(?), ref: 0047FD1A
ReleaseDC.USER32(00000000,?), ref: 0047FD25
shutdown.WSOCK32(000000FF,00000002,00000002,00000001,00000000,00000000,0047FD80), ref: 0047FD54
closesocket.WSOCK32(000000FF,000000FF,00000002,00000002,00000001,00000000,00000000,0047FD80), ref: 0047FD5D

Strings

THUMB, xrefs: 0047FB7F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486918, Relevance: 40.8, APIs: 27, Instructions: 343 Total matches: 14networksleep

Similarity

Total matches: 14
API ID: send$recv$closesocket$Sleepconnectgethostbynamegetsocknamentohsselectsocket
String ID:
API String ID: 2478304679-0
Opcode ID: 4d87a5330adf901161e92fb1ca319a93a9e59af002049e08fc24e9f18237b9f5
Instruction ID: e3ab2fee1e4498134b0ab76971bb2098cdaeb743d0e54aa66642cb2787f17742
Opcode Fuzzy Hash: 8F5159466792D79EF5A21F00640279192F68B03F25F05DB72D63A393D8CEC4009EBF08
Instruction Fuzzy Hash: e3ab2fee1e4498134b0ab76971bb2098cdaeb743d0e54aa66642cb2787f17742

APIs

recv.WSOCK32(?,?,00000002,00000002,00000000,00486E16), ref: 00486971
recv.WSOCK32(?,00000005,?,00000000), ref: 004869A0
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 004869EE
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486A0B
recv.WSOCK32(?,?,00000259,00000000,?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486A1F
send.WSOCK32(?,00000001,00000002,00000000), ref: 00486A9E
send.WSOCK32(?,00000001,00000002,00000000), ref: 00486ABB
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486AE8
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486B02
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486B2B
recv.WSOCK32(?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486B41
recv.WSOCK32(?,?,0000000C,00000000,?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486B7C
recv.WSOCK32(?,?,?,00000000,?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486BD9
gethostbyname.WSOCK32(00000000,?,?,?,00000000,?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486BFF
ntohs.WSOCK32(?,00000000,?,?,?,00000000,?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486C29
socket.WSOCK32(00000002,00000001,00000000), ref: 00486C44
connect.WSOCK32(00000000,00000002,00000010,00000002,00000001,00000000), ref: 00486C55
getsockname.WSOCK32(00000000,?,00000010,00000000,00000002,00000010,00000002,00000001,00000000), ref: 00486CA8
send.WSOCK32(?,00000005,0000000A,00000000,00000000,?,00000010,00000000,00000002,00000010,00000002,00000001,00000000), ref: 00486CDD
select.WSOCK32(00000000,?,00000000,00000000,00000000,?,00000005,0000000A,00000000,00000000,?,00000010,00000000,00000002,00000010,00000002), ref: 00486D1D
Sleep.KERNEL32(00000096,00000000,?,00000000,00000000,00000000,?,00000005,0000000A,00000000,00000000,?,00000010,00000000,00000002,00000010), ref: 00486DCA

Part of subcall function 00408710: __WSAFDIsSet.WSOCK32(00000000,?,00000000,?,00486D36,00000000,?,00000000,00000000,00000000,00000096,00000000,?,00000000,00000000,00000000), ref: 00408718

recv.WSOCK32(00000000,?,00001000,00000000,00000000,?,00000000,00000000,00000000,00000096,00000000,?,00000000,00000000,00000000,?), ref: 00486D5B
send.WSOCK32(?,?,00000000,00000000,00000000,?,00001000,00000000,00000000,?,00000000,00000000,00000000,00000096,00000000,?), ref: 00486D72
recv.WSOCK32(?,?,00001000,00000000,00000000,?,00000000,00000000,00000000,00000096,00000000,?,00000000,00000000,00000000,?), ref: 00486DA9
send.WSOCK32(00000000,?,00000000,00000000,?,?,00001000,00000000,00000000,?,00000000,00000000,00000000,00000096,00000000,?), ref: 00486DC0
closesocket.WSOCK32(?,?,?,00000002,00000002,00000000,00486E16), ref: 00486DE2
closesocket.WSOCK32(?,?,?,?,00000002,00000002,00000000,00486E16), ref: 00486DE8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004801FC, Relevance: 35.3, APIs: 15, Strings: 5, Instructions: 286 Total matches: 15network

Similarity

Total matches: 15
API ID: recv$closesocketconnectgethostbynameinet_addrntohssendshutdownsocket
String ID: [.dll]$[.dll]$[.dll]$[.dll]$[.dll]
API String ID: 2256622448-126193538
Opcode ID: edfb90c8b4475b2781d0696b1145c1d1b84b866ec8cac18c23b2313044de0fe7
Instruction ID: 2d95426e1e6ee9a744b3e863ef1b8a7e344b36da7f7d1abd741f771f4a8a1459
Opcode Fuzzy Hash: FB414B0217AAD36BE0726F413943B8B00A2AF03E15D9C97E247B5267D69FA0501DB21A
Instruction Fuzzy Hash: 2d95426e1e6ee9a744b3e863ef1b8a7e344b36da7f7d1abd741f771f4a8a1459

APIs

socket.WSOCK32(00000002,00000001,00000000), ref: 00480264
ntohs.WSOCK32(00000774), ref: 00480288
inet_addr.WSOCK32(015EAA88,00000774), ref: 0048029C
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 004802B4
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 004802DB
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004802F2
closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004805DE

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,?,0048064C,?,00000000,?,FILETRANSFER,000000FF,?,00002000,00000000,000000FF,00000002), ref: 0048036A
recv.WSOCK32(000000FF,?,00002000,00000000,?,00000000,?,0048064C,?,FILEBOF,?,FILETRANSFER,000000FF,?,00002000,00000000), ref: 00480401

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,00000000,?,0048064C,?,FILEBOF,?,FILETRANSFER), ref: 00480451
send.WSOCK32(000000FF,?,00000000,00000000,00000000,00480523,?,000000FF,?,00002000,00000000,?,00000000,?,0048064C,?), ref: 004804DB
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00000000,00000000,00000000,00480523,?,000000FF,?,00002000,00000000,?), ref: 004804F5
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,00000000,?,0048064C,?,FILEBOF,?,FILETRANSFER), ref: 00480583

Part of subcall function 00475F68: send.WSOCK32(?,00000000,?,00000000,00000000,00475FCA), ref: 00475FAF

recv.WSOCK32(000000FF,?,00002000,00000000,?,FILETRANSFER,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004805B6
shutdown.WSOCK32(000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004805D5

Strings

FILEERR, xrefs: 00480432
FILEEOF, xrefs: 00480564
FILEBOF, xrefs: 004803A6
FILEEND, xrefs: 00480597
FILETRANSFER, xrefs: 004802FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00480880, Relevance: 30.0, APIs: 12, Strings: 5, Instructions: 276 Total matches: 16network

Similarity

Total matches: 16
API ID: recv$closesocketshutdown$connectgethostbynameinet_addrntohssocket
String ID: [.dll]$[.dll]$[.dll]$[.dll]$[.dll]
API String ID: 2855376909-126193538
Opcode ID: ce8af9afc4fc20da17b49cda6627b8ca93217772cb051443fc0079949da9fcb3
Instruction ID: 6552a3c7cc817bd0bf0621291c8240d3f07fdfb759ea8c029e05bf9a4febe696
Opcode Fuzzy Hash: A5414C032767977AE1612F402881B952571BF03769DC8C7D257F6746EA5F60240EF31E
Instruction Fuzzy Hash: 6552a3c7cc817bd0bf0621291c8240d3f07fdfb759ea8c029e05bf9a4febe696

APIs

socket.WSOCK32(00000002,00000001,00000000,?,?,?,?,?,?,?,?,?,00000000,00480C86), ref: 004808B5
ntohs.WSOCK32(00000774), ref: 004808D9
inet_addr.WSOCK32(015EAA88,00000774), ref: 004808ED
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 00480905
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 0048092C
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480943
closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480C2F

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480993
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88), ref: 004809C8
shutdown.WSOCK32(000000FF,00000002,?,?,?,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000), ref: 00480B80
closesocket.WSOCK32(000000FF,000000FF,00000002,?,?,?,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?), ref: 00480B89

Part of subcall function 00480860: send.WSOCK32(?,00000000,00000001,00000000), ref: 00480879

shutdown.WSOCK32(000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480C26

Part of subcall function 00405D40: SysFreeString.OLEAUT32(?), ref: 00405D53

Strings

FILEERR, xrefs: 00480BB6
FILEBOF, xrefs: 00480A34
FILEEOF, xrefs: 00480B0B
UPLOADFILE, xrefs: 00480969
FILEEND, xrefs: 00480B6A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048851C, Relevance: 28.3, APIs: 11, Strings: 5, Instructions: 302 Total matches: 13network

Similarity

Total matches: 13
API ID: recv$closesocketconnectgethostbynameinet_addrmouse_eventntohsshutdownsocket
String ID: CONTROLIO$XLEFT$XMID$XRIGHT$XWHEEL
API String ID: 1694935655-1300867655
Opcode ID: 3d8ebbc3997d8a2a290d7fc83b0cdb9b95b23bbbcb8ad76760d2b66ee4a9946d
Instruction ID: 7e2e77316238cb3891ff65c9dc595f4b15bca55cd02a53a070d44cee5d55110c
Opcode Fuzzy Hash: C7410B051B8DD63BF4337E001883B422661FF02A24DC5ABD1ABB6766E75F40641EB74B
Instruction Fuzzy Hash: 7e2e77316238cb3891ff65c9dc595f4b15bca55cd02a53a070d44cee5d55110c

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00488943), ref: 00488581
ntohs.WSOCK32(00000774), ref: 004885A7
inet_addr.WSOCK32(015EAA88,00000774), ref: 004885BB
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 004885D3
connect.WSOCK32(?,00000002,00000010,015EAA88,00000774), ref: 004885FD
recv.WSOCK32(?,?,00002000,00000000,?,00000002,00000010,015EAA88,00000774), ref: 00488617

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(?,?,00002000,00000000,?,?,00002000,00000000,?,00000002,00000010,015EAA88,00000774), ref: 00488670
recv.WSOCK32(?,?,00002000,00000000,?,?,00002000,00000000,?,?,00002000,00000000,?,00000002,00000010,015EAA88), ref: 004886B7
mouse_event.USER32(00000800,00000000,00000000,00000000,00000000), ref: 00488743

Part of subcall function 00488F80: SetCursorPos.USER32(00000000,00000000), ref: 004890E0
Part of subcall function 00488F80: mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 004890FB
Part of subcall function 00488F80: mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 0048910A
Part of subcall function 00488F80: mouse_event.USER32(00000008,00000000,00000000,00000000,00000000), ref: 0048911B
Part of subcall function 00488F80: mouse_event.USER32(00000010,00000000,00000000,00000000,00000000), ref: 0048912A
Part of subcall function 00488F80: mouse_event.USER32(00000020,00000000,00000000,00000000,00000000), ref: 0048913B
Part of subcall function 00488F80: mouse_event.USER32(00000040,00000000,00000000,00000000,00000000), ref: 0048914A

shutdown.WSOCK32(?,00000002,00000002,00000001,00000000,00000000,00488943), ref: 00488907
closesocket.WSOCK32(?,?,00000002,00000002,00000001,00000000,00000000,00488943), ref: 00488913

Strings

XLEFT, xrefs: 004887C6
CONTROLIO, xrefs: 00488640
XRIGHT, xrefs: 0048882E
XMID, xrefs: 00488896
XWHEEL, xrefs: 00488701

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048317C, Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 191 Total matches: 13networkthread

Similarity

Total matches: 13
API ID: ExitThreadrecv$closesocketconnectgethostbynameinet_addrntohssendshutdownsocket
String ID: AI$DATAFLUX
API String ID: 321019756-425132630
Opcode ID: b7a2c89509495347fc3323384a94636a93f503423a5dcd762de1341b7d40447e
Instruction ID: d3bdd4e47b343d3b4fa6119c5e41daebd5c6236719acedab40bdc5f8245a3ecd
Opcode Fuzzy Hash: 4B214D4107AAD97AE4702A443881BA224165F535ADFD48B7147343F7D79E43205DFA4E
Instruction Fuzzy Hash: d3bdd4e47b343d3b4fa6119c5e41daebd5c6236719acedab40bdc5f8245a3ecd

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,004833A9,?,00000000,0048340F), ref: 00483247
ExitThread.KERNEL32(00000000,00000002,00000001,00000000,00000000,004833A9,?,00000000,0048340F), ref: 00483257
ntohs.WSOCK32(00000774), ref: 0048326E
inet_addr.WSOCK32(015EAA88,00000774), ref: 00483282
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 0048329A
ExitThread.KERNEL32(00000000,015EAA88,015EAA88,00000774), ref: 004832A7
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 004832C6
recv.WSOCK32(000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004832D7
ExitThread.KERNEL32(00000000,000000FF,000000FF,00000002,000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0048339A

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00000400,00000000,?,00483440,?,DATAFLUX,000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88), ref: 0048331D
send.WSOCK32(000000FF,?,00000000,00000000), ref: 0048335C
recv.WSOCK32(000000FF,?,00000400,00000000,000000FF,?,00000000,00000000), ref: 00483370
shutdown.WSOCK32(000000FF,00000002,000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00483382
closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0048338B

Strings

AI, xrefs: 00483218
DATAFLUX, xrefs: 004832E3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047F4E0, Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 295 Total matches: 16network

Similarity

Total matches: 16
API ID: recv$closesocketconnectgethostbynameinet_addrntohsshutdownsocket
String ID: [.dll]$PLUGIN$QUICKUP
API String ID: 3502134677-2029499634
Opcode ID: e0335874fa5fb0619f753044afc16a0783dc895853cb643f68a57d403a54b849
Instruction ID: e53faec40743fc20efac8ebff3967ea6891c829de5991c2041a7f36387638ce7
Opcode Fuzzy Hash: 8E4129031BAAEA76E1723F4029C2B851A62EF12635DC4C7E287F6652D65F60241DF60E
Instruction Fuzzy Hash: e53faec40743fc20efac8ebff3967ea6891c829de5991c2041a7f36387638ce7

APIs

socket.WSOCK32(00000002,00000001,00000000,?,00000000,0047F930,?,?,?,?,00000000,00000000), ref: 0047F543
ntohs.WSOCK32(00000774), ref: 0047F567
inet_addr.WSOCK32(015EAA88,00000774), ref: 0047F57B
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 0047F593
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F5BA
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F5D1
closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F8C2

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,?,0047F968,?,0047F968,?,QUICKUP,000000FF,?,00002000,00000000,000000FF,00000002), ref: 0047F63F
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,0047F968,?,0047F968,?,QUICKUP,000000FF,?), ref: 0047F66F

Part of subcall function 0047F4C0: send.WSOCK32(?,00000000,00000001,00000000), ref: 0047F4D9

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,0047F968,?,0047F968), ref: 0047F859

Part of subcall function 0048ADCC: SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0048ADF9
Part of subcall function 0048ADCC: SHGetPathFromIDListA.SHELL32(?,?,00000000,0048AE8C,?,?,00000005,?,004856FD,00000000,00485755,?,?,00000005,00000000,00000000), ref: 0048AE09

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,0047F968,?,0047F968), ref: 0047F786

Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EEA0
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF11
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EF31
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF60
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0047EF96
Part of subcall function 0047EE3C: SetFileAttributesA.KERNEL32(00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFD6
Part of subcall function 0047EE3C: DeleteFileA.KERNEL32(00000000,00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFFF
Part of subcall function 0047EE3C: CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0047F033
Part of subcall function 0047EE3C: PlaySoundA.WINMM(00000000,00000000,00000001,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047F059
Part of subcall function 0047EE3C: CopyFileA.KERNEL32(00000000,00000000,.dcp), ref: 0047F0D1

shutdown.WSOCK32(000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F8B9

Part of subcall function 00405D40: SysFreeString.OLEAUT32(?), ref: 00405D53

Strings

PLUGIN, xrefs: 0047F527
QUICKUP, xrefs: 0047F5DD
FILEEND, xrefs: 0047F7E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00489244, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 150 Total matches: 15networkthread

Similarity

Total matches: 15
API ID: recv$ExitThreadclosesocketconnectgethostbynameinet_addrntohssendshutdownsocket
String ID: AI$DATAFLUX
API String ID: 272284131-425132630
Opcode ID: 11f7e99e0a7c1cc561ab01f1b1abb0142bfc906553ec9d79ada03e9cf39adde9
Instruction ID: 4d7be339f0e68e68ccf0b59b667884dcbebc6bd1e5886c9405f519ae2503b2a6
Opcode Fuzzy Hash: DA115B4513B9A77BE0626F943842B6265236B02E3CF498B3153B83A3C6DF41146DFA4D
Instruction Fuzzy Hash: 4d7be339f0e68e68ccf0b59b667884dcbebc6bd1e5886c9405f519ae2503b2a6

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00489441), ref: 004892BA
ntohs.WSOCK32(00000774), ref: 004892DC
inet_addr.WSOCK32(015EAA88,00000774), ref: 004892F0
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 00489308
connect.WSOCK32(00000000,00000002,00000010,015EAA88,00000774), ref: 0048932C
recv.WSOCK32(00000000,?,00000400,00000000,00000000,00000002,00000010,015EAA88,00000774), ref: 00489340

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(00000000,?,00000400,00000000,?,0048946C,?,DATAFLUX,00000000,?,00000400,00000000,00000000,00000002,00000010,015EAA88), ref: 00489399
send.WSOCK32(00000000,?,00000000,00000000), ref: 004893E3
recv.WSOCK32(00000000,?,00000400,00000000,00000000,?,00000000,00000000), ref: 004893FA
shutdown.WSOCK32(00000000,00000002,00000002,00000001,00000000,00000000,00489441), ref: 00489409
closesocket.WSOCK32(00000000,00000000,00000002,00000002,00000001,00000000,00000000,00489441), ref: 0048940F
ExitThread.KERNEL32(00000000,00000000,00000000,00000002,00000002,00000001,00000000,00000000,00489441), ref: 0048941E

Strings

DATAFLUX, xrefs: 0048934C
AI, xrefs: 0048928B

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00406A68, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 139 Total matches: 2934stringlibraryfile

Similarity

Total matches: 2934
API ID: lstrcpyn$lstrlen$FindCloseFindFirstFileGetModuleHandleGetProcAddress
String ID: GetLongPathNameA$\$[FILE]
API String ID: 3661757112-3025972186
Opcode ID: 09af6d4fb3ce890a591f7b23fb756db22e1cbc03564fc0e4437be3767da6793e
Instruction ID: b14d932b19fc4064518abdddbac2846d3fd2a245794c3c1ecc53a3c556f9407d
Opcode Fuzzy Hash: 5A0148030E08E387E1775B017586F4A12A1EF41C38E98A36025F15BAC94E00300CF12F
Instruction Fuzzy Hash: b14d932b19fc4064518abdddbac2846d3fd2a245794c3c1ecc53a3c556f9407d

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,00400000,004917C0), ref: 00406A85
GetProcAddress.KERNEL32(?,GetLongPathNameA,kernel32.dll,?,00400000,004917C0), ref: 00406A9C
lstrcpynA.KERNEL32(?,?,?,?,00400000,004917C0), ref: 00406ACC
lstrcpynA.KERNEL32(?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B30

Part of subcall function 00406A48: CharNextA.USER32(?), ref: 00406A4F

lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B66
FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B79
FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B8B
lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B97
lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000), ref: 00406BCB
lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00406BD7
lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 00406BF9

Strings

GetLongPathNameA, xrefs: 00406A93
\, xrefs: 00406BA9
kernel32.dll, xrefs: 00406A80

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486E2C, Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 178 Total matches: 14networkthreadsleep

Similarity

Total matches: 14
API ID: CloseHandleCreateThreadExitThreadLocalAllocSleepacceptbindlistenntohssocket
String ID: ERR|Cannot listen to port, try another one..|$ERR|Socket error..|$OK|Successfully started..|
API String ID: 2137491959-3262568804
Opcode ID: 90fb1963c21165c4396d73d063bf7afe9f22d057a02fd569e7e66b2d14a70f73
Instruction ID: 0fda09cc725898a8dcbc65afb209be10fac5e25cc35172c883d426d9189e88b6
Opcode Fuzzy Hash: 9011D50257DC549BD5E7ACC83887FA611625F83E8CEC8BB06AB9A3B2C10E555028B652
Instruction Fuzzy Hash: 0fda09cc725898a8dcbc65afb209be10fac5e25cc35172c883d426d9189e88b6

APIs

socket.WSOCK32(00000002,00000001,00000006,00000000,00487046), ref: 00486E87
ntohs.WSOCK32(?,00000002,00000001,00000006,00000000,00487046), ref: 00486EA8
bind.WSOCK32(00000000,00000002,00000010,?,00000002,00000001,00000006,00000000,00487046), ref: 00486EBD
listen.WSOCK32(00000000,00000005,00000000,00000002,00000010,?,00000002,00000001,00000006,00000000,00487046), ref: 00486ECD

Part of subcall function 004870D4: EnterCriticalSection.KERNEL32(0049C3A8,00000000,004872FC,?,?,00000000,?,00000003,00000000,00000000,?,00486F27,00000000,?,?,00000000), ref: 00487110
Part of subcall function 004870D4: LeaveCriticalSection.KERNEL32(0049C3A8,004872E1,004872FC,?,?,00000000,?,00000003,00000000,00000000,?,00486F27,00000000,?,?,00000000), ref: 004872D4

accept.WSOCK32(00000000,?,00000010,00000000,?,?,00000000,00000000,00000005,00000000,00000002,00000010,?,00000002,00000001,00000006), ref: 00486F37
LocalAlloc.KERNEL32(00000040,00000010,00000000,?,00000010,00000000,?,?,00000000,00000000,00000005,00000000,00000002,00000010,?,00000002), ref: 00486F49
CreateThread.KERNEL32(00000000,00000000,Function_00086918,00000000,00000000,?), ref: 00486F83
CloseHandle.KERNEL32(00000000), ref: 00486F89
Sleep.KERNEL32(00000064,00000000,00000000,00000000,Function_00086918,00000000,00000000,?,00000040,00000010,00000000,?,00000010,00000000,?,?), ref: 00486FD0

Part of subcall function 00487488: EnterCriticalSection.KERNEL32(0049C3A8,00000000,00487671,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00487016), ref: 004874B5
Part of subcall function 00487488: closesocket.WSOCK32(00000000,FpH,?,?,?,?,0049C3A8,00000000,00487671,?,?,00000000,?,00000000,00000000,00000000), ref: 0048761C
Part of subcall function 00487488: LeaveCriticalSection.KERNEL32(0049C3A8,00487656,00487671,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00487016), ref: 00487649

ExitThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000010,?,00000002,00000001,00000006,00000000,00487046), ref: 00487018

Strings

ERR|Socket error..|, xrefs: 00486FA4
OK|Successfully started..|, xrefs: 00486EEF
ERR|Cannot listen to port, try another one..|, xrefs: 00486FEE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482630, Relevance: 18.1, APIs: 12, Instructions: 116 Total matches: 16threadnetworksleep

Similarity

Total matches: 16
API ID: ExitThread$Sleepclosesocketconnectgethostbynameinet_addrntohsrecvsocket
String ID:
API String ID: 2628901859-0
Opcode ID: a3aaf1e794ac1aa69d03c8f9e66797259df72f874d13839bb17dd00c6b42194d
Instruction ID: ff6d9d03150e41bc14cdbddfb540e41f41725cc753a621d047e760d4192c390a
Opcode Fuzzy Hash: 7801D0011B764DBFC4611E846C8239311A7A763899DC5EBB1433A395D34E00202DFE46
Instruction Fuzzy Hash: ff6d9d03150e41bc14cdbddfb540e41f41725cc753a621d047e760d4192c390a

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000000,004827A8), ref: 004826CB
ExitThread.KERNEL32(00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 004826D8
inet_addr.WSOCK32(00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 004826F3
ntohs.WSOCK32(00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 004826FC
gethostbyname.WSOCK32(00000000,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 0048270C
ExitThread.KERNEL32(00000000,00000000,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 00482719
connect.WSOCK32(00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 0048272F
ExitThread.KERNEL32(00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 0048273A

Part of subcall function 004824B0: send.WSOCK32(?,?,00000400,00000000,00000000,00482542), ref: 00482525

recv.WSOCK32(00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 00482758
Sleep.KERNEL32(000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 00482770
closesocket.WSOCK32(00000000,000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000), ref: 00482776
ExitThread.KERNEL32(00000000,00000000,000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?), ref: 0048277D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004821A0, Relevance: 15.1, APIs: 10, Instructions: 112 Total matches: 15threadnetworksleep

Similarity

Total matches: 15
API ID: ExitThread$Sleepclosesocketgethostbynameinet_addrntohssendtosocket
String ID:
API String ID: 1359030137-0
Opcode ID: 9f2e935b6ee09f04cbe2534d435647e5a9c7a25d7308ce71f3340d3606cd1e00
Instruction ID: ac1de70ce42b68397a6b2ea81eb33c5fd22f812bdd7d349b67f520e68fdd8bef
Opcode Fuzzy Hash: BC0197011B76997BD8612EC42C8335325A7E363498E85ABB2863A3A5C34E00303EFD4A
Instruction Fuzzy Hash: ac1de70ce42b68397a6b2ea81eb33c5fd22f812bdd7d349b67f520e68fdd8bef

APIs

socket.WSOCK32(00000002,00000002,00000000,?,00000000,00482302), ref: 0048223B
ExitThread.KERNEL32(00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 00482248
inet_addr.WSOCK32(00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 00482263
ntohs.WSOCK32(00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 0048226C
gethostbyname.WSOCK32(00000000,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 0048227C
ExitThread.KERNEL32(00000000,00000000,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 00482289
sendto.WSOCK32(00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 004822B2
Sleep.KERNEL32(000003E8,00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 004822CA
closesocket.WSOCK32(00000000,000003E8,00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 004822D0
ExitThread.KERNEL32(00000000,00000000,000003E8,00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000), ref: 004822D7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00458910, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64 Total matches: 3020window

Similarity

Total matches: 3020
API ID: GetWindowLongScreenToClient$GetWindowPlacementGetWindowRectIsIconic
String ID: ,
API String ID: 816554555-3772416878
Opcode ID: 33713ad712eb987f005f3c933c072ce84ce87073303cb20338137d5b66c4d54f
Instruction ID: 99fb2dd3f2d8984d329dcc6a20dc6bc7800d43894b91fc45d581d88d3a180e50
Opcode Fuzzy Hash: 34E0929A777C2018C58145A80943F5DB3519B5B7FAC55DF8036902895B110018B1B86D
Instruction Fuzzy Hash: 99fb2dd3f2d8984d329dcc6a20dc6bc7800d43894b91fc45d581d88d3a180e50

APIs

IsIconic.USER32(?), ref: 0045891F
GetWindowPlacement.USER32(?,0000002C), ref: 0045893C
GetWindowRect.USER32(?), ref: 00458955
GetWindowLongA.USER32(?,000000F0), ref: 00458963
GetWindowLongA.USER32(?,000000F8), ref: 00458978
ScreenToClient.USER32(00000000), ref: 00458985
ScreenToClient.USER32(00000000,?), ref: 00458990

Strings

,, xrefs: 00458928

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043B7D8, Relevance: 12.1, APIs: 8, Instructions: 72 Total matches: 256window

Similarity

Total matches: 256
API ID: ShowWindow$SetWindowLong$GetWindowLongIsIconicIsWindowVisible
String ID:
API String ID: 1329766111-0
Opcode ID: 851ee31c2da1c7e890e66181f8fd9237c67ccb8fd941b2d55d1428457ca3ad95
Instruction ID: 2d601e2c9dde570a1438639cb57e59d23a7ac9434ebe8ec1c9926e4533b8e8e7
Opcode Fuzzy Hash: FEE0684A6E7C6CE4E26AE7048881B00514BE307A17DC00B00C722165A69E8830E4AC8E
Instruction Fuzzy Hash: 2d601e2c9dde570a1438639cb57e59d23a7ac9434ebe8ec1c9926e4533b8e8e7

APIs

GetWindowLongA.USER32(?,000000EC), ref: 0043B7E8
IsIconic.USER32(?), ref: 0043B800
IsWindowVisible.USER32(?), ref: 0043B80C
ShowWindow.USER32(?,00000000), ref: 0043B840
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B855
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B866
ShowWindow.USER32(?,00000006), ref: 0043B881
ShowWindow.USER32(?,00000005), ref: 0043B88B

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004389B4, Relevance: 10.9, APIs: 7, Instructions: 405 Total matches: 2150windowCrypto

Similarity

Total matches: 2150
API ID: RestoreDCSaveDC$DefWindowProcGetSubMenuGetWindowDC
String ID:
API String ID: 4165311318-0
Opcode ID: e3974ea3235f2bde98e421c273a503296059dbd60f3116d5136c6e7e7c4a4110
Instruction ID: 37498faecac08611daeb58a409bdd2e28f3aff22c71556953c3d6c7203dc42a1
Opcode Fuzzy Hash: E351598106AE105BFCB3A49435C3FA31002E75259BCC9F7725F65B69F70A426107FA0E
Instruction Fuzzy Hash: 37498faecac08611daeb58a409bdd2e28f3aff22c71556953c3d6c7203dc42a1

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 00438ECA

Part of subcall function 00437AE0: SendMessageA.USER32(?,00000234,00000000,00000000), ref: 00437B66
Part of subcall function 00437AE0: DrawMenuBar.USER32(00000000), ref: 00437B77

GetSubMenu.USER32(?,?), ref: 00438AB0

Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128

SaveDC.GDI32(?), ref: 00438C84
RestoreDC.GDI32(?,?), ref: 00438CF8
GetWindowDC.USER32(?), ref: 00438D72
SaveDC.GDI32(?), ref: 00438DA9
RestoreDC.GDI32(?,?), ref: 00438E16

Part of subcall function 00438594: GetMenuItemCount.USER32(?), ref: 004385C0
Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 004385E0
Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 00438678

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043E644, Relevance: 10.9, APIs: 7, Instructions: 356 Total matches: 105windowCrypto

Similarity

Total matches: 105
API ID: RestoreDCSaveDC$GetParentGetWindowDCSetFocus
String ID:
API String ID: 1433148327-0
Opcode ID: c7c51054c34f8cc51c1d37cc0cdfc3fb3cac56433bd5d750a0ee7df42f9800ec
Instruction ID: 9e67841575b56d9a11e2d3f15b67e7abce699d8469a9871b1b2609441fc85f19
Opcode Fuzzy Hash: 60514740199E7193F47720842BC3BEAB09AF79671DC40F3616BC6318877F15A21AB70B
Instruction Fuzzy Hash: 9e67841575b56d9a11e2d3f15b67e7abce699d8469a9871b1b2609441fc85f19

APIs

Part of subcall function 00448224: SetActiveWindow.USER32(?), ref: 0044823F
Part of subcall function 00448224: SetFocus.USER32(00000000), ref: 00448289

SetFocus.USER32(00000000), ref: 0043E76F

Part of subcall function 0043F4F4: SendMessageA.USER32(00000000,00000229,00000000,00000000), ref: 0043F51B

Part of subcall function 0044D2F4: GetWindowThreadProcessId.USER32(?), ref: 0044D301
Part of subcall function 0044D2F4: GetCurrentProcessId.KERNEL32(?,00000000,?,004387ED,?,004378A9), ref: 0044D30A
Part of subcall function 0044D2F4: GlobalFindAtomA.KERNEL32(00000000), ref: 0044D31F
Part of subcall function 0044D2F4: GetPropA.USER32(?,00000000), ref: 0044D336

GetParent.USER32(?), ref: 0043E78A

Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128

SaveDC.GDI32(?), ref: 0043E92D
RestoreDC.GDI32(?,?), ref: 0043E99E
GetWindowDC.USER32(00000000), ref: 0043EA0A
SaveDC.GDI32(?), ref: 0043EA41
RestoreDC.GDI32(?,?), ref: 0043EAA5

Part of subcall function 00447EF0: InvalidateRect.USER32(00000000,00000000,000000FF), ref: 00447F83
Part of subcall function 00447EF0: InvalidateRect.USER32(00000000,00000000,000000FF), ref: 00447FB6

Part of subcall function 004556F4: SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000077), ref: 004557E5
Part of subcall function 004556F4: _TrackMouseEvent.COMCTL32(00000010), ref: 00455A9D
Part of subcall function 004556F4: DefWindowProcA.USER32(00000000,?,?,?), ref: 00455AEF
Part of subcall function 004556F4: GetCapture.USER32 ref: 00455B5A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00471850, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 97 Total matches: 34service

Similarity

Total matches: 34
API ID: CloseServiceHandle$CreateServiceOpenSCManager
String ID: Description$System\CurrentControlSet\Services\
API String ID: 2405299899-3489731058
Opcode ID: 96e252074fe1f6aca618bd4c8be8348df4b99afc93868a54bf7090803d280f0a
Instruction ID: 14b9cf690ce9596509c6229b802a5a61d158de39c8e329de654368bbb4824ff8
Opcode Fuzzy Hash: 7EF09E441FA6E84FA45EB84828533D651465713A78D4C77F19778379C34E84802EF662
Instruction Fuzzy Hash: 14b9cf690ce9596509c6229b802a5a61d158de39c8e329de654368bbb4824ff8

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,00471976,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00471890
CreateServiceA.ADVAPI32(00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,0047193B), ref: 004718D1

Part of subcall function 004711E8: RegCreateKeyA.ADVAPI32(?,00000000,?), ref: 0047122E
Part of subcall function 004711E8: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000002,00000000,?,00000000,00471291), ref: 0047125A
Part of subcall function 004711E8: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000002,00000000,?,00000000,00471291), ref: 00471269

CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00471926
CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0047192C

Strings

Description, xrefs: 00471916
System\CurrentControlSet\Services\, xrefs: 004718F7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004714B8, Relevance: 10.6, APIs: 7, Instructions: 89 Total matches: 71service

Similarity

Total matches: 71
API ID: CloseServiceHandle$ControlServiceOpenSCManagerOpenServiceQueryServiceStatusStartService
String ID:
API String ID: 3657116338-0
Opcode ID: 1e9d444eec48d0e419340f6fec950ff588b94c8e7592a950f99d2ba7664d31f8
Instruction ID: f731b938185626ba78ad74946a73eac4c40bc8709c87a2b6d5c22da45b1e1850
Opcode Fuzzy Hash: EDF0270D12C6E85FF119A88C1181B67D992DF56795E4A37E04715744CB1AE21008FA1E
Instruction Fuzzy Hash: f731b938185626ba78ad74946a73eac4c40bc8709c87a2b6d5c22da45b1e1850

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047159E), ref: 004714FD
OpenServiceA.ADVAPI32(00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047152D
StartServiceA.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471555
ControlService.ADVAPI32(00000000,00000001,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471563
QueryServiceStatus.ADVAPI32(00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047156D
CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471573
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471579

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A070, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51 Total matches: 81shutdown

Similarity

Total matches: 81
API ID: AdjustTokenPrivilegesExitWindowsExGetCurrentProcessLookupPrivilegeValueOpenProcessToken
String ID: SeShutdownPrivilege
API String ID: 907618230-3733053543
Opcode ID: 6325c351eeb4cc5a7ec0039467aea46e8b54e3429b17674810d590d1af91e24f
Instruction ID: 66577e1e564058a64f67eda116e8e082f314cb3670dbe1b8773e92ba7f33d392
Opcode Fuzzy Hash: 84D0124D3B7976B1F31D5D4001C47A6711FDBA322AD61670069507725A8DA091F4BE88
Instruction Fuzzy Hash: 66577e1e564058a64f67eda116e8e082f314cb3670dbe1b8773e92ba7f33d392

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 0048A083
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0048A089
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000000), ref: 0048A0A4
AdjustTokenPrivileges.ADVAPI32(00000002,00000000,00000002,00000010,?,?,00000000), ref: 0048A0E5
ExitWindowsEx.USER32(00000012,00000000), ref: 0048A0ED

Strings

SeShutdownPrivilege, xrefs: 0048A09D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004715B0, Relevance: 7.5, APIs: 5, Instructions: 49 Total matches: 102service

Similarity

Total matches: 102
API ID: CloseServiceHandle$DeleteServiceOpenSCManagerOpenService
String ID:
API String ID: 3460840894-0
Opcode ID: edfa3289dfdb26ec1f91a4a945de349b204e0a604ed3354c303b362bde8b8223
Instruction ID: 514bcffe4070602af344c66095507f6a8d55ec3e3e7bb18c804bf3b7deea95f5
Opcode Fuzzy Hash: 01D02E841BA8F82FD4879988111239360C1AA23A90D8A37F08E08361D3ABE4004CF86A
Instruction Fuzzy Hash: 514bcffe4070602af344c66095507f6a8d55ec3e3e7bb18c804bf3b7deea95f5

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047162F), ref: 004715DB
OpenServiceA.ADVAPI32(00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 004715F5
DeleteService.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471601
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 0047160E
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471614

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474D58, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 57 Total matches: 14memoryinjection

Similarity

Total matches: 14
API ID: VirtualAllocExWriteProcessMemory
String ID: DCPERSFWBP$[FILE]
API String ID: 1899012086-3297815924
Opcode ID: 423b64deca3bc68d45fc180ef4fe9512244710ab636da43375ed106f5e876429
Instruction ID: 67bfdac44fec7567ab954589a4a4ae8848f6352de5e33de26bc6a5b7174d46b5
Opcode Fuzzy Hash: 4BD02B4149BDE17FF94C78C4A85678341A7D3173DCE802F51462633086CD94147EFCA2
Instruction Fuzzy Hash: 67bfdac44fec7567ab954589a4a4ae8848f6352de5e33de26bc6a5b7174d46b5

APIs

VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?,00000000,00000000,00000000,?,004755A7), ref: 00474D98
WriteProcessMemory.KERNEL32(?,00000000,kernel32.dll,?,?,?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?), ref: 00474DBE

Strings

DCPERSFWBP, xrefs: 00474D63
kernel32.dll, xrefs: 00474DBB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00466038, Relevance: 6.1, APIs: 4, Instructions: 80 Total matches: 74memory

Similarity

Total matches: 74
API ID: FreeLibraryGetProcessHeapHeapFreeVirtualFree
String ID:
API String ID: 3842653680-0
Opcode ID: 18c634abe08efcbefc55c9db1d620b030a08f63fe7277eb6ecf1dfb863243027
Instruction ID: c74000fe1f08e302fb3e428a7eb38cba65dd626a731774cc3da5921c0d19fb8b
Opcode Fuzzy Hash: 05E06801058482C6E4EC38C40607F0867817F8B269D70AB2809F62E7F7C985A25D5E80
Instruction Fuzzy Hash: c74000fe1f08e302fb3e428a7eb38cba65dd626a731774cc3da5921c0d19fb8b

APIs

FreeLibrary.KERNEL32(00000000,?,?,00000000,?,00000000,00465C6C), ref: 004660A7
VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,?,00000000,00465C6C), ref: 004660D8
GetProcessHeap.KERNEL32(00000000,?,?,?,00000000,?,00000000,00465C6C), ref: 004660E0
HeapFree.KERNEL32(00000000,00000000,?), ref: 004660E6

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A218, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45 Total matches: 35

Similarity

Total matches: 35
API ID: ShellExecuteEx
String ID: <$runas
API String ID: 188261505-1187129395
Opcode ID: 78fd917f465efea932f782085a819b786d64ecbded851ad2becd4a9c2b295cba
Instruction ID: 699417cfffd9d2823bf050fc300394e0ca4864bf277244f982f3937778f2d3bc
Opcode Fuzzy Hash: 44D0C2651799A06BC4A3B2C03C41B2B25307B13B48C0EB722960034CD38F080009EF85
Instruction Fuzzy Hash: 699417cfffd9d2823bf050fc300394e0ca4864bf277244f982f3937778f2d3bc

APIs

ShellExecuteExA.SHELL32(0000003C,00000000,0048A2A4), ref: 0048A283

Strings

runas, xrefs: 0048A268
<, xrefs: 0048A24C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00471640, Relevance: 4.6, APIs: 3, Instructions: 140 Total matches: 47service

Similarity

Total matches: 47
API ID: CloseServiceHandleEnumServicesStatusOpenSCManager
String ID:
API String ID: 233299287-0
Opcode ID: 185c547a2e6a35dbb7ea54b3dd23c7efef250d35a63269c87f9c499be03b9b38
Instruction ID: 4325fe5331610a1e4ee3b19dd885bf5302e7ab4f054d8126da991c50fe425a8d
Opcode Fuzzy Hash: D3112647077BC223FB612D841803F8279D84B1AA24F8C4B458BB5BC6F61E490105F69D
Instruction Fuzzy Hash: 4325fe5331610a1e4ee3b19dd885bf5302e7ab4f054d8126da991c50fe425a8d

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000005,00000000,00471828), ref: 004716A2
EnumServicesStatusA.ADVAPI32(00000000,0000013F,00000003,?,00004800,?,?,?), ref: 004716DC

Part of subcall function 004714B8: OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047159E), ref: 004714FD
Part of subcall function 004714B8: OpenServiceA.ADVAPI32(00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047152D
Part of subcall function 004714B8: StartServiceA.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471555
Part of subcall function 004714B8: ControlService.ADVAPI32(00000000,00000001,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471563
Part of subcall function 004714B8: QueryServiceStatus.ADVAPI32(00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047156D
Part of subcall function 004714B8: CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471573
Part of subcall function 004714B8: CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471579

CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000005,00000000,00471828), ref: 00471805

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042F204, Relevance: 166.5, APIs: 48, Strings: 47, Instructions: 266 Total matches: 2590libraryloader

Similarity

Total matches: 2590
API ID: GetProcAddress$LoadLibrary
String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$[FILE]
API String ID: 2209490600-790253602
Opcode ID: d5b316937265a1d63c550ac9e6780b23ae603b9b00a4eb52bbd2495b45327185
Instruction ID: cdd6db89471e363eb0c024dafd59dce8bdfa3de864d9ed8bc405e7c292d3cab1
Opcode Fuzzy Hash: 3A41197F44EC1149F6A0DA0830FF64324E669EAF2C0325F101587303717ADBF52A6AB9
Instruction Fuzzy Hash: cdd6db89471e363eb0c024dafd59dce8bdfa3de864d9ed8bc405e7c292d3cab1

APIs

LoadLibraryA.KERNEL32(uxtheme.dll), ref: 0042F23A
GetProcAddress.KERNEL32(00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F252
GetProcAddress.KERNEL32(00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F264
GetProcAddress.KERNEL32(00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F276
GetProcAddress.KERNEL32(00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F288
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F29A
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F2AC
GetProcAddress.KERNEL32(00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000), ref: 0042F2BE
GetProcAddress.KERNEL32(00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData), ref: 0042F2D0
GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData), ref: 0042F2E2
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground), ref: 0042F2F4
GetProcAddress.KERNEL32(00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText), ref: 0042F306
GetProcAddress.KERNEL32(00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect), ref: 0042F318
GetProcAddress.KERNEL32(00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect), ref: 0042F32A
GetProcAddress.KERNEL32(00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize), ref: 0042F33C
GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent), ref: 0042F34E
GetProcAddress.KERNEL32(00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics), ref: 0042F360
GetProcAddress.KERNEL32(00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion), ref: 0042F372
GetProcAddress.KERNEL32(00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground), ref: 0042F384
GetProcAddress.KERNEL32(00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge), ref: 0042F396
GetProcAddress.KERNEL32(00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon), ref: 0042F3A8
GetProcAddress.KERNEL32(00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined), ref: 0042F3BA
GetProcAddress.KERNEL32(00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent), ref: 0042F3CC
GetProcAddress.KERNEL32(00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor), ref: 0042F3DE
GetProcAddress.KERNEL32(00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric), ref: 0042F3F0
GetProcAddress.KERNEL32(00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString), ref: 0042F402
GetProcAddress.KERNEL32(00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool), ref: 0042F414
GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt), ref: 0042F426
GetProcAddress.KERNEL32(00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue), ref: 0042F438
GetProcAddress.KERNEL32(00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition), ref: 0042F44A
GetProcAddress.KERNEL32(00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont), ref: 0042F45C
GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect), ref: 0042F46E
GetProcAddress.KERNEL32(00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins), ref: 0042F480
GetProcAddress.KERNEL32(00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList), ref: 0042F492
GetProcAddress.KERNEL32(00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin), ref: 0042F4A4
GetProcAddress.KERNEL32(00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme), ref: 0042F4B6
GetProcAddress.KERNEL32(00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename), ref: 0042F4C8
GetProcAddress.KERNEL32(00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor), ref: 0042F4DA
GetProcAddress.KERNEL32(00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush), ref: 0042F4EC
GetProcAddress.KERNEL32(00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool), ref: 0042F4FE
GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize), ref: 0042F510
GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont), ref: 0042F522
GetProcAddress.KERNEL32(00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString), ref: 0042F534
GetProcAddress.KERNEL32(00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt), ref: 0042F546
GetProcAddress.KERNEL32(00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive), ref: 0042F558
GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed), ref: 0042F56A
GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground,00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme), ref: 0042F57C
GetProcAddress.KERNEL32(00000000,EnableTheming,00000000,DrawThemeParentBackground,00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture), ref: 0042F58E

Strings

EnableTheming, xrefs: 0042F586
CloseThemeData, xrefs: 0042F25C
DrawThemeText, xrefs: 0042F280
GetThemePosition, xrefs: 0042F3C4
IsThemeBackgroundPartiallyTransparent, xrefs: 0042F346
GetThemeBool, xrefs: 0042F38E
GetThemeTextMetrics, xrefs: 0042F2DA
IsThemeDialogTextureEnabled, xrefs: 0042F51A
GetThemeMetric, xrefs: 0042F36A
GetThemeSysInt, xrefs: 0042F4C0
GetThemeInt, xrefs: 0042F3A0
SetThemeAppProperties, xrefs: 0042F53E
IsAppThemed, xrefs: 0042F4E4
EnableThemeDialogTexture, xrefs: 0042F508
GetThemeEnumValue, xrefs: 0042F3B2
GetThemeSysSize, xrefs: 0042F48A
GetThemeTextExtent, xrefs: 0042F2C8
DrawThemeBackground, xrefs: 0042F26E
GetThemeBackgroundRegion, xrefs: 0042F2EC
IsThemeActive, xrefs: 0042F4D2
GetThemeBackgroundContentRect, xrefs: 0042F292, 0042F2A4
uxtheme.dll, xrefs: 0042F235
GetThemeSysString, xrefs: 0042F4AE
DrawThemeEdge, xrefs: 0042F310
GetThemeFilename, xrefs: 0042F442
GetThemeIntList, xrefs: 0042F40C
GetThemeSysBool, xrefs: 0042F478
GetThemeSysColor, xrefs: 0042F454
GetThemeFont, xrefs: 0042F3D6
GetWindowTheme, xrefs: 0042F4F6
GetThemeMargins, xrefs: 0042F3FA
GetThemeSysColorBrush, xrefs: 0042F466
GetCurrentThemeName, xrefs: 0042F550
GetThemeAppProperties, xrefs: 0042F52C
GetThemePropertyOrigin, xrefs: 0042F41E
OpenThemeData, xrefs: 0042F24A
GetThemeSysFont, xrefs: 0042F49C
GetThemeRect, xrefs: 0042F3E8
GetThemeDocumentationProperty, xrefs: 0042F562
IsThemePartDefined, xrefs: 0042F334
SetWindowTheme, xrefs: 0042F430
GetThemePartSize, xrefs: 0042F2B6
GetThemeColor, xrefs: 0042F358
DrawThemeParentBackground, xrefs: 0042F574
DrawThemeIcon, xrefs: 0042F322
GetThemeString, xrefs: 0042F37C
HitTestThemeBackground, xrefs: 0042F2FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004754C4, Relevance: 87.7, APIs: 29, Strings: 21, Instructions: 233 Total matches: 21libraryloaderprocess

Similarity

Total matches: 21
API ID: GetModuleHandleGetProcAddress$CreateProcess
String ID: CloseHandle$CreateMutexA$CreateProcessA$D$DCPERSFWBP$ExitThread$GetExitCodeProcess$GetLastError$GetProcAddress$LoadLibraryA$MessageBoxA$OpenProcess$SetLastError$Sleep$TerminateProcess$WaitForSingleObject$kernel32$[FILE]$notepad$user32$[FILE]
API String ID: 3751337051-3523759359
Opcode ID: 948186da047cc935dcd349cc6fe59913c298c2f7fe37e158e253dfef2729ac1f
Instruction ID: 4cc698827aad1f96db961776656dbb42e561cfa105640199e72939f2d3a7da76
Opcode Fuzzy Hash: 0C31B4E666B8F349E6362E4830D46BC26C1A687F3DB52D7004A37B27C46E810407F776
Instruction Fuzzy Hash: 4cc698827aad1f96db961776656dbb42e561cfa105640199e72939f2d3a7da76

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 00475590

Part of subcall function 00474D58: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?,00000000,00000000,00000000,?,004755A7), ref: 00474D98
Part of subcall function 00474D58: WriteProcessMemory.KERNEL32(?,00000000,kernel32.dll,?,?,?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?), ref: 00474DBE

GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756B4
GetProcAddress.KERNEL32(00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756BA
GetModuleHandleA.KERNEL32(kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756CB
GetProcAddress.KERNEL32(00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756D1
GetModuleHandleA.KERNEL32(kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756E3
GetProcAddress.KERNEL32(00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 004756E9
GetModuleHandleA.KERNEL32(user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 004756FB
GetProcAddress.KERNEL32(00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 00475701
GetModuleHandleA.KERNEL32(kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 00475713
GetProcAddress.KERNEL32(00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000), ref: 00475719
GetModuleHandleA.KERNEL32(kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32), ref: 0047572B
GetProcAddress.KERNEL32(00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000), ref: 00475731
GetModuleHandleA.KERNEL32(kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32), ref: 00475743
GetProcAddress.KERNEL32(00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000), ref: 00475749
GetModuleHandleA.KERNEL32(kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32), ref: 0047575B
GetProcAddress.KERNEL32(00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000), ref: 00475761
GetModuleHandleA.KERNEL32(kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32), ref: 00475773
GetProcAddress.KERNEL32(00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000), ref: 00475779
GetModuleHandleA.KERNEL32(kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32), ref: 0047578B
GetProcAddress.KERNEL32(00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000), ref: 00475791
GetModuleHandleA.KERNEL32(kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32), ref: 004757A3
GetProcAddress.KERNEL32(00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000), ref: 004757A9
GetModuleHandleA.KERNEL32(kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32), ref: 004757BB
GetProcAddress.KERNEL32(00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000), ref: 004757C1
GetModuleHandleA.KERNEL32(kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32), ref: 004757D3
GetProcAddress.KERNEL32(00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000), ref: 004757D9
GetModuleHandleA.KERNEL32(kernel32,OpenProcess,00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32), ref: 004757EB
GetProcAddress.KERNEL32(00000000,kernel32,OpenProcess,00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000), ref: 004757F1

Part of subcall function 00474E20: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00474E5E
Part of subcall function 00474E20: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00474E6E
Part of subcall function 00474E20: ReadProcessMemory.KERNEL32(?,00000000,?,?,?,DCPERSFWBP,?,?), ref: 00474E81

Part of subcall function 0040F234: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0048F90F,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040F24B

Strings

ExitThread, xrefs: 00475622, 00475799
kernel32, xrefs: 004756AF, 004756C6, 004756DE, 0047570E, 00475726, 0047573E, 00475756, 0047576E, 00475786, 0047579E, 004757B6, 004757CE, 004757E6
GetProcAddress, xrefs: 004756C1
TerminateProcess, xrefs: 0047564C, 004757B1
notepad, xrefs: 00475543
CreateMutexA, xrefs: 00475604, 00475769
kernel32.dll, xrefs: 0047559B
user32.dll, xrefs: 004755AA
SetLastError, xrefs: 004755F5, 00475751
D, xrefs: 00475517
DCPERSFWBP, xrefs: 00475563
Sleep, xrefs: 004755B9, 004756D9
GetExitCodeProcess, xrefs: 0047565B, 00475781
user32, xrefs: 004756F6
WaitForSingleObject, xrefs: 0047567E, 004757C9
LoadLibraryA, xrefs: 004756AA
OpenProcess, xrefs: 00475631, 004757E1
MessageBoxA, xrefs: 004755C8, 004756F1
CreateProcessA, xrefs: 004755D7, 00475721
GetLastError, xrefs: 004755E6, 00475739
CloseHandle, xrefs: 00475613, 00475709

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00460DDC, Relevance: 75.4, APIs: 24, Strings: 19, Instructions: 132 Total matches: 77libraryloader

Similarity

Total matches: 77
API ID: GetProcAddress$LoadLibrary
String ID: EmptyWorkingSet$EnumDeviceDrivers$EnumProcessModules$EnumProcesses$GetDeviceDriverBaseNameA$GetDeviceDriverBaseNameW$GetDeviceDriverFileNameA$GetDeviceDriverFileNameW$GetMappedFileNameA$GetMappedFileNameW$GetModuleBaseNameA$GetModuleBaseNameW$GetModuleFileNameExA$GetModuleFileNameExW$GetModuleInformation$GetProcessMemoryInfo$InitializeProcessForWsWatch$[FILE]$QueryWorkingSet
API String ID: 2209490600-4166134900
Opcode ID: aaefed414f62a40513f9ac2234ba9091026a29d00b8defe743cdf411cc1f958a
Instruction ID: 585c55804eb58d57426aaf25b5bf4c27b161b10454f9e43d23d5139f544de849
Opcode Fuzzy Hash: CC1125BF55AD1149CBA48A6C34EF70324D3399A90D4228F10A492317397DDFE49A1FB5
Instruction Fuzzy Hash: 585c55804eb58d57426aaf25b5bf4c27b161b10454f9e43d23d5139f544de849

APIs

LoadLibraryA.KERNEL32(PSAPI.dll), ref: 00460DF0
GetProcAddress.KERNEL32(00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E0C
GetProcAddress.KERNEL32(00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E1E
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E30
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E42
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E54
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E66
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll), ref: 00460E78
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses), ref: 00460E8A
GetProcAddress.KERNEL32(00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules), ref: 00460E9C
GetProcAddress.KERNEL32(00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA), ref: 00460EAE
GetProcAddress.KERNEL32(00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA), ref: 00460EC0
GetProcAddress.KERNEL32(00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA), ref: 00460ED2
GetProcAddress.KERNEL32(00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA), ref: 00460EE4
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW), ref: 00460EF6
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW), ref: 00460F08
GetProcAddress.KERNEL32(00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation), ref: 00460F1A
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet), ref: 00460F2C
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet), ref: 00460F3E
GetProcAddress.KERNEL32(00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch), ref: 00460F50
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA), ref: 00460F62
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA), ref: 00460F74
GetProcAddress.KERNEL32(00000000,EnumDeviceDrivers,00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA), ref: 00460F86
GetProcAddress.KERNEL32(00000000,GetProcessMemoryInfo,00000000,EnumDeviceDrivers,00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA), ref: 00460F98

Strings

GetDeviceDriverFileNameA, xrefs: 00460F00, 00460F36
GetModuleInformation, xrefs: 00460E94
QueryWorkingSet, xrefs: 00460EB8
EnumProcessModules, xrefs: 00460E16
InitializeProcessForWsWatch, xrefs: 00460ECA
GetMappedFileNameA, xrefs: 00460EDC, 00460F12
GetDeviceDriverFileNameW, xrefs: 00460F6C
GetDeviceDriverBaseNameA, xrefs: 00460EEE, 00460F24
PSAPI.dll, xrefs: 00460DEB
EnumProcesses, xrefs: 00460E04
EnumDeviceDrivers, xrefs: 00460F7E
GetModuleBaseNameA, xrefs: 00460E28, 00460E4C
GetModuleFileNameExA, xrefs: 00460E3A, 00460E5E
GetDeviceDriverBaseNameW, xrefs: 00460F5A
EmptyWorkingSet, xrefs: 00460EA6
GetModuleFileNameExW, xrefs: 00460E82
GetModuleBaseNameW, xrefs: 00460E70
GetMappedFileNameW, xrefs: 00460F48
GetProcessMemoryInfo, xrefs: 00460F90

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474F80, Relevance: 68.4, APIs: 23, Strings: 16, Instructions: 193 Total matches: 16libraryloaderprocess

Similarity

Total matches: 16
API ID: GetModuleHandleGetProcAddress$CreateProcess
String ID: CloseHandle$D$DeleteFileA$ExitThread$GetExitCodeProcess$GetLastError$GetProcAddress$LoadLibraryA$MessageBoxA$OpenProcess$Sleep$TerminateProcess$kernel32$[FILE]$notepad$[FILE]
API String ID: 3751337051-1992750546
Opcode ID: f3e5bd14b9eca4547e1d82111e60eaf505a3b72a2acd12d9f4d60f775fac33f7
Instruction ID: 521cd1f5f1d68558a350981a4af58b67496248f6491df8a54ee4dd11dd84c66b
Opcode Fuzzy Hash: 6C21A7BE2678E349F6766E1834D567C2491BA46A38B4AEB010237376C44F91000BFF76
Instruction Fuzzy Hash: 521cd1f5f1d68558a350981a4af58b67496248f6491df8a54ee4dd11dd84c66b

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0047500B

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

Part of subcall function 00474D58: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?,00000000,00000000,00000000,?,004755A7), ref: 00474D98
Part of subcall function 00474D58: WriteProcessMemory.KERNEL32(?,00000000,kernel32.dll,?,?,?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?), ref: 00474DBE

GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000,00475246), ref: 0047511C
GetProcAddress.KERNEL32(00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000,00475246), ref: 00475122
GetModuleHandleA.KERNEL32(kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000), ref: 00475133
GetProcAddress.KERNEL32(00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 00475139
GetModuleHandleA.KERNEL32(kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000), ref: 0047514B
GetProcAddress.KERNEL32(00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000), ref: 00475151
GetModuleHandleA.KERNEL32(kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000), ref: 00475163
GetProcAddress.KERNEL32(00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000), ref: 00475169
GetModuleHandleA.KERNEL32(kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000), ref: 0047517B
GetProcAddress.KERNEL32(00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000), ref: 00475181
GetModuleHandleA.KERNEL32(kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32), ref: 00475193
GetProcAddress.KERNEL32(00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000), ref: 00475199
GetModuleHandleA.KERNEL32(kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32), ref: 004751AB
GetProcAddress.KERNEL32(00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000), ref: 004751B1
GetModuleHandleA.KERNEL32(kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32), ref: 004751C3
GetProcAddress.KERNEL32(00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000), ref: 004751C9
GetModuleHandleA.KERNEL32(kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32), ref: 004751DB
GetProcAddress.KERNEL32(00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000), ref: 004751E1
GetModuleHandleA.KERNEL32(kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32), ref: 004751F3
GetProcAddress.KERNEL32(00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000), ref: 004751F9
GetModuleHandleA.KERNEL32(kernel32,GetExitCodeProcess,00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32), ref: 0047520B
GetProcAddress.KERNEL32(00000000,kernel32,GetExitCodeProcess,00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000), ref: 00475211

Part of subcall function 00474E20: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00474E5E
Part of subcall function 00474E20: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00474E6E
Part of subcall function 00474E20: ReadProcessMemory.KERNEL32(?,00000000,?,?,?,DCPERSFWBP,?,?), ref: 00474E81

Part of subcall function 0040F234: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0048F90F,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040F24B

Strings

DeleteFileA, xrefs: 0047509B, 00475189
user32.dll, xrefs: 0047505F
LoadLibraryA, xrefs: 00475112
Sleep, xrefs: 0047506E, 00475141
notepad, xrefs: 00475025
OpenProcess, xrefs: 004750D7, 004751E9
kernel32.dll, xrefs: 00475050
GetProcAddress, xrefs: 00475129
ExitThread, xrefs: 0047508C, 00475171
TerminateProcess, xrefs: 004750B9, 004751B9
kernel32, xrefs: 00475117, 0047512E, 00475146, 0047515E, 00475176, 0047518E, 004751A6, 004751BE, 004751D6, 004751EE, 00475206
MessageBoxA, xrefs: 0047507D, 00475159
CloseHandle, xrefs: 004750C8, 004751D1
GetLastError, xrefs: 004750AA, 004751A1
GetExitCodeProcess, xrefs: 004750E6, 00475201
D, xrefs: 00474FC9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045D6E8, Relevance: 49.1, APIs: 15, Strings: 13, Instructions: 95 Total matches: 1532libraryloader

Similarity

Total matches: 1532
API ID: GetProcAddress$SetErrorMode$GetModuleHandleLoadLibrary
String ID: ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME$[FILE]
API String ID: 4285671783-683095915
Opcode ID: 6332f91712b4189a2fbf9eac54066364acf4b46419cf90587b9f7381acad85db
Instruction ID: 372e34bc737a7edc69a1909bd40661afaf820c1de602df88552da6e630419b72
Opcode Fuzzy Hash: 0A01257F24D863CBD2D0CE4934DB39D20B65787C0C8D6DF404605318697F9BF9295A68
Instruction Fuzzy Hash: 372e34bc737a7edc69a1909bd40661afaf820c1de602df88552da6e630419b72

APIs

SetErrorMode.KERNEL32(00008000), ref: 0045D701
GetModuleHandleA.KERNEL32(USER32,00000000,0045D84E,?,00008000), ref: 0045D725
GetProcAddress.KERNEL32(00000000,WINNLSEnableIME,USER32,00000000,0045D84E,?,00008000), ref: 0045D732
LoadLibraryA.KERNEL32(imm32.dll), ref: 0045D74E
GetProcAddress.KERNEL32(00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D770
GetProcAddress.KERNEL32(00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D785
GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D79A
GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7AF
GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7C4
GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E), ref: 0045D7D9
GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000), ref: 0045D7EE
GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext), ref: 0045D803
GetProcAddress.KERNEL32(00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext), ref: 0045D818
GetProcAddress.KERNEL32(00000000,ImmNotifyIME,00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus), ref: 0045D82D
SetErrorMode.KERNEL32(?,0045D855,00008000), ref: 0045D848

Strings

USER32, xrefs: 0045D720
ImmReleaseContext, xrefs: 0045D77A
ImmNotifyIME, xrefs: 0045D822
ImmIsIME, xrefs: 0045D80D
ImmGetConversionStatus, xrefs: 0045D78F
ImmSetCompositionFontA, xrefs: 0045D7E3
ImmGetCompositionStringA, xrefs: 0045D7F8
ImmSetCompositionWindow, xrefs: 0045D7CE
ImmGetContext, xrefs: 0045D765
imm32.dll, xrefs: 0045D749
ImmSetOpenStatus, xrefs: 0045D7B9
WINNLSEnableIME, xrefs: 0045D72C
ImmSetConversionStatus, xrefs: 0045D7A4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004104F0, Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141 Total matches: 3143

Similarity

Total matches: 3143
API ID: GetModuleHandle
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$[FILE]
API String ID: 2196120668-1102361026
Opcode ID: d04b3c176625d43589df9c4c1eaa1faa8af9b9c00307a8a09859a0e62e75f2dc
Instruction ID: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6
Opcode Fuzzy Hash: B8119E48E06A10BC356E3ED6B0292683F50A1A7CBF31D5388487AA46F067C083C0FF2D
Instruction Fuzzy Hash: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 004104F9

Part of subcall function 004104C4: GetProcAddress.KERNEL32(00000000), ref: 004104DD

Strings

VarMod, xrefs: 004105B7
VarBstrFromCy, xrefs: 004106A9
VarBstrFromBool, xrefs: 004106D5
VarAnd, xrefs: 004105CD
VarDateFromStr, xrefs: 00410667
oleaut32.dll, xrefs: 004104F4
VariantChangeTypeEx, xrefs: 00410507
VarCmp, xrefs: 0041060F
VarBstrFromDate, xrefs: 004106BF
VarBoolFromStr, xrefs: 00410693
VarR8FromStr, xrefs: 00410651
VarR4FromStr, xrefs: 0041063B
VarDiv, xrefs: 0041058B
VarSub, xrefs: 0041055F
VarNeg, xrefs: 0041051D
VarAdd, xrefs: 00410549
VarOr, xrefs: 004105E3
VarMul, xrefs: 00410575
VarI4FromStr, xrefs: 00410625
VarCyFromStr, xrefs: 0041067D
VarIdiv, xrefs: 004105A1
VarXor, xrefs: 004105F9
VarNot, xrefs: 00410533

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047EE3C, Relevance: 37.0, APIs: 10, Strings: 11, Instructions: 210 Total matches: 14file

Similarity

Total matches: 14
API ID: ShellExecute$CopyFile$DeleteFilePlaySoundSetFileAttributes
String ID: .dcp$BATCH$EDITSVR$GENCODE$HOSTS$SOUND$UPANDEXEC$UPDATE$UPLOADEXEC$drivers\etc\hosts$open
API String ID: 313780579-486951257
Opcode ID: 44d22e170a376e2c3ac9494fe8a96a526e5340482cd9b2ca1a65bf3f31ad22f8
Instruction ID: 609fd5320f3736894535b51981f95e3d4faf5b0f44a63c85dacee75dc97e5f91
Opcode Fuzzy Hash: 482159C03AA5D247E11B38503C02FC671E1AB8B365C4E774182B9B32D6EF825029EF59
Instruction Fuzzy Hash: 609fd5320f3736894535b51981f95e3d4faf5b0f44a63c85dacee75dc97e5f91

APIs

ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EEA0
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF11
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EF31
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF60

Part of subcall function 00475BD8: closesocket.WSOCK32(00000248,00000000,00475D47,?,00000000,00475D76,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00475D2E
Part of subcall function 00475BD8: GetCurrentProcessId.KERNEL32(00000248,00000000,00475D47,?,00000000,00475D76,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00475D33

ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0047EF96
CopyFileA.KERNEL32(00000000,00000000,.dcp), ref: 0047F0D1

Part of subcall function 00489C78: GetSystemDirectoryA.KERNEL32(00000000,?), ref: 00489CB4

SetFileAttributesA.KERNEL32(00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFD6
DeleteFileA.KERNEL32(00000000,00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFFF
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0047F033
PlaySoundA.WINMM(00000000,00000000,00000001,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047F059

Strings

UPANDEXEC, xrefs: 0047EF74
UPLOADEXEC, xrefs: 0047EE7E
BATCH, xrefs: 0047EEC3
drivers\etc\hosts, xrefs: 0047EFC3, 0047EFE6, 0047F017
GENCODE, xrefs: 0047F0A0
UPDATE, xrefs: 0047EF3E
open, xrefs: 0047EE99, 0047EF0A, 0047EF2A, 0047EF59, 0047EF8F
HOSTS, xrefs: 0047EFA3
.dcp, xrefs: 0047F0AD
SOUND, xrefs: 0047F040
EDITSVR, xrefs: 0047F063

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00489580, Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 221 Total matches: 17pipewindowsleep

Similarity

Total matches: 17
API ID: CloseHandleCreatePipePeekNamedPipe$CreateProcessDispatchMessageGetEnvironmentVariableGetExitCodeProcessOemToCharPeekMessageReadFileSleepTerminateProcessTranslateMessage
String ID: COMSPEC$D
API String ID: 4101216710-942777791
Opcode ID: 98b6063c36b7c4f9ee270a2712a57a54142ac9cf893dea9da1c9317ddc3726ed
Instruction ID: f750be379b028122e82cf807415e9f3aafae13f02fb218c552ebf65ada2f023f
Opcode Fuzzy Hash: 6221AE4207BD57A3E5972A046403B841372FF43A68F6CA7A2A6FD367E9CE400099FE14
Instruction Fuzzy Hash: f750be379b028122e82cf807415e9f3aafae13f02fb218c552ebf65ada2f023f

APIs

CreatePipe.KERNEL32(FFFFFFFF,?,00000000,00000000), ref: 004895ED
CreatePipe.KERNEL32(?,?,00000000,00000000,FFFFFFFF,?,00000000,00000000), ref: 004895FD
GetEnvironmentVariableA.KERNEL32(COMSPEC,?,00000104,?,?,00000000,00000000,FFFFFFFF,?,00000000,00000000), ref: 00489613
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?), ref: 00489668
Sleep.KERNEL32(000007D0,00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,COMSPEC,?,00000104,?,?), ref: 00489685
TranslateMessage.USER32(?), ref: 00489693
DispatchMessageA.USER32(?), ref: 0048969F
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004896B3
GetExitCodeProcess.KERNEL32(?,?), ref: 004896C8
PeekNamedPipe.KERNEL32(FFFFFFFF,00000000,00000000,00000000,?,00000000,?,?,?,00000000,00000000,00000000,00000001,?,?,?), ref: 004896F2
ReadFile.KERNEL32(FFFFFFFF,?,00002400,00000000,00000000), ref: 00489717
OemToCharA.USER32(?,?), ref: 0048972E
PeekNamedPipe.KERNEL32(FFFFFFFF,00000000,00000000,00000000,00000000,00000000,?,FFFFFFFF,?,00002400,00000000,00000000,FFFFFFFF,00000000,00000000,00000000), ref: 00489781

Part of subcall function 0041FA34: GetLastError.KERNEL32(00486514,00000004,0048650C,00000000,0041FADE,?,00499F5C), ref: 0041FA94

Part of subcall function 0041FC40: SetThreadPriority.KERNEL32(?,015CDB28,00499F5C,?,0047EC9E,?,?,?,00000000,00000000,?,0049062B), ref: 0041FC55

Part of subcall function 0041FEF0: ResumeThread.KERNEL32(?,00499F5C,?,0047ECAA,?,?,?,00000000,00000000,?,0049062B), ref: 0041FEF8

Part of subcall function 0041FF20: GetCurrentThreadId.KERNEL32 ref: 0041FF2E
Part of subcall function 0041FF20: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0041FF5A
Part of subcall function 0041FF20: MsgWaitForMultipleObjects.USER32(00000002,?,00000000,000003E8,00000040), ref: 0041FF6F
Part of subcall function 0041FF20: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041FF9C
Part of subcall function 0041FF20: GetExitCodeThread.KERNEL32(?,?,?,000000FF), ref: 0041FFA7

TerminateProcess.KERNEL32(?,00000000,00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,COMSPEC,?,00000104,?), ref: 0048980A
CloseHandle.KERNEL32(?), ref: 00489813
CloseHandle.KERNEL32(?), ref: 0048981C

Strings

D, xrefs: 00489627
COMSPEC, xrefs: 0048960E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004291D0, Relevance: 31.7, APIs: 21, Instructions: 194 Total matches: 3060window

Similarity

Total matches: 3060
API ID: SelectObject$CreateCompatibleDCDeleteDCRealizePaletteSelectPaletteSetBkColor$BitBltCreateBitmapDeleteObjectGetDCGetObjectPatBltReleaseDC
String ID:
API String ID: 628774946-0
Opcode ID: fe3971f2977393a3c43567018b8bbe78de127415e632ac21538e816cc0dd5250
Instruction ID: 6115c1c3159ef7867d394253bd6a45f4e10092e6f2e7cc69ab30c5ac2c74a228
Opcode Fuzzy Hash: 2911294A05CCF32B64B579881983B261182FE43B52CABF7105979272CACF41740DE457
Instruction Fuzzy Hash: 6115c1c3159ef7867d394253bd6a45f4e10092e6f2e7cc69ab30c5ac2c74a228

APIs

GetObjectA.GDI32(?,00000054,?), ref: 004291F3
GetDC.USER32(00000000), ref: 00429221
CreateCompatibleDC.GDI32(?), ref: 00429232
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0042924D
SelectObject.GDI32(?,00000000), ref: 00429267
PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 00429289
CreateCompatibleDC.GDI32(?), ref: 00429297
DeleteDC.GDI32(?), ref: 0042937D

Part of subcall function 00428B08: GetObjectA.GDI32(00000000,00000054,?), ref: 00428B88
Part of subcall function 00428B08: GetDC.USER32(00000000), ref: 00428B99
Part of subcall function 00428B08: CreateCompatibleDC.GDI32(00000000), ref: 00428BAA
Part of subcall function 00428B08: CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 00428BF6
Part of subcall function 00428B08: CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 00428C1A
Part of subcall function 00428B08: GetDeviceCaps.GDI32(00000028,0000000C), ref: 00428C6A
Part of subcall function 00428B08: GetDeviceCaps.GDI32(00000028,0000000E), ref: 00428C77
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00428D21
Part of subcall function 00428B08: GetDIBColorTable.GDI32(?,00000000,00000100,-00000027), ref: 00428D47
Part of subcall function 00428B08: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428D72
Part of subcall function 00428B08: SelectObject.GDI32(?,?), ref: 00428D7F
Part of subcall function 00428B08: CreateDIBSection.GDI32(00000028,00000001,00000000,00000003,00000000,00000000), ref: 00428DD5
Part of subcall function 00428B08: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428E36
Part of subcall function 00428B08: SelectObject.GDI32(?,?), ref: 00428E77
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,00000000), ref: 00428EB7
Part of subcall function 00428B08: RealizePalette.GDI32(?), ref: 00428EC3
Part of subcall function 00428B08: FillRect.USER32(?,?,00000000), ref: 00428F14
Part of subcall function 00428B08: SetTextColor.GDI32(?,00000000), ref: 00428F2C
Part of subcall function 00428B08: SetBkColor.GDI32(?,00000000), ref: 00428F46
Part of subcall function 00428B08: SetDIBColorTable.GDI32(?,00000000,00000002,?), ref: 00428F8E
Part of subcall function 00428B08: PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 00428FB0
Part of subcall function 00428B08: CreateCompatibleDC.GDI32(00000028), ref: 00428FC3
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00428FE6
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,00000000), ref: 00429002
Part of subcall function 00428B08: RealizePalette.GDI32(?), ref: 0042900D
Part of subcall function 00428B08: SetTextColor.GDI32(?,00000000), ref: 0042902B
Part of subcall function 00428B08: SetBkColor.GDI32(?,00000000), ref: 00429045
Part of subcall function 00428B08: BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042906D
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,000000FF), ref: 0042907F
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00429089
Part of subcall function 00428B08: DeleteDC.GDI32(?), ref: 004290A4
Part of subcall function 00428B08: SelectPalette.GDI32(?,?,000000FF), ref: 004290CE

SelectObject.GDI32(?), ref: 004292DF
SelectPalette.GDI32(?,?,00000000), ref: 004292F2
RealizePalette.GDI32(?), ref: 004292FB
SelectPalette.GDI32(?,?,00000000), ref: 00429307
RealizePalette.GDI32(?), ref: 00429310
SetBkColor.GDI32(?), ref: 0042931A
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042933E
SetBkColor.GDI32(?,00000000), ref: 00429348
SelectObject.GDI32(?,00000000), ref: 0042935B
DeleteObject.GDI32 ref: 00429367
SelectObject.GDI32(?,00000000), ref: 00429398
DeleteDC.GDI32(00000000), ref: 004293B4
ReleaseDC.USER32(00000000,00000000), ref: 004293C5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004031FC, Relevance: 27.1, APIs: 9, Strings: 9, Instructions: 110 Total matches: 169

Similarity

Total matches: 169
API ID: CharNext
String ID: $ $ $"$"$"$"$"$"
API String ID: 3213498283-3597982963
Opcode ID: a78e52ca640c3a7d11d18e4cac849d6c7481ab065be4a6ef34a7c34927dd7892
Instruction ID: 5d6dbb870b020a65ba4fa9e31a5dda400ef744f15fc7bff5e21739e263984da5
Opcode Fuzzy Hash: D0F054139ED4432360976B416872B44E2D0DF9564D2C01F185B62BE2F31E696D62F9DC
Instruction Fuzzy Hash: 5d6dbb870b020a65ba4fa9e31a5dda400ef744f15fc7bff5e21739e263984da5

APIs

CharNextA.USER32(00000000), ref: 00403208
CharNextA.USER32(00000000), ref: 00403236
CharNextA.USER32(00000000), ref: 00403240
CharNextA.USER32(00000000), ref: 0040325F
CharNextA.USER32(00000000), ref: 00403269
CharNextA.USER32(00000000), ref: 00403295
CharNextA.USER32(00000000), ref: 0040329F
CharNextA.USER32(00000000), ref: 004032C7
CharNextA.USER32(00000000), ref: 004032D1

Strings

", xrefs: 00403230
, xrefs: 004032E9
", xrefs: 0040328F
", xrefs: 0040321E
, xrefs: 00403214
", xrefs: 00403254
, xrefs: 00403278
", xrefs: 00403219
", xrefs: 004032BC

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00472E88, Relevance: 26.4, APIs: 6, Strings: 9, Instructions: 199 Total matches: 19network

Similarity

Total matches: 19
API ID: inet_ntoa$WSAIoctlclosesocketsocket
String ID: Broadcast adress : $ Broadcasts : NO$ Broadcasts : YES$ IP : $ IP Mask : $ Loopback interface$ Network interface$ Status : DOWN$ Status : UP
API String ID: 2271367613-1810517698
Opcode ID: 3d4dbe25dc82bdd7fd028c6f91bddee7ad6dc1d8a686e5486e056cbc58026438
Instruction ID: 018b2a24353d4e3a07e7e79b390110fecb7011e72bd4e8fb6250bb24c4a02172
Opcode Fuzzy Hash: E22138C22338E1B2D42A39C6B500F80B651671FB7EF481F9652B6FFDC26E488005A749
Instruction Fuzzy Hash: 018b2a24353d4e3a07e7e79b390110fecb7011e72bd4e8fb6250bb24c4a02172

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00473108), ref: 00472EC7
WSAIoctl.WS2_32(000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000), ref: 00472F08
inet_ntoa.WSOCK32(?,00000000,004730D5,?,00000002,00000001,00000000,00000000,00473108), ref: 00472F40
inet_ntoa.WSOCK32(?,00473130,?, IP : ,?,?,00000000,004730D5,?,00000002,00000001,00000000,00000000,00473108), ref: 00472F81
inet_ntoa.WSOCK32(?,00473130,?, IP Mask : ,?,?,00473130,?, IP : ,?,?,00000000,004730D5,?,00000002,00000001), ref: 00472FC2
closesocket.WSOCK32(000000FF,00000002,00000001,00000000,00000000,00473108), ref: 004730E3

Strings

Broadcast adress : , xrefs: 00472FCB
Status : UP, xrefs: 00473001
IP Mask : , xrefs: 00472F8A
Broadcasts : NO, xrefs: 00473057
Status : DOWN, xrefs: 0047301B
IP : , xrefs: 00472F49
Broadcasts : YES, xrefs: 0047303D
Network interface, xrefs: 00473091
Loopback interface, xrefs: 00473077

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045944C, Relevance: 25.8, APIs: 17, Instructions: 258 Total matches: 99

Similarity

Total matches: 99
API ID: OffsetRect$MapWindowPoints$DrawEdgeExcludeClipRectFillRectGetClientRectGetRgnBoxGetWindowDCGetWindowLongGetWindowRectInflateRectIntersectClipRectIntersectRectReleaseDC
String ID:
API String ID: 549690890-0
Opcode ID: 4a5933c45267f4417683cc1ac528043082b1f46eca0dcd21c58a50742ec4aa88
Instruction ID: 2ecbe6093ff51080a4fa1a6c7503b414327ded251fe39163baabcde2d7402924
Opcode Fuzzy Hash: DE316B4D01AF1663F073A6401983F7A1516FF43A89CD837F27EE63235E27662066AA03
Instruction Fuzzy Hash: 2ecbe6093ff51080a4fa1a6c7503b414327ded251fe39163baabcde2d7402924

APIs

GetWindowDC.USER32(00000000), ref: 00459480
GetClientRect.USER32(00000000,?), ref: 004594A3
GetWindowRect.USER32(00000000,?), ref: 004594B5
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 004594CB
OffsetRect.USER32(?,?,?), ref: 004594E0
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 004594F9
InflateRect.USER32(?,00000000,00000000), ref: 00459517
GetWindowLongA.USER32(00000000,000000F0), ref: 00459531
DrawEdge.USER32(?,?,?,00000008), ref: 00459630
IntersectClipRect.GDI32(?,?,?,?,?), ref: 00459649
OffsetRect.USER32(?,?,?), ref: 00459673
GetRgnBox.GDI32(?,?), ref: 00459682
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 00459698
IntersectRect.USER32(?,?,?), ref: 004596A9
OffsetRect.USER32(?,?,?), ref: 004596BE

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?,00000000), ref: 004596DA
ReleaseDC.USER32(00000000,?), ref: 004596F9

Part of subcall function 004328FC: GetWindowLongA.USER32(00000000,000000EC), ref: 00432917
Part of subcall function 004328FC: GetWindowRect.USER32(00000000,?), ref: 00432932
Part of subcall function 004328FC: OffsetRect.USER32(?,?,?), ref: 00432947
Part of subcall function 004328FC: GetWindowDC.USER32(00000000), ref: 00432955
Part of subcall function 004328FC: GetWindowLongA.USER32(00000000,000000F0), ref: 00432986
Part of subcall function 004328FC: GetSystemMetrics.USER32(00000002), ref: 0043299B
Part of subcall function 004328FC: GetSystemMetrics.USER32(00000003), ref: 004329A4
Part of subcall function 004328FC: InflateRect.USER32(?,000000FE,000000FE), ref: 004329B3
Part of subcall function 004328FC: GetSysColorBrush.USER32(0000000F), ref: 004329E0
Part of subcall function 004328FC: FillRect.USER32(?,?,00000000), ref: 004329EE
Part of subcall function 004328FC: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00432A13
Part of subcall function 004328FC: ReleaseDC.USER32(00000000,?), ref: 00432A51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00465A0C, Relevance: 21.2, APIs: 6, Strings: 8, Instructions: 232 Total matches: 70memory

Similarity

Total matches: 70
API ID: VirtualAlloc$GetProcessHeapHeapAlloc
String ID: BTMemoryLoadLibary: BuildImportTable failed$BTMemoryLoadLibary: Can't attach library$BTMemoryLoadLibary: Get DLLEntyPoint failed$BTMemoryLoadLibary: IMAGE_NT_SIGNATURE is not valid$BTMemoryLoadLibary: VirtualAlloc failed$BTMemoryLoadLibary: dll dos header is not valid$MZ$PE
API String ID: 2488116186-3631919656
Opcode ID: 3af931fd5e956d794d4d8b2d9451c0c23910b02d2e1f96ee73557f06256af9ed
Instruction ID: 5201b0f892773e34eb121d15694a5594f27085db04a31d88d5a3aa16cfd2fb7b
Opcode Fuzzy Hash: C92170831B68E1B7FD6411983983F62168EE747E64EC5A7700375391DB6B09408DEB4E
Instruction Fuzzy Hash: 5201b0f892773e34eb121d15694a5594f27085db04a31d88d5a3aa16cfd2fb7b

APIs

VirtualAlloc.KERNEL32(?,?,00002000,00000004), ref: 00465AC1
VirtualAlloc.KERNEL32(00000000,?,00002000,00000004,?,?,00002000,00000004), ref: 00465ADC
GetProcessHeap.KERNEL32(00000000,00000011,?,?,00002000,00000004), ref: 00465B07
HeapAlloc.KERNEL32(00000000,00000000,00000011,?,?,00002000,00000004), ref: 00465B0D
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,00000000,00000000,00000011,?,?,00002000,00000004), ref: 00465B41
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,00000000,?,00001000,00000004,00000000,00000000,00000011,?,?,00002000,00000004), ref: 00465B55

Part of subcall function 004653A8: VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00465410
Part of subcall function 004653A8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004), ref: 0046545B

Part of subcall function 00465598: LoadLibraryA.KERNEL32(00000000), ref: 00465607
Part of subcall function 00465598: GetProcAddress.KERNEL32(?,?), ref: 00465737
Part of subcall function 00465598: GetProcAddress.KERNEL32(?,?), ref: 0046576B
Part of subcall function 00465598: IsBadReadPtr.KERNEL32(?,00000014,00000000,004657D8), ref: 004657A9

Part of subcall function 004658F4: VirtualFree.KERNEL32(?,?,00004000), ref: 00465939
Part of subcall function 004658F4: VirtualProtect.KERNEL32(?,?,00000000,?), ref: 004659A5

Part of subcall function 00466038: FreeLibrary.KERNEL32(00000000,?,?,00000000,?,00000000,00465C6C), ref: 004660A7
Part of subcall function 00466038: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,?,00000000,00465C6C), ref: 004660D8
Part of subcall function 00466038: GetProcessHeap.KERNEL32(00000000,?,?,?,00000000,?,00000000,00465C6C), ref: 004660E0
Part of subcall function 00466038: HeapFree.KERNEL32(00000000,00000000,?), ref: 004660E6

Strings

BTMemoryLoadLibary: BuildImportTable failed, xrefs: 00465BD5
BTMemoryLoadLibary: Can't attach library, xrefs: 00465C5A
BTMemoryLoadLibary: IMAGE_NT_SIGNATURE is not valid, xrefs: 00465A95
BTMemoryLoadLibary: VirtualAlloc failed, xrefs: 00465AEC
PE, xrefs: 00465A84
BTMemoryLoadLibary: dll dos header is not valid, xrefs: 00465A4E
MZ, xrefs: 00465A41
BTMemoryLoadLibary: Get DLLEntyPoint failed, xrefs: 00465C28

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004296E0, Relevance: 21.2, APIs: 14, Instructions: 217 Total matches: 2962window

Similarity

Total matches: 2962
API ID: GetDeviceCapsSelectObjectSelectPaletteSetStretchBltMode$CreateCompatibleDCDeleteDCGetBrushOrgExRealizePaletteSetBrushOrgExStretchBlt
String ID:
API String ID: 3308931694-0
Opcode ID: c4f23efe5e20e7f72d9787206ae9d4d4484ef6a1768b369050ebc0ce3d21af64
Instruction ID: 6e80a75276815f297b150d1899ec2451361d21afa1efcd092d0d7bc48a04164e
Opcode Fuzzy Hash: 2C21980A409CEB6BF0BB78840183F4A2285BF9B34ACD1BB210E64673635F04E40BD65F
Instruction Fuzzy Hash: 6e80a75276815f297b150d1899ec2451361d21afa1efcd092d0d7bc48a04164e

APIs

Part of subcall function 00429D5C: GetDC.USER32(00000000), ref: 00429DB2
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429DC7
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00429DD1
Part of subcall function 00429D5C: CreateHalftonePalette.GDI32(00000000), ref: 00429DF5
Part of subcall function 00429D5C: ReleaseDC.USER32(00000000,00000000), ref: 00429E00

SelectPalette.GDI32(?,?,000000FF), ref: 00429723
RealizePalette.GDI32(?), ref: 00429732
GetDeviceCaps.GDI32(?,0000000C), ref: 00429744
GetDeviceCaps.GDI32(?,0000000E), ref: 00429753
GetBrushOrgEx.GDI32(?,?), ref: 00429786
SetStretchBltMode.GDI32(?,00000004), ref: 00429794
SetBrushOrgEx.GDI32(?,?,?,?), ref: 004297AC
SetStretchBltMode.GDI32(00000000,00000003), ref: 004297C9
SelectPalette.GDI32(?,?,000000FF), ref: 00429918

Part of subcall function 00429CFC: DeleteObject.GDI32(?), ref: 00429D1F

CreateCompatibleDC.GDI32(00000000), ref: 0042982A
SelectObject.GDI32(?,?), ref: 0042983F

Part of subcall function 00425CC8: CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 00425D0B
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425D20
Part of subcall function 00425CC8: MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,CCAA0029), ref: 00425D64
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425D7E
Part of subcall function 00425CC8: DeleteObject.GDI32(?), ref: 00425D8A
Part of subcall function 00425CC8: CreateCompatibleDC.GDI32(00000000), ref: 00425D9E
Part of subcall function 00425CC8: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00425DBF
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425DD4
Part of subcall function 00425CC8: SelectPalette.GDI32(?,48080787,00000000), ref: 00425DE8
Part of subcall function 00425CC8: SelectPalette.GDI32(?,?,00000000), ref: 00425DFA
Part of subcall function 00425CC8: SelectPalette.GDI32(?,00000000,000000FF), ref: 00425E0F
Part of subcall function 00425CC8: SelectPalette.GDI32(?,48080787,000000FF), ref: 00425E25
Part of subcall function 00425CC8: RealizePalette.GDI32(?), ref: 00425E31
Part of subcall function 00425CC8: StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 00425E53
Part of subcall function 00425CC8: StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 00425E75
Part of subcall function 00425CC8: SetTextColor.GDI32(?,00000000), ref: 00425E7D
Part of subcall function 00425CC8: SetBkColor.GDI32(?,00FFFFFF), ref: 00425E8B
Part of subcall function 00425CC8: StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 00425EB7
Part of subcall function 00425CC8: StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 00425EDC
Part of subcall function 00425CC8: SetTextColor.GDI32(?,?), ref: 00425EE6
Part of subcall function 00425CC8: SetBkColor.GDI32(?,?), ref: 00425EF0
Part of subcall function 00425CC8: SelectObject.GDI32(?,00000000), ref: 00425F03
Part of subcall function 00425CC8: DeleteObject.GDI32(?), ref: 00425F0C
Part of subcall function 00425CC8: SelectPalette.GDI32(?,00000000,00000000), ref: 00425F2E
Part of subcall function 00425CC8: DeleteDC.GDI32(?), ref: 00425F37

SelectObject.GDI32(?,00000000), ref: 0042989E
DeleteDC.GDI32(00000000), ref: 004298AD
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,?), ref: 004298F3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474208, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 49 Total matches: 17libraryloader

Similarity

Total matches: 17
API ID: GetProcAddress$LoadLibrary
String ID: WlanCloseHandle$WlanEnumInterfaces$WlanGetAvailableNetworkList$WlanOpenHandle$WlanQueryInterface$[FILE]
API String ID: 2209490600-3498334979
Opcode ID: 5146edb54a207047eae4574c9a27975307ac735bfb4468aea4e07443cdf6e803
Instruction ID: f89292433987c39bc7d9e273a1951c9a278ebb56a2de24d0a3e4590a01f53334
Opcode Fuzzy Hash: 50E0B6FD90BAA808D37089CC31962431D6E7BE332DA621E00086A230902B4FF2766935
Instruction Fuzzy Hash: f89292433987c39bc7d9e273a1951c9a278ebb56a2de24d0a3e4590a01f53334

APIs

LoadLibraryA.KERNEL32(wlanapi.dll), ref: 00474216
GetProcAddress.KERNEL32(00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 0047422E
GetProcAddress.KERNEL32(00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 00474249
GetProcAddress.KERNEL32(00000000,WlanEnumInterfaces,00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 00474264
GetProcAddress.KERNEL32(00000000,WlanQueryInterface,00000000,WlanEnumInterfaces,00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 0047427F
GetProcAddress.KERNEL32(00000000,WlanGetAvailableNetworkList,00000000,WlanQueryInterface,00000000,WlanEnumInterfaces,00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 0047429A

Strings

WlanOpenHandle, xrefs: 00474226
wlanapi.dll, xrefs: 00474211
WlanGetAvailableNetworkList, xrefs: 00474292
WlanQueryInterface, xrefs: 00474277
WlanEnumInterfaces, xrefs: 0047425C
WlanCloseHandle, xrefs: 00474241

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048D3C4, Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 132 Total matches: 32

Similarity

Total matches: 32
API ID: GetVersionEx
String ID: Unknow$Windows 2000$Windows 7$Windows 95$Windows 98$Windows Me$Windows NT 4.0$Windows Server 2003$Windows Vista$Windows XP
API String ID: 3908303307-3783844371
Opcode ID: 7b5a5832e5fd12129a8a2e2906a492b9449b8df28a17af9cc2e55bced20de565
Instruction ID: b844ed6b70e0e94de659292c354b68b9ed016400ab421bcb6baea74a0809c2ae
Opcode Fuzzy Hash: 0C11ACC1EB6CE422E7B219486410BD59E805F8B83AFCCC343D63EA83E46D491419F22D
Instruction Fuzzy Hash: b844ed6b70e0e94de659292c354b68b9ed016400ab421bcb6baea74a0809c2ae

APIs

GetVersionExA.KERNEL32(00000094), ref: 0048D410

Strings

Windows Me, xrefs: 0048D4F2
Windows NT 4.0, xrefs: 0048D441
Windows 2000, xrefs: 0048D467
Windows 95, xrefs: 0048D4D6
Windows 7, xrefs: 0048D4B1
Unknow, xrefs: 0048D3F5
Windows Vista, xrefs: 0048D4A3
Windows Server 2003, xrefs: 0048D486
Windows XP, xrefs: 0048D478
Windows 98, xrefs: 0048D4E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C494, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 102 Total matches: 27filememorythread

Similarity

Total matches: 27
API ID: CloseHandle$CreateFileCreateThreadFindResourceLoadResourceLocalAllocLockResourceSizeofResourceWriteFile
String ID: [FILE]
API String ID: 67866216-124780900
Opcode ID: 96c988e38e59b89ff17cc2eaece477f828ad8744e4a6eccd5192cfbc043553d8
Instruction ID: 630cc112895e8414539e3ba5b7ba0394fd4404f3832c6fa9d37db38bf09270f9
Opcode Fuzzy Hash: D5F02B8A57A5E6A3F0003C841D423D286D55B13B20E582B62C57CB75C1FE24502AFB03
Instruction Fuzzy Hash: 630cc112895e8414539e3ba5b7ba0394fd4404f3832c6fa9d37db38bf09270f9

APIs

FindResourceA.KERNEL32(00000000,?,?), ref: 0048C4C3

Part of subcall function 00489BB0: GetTempPathA.KERNEL32(?,00000000), ref: 00489BEC

CreateFileA.KERNEL32(00000000,.dll,?,?,40000000,00000002,00000000), ref: 0048C50F
SizeofResource.KERNEL32(00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC,?,?,?,?,00000000,00000000,00000000), ref: 0048C51F
LoadResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C528
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C52E
WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0048C535
CloseHandle.KERNEL32(00000000), ref: 0048C53B
LocalAlloc.KERNEL32(00000040,00000004,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C544
CreateThread.KERNEL32(00000000,00000000,0048C3E4,00000000,00000000,?), ref: 0048C586
CloseHandle.KERNEL32(00000000), ref: 0048C58C

Strings

.dll, xrefs: 0048C4F4, 0048C565

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004085D4, Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 61 Total matches: 268windowregistry

Similarity

Total matches: 268
API ID: RegisterWindowMessage$SendMessage$FindWindow
String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
API String ID: 773075572-3736581797
Opcode ID: b8d29d158da692a3f30c7c46c0fd30bc084ed528be5294db655e4684b6c0c80f
Instruction ID: 4e75a9db2a85290b2bd165713cc3b8ab264a87c6022b985514cebb886d0c2653
Opcode Fuzzy Hash: E3E086048EC5E4C040877D156905746525A5B47E33E88971245FC69EEBDF12706CF60B
Instruction Fuzzy Hash: 4e75a9db2a85290b2bd165713cc3b8ab264a87c6022b985514cebb886d0c2653

APIs

FindWindowA.USER32(MouseZ,Magellan MSWHEEL), ref: 004085EC
RegisterWindowMessageA.USER32(MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 004085F8
RegisterWindowMessageA.USER32(MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 00408607
RegisterWindowMessageA.USER32(MSH_SCROLL_LINES_MSG,MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 00408613
SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 0040862B
SendMessageA.USER32(00000000,?,00000000,00000000), ref: 0040864F

Strings

MSH_SCROLL_LINES_MSG, xrefs: 0040860E
MSH_WHEELSUPPORT_MSG, xrefs: 00408602
MouseZ, xrefs: 004085E7
Magellan MSWHEEL, xrefs: 004085E2
MSWHEEL_ROLLMSG, xrefs: 004085F3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00442280, Relevance: 18.5, APIs: 12, Instructions: 471 Total matches: 76window

Similarity

Total matches: 76
API ID: ShowWindow$SendMessageSetWindowPos$CallWindowProcGetActiveWindowSetActiveWindow
String ID:
API String ID: 1078102291-0
Opcode ID: 5a6bc4dc446307c7628f18d730adac2faaaadfe5fec0ff2c8aaad915570e293a
Instruction ID: d2d7a330045c082ee8847ac264425c59ea8f05af409e416109ccbd6a8a647aa5
Opcode Fuzzy Hash: AA512601698E2453F8A360442A87BAB6077F74EB54CC4AB744BCF530AB3A51D837E74B
Instruction Fuzzy Hash: d2d7a330045c082ee8847ac264425c59ea8f05af409e416109ccbd6a8a647aa5

APIs

Part of subcall function 004471C4: IsChild.USER32(00000000,00000000), ref: 00447222

SendMessageA.USER32(?,00000223,00000000,00000000), ref: 004426BE
ShowWindow.USER32(00000000,00000003), ref: 004426CE
ShowWindow.USER32(00000000,00000002), ref: 004426F0
CallWindowProcA.USER32(00407FF8,00000000,00000005,00000000,?), ref: 00442719
SendMessageA.USER32(?,00000234,00000000,00000000), ref: 0044273E
ShowWindow.USER32(00000000,?), ref: 00442763
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000097), ref: 004427FF
GetActiveWindow.USER32 ref: 00442815
ShowWindow.USER32(00000000,00000000), ref: 00442872

Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773

Part of subcall function 0043BA80: GetCurrentThreadId.KERNEL32(Function_0003BA1C,00000000,0044283C,00000000,004428BF), ref: 0043BA9A
Part of subcall function 0043BA80: EnumThreadWindows.USER32(00000000,Function_0003BA1C,00000000), ref: 0043BAA0

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000097), ref: 0044285A
SetActiveWindow.USER32(00000000), ref: 00442860
ShowWindow.USER32(00000000,00000001), ref: 004428A2

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004328FC, Relevance: 18.1, APIs: 12, Instructions: 142 Total matches: 2670

Similarity

Total matches: 2670
API ID: GetSystemMetricsGetWindowLong$ExcludeClipRectFillRectGetSysColorBrushGetWindowDCGetWindowRectInflateRectOffsetRectReleaseDC
String ID:
API String ID: 3932036319-0
Opcode ID: 76064c448b287af48dc2af56ceef959adfeb7e49e56a31cb381aae6292753b0b
Instruction ID: f04c829c48dd0ecc4740a09c532db4e7ffce190e9eba6ce852bb2d0274806371
Opcode Fuzzy Hash: 03019760024F1233E0B31AC05DC7F127621ED45386CA4BBF28BF6A72C962AA7006F467
Instruction Fuzzy Hash: f04c829c48dd0ecc4740a09c532db4e7ffce190e9eba6ce852bb2d0274806371

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 00432917
GetWindowRect.USER32(00000000,?), ref: 00432932
OffsetRect.USER32(?,?,?), ref: 00432947
GetWindowDC.USER32(00000000), ref: 00432955
GetWindowLongA.USER32(00000000,000000F0), ref: 00432986
GetSystemMetrics.USER32(00000002), ref: 0043299B
GetSystemMetrics.USER32(00000003), ref: 004329A4
InflateRect.USER32(?,000000FE,000000FE), ref: 004329B3
GetSysColorBrush.USER32(0000000F), ref: 004329E0
FillRect.USER32(?,?,00000000), ref: 004329EE
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00432A13
ReleaseDC.USER32(00000000,?), ref: 00432A51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00402820, Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 254 Total matches: 200window

Similarity

Total matches: 200
API ID: MessageBox
String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
API String ID: 1250089747-1256731999
Opcode ID: 490897b8e9acac750f9d51d50a768472c0795dbdc6439b18441db86d626ce938
Instruction ID: 76dfa530adb1b8c2cc13e2667be7c25ba156ed0594aa9714788bfb3d1a0eda85
Opcode Fuzzy Hash: 0731F44BA7DDC3A2D3E91303684575550E2A7C5537C888F609772317F6EE04250BAAAD
Instruction Fuzzy Hash: 76dfa530adb1b8c2cc13e2667be7c25ba156ed0594aa9714788bfb3d1a0eda85

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 00402BBE

Strings

An unexpected memory leak has occurred. , xrefs: 00402980
String, xrefs: 00402A91
, xrefs: 00402B04
Unknown, xrefs: 00402A7C
The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402B39
The unexpected small block leaks are:, xrefs: 004029F7
Unexpected Memory Leak, xrefs: 00402BB0
7, xrefs: 00402991
bytes: , xrefs: 00402A4D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F17C, Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 116 Total matches: 33window

Similarity

Total matches: 33
API ID: GetWindowPlacementGetWindowTextIsWindowVisible
String ID: ,$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive$True
API String ID: 41250382-511446200
Opcode ID: 2a93bd2407602c988be198f02ecb64933adb9ffad78aee0f75abc9a1a22a1849
Instruction ID: 8f95e1a452f283c9d6a5f9db166b7f7b6e325fa1ebf04232aa01919826a7e185
Opcode Fuzzy Hash: F5012D8237CECA73DA0AAEC47C00B80D5A5AF63224CC867A14A9D3D1D41ED06009AB4A
Instruction Fuzzy Hash: 8f95e1a452f283c9d6a5f9db166b7f7b6e325fa1ebf04232aa01919826a7e185

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F1D2
GetWindowPlacement.USER32(?,0000002C), ref: 0046F1ED
IsWindowVisible.USER32(?), ref: 0046F258

Part of subcall function 0046F148: GetWindow.USER32(?,00000005), ref: 0046F156
Part of subcall function 0046F148: GetWindow.USER32(00000000,00000002), ref: 0046F164

Strings

,, xrefs: 0046F1E1
Minimized, xrefs: 0046F225
Show/Unactive, xrefs: 0046F239
True, xrefs: 0046F2AA
Maximized, xrefs: 0046F1FD
Normal, xrefs: 0046F211
Normal/Unactive, xrefs: 0046F24D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E71C, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 109 Total matches: 2989

Similarity

Total matches: 2989
API ID: IntersectRect$GetSystemMetrics$EnumDisplayMonitorsGetClipBoxGetDCOrgExOffsetRect
String ID: EnumDisplayMonitors
API String ID: 2403121106-2491903729
Opcode ID: 52db4d6629bbd73772140d7e04a91d47a072080cb3515019dbe85a8b86b11587
Instruction ID: b4557ab74b20c8893b9e8c5043286aecf6e43751f6ec849995a879e485a4fa77
Opcode Fuzzy Hash: 60F02B4B413C0863AD32BB953067E2601615BD3955C9F7BF34D077A2091B85B42EF643
Instruction Fuzzy Hash: b4557ab74b20c8893b9e8c5043286aecf6e43751f6ec849995a879e485a4fa77

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 0042E755
GetSystemMetrics.USER32(00000000), ref: 0042E77A
GetSystemMetrics.USER32(00000001), ref: 0042E785
GetClipBox.GDI32(?,?), ref: 0042E797
GetDCOrgEx.GDI32(?,?), ref: 0042E7A4
OffsetRect.USER32(?,?,?), ref: 0042E7BD
IntersectRect.USER32(?,?,?), ref: 0042E7CE
IntersectRect.USER32(?,?,?), ref: 0042E7E4
IntersectRect.USER32(?,?,?), ref: 0042E804

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

EnumDisplayMonitors, xrefs: 0042E734

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044D1B0, Relevance: 16.6, APIs: 11, Instructions: 91 Total matches: 309

Similarity

Total matches: 309
API ID: GetWindowLongSetWindowLong$SetProp$IsWindowUnicode
String ID:
API String ID: 2416549522-0
Opcode ID: cc33e88019e13a6bdd1cd1f337bb9aa08043e237bf24f75c2294c70aefb51ea5
Instruction ID: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692
Opcode Fuzzy Hash: 47F09048455D92E9CE316990181BFEB6098AF57F91CE86B0469C2713778E50F079BCC2
Instruction Fuzzy Hash: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692

APIs

IsWindowUnicode.USER32(?), ref: 0044D1CA
SetWindowLongW.USER32(?,000000FC,?), ref: 0044D1E5
GetWindowLongW.USER32(?,000000F0), ref: 0044D1F0
GetWindowLongW.USER32(?,000000F4), ref: 0044D202
SetWindowLongW.USER32(?,000000F4,?), ref: 0044D215
SetWindowLongA.USER32(?,000000FC,?), ref: 0044D22E
GetWindowLongA.USER32(?,000000F0), ref: 0044D239
GetWindowLongA.USER32(?,000000F4), ref: 0044D24B
SetWindowLongA.USER32(?,000000F4,?), ref: 0044D25E
SetPropA.USER32(?,00000000,00000000), ref: 0044D275
SetPropA.USER32(?,00000000,00000000), ref: 0044D28C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00485954, Relevance: 16.0, APIs: 4, Strings: 5, Instructions: 236 Total matches: 15filewindow

Similarity

Total matches: 15
API ID: DeleteFile$BeepMessageBox
String ID: Error$SYSINFO$out.txt$systeminfo$tmp.txt
API String ID: 2513333429-345806071
Opcode ID: 175ef29eb0126f4faf8d8d995bdbdcdb5595b05f6195c7c08c0282fe984d4c47
Instruction ID: 39f7f17e1c987efdb7b4b5db2f739eec2f93dce701a473bbe0ca777f64945c64
Opcode Fuzzy Hash: 473108146FCD9607E0675C047D43BB622369F83488E8AB3736AB7321E95E12C007FE96
Instruction Fuzzy Hash: 39f7f17e1c987efdb7b4b5db2f739eec2f93dce701a473bbe0ca777f64945c64

APIs

Beep.KERNEL32(00000000,00000000,?,00000000,00485C82), ref: 00485C68

Part of subcall function 00489BB0: GetTempPathA.KERNEL32(?,00000000), ref: 00489BEC

Part of subcall function 0048AB58: DeleteFileA.KERNEL32(00000000,00000000,0048ABE5,?,00000000,0048AC07), ref: 0048ABA5

Part of subcall function 0048A8AC: CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000004,00000100,00000000), ref: 0048A953
Part of subcall function 0048A8AC: CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000002,00000100,00000000), ref: 0048A98D
Part of subcall function 0048A8AC: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000110,00000000,00000000,00000044,?), ref: 0048AA10
Part of subcall function 0048A8AC: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0048AA2D
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA68
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA77
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA86
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA95

DeleteFileA.KERNEL32(00000000,Error,00000000,00485C82), ref: 00485A63
DeleteFileA.KERNEL32(00000000,00000000,Error,00000000,00485C82), ref: 00485A92

Part of subcall function 00485888: LocalAlloc.KERNEL32(00000040,00000014,00000000,00485939), ref: 004858C3
Part of subcall function 00485888: CreateThread.KERNEL32(00000000,00000000,Function_0008317C,00000000,00000000,00499F94), ref: 00485913
Part of subcall function 00485888: CloseHandle.KERNEL32(00000000), ref: 00485919

MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00485BE3

Strings

systeminfo, xrefs: 00485A14
tmp.txt, xrefs: 004859CA, 00485A07, 00485A79
Error, xrefs: 004859DE
SYSINFO, xrefs: 00485AAE
out.txt, xrefs: 004859AB, 004859EE, 00485A2A, 00485A4A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A8AC, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 146 Total matches: 45fileprocesssynchronization

Similarity

Total matches: 45
API ID: CloseHandle$CreateFile$CreateProcessWaitForSingleObject
String ID: D
API String ID: 1169714791-2746444292
Opcode ID: 9fb844b51f751657abfdf9935c21911306aa385a3997c9217fbe2ce6b668f812
Instruction ID: 79e473b7fda91be69f4d7f417df14a4c992ec25b9310636d694ca9e09f5cc5b6
Opcode Fuzzy Hash: 4D11E6431384F3F3F1A567002C8275185D6DB45A78E6D9752D6B6323EECB40A16CF94A
Instruction Fuzzy Hash: 79e473b7fda91be69f4d7f417df14a4c992ec25b9310636d694ca9e09f5cc5b6

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000004,00000100,00000000), ref: 0048A953
CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000002,00000100,00000000), ref: 0048A98D
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000110,00000000,00000000,00000044,?), ref: 0048AA10
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0048AA2D
CloseHandle.KERNEL32(00000000), ref: 0048AA68
CloseHandle.KERNEL32(00000000), ref: 0048AA77
CloseHandle.KERNEL32(00000000), ref: 0048AA86
CloseHandle.KERNEL32(00000000), ref: 0048AA95

Strings

D, xrefs: 0048A9BB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F3B8, Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 110 Total matches: 30

Similarity

Total matches: 30
API ID: GetWindowPlacementGetWindowText
String ID: ,$False$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive
API String ID: 3194812178-3661939895
Opcode ID: 6e67ebc189e59b109926b976878c05c5ff8e56a7c2fe83319816f47c7d386b2c
Instruction ID: 05c2a068ec8248d3d24fb73124f2ba0192b7bb261c799db9564259cde8fcc610
Opcode Fuzzy Hash: DC012BC22786CE23E606A9C47A00BD0CE65AFB261CCC867E14FEE3C5D57ED100089B96
Instruction Fuzzy Hash: 05c2a068ec8248d3d24fb73124f2ba0192b7bb261c799db9564259cde8fcc610

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F40E
GetWindowPlacement.USER32(?,0000002C), ref: 0046F429

Part of subcall function 0046F148: GetWindow.USER32(?,00000005), ref: 0046F156
Part of subcall function 0046F148: GetWindow.USER32(00000000,00000002), ref: 0046F164

Strings

Maximized, xrefs: 0046F439
,, xrefs: 0046F41D
False, xrefs: 0046F4D6
Show/Unactive, xrefs: 0046F475
Normal, xrefs: 0046F44D
Minimized, xrefs: 0046F461
Normal/Unactive, xrefs: 0046F489

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00456278, Relevance: 15.2, APIs: 10, Instructions: 197 Total matches: 3025

Similarity

Total matches: 3025
API ID: GetWindowLong$IntersectClipRectRestoreDCSaveDC
String ID:
API String ID: 3006731778-0
Opcode ID: 42e9e34b880910027b3e3a352b823e5a85719ef328f9c6ea61aaf2d3498d6580
Instruction ID: 4204c0258dd60c0c2688d7e8ce7edc9cd036ce1826430425374ca7ebdb7834a4
Opcode Fuzzy Hash: 4621F609168D5267EC7B75806993BAA7111FB82B88CD1F7321AA1171975B80204BFA07
Instruction Fuzzy Hash: 4204c0258dd60c0c2688d7e8ce7edc9cd036ce1826430425374ca7ebdb7834a4

APIs

SaveDC.GDI32(?), ref: 00456295

Part of subcall function 0044EEA0: GetWindowOrgEx.GDI32(?), ref: 0044EEAE
Part of subcall function 0044EEA0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044EEC4

IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 004562CE
GetWindowLongA.USER32(00000000,000000EC), ref: 004562E2
GetWindowLongA.USER32(00000000,000000F0), ref: 00456303

Part of subcall function 00456278: SetRect.USER32(00000010,00000000,00000000,?,?), ref: 00456363
Part of subcall function 00456278: IntersectClipRect.GDI32(?,00000000,00000000,00000010,?), ref: 004563D3
Part of subcall function 00456278: SetRect.USER32(?,00000000,00000000,?,?), ref: 004563F4
Part of subcall function 00456278: DrawEdge.USER32(?,?,00000000,00000000), ref: 00456403
Part of subcall function 00456278: IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0045642C

RestoreDC.GDI32(?,?), ref: 004564AB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043F2B8, Relevance: 15.1, APIs: 10, Instructions: 133 Total matches: 142window

Similarity

Total matches: 142
API ID: GetWindowLongSendMessageSetWindowLong$GetClassLongGetSystemMenuSetClassLongSetWindowPos
String ID:
API String ID: 864553395-0
Opcode ID: 9ab73d602731c043e05f06fe9a833ffc60d2bf7da5b0a21ed43778f35c9aa1f5
Instruction ID: 86e40c6f39a8dd384175e0123e2dc7e82ae64037638b8220b5ac0861a23d6a34
Opcode Fuzzy Hash: B101DBAA1A176361E0912DCCCAC3B2ED50DB743248EB0DBD922E11540E7F4590A7FE2D
Instruction Fuzzy Hash: 86e40c6f39a8dd384175e0123e2dc7e82ae64037638b8220b5ac0861a23d6a34

APIs

GetWindowLongA.USER32(00000000,000000F0), ref: 0043F329
GetWindowLongA.USER32(00000000,000000EC), ref: 0043F33B
GetClassLongA.USER32(00000000,000000E6), ref: 0043F34E
SetWindowLongA.USER32(00000000,000000F0,00000000), ref: 0043F38E
SetWindowLongA.USER32(00000000,000000EC,?), ref: 0043F3A2
SetClassLongA.USER32(00000000,000000E6,?), ref: 0043F3B6
SendMessageA.USER32(00000000,00000080,00000001,00000000), ref: 0043F3F0
SendMessageA.USER32(00000000,00000080,00000001,00000000), ref: 0043F408
GetSystemMenu.USER32(00000000,000000FF), ref: 0043F417
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043F440

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044155C, Relevance: 15.1, APIs: 10, Instructions: 74 Total matches: 3192window

Similarity

Total matches: 3192
API ID: DeleteMenu$EnableMenuItem$GetSystemMenu
String ID:
API String ID: 3542995237-0
Opcode ID: 6b257927fe0fdeada418aad578b82fbca612965c587f2749ccb5523ad42afade
Instruction ID: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578
Opcode Fuzzy Hash: 0AF0D09DD98F1151E6F500410C47B83C08AFF413C5C245B380583217EFA9D25A5BEB0E
Instruction Fuzzy Hash: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 004415A7
DeleteMenu.USER32(00000000,0000F130,00000000), ref: 004415C5
DeleteMenu.USER32(00000000,00000007,00000400), ref: 004415D2
DeleteMenu.USER32(00000000,00000005,00000400), ref: 004415DF
DeleteMenu.USER32(00000000,0000F030,00000000), ref: 004415EC
DeleteMenu.USER32(00000000,0000F020,00000000), ref: 004415F9
DeleteMenu.USER32(00000000,0000F000,00000000), ref: 00441606
DeleteMenu.USER32(00000000,0000F120,00000000), ref: 00441613
EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 00441631
EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 0044164D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040281E, Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 188 Total matches: 190window

Similarity

Total matches: 190
API ID: MessageBox
String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
API String ID: 1250089747-980038931
Opcode ID: 1669ecd234b97cdbd14c3df7a35b1e74c6856795be7635a3e0f5130a3d9bc831
Instruction ID: 2e60dbe28dcd1d3aa5670394eea0bc97309ab4bc9661f15f320bab8b5d4cd559
Opcode Fuzzy Hash: 8E21F44B67EED392D3EA1303384575540E3ABC5537D888F60977232BF6EE14140BAA9D
Instruction Fuzzy Hash: 2e60dbe28dcd1d3aa5670394eea0bc97309ab4bc9661f15f320bab8b5d4cd559

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 00402BBE

Strings

An unexpected memory leak has occurred. , xrefs: 00402980
, xrefs: 00402B04
The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402B39
The unexpected small block leaks are:, xrefs: 004029F7
Unexpected Memory Leak, xrefs: 00402BB0
7, xrefs: 00402991
bytes: , xrefs: 00402A4D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004710F0, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 66 Total matches: 37

Similarity

Total matches: 37
API ID: GetWindowShowWindow$FindWindowGetClassName
String ID: BUTTON$Shell_TrayWnd
API String ID: 2948047570-3627955571
Opcode ID: 9e064d9ead1b610c0c1481de5900685eb7d76be14ef2e83358ce558d27e67668
Instruction ID: d360bd029940f6fa4d12d7627fe3e8b46839e67e31e965d43504e39a11938d6c
Opcode Fuzzy Hash: 68E092CC17B5D469B71A2789284236241D5C763A35C18B752D332376DF8E58021EE60A
Instruction Fuzzy Hash: d360bd029940f6fa4d12d7627fe3e8b46839e67e31e965d43504e39a11938d6c

APIs

FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 0047111D
GetWindow.USER32(00000000,00000005), ref: 00471125
GetClassNameA.USER32(00000000,?,00000080), ref: 0047113D
ShowWindow.USER32(00000000,00000001), ref: 0047117C
ShowWindow.USER32(00000000,00000000), ref: 00471186
GetWindow.USER32(00000000,00000002), ref: 0047118E

Strings

BUTTON, xrefs: 00471168
Shell_TrayWnd, xrefs: 00471118

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040DA34, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 56 Total matches: 16filewindow

Similarity

Total matches: 16
API ID: GetStdHandleWriteFile$CharToOemLoadStringMessageBox
String ID: LPI
API String ID: 3807148645-863635926
Opcode ID: 539cd2763de28bf02588dbfeae931fa34031625c31423c558e1c96719d1f86e4
Instruction ID: 5b0ab8211e0f5c40d4b1780363d5c9b524eff0228eb78845b7b0cb7c9884c59c
Opcode Fuzzy Hash: B1E09A464E3CA62353002E1070C6B892287EF4302E93833828A11787D74E3104E9A21C
Instruction Fuzzy Hash: 5b0ab8211e0f5c40d4b1780363d5c9b524eff0228eb78845b7b0cb7c9884c59c

APIs

Part of subcall function 0040D8AC: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040D8C9
Part of subcall function 0040D8AC: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040D8ED
Part of subcall function 0040D8AC: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040D908
Part of subcall function 0040D8AC: LoadStringA.USER32(00000000,0000FFED,?,00000100), ref: 0040D99E

CharToOemA.USER32(?,?), ref: 0040DA6B
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,0040E1ED,0040E312,0040FDD4,00000000,0040FF18), ref: 0040DA88
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?), ref: 0040DA8E
GetStdHandle.KERNEL32(000000F4,0040DAF8,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,0040E1ED,0040E312,0040FDD4,00000000,0040FF18), ref: 0040DAA3
WriteFile.KERNEL32(00000000,000000F4,0040DAF8,00000002,?), ref: 0040DAA9
LoadStringA.USER32(00000000,0000FFEE,?,00000040), ref: 0040DACB
MessageBoxA.USER32(00000000,?,?,00002010), ref: 0040DAE1

Strings

LPI, xrefs: 0040DA48

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004564D0, Relevance: 13.7, APIs: 9, Instructions: 177 Total matches: 190window

Similarity

Total matches: 190
API ID: SelectObject$BeginPaintBitBltCreateCompatibleBitmapCreateCompatibleDCSetWindowOrgEx
String ID:
API String ID: 1616898104-0
Opcode ID: 00b711a092303d63a394b0039c66d91bff64c6bf82b839551a80748cfcb5bf1e
Instruction ID: 1affb125a654ca7596d0e4f6c4811def945eff925a29ebecd1c68cf0f38a7913
Opcode Fuzzy Hash: 14115B85024DA637E8739CC85E83F962294F307D48C91F7729BA31B2C72F15600DD293
Instruction Fuzzy Hash: 1affb125a654ca7596d0e4f6c4811def945eff925a29ebecd1c68cf0f38a7913

APIs

Part of subcall function 00455D50: BeginPaint.USER32(00000000,?), ref: 00455D7B
Part of subcall function 00455D50: SaveDC.GDI32(00000000), ref: 00455DB4
Part of subcall function 00455D50: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 00455E36
Part of subcall function 00455D50: RestoreDC.GDI32(00000000,00000000), ref: 00455E6C
Part of subcall function 00455D50: EndPaint.USER32(00000000,?), ref: 00455EA9

BeginPaint.USER32(00000000,?), ref: 004565EA
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00456600
CreateCompatibleDC.GDI32(00000000), ref: 00456617
SelectObject.GDI32(?,?), ref: 00456627
SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0045664B

Part of subcall function 004564D0: BeginPaint.USER32(00000000,?), ref: 0045653C
Part of subcall function 004564D0: EndPaint.USER32(00000000,?), ref: 004565D0

BitBlt.GDI32(00000000,?,?,?,?,?,?,?,00CC0020), ref: 00456699
SelectObject.GDI32(?,?), ref: 004566B3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004840D8, Relevance: 13.6, APIs: 9, Instructions: 150 Total matches: 30

Similarity

Total matches: 30
API ID: CloseHandleGetTokenInformationLookupAccountSid$GetLastErrorOpenProcessOpenProcessToken
String ID:
API String ID: 1387212650-0
Opcode ID: 55fc45e655e8bcad6bc41288bae252f5ee7be0b7cb976adfe173a6785b05be5f
Instruction ID: 4c6b5abeafcca947752a893948ed48d42e020b1fe5683f4a654fc51f6199c0a3
Opcode Fuzzy Hash: 3901484A17CA2293F53BB5C82483FEA1215E702B45D48B7A354F43A59A5F45A13BF702
Instruction Fuzzy Hash: 4c6b5abeafcca947752a893948ed48d42e020b1fe5683f4a654fc51f6199c0a3

APIs

OpenProcess.KERNEL32(00000400,00000000,?,00000000,00484275), ref: 00484108
OpenProcessToken.ADVAPI32(00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 0048411E
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,?,00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 00484139
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),?,?,?,?,TokenIntegrityLevel,00000000,00000000,?,00000000,00000008,?,00000400,00000000), ref: 00484168
GetLastError.KERNEL32(?,TokenIntegrityLevel,00000000,00000000,?,00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 00484177
CloseHandle.KERNEL32(?), ref: 00484185
LookupAccountSidA.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 004841B4
LookupAccountSidA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,?), ref: 00484205
CloseHandle.KERNEL32(00000000), ref: 00484255

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00451458, Relevance: 13.6, APIs: 9, Instructions: 122 Total matches: 3040window

Similarity

Total matches: 3040
API ID: PatBlt$SelectObject$GetDCExGetDesktopWindowReleaseDC
String ID:
API String ID: 2402848322-0
Opcode ID: 0b1cd19b0e82695ca21d43bacf455c9985e1afa33c1b29ce2f3a7090b744ccb2
Instruction ID: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593
Opcode Fuzzy Hash: C2F0B4482AADF707C8B6350915C7F79224AED736458F4BB694DB4172CBAF27B014D093
Instruction Fuzzy Hash: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593

APIs

GetDesktopWindow.USER32 ref: 0045148F
GetDCEx.USER32(?,00000000,00000402), ref: 004514A2

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

SelectObject.GDI32(?,00000000), ref: 004514C5
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 004514EB
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0045150D
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 0045152C
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 00451546
SelectObject.GDI32(?,?), ref: 00451553
ReleaseDC.USER32(?,?), ref: 0045156D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00465598, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 194 Total matches: 72libraryloader

Similarity

Total matches: 72
API ID: GetProcAddress$IsBadReadPtrLoadLibrary
String ID: BuildImportTable: GetProcAddress failed$BuildImportTable: ReallocMemory failed$BuildImportTable: can't load library:
API String ID: 1616315271-1384308123
Opcode ID: eb45955122e677bac4d3e7b6686ec9cba9f45ae3ef48f3e0b242e9a0c3719a7c
Instruction ID: d25742ef4bc1d51b96969838743a3f95180d575e7d72d5f7fe617812cb4009d6
Opcode Fuzzy Hash: 0B214C420345E0D3ED39A2081CC7FB15345EF639B4D88AB671ABB667FA2985500AF50D
Instruction Fuzzy Hash: d25742ef4bc1d51b96969838743a3f95180d575e7d72d5f7fe617812cb4009d6

APIs

LoadLibraryA.KERNEL32(00000000), ref: 00465607
GetProcAddress.KERNEL32(?,?), ref: 00465737
GetProcAddress.KERNEL32(?,?), ref: 0046576B
IsBadReadPtr.KERNEL32(?,00000014,00000000,004657D8), ref: 004657A9

Strings

BuildImportTable: can't load library: , xrefs: 00465644
BuildImportTable: ReallocMemory failed, xrefs: 0046568D
BuildImportTable: GetProcAddress failed, xrefs: 0046577C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482E34, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 193 Total matches: 16sleepthread

Similarity

Total matches: 16
API ID: Sleep$CreateThreadExitThread
String ID: .255$127.0.0.1$LanList
API String ID: 1155887905-2919614961
Opcode ID: f9aceb7697053a60f8f2203743265727de6b3c16a25ac160ebf033b594fe70c2
Instruction ID: 67bc21a589158fc7afeef0b5d02271f7d18e2bfc14a4273c93325a5ef21c2c98
Opcode Fuzzy Hash: 62215C820F87955EED616C807C41FA701315FB7649D4FAB622A6B3A1A74E032016B743
Instruction Fuzzy Hash: 67bc21a589158fc7afeef0b5d02271f7d18e2bfc14a4273c93325a5ef21c2c98

APIs

ExitThread.KERNEL32(00000000,00000000,004830D3,?,?,?,?,00000000,00000000), ref: 004830A6

Part of subcall function 00473208: socket.WSOCK32(00000002,00000001,00000000,00000000,00473339), ref: 0047323B
Part of subcall function 00473208: WSAIoctl.WS2_32(000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000), ref: 0047327C
Part of subcall function 00473208: inet_ntoa.WSOCK32(?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000), ref: 004732AC
Part of subcall function 00473208: inet_ntoa.WSOCK32(?,?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001), ref: 004732E8
Part of subcall function 00473208: closesocket.WSOCK32(000000FF,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000,00000000,00473339), ref: 00473319

CreateThread.KERNEL32(00000000,00000000,Function_00082CDC,?,00000000,?), ref: 00483005
Sleep.KERNEL32(00000032,00000000,00000000,Function_00082CDC,?,00000000,?,?,00000000,00000000,00483104,?,00483104,?,00483104,?), ref: 0048300C
Sleep.KERNEL32(00000064,.255,?,00483104,?,00483104,?,?,00000000,004830D3,?,?,?,?,00000000,00000000), ref: 00483054

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

127.0.0.1, xrefs: 00482E9D
LanList, xrefs: 0048306B
.255, xrefs: 0048303C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004117E8, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: f440f800a6dcfa6827f62dcd7c23166eba4d720ac19948e634cff8498f9e3f0b
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 4D113503239AAB83B0257B804C83F24D1D0DE42D36ACD97B8C672693F32601561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00411881
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041189D
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 004118D6
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411953
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0041196C
VariantCopy.OLEAUT32(?), ref: 004119A1

Strings

, xrefs: 00411802

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00454934, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 134 Total matches: 1764registry

Similarity

Total matches: 1764
API ID: GetWindowLong$GetClassInfoRegisterClassSetWindowLongUnregisterClass
String ID: @
API String ID: 2433521760-2766056989
Opcode ID: bb057d11bcffa2997f58ae607b8aec9f6d517787b85221cca69b6bc40098651c
Instruction ID: 4013627ed433dbc6b152acdb164a0da3d29e3622e0b68fd627badcaca3a3b516
Opcode Fuzzy Hash: 5A119C80560CD237E7D669A4B48378513749F97B7CDD0536B63F6242DA4E00402DF96E
Instruction Fuzzy Hash: 4013627ed433dbc6b152acdb164a0da3d29e3622e0b68fd627badcaca3a3b516

APIs

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetClassInfoA.USER32(?,?,?), ref: 004549F8
UnregisterClassA.USER32(?,?), ref: 00454A20
RegisterClassA.USER32(?), ref: 00454A36
GetWindowLongA.USER32(00000000,000000F0), ref: 00454A72
GetWindowLongA.USER32(00000000,000000F4), ref: 00454A87
SetWindowLongA.USER32(00000000,000000F4,00000000), ref: 00454A9A

Part of subcall function 00458910: IsIconic.USER32(?), ref: 0045891F
Part of subcall function 00458910: GetWindowPlacement.USER32(?,0000002C), ref: 0045893C
Part of subcall function 00458910: GetWindowRect.USER32(?), ref: 00458955
Part of subcall function 00458910: GetWindowLongA.USER32(?,000000F0), ref: 00458963
Part of subcall function 00458910: GetWindowLongA.USER32(?,000000F8), ref: 00458978
Part of subcall function 00458910: ScreenToClient.USER32(00000000), ref: 00458985
Part of subcall function 00458910: ScreenToClient.USER32(00000000,?), ref: 00458990

Part of subcall function 0042473C: CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,00424930,?,00000000,00424958), ref: 0042486B
Part of subcall function 0042473C: CreateFontIndirectA.GDI32(?), ref: 0042490D

Part of subcall function 0040F26C: GetLastError.KERNEL32(0040F31C,?,0041BBC3,?), ref: 0040F26C

Strings

@, xrefs: 0045496D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AC14, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 110 Total matches: 30

Similarity

Total matches: 30
API ID: GetCurrentProcessGetTokenInformationLookupPrivilegeDisplayNameLookupPrivilegeNameOpenProcessToken
String ID: GetTokenInformation error$OpenProcessToken error
API String ID: 34442935-1842041635
Opcode ID: 07715b92dc7caf9e715539a578f275bcd2bb60a34190f84cc6cf05c55eb8ea49
Instruction ID: 380ab001647c8b3903b6034fc21424389ae21c1771cfbd9cf9b74ae493e33b6b
Opcode Fuzzy Hash: 9101994303ACF753F62929086842BDA0550DF534A5EC4AB6281746BEC90F28203AFB57
Instruction Fuzzy Hash: 380ab001647c8b3903b6034fc21424389ae21c1771cfbd9cf9b74ae493e33b6b

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AD60), ref: 0048AC51
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AD60), ref: 0048AC57
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000320,?,00000000,00000028,?,00000000,0048AD60), ref: 0048AC7D
LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,00000000,000000FF,?), ref: 0048ACEE

Part of subcall function 00489B40: MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00489B84

LookupPrivilegeNameA.ADVAPI32(00000000,?,00000000,000000FF), ref: 0048ACDD

Strings

GetTokenInformation error, xrefs: 0048AC86
OpenProcessToken error, xrefs: 0048AC60

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0041F7B4, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109 Total matches: 16thread

Similarity

Total matches: 16
API ID: EnterCriticalSectionGetCurrentThreadId$InterlockedExchangeLeaveCriticalSection
String ID: 4PI
API String ID: 853095497-1771581502
Opcode ID: e7ac2c5012fa839d146893c0705f22c4635eb548c5d0be0363ce03b581d14a20
Instruction ID: e450c16710015a04d827bdf36dba62923dd4328c0a0834b889eda6f9c026b195
Opcode Fuzzy Hash: 46F0268206D8F1379472678830D77370A8AC33154EC85EB52162C376EB1D05D05DE75B
Instruction Fuzzy Hash: e450c16710015a04d827bdf36dba62923dd4328c0a0834b889eda6f9c026b195

APIs

GetCurrentThreadId.KERNEL32 ref: 0041F7BF
GetCurrentThreadId.KERNEL32 ref: 0041F7CE
EnterCriticalSection.KERNEL32(004999D0,0041F904,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F8F7

Part of subcall function 0041F774: WaitForSingleObject.KERNEL32(000000EC), ref: 0041F77E

Part of subcall function 0041F768: ResetEvent.KERNEL32(000000EC,0041F809), ref: 0041F76E

EnterCriticalSection.KERNEL32(004999D0), ref: 0041F813
InterlockedExchange.KERNEL32(00491B2C,?), ref: 0041F82F
LeaveCriticalSection.KERNEL32(004999D0,00000000,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F888

Strings

4PI, xrefs: 0041F7C4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00449834, Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 80 Total matches: 16libraryloader

Similarity

Total matches: 16
API ID: GetModuleHandleGetProcAddressImageList_Write
String ID: $qA$ImageList_WriteEx$[FILE]$[FILE]
API String ID: 3028349119-1134023085
Opcode ID: 9b6b780f1487285524870f905d0420896c1378cf45dbecae2d97141bf0e14d48
Instruction ID: 043155abd17610354dead4f4dd3580dd0e6203469d1d2f069e389e4af6e4a666
Opcode Fuzzy Hash: 29F059C6A0CCF14AE7175584B0AB66107F0BB9DD5F8C87710081C710A90F95A13DFB56
Instruction Fuzzy Hash: 043155abd17610354dead4f4dd3580dd0e6203469d1d2f069e389e4af6e4a666

APIs

ImageList_Write.COMCTL32(00000000,?,00000000,0044992E), ref: 004498F8

Part of subcall function 0040E3A4: GetFileVersionInfoSizeA.VERSION(00000000,?,00000000,0040E47A), ref: 0040E3E6
Part of subcall function 0040E3A4: GetFileVersionInfoA.VERSION(00000000,?,00000000,?,00000000,0040E45D,?,00000000,?,00000000,0040E47A), ref: 0040E41B
Part of subcall function 0040E3A4: VerQueryValueA.VERSION(?,0040E48C,?,?,00000000,?,00000000,?,00000000,0040E45D,?,00000000,?,00000000,0040E47A), ref: 0040E435

GetModuleHandleA.KERNEL32(comctl32.dll), ref: 00449868
GetProcAddress.KERNEL32(00000000,ImageList_WriteEx,comctl32.dll), ref: 00449879

Strings

comctl32.dll, xrefs: 00449863
ImageList_WriteEx, xrefs: 00449873
$qA, xrefs: 004498D4, 00449909
comctl32.dll, xrefs: 00449848

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E4A0, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68 Total matches: 2853string

Similarity

Total matches: 2853
API ID: GetSystemMetrics$GetMonitorInfoSystemParametersInfolstrcpy
String ID: DISPLAY$GetMonitorInfo
API String ID: 3432438702-1633989206
Opcode ID: eae47ffeee35c10db4cae29e8a4ab830895bcae59048fb7015cdc7d8cb0a928b
Instruction ID: 74142331967dee0409fd24cf408a58a7466f2520650418456c75ade1e3029da4
Opcode Fuzzy Hash: 28E068803A699081F86A71027110F4912B07AE7E47D883B92C4777051BD78265B91D01
Instruction Fuzzy Hash: 74142331967dee0409fd24cf408a58a7466f2520650418456c75ade1e3029da4

APIs

GetMonitorInfoA.USER32(?,?), ref: 0042E4D1
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042E4F8
GetSystemMetrics.USER32(00000000), ref: 0042E50D
GetSystemMetrics.USER32(00000001), ref: 0042E518
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0042E542

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

DISPLAY, xrefs: 0042E539
GetMonitorInfo, xrefs: 0042E4B8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004052FC, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38 Total matches: 3072filewindow

Similarity

Total matches: 3072
API ID: GetStdHandleWriteFile$MessageBox
String ID: Error$Runtime error at 00000000
API String ID: 877302783-2970929446
Opcode ID: a2f2a555d5de0ed3a3cdfe8a362fd9574088acc3a5edf2b323f2c4251b80d146
Instruction ID: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97
Opcode Fuzzy Hash: FED0A7C68438479FA141326030C4B2A00133F0762A9CC7396366CB51DFCF4954BCDD05
Instruction Fuzzy Hash: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405335
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 0040533B
GetStdHandle.KERNEL32(000000F5,00405384,00000002,?,00000000,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405350
WriteFile.KERNEL32(00000000,000000F5,00405384,00000002,?), ref: 00405356
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00405374

Strings

Error, xrefs: 00405368
Runtime error at 00000000, xrefs: 0040532E, 0040536D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00442C9C, Relevance: 12.2, APIs: 8, Instructions: 154 Total matches: 2310window

Similarity

Total matches: 2310
API ID: SendMessage$GetActiveWindowGetCapture$ReleaseCapture
String ID:
API String ID: 3360342259-0
Opcode ID: 2e7a3c9d637816ea08647afd4d8ce4a3829e05fa187c32cef18f4a4206af3d5d
Instruction ID: f313f7327938110f0d474da6a120560d1e1833014bacf3192a9076ddb3ef11f7
Opcode Fuzzy Hash: 8F1150111E8E7417F8A3A1C8349BB23A067F74FA59CC0BF71479A610D557588869D707
Instruction Fuzzy Hash: f313f7327938110f0d474da6a120560d1e1833014bacf3192a9076ddb3ef11f7

APIs

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetCapture.USER32 ref: 00442D0D
GetCapture.USER32 ref: 00442D1C
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00442D22
ReleaseCapture.USER32 ref: 00442D27
GetActiveWindow.USER32 ref: 00442D78

Part of subcall function 004442A8: GetCursorPos.USER32 ref: 004442C3
Part of subcall function 004442A8: WindowFromPoint.USER32(?,?), ref: 004442D0
Part of subcall function 004442A8: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004442DE
Part of subcall function 004442A8: GetCurrentThreadId.KERNEL32(00000000,00000000,?,?), ref: 004442E5
Part of subcall function 004442A8: SendMessageA.USER32(00000000,00000084,00000000,?), ref: 0044430E
Part of subcall function 004442A8: SendMessageA.USER32(00000000,00000020,00000000,?), ref: 00444320
Part of subcall function 004442A8: SetCursor.USER32(00000000), ref: 00444332

Part of subcall function 0043B920: GetCurrentThreadId.KERNEL32(0043B8D0,00000000,00000000,0043B993,?,00000000,0043B9D1), ref: 0043B976
Part of subcall function 0043B920: EnumThreadWindows.USER32(00000000,0043B8D0,00000000), ref: 0043B97C

SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00442E0E
SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00442E7B
GetActiveWindow.USER32 ref: 00442E8A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E0DC, Relevance: 12.1, APIs: 8, Instructions: 100 Total matches: 31registry

Similarity

Total matches: 31
API ID: RegOpenKeyEx$RegCloseKeyRegDeleteValue
String ID:
API String ID: 2702562355-0
Opcode ID: ff1bffc0fc9da49c543c68ea8f8c068e074332158ed00d7e0855fec77d15ce10
Instruction ID: bb6f8a9e936068d281b70d3ea2ea02ff1a791729bc38357734c580253c916b5c
Opcode Fuzzy Hash: 00F0AD0155E9A353EBF654C41E127DB2082FF43A44D08FFB50392139D3DF581028E663
Instruction Fuzzy Hash: bb6f8a9e936068d281b70d3ea2ea02ff1a791729bc38357734c580253c916b5c

APIs

RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?,00000000,0046E238), ref: 0046E15A
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,000F003F,?,0046E23F,80000000,00000000,00000000,000F003F,?,00000000,0046E238), ref: 0046E17D
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,0046E23F,80000000,00000000,00000000,000F003F,?), ref: 0046E19D
RegOpenKeyExA.ADVAPI32(80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,0046E23F), ref: 0046E1BD
RegOpenKeyExA.ADVAPI32(80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001), ref: 0046E1DD
RegOpenKeyExA.ADVAPI32(80000006,00000000,00000000,000F003F,?,80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002), ref: 0046E1FD
RegDeleteValueA.ADVAPI32(?,00000000,00000000,0046E238), ref: 0046E20F
RegCloseKey.ADVAPI32(?,?,00000000,00000000,0046E238), ref: 0046E218

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004462F4, Relevance: 12.1, APIs: 8, Instructions: 99 Total matches: 293windowthread

Similarity

Total matches: 293
API ID: SendMessage$GetWindowThreadProcessId$GetCaptureGetParentIsWindowUnicode
String ID:
API String ID: 2317708721-0
Opcode ID: 8f6741418f060f953fc426fb00df5905d81b57fcb2f7a38cdc97cb0aab6d7365
Instruction ID: 027f2b09132ef415e1641618d15c0fc03404835376b0cbd1c352fc703b58c8b5
Opcode Fuzzy Hash: D0F09E15071D1844F89FA7844CD3F1F0150E73726FC516A251861D07BB2640586DEC40
Instruction Fuzzy Hash: 027f2b09132ef415e1641618d15c0fc03404835376b0cbd1c352fc703b58c8b5

APIs

GetCapture.USER32 ref: 0044631A
GetParent.USER32(00000000), ref: 00446340
IsWindowUnicode.USER32(00000000), ref: 0044635D
SendMessageW.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446378
SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446397
GetWindowThreadProcessId.USER32(00000000), ref: 004463A6
GetWindowThreadProcessId.USER32(?,?), ref: 004463B4
SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 004463D4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E244, Relevance: 12.1, APIs: 8, Instructions: 95 Total matches: 27registry

Similarity

Total matches: 27
API ID: RegOpenKeyEx$RegCloseKeyRegDeleteKey
String ID:
API String ID: 1588268847-0
Opcode ID: efa1fa3a126963e045954320cca245066a4b5764b694b03be027155e6cf74c33
Instruction ID: 786d86d630c0ce6decb55c8266b1f23f89dbfeab872e22862efc69a80fb541cf
Opcode Fuzzy Hash: 70F0810454D99393EFF268C81A627EB2492FF53141C00BFB603D222A93DF191428E663
Instruction Fuzzy Hash: 786d86d630c0ce6decb55c8266b1f23f89dbfeab872e22862efc69a80fb541cf

APIs

RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?,00000000,0046E391), ref: 0046E2B7
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,000F003F,?,80000000,00000000,00000000,000F003F,?,00000000,0046E391), ref: 0046E2DA
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,80000000,00000000,00000000,000F003F,?,00000000), ref: 0046E2FA
RegOpenKeyExA.ADVAPI32(80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,80000000), ref: 0046E31A
RegOpenKeyExA.ADVAPI32(80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001), ref: 0046E33A
RegOpenKeyExA.ADVAPI32(80000006,00000000,00000000,000F003F,?,80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002), ref: 0046E35A
RegDeleteKeyA.ADVAPI32(?,0046E39C), ref: 0046E368
RegCloseKey.ADVAPI32(?,?,0046E39C,00000000,0046E391), ref: 0046E371

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426060, Relevance: 12.1, APIs: 8, Instructions: 79 Total matches: 3072window

Similarity

Total matches: 3072
API ID: GetSystemPaletteEntries$GetDCGetDeviceCapsReleaseDC
String ID:
API String ID: 3774187343-0
Opcode ID: c8a1f0028bda89d06ba34fecd970438ce26e4f5bd606e2da3d468695089984a8
Instruction ID: 0cfe958825060108f21fe327ec74807f3ea840bb8274bad68fd1d00675d59d02
Opcode Fuzzy Hash: 82F0E9420739F3B3B21723492453B548250FF006B8F195B7095A2A37D54B486A08D65A
Instruction Fuzzy Hash: 0cfe958825060108f21fe327ec74807f3ea840bb8274bad68fd1d00675d59d02

APIs

GetDC.USER32(00000000), ref: 0042608E
GetDeviceCaps.GDI32(?,00000068), ref: 004260AA
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 004260C9
GetSystemPaletteEntries.GDI32(?,-00000008,00000001,00C0C0C0), ref: 004260ED
GetSystemPaletteEntries.GDI32(?,00000000,00000007,?), ref: 0042610B
GetSystemPaletteEntries.GDI32(?,00000007,00000001,?), ref: 0042611F
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0042613F
ReleaseDC.USER32(00000000,?), ref: 00426157

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434550, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 177 Total matches: 2669window

Similarity

Total matches: 2669
API ID: InsertMenu$GetVersionInsertMenuItem
String ID: ,$?
API String ID: 1158528009-2308483597
Opcode ID: 3691d3eb49acf7fe282d18733ae3af9147e5be4a4a7370c263688d5644077239
Instruction ID: d88e58a9695d0ecde36b26a9ed5775f3b98e27f7dc2108173ae1ec2afbf22209
Opcode Fuzzy Hash: 7021C07202AE81DBD414788C7954F6221B16B5465FD49FF210329B5DD98F156003FF7A
Instruction Fuzzy Hash: d88e58a9695d0ecde36b26a9ed5775f3b98e27f7dc2108173ae1ec2afbf22209

APIs

GetVersion.KERNEL32(00000000,004347A1), ref: 004345EC
InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 004346F5
InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 0043477E

Part of subcall function 00434A54: CreatePopupMenu.USER32 ref: 00434A6F
Part of subcall function 00434A54: CreateMenu.USER32 ref: 00434A79

InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 00434765

Strings

?, xrefs: 00434607
,, xrefs: 00434600

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00488D70, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 139 Total matches: 17window

Similarity

Total matches: 17
API ID: BitBltCreateCompatibleBitmapCreateCompatibleDCCreateDCSelectObject
String ID: image/jpeg
API String ID: 3045076971-3785015651
Opcode ID: dbe4b5206c04ddfa7cec44dd0e3e3f3269a9d8eacf2ec53212285f1a385d973c
Instruction ID: b6a9b81207b66fd46b40be05ec884117bb921c7e8fb4f30b77988d552b54040a
Opcode Fuzzy Hash: 3001BD010F4EF103E475B5CC3853FF7698AEB17E8AD1A77A20CB8961839202A009F607
Instruction Fuzzy Hash: b6a9b81207b66fd46b40be05ec884117bb921c7e8fb4f30b77988d552b54040a

APIs

CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 00488DAA
CreateCompatibleDC.GDI32(?), ref: 00488DC4
CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 00488DDC
SelectObject.GDI32(?,?), ref: 00488DEC
BitBlt.GDI32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,00CC0020), ref: 00488E15

Part of subcall function 0045FB1C: GdipCreateBitmapFromHBITMAP.GDIPLUS(?,?,?), ref: 0045FB43

Part of subcall function 0045FA24: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,0045FA7A), ref: 0045FA54

Strings

image/jpeg, xrefs: 00488E70

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446834, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 138 Total matches: 241window

Similarity

Total matches: 241
API ID: SetWindowPos$GetWindowRectMessageBoxSetActiveWindow
String ID: (
API String ID: 3733400490-3887548279
Opcode ID: 057cc1c80f110adb1076bc5495aef73694a74091f1d008cb79dd59c6bbc78491
Instruction ID: b10abcdf8b99517cb61353ac0e0d7546e107988409174f4fad3563684715349e
Opcode Fuzzy Hash: 88014C110E8D5483B57334902893FAB110AFB8B789C4CF7F65ED25314A4B45612FA657
Instruction Fuzzy Hash: b10abcdf8b99517cb61353ac0e0d7546e107988409174f4fad3563684715349e

APIs

Part of subcall function 00447BE4: GetActiveWindow.USER32 ref: 00447C0B
Part of subcall function 00447BE4: GetLastActivePopup.USER32(?), ref: 00447C1D

GetWindowRect.USER32(?,?), ref: 004468B6
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 004468EE

Part of subcall function 0043B920: GetCurrentThreadId.KERNEL32(0043B8D0,00000000,00000000,0043B993,?,00000000,0043B9D1), ref: 0043B976
Part of subcall function 0043B920: EnumThreadWindows.USER32(00000000,0043B8D0,00000000), ref: 0043B97C

MessageBoxA.USER32(00000000,?,?,?), ref: 0044692D
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0044697D

Part of subcall function 0043B9E4: IsWindow.USER32(?), ref: 0043B9F2
Part of subcall function 0043B9E4: EnableWindow.USER32(?,000000FF), ref: 0043BA01

SetActiveWindow.USER32(00000000), ref: 0044698E

Strings

(, xrefs: 00446893

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446524, Relevance: 10.6, APIs: 7, Instructions: 105 Total matches: 329window

Similarity

Total matches: 329
API ID: PeekMessage$DispatchMessage$IsWindowUnicodeTranslateMessage
String ID:
API String ID: 94033680-0
Opcode ID: 72d0e2097018c2d171db36cd9dd5c7d628984fd68ad100676ade8b40d7967d7f
Instruction ID: b3581f7210794b57d406096c46509e1a6dcc6e0b3c60c7d01b5c3c410123a072
Opcode Fuzzy Hash: A2F0F642161A8221F90E364651E2FC06559E31F39CCD1D3871165A4192DF8573D6F95C
Instruction Fuzzy Hash: b3581f7210794b57d406096c46509e1a6dcc6e0b3c60c7d01b5c3c410123a072

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00446538
IsWindowUnicode.USER32 ref: 0044654C
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0044656D
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00446583

Part of subcall function 00447DD0: GetCapture.USER32 ref: 00447DDA
Part of subcall function 00447DD0: GetParent.USER32(00000000), ref: 00447E08

Part of subcall function 004462A4: TranslateMDISysAccel.USER32(?), ref: 004462E3

Part of subcall function 004462F4: GetCapture.USER32 ref: 0044631A
Part of subcall function 004462F4: GetParent.USER32(00000000), ref: 00446340
Part of subcall function 004462F4: IsWindowUnicode.USER32(00000000), ref: 0044635D
Part of subcall function 004462F4: SendMessageW.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446378
Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446397
Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(00000000), ref: 004463A6
Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(?,?), ref: 004463B4
Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 004463D4

Part of subcall function 0044625C: IsWindowUnicode.USER32(00000000), ref: 00446270
Part of subcall function 0044625C: IsDialogMessageW.USER32(?), ref: 00446281
Part of subcall function 0044625C: IsDialogMessageA.USER32(?,?,00000000,015B8130,00000001,00446607,?,00000000,00000000,00000000,00000001,?,00000000,00000000,00000000,00000000), ref: 00446296

TranslateMessage.USER32 ref: 0044660C
DispatchMessageW.USER32 ref: 00446618
DispatchMessageA.USER32 ref: 00446620

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004282D0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99 Total matches: 1938

Similarity

Total matches: 1938
API ID: GetWinMetaFileBitsMulDiv$GetDC
String ID: `
API String ID: 1171737091-2679148245
Opcode ID: 97e0afb71fd3017264d25721d611b96d1ac3823582e31f119ebb41a52f378edb
Instruction ID: fd1c75cb27f8ccc4a85bc281ca680933f7ff10ae91a160973978cac80d6b42b6
Opcode Fuzzy Hash: B6F0ACC4008CD2A7D87675DC1043F6311C897CA286E89BB739226A7307CB0AA019EC47
Instruction Fuzzy Hash: fd1c75cb27f8ccc4a85bc281ca680933f7ff10ae91a160973978cac80d6b42b6

APIs

MulDiv.KERNEL32(?,?,000009EC), ref: 00428322
MulDiv.KERNEL32(?,?,000009EC), ref: 00428339
GetDC.USER32(00000000), ref: 00428350
GetWinMetaFileBits.GDI32(?,00000000,00000000,00000008,?), ref: 00428374
GetWinMetaFileBits.GDI32(?,?,?,00000008,?), ref: 004283A7

Part of subcall function 00425A70: GetLastError.KERNEL32(00000000,00425B0C), ref: 00425A90
Part of subcall function 00425A70: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00425B0C), ref: 00425AB6

Strings

`, xrefs: 00428308

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444344, Relevance: 10.6, APIs: 7, Instructions: 89 Total matches: 2886

Similarity

Total matches: 2886
API ID: CreateFontIndirect$GetStockObjectSystemParametersInfo
String ID:
API String ID: 1286667049-0
Opcode ID: beeb678630a8d2ca0f721ed15124802961745e4c56d7c704ecddf8ebfa723626
Instruction ID: b9276e4cea0afd1028da4d528d34847b13dbaab52dc8e94e54053a20ac38a9fc
Opcode Fuzzy Hash: 00F0A4C36341F6F2D8993208742172161E6A74AE78C7CFF62422930ED2661A052EEB4F
Instruction Fuzzy Hash: b9276e4cea0afd1028da4d528d34847b13dbaab52dc8e94e54053a20ac38a9fc

APIs

SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 00444399
CreateFontIndirectA.GDI32(?), ref: 004443A6
GetStockObject.GDI32(0000000D), ref: 004443BC
SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 004443E5
CreateFontIndirectA.GDI32(?), ref: 004443F5
CreateFontIndirectA.GDI32(?), ref: 0044440E

Part of subcall function 00424A5C: MulDiv.KERNEL32(00000000,?,00000048), ref: 00424A69

GetStockObject.GDI32(0000000D), ref: 00444434

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428A00, Relevance: 10.6, APIs: 7, Instructions: 66 Total matches: 3056

Similarity

Total matches: 3056
API ID: SelectObject$CreateCompatibleDCDeleteDCGetDCReleaseDCSetDIBColorTable
String ID:
API String ID: 2399757882-0
Opcode ID: e05996493a4a7703f1d90fd319a439bf5e8e75d5a5d7afaf7582bfea387cb30d
Instruction ID: 90c847b5b2251fbb5b2f14fd0b24f537c214c92e226752d9278a3821f2f40b8f
Opcode Fuzzy Hash: 73E0DF8626D8F38BE435399C15C2BB202EAD763D20D1ABBA1CD712B5DB6B09701CE107
Instruction Fuzzy Hash: 90c847b5b2251fbb5b2f14fd0b24f537c214c92e226752d9278a3821f2f40b8f

APIs

Part of subcall function 004262B4: GetObjectA.GDI32(?,00000004), ref: 004262CB
Part of subcall function 004262B4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 004262EE

GetDC.USER32(00000000), ref: 00428A3E
CreateCompatibleDC.GDI32(?), ref: 00428A4A
SelectObject.GDI32(?), ref: 00428A57
SetDIBColorTable.GDI32(?,00000000,00000000,?), ref: 00428A7B
SelectObject.GDI32(?,?), ref: 00428A95
DeleteDC.GDI32(?), ref: 00428A9E
ReleaseDC.USER32(00000000,?), ref: 00428AA9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004442A8, Relevance: 10.6, APIs: 7, Instructions: 57 Total matches: 3149threadwindow

Similarity

Total matches: 3149
API ID: SendMessage$GetCurrentThreadIdGetCursorPosGetWindowThreadProcessIdSetCursorWindowFromPoint
String ID:
API String ID: 3843227220-0
Opcode ID: 636f8612f18a75fc2fe2d79306f1978e6c2d0ee500cce15a656835efa53532b4
Instruction ID: 91a0691e93be75cbd792bc1c5d11451005bcc187603754b99125f381020161aa
Opcode Fuzzy Hash: 6FE07D44093723D5C0644A295640705A6C6CB96630DC0DB86C339580FBAD0214F0BC92
Instruction Fuzzy Hash: 91a0691e93be75cbd792bc1c5d11451005bcc187603754b99125f381020161aa

APIs

GetCursorPos.USER32 ref: 004442C3
WindowFromPoint.USER32(?,?), ref: 004442D0
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004442DE
GetCurrentThreadId.KERNEL32(00000000,00000000,?,?), ref: 004442E5
SendMessageA.USER32(00000000,00000084,00000000,?), ref: 0044430E
SendMessageA.USER32(00000000,00000020,00000000,?), ref: 00444320
SetCursor.USER32(00000000), ref: 00444332

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00404448, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 49 Total matches: 63registry

Similarity

Total matches: 63
API ID: RegCloseKeyRegOpenKeyExRegQueryValueEx
String ID: &$FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 2249749755-409351
Opcode ID: ab90adbf7b939076b4d26ef1005f34fa32d43ca05e29cbeea890055cc8b783db
Instruction ID: ce62e3bb234767a160e82b0d7d36def6f0e4d1aa0fd43ed305e6d49589b0b3e0
Opcode Fuzzy Hash: 58D02BE10C9A675FB6B071543292B6310A3F72AA8CC0077326DD03A0D64FD26178CF03
Instruction Fuzzy Hash: ce62e3bb234767a160e82b0d7d36def6f0e4d1aa0fd43ed305e6d49589b0b3e0

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040446A
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,&,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040449D
RegCloseKey.ADVAPI32(?,004044C0,00000000,?,00000004,00000000,&,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004044B3

Strings

&, xrefs: 00404476
FPUMaskValue, xrefs: 00404494
SOFTWARE\Borland\Delphi\RTL, xrefs: 00404460

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00488B18, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 49 Total matches: 15

Similarity

Total matches: 15
API ID: GetDeviceCaps$CreateDCEnumDisplayMonitors
String ID: DISPLAY$MONSIZE0x0x0x0
API String ID: 764351534-707749442
Opcode ID: 4ad1b1e031ca4c6641bd4b991acf5b812f9c7536f9f0cc4eb1e7d2354d8ae31a
Instruction ID: 74f5256f7b05cb3d54b39a8883d8df7c51a1bc5999892e39300c9a7f2f74089f
Opcode Fuzzy Hash: 94E0C24F6B8BE4A7600672443C237C2878AA6536918523721CB3E36A93DD472205BA15
Instruction Fuzzy Hash: 74f5256f7b05cb3d54b39a8883d8df7c51a1bc5999892e39300c9a7f2f74089f

APIs

CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 00488B3D
GetDeviceCaps.GDI32(00000000,00000008), ref: 00488B47
GetDeviceCaps.GDI32(00000000,0000000A), ref: 00488B54
EnumDisplayMonitors.USER32(00000000,00000000,004889F0,00000000), ref: 00488B85

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

DISPLAY, xrefs: 00488B6E
MONSIZE0x0x0x0, xrefs: 00488B8C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040F3A4, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 46 Total matches: 17

Similarity

Total matches: 17
API ID: FindResourceLoadResource
String ID: 0PI$DVCLAL
API String ID: 2359726220-2981686760
Opcode ID: 800224e7684f9999f87d4ef9ea60951ae4fbd73f3e4075522447f15a278b71b4
Instruction ID: dff53e867301dc3e22b70d9e69622cb382f13005f1a49077cfe6c5f33cacb54d
Opcode Fuzzy Hash: 8FD0C9D501084285852017F8B253FC7A2AB69DEB19D544BB05EB12D2076F5A613B6A46
Instruction Fuzzy Hash: dff53e867301dc3e22b70d9e69622cb382f13005f1a49077cfe6c5f33cacb54d

APIs

FindResourceA.KERNEL32(00400000,DVCLAL,0000000A), ref: 0040F3C1
LoadResource.KERNEL32(00400000,00000000,00400000,DVCLAL,0000000A), ref: 0040F3CF
FindResourceA.KERNEL32(00400000,DVCLAL,0000000A), ref: 0040F3F3
LoadResource.KERNEL32(00400000,00000000,00400000,DVCLAL,0000000A), ref: 0040F3FA

Strings

0PI, xrefs: 0040F3A8, 0040F3B9, 0040F3C7
DVCLAL, xrefs: 0040F3B4, 0040F3EA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043EC18, Relevance: 9.2, APIs: 6, Instructions: 150 Total matches: 2896

Similarity

Total matches: 2896
API ID: FillRect$BeginPaintEndPaintGetClientRectGetWindowRect
String ID:
API String ID: 2931688664-0
Opcode ID: 677a90f33c4a0bae1c1c90245e54b31fe376033ebf9183cf3cf5f44c7b342276
Instruction ID: 65c0a0a89661e183b73f48e61e48bee5eb6d6399339ac08e0e21072a38132552
Opcode Fuzzy Hash: 9711994A819E5007F47B49C40887BEA1092FBC1FDBCC8FF7025A426BCB0B60564F860B
Instruction Fuzzy Hash: 65c0a0a89661e183b73f48e61e48bee5eb6d6399339ac08e0e21072a38132552

APIs

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?), ref: 0043EC91
GetClientRect.USER32(00000000,?), ref: 0043ECBC
FillRect.USER32(?,?,00000000), ref: 0043ECDB

Part of subcall function 0043EB8C: CallWindowProcA.USER32(?,?,?,?,?), ref: 0043EBC6

Part of subcall function 0043B78C: GetWindowLongA.USER32(?,000000EC), ref: 0043B799
Part of subcall function 0043B78C: SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B7BC
Part of subcall function 0043B78C: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043B7CE

BeginPaint.USER32(?,?), ref: 0043ED53
GetWindowRect.USER32(?,?), ref: 0043ED80

Part of subcall function 0044EEA0: GetWindowOrgEx.GDI32(?), ref: 0044EEAE
Part of subcall function 0044EEA0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044EEC4

Part of subcall function 00455D50: BeginPaint.USER32(00000000,?), ref: 00455D7B
Part of subcall function 00455D50: SaveDC.GDI32(00000000), ref: 00455DB4
Part of subcall function 00455D50: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 00455E36
Part of subcall function 00455D50: RestoreDC.GDI32(00000000,00000000), ref: 00455E6C
Part of subcall function 00455D50: EndPaint.USER32(00000000,?), ref: 00455EA9

EndPaint.USER32(?,?), ref: 0043EDE0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00441160, Relevance: 9.1, APIs: 6, Instructions: 125 Total matches: 196

Similarity

Total matches: 196
API ID: ExcludeClipRectFillRectGetStockObjectRestoreDCSaveDCSetBkColor
String ID:
API String ID: 3049133588-0
Opcode ID: d6019f6cee828ac7391376ab126a0af33bb7a71103bbd3b8d69450c96d22d854
Instruction ID: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c
Opcode Fuzzy Hash: 54012444004F6253F4AB098428E7FA56083F721791CE4FF310786616C34A74615BAA07
Instruction Fuzzy Hash: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c

APIs

Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE

SaveDC.GDI32(?), ref: 004411AD
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00441234
GetStockObject.GDI32(00000004), ref: 00441256
FillRect.USER32(00000000,?,00000000), ref: 0044126F

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(00000000,00000000), ref: 004412BA

Part of subcall function 0042535C: FillRect.USER32(?,00000000,00000000), ref: 00425385

RestoreDC.GDI32(00000000,?), ref: 004412E5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446070, Relevance: 9.1, APIs: 6, Instructions: 99 Total matches: 165window

Similarity

Total matches: 165
API ID: DefWindowProcIsWindowEnabledSetActiveWindowSetFocusSetWindowPosShowWindow
String ID:
API String ID: 81093956-0
Opcode ID: 91e5e05e051b3e2f023c100c42454c78ad979d8871dc5c9cc7008693af0beda7
Instruction ID: aa6e88dcafe1d9e979c662542ea857fd259aca5c8034ba7b6c524572af4b0f27
Opcode Fuzzy Hash: C2F0DD0025452320F892A8044167FBA60622B5F75ACDCD3282197002AEEFE7507ABF14
Instruction Fuzzy Hash: aa6e88dcafe1d9e979c662542ea857fd259aca5c8034ba7b6c524572af4b0f27

APIs

Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773

SetActiveWindow.USER32(?), ref: 0044608F
ShowWindow.USER32(00000000,00000009), ref: 004460B4
IsWindowEnabled.USER32(00000000), ref: 004460D3
DefWindowProcA.USER32(?,00000112,0000F120,00000000), ref: 004460EC

Part of subcall function 00444C44: ShowWindow.USER32(?,00000006), ref: 00444C5F

SetWindowPos.USER32(?,00000000,00000000,?,?,00445ABE,00000000), ref: 00446132
SetFocus.USER32(00000000), ref: 00446180

Part of subcall function 0043FDB4: ShowWindow.USER32(00000000,?), ref: 0043FDEA

Part of subcall function 00445490: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000213), ref: 004454DE

Part of subcall function 004455EC: EnumWindows.USER32(00445518,00000000), ref: 00445620
Part of subcall function 004455EC: ShowWindow.USER32(?,00000000), ref: 00445655
Part of subcall function 004455EC: ShowOwnedPopups.USER32(00000000,?), ref: 00445684
Part of subcall function 004455EC: ShowWindow.USER32(?,00000005), ref: 004456EA
Part of subcall function 004455EC: ShowOwnedPopups.USER32(00000000,?), ref: 00445719

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426564, Relevance: 9.1, APIs: 6, Instructions: 84 Total matches: 3298

Similarity

Total matches: 3298
API ID: GetDeviceCapsGetSystemMetrics$GetDCReleaseDC
String ID:
API String ID: 3173458388-0
Opcode ID: fd9f4716da230ae71bf1f4ec74ceb596be8590d72bfe1d7677825fa15454f496
Instruction ID: 76208f8db54bfa31a4e946745ab37a866a8afca9cd7e1400b1f436bf5add317d
Opcode Fuzzy Hash: 0CF09E4906CDE0A230E245C41213F6290C28E85DA1CCD2F728175646EB900A900BB68A
Instruction Fuzzy Hash: 76208f8db54bfa31a4e946745ab37a866a8afca9cd7e1400b1f436bf5add317d

APIs

GetSystemMetrics.USER32(0000000B), ref: 004265B2
GetSystemMetrics.USER32(0000000C), ref: 004265BE
GetDC.USER32(00000000), ref: 004265DA
GetDeviceCaps.GDI32(00000000,0000000E), ref: 00426601
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042660E
ReleaseDC.USER32(00000000,00000000), ref: 00426647

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004269DC, Relevance: 9.1, APIs: 6, Instructions: 65 Total matches: 3081window

Similarity

Total matches: 3081
API ID: SelectPalette$CreateCompatibleDCDeleteDCGetDIBitsRealizePalette
String ID:
API String ID: 940258532-0
Opcode ID: c5678bed85b02f593c88b8d4df2de58c18800a354d7fb4845608846d7bc0f30b
Instruction ID: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194
Opcode Fuzzy Hash: BCE0864D058EF36F1875B08C25D267100C0C9A25D0917BB6151282339B8F09B42FE553
Instruction Fuzzy Hash: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194

APIs

Part of subcall function 00426888: GetObjectA.GDI32(?,00000054), ref: 0042689C

CreateCompatibleDC.GDI32(00000000), ref: 004269FE
SelectPalette.GDI32(?,?,00000000), ref: 00426A1F
RealizePalette.GDI32(?), ref: 00426A2B
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 00426A42
SelectPalette.GDI32(?,00000000,00000000), ref: 00426A6A
DeleteDC.GDI32(?), ref: 00426A73

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426210, Relevance: 9.1, APIs: 6, Instructions: 56 Total matches: 3064window

Similarity

Total matches: 3064
API ID: SelectObject$CreateCompatibleDCCreatePaletteDeleteDCGetDIBColorTable
String ID:
API String ID: 2522673167-0
Opcode ID: 8f0861977a40d6dd0df59c1c8ae10ba78c97ad85d117a83679491ebdeecf1838
Instruction ID: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265
Opcode Fuzzy Hash: 23E0CD8BABB4E08A797B9EA40440641D28F874312DF4347525731780E7DE0972EBFD9D
Instruction Fuzzy Hash: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265

APIs

CreateCompatibleDC.GDI32(00000000), ref: 00426229
SelectObject.GDI32(00000000,00000000), ref: 00426232
GetDIBColorTable.GDI32(00000000,00000000,00000100,?), ref: 00426246
SelectObject.GDI32(00000000,00000000), ref: 00426252
DeleteDC.GDI32(00000000), ref: 00426258
CreatePalette.GDI32 ref: 0042629F

Part of subcall function 00426178: GetDC.USER32(00000000), ref: 00426190
Part of subcall function 00426178: GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
Part of subcall function 00426178: ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004258EC, Relevance: 9.0, APIs: 6, Instructions: 43 Total matches: 3205

Similarity

Total matches: 3205
API ID: SetBkColorSetBkMode$SelectObjectUnrealizeObject
String ID:
API String ID: 865388446-0
Opcode ID: ffaa839b37925f52af571f244b4bcc9ec6d09047a190f4aa6a6dd435522a71e3
Instruction ID: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d
Opcode Fuzzy Hash: 04D09E594221F71A98E8058442D7D520586497D532DAF3B51063B173F7F8089A05D9FC
Instruction Fuzzy Hash: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d

APIs

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

UnrealizeObject.GDI32(00000000), ref: 004258F8
SelectObject.GDI32(?,00000000), ref: 0042590A
SetBkColor.GDI32(?,00000000), ref: 0042592D
SetBkMode.GDI32(?,00000002), ref: 00425938

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(?,00000000), ref: 00425953
SetBkMode.GDI32(?,00000001), ref: 0042595E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042A930, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 112 Total matches: 272window

Similarity

Total matches: 272
API ID: CreateHalftonePaletteDeleteObjectGetDCReleaseDC
String ID: (
API String ID: 5888407-3887548279
Opcode ID: 4e22601666aff46a46581565b5bf303763a07c2fd17868808ec6dd327d665c82
Instruction ID: f57f3c124764741b0e8e00b5455ad9be4a6e3969f543885727e4b1f2e22c0620
Opcode Fuzzy Hash: 79019E5241CC6117F8D7A6547852F732644AB806A5C80FB707B69BA8CFAB85610EB90B
Instruction Fuzzy Hash: f57f3c124764741b0e8e00b5455ad9be4a6e3969f543885727e4b1f2e22c0620

APIs

GetDC.USER32(00000000), ref: 0042A9EC
CreateHalftonePalette.GDI32(00000000), ref: 0042A9F9
ReleaseDC.USER32(00000000,00000000), ref: 0042AA08
DeleteObject.GDI32(00000000), ref: 0042AA76

Strings

(, xrefs: 0042A9A3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DA48, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 102 Total matches: 32

Similarity

Total matches: 32
API ID: Netbios
String ID: %.2x-%.2x-%.2x-%.2x-%.2x-%.2x$3$memory allocation failed!
API String ID: 544444789-2654533857
Opcode ID: 22deb5ba4c8dd5858e69645675ac88c4b744798eed5cc2a6ae80ae5365d1f156
Instruction ID: 205d53b38d78d2d0723284a20418f6a6cc2e9f6e34ee92e133a3f4b1a01c78c5
Opcode Fuzzy Hash: FC0145449793E233D2635E086C60F6823228F41731FC96B56863A557DC1F09420EF26F
Instruction Fuzzy Hash: 205d53b38d78d2d0723284a20418f6a6cc2e9f6e34ee92e133a3f4b1a01c78c5

APIs

Netbios.NETAPI32(00000032), ref: 0048DA8A
Netbios.NETAPI32(00000033), ref: 0048DB01

Strings

3, xrefs: 0048DACB
memory allocation failed!, xrefs: 0048DAEB
%.2x-%.2x-%.2x-%.2x-%.2x-%.2x, xrefs: 0048DBA0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482320, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85 Total matches: 19threadsleep

Similarity

Total matches: 19
API ID: CreateThreadExitThreadSleep
String ID: @$BTRESULTUDP Flood|UDP Flood task finished!|
API String ID: 2170526433-696998096
Opcode ID: 89b2bcb3a41e7f4c01433908cc75e320bbcd6b665df0f15f136d145bd92b223a
Instruction ID: ba785c08286949be7b8d16e5cc6bc2a647116c61844ba5f345475ef84eb05628
Opcode Fuzzy Hash: F0F02B696BCAA1DFE8075C446C42B9B2054DBC740EDCBA7B2261B235819A4A34073F13
Instruction Fuzzy Hash: ba785c08286949be7b8d16e5cc6bc2a647116c61844ba5f345475ef84eb05628

APIs

Sleep.KERNEL32(00000064,?,00000000,00482455), ref: 004823D3
CreateThread.KERNEL32(00000000,00000000,Function_000821A0,00000000,00000000,?), ref: 004823E8

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000,00000000,00000000,Function_000821A0,00000000,00000000,?,00000064,?,00000000,00482455), ref: 0048242B

Strings

@, xrefs: 004823BE
BTRESULTUDP Flood|UDP Flood task finished!|, xrefs: 00482417

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004827C4, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85 Total matches: 19threadsleep

Similarity

Total matches: 19
API ID: CreateThreadExitThreadSleep
String ID: @$BTRESULTSyn Flood|Syn task finished!|
API String ID: 2170526433-491318438
Opcode ID: 44470ceb4039b0deeebf49dfd608d8deeadfb9ebb9d7d747ae665e3d160d324e
Instruction ID: 0c48cfc9b202c7a9406c9b87cea66b669ffe7f04b2bdabee49179f6eebcccd33
Opcode Fuzzy Hash: 17F02B24A7D9B5DFEC075D402D42BDB6254EBC784EDCAA7B29257234819E1A30037713
Instruction Fuzzy Hash: 0c48cfc9b202c7a9406c9b87cea66b669ffe7f04b2bdabee49179f6eebcccd33

APIs

Sleep.KERNEL32(00000064,?,00000000,004828F9), ref: 00482877
CreateThread.KERNEL32(00000000,00000000,Function_00082630,00000000,00000000,?), ref: 0048288C

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000,00000000,00000000,Function_00082630,00000000,00000000,?,00000064,?,00000000,004828F9), ref: 004828CF

Strings

BTRESULTSyn Flood|Syn task finished!|, xrefs: 004828BB
@, xrefs: 00482862

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00483858, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85 Total matches: 19threadsleep

Similarity

Total matches: 19
API ID: CreateThreadExitThreadSleep
String ID: @$BTRESULTHTTP Flood|Http Flood task finished!|
API String ID: 2170526433-4253556105
Opcode ID: ce1973b24f73c03e98cc87b7d8b3c5c1d23a0e8b985775cb0889d2fdef58f970
Instruction ID: 21c0fad9eccbf28bfd57fbbbc49df069a42e3d2ebba60de991032031fecca495
Opcode Fuzzy Hash: 5DF0F61467DBA0AFEC476D403852FDB6254DBC344EDCAA7B2961B234919A0B50072752
Instruction Fuzzy Hash: 21c0fad9eccbf28bfd57fbbbc49df069a42e3d2ebba60de991032031fecca495

APIs

Sleep.KERNEL32(00000064,?,00000000,0048398D), ref: 0048390B
CreateThread.KERNEL32(00000000,00000000,Function_000836D8,00000000,00000000,?), ref: 00483920

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000,00000000,00000000,Function_000836D8,00000000,00000000,?,00000064,?,00000000,0048398D), ref: 00483963

Strings

@, xrefs: 004838F6
BTRESULTHTTP Flood|Http Flood task finished!|, xrefs: 0048394F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EA7C, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50 Total matches: 198thread

Similarity

Total matches: 198
API ID: FindWindowExGetCurrentThreadIdGetWindowThreadProcessIdIsWindow
String ID: OleMainThreadWndClass
API String ID: 201132107-3883841218
Opcode ID: cdbacb71e4e8a6832b821703e69153792bbbb8731c9381be4d3b148a6057b293
Instruction ID: 62358f18f5a79d764869bf2b093b0b3ccaeb62bda00a46bd1094c38cdaeeb6b7
Opcode Fuzzy Hash: F8E08C9266CC1095C039EA1C7A2237A3548B7D24E9ED4DB747BEB2716CEF00022A7780
Instruction Fuzzy Hash: 62358f18f5a79d764869bf2b093b0b3ccaeb62bda00a46bd1094c38cdaeeb6b7

APIs

Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00000000,00403029), ref: 004076AD
Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00403029), ref: 004076BE

IsWindow.USER32(?), ref: 0042EA99
FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
GetCurrentThreadId.KERNEL32(?,00000000,00000000,00000000,OleMainThreadWndClass,00000000,?,?,00000000,0042EB52), ref: 0042EB0A

Strings

OleMainThreadWndClass, xrefs: 0042EAC3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043F914, Relevance: 7.7, APIs: 5, Instructions: 174 Total matches: 113window

Similarity

Total matches: 113
API ID: SetMenu$GetMenuSetWindowPos
String ID:
API String ID: 2285096500-0
Opcode ID: d0722823978f30f9d251a310f9061108e88e98677dd122370550f2cde24528f3
Instruction ID: e705ced47481df034b79e2c10a9e9c5239c9913cd23e0c77b7b1ec0a0db802ed
Opcode Fuzzy Hash: 5F118B40961E1266F846164C19EAF1171E6BB9D305CC4E72083E630396BE085027E773
Instruction Fuzzy Hash: e705ced47481df034b79e2c10a9e9c5239c9913cd23e0c77b7b1ec0a0db802ed

APIs

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetMenu.USER32(00000000), ref: 0043FA38
SetMenu.USER32(00000000,00000000), ref: 0043FA55
SetMenu.USER32(00000000,00000000), ref: 0043FA8A
SetMenu.USER32(00000000,00000000), ref: 0043FAA6

Part of subcall function 0043F84C: GetMenu.USER32(00000000), ref: 0043F892
Part of subcall function 0043F84C: SendMessageA.USER32(00000000,00000230,00000000,00000000), ref: 0043F8AA
Part of subcall function 0043F84C: DrawMenuBar.USER32(00000000), ref: 0043F8BB

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043FAED

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434AE4, Relevance: 7.7, APIs: 5, Instructions: 168 Total matches: 2874

Similarity

Total matches: 2874
API ID: DrawTextOffsetRect$DrawEdge
String ID:
API String ID: 1230182654-0
Opcode ID: 4033270dfa35f51a11e18255a4f5fd5a4a02456381e8fcea90fa62f052767fcc
Instruction ID: 6b9e5ef3b45a4a7d0cb501c9f56a29ead01efbe1e1581f942ef4c6a165ab8663
Opcode Fuzzy Hash: A511CB01114D5A93E431240815A7FEF1295FBC1A9BCD4BB71078636DBB2F481017EA7B
Instruction Fuzzy Hash: 6b9e5ef3b45a4a7d0cb501c9f56a29ead01efbe1e1581f942ef4c6a165ab8663

APIs

DrawEdge.USER32(00000000,?,00000006,00000002), ref: 00434BB3
OffsetRect.USER32(?,00000001,00000001), ref: 00434C04
DrawTextA.USER32(00000000,00000000,?,?,?), ref: 00434C3D
OffsetRect.USER32(?,000000FF,000000FF), ref: 00434C4A

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

DrawTextA.USER32(00000000,00000000,?,?,?), ref: 00434CB5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00473208, Relevance: 7.6, APIs: 5, Instructions: 114 Total matches: 15network

Similarity

Total matches: 15
API ID: inet_ntoa$WSAIoctlclosesocketsocket
String ID:
API String ID: 2271367613-0
Opcode ID: 03e2a706dc22aa37b7c7fcd13714bf4270951a4113eb29807a237e9173ed7bd6
Instruction ID: 676ba8df3318004e6f71ddf2b158507320f00f5068622334a9372202104f6e6f
Opcode Fuzzy Hash: A0F0AC403B69D14384153BC72A80F5971A2872F33ED4833999230986D7984CA018F529
Instruction Fuzzy Hash: 676ba8df3318004e6f71ddf2b158507320f00f5068622334a9372202104f6e6f

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00473339), ref: 0047323B
WSAIoctl.WS2_32(000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000), ref: 0047327C
inet_ntoa.WSOCK32(?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000), ref: 004732AC
inet_ntoa.WSOCK32(?,?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001), ref: 004732E8
closesocket.WSOCK32(000000FF,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000,00000000,00473339), ref: 00473319

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004455EC, Relevance: 7.6, APIs: 5, Instructions: 109 Total matches: 230

Similarity

Total matches: 230
API ID: ShowOwnedPopupsShowWindow$EnumWindows
String ID:
API String ID: 1268429734-0
Opcode ID: 27bb45b2951756069d4f131311b8216febb656800ffc3f7147a02f570a82fa35
Instruction ID: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc
Opcode Fuzzy Hash: 70012B5524E87325E2756D54B01C765A2239B0FF08CE6C6654AAE640F75E1E0132F78D
Instruction Fuzzy Hash: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc

APIs

EnumWindows.USER32(00445518,00000000), ref: 00445620
ShowWindow.USER32(?,00000000), ref: 00445655
ShowOwnedPopups.USER32(00000000,?), ref: 00445684
ShowWindow.USER32(?,00000005), ref: 004456EA
ShowOwnedPopups.USER32(00000000,?), ref: 00445719

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004878A4, Relevance: 7.6, APIs: 5, Instructions: 109 Total matches: 11memorythread

Similarity

Total matches: 11
API ID: CloseHandleCreateThreadEnterCriticalSectionLeaveCriticalSectionLocalAlloc
String ID:
API String ID: 3024079611-0
Opcode ID: 4dd964c7e1c4b679be799535e5517f4cba33e810e34606c0a9d5c033aa3fe8c9
Instruction ID: efb3d4a77ffd09126bc7d7eb87c1fe64908b5695ecb93dc64bf5137c0ac50147
Opcode Fuzzy Hash: 7E01288913DAD457BD6068883C86EE705A95BA2508E0C67B34F2E392834F1A5125F283
Instruction Fuzzy Hash: efb3d4a77ffd09126bc7d7eb87c1fe64908b5695ecb93dc64bf5137c0ac50147

APIs

EnterCriticalSection.KERNEL32(0049C3A8,00000000,00487A08), ref: 004878F3

Part of subcall function 00487318: EnterCriticalSection.KERNEL32(0049C3A8,00000000,00487468,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00487347
Part of subcall function 00487318: LeaveCriticalSection.KERNEL32(0049C3A8,0048744D,00487468,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00487440

LocalAlloc.KERNEL32(00000040,00000010,?,0049C3A8,00000000,00487A08), ref: 0048795A
CreateThread.KERNEL32(00000000,00000000,Function_00086E2C,00000000,00000000,?), ref: 004879AE
CloseHandle.KERNEL32(00000000), ref: 004879B4
LeaveCriticalSection.KERNEL32(0049C3A8,004879D8,Function_00086E2C,00000000,00000000,?,00000040,00000010,?,0049C3A8,00000000,00487A08), ref: 004879CB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EB3C, Relevance: 7.6, APIs: 5, Instructions: 86 Total matches: 211window

Similarity

Total matches: 211
API ID: DispatchMessageMsgWaitForMultipleObjectsExPeekMessageTranslateMessageWaitForMultipleObjectsEx
String ID:
API String ID: 1615661765-0
Opcode ID: ed928f70f25773e24e868fbc7ee7d77a1156b106903410d7e84db0537b49759f
Instruction ID: 55a40452e6c929106030349fb2bc1598364ce2fc4e781c2a916e8f687fa462b2
Opcode Fuzzy Hash: DDF05C09614F1D16D8BB88644562B1B2144AB42397C26BFA5529EE3B2D6B18B00AF640
Instruction Fuzzy Hash: 55a40452e6c929106030349fb2bc1598364ce2fc4e781c2a916e8f687fa462b2

APIs

Part of subcall function 0042EA7C: IsWindow.USER32(?), ref: 0042EA99
Part of subcall function 0042EA7C: FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
Part of subcall function 0042EA7C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
Part of subcall function 0042EA7C: GetCurrentThreadId.KERNEL32(?,00000000,00000000,00000000,OleMainThreadWndClass,00000000,?,?,00000000,0042EB52), ref: 0042EB0A

MsgWaitForMultipleObjectsEx.USER32(?,?,?,000000BF,?), ref: 0042EB6A
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 0042EB85
TranslateMessage.USER32(?), ref: 0042EB92
DispatchMessageA.USER32(?), ref: 0042EB9B
WaitForMultipleObjectsEx.KERNEL32(?,?,?,?,00000000), ref: 0042EBC7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434924, Relevance: 7.6, APIs: 5, Instructions: 77 Total matches: 2509window

Similarity

Total matches: 2509
API ID: GetMenuItemCount$DestroyMenuGetMenuStateRemoveMenu
String ID:
API String ID: 4240291783-0
Opcode ID: 32de4ad86fdb0cc9fc982d04928276717e3a5babd97d9cb0bc7430a9ae97d0ca
Instruction ID: cf6877f9ad33401498591f2bf6e6844a5ca439f59e89e6fdb213c81f0c010526
Opcode Fuzzy Hash: 6BE02BD3455E4703F425AB0454E3FA913C4AF51716DA0DB1017359D07B1F26501FE9F4
Instruction Fuzzy Hash: cf6877f9ad33401498591f2bf6e6844a5ca439f59e89e6fdb213c81f0c010526

APIs

Part of subcall function 00434A54: CreatePopupMenu.USER32 ref: 00434A6F
Part of subcall function 00434A54: CreateMenu.USER32 ref: 00434A79

GetMenuItemCount.USER32(00000000), ref: 0043495C
GetMenuState.USER32(00000000,-00000001,00000400), ref: 0043497D
RemoveMenu.USER32(00000000,-00000001,00000400), ref: 00434994
GetMenuItemCount.USER32(00000000), ref: 004349C4
DestroyMenu.USER32(00000000), ref: 004349D1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00443430, Relevance: 7.6, APIs: 5, Instructions: 61 Total matches: 3003

Similarity

Total matches: 3003
API ID: SetWindowLong$GetWindowLongRedrawWindowSetLayeredWindowAttributes
String ID:
API String ID: 3761630487-0
Opcode ID: 9c9d49d1ef37d7cb503f07450c0d4a327eb9b2b4778ec50dcfdba666c10abcb3
Instruction ID: c6d9d2cd31c241e86b7d90949bf59b5cad1e27a78e0073c3828bbb8e9ec94880
Opcode Fuzzy Hash: 6AE06550D41703A1D48114945B63FBBE8817F8911DDE5C71001BA29145BA88A192FF7B
Instruction Fuzzy Hash: c6d9d2cd31c241e86b7d90949bf59b5cad1e27a78e0073c3828bbb8e9ec94880

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 00443464
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 00443496
SetLayeredWindowAttributes.USER32(00000000,?,?,00000000), ref: 004434CF
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 004434E8
RedrawWindow.USER32(00000000,00000000,00000000,00000485), ref: 004434FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426178, Relevance: 7.6, APIs: 5, Instructions: 55 Total matches: 3070window

Similarity

Total matches: 3070
API ID: GetPaletteEntries$GetDCGetDeviceCapsReleaseDC
String ID:
API String ID: 1267235336-0
Opcode ID: 49f91625e0dd571c489fa6fdad89a91e8dd79834746e98589081ca7a3a4fea17
Instruction ID: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836
Opcode Fuzzy Hash: 7CD0C2AA1389DBD6BD6A17842352A4553478983B09D126B32EB0822872850C5039FD1F
Instruction Fuzzy Hash: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836

APIs

GetDC.USER32(00000000), ref: 00426190
GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444B90, Relevance: 7.5, APIs: 5, Instructions: 25 Total matches: 2957synchronizationthread

Similarity

Total matches: 2957
API ID: CloseHandleGetCurrentThreadIdSetEventUnhookWindowsHookExWaitForSingleObject
String ID:
API String ID: 3442057731-0
Opcode ID: bc40a7f740796d43594237fc13166084f8c3b10e9e48d5138e47e82ca7129165
Instruction ID: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1
Opcode Fuzzy Hash: E9C01296B2C9B0C1EC809712340202800B20F8FC590E3DE0509D7363005315D73CD92C
Instruction Fuzzy Hash: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1

APIs

UnhookWindowsHookEx.USER32(00000000), ref: 00444B9F
SetEvent.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBA
GetCurrentThreadId.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBF
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00444BD4
CloseHandle.KERNEL32(00000000), ref: 00444BDF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040D670, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148 Total matches: 3566thread

Similarity

Total matches: 3566
API ID: GetThreadLocale
String ID: eeee$ggg$yyyy
API String ID: 1366207816-1253427255
Opcode ID: 86fa1fb3c1f239f42422769255d2b4db7643f856ec586a18d45da068e260c20e
Instruction ID: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436
Opcode Fuzzy Hash: 3911BD8712648363D5722818A0D2BE3199C5703CA4EA89742DDB6356EA7F09440BEE6D
Instruction Fuzzy Hash: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436

APIs

GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Strings

eeee, xrefs: 0040D7AE
yyyy, xrefs: 0040D795
ggg, xrefs: 0040D785

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F5E4, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72 Total matches: 26window

Similarity

Total matches: 26
API ID: GetWindowPlacementGetWindowTextIsWindowVisible
String ID: ,
API String ID: 41250382-3772416878
Opcode ID: d98ece8bad481757d152ad7594c705093dec75069e9b5f9ec314c4d81001c558
Instruction ID: 1b57460ef1e40e225087e69e669dd845b9a56fe4f5442601256b4cdd4d0865f6
Opcode Fuzzy Hash: DBE0ABC68782816BD907FDCCB0207E6E1E4779394CC8CBB32C606396E44D92000DCE69
Instruction Fuzzy Hash: 1b57460ef1e40e225087e69e669dd845b9a56fe4f5442601256b4cdd4d0865f6

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F634
GetWindowPlacement.USER32(?,0000002C), ref: 0046F64F
IsWindowVisible.USER32(?), ref: 0046F655

Strings

,, xrefs: 0046F643

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00485150, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64 Total matches: 24registry

Similarity

Total matches: 24
API ID: RegCloseKeyRegOpenKeyRegSetValueEx
String ID: Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 551737238-1428018034
Opcode ID: 03d06dea9a4ea131a8c95bd501c85e7d0b73df60e0a15cb9a2dd1ac9fe2d308f
Instruction ID: 259808f008cd29689f11a183a475b32bbb219f99a0f83129d86369365ce9f44d
Opcode Fuzzy Hash: 15E04F8517EAE2ABA996B5C838866F7609A9713790F443FB19B742F18B4F04601CE243
Instruction Fuzzy Hash: 259808f008cd29689f11a183a475b32bbb219f99a0f83129d86369365ce9f44d

APIs

RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 00485199
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,?,00000000,004851DE,?,00000000,0048520A), ref: 004851C6
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,?,00000000,004851DE,?,00000000,0048520A), ref: 004851CF

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 0048518F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004606CC, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 59 Total matches: 75network

Similarity

Total matches: 75
API ID: gethostbynameinet_addr
String ID: %d.%d.%d.%d$0.0.0.0
API String ID: 1594361348-464342551
Opcode ID: 7e59b623bdbf8c44b8bb58eaa9a1d1e7bf08be48a025104469b389075155053e
Instruction ID: 136b4077bafd549567cd44b702fc781b2d0bdeab701521d256d746d30229b047
Opcode Fuzzy Hash: 62E0D84049F633C28038E685914DF713041C71A2DEF8F9352022171EF72B096986AE3F
Instruction Fuzzy Hash: 136b4077bafd549567cd44b702fc781b2d0bdeab701521d256d746d30229b047

APIs

inet_addr.WSOCK32(00000000), ref: 004606F6
gethostbyname.WSOCK32(00000000), ref: 00460711

Strings

%d.%d.%d.%d, xrefs: 0046075E
0.0.0.0, xrefs: 0046076C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043804C, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58 Total matches: 1778window

Similarity

Total matches: 1778
API ID: DrawMenuBarGetMenuItemInfoSetMenuItemInfo
String ID: P
API String ID: 41131186-3110715001
Opcode ID: ea0fd48338f9c30b58f928f856343979a74bbe7af1b6c53973efcbd39561a32d
Instruction ID: eec9c326b6739cd85be96541f469f9b321a478421ae7c7aca53e0c239bd8eefe
Opcode Fuzzy Hash: C8E0C0C1064C1301CCACB4938564F010221FB8B33CDD1D3C051602419A9D0080D4BFFA
Instruction Fuzzy Hash: eec9c326b6739cd85be96541f469f9b321a478421ae7c7aca53e0c239bd8eefe

APIs

GetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 0043809A
SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 004380EC
DrawMenuBar.USER32(00000000), ref: 004380F9

Strings

P, xrefs: 0043808C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474E20, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51 Total matches: 17synchronizationthreadinjection

Similarity

Total matches: 17
API ID: CreateRemoteThreadReadProcessMemoryWaitForSingleObject
String ID: DCPERSFWBP
API String ID: 972516186-2425095734
Opcode ID: c4bd10bfc42c7bc3ca456a767018bd77f736aecaa9343146970cff40bb4593b6
Instruction ID: 075115d4d80338f80b59a5c3f9ea77aa0f3a1cab00edb24ce612801bf173fcc5
Opcode Fuzzy Hash: 63D0A70B97094A56102D348D54027154341A601775EC177E38E36873F719C17051F85E
Instruction Fuzzy Hash: 075115d4d80338f80b59a5c3f9ea77aa0f3a1cab00edb24ce612801bf173fcc5

APIs

Part of subcall function 00474DF0: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,00475328,?,?,00474E3D,DCPERSFWBP,?,?), ref: 00474E06
Part of subcall function 00474DF0: WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,00000000,?,00003000,00000040,?,?,00475328,?,?,00474E3D), ref: 00474E12

CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00474E5E
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00474E6E
ReadProcessMemory.KERNEL32(?,00000000,?,?,?,DCPERSFWBP,?,?), ref: 00474E81

Strings

DCPERSFWBP, xrefs: 00474E28

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C3E4, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47 Total matches: 32libraryloader

Similarity

Total matches: 32
API ID: FreeLibraryGetProcAddressLoadLibrary
String ID: _DCEntryPoint
API String ID: 2438569322-2130044969
Opcode ID: ab6be07d423f29e2cef18b5ad5ff21cef58c0bd0bd6b8b884c8bb9d8d911d098
Instruction ID: 3cba8b520013dd4b177f9c32272ffd10ecf318a20762e1e9fa694429cf7511db
Opcode Fuzzy Hash: B9D0C2568747D413C405200439407D90CF1AF8719F9967FA145303FAD76F09801B7527
Instruction Fuzzy Hash: 3cba8b520013dd4b177f9c32272ffd10ecf318a20762e1e9fa694429cf7511db

APIs

LoadLibraryA.KERNEL32(00000000), ref: 0048C431
GetProcAddress.KERNEL32(00000000,_DCEntryPoint,00000000,0048C473), ref: 0048C442
FreeLibrary.KERNEL32(00000000), ref: 0048C44A

Strings

_DCEntryPoint, xrefs: 0048C43C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046D36C, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36 Total matches: 62

Similarity

Total matches: 62
API ID: ShellExecute
String ID: /k $[FILE]$open
API String ID: 2101921698-3009165984
Opcode ID: 68a05d7cd04e1a973318a0f22a03b327e58ffdc8906febc8617c9713a9b295c3
Instruction ID: d64fb813625eb261c687c2654e5203d30067de4ace02db37851750b48dd66fbf
Opcode Fuzzy Hash: FED0C75427CD9157FA017F8439527E61057E747281D481BE285587A0838F8D40659312
Instruction Fuzzy Hash: d64fb813625eb261c687c2654e5203d30067de4ace02db37851750b48dd66fbf

APIs

ShellExecuteA.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0046D3B9

Strings

/k , xrefs: 0046D39A
cmd.exe, xrefs: 0046D3AD
open, xrefs: 0046D3B2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042F9E4, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36 Total matches: 35libraryloader

Similarity

Total matches: 35
API ID: GetProcAddressLoadLibrary
String ID: DWMAPI.DLL$DwmExtendFrameIntoClientArea
API String ID: 3291547091-2956373744
Opcode ID: cc41b93bac7ef77e5c5829331b5f2d91e10911707bc9e4b3bb75284856726923
Instruction ID: 611aa7263024d751f308fb3d57e5af9092bc5a71ac2d52dead79affe02cb0da7
Opcode Fuzzy Hash: D0D0A7E4C08511B0F0509405703078241DE1BC5EEE8860E90150E533621B9FB827F65C
Instruction Fuzzy Hash: 611aa7263024d751f308fb3d57e5af9092bc5a71ac2d52dead79affe02cb0da7

APIs

LoadLibraryA.KERNEL32(DWMAPI.DLL), ref: 0042FA0E
GetProcAddress.KERNEL32(00000000,DwmExtendFrameIntoClientArea,?,?,?,00447F98), ref: 0042FA31

Strings

DWMAPI.DLL, xrefs: 0042FA09
DwmExtendFrameIntoClientArea, xrefs: 0042FA26

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042FA80, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31 Total matches: 41libraryloader

Similarity

Total matches: 41
API ID: GetProcAddressLoadLibrary
String ID: DWMAPI.DLL$DwmIsCompositionEnabled
API String ID: 3291547091-2128843254
Opcode ID: 903d86e3198bc805c96c7b960047695f5ec88b3268c29fda1165ed3f3bc36d22
Instruction ID: 6cdb37f6684ca359e010f835ed4616ce0f7732468e0f2b98b5f1960530870703
Opcode Fuzzy Hash: E3D0C9A5C0865175F571D509713068081FA23D6E8A8824998091A123225FAFB866F55C
Instruction Fuzzy Hash: 6cdb37f6684ca359e010f835ed4616ce0f7732468e0f2b98b5f1960530870703

APIs

LoadLibraryA.KERNEL32(DWMAPI.DLL), ref: 0042FAA6
GetProcAddress.KERNEL32(00000000,DwmIsCompositionEnabled,?,?,0042FB22,?,00447EFB), ref: 0042FAC9

Strings

DwmIsCompositionEnabled, xrefs: 0042FABE
DWMAPI.DLL, xrefs: 0042FAA1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040F4AC, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16 Total matches: 3137libraryloader

Similarity

Total matches: 3137
API ID: GetModuleHandleGetProcAddress
String ID: GetDiskFreeSpaceExA$[FILE]
API String ID: 1063276154-3559590856
Opcode ID: c33e0a58fb58839ae40c410e06ae8006a4b80140bf923832b2d6dbd30699e00d
Instruction ID: 9d6a6771c1a736381c701344b3d7b8e37c98dfc5013332f68a512772380f22cc
Opcode Fuzzy Hash: D8B09224E0D54114C4B4560930610013C82738A10E5019A820A1B720AA7CCEEA29603A
Instruction Fuzzy Hash: 9d6a6771c1a736381c701344b3d7b8e37c98dfc5013332f68a512772380f22cc

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0048F10B,00000000,0048F11E), ref: 0040F4B2
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA,kernel32.dll,?,0048F10B,00000000,0048F11E), ref: 0040F4C3

Strings

GetDiskFreeSpaceExA, xrefs: 0040F4BD
kernel32.dll, xrefs: 0040F4AD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EC20, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15 Total matches: 48libraryloader

Similarity

Total matches: 48
API ID: GetModuleHandleGetProcAddress
String ID: CoWaitForMultipleHandles$[FILE]
API String ID: 1063276154-3065170753
Opcode ID: c6d715972c75e747e6d7ad7506eebf8b4c41a2b527cd9bc54a775635c050cd0f
Instruction ID: d81c7de5bd030b21af5c52a75e3162b073d887a4de1eb555b8966bd0fb9ec815
Opcode Fuzzy Hash: 4DB012F9A0C9210CE55F44043163004ACF031C1B5F002FD461637827803F86F437631D
Instruction Fuzzy Hash: d81c7de5bd030b21af5c52a75e3162b073d887a4de1eb555b8966bd0fb9ec815

APIs

GetModuleHandleA.KERNEL32(ole32.dll,?,0042EC9A), ref: 0042EC26
GetProcAddress.KERNEL32(00000000,CoWaitForMultipleHandles,ole32.dll,?,0042EC9A), ref: 0042EC37

Strings

CoWaitForMultipleHandles, xrefs: 0042EC31
ole32.dll, xrefs: 0042EC21

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E724, Relevance: 6.2, APIs: 4, Instructions: 198 Total matches: 19

Similarity

Total matches: 19
API ID: NetApiBufferFree$NetShareEnumNetShareGetInfo
String ID:
API String ID: 1922012051-0
Opcode ID: 7e64b2910944434402afba410b58d9b92ec59018d54871fdfc00dd5faf96720b
Instruction ID: 14ccafa2cf6417a1fbed620c270814ec7f2ac7381c92f106b89344cab9500d3f
Opcode Fuzzy Hash: 522148C606BDA0ABF6A3B4C4B447FC182D07B0B96DE486B2290BABD5C20D9521079263
Instruction Fuzzy Hash: 14ccafa2cf6417a1fbed620c270814ec7f2ac7381c92f106b89344cab9500d3f

APIs

Part of subcall function 004032F8: GetCommandLineA.KERNEL32(00000000,00403349,?,?,?,00000000), ref: 0040330F

Part of subcall function 00403358: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,0046E763,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0040337C
Part of subcall function 00403358: GetCommandLineA.KERNEL32(?,?,?,0046E763,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0040338E

NetShareEnum.NETAPI32(?,00000000,?,000000FF,?,?,?,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0046E79C
NetShareGetInfo.NETAPI32(?,?,000001F6,?,00000000,0046E945,?,?,00000000,?,000000FF,?,?,?,00000000,0046E984), ref: 0046E7D5
NetApiBufferFree.NETAPI32(?,?,?,000001F6,?,00000000,0046E945,?,?,00000000,?,000000FF,?,?,?,00000000), ref: 0046E936
NetApiBufferFree.NETAPI32(?,?,00000000,?,000000FF,?,?,?,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0046E964

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00411444, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: 954335058d5fe722e048a186d9110509c96c1379a47649d8646f5b9e1a2e0a0b
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: 9D014B0327CAAA867021BB004882FA0D2D4DE52A369CD8774DB71593F62780571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004114F3
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041150F
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411586
VariantClear.OLEAUT32(?), ref: 004115AF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040D8AA, Relevance: 6.1, APIs: 4, Instructions: 101 Total matches: 2563

Similarity

Total matches: 2563
API ID: GetModuleFileName$LoadStringVirtualQuery
String ID:
API String ID: 2941097594-0
Opcode ID: 9f707685a8ca2ccbfc71ad53c7f9b5a8f910bda01de382648e3a286d4dcbad8b
Instruction ID: 9b6f9daabaaed01363acd1bc6df000eeaee8c5b1ee04e659690c8b100997f9f3
Opcode Fuzzy Hash: 4C014C024365E386F4234B112882F5492E0DB65DB1E8C6751EFB9503F65F40115EF72D
Instruction Fuzzy Hash: 9b6f9daabaaed01363acd1bc6df000eeaee8c5b1ee04e659690c8b100997f9f3

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040D8C9
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040D8ED
GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040D908
LoadStringA.USER32(00000000,0000FFED,?,00000100), ref: 0040D99E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428848, Relevance: 6.1, APIs: 4, Instructions: 83 Total matches: 2913window

Similarity

Total matches: 2913
API ID: CreateCompatibleDCRealizePaletteSelectObjectSelectPalette
String ID:
API String ID: 3833105616-0
Opcode ID: 7f49dee69bcd38fda082a6c54f39db5f53dba16227df2c2f18840f8cf7895046
Instruction ID: 29ada319a87402adac0eebea4d3b1ef9d21249ffa1523adf5174efdc3c3390a2
Opcode Fuzzy Hash: C0F0E5870BCED49BFCA7D484249722910C2F3C08DFC80A3324E55676DB9604B127A20B
Instruction Fuzzy Hash: 29ada319a87402adac0eebea4d3b1ef9d21249ffa1523adf5174efdc3c3390a2

APIs

Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE

Part of subcall function 00429D5C: GetDC.USER32(00000000), ref: 00429DB2
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429DC7
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00429DD1
Part of subcall function 00429D5C: CreateHalftonePalette.GDI32(00000000), ref: 00429DF5
Part of subcall function 00429D5C: ReleaseDC.USER32(00000000,00000000), ref: 00429E00

CreateCompatibleDC.GDI32(00000000), ref: 0042889D
SelectObject.GDI32(00000000,?), ref: 004288B6
SelectPalette.GDI32(00000000,?,000000FF), ref: 004288DF
RealizePalette.GDI32(00000000), ref: 004288EB

Part of subcall function 00425608: LeaveCriticalSection.KERNEL32(00000038,00000000,00423DD2,00423DE8), ref: 0042560F
Part of subcall function 00425608: EnterCriticalSection.KERNEL32(00499A30,00000038,00000000,00423DD2,00423DE8), ref: 00425619
Part of subcall function 00425608: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000038,00000000,00423DD2,00423DE8), ref: 00425626

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00470B94, Relevance: 6.1, APIs: 4, Instructions: 73 Total matches: 22file

Similarity

Total matches: 22
API ID: DragQueryFile$GlobalLockGlobalUnlock
String ID:
API String ID: 367920443-0
Opcode ID: 498cda1e803d17a6f5118466ea9165dd9226bd8025a920d397bde98fe09ca515
Instruction ID: b8ae27aaf29c7a970dfd4945759f76c89711bef1c6f8db22077be54f479f9734
Opcode Fuzzy Hash: F8F05C830F79E26BD5013A844E0179401A17B03DB8F147BB2D232729DC4E5D409DF60F
Instruction Fuzzy Hash: b8ae27aaf29c7a970dfd4945759f76c89711bef1c6f8db22077be54f479f9734

APIs

Part of subcall function 00431970: GetClipboardData.USER32(00000000), ref: 00431996

GlobalLock.KERNEL32(00000000,00000000,00470C74), ref: 00470BDE
DragQueryFileA.SHELL32(?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470BF0
DragQueryFileA.SHELL32(?,00000000,?,00000105,?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470C10
GlobalUnlock.KERNEL32(00000000,?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470C56

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00438710, Relevance: 6.1, APIs: 4, Instructions: 72 Total matches: 3034window

Similarity

Total matches: 3034
API ID: GetMenuItemIDGetMenuStateGetMenuStringGetSubMenu
String ID:
API String ID: 4177512249-0
Opcode ID: ecc45265f1f2dfcabc36b66648e37788e83d83d46efca9de613be41cbe9cf08e
Instruction ID: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d
Opcode Fuzzy Hash: BEE020084B1FC552541F0A4A1573F019140E142CB69C3F3635127565B31A255213F776
Instruction Fuzzy Hash: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d

APIs

GetMenuState.USER32(?,?,?), ref: 00438733
GetSubMenu.USER32(?,?), ref: 0043873E
GetMenuItemID.USER32(?,?), ref: 00438757
GetMenuStringA.USER32(?,?,?,?,?), ref: 004387AA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00445518, Relevance: 6.1, APIs: 4, Instructions: 71 Total matches: 218threadwindow

Similarity

Total matches: 218
API ID: GetCurrentProcessIdGetWindowGetWindowThreadProcessIdIsWindowVisible
String ID:
API String ID: 3659984437-0
Opcode ID: 6a2b99e3a66d445235cbeb6ae27631a3038d73fb4110980a8511166327fee1f0
Instruction ID: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8
Opcode Fuzzy Hash: 82E0AB21B2AA28AAE0971541B01939130B3F74ED9ACC0A3626F8594BD92F253809E74F
Instruction Fuzzy Hash: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8

APIs

GetWindow.USER32(?,00000004), ref: 00445528
GetWindowThreadProcessId.USER32(?,?), ref: 00445542
GetCurrentProcessId.KERNEL32(?,00000004), ref: 0044554E
IsWindowVisible.USER32(?), ref: 0044559E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B29C, Relevance: 6.1, APIs: 4, Instructions: 58 Total matches: 214window

Similarity

Total matches: 214
API ID: DeleteObject$GetIconInfoGetObject
String ID:
API String ID: 3019347292-0
Opcode ID: d6af2631bec08fa1cf173fc10c555d988242e386d2638a025981433367bbd086
Instruction ID: 7fbc048e39f9dd6e6db5f40543e5f161b145f4c2f282fe4a446dbd8e1941d375
Opcode Fuzzy Hash: F7D0C283228DE2F7ED767D983A636154085F782297C6423B00444730860A1E700C6A03
Instruction Fuzzy Hash: 7fbc048e39f9dd6e6db5f40543e5f161b145f4c2f282fe4a446dbd8e1941d375

APIs

GetIconInfo.USER32(?,?), ref: 0042B2BD
GetObjectA.GDI32(?,00000018,?), ref: 0042B2DE
DeleteObject.GDI32(?), ref: 0042B30A
DeleteObject.GDI32(?), ref: 0042B313

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00445334, Relevance: 6.1, APIs: 4, Instructions: 56 Total matches: 2678

Similarity

Total matches: 2678
API ID: EnumWindowsGetWindowGetWindowLongSetWindowPos
String ID:
API String ID: 1660305372-0
Opcode ID: c3d012854d63b95cd89c42a77d529bdce0f7c5ea0abc138a70ce1ca7fb0ed027
Instruction ID: 7947c1ee61b3a945b06f79495752ea495d4a1fb36974d9d540e15b721e8a8e8a
Opcode Fuzzy Hash: 65E07D89179DA114F52124400911F043342F3D731BD1ADF814246283E39B8522BBFB8C
Instruction Fuzzy Hash: 7947c1ee61b3a945b06f79495752ea495d4a1fb36974d9d540e15b721e8a8e8a

APIs

EnumWindows.USER32(Function_000452BC), ref: 0044535E
GetWindow.USER32(?,00000003), ref: 00445376
GetWindowLongA.USER32(00000000,000000EC), ref: 00445383
SetWindowPos.USER32(00000000,000000EC,00000000,00000000,00000000,00000000,00000213), ref: 004453C2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004314A0, Relevance: 6.1, APIs: 4, Instructions: 56 Total matches: 21memoryclipboard

Similarity

Total matches: 21
API ID: GlobalAllocGlobalLockGlobalUnlockSetClipboardData
String ID:
API String ID: 3535573752-0
Opcode ID: f0e50475fe096c382d27ee33e947bcf8d55d19edebb1ed8108c2663ee63934e9
Instruction ID: 2742e8ac83e55c90e50d408429e67af57535f67fab21309796ee5989aaacba5e
Opcode Fuzzy Hash: D7E0C250025CF01BF9CA69CD3C97E86D2D2DA402649D46FB58258A78B3222E6049E50B
Instruction Fuzzy Hash: 2742e8ac83e55c90e50d408429e67af57535f67fab21309796ee5989aaacba5e

APIs

GlobalAlloc.KERNEL32(00002002,?,00000000,00431572), ref: 004314CF
GlobalLock.KERNEL32(?,00000000,00431544,?,00002002,?,00000000,00431572), ref: 004314E9
SetClipboardData.USER32(?,?), ref: 00431517
GlobalUnlock.KERNEL32(?,0043153A,?,00000000,00431544,?,00002002,?,00000000,00431572), ref: 0043152D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040A404, Relevance: 6.1, APIs: 4, Instructions: 54 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: c8f11cb17e652d385e55d6399cfebc752614be738e382b5839b86fc73ea86396
Instruction ID: 2e292ce978d1af3d415e66e5b982e49a92b9d84a3d1479b7871fac408542b61b
Opcode Fuzzy Hash: 32D02B030B309613452F157D0441F8D7032488F01A96C2F8C37B77ABA68505605FFE4C
Instruction Fuzzy Hash: 2e292ce978d1af3d415e66e5b982e49a92b9d84a3d1479b7871fac408542b61b

APIs

FindNextFileA.KERNEL32(?,?), ref: 0040A415
GetLastError.KERNEL32(?,?), ref: 0040A41E
FileTimeToLocalFileTime.KERNEL32(?), ref: 0040A434
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 0040A443

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0041C2D4, Relevance: 6.1, APIs: 4, Instructions: 51 Total matches: 4966

Similarity

Total matches: 4966
API ID: FindResourceLoadResourceLockResourceSizeofResource
String ID:
API String ID: 3653323225-0
Opcode ID: 735dd83644160b8dcfdcb5d85422b4d269a070ba32dbf009b7750e227a354687
Instruction ID: 615d07274e164157e3e11310b2f920de543c2506028dc961f8b3aaf64374c2fd
Opcode Fuzzy Hash: 4BD0A90A2268C100582C2C80002BBC610830A5FE226CC27F902231BBC32C026024F8C4
Instruction Fuzzy Hash: 615d07274e164157e3e11310b2f920de543c2506028dc961f8b3aaf64374c2fd

APIs

FindResourceA.KERNEL32(?,?,?), ref: 0041C2EB
LoadResource.KERNEL32(?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C305
SizeofResource.KERNEL32(?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C31F
LockResource.KERNEL32(0041BDF4,00000000,?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000), ref: 0041C329

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040A3AC, Relevance: 6.0, APIs: 4, Instructions: 40 Total matches: 51time

Similarity

Total matches: 51
API ID: DosDateTimeToFileTimeGetLastErrorLocalFileTimeToFileTimeSetFileTime
String ID:
API String ID: 3095628216-0
Opcode ID: dc7fe683cb9960f76d0248ee31fd3249d04fe76d6d0b465a838fe0f3e66d3351
Instruction ID: c3399427300e97a0bf23ec08d7f996c3ab3c22a86554ee3675cd901d102723b3
Opcode Fuzzy Hash: F2C0803B165157D71F4F7D7C600375011F0D1778230955B614E019718D4E05F01EFD86
Instruction Fuzzy Hash: c3399427300e97a0bf23ec08d7f996c3ab3c22a86554ee3675cd901d102723b3

APIs

DosDateTimeToFileTime.KERNEL32(?,0048C37F,?), ref: 0040A3C9
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0040A3DA
SetFileTime.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3EC
GetLastError.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3F5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00484388, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 39

Similarity

Total matches: 39
API ID: CloseHandleGetExitCodeProcessOpenProcessTerminateProcess
String ID:
API String ID: 2790531620-0
Opcode ID: 2f64381cbc02908b23ac036d446d8aeed05bad4df5f4c3da9e72e60ace7043ae
Instruction ID: e830ae185e03603e72926048c7063e7464f7d8c572e36ef4319c937be7ad0c91
Opcode Fuzzy Hash: 5DC01285079EAB7B643571D825437E14084D5026CCB943B7185045F10B4B09B43DF053
Instruction Fuzzy Hash: e830ae185e03603e72926048c7063e7464f7d8c572e36ef4319c937be7ad0c91

APIs

OpenProcess.KERNEL32(00000001,00000000,00000000), ref: 00484393
GetExitCodeProcess.KERNEL32(00000000,?), ref: 004843B7
TerminateProcess.KERNEL32(00000000,?,00000000,004843E0,?,00000001,00000000,00000000), ref: 004843C4
CloseHandle.KERNEL32(00000000), ref: 004843DA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044E254, Relevance: 6.0, APIs: 4, Instructions: 37 Total matches: 5751thread

Similarity

Total matches: 5751
API ID: GetCurrentProcessIdGetPropGetWindowThreadProcessIdGlobalFindAtom
String ID:
API String ID: 142914623-0
Opcode ID: 055fee701d7a26f26194a738d8cffb303ddbdfec43439e02886190190dab2487
Instruction ID: e9689aead5eaf442059aa2d418bca5d111d08576717f72d926dd49825766799b
Opcode Fuzzy Hash: 0AC02203AD2E23870E4202F2E840907219583DF8720CA370201B0E38C023F0461DFF0C
Instruction Fuzzy Hash: e9689aead5eaf442059aa2d418bca5d111d08576717f72d926dd49825766799b

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 0044E261
GetCurrentProcessId.KERNEL32(00000000,?,?,-00000010,00000000,0044E2CC,-000000F7,?,00000000,0044DE86,?,-00000010,?), ref: 0044E26A
GlobalFindAtomA.KERNEL32(00000000), ref: 0044E27F
GetPropA.USER32(00000000,00000000), ref: 0044E296

Part of subcall function 0044D2C0: GetWindowThreadProcessId.USER32(?), ref: 0044D2C6
Part of subcall function 0044D2C0: GetCurrentProcessId.KERNEL32(?,?,?,?,0044D346,?,00000000,?,004387ED,?,004378A9), ref: 0044D2CF
Part of subcall function 0044D2C0: SendMessageA.USER32(?,0000C1C7,00000000,00000000), ref: 0044D2E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444B1C, Relevance: 6.0, APIs: 4, Instructions: 34 Total matches: 2966thread

Similarity

Total matches: 2966
API ID: CreateEventCreateThreadGetCurrentThreadIdSetWindowsHookEx
String ID:
API String ID: 2240124278-0
Opcode ID: 54442a1563c67a11f9aee4190ed64b51599c5b098d388fde65e2e60bb6332aef
Instruction ID: 25b62da08cecef26c395931cea73ffe9b62582a88be241cbb158b3c9ea13de32
Opcode Fuzzy Hash: 37D0C940B0DE75C4F860630138017A90633234BF1BCD1C316480F76041C6CFAEF07A28
Instruction Fuzzy Hash: 25b62da08cecef26c395931cea73ffe9b62582a88be241cbb158b3c9ea13de32

APIs

GetCurrentThreadId.KERNEL32(?,00447A69,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00444B34
SetWindowsHookExA.USER32(00000003,00444AD8,00000000,00000000), ref: 00444B44
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00447A69,?,?,?,?,?,?,?,?,?,?), ref: 00444B5F
CreateThread.KERNEL32(00000000,000003E8,00444A7C,00000000,00000000), ref: 00444B83

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B438, Relevance: 6.0, APIs: 4, Instructions: 29 Total matches: 789

Similarity

Total matches: 789
API ID: GetDCGetTextMetricsReleaseDCSelectObject
String ID:
API String ID: 1769665799-0
Opcode ID: db772d9cc67723a7a89e04e615052b16571c955da3e3b2639a45f22e65d23681
Instruction ID: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3
Opcode Fuzzy Hash: DCC02B935A2888C32DE51FC0940084317C8C0E3A248C62212E13D400727F0C007CBFC0
Instruction Fuzzy Hash: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3

APIs

GetDC.USER32(00000000), ref: 0042B441
SelectObject.GDI32(00000000,018A002E), ref: 0042B453
GetTextMetricsA.GDI32(00000000), ref: 0042B45E
ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042473C, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 172 Total matches: 108

Similarity

Total matches: 108
API ID: CompareStringCreateFontIndirect
String ID: Default
API String ID: 480662435-753088835
Opcode ID: 55710f22f10b58c86f866be5b7f1af69a0ec313069c5af8c9f5cd005ee0f43f8
Instruction ID: ad4a051fb67a15694052d05548e5e2a92b9daedfa5d673be67c756d1cf269a99
Opcode Fuzzy Hash: F6116A2104DDB067F8B3EC94B64A74A79D1BBC5E9EC00FB303AA57198A0B01500EEB0E
Instruction Fuzzy Hash: ad4a051fb67a15694052d05548e5e2a92b9daedfa5d673be67c756d1cf269a99

APIs

Part of subcall function 00423A1C: EnterCriticalSection.KERNEL32(?,00423A59), ref: 00423A20

CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,00424930,?,00000000,00424958), ref: 0042486B
CreateFontIndirectA.GDI32(?), ref: 0042490D

Part of subcall function 0042B438: GetDC.USER32(00000000), ref: 0042B441
Part of subcall function 0042B438: SelectObject.GDI32(00000000,018A002E), ref: 0042B453
Part of subcall function 0042B438: GetTextMetricsA.GDI32(00000000), ref: 0042B45E
Part of subcall function 0042B438: ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Part of subcall function 00423A28: LeaveCriticalSection.KERNEL32(-00000008,00423B07,00423B0F), ref: 00423A2C

Strings

Default, xrefs: 00424832, 00424840, 00424841

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E3F0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103 Total matches: 30

Similarity

Total matches: 30
API ID: SHGetPathFromIDListSHGetSpecialFolderLocation
String ID: .LNK
API String ID: 739551631-2547878182
Opcode ID: 6b91e9416f314731ca35917c4d41f2341f1eaddd7b94683245f35c4551080332
Instruction ID: e6ae6f63a256f5e8788dfe1c4fce17057cd352befa637d7beb5ae1c0f18a968e
Opcode Fuzzy Hash: 9701B543079EC2A3D9232E512D43BA60129AF11E22F4C77F35A3C3A7D11E500105FA4A
Instruction Fuzzy Hash: e6ae6f63a256f5e8788dfe1c4fce17057cd352befa637d7beb5ae1c0f18a968e

APIs

SHGetSpecialFolderLocation.SHELL32(00000000,00000010,?), ref: 0046E44B
SHGetPathFromIDListA.SHELL32(?,?,00000000,00000010,?,00000000,0046E55E), ref: 0046E463

Part of subcall function 0042BE44: CoCreateInstance.OLE32(?,00000000,00000005,0042BF34,00000000), ref: 0042BE8B

Strings

.LNK, xrefs: 0046E4DE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00472C70, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 98 Total matches: 26

Similarity

Total matches: 26
API ID: SetFileAttributes
String ID: I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!$drivers\etc\hosts
API String ID: 3201317690-57959411
Opcode ID: de1fcf5289fd0d37c0d7642ff538b0d3acf26fbf7f5b53187118226b7e9f9585
Instruction ID: 1f69c6cfd5524e6f1e55c33e322de11738733e7ba85079705839c212502733fc
Opcode Fuzzy Hash: C4012B430F74D723D5173D857800B8922764B4A179D4A77F34B3B796E14E45101BF26D
Instruction Fuzzy Hash: 1f69c6cfd5524e6f1e55c33e322de11738733e7ba85079705839c212502733fc

APIs

Part of subcall function 004719C8: GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 004719DF

SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00472DAB,?,00000000,00472DE7), ref: 00472D16

Strings

drivers\etc\hosts, xrefs: 00472CD3, 00472D00
I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!, xrefs: 00472D8D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004629C0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 91 Total matches: 35com

Similarity

Total matches: 35
API ID: CoCreateInstance
String ID: <*I$L*I
API String ID: 206711758-935359969
Opcode ID: 926ebed84de1c4f5a0cff4f8c2e2da7e6b2741b3f47b898da21fef629141a3d9
Instruction ID: fa8d7291222113e0245fa84df17397d490cbd8a09a55d837a8cb9fde22732a4b
Opcode Fuzzy Hash: 79F02EA00A6B5057F502728428413DB0157E74BF09F48EB715253335860F29E22A6903
Instruction Fuzzy Hash: fa8d7291222113e0245fa84df17397d490cbd8a09a55d837a8cb9fde22732a4b

APIs

CoCreateInstance.OLE32(00492A3C,00000000,00000001,0049299C,00000000), ref: 00462A3F

Strings

<*I, xrefs: 00462A39
L*I, xrefs: 00462A60

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004658F4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91 Total matches: 91memory

Similarity

Total matches: 91
API ID: VirtualFreeVirtualProtect
String ID: FinalizeSections: VirtualProtect failed
API String ID: 636303360-3584865983
Opcode ID: eacfc3cf263d000af2bbea4d1e95e0ccf08e91c00f24ffdf9b55ce997f25413f
Instruction ID: a25c5a888a9fda5817e5b780509016ca40cf7ffd1ade20052d4c48f0177e32df
Opcode Fuzzy Hash: 8CF0A7A2164FC596D9E4360D5003B96A44B6BC1369D4857412FFF106F35E46A06B7D4C
Instruction Fuzzy Hash: a25c5a888a9fda5817e5b780509016ca40cf7ffd1ade20052d4c48f0177e32df

APIs

VirtualFree.KERNEL32(?,?,00004000), ref: 00465939
VirtualProtect.KERNEL32(?,?,00000000,?), ref: 004659A5

Strings

FinalizeSections: VirtualProtect failed, xrefs: 004659B3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00404B2E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83 Total matches: 27

Similarity

Total matches: 27
API ID: UnhandledExceptionFilter
String ID: @
API String ID: 324268079-2726393805
Opcode ID: 404135c81fb2f5f5ca58f8e75217e0a603ea6e07d48b6f32e279dfa7f56b0152
Instruction ID: c84c814e983b35b1fb5dae0ae7b91a26e19a660e9c4fa24becd8f1ddc27af483
Opcode Fuzzy Hash: CDF0246287E8612AD0BB6641389337E1451EF8189DC88DB307C9A306FB1A4D22A4F34C
Instruction Fuzzy Hash: c84c814e983b35b1fb5dae0ae7b91a26e19a660e9c4fa24becd8f1ddc27af483

APIs

UnhandledExceptionFilter.KERNEL32(00000006), ref: 00404B9A
UnhandledExceptionFilter.KERNEL32(?), ref: 00404BD7

Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00000000,00403029), ref: 004076AD
Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00403029), ref: 004076BE

Strings

@, xrefs: 00404B55

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040C028, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79 Total matches: 3032thread

Similarity

Total matches: 3032
API ID: GetDateFormatGetThreadLocale
String ID: yyyy
API String ID: 358233383-3145165042
Opcode ID: a9ef5bbd8ef47e5bcae7fadb254d6b5dc10943448e4061dc92b10bb97dc7929c
Instruction ID: 3d7ab4add3e8180159f8482215856afc9a1a963464e366b4ca05c92ac214afea
Opcode Fuzzy Hash: 09F09E4A0397D3D76802C969D023BC10194EB5A8B2C88B3B1DBB43D7F74C10C40AAF21
Instruction Fuzzy Hash: 3d7ab4add3e8180159f8482215856afc9a1a963464e366b4ca05c92ac214afea

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,0040C116), ref: 0040C0AE
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100), ref: 0040C0B4

Strings

yyyy, xrefs: 0040C089

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004889F0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 72 Total matches: 20

Similarity

Total matches: 20
API ID: GetMonitorInfo
String ID: H$MONSIZE
API String ID: 2399315694-578782711
Opcode ID: fcbd22419a9fe211802b34775feeb9b9cd5c1eab3f2b681a58b96c928ed20dcd
Instruction ID: 58dff39716ab95f400833e95f8353658d64ab2bf0589c4ada55bb24297febcec
Opcode Fuzzy Hash: A0F0E957075E9D5BE7326D883C177C042D82342C5AE8EB75741B9329B20D59511DF3C9
Instruction Fuzzy Hash: 58dff39716ab95f400833e95f8353658d64ab2bf0589c4ada55bb24297febcec

APIs

GetMonitorInfoA.USER32(?,00000048), ref: 00488A28

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

H, xrefs: 00488A19
MONSIZE, xrefs: 00488A65

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486210, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66 Total matches: 14network

Similarity

Total matches: 14
API ID: recvsend
String ID: EndReceive
API String ID: 740075404-1723565878
Opcode ID: 0642aeb2bf09005660d41f125a1d03baad4e76b78f36ec5b7dd5d239cf09d5cc
Instruction ID: 216cfea4cb83c20b808547ecb65d31b60c96cf6878345f9c489041ca4988cdb5
Opcode Fuzzy Hash: 4FE02B06133A455DE6270580341A3C7F947772B705E47D7F14FA4311DACA43322AE70B
Instruction Fuzzy Hash: 216cfea4cb83c20b808547ecb65d31b60c96cf6878345f9c489041ca4988cdb5

APIs

Part of subcall function 00466470: acmStreamConvert.MSACM32(?,00000108,00000000), ref: 004664AB
Part of subcall function 00466470: acmStreamReset.MSACM32(?,00000000,?,00000108,00000000), ref: 004664B9

send.WSOCK32(00000000,0049A3A0,00000000,00000000), ref: 004862AA
recv.WSOCK32(00000000,0049A3A0,00001FFF,00000000,00000000,0049A3A0,00000000,00000000), ref: 004862C1

Part of subcall function 00475F68: send.WSOCK32(?,00000000,?,00000000,00000000,00475FCA), ref: 00475FAF

Strings

EndReceive, xrefs: 004862CA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004843EC, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52 Total matches: 15

Similarity

Total matches: 15
API ID: CloseHandleOpenProcess
String ID: ACCESS DENIED (x64)
API String ID: 39102293-185273294
Opcode ID: a572bc7c6731d9d91b92c5675ac9d9d4c0009ce4d4d6c6579680fd2629dc7de7
Instruction ID: 96dec37c68e2c881eb92ad81010518019459718a977f0d9739e81baf42475d3b
Opcode Fuzzy Hash: EBE072420B68F08FB4738298640028100C6AE862BCC486BB5523B391DB4E49A008B6A3
Instruction Fuzzy Hash: 96dec37c68e2c881eb92ad81010518019459718a977f0d9739e81baf42475d3b

APIs

OpenProcess.KERNEL32(001F0FFF,00000000), ref: 0048440F
CloseHandle.KERNEL32(00000000), ref: 00484475

Strings

ACCESS DENIED (x64), xrefs: 004843FD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E408, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44 Total matches: 2190

Similarity

Total matches: 2190
API ID: GetSystemMetrics
String ID: MonitorFromPoint
API String ID: 96882338-1072306578
Opcode ID: 666203dad349f535e62b1e5569e849ebaf95d902ba2aa8f549115cec9aadc9dc
Instruction ID: 9e90a3aeaa9df0e76633c437836624889fea8714b6c2508f44f8acb6986c90e8
Opcode Fuzzy Hash: 72D09540005C404E9427F505302314050862CD7C1444C0A96073728A4B4BC07837E70C
Instruction Fuzzy Hash: 9e90a3aeaa9df0e76633c437836624889fea8714b6c2508f44f8acb6986c90e8

APIs

GetSystemMetrics.USER32(00000000), ref: 0042E456
GetSystemMetrics.USER32(00000001), ref: 0042E468

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

MonitorFromPoint, xrefs: 0042E41A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00405026, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43 Total matches: 29

Similarity

Total matches: 29
API ID: UnhandledExceptionFilter
String ID: @$@
API String ID: 324268079-1993891284
Opcode ID: 08651bee2e51f7c203f2bcbc4971cbf38b3c12a2f284cd033f2f36121a1f9316
Instruction ID: 09869fe21a55f28103c5e2f74b220912f521d4c5ca74f0421fb5e508a020f7c0
Opcode Fuzzy Hash: 83E0CD9917D5514BE0755684259671E1051EF05825C4A8F316D173C1FB151A11E4F77C
Instruction Fuzzy Hash: 09869fe21a55f28103c5e2f74b220912f521d4c5ca74f0421fb5e508a020f7c0

APIs

UnhandledExceptionFilter.KERNEL32(00000006), ref: 00405047

Strings

@, xrefs: 00405080
@, xrefs: 004050A2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00422188, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42 Total matches: 16registry

Similarity

Total matches: 16
API ID: RegSetValueEx
String ID: NoControlPanel$tdA
API String ID: 3711155140-1355984343
Opcode ID: 5e8bf8497a5466fff8bc5eb4e146d5dc6a0602752481f5dd4d5504146fb4de3d
Instruction ID: cdf02c1bfc0658aace9b7e9a135c824c3cff313d703079df6a374eed0d2e646e
Opcode Fuzzy Hash: E2D0A75C074881C524D914CC3111E01228593157AA49C3F52875D627F70E00E038DD1E
Instruction Fuzzy Hash: cdf02c1bfc0658aace9b7e9a135c824c3cff313d703079df6a374eed0d2e646e

APIs

RegSetValueExA.ADVAPI32(?,00000000,00000000,00000000,?,?,004724E0,00000000,004724E0), ref: 004221BA

Strings

NoControlPanel, xrefs: 00422188
tdA, xrefs: 004221D0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E258, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39 Total matches: 3131

Similarity

Total matches: 3131
API ID: GetSystemMetrics
String ID: GetSystemMetrics
API String ID: 96882338-96882338
Opcode ID: bbc54e4b5041dfa08de2230ef90e8f32e1264c6e24ec09b97715d86cc98d23e9
Instruction ID: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c
Opcode Fuzzy Hash: B4D0A941986AA908E0AF511971A336358D163D2EA0C8C8362308B329EB5741B520AB01
Instruction Fuzzy Hash: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c

APIs

GetSystemMetrics.USER32(?), ref: 0042E2BA

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

GetSystemMetrics.USER32(?), ref: 0042E280

Strings

GetSystemMetrics, xrefs: 0042E268

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Process Name: k0uVX1KM6P.exe Analysis ID: 39047

General

Root Process Name:	regdrv.exe
Process MD5:	77093B72A28802C0D03D46469FCBE972
Total matches:	199
Initial Analysis Report:	Open
Initial sample Analysis ID:	39047
Initial sample SHA 256:	DA1BBDFE3A0F83CC02963F6661B112A1D2B1BE6876901EDCAE46E66B9EE13878
Initial sample name:	k0uVX1KM6P.exe

Similar Executed Functions

Function 004818F8, Relevance: 49.2, APIs: 10, Strings: 18, Instructions: 236 Total matches: 18keyboard

Similarity

Total matches: 18
API ID: GetKeyState$CallNextHookEx$GetKeyboardStateMapVirtualKeyToAscii
String ID: [<-]$[DEL]$[DOWN]$[ESC]$[F1]$[F2]$[F3]$[F4]$[F5]$[F6]$[F7]$[F8]$[INS]$[LEFT]$[NUM_LOCK]$[RIGHT]$[SNAPSHOT]$[UP]
API String ID: 2409940449-52828794
Opcode ID: b9566e8c43a4051c07ac84d60916a303a7beb698efc358184a9cd4bc7b664fbd
Instruction ID: 41c13876561f3d94aafb9dcaf6d0e9d475a0720bb5103e60537e1bfe84b96b73
Opcode Fuzzy Hash: 0731B68AA7159623D437E2D97101B910227BF975D0CC1A3333EDA3CAE99E900114BF25
Instruction Fuzzy Hash: 41c13876561f3d94aafb9dcaf6d0e9d475a0720bb5103e60537e1bfe84b96b73

APIs

CallNextHookEx.USER32(000601F9,00000000,?,?), ref: 00481948

Part of subcall function 004818E0: MapVirtualKeyA.USER32(00000000,00000000), ref: 004818E6

CallNextHookEx.USER32(000601F9,00000000,00000100,?), ref: 0048198C
GetKeyState.USER32(00000014), ref: 00481C4E
GetKeyState.USER32(00000011), ref: 00481C60
GetKeyState.USER32(000000A0), ref: 00481C75
GetKeyState.USER32(000000A1), ref: 00481C8A
GetKeyboardState.USER32(?), ref: 00481CA5
MapVirtualKeyA.USER32(00000000,00000000), ref: 00481CD7
ToAscii.USER32(00000000,00000000,00000000,00000000,?), ref: 00481CDE

Part of subcall function 00481318: ExitThread.KERNEL32(00000000,00000000,00481687,?,00000000,004816C3,?,?,?,?,0000000C,00000000,00000000), ref: 0048135E
Part of subcall function 00481318: CreateThread.KERNEL32(00000000,00000000,Function_000810D4,00000000,00000000,00499F94), ref: 0048162D

CallNextHookEx.USER32(000601F9,00000000,?,?), ref: 00481D3C

Strings

[LEFT], xrefs: 00481C07
[F3], xrefs: 00481B65
[DOWN], xrefs: 00481C2B
[<-], xrefs: 00481B1D
[NUM_LOCK], xrefs: 00481B2F
[RIGHT], xrefs: 00481C19
[F7], xrefs: 00481BAD
[DEL], xrefs: 00481BD1
[UP], xrefs: 00481C3D
[F4], xrefs: 00481B77
[ESC], xrefs: 00481AE7
[F8], xrefs: 00481BBF
[F5], xrefs: 00481B89
[F1], xrefs: 00481B41
[INS], xrefs: 00481BE3
[F6], xrefs: 00481B9B
[SNAPSHOT], xrefs: 00481BF5
[F2], xrefs: 00481B53

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00406C2C, Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184 Total matches: 2899registrystringlibrary

Similarity

Total matches: 2899
API ID: lstrcpyn$LoadLibraryExRegOpenKeyEx$RegQueryValueEx$GetLocaleInfoGetModuleFileNameGetThreadLocaleRegCloseKeylstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 3567661987-2375825460
Opcode ID: a3b1251d448c01bd6f1cc1c42774547fa8a2e6c4aa6bafad0bbf1d0ca6416942
Instruction ID: a303aaa8438224c55303324eb01105260f59544aa3820bfcbc018d52edb30607
Opcode Fuzzy Hash: 7311914307969393E8871B6124157D513A5AF01F30E4A7BF275F0206EABE46110CFA06
Instruction Fuzzy Hash: a303aaa8438224c55303324eb01105260f59544aa3820bfcbc018d52edb30607

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,00400000,004917C0), ref: 00406C48
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,004917C0), ref: 00406C66
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,004917C0), ref: 00406C84
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00406CA2

Part of subcall function 00406A68: GetModuleHandleA.KERNEL32(kernel32.dll,?,00400000,004917C0), ref: 00406A85
Part of subcall function 00406A68: GetProcAddress.KERNEL32(?,GetLongPathNameA,kernel32.dll,?,00400000,004917C0), ref: 00406A9C
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,?,00400000,004917C0), ref: 00406ACC
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B30
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B66
Part of subcall function 00406A68: FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B79
Part of subcall function 00406A68: FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B8B
Part of subcall function 00406A68: lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B97
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000), ref: 00406BCB
Part of subcall function 00406A68: lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00406BD7
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 00406BF9

RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,00406D31,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00406CEB
RegQueryValueExA.ADVAPI32(?,00406E98,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00406D31,?,80000001), ref: 00406D09
RegCloseKey.ADVAPI32(?,00406D38,00000000,?,?,00000000,00406D31,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00406D2B
lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00406D48
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00406D55
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00406D5B
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00406D86
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406DCD
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406DDD
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406E05
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406E15
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00406E3B
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 00406E4B

Strings

Software\Borland\Locales, xrefs: 00406C5C, 00406C7A
Software\Borland\Delphi\Locales, xrefs: 00406C98

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00406D38, Relevance: 15.1, APIs: 10, Instructions: 98 Total matches: 2843stringlibrarythread

Similarity

Total matches: 2843
API ID: lstrcpyn$LoadLibraryEx$GetLocaleInfoGetThreadLocalelstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 2476548892-2375825460
Opcode ID: 37afa4b59127376f4a6833a35b99071d0dffa887068a3353cca0b5e1e5cd2bc3
Instruction ID: 0c520f96d45b86b238466289d2a994e593252e78d5c30d2048b7af96496f657b
Opcode Fuzzy Hash: 4CF0C883479793A7E04B1B422916AC853A4AF00F30F577BE1B970147FE7D1B240CA519
Instruction Fuzzy Hash: 0c520f96d45b86b238466289d2a994e593252e78d5c30d2048b7af96496f657b

APIs

lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00406D48
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00406D55
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00406D5B
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00406D86
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406DCD
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406DDD
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406E05
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406E15
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00406E3B
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 00406E4B

Strings

Software\Borland\Locales, xrefs: 00406C5C, 00406C7A
Software\Borland\Delphi\Locales, xrefs: 00406C98

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AEA8, Relevance: 9.1, APIs: 6, Instructions: 108 Total matches: 122

Similarity

Total matches: 122
API ID: AdjustTokenPrivilegesCloseHandleGetCurrentProcessGetLastErrorLookupPrivilegeValueOpenProcessToken
String ID:
API String ID: 1655903152-0
Opcode ID: c92d68a2c1c5faafb4a28c396f292a277a37f0b40326d7f586547878ef495775
Instruction ID: 5a044237aac15a3989e4021d08b96f5326c338692d3d0e66e444868dbe789150
Opcode Fuzzy Hash: 2CF0468513CAB2E7F879B18C3042FE73458B323244C8437219A903A18E0E59A12CEB13
Instruction Fuzzy Hash: 5a044237aac15a3989e4021d08b96f5326c338692d3d0e66e444868dbe789150

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AEFF
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF05
LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000), ref: 0048AF77
CloseHandle.KERNEL32(?), ref: 0048AF8D
GetLastError.KERNEL32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF9A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DDE0, Relevance: 7.6, APIs: 5, Instructions: 54 Total matches: 153

Similarity

Total matches: 153
API ID: FindResourceFreeResourceLoadResourceLockResourceSizeofResource
String ID:
API String ID: 3885362348-0
Opcode ID: ef8b8e58cde3d28224df1e0c57da641ab2d3d01fa82feb3a30011b4f31433ee9
Instruction ID: 9990bafbf40e834a260b48e1f62370990a3e04654371271e90c167a58edff6a8
Opcode Fuzzy Hash: 08D02B420B5FA197F51656482C813D722876B43386EC42BF2D31A3B2E39F058039F60B
Instruction Fuzzy Hash: 9990bafbf40e834a260b48e1f62370990a3e04654371271e90c167a58edff6a8

APIs

FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 0048DE1A
LoadResource.KERNEL32(00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE24
SizeofResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE2E
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE36
FreeResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047EAEC, Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 149 Total matches: 19windowthread

Similarity

Total matches: 19
API ID: CreateThreadDispatchMessageGetMessageTranslateMessage
String ID: at $,xI$AI$AI$MPI$OFFLINEK$PWD$Unknow
API String ID: 994098336-2744674293
Opcode ID: 9eba81f8e67a9dabaeb5076a6d0005a8d272465a03f2cd78ec5fdf0e8a578f9a
Instruction ID: 2241c7d72abfc068c3e0d2a9a226d44f5f768712d3663902469fbf0e50918cf5
Opcode Fuzzy Hash: E81159DA27FED40AF533B93074417C781661B2B62CE5C53A24E3B38580DE83406A7F06
Instruction Fuzzy Hash: 2241c7d72abfc068c3e0d2a9a226d44f5f768712d3663902469fbf0e50918cf5

APIs

CreateThread.KERNEL32(00000000,00000000,00482028,00000000,00000000,00499F94), ref: 0047EB8D
GetMessageA.USER32(00499F5C,00000000,00000000,00000000), ref: 0047ECBF

Part of subcall function 0040BC98: GetLocalTime.KERNEL32(?), ref: 0040BCA0

Part of subcall function 0040BCC4: GetLocalTime.KERNEL32(?), ref: 0040BCCC

Part of subcall function 0041FA34: GetLastError.KERNEL32(00486514,00000004,0048650C,00000000,0041FADE,?,00499F5C), ref: 0041FA94

Part of subcall function 0041FC40: SetThreadPriority.KERNEL32(?,015CDB28,00499F5C,?,0047EC9E,?,?,?,00000000,00000000,?,0049062B), ref: 0041FC55

Part of subcall function 0041FEF0: ResumeThread.KERNEL32(?,00499F5C,?,0047ECAA,?,?,?,00000000,00000000,?,0049062B), ref: 0041FEF8

TranslateMessage.USER32(00499F5C), ref: 0047ECAD
DispatchMessageA.USER32(00499F5C), ref: 0047ECB3

Strings

OFFLINEK, xrefs: 0047EB61
,xI, xrefs: 0047EC45
AI, xrefs: 0047EB11, 0047EB3E
at , xrefs: 0047EC58
Unknow, xrefs: 0047EC0B
AI, xrefs: 0047EBFA, 0047EC04, 0047EC60
MPI, xrefs: 0047EB9D
PWD, xrefs: 0047EB26

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004458CC, Relevance: 19.9, APIs: 13, Instructions: 386 Total matches: 159window

Similarity

Total matches: 159
API ID: SetFocus$GetFocusIsWindowEnabledPostMessage$GetLastActivePopupIsWindowVisibleSendMessage
String ID:
API String ID: 914620548-0
Opcode ID: 7a550bb8e8bdfffe0a3d884064dd1348bcd58c670023c5df15e5d4cbc78359b7
Instruction ID: ae7cdb1027d949e36366800a998b34cbf022b374fa511ef6be9943eb0d4292bd
Opcode Fuzzy Hash: 79518B4165DF6212E8BB908076A3BE6604BF7C6B9ECC8DF3411D53649B3F44620EE306
Instruction Fuzzy Hash: ae7cdb1027d949e36366800a998b34cbf022b374fa511ef6be9943eb0d4292bd

APIs

Part of subcall function 00445780: SetThreadLocale.KERNEL32(00000400,?,?,?,0044593F,00000000,00445F57), ref: 004457A3

Part of subcall function 00445F90: SetActiveWindow.USER32(?), ref: 00445FB5
Part of subcall function 00445F90: IsWindowEnabled.USER32(00000000), ref: 00445FE1
Part of subcall function 00445F90: SetWindowPos.USER32(?,00000000,00000000,00000000,?,00000000,00000040), ref: 0044602B
Part of subcall function 00445F90: DefWindowProcA.USER32(?,00000112,0000F020,00000000), ref: 00446040

Part of subcall function 00446070: SetActiveWindow.USER32(?), ref: 0044608F
Part of subcall function 00446070: ShowWindow.USER32(00000000,00000009), ref: 004460B4
Part of subcall function 00446070: IsWindowEnabled.USER32(00000000), ref: 004460D3
Part of subcall function 00446070: DefWindowProcA.USER32(?,00000112,0000F120,00000000), ref: 004460EC
Part of subcall function 00446070: SetWindowPos.USER32(?,00000000,00000000,?,?,00445ABE,00000000), ref: 00446132
Part of subcall function 00446070: SetFocus.USER32(00000000), ref: 00446180

Part of subcall function 00445F74: LoadIconA.USER32(00000000,00007F00), ref: 00445F8A

PostMessageA.USER32(?,0000B001,00000000,00000000), ref: 00445BCD

Part of subcall function 00445490: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000213), ref: 004454DE

PostMessageA.USER32(?,0000B000,00000000,00000000), ref: 00445BAB
SendMessageA.USER32(?,?,?,?), ref: 00445C73

Part of subcall function 00405388: FreeLibrary.KERNEL32(00400000,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405410
Part of subcall function 00405388: ExitProcess.KERNEL32(00000000,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405448

Part of subcall function 0044641C: IsWindowEnabled.USER32(00000000), ref: 00446458

IsWindowEnabled.USER32(00000000), ref: 00445D18
IsWindowVisible.USER32(00000000), ref: 00445D2D
GetFocus.USER32 ref: 00445D41
SetFocus.USER32(00000000), ref: 00445D50
SetFocus.USER32(00000000), ref: 00445D6F
IsWindowEnabled.USER32(00000000), ref: 00445DD0
SetFocus.USER32(00000000), ref: 00445DF2
GetLastActivePopup.USER32(?), ref: 00445E0A

Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773

GetFocus.USER32 ref: 00445E4F

Part of subcall function 0043BA80: GetCurrentThreadId.KERNEL32(Function_0003BA1C,00000000,0044283C,00000000,004428BF), ref: 0043BA9A
Part of subcall function 0043BA80: EnumThreadWindows.USER32(00000000,Function_0003BA1C,00000000), ref: 0043BAA0

SetFocus.USER32(00000000), ref: 00445E70

Part of subcall function 00446A88: PostMessageA.USER32(?,0000B01F,00000000,00000000), ref: 00446BA1

Part of subcall function 004466B8: SendMessageA.USER32(?,0000B020,00000001,?), ref: 004466DC

Part of subcall function 0044665C: SendMessageA.USER32(?,0000B020,00000000,?), ref: 0044667E

Part of subcall function 0045D684: SystemParametersInfoA.USER32(00000068,00000000,015E3408,00000000), ref: 0045D6C8
Part of subcall function 0045D684: SendMessageA.USER32(?,?,00000000,00000000), ref: 0045D6DB

Part of subcall function 00445844: DefWindowProcA.USER32(?,?,?,?), ref: 0044586E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045DAE0, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 103 Total matches: 45registrylibraryloader

Similarity

Total matches: 45
API ID: GlobalAddAtom$GetCurrentProcessIdGetCurrentThreadIdGetModuleHandleGetProcAddressRegisterWindowMessage
String ID: AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$USER32
API String ID: 1182141063-1126952177
Opcode ID: f8c647dae10644b7e730f5649d963eb01b1b77fd7d0b633dfddc8baab0ae74fb
Instruction ID: 6dc9b78338348dc7afd8e3f20dad2926db9f0bd5be2625dc934bf3846c6fa984
Opcode Fuzzy Hash: ED0140552F89B147427255E03449BB534B6A707F4B4CA77531B0D3A1F9AE074025FB1E
Instruction Fuzzy Hash: 6dc9b78338348dc7afd8e3f20dad2926db9f0bd5be2625dc934bf3846c6fa984

APIs

GetCurrentProcessId.KERNEL32(?,00000000,0045DC58), ref: 0045DB01
GlobalAddAtomA.KERNEL32(00000000), ref: 0045DB34
GetCurrentThreadId.KERNEL32(?,?,00000000,0045DC58), ref: 0045DB4F
GlobalAddAtomA.KERNEL32(00000000), ref: 0045DB85
RegisterWindowMessageA.USER32(00000000,00000000,?,?,00000000,0045DC58), ref: 0045DB9B

Part of subcall function 00419AB0: InitializeCriticalSection.KERNEL32(004174C8,?,?,0045DBB1,00000000,00000000,?,?,00000000,0045DC58), ref: 00419ACF

Part of subcall function 0045D6E8: SetErrorMode.KERNEL32(00008000), ref: 0045D701
Part of subcall function 0045D6E8: GetModuleHandleA.KERNEL32(USER32,00000000,0045D84E,?,00008000), ref: 0045D725
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,WINNLSEnableIME,USER32,00000000,0045D84E,?,00008000), ref: 0045D732
Part of subcall function 0045D6E8: LoadLibraryA.KERNEL32(imm32.dll), ref: 0045D74E
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D770
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D785
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D79A
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7AF
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7C4
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E), ref: 0045D7D9
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000), ref: 0045D7EE
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext), ref: 0045D803
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext), ref: 0045D818
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmNotifyIME,00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus), ref: 0045D82D
Part of subcall function 0045D6E8: SetErrorMode.KERNEL32(?,0045D855,00008000), ref: 0045D848

Part of subcall function 00443B58: GetKeyboardLayout.USER32(00000000), ref: 00443B9D
Part of subcall function 00443B58: GetDC.USER32(00000000), ref: 00443BF2
Part of subcall function 00443B58: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00443BFC
Part of subcall function 00443B58: ReleaseDC.USER32(00000000,00000000), ref: 00443C07

Part of subcall function 00444D60: LoadIconA.USER32(00400000,MAINICON), ref: 00444E57
Part of subcall function 00444D60: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON), ref: 00444E89
Part of subcall function 00444D60: OemToCharA.USER32(?,?), ref: 00444E9C
Part of subcall function 00444D60: CharNextA.USER32(?), ref: 00444EDB
Part of subcall function 00444D60: CharLowerA.USER32(00000000), ref: 00444EE1

GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,?,00000000,0045DC58), ref: 0045DC1F
GetProcAddress.KERNEL32(00000000,AnimateWindow,USER32,00000000,00000000,?,?,00000000,0045DC58), ref: 0045DC30

Strings

Delphi%.8X, xrefs: 0045DB12
ControlOfs%.8X%.8X, xrefs: 0045DB63
AnimateWindow, xrefs: 0045DC2A
USER32, xrefs: 0045DC1A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00481318, Relevance: 16.0, APIs: 2, Strings: 7, Instructions: 241 Total matches: 16thread

Similarity

Total matches: 16
API ID: CreateThreadExitThread
String ID: Bytes ($,xI$:: $:: Clipboard Change : size = $FTPSIZE$FTPUPLOADK$dclogs\
API String ID: 3550501405-4171340091
Opcode ID: 09ac825b311b0dae764bb850de313dcff2ce8638679eaf641d47129c8347c1b6
Instruction ID: 18a29a8180aa3c51a0af157095e3a2943ba53103427a66675ab0ae847ae08d92
Opcode Fuzzy Hash: A8315BC70B99DEDBE522BCD838413A6446E1B4364DD4C1B224B397D4F14F09203AF712
Instruction Fuzzy Hash: 18a29a8180aa3c51a0af157095e3a2943ba53103427a66675ab0ae847ae08d92

APIs

ExitThread.KERNEL32(00000000,00000000,00481687,?,00000000,004816C3,?,?,?,?,0000000C,00000000,00000000), ref: 0048135E

Part of subcall function 00480F70: GetForegroundWindow.USER32 ref: 00480F8F
Part of subcall function 00480F70: GetWindowTextLengthA.USER32(00000000), ref: 00480F9B
Part of subcall function 00480F70: GetWindowTextA.USER32(00000000,00000000,00000001), ref: 00480FB8

Part of subcall function 0048ADCC: SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0048ADF9
Part of subcall function 0048ADCC: SHGetPathFromIDListA.SHELL32(?,?,00000000,0048AE8C,?,?,00000005,?,004856FD,00000000,00485755,?,?,00000005,00000000,00000000), ref: 0048AE09

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

Part of subcall function 0040BCC4: GetLocalTime.KERNEL32(?), ref: 0040BCCC

Part of subcall function 00480FEC: FindFirstFileA.KERNEL32(00000000,?,00000000,0048109E), ref: 0048101E

CreateThread.KERNEL32(00000000,00000000,Function_000810D4,00000000,00000000,00499F94), ref: 0048162D

Strings

FTPUPLOADK, xrefs: 0048159E
,xI, xrefs: 00481482, 0048151D
dclogs\, xrefs: 004813DB, 0048142A, 004815C7
FTPSIZE, xrefs: 004815F1
:: , xrefs: 00481492
Bytes (, xrefs: 0048153F
:: Clipboard Change : size = , xrefs: 0048152D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048B908, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 138 Total matches: 28

Similarity

Total matches: 28
API ID: GetTokenInformation$CloseHandleGetCurrentProcessOpenProcessToken
String ID: Default$Full$Limited$unknow
API String ID: 3519712506-3005279702
Opcode ID: c9e83fe5ef618880897256b557ce500f1bf5ac68e7136ff2dc4328b35d11ffd0
Instruction ID: 0b4c06dab34d27ad9d68d80be0f4d698db9405c4a95def130c1ac261927f5781
Opcode Fuzzy Hash: 94012245479DA6FB6826709C78036E90090EEA3505DC827320F1A3EA430F49906DFE03
Instruction Fuzzy Hash: 0b4c06dab34d27ad9d68d80be0f4d698db9405c4a95def130c1ac261927f5781

APIs

GetCurrentProcess.KERNEL32(00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B93E
OpenProcessToken.ADVAPI32(00000000,00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B944
GetTokenInformation.ADVAPI32(?,00000012(TokenIntegrityLevel),?,00000004,?,00000000,0048BA30,?,00000000,00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B96F
GetTokenInformation.ADVAPI32(?,00000014(TokenIntegrityLevel),?,00000004,?,?,TokenIntegrityLevel,?,00000004,?,00000000,0048BA30,?,00000000,00000008,?), ref: 0048B9DF
CloseHandle.KERNEL32(?), ref: 0048BA2A

Strings

unknow, xrefs: 0048B9B6
Limited, xrefs: 0048B9A7
Default, xrefs: 0048B989
Full, xrefs: 0048B998

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004035C4, Relevance: 15.1, APIs: 10, Instructions: 129 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: d538ecb20819965be69077a828496b76d5af3486dd71f6717b9dc933de35fdbc
Instruction ID: c976212507a0127e09b4f1878ff8970bdbefa7b4a5e526d5fabf74a192684bc9
Opcode Fuzzy Hash: DD012BC0B7E89268E42FAB84AA00FD25444979FFC9E70C74433C9615EE6742616CBE09
Instruction Fuzzy Hash: c976212507a0127e09b4f1878ff8970bdbefa7b4a5e526d5fabf74a192684bc9

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040364C
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00403670
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040368C
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 004036AD
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 004036D6
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 004036E4
GetStdHandle.KERNEL32(000000F5), ref: 0040371F
GetFileType.KERNEL32 ref: 00403735
CloseHandle.KERNEL32 ref: 00403750
GetLastError.KERNEL32(000000F5), ref: 00403768

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040EBCC, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201 Total matches: 3634thread

Similarity

Total matches: 3634
API ID: GetThreadLocale
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 1366207816-2493093252
Opcode ID: 01a36ac411dc2f0c4b9eddfafa1dc6121dabec367388c2cb1b6e664117e908cf
Instruction ID: d03f869ccb848d3c28b0e9f5c57a02ed4726818649ba9b5e70cc30c7e7abe10a
Opcode Fuzzy Hash: 7E216E09A7888936D262494C3885B9414F75F1A161EC4CBF18BB2757ED6EC60422FBFB
Instruction Fuzzy Hash: d03f869ccb848d3c28b0e9f5c57a02ed4726818649ba9b5e70cc30c7e7abe10a

APIs

Part of subcall function 0040EB08: GetThreadLocale.KERNEL32 ref: 0040EB2A
Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000004A), ref: 0040EB7D
Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000002A), ref: 0040EB8C

Part of subcall function 0040D3E8: GetThreadLocale.KERNEL32(00000000,0040D4FB,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040D404

GetThreadLocale.KERNEL32(00000000,0040EE97,?,?,00000000,00000000), ref: 0040EC02

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Part of subcall function 0040D380: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040EC7E,00000000,0040EE97,?,?,00000000,00000000), ref: 0040D393

Part of subcall function 0040D670: GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(?,00000000,0040D657,?,?,00000000), ref: 0040D5D8
Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040D657,?,?,00000000), ref: 0040D608
Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D50C,00000000,00000000,00000004), ref: 0040D613
Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040D657,?,?,00000000), ref: 0040D631
Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D548,00000000,00000000,00000003), ref: 0040D63C

Strings

AMPM , xrefs: 0040EE25
mmmm d, yyyy, xrefs: 0040ECFE
m/d/yy, xrefs: 0040ECD1
:mm, xrefs: 0040EE35
:mm:ss, xrefs: 0040EE52
AMPM, xrefs: 0040EE16

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045F5F8, Relevance: 10.6, APIs: 7, Instructions: 117 Total matches: 462file

Similarity

Total matches: 462
API ID: CloseHandle$CreateFileCreateFileMappingGetFileSizeMapViewOfFileUnmapViewOfFile
String ID:
API String ID: 4232242029-0
Opcode ID: 30b260463d44c6b5450ee73c488d4c98762007a87f67d167b52aaf6bd441c3bf
Instruction ID: 5c790fdba87d6d3a28b45298bdc34f72c373fcd78425af207109af52e92f4d8f
Opcode Fuzzy Hash: 68F028440BCCF3A7F4B5B64820427A1004AAB46B58D54BFA25495374CB89C9B04DFB53
Instruction Fuzzy Hash: 5c790fdba87d6d3a28b45298bdc34f72c373fcd78425af207109af52e92f4d8f

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateFileA.KERNEL32(00000000,80000000,00000003,00000000,00000003,08000080,00000000), ref: 0045F637
CreateFileMappingA.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0045F665
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718,?,?,?,?), ref: 0045F691
GetFileSize.KERNEL32(000000FF,00000000,00000000,0045F6DC,?,00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718), ref: 0045F6B3
UnmapViewOfFile.KERNEL32(00000000,0045F6E3,0045F6DC,?,00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718), ref: 0045F6D6
CloseHandle.KERNEL32(00000000), ref: 0045F6F4
CloseHandle.KERNEL32(000000FF), ref: 0045F712

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AFE8, Relevance: 10.6, APIs: 7, Instructions: 94 Total matches: 34sleep

Similarity

Total matches: 34
API ID: Sleep$GetCurrentProcessGetTokenInformationLookupPrivilegeDisplayNameLookupPrivilegeNameOpenProcessToken
String ID:
API String ID: 2949210484-0
Opcode ID: 1294ace95088db967643d611283e857756515b83d680ef470e886f47612abab4
Instruction ID: 080af5cb768fd98714a9d060fcd45c73de1816ca9ba7ffb4874f351f539571ee
Opcode Fuzzy Hash: F9F0F6524B5DE753F65D2A4C9893BE90250DB03424E806B22857877A8A5E195039FA2A
Instruction Fuzzy Hash: 080af5cb768fd98714a9d060fcd45c73de1816ca9ba7ffb4874f351f539571ee

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048B0F3), ref: 0048B016
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048B0F3), ref: 0048B01C
Sleep.KERNEL32(00000001,00000000,00000028,?,00000000,0048B0F3), ref: 0048B027
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B03C
Sleep.KERNEL32(00000001,?,TokenIntegrityLevel,00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B047
LookupPrivilegeNameA.ADVAPI32(00000000,00000004,00000000,000000FF), ref: 0048B094
LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,?,000000FF,?), ref: 0048B0A8

Part of subcall function 0048AEA8: GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AEFF
Part of subcall function 0048AEA8: OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF05
Part of subcall function 0048AEA8: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
Part of subcall function 0048AEA8: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000), ref: 0048AF77
Part of subcall function 0048AEA8: CloseHandle.KERNEL32(?), ref: 0048AF8D
Part of subcall function 0048AEA8: GetLastError.KERNEL32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF9A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048F888, Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 110 Total matches: 18

Similarity

Total matches: 18
API ID: CoInitialize
String ID: .dcp$DCDATA$GENCODE$MPI$NETDATA
API String ID: 2346599605-3060965071
Opcode ID: 5b2698c0d83cdaee763fcf6fdf8d4463e192853437356cece5346bd183c87f4d
Instruction ID: bf1364519f653df7cd18a9a38ec8bfca38719d83700d8c9dcdc44dde4d16a583
Opcode Fuzzy Hash: 990190478FEEC01AF2139D64387B7C100994F53F55E840B9B557D3E5A08947502BB705
Instruction Fuzzy Hash: bf1364519f653df7cd18a9a38ec8bfca38719d83700d8c9dcdc44dde4d16a583

APIs

Part of subcall function 004076D4: GetModuleHandleA.KERNEL32(00000000,?,0048F8A5,?,?,?,0000002F,00000000,00000000), ref: 004076E0

CoInitialize.OLE32(00000000), ref: 0048F8B5

Part of subcall function 0048AFE8: GetCurrentProcess.KERNEL32(00000028,?,00000000,0048B0F3), ref: 0048B016
Part of subcall function 0048AFE8: OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048B0F3), ref: 0048B01C
Part of subcall function 0048AFE8: Sleep.KERNEL32(00000001,00000000,00000028,?,00000000,0048B0F3), ref: 0048B027
Part of subcall function 0048AFE8: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B03C
Part of subcall function 0048AFE8: Sleep.KERNEL32(00000001,?,TokenIntegrityLevel,00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B047
Part of subcall function 0048AFE8: LookupPrivilegeNameA.ADVAPI32(00000000,00000004,00000000,000000FF), ref: 0048B094
Part of subcall function 0048AFE8: LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,?,000000FF,?), ref: 0048B0A8

Part of subcall function 0040F234: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0048F90F,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040F24B

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

Strings

.dcp, xrefs: 0048F92D, 0048F989
DCDATA, xrefs: 0048F8E9
NETDATA, xrefs: 0048F9B6
MPI, xrefs: 0048F8BA
GENCODE, xrefs: 0048F920, 0048F97C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B47C, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58 Total matches: 283

Similarity

Total matches: 283
API ID: MulDiv
String ID: MS Shell Dlg 2$SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes$Tahoma
API String ID: 940359406-1011973972
Opcode ID: 9f338f1e3de2c8e95426f3758bdd42744a67dcd51be80453ed6f2017c850a3af
Instruction ID: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a
Opcode Fuzzy Hash: EDE0680017C8F0ABFC32BC8A30A17CD20C9F341270C0063B1065D3D8CAAB4AC018E907
Instruction Fuzzy Hash: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a

APIs

MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0042B4A2

Part of subcall function 004217A0: RegCloseKey.ADVAPI32(10940000,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5,?,00000000,0048B2DD), ref: 004217B4

Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421A81
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421AF1
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?), ref: 00421B5C

Part of subcall function 00421770: RegFlushKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 00421781
Part of subcall function 00421770: RegCloseKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 0042178A

Part of subcall function 0042B438: GetDC.USER32(00000000), ref: 0042B441
Part of subcall function 0042B438: SelectObject.GDI32(00000000,018A002E), ref: 0042B453
Part of subcall function 0042B438: GetTextMetricsA.GDI32(00000000), ref: 0042B45E
Part of subcall function 0042B438: ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes, xrefs: 0042B4F8
MS Shell Dlg 2, xrefs: 0042B50C
Tahoma, xrefs: 0042B4C4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00421140, Relevance: 6.1, APIs: 4, Instructions: 59 Total matches: 2877registry

Similarity

Total matches: 2877
API ID: GetClassInfoRegisterClassSetWindowLongUnregisterClass
String ID:
API String ID: 1046148194-0
Opcode ID: c2411987b4f71cfd8dbf515c505d6b009a951c89100e7b51cc1a9ad4868d85a2
Instruction ID: ad09bb2cd35af243c34bf0a983bbfa5e937b059beb8f7eacfcf21e0321a204f6
Opcode Fuzzy Hash: 17E026123D08D3D6E68B3107302B30D00AC1B2F524D94E725428030310CB24B034D942
Instruction Fuzzy Hash: ad09bb2cd35af243c34bf0a983bbfa5e937b059beb8f7eacfcf21e0321a204f6

APIs

GetClassInfoA.USER32(00400000,00421130,?), ref: 00421161
UnregisterClassA.USER32(00421130,00400000), ref: 0042118A
RegisterClassA.USER32(00491B50), ref: 00421194

Part of subcall function 0040857C: CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004085BB

Part of subcall function 00421084: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 004210A2

SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 004211DF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00421808, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74 Total matches: 14registry

Similarity

Total matches: 14
API ID: RegCloseKeyRegCreateKeyEx
String ID: ddA
API String ID: 4178925417-2966775115
Opcode ID: 48d059bb8e84bc3192dc11d099b9e0818b120cb04e32a6abfd9049538a466001
Instruction ID: bcac8fa413c5abe8057b39d2fbf4054ffa52545f664d92bf1e259ce37bb87d2b
Opcode Fuzzy Hash: 99E0E5461A86A377B41BB1583001B523267EB167A6C85AB72164D3EADBAA40802DAE53
Instruction Fuzzy Hash: bcac8fa413c5abe8057b39d2fbf4054ffa52545f664d92bf1e259ce37bb87d2b

APIs

RegCreateKeyExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,000F003F,00000000,?,?,00000000,004218D4,?,?,?,00000000), ref: 0042187F
RegCloseKey.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,000F003F,00000000,?,?,00000000,004218D4,?,?,?,00000000), ref: 00421893

Strings

ddA, xrefs: 004218A7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DD0C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51 Total matches: 15

Similarity

Total matches: 15
API ID: GlobalMemoryStatus
String ID: $%d%
API String ID: 1890195054-1553997471
Opcode ID: b93ee82e74eb3fdc7cf13e02b5efcaa0aef25b4b863b00f7ccdd0b9efdff76e6
Instruction ID: fe5533f6b2d125ff6ee6e2ff500c73019a28ed325643b914abb945f4eac8f20d
Opcode Fuzzy Hash: 64D05BD70F99F457A5A1718E3452FA400956F036D9CC83BB349946E99F071F80ACF612
Instruction Fuzzy Hash: fe5533f6b2d125ff6ee6e2ff500c73019a28ed325643b914abb945f4eac8f20d

APIs

GlobalMemoryStatus.KERNEL32(00000020), ref: 0048DD44

Strings

%d%, xrefs: 0048DD5C
, xrefs: 0048DD39

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048CF38, Relevance: 4.5, APIs: 3, Instructions: 43 Total matches: 31

Similarity

Total matches: 31
API ID: GetForegroundWindowGetWindowTextGetWindowTextLength
String ID:
API String ID: 3098183346-0
Opcode ID: 209e0569b9b6198440fd91fa0607dca7769e34364d6ddda49eba559da13bc80b
Instruction ID: 91d0bfb2ef12b00d399625e8c88d0df52cd9c99a94677dcfff05ce23f9c63a23
Opcode Fuzzy Hash: 06D0A785074B861BA40A96CC64011E692906161142D8077318725BA5C9AD06001FA85B
Instruction Fuzzy Hash: 91d0bfb2ef12b00d399625e8c88d0df52cd9c99a94677dcfff05ce23f9c63a23

APIs

GetForegroundWindow.USER32 ref: 0048CF57
GetWindowTextLengthA.USER32(00000000), ref: 0048CF63
GetWindowTextA.USER32(00000000,00000000,00000001), ref: 0048CF80

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482028, Relevance: 4.5, APIs: 3, Instructions: 19 Total matches: 124window

Similarity

Total matches: 124
API ID: DispatchMessageGetMessageTranslateMessage
String ID:
API String ID: 238847732-0
Opcode ID: 2bc29e822e5a19ca43f9056ef731e5d255ca23f22894fa6ffe39914f176e67d0
Instruction ID: 3635f244085e73605198e4edd337f824154064b4cabe78c039b45d2f1f3269be
Opcode Fuzzy Hash: A9B0120F8141E01F254D19651413380B5D379C3120E515B604E2340284D19031C97C49
Instruction Fuzzy Hash: 3635f244085e73605198e4edd337f824154064b4cabe78c039b45d2f1f3269be

APIs

Part of subcall function 00481ED8: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00482007,?,?,00000003,00000000,00000000,?,00482033), ref: 00481EFB
Part of subcall function 00481ED8: SetWindowsHookExA.USER32(0000000D,004818F8,00000000,00000000), ref: 00481F09

TranslateMessage.USER32 ref: 00482036
DispatchMessageA.USER32 ref: 0048203C
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00482048

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C91C, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 75 Total matches: 20

Similarity

Total matches: 20
API ID: GetVolumeInformation
String ID: %.4x:%.4x
API String ID: 1114431059-3532927987
Opcode ID: 208ca3ebf28c5cea15b573a569a7b8c9d147c1ff64dfac4d15af7b461a718bc8
Instruction ID: 4ae5e3aba91ec141201c4859cc19818ff8a02ee484ece83311eb3b9305c11bcf
Opcode Fuzzy Hash: F8E0E5410AC961EBB4D3F0883543BA2319593A3289C807B73B7467FDD64F05505DD847
Instruction Fuzzy Hash: 4ae5e3aba91ec141201c4859cc19818ff8a02ee484ece83311eb3b9305c11bcf

APIs

GetVolumeInformationA.KERNEL32(00000000,00000000,00000104,?,?,?,00000000,00000104), ref: 0048C974

Strings

%.4x:%.4x, xrefs: 0048C9B9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048CFB4, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58 Total matches: 8

Similarity

Total matches: 8
API ID: capGetDriverDescription
String ID: -
API String ID: 908034968-3695764949
Opcode ID: 539b46e002ba2863d7d2c04a7b077dd225392ffb50804089dcc6361416e5df4e
Instruction ID: 038fcc9a5db2c7f42583a832665ba5c588812794c244530825cfc74b69c29f65
Opcode Fuzzy Hash: 2EE0228213B0DAF7E5A00FA03864F5C0B640F02AB8F8C9FA2A278651EE2C14404CE24F
Instruction Fuzzy Hash: 038fcc9a5db2c7f42583a832665ba5c588812794c244530825cfc74b69c29f65

APIs

capGetDriverDescriptionA.AVICAP32(00000000,?,00000105,?,00000105,00000000,0048D07B), ref: 0048CFF9

Strings

- , xrefs: 0048D026

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00475E2C, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 51 Total matches: 7network

Similarity

Total matches: 7
API ID: send
String ID: AI
API String ID: 2809346765-2814088591
Opcode ID: 868ad7ac68dacb7c8c4160927bbae46afa974d2bcec77bad21f6f3dd38f5bacb
Instruction ID: 18704ec08ed0309c1d2906dc748e140c54c21f2532b483477e06f3f57a53c56f
Opcode Fuzzy Hash: 47D0C246096AC96BA413E890396335B2097FB40259D802B700B102F0978E05601BAE83
Instruction Fuzzy Hash: 18704ec08ed0309c1d2906dc748e140c54c21f2532b483477e06f3f57a53c56f

APIs

send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

AI, xrefs: 00475E55

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004221F0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47 Total matches: 18registry

Similarity

Total matches: 18
API ID: RegQueryValueEx
String ID: ldA
API String ID: 3865029661-3200660723
Opcode ID: ec304090a766059ca8447c7e950ba422bbcd8eaba57a730efadba48c404323b5
Instruction ID: 1bfdbd06430122471a07604155f074e1564294130eb9d59a974828bfc3ff2ca5
Opcode Fuzzy Hash: 87D05E281E48858525DA74D93101B522241E7193938CC3F618A4C976EB6900F018EE0F
Instruction Fuzzy Hash: 1bfdbd06430122471a07604155f074e1564294130eb9d59a974828bfc3ff2ca5

APIs

RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000), ref: 0042221B

Strings

ldA, xrefs: 00422231

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Similar Non-Executed Functions

Function 0048B42C, Relevance: 70.2, APIs: 32, Strings: 8, Instructions: 219 Total matches: 29keyboard

Similarity

Total matches: 29
API ID: keybd_event
String ID: CTRLA$CTRLC$CTRLF$CTRLP$CTRLV$CTRLX$CTRLY$CTRLZ
API String ID: 2665452162-853614746
Opcode ID: 4def22f753c7f563c1d721fcc218f3f6eb664e5370ee48361dbc989d32d74133
Instruction ID: 963b610819eac8b52ef880b5a8b69d76f76adbdeafee6c47af906d1515d6b099
Opcode Fuzzy Hash: 532196951B0CA2B978DA64817C0E195F00B969B34DEDC13128990DAF788EF08DE03F35
Instruction Fuzzy Hash: 963b610819eac8b52ef880b5a8b69d76f76adbdeafee6c47af906d1515d6b099

APIs

keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B460
keybd_event.USER32(00000041,00000045,00000001,00000000), ref: 0048B46D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B47A
keybd_event.USER32(00000041,00000045,00000003,00000000), ref: 0048B487
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B4A8
keybd_event.USER32(00000056,00000045,00000001,00000000), ref: 0048B4B5
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B4C2
keybd_event.USER32(00000056,00000045,00000003,00000000), ref: 0048B4CF
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B4F0
keybd_event.USER32(00000043,00000045,00000001,00000000), ref: 0048B4FD
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B50A
keybd_event.USER32(00000043,00000045,00000003,00000000), ref: 0048B517
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B538
keybd_event.USER32(00000058,00000045,00000001,00000000), ref: 0048B545
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B552
keybd_event.USER32(00000058,00000045,00000003,00000000), ref: 0048B55F
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B580
keybd_event.USER32(00000050,00000045,00000001,00000000), ref: 0048B58D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B59A
keybd_event.USER32(00000050,00000045,00000003,00000000), ref: 0048B5A7
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B5C8
keybd_event.USER32(0000005A,00000045,00000001,00000000), ref: 0048B5D5
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B5E2
keybd_event.USER32(0000005A,00000045,00000003,00000000), ref: 0048B5EF
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B610
keybd_event.USER32(00000059,00000045,00000001,00000000), ref: 0048B61D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B62A
keybd_event.USER32(00000059,00000045,00000003,00000000), ref: 0048B637
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B655
keybd_event.USER32(00000046,00000045,00000001,00000000), ref: 0048B662
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B66F
keybd_event.USER32(00000046,00000045,00000003,00000000), ref: 0048B67C

Strings

CTRLP, xrefs: 0048B56C
CTRLC, xrefs: 0048B4DC
CTRLV, xrefs: 0048B494
CTRLY, xrefs: 0048B5FC
CTRLF, xrefs: 0048B641
CTRLZ, xrefs: 0048B5B4
CTRLX, xrefs: 0048B524
CTRLA, xrefs: 0048B44C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00460AC0, Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99 Total matches: 300libraryloader

Similarity

Total matches: 300
API ID: GetProcAddress$GetModuleHandle
String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$[FILE]
API String ID: 1039376941-2682310058
Opcode ID: f09c306a48b0de2dd47c8210d3bd2ba449cfa3644c05cf78ba5a2ace6c780295
Instruction ID: bcfc9cd07546656776842482fc67dab96c7523a4dc8624f3bf5282ed84c56a54
Opcode Fuzzy Hash: 950151BF00AC158CCBB0CE8834EFB5324AB398984C4225F4495C6312393D9FF50A1AAA
Instruction Fuzzy Hash: bcfc9cd07546656776842482fc67dab96c7523a4dc8624f3bf5282ed84c56a54

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?,?,?), ref: 00460AD4
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?,?,?), ref: 00460AEC
GetProcAddress.KERNEL32(00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?), ref: 00460AFE
GetProcAddress.KERNEL32(00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E), ref: 00460B10
GetProcAddress.KERNEL32(00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5), ref: 00460B22
GetProcAddress.KERNEL32(00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5), ref: 00460B34
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000), ref: 00460B46
GetProcAddress.KERNEL32(00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002), ref: 00460B58
GetProcAddress.KERNEL32(00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot), ref: 00460B6A
GetProcAddress.KERNEL32(00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst), ref: 00460B7C
GetProcAddress.KERNEL32(00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext), ref: 00460B8E
GetProcAddress.KERNEL32(00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First), ref: 00460BA0
GetProcAddress.KERNEL32(00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next), ref: 00460BB2
GetProcAddress.KERNEL32(00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory), ref: 00460BC4
GetProcAddress.KERNEL32(00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First), ref: 00460BD6
GetProcAddress.KERNEL32(00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next), ref: 00460BE8
GetProcAddress.KERNEL32(00000000,Module32NextW,00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW), ref: 00460BFA

Strings

Toolhelp32ReadProcessMemory, xrefs: 00460B3E
CreateToolhelp32Snapshot, xrefs: 00460AE4
Heap32First, xrefs: 00460B1A
Thread32First, xrefs: 00460B98
Module32First, xrefs: 00460BBC
Process32FirstW, xrefs: 00460B74
Heap32Next, xrefs: 00460B2C
Process32First, xrefs: 00460B50
Module32Next, xrefs: 00460BCE
Module32NextW, xrefs: 00460BF2
Heap32ListFirst, xrefs: 00460AF6
Thread32Next, xrefs: 00460BAA
Module32FirstW, xrefs: 00460BE0
Heap32ListNext, xrefs: 00460B08
Process32NextW, xrefs: 00460B86
kernel32.dll, xrefs: 00460ACF
Process32Next, xrefs: 00460B62

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047FA8C, Relevance: 44.0, APIs: 24, Strings: 1, Instructions: 241 Total matches: 15networkwindow

Similarity

Total matches: 15
API ID: GetDeviceCaps$recv$DeleteObjectSelectObject$BitBltCreateCompatibleBitmapCreateCompatibleDCGetDCReleaseDCclosesocketconnectgethostbynameinet_addrntohssendshutdownsocket
String ID: THUMB
API String ID: 1930283203-3798143851
Opcode ID: 678904e15847db7bac48336b7cf5e320d4a41031a0bc1ba33978a791cdb2d37c
Instruction ID: a6e5d2826a1bfadec34d698d0b396fa74616cd31ac2933a690057ec4ea65ec21
Opcode Fuzzy Hash: A331F900078DE76BF6722B402983F571157FF42A21E6997A34BB4676C75FC0640EB60B
Instruction Fuzzy Hash: a6e5d2826a1bfadec34d698d0b396fa74616cd31ac2933a690057ec4ea65ec21

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,0047FD80), ref: 0047FACB
ntohs.WSOCK32(00000774), ref: 0047FAEF
inet_addr.WSOCK32(015EAA88,00000774), ref: 0047FB03
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 0047FB1B
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 0047FB42
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047FB59

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047FBA9
GetDC.USER32(00000000), ref: 0047FBE3
CreateCompatibleDC.GDI32(?), ref: 0047FBEF
GetDeviceCaps.GDI32(?,0000000A), ref: 0047FBFD
GetDeviceCaps.GDI32(?,00000008), ref: 0047FC09
CreateCompatibleBitmap.GDI32(?,00000000,?), ref: 0047FC13
SelectObject.GDI32(?,?), ref: 0047FC23
GetDeviceCaps.GDI32(?,0000000A), ref: 0047FC3E
GetDeviceCaps.GDI32(?,00000008), ref: 0047FC4A
BitBlt.GDI32(?,00000000,00000000,00000000,?,00000008,00000000,?,0000000A), ref: 0047FC58
send.WSOCK32(000000FF,?,00000000,00000000,?,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010), ref: 0047FCCD
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00000000,00000000,?,000000FF,?,00002000,00000000,000000FF,?,00002000), ref: 0047FCE4
SelectObject.GDI32(?,?), ref: 0047FD08
DeleteObject.GDI32(?), ref: 0047FD11
DeleteObject.GDI32(?), ref: 0047FD1A
ReleaseDC.USER32(00000000,?), ref: 0047FD25
shutdown.WSOCK32(000000FF,00000002,00000002,00000001,00000000,00000000,0047FD80), ref: 0047FD54
closesocket.WSOCK32(000000FF,000000FF,00000002,00000002,00000001,00000000,00000000,0047FD80), ref: 0047FD5D

Strings

THUMB, xrefs: 0047FB7F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486918, Relevance: 40.8, APIs: 27, Instructions: 343 Total matches: 14networksleep

Similarity

Total matches: 14
API ID: send$recv$closesocket$Sleepconnectgethostbynamegetsocknamentohsselectsocket
String ID:
API String ID: 2478304679-0
Opcode ID: 4d87a5330adf901161e92fb1ca319a93a9e59af002049e08fc24e9f18237b9f5
Instruction ID: e3ab2fee1e4498134b0ab76971bb2098cdaeb743d0e54aa66642cb2787f17742
Opcode Fuzzy Hash: 8F5159466792D79EF5A21F00640279192F68B03F25F05DB72D63A393D8CEC4009EBF08
Instruction Fuzzy Hash: e3ab2fee1e4498134b0ab76971bb2098cdaeb743d0e54aa66642cb2787f17742

APIs

recv.WSOCK32(?,?,00000002,00000002,00000000,00486E16), ref: 00486971
recv.WSOCK32(?,00000005,?,00000000), ref: 004869A0
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 004869EE
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486A0B
recv.WSOCK32(?,?,00000259,00000000,?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486A1F
send.WSOCK32(?,00000001,00000002,00000000), ref: 00486A9E
send.WSOCK32(?,00000001,00000002,00000000), ref: 00486ABB
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486AE8
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486B02
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486B2B
recv.WSOCK32(?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486B41
recv.WSOCK32(?,?,0000000C,00000000,?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486B7C
recv.WSOCK32(?,?,?,00000000,?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486BD9
gethostbyname.WSOCK32(00000000,?,?,?,00000000,?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486BFF
ntohs.WSOCK32(?,00000000,?,?,?,00000000,?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486C29
socket.WSOCK32(00000002,00000001,00000000), ref: 00486C44
connect.WSOCK32(00000000,00000002,00000010,00000002,00000001,00000000), ref: 00486C55
getsockname.WSOCK32(00000000,?,00000010,00000000,00000002,00000010,00000002,00000001,00000000), ref: 00486CA8
send.WSOCK32(?,00000005,0000000A,00000000,00000000,?,00000010,00000000,00000002,00000010,00000002,00000001,00000000), ref: 00486CDD
select.WSOCK32(00000000,?,00000000,00000000,00000000,?,00000005,0000000A,00000000,00000000,?,00000010,00000000,00000002,00000010,00000002), ref: 00486D1D
Sleep.KERNEL32(00000096,00000000,?,00000000,00000000,00000000,?,00000005,0000000A,00000000,00000000,?,00000010,00000000,00000002,00000010), ref: 00486DCA

Part of subcall function 00408710: __WSAFDIsSet.WSOCK32(00000000,?,00000000,?,00486D36,00000000,?,00000000,00000000,00000000,00000096,00000000,?,00000000,00000000,00000000), ref: 00408718

recv.WSOCK32(00000000,?,00001000,00000000,00000000,?,00000000,00000000,00000000,00000096,00000000,?,00000000,00000000,00000000,?), ref: 00486D5B
send.WSOCK32(?,?,00000000,00000000,00000000,?,00001000,00000000,00000000,?,00000000,00000000,00000000,00000096,00000000,?), ref: 00486D72
recv.WSOCK32(?,?,00001000,00000000,00000000,?,00000000,00000000,00000000,00000096,00000000,?,00000000,00000000,00000000,?), ref: 00486DA9
send.WSOCK32(00000000,?,00000000,00000000,?,?,00001000,00000000,00000000,?,00000000,00000000,00000000,00000096,00000000,?), ref: 00486DC0
closesocket.WSOCK32(?,?,?,00000002,00000002,00000000,00486E16), ref: 00486DE2
closesocket.WSOCK32(?,?,?,?,00000002,00000002,00000000,00486E16), ref: 00486DE8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004801FC, Relevance: 35.3, APIs: 15, Strings: 5, Instructions: 286 Total matches: 15network

Similarity

Total matches: 15
API ID: recv$closesocketconnectgethostbynameinet_addrntohssendshutdownsocket
String ID: [.dll]$[.dll]$[.dll]$[.dll]$[.dll]
API String ID: 2256622448-126193538
Opcode ID: edfb90c8b4475b2781d0696b1145c1d1b84b866ec8cac18c23b2313044de0fe7
Instruction ID: 2d95426e1e6ee9a744b3e863ef1b8a7e344b36da7f7d1abd741f771f4a8a1459
Opcode Fuzzy Hash: FB414B0217AAD36BE0726F413943B8B00A2AF03E15D9C97E247B5267D69FA0501DB21A
Instruction Fuzzy Hash: 2d95426e1e6ee9a744b3e863ef1b8a7e344b36da7f7d1abd741f771f4a8a1459

APIs

socket.WSOCK32(00000002,00000001,00000000), ref: 00480264
ntohs.WSOCK32(00000774), ref: 00480288
inet_addr.WSOCK32(015EAA88,00000774), ref: 0048029C
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 004802B4
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 004802DB
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004802F2
closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004805DE

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,?,0048064C,?,00000000,?,FILETRANSFER,000000FF,?,00002000,00000000,000000FF,00000002), ref: 0048036A
recv.WSOCK32(000000FF,?,00002000,00000000,?,00000000,?,0048064C,?,FILEBOF,?,FILETRANSFER,000000FF,?,00002000,00000000), ref: 00480401

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,00000000,?,0048064C,?,FILEBOF,?,FILETRANSFER), ref: 00480451
send.WSOCK32(000000FF,?,00000000,00000000,00000000,00480523,?,000000FF,?,00002000,00000000,?,00000000,?,0048064C,?), ref: 004804DB
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00000000,00000000,00000000,00480523,?,000000FF,?,00002000,00000000,?), ref: 004804F5
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,00000000,?,0048064C,?,FILEBOF,?,FILETRANSFER), ref: 00480583

Part of subcall function 00475F68: send.WSOCK32(?,00000000,?,00000000,00000000,00475FCA), ref: 00475FAF

recv.WSOCK32(000000FF,?,00002000,00000000,?,FILETRANSFER,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004805B6
shutdown.WSOCK32(000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004805D5

Strings

FILEERR, xrefs: 00480432
FILEEOF, xrefs: 00480564
FILEBOF, xrefs: 004803A6
FILEEND, xrefs: 00480597
FILETRANSFER, xrefs: 004802FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00480880, Relevance: 30.0, APIs: 12, Strings: 5, Instructions: 276 Total matches: 16network

Similarity

Total matches: 16
API ID: recv$closesocketshutdown$connectgethostbynameinet_addrntohssocket
String ID: [.dll]$[.dll]$[.dll]$[.dll]$[.dll]
API String ID: 2855376909-126193538
Opcode ID: ce8af9afc4fc20da17b49cda6627b8ca93217772cb051443fc0079949da9fcb3
Instruction ID: 6552a3c7cc817bd0bf0621291c8240d3f07fdfb759ea8c029e05bf9a4febe696
Opcode Fuzzy Hash: A5414C032767977AE1612F402881B952571BF03769DC8C7D257F6746EA5F60240EF31E
Instruction Fuzzy Hash: 6552a3c7cc817bd0bf0621291c8240d3f07fdfb759ea8c029e05bf9a4febe696

APIs

socket.WSOCK32(00000002,00000001,00000000,?,?,?,?,?,?,?,?,?,00000000,00480C86), ref: 004808B5
ntohs.WSOCK32(00000774), ref: 004808D9
inet_addr.WSOCK32(015EAA88,00000774), ref: 004808ED
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 00480905
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 0048092C
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480943
closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480C2F

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480993
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88), ref: 004809C8
shutdown.WSOCK32(000000FF,00000002,?,?,?,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000), ref: 00480B80
closesocket.WSOCK32(000000FF,000000FF,00000002,?,?,?,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?), ref: 00480B89

Part of subcall function 00480860: send.WSOCK32(?,00000000,00000001,00000000), ref: 00480879

shutdown.WSOCK32(000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480C26

Part of subcall function 00405D40: SysFreeString.OLEAUT32(?), ref: 00405D53

Strings

FILEERR, xrefs: 00480BB6
FILEBOF, xrefs: 00480A34
FILEEOF, xrefs: 00480B0B
UPLOADFILE, xrefs: 00480969
FILEEND, xrefs: 00480B6A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048851C, Relevance: 28.3, APIs: 11, Strings: 5, Instructions: 302 Total matches: 13network

Similarity

Total matches: 13
API ID: recv$closesocketconnectgethostbynameinet_addrmouse_eventntohsshutdownsocket
String ID: CONTROLIO$XLEFT$XMID$XRIGHT$XWHEEL
API String ID: 1694935655-1300867655
Opcode ID: 3d8ebbc3997d8a2a290d7fc83b0cdb9b95b23bbbcb8ad76760d2b66ee4a9946d
Instruction ID: 7e2e77316238cb3891ff65c9dc595f4b15bca55cd02a53a070d44cee5d55110c
Opcode Fuzzy Hash: C7410B051B8DD63BF4337E001883B422661FF02A24DC5ABD1ABB6766E75F40641EB74B
Instruction Fuzzy Hash: 7e2e77316238cb3891ff65c9dc595f4b15bca55cd02a53a070d44cee5d55110c

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00488943), ref: 00488581
ntohs.WSOCK32(00000774), ref: 004885A7
inet_addr.WSOCK32(015EAA88,00000774), ref: 004885BB
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 004885D3
connect.WSOCK32(?,00000002,00000010,015EAA88,00000774), ref: 004885FD
recv.WSOCK32(?,?,00002000,00000000,?,00000002,00000010,015EAA88,00000774), ref: 00488617

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(?,?,00002000,00000000,?,?,00002000,00000000,?,00000002,00000010,015EAA88,00000774), ref: 00488670
recv.WSOCK32(?,?,00002000,00000000,?,?,00002000,00000000,?,?,00002000,00000000,?,00000002,00000010,015EAA88), ref: 004886B7
mouse_event.USER32(00000800,00000000,00000000,00000000,00000000), ref: 00488743

Part of subcall function 00488F80: SetCursorPos.USER32(00000000,00000000), ref: 004890E0
Part of subcall function 00488F80: mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 004890FB
Part of subcall function 00488F80: mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 0048910A
Part of subcall function 00488F80: mouse_event.USER32(00000008,00000000,00000000,00000000,00000000), ref: 0048911B
Part of subcall function 00488F80: mouse_event.USER32(00000010,00000000,00000000,00000000,00000000), ref: 0048912A
Part of subcall function 00488F80: mouse_event.USER32(00000020,00000000,00000000,00000000,00000000), ref: 0048913B
Part of subcall function 00488F80: mouse_event.USER32(00000040,00000000,00000000,00000000,00000000), ref: 0048914A

shutdown.WSOCK32(?,00000002,00000002,00000001,00000000,00000000,00488943), ref: 00488907
closesocket.WSOCK32(?,?,00000002,00000002,00000001,00000000,00000000,00488943), ref: 00488913

Strings

XLEFT, xrefs: 004887C6
CONTROLIO, xrefs: 00488640
XRIGHT, xrefs: 0048882E
XMID, xrefs: 00488896
XWHEEL, xrefs: 00488701

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048317C, Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 191 Total matches: 13networkthread

Similarity

Total matches: 13
API ID: ExitThreadrecv$closesocketconnectgethostbynameinet_addrntohssendshutdownsocket
String ID: AI$DATAFLUX
API String ID: 321019756-425132630
Opcode ID: b7a2c89509495347fc3323384a94636a93f503423a5dcd762de1341b7d40447e
Instruction ID: d3bdd4e47b343d3b4fa6119c5e41daebd5c6236719acedab40bdc5f8245a3ecd
Opcode Fuzzy Hash: 4B214D4107AAD97AE4702A443881BA224165F535ADFD48B7147343F7D79E43205DFA4E
Instruction Fuzzy Hash: d3bdd4e47b343d3b4fa6119c5e41daebd5c6236719acedab40bdc5f8245a3ecd

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,004833A9,?,00000000,0048340F), ref: 00483247
ExitThread.KERNEL32(00000000,00000002,00000001,00000000,00000000,004833A9,?,00000000,0048340F), ref: 00483257
ntohs.WSOCK32(00000774), ref: 0048326E
inet_addr.WSOCK32(015EAA88,00000774), ref: 00483282
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 0048329A
ExitThread.KERNEL32(00000000,015EAA88,015EAA88,00000774), ref: 004832A7
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 004832C6
recv.WSOCK32(000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004832D7
ExitThread.KERNEL32(00000000,000000FF,000000FF,00000002,000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0048339A

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00000400,00000000,?,00483440,?,DATAFLUX,000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88), ref: 0048331D
send.WSOCK32(000000FF,?,00000000,00000000), ref: 0048335C
recv.WSOCK32(000000FF,?,00000400,00000000,000000FF,?,00000000,00000000), ref: 00483370
shutdown.WSOCK32(000000FF,00000002,000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00483382
closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0048338B

Strings

AI, xrefs: 00483218
DATAFLUX, xrefs: 004832E3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047F4E0, Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 295 Total matches: 16network

Similarity

Total matches: 16
API ID: recv$closesocketconnectgethostbynameinet_addrntohsshutdownsocket
String ID: [.dll]$PLUGIN$QUICKUP
API String ID: 3502134677-2029499634
Opcode ID: e0335874fa5fb0619f753044afc16a0783dc895853cb643f68a57d403a54b849
Instruction ID: e53faec40743fc20efac8ebff3967ea6891c829de5991c2041a7f36387638ce7
Opcode Fuzzy Hash: 8E4129031BAAEA76E1723F4029C2B851A62EF12635DC4C7E287F6652D65F60241DF60E
Instruction Fuzzy Hash: e53faec40743fc20efac8ebff3967ea6891c829de5991c2041a7f36387638ce7

APIs

socket.WSOCK32(00000002,00000001,00000000,?,00000000,0047F930,?,?,?,?,00000000,00000000), ref: 0047F543
ntohs.WSOCK32(00000774), ref: 0047F567
inet_addr.WSOCK32(015EAA88,00000774), ref: 0047F57B
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 0047F593
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F5BA
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F5D1
closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F8C2

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,?,0047F968,?,0047F968,?,QUICKUP,000000FF,?,00002000,00000000,000000FF,00000002), ref: 0047F63F
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,0047F968,?,0047F968,?,QUICKUP,000000FF,?), ref: 0047F66F

Part of subcall function 0047F4C0: send.WSOCK32(?,00000000,00000001,00000000), ref: 0047F4D9

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,0047F968,?,0047F968), ref: 0047F859

Part of subcall function 0048ADCC: SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0048ADF9
Part of subcall function 0048ADCC: SHGetPathFromIDListA.SHELL32(?,?,00000000,0048AE8C,?,?,00000005,?,004856FD,00000000,00485755,?,?,00000005,00000000,00000000), ref: 0048AE09

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,0047F968,?,0047F968), ref: 0047F786

Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EEA0
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF11
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EF31
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF60
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0047EF96
Part of subcall function 0047EE3C: SetFileAttributesA.KERNEL32(00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFD6
Part of subcall function 0047EE3C: DeleteFileA.KERNEL32(00000000,00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFFF
Part of subcall function 0047EE3C: CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0047F033
Part of subcall function 0047EE3C: PlaySoundA.WINMM(00000000,00000000,00000001,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047F059
Part of subcall function 0047EE3C: CopyFileA.KERNEL32(00000000,00000000,.dcp), ref: 0047F0D1

shutdown.WSOCK32(000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F8B9

Part of subcall function 00405D40: SysFreeString.OLEAUT32(?), ref: 00405D53

Strings

PLUGIN, xrefs: 0047F527
QUICKUP, xrefs: 0047F5DD
FILEEND, xrefs: 0047F7E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00489244, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 150 Total matches: 15networkthread

Similarity

Total matches: 15
API ID: recv$ExitThreadclosesocketconnectgethostbynameinet_addrntohssendshutdownsocket
String ID: AI$DATAFLUX
API String ID: 272284131-425132630
Opcode ID: 11f7e99e0a7c1cc561ab01f1b1abb0142bfc906553ec9d79ada03e9cf39adde9
Instruction ID: 4d7be339f0e68e68ccf0b59b667884dcbebc6bd1e5886c9405f519ae2503b2a6
Opcode Fuzzy Hash: DA115B4513B9A77BE0626F943842B6265236B02E3CF498B3153B83A3C6DF41146DFA4D
Instruction Fuzzy Hash: 4d7be339f0e68e68ccf0b59b667884dcbebc6bd1e5886c9405f519ae2503b2a6

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00489441), ref: 004892BA
ntohs.WSOCK32(00000774), ref: 004892DC
inet_addr.WSOCK32(015EAA88,00000774), ref: 004892F0
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 00489308
connect.WSOCK32(00000000,00000002,00000010,015EAA88,00000774), ref: 0048932C
recv.WSOCK32(00000000,?,00000400,00000000,00000000,00000002,00000010,015EAA88,00000774), ref: 00489340

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(00000000,?,00000400,00000000,?,0048946C,?,DATAFLUX,00000000,?,00000400,00000000,00000000,00000002,00000010,015EAA88), ref: 00489399
send.WSOCK32(00000000,?,00000000,00000000), ref: 004893E3
recv.WSOCK32(00000000,?,00000400,00000000,00000000,?,00000000,00000000), ref: 004893FA
shutdown.WSOCK32(00000000,00000002,00000002,00000001,00000000,00000000,00489441), ref: 00489409
closesocket.WSOCK32(00000000,00000000,00000002,00000002,00000001,00000000,00000000,00489441), ref: 0048940F
ExitThread.KERNEL32(00000000,00000000,00000000,00000002,00000002,00000001,00000000,00000000,00489441), ref: 0048941E

Strings

DATAFLUX, xrefs: 0048934C
AI, xrefs: 0048928B

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00406A68, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 139 Total matches: 2934stringlibraryfile

Similarity

Total matches: 2934
API ID: lstrcpyn$lstrlen$FindCloseFindFirstFileGetModuleHandleGetProcAddress
String ID: GetLongPathNameA$\$[FILE]
API String ID: 3661757112-3025972186
Opcode ID: 09af6d4fb3ce890a591f7b23fb756db22e1cbc03564fc0e4437be3767da6793e
Instruction ID: b14d932b19fc4064518abdddbac2846d3fd2a245794c3c1ecc53a3c556f9407d
Opcode Fuzzy Hash: 5A0148030E08E387E1775B017586F4A12A1EF41C38E98A36025F15BAC94E00300CF12F
Instruction Fuzzy Hash: b14d932b19fc4064518abdddbac2846d3fd2a245794c3c1ecc53a3c556f9407d

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,00400000,004917C0), ref: 00406A85
GetProcAddress.KERNEL32(?,GetLongPathNameA,kernel32.dll,?,00400000,004917C0), ref: 00406A9C
lstrcpynA.KERNEL32(?,?,?,?,00400000,004917C0), ref: 00406ACC
lstrcpynA.KERNEL32(?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B30

Part of subcall function 00406A48: CharNextA.USER32(?), ref: 00406A4F

lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B66
FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B79
FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B8B
lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B97
lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000), ref: 00406BCB
lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00406BD7
lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 00406BF9

Strings

GetLongPathNameA, xrefs: 00406A93
\, xrefs: 00406BA9
kernel32.dll, xrefs: 00406A80

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486E2C, Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 178 Total matches: 14networkthreadsleep

Similarity

Total matches: 14
API ID: CloseHandleCreateThreadExitThreadLocalAllocSleepacceptbindlistenntohssocket
String ID: ERR|Cannot listen to port, try another one..|$ERR|Socket error..|$OK|Successfully started..|
API String ID: 2137491959-3262568804
Opcode ID: 90fb1963c21165c4396d73d063bf7afe9f22d057a02fd569e7e66b2d14a70f73
Instruction ID: 0fda09cc725898a8dcbc65afb209be10fac5e25cc35172c883d426d9189e88b6
Opcode Fuzzy Hash: 9011D50257DC549BD5E7ACC83887FA611625F83E8CEC8BB06AB9A3B2C10E555028B652
Instruction Fuzzy Hash: 0fda09cc725898a8dcbc65afb209be10fac5e25cc35172c883d426d9189e88b6

APIs

socket.WSOCK32(00000002,00000001,00000006,00000000,00487046), ref: 00486E87
ntohs.WSOCK32(?,00000002,00000001,00000006,00000000,00487046), ref: 00486EA8
bind.WSOCK32(00000000,00000002,00000010,?,00000002,00000001,00000006,00000000,00487046), ref: 00486EBD
listen.WSOCK32(00000000,00000005,00000000,00000002,00000010,?,00000002,00000001,00000006,00000000,00487046), ref: 00486ECD

Part of subcall function 004870D4: EnterCriticalSection.KERNEL32(0049C3A8,00000000,004872FC,?,?,00000000,?,00000003,00000000,00000000,?,00486F27,00000000,?,?,00000000), ref: 00487110
Part of subcall function 004870D4: LeaveCriticalSection.KERNEL32(0049C3A8,004872E1,004872FC,?,?,00000000,?,00000003,00000000,00000000,?,00486F27,00000000,?,?,00000000), ref: 004872D4

accept.WSOCK32(00000000,?,00000010,00000000,?,?,00000000,00000000,00000005,00000000,00000002,00000010,?,00000002,00000001,00000006), ref: 00486F37
LocalAlloc.KERNEL32(00000040,00000010,00000000,?,00000010,00000000,?,?,00000000,00000000,00000005,00000000,00000002,00000010,?,00000002), ref: 00486F49
CreateThread.KERNEL32(00000000,00000000,Function_00086918,00000000,00000000,?), ref: 00486F83
CloseHandle.KERNEL32(00000000), ref: 00486F89
Sleep.KERNEL32(00000064,00000000,00000000,00000000,Function_00086918,00000000,00000000,?,00000040,00000010,00000000,?,00000010,00000000,?,?), ref: 00486FD0

Part of subcall function 00487488: EnterCriticalSection.KERNEL32(0049C3A8,00000000,00487671,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00487016), ref: 004874B5
Part of subcall function 00487488: closesocket.WSOCK32(00000000,FpH,?,?,?,?,0049C3A8,00000000,00487671,?,?,00000000,?,00000000,00000000,00000000), ref: 0048761C
Part of subcall function 00487488: LeaveCriticalSection.KERNEL32(0049C3A8,00487656,00487671,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00487016), ref: 00487649

ExitThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000010,?,00000002,00000001,00000006,00000000,00487046), ref: 00487018

Strings

ERR|Socket error..|, xrefs: 00486FA4
OK|Successfully started..|, xrefs: 00486EEF
ERR|Cannot listen to port, try another one..|, xrefs: 00486FEE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482630, Relevance: 18.1, APIs: 12, Instructions: 116 Total matches: 16threadnetworksleep

Similarity

Total matches: 16
API ID: ExitThread$Sleepclosesocketconnectgethostbynameinet_addrntohsrecvsocket
String ID:
API String ID: 2628901859-0
Opcode ID: a3aaf1e794ac1aa69d03c8f9e66797259df72f874d13839bb17dd00c6b42194d
Instruction ID: ff6d9d03150e41bc14cdbddfb540e41f41725cc753a621d047e760d4192c390a
Opcode Fuzzy Hash: 7801D0011B764DBFC4611E846C8239311A7A763899DC5EBB1433A395D34E00202DFE46
Instruction Fuzzy Hash: ff6d9d03150e41bc14cdbddfb540e41f41725cc753a621d047e760d4192c390a

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000000,004827A8), ref: 004826CB
ExitThread.KERNEL32(00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 004826D8
inet_addr.WSOCK32(00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 004826F3
ntohs.WSOCK32(00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 004826FC
gethostbyname.WSOCK32(00000000,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 0048270C
ExitThread.KERNEL32(00000000,00000000,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 00482719
connect.WSOCK32(00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 0048272F
ExitThread.KERNEL32(00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 0048273A

Part of subcall function 004824B0: send.WSOCK32(?,?,00000400,00000000,00000000,00482542), ref: 00482525

recv.WSOCK32(00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 00482758
Sleep.KERNEL32(000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 00482770
closesocket.WSOCK32(00000000,000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000), ref: 00482776
ExitThread.KERNEL32(00000000,00000000,000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?), ref: 0048277D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004821A0, Relevance: 15.1, APIs: 10, Instructions: 112 Total matches: 15threadnetworksleep

Similarity

Total matches: 15
API ID: ExitThread$Sleepclosesocketgethostbynameinet_addrntohssendtosocket
String ID:
API String ID: 1359030137-0
Opcode ID: 9f2e935b6ee09f04cbe2534d435647e5a9c7a25d7308ce71f3340d3606cd1e00
Instruction ID: ac1de70ce42b68397a6b2ea81eb33c5fd22f812bdd7d349b67f520e68fdd8bef
Opcode Fuzzy Hash: BC0197011B76997BD8612EC42C8335325A7E363498E85ABB2863A3A5C34E00303EFD4A
Instruction Fuzzy Hash: ac1de70ce42b68397a6b2ea81eb33c5fd22f812bdd7d349b67f520e68fdd8bef

APIs

socket.WSOCK32(00000002,00000002,00000000,?,00000000,00482302), ref: 0048223B
ExitThread.KERNEL32(00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 00482248
inet_addr.WSOCK32(00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 00482263
ntohs.WSOCK32(00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 0048226C
gethostbyname.WSOCK32(00000000,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 0048227C
ExitThread.KERNEL32(00000000,00000000,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 00482289
sendto.WSOCK32(00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 004822B2
Sleep.KERNEL32(000003E8,00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 004822CA
closesocket.WSOCK32(00000000,000003E8,00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 004822D0
ExitThread.KERNEL32(00000000,00000000,000003E8,00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000), ref: 004822D7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00458910, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64 Total matches: 3020window

Similarity

Total matches: 3020
API ID: GetWindowLongScreenToClient$GetWindowPlacementGetWindowRectIsIconic
String ID: ,
API String ID: 816554555-3772416878
Opcode ID: 33713ad712eb987f005f3c933c072ce84ce87073303cb20338137d5b66c4d54f
Instruction ID: 99fb2dd3f2d8984d329dcc6a20dc6bc7800d43894b91fc45d581d88d3a180e50
Opcode Fuzzy Hash: 34E0929A777C2018C58145A80943F5DB3519B5B7FAC55DF8036902895B110018B1B86D
Instruction Fuzzy Hash: 99fb2dd3f2d8984d329dcc6a20dc6bc7800d43894b91fc45d581d88d3a180e50

APIs

IsIconic.USER32(?), ref: 0045891F
GetWindowPlacement.USER32(?,0000002C), ref: 0045893C
GetWindowRect.USER32(?), ref: 00458955
GetWindowLongA.USER32(?,000000F0), ref: 00458963
GetWindowLongA.USER32(?,000000F8), ref: 00458978
ScreenToClient.USER32(00000000), ref: 00458985
ScreenToClient.USER32(00000000,?), ref: 00458990

Strings

,, xrefs: 00458928

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043B7D8, Relevance: 12.1, APIs: 8, Instructions: 72 Total matches: 256window

Similarity

Total matches: 256
API ID: ShowWindow$SetWindowLong$GetWindowLongIsIconicIsWindowVisible
String ID:
API String ID: 1329766111-0
Opcode ID: 851ee31c2da1c7e890e66181f8fd9237c67ccb8fd941b2d55d1428457ca3ad95
Instruction ID: 2d601e2c9dde570a1438639cb57e59d23a7ac9434ebe8ec1c9926e4533b8e8e7
Opcode Fuzzy Hash: FEE0684A6E7C6CE4E26AE7048881B00514BE307A17DC00B00C722165A69E8830E4AC8E
Instruction Fuzzy Hash: 2d601e2c9dde570a1438639cb57e59d23a7ac9434ebe8ec1c9926e4533b8e8e7

APIs

GetWindowLongA.USER32(?,000000EC), ref: 0043B7E8
IsIconic.USER32(?), ref: 0043B800
IsWindowVisible.USER32(?), ref: 0043B80C
ShowWindow.USER32(?,00000000), ref: 0043B840
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B855
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B866
ShowWindow.USER32(?,00000006), ref: 0043B881
ShowWindow.USER32(?,00000005), ref: 0043B88B

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004389B4, Relevance: 10.9, APIs: 7, Instructions: 405 Total matches: 2150windowCrypto

Similarity

Total matches: 2150
API ID: RestoreDCSaveDC$DefWindowProcGetSubMenuGetWindowDC
String ID:
API String ID: 4165311318-0
Opcode ID: e3974ea3235f2bde98e421c273a503296059dbd60f3116d5136c6e7e7c4a4110
Instruction ID: 37498faecac08611daeb58a409bdd2e28f3aff22c71556953c3d6c7203dc42a1
Opcode Fuzzy Hash: E351598106AE105BFCB3A49435C3FA31002E75259BCC9F7725F65B69F70A426107FA0E
Instruction Fuzzy Hash: 37498faecac08611daeb58a409bdd2e28f3aff22c71556953c3d6c7203dc42a1

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 00438ECA

Part of subcall function 00437AE0: SendMessageA.USER32(?,00000234,00000000,00000000), ref: 00437B66
Part of subcall function 00437AE0: DrawMenuBar.USER32(00000000), ref: 00437B77

GetSubMenu.USER32(?,?), ref: 00438AB0

Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128

SaveDC.GDI32(?), ref: 00438C84
RestoreDC.GDI32(?,?), ref: 00438CF8
GetWindowDC.USER32(?), ref: 00438D72
SaveDC.GDI32(?), ref: 00438DA9
RestoreDC.GDI32(?,?), ref: 00438E16

Part of subcall function 00438594: GetMenuItemCount.USER32(?), ref: 004385C0
Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 004385E0
Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 00438678

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043E644, Relevance: 10.9, APIs: 7, Instructions: 356 Total matches: 105windowCrypto

Similarity

Total matches: 105
API ID: RestoreDCSaveDC$GetParentGetWindowDCSetFocus
String ID:
API String ID: 1433148327-0
Opcode ID: c7c51054c34f8cc51c1d37cc0cdfc3fb3cac56433bd5d750a0ee7df42f9800ec
Instruction ID: 9e67841575b56d9a11e2d3f15b67e7abce699d8469a9871b1b2609441fc85f19
Opcode Fuzzy Hash: 60514740199E7193F47720842BC3BEAB09AF79671DC40F3616BC6318877F15A21AB70B
Instruction Fuzzy Hash: 9e67841575b56d9a11e2d3f15b67e7abce699d8469a9871b1b2609441fc85f19

APIs

Part of subcall function 00448224: SetActiveWindow.USER32(?), ref: 0044823F
Part of subcall function 00448224: SetFocus.USER32(00000000), ref: 00448289

SetFocus.USER32(00000000), ref: 0043E76F

Part of subcall function 0043F4F4: SendMessageA.USER32(00000000,00000229,00000000,00000000), ref: 0043F51B

Part of subcall function 0044D2F4: GetWindowThreadProcessId.USER32(?), ref: 0044D301
Part of subcall function 0044D2F4: GetCurrentProcessId.KERNEL32(?,00000000,?,004387ED,?,004378A9), ref: 0044D30A
Part of subcall function 0044D2F4: GlobalFindAtomA.KERNEL32(00000000), ref: 0044D31F
Part of subcall function 0044D2F4: GetPropA.USER32(?,00000000), ref: 0044D336

GetParent.USER32(?), ref: 0043E78A

Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128

SaveDC.GDI32(?), ref: 0043E92D
RestoreDC.GDI32(?,?), ref: 0043E99E
GetWindowDC.USER32(00000000), ref: 0043EA0A
SaveDC.GDI32(?), ref: 0043EA41
RestoreDC.GDI32(?,?), ref: 0043EAA5

Part of subcall function 00447EF0: InvalidateRect.USER32(00000000,00000000,000000FF), ref: 00447F83
Part of subcall function 00447EF0: InvalidateRect.USER32(00000000,00000000,000000FF), ref: 00447FB6

Part of subcall function 004556F4: SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000077), ref: 004557E5
Part of subcall function 004556F4: _TrackMouseEvent.COMCTL32(00000010), ref: 00455A9D
Part of subcall function 004556F4: DefWindowProcA.USER32(00000000,?,?,?), ref: 00455AEF
Part of subcall function 004556F4: GetCapture.USER32 ref: 00455B5A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00471850, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 97 Total matches: 34service

Similarity

Total matches: 34
API ID: CloseServiceHandle$CreateServiceOpenSCManager
String ID: Description$System\CurrentControlSet\Services\
API String ID: 2405299899-3489731058
Opcode ID: 96e252074fe1f6aca618bd4c8be8348df4b99afc93868a54bf7090803d280f0a
Instruction ID: 14b9cf690ce9596509c6229b802a5a61d158de39c8e329de654368bbb4824ff8
Opcode Fuzzy Hash: 7EF09E441FA6E84FA45EB84828533D651465713A78D4C77F19778379C34E84802EF662
Instruction Fuzzy Hash: 14b9cf690ce9596509c6229b802a5a61d158de39c8e329de654368bbb4824ff8

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,00471976,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00471890
CreateServiceA.ADVAPI32(00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,0047193B), ref: 004718D1

Part of subcall function 004711E8: RegCreateKeyA.ADVAPI32(?,00000000,?), ref: 0047122E
Part of subcall function 004711E8: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000002,00000000,?,00000000,00471291), ref: 0047125A
Part of subcall function 004711E8: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000002,00000000,?,00000000,00471291), ref: 00471269

CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00471926
CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0047192C

Strings

Description, xrefs: 00471916
System\CurrentControlSet\Services\, xrefs: 004718F7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004714B8, Relevance: 10.6, APIs: 7, Instructions: 89 Total matches: 71service

Similarity

Total matches: 71
API ID: CloseServiceHandle$ControlServiceOpenSCManagerOpenServiceQueryServiceStatusStartService
String ID:
API String ID: 3657116338-0
Opcode ID: 1e9d444eec48d0e419340f6fec950ff588b94c8e7592a950f99d2ba7664d31f8
Instruction ID: f731b938185626ba78ad74946a73eac4c40bc8709c87a2b6d5c22da45b1e1850
Opcode Fuzzy Hash: EDF0270D12C6E85FF119A88C1181B67D992DF56795E4A37E04715744CB1AE21008FA1E
Instruction Fuzzy Hash: f731b938185626ba78ad74946a73eac4c40bc8709c87a2b6d5c22da45b1e1850

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047159E), ref: 004714FD
OpenServiceA.ADVAPI32(00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047152D
StartServiceA.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471555
ControlService.ADVAPI32(00000000,00000001,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471563
QueryServiceStatus.ADVAPI32(00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047156D
CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471573
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471579

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A070, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51 Total matches: 81shutdown

Similarity

Total matches: 81
API ID: AdjustTokenPrivilegesExitWindowsExGetCurrentProcessLookupPrivilegeValueOpenProcessToken
String ID: SeShutdownPrivilege
API String ID: 907618230-3733053543
Opcode ID: 6325c351eeb4cc5a7ec0039467aea46e8b54e3429b17674810d590d1af91e24f
Instruction ID: 66577e1e564058a64f67eda116e8e082f314cb3670dbe1b8773e92ba7f33d392
Opcode Fuzzy Hash: 84D0124D3B7976B1F31D5D4001C47A6711FDBA322AD61670069507725A8DA091F4BE88
Instruction Fuzzy Hash: 66577e1e564058a64f67eda116e8e082f314cb3670dbe1b8773e92ba7f33d392

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 0048A083
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0048A089
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000000), ref: 0048A0A4
AdjustTokenPrivileges.ADVAPI32(00000002,00000000,00000002,00000010,?,?,00000000), ref: 0048A0E5
ExitWindowsEx.USER32(00000012,00000000), ref: 0048A0ED

Strings

SeShutdownPrivilege, xrefs: 0048A09D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004715B0, Relevance: 7.5, APIs: 5, Instructions: 49 Total matches: 102service

Similarity

Total matches: 102
API ID: CloseServiceHandle$DeleteServiceOpenSCManagerOpenService
String ID:
API String ID: 3460840894-0
Opcode ID: edfa3289dfdb26ec1f91a4a945de349b204e0a604ed3354c303b362bde8b8223
Instruction ID: 514bcffe4070602af344c66095507f6a8d55ec3e3e7bb18c804bf3b7deea95f5
Opcode Fuzzy Hash: 01D02E841BA8F82FD4879988111239360C1AA23A90D8A37F08E08361D3ABE4004CF86A
Instruction Fuzzy Hash: 514bcffe4070602af344c66095507f6a8d55ec3e3e7bb18c804bf3b7deea95f5

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047162F), ref: 004715DB
OpenServiceA.ADVAPI32(00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 004715F5
DeleteService.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471601
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 0047160E
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471614

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474D58, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 57 Total matches: 14memoryinjection

Similarity

Total matches: 14
API ID: VirtualAllocExWriteProcessMemory
String ID: DCPERSFWBP$[FILE]
API String ID: 1899012086-3297815924
Opcode ID: 423b64deca3bc68d45fc180ef4fe9512244710ab636da43375ed106f5e876429
Instruction ID: 67bfdac44fec7567ab954589a4a4ae8848f6352de5e33de26bc6a5b7174d46b5
Opcode Fuzzy Hash: 4BD02B4149BDE17FF94C78C4A85678341A7D3173DCE802F51462633086CD94147EFCA2
Instruction Fuzzy Hash: 67bfdac44fec7567ab954589a4a4ae8848f6352de5e33de26bc6a5b7174d46b5

APIs

VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?,00000000,00000000,00000000,?,004755A7), ref: 00474D98
WriteProcessMemory.KERNEL32(?,00000000,kernel32.dll,?,?,?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?), ref: 00474DBE

Strings

DCPERSFWBP, xrefs: 00474D63
kernel32.dll, xrefs: 00474DBB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00466038, Relevance: 6.1, APIs: 4, Instructions: 80 Total matches: 74memory

Similarity

Total matches: 74
API ID: FreeLibraryGetProcessHeapHeapFreeVirtualFree
String ID:
API String ID: 3842653680-0
Opcode ID: 18c634abe08efcbefc55c9db1d620b030a08f63fe7277eb6ecf1dfb863243027
Instruction ID: c74000fe1f08e302fb3e428a7eb38cba65dd626a731774cc3da5921c0d19fb8b
Opcode Fuzzy Hash: 05E06801058482C6E4EC38C40607F0867817F8B269D70AB2809F62E7F7C985A25D5E80
Instruction Fuzzy Hash: c74000fe1f08e302fb3e428a7eb38cba65dd626a731774cc3da5921c0d19fb8b

APIs

FreeLibrary.KERNEL32(00000000,?,?,00000000,?,00000000,00465C6C), ref: 004660A7
VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,?,00000000,00465C6C), ref: 004660D8
GetProcessHeap.KERNEL32(00000000,?,?,?,00000000,?,00000000,00465C6C), ref: 004660E0
HeapFree.KERNEL32(00000000,00000000,?), ref: 004660E6

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A218, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45 Total matches: 35

Similarity

Total matches: 35
API ID: ShellExecuteEx
String ID: <$runas
API String ID: 188261505-1187129395
Opcode ID: 78fd917f465efea932f782085a819b786d64ecbded851ad2becd4a9c2b295cba
Instruction ID: 699417cfffd9d2823bf050fc300394e0ca4864bf277244f982f3937778f2d3bc
Opcode Fuzzy Hash: 44D0C2651799A06BC4A3B2C03C41B2B25307B13B48C0EB722960034CD38F080009EF85
Instruction Fuzzy Hash: 699417cfffd9d2823bf050fc300394e0ca4864bf277244f982f3937778f2d3bc

APIs

ShellExecuteExA.SHELL32(0000003C,00000000,0048A2A4), ref: 0048A283

Strings

runas, xrefs: 0048A268
<, xrefs: 0048A24C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00471640, Relevance: 4.6, APIs: 3, Instructions: 140 Total matches: 47service

Similarity

Total matches: 47
API ID: CloseServiceHandleEnumServicesStatusOpenSCManager
String ID:
API String ID: 233299287-0
Opcode ID: 185c547a2e6a35dbb7ea54b3dd23c7efef250d35a63269c87f9c499be03b9b38
Instruction ID: 4325fe5331610a1e4ee3b19dd885bf5302e7ab4f054d8126da991c50fe425a8d
Opcode Fuzzy Hash: D3112647077BC223FB612D841803F8279D84B1AA24F8C4B458BB5BC6F61E490105F69D
Instruction Fuzzy Hash: 4325fe5331610a1e4ee3b19dd885bf5302e7ab4f054d8126da991c50fe425a8d

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000005,00000000,00471828), ref: 004716A2
EnumServicesStatusA.ADVAPI32(00000000,0000013F,00000003,?,00004800,?,?,?), ref: 004716DC

Part of subcall function 004714B8: OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047159E), ref: 004714FD
Part of subcall function 004714B8: OpenServiceA.ADVAPI32(00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047152D
Part of subcall function 004714B8: StartServiceA.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471555
Part of subcall function 004714B8: ControlService.ADVAPI32(00000000,00000001,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471563
Part of subcall function 004714B8: QueryServiceStatus.ADVAPI32(00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047156D
Part of subcall function 004714B8: CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471573
Part of subcall function 004714B8: CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471579

CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000005,00000000,00471828), ref: 00471805

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042F204, Relevance: 166.5, APIs: 48, Strings: 47, Instructions: 266 Total matches: 2590libraryloader

Similarity

Total matches: 2590
API ID: GetProcAddress$LoadLibrary
String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$[FILE]
API String ID: 2209490600-790253602
Opcode ID: d5b316937265a1d63c550ac9e6780b23ae603b9b00a4eb52bbd2495b45327185
Instruction ID: cdd6db89471e363eb0c024dafd59dce8bdfa3de864d9ed8bc405e7c292d3cab1
Opcode Fuzzy Hash: 3A41197F44EC1149F6A0DA0830FF64324E669EAF2C0325F101587303717ADBF52A6AB9
Instruction Fuzzy Hash: cdd6db89471e363eb0c024dafd59dce8bdfa3de864d9ed8bc405e7c292d3cab1

APIs

LoadLibraryA.KERNEL32(uxtheme.dll), ref: 0042F23A
GetProcAddress.KERNEL32(00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F252
GetProcAddress.KERNEL32(00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F264
GetProcAddress.KERNEL32(00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F276
GetProcAddress.KERNEL32(00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F288
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F29A
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F2AC
GetProcAddress.KERNEL32(00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000), ref: 0042F2BE
GetProcAddress.KERNEL32(00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData), ref: 0042F2D0
GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData), ref: 0042F2E2
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground), ref: 0042F2F4
GetProcAddress.KERNEL32(00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText), ref: 0042F306
GetProcAddress.KERNEL32(00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect), ref: 0042F318
GetProcAddress.KERNEL32(00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect), ref: 0042F32A
GetProcAddress.KERNEL32(00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize), ref: 0042F33C
GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent), ref: 0042F34E
GetProcAddress.KERNEL32(00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics), ref: 0042F360
GetProcAddress.KERNEL32(00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion), ref: 0042F372
GetProcAddress.KERNEL32(00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground), ref: 0042F384
GetProcAddress.KERNEL32(00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge), ref: 0042F396
GetProcAddress.KERNEL32(00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon), ref: 0042F3A8
GetProcAddress.KERNEL32(00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined), ref: 0042F3BA
GetProcAddress.KERNEL32(00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent), ref: 0042F3CC
GetProcAddress.KERNEL32(00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor), ref: 0042F3DE
GetProcAddress.KERNEL32(00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric), ref: 0042F3F0
GetProcAddress.KERNEL32(00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString), ref: 0042F402
GetProcAddress.KERNEL32(00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool), ref: 0042F414
GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt), ref: 0042F426
GetProcAddress.KERNEL32(00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue), ref: 0042F438
GetProcAddress.KERNEL32(00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition), ref: 0042F44A
GetProcAddress.KERNEL32(00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont), ref: 0042F45C
GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect), ref: 0042F46E
GetProcAddress.KERNEL32(00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins), ref: 0042F480
GetProcAddress.KERNEL32(00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList), ref: 0042F492
GetProcAddress.KERNEL32(00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin), ref: 0042F4A4
GetProcAddress.KERNEL32(00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme), ref: 0042F4B6
GetProcAddress.KERNEL32(00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename), ref: 0042F4C8
GetProcAddress.KERNEL32(00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor), ref: 0042F4DA
GetProcAddress.KERNEL32(00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush), ref: 0042F4EC
GetProcAddress.KERNEL32(00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool), ref: 0042F4FE
GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize), ref: 0042F510
GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont), ref: 0042F522
GetProcAddress.KERNEL32(00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString), ref: 0042F534
GetProcAddress.KERNEL32(00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt), ref: 0042F546
GetProcAddress.KERNEL32(00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive), ref: 0042F558
GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed), ref: 0042F56A
GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground,00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme), ref: 0042F57C
GetProcAddress.KERNEL32(00000000,EnableTheming,00000000,DrawThemeParentBackground,00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture), ref: 0042F58E

Strings

EnableTheming, xrefs: 0042F586
CloseThemeData, xrefs: 0042F25C
DrawThemeText, xrefs: 0042F280
GetThemePosition, xrefs: 0042F3C4
IsThemeBackgroundPartiallyTransparent, xrefs: 0042F346
GetThemeBool, xrefs: 0042F38E
GetThemeTextMetrics, xrefs: 0042F2DA
IsThemeDialogTextureEnabled, xrefs: 0042F51A
GetThemeMetric, xrefs: 0042F36A
GetThemeSysInt, xrefs: 0042F4C0
GetThemeInt, xrefs: 0042F3A0
SetThemeAppProperties, xrefs: 0042F53E
IsAppThemed, xrefs: 0042F4E4
EnableThemeDialogTexture, xrefs: 0042F508
GetThemeEnumValue, xrefs: 0042F3B2
GetThemeSysSize, xrefs: 0042F48A
GetThemeTextExtent, xrefs: 0042F2C8
DrawThemeBackground, xrefs: 0042F26E
GetThemeBackgroundRegion, xrefs: 0042F2EC
IsThemeActive, xrefs: 0042F4D2
GetThemeBackgroundContentRect, xrefs: 0042F292, 0042F2A4
uxtheme.dll, xrefs: 0042F235
GetThemeSysString, xrefs: 0042F4AE
DrawThemeEdge, xrefs: 0042F310
GetThemeFilename, xrefs: 0042F442
GetThemeIntList, xrefs: 0042F40C
GetThemeSysBool, xrefs: 0042F478
GetThemeSysColor, xrefs: 0042F454
GetThemeFont, xrefs: 0042F3D6
GetWindowTheme, xrefs: 0042F4F6
GetThemeMargins, xrefs: 0042F3FA
GetThemeSysColorBrush, xrefs: 0042F466
GetCurrentThemeName, xrefs: 0042F550
GetThemeAppProperties, xrefs: 0042F52C
GetThemePropertyOrigin, xrefs: 0042F41E
OpenThemeData, xrefs: 0042F24A
GetThemeSysFont, xrefs: 0042F49C
GetThemeRect, xrefs: 0042F3E8
GetThemeDocumentationProperty, xrefs: 0042F562
IsThemePartDefined, xrefs: 0042F334
SetWindowTheme, xrefs: 0042F430
GetThemePartSize, xrefs: 0042F2B6
GetThemeColor, xrefs: 0042F358
DrawThemeParentBackground, xrefs: 0042F574
DrawThemeIcon, xrefs: 0042F322
GetThemeString, xrefs: 0042F37C
HitTestThemeBackground, xrefs: 0042F2FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004754C4, Relevance: 87.7, APIs: 29, Strings: 21, Instructions: 233 Total matches: 21libraryloaderprocess

Similarity

Total matches: 21
API ID: GetModuleHandleGetProcAddress$CreateProcess
String ID: CloseHandle$CreateMutexA$CreateProcessA$D$DCPERSFWBP$ExitThread$GetExitCodeProcess$GetLastError$GetProcAddress$LoadLibraryA$MessageBoxA$OpenProcess$SetLastError$Sleep$TerminateProcess$WaitForSingleObject$kernel32$[FILE]$notepad$user32$[FILE]
API String ID: 3751337051-3523759359
Opcode ID: 948186da047cc935dcd349cc6fe59913c298c2f7fe37e158e253dfef2729ac1f
Instruction ID: 4cc698827aad1f96db961776656dbb42e561cfa105640199e72939f2d3a7da76
Opcode Fuzzy Hash: 0C31B4E666B8F349E6362E4830D46BC26C1A687F3DB52D7004A37B27C46E810407F776
Instruction Fuzzy Hash: 4cc698827aad1f96db961776656dbb42e561cfa105640199e72939f2d3a7da76

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 00475590

Part of subcall function 00474D58: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?,00000000,00000000,00000000,?,004755A7), ref: 00474D98
Part of subcall function 00474D58: WriteProcessMemory.KERNEL32(?,00000000,kernel32.dll,?,?,?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?), ref: 00474DBE

GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756B4
GetProcAddress.KERNEL32(00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756BA
GetModuleHandleA.KERNEL32(kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756CB
GetProcAddress.KERNEL32(00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756D1
GetModuleHandleA.KERNEL32(kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756E3
GetProcAddress.KERNEL32(00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 004756E9
GetModuleHandleA.KERNEL32(user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 004756FB
GetProcAddress.KERNEL32(00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 00475701
GetModuleHandleA.KERNEL32(kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 00475713
GetProcAddress.KERNEL32(00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000), ref: 00475719
GetModuleHandleA.KERNEL32(kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32), ref: 0047572B
GetProcAddress.KERNEL32(00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000), ref: 00475731
GetModuleHandleA.KERNEL32(kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32), ref: 00475743
GetProcAddress.KERNEL32(00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000), ref: 00475749
GetModuleHandleA.KERNEL32(kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32), ref: 0047575B
GetProcAddress.KERNEL32(00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000), ref: 00475761
GetModuleHandleA.KERNEL32(kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32), ref: 00475773
GetProcAddress.KERNEL32(00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000), ref: 00475779
GetModuleHandleA.KERNEL32(kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32), ref: 0047578B
GetProcAddress.KERNEL32(00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000), ref: 00475791
GetModuleHandleA.KERNEL32(kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32), ref: 004757A3
GetProcAddress.KERNEL32(00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000), ref: 004757A9
GetModuleHandleA.KERNEL32(kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32), ref: 004757BB
GetProcAddress.KERNEL32(00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000), ref: 004757C1
GetModuleHandleA.KERNEL32(kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32), ref: 004757D3
GetProcAddress.KERNEL32(00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000), ref: 004757D9
GetModuleHandleA.KERNEL32(kernel32,OpenProcess,00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32), ref: 004757EB
GetProcAddress.KERNEL32(00000000,kernel32,OpenProcess,00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000), ref: 004757F1

Part of subcall function 00474E20: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00474E5E
Part of subcall function 00474E20: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00474E6E
Part of subcall function 00474E20: ReadProcessMemory.KERNEL32(?,00000000,?,?,?,DCPERSFWBP,?,?), ref: 00474E81

Part of subcall function 0040F234: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0048F90F,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040F24B

Strings

ExitThread, xrefs: 00475622, 00475799
kernel32, xrefs: 004756AF, 004756C6, 004756DE, 0047570E, 00475726, 0047573E, 00475756, 0047576E, 00475786, 0047579E, 004757B6, 004757CE, 004757E6
GetProcAddress, xrefs: 004756C1
TerminateProcess, xrefs: 0047564C, 004757B1
notepad, xrefs: 00475543
CreateMutexA, xrefs: 00475604, 00475769
kernel32.dll, xrefs: 0047559B
user32.dll, xrefs: 004755AA
SetLastError, xrefs: 004755F5, 00475751
D, xrefs: 00475517
DCPERSFWBP, xrefs: 00475563
Sleep, xrefs: 004755B9, 004756D9
GetExitCodeProcess, xrefs: 0047565B, 00475781
user32, xrefs: 004756F6
WaitForSingleObject, xrefs: 0047567E, 004757C9
LoadLibraryA, xrefs: 004756AA
OpenProcess, xrefs: 00475631, 004757E1
MessageBoxA, xrefs: 004755C8, 004756F1
CreateProcessA, xrefs: 004755D7, 00475721
GetLastError, xrefs: 004755E6, 00475739
CloseHandle, xrefs: 00475613, 00475709

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00460DDC, Relevance: 75.4, APIs: 24, Strings: 19, Instructions: 132 Total matches: 77libraryloader

Similarity

Total matches: 77
API ID: GetProcAddress$LoadLibrary
String ID: EmptyWorkingSet$EnumDeviceDrivers$EnumProcessModules$EnumProcesses$GetDeviceDriverBaseNameA$GetDeviceDriverBaseNameW$GetDeviceDriverFileNameA$GetDeviceDriverFileNameW$GetMappedFileNameA$GetMappedFileNameW$GetModuleBaseNameA$GetModuleBaseNameW$GetModuleFileNameExA$GetModuleFileNameExW$GetModuleInformation$GetProcessMemoryInfo$InitializeProcessForWsWatch$[FILE]$QueryWorkingSet
API String ID: 2209490600-4166134900
Opcode ID: aaefed414f62a40513f9ac2234ba9091026a29d00b8defe743cdf411cc1f958a
Instruction ID: 585c55804eb58d57426aaf25b5bf4c27b161b10454f9e43d23d5139f544de849
Opcode Fuzzy Hash: CC1125BF55AD1149CBA48A6C34EF70324D3399A90D4228F10A492317397DDFE49A1FB5
Instruction Fuzzy Hash: 585c55804eb58d57426aaf25b5bf4c27b161b10454f9e43d23d5139f544de849

APIs

LoadLibraryA.KERNEL32(PSAPI.dll), ref: 00460DF0
GetProcAddress.KERNEL32(00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E0C
GetProcAddress.KERNEL32(00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E1E
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E30
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E42
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E54
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E66
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll), ref: 00460E78
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses), ref: 00460E8A
GetProcAddress.KERNEL32(00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules), ref: 00460E9C
GetProcAddress.KERNEL32(00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA), ref: 00460EAE
GetProcAddress.KERNEL32(00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA), ref: 00460EC0
GetProcAddress.KERNEL32(00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA), ref: 00460ED2
GetProcAddress.KERNEL32(00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA), ref: 00460EE4
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW), ref: 00460EF6
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW), ref: 00460F08
GetProcAddress.KERNEL32(00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation), ref: 00460F1A
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet), ref: 00460F2C
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet), ref: 00460F3E
GetProcAddress.KERNEL32(00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch), ref: 00460F50
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA), ref: 00460F62
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA), ref: 00460F74
GetProcAddress.KERNEL32(00000000,EnumDeviceDrivers,00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA), ref: 00460F86
GetProcAddress.KERNEL32(00000000,GetProcessMemoryInfo,00000000,EnumDeviceDrivers,00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA), ref: 00460F98

Strings

GetDeviceDriverFileNameA, xrefs: 00460F00, 00460F36
GetModuleInformation, xrefs: 00460E94
QueryWorkingSet, xrefs: 00460EB8
EnumProcessModules, xrefs: 00460E16
InitializeProcessForWsWatch, xrefs: 00460ECA
GetMappedFileNameA, xrefs: 00460EDC, 00460F12
GetDeviceDriverFileNameW, xrefs: 00460F6C
GetDeviceDriverBaseNameA, xrefs: 00460EEE, 00460F24
PSAPI.dll, xrefs: 00460DEB
EnumProcesses, xrefs: 00460E04
EnumDeviceDrivers, xrefs: 00460F7E
GetModuleBaseNameA, xrefs: 00460E28, 00460E4C
GetModuleFileNameExA, xrefs: 00460E3A, 00460E5E
GetDeviceDriverBaseNameW, xrefs: 00460F5A
EmptyWorkingSet, xrefs: 00460EA6
GetModuleFileNameExW, xrefs: 00460E82
GetModuleBaseNameW, xrefs: 00460E70
GetMappedFileNameW, xrefs: 00460F48
GetProcessMemoryInfo, xrefs: 00460F90

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474F80, Relevance: 68.4, APIs: 23, Strings: 16, Instructions: 193 Total matches: 16libraryloaderprocess

Similarity

Total matches: 16
API ID: GetModuleHandleGetProcAddress$CreateProcess
String ID: CloseHandle$D$DeleteFileA$ExitThread$GetExitCodeProcess$GetLastError$GetProcAddress$LoadLibraryA$MessageBoxA$OpenProcess$Sleep$TerminateProcess$kernel32$[FILE]$notepad$[FILE]
API String ID: 3751337051-1992750546
Opcode ID: f3e5bd14b9eca4547e1d82111e60eaf505a3b72a2acd12d9f4d60f775fac33f7
Instruction ID: 521cd1f5f1d68558a350981a4af58b67496248f6491df8a54ee4dd11dd84c66b
Opcode Fuzzy Hash: 6C21A7BE2678E349F6766E1834D567C2491BA46A38B4AEB010237376C44F91000BFF76
Instruction Fuzzy Hash: 521cd1f5f1d68558a350981a4af58b67496248f6491df8a54ee4dd11dd84c66b

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0047500B

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

Part of subcall function 00474D58: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?,00000000,00000000,00000000,?,004755A7), ref: 00474D98
Part of subcall function 00474D58: WriteProcessMemory.KERNEL32(?,00000000,kernel32.dll,?,?,?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?), ref: 00474DBE

GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000,00475246), ref: 0047511C
GetProcAddress.KERNEL32(00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000,00475246), ref: 00475122
GetModuleHandleA.KERNEL32(kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000), ref: 00475133
GetProcAddress.KERNEL32(00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 00475139
GetModuleHandleA.KERNEL32(kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000), ref: 0047514B
GetProcAddress.KERNEL32(00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000), ref: 00475151
GetModuleHandleA.KERNEL32(kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000), ref: 00475163
GetProcAddress.KERNEL32(00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000), ref: 00475169
GetModuleHandleA.KERNEL32(kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000), ref: 0047517B
GetProcAddress.KERNEL32(00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000), ref: 00475181
GetModuleHandleA.KERNEL32(kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32), ref: 00475193
GetProcAddress.KERNEL32(00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000), ref: 00475199
GetModuleHandleA.KERNEL32(kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32), ref: 004751AB
GetProcAddress.KERNEL32(00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000), ref: 004751B1
GetModuleHandleA.KERNEL32(kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32), ref: 004751C3
GetProcAddress.KERNEL32(00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000), ref: 004751C9
GetModuleHandleA.KERNEL32(kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32), ref: 004751DB
GetProcAddress.KERNEL32(00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000), ref: 004751E1
GetModuleHandleA.KERNEL32(kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32), ref: 004751F3
GetProcAddress.KERNEL32(00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000), ref: 004751F9
GetModuleHandleA.KERNEL32(kernel32,GetExitCodeProcess,00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32), ref: 0047520B
GetProcAddress.KERNEL32(00000000,kernel32,GetExitCodeProcess,00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000), ref: 00475211

Part of subcall function 00474E20: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00474E5E
Part of subcall function 00474E20: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00474E6E
Part of subcall function 00474E20: ReadProcessMemory.KERNEL32(?,00000000,?,?,?,DCPERSFWBP,?,?), ref: 00474E81

Part of subcall function 0040F234: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0048F90F,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040F24B

Strings

DeleteFileA, xrefs: 0047509B, 00475189
user32.dll, xrefs: 0047505F
LoadLibraryA, xrefs: 00475112
Sleep, xrefs: 0047506E, 00475141
notepad, xrefs: 00475025
OpenProcess, xrefs: 004750D7, 004751E9
kernel32.dll, xrefs: 00475050
GetProcAddress, xrefs: 00475129
ExitThread, xrefs: 0047508C, 00475171
TerminateProcess, xrefs: 004750B9, 004751B9
kernel32, xrefs: 00475117, 0047512E, 00475146, 0047515E, 00475176, 0047518E, 004751A6, 004751BE, 004751D6, 004751EE, 00475206
MessageBoxA, xrefs: 0047507D, 00475159
CloseHandle, xrefs: 004750C8, 004751D1
GetLastError, xrefs: 004750AA, 004751A1
GetExitCodeProcess, xrefs: 004750E6, 00475201
D, xrefs: 00474FC9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045D6E8, Relevance: 49.1, APIs: 15, Strings: 13, Instructions: 95 Total matches: 1532libraryloader

Similarity

Total matches: 1532
API ID: GetProcAddress$SetErrorMode$GetModuleHandleLoadLibrary
String ID: ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME$[FILE]
API String ID: 4285671783-683095915
Opcode ID: 6332f91712b4189a2fbf9eac54066364acf4b46419cf90587b9f7381acad85db
Instruction ID: 372e34bc737a7edc69a1909bd40661afaf820c1de602df88552da6e630419b72
Opcode Fuzzy Hash: 0A01257F24D863CBD2D0CE4934DB39D20B65787C0C8D6DF404605318697F9BF9295A68
Instruction Fuzzy Hash: 372e34bc737a7edc69a1909bd40661afaf820c1de602df88552da6e630419b72

APIs

SetErrorMode.KERNEL32(00008000), ref: 0045D701
GetModuleHandleA.KERNEL32(USER32,00000000,0045D84E,?,00008000), ref: 0045D725
GetProcAddress.KERNEL32(00000000,WINNLSEnableIME,USER32,00000000,0045D84E,?,00008000), ref: 0045D732
LoadLibraryA.KERNEL32(imm32.dll), ref: 0045D74E
GetProcAddress.KERNEL32(00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D770
GetProcAddress.KERNEL32(00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D785
GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D79A
GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7AF
GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7C4
GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E), ref: 0045D7D9
GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000), ref: 0045D7EE
GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext), ref: 0045D803
GetProcAddress.KERNEL32(00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext), ref: 0045D818
GetProcAddress.KERNEL32(00000000,ImmNotifyIME,00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus), ref: 0045D82D
SetErrorMode.KERNEL32(?,0045D855,00008000), ref: 0045D848

Strings

USER32, xrefs: 0045D720
ImmReleaseContext, xrefs: 0045D77A
ImmNotifyIME, xrefs: 0045D822
ImmIsIME, xrefs: 0045D80D
ImmGetConversionStatus, xrefs: 0045D78F
ImmSetCompositionFontA, xrefs: 0045D7E3
ImmGetCompositionStringA, xrefs: 0045D7F8
ImmSetCompositionWindow, xrefs: 0045D7CE
ImmGetContext, xrefs: 0045D765
imm32.dll, xrefs: 0045D749
ImmSetOpenStatus, xrefs: 0045D7B9
WINNLSEnableIME, xrefs: 0045D72C
ImmSetConversionStatus, xrefs: 0045D7A4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004104F0, Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141 Total matches: 3143

Similarity

Total matches: 3143
API ID: GetModuleHandle
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$[FILE]
API String ID: 2196120668-1102361026
Opcode ID: d04b3c176625d43589df9c4c1eaa1faa8af9b9c00307a8a09859a0e62e75f2dc
Instruction ID: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6
Opcode Fuzzy Hash: B8119E48E06A10BC356E3ED6B0292683F50A1A7CBF31D5388487AA46F067C083C0FF2D
Instruction Fuzzy Hash: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 004104F9

Part of subcall function 004104C4: GetProcAddress.KERNEL32(00000000), ref: 004104DD

Strings

VarMod, xrefs: 004105B7
VarBstrFromCy, xrefs: 004106A9
VarBstrFromBool, xrefs: 004106D5
VarAnd, xrefs: 004105CD
VarDateFromStr, xrefs: 00410667
oleaut32.dll, xrefs: 004104F4
VariantChangeTypeEx, xrefs: 00410507
VarCmp, xrefs: 0041060F
VarBstrFromDate, xrefs: 004106BF
VarBoolFromStr, xrefs: 00410693
VarR8FromStr, xrefs: 00410651
VarR4FromStr, xrefs: 0041063B
VarDiv, xrefs: 0041058B
VarSub, xrefs: 0041055F
VarNeg, xrefs: 0041051D
VarAdd, xrefs: 00410549
VarOr, xrefs: 004105E3
VarMul, xrefs: 00410575
VarI4FromStr, xrefs: 00410625
VarCyFromStr, xrefs: 0041067D
VarIdiv, xrefs: 004105A1
VarXor, xrefs: 004105F9
VarNot, xrefs: 00410533

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047EE3C, Relevance: 37.0, APIs: 10, Strings: 11, Instructions: 210 Total matches: 14file

Similarity

Total matches: 14
API ID: ShellExecute$CopyFile$DeleteFilePlaySoundSetFileAttributes
String ID: .dcp$BATCH$EDITSVR$GENCODE$HOSTS$SOUND$UPANDEXEC$UPDATE$UPLOADEXEC$drivers\etc\hosts$open
API String ID: 313780579-486951257
Opcode ID: 44d22e170a376e2c3ac9494fe8a96a526e5340482cd9b2ca1a65bf3f31ad22f8
Instruction ID: 609fd5320f3736894535b51981f95e3d4faf5b0f44a63c85dacee75dc97e5f91
Opcode Fuzzy Hash: 482159C03AA5D247E11B38503C02FC671E1AB8B365C4E774182B9B32D6EF825029EF59
Instruction Fuzzy Hash: 609fd5320f3736894535b51981f95e3d4faf5b0f44a63c85dacee75dc97e5f91

APIs

ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EEA0
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF11
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EF31
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF60

Part of subcall function 00475BD8: closesocket.WSOCK32(00000248,00000000,00475D47,?,00000000,00475D76,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00475D2E
Part of subcall function 00475BD8: GetCurrentProcessId.KERNEL32(00000248,00000000,00475D47,?,00000000,00475D76,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00475D33

ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0047EF96
CopyFileA.KERNEL32(00000000,00000000,.dcp), ref: 0047F0D1

Part of subcall function 00489C78: GetSystemDirectoryA.KERNEL32(00000000,?), ref: 00489CB4

SetFileAttributesA.KERNEL32(00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFD6
DeleteFileA.KERNEL32(00000000,00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFFF
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0047F033
PlaySoundA.WINMM(00000000,00000000,00000001,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047F059

Strings

UPANDEXEC, xrefs: 0047EF74
UPLOADEXEC, xrefs: 0047EE7E
BATCH, xrefs: 0047EEC3
drivers\etc\hosts, xrefs: 0047EFC3, 0047EFE6, 0047F017
GENCODE, xrefs: 0047F0A0
UPDATE, xrefs: 0047EF3E
open, xrefs: 0047EE99, 0047EF0A, 0047EF2A, 0047EF59, 0047EF8F
HOSTS, xrefs: 0047EFA3
.dcp, xrefs: 0047F0AD
SOUND, xrefs: 0047F040
EDITSVR, xrefs: 0047F063

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00489580, Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 221 Total matches: 17pipewindowsleep

Similarity

Total matches: 17
API ID: CloseHandleCreatePipePeekNamedPipe$CreateProcessDispatchMessageGetEnvironmentVariableGetExitCodeProcessOemToCharPeekMessageReadFileSleepTerminateProcessTranslateMessage
String ID: COMSPEC$D
API String ID: 4101216710-942777791
Opcode ID: 98b6063c36b7c4f9ee270a2712a57a54142ac9cf893dea9da1c9317ddc3726ed
Instruction ID: f750be379b028122e82cf807415e9f3aafae13f02fb218c552ebf65ada2f023f
Opcode Fuzzy Hash: 6221AE4207BD57A3E5972A046403B841372FF43A68F6CA7A2A6FD367E9CE400099FE14
Instruction Fuzzy Hash: f750be379b028122e82cf807415e9f3aafae13f02fb218c552ebf65ada2f023f

APIs

CreatePipe.KERNEL32(FFFFFFFF,?,00000000,00000000), ref: 004895ED
CreatePipe.KERNEL32(?,?,00000000,00000000,FFFFFFFF,?,00000000,00000000), ref: 004895FD
GetEnvironmentVariableA.KERNEL32(COMSPEC,?,00000104,?,?,00000000,00000000,FFFFFFFF,?,00000000,00000000), ref: 00489613
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?), ref: 00489668
Sleep.KERNEL32(000007D0,00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,COMSPEC,?,00000104,?,?), ref: 00489685
TranslateMessage.USER32(?), ref: 00489693
DispatchMessageA.USER32(?), ref: 0048969F
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004896B3
GetExitCodeProcess.KERNEL32(?,?), ref: 004896C8
PeekNamedPipe.KERNEL32(FFFFFFFF,00000000,00000000,00000000,?,00000000,?,?,?,00000000,00000000,00000000,00000001,?,?,?), ref: 004896F2
ReadFile.KERNEL32(FFFFFFFF,?,00002400,00000000,00000000), ref: 00489717
OemToCharA.USER32(?,?), ref: 0048972E
PeekNamedPipe.KERNEL32(FFFFFFFF,00000000,00000000,00000000,00000000,00000000,?,FFFFFFFF,?,00002400,00000000,00000000,FFFFFFFF,00000000,00000000,00000000), ref: 00489781

Part of subcall function 0041FA34: GetLastError.KERNEL32(00486514,00000004,0048650C,00000000,0041FADE,?,00499F5C), ref: 0041FA94

Part of subcall function 0041FC40: SetThreadPriority.KERNEL32(?,015CDB28,00499F5C,?,0047EC9E,?,?,?,00000000,00000000,?,0049062B), ref: 0041FC55

Part of subcall function 0041FEF0: ResumeThread.KERNEL32(?,00499F5C,?,0047ECAA,?,?,?,00000000,00000000,?,0049062B), ref: 0041FEF8

Part of subcall function 0041FF20: GetCurrentThreadId.KERNEL32 ref: 0041FF2E
Part of subcall function 0041FF20: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0041FF5A
Part of subcall function 0041FF20: MsgWaitForMultipleObjects.USER32(00000002,?,00000000,000003E8,00000040), ref: 0041FF6F
Part of subcall function 0041FF20: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041FF9C
Part of subcall function 0041FF20: GetExitCodeThread.KERNEL32(?,?,?,000000FF), ref: 0041FFA7

TerminateProcess.KERNEL32(?,00000000,00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,COMSPEC,?,00000104,?), ref: 0048980A
CloseHandle.KERNEL32(?), ref: 00489813
CloseHandle.KERNEL32(?), ref: 0048981C

Strings

D, xrefs: 00489627
COMSPEC, xrefs: 0048960E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004291D0, Relevance: 31.7, APIs: 21, Instructions: 194 Total matches: 3060window

Similarity

Total matches: 3060
API ID: SelectObject$CreateCompatibleDCDeleteDCRealizePaletteSelectPaletteSetBkColor$BitBltCreateBitmapDeleteObjectGetDCGetObjectPatBltReleaseDC
String ID:
API String ID: 628774946-0
Opcode ID: fe3971f2977393a3c43567018b8bbe78de127415e632ac21538e816cc0dd5250
Instruction ID: 6115c1c3159ef7867d394253bd6a45f4e10092e6f2e7cc69ab30c5ac2c74a228
Opcode Fuzzy Hash: 2911294A05CCF32B64B579881983B261182FE43B52CABF7105979272CACF41740DE457
Instruction Fuzzy Hash: 6115c1c3159ef7867d394253bd6a45f4e10092e6f2e7cc69ab30c5ac2c74a228

APIs

GetObjectA.GDI32(?,00000054,?), ref: 004291F3
GetDC.USER32(00000000), ref: 00429221
CreateCompatibleDC.GDI32(?), ref: 00429232
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0042924D
SelectObject.GDI32(?,00000000), ref: 00429267
PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 00429289
CreateCompatibleDC.GDI32(?), ref: 00429297
DeleteDC.GDI32(?), ref: 0042937D

Part of subcall function 00428B08: GetObjectA.GDI32(00000000,00000054,?), ref: 00428B88
Part of subcall function 00428B08: GetDC.USER32(00000000), ref: 00428B99
Part of subcall function 00428B08: CreateCompatibleDC.GDI32(00000000), ref: 00428BAA
Part of subcall function 00428B08: CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 00428BF6
Part of subcall function 00428B08: CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 00428C1A
Part of subcall function 00428B08: GetDeviceCaps.GDI32(00000028,0000000C), ref: 00428C6A
Part of subcall function 00428B08: GetDeviceCaps.GDI32(00000028,0000000E), ref: 00428C77
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00428D21
Part of subcall function 00428B08: GetDIBColorTable.GDI32(?,00000000,00000100,-00000027), ref: 00428D47
Part of subcall function 00428B08: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428D72
Part of subcall function 00428B08: SelectObject.GDI32(?,?), ref: 00428D7F
Part of subcall function 00428B08: CreateDIBSection.GDI32(00000028,00000001,00000000,00000003,00000000,00000000), ref: 00428DD5
Part of subcall function 00428B08: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428E36
Part of subcall function 00428B08: SelectObject.GDI32(?,?), ref: 00428E77
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,00000000), ref: 00428EB7
Part of subcall function 00428B08: RealizePalette.GDI32(?), ref: 00428EC3
Part of subcall function 00428B08: FillRect.USER32(?,?,00000000), ref: 00428F14
Part of subcall function 00428B08: SetTextColor.GDI32(?,00000000), ref: 00428F2C
Part of subcall function 00428B08: SetBkColor.GDI32(?,00000000), ref: 00428F46
Part of subcall function 00428B08: SetDIBColorTable.GDI32(?,00000000,00000002,?), ref: 00428F8E
Part of subcall function 00428B08: PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 00428FB0
Part of subcall function 00428B08: CreateCompatibleDC.GDI32(00000028), ref: 00428FC3
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00428FE6
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,00000000), ref: 00429002
Part of subcall function 00428B08: RealizePalette.GDI32(?), ref: 0042900D
Part of subcall function 00428B08: SetTextColor.GDI32(?,00000000), ref: 0042902B
Part of subcall function 00428B08: SetBkColor.GDI32(?,00000000), ref: 00429045
Part of subcall function 00428B08: BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042906D
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,000000FF), ref: 0042907F
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00429089
Part of subcall function 00428B08: DeleteDC.GDI32(?), ref: 004290A4
Part of subcall function 00428B08: SelectPalette.GDI32(?,?,000000FF), ref: 004290CE

SelectObject.GDI32(?), ref: 004292DF
SelectPalette.GDI32(?,?,00000000), ref: 004292F2
RealizePalette.GDI32(?), ref: 004292FB
SelectPalette.GDI32(?,?,00000000), ref: 00429307
RealizePalette.GDI32(?), ref: 00429310
SetBkColor.GDI32(?), ref: 0042931A
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042933E
SetBkColor.GDI32(?,00000000), ref: 00429348
SelectObject.GDI32(?,00000000), ref: 0042935B
DeleteObject.GDI32 ref: 00429367
SelectObject.GDI32(?,00000000), ref: 00429398
DeleteDC.GDI32(00000000), ref: 004293B4
ReleaseDC.USER32(00000000,00000000), ref: 004293C5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004031FC, Relevance: 27.1, APIs: 9, Strings: 9, Instructions: 110 Total matches: 169

Similarity

Total matches: 169
API ID: CharNext
String ID: $ $ $"$"$"$"$"$"
API String ID: 3213498283-3597982963
Opcode ID: a78e52ca640c3a7d11d18e4cac849d6c7481ab065be4a6ef34a7c34927dd7892
Instruction ID: 5d6dbb870b020a65ba4fa9e31a5dda400ef744f15fc7bff5e21739e263984da5
Opcode Fuzzy Hash: D0F054139ED4432360976B416872B44E2D0DF9564D2C01F185B62BE2F31E696D62F9DC
Instruction Fuzzy Hash: 5d6dbb870b020a65ba4fa9e31a5dda400ef744f15fc7bff5e21739e263984da5

APIs

CharNextA.USER32(00000000), ref: 00403208
CharNextA.USER32(00000000), ref: 00403236
CharNextA.USER32(00000000), ref: 00403240
CharNextA.USER32(00000000), ref: 0040325F
CharNextA.USER32(00000000), ref: 00403269
CharNextA.USER32(00000000), ref: 00403295
CharNextA.USER32(00000000), ref: 0040329F
CharNextA.USER32(00000000), ref: 004032C7
CharNextA.USER32(00000000), ref: 004032D1

Strings

", xrefs: 00403230
, xrefs: 004032E9
", xrefs: 0040328F
", xrefs: 0040321E
, xrefs: 00403214
", xrefs: 00403254
, xrefs: 00403278
", xrefs: 00403219
", xrefs: 004032BC

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00472E88, Relevance: 26.4, APIs: 6, Strings: 9, Instructions: 199 Total matches: 19network

Similarity

Total matches: 19
API ID: inet_ntoa$WSAIoctlclosesocketsocket
String ID: Broadcast adress : $ Broadcasts : NO$ Broadcasts : YES$ IP : $ IP Mask : $ Loopback interface$ Network interface$ Status : DOWN$ Status : UP
API String ID: 2271367613-1810517698
Opcode ID: 3d4dbe25dc82bdd7fd028c6f91bddee7ad6dc1d8a686e5486e056cbc58026438
Instruction ID: 018b2a24353d4e3a07e7e79b390110fecb7011e72bd4e8fb6250bb24c4a02172
Opcode Fuzzy Hash: E22138C22338E1B2D42A39C6B500F80B651671FB7EF481F9652B6FFDC26E488005A749
Instruction Fuzzy Hash: 018b2a24353d4e3a07e7e79b390110fecb7011e72bd4e8fb6250bb24c4a02172

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00473108), ref: 00472EC7
WSAIoctl.WS2_32(000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000), ref: 00472F08
inet_ntoa.WSOCK32(?,00000000,004730D5,?,00000002,00000001,00000000,00000000,00473108), ref: 00472F40
inet_ntoa.WSOCK32(?,00473130,?, IP : ,?,?,00000000,004730D5,?,00000002,00000001,00000000,00000000,00473108), ref: 00472F81
inet_ntoa.WSOCK32(?,00473130,?, IP Mask : ,?,?,00473130,?, IP : ,?,?,00000000,004730D5,?,00000002,00000001), ref: 00472FC2
closesocket.WSOCK32(000000FF,00000002,00000001,00000000,00000000,00473108), ref: 004730E3

Strings

Broadcast adress : , xrefs: 00472FCB
Status : UP, xrefs: 00473001
IP Mask : , xrefs: 00472F8A
Broadcasts : NO, xrefs: 00473057
Status : DOWN, xrefs: 0047301B
IP : , xrefs: 00472F49
Broadcasts : YES, xrefs: 0047303D
Network interface, xrefs: 00473091
Loopback interface, xrefs: 00473077

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045944C, Relevance: 25.8, APIs: 17, Instructions: 258 Total matches: 99

Similarity

Total matches: 99
API ID: OffsetRect$MapWindowPoints$DrawEdgeExcludeClipRectFillRectGetClientRectGetRgnBoxGetWindowDCGetWindowLongGetWindowRectInflateRectIntersectClipRectIntersectRectReleaseDC
String ID:
API String ID: 549690890-0
Opcode ID: 4a5933c45267f4417683cc1ac528043082b1f46eca0dcd21c58a50742ec4aa88
Instruction ID: 2ecbe6093ff51080a4fa1a6c7503b414327ded251fe39163baabcde2d7402924
Opcode Fuzzy Hash: DE316B4D01AF1663F073A6401983F7A1516FF43A89CD837F27EE63235E27662066AA03
Instruction Fuzzy Hash: 2ecbe6093ff51080a4fa1a6c7503b414327ded251fe39163baabcde2d7402924

APIs

GetWindowDC.USER32(00000000), ref: 00459480
GetClientRect.USER32(00000000,?), ref: 004594A3
GetWindowRect.USER32(00000000,?), ref: 004594B5
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 004594CB
OffsetRect.USER32(?,?,?), ref: 004594E0
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 004594F9
InflateRect.USER32(?,00000000,00000000), ref: 00459517
GetWindowLongA.USER32(00000000,000000F0), ref: 00459531
DrawEdge.USER32(?,?,?,00000008), ref: 00459630
IntersectClipRect.GDI32(?,?,?,?,?), ref: 00459649
OffsetRect.USER32(?,?,?), ref: 00459673
GetRgnBox.GDI32(?,?), ref: 00459682
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 00459698
IntersectRect.USER32(?,?,?), ref: 004596A9
OffsetRect.USER32(?,?,?), ref: 004596BE

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?,00000000), ref: 004596DA
ReleaseDC.USER32(00000000,?), ref: 004596F9

Part of subcall function 004328FC: GetWindowLongA.USER32(00000000,000000EC), ref: 00432917
Part of subcall function 004328FC: GetWindowRect.USER32(00000000,?), ref: 00432932
Part of subcall function 004328FC: OffsetRect.USER32(?,?,?), ref: 00432947
Part of subcall function 004328FC: GetWindowDC.USER32(00000000), ref: 00432955
Part of subcall function 004328FC: GetWindowLongA.USER32(00000000,000000F0), ref: 00432986
Part of subcall function 004328FC: GetSystemMetrics.USER32(00000002), ref: 0043299B
Part of subcall function 004328FC: GetSystemMetrics.USER32(00000003), ref: 004329A4
Part of subcall function 004328FC: InflateRect.USER32(?,000000FE,000000FE), ref: 004329B3
Part of subcall function 004328FC: GetSysColorBrush.USER32(0000000F), ref: 004329E0
Part of subcall function 004328FC: FillRect.USER32(?,?,00000000), ref: 004329EE
Part of subcall function 004328FC: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00432A13
Part of subcall function 004328FC: ReleaseDC.USER32(00000000,?), ref: 00432A51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00465A0C, Relevance: 21.2, APIs: 6, Strings: 8, Instructions: 232 Total matches: 70memory

Similarity

Total matches: 70
API ID: VirtualAlloc$GetProcessHeapHeapAlloc
String ID: BTMemoryLoadLibary: BuildImportTable failed$BTMemoryLoadLibary: Can't attach library$BTMemoryLoadLibary: Get DLLEntyPoint failed$BTMemoryLoadLibary: IMAGE_NT_SIGNATURE is not valid$BTMemoryLoadLibary: VirtualAlloc failed$BTMemoryLoadLibary: dll dos header is not valid$MZ$PE
API String ID: 2488116186-3631919656
Opcode ID: 3af931fd5e956d794d4d8b2d9451c0c23910b02d2e1f96ee73557f06256af9ed
Instruction ID: 5201b0f892773e34eb121d15694a5594f27085db04a31d88d5a3aa16cfd2fb7b
Opcode Fuzzy Hash: C92170831B68E1B7FD6411983983F62168EE747E64EC5A7700375391DB6B09408DEB4E
Instruction Fuzzy Hash: 5201b0f892773e34eb121d15694a5594f27085db04a31d88d5a3aa16cfd2fb7b

APIs

VirtualAlloc.KERNEL32(?,?,00002000,00000004), ref: 00465AC1
VirtualAlloc.KERNEL32(00000000,?,00002000,00000004,?,?,00002000,00000004), ref: 00465ADC
GetProcessHeap.KERNEL32(00000000,00000011,?,?,00002000,00000004), ref: 00465B07
HeapAlloc.KERNEL32(00000000,00000000,00000011,?,?,00002000,00000004), ref: 00465B0D
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,00000000,00000000,00000011,?,?,00002000,00000004), ref: 00465B41
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,00000000,?,00001000,00000004,00000000,00000000,00000011,?,?,00002000,00000004), ref: 00465B55

Part of subcall function 004653A8: VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00465410
Part of subcall function 004653A8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004), ref: 0046545B

Part of subcall function 00465598: LoadLibraryA.KERNEL32(00000000), ref: 00465607
Part of subcall function 00465598: GetProcAddress.KERNEL32(?,?), ref: 00465737
Part of subcall function 00465598: GetProcAddress.KERNEL32(?,?), ref: 0046576B
Part of subcall function 00465598: IsBadReadPtr.KERNEL32(?,00000014,00000000,004657D8), ref: 004657A9

Part of subcall function 004658F4: VirtualFree.KERNEL32(?,?,00004000), ref: 00465939
Part of subcall function 004658F4: VirtualProtect.KERNEL32(?,?,00000000,?), ref: 004659A5

Part of subcall function 00466038: FreeLibrary.KERNEL32(00000000,?,?,00000000,?,00000000,00465C6C), ref: 004660A7
Part of subcall function 00466038: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,?,00000000,00465C6C), ref: 004660D8
Part of subcall function 00466038: GetProcessHeap.KERNEL32(00000000,?,?,?,00000000,?,00000000,00465C6C), ref: 004660E0
Part of subcall function 00466038: HeapFree.KERNEL32(00000000,00000000,?), ref: 004660E6

Strings

BTMemoryLoadLibary: BuildImportTable failed, xrefs: 00465BD5
BTMemoryLoadLibary: Can't attach library, xrefs: 00465C5A
BTMemoryLoadLibary: IMAGE_NT_SIGNATURE is not valid, xrefs: 00465A95
BTMemoryLoadLibary: VirtualAlloc failed, xrefs: 00465AEC
PE, xrefs: 00465A84
BTMemoryLoadLibary: dll dos header is not valid, xrefs: 00465A4E
MZ, xrefs: 00465A41
BTMemoryLoadLibary: Get DLLEntyPoint failed, xrefs: 00465C28

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004296E0, Relevance: 21.2, APIs: 14, Instructions: 217 Total matches: 2962window

Similarity

Total matches: 2962
API ID: GetDeviceCapsSelectObjectSelectPaletteSetStretchBltMode$CreateCompatibleDCDeleteDCGetBrushOrgExRealizePaletteSetBrushOrgExStretchBlt
String ID:
API String ID: 3308931694-0
Opcode ID: c4f23efe5e20e7f72d9787206ae9d4d4484ef6a1768b369050ebc0ce3d21af64
Instruction ID: 6e80a75276815f297b150d1899ec2451361d21afa1efcd092d0d7bc48a04164e
Opcode Fuzzy Hash: 2C21980A409CEB6BF0BB78840183F4A2285BF9B34ACD1BB210E64673635F04E40BD65F
Instruction Fuzzy Hash: 6e80a75276815f297b150d1899ec2451361d21afa1efcd092d0d7bc48a04164e

APIs

Part of subcall function 00429D5C: GetDC.USER32(00000000), ref: 00429DB2
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429DC7
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00429DD1
Part of subcall function 00429D5C: CreateHalftonePalette.GDI32(00000000), ref: 00429DF5
Part of subcall function 00429D5C: ReleaseDC.USER32(00000000,00000000), ref: 00429E00

SelectPalette.GDI32(?,?,000000FF), ref: 00429723
RealizePalette.GDI32(?), ref: 00429732
GetDeviceCaps.GDI32(?,0000000C), ref: 00429744
GetDeviceCaps.GDI32(?,0000000E), ref: 00429753
GetBrushOrgEx.GDI32(?,?), ref: 00429786
SetStretchBltMode.GDI32(?,00000004), ref: 00429794
SetBrushOrgEx.GDI32(?,?,?,?), ref: 004297AC
SetStretchBltMode.GDI32(00000000,00000003), ref: 004297C9
SelectPalette.GDI32(?,?,000000FF), ref: 00429918

Part of subcall function 00429CFC: DeleteObject.GDI32(?), ref: 00429D1F

CreateCompatibleDC.GDI32(00000000), ref: 0042982A
SelectObject.GDI32(?,?), ref: 0042983F

Part of subcall function 00425CC8: CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 00425D0B
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425D20
Part of subcall function 00425CC8: MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,CCAA0029), ref: 00425D64
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425D7E
Part of subcall function 00425CC8: DeleteObject.GDI32(?), ref: 00425D8A
Part of subcall function 00425CC8: CreateCompatibleDC.GDI32(00000000), ref: 00425D9E
Part of subcall function 00425CC8: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00425DBF
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425DD4
Part of subcall function 00425CC8: SelectPalette.GDI32(?,48080787,00000000), ref: 00425DE8
Part of subcall function 00425CC8: SelectPalette.GDI32(?,?,00000000), ref: 00425DFA
Part of subcall function 00425CC8: SelectPalette.GDI32(?,00000000,000000FF), ref: 00425E0F
Part of subcall function 00425CC8: SelectPalette.GDI32(?,48080787,000000FF), ref: 00425E25
Part of subcall function 00425CC8: RealizePalette.GDI32(?), ref: 00425E31
Part of subcall function 00425CC8: StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 00425E53
Part of subcall function 00425CC8: StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 00425E75
Part of subcall function 00425CC8: SetTextColor.GDI32(?,00000000), ref: 00425E7D
Part of subcall function 00425CC8: SetBkColor.GDI32(?,00FFFFFF), ref: 00425E8B
Part of subcall function 00425CC8: StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 00425EB7
Part of subcall function 00425CC8: StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 00425EDC
Part of subcall function 00425CC8: SetTextColor.GDI32(?,?), ref: 00425EE6
Part of subcall function 00425CC8: SetBkColor.GDI32(?,?), ref: 00425EF0
Part of subcall function 00425CC8: SelectObject.GDI32(?,00000000), ref: 00425F03
Part of subcall function 00425CC8: DeleteObject.GDI32(?), ref: 00425F0C
Part of subcall function 00425CC8: SelectPalette.GDI32(?,00000000,00000000), ref: 00425F2E
Part of subcall function 00425CC8: DeleteDC.GDI32(?), ref: 00425F37

SelectObject.GDI32(?,00000000), ref: 0042989E
DeleteDC.GDI32(00000000), ref: 004298AD
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,?), ref: 004298F3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474208, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 49 Total matches: 17libraryloader

Similarity

Total matches: 17
API ID: GetProcAddress$LoadLibrary
String ID: WlanCloseHandle$WlanEnumInterfaces$WlanGetAvailableNetworkList$WlanOpenHandle$WlanQueryInterface$[FILE]
API String ID: 2209490600-3498334979
Opcode ID: 5146edb54a207047eae4574c9a27975307ac735bfb4468aea4e07443cdf6e803
Instruction ID: f89292433987c39bc7d9e273a1951c9a278ebb56a2de24d0a3e4590a01f53334
Opcode Fuzzy Hash: 50E0B6FD90BAA808D37089CC31962431D6E7BE332DA621E00086A230902B4FF2766935
Instruction Fuzzy Hash: f89292433987c39bc7d9e273a1951c9a278ebb56a2de24d0a3e4590a01f53334

APIs

LoadLibraryA.KERNEL32(wlanapi.dll), ref: 00474216
GetProcAddress.KERNEL32(00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 0047422E
GetProcAddress.KERNEL32(00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 00474249
GetProcAddress.KERNEL32(00000000,WlanEnumInterfaces,00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 00474264
GetProcAddress.KERNEL32(00000000,WlanQueryInterface,00000000,WlanEnumInterfaces,00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 0047427F
GetProcAddress.KERNEL32(00000000,WlanGetAvailableNetworkList,00000000,WlanQueryInterface,00000000,WlanEnumInterfaces,00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 0047429A

Strings

WlanOpenHandle, xrefs: 00474226
wlanapi.dll, xrefs: 00474211
WlanGetAvailableNetworkList, xrefs: 00474292
WlanQueryInterface, xrefs: 00474277
WlanEnumInterfaces, xrefs: 0047425C
WlanCloseHandle, xrefs: 00474241

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048D3C4, Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 132 Total matches: 32

Similarity

Total matches: 32
API ID: GetVersionEx
String ID: Unknow$Windows 2000$Windows 7$Windows 95$Windows 98$Windows Me$Windows NT 4.0$Windows Server 2003$Windows Vista$Windows XP
API String ID: 3908303307-3783844371
Opcode ID: 7b5a5832e5fd12129a8a2e2906a492b9449b8df28a17af9cc2e55bced20de565
Instruction ID: b844ed6b70e0e94de659292c354b68b9ed016400ab421bcb6baea74a0809c2ae
Opcode Fuzzy Hash: 0C11ACC1EB6CE422E7B219486410BD59E805F8B83AFCCC343D63EA83E46D491419F22D
Instruction Fuzzy Hash: b844ed6b70e0e94de659292c354b68b9ed016400ab421bcb6baea74a0809c2ae

APIs

GetVersionExA.KERNEL32(00000094), ref: 0048D410

Strings

Windows Me, xrefs: 0048D4F2
Windows NT 4.0, xrefs: 0048D441
Windows 2000, xrefs: 0048D467
Windows 95, xrefs: 0048D4D6
Windows 7, xrefs: 0048D4B1
Unknow, xrefs: 0048D3F5
Windows Vista, xrefs: 0048D4A3
Windows Server 2003, xrefs: 0048D486
Windows XP, xrefs: 0048D478
Windows 98, xrefs: 0048D4E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C494, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 102 Total matches: 27filememorythread

Similarity

Total matches: 27
API ID: CloseHandle$CreateFileCreateThreadFindResourceLoadResourceLocalAllocLockResourceSizeofResourceWriteFile
String ID: [FILE]
API String ID: 67866216-124780900
Opcode ID: 96c988e38e59b89ff17cc2eaece477f828ad8744e4a6eccd5192cfbc043553d8
Instruction ID: 630cc112895e8414539e3ba5b7ba0394fd4404f3832c6fa9d37db38bf09270f9
Opcode Fuzzy Hash: D5F02B8A57A5E6A3F0003C841D423D286D55B13B20E582B62C57CB75C1FE24502AFB03
Instruction Fuzzy Hash: 630cc112895e8414539e3ba5b7ba0394fd4404f3832c6fa9d37db38bf09270f9

APIs

FindResourceA.KERNEL32(00000000,?,?), ref: 0048C4C3

Part of subcall function 00489BB0: GetTempPathA.KERNEL32(?,00000000), ref: 00489BEC

CreateFileA.KERNEL32(00000000,.dll,?,?,40000000,00000002,00000000), ref: 0048C50F
SizeofResource.KERNEL32(00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC,?,?,?,?,00000000,00000000,00000000), ref: 0048C51F
LoadResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C528
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C52E
WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0048C535
CloseHandle.KERNEL32(00000000), ref: 0048C53B
LocalAlloc.KERNEL32(00000040,00000004,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C544
CreateThread.KERNEL32(00000000,00000000,0048C3E4,00000000,00000000,?), ref: 0048C586
CloseHandle.KERNEL32(00000000), ref: 0048C58C

Strings

.dll, xrefs: 0048C4F4, 0048C565

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004085D4, Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 61 Total matches: 268windowregistry

Similarity

Total matches: 268
API ID: RegisterWindowMessage$SendMessage$FindWindow
String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
API String ID: 773075572-3736581797
Opcode ID: b8d29d158da692a3f30c7c46c0fd30bc084ed528be5294db655e4684b6c0c80f
Instruction ID: 4e75a9db2a85290b2bd165713cc3b8ab264a87c6022b985514cebb886d0c2653
Opcode Fuzzy Hash: E3E086048EC5E4C040877D156905746525A5B47E33E88971245FC69EEBDF12706CF60B
Instruction Fuzzy Hash: 4e75a9db2a85290b2bd165713cc3b8ab264a87c6022b985514cebb886d0c2653

APIs

FindWindowA.USER32(MouseZ,Magellan MSWHEEL), ref: 004085EC
RegisterWindowMessageA.USER32(MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 004085F8
RegisterWindowMessageA.USER32(MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 00408607
RegisterWindowMessageA.USER32(MSH_SCROLL_LINES_MSG,MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 00408613
SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 0040862B
SendMessageA.USER32(00000000,?,00000000,00000000), ref: 0040864F

Strings

MSH_SCROLL_LINES_MSG, xrefs: 0040860E
MSH_WHEELSUPPORT_MSG, xrefs: 00408602
MouseZ, xrefs: 004085E7
Magellan MSWHEEL, xrefs: 004085E2
MSWHEEL_ROLLMSG, xrefs: 004085F3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00442280, Relevance: 18.5, APIs: 12, Instructions: 471 Total matches: 76window

Similarity

Total matches: 76
API ID: ShowWindow$SendMessageSetWindowPos$CallWindowProcGetActiveWindowSetActiveWindow
String ID:
API String ID: 1078102291-0
Opcode ID: 5a6bc4dc446307c7628f18d730adac2faaaadfe5fec0ff2c8aaad915570e293a
Instruction ID: d2d7a330045c082ee8847ac264425c59ea8f05af409e416109ccbd6a8a647aa5
Opcode Fuzzy Hash: AA512601698E2453F8A360442A87BAB6077F74EB54CC4AB744BCF530AB3A51D837E74B
Instruction Fuzzy Hash: d2d7a330045c082ee8847ac264425c59ea8f05af409e416109ccbd6a8a647aa5

APIs

Part of subcall function 004471C4: IsChild.USER32(00000000,00000000), ref: 00447222

SendMessageA.USER32(?,00000223,00000000,00000000), ref: 004426BE
ShowWindow.USER32(00000000,00000003), ref: 004426CE
ShowWindow.USER32(00000000,00000002), ref: 004426F0
CallWindowProcA.USER32(00407FF8,00000000,00000005,00000000,?), ref: 00442719
SendMessageA.USER32(?,00000234,00000000,00000000), ref: 0044273E
ShowWindow.USER32(00000000,?), ref: 00442763
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000097), ref: 004427FF
GetActiveWindow.USER32 ref: 00442815
ShowWindow.USER32(00000000,00000000), ref: 00442872

Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773

Part of subcall function 0043BA80: GetCurrentThreadId.KERNEL32(Function_0003BA1C,00000000,0044283C,00000000,004428BF), ref: 0043BA9A
Part of subcall function 0043BA80: EnumThreadWindows.USER32(00000000,Function_0003BA1C,00000000), ref: 0043BAA0

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000097), ref: 0044285A
SetActiveWindow.USER32(00000000), ref: 00442860
ShowWindow.USER32(00000000,00000001), ref: 004428A2

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004328FC, Relevance: 18.1, APIs: 12, Instructions: 142 Total matches: 2670

Similarity

Total matches: 2670
API ID: GetSystemMetricsGetWindowLong$ExcludeClipRectFillRectGetSysColorBrushGetWindowDCGetWindowRectInflateRectOffsetRectReleaseDC
String ID:
API String ID: 3932036319-0
Opcode ID: 76064c448b287af48dc2af56ceef959adfeb7e49e56a31cb381aae6292753b0b
Instruction ID: f04c829c48dd0ecc4740a09c532db4e7ffce190e9eba6ce852bb2d0274806371
Opcode Fuzzy Hash: 03019760024F1233E0B31AC05DC7F127621ED45386CA4BBF28BF6A72C962AA7006F467
Instruction Fuzzy Hash: f04c829c48dd0ecc4740a09c532db4e7ffce190e9eba6ce852bb2d0274806371

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 00432917
GetWindowRect.USER32(00000000,?), ref: 00432932
OffsetRect.USER32(?,?,?), ref: 00432947
GetWindowDC.USER32(00000000), ref: 00432955
GetWindowLongA.USER32(00000000,000000F0), ref: 00432986
GetSystemMetrics.USER32(00000002), ref: 0043299B
GetSystemMetrics.USER32(00000003), ref: 004329A4
InflateRect.USER32(?,000000FE,000000FE), ref: 004329B3
GetSysColorBrush.USER32(0000000F), ref: 004329E0
FillRect.USER32(?,?,00000000), ref: 004329EE
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00432A13
ReleaseDC.USER32(00000000,?), ref: 00432A51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00402820, Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 254 Total matches: 200window

Similarity

Total matches: 200
API ID: MessageBox
String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
API String ID: 1250089747-1256731999
Opcode ID: 490897b8e9acac750f9d51d50a768472c0795dbdc6439b18441db86d626ce938
Instruction ID: 76dfa530adb1b8c2cc13e2667be7c25ba156ed0594aa9714788bfb3d1a0eda85
Opcode Fuzzy Hash: 0731F44BA7DDC3A2D3E91303684575550E2A7C5537C888F609772317F6EE04250BAAAD
Instruction Fuzzy Hash: 76dfa530adb1b8c2cc13e2667be7c25ba156ed0594aa9714788bfb3d1a0eda85

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 00402BBE

Strings

An unexpected memory leak has occurred. , xrefs: 00402980
String, xrefs: 00402A91
, xrefs: 00402B04
Unknown, xrefs: 00402A7C
The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402B39
The unexpected small block leaks are:, xrefs: 004029F7
Unexpected Memory Leak, xrefs: 00402BB0
7, xrefs: 00402991
bytes: , xrefs: 00402A4D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F17C, Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 116 Total matches: 33window

Similarity

Total matches: 33
API ID: GetWindowPlacementGetWindowTextIsWindowVisible
String ID: ,$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive$True
API String ID: 41250382-511446200
Opcode ID: 2a93bd2407602c988be198f02ecb64933adb9ffad78aee0f75abc9a1a22a1849
Instruction ID: 8f95e1a452f283c9d6a5f9db166b7f7b6e325fa1ebf04232aa01919826a7e185
Opcode Fuzzy Hash: F5012D8237CECA73DA0AAEC47C00B80D5A5AF63224CC867A14A9D3D1D41ED06009AB4A
Instruction Fuzzy Hash: 8f95e1a452f283c9d6a5f9db166b7f7b6e325fa1ebf04232aa01919826a7e185

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F1D2
GetWindowPlacement.USER32(?,0000002C), ref: 0046F1ED
IsWindowVisible.USER32(?), ref: 0046F258

Part of subcall function 0046F148: GetWindow.USER32(?,00000005), ref: 0046F156
Part of subcall function 0046F148: GetWindow.USER32(00000000,00000002), ref: 0046F164

Strings

,, xrefs: 0046F1E1
Minimized, xrefs: 0046F225
Show/Unactive, xrefs: 0046F239
True, xrefs: 0046F2AA
Maximized, xrefs: 0046F1FD
Normal, xrefs: 0046F211
Normal/Unactive, xrefs: 0046F24D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E71C, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 109 Total matches: 2989

Similarity

Total matches: 2989
API ID: IntersectRect$GetSystemMetrics$EnumDisplayMonitorsGetClipBoxGetDCOrgExOffsetRect
String ID: EnumDisplayMonitors
API String ID: 2403121106-2491903729
Opcode ID: 52db4d6629bbd73772140d7e04a91d47a072080cb3515019dbe85a8b86b11587
Instruction ID: b4557ab74b20c8893b9e8c5043286aecf6e43751f6ec849995a879e485a4fa77
Opcode Fuzzy Hash: 60F02B4B413C0863AD32BB953067E2601615BD3955C9F7BF34D077A2091B85B42EF643
Instruction Fuzzy Hash: b4557ab74b20c8893b9e8c5043286aecf6e43751f6ec849995a879e485a4fa77

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 0042E755
GetSystemMetrics.USER32(00000000), ref: 0042E77A
GetSystemMetrics.USER32(00000001), ref: 0042E785
GetClipBox.GDI32(?,?), ref: 0042E797
GetDCOrgEx.GDI32(?,?), ref: 0042E7A4
OffsetRect.USER32(?,?,?), ref: 0042E7BD
IntersectRect.USER32(?,?,?), ref: 0042E7CE
IntersectRect.USER32(?,?,?), ref: 0042E7E4
IntersectRect.USER32(?,?,?), ref: 0042E804

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

EnumDisplayMonitors, xrefs: 0042E734

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044D1B0, Relevance: 16.6, APIs: 11, Instructions: 91 Total matches: 309

Similarity

Total matches: 309
API ID: GetWindowLongSetWindowLong$SetProp$IsWindowUnicode
String ID:
API String ID: 2416549522-0
Opcode ID: cc33e88019e13a6bdd1cd1f337bb9aa08043e237bf24f75c2294c70aefb51ea5
Instruction ID: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692
Opcode Fuzzy Hash: 47F09048455D92E9CE316990181BFEB6098AF57F91CE86B0469C2713778E50F079BCC2
Instruction Fuzzy Hash: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692

APIs

IsWindowUnicode.USER32(?), ref: 0044D1CA
SetWindowLongW.USER32(?,000000FC,?), ref: 0044D1E5
GetWindowLongW.USER32(?,000000F0), ref: 0044D1F0
GetWindowLongW.USER32(?,000000F4), ref: 0044D202
SetWindowLongW.USER32(?,000000F4,?), ref: 0044D215
SetWindowLongA.USER32(?,000000FC,?), ref: 0044D22E
GetWindowLongA.USER32(?,000000F0), ref: 0044D239
GetWindowLongA.USER32(?,000000F4), ref: 0044D24B
SetWindowLongA.USER32(?,000000F4,?), ref: 0044D25E
SetPropA.USER32(?,00000000,00000000), ref: 0044D275
SetPropA.USER32(?,00000000,00000000), ref: 0044D28C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00485954, Relevance: 16.0, APIs: 4, Strings: 5, Instructions: 236 Total matches: 15filewindow

Similarity

Total matches: 15
API ID: DeleteFile$BeepMessageBox
String ID: Error$SYSINFO$out.txt$systeminfo$tmp.txt
API String ID: 2513333429-345806071
Opcode ID: 175ef29eb0126f4faf8d8d995bdbdcdb5595b05f6195c7c08c0282fe984d4c47
Instruction ID: 39f7f17e1c987efdb7b4b5db2f739eec2f93dce701a473bbe0ca777f64945c64
Opcode Fuzzy Hash: 473108146FCD9607E0675C047D43BB622369F83488E8AB3736AB7321E95E12C007FE96
Instruction Fuzzy Hash: 39f7f17e1c987efdb7b4b5db2f739eec2f93dce701a473bbe0ca777f64945c64

APIs

Beep.KERNEL32(00000000,00000000,?,00000000,00485C82), ref: 00485C68

Part of subcall function 00489BB0: GetTempPathA.KERNEL32(?,00000000), ref: 00489BEC

Part of subcall function 0048AB58: DeleteFileA.KERNEL32(00000000,00000000,0048ABE5,?,00000000,0048AC07), ref: 0048ABA5

Part of subcall function 0048A8AC: CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000004,00000100,00000000), ref: 0048A953
Part of subcall function 0048A8AC: CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000002,00000100,00000000), ref: 0048A98D
Part of subcall function 0048A8AC: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000110,00000000,00000000,00000044,?), ref: 0048AA10
Part of subcall function 0048A8AC: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0048AA2D
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA68
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA77
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA86
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA95

DeleteFileA.KERNEL32(00000000,Error,00000000,00485C82), ref: 00485A63
DeleteFileA.KERNEL32(00000000,00000000,Error,00000000,00485C82), ref: 00485A92

Part of subcall function 00485888: LocalAlloc.KERNEL32(00000040,00000014,00000000,00485939), ref: 004858C3
Part of subcall function 00485888: CreateThread.KERNEL32(00000000,00000000,Function_0008317C,00000000,00000000,00499F94), ref: 00485913
Part of subcall function 00485888: CloseHandle.KERNEL32(00000000), ref: 00485919

MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00485BE3

Strings

systeminfo, xrefs: 00485A14
tmp.txt, xrefs: 004859CA, 00485A07, 00485A79
Error, xrefs: 004859DE
SYSINFO, xrefs: 00485AAE
out.txt, xrefs: 004859AB, 004859EE, 00485A2A, 00485A4A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A8AC, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 146 Total matches: 45fileprocesssynchronization

Similarity

Total matches: 45
API ID: CloseHandle$CreateFile$CreateProcessWaitForSingleObject
String ID: D
API String ID: 1169714791-2746444292
Opcode ID: 9fb844b51f751657abfdf9935c21911306aa385a3997c9217fbe2ce6b668f812
Instruction ID: 79e473b7fda91be69f4d7f417df14a4c992ec25b9310636d694ca9e09f5cc5b6
Opcode Fuzzy Hash: 4D11E6431384F3F3F1A567002C8275185D6DB45A78E6D9752D6B6323EECB40A16CF94A
Instruction Fuzzy Hash: 79e473b7fda91be69f4d7f417df14a4c992ec25b9310636d694ca9e09f5cc5b6

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000004,00000100,00000000), ref: 0048A953
CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000002,00000100,00000000), ref: 0048A98D
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000110,00000000,00000000,00000044,?), ref: 0048AA10
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0048AA2D
CloseHandle.KERNEL32(00000000), ref: 0048AA68
CloseHandle.KERNEL32(00000000), ref: 0048AA77
CloseHandle.KERNEL32(00000000), ref: 0048AA86
CloseHandle.KERNEL32(00000000), ref: 0048AA95

Strings

D, xrefs: 0048A9BB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F3B8, Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 110 Total matches: 30

Similarity

Total matches: 30
API ID: GetWindowPlacementGetWindowText
String ID: ,$False$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive
API String ID: 3194812178-3661939895
Opcode ID: 6e67ebc189e59b109926b976878c05c5ff8e56a7c2fe83319816f47c7d386b2c
Instruction ID: 05c2a068ec8248d3d24fb73124f2ba0192b7bb261c799db9564259cde8fcc610
Opcode Fuzzy Hash: DC012BC22786CE23E606A9C47A00BD0CE65AFB261CCC867E14FEE3C5D57ED100089B96
Instruction Fuzzy Hash: 05c2a068ec8248d3d24fb73124f2ba0192b7bb261c799db9564259cde8fcc610

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F40E
GetWindowPlacement.USER32(?,0000002C), ref: 0046F429

Part of subcall function 0046F148: GetWindow.USER32(?,00000005), ref: 0046F156
Part of subcall function 0046F148: GetWindow.USER32(00000000,00000002), ref: 0046F164

Strings

Maximized, xrefs: 0046F439
,, xrefs: 0046F41D
False, xrefs: 0046F4D6
Show/Unactive, xrefs: 0046F475
Normal, xrefs: 0046F44D
Minimized, xrefs: 0046F461
Normal/Unactive, xrefs: 0046F489

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00456278, Relevance: 15.2, APIs: 10, Instructions: 197 Total matches: 3025

Similarity

Total matches: 3025
API ID: GetWindowLong$IntersectClipRectRestoreDCSaveDC
String ID:
API String ID: 3006731778-0
Opcode ID: 42e9e34b880910027b3e3a352b823e5a85719ef328f9c6ea61aaf2d3498d6580
Instruction ID: 4204c0258dd60c0c2688d7e8ce7edc9cd036ce1826430425374ca7ebdb7834a4
Opcode Fuzzy Hash: 4621F609168D5267EC7B75806993BAA7111FB82B88CD1F7321AA1171975B80204BFA07
Instruction Fuzzy Hash: 4204c0258dd60c0c2688d7e8ce7edc9cd036ce1826430425374ca7ebdb7834a4

APIs

SaveDC.GDI32(?), ref: 00456295

Part of subcall function 0044EEA0: GetWindowOrgEx.GDI32(?), ref: 0044EEAE
Part of subcall function 0044EEA0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044EEC4

IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 004562CE
GetWindowLongA.USER32(00000000,000000EC), ref: 004562E2
GetWindowLongA.USER32(00000000,000000F0), ref: 00456303

Part of subcall function 00456278: SetRect.USER32(00000010,00000000,00000000,?,?), ref: 00456363
Part of subcall function 00456278: IntersectClipRect.GDI32(?,00000000,00000000,00000010,?), ref: 004563D3
Part of subcall function 00456278: SetRect.USER32(?,00000000,00000000,?,?), ref: 004563F4
Part of subcall function 00456278: DrawEdge.USER32(?,?,00000000,00000000), ref: 00456403
Part of subcall function 00456278: IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0045642C

RestoreDC.GDI32(?,?), ref: 004564AB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043F2B8, Relevance: 15.1, APIs: 10, Instructions: 133 Total matches: 142window

Similarity

Total matches: 142
API ID: GetWindowLongSendMessageSetWindowLong$GetClassLongGetSystemMenuSetClassLongSetWindowPos
String ID:
API String ID: 864553395-0
Opcode ID: 9ab73d602731c043e05f06fe9a833ffc60d2bf7da5b0a21ed43778f35c9aa1f5
Instruction ID: 86e40c6f39a8dd384175e0123e2dc7e82ae64037638b8220b5ac0861a23d6a34
Opcode Fuzzy Hash: B101DBAA1A176361E0912DCCCAC3B2ED50DB743248EB0DBD922E11540E7F4590A7FE2D
Instruction Fuzzy Hash: 86e40c6f39a8dd384175e0123e2dc7e82ae64037638b8220b5ac0861a23d6a34

APIs

GetWindowLongA.USER32(00000000,000000F0), ref: 0043F329
GetWindowLongA.USER32(00000000,000000EC), ref: 0043F33B
GetClassLongA.USER32(00000000,000000E6), ref: 0043F34E
SetWindowLongA.USER32(00000000,000000F0,00000000), ref: 0043F38E
SetWindowLongA.USER32(00000000,000000EC,?), ref: 0043F3A2
SetClassLongA.USER32(00000000,000000E6,?), ref: 0043F3B6
SendMessageA.USER32(00000000,00000080,00000001,00000000), ref: 0043F3F0
SendMessageA.USER32(00000000,00000080,00000001,00000000), ref: 0043F408
GetSystemMenu.USER32(00000000,000000FF), ref: 0043F417
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043F440

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044155C, Relevance: 15.1, APIs: 10, Instructions: 74 Total matches: 3192window

Similarity

Total matches: 3192
API ID: DeleteMenu$EnableMenuItem$GetSystemMenu
String ID:
API String ID: 3542995237-0
Opcode ID: 6b257927fe0fdeada418aad578b82fbca612965c587f2749ccb5523ad42afade
Instruction ID: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578
Opcode Fuzzy Hash: 0AF0D09DD98F1151E6F500410C47B83C08AFF413C5C245B380583217EFA9D25A5BEB0E
Instruction Fuzzy Hash: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 004415A7
DeleteMenu.USER32(00000000,0000F130,00000000), ref: 004415C5
DeleteMenu.USER32(00000000,00000007,00000400), ref: 004415D2
DeleteMenu.USER32(00000000,00000005,00000400), ref: 004415DF
DeleteMenu.USER32(00000000,0000F030,00000000), ref: 004415EC
DeleteMenu.USER32(00000000,0000F020,00000000), ref: 004415F9
DeleteMenu.USER32(00000000,0000F000,00000000), ref: 00441606
DeleteMenu.USER32(00000000,0000F120,00000000), ref: 00441613
EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 00441631
EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 0044164D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040281E, Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 188 Total matches: 190window

Similarity

Total matches: 190
API ID: MessageBox
String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
API String ID: 1250089747-980038931
Opcode ID: 1669ecd234b97cdbd14c3df7a35b1e74c6856795be7635a3e0f5130a3d9bc831
Instruction ID: 2e60dbe28dcd1d3aa5670394eea0bc97309ab4bc9661f15f320bab8b5d4cd559
Opcode Fuzzy Hash: 8E21F44B67EED392D3EA1303384575540E3ABC5537D888F60977232BF6EE14140BAA9D
Instruction Fuzzy Hash: 2e60dbe28dcd1d3aa5670394eea0bc97309ab4bc9661f15f320bab8b5d4cd559

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 00402BBE

Strings

An unexpected memory leak has occurred. , xrefs: 00402980
, xrefs: 00402B04
The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402B39
The unexpected small block leaks are:, xrefs: 004029F7
Unexpected Memory Leak, xrefs: 00402BB0
7, xrefs: 00402991
bytes: , xrefs: 00402A4D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004710F0, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 66 Total matches: 37

Similarity

Total matches: 37
API ID: GetWindowShowWindow$FindWindowGetClassName
String ID: BUTTON$Shell_TrayWnd
API String ID: 2948047570-3627955571
Opcode ID: 9e064d9ead1b610c0c1481de5900685eb7d76be14ef2e83358ce558d27e67668
Instruction ID: d360bd029940f6fa4d12d7627fe3e8b46839e67e31e965d43504e39a11938d6c
Opcode Fuzzy Hash: 68E092CC17B5D469B71A2789284236241D5C763A35C18B752D332376DF8E58021EE60A
Instruction Fuzzy Hash: d360bd029940f6fa4d12d7627fe3e8b46839e67e31e965d43504e39a11938d6c

APIs

FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 0047111D
GetWindow.USER32(00000000,00000005), ref: 00471125
GetClassNameA.USER32(00000000,?,00000080), ref: 0047113D
ShowWindow.USER32(00000000,00000001), ref: 0047117C
ShowWindow.USER32(00000000,00000000), ref: 00471186
GetWindow.USER32(00000000,00000002), ref: 0047118E

Strings

BUTTON, xrefs: 00471168
Shell_TrayWnd, xrefs: 00471118

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040DA34, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 56 Total matches: 16filewindow

Similarity

Total matches: 16
API ID: GetStdHandleWriteFile$CharToOemLoadStringMessageBox
String ID: LPI
API String ID: 3807148645-863635926
Opcode ID: 539cd2763de28bf02588dbfeae931fa34031625c31423c558e1c96719d1f86e4
Instruction ID: 5b0ab8211e0f5c40d4b1780363d5c9b524eff0228eb78845b7b0cb7c9884c59c
Opcode Fuzzy Hash: B1E09A464E3CA62353002E1070C6B892287EF4302E93833828A11787D74E3104E9A21C
Instruction Fuzzy Hash: 5b0ab8211e0f5c40d4b1780363d5c9b524eff0228eb78845b7b0cb7c9884c59c

APIs

Part of subcall function 0040D8AC: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040D8C9
Part of subcall function 0040D8AC: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040D8ED
Part of subcall function 0040D8AC: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040D908
Part of subcall function 0040D8AC: LoadStringA.USER32(00000000,0000FFED,?,00000100), ref: 0040D99E

CharToOemA.USER32(?,?), ref: 0040DA6B
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,0040E1ED,0040E312,0040FDD4,00000000,0040FF18), ref: 0040DA88
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?), ref: 0040DA8E
GetStdHandle.KERNEL32(000000F4,0040DAF8,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,0040E1ED,0040E312,0040FDD4,00000000,0040FF18), ref: 0040DAA3
WriteFile.KERNEL32(00000000,000000F4,0040DAF8,00000002,?), ref: 0040DAA9
LoadStringA.USER32(00000000,0000FFEE,?,00000040), ref: 0040DACB
MessageBoxA.USER32(00000000,?,?,00002010), ref: 0040DAE1

Strings

LPI, xrefs: 0040DA48

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004564D0, Relevance: 13.7, APIs: 9, Instructions: 177 Total matches: 190window

Similarity

Total matches: 190
API ID: SelectObject$BeginPaintBitBltCreateCompatibleBitmapCreateCompatibleDCSetWindowOrgEx
String ID:
API String ID: 1616898104-0
Opcode ID: 00b711a092303d63a394b0039c66d91bff64c6bf82b839551a80748cfcb5bf1e
Instruction ID: 1affb125a654ca7596d0e4f6c4811def945eff925a29ebecd1c68cf0f38a7913
Opcode Fuzzy Hash: 14115B85024DA637E8739CC85E83F962294F307D48C91F7729BA31B2C72F15600DD293
Instruction Fuzzy Hash: 1affb125a654ca7596d0e4f6c4811def945eff925a29ebecd1c68cf0f38a7913

APIs

Part of subcall function 00455D50: BeginPaint.USER32(00000000,?), ref: 00455D7B
Part of subcall function 00455D50: SaveDC.GDI32(00000000), ref: 00455DB4
Part of subcall function 00455D50: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 00455E36
Part of subcall function 00455D50: RestoreDC.GDI32(00000000,00000000), ref: 00455E6C
Part of subcall function 00455D50: EndPaint.USER32(00000000,?), ref: 00455EA9

BeginPaint.USER32(00000000,?), ref: 004565EA
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00456600
CreateCompatibleDC.GDI32(00000000), ref: 00456617
SelectObject.GDI32(?,?), ref: 00456627
SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0045664B

Part of subcall function 004564D0: BeginPaint.USER32(00000000,?), ref: 0045653C
Part of subcall function 004564D0: EndPaint.USER32(00000000,?), ref: 004565D0

BitBlt.GDI32(00000000,?,?,?,?,?,?,?,00CC0020), ref: 00456699
SelectObject.GDI32(?,?), ref: 004566B3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004840D8, Relevance: 13.6, APIs: 9, Instructions: 150 Total matches: 30

Similarity

Total matches: 30
API ID: CloseHandleGetTokenInformationLookupAccountSid$GetLastErrorOpenProcessOpenProcessToken
String ID:
API String ID: 1387212650-0
Opcode ID: 55fc45e655e8bcad6bc41288bae252f5ee7be0b7cb976adfe173a6785b05be5f
Instruction ID: 4c6b5abeafcca947752a893948ed48d42e020b1fe5683f4a654fc51f6199c0a3
Opcode Fuzzy Hash: 3901484A17CA2293F53BB5C82483FEA1215E702B45D48B7A354F43A59A5F45A13BF702
Instruction Fuzzy Hash: 4c6b5abeafcca947752a893948ed48d42e020b1fe5683f4a654fc51f6199c0a3

APIs

OpenProcess.KERNEL32(00000400,00000000,?,00000000,00484275), ref: 00484108
OpenProcessToken.ADVAPI32(00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 0048411E
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,?,00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 00484139
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),?,?,?,?,TokenIntegrityLevel,00000000,00000000,?,00000000,00000008,?,00000400,00000000), ref: 00484168
GetLastError.KERNEL32(?,TokenIntegrityLevel,00000000,00000000,?,00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 00484177
CloseHandle.KERNEL32(?), ref: 00484185
LookupAccountSidA.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 004841B4
LookupAccountSidA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,?), ref: 00484205
CloseHandle.KERNEL32(00000000), ref: 00484255

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00451458, Relevance: 13.6, APIs: 9, Instructions: 122 Total matches: 3040window

Similarity

Total matches: 3040
API ID: PatBlt$SelectObject$GetDCExGetDesktopWindowReleaseDC
String ID:
API String ID: 2402848322-0
Opcode ID: 0b1cd19b0e82695ca21d43bacf455c9985e1afa33c1b29ce2f3a7090b744ccb2
Instruction ID: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593
Opcode Fuzzy Hash: C2F0B4482AADF707C8B6350915C7F79224AED736458F4BB694DB4172CBAF27B014D093
Instruction Fuzzy Hash: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593

APIs

GetDesktopWindow.USER32 ref: 0045148F
GetDCEx.USER32(?,00000000,00000402), ref: 004514A2

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

SelectObject.GDI32(?,00000000), ref: 004514C5
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 004514EB
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0045150D
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 0045152C
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 00451546
SelectObject.GDI32(?,?), ref: 00451553
ReleaseDC.USER32(?,?), ref: 0045156D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00465598, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 194 Total matches: 72libraryloader

Similarity

Total matches: 72
API ID: GetProcAddress$IsBadReadPtrLoadLibrary
String ID: BuildImportTable: GetProcAddress failed$BuildImportTable: ReallocMemory failed$BuildImportTable: can't load library:
API String ID: 1616315271-1384308123
Opcode ID: eb45955122e677bac4d3e7b6686ec9cba9f45ae3ef48f3e0b242e9a0c3719a7c
Instruction ID: d25742ef4bc1d51b96969838743a3f95180d575e7d72d5f7fe617812cb4009d6
Opcode Fuzzy Hash: 0B214C420345E0D3ED39A2081CC7FB15345EF639B4D88AB671ABB667FA2985500AF50D
Instruction Fuzzy Hash: d25742ef4bc1d51b96969838743a3f95180d575e7d72d5f7fe617812cb4009d6

APIs

LoadLibraryA.KERNEL32(00000000), ref: 00465607
GetProcAddress.KERNEL32(?,?), ref: 00465737
GetProcAddress.KERNEL32(?,?), ref: 0046576B
IsBadReadPtr.KERNEL32(?,00000014,00000000,004657D8), ref: 004657A9

Strings

BuildImportTable: can't load library: , xrefs: 00465644
BuildImportTable: ReallocMemory failed, xrefs: 0046568D
BuildImportTable: GetProcAddress failed, xrefs: 0046577C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482E34, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 193 Total matches: 16sleepthread

Similarity

Total matches: 16
API ID: Sleep$CreateThreadExitThread
String ID: .255$127.0.0.1$LanList
API String ID: 1155887905-2919614961
Opcode ID: f9aceb7697053a60f8f2203743265727de6b3c16a25ac160ebf033b594fe70c2
Instruction ID: 67bc21a589158fc7afeef0b5d02271f7d18e2bfc14a4273c93325a5ef21c2c98
Opcode Fuzzy Hash: 62215C820F87955EED616C807C41FA701315FB7649D4FAB622A6B3A1A74E032016B743
Instruction Fuzzy Hash: 67bc21a589158fc7afeef0b5d02271f7d18e2bfc14a4273c93325a5ef21c2c98

APIs

ExitThread.KERNEL32(00000000,00000000,004830D3,?,?,?,?,00000000,00000000), ref: 004830A6

Part of subcall function 00473208: socket.WSOCK32(00000002,00000001,00000000,00000000,00473339), ref: 0047323B
Part of subcall function 00473208: WSAIoctl.WS2_32(000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000), ref: 0047327C
Part of subcall function 00473208: inet_ntoa.WSOCK32(?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000), ref: 004732AC
Part of subcall function 00473208: inet_ntoa.WSOCK32(?,?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001), ref: 004732E8
Part of subcall function 00473208: closesocket.WSOCK32(000000FF,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000,00000000,00473339), ref: 00473319

CreateThread.KERNEL32(00000000,00000000,Function_00082CDC,?,00000000,?), ref: 00483005
Sleep.KERNEL32(00000032,00000000,00000000,Function_00082CDC,?,00000000,?,?,00000000,00000000,00483104,?,00483104,?,00483104,?), ref: 0048300C
Sleep.KERNEL32(00000064,.255,?,00483104,?,00483104,?,?,00000000,004830D3,?,?,?,?,00000000,00000000), ref: 00483054

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

127.0.0.1, xrefs: 00482E9D
LanList, xrefs: 0048306B
.255, xrefs: 0048303C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004117E8, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: f440f800a6dcfa6827f62dcd7c23166eba4d720ac19948e634cff8498f9e3f0b
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 4D113503239AAB83B0257B804C83F24D1D0DE42D36ACD97B8C672693F32601561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00411881
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041189D
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 004118D6
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411953
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0041196C
VariantCopy.OLEAUT32(?), ref: 004119A1

Strings

, xrefs: 00411802

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00454934, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 134 Total matches: 1764registry

Similarity

Total matches: 1764
API ID: GetWindowLong$GetClassInfoRegisterClassSetWindowLongUnregisterClass
String ID: @
API String ID: 2433521760-2766056989
Opcode ID: bb057d11bcffa2997f58ae607b8aec9f6d517787b85221cca69b6bc40098651c
Instruction ID: 4013627ed433dbc6b152acdb164a0da3d29e3622e0b68fd627badcaca3a3b516
Opcode Fuzzy Hash: 5A119C80560CD237E7D669A4B48378513749F97B7CDD0536B63F6242DA4E00402DF96E
Instruction Fuzzy Hash: 4013627ed433dbc6b152acdb164a0da3d29e3622e0b68fd627badcaca3a3b516

APIs

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetClassInfoA.USER32(?,?,?), ref: 004549F8
UnregisterClassA.USER32(?,?), ref: 00454A20
RegisterClassA.USER32(?), ref: 00454A36
GetWindowLongA.USER32(00000000,000000F0), ref: 00454A72
GetWindowLongA.USER32(00000000,000000F4), ref: 00454A87
SetWindowLongA.USER32(00000000,000000F4,00000000), ref: 00454A9A

Part of subcall function 00458910: IsIconic.USER32(?), ref: 0045891F
Part of subcall function 00458910: GetWindowPlacement.USER32(?,0000002C), ref: 0045893C
Part of subcall function 00458910: GetWindowRect.USER32(?), ref: 00458955
Part of subcall function 00458910: GetWindowLongA.USER32(?,000000F0), ref: 00458963
Part of subcall function 00458910: GetWindowLongA.USER32(?,000000F8), ref: 00458978
Part of subcall function 00458910: ScreenToClient.USER32(00000000), ref: 00458985
Part of subcall function 00458910: ScreenToClient.USER32(00000000,?), ref: 00458990

Part of subcall function 0042473C: CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,00424930,?,00000000,00424958), ref: 0042486B
Part of subcall function 0042473C: CreateFontIndirectA.GDI32(?), ref: 0042490D

Part of subcall function 0040F26C: GetLastError.KERNEL32(0040F31C,?,0041BBC3,?), ref: 0040F26C

Strings

@, xrefs: 0045496D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AC14, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 110 Total matches: 30

Similarity

Total matches: 30
API ID: GetCurrentProcessGetTokenInformationLookupPrivilegeDisplayNameLookupPrivilegeNameOpenProcessToken
String ID: GetTokenInformation error$OpenProcessToken error
API String ID: 34442935-1842041635
Opcode ID: 07715b92dc7caf9e715539a578f275bcd2bb60a34190f84cc6cf05c55eb8ea49
Instruction ID: 380ab001647c8b3903b6034fc21424389ae21c1771cfbd9cf9b74ae493e33b6b
Opcode Fuzzy Hash: 9101994303ACF753F62929086842BDA0550DF534A5EC4AB6281746BEC90F28203AFB57
Instruction Fuzzy Hash: 380ab001647c8b3903b6034fc21424389ae21c1771cfbd9cf9b74ae493e33b6b

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AD60), ref: 0048AC51
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AD60), ref: 0048AC57
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000320,?,00000000,00000028,?,00000000,0048AD60), ref: 0048AC7D
LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,00000000,000000FF,?), ref: 0048ACEE

Part of subcall function 00489B40: MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00489B84

LookupPrivilegeNameA.ADVAPI32(00000000,?,00000000,000000FF), ref: 0048ACDD

Strings

GetTokenInformation error, xrefs: 0048AC86
OpenProcessToken error, xrefs: 0048AC60

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0041F7B4, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109 Total matches: 16thread

Similarity

Total matches: 16
API ID: EnterCriticalSectionGetCurrentThreadId$InterlockedExchangeLeaveCriticalSection
String ID: 4PI
API String ID: 853095497-1771581502
Opcode ID: e7ac2c5012fa839d146893c0705f22c4635eb548c5d0be0363ce03b581d14a20
Instruction ID: e450c16710015a04d827bdf36dba62923dd4328c0a0834b889eda6f9c026b195
Opcode Fuzzy Hash: 46F0268206D8F1379472678830D77370A8AC33154EC85EB52162C376EB1D05D05DE75B
Instruction Fuzzy Hash: e450c16710015a04d827bdf36dba62923dd4328c0a0834b889eda6f9c026b195

APIs

GetCurrentThreadId.KERNEL32 ref: 0041F7BF
GetCurrentThreadId.KERNEL32 ref: 0041F7CE
EnterCriticalSection.KERNEL32(004999D0,0041F904,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F8F7

Part of subcall function 0041F774: WaitForSingleObject.KERNEL32(000000EC), ref: 0041F77E

Part of subcall function 0041F768: ResetEvent.KERNEL32(000000EC,0041F809), ref: 0041F76E

EnterCriticalSection.KERNEL32(004999D0), ref: 0041F813
InterlockedExchange.KERNEL32(00491B2C,?), ref: 0041F82F
LeaveCriticalSection.KERNEL32(004999D0,00000000,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F888

Strings

4PI, xrefs: 0041F7C4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00449834, Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 80 Total matches: 16libraryloader

Similarity

Total matches: 16
API ID: GetModuleHandleGetProcAddressImageList_Write
String ID: $qA$ImageList_WriteEx$[FILE]$[FILE]
API String ID: 3028349119-1134023085
Opcode ID: 9b6b780f1487285524870f905d0420896c1378cf45dbecae2d97141bf0e14d48
Instruction ID: 043155abd17610354dead4f4dd3580dd0e6203469d1d2f069e389e4af6e4a666
Opcode Fuzzy Hash: 29F059C6A0CCF14AE7175584B0AB66107F0BB9DD5F8C87710081C710A90F95A13DFB56
Instruction Fuzzy Hash: 043155abd17610354dead4f4dd3580dd0e6203469d1d2f069e389e4af6e4a666

APIs

ImageList_Write.COMCTL32(00000000,?,00000000,0044992E), ref: 004498F8

Part of subcall function 0040E3A4: GetFileVersionInfoSizeA.VERSION(00000000,?,00000000,0040E47A), ref: 0040E3E6
Part of subcall function 0040E3A4: GetFileVersionInfoA.VERSION(00000000,?,00000000,?,00000000,0040E45D,?,00000000,?,00000000,0040E47A), ref: 0040E41B
Part of subcall function 0040E3A4: VerQueryValueA.VERSION(?,0040E48C,?,?,00000000,?,00000000,?,00000000,0040E45D,?,00000000,?,00000000,0040E47A), ref: 0040E435

GetModuleHandleA.KERNEL32(comctl32.dll), ref: 00449868
GetProcAddress.KERNEL32(00000000,ImageList_WriteEx,comctl32.dll), ref: 00449879

Strings

comctl32.dll, xrefs: 00449863
ImageList_WriteEx, xrefs: 00449873
$qA, xrefs: 004498D4, 00449909
comctl32.dll, xrefs: 00449848

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E4A0, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68 Total matches: 2853string

Similarity

Total matches: 2853
API ID: GetSystemMetrics$GetMonitorInfoSystemParametersInfolstrcpy
String ID: DISPLAY$GetMonitorInfo
API String ID: 3432438702-1633989206
Opcode ID: eae47ffeee35c10db4cae29e8a4ab830895bcae59048fb7015cdc7d8cb0a928b
Instruction ID: 74142331967dee0409fd24cf408a58a7466f2520650418456c75ade1e3029da4
Opcode Fuzzy Hash: 28E068803A699081F86A71027110F4912B07AE7E47D883B92C4777051BD78265B91D01
Instruction Fuzzy Hash: 74142331967dee0409fd24cf408a58a7466f2520650418456c75ade1e3029da4

APIs

GetMonitorInfoA.USER32(?,?), ref: 0042E4D1
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042E4F8
GetSystemMetrics.USER32(00000000), ref: 0042E50D
GetSystemMetrics.USER32(00000001), ref: 0042E518
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0042E542

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

DISPLAY, xrefs: 0042E539
GetMonitorInfo, xrefs: 0042E4B8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004052FC, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38 Total matches: 3072filewindow

Similarity

Total matches: 3072
API ID: GetStdHandleWriteFile$MessageBox
String ID: Error$Runtime error at 00000000
API String ID: 877302783-2970929446
Opcode ID: a2f2a555d5de0ed3a3cdfe8a362fd9574088acc3a5edf2b323f2c4251b80d146
Instruction ID: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97
Opcode Fuzzy Hash: FED0A7C68438479FA141326030C4B2A00133F0762A9CC7396366CB51DFCF4954BCDD05
Instruction Fuzzy Hash: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405335
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 0040533B
GetStdHandle.KERNEL32(000000F5,00405384,00000002,?,00000000,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405350
WriteFile.KERNEL32(00000000,000000F5,00405384,00000002,?), ref: 00405356
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00405374

Strings

Error, xrefs: 00405368
Runtime error at 00000000, xrefs: 0040532E, 0040536D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00442C9C, Relevance: 12.2, APIs: 8, Instructions: 154 Total matches: 2310window

Similarity

Total matches: 2310
API ID: SendMessage$GetActiveWindowGetCapture$ReleaseCapture
String ID:
API String ID: 3360342259-0
Opcode ID: 2e7a3c9d637816ea08647afd4d8ce4a3829e05fa187c32cef18f4a4206af3d5d
Instruction ID: f313f7327938110f0d474da6a120560d1e1833014bacf3192a9076ddb3ef11f7
Opcode Fuzzy Hash: 8F1150111E8E7417F8A3A1C8349BB23A067F74FA59CC0BF71479A610D557588869D707
Instruction Fuzzy Hash: f313f7327938110f0d474da6a120560d1e1833014bacf3192a9076ddb3ef11f7

APIs

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetCapture.USER32 ref: 00442D0D
GetCapture.USER32 ref: 00442D1C
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00442D22
ReleaseCapture.USER32 ref: 00442D27
GetActiveWindow.USER32 ref: 00442D78

Part of subcall function 004442A8: GetCursorPos.USER32 ref: 004442C3
Part of subcall function 004442A8: WindowFromPoint.USER32(?,?), ref: 004442D0
Part of subcall function 004442A8: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004442DE
Part of subcall function 004442A8: GetCurrentThreadId.KERNEL32(00000000,00000000,?,?), ref: 004442E5
Part of subcall function 004442A8: SendMessageA.USER32(00000000,00000084,00000000,?), ref: 0044430E
Part of subcall function 004442A8: SendMessageA.USER32(00000000,00000020,00000000,?), ref: 00444320
Part of subcall function 004442A8: SetCursor.USER32(00000000), ref: 00444332

Part of subcall function 0043B920: GetCurrentThreadId.KERNEL32(0043B8D0,00000000,00000000,0043B993,?,00000000,0043B9D1), ref: 0043B976
Part of subcall function 0043B920: EnumThreadWindows.USER32(00000000,0043B8D0,00000000), ref: 0043B97C

SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00442E0E
SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00442E7B
GetActiveWindow.USER32 ref: 00442E8A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E0DC, Relevance: 12.1, APIs: 8, Instructions: 100 Total matches: 31registry

Similarity

Total matches: 31
API ID: RegOpenKeyEx$RegCloseKeyRegDeleteValue
String ID:
API String ID: 2702562355-0
Opcode ID: ff1bffc0fc9da49c543c68ea8f8c068e074332158ed00d7e0855fec77d15ce10
Instruction ID: bb6f8a9e936068d281b70d3ea2ea02ff1a791729bc38357734c580253c916b5c
Opcode Fuzzy Hash: 00F0AD0155E9A353EBF654C41E127DB2082FF43A44D08FFB50392139D3DF581028E663
Instruction Fuzzy Hash: bb6f8a9e936068d281b70d3ea2ea02ff1a791729bc38357734c580253c916b5c

APIs

RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?,00000000,0046E238), ref: 0046E15A
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,000F003F,?,0046E23F,80000000,00000000,00000000,000F003F,?,00000000,0046E238), ref: 0046E17D
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,0046E23F,80000000,00000000,00000000,000F003F,?), ref: 0046E19D
RegOpenKeyExA.ADVAPI32(80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,0046E23F), ref: 0046E1BD
RegOpenKeyExA.ADVAPI32(80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001), ref: 0046E1DD
RegOpenKeyExA.ADVAPI32(80000006,00000000,00000000,000F003F,?,80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002), ref: 0046E1FD
RegDeleteValueA.ADVAPI32(?,00000000,00000000,0046E238), ref: 0046E20F
RegCloseKey.ADVAPI32(?,?,00000000,00000000,0046E238), ref: 0046E218

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004462F4, Relevance: 12.1, APIs: 8, Instructions: 99 Total matches: 293windowthread

Similarity

Total matches: 293
API ID: SendMessage$GetWindowThreadProcessId$GetCaptureGetParentIsWindowUnicode
String ID:
API String ID: 2317708721-0
Opcode ID: 8f6741418f060f953fc426fb00df5905d81b57fcb2f7a38cdc97cb0aab6d7365
Instruction ID: 027f2b09132ef415e1641618d15c0fc03404835376b0cbd1c352fc703b58c8b5
Opcode Fuzzy Hash: D0F09E15071D1844F89FA7844CD3F1F0150E73726FC516A251861D07BB2640586DEC40
Instruction Fuzzy Hash: 027f2b09132ef415e1641618d15c0fc03404835376b0cbd1c352fc703b58c8b5

APIs

GetCapture.USER32 ref: 0044631A
GetParent.USER32(00000000), ref: 00446340
IsWindowUnicode.USER32(00000000), ref: 0044635D
SendMessageW.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446378
SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446397
GetWindowThreadProcessId.USER32(00000000), ref: 004463A6
GetWindowThreadProcessId.USER32(?,?), ref: 004463B4
SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 004463D4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E244, Relevance: 12.1, APIs: 8, Instructions: 95 Total matches: 27registry

Similarity

Total matches: 27
API ID: RegOpenKeyEx$RegCloseKeyRegDeleteKey
String ID:
API String ID: 1588268847-0
Opcode ID: efa1fa3a126963e045954320cca245066a4b5764b694b03be027155e6cf74c33
Instruction ID: 786d86d630c0ce6decb55c8266b1f23f89dbfeab872e22862efc69a80fb541cf
Opcode Fuzzy Hash: 70F0810454D99393EFF268C81A627EB2492FF53141C00BFB603D222A93DF191428E663
Instruction Fuzzy Hash: 786d86d630c0ce6decb55c8266b1f23f89dbfeab872e22862efc69a80fb541cf

APIs

RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?,00000000,0046E391), ref: 0046E2B7
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,000F003F,?,80000000,00000000,00000000,000F003F,?,00000000,0046E391), ref: 0046E2DA
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,80000000,00000000,00000000,000F003F,?,00000000), ref: 0046E2FA
RegOpenKeyExA.ADVAPI32(80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,80000000), ref: 0046E31A
RegOpenKeyExA.ADVAPI32(80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001), ref: 0046E33A
RegOpenKeyExA.ADVAPI32(80000006,00000000,00000000,000F003F,?,80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002), ref: 0046E35A
RegDeleteKeyA.ADVAPI32(?,0046E39C), ref: 0046E368
RegCloseKey.ADVAPI32(?,?,0046E39C,00000000,0046E391), ref: 0046E371

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426060, Relevance: 12.1, APIs: 8, Instructions: 79 Total matches: 3072window

Similarity

Total matches: 3072
API ID: GetSystemPaletteEntries$GetDCGetDeviceCapsReleaseDC
String ID:
API String ID: 3774187343-0
Opcode ID: c8a1f0028bda89d06ba34fecd970438ce26e4f5bd606e2da3d468695089984a8
Instruction ID: 0cfe958825060108f21fe327ec74807f3ea840bb8274bad68fd1d00675d59d02
Opcode Fuzzy Hash: 82F0E9420739F3B3B21723492453B548250FF006B8F195B7095A2A37D54B486A08D65A
Instruction Fuzzy Hash: 0cfe958825060108f21fe327ec74807f3ea840bb8274bad68fd1d00675d59d02

APIs

GetDC.USER32(00000000), ref: 0042608E
GetDeviceCaps.GDI32(?,00000068), ref: 004260AA
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 004260C9
GetSystemPaletteEntries.GDI32(?,-00000008,00000001,00C0C0C0), ref: 004260ED
GetSystemPaletteEntries.GDI32(?,00000000,00000007,?), ref: 0042610B
GetSystemPaletteEntries.GDI32(?,00000007,00000001,?), ref: 0042611F
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0042613F
ReleaseDC.USER32(00000000,?), ref: 00426157

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434550, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 177 Total matches: 2669window

Similarity

Total matches: 2669
API ID: InsertMenu$GetVersionInsertMenuItem
String ID: ,$?
API String ID: 1158528009-2308483597
Opcode ID: 3691d3eb49acf7fe282d18733ae3af9147e5be4a4a7370c263688d5644077239
Instruction ID: d88e58a9695d0ecde36b26a9ed5775f3b98e27f7dc2108173ae1ec2afbf22209
Opcode Fuzzy Hash: 7021C07202AE81DBD414788C7954F6221B16B5465FD49FF210329B5DD98F156003FF7A
Instruction Fuzzy Hash: d88e58a9695d0ecde36b26a9ed5775f3b98e27f7dc2108173ae1ec2afbf22209

APIs

GetVersion.KERNEL32(00000000,004347A1), ref: 004345EC
InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 004346F5
InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 0043477E

Part of subcall function 00434A54: CreatePopupMenu.USER32 ref: 00434A6F
Part of subcall function 00434A54: CreateMenu.USER32 ref: 00434A79

InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 00434765

Strings

?, xrefs: 00434607
,, xrefs: 00434600

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00488D70, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 139 Total matches: 17window

Similarity

Total matches: 17
API ID: BitBltCreateCompatibleBitmapCreateCompatibleDCCreateDCSelectObject
String ID: image/jpeg
API String ID: 3045076971-3785015651
Opcode ID: dbe4b5206c04ddfa7cec44dd0e3e3f3269a9d8eacf2ec53212285f1a385d973c
Instruction ID: b6a9b81207b66fd46b40be05ec884117bb921c7e8fb4f30b77988d552b54040a
Opcode Fuzzy Hash: 3001BD010F4EF103E475B5CC3853FF7698AEB17E8AD1A77A20CB8961839202A009F607
Instruction Fuzzy Hash: b6a9b81207b66fd46b40be05ec884117bb921c7e8fb4f30b77988d552b54040a

APIs

CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 00488DAA
CreateCompatibleDC.GDI32(?), ref: 00488DC4
CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 00488DDC
SelectObject.GDI32(?,?), ref: 00488DEC
BitBlt.GDI32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,00CC0020), ref: 00488E15

Part of subcall function 0045FB1C: GdipCreateBitmapFromHBITMAP.GDIPLUS(?,?,?), ref: 0045FB43

Part of subcall function 0045FA24: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,0045FA7A), ref: 0045FA54

Strings

image/jpeg, xrefs: 00488E70

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446834, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 138 Total matches: 241window

Similarity

Total matches: 241
API ID: SetWindowPos$GetWindowRectMessageBoxSetActiveWindow
String ID: (
API String ID: 3733400490-3887548279
Opcode ID: 057cc1c80f110adb1076bc5495aef73694a74091f1d008cb79dd59c6bbc78491
Instruction ID: b10abcdf8b99517cb61353ac0e0d7546e107988409174f4fad3563684715349e
Opcode Fuzzy Hash: 88014C110E8D5483B57334902893FAB110AFB8B789C4CF7F65ED25314A4B45612FA657
Instruction Fuzzy Hash: b10abcdf8b99517cb61353ac0e0d7546e107988409174f4fad3563684715349e

APIs

Part of subcall function 00447BE4: GetActiveWindow.USER32 ref: 00447C0B
Part of subcall function 00447BE4: GetLastActivePopup.USER32(?), ref: 00447C1D

GetWindowRect.USER32(?,?), ref: 004468B6
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 004468EE

Part of subcall function 0043B920: GetCurrentThreadId.KERNEL32(0043B8D0,00000000,00000000,0043B993,?,00000000,0043B9D1), ref: 0043B976
Part of subcall function 0043B920: EnumThreadWindows.USER32(00000000,0043B8D0,00000000), ref: 0043B97C

MessageBoxA.USER32(00000000,?,?,?), ref: 0044692D
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0044697D

Part of subcall function 0043B9E4: IsWindow.USER32(?), ref: 0043B9F2
Part of subcall function 0043B9E4: EnableWindow.USER32(?,000000FF), ref: 0043BA01

SetActiveWindow.USER32(00000000), ref: 0044698E

Strings

(, xrefs: 00446893

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446524, Relevance: 10.6, APIs: 7, Instructions: 105 Total matches: 329window

Similarity

Total matches: 329
API ID: PeekMessage$DispatchMessage$IsWindowUnicodeTranslateMessage
String ID:
API String ID: 94033680-0
Opcode ID: 72d0e2097018c2d171db36cd9dd5c7d628984fd68ad100676ade8b40d7967d7f
Instruction ID: b3581f7210794b57d406096c46509e1a6dcc6e0b3c60c7d01b5c3c410123a072
Opcode Fuzzy Hash: A2F0F642161A8221F90E364651E2FC06559E31F39CCD1D3871165A4192DF8573D6F95C
Instruction Fuzzy Hash: b3581f7210794b57d406096c46509e1a6dcc6e0b3c60c7d01b5c3c410123a072

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00446538
IsWindowUnicode.USER32 ref: 0044654C
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0044656D
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00446583

Part of subcall function 00447DD0: GetCapture.USER32 ref: 00447DDA
Part of subcall function 00447DD0: GetParent.USER32(00000000), ref: 00447E08

Part of subcall function 004462A4: TranslateMDISysAccel.USER32(?), ref: 004462E3

Part of subcall function 004462F4: GetCapture.USER32 ref: 0044631A
Part of subcall function 004462F4: GetParent.USER32(00000000), ref: 00446340
Part of subcall function 004462F4: IsWindowUnicode.USER32(00000000), ref: 0044635D
Part of subcall function 004462F4: SendMessageW.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446378
Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446397
Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(00000000), ref: 004463A6
Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(?,?), ref: 004463B4
Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 004463D4

Part of subcall function 0044625C: IsWindowUnicode.USER32(00000000), ref: 00446270
Part of subcall function 0044625C: IsDialogMessageW.USER32(?), ref: 00446281
Part of subcall function 0044625C: IsDialogMessageA.USER32(?,?,00000000,015B8130,00000001,00446607,?,00000000,00000000,00000000,00000001,?,00000000,00000000,00000000,00000000), ref: 00446296

TranslateMessage.USER32 ref: 0044660C
DispatchMessageW.USER32 ref: 00446618
DispatchMessageA.USER32 ref: 00446620

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004282D0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99 Total matches: 1938

Similarity

Total matches: 1938
API ID: GetWinMetaFileBitsMulDiv$GetDC
String ID: `
API String ID: 1171737091-2679148245
Opcode ID: 97e0afb71fd3017264d25721d611b96d1ac3823582e31f119ebb41a52f378edb
Instruction ID: fd1c75cb27f8ccc4a85bc281ca680933f7ff10ae91a160973978cac80d6b42b6
Opcode Fuzzy Hash: B6F0ACC4008CD2A7D87675DC1043F6311C897CA286E89BB739226A7307CB0AA019EC47
Instruction Fuzzy Hash: fd1c75cb27f8ccc4a85bc281ca680933f7ff10ae91a160973978cac80d6b42b6

APIs

MulDiv.KERNEL32(?,?,000009EC), ref: 00428322
MulDiv.KERNEL32(?,?,000009EC), ref: 00428339
GetDC.USER32(00000000), ref: 00428350
GetWinMetaFileBits.GDI32(?,00000000,00000000,00000008,?), ref: 00428374
GetWinMetaFileBits.GDI32(?,?,?,00000008,?), ref: 004283A7

Part of subcall function 00425A70: GetLastError.KERNEL32(00000000,00425B0C), ref: 00425A90
Part of subcall function 00425A70: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00425B0C), ref: 00425AB6

Strings

`, xrefs: 00428308

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444344, Relevance: 10.6, APIs: 7, Instructions: 89 Total matches: 2886

Similarity

Total matches: 2886
API ID: CreateFontIndirect$GetStockObjectSystemParametersInfo
String ID:
API String ID: 1286667049-0
Opcode ID: beeb678630a8d2ca0f721ed15124802961745e4c56d7c704ecddf8ebfa723626
Instruction ID: b9276e4cea0afd1028da4d528d34847b13dbaab52dc8e94e54053a20ac38a9fc
Opcode Fuzzy Hash: 00F0A4C36341F6F2D8993208742172161E6A74AE78C7CFF62422930ED2661A052EEB4F
Instruction Fuzzy Hash: b9276e4cea0afd1028da4d528d34847b13dbaab52dc8e94e54053a20ac38a9fc

APIs

SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 00444399
CreateFontIndirectA.GDI32(?), ref: 004443A6
GetStockObject.GDI32(0000000D), ref: 004443BC
SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 004443E5
CreateFontIndirectA.GDI32(?), ref: 004443F5
CreateFontIndirectA.GDI32(?), ref: 0044440E

Part of subcall function 00424A5C: MulDiv.KERNEL32(00000000,?,00000048), ref: 00424A69

GetStockObject.GDI32(0000000D), ref: 00444434

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428A00, Relevance: 10.6, APIs: 7, Instructions: 66 Total matches: 3056

Similarity

Total matches: 3056
API ID: SelectObject$CreateCompatibleDCDeleteDCGetDCReleaseDCSetDIBColorTable
String ID:
API String ID: 2399757882-0
Opcode ID: e05996493a4a7703f1d90fd319a439bf5e8e75d5a5d7afaf7582bfea387cb30d
Instruction ID: 90c847b5b2251fbb5b2f14fd0b24f537c214c92e226752d9278a3821f2f40b8f
Opcode Fuzzy Hash: 73E0DF8626D8F38BE435399C15C2BB202EAD763D20D1ABBA1CD712B5DB6B09701CE107
Instruction Fuzzy Hash: 90c847b5b2251fbb5b2f14fd0b24f537c214c92e226752d9278a3821f2f40b8f

APIs

Part of subcall function 004262B4: GetObjectA.GDI32(?,00000004), ref: 004262CB
Part of subcall function 004262B4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 004262EE

GetDC.USER32(00000000), ref: 00428A3E
CreateCompatibleDC.GDI32(?), ref: 00428A4A
SelectObject.GDI32(?), ref: 00428A57
SetDIBColorTable.GDI32(?,00000000,00000000,?), ref: 00428A7B
SelectObject.GDI32(?,?), ref: 00428A95
DeleteDC.GDI32(?), ref: 00428A9E
ReleaseDC.USER32(00000000,?), ref: 00428AA9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004442A8, Relevance: 10.6, APIs: 7, Instructions: 57 Total matches: 3149threadwindow

Similarity

Total matches: 3149
API ID: SendMessage$GetCurrentThreadIdGetCursorPosGetWindowThreadProcessIdSetCursorWindowFromPoint
String ID:
API String ID: 3843227220-0
Opcode ID: 636f8612f18a75fc2fe2d79306f1978e6c2d0ee500cce15a656835efa53532b4
Instruction ID: 91a0691e93be75cbd792bc1c5d11451005bcc187603754b99125f381020161aa
Opcode Fuzzy Hash: 6FE07D44093723D5C0644A295640705A6C6CB96630DC0DB86C339580FBAD0214F0BC92
Instruction Fuzzy Hash: 91a0691e93be75cbd792bc1c5d11451005bcc187603754b99125f381020161aa

APIs

GetCursorPos.USER32 ref: 004442C3
WindowFromPoint.USER32(?,?), ref: 004442D0
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004442DE
GetCurrentThreadId.KERNEL32(00000000,00000000,?,?), ref: 004442E5
SendMessageA.USER32(00000000,00000084,00000000,?), ref: 0044430E
SendMessageA.USER32(00000000,00000020,00000000,?), ref: 00444320
SetCursor.USER32(00000000), ref: 00444332

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00404448, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 49 Total matches: 63registry

Similarity

Total matches: 63
API ID: RegCloseKeyRegOpenKeyExRegQueryValueEx
String ID: &$FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 2249749755-409351
Opcode ID: ab90adbf7b939076b4d26ef1005f34fa32d43ca05e29cbeea890055cc8b783db
Instruction ID: ce62e3bb234767a160e82b0d7d36def6f0e4d1aa0fd43ed305e6d49589b0b3e0
Opcode Fuzzy Hash: 58D02BE10C9A675FB6B071543292B6310A3F72AA8CC0077326DD03A0D64FD26178CF03
Instruction Fuzzy Hash: ce62e3bb234767a160e82b0d7d36def6f0e4d1aa0fd43ed305e6d49589b0b3e0

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040446A
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,&,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040449D
RegCloseKey.ADVAPI32(?,004044C0,00000000,?,00000004,00000000,&,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004044B3

Strings

&, xrefs: 00404476
FPUMaskValue, xrefs: 00404494
SOFTWARE\Borland\Delphi\RTL, xrefs: 00404460

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00488B18, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 49 Total matches: 15

Similarity

Total matches: 15
API ID: GetDeviceCaps$CreateDCEnumDisplayMonitors
String ID: DISPLAY$MONSIZE0x0x0x0
API String ID: 764351534-707749442
Opcode ID: 4ad1b1e031ca4c6641bd4b991acf5b812f9c7536f9f0cc4eb1e7d2354d8ae31a
Instruction ID: 74f5256f7b05cb3d54b39a8883d8df7c51a1bc5999892e39300c9a7f2f74089f
Opcode Fuzzy Hash: 94E0C24F6B8BE4A7600672443C237C2878AA6536918523721CB3E36A93DD472205BA15
Instruction Fuzzy Hash: 74f5256f7b05cb3d54b39a8883d8df7c51a1bc5999892e39300c9a7f2f74089f

APIs

CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 00488B3D
GetDeviceCaps.GDI32(00000000,00000008), ref: 00488B47
GetDeviceCaps.GDI32(00000000,0000000A), ref: 00488B54
EnumDisplayMonitors.USER32(00000000,00000000,004889F0,00000000), ref: 00488B85

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

DISPLAY, xrefs: 00488B6E
MONSIZE0x0x0x0, xrefs: 00488B8C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040F3A4, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 46 Total matches: 17

Similarity

Total matches: 17
API ID: FindResourceLoadResource
String ID: 0PI$DVCLAL
API String ID: 2359726220-2981686760
Opcode ID: 800224e7684f9999f87d4ef9ea60951ae4fbd73f3e4075522447f15a278b71b4
Instruction ID: dff53e867301dc3e22b70d9e69622cb382f13005f1a49077cfe6c5f33cacb54d
Opcode Fuzzy Hash: 8FD0C9D501084285852017F8B253FC7A2AB69DEB19D544BB05EB12D2076F5A613B6A46
Instruction Fuzzy Hash: dff53e867301dc3e22b70d9e69622cb382f13005f1a49077cfe6c5f33cacb54d

APIs

FindResourceA.KERNEL32(00400000,DVCLAL,0000000A), ref: 0040F3C1
LoadResource.KERNEL32(00400000,00000000,00400000,DVCLAL,0000000A), ref: 0040F3CF
FindResourceA.KERNEL32(00400000,DVCLAL,0000000A), ref: 0040F3F3
LoadResource.KERNEL32(00400000,00000000,00400000,DVCLAL,0000000A), ref: 0040F3FA

Strings

0PI, xrefs: 0040F3A8, 0040F3B9, 0040F3C7
DVCLAL, xrefs: 0040F3B4, 0040F3EA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043EC18, Relevance: 9.2, APIs: 6, Instructions: 150 Total matches: 2896

Similarity

Total matches: 2896
API ID: FillRect$BeginPaintEndPaintGetClientRectGetWindowRect
String ID:
API String ID: 2931688664-0
Opcode ID: 677a90f33c4a0bae1c1c90245e54b31fe376033ebf9183cf3cf5f44c7b342276
Instruction ID: 65c0a0a89661e183b73f48e61e48bee5eb6d6399339ac08e0e21072a38132552
Opcode Fuzzy Hash: 9711994A819E5007F47B49C40887BEA1092FBC1FDBCC8FF7025A426BCB0B60564F860B
Instruction Fuzzy Hash: 65c0a0a89661e183b73f48e61e48bee5eb6d6399339ac08e0e21072a38132552

APIs

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?), ref: 0043EC91
GetClientRect.USER32(00000000,?), ref: 0043ECBC
FillRect.USER32(?,?,00000000), ref: 0043ECDB

Part of subcall function 0043EB8C: CallWindowProcA.USER32(?,?,?,?,?), ref: 0043EBC6

Part of subcall function 0043B78C: GetWindowLongA.USER32(?,000000EC), ref: 0043B799
Part of subcall function 0043B78C: SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B7BC
Part of subcall function 0043B78C: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043B7CE

BeginPaint.USER32(?,?), ref: 0043ED53
GetWindowRect.USER32(?,?), ref: 0043ED80

Part of subcall function 0044EEA0: GetWindowOrgEx.GDI32(?), ref: 0044EEAE
Part of subcall function 0044EEA0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044EEC4

Part of subcall function 00455D50: BeginPaint.USER32(00000000,?), ref: 00455D7B
Part of subcall function 00455D50: SaveDC.GDI32(00000000), ref: 00455DB4
Part of subcall function 00455D50: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 00455E36
Part of subcall function 00455D50: RestoreDC.GDI32(00000000,00000000), ref: 00455E6C
Part of subcall function 00455D50: EndPaint.USER32(00000000,?), ref: 00455EA9

EndPaint.USER32(?,?), ref: 0043EDE0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00441160, Relevance: 9.1, APIs: 6, Instructions: 125 Total matches: 196

Similarity

Total matches: 196
API ID: ExcludeClipRectFillRectGetStockObjectRestoreDCSaveDCSetBkColor
String ID:
API String ID: 3049133588-0
Opcode ID: d6019f6cee828ac7391376ab126a0af33bb7a71103bbd3b8d69450c96d22d854
Instruction ID: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c
Opcode Fuzzy Hash: 54012444004F6253F4AB098428E7FA56083F721791CE4FF310786616C34A74615BAA07
Instruction Fuzzy Hash: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c

APIs

Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE

SaveDC.GDI32(?), ref: 004411AD
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00441234
GetStockObject.GDI32(00000004), ref: 00441256
FillRect.USER32(00000000,?,00000000), ref: 0044126F

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(00000000,00000000), ref: 004412BA

Part of subcall function 0042535C: FillRect.USER32(?,00000000,00000000), ref: 00425385

RestoreDC.GDI32(00000000,?), ref: 004412E5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446070, Relevance: 9.1, APIs: 6, Instructions: 99 Total matches: 165window

Similarity

Total matches: 165
API ID: DefWindowProcIsWindowEnabledSetActiveWindowSetFocusSetWindowPosShowWindow
String ID:
API String ID: 81093956-0
Opcode ID: 91e5e05e051b3e2f023c100c42454c78ad979d8871dc5c9cc7008693af0beda7
Instruction ID: aa6e88dcafe1d9e979c662542ea857fd259aca5c8034ba7b6c524572af4b0f27
Opcode Fuzzy Hash: C2F0DD0025452320F892A8044167FBA60622B5F75ACDCD3282197002AEEFE7507ABF14
Instruction Fuzzy Hash: aa6e88dcafe1d9e979c662542ea857fd259aca5c8034ba7b6c524572af4b0f27

APIs

Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773

SetActiveWindow.USER32(?), ref: 0044608F
ShowWindow.USER32(00000000,00000009), ref: 004460B4
IsWindowEnabled.USER32(00000000), ref: 004460D3
DefWindowProcA.USER32(?,00000112,0000F120,00000000), ref: 004460EC

Part of subcall function 00444C44: ShowWindow.USER32(?,00000006), ref: 00444C5F

SetWindowPos.USER32(?,00000000,00000000,?,?,00445ABE,00000000), ref: 00446132
SetFocus.USER32(00000000), ref: 00446180

Part of subcall function 0043FDB4: ShowWindow.USER32(00000000,?), ref: 0043FDEA

Part of subcall function 00445490: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000213), ref: 004454DE

Part of subcall function 004455EC: EnumWindows.USER32(00445518,00000000), ref: 00445620
Part of subcall function 004455EC: ShowWindow.USER32(?,00000000), ref: 00445655
Part of subcall function 004455EC: ShowOwnedPopups.USER32(00000000,?), ref: 00445684
Part of subcall function 004455EC: ShowWindow.USER32(?,00000005), ref: 004456EA
Part of subcall function 004455EC: ShowOwnedPopups.USER32(00000000,?), ref: 00445719

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426564, Relevance: 9.1, APIs: 6, Instructions: 84 Total matches: 3298

Similarity

Total matches: 3298
API ID: GetDeviceCapsGetSystemMetrics$GetDCReleaseDC
String ID:
API String ID: 3173458388-0
Opcode ID: fd9f4716da230ae71bf1f4ec74ceb596be8590d72bfe1d7677825fa15454f496
Instruction ID: 76208f8db54bfa31a4e946745ab37a866a8afca9cd7e1400b1f436bf5add317d
Opcode Fuzzy Hash: 0CF09E4906CDE0A230E245C41213F6290C28E85DA1CCD2F728175646EB900A900BB68A
Instruction Fuzzy Hash: 76208f8db54bfa31a4e946745ab37a866a8afca9cd7e1400b1f436bf5add317d

APIs

GetSystemMetrics.USER32(0000000B), ref: 004265B2
GetSystemMetrics.USER32(0000000C), ref: 004265BE
GetDC.USER32(00000000), ref: 004265DA
GetDeviceCaps.GDI32(00000000,0000000E), ref: 00426601
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042660E
ReleaseDC.USER32(00000000,00000000), ref: 00426647

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004269DC, Relevance: 9.1, APIs: 6, Instructions: 65 Total matches: 3081window

Similarity

Total matches: 3081
API ID: SelectPalette$CreateCompatibleDCDeleteDCGetDIBitsRealizePalette
String ID:
API String ID: 940258532-0
Opcode ID: c5678bed85b02f593c88b8d4df2de58c18800a354d7fb4845608846d7bc0f30b
Instruction ID: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194
Opcode Fuzzy Hash: BCE0864D058EF36F1875B08C25D267100C0C9A25D0917BB6151282339B8F09B42FE553
Instruction Fuzzy Hash: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194

APIs

Part of subcall function 00426888: GetObjectA.GDI32(?,00000054), ref: 0042689C

CreateCompatibleDC.GDI32(00000000), ref: 004269FE
SelectPalette.GDI32(?,?,00000000), ref: 00426A1F
RealizePalette.GDI32(?), ref: 00426A2B
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 00426A42
SelectPalette.GDI32(?,00000000,00000000), ref: 00426A6A
DeleteDC.GDI32(?), ref: 00426A73

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426210, Relevance: 9.1, APIs: 6, Instructions: 56 Total matches: 3064window

Similarity

Total matches: 3064
API ID: SelectObject$CreateCompatibleDCCreatePaletteDeleteDCGetDIBColorTable
String ID:
API String ID: 2522673167-0
Opcode ID: 8f0861977a40d6dd0df59c1c8ae10ba78c97ad85d117a83679491ebdeecf1838
Instruction ID: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265
Opcode Fuzzy Hash: 23E0CD8BABB4E08A797B9EA40440641D28F874312DF4347525731780E7DE0972EBFD9D
Instruction Fuzzy Hash: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265

APIs

CreateCompatibleDC.GDI32(00000000), ref: 00426229
SelectObject.GDI32(00000000,00000000), ref: 00426232
GetDIBColorTable.GDI32(00000000,00000000,00000100,?), ref: 00426246
SelectObject.GDI32(00000000,00000000), ref: 00426252
DeleteDC.GDI32(00000000), ref: 00426258
CreatePalette.GDI32 ref: 0042629F

Part of subcall function 00426178: GetDC.USER32(00000000), ref: 00426190
Part of subcall function 00426178: GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
Part of subcall function 00426178: ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004258EC, Relevance: 9.0, APIs: 6, Instructions: 43 Total matches: 3205

Similarity

Total matches: 3205
API ID: SetBkColorSetBkMode$SelectObjectUnrealizeObject
String ID:
API String ID: 865388446-0
Opcode ID: ffaa839b37925f52af571f244b4bcc9ec6d09047a190f4aa6a6dd435522a71e3
Instruction ID: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d
Opcode Fuzzy Hash: 04D09E594221F71A98E8058442D7D520586497D532DAF3B51063B173F7F8089A05D9FC
Instruction Fuzzy Hash: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d

APIs

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

UnrealizeObject.GDI32(00000000), ref: 004258F8
SelectObject.GDI32(?,00000000), ref: 0042590A
SetBkColor.GDI32(?,00000000), ref: 0042592D
SetBkMode.GDI32(?,00000002), ref: 00425938

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(?,00000000), ref: 00425953
SetBkMode.GDI32(?,00000001), ref: 0042595E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042A930, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 112 Total matches: 272window

Similarity

Total matches: 272
API ID: CreateHalftonePaletteDeleteObjectGetDCReleaseDC
String ID: (
API String ID: 5888407-3887548279
Opcode ID: 4e22601666aff46a46581565b5bf303763a07c2fd17868808ec6dd327d665c82
Instruction ID: f57f3c124764741b0e8e00b5455ad9be4a6e3969f543885727e4b1f2e22c0620
Opcode Fuzzy Hash: 79019E5241CC6117F8D7A6547852F732644AB806A5C80FB707B69BA8CFAB85610EB90B
Instruction Fuzzy Hash: f57f3c124764741b0e8e00b5455ad9be4a6e3969f543885727e4b1f2e22c0620

APIs

GetDC.USER32(00000000), ref: 0042A9EC
CreateHalftonePalette.GDI32(00000000), ref: 0042A9F9
ReleaseDC.USER32(00000000,00000000), ref: 0042AA08
DeleteObject.GDI32(00000000), ref: 0042AA76

Strings

(, xrefs: 0042A9A3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DA48, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 102 Total matches: 32

Similarity

Total matches: 32
API ID: Netbios
String ID: %.2x-%.2x-%.2x-%.2x-%.2x-%.2x$3$memory allocation failed!
API String ID: 544444789-2654533857
Opcode ID: 22deb5ba4c8dd5858e69645675ac88c4b744798eed5cc2a6ae80ae5365d1f156
Instruction ID: 205d53b38d78d2d0723284a20418f6a6cc2e9f6e34ee92e133a3f4b1a01c78c5
Opcode Fuzzy Hash: FC0145449793E233D2635E086C60F6823228F41731FC96B56863A557DC1F09420EF26F
Instruction Fuzzy Hash: 205d53b38d78d2d0723284a20418f6a6cc2e9f6e34ee92e133a3f4b1a01c78c5

APIs

Netbios.NETAPI32(00000032), ref: 0048DA8A
Netbios.NETAPI32(00000033), ref: 0048DB01

Strings

3, xrefs: 0048DACB
memory allocation failed!, xrefs: 0048DAEB
%.2x-%.2x-%.2x-%.2x-%.2x-%.2x, xrefs: 0048DBA0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482320, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85 Total matches: 19threadsleep

Similarity

Total matches: 19
API ID: CreateThreadExitThreadSleep
String ID: @$BTRESULTUDP Flood|UDP Flood task finished!|
API String ID: 2170526433-696998096
Opcode ID: 89b2bcb3a41e7f4c01433908cc75e320bbcd6b665df0f15f136d145bd92b223a
Instruction ID: ba785c08286949be7b8d16e5cc6bc2a647116c61844ba5f345475ef84eb05628
Opcode Fuzzy Hash: F0F02B696BCAA1DFE8075C446C42B9B2054DBC740EDCBA7B2261B235819A4A34073F13
Instruction Fuzzy Hash: ba785c08286949be7b8d16e5cc6bc2a647116c61844ba5f345475ef84eb05628

APIs

Sleep.KERNEL32(00000064,?,00000000,00482455), ref: 004823D3
CreateThread.KERNEL32(00000000,00000000,Function_000821A0,00000000,00000000,?), ref: 004823E8

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000,00000000,00000000,Function_000821A0,00000000,00000000,?,00000064,?,00000000,00482455), ref: 0048242B

Strings

@, xrefs: 004823BE
BTRESULTUDP Flood|UDP Flood task finished!|, xrefs: 00482417

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004827C4, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85 Total matches: 19threadsleep

Similarity

Total matches: 19
API ID: CreateThreadExitThreadSleep
String ID: @$BTRESULTSyn Flood|Syn task finished!|
API String ID: 2170526433-491318438
Opcode ID: 44470ceb4039b0deeebf49dfd608d8deeadfb9ebb9d7d747ae665e3d160d324e
Instruction ID: 0c48cfc9b202c7a9406c9b87cea66b669ffe7f04b2bdabee49179f6eebcccd33
Opcode Fuzzy Hash: 17F02B24A7D9B5DFEC075D402D42BDB6254EBC784EDCAA7B29257234819E1A30037713
Instruction Fuzzy Hash: 0c48cfc9b202c7a9406c9b87cea66b669ffe7f04b2bdabee49179f6eebcccd33

APIs

Sleep.KERNEL32(00000064,?,00000000,004828F9), ref: 00482877
CreateThread.KERNEL32(00000000,00000000,Function_00082630,00000000,00000000,?), ref: 0048288C

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000,00000000,00000000,Function_00082630,00000000,00000000,?,00000064,?,00000000,004828F9), ref: 004828CF

Strings

BTRESULTSyn Flood|Syn task finished!|, xrefs: 004828BB
@, xrefs: 00482862

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00483858, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85 Total matches: 19threadsleep

Similarity

Total matches: 19
API ID: CreateThreadExitThreadSleep
String ID: @$BTRESULTHTTP Flood|Http Flood task finished!|
API String ID: 2170526433-4253556105
Opcode ID: ce1973b24f73c03e98cc87b7d8b3c5c1d23a0e8b985775cb0889d2fdef58f970
Instruction ID: 21c0fad9eccbf28bfd57fbbbc49df069a42e3d2ebba60de991032031fecca495
Opcode Fuzzy Hash: 5DF0F61467DBA0AFEC476D403852FDB6254DBC344EDCAA7B2961B234919A0B50072752
Instruction Fuzzy Hash: 21c0fad9eccbf28bfd57fbbbc49df069a42e3d2ebba60de991032031fecca495

APIs

Sleep.KERNEL32(00000064,?,00000000,0048398D), ref: 0048390B
CreateThread.KERNEL32(00000000,00000000,Function_000836D8,00000000,00000000,?), ref: 00483920

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000,00000000,00000000,Function_000836D8,00000000,00000000,?,00000064,?,00000000,0048398D), ref: 00483963

Strings

@, xrefs: 004838F6
BTRESULTHTTP Flood|Http Flood task finished!|, xrefs: 0048394F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EA7C, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50 Total matches: 198thread

Similarity

Total matches: 198
API ID: FindWindowExGetCurrentThreadIdGetWindowThreadProcessIdIsWindow
String ID: OleMainThreadWndClass
API String ID: 201132107-3883841218
Opcode ID: cdbacb71e4e8a6832b821703e69153792bbbb8731c9381be4d3b148a6057b293
Instruction ID: 62358f18f5a79d764869bf2b093b0b3ccaeb62bda00a46bd1094c38cdaeeb6b7
Opcode Fuzzy Hash: F8E08C9266CC1095C039EA1C7A2237A3548B7D24E9ED4DB747BEB2716CEF00022A7780
Instruction Fuzzy Hash: 62358f18f5a79d764869bf2b093b0b3ccaeb62bda00a46bd1094c38cdaeeb6b7

APIs

Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00000000,00403029), ref: 004076AD
Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00403029), ref: 004076BE

IsWindow.USER32(?), ref: 0042EA99
FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
GetCurrentThreadId.KERNEL32(?,00000000,00000000,00000000,OleMainThreadWndClass,00000000,?,?,00000000,0042EB52), ref: 0042EB0A

Strings

OleMainThreadWndClass, xrefs: 0042EAC3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043F914, Relevance: 7.7, APIs: 5, Instructions: 174 Total matches: 113window

Similarity

Total matches: 113
API ID: SetMenu$GetMenuSetWindowPos
String ID:
API String ID: 2285096500-0
Opcode ID: d0722823978f30f9d251a310f9061108e88e98677dd122370550f2cde24528f3
Instruction ID: e705ced47481df034b79e2c10a9e9c5239c9913cd23e0c77b7b1ec0a0db802ed
Opcode Fuzzy Hash: 5F118B40961E1266F846164C19EAF1171E6BB9D305CC4E72083E630396BE085027E773
Instruction Fuzzy Hash: e705ced47481df034b79e2c10a9e9c5239c9913cd23e0c77b7b1ec0a0db802ed

APIs

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetMenu.USER32(00000000), ref: 0043FA38
SetMenu.USER32(00000000,00000000), ref: 0043FA55
SetMenu.USER32(00000000,00000000), ref: 0043FA8A
SetMenu.USER32(00000000,00000000), ref: 0043FAA6

Part of subcall function 0043F84C: GetMenu.USER32(00000000), ref: 0043F892
Part of subcall function 0043F84C: SendMessageA.USER32(00000000,00000230,00000000,00000000), ref: 0043F8AA
Part of subcall function 0043F84C: DrawMenuBar.USER32(00000000), ref: 0043F8BB

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043FAED

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434AE4, Relevance: 7.7, APIs: 5, Instructions: 168 Total matches: 2874

Similarity

Total matches: 2874
API ID: DrawTextOffsetRect$DrawEdge
String ID:
API String ID: 1230182654-0
Opcode ID: 4033270dfa35f51a11e18255a4f5fd5a4a02456381e8fcea90fa62f052767fcc
Instruction ID: 6b9e5ef3b45a4a7d0cb501c9f56a29ead01efbe1e1581f942ef4c6a165ab8663
Opcode Fuzzy Hash: A511CB01114D5A93E431240815A7FEF1295FBC1A9BCD4BB71078636DBB2F481017EA7B
Instruction Fuzzy Hash: 6b9e5ef3b45a4a7d0cb501c9f56a29ead01efbe1e1581f942ef4c6a165ab8663

APIs

DrawEdge.USER32(00000000,?,00000006,00000002), ref: 00434BB3
OffsetRect.USER32(?,00000001,00000001), ref: 00434C04
DrawTextA.USER32(00000000,00000000,?,?,?), ref: 00434C3D
OffsetRect.USER32(?,000000FF,000000FF), ref: 00434C4A

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

DrawTextA.USER32(00000000,00000000,?,?,?), ref: 00434CB5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00473208, Relevance: 7.6, APIs: 5, Instructions: 114 Total matches: 15network

Similarity

Total matches: 15
API ID: inet_ntoa$WSAIoctlclosesocketsocket
String ID:
API String ID: 2271367613-0
Opcode ID: 03e2a706dc22aa37b7c7fcd13714bf4270951a4113eb29807a237e9173ed7bd6
Instruction ID: 676ba8df3318004e6f71ddf2b158507320f00f5068622334a9372202104f6e6f
Opcode Fuzzy Hash: A0F0AC403B69D14384153BC72A80F5971A2872F33ED4833999230986D7984CA018F529
Instruction Fuzzy Hash: 676ba8df3318004e6f71ddf2b158507320f00f5068622334a9372202104f6e6f

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00473339), ref: 0047323B
WSAIoctl.WS2_32(000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000), ref: 0047327C
inet_ntoa.WSOCK32(?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000), ref: 004732AC
inet_ntoa.WSOCK32(?,?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001), ref: 004732E8
closesocket.WSOCK32(000000FF,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000,00000000,00473339), ref: 00473319

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004455EC, Relevance: 7.6, APIs: 5, Instructions: 109 Total matches: 230

Similarity

Total matches: 230
API ID: ShowOwnedPopupsShowWindow$EnumWindows
String ID:
API String ID: 1268429734-0
Opcode ID: 27bb45b2951756069d4f131311b8216febb656800ffc3f7147a02f570a82fa35
Instruction ID: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc
Opcode Fuzzy Hash: 70012B5524E87325E2756D54B01C765A2239B0FF08CE6C6654AAE640F75E1E0132F78D
Instruction Fuzzy Hash: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc

APIs

EnumWindows.USER32(00445518,00000000), ref: 00445620
ShowWindow.USER32(?,00000000), ref: 00445655
ShowOwnedPopups.USER32(00000000,?), ref: 00445684
ShowWindow.USER32(?,00000005), ref: 004456EA
ShowOwnedPopups.USER32(00000000,?), ref: 00445719

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004878A4, Relevance: 7.6, APIs: 5, Instructions: 109 Total matches: 11memorythread

Similarity

Total matches: 11
API ID: CloseHandleCreateThreadEnterCriticalSectionLeaveCriticalSectionLocalAlloc
String ID:
API String ID: 3024079611-0
Opcode ID: 4dd964c7e1c4b679be799535e5517f4cba33e810e34606c0a9d5c033aa3fe8c9
Instruction ID: efb3d4a77ffd09126bc7d7eb87c1fe64908b5695ecb93dc64bf5137c0ac50147
Opcode Fuzzy Hash: 7E01288913DAD457BD6068883C86EE705A95BA2508E0C67B34F2E392834F1A5125F283
Instruction Fuzzy Hash: efb3d4a77ffd09126bc7d7eb87c1fe64908b5695ecb93dc64bf5137c0ac50147

APIs

EnterCriticalSection.KERNEL32(0049C3A8,00000000,00487A08), ref: 004878F3

Part of subcall function 00487318: EnterCriticalSection.KERNEL32(0049C3A8,00000000,00487468,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00487347
Part of subcall function 00487318: LeaveCriticalSection.KERNEL32(0049C3A8,0048744D,00487468,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00487440

LocalAlloc.KERNEL32(00000040,00000010,?,0049C3A8,00000000,00487A08), ref: 0048795A
CreateThread.KERNEL32(00000000,00000000,Function_00086E2C,00000000,00000000,?), ref: 004879AE
CloseHandle.KERNEL32(00000000), ref: 004879B4
LeaveCriticalSection.KERNEL32(0049C3A8,004879D8,Function_00086E2C,00000000,00000000,?,00000040,00000010,?,0049C3A8,00000000,00487A08), ref: 004879CB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EB3C, Relevance: 7.6, APIs: 5, Instructions: 86 Total matches: 211window

Similarity

Total matches: 211
API ID: DispatchMessageMsgWaitForMultipleObjectsExPeekMessageTranslateMessageWaitForMultipleObjectsEx
String ID:
API String ID: 1615661765-0
Opcode ID: ed928f70f25773e24e868fbc7ee7d77a1156b106903410d7e84db0537b49759f
Instruction ID: 55a40452e6c929106030349fb2bc1598364ce2fc4e781c2a916e8f687fa462b2
Opcode Fuzzy Hash: DDF05C09614F1D16D8BB88644562B1B2144AB42397C26BFA5529EE3B2D6B18B00AF640
Instruction Fuzzy Hash: 55a40452e6c929106030349fb2bc1598364ce2fc4e781c2a916e8f687fa462b2

APIs

Part of subcall function 0042EA7C: IsWindow.USER32(?), ref: 0042EA99
Part of subcall function 0042EA7C: FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
Part of subcall function 0042EA7C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
Part of subcall function 0042EA7C: GetCurrentThreadId.KERNEL32(?,00000000,00000000,00000000,OleMainThreadWndClass,00000000,?,?,00000000,0042EB52), ref: 0042EB0A

MsgWaitForMultipleObjectsEx.USER32(?,?,?,000000BF,?), ref: 0042EB6A
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 0042EB85
TranslateMessage.USER32(?), ref: 0042EB92
DispatchMessageA.USER32(?), ref: 0042EB9B
WaitForMultipleObjectsEx.KERNEL32(?,?,?,?,00000000), ref: 0042EBC7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434924, Relevance: 7.6, APIs: 5, Instructions: 77 Total matches: 2509window

Similarity

Total matches: 2509
API ID: GetMenuItemCount$DestroyMenuGetMenuStateRemoveMenu
String ID:
API String ID: 4240291783-0
Opcode ID: 32de4ad86fdb0cc9fc982d04928276717e3a5babd97d9cb0bc7430a9ae97d0ca
Instruction ID: cf6877f9ad33401498591f2bf6e6844a5ca439f59e89e6fdb213c81f0c010526
Opcode Fuzzy Hash: 6BE02BD3455E4703F425AB0454E3FA913C4AF51716DA0DB1017359D07B1F26501FE9F4
Instruction Fuzzy Hash: cf6877f9ad33401498591f2bf6e6844a5ca439f59e89e6fdb213c81f0c010526

APIs

Part of subcall function 00434A54: CreatePopupMenu.USER32 ref: 00434A6F
Part of subcall function 00434A54: CreateMenu.USER32 ref: 00434A79

GetMenuItemCount.USER32(00000000), ref: 0043495C
GetMenuState.USER32(00000000,-00000001,00000400), ref: 0043497D
RemoveMenu.USER32(00000000,-00000001,00000400), ref: 00434994
GetMenuItemCount.USER32(00000000), ref: 004349C4
DestroyMenu.USER32(00000000), ref: 004349D1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00443430, Relevance: 7.6, APIs: 5, Instructions: 61 Total matches: 3003

Similarity

Total matches: 3003
API ID: SetWindowLong$GetWindowLongRedrawWindowSetLayeredWindowAttributes
String ID:
API String ID: 3761630487-0
Opcode ID: 9c9d49d1ef37d7cb503f07450c0d4a327eb9b2b4778ec50dcfdba666c10abcb3
Instruction ID: c6d9d2cd31c241e86b7d90949bf59b5cad1e27a78e0073c3828bbb8e9ec94880
Opcode Fuzzy Hash: 6AE06550D41703A1D48114945B63FBBE8817F8911DDE5C71001BA29145BA88A192FF7B
Instruction Fuzzy Hash: c6d9d2cd31c241e86b7d90949bf59b5cad1e27a78e0073c3828bbb8e9ec94880

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 00443464
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 00443496
SetLayeredWindowAttributes.USER32(00000000,?,?,00000000), ref: 004434CF
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 004434E8
RedrawWindow.USER32(00000000,00000000,00000000,00000485), ref: 004434FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426178, Relevance: 7.6, APIs: 5, Instructions: 55 Total matches: 3070window

Similarity

Total matches: 3070
API ID: GetPaletteEntries$GetDCGetDeviceCapsReleaseDC
String ID:
API String ID: 1267235336-0
Opcode ID: 49f91625e0dd571c489fa6fdad89a91e8dd79834746e98589081ca7a3a4fea17
Instruction ID: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836
Opcode Fuzzy Hash: 7CD0C2AA1389DBD6BD6A17842352A4553478983B09D126B32EB0822872850C5039FD1F
Instruction Fuzzy Hash: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836

APIs

GetDC.USER32(00000000), ref: 00426190
GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444B90, Relevance: 7.5, APIs: 5, Instructions: 25 Total matches: 2957synchronizationthread

Similarity

Total matches: 2957
API ID: CloseHandleGetCurrentThreadIdSetEventUnhookWindowsHookExWaitForSingleObject
String ID:
API String ID: 3442057731-0
Opcode ID: bc40a7f740796d43594237fc13166084f8c3b10e9e48d5138e47e82ca7129165
Instruction ID: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1
Opcode Fuzzy Hash: E9C01296B2C9B0C1EC809712340202800B20F8FC590E3DE0509D7363005315D73CD92C
Instruction Fuzzy Hash: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1

APIs

UnhookWindowsHookEx.USER32(00000000), ref: 00444B9F
SetEvent.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBA
GetCurrentThreadId.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBF
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00444BD4
CloseHandle.KERNEL32(00000000), ref: 00444BDF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040D670, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148 Total matches: 3566thread

Similarity

Total matches: 3566
API ID: GetThreadLocale
String ID: eeee$ggg$yyyy
API String ID: 1366207816-1253427255
Opcode ID: 86fa1fb3c1f239f42422769255d2b4db7643f856ec586a18d45da068e260c20e
Instruction ID: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436
Opcode Fuzzy Hash: 3911BD8712648363D5722818A0D2BE3199C5703CA4EA89742DDB6356EA7F09440BEE6D
Instruction Fuzzy Hash: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436

APIs

GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Strings

eeee, xrefs: 0040D7AE
yyyy, xrefs: 0040D795
ggg, xrefs: 0040D785

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F5E4, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72 Total matches: 26window

Similarity

Total matches: 26
API ID: GetWindowPlacementGetWindowTextIsWindowVisible
String ID: ,
API String ID: 41250382-3772416878
Opcode ID: d98ece8bad481757d152ad7594c705093dec75069e9b5f9ec314c4d81001c558
Instruction ID: 1b57460ef1e40e225087e69e669dd845b9a56fe4f5442601256b4cdd4d0865f6
Opcode Fuzzy Hash: DBE0ABC68782816BD907FDCCB0207E6E1E4779394CC8CBB32C606396E44D92000DCE69
Instruction Fuzzy Hash: 1b57460ef1e40e225087e69e669dd845b9a56fe4f5442601256b4cdd4d0865f6

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F634
GetWindowPlacement.USER32(?,0000002C), ref: 0046F64F
IsWindowVisible.USER32(?), ref: 0046F655

Strings

,, xrefs: 0046F643

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00485150, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64 Total matches: 24registry

Similarity

Total matches: 24
API ID: RegCloseKeyRegOpenKeyRegSetValueEx
String ID: Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 551737238-1428018034
Opcode ID: 03d06dea9a4ea131a8c95bd501c85e7d0b73df60e0a15cb9a2dd1ac9fe2d308f
Instruction ID: 259808f008cd29689f11a183a475b32bbb219f99a0f83129d86369365ce9f44d
Opcode Fuzzy Hash: 15E04F8517EAE2ABA996B5C838866F7609A9713790F443FB19B742F18B4F04601CE243
Instruction Fuzzy Hash: 259808f008cd29689f11a183a475b32bbb219f99a0f83129d86369365ce9f44d

APIs

RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 00485199
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,?,00000000,004851DE,?,00000000,0048520A), ref: 004851C6
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,?,00000000,004851DE,?,00000000,0048520A), ref: 004851CF

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 0048518F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004606CC, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 59 Total matches: 75network

Similarity

Total matches: 75
API ID: gethostbynameinet_addr
String ID: %d.%d.%d.%d$0.0.0.0
API String ID: 1594361348-464342551
Opcode ID: 7e59b623bdbf8c44b8bb58eaa9a1d1e7bf08be48a025104469b389075155053e
Instruction ID: 136b4077bafd549567cd44b702fc781b2d0bdeab701521d256d746d30229b047
Opcode Fuzzy Hash: 62E0D84049F633C28038E685914DF713041C71A2DEF8F9352022171EF72B096986AE3F
Instruction Fuzzy Hash: 136b4077bafd549567cd44b702fc781b2d0bdeab701521d256d746d30229b047

APIs

inet_addr.WSOCK32(00000000), ref: 004606F6
gethostbyname.WSOCK32(00000000), ref: 00460711

Strings

%d.%d.%d.%d, xrefs: 0046075E
0.0.0.0, xrefs: 0046076C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043804C, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58 Total matches: 1778window

Similarity

Total matches: 1778
API ID: DrawMenuBarGetMenuItemInfoSetMenuItemInfo
String ID: P
API String ID: 41131186-3110715001
Opcode ID: ea0fd48338f9c30b58f928f856343979a74bbe7af1b6c53973efcbd39561a32d
Instruction ID: eec9c326b6739cd85be96541f469f9b321a478421ae7c7aca53e0c239bd8eefe
Opcode Fuzzy Hash: C8E0C0C1064C1301CCACB4938564F010221FB8B33CDD1D3C051602419A9D0080D4BFFA
Instruction Fuzzy Hash: eec9c326b6739cd85be96541f469f9b321a478421ae7c7aca53e0c239bd8eefe

APIs

GetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 0043809A
SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 004380EC
DrawMenuBar.USER32(00000000), ref: 004380F9

Strings

P, xrefs: 0043808C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474E20, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51 Total matches: 17synchronizationthreadinjection

Similarity

Total matches: 17
API ID: CreateRemoteThreadReadProcessMemoryWaitForSingleObject
String ID: DCPERSFWBP
API String ID: 972516186-2425095734
Opcode ID: c4bd10bfc42c7bc3ca456a767018bd77f736aecaa9343146970cff40bb4593b6
Instruction ID: 075115d4d80338f80b59a5c3f9ea77aa0f3a1cab00edb24ce612801bf173fcc5
Opcode Fuzzy Hash: 63D0A70B97094A56102D348D54027154341A601775EC177E38E36873F719C17051F85E
Instruction Fuzzy Hash: 075115d4d80338f80b59a5c3f9ea77aa0f3a1cab00edb24ce612801bf173fcc5

APIs

Part of subcall function 00474DF0: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,00475328,?,?,00474E3D,DCPERSFWBP,?,?), ref: 00474E06
Part of subcall function 00474DF0: WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,00000000,?,00003000,00000040,?,?,00475328,?,?,00474E3D), ref: 00474E12

CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00474E5E
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00474E6E
ReadProcessMemory.KERNEL32(?,00000000,?,?,?,DCPERSFWBP,?,?), ref: 00474E81

Strings

DCPERSFWBP, xrefs: 00474E28

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C3E4, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47 Total matches: 32libraryloader

Similarity

Total matches: 32
API ID: FreeLibraryGetProcAddressLoadLibrary
String ID: _DCEntryPoint
API String ID: 2438569322-2130044969
Opcode ID: ab6be07d423f29e2cef18b5ad5ff21cef58c0bd0bd6b8b884c8bb9d8d911d098
Instruction ID: 3cba8b520013dd4b177f9c32272ffd10ecf318a20762e1e9fa694429cf7511db
Opcode Fuzzy Hash: B9D0C2568747D413C405200439407D90CF1AF8719F9967FA145303FAD76F09801B7527
Instruction Fuzzy Hash: 3cba8b520013dd4b177f9c32272ffd10ecf318a20762e1e9fa694429cf7511db

APIs

LoadLibraryA.KERNEL32(00000000), ref: 0048C431
GetProcAddress.KERNEL32(00000000,_DCEntryPoint,00000000,0048C473), ref: 0048C442
FreeLibrary.KERNEL32(00000000), ref: 0048C44A

Strings

_DCEntryPoint, xrefs: 0048C43C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046D36C, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36 Total matches: 62

Similarity

Total matches: 62
API ID: ShellExecute
String ID: /k $[FILE]$open
API String ID: 2101921698-3009165984
Opcode ID: 68a05d7cd04e1a973318a0f22a03b327e58ffdc8906febc8617c9713a9b295c3
Instruction ID: d64fb813625eb261c687c2654e5203d30067de4ace02db37851750b48dd66fbf
Opcode Fuzzy Hash: FED0C75427CD9157FA017F8439527E61057E747281D481BE285587A0838F8D40659312
Instruction Fuzzy Hash: d64fb813625eb261c687c2654e5203d30067de4ace02db37851750b48dd66fbf

APIs

ShellExecuteA.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0046D3B9

Strings

/k , xrefs: 0046D39A
cmd.exe, xrefs: 0046D3AD
open, xrefs: 0046D3B2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042F9E4, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36 Total matches: 35libraryloader

Similarity

Total matches: 35
API ID: GetProcAddressLoadLibrary
String ID: DWMAPI.DLL$DwmExtendFrameIntoClientArea
API String ID: 3291547091-2956373744
Opcode ID: cc41b93bac7ef77e5c5829331b5f2d91e10911707bc9e4b3bb75284856726923
Instruction ID: 611aa7263024d751f308fb3d57e5af9092bc5a71ac2d52dead79affe02cb0da7
Opcode Fuzzy Hash: D0D0A7E4C08511B0F0509405703078241DE1BC5EEE8860E90150E533621B9FB827F65C
Instruction Fuzzy Hash: 611aa7263024d751f308fb3d57e5af9092bc5a71ac2d52dead79affe02cb0da7

APIs

LoadLibraryA.KERNEL32(DWMAPI.DLL), ref: 0042FA0E
GetProcAddress.KERNEL32(00000000,DwmExtendFrameIntoClientArea,?,?,?,00447F98), ref: 0042FA31

Strings

DWMAPI.DLL, xrefs: 0042FA09
DwmExtendFrameIntoClientArea, xrefs: 0042FA26

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042FA80, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31 Total matches: 41libraryloader

Similarity

Total matches: 41
API ID: GetProcAddressLoadLibrary
String ID: DWMAPI.DLL$DwmIsCompositionEnabled
API String ID: 3291547091-2128843254
Opcode ID: 903d86e3198bc805c96c7b960047695f5ec88b3268c29fda1165ed3f3bc36d22
Instruction ID: 6cdb37f6684ca359e010f835ed4616ce0f7732468e0f2b98b5f1960530870703
Opcode Fuzzy Hash: E3D0C9A5C0865175F571D509713068081FA23D6E8A8824998091A123225FAFB866F55C
Instruction Fuzzy Hash: 6cdb37f6684ca359e010f835ed4616ce0f7732468e0f2b98b5f1960530870703

APIs

LoadLibraryA.KERNEL32(DWMAPI.DLL), ref: 0042FAA6
GetProcAddress.KERNEL32(00000000,DwmIsCompositionEnabled,?,?,0042FB22,?,00447EFB), ref: 0042FAC9

Strings

DwmIsCompositionEnabled, xrefs: 0042FABE
DWMAPI.DLL, xrefs: 0042FAA1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040F4AC, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16 Total matches: 3137libraryloader

Similarity

Total matches: 3137
API ID: GetModuleHandleGetProcAddress
String ID: GetDiskFreeSpaceExA$[FILE]
API String ID: 1063276154-3559590856
Opcode ID: c33e0a58fb58839ae40c410e06ae8006a4b80140bf923832b2d6dbd30699e00d
Instruction ID: 9d6a6771c1a736381c701344b3d7b8e37c98dfc5013332f68a512772380f22cc
Opcode Fuzzy Hash: D8B09224E0D54114C4B4560930610013C82738A10E5019A820A1B720AA7CCEEA29603A
Instruction Fuzzy Hash: 9d6a6771c1a736381c701344b3d7b8e37c98dfc5013332f68a512772380f22cc

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0048F10B,00000000,0048F11E), ref: 0040F4B2
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA,kernel32.dll,?,0048F10B,00000000,0048F11E), ref: 0040F4C3

Strings

GetDiskFreeSpaceExA, xrefs: 0040F4BD
kernel32.dll, xrefs: 0040F4AD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EC20, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15 Total matches: 48libraryloader

Similarity

Total matches: 48
API ID: GetModuleHandleGetProcAddress
String ID: CoWaitForMultipleHandles$[FILE]
API String ID: 1063276154-3065170753
Opcode ID: c6d715972c75e747e6d7ad7506eebf8b4c41a2b527cd9bc54a775635c050cd0f
Instruction ID: d81c7de5bd030b21af5c52a75e3162b073d887a4de1eb555b8966bd0fb9ec815
Opcode Fuzzy Hash: 4DB012F9A0C9210CE55F44043163004ACF031C1B5F002FD461637827803F86F437631D
Instruction Fuzzy Hash: d81c7de5bd030b21af5c52a75e3162b073d887a4de1eb555b8966bd0fb9ec815

APIs

GetModuleHandleA.KERNEL32(ole32.dll,?,0042EC9A), ref: 0042EC26
GetProcAddress.KERNEL32(00000000,CoWaitForMultipleHandles,ole32.dll,?,0042EC9A), ref: 0042EC37

Strings

CoWaitForMultipleHandles, xrefs: 0042EC31
ole32.dll, xrefs: 0042EC21

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E724, Relevance: 6.2, APIs: 4, Instructions: 198 Total matches: 19

Similarity

Total matches: 19
API ID: NetApiBufferFree$NetShareEnumNetShareGetInfo
String ID:
API String ID: 1922012051-0
Opcode ID: 7e64b2910944434402afba410b58d9b92ec59018d54871fdfc00dd5faf96720b
Instruction ID: 14ccafa2cf6417a1fbed620c270814ec7f2ac7381c92f106b89344cab9500d3f
Opcode Fuzzy Hash: 522148C606BDA0ABF6A3B4C4B447FC182D07B0B96DE486B2290BABD5C20D9521079263
Instruction Fuzzy Hash: 14ccafa2cf6417a1fbed620c270814ec7f2ac7381c92f106b89344cab9500d3f

APIs

Part of subcall function 004032F8: GetCommandLineA.KERNEL32(00000000,00403349,?,?,?,00000000), ref: 0040330F

Part of subcall function 00403358: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,0046E763,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0040337C
Part of subcall function 00403358: GetCommandLineA.KERNEL32(?,?,?,0046E763,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0040338E

NetShareEnum.NETAPI32(?,00000000,?,000000FF,?,?,?,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0046E79C
NetShareGetInfo.NETAPI32(?,?,000001F6,?,00000000,0046E945,?,?,00000000,?,000000FF,?,?,?,00000000,0046E984), ref: 0046E7D5
NetApiBufferFree.NETAPI32(?,?,?,000001F6,?,00000000,0046E945,?,?,00000000,?,000000FF,?,?,?,00000000), ref: 0046E936
NetApiBufferFree.NETAPI32(?,?,00000000,?,000000FF,?,?,?,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0046E964

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00411444, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: 954335058d5fe722e048a186d9110509c96c1379a47649d8646f5b9e1a2e0a0b
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: 9D014B0327CAAA867021BB004882FA0D2D4DE52A369CD8774DB71593F62780571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004114F3
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041150F
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411586
VariantClear.OLEAUT32(?), ref: 004115AF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040D8AA, Relevance: 6.1, APIs: 4, Instructions: 101 Total matches: 2563

Similarity

Total matches: 2563
API ID: GetModuleFileName$LoadStringVirtualQuery
String ID:
API String ID: 2941097594-0
Opcode ID: 9f707685a8ca2ccbfc71ad53c7f9b5a8f910bda01de382648e3a286d4dcbad8b
Instruction ID: 9b6f9daabaaed01363acd1bc6df000eeaee8c5b1ee04e659690c8b100997f9f3
Opcode Fuzzy Hash: 4C014C024365E386F4234B112882F5492E0DB65DB1E8C6751EFB9503F65F40115EF72D
Instruction Fuzzy Hash: 9b6f9daabaaed01363acd1bc6df000eeaee8c5b1ee04e659690c8b100997f9f3

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040D8C9
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040D8ED
GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040D908
LoadStringA.USER32(00000000,0000FFED,?,00000100), ref: 0040D99E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428848, Relevance: 6.1, APIs: 4, Instructions: 83 Total matches: 2913window

Similarity

Total matches: 2913
API ID: CreateCompatibleDCRealizePaletteSelectObjectSelectPalette
String ID:
API String ID: 3833105616-0
Opcode ID: 7f49dee69bcd38fda082a6c54f39db5f53dba16227df2c2f18840f8cf7895046
Instruction ID: 29ada319a87402adac0eebea4d3b1ef9d21249ffa1523adf5174efdc3c3390a2
Opcode Fuzzy Hash: C0F0E5870BCED49BFCA7D484249722910C2F3C08DFC80A3324E55676DB9604B127A20B
Instruction Fuzzy Hash: 29ada319a87402adac0eebea4d3b1ef9d21249ffa1523adf5174efdc3c3390a2

APIs

Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE

Part of subcall function 00429D5C: GetDC.USER32(00000000), ref: 00429DB2
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429DC7
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00429DD1
Part of subcall function 00429D5C: CreateHalftonePalette.GDI32(00000000), ref: 00429DF5
Part of subcall function 00429D5C: ReleaseDC.USER32(00000000,00000000), ref: 00429E00

CreateCompatibleDC.GDI32(00000000), ref: 0042889D
SelectObject.GDI32(00000000,?), ref: 004288B6
SelectPalette.GDI32(00000000,?,000000FF), ref: 004288DF
RealizePalette.GDI32(00000000), ref: 004288EB

Part of subcall function 00425608: LeaveCriticalSection.KERNEL32(00000038,00000000,00423DD2,00423DE8), ref: 0042560F
Part of subcall function 00425608: EnterCriticalSection.KERNEL32(00499A30,00000038,00000000,00423DD2,00423DE8), ref: 00425619
Part of subcall function 00425608: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000038,00000000,00423DD2,00423DE8), ref: 00425626

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00470B94, Relevance: 6.1, APIs: 4, Instructions: 73 Total matches: 22file

Similarity

Total matches: 22
API ID: DragQueryFile$GlobalLockGlobalUnlock
String ID:
API String ID: 367920443-0
Opcode ID: 498cda1e803d17a6f5118466ea9165dd9226bd8025a920d397bde98fe09ca515
Instruction ID: b8ae27aaf29c7a970dfd4945759f76c89711bef1c6f8db22077be54f479f9734
Opcode Fuzzy Hash: F8F05C830F79E26BD5013A844E0179401A17B03DB8F147BB2D232729DC4E5D409DF60F
Instruction Fuzzy Hash: b8ae27aaf29c7a970dfd4945759f76c89711bef1c6f8db22077be54f479f9734

APIs

Part of subcall function 00431970: GetClipboardData.USER32(00000000), ref: 00431996

GlobalLock.KERNEL32(00000000,00000000,00470C74), ref: 00470BDE
DragQueryFileA.SHELL32(?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470BF0
DragQueryFileA.SHELL32(?,00000000,?,00000105,?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470C10
GlobalUnlock.KERNEL32(00000000,?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470C56

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00438710, Relevance: 6.1, APIs: 4, Instructions: 72 Total matches: 3034window

Similarity

Total matches: 3034
API ID: GetMenuItemIDGetMenuStateGetMenuStringGetSubMenu
String ID:
API String ID: 4177512249-0
Opcode ID: ecc45265f1f2dfcabc36b66648e37788e83d83d46efca9de613be41cbe9cf08e
Instruction ID: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d
Opcode Fuzzy Hash: BEE020084B1FC552541F0A4A1573F019140E142CB69C3F3635127565B31A255213F776
Instruction Fuzzy Hash: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d

APIs

GetMenuState.USER32(?,?,?), ref: 00438733
GetSubMenu.USER32(?,?), ref: 0043873E
GetMenuItemID.USER32(?,?), ref: 00438757
GetMenuStringA.USER32(?,?,?,?,?), ref: 004387AA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00445518, Relevance: 6.1, APIs: 4, Instructions: 71 Total matches: 218threadwindow

Similarity

Total matches: 218
API ID: GetCurrentProcessIdGetWindowGetWindowThreadProcessIdIsWindowVisible
String ID:
API String ID: 3659984437-0
Opcode ID: 6a2b99e3a66d445235cbeb6ae27631a3038d73fb4110980a8511166327fee1f0
Instruction ID: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8
Opcode Fuzzy Hash: 82E0AB21B2AA28AAE0971541B01939130B3F74ED9ACC0A3626F8594BD92F253809E74F
Instruction Fuzzy Hash: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8

APIs

GetWindow.USER32(?,00000004), ref: 00445528
GetWindowThreadProcessId.USER32(?,?), ref: 00445542
GetCurrentProcessId.KERNEL32(?,00000004), ref: 0044554E
IsWindowVisible.USER32(?), ref: 0044559E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B29C, Relevance: 6.1, APIs: 4, Instructions: 58 Total matches: 214window

Similarity

Total matches: 214
API ID: DeleteObject$GetIconInfoGetObject
String ID:
API String ID: 3019347292-0
Opcode ID: d6af2631bec08fa1cf173fc10c555d988242e386d2638a025981433367bbd086
Instruction ID: 7fbc048e39f9dd6e6db5f40543e5f161b145f4c2f282fe4a446dbd8e1941d375
Opcode Fuzzy Hash: F7D0C283228DE2F7ED767D983A636154085F782297C6423B00444730860A1E700C6A03
Instruction Fuzzy Hash: 7fbc048e39f9dd6e6db5f40543e5f161b145f4c2f282fe4a446dbd8e1941d375

APIs

GetIconInfo.USER32(?,?), ref: 0042B2BD
GetObjectA.GDI32(?,00000018,?), ref: 0042B2DE
DeleteObject.GDI32(?), ref: 0042B30A
DeleteObject.GDI32(?), ref: 0042B313

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00445334, Relevance: 6.1, APIs: 4, Instructions: 56 Total matches: 2678

Similarity

Total matches: 2678
API ID: EnumWindowsGetWindowGetWindowLongSetWindowPos
String ID:
API String ID: 1660305372-0
Opcode ID: c3d012854d63b95cd89c42a77d529bdce0f7c5ea0abc138a70ce1ca7fb0ed027
Instruction ID: 7947c1ee61b3a945b06f79495752ea495d4a1fb36974d9d540e15b721e8a8e8a
Opcode Fuzzy Hash: 65E07D89179DA114F52124400911F043342F3D731BD1ADF814246283E39B8522BBFB8C
Instruction Fuzzy Hash: 7947c1ee61b3a945b06f79495752ea495d4a1fb36974d9d540e15b721e8a8e8a

APIs

EnumWindows.USER32(Function_000452BC), ref: 0044535E
GetWindow.USER32(?,00000003), ref: 00445376
GetWindowLongA.USER32(00000000,000000EC), ref: 00445383
SetWindowPos.USER32(00000000,000000EC,00000000,00000000,00000000,00000000,00000213), ref: 004453C2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004314A0, Relevance: 6.1, APIs: 4, Instructions: 56 Total matches: 21memoryclipboard

Similarity

Total matches: 21
API ID: GlobalAllocGlobalLockGlobalUnlockSetClipboardData
String ID:
API String ID: 3535573752-0
Opcode ID: f0e50475fe096c382d27ee33e947bcf8d55d19edebb1ed8108c2663ee63934e9
Instruction ID: 2742e8ac83e55c90e50d408429e67af57535f67fab21309796ee5989aaacba5e
Opcode Fuzzy Hash: D7E0C250025CF01BF9CA69CD3C97E86D2D2DA402649D46FB58258A78B3222E6049E50B
Instruction Fuzzy Hash: 2742e8ac83e55c90e50d408429e67af57535f67fab21309796ee5989aaacba5e

APIs

GlobalAlloc.KERNEL32(00002002,?,00000000,00431572), ref: 004314CF
GlobalLock.KERNEL32(?,00000000,00431544,?,00002002,?,00000000,00431572), ref: 004314E9
SetClipboardData.USER32(?,?), ref: 00431517
GlobalUnlock.KERNEL32(?,0043153A,?,00000000,00431544,?,00002002,?,00000000,00431572), ref: 0043152D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040A404, Relevance: 6.1, APIs: 4, Instructions: 54 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: c8f11cb17e652d385e55d6399cfebc752614be738e382b5839b86fc73ea86396
Instruction ID: 2e292ce978d1af3d415e66e5b982e49a92b9d84a3d1479b7871fac408542b61b
Opcode Fuzzy Hash: 32D02B030B309613452F157D0441F8D7032488F01A96C2F8C37B77ABA68505605FFE4C
Instruction Fuzzy Hash: 2e292ce978d1af3d415e66e5b982e49a92b9d84a3d1479b7871fac408542b61b

APIs

FindNextFileA.KERNEL32(?,?), ref: 0040A415
GetLastError.KERNEL32(?,?), ref: 0040A41E
FileTimeToLocalFileTime.KERNEL32(?), ref: 0040A434
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 0040A443

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0041C2D4, Relevance: 6.1, APIs: 4, Instructions: 51 Total matches: 4966

Similarity

Total matches: 4966
API ID: FindResourceLoadResourceLockResourceSizeofResource
String ID:
API String ID: 3653323225-0
Opcode ID: 735dd83644160b8dcfdcb5d85422b4d269a070ba32dbf009b7750e227a354687
Instruction ID: 615d07274e164157e3e11310b2f920de543c2506028dc961f8b3aaf64374c2fd
Opcode Fuzzy Hash: 4BD0A90A2268C100582C2C80002BBC610830A5FE226CC27F902231BBC32C026024F8C4
Instruction Fuzzy Hash: 615d07274e164157e3e11310b2f920de543c2506028dc961f8b3aaf64374c2fd

APIs

FindResourceA.KERNEL32(?,?,?), ref: 0041C2EB
LoadResource.KERNEL32(?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C305
SizeofResource.KERNEL32(?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C31F
LockResource.KERNEL32(0041BDF4,00000000,?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000), ref: 0041C329

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040A3AC, Relevance: 6.0, APIs: 4, Instructions: 40 Total matches: 51time

Similarity

Total matches: 51
API ID: DosDateTimeToFileTimeGetLastErrorLocalFileTimeToFileTimeSetFileTime
String ID:
API String ID: 3095628216-0
Opcode ID: dc7fe683cb9960f76d0248ee31fd3249d04fe76d6d0b465a838fe0f3e66d3351
Instruction ID: c3399427300e97a0bf23ec08d7f996c3ab3c22a86554ee3675cd901d102723b3
Opcode Fuzzy Hash: F2C0803B165157D71F4F7D7C600375011F0D1778230955B614E019718D4E05F01EFD86
Instruction Fuzzy Hash: c3399427300e97a0bf23ec08d7f996c3ab3c22a86554ee3675cd901d102723b3

APIs

DosDateTimeToFileTime.KERNEL32(?,0048C37F,?), ref: 0040A3C9
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0040A3DA
SetFileTime.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3EC
GetLastError.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3F5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00484388, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 39

Similarity

Total matches: 39
API ID: CloseHandleGetExitCodeProcessOpenProcessTerminateProcess
String ID:
API String ID: 2790531620-0
Opcode ID: 2f64381cbc02908b23ac036d446d8aeed05bad4df5f4c3da9e72e60ace7043ae
Instruction ID: e830ae185e03603e72926048c7063e7464f7d8c572e36ef4319c937be7ad0c91
Opcode Fuzzy Hash: 5DC01285079EAB7B643571D825437E14084D5026CCB943B7185045F10B4B09B43DF053
Instruction Fuzzy Hash: e830ae185e03603e72926048c7063e7464f7d8c572e36ef4319c937be7ad0c91

APIs

OpenProcess.KERNEL32(00000001,00000000,00000000), ref: 00484393
GetExitCodeProcess.KERNEL32(00000000,?), ref: 004843B7
TerminateProcess.KERNEL32(00000000,?,00000000,004843E0,?,00000001,00000000,00000000), ref: 004843C4
CloseHandle.KERNEL32(00000000), ref: 004843DA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044E254, Relevance: 6.0, APIs: 4, Instructions: 37 Total matches: 5751thread

Similarity

Total matches: 5751
API ID: GetCurrentProcessIdGetPropGetWindowThreadProcessIdGlobalFindAtom
String ID:
API String ID: 142914623-0
Opcode ID: 055fee701d7a26f26194a738d8cffb303ddbdfec43439e02886190190dab2487
Instruction ID: e9689aead5eaf442059aa2d418bca5d111d08576717f72d926dd49825766799b
Opcode Fuzzy Hash: 0AC02203AD2E23870E4202F2E840907219583DF8720CA370201B0E38C023F0461DFF0C
Instruction Fuzzy Hash: e9689aead5eaf442059aa2d418bca5d111d08576717f72d926dd49825766799b

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 0044E261
GetCurrentProcessId.KERNEL32(00000000,?,?,-00000010,00000000,0044E2CC,-000000F7,?,00000000,0044DE86,?,-00000010,?), ref: 0044E26A
GlobalFindAtomA.KERNEL32(00000000), ref: 0044E27F
GetPropA.USER32(00000000,00000000), ref: 0044E296

Part of subcall function 0044D2C0: GetWindowThreadProcessId.USER32(?), ref: 0044D2C6
Part of subcall function 0044D2C0: GetCurrentProcessId.KERNEL32(?,?,?,?,0044D346,?,00000000,?,004387ED,?,004378A9), ref: 0044D2CF
Part of subcall function 0044D2C0: SendMessageA.USER32(?,0000C1C7,00000000,00000000), ref: 0044D2E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444B1C, Relevance: 6.0, APIs: 4, Instructions: 34 Total matches: 2966thread

Similarity

Total matches: 2966
API ID: CreateEventCreateThreadGetCurrentThreadIdSetWindowsHookEx
String ID:
API String ID: 2240124278-0
Opcode ID: 54442a1563c67a11f9aee4190ed64b51599c5b098d388fde65e2e60bb6332aef
Instruction ID: 25b62da08cecef26c395931cea73ffe9b62582a88be241cbb158b3c9ea13de32
Opcode Fuzzy Hash: 37D0C940B0DE75C4F860630138017A90633234BF1BCD1C316480F76041C6CFAEF07A28
Instruction Fuzzy Hash: 25b62da08cecef26c395931cea73ffe9b62582a88be241cbb158b3c9ea13de32

APIs

GetCurrentThreadId.KERNEL32(?,00447A69,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00444B34
SetWindowsHookExA.USER32(00000003,00444AD8,00000000,00000000), ref: 00444B44
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00447A69,?,?,?,?,?,?,?,?,?,?), ref: 00444B5F
CreateThread.KERNEL32(00000000,000003E8,00444A7C,00000000,00000000), ref: 00444B83

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B438, Relevance: 6.0, APIs: 4, Instructions: 29 Total matches: 789

Similarity

Total matches: 789
API ID: GetDCGetTextMetricsReleaseDCSelectObject
String ID:
API String ID: 1769665799-0
Opcode ID: db772d9cc67723a7a89e04e615052b16571c955da3e3b2639a45f22e65d23681
Instruction ID: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3
Opcode Fuzzy Hash: DCC02B935A2888C32DE51FC0940084317C8C0E3A248C62212E13D400727F0C007CBFC0
Instruction Fuzzy Hash: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3

APIs

GetDC.USER32(00000000), ref: 0042B441
SelectObject.GDI32(00000000,018A002E), ref: 0042B453
GetTextMetricsA.GDI32(00000000), ref: 0042B45E
ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042473C, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 172 Total matches: 108

Similarity

Total matches: 108
API ID: CompareStringCreateFontIndirect
String ID: Default
API String ID: 480662435-753088835
Opcode ID: 55710f22f10b58c86f866be5b7f1af69a0ec313069c5af8c9f5cd005ee0f43f8
Instruction ID: ad4a051fb67a15694052d05548e5e2a92b9daedfa5d673be67c756d1cf269a99
Opcode Fuzzy Hash: F6116A2104DDB067F8B3EC94B64A74A79D1BBC5E9EC00FB303AA57198A0B01500EEB0E
Instruction Fuzzy Hash: ad4a051fb67a15694052d05548e5e2a92b9daedfa5d673be67c756d1cf269a99

APIs

Part of subcall function 00423A1C: EnterCriticalSection.KERNEL32(?,00423A59), ref: 00423A20

CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,00424930,?,00000000,00424958), ref: 0042486B
CreateFontIndirectA.GDI32(?), ref: 0042490D

Part of subcall function 0042B438: GetDC.USER32(00000000), ref: 0042B441
Part of subcall function 0042B438: SelectObject.GDI32(00000000,018A002E), ref: 0042B453
Part of subcall function 0042B438: GetTextMetricsA.GDI32(00000000), ref: 0042B45E
Part of subcall function 0042B438: ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Part of subcall function 00423A28: LeaveCriticalSection.KERNEL32(-00000008,00423B07,00423B0F), ref: 00423A2C

Strings

Default, xrefs: 00424832, 00424840, 00424841

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E3F0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103 Total matches: 30

Similarity

Total matches: 30
API ID: SHGetPathFromIDListSHGetSpecialFolderLocation
String ID: .LNK
API String ID: 739551631-2547878182
Opcode ID: 6b91e9416f314731ca35917c4d41f2341f1eaddd7b94683245f35c4551080332
Instruction ID: e6ae6f63a256f5e8788dfe1c4fce17057cd352befa637d7beb5ae1c0f18a968e
Opcode Fuzzy Hash: 9701B543079EC2A3D9232E512D43BA60129AF11E22F4C77F35A3C3A7D11E500105FA4A
Instruction Fuzzy Hash: e6ae6f63a256f5e8788dfe1c4fce17057cd352befa637d7beb5ae1c0f18a968e

APIs

SHGetSpecialFolderLocation.SHELL32(00000000,00000010,?), ref: 0046E44B
SHGetPathFromIDListA.SHELL32(?,?,00000000,00000010,?,00000000,0046E55E), ref: 0046E463

Part of subcall function 0042BE44: CoCreateInstance.OLE32(?,00000000,00000005,0042BF34,00000000), ref: 0042BE8B

Strings

.LNK, xrefs: 0046E4DE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00472C70, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 98 Total matches: 26

Similarity

Total matches: 26
API ID: SetFileAttributes
String ID: I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!$drivers\etc\hosts
API String ID: 3201317690-57959411
Opcode ID: de1fcf5289fd0d37c0d7642ff538b0d3acf26fbf7f5b53187118226b7e9f9585
Instruction ID: 1f69c6cfd5524e6f1e55c33e322de11738733e7ba85079705839c212502733fc
Opcode Fuzzy Hash: C4012B430F74D723D5173D857800B8922764B4A179D4A77F34B3B796E14E45101BF26D
Instruction Fuzzy Hash: 1f69c6cfd5524e6f1e55c33e322de11738733e7ba85079705839c212502733fc

APIs

Part of subcall function 004719C8: GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 004719DF

SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00472DAB,?,00000000,00472DE7), ref: 00472D16

Strings

drivers\etc\hosts, xrefs: 00472CD3, 00472D00
I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!, xrefs: 00472D8D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004629C0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 91 Total matches: 35com

Similarity

Total matches: 35
API ID: CoCreateInstance
String ID: <*I$L*I
API String ID: 206711758-935359969
Opcode ID: 926ebed84de1c4f5a0cff4f8c2e2da7e6b2741b3f47b898da21fef629141a3d9
Instruction ID: fa8d7291222113e0245fa84df17397d490cbd8a09a55d837a8cb9fde22732a4b
Opcode Fuzzy Hash: 79F02EA00A6B5057F502728428413DB0157E74BF09F48EB715253335860F29E22A6903
Instruction Fuzzy Hash: fa8d7291222113e0245fa84df17397d490cbd8a09a55d837a8cb9fde22732a4b

APIs

CoCreateInstance.OLE32(00492A3C,00000000,00000001,0049299C,00000000), ref: 00462A3F

Strings

<*I, xrefs: 00462A39
L*I, xrefs: 00462A60

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004658F4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91 Total matches: 91memory

Similarity

Total matches: 91
API ID: VirtualFreeVirtualProtect
String ID: FinalizeSections: VirtualProtect failed
API String ID: 636303360-3584865983
Opcode ID: eacfc3cf263d000af2bbea4d1e95e0ccf08e91c00f24ffdf9b55ce997f25413f
Instruction ID: a25c5a888a9fda5817e5b780509016ca40cf7ffd1ade20052d4c48f0177e32df
Opcode Fuzzy Hash: 8CF0A7A2164FC596D9E4360D5003B96A44B6BC1369D4857412FFF106F35E46A06B7D4C
Instruction Fuzzy Hash: a25c5a888a9fda5817e5b780509016ca40cf7ffd1ade20052d4c48f0177e32df

APIs

VirtualFree.KERNEL32(?,?,00004000), ref: 00465939
VirtualProtect.KERNEL32(?,?,00000000,?), ref: 004659A5

Strings

FinalizeSections: VirtualProtect failed, xrefs: 004659B3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00404B2E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83 Total matches: 27

Similarity

Total matches: 27
API ID: UnhandledExceptionFilter
String ID: @
API String ID: 324268079-2726393805
Opcode ID: 404135c81fb2f5f5ca58f8e75217e0a603ea6e07d48b6f32e279dfa7f56b0152
Instruction ID: c84c814e983b35b1fb5dae0ae7b91a26e19a660e9c4fa24becd8f1ddc27af483
Opcode Fuzzy Hash: CDF0246287E8612AD0BB6641389337E1451EF8189DC88DB307C9A306FB1A4D22A4F34C
Instruction Fuzzy Hash: c84c814e983b35b1fb5dae0ae7b91a26e19a660e9c4fa24becd8f1ddc27af483

APIs

UnhandledExceptionFilter.KERNEL32(00000006), ref: 00404B9A
UnhandledExceptionFilter.KERNEL32(?), ref: 00404BD7

Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00000000,00403029), ref: 004076AD
Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00403029), ref: 004076BE

Strings

@, xrefs: 00404B55

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040C028, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79 Total matches: 3032thread

Similarity

Total matches: 3032
API ID: GetDateFormatGetThreadLocale
String ID: yyyy
API String ID: 358233383-3145165042
Opcode ID: a9ef5bbd8ef47e5bcae7fadb254d6b5dc10943448e4061dc92b10bb97dc7929c
Instruction ID: 3d7ab4add3e8180159f8482215856afc9a1a963464e366b4ca05c92ac214afea
Opcode Fuzzy Hash: 09F09E4A0397D3D76802C969D023BC10194EB5A8B2C88B3B1DBB43D7F74C10C40AAF21
Instruction Fuzzy Hash: 3d7ab4add3e8180159f8482215856afc9a1a963464e366b4ca05c92ac214afea

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,0040C116), ref: 0040C0AE
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100), ref: 0040C0B4

Strings

yyyy, xrefs: 0040C089

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004889F0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 72 Total matches: 20

Similarity

Total matches: 20
API ID: GetMonitorInfo
String ID: H$MONSIZE
API String ID: 2399315694-578782711
Opcode ID: fcbd22419a9fe211802b34775feeb9b9cd5c1eab3f2b681a58b96c928ed20dcd
Instruction ID: 58dff39716ab95f400833e95f8353658d64ab2bf0589c4ada55bb24297febcec
Opcode Fuzzy Hash: A0F0E957075E9D5BE7326D883C177C042D82342C5AE8EB75741B9329B20D59511DF3C9
Instruction Fuzzy Hash: 58dff39716ab95f400833e95f8353658d64ab2bf0589c4ada55bb24297febcec

APIs

GetMonitorInfoA.USER32(?,00000048), ref: 00488A28

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

H, xrefs: 00488A19
MONSIZE, xrefs: 00488A65

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486210, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66 Total matches: 14network

Similarity

Total matches: 14
API ID: recvsend
String ID: EndReceive
API String ID: 740075404-1723565878
Opcode ID: 0642aeb2bf09005660d41f125a1d03baad4e76b78f36ec5b7dd5d239cf09d5cc
Instruction ID: 216cfea4cb83c20b808547ecb65d31b60c96cf6878345f9c489041ca4988cdb5
Opcode Fuzzy Hash: 4FE02B06133A455DE6270580341A3C7F947772B705E47D7F14FA4311DACA43322AE70B
Instruction Fuzzy Hash: 216cfea4cb83c20b808547ecb65d31b60c96cf6878345f9c489041ca4988cdb5

APIs

Part of subcall function 00466470: acmStreamConvert.MSACM32(?,00000108,00000000), ref: 004664AB
Part of subcall function 00466470: acmStreamReset.MSACM32(?,00000000,?,00000108,00000000), ref: 004664B9

send.WSOCK32(00000000,0049A3A0,00000000,00000000), ref: 004862AA
recv.WSOCK32(00000000,0049A3A0,00001FFF,00000000,00000000,0049A3A0,00000000,00000000), ref: 004862C1

Part of subcall function 00475F68: send.WSOCK32(?,00000000,?,00000000,00000000,00475FCA), ref: 00475FAF

Strings

EndReceive, xrefs: 004862CA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004843EC, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52 Total matches: 15

Similarity

Total matches: 15
API ID: CloseHandleOpenProcess
String ID: ACCESS DENIED (x64)
API String ID: 39102293-185273294
Opcode ID: a572bc7c6731d9d91b92c5675ac9d9d4c0009ce4d4d6c6579680fd2629dc7de7
Instruction ID: 96dec37c68e2c881eb92ad81010518019459718a977f0d9739e81baf42475d3b
Opcode Fuzzy Hash: EBE072420B68F08FB4738298640028100C6AE862BCC486BB5523B391DB4E49A008B6A3
Instruction Fuzzy Hash: 96dec37c68e2c881eb92ad81010518019459718a977f0d9739e81baf42475d3b

APIs

OpenProcess.KERNEL32(001F0FFF,00000000), ref: 0048440F
CloseHandle.KERNEL32(00000000), ref: 00484475

Strings

ACCESS DENIED (x64), xrefs: 004843FD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E408, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44 Total matches: 2190

Similarity

Total matches: 2190
API ID: GetSystemMetrics
String ID: MonitorFromPoint
API String ID: 96882338-1072306578
Opcode ID: 666203dad349f535e62b1e5569e849ebaf95d902ba2aa8f549115cec9aadc9dc
Instruction ID: 9e90a3aeaa9df0e76633c437836624889fea8714b6c2508f44f8acb6986c90e8
Opcode Fuzzy Hash: 72D09540005C404E9427F505302314050862CD7C1444C0A96073728A4B4BC07837E70C
Instruction Fuzzy Hash: 9e90a3aeaa9df0e76633c437836624889fea8714b6c2508f44f8acb6986c90e8

APIs

GetSystemMetrics.USER32(00000000), ref: 0042E456
GetSystemMetrics.USER32(00000001), ref: 0042E468

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

MonitorFromPoint, xrefs: 0042E41A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00405026, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43 Total matches: 29

Similarity

Total matches: 29
API ID: UnhandledExceptionFilter
String ID: @$@
API String ID: 324268079-1993891284
Opcode ID: 08651bee2e51f7c203f2bcbc4971cbf38b3c12a2f284cd033f2f36121a1f9316
Instruction ID: 09869fe21a55f28103c5e2f74b220912f521d4c5ca74f0421fb5e508a020f7c0
Opcode Fuzzy Hash: 83E0CD9917D5514BE0755684259671E1051EF05825C4A8F316D173C1FB151A11E4F77C
Instruction Fuzzy Hash: 09869fe21a55f28103c5e2f74b220912f521d4c5ca74f0421fb5e508a020f7c0

APIs

UnhandledExceptionFilter.KERNEL32(00000006), ref: 00405047

Strings

@, xrefs: 00405080
@, xrefs: 004050A2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00422188, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42 Total matches: 16registry

Similarity

Total matches: 16
API ID: RegSetValueEx
String ID: NoControlPanel$tdA
API String ID: 3711155140-1355984343
Opcode ID: 5e8bf8497a5466fff8bc5eb4e146d5dc6a0602752481f5dd4d5504146fb4de3d
Instruction ID: cdf02c1bfc0658aace9b7e9a135c824c3cff313d703079df6a374eed0d2e646e
Opcode Fuzzy Hash: E2D0A75C074881C524D914CC3111E01228593157AA49C3F52875D627F70E00E038DD1E
Instruction Fuzzy Hash: cdf02c1bfc0658aace9b7e9a135c824c3cff313d703079df6a374eed0d2e646e

APIs

RegSetValueExA.ADVAPI32(?,00000000,00000000,00000000,?,?,004724E0,00000000,004724E0), ref: 004221BA

Strings

NoControlPanel, xrefs: 00422188
tdA, xrefs: 004221D0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E258, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39 Total matches: 3131

Similarity

Total matches: 3131
API ID: GetSystemMetrics
String ID: GetSystemMetrics
API String ID: 96882338-96882338
Opcode ID: bbc54e4b5041dfa08de2230ef90e8f32e1264c6e24ec09b97715d86cc98d23e9
Instruction ID: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c
Opcode Fuzzy Hash: B4D0A941986AA908E0AF511971A336358D163D2EA0C8C8362308B329EB5741B520AB01
Instruction Fuzzy Hash: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c

APIs

GetSystemMetrics.USER32(?), ref: 0042E2BA

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

GetSystemMetrics.USER32(?), ref: 0042E280

Strings

GetSystemMetrics, xrefs: 0042E268

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Process Name: G8Yxrw4J7t.exe Analysis ID: 39275

General

Root Process Name:	regdrv.exe
Process MD5:	1F09E66A3F0B82E5A8BA7BB412D30975
Total matches:	199
Initial Analysis Report:	Open
Initial sample Analysis ID:	39275
Initial sample SHA 256:	DD3AE4523EFCCCE6040559813062CC3312360A687D8C1E944E9637DDC46D1936
Initial sample name:	G8Yxrw4J7t.exe

Similar Executed Functions

Function 004818F8, Relevance: 49.2, APIs: 10, Strings: 18, Instructions: 236 Total matches: 18keyboard

Similarity

Total matches: 18
API ID: GetKeyState$CallNextHookEx$GetKeyboardStateMapVirtualKeyToAscii
String ID: [<-]$[DEL]$[DOWN]$[ESC]$[F1]$[F2]$[F3]$[F4]$[F5]$[F6]$[F7]$[F8]$[INS]$[LEFT]$[NUM_LOCK]$[RIGHT]$[SNAPSHOT]$[UP]
API String ID: 2409940449-52828794
Opcode ID: b9566e8c43a4051c07ac84d60916a303a7beb698efc358184a9cd4bc7b664fbd
Instruction ID: 41c13876561f3d94aafb9dcaf6d0e9d475a0720bb5103e60537e1bfe84b96b73
Opcode Fuzzy Hash: 0731B68AA7159623D437E2D97101B910227BF975D0CC1A3333EDA3CAE99E900114BF25
Instruction Fuzzy Hash: 41c13876561f3d94aafb9dcaf6d0e9d475a0720bb5103e60537e1bfe84b96b73

APIs

CallNextHookEx.USER32(000601F9,00000000,?,?), ref: 00481948

Part of subcall function 004818E0: MapVirtualKeyA.USER32(00000000,00000000), ref: 004818E6

CallNextHookEx.USER32(000601F9,00000000,00000100,?), ref: 0048198C
GetKeyState.USER32(00000014), ref: 00481C4E
GetKeyState.USER32(00000011), ref: 00481C60
GetKeyState.USER32(000000A0), ref: 00481C75
GetKeyState.USER32(000000A1), ref: 00481C8A
GetKeyboardState.USER32(?), ref: 00481CA5
MapVirtualKeyA.USER32(00000000,00000000), ref: 00481CD7
ToAscii.USER32(00000000,00000000,00000000,00000000,?), ref: 00481CDE

Part of subcall function 00481318: ExitThread.KERNEL32(00000000,00000000,00481687,?,00000000,004816C3,?,?,?,?,0000000C,00000000,00000000), ref: 0048135E
Part of subcall function 00481318: CreateThread.KERNEL32(00000000,00000000,Function_000810D4,00000000,00000000,00499F94), ref: 0048162D

CallNextHookEx.USER32(000601F9,00000000,?,?), ref: 00481D3C

Strings

[LEFT], xrefs: 00481C07
[F3], xrefs: 00481B65
[DOWN], xrefs: 00481C2B
[<-], xrefs: 00481B1D
[NUM_LOCK], xrefs: 00481B2F
[RIGHT], xrefs: 00481C19
[F7], xrefs: 00481BAD
[DEL], xrefs: 00481BD1
[UP], xrefs: 00481C3D
[F4], xrefs: 00481B77
[ESC], xrefs: 00481AE7
[F8], xrefs: 00481BBF
[F5], xrefs: 00481B89
[F1], xrefs: 00481B41
[INS], xrefs: 00481BE3
[F6], xrefs: 00481B9B
[SNAPSHOT], xrefs: 00481BF5
[F2], xrefs: 00481B53

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00406C2C, Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184 Total matches: 2899registrystringlibrary

Similarity

Total matches: 2899
API ID: lstrcpyn$LoadLibraryExRegOpenKeyEx$RegQueryValueEx$GetLocaleInfoGetModuleFileNameGetThreadLocaleRegCloseKeylstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 3567661987-2375825460
Opcode ID: a3b1251d448c01bd6f1cc1c42774547fa8a2e6c4aa6bafad0bbf1d0ca6416942
Instruction ID: a303aaa8438224c55303324eb01105260f59544aa3820bfcbc018d52edb30607
Opcode Fuzzy Hash: 7311914307969393E8871B6124157D513A5AF01F30E4A7BF275F0206EABE46110CFA06
Instruction Fuzzy Hash: a303aaa8438224c55303324eb01105260f59544aa3820bfcbc018d52edb30607

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,00400000,004917C0), ref: 00406C48
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,004917C0), ref: 00406C66
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,004917C0), ref: 00406C84
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00406CA2

Part of subcall function 00406A68: GetModuleHandleA.KERNEL32(kernel32.dll,?,00400000,004917C0), ref: 00406A85
Part of subcall function 00406A68: GetProcAddress.KERNEL32(?,GetLongPathNameA,kernel32.dll,?,00400000,004917C0), ref: 00406A9C
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,?,00400000,004917C0), ref: 00406ACC
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B30
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B66
Part of subcall function 00406A68: FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B79
Part of subcall function 00406A68: FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B8B
Part of subcall function 00406A68: lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B97
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000), ref: 00406BCB
Part of subcall function 00406A68: lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00406BD7
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 00406BF9

RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,00406D31,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00406CEB
RegQueryValueExA.ADVAPI32(?,00406E98,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00406D31,?,80000001), ref: 00406D09
RegCloseKey.ADVAPI32(?,00406D38,00000000,?,?,00000000,00406D31,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00406D2B
lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00406D48
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00406D55
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00406D5B
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00406D86
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406DCD
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406DDD
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406E05
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406E15
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00406E3B
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 00406E4B

Strings

Software\Borland\Locales, xrefs: 00406C5C, 00406C7A
Software\Borland\Delphi\Locales, xrefs: 00406C98

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00406D38, Relevance: 15.1, APIs: 10, Instructions: 98 Total matches: 2843stringlibrarythread

Similarity

Total matches: 2843
API ID: lstrcpyn$LoadLibraryEx$GetLocaleInfoGetThreadLocalelstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 2476548892-2375825460
Opcode ID: 37afa4b59127376f4a6833a35b99071d0dffa887068a3353cca0b5e1e5cd2bc3
Instruction ID: 0c520f96d45b86b238466289d2a994e593252e78d5c30d2048b7af96496f657b
Opcode Fuzzy Hash: 4CF0C883479793A7E04B1B422916AC853A4AF00F30F577BE1B970147FE7D1B240CA519
Instruction Fuzzy Hash: 0c520f96d45b86b238466289d2a994e593252e78d5c30d2048b7af96496f657b

APIs

lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00406D48
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00406D55
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00406D5B
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00406D86
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406DCD
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406DDD
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406E05
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406E15
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00406E3B
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 00406E4B

Strings

Software\Borland\Locales, xrefs: 00406C5C, 00406C7A
Software\Borland\Delphi\Locales, xrefs: 00406C98

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AEA8, Relevance: 9.1, APIs: 6, Instructions: 108 Total matches: 122

Similarity

Total matches: 122
API ID: AdjustTokenPrivilegesCloseHandleGetCurrentProcessGetLastErrorLookupPrivilegeValueOpenProcessToken
String ID:
API String ID: 1655903152-0
Opcode ID: c92d68a2c1c5faafb4a28c396f292a277a37f0b40326d7f586547878ef495775
Instruction ID: 5a044237aac15a3989e4021d08b96f5326c338692d3d0e66e444868dbe789150
Opcode Fuzzy Hash: 2CF0468513CAB2E7F879B18C3042FE73458B323244C8437219A903A18E0E59A12CEB13
Instruction Fuzzy Hash: 5a044237aac15a3989e4021d08b96f5326c338692d3d0e66e444868dbe789150

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AEFF
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF05
LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000), ref: 0048AF77
CloseHandle.KERNEL32(?), ref: 0048AF8D
GetLastError.KERNEL32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF9A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DDE0, Relevance: 7.6, APIs: 5, Instructions: 54 Total matches: 153

Similarity

Total matches: 153
API ID: FindResourceFreeResourceLoadResourceLockResourceSizeofResource
String ID:
API String ID: 3885362348-0
Opcode ID: ef8b8e58cde3d28224df1e0c57da641ab2d3d01fa82feb3a30011b4f31433ee9
Instruction ID: 9990bafbf40e834a260b48e1f62370990a3e04654371271e90c167a58edff6a8
Opcode Fuzzy Hash: 08D02B420B5FA197F51656482C813D722876B43386EC42BF2D31A3B2E39F058039F60B
Instruction Fuzzy Hash: 9990bafbf40e834a260b48e1f62370990a3e04654371271e90c167a58edff6a8

APIs

FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 0048DE1A
LoadResource.KERNEL32(00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE24
SizeofResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE2E
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE36
FreeResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047EAEC, Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 149 Total matches: 19windowthread

Similarity

Total matches: 19
API ID: CreateThreadDispatchMessageGetMessageTranslateMessage
String ID: at $,xI$AI$AI$MPI$OFFLINEK$PWD$Unknow
API String ID: 994098336-2744674293
Opcode ID: 9eba81f8e67a9dabaeb5076a6d0005a8d272465a03f2cd78ec5fdf0e8a578f9a
Instruction ID: 2241c7d72abfc068c3e0d2a9a226d44f5f768712d3663902469fbf0e50918cf5
Opcode Fuzzy Hash: E81159DA27FED40AF533B93074417C781661B2B62CE5C53A24E3B38580DE83406A7F06
Instruction Fuzzy Hash: 2241c7d72abfc068c3e0d2a9a226d44f5f768712d3663902469fbf0e50918cf5

APIs

CreateThread.KERNEL32(00000000,00000000,00482028,00000000,00000000,00499F94), ref: 0047EB8D
GetMessageA.USER32(00499F5C,00000000,00000000,00000000), ref: 0047ECBF

Part of subcall function 0040BC98: GetLocalTime.KERNEL32(?), ref: 0040BCA0

Part of subcall function 0040BCC4: GetLocalTime.KERNEL32(?), ref: 0040BCCC

Part of subcall function 0041FA34: GetLastError.KERNEL32(00486514,00000004,0048650C,00000000,0041FADE,?,00499F5C), ref: 0041FA94

Part of subcall function 0041FC40: SetThreadPriority.KERNEL32(?,015CDB28,00499F5C,?,0047EC9E,?,?,?,00000000,00000000,?,0049062B), ref: 0041FC55

Part of subcall function 0041FEF0: ResumeThread.KERNEL32(?,00499F5C,?,0047ECAA,?,?,?,00000000,00000000,?,0049062B), ref: 0041FEF8

TranslateMessage.USER32(00499F5C), ref: 0047ECAD
DispatchMessageA.USER32(00499F5C), ref: 0047ECB3

Strings

OFFLINEK, xrefs: 0047EB61
,xI, xrefs: 0047EC45
AI, xrefs: 0047EB11, 0047EB3E
at , xrefs: 0047EC58
Unknow, xrefs: 0047EC0B
AI, xrefs: 0047EBFA, 0047EC04, 0047EC60
MPI, xrefs: 0047EB9D
PWD, xrefs: 0047EB26

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004458CC, Relevance: 19.9, APIs: 13, Instructions: 386 Total matches: 159window

Similarity

Total matches: 159
API ID: SetFocus$GetFocusIsWindowEnabledPostMessage$GetLastActivePopupIsWindowVisibleSendMessage
String ID:
API String ID: 914620548-0
Opcode ID: 7a550bb8e8bdfffe0a3d884064dd1348bcd58c670023c5df15e5d4cbc78359b7
Instruction ID: ae7cdb1027d949e36366800a998b34cbf022b374fa511ef6be9943eb0d4292bd
Opcode Fuzzy Hash: 79518B4165DF6212E8BB908076A3BE6604BF7C6B9ECC8DF3411D53649B3F44620EE306
Instruction Fuzzy Hash: ae7cdb1027d949e36366800a998b34cbf022b374fa511ef6be9943eb0d4292bd

APIs

Part of subcall function 00445780: SetThreadLocale.KERNEL32(00000400,?,?,?,0044593F,00000000,00445F57), ref: 004457A3

Part of subcall function 00445F90: SetActiveWindow.USER32(?), ref: 00445FB5
Part of subcall function 00445F90: IsWindowEnabled.USER32(00000000), ref: 00445FE1
Part of subcall function 00445F90: SetWindowPos.USER32(?,00000000,00000000,00000000,?,00000000,00000040), ref: 0044602B
Part of subcall function 00445F90: DefWindowProcA.USER32(?,00000112,0000F020,00000000), ref: 00446040

Part of subcall function 00446070: SetActiveWindow.USER32(?), ref: 0044608F
Part of subcall function 00446070: ShowWindow.USER32(00000000,00000009), ref: 004460B4
Part of subcall function 00446070: IsWindowEnabled.USER32(00000000), ref: 004460D3
Part of subcall function 00446070: DefWindowProcA.USER32(?,00000112,0000F120,00000000), ref: 004460EC
Part of subcall function 00446070: SetWindowPos.USER32(?,00000000,00000000,?,?,00445ABE,00000000), ref: 00446132
Part of subcall function 00446070: SetFocus.USER32(00000000), ref: 00446180

Part of subcall function 00445F74: LoadIconA.USER32(00000000,00007F00), ref: 00445F8A

PostMessageA.USER32(?,0000B001,00000000,00000000), ref: 00445BCD

Part of subcall function 00445490: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000213), ref: 004454DE

PostMessageA.USER32(?,0000B000,00000000,00000000), ref: 00445BAB
SendMessageA.USER32(?,?,?,?), ref: 00445C73

Part of subcall function 00405388: FreeLibrary.KERNEL32(00400000,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405410
Part of subcall function 00405388: ExitProcess.KERNEL32(00000000,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405448

Part of subcall function 0044641C: IsWindowEnabled.USER32(00000000), ref: 00446458

IsWindowEnabled.USER32(00000000), ref: 00445D18
IsWindowVisible.USER32(00000000), ref: 00445D2D
GetFocus.USER32 ref: 00445D41
SetFocus.USER32(00000000), ref: 00445D50
SetFocus.USER32(00000000), ref: 00445D6F
IsWindowEnabled.USER32(00000000), ref: 00445DD0
SetFocus.USER32(00000000), ref: 00445DF2
GetLastActivePopup.USER32(?), ref: 00445E0A

Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773

GetFocus.USER32 ref: 00445E4F

Part of subcall function 0043BA80: GetCurrentThreadId.KERNEL32(Function_0003BA1C,00000000,0044283C,00000000,004428BF), ref: 0043BA9A
Part of subcall function 0043BA80: EnumThreadWindows.USER32(00000000,Function_0003BA1C,00000000), ref: 0043BAA0

SetFocus.USER32(00000000), ref: 00445E70

Part of subcall function 00446A88: PostMessageA.USER32(?,0000B01F,00000000,00000000), ref: 00446BA1

Part of subcall function 004466B8: SendMessageA.USER32(?,0000B020,00000001,?), ref: 004466DC

Part of subcall function 0044665C: SendMessageA.USER32(?,0000B020,00000000,?), ref: 0044667E

Part of subcall function 0045D684: SystemParametersInfoA.USER32(00000068,00000000,015E3408,00000000), ref: 0045D6C8
Part of subcall function 0045D684: SendMessageA.USER32(?,?,00000000,00000000), ref: 0045D6DB

Part of subcall function 00445844: DefWindowProcA.USER32(?,?,?,?), ref: 0044586E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045DAE0, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 103 Total matches: 45registrylibraryloader

Similarity

Total matches: 45
API ID: GlobalAddAtom$GetCurrentProcessIdGetCurrentThreadIdGetModuleHandleGetProcAddressRegisterWindowMessage
String ID: AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$USER32
API String ID: 1182141063-1126952177
Opcode ID: f8c647dae10644b7e730f5649d963eb01b1b77fd7d0b633dfddc8baab0ae74fb
Instruction ID: 6dc9b78338348dc7afd8e3f20dad2926db9f0bd5be2625dc934bf3846c6fa984
Opcode Fuzzy Hash: ED0140552F89B147427255E03449BB534B6A707F4B4CA77531B0D3A1F9AE074025FB1E
Instruction Fuzzy Hash: 6dc9b78338348dc7afd8e3f20dad2926db9f0bd5be2625dc934bf3846c6fa984

APIs

GetCurrentProcessId.KERNEL32(?,00000000,0045DC58), ref: 0045DB01
GlobalAddAtomA.KERNEL32(00000000), ref: 0045DB34
GetCurrentThreadId.KERNEL32(?,?,00000000,0045DC58), ref: 0045DB4F
GlobalAddAtomA.KERNEL32(00000000), ref: 0045DB85
RegisterWindowMessageA.USER32(00000000,00000000,?,?,00000000,0045DC58), ref: 0045DB9B

Part of subcall function 00419AB0: InitializeCriticalSection.KERNEL32(004174C8,?,?,0045DBB1,00000000,00000000,?,?,00000000,0045DC58), ref: 00419ACF

Part of subcall function 0045D6E8: SetErrorMode.KERNEL32(00008000), ref: 0045D701
Part of subcall function 0045D6E8: GetModuleHandleA.KERNEL32(USER32,00000000,0045D84E,?,00008000), ref: 0045D725
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,WINNLSEnableIME,USER32,00000000,0045D84E,?,00008000), ref: 0045D732
Part of subcall function 0045D6E8: LoadLibraryA.KERNEL32(imm32.dll), ref: 0045D74E
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D770
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D785
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D79A
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7AF
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7C4
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E), ref: 0045D7D9
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000), ref: 0045D7EE
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext), ref: 0045D803
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext), ref: 0045D818
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmNotifyIME,00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus), ref: 0045D82D
Part of subcall function 0045D6E8: SetErrorMode.KERNEL32(?,0045D855,00008000), ref: 0045D848

Part of subcall function 00443B58: GetKeyboardLayout.USER32(00000000), ref: 00443B9D
Part of subcall function 00443B58: GetDC.USER32(00000000), ref: 00443BF2
Part of subcall function 00443B58: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00443BFC
Part of subcall function 00443B58: ReleaseDC.USER32(00000000,00000000), ref: 00443C07

Part of subcall function 00444D60: LoadIconA.USER32(00400000,MAINICON), ref: 00444E57
Part of subcall function 00444D60: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON), ref: 00444E89
Part of subcall function 00444D60: OemToCharA.USER32(?,?), ref: 00444E9C
Part of subcall function 00444D60: CharNextA.USER32(?), ref: 00444EDB
Part of subcall function 00444D60: CharLowerA.USER32(00000000), ref: 00444EE1

GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,?,00000000,0045DC58), ref: 0045DC1F
GetProcAddress.KERNEL32(00000000,AnimateWindow,USER32,00000000,00000000,?,?,00000000,0045DC58), ref: 0045DC30

Strings

Delphi%.8X, xrefs: 0045DB12
ControlOfs%.8X%.8X, xrefs: 0045DB63
AnimateWindow, xrefs: 0045DC2A
USER32, xrefs: 0045DC1A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00481318, Relevance: 16.0, APIs: 2, Strings: 7, Instructions: 241 Total matches: 16thread

Similarity

Total matches: 16
API ID: CreateThreadExitThread
String ID: Bytes ($,xI$:: $:: Clipboard Change : size = $FTPSIZE$FTPUPLOADK$dclogs\
API String ID: 3550501405-4171340091
Opcode ID: 09ac825b311b0dae764bb850de313dcff2ce8638679eaf641d47129c8347c1b6
Instruction ID: 18a29a8180aa3c51a0af157095e3a2943ba53103427a66675ab0ae847ae08d92
Opcode Fuzzy Hash: A8315BC70B99DEDBE522BCD838413A6446E1B4364DD4C1B224B397D4F14F09203AF712
Instruction Fuzzy Hash: 18a29a8180aa3c51a0af157095e3a2943ba53103427a66675ab0ae847ae08d92

APIs

ExitThread.KERNEL32(00000000,00000000,00481687,?,00000000,004816C3,?,?,?,?,0000000C,00000000,00000000), ref: 0048135E

Part of subcall function 00480F70: GetForegroundWindow.USER32 ref: 00480F8F
Part of subcall function 00480F70: GetWindowTextLengthA.USER32(00000000), ref: 00480F9B
Part of subcall function 00480F70: GetWindowTextA.USER32(00000000,00000000,00000001), ref: 00480FB8

Part of subcall function 0048ADCC: SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0048ADF9
Part of subcall function 0048ADCC: SHGetPathFromIDListA.SHELL32(?,?,00000000,0048AE8C,?,?,00000005,?,004856FD,00000000,00485755,?,?,00000005,00000000,00000000), ref: 0048AE09

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

Part of subcall function 0040BCC4: GetLocalTime.KERNEL32(?), ref: 0040BCCC

Part of subcall function 00480FEC: FindFirstFileA.KERNEL32(00000000,?,00000000,0048109E), ref: 0048101E

CreateThread.KERNEL32(00000000,00000000,Function_000810D4,00000000,00000000,00499F94), ref: 0048162D

Strings

FTPUPLOADK, xrefs: 0048159E
,xI, xrefs: 00481482, 0048151D
dclogs\, xrefs: 004813DB, 0048142A, 004815C7
FTPSIZE, xrefs: 004815F1
:: , xrefs: 00481492
Bytes (, xrefs: 0048153F
:: Clipboard Change : size = , xrefs: 0048152D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048B908, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 138 Total matches: 28

Similarity

Total matches: 28
API ID: GetTokenInformation$CloseHandleGetCurrentProcessOpenProcessToken
String ID: Default$Full$Limited$unknow
API String ID: 3519712506-3005279702
Opcode ID: c9e83fe5ef618880897256b557ce500f1bf5ac68e7136ff2dc4328b35d11ffd0
Instruction ID: 0b4c06dab34d27ad9d68d80be0f4d698db9405c4a95def130c1ac261927f5781
Opcode Fuzzy Hash: 94012245479DA6FB6826709C78036E90090EEA3505DC827320F1A3EA430F49906DFE03
Instruction Fuzzy Hash: 0b4c06dab34d27ad9d68d80be0f4d698db9405c4a95def130c1ac261927f5781

APIs

GetCurrentProcess.KERNEL32(00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B93E
OpenProcessToken.ADVAPI32(00000000,00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B944
GetTokenInformation.ADVAPI32(?,00000012(TokenIntegrityLevel),?,00000004,?,00000000,0048BA30,?,00000000,00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B96F
GetTokenInformation.ADVAPI32(?,00000014(TokenIntegrityLevel),?,00000004,?,?,TokenIntegrityLevel,?,00000004,?,00000000,0048BA30,?,00000000,00000008,?), ref: 0048B9DF
CloseHandle.KERNEL32(?), ref: 0048BA2A

Strings

unknow, xrefs: 0048B9B6
Limited, xrefs: 0048B9A7
Default, xrefs: 0048B989
Full, xrefs: 0048B998

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004035C4, Relevance: 15.1, APIs: 10, Instructions: 129 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: d538ecb20819965be69077a828496b76d5af3486dd71f6717b9dc933de35fdbc
Instruction ID: c976212507a0127e09b4f1878ff8970bdbefa7b4a5e526d5fabf74a192684bc9
Opcode Fuzzy Hash: DD012BC0B7E89268E42FAB84AA00FD25444979FFC9E70C74433C9615EE6742616CBE09
Instruction Fuzzy Hash: c976212507a0127e09b4f1878ff8970bdbefa7b4a5e526d5fabf74a192684bc9

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040364C
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00403670
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040368C
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 004036AD
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 004036D6
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 004036E4
GetStdHandle.KERNEL32(000000F5), ref: 0040371F
GetFileType.KERNEL32 ref: 00403735
CloseHandle.KERNEL32 ref: 00403750
GetLastError.KERNEL32(000000F5), ref: 00403768

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040EBCC, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201 Total matches: 3634thread

Similarity

Total matches: 3634
API ID: GetThreadLocale
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 1366207816-2493093252
Opcode ID: 01a36ac411dc2f0c4b9eddfafa1dc6121dabec367388c2cb1b6e664117e908cf
Instruction ID: d03f869ccb848d3c28b0e9f5c57a02ed4726818649ba9b5e70cc30c7e7abe10a
Opcode Fuzzy Hash: 7E216E09A7888936D262494C3885B9414F75F1A161EC4CBF18BB2757ED6EC60422FBFB
Instruction Fuzzy Hash: d03f869ccb848d3c28b0e9f5c57a02ed4726818649ba9b5e70cc30c7e7abe10a

APIs

Part of subcall function 0040EB08: GetThreadLocale.KERNEL32 ref: 0040EB2A
Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000004A), ref: 0040EB7D
Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000002A), ref: 0040EB8C

Part of subcall function 0040D3E8: GetThreadLocale.KERNEL32(00000000,0040D4FB,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040D404

GetThreadLocale.KERNEL32(00000000,0040EE97,?,?,00000000,00000000), ref: 0040EC02

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Part of subcall function 0040D380: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040EC7E,00000000,0040EE97,?,?,00000000,00000000), ref: 0040D393

Part of subcall function 0040D670: GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(?,00000000,0040D657,?,?,00000000), ref: 0040D5D8
Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040D657,?,?,00000000), ref: 0040D608
Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D50C,00000000,00000000,00000004), ref: 0040D613
Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040D657,?,?,00000000), ref: 0040D631
Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D548,00000000,00000000,00000003), ref: 0040D63C

Strings

AMPM , xrefs: 0040EE25
mmmm d, yyyy, xrefs: 0040ECFE
m/d/yy, xrefs: 0040ECD1
:mm, xrefs: 0040EE35
:mm:ss, xrefs: 0040EE52
AMPM, xrefs: 0040EE16

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045F5F8, Relevance: 10.6, APIs: 7, Instructions: 117 Total matches: 462file

Similarity

Total matches: 462
API ID: CloseHandle$CreateFileCreateFileMappingGetFileSizeMapViewOfFileUnmapViewOfFile
String ID:
API String ID: 4232242029-0
Opcode ID: 30b260463d44c6b5450ee73c488d4c98762007a87f67d167b52aaf6bd441c3bf
Instruction ID: 5c790fdba87d6d3a28b45298bdc34f72c373fcd78425af207109af52e92f4d8f
Opcode Fuzzy Hash: 68F028440BCCF3A7F4B5B64820427A1004AAB46B58D54BFA25495374CB89C9B04DFB53
Instruction Fuzzy Hash: 5c790fdba87d6d3a28b45298bdc34f72c373fcd78425af207109af52e92f4d8f

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateFileA.KERNEL32(00000000,80000000,00000003,00000000,00000003,08000080,00000000), ref: 0045F637
CreateFileMappingA.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0045F665
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718,?,?,?,?), ref: 0045F691
GetFileSize.KERNEL32(000000FF,00000000,00000000,0045F6DC,?,00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718), ref: 0045F6B3
UnmapViewOfFile.KERNEL32(00000000,0045F6E3,0045F6DC,?,00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718), ref: 0045F6D6
CloseHandle.KERNEL32(00000000), ref: 0045F6F4
CloseHandle.KERNEL32(000000FF), ref: 0045F712

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AFE8, Relevance: 10.6, APIs: 7, Instructions: 94 Total matches: 34sleep

Similarity

Total matches: 34
API ID: Sleep$GetCurrentProcessGetTokenInformationLookupPrivilegeDisplayNameLookupPrivilegeNameOpenProcessToken
String ID:
API String ID: 2949210484-0
Opcode ID: 1294ace95088db967643d611283e857756515b83d680ef470e886f47612abab4
Instruction ID: 080af5cb768fd98714a9d060fcd45c73de1816ca9ba7ffb4874f351f539571ee
Opcode Fuzzy Hash: F9F0F6524B5DE753F65D2A4C9893BE90250DB03424E806B22857877A8A5E195039FA2A
Instruction Fuzzy Hash: 080af5cb768fd98714a9d060fcd45c73de1816ca9ba7ffb4874f351f539571ee

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048B0F3), ref: 0048B016
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048B0F3), ref: 0048B01C
Sleep.KERNEL32(00000001,00000000,00000028,?,00000000,0048B0F3), ref: 0048B027
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B03C
Sleep.KERNEL32(00000001,?,TokenIntegrityLevel,00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B047
LookupPrivilegeNameA.ADVAPI32(00000000,00000004,00000000,000000FF), ref: 0048B094
LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,?,000000FF,?), ref: 0048B0A8

Part of subcall function 0048AEA8: GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AEFF
Part of subcall function 0048AEA8: OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF05
Part of subcall function 0048AEA8: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
Part of subcall function 0048AEA8: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000), ref: 0048AF77
Part of subcall function 0048AEA8: CloseHandle.KERNEL32(?), ref: 0048AF8D
Part of subcall function 0048AEA8: GetLastError.KERNEL32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF9A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048F888, Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 110 Total matches: 18

Similarity

Total matches: 18
API ID: CoInitialize
String ID: .dcp$DCDATA$GENCODE$MPI$NETDATA
API String ID: 2346599605-3060965071
Opcode ID: 5b2698c0d83cdaee763fcf6fdf8d4463e192853437356cece5346bd183c87f4d
Instruction ID: bf1364519f653df7cd18a9a38ec8bfca38719d83700d8c9dcdc44dde4d16a583
Opcode Fuzzy Hash: 990190478FEEC01AF2139D64387B7C100994F53F55E840B9B557D3E5A08947502BB705
Instruction Fuzzy Hash: bf1364519f653df7cd18a9a38ec8bfca38719d83700d8c9dcdc44dde4d16a583

APIs

Part of subcall function 004076D4: GetModuleHandleA.KERNEL32(00000000,?,0048F8A5,?,?,?,0000002F,00000000,00000000), ref: 004076E0

CoInitialize.OLE32(00000000), ref: 0048F8B5

Part of subcall function 0048AFE8: GetCurrentProcess.KERNEL32(00000028,?,00000000,0048B0F3), ref: 0048B016
Part of subcall function 0048AFE8: OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048B0F3), ref: 0048B01C
Part of subcall function 0048AFE8: Sleep.KERNEL32(00000001,00000000,00000028,?,00000000,0048B0F3), ref: 0048B027
Part of subcall function 0048AFE8: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B03C
Part of subcall function 0048AFE8: Sleep.KERNEL32(00000001,?,TokenIntegrityLevel,00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B047
Part of subcall function 0048AFE8: LookupPrivilegeNameA.ADVAPI32(00000000,00000004,00000000,000000FF), ref: 0048B094
Part of subcall function 0048AFE8: LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,?,000000FF,?), ref: 0048B0A8

Part of subcall function 0040F234: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0048F90F,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040F24B

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

Strings

.dcp, xrefs: 0048F92D, 0048F989
DCDATA, xrefs: 0048F8E9
NETDATA, xrefs: 0048F9B6
MPI, xrefs: 0048F8BA
GENCODE, xrefs: 0048F920, 0048F97C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B47C, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58 Total matches: 283

Similarity

Total matches: 283
API ID: MulDiv
String ID: MS Shell Dlg 2$SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes$Tahoma
API String ID: 940359406-1011973972
Opcode ID: 9f338f1e3de2c8e95426f3758bdd42744a67dcd51be80453ed6f2017c850a3af
Instruction ID: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a
Opcode Fuzzy Hash: EDE0680017C8F0ABFC32BC8A30A17CD20C9F341270C0063B1065D3D8CAAB4AC018E907
Instruction Fuzzy Hash: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a

APIs

MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0042B4A2

Part of subcall function 004217A0: RegCloseKey.ADVAPI32(10940000,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5,?,00000000,0048B2DD), ref: 004217B4

Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421A81
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421AF1
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?), ref: 00421B5C

Part of subcall function 00421770: RegFlushKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 00421781
Part of subcall function 00421770: RegCloseKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 0042178A

Part of subcall function 0042B438: GetDC.USER32(00000000), ref: 0042B441
Part of subcall function 0042B438: SelectObject.GDI32(00000000,018A002E), ref: 0042B453
Part of subcall function 0042B438: GetTextMetricsA.GDI32(00000000), ref: 0042B45E
Part of subcall function 0042B438: ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes, xrefs: 0042B4F8
MS Shell Dlg 2, xrefs: 0042B50C
Tahoma, xrefs: 0042B4C4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00421140, Relevance: 6.1, APIs: 4, Instructions: 59 Total matches: 2877registry

Similarity

Total matches: 2877
API ID: GetClassInfoRegisterClassSetWindowLongUnregisterClass
String ID:
API String ID: 1046148194-0
Opcode ID: c2411987b4f71cfd8dbf515c505d6b009a951c89100e7b51cc1a9ad4868d85a2
Instruction ID: ad09bb2cd35af243c34bf0a983bbfa5e937b059beb8f7eacfcf21e0321a204f6
Opcode Fuzzy Hash: 17E026123D08D3D6E68B3107302B30D00AC1B2F524D94E725428030310CB24B034D942
Instruction Fuzzy Hash: ad09bb2cd35af243c34bf0a983bbfa5e937b059beb8f7eacfcf21e0321a204f6

APIs

GetClassInfoA.USER32(00400000,00421130,?), ref: 00421161
UnregisterClassA.USER32(00421130,00400000), ref: 0042118A
RegisterClassA.USER32(00491B50), ref: 00421194

Part of subcall function 0040857C: CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004085BB

Part of subcall function 00421084: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 004210A2

SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 004211DF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00421808, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74 Total matches: 14registry

Similarity

Total matches: 14
API ID: RegCloseKeyRegCreateKeyEx
String ID: ddA
API String ID: 4178925417-2966775115
Opcode ID: 48d059bb8e84bc3192dc11d099b9e0818b120cb04e32a6abfd9049538a466001
Instruction ID: bcac8fa413c5abe8057b39d2fbf4054ffa52545f664d92bf1e259ce37bb87d2b
Opcode Fuzzy Hash: 99E0E5461A86A377B41BB1583001B523267EB167A6C85AB72164D3EADBAA40802DAE53
Instruction Fuzzy Hash: bcac8fa413c5abe8057b39d2fbf4054ffa52545f664d92bf1e259ce37bb87d2b

APIs

RegCreateKeyExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,000F003F,00000000,?,?,00000000,004218D4,?,?,?,00000000), ref: 0042187F
RegCloseKey.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,000F003F,00000000,?,?,00000000,004218D4,?,?,?,00000000), ref: 00421893

Strings

ddA, xrefs: 004218A7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DD0C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51 Total matches: 15

Similarity

Total matches: 15
API ID: GlobalMemoryStatus
String ID: $%d%
API String ID: 1890195054-1553997471
Opcode ID: b93ee82e74eb3fdc7cf13e02b5efcaa0aef25b4b863b00f7ccdd0b9efdff76e6
Instruction ID: fe5533f6b2d125ff6ee6e2ff500c73019a28ed325643b914abb945f4eac8f20d
Opcode Fuzzy Hash: 64D05BD70F99F457A5A1718E3452FA400956F036D9CC83BB349946E99F071F80ACF612
Instruction Fuzzy Hash: fe5533f6b2d125ff6ee6e2ff500c73019a28ed325643b914abb945f4eac8f20d

APIs

GlobalMemoryStatus.KERNEL32(00000020), ref: 0048DD44

Strings

%d%, xrefs: 0048DD5C
, xrefs: 0048DD39

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048CF38, Relevance: 4.5, APIs: 3, Instructions: 43 Total matches: 31

Similarity

Total matches: 31
API ID: GetForegroundWindowGetWindowTextGetWindowTextLength
String ID:
API String ID: 3098183346-0
Opcode ID: 209e0569b9b6198440fd91fa0607dca7769e34364d6ddda49eba559da13bc80b
Instruction ID: 91d0bfb2ef12b00d399625e8c88d0df52cd9c99a94677dcfff05ce23f9c63a23
Opcode Fuzzy Hash: 06D0A785074B861BA40A96CC64011E692906161142D8077318725BA5C9AD06001FA85B
Instruction Fuzzy Hash: 91d0bfb2ef12b00d399625e8c88d0df52cd9c99a94677dcfff05ce23f9c63a23

APIs

GetForegroundWindow.USER32 ref: 0048CF57
GetWindowTextLengthA.USER32(00000000), ref: 0048CF63
GetWindowTextA.USER32(00000000,00000000,00000001), ref: 0048CF80

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482028, Relevance: 4.5, APIs: 3, Instructions: 19 Total matches: 124window

Similarity

Total matches: 124
API ID: DispatchMessageGetMessageTranslateMessage
String ID:
API String ID: 238847732-0
Opcode ID: 2bc29e822e5a19ca43f9056ef731e5d255ca23f22894fa6ffe39914f176e67d0
Instruction ID: 3635f244085e73605198e4edd337f824154064b4cabe78c039b45d2f1f3269be
Opcode Fuzzy Hash: A9B0120F8141E01F254D19651413380B5D379C3120E515B604E2340284D19031C97C49
Instruction Fuzzy Hash: 3635f244085e73605198e4edd337f824154064b4cabe78c039b45d2f1f3269be

APIs

Part of subcall function 00481ED8: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00482007,?,?,00000003,00000000,00000000,?,00482033), ref: 00481EFB
Part of subcall function 00481ED8: SetWindowsHookExA.USER32(0000000D,004818F8,00000000,00000000), ref: 00481F09

TranslateMessage.USER32 ref: 00482036
DispatchMessageA.USER32 ref: 0048203C
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00482048

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C91C, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 75 Total matches: 20

Similarity

Total matches: 20
API ID: GetVolumeInformation
String ID: %.4x:%.4x
API String ID: 1114431059-3532927987
Opcode ID: 208ca3ebf28c5cea15b573a569a7b8c9d147c1ff64dfac4d15af7b461a718bc8
Instruction ID: 4ae5e3aba91ec141201c4859cc19818ff8a02ee484ece83311eb3b9305c11bcf
Opcode Fuzzy Hash: F8E0E5410AC961EBB4D3F0883543BA2319593A3289C807B73B7467FDD64F05505DD847
Instruction Fuzzy Hash: 4ae5e3aba91ec141201c4859cc19818ff8a02ee484ece83311eb3b9305c11bcf

APIs

GetVolumeInformationA.KERNEL32(00000000,00000000,00000104,?,?,?,00000000,00000104), ref: 0048C974

Strings

%.4x:%.4x, xrefs: 0048C9B9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048CFB4, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58 Total matches: 8

Similarity

Total matches: 8
API ID: capGetDriverDescription
String ID: -
API String ID: 908034968-3695764949
Opcode ID: 539b46e002ba2863d7d2c04a7b077dd225392ffb50804089dcc6361416e5df4e
Instruction ID: 038fcc9a5db2c7f42583a832665ba5c588812794c244530825cfc74b69c29f65
Opcode Fuzzy Hash: 2EE0228213B0DAF7E5A00FA03864F5C0B640F02AB8F8C9FA2A278651EE2C14404CE24F
Instruction Fuzzy Hash: 038fcc9a5db2c7f42583a832665ba5c588812794c244530825cfc74b69c29f65

APIs

capGetDriverDescriptionA.AVICAP32(00000000,?,00000105,?,00000105,00000000,0048D07B), ref: 0048CFF9

Strings

- , xrefs: 0048D026

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00475E2C, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 51 Total matches: 7network

Similarity

Total matches: 7
API ID: send
String ID: AI
API String ID: 2809346765-2814088591
Opcode ID: 868ad7ac68dacb7c8c4160927bbae46afa974d2bcec77bad21f6f3dd38f5bacb
Instruction ID: 18704ec08ed0309c1d2906dc748e140c54c21f2532b483477e06f3f57a53c56f
Opcode Fuzzy Hash: 47D0C246096AC96BA413E890396335B2097FB40259D802B700B102F0978E05601BAE83
Instruction Fuzzy Hash: 18704ec08ed0309c1d2906dc748e140c54c21f2532b483477e06f3f57a53c56f

APIs

send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

AI, xrefs: 00475E55

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004221F0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47 Total matches: 18registry

Similarity

Total matches: 18
API ID: RegQueryValueEx
String ID: ldA
API String ID: 3865029661-3200660723
Opcode ID: ec304090a766059ca8447c7e950ba422bbcd8eaba57a730efadba48c404323b5
Instruction ID: 1bfdbd06430122471a07604155f074e1564294130eb9d59a974828bfc3ff2ca5
Opcode Fuzzy Hash: 87D05E281E48858525DA74D93101B522241E7193938CC3F618A4C976EB6900F018EE0F
Instruction Fuzzy Hash: 1bfdbd06430122471a07604155f074e1564294130eb9d59a974828bfc3ff2ca5

APIs

RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000), ref: 0042221B

Strings

ldA, xrefs: 00422231

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Similar Non-Executed Functions

Function 0048B42C, Relevance: 70.2, APIs: 32, Strings: 8, Instructions: 219 Total matches: 29keyboard

Similarity

Total matches: 29
API ID: keybd_event
String ID: CTRLA$CTRLC$CTRLF$CTRLP$CTRLV$CTRLX$CTRLY$CTRLZ
API String ID: 2665452162-853614746
Opcode ID: 4def22f753c7f563c1d721fcc218f3f6eb664e5370ee48361dbc989d32d74133
Instruction ID: 963b610819eac8b52ef880b5a8b69d76f76adbdeafee6c47af906d1515d6b099
Opcode Fuzzy Hash: 532196951B0CA2B978DA64817C0E195F00B969B34DEDC13128990DAF788EF08DE03F35
Instruction Fuzzy Hash: 963b610819eac8b52ef880b5a8b69d76f76adbdeafee6c47af906d1515d6b099

APIs

keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B460
keybd_event.USER32(00000041,00000045,00000001,00000000), ref: 0048B46D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B47A
keybd_event.USER32(00000041,00000045,00000003,00000000), ref: 0048B487
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B4A8
keybd_event.USER32(00000056,00000045,00000001,00000000), ref: 0048B4B5
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B4C2
keybd_event.USER32(00000056,00000045,00000003,00000000), ref: 0048B4CF
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B4F0
keybd_event.USER32(00000043,00000045,00000001,00000000), ref: 0048B4FD
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B50A
keybd_event.USER32(00000043,00000045,00000003,00000000), ref: 0048B517
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B538
keybd_event.USER32(00000058,00000045,00000001,00000000), ref: 0048B545
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B552
keybd_event.USER32(00000058,00000045,00000003,00000000), ref: 0048B55F
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B580
keybd_event.USER32(00000050,00000045,00000001,00000000), ref: 0048B58D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B59A
keybd_event.USER32(00000050,00000045,00000003,00000000), ref: 0048B5A7
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B5C8
keybd_event.USER32(0000005A,00000045,00000001,00000000), ref: 0048B5D5
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B5E2
keybd_event.USER32(0000005A,00000045,00000003,00000000), ref: 0048B5EF
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B610
keybd_event.USER32(00000059,00000045,00000001,00000000), ref: 0048B61D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B62A
keybd_event.USER32(00000059,00000045,00000003,00000000), ref: 0048B637
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B655
keybd_event.USER32(00000046,00000045,00000001,00000000), ref: 0048B662
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B66F
keybd_event.USER32(00000046,00000045,00000003,00000000), ref: 0048B67C

Strings

CTRLP, xrefs: 0048B56C
CTRLC, xrefs: 0048B4DC
CTRLV, xrefs: 0048B494
CTRLY, xrefs: 0048B5FC
CTRLF, xrefs: 0048B641
CTRLZ, xrefs: 0048B5B4
CTRLX, xrefs: 0048B524
CTRLA, xrefs: 0048B44C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00460AC0, Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99 Total matches: 300libraryloader

Similarity

Total matches: 300
API ID: GetProcAddress$GetModuleHandle
String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$[FILE]
API String ID: 1039376941-2682310058
Opcode ID: f09c306a48b0de2dd47c8210d3bd2ba449cfa3644c05cf78ba5a2ace6c780295
Instruction ID: bcfc9cd07546656776842482fc67dab96c7523a4dc8624f3bf5282ed84c56a54
Opcode Fuzzy Hash: 950151BF00AC158CCBB0CE8834EFB5324AB398984C4225F4495C6312393D9FF50A1AAA
Instruction Fuzzy Hash: bcfc9cd07546656776842482fc67dab96c7523a4dc8624f3bf5282ed84c56a54

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?,?,?), ref: 00460AD4
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?,?,?), ref: 00460AEC
GetProcAddress.KERNEL32(00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?), ref: 00460AFE
GetProcAddress.KERNEL32(00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E), ref: 00460B10
GetProcAddress.KERNEL32(00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5), ref: 00460B22
GetProcAddress.KERNEL32(00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5), ref: 00460B34
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000), ref: 00460B46
GetProcAddress.KERNEL32(00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002), ref: 00460B58
GetProcAddress.KERNEL32(00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot), ref: 00460B6A
GetProcAddress.KERNEL32(00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst), ref: 00460B7C
GetProcAddress.KERNEL32(00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext), ref: 00460B8E
GetProcAddress.KERNEL32(00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First), ref: 00460BA0
GetProcAddress.KERNEL32(00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next), ref: 00460BB2
GetProcAddress.KERNEL32(00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory), ref: 00460BC4
GetProcAddress.KERNEL32(00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First), ref: 00460BD6
GetProcAddress.KERNEL32(00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next), ref: 00460BE8
GetProcAddress.KERNEL32(00000000,Module32NextW,00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW), ref: 00460BFA

Strings

Toolhelp32ReadProcessMemory, xrefs: 00460B3E
CreateToolhelp32Snapshot, xrefs: 00460AE4
Heap32First, xrefs: 00460B1A
Thread32First, xrefs: 00460B98
Module32First, xrefs: 00460BBC
Process32FirstW, xrefs: 00460B74
Heap32Next, xrefs: 00460B2C
Process32First, xrefs: 00460B50
Module32Next, xrefs: 00460BCE
Module32NextW, xrefs: 00460BF2
Heap32ListFirst, xrefs: 00460AF6
Thread32Next, xrefs: 00460BAA
Module32FirstW, xrefs: 00460BE0
Heap32ListNext, xrefs: 00460B08
Process32NextW, xrefs: 00460B86
kernel32.dll, xrefs: 00460ACF
Process32Next, xrefs: 00460B62

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047FA8C, Relevance: 44.0, APIs: 24, Strings: 1, Instructions: 241 Total matches: 15networkwindow

Similarity

Total matches: 15
API ID: GetDeviceCaps$recv$DeleteObjectSelectObject$BitBltCreateCompatibleBitmapCreateCompatibleDCGetDCReleaseDCclosesocketconnectgethostbynameinet_addrntohssendshutdownsocket
String ID: THUMB
API String ID: 1930283203-3798143851
Opcode ID: 678904e15847db7bac48336b7cf5e320d4a41031a0bc1ba33978a791cdb2d37c
Instruction ID: a6e5d2826a1bfadec34d698d0b396fa74616cd31ac2933a690057ec4ea65ec21
Opcode Fuzzy Hash: A331F900078DE76BF6722B402983F571157FF42A21E6997A34BB4676C75FC0640EB60B
Instruction Fuzzy Hash: a6e5d2826a1bfadec34d698d0b396fa74616cd31ac2933a690057ec4ea65ec21

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,0047FD80), ref: 0047FACB
ntohs.WSOCK32(00000774), ref: 0047FAEF
inet_addr.WSOCK32(015EAA88,00000774), ref: 0047FB03
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 0047FB1B
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 0047FB42
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047FB59

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047FBA9
GetDC.USER32(00000000), ref: 0047FBE3
CreateCompatibleDC.GDI32(?), ref: 0047FBEF
GetDeviceCaps.GDI32(?,0000000A), ref: 0047FBFD
GetDeviceCaps.GDI32(?,00000008), ref: 0047FC09
CreateCompatibleBitmap.GDI32(?,00000000,?), ref: 0047FC13
SelectObject.GDI32(?,?), ref: 0047FC23
GetDeviceCaps.GDI32(?,0000000A), ref: 0047FC3E
GetDeviceCaps.GDI32(?,00000008), ref: 0047FC4A
BitBlt.GDI32(?,00000000,00000000,00000000,?,00000008,00000000,?,0000000A), ref: 0047FC58
send.WSOCK32(000000FF,?,00000000,00000000,?,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010), ref: 0047FCCD
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00000000,00000000,?,000000FF,?,00002000,00000000,000000FF,?,00002000), ref: 0047FCE4
SelectObject.GDI32(?,?), ref: 0047FD08
DeleteObject.GDI32(?), ref: 0047FD11
DeleteObject.GDI32(?), ref: 0047FD1A
ReleaseDC.USER32(00000000,?), ref: 0047FD25
shutdown.WSOCK32(000000FF,00000002,00000002,00000001,00000000,00000000,0047FD80), ref: 0047FD54
closesocket.WSOCK32(000000FF,000000FF,00000002,00000002,00000001,00000000,00000000,0047FD80), ref: 0047FD5D

Strings

THUMB, xrefs: 0047FB7F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486918, Relevance: 40.8, APIs: 27, Instructions: 343 Total matches: 14networksleep

Similarity

Total matches: 14
API ID: send$recv$closesocket$Sleepconnectgethostbynamegetsocknamentohsselectsocket
String ID:
API String ID: 2478304679-0
Opcode ID: 4d87a5330adf901161e92fb1ca319a93a9e59af002049e08fc24e9f18237b9f5
Instruction ID: e3ab2fee1e4498134b0ab76971bb2098cdaeb743d0e54aa66642cb2787f17742
Opcode Fuzzy Hash: 8F5159466792D79EF5A21F00640279192F68B03F25F05DB72D63A393D8CEC4009EBF08
Instruction Fuzzy Hash: e3ab2fee1e4498134b0ab76971bb2098cdaeb743d0e54aa66642cb2787f17742

APIs

recv.WSOCK32(?,?,00000002,00000002,00000000,00486E16), ref: 00486971
recv.WSOCK32(?,00000005,?,00000000), ref: 004869A0
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 004869EE
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486A0B
recv.WSOCK32(?,?,00000259,00000000,?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486A1F
send.WSOCK32(?,00000001,00000002,00000000), ref: 00486A9E
send.WSOCK32(?,00000001,00000002,00000000), ref: 00486ABB
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486AE8
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486B02
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486B2B
recv.WSOCK32(?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486B41
recv.WSOCK32(?,?,0000000C,00000000,?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486B7C
recv.WSOCK32(?,?,?,00000000,?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486BD9
gethostbyname.WSOCK32(00000000,?,?,?,00000000,?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486BFF
ntohs.WSOCK32(?,00000000,?,?,?,00000000,?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486C29
socket.WSOCK32(00000002,00000001,00000000), ref: 00486C44
connect.WSOCK32(00000000,00000002,00000010,00000002,00000001,00000000), ref: 00486C55
getsockname.WSOCK32(00000000,?,00000010,00000000,00000002,00000010,00000002,00000001,00000000), ref: 00486CA8
send.WSOCK32(?,00000005,0000000A,00000000,00000000,?,00000010,00000000,00000002,00000010,00000002,00000001,00000000), ref: 00486CDD
select.WSOCK32(00000000,?,00000000,00000000,00000000,?,00000005,0000000A,00000000,00000000,?,00000010,00000000,00000002,00000010,00000002), ref: 00486D1D
Sleep.KERNEL32(00000096,00000000,?,00000000,00000000,00000000,?,00000005,0000000A,00000000,00000000,?,00000010,00000000,00000002,00000010), ref: 00486DCA

Part of subcall function 00408710: __WSAFDIsSet.WSOCK32(00000000,?,00000000,?,00486D36,00000000,?,00000000,00000000,00000000,00000096,00000000,?,00000000,00000000,00000000), ref: 00408718

recv.WSOCK32(00000000,?,00001000,00000000,00000000,?,00000000,00000000,00000000,00000096,00000000,?,00000000,00000000,00000000,?), ref: 00486D5B
send.WSOCK32(?,?,00000000,00000000,00000000,?,00001000,00000000,00000000,?,00000000,00000000,00000000,00000096,00000000,?), ref: 00486D72
recv.WSOCK32(?,?,00001000,00000000,00000000,?,00000000,00000000,00000000,00000096,00000000,?,00000000,00000000,00000000,?), ref: 00486DA9
send.WSOCK32(00000000,?,00000000,00000000,?,?,00001000,00000000,00000000,?,00000000,00000000,00000000,00000096,00000000,?), ref: 00486DC0
closesocket.WSOCK32(?,?,?,00000002,00000002,00000000,00486E16), ref: 00486DE2
closesocket.WSOCK32(?,?,?,?,00000002,00000002,00000000,00486E16), ref: 00486DE8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004801FC, Relevance: 35.3, APIs: 15, Strings: 5, Instructions: 286 Total matches: 15network

Similarity

Total matches: 15
API ID: recv$closesocketconnectgethostbynameinet_addrntohssendshutdownsocket
String ID: [.dll]$[.dll]$[.dll]$[.dll]$[.dll]
API String ID: 2256622448-126193538
Opcode ID: edfb90c8b4475b2781d0696b1145c1d1b84b866ec8cac18c23b2313044de0fe7
Instruction ID: 2d95426e1e6ee9a744b3e863ef1b8a7e344b36da7f7d1abd741f771f4a8a1459
Opcode Fuzzy Hash: FB414B0217AAD36BE0726F413943B8B00A2AF03E15D9C97E247B5267D69FA0501DB21A
Instruction Fuzzy Hash: 2d95426e1e6ee9a744b3e863ef1b8a7e344b36da7f7d1abd741f771f4a8a1459

APIs

socket.WSOCK32(00000002,00000001,00000000), ref: 00480264
ntohs.WSOCK32(00000774), ref: 00480288
inet_addr.WSOCK32(015EAA88,00000774), ref: 0048029C
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 004802B4
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 004802DB
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004802F2
closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004805DE

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,?,0048064C,?,00000000,?,FILETRANSFER,000000FF,?,00002000,00000000,000000FF,00000002), ref: 0048036A
recv.WSOCK32(000000FF,?,00002000,00000000,?,00000000,?,0048064C,?,FILEBOF,?,FILETRANSFER,000000FF,?,00002000,00000000), ref: 00480401

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,00000000,?,0048064C,?,FILEBOF,?,FILETRANSFER), ref: 00480451
send.WSOCK32(000000FF,?,00000000,00000000,00000000,00480523,?,000000FF,?,00002000,00000000,?,00000000,?,0048064C,?), ref: 004804DB
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00000000,00000000,00000000,00480523,?,000000FF,?,00002000,00000000,?), ref: 004804F5
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,00000000,?,0048064C,?,FILEBOF,?,FILETRANSFER), ref: 00480583

Part of subcall function 00475F68: send.WSOCK32(?,00000000,?,00000000,00000000,00475FCA), ref: 00475FAF

recv.WSOCK32(000000FF,?,00002000,00000000,?,FILETRANSFER,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004805B6
shutdown.WSOCK32(000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004805D5

Strings

FILEERR, xrefs: 00480432
FILEEOF, xrefs: 00480564
FILEBOF, xrefs: 004803A6
FILEEND, xrefs: 00480597
FILETRANSFER, xrefs: 004802FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00480880, Relevance: 30.0, APIs: 12, Strings: 5, Instructions: 276 Total matches: 16network

Similarity

Total matches: 16
API ID: recv$closesocketshutdown$connectgethostbynameinet_addrntohssocket
String ID: [.dll]$[.dll]$[.dll]$[.dll]$[.dll]
API String ID: 2855376909-126193538
Opcode ID: ce8af9afc4fc20da17b49cda6627b8ca93217772cb051443fc0079949da9fcb3
Instruction ID: 6552a3c7cc817bd0bf0621291c8240d3f07fdfb759ea8c029e05bf9a4febe696
Opcode Fuzzy Hash: A5414C032767977AE1612F402881B952571BF03769DC8C7D257F6746EA5F60240EF31E
Instruction Fuzzy Hash: 6552a3c7cc817bd0bf0621291c8240d3f07fdfb759ea8c029e05bf9a4febe696

APIs

socket.WSOCK32(00000002,00000001,00000000,?,?,?,?,?,?,?,?,?,00000000,00480C86), ref: 004808B5
ntohs.WSOCK32(00000774), ref: 004808D9
inet_addr.WSOCK32(015EAA88,00000774), ref: 004808ED
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 00480905
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 0048092C
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480943
closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480C2F

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480993
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88), ref: 004809C8
shutdown.WSOCK32(000000FF,00000002,?,?,?,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000), ref: 00480B80
closesocket.WSOCK32(000000FF,000000FF,00000002,?,?,?,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?), ref: 00480B89

Part of subcall function 00480860: send.WSOCK32(?,00000000,00000001,00000000), ref: 00480879

shutdown.WSOCK32(000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480C26

Part of subcall function 00405D40: SysFreeString.OLEAUT32(?), ref: 00405D53

Strings

FILEERR, xrefs: 00480BB6
FILEBOF, xrefs: 00480A34
FILEEOF, xrefs: 00480B0B
UPLOADFILE, xrefs: 00480969
FILEEND, xrefs: 00480B6A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048851C, Relevance: 28.3, APIs: 11, Strings: 5, Instructions: 302 Total matches: 13network

Similarity

Total matches: 13
API ID: recv$closesocketconnectgethostbynameinet_addrmouse_eventntohsshutdownsocket
String ID: CONTROLIO$XLEFT$XMID$XRIGHT$XWHEEL
API String ID: 1694935655-1300867655
Opcode ID: 3d8ebbc3997d8a2a290d7fc83b0cdb9b95b23bbbcb8ad76760d2b66ee4a9946d
Instruction ID: 7e2e77316238cb3891ff65c9dc595f4b15bca55cd02a53a070d44cee5d55110c
Opcode Fuzzy Hash: C7410B051B8DD63BF4337E001883B422661FF02A24DC5ABD1ABB6766E75F40641EB74B
Instruction Fuzzy Hash: 7e2e77316238cb3891ff65c9dc595f4b15bca55cd02a53a070d44cee5d55110c

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00488943), ref: 00488581
ntohs.WSOCK32(00000774), ref: 004885A7
inet_addr.WSOCK32(015EAA88,00000774), ref: 004885BB
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 004885D3
connect.WSOCK32(?,00000002,00000010,015EAA88,00000774), ref: 004885FD
recv.WSOCK32(?,?,00002000,00000000,?,00000002,00000010,015EAA88,00000774), ref: 00488617

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(?,?,00002000,00000000,?,?,00002000,00000000,?,00000002,00000010,015EAA88,00000774), ref: 00488670
recv.WSOCK32(?,?,00002000,00000000,?,?,00002000,00000000,?,?,00002000,00000000,?,00000002,00000010,015EAA88), ref: 004886B7
mouse_event.USER32(00000800,00000000,00000000,00000000,00000000), ref: 00488743

Part of subcall function 00488F80: SetCursorPos.USER32(00000000,00000000), ref: 004890E0
Part of subcall function 00488F80: mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 004890FB
Part of subcall function 00488F80: mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 0048910A
Part of subcall function 00488F80: mouse_event.USER32(00000008,00000000,00000000,00000000,00000000), ref: 0048911B
Part of subcall function 00488F80: mouse_event.USER32(00000010,00000000,00000000,00000000,00000000), ref: 0048912A
Part of subcall function 00488F80: mouse_event.USER32(00000020,00000000,00000000,00000000,00000000), ref: 0048913B
Part of subcall function 00488F80: mouse_event.USER32(00000040,00000000,00000000,00000000,00000000), ref: 0048914A

shutdown.WSOCK32(?,00000002,00000002,00000001,00000000,00000000,00488943), ref: 00488907
closesocket.WSOCK32(?,?,00000002,00000002,00000001,00000000,00000000,00488943), ref: 00488913

Strings

XLEFT, xrefs: 004887C6
CONTROLIO, xrefs: 00488640
XRIGHT, xrefs: 0048882E
XMID, xrefs: 00488896
XWHEEL, xrefs: 00488701

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048317C, Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 191 Total matches: 13networkthread

Similarity

Total matches: 13
API ID: ExitThreadrecv$closesocketconnectgethostbynameinet_addrntohssendshutdownsocket
String ID: AI$DATAFLUX
API String ID: 321019756-425132630
Opcode ID: b7a2c89509495347fc3323384a94636a93f503423a5dcd762de1341b7d40447e
Instruction ID: d3bdd4e47b343d3b4fa6119c5e41daebd5c6236719acedab40bdc5f8245a3ecd
Opcode Fuzzy Hash: 4B214D4107AAD97AE4702A443881BA224165F535ADFD48B7147343F7D79E43205DFA4E
Instruction Fuzzy Hash: d3bdd4e47b343d3b4fa6119c5e41daebd5c6236719acedab40bdc5f8245a3ecd

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,004833A9,?,00000000,0048340F), ref: 00483247
ExitThread.KERNEL32(00000000,00000002,00000001,00000000,00000000,004833A9,?,00000000,0048340F), ref: 00483257
ntohs.WSOCK32(00000774), ref: 0048326E
inet_addr.WSOCK32(015EAA88,00000774), ref: 00483282
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 0048329A
ExitThread.KERNEL32(00000000,015EAA88,015EAA88,00000774), ref: 004832A7
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 004832C6
recv.WSOCK32(000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004832D7
ExitThread.KERNEL32(00000000,000000FF,000000FF,00000002,000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0048339A

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00000400,00000000,?,00483440,?,DATAFLUX,000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88), ref: 0048331D
send.WSOCK32(000000FF,?,00000000,00000000), ref: 0048335C
recv.WSOCK32(000000FF,?,00000400,00000000,000000FF,?,00000000,00000000), ref: 00483370
shutdown.WSOCK32(000000FF,00000002,000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00483382
closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0048338B

Strings

AI, xrefs: 00483218
DATAFLUX, xrefs: 004832E3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047F4E0, Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 295 Total matches: 16network

Similarity

Total matches: 16
API ID: recv$closesocketconnectgethostbynameinet_addrntohsshutdownsocket
String ID: [.dll]$PLUGIN$QUICKUP
API String ID: 3502134677-2029499634
Opcode ID: e0335874fa5fb0619f753044afc16a0783dc895853cb643f68a57d403a54b849
Instruction ID: e53faec40743fc20efac8ebff3967ea6891c829de5991c2041a7f36387638ce7
Opcode Fuzzy Hash: 8E4129031BAAEA76E1723F4029C2B851A62EF12635DC4C7E287F6652D65F60241DF60E
Instruction Fuzzy Hash: e53faec40743fc20efac8ebff3967ea6891c829de5991c2041a7f36387638ce7

APIs

socket.WSOCK32(00000002,00000001,00000000,?,00000000,0047F930,?,?,?,?,00000000,00000000), ref: 0047F543
ntohs.WSOCK32(00000774), ref: 0047F567
inet_addr.WSOCK32(015EAA88,00000774), ref: 0047F57B
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 0047F593
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F5BA
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F5D1
closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F8C2

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,?,0047F968,?,0047F968,?,QUICKUP,000000FF,?,00002000,00000000,000000FF,00000002), ref: 0047F63F
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,0047F968,?,0047F968,?,QUICKUP,000000FF,?), ref: 0047F66F

Part of subcall function 0047F4C0: send.WSOCK32(?,00000000,00000001,00000000), ref: 0047F4D9

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,0047F968,?,0047F968), ref: 0047F859

Part of subcall function 0048ADCC: SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0048ADF9
Part of subcall function 0048ADCC: SHGetPathFromIDListA.SHELL32(?,?,00000000,0048AE8C,?,?,00000005,?,004856FD,00000000,00485755,?,?,00000005,00000000,00000000), ref: 0048AE09

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,0047F968,?,0047F968), ref: 0047F786

Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EEA0
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF11
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EF31
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF60
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0047EF96
Part of subcall function 0047EE3C: SetFileAttributesA.KERNEL32(00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFD6
Part of subcall function 0047EE3C: DeleteFileA.KERNEL32(00000000,00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFFF
Part of subcall function 0047EE3C: CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0047F033
Part of subcall function 0047EE3C: PlaySoundA.WINMM(00000000,00000000,00000001,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047F059
Part of subcall function 0047EE3C: CopyFileA.KERNEL32(00000000,00000000,.dcp), ref: 0047F0D1

shutdown.WSOCK32(000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F8B9

Part of subcall function 00405D40: SysFreeString.OLEAUT32(?), ref: 00405D53

Strings

PLUGIN, xrefs: 0047F527
QUICKUP, xrefs: 0047F5DD
FILEEND, xrefs: 0047F7E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00489244, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 150 Total matches: 15networkthread

Similarity

Total matches: 15
API ID: recv$ExitThreadclosesocketconnectgethostbynameinet_addrntohssendshutdownsocket
String ID: AI$DATAFLUX
API String ID: 272284131-425132630
Opcode ID: 11f7e99e0a7c1cc561ab01f1b1abb0142bfc906553ec9d79ada03e9cf39adde9
Instruction ID: 4d7be339f0e68e68ccf0b59b667884dcbebc6bd1e5886c9405f519ae2503b2a6
Opcode Fuzzy Hash: DA115B4513B9A77BE0626F943842B6265236B02E3CF498B3153B83A3C6DF41146DFA4D
Instruction Fuzzy Hash: 4d7be339f0e68e68ccf0b59b667884dcbebc6bd1e5886c9405f519ae2503b2a6

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00489441), ref: 004892BA
ntohs.WSOCK32(00000774), ref: 004892DC
inet_addr.WSOCK32(015EAA88,00000774), ref: 004892F0
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 00489308
connect.WSOCK32(00000000,00000002,00000010,015EAA88,00000774), ref: 0048932C
recv.WSOCK32(00000000,?,00000400,00000000,00000000,00000002,00000010,015EAA88,00000774), ref: 00489340

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(00000000,?,00000400,00000000,?,0048946C,?,DATAFLUX,00000000,?,00000400,00000000,00000000,00000002,00000010,015EAA88), ref: 00489399
send.WSOCK32(00000000,?,00000000,00000000), ref: 004893E3
recv.WSOCK32(00000000,?,00000400,00000000,00000000,?,00000000,00000000), ref: 004893FA
shutdown.WSOCK32(00000000,00000002,00000002,00000001,00000000,00000000,00489441), ref: 00489409
closesocket.WSOCK32(00000000,00000000,00000002,00000002,00000001,00000000,00000000,00489441), ref: 0048940F
ExitThread.KERNEL32(00000000,00000000,00000000,00000002,00000002,00000001,00000000,00000000,00489441), ref: 0048941E

Strings

DATAFLUX, xrefs: 0048934C
AI, xrefs: 0048928B

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00406A68, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 139 Total matches: 2934stringlibraryfile

Similarity

Total matches: 2934
API ID: lstrcpyn$lstrlen$FindCloseFindFirstFileGetModuleHandleGetProcAddress
String ID: GetLongPathNameA$\$[FILE]
API String ID: 3661757112-3025972186
Opcode ID: 09af6d4fb3ce890a591f7b23fb756db22e1cbc03564fc0e4437be3767da6793e
Instruction ID: b14d932b19fc4064518abdddbac2846d3fd2a245794c3c1ecc53a3c556f9407d
Opcode Fuzzy Hash: 5A0148030E08E387E1775B017586F4A12A1EF41C38E98A36025F15BAC94E00300CF12F
Instruction Fuzzy Hash: b14d932b19fc4064518abdddbac2846d3fd2a245794c3c1ecc53a3c556f9407d

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,00400000,004917C0), ref: 00406A85
GetProcAddress.KERNEL32(?,GetLongPathNameA,kernel32.dll,?,00400000,004917C0), ref: 00406A9C
lstrcpynA.KERNEL32(?,?,?,?,00400000,004917C0), ref: 00406ACC
lstrcpynA.KERNEL32(?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B30

Part of subcall function 00406A48: CharNextA.USER32(?), ref: 00406A4F

lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B66
FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B79
FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B8B
lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B97
lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000), ref: 00406BCB
lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00406BD7
lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 00406BF9

Strings

GetLongPathNameA, xrefs: 00406A93
\, xrefs: 00406BA9
kernel32.dll, xrefs: 00406A80

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486E2C, Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 178 Total matches: 14networkthreadsleep

Similarity

Total matches: 14
API ID: CloseHandleCreateThreadExitThreadLocalAllocSleepacceptbindlistenntohssocket
String ID: ERR|Cannot listen to port, try another one..|$ERR|Socket error..|$OK|Successfully started..|
API String ID: 2137491959-3262568804
Opcode ID: 90fb1963c21165c4396d73d063bf7afe9f22d057a02fd569e7e66b2d14a70f73
Instruction ID: 0fda09cc725898a8dcbc65afb209be10fac5e25cc35172c883d426d9189e88b6
Opcode Fuzzy Hash: 9011D50257DC549BD5E7ACC83887FA611625F83E8CEC8BB06AB9A3B2C10E555028B652
Instruction Fuzzy Hash: 0fda09cc725898a8dcbc65afb209be10fac5e25cc35172c883d426d9189e88b6

APIs

socket.WSOCK32(00000002,00000001,00000006,00000000,00487046), ref: 00486E87
ntohs.WSOCK32(?,00000002,00000001,00000006,00000000,00487046), ref: 00486EA8
bind.WSOCK32(00000000,00000002,00000010,?,00000002,00000001,00000006,00000000,00487046), ref: 00486EBD
listen.WSOCK32(00000000,00000005,00000000,00000002,00000010,?,00000002,00000001,00000006,00000000,00487046), ref: 00486ECD

Part of subcall function 004870D4: EnterCriticalSection.KERNEL32(0049C3A8,00000000,004872FC,?,?,00000000,?,00000003,00000000,00000000,?,00486F27,00000000,?,?,00000000), ref: 00487110
Part of subcall function 004870D4: LeaveCriticalSection.KERNEL32(0049C3A8,004872E1,004872FC,?,?,00000000,?,00000003,00000000,00000000,?,00486F27,00000000,?,?,00000000), ref: 004872D4

accept.WSOCK32(00000000,?,00000010,00000000,?,?,00000000,00000000,00000005,00000000,00000002,00000010,?,00000002,00000001,00000006), ref: 00486F37
LocalAlloc.KERNEL32(00000040,00000010,00000000,?,00000010,00000000,?,?,00000000,00000000,00000005,00000000,00000002,00000010,?,00000002), ref: 00486F49
CreateThread.KERNEL32(00000000,00000000,Function_00086918,00000000,00000000,?), ref: 00486F83
CloseHandle.KERNEL32(00000000), ref: 00486F89
Sleep.KERNEL32(00000064,00000000,00000000,00000000,Function_00086918,00000000,00000000,?,00000040,00000010,00000000,?,00000010,00000000,?,?), ref: 00486FD0

Part of subcall function 00487488: EnterCriticalSection.KERNEL32(0049C3A8,00000000,00487671,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00487016), ref: 004874B5
Part of subcall function 00487488: closesocket.WSOCK32(00000000,FpH,?,?,?,?,0049C3A8,00000000,00487671,?,?,00000000,?,00000000,00000000,00000000), ref: 0048761C
Part of subcall function 00487488: LeaveCriticalSection.KERNEL32(0049C3A8,00487656,00487671,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00487016), ref: 00487649

ExitThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000010,?,00000002,00000001,00000006,00000000,00487046), ref: 00487018

Strings

ERR|Socket error..|, xrefs: 00486FA4
OK|Successfully started..|, xrefs: 00486EEF
ERR|Cannot listen to port, try another one..|, xrefs: 00486FEE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482630, Relevance: 18.1, APIs: 12, Instructions: 116 Total matches: 16threadnetworksleep

Similarity

Total matches: 16
API ID: ExitThread$Sleepclosesocketconnectgethostbynameinet_addrntohsrecvsocket
String ID:
API String ID: 2628901859-0
Opcode ID: a3aaf1e794ac1aa69d03c8f9e66797259df72f874d13839bb17dd00c6b42194d
Instruction ID: ff6d9d03150e41bc14cdbddfb540e41f41725cc753a621d047e760d4192c390a
Opcode Fuzzy Hash: 7801D0011B764DBFC4611E846C8239311A7A763899DC5EBB1433A395D34E00202DFE46
Instruction Fuzzy Hash: ff6d9d03150e41bc14cdbddfb540e41f41725cc753a621d047e760d4192c390a

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000000,004827A8), ref: 004826CB
ExitThread.KERNEL32(00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 004826D8
inet_addr.WSOCK32(00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 004826F3
ntohs.WSOCK32(00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 004826FC
gethostbyname.WSOCK32(00000000,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 0048270C
ExitThread.KERNEL32(00000000,00000000,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 00482719
connect.WSOCK32(00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 0048272F
ExitThread.KERNEL32(00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 0048273A

Part of subcall function 004824B0: send.WSOCK32(?,?,00000400,00000000,00000000,00482542), ref: 00482525

recv.WSOCK32(00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 00482758
Sleep.KERNEL32(000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 00482770
closesocket.WSOCK32(00000000,000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000), ref: 00482776
ExitThread.KERNEL32(00000000,00000000,000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?), ref: 0048277D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004821A0, Relevance: 15.1, APIs: 10, Instructions: 112 Total matches: 15threadnetworksleep

Similarity

Total matches: 15
API ID: ExitThread$Sleepclosesocketgethostbynameinet_addrntohssendtosocket
String ID:
API String ID: 1359030137-0
Opcode ID: 9f2e935b6ee09f04cbe2534d435647e5a9c7a25d7308ce71f3340d3606cd1e00
Instruction ID: ac1de70ce42b68397a6b2ea81eb33c5fd22f812bdd7d349b67f520e68fdd8bef
Opcode Fuzzy Hash: BC0197011B76997BD8612EC42C8335325A7E363498E85ABB2863A3A5C34E00303EFD4A
Instruction Fuzzy Hash: ac1de70ce42b68397a6b2ea81eb33c5fd22f812bdd7d349b67f520e68fdd8bef

APIs

socket.WSOCK32(00000002,00000002,00000000,?,00000000,00482302), ref: 0048223B
ExitThread.KERNEL32(00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 00482248
inet_addr.WSOCK32(00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 00482263
ntohs.WSOCK32(00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 0048226C
gethostbyname.WSOCK32(00000000,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 0048227C
ExitThread.KERNEL32(00000000,00000000,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 00482289
sendto.WSOCK32(00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 004822B2
Sleep.KERNEL32(000003E8,00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 004822CA
closesocket.WSOCK32(00000000,000003E8,00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 004822D0
ExitThread.KERNEL32(00000000,00000000,000003E8,00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000), ref: 004822D7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00458910, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64 Total matches: 3020window

Similarity

Total matches: 3020
API ID: GetWindowLongScreenToClient$GetWindowPlacementGetWindowRectIsIconic
String ID: ,
API String ID: 816554555-3772416878
Opcode ID: 33713ad712eb987f005f3c933c072ce84ce87073303cb20338137d5b66c4d54f
Instruction ID: 99fb2dd3f2d8984d329dcc6a20dc6bc7800d43894b91fc45d581d88d3a180e50
Opcode Fuzzy Hash: 34E0929A777C2018C58145A80943F5DB3519B5B7FAC55DF8036902895B110018B1B86D
Instruction Fuzzy Hash: 99fb2dd3f2d8984d329dcc6a20dc6bc7800d43894b91fc45d581d88d3a180e50

APIs

IsIconic.USER32(?), ref: 0045891F
GetWindowPlacement.USER32(?,0000002C), ref: 0045893C
GetWindowRect.USER32(?), ref: 00458955
GetWindowLongA.USER32(?,000000F0), ref: 00458963
GetWindowLongA.USER32(?,000000F8), ref: 00458978
ScreenToClient.USER32(00000000), ref: 00458985
ScreenToClient.USER32(00000000,?), ref: 00458990

Strings

,, xrefs: 00458928

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043B7D8, Relevance: 12.1, APIs: 8, Instructions: 72 Total matches: 256window

Similarity

Total matches: 256
API ID: ShowWindow$SetWindowLong$GetWindowLongIsIconicIsWindowVisible
String ID:
API String ID: 1329766111-0
Opcode ID: 851ee31c2da1c7e890e66181f8fd9237c67ccb8fd941b2d55d1428457ca3ad95
Instruction ID: 2d601e2c9dde570a1438639cb57e59d23a7ac9434ebe8ec1c9926e4533b8e8e7
Opcode Fuzzy Hash: FEE0684A6E7C6CE4E26AE7048881B00514BE307A17DC00B00C722165A69E8830E4AC8E
Instruction Fuzzy Hash: 2d601e2c9dde570a1438639cb57e59d23a7ac9434ebe8ec1c9926e4533b8e8e7

APIs

GetWindowLongA.USER32(?,000000EC), ref: 0043B7E8
IsIconic.USER32(?), ref: 0043B800
IsWindowVisible.USER32(?), ref: 0043B80C
ShowWindow.USER32(?,00000000), ref: 0043B840
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B855
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B866
ShowWindow.USER32(?,00000006), ref: 0043B881
ShowWindow.USER32(?,00000005), ref: 0043B88B

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004389B4, Relevance: 10.9, APIs: 7, Instructions: 405 Total matches: 2150windowCrypto

Similarity

Total matches: 2150
API ID: RestoreDCSaveDC$DefWindowProcGetSubMenuGetWindowDC
String ID:
API String ID: 4165311318-0
Opcode ID: e3974ea3235f2bde98e421c273a503296059dbd60f3116d5136c6e7e7c4a4110
Instruction ID: 37498faecac08611daeb58a409bdd2e28f3aff22c71556953c3d6c7203dc42a1
Opcode Fuzzy Hash: E351598106AE105BFCB3A49435C3FA31002E75259BCC9F7725F65B69F70A426107FA0E
Instruction Fuzzy Hash: 37498faecac08611daeb58a409bdd2e28f3aff22c71556953c3d6c7203dc42a1

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 00438ECA

Part of subcall function 00437AE0: SendMessageA.USER32(?,00000234,00000000,00000000), ref: 00437B66
Part of subcall function 00437AE0: DrawMenuBar.USER32(00000000), ref: 00437B77

GetSubMenu.USER32(?,?), ref: 00438AB0

Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128

SaveDC.GDI32(?), ref: 00438C84
RestoreDC.GDI32(?,?), ref: 00438CF8
GetWindowDC.USER32(?), ref: 00438D72
SaveDC.GDI32(?), ref: 00438DA9
RestoreDC.GDI32(?,?), ref: 00438E16

Part of subcall function 00438594: GetMenuItemCount.USER32(?), ref: 004385C0
Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 004385E0
Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 00438678

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043E644, Relevance: 10.9, APIs: 7, Instructions: 356 Total matches: 105windowCrypto

Similarity

Total matches: 105
API ID: RestoreDCSaveDC$GetParentGetWindowDCSetFocus
String ID:
API String ID: 1433148327-0
Opcode ID: c7c51054c34f8cc51c1d37cc0cdfc3fb3cac56433bd5d750a0ee7df42f9800ec
Instruction ID: 9e67841575b56d9a11e2d3f15b67e7abce699d8469a9871b1b2609441fc85f19
Opcode Fuzzy Hash: 60514740199E7193F47720842BC3BEAB09AF79671DC40F3616BC6318877F15A21AB70B
Instruction Fuzzy Hash: 9e67841575b56d9a11e2d3f15b67e7abce699d8469a9871b1b2609441fc85f19

APIs

Part of subcall function 00448224: SetActiveWindow.USER32(?), ref: 0044823F
Part of subcall function 00448224: SetFocus.USER32(00000000), ref: 00448289

SetFocus.USER32(00000000), ref: 0043E76F

Part of subcall function 0043F4F4: SendMessageA.USER32(00000000,00000229,00000000,00000000), ref: 0043F51B

Part of subcall function 0044D2F4: GetWindowThreadProcessId.USER32(?), ref: 0044D301
Part of subcall function 0044D2F4: GetCurrentProcessId.KERNEL32(?,00000000,?,004387ED,?,004378A9), ref: 0044D30A
Part of subcall function 0044D2F4: GlobalFindAtomA.KERNEL32(00000000), ref: 0044D31F
Part of subcall function 0044D2F4: GetPropA.USER32(?,00000000), ref: 0044D336

GetParent.USER32(?), ref: 0043E78A

Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128

SaveDC.GDI32(?), ref: 0043E92D
RestoreDC.GDI32(?,?), ref: 0043E99E
GetWindowDC.USER32(00000000), ref: 0043EA0A
SaveDC.GDI32(?), ref: 0043EA41
RestoreDC.GDI32(?,?), ref: 0043EAA5

Part of subcall function 00447EF0: InvalidateRect.USER32(00000000,00000000,000000FF), ref: 00447F83
Part of subcall function 00447EF0: InvalidateRect.USER32(00000000,00000000,000000FF), ref: 00447FB6

Part of subcall function 004556F4: SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000077), ref: 004557E5
Part of subcall function 004556F4: _TrackMouseEvent.COMCTL32(00000010), ref: 00455A9D
Part of subcall function 004556F4: DefWindowProcA.USER32(00000000,?,?,?), ref: 00455AEF
Part of subcall function 004556F4: GetCapture.USER32 ref: 00455B5A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00471850, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 97 Total matches: 34service

Similarity

Total matches: 34
API ID: CloseServiceHandle$CreateServiceOpenSCManager
String ID: Description$System\CurrentControlSet\Services\
API String ID: 2405299899-3489731058
Opcode ID: 96e252074fe1f6aca618bd4c8be8348df4b99afc93868a54bf7090803d280f0a
Instruction ID: 14b9cf690ce9596509c6229b802a5a61d158de39c8e329de654368bbb4824ff8
Opcode Fuzzy Hash: 7EF09E441FA6E84FA45EB84828533D651465713A78D4C77F19778379C34E84802EF662
Instruction Fuzzy Hash: 14b9cf690ce9596509c6229b802a5a61d158de39c8e329de654368bbb4824ff8

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,00471976,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00471890
CreateServiceA.ADVAPI32(00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,0047193B), ref: 004718D1

Part of subcall function 004711E8: RegCreateKeyA.ADVAPI32(?,00000000,?), ref: 0047122E
Part of subcall function 004711E8: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000002,00000000,?,00000000,00471291), ref: 0047125A
Part of subcall function 004711E8: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000002,00000000,?,00000000,00471291), ref: 00471269

CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00471926
CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0047192C

Strings

Description, xrefs: 00471916
System\CurrentControlSet\Services\, xrefs: 004718F7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004714B8, Relevance: 10.6, APIs: 7, Instructions: 89 Total matches: 71service

Similarity

Total matches: 71
API ID: CloseServiceHandle$ControlServiceOpenSCManagerOpenServiceQueryServiceStatusStartService
String ID:
API String ID: 3657116338-0
Opcode ID: 1e9d444eec48d0e419340f6fec950ff588b94c8e7592a950f99d2ba7664d31f8
Instruction ID: f731b938185626ba78ad74946a73eac4c40bc8709c87a2b6d5c22da45b1e1850
Opcode Fuzzy Hash: EDF0270D12C6E85FF119A88C1181B67D992DF56795E4A37E04715744CB1AE21008FA1E
Instruction Fuzzy Hash: f731b938185626ba78ad74946a73eac4c40bc8709c87a2b6d5c22da45b1e1850

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047159E), ref: 004714FD
OpenServiceA.ADVAPI32(00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047152D
StartServiceA.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471555
ControlService.ADVAPI32(00000000,00000001,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471563
QueryServiceStatus.ADVAPI32(00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047156D
CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471573
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471579

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A070, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51 Total matches: 81shutdown

Similarity

Total matches: 81
API ID: AdjustTokenPrivilegesExitWindowsExGetCurrentProcessLookupPrivilegeValueOpenProcessToken
String ID: SeShutdownPrivilege
API String ID: 907618230-3733053543
Opcode ID: 6325c351eeb4cc5a7ec0039467aea46e8b54e3429b17674810d590d1af91e24f
Instruction ID: 66577e1e564058a64f67eda116e8e082f314cb3670dbe1b8773e92ba7f33d392
Opcode Fuzzy Hash: 84D0124D3B7976B1F31D5D4001C47A6711FDBA322AD61670069507725A8DA091F4BE88
Instruction Fuzzy Hash: 66577e1e564058a64f67eda116e8e082f314cb3670dbe1b8773e92ba7f33d392

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 0048A083
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0048A089
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000000), ref: 0048A0A4
AdjustTokenPrivileges.ADVAPI32(00000002,00000000,00000002,00000010,?,?,00000000), ref: 0048A0E5
ExitWindowsEx.USER32(00000012,00000000), ref: 0048A0ED

Strings

SeShutdownPrivilege, xrefs: 0048A09D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004715B0, Relevance: 7.5, APIs: 5, Instructions: 49 Total matches: 102service

Similarity

Total matches: 102
API ID: CloseServiceHandle$DeleteServiceOpenSCManagerOpenService
String ID:
API String ID: 3460840894-0
Opcode ID: edfa3289dfdb26ec1f91a4a945de349b204e0a604ed3354c303b362bde8b8223
Instruction ID: 514bcffe4070602af344c66095507f6a8d55ec3e3e7bb18c804bf3b7deea95f5
Opcode Fuzzy Hash: 01D02E841BA8F82FD4879988111239360C1AA23A90D8A37F08E08361D3ABE4004CF86A
Instruction Fuzzy Hash: 514bcffe4070602af344c66095507f6a8d55ec3e3e7bb18c804bf3b7deea95f5

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047162F), ref: 004715DB
OpenServiceA.ADVAPI32(00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 004715F5
DeleteService.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471601
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 0047160E
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471614

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474D58, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 57 Total matches: 14memoryinjection

Similarity

Total matches: 14
API ID: VirtualAllocExWriteProcessMemory
String ID: DCPERSFWBP$[FILE]
API String ID: 1899012086-3297815924
Opcode ID: 423b64deca3bc68d45fc180ef4fe9512244710ab636da43375ed106f5e876429
Instruction ID: 67bfdac44fec7567ab954589a4a4ae8848f6352de5e33de26bc6a5b7174d46b5
Opcode Fuzzy Hash: 4BD02B4149BDE17FF94C78C4A85678341A7D3173DCE802F51462633086CD94147EFCA2
Instruction Fuzzy Hash: 67bfdac44fec7567ab954589a4a4ae8848f6352de5e33de26bc6a5b7174d46b5

APIs

VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?,00000000,00000000,00000000,?,004755A7), ref: 00474D98
WriteProcessMemory.KERNEL32(?,00000000,kernel32.dll,?,?,?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?), ref: 00474DBE

Strings

DCPERSFWBP, xrefs: 00474D63
kernel32.dll, xrefs: 00474DBB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00466038, Relevance: 6.1, APIs: 4, Instructions: 80 Total matches: 74memory

Similarity

Total matches: 74
API ID: FreeLibraryGetProcessHeapHeapFreeVirtualFree
String ID:
API String ID: 3842653680-0
Opcode ID: 18c634abe08efcbefc55c9db1d620b030a08f63fe7277eb6ecf1dfb863243027
Instruction ID: c74000fe1f08e302fb3e428a7eb38cba65dd626a731774cc3da5921c0d19fb8b
Opcode Fuzzy Hash: 05E06801058482C6E4EC38C40607F0867817F8B269D70AB2809F62E7F7C985A25D5E80
Instruction Fuzzy Hash: c74000fe1f08e302fb3e428a7eb38cba65dd626a731774cc3da5921c0d19fb8b

APIs

FreeLibrary.KERNEL32(00000000,?,?,00000000,?,00000000,00465C6C), ref: 004660A7
VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,?,00000000,00465C6C), ref: 004660D8
GetProcessHeap.KERNEL32(00000000,?,?,?,00000000,?,00000000,00465C6C), ref: 004660E0
HeapFree.KERNEL32(00000000,00000000,?), ref: 004660E6

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A218, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45 Total matches: 35

Similarity

Total matches: 35
API ID: ShellExecuteEx
String ID: <$runas
API String ID: 188261505-1187129395
Opcode ID: 78fd917f465efea932f782085a819b786d64ecbded851ad2becd4a9c2b295cba
Instruction ID: 699417cfffd9d2823bf050fc300394e0ca4864bf277244f982f3937778f2d3bc
Opcode Fuzzy Hash: 44D0C2651799A06BC4A3B2C03C41B2B25307B13B48C0EB722960034CD38F080009EF85
Instruction Fuzzy Hash: 699417cfffd9d2823bf050fc300394e0ca4864bf277244f982f3937778f2d3bc

APIs

ShellExecuteExA.SHELL32(0000003C,00000000,0048A2A4), ref: 0048A283

Strings

runas, xrefs: 0048A268
<, xrefs: 0048A24C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00471640, Relevance: 4.6, APIs: 3, Instructions: 140 Total matches: 47service

Similarity

Total matches: 47
API ID: CloseServiceHandleEnumServicesStatusOpenSCManager
String ID:
API String ID: 233299287-0
Opcode ID: 185c547a2e6a35dbb7ea54b3dd23c7efef250d35a63269c87f9c499be03b9b38
Instruction ID: 4325fe5331610a1e4ee3b19dd885bf5302e7ab4f054d8126da991c50fe425a8d
Opcode Fuzzy Hash: D3112647077BC223FB612D841803F8279D84B1AA24F8C4B458BB5BC6F61E490105F69D
Instruction Fuzzy Hash: 4325fe5331610a1e4ee3b19dd885bf5302e7ab4f054d8126da991c50fe425a8d

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000005,00000000,00471828), ref: 004716A2
EnumServicesStatusA.ADVAPI32(00000000,0000013F,00000003,?,00004800,?,?,?), ref: 004716DC

Part of subcall function 004714B8: OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047159E), ref: 004714FD
Part of subcall function 004714B8: OpenServiceA.ADVAPI32(00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047152D
Part of subcall function 004714B8: StartServiceA.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471555
Part of subcall function 004714B8: ControlService.ADVAPI32(00000000,00000001,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471563
Part of subcall function 004714B8: QueryServiceStatus.ADVAPI32(00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047156D
Part of subcall function 004714B8: CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471573
Part of subcall function 004714B8: CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471579

CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000005,00000000,00471828), ref: 00471805

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042F204, Relevance: 166.5, APIs: 48, Strings: 47, Instructions: 266 Total matches: 2590libraryloader

Similarity

Total matches: 2590
API ID: GetProcAddress$LoadLibrary
String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$[FILE]
API String ID: 2209490600-790253602
Opcode ID: d5b316937265a1d63c550ac9e6780b23ae603b9b00a4eb52bbd2495b45327185
Instruction ID: cdd6db89471e363eb0c024dafd59dce8bdfa3de864d9ed8bc405e7c292d3cab1
Opcode Fuzzy Hash: 3A41197F44EC1149F6A0DA0830FF64324E669EAF2C0325F101587303717ADBF52A6AB9
Instruction Fuzzy Hash: cdd6db89471e363eb0c024dafd59dce8bdfa3de864d9ed8bc405e7c292d3cab1

APIs

LoadLibraryA.KERNEL32(uxtheme.dll), ref: 0042F23A
GetProcAddress.KERNEL32(00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F252
GetProcAddress.KERNEL32(00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F264
GetProcAddress.KERNEL32(00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F276
GetProcAddress.KERNEL32(00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F288
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F29A
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F2AC
GetProcAddress.KERNEL32(00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000), ref: 0042F2BE
GetProcAddress.KERNEL32(00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData), ref: 0042F2D0
GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData), ref: 0042F2E2
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground), ref: 0042F2F4
GetProcAddress.KERNEL32(00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText), ref: 0042F306
GetProcAddress.KERNEL32(00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect), ref: 0042F318
GetProcAddress.KERNEL32(00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect), ref: 0042F32A
GetProcAddress.KERNEL32(00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize), ref: 0042F33C
GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent), ref: 0042F34E
GetProcAddress.KERNEL32(00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics), ref: 0042F360
GetProcAddress.KERNEL32(00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion), ref: 0042F372
GetProcAddress.KERNEL32(00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground), ref: 0042F384
GetProcAddress.KERNEL32(00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge), ref: 0042F396
GetProcAddress.KERNEL32(00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon), ref: 0042F3A8
GetProcAddress.KERNEL32(00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined), ref: 0042F3BA
GetProcAddress.KERNEL32(00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent), ref: 0042F3CC
GetProcAddress.KERNEL32(00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor), ref: 0042F3DE
GetProcAddress.KERNEL32(00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric), ref: 0042F3F0
GetProcAddress.KERNEL32(00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString), ref: 0042F402
GetProcAddress.KERNEL32(00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool), ref: 0042F414
GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt), ref: 0042F426
GetProcAddress.KERNEL32(00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue), ref: 0042F438
GetProcAddress.KERNEL32(00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition), ref: 0042F44A
GetProcAddress.KERNEL32(00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont), ref: 0042F45C
GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect), ref: 0042F46E
GetProcAddress.KERNEL32(00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins), ref: 0042F480
GetProcAddress.KERNEL32(00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList), ref: 0042F492
GetProcAddress.KERNEL32(00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin), ref: 0042F4A4
GetProcAddress.KERNEL32(00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme), ref: 0042F4B6
GetProcAddress.KERNEL32(00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename), ref: 0042F4C8
GetProcAddress.KERNEL32(00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor), ref: 0042F4DA
GetProcAddress.KERNEL32(00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush), ref: 0042F4EC
GetProcAddress.KERNEL32(00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool), ref: 0042F4FE
GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize), ref: 0042F510
GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont), ref: 0042F522
GetProcAddress.KERNEL32(00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString), ref: 0042F534
GetProcAddress.KERNEL32(00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt), ref: 0042F546
GetProcAddress.KERNEL32(00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive), ref: 0042F558
GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed), ref: 0042F56A
GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground,00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme), ref: 0042F57C
GetProcAddress.KERNEL32(00000000,EnableTheming,00000000,DrawThemeParentBackground,00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture), ref: 0042F58E

Strings

EnableTheming, xrefs: 0042F586
CloseThemeData, xrefs: 0042F25C
DrawThemeText, xrefs: 0042F280
GetThemePosition, xrefs: 0042F3C4
IsThemeBackgroundPartiallyTransparent, xrefs: 0042F346
GetThemeBool, xrefs: 0042F38E
GetThemeTextMetrics, xrefs: 0042F2DA
IsThemeDialogTextureEnabled, xrefs: 0042F51A
GetThemeMetric, xrefs: 0042F36A
GetThemeSysInt, xrefs: 0042F4C0
GetThemeInt, xrefs: 0042F3A0
SetThemeAppProperties, xrefs: 0042F53E
IsAppThemed, xrefs: 0042F4E4
EnableThemeDialogTexture, xrefs: 0042F508
GetThemeEnumValue, xrefs: 0042F3B2
GetThemeSysSize, xrefs: 0042F48A
GetThemeTextExtent, xrefs: 0042F2C8
DrawThemeBackground, xrefs: 0042F26E
GetThemeBackgroundRegion, xrefs: 0042F2EC
IsThemeActive, xrefs: 0042F4D2
GetThemeBackgroundContentRect, xrefs: 0042F292, 0042F2A4
uxtheme.dll, xrefs: 0042F235
GetThemeSysString, xrefs: 0042F4AE
DrawThemeEdge, xrefs: 0042F310
GetThemeFilename, xrefs: 0042F442
GetThemeIntList, xrefs: 0042F40C
GetThemeSysBool, xrefs: 0042F478
GetThemeSysColor, xrefs: 0042F454
GetThemeFont, xrefs: 0042F3D6
GetWindowTheme, xrefs: 0042F4F6
GetThemeMargins, xrefs: 0042F3FA
GetThemeSysColorBrush, xrefs: 0042F466
GetCurrentThemeName, xrefs: 0042F550
GetThemeAppProperties, xrefs: 0042F52C
GetThemePropertyOrigin, xrefs: 0042F41E
OpenThemeData, xrefs: 0042F24A
GetThemeSysFont, xrefs: 0042F49C
GetThemeRect, xrefs: 0042F3E8
GetThemeDocumentationProperty, xrefs: 0042F562
IsThemePartDefined, xrefs: 0042F334
SetWindowTheme, xrefs: 0042F430
GetThemePartSize, xrefs: 0042F2B6
GetThemeColor, xrefs: 0042F358
DrawThemeParentBackground, xrefs: 0042F574
DrawThemeIcon, xrefs: 0042F322
GetThemeString, xrefs: 0042F37C
HitTestThemeBackground, xrefs: 0042F2FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004754C4, Relevance: 87.7, APIs: 29, Strings: 21, Instructions: 233 Total matches: 21libraryloaderprocess

Similarity

Total matches: 21
API ID: GetModuleHandleGetProcAddress$CreateProcess
String ID: CloseHandle$CreateMutexA$CreateProcessA$D$DCPERSFWBP$ExitThread$GetExitCodeProcess$GetLastError$GetProcAddress$LoadLibraryA$MessageBoxA$OpenProcess$SetLastError$Sleep$TerminateProcess$WaitForSingleObject$kernel32$[FILE]$notepad$user32$[FILE]
API String ID: 3751337051-3523759359
Opcode ID: 948186da047cc935dcd349cc6fe59913c298c2f7fe37e158e253dfef2729ac1f
Instruction ID: 4cc698827aad1f96db961776656dbb42e561cfa105640199e72939f2d3a7da76
Opcode Fuzzy Hash: 0C31B4E666B8F349E6362E4830D46BC26C1A687F3DB52D7004A37B27C46E810407F776
Instruction Fuzzy Hash: 4cc698827aad1f96db961776656dbb42e561cfa105640199e72939f2d3a7da76

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 00475590

Part of subcall function 00474D58: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?,00000000,00000000,00000000,?,004755A7), ref: 00474D98
Part of subcall function 00474D58: WriteProcessMemory.KERNEL32(?,00000000,kernel32.dll,?,?,?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?), ref: 00474DBE

GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756B4
GetProcAddress.KERNEL32(00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756BA
GetModuleHandleA.KERNEL32(kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756CB
GetProcAddress.KERNEL32(00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756D1
GetModuleHandleA.KERNEL32(kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756E3
GetProcAddress.KERNEL32(00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 004756E9
GetModuleHandleA.KERNEL32(user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 004756FB
GetProcAddress.KERNEL32(00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 00475701
GetModuleHandleA.KERNEL32(kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 00475713
GetProcAddress.KERNEL32(00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000), ref: 00475719
GetModuleHandleA.KERNEL32(kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32), ref: 0047572B
GetProcAddress.KERNEL32(00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000), ref: 00475731
GetModuleHandleA.KERNEL32(kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32), ref: 00475743
GetProcAddress.KERNEL32(00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000), ref: 00475749
GetModuleHandleA.KERNEL32(kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32), ref: 0047575B
GetProcAddress.KERNEL32(00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000), ref: 00475761
GetModuleHandleA.KERNEL32(kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32), ref: 00475773
GetProcAddress.KERNEL32(00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000), ref: 00475779
GetModuleHandleA.KERNEL32(kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32), ref: 0047578B
GetProcAddress.KERNEL32(00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000), ref: 00475791
GetModuleHandleA.KERNEL32(kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32), ref: 004757A3
GetProcAddress.KERNEL32(00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000), ref: 004757A9
GetModuleHandleA.KERNEL32(kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32), ref: 004757BB
GetProcAddress.KERNEL32(00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000), ref: 004757C1
GetModuleHandleA.KERNEL32(kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32), ref: 004757D3
GetProcAddress.KERNEL32(00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000), ref: 004757D9
GetModuleHandleA.KERNEL32(kernel32,OpenProcess,00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32), ref: 004757EB
GetProcAddress.KERNEL32(00000000,kernel32,OpenProcess,00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000), ref: 004757F1

Part of subcall function 00474E20: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00474E5E
Part of subcall function 00474E20: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00474E6E
Part of subcall function 00474E20: ReadProcessMemory.KERNEL32(?,00000000,?,?,?,DCPERSFWBP,?,?), ref: 00474E81

Part of subcall function 0040F234: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0048F90F,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040F24B

Strings

ExitThread, xrefs: 00475622, 00475799
kernel32, xrefs: 004756AF, 004756C6, 004756DE, 0047570E, 00475726, 0047573E, 00475756, 0047576E, 00475786, 0047579E, 004757B6, 004757CE, 004757E6
GetProcAddress, xrefs: 004756C1
TerminateProcess, xrefs: 0047564C, 004757B1
notepad, xrefs: 00475543
CreateMutexA, xrefs: 00475604, 00475769
kernel32.dll, xrefs: 0047559B
user32.dll, xrefs: 004755AA
SetLastError, xrefs: 004755F5, 00475751
D, xrefs: 00475517
DCPERSFWBP, xrefs: 00475563
Sleep, xrefs: 004755B9, 004756D9
GetExitCodeProcess, xrefs: 0047565B, 00475781
user32, xrefs: 004756F6
WaitForSingleObject, xrefs: 0047567E, 004757C9
LoadLibraryA, xrefs: 004756AA
OpenProcess, xrefs: 00475631, 004757E1
MessageBoxA, xrefs: 004755C8, 004756F1
CreateProcessA, xrefs: 004755D7, 00475721
GetLastError, xrefs: 004755E6, 00475739
CloseHandle, xrefs: 00475613, 00475709

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00460DDC, Relevance: 75.4, APIs: 24, Strings: 19, Instructions: 132 Total matches: 77libraryloader

Similarity

Total matches: 77
API ID: GetProcAddress$LoadLibrary
String ID: EmptyWorkingSet$EnumDeviceDrivers$EnumProcessModules$EnumProcesses$GetDeviceDriverBaseNameA$GetDeviceDriverBaseNameW$GetDeviceDriverFileNameA$GetDeviceDriverFileNameW$GetMappedFileNameA$GetMappedFileNameW$GetModuleBaseNameA$GetModuleBaseNameW$GetModuleFileNameExA$GetModuleFileNameExW$GetModuleInformation$GetProcessMemoryInfo$InitializeProcessForWsWatch$[FILE]$QueryWorkingSet
API String ID: 2209490600-4166134900
Opcode ID: aaefed414f62a40513f9ac2234ba9091026a29d00b8defe743cdf411cc1f958a
Instruction ID: 585c55804eb58d57426aaf25b5bf4c27b161b10454f9e43d23d5139f544de849
Opcode Fuzzy Hash: CC1125BF55AD1149CBA48A6C34EF70324D3399A90D4228F10A492317397DDFE49A1FB5
Instruction Fuzzy Hash: 585c55804eb58d57426aaf25b5bf4c27b161b10454f9e43d23d5139f544de849

APIs

LoadLibraryA.KERNEL32(PSAPI.dll), ref: 00460DF0
GetProcAddress.KERNEL32(00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E0C
GetProcAddress.KERNEL32(00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E1E
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E30
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E42
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E54
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E66
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll), ref: 00460E78
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses), ref: 00460E8A
GetProcAddress.KERNEL32(00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules), ref: 00460E9C
GetProcAddress.KERNEL32(00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA), ref: 00460EAE
GetProcAddress.KERNEL32(00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA), ref: 00460EC0
GetProcAddress.KERNEL32(00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA), ref: 00460ED2
GetProcAddress.KERNEL32(00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA), ref: 00460EE4
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW), ref: 00460EF6
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW), ref: 00460F08
GetProcAddress.KERNEL32(00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation), ref: 00460F1A
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet), ref: 00460F2C
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet), ref: 00460F3E
GetProcAddress.KERNEL32(00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch), ref: 00460F50
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA), ref: 00460F62
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA), ref: 00460F74
GetProcAddress.KERNEL32(00000000,EnumDeviceDrivers,00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA), ref: 00460F86
GetProcAddress.KERNEL32(00000000,GetProcessMemoryInfo,00000000,EnumDeviceDrivers,00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA), ref: 00460F98

Strings

GetDeviceDriverFileNameA, xrefs: 00460F00, 00460F36
GetModuleInformation, xrefs: 00460E94
QueryWorkingSet, xrefs: 00460EB8
EnumProcessModules, xrefs: 00460E16
InitializeProcessForWsWatch, xrefs: 00460ECA
GetMappedFileNameA, xrefs: 00460EDC, 00460F12
GetDeviceDriverFileNameW, xrefs: 00460F6C
GetDeviceDriverBaseNameA, xrefs: 00460EEE, 00460F24
PSAPI.dll, xrefs: 00460DEB
EnumProcesses, xrefs: 00460E04
EnumDeviceDrivers, xrefs: 00460F7E
GetModuleBaseNameA, xrefs: 00460E28, 00460E4C
GetModuleFileNameExA, xrefs: 00460E3A, 00460E5E
GetDeviceDriverBaseNameW, xrefs: 00460F5A
EmptyWorkingSet, xrefs: 00460EA6
GetModuleFileNameExW, xrefs: 00460E82
GetModuleBaseNameW, xrefs: 00460E70
GetMappedFileNameW, xrefs: 00460F48
GetProcessMemoryInfo, xrefs: 00460F90

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474F80, Relevance: 68.4, APIs: 23, Strings: 16, Instructions: 193 Total matches: 16libraryloaderprocess

Similarity

Total matches: 16
API ID: GetModuleHandleGetProcAddress$CreateProcess
String ID: CloseHandle$D$DeleteFileA$ExitThread$GetExitCodeProcess$GetLastError$GetProcAddress$LoadLibraryA$MessageBoxA$OpenProcess$Sleep$TerminateProcess$kernel32$[FILE]$notepad$[FILE]
API String ID: 3751337051-1992750546
Opcode ID: f3e5bd14b9eca4547e1d82111e60eaf505a3b72a2acd12d9f4d60f775fac33f7
Instruction ID: 521cd1f5f1d68558a350981a4af58b67496248f6491df8a54ee4dd11dd84c66b
Opcode Fuzzy Hash: 6C21A7BE2678E349F6766E1834D567C2491BA46A38B4AEB010237376C44F91000BFF76
Instruction Fuzzy Hash: 521cd1f5f1d68558a350981a4af58b67496248f6491df8a54ee4dd11dd84c66b

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0047500B

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

Part of subcall function 00474D58: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?,00000000,00000000,00000000,?,004755A7), ref: 00474D98
Part of subcall function 00474D58: WriteProcessMemory.KERNEL32(?,00000000,kernel32.dll,?,?,?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?), ref: 00474DBE

GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000,00475246), ref: 0047511C
GetProcAddress.KERNEL32(00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000,00475246), ref: 00475122
GetModuleHandleA.KERNEL32(kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000), ref: 00475133
GetProcAddress.KERNEL32(00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 00475139
GetModuleHandleA.KERNEL32(kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000), ref: 0047514B
GetProcAddress.KERNEL32(00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000), ref: 00475151
GetModuleHandleA.KERNEL32(kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000), ref: 00475163
GetProcAddress.KERNEL32(00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000), ref: 00475169
GetModuleHandleA.KERNEL32(kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000), ref: 0047517B
GetProcAddress.KERNEL32(00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000), ref: 00475181
GetModuleHandleA.KERNEL32(kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32), ref: 00475193
GetProcAddress.KERNEL32(00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000), ref: 00475199
GetModuleHandleA.KERNEL32(kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32), ref: 004751AB
GetProcAddress.KERNEL32(00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000), ref: 004751B1
GetModuleHandleA.KERNEL32(kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32), ref: 004751C3
GetProcAddress.KERNEL32(00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000), ref: 004751C9
GetModuleHandleA.KERNEL32(kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32), ref: 004751DB
GetProcAddress.KERNEL32(00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000), ref: 004751E1
GetModuleHandleA.KERNEL32(kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32), ref: 004751F3
GetProcAddress.KERNEL32(00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000), ref: 004751F9
GetModuleHandleA.KERNEL32(kernel32,GetExitCodeProcess,00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32), ref: 0047520B
GetProcAddress.KERNEL32(00000000,kernel32,GetExitCodeProcess,00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000), ref: 00475211

Part of subcall function 00474E20: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00474E5E
Part of subcall function 00474E20: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00474E6E
Part of subcall function 00474E20: ReadProcessMemory.KERNEL32(?,00000000,?,?,?,DCPERSFWBP,?,?), ref: 00474E81

Part of subcall function 0040F234: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0048F90F,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040F24B

Strings

DeleteFileA, xrefs: 0047509B, 00475189
user32.dll, xrefs: 0047505F
LoadLibraryA, xrefs: 00475112
Sleep, xrefs: 0047506E, 00475141
notepad, xrefs: 00475025
OpenProcess, xrefs: 004750D7, 004751E9
kernel32.dll, xrefs: 00475050
GetProcAddress, xrefs: 00475129
ExitThread, xrefs: 0047508C, 00475171
TerminateProcess, xrefs: 004750B9, 004751B9
kernel32, xrefs: 00475117, 0047512E, 00475146, 0047515E, 00475176, 0047518E, 004751A6, 004751BE, 004751D6, 004751EE, 00475206
MessageBoxA, xrefs: 0047507D, 00475159
CloseHandle, xrefs: 004750C8, 004751D1
GetLastError, xrefs: 004750AA, 004751A1
GetExitCodeProcess, xrefs: 004750E6, 00475201
D, xrefs: 00474FC9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045D6E8, Relevance: 49.1, APIs: 15, Strings: 13, Instructions: 95 Total matches: 1532libraryloader

Similarity

Total matches: 1532
API ID: GetProcAddress$SetErrorMode$GetModuleHandleLoadLibrary
String ID: ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME$[FILE]
API String ID: 4285671783-683095915
Opcode ID: 6332f91712b4189a2fbf9eac54066364acf4b46419cf90587b9f7381acad85db
Instruction ID: 372e34bc737a7edc69a1909bd40661afaf820c1de602df88552da6e630419b72
Opcode Fuzzy Hash: 0A01257F24D863CBD2D0CE4934DB39D20B65787C0C8D6DF404605318697F9BF9295A68
Instruction Fuzzy Hash: 372e34bc737a7edc69a1909bd40661afaf820c1de602df88552da6e630419b72

APIs

SetErrorMode.KERNEL32(00008000), ref: 0045D701
GetModuleHandleA.KERNEL32(USER32,00000000,0045D84E,?,00008000), ref: 0045D725
GetProcAddress.KERNEL32(00000000,WINNLSEnableIME,USER32,00000000,0045D84E,?,00008000), ref: 0045D732
LoadLibraryA.KERNEL32(imm32.dll), ref: 0045D74E
GetProcAddress.KERNEL32(00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D770
GetProcAddress.KERNEL32(00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D785
GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D79A
GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7AF
GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7C4
GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E), ref: 0045D7D9
GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000), ref: 0045D7EE
GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext), ref: 0045D803
GetProcAddress.KERNEL32(00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext), ref: 0045D818
GetProcAddress.KERNEL32(00000000,ImmNotifyIME,00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus), ref: 0045D82D
SetErrorMode.KERNEL32(?,0045D855,00008000), ref: 0045D848

Strings

USER32, xrefs: 0045D720
ImmReleaseContext, xrefs: 0045D77A
ImmNotifyIME, xrefs: 0045D822
ImmIsIME, xrefs: 0045D80D
ImmGetConversionStatus, xrefs: 0045D78F
ImmSetCompositionFontA, xrefs: 0045D7E3
ImmGetCompositionStringA, xrefs: 0045D7F8
ImmSetCompositionWindow, xrefs: 0045D7CE
ImmGetContext, xrefs: 0045D765
imm32.dll, xrefs: 0045D749
ImmSetOpenStatus, xrefs: 0045D7B9
WINNLSEnableIME, xrefs: 0045D72C
ImmSetConversionStatus, xrefs: 0045D7A4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004104F0, Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141 Total matches: 3143

Similarity

Total matches: 3143
API ID: GetModuleHandle
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$[FILE]
API String ID: 2196120668-1102361026
Opcode ID: d04b3c176625d43589df9c4c1eaa1faa8af9b9c00307a8a09859a0e62e75f2dc
Instruction ID: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6
Opcode Fuzzy Hash: B8119E48E06A10BC356E3ED6B0292683F50A1A7CBF31D5388487AA46F067C083C0FF2D
Instruction Fuzzy Hash: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 004104F9

Part of subcall function 004104C4: GetProcAddress.KERNEL32(00000000), ref: 004104DD

Strings

VarMod, xrefs: 004105B7
VarBstrFromCy, xrefs: 004106A9
VarBstrFromBool, xrefs: 004106D5
VarAnd, xrefs: 004105CD
VarDateFromStr, xrefs: 00410667
oleaut32.dll, xrefs: 004104F4
VariantChangeTypeEx, xrefs: 00410507
VarCmp, xrefs: 0041060F
VarBstrFromDate, xrefs: 004106BF
VarBoolFromStr, xrefs: 00410693
VarR8FromStr, xrefs: 00410651
VarR4FromStr, xrefs: 0041063B
VarDiv, xrefs: 0041058B
VarSub, xrefs: 0041055F
VarNeg, xrefs: 0041051D
VarAdd, xrefs: 00410549
VarOr, xrefs: 004105E3
VarMul, xrefs: 00410575
VarI4FromStr, xrefs: 00410625
VarCyFromStr, xrefs: 0041067D
VarIdiv, xrefs: 004105A1
VarXor, xrefs: 004105F9
VarNot, xrefs: 00410533

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047EE3C, Relevance: 37.0, APIs: 10, Strings: 11, Instructions: 210 Total matches: 14file

Similarity

Total matches: 14
API ID: ShellExecute$CopyFile$DeleteFilePlaySoundSetFileAttributes
String ID: .dcp$BATCH$EDITSVR$GENCODE$HOSTS$SOUND$UPANDEXEC$UPDATE$UPLOADEXEC$drivers\etc\hosts$open
API String ID: 313780579-486951257
Opcode ID: 44d22e170a376e2c3ac9494fe8a96a526e5340482cd9b2ca1a65bf3f31ad22f8
Instruction ID: 609fd5320f3736894535b51981f95e3d4faf5b0f44a63c85dacee75dc97e5f91
Opcode Fuzzy Hash: 482159C03AA5D247E11B38503C02FC671E1AB8B365C4E774182B9B32D6EF825029EF59
Instruction Fuzzy Hash: 609fd5320f3736894535b51981f95e3d4faf5b0f44a63c85dacee75dc97e5f91

APIs

ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EEA0
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF11
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EF31
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF60

Part of subcall function 00475BD8: closesocket.WSOCK32(00000248,00000000,00475D47,?,00000000,00475D76,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00475D2E
Part of subcall function 00475BD8: GetCurrentProcessId.KERNEL32(00000248,00000000,00475D47,?,00000000,00475D76,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00475D33

ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0047EF96
CopyFileA.KERNEL32(00000000,00000000,.dcp), ref: 0047F0D1

Part of subcall function 00489C78: GetSystemDirectoryA.KERNEL32(00000000,?), ref: 00489CB4

SetFileAttributesA.KERNEL32(00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFD6
DeleteFileA.KERNEL32(00000000,00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFFF
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0047F033
PlaySoundA.WINMM(00000000,00000000,00000001,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047F059

Strings

UPANDEXEC, xrefs: 0047EF74
UPLOADEXEC, xrefs: 0047EE7E
BATCH, xrefs: 0047EEC3
drivers\etc\hosts, xrefs: 0047EFC3, 0047EFE6, 0047F017
GENCODE, xrefs: 0047F0A0
UPDATE, xrefs: 0047EF3E
open, xrefs: 0047EE99, 0047EF0A, 0047EF2A, 0047EF59, 0047EF8F
HOSTS, xrefs: 0047EFA3
.dcp, xrefs: 0047F0AD
SOUND, xrefs: 0047F040
EDITSVR, xrefs: 0047F063

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00489580, Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 221 Total matches: 17pipewindowsleep

Similarity

Total matches: 17
API ID: CloseHandleCreatePipePeekNamedPipe$CreateProcessDispatchMessageGetEnvironmentVariableGetExitCodeProcessOemToCharPeekMessageReadFileSleepTerminateProcessTranslateMessage
String ID: COMSPEC$D
API String ID: 4101216710-942777791
Opcode ID: 98b6063c36b7c4f9ee270a2712a57a54142ac9cf893dea9da1c9317ddc3726ed
Instruction ID: f750be379b028122e82cf807415e9f3aafae13f02fb218c552ebf65ada2f023f
Opcode Fuzzy Hash: 6221AE4207BD57A3E5972A046403B841372FF43A68F6CA7A2A6FD367E9CE400099FE14
Instruction Fuzzy Hash: f750be379b028122e82cf807415e9f3aafae13f02fb218c552ebf65ada2f023f

APIs

CreatePipe.KERNEL32(FFFFFFFF,?,00000000,00000000), ref: 004895ED
CreatePipe.KERNEL32(?,?,00000000,00000000,FFFFFFFF,?,00000000,00000000), ref: 004895FD
GetEnvironmentVariableA.KERNEL32(COMSPEC,?,00000104,?,?,00000000,00000000,FFFFFFFF,?,00000000,00000000), ref: 00489613
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?), ref: 00489668
Sleep.KERNEL32(000007D0,00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,COMSPEC,?,00000104,?,?), ref: 00489685
TranslateMessage.USER32(?), ref: 00489693
DispatchMessageA.USER32(?), ref: 0048969F
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004896B3
GetExitCodeProcess.KERNEL32(?,?), ref: 004896C8
PeekNamedPipe.KERNEL32(FFFFFFFF,00000000,00000000,00000000,?,00000000,?,?,?,00000000,00000000,00000000,00000001,?,?,?), ref: 004896F2
ReadFile.KERNEL32(FFFFFFFF,?,00002400,00000000,00000000), ref: 00489717
OemToCharA.USER32(?,?), ref: 0048972E
PeekNamedPipe.KERNEL32(FFFFFFFF,00000000,00000000,00000000,00000000,00000000,?,FFFFFFFF,?,00002400,00000000,00000000,FFFFFFFF,00000000,00000000,00000000), ref: 00489781

Part of subcall function 0041FA34: GetLastError.KERNEL32(00486514,00000004,0048650C,00000000,0041FADE,?,00499F5C), ref: 0041FA94

Part of subcall function 0041FC40: SetThreadPriority.KERNEL32(?,015CDB28,00499F5C,?,0047EC9E,?,?,?,00000000,00000000,?,0049062B), ref: 0041FC55

Part of subcall function 0041FEF0: ResumeThread.KERNEL32(?,00499F5C,?,0047ECAA,?,?,?,00000000,00000000,?,0049062B), ref: 0041FEF8

Part of subcall function 0041FF20: GetCurrentThreadId.KERNEL32 ref: 0041FF2E
Part of subcall function 0041FF20: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0041FF5A
Part of subcall function 0041FF20: MsgWaitForMultipleObjects.USER32(00000002,?,00000000,000003E8,00000040), ref: 0041FF6F
Part of subcall function 0041FF20: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041FF9C
Part of subcall function 0041FF20: GetExitCodeThread.KERNEL32(?,?,?,000000FF), ref: 0041FFA7

TerminateProcess.KERNEL32(?,00000000,00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,COMSPEC,?,00000104,?), ref: 0048980A
CloseHandle.KERNEL32(?), ref: 00489813
CloseHandle.KERNEL32(?), ref: 0048981C

Strings

D, xrefs: 00489627
COMSPEC, xrefs: 0048960E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004291D0, Relevance: 31.7, APIs: 21, Instructions: 194 Total matches: 3060window

Similarity

Total matches: 3060
API ID: SelectObject$CreateCompatibleDCDeleteDCRealizePaletteSelectPaletteSetBkColor$BitBltCreateBitmapDeleteObjectGetDCGetObjectPatBltReleaseDC
String ID:
API String ID: 628774946-0
Opcode ID: fe3971f2977393a3c43567018b8bbe78de127415e632ac21538e816cc0dd5250
Instruction ID: 6115c1c3159ef7867d394253bd6a45f4e10092e6f2e7cc69ab30c5ac2c74a228
Opcode Fuzzy Hash: 2911294A05CCF32B64B579881983B261182FE43B52CABF7105979272CACF41740DE457
Instruction Fuzzy Hash: 6115c1c3159ef7867d394253bd6a45f4e10092e6f2e7cc69ab30c5ac2c74a228

APIs

GetObjectA.GDI32(?,00000054,?), ref: 004291F3
GetDC.USER32(00000000), ref: 00429221
CreateCompatibleDC.GDI32(?), ref: 00429232
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0042924D
SelectObject.GDI32(?,00000000), ref: 00429267
PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 00429289
CreateCompatibleDC.GDI32(?), ref: 00429297
DeleteDC.GDI32(?), ref: 0042937D

Part of subcall function 00428B08: GetObjectA.GDI32(00000000,00000054,?), ref: 00428B88
Part of subcall function 00428B08: GetDC.USER32(00000000), ref: 00428B99
Part of subcall function 00428B08: CreateCompatibleDC.GDI32(00000000), ref: 00428BAA
Part of subcall function 00428B08: CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 00428BF6
Part of subcall function 00428B08: CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 00428C1A
Part of subcall function 00428B08: GetDeviceCaps.GDI32(00000028,0000000C), ref: 00428C6A
Part of subcall function 00428B08: GetDeviceCaps.GDI32(00000028,0000000E), ref: 00428C77
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00428D21
Part of subcall function 00428B08: GetDIBColorTable.GDI32(?,00000000,00000100,-00000027), ref: 00428D47
Part of subcall function 00428B08: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428D72
Part of subcall function 00428B08: SelectObject.GDI32(?,?), ref: 00428D7F
Part of subcall function 00428B08: CreateDIBSection.GDI32(00000028,00000001,00000000,00000003,00000000,00000000), ref: 00428DD5
Part of subcall function 00428B08: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428E36
Part of subcall function 00428B08: SelectObject.GDI32(?,?), ref: 00428E77
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,00000000), ref: 00428EB7
Part of subcall function 00428B08: RealizePalette.GDI32(?), ref: 00428EC3
Part of subcall function 00428B08: FillRect.USER32(?,?,00000000), ref: 00428F14
Part of subcall function 00428B08: SetTextColor.GDI32(?,00000000), ref: 00428F2C
Part of subcall function 00428B08: SetBkColor.GDI32(?,00000000), ref: 00428F46
Part of subcall function 00428B08: SetDIBColorTable.GDI32(?,00000000,00000002,?), ref: 00428F8E
Part of subcall function 00428B08: PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 00428FB0
Part of subcall function 00428B08: CreateCompatibleDC.GDI32(00000028), ref: 00428FC3
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00428FE6
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,00000000), ref: 00429002
Part of subcall function 00428B08: RealizePalette.GDI32(?), ref: 0042900D
Part of subcall function 00428B08: SetTextColor.GDI32(?,00000000), ref: 0042902B
Part of subcall function 00428B08: SetBkColor.GDI32(?,00000000), ref: 00429045
Part of subcall function 00428B08: BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042906D
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,000000FF), ref: 0042907F
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00429089
Part of subcall function 00428B08: DeleteDC.GDI32(?), ref: 004290A4
Part of subcall function 00428B08: SelectPalette.GDI32(?,?,000000FF), ref: 004290CE

SelectObject.GDI32(?), ref: 004292DF
SelectPalette.GDI32(?,?,00000000), ref: 004292F2
RealizePalette.GDI32(?), ref: 004292FB
SelectPalette.GDI32(?,?,00000000), ref: 00429307
RealizePalette.GDI32(?), ref: 00429310
SetBkColor.GDI32(?), ref: 0042931A
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042933E
SetBkColor.GDI32(?,00000000), ref: 00429348
SelectObject.GDI32(?,00000000), ref: 0042935B
DeleteObject.GDI32 ref: 00429367
SelectObject.GDI32(?,00000000), ref: 00429398
DeleteDC.GDI32(00000000), ref: 004293B4
ReleaseDC.USER32(00000000,00000000), ref: 004293C5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004031FC, Relevance: 27.1, APIs: 9, Strings: 9, Instructions: 110 Total matches: 169

Similarity

Total matches: 169
API ID: CharNext
String ID: $ $ $"$"$"$"$"$"
API String ID: 3213498283-3597982963
Opcode ID: a78e52ca640c3a7d11d18e4cac849d6c7481ab065be4a6ef34a7c34927dd7892
Instruction ID: 5d6dbb870b020a65ba4fa9e31a5dda400ef744f15fc7bff5e21739e263984da5
Opcode Fuzzy Hash: D0F054139ED4432360976B416872B44E2D0DF9564D2C01F185B62BE2F31E696D62F9DC
Instruction Fuzzy Hash: 5d6dbb870b020a65ba4fa9e31a5dda400ef744f15fc7bff5e21739e263984da5

APIs

CharNextA.USER32(00000000), ref: 00403208
CharNextA.USER32(00000000), ref: 00403236
CharNextA.USER32(00000000), ref: 00403240
CharNextA.USER32(00000000), ref: 0040325F
CharNextA.USER32(00000000), ref: 00403269
CharNextA.USER32(00000000), ref: 00403295
CharNextA.USER32(00000000), ref: 0040329F
CharNextA.USER32(00000000), ref: 004032C7
CharNextA.USER32(00000000), ref: 004032D1

Strings

", xrefs: 00403230
, xrefs: 004032E9
", xrefs: 0040328F
", xrefs: 0040321E
, xrefs: 00403214
", xrefs: 00403254
, xrefs: 00403278
", xrefs: 00403219
", xrefs: 004032BC

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00472E88, Relevance: 26.4, APIs: 6, Strings: 9, Instructions: 199 Total matches: 19network

Similarity

Total matches: 19
API ID: inet_ntoa$WSAIoctlclosesocketsocket
String ID: Broadcast adress : $ Broadcasts : NO$ Broadcasts : YES$ IP : $ IP Mask : $ Loopback interface$ Network interface$ Status : DOWN$ Status : UP
API String ID: 2271367613-1810517698
Opcode ID: 3d4dbe25dc82bdd7fd028c6f91bddee7ad6dc1d8a686e5486e056cbc58026438
Instruction ID: 018b2a24353d4e3a07e7e79b390110fecb7011e72bd4e8fb6250bb24c4a02172
Opcode Fuzzy Hash: E22138C22338E1B2D42A39C6B500F80B651671FB7EF481F9652B6FFDC26E488005A749
Instruction Fuzzy Hash: 018b2a24353d4e3a07e7e79b390110fecb7011e72bd4e8fb6250bb24c4a02172

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00473108), ref: 00472EC7
WSAIoctl.WS2_32(000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000), ref: 00472F08
inet_ntoa.WSOCK32(?,00000000,004730D5,?,00000002,00000001,00000000,00000000,00473108), ref: 00472F40
inet_ntoa.WSOCK32(?,00473130,?, IP : ,?,?,00000000,004730D5,?,00000002,00000001,00000000,00000000,00473108), ref: 00472F81
inet_ntoa.WSOCK32(?,00473130,?, IP Mask : ,?,?,00473130,?, IP : ,?,?,00000000,004730D5,?,00000002,00000001), ref: 00472FC2
closesocket.WSOCK32(000000FF,00000002,00000001,00000000,00000000,00473108), ref: 004730E3

Strings

Broadcast adress : , xrefs: 00472FCB
Status : UP, xrefs: 00473001
IP Mask : , xrefs: 00472F8A
Broadcasts : NO, xrefs: 00473057
Status : DOWN, xrefs: 0047301B
IP : , xrefs: 00472F49
Broadcasts : YES, xrefs: 0047303D
Network interface, xrefs: 00473091
Loopback interface, xrefs: 00473077

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045944C, Relevance: 25.8, APIs: 17, Instructions: 258 Total matches: 99

Similarity

Total matches: 99
API ID: OffsetRect$MapWindowPoints$DrawEdgeExcludeClipRectFillRectGetClientRectGetRgnBoxGetWindowDCGetWindowLongGetWindowRectInflateRectIntersectClipRectIntersectRectReleaseDC
String ID:
API String ID: 549690890-0
Opcode ID: 4a5933c45267f4417683cc1ac528043082b1f46eca0dcd21c58a50742ec4aa88
Instruction ID: 2ecbe6093ff51080a4fa1a6c7503b414327ded251fe39163baabcde2d7402924
Opcode Fuzzy Hash: DE316B4D01AF1663F073A6401983F7A1516FF43A89CD837F27EE63235E27662066AA03
Instruction Fuzzy Hash: 2ecbe6093ff51080a4fa1a6c7503b414327ded251fe39163baabcde2d7402924

APIs

GetWindowDC.USER32(00000000), ref: 00459480
GetClientRect.USER32(00000000,?), ref: 004594A3
GetWindowRect.USER32(00000000,?), ref: 004594B5
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 004594CB
OffsetRect.USER32(?,?,?), ref: 004594E0
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 004594F9
InflateRect.USER32(?,00000000,00000000), ref: 00459517
GetWindowLongA.USER32(00000000,000000F0), ref: 00459531
DrawEdge.USER32(?,?,?,00000008), ref: 00459630
IntersectClipRect.GDI32(?,?,?,?,?), ref: 00459649
OffsetRect.USER32(?,?,?), ref: 00459673
GetRgnBox.GDI32(?,?), ref: 00459682
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 00459698
IntersectRect.USER32(?,?,?), ref: 004596A9
OffsetRect.USER32(?,?,?), ref: 004596BE

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?,00000000), ref: 004596DA
ReleaseDC.USER32(00000000,?), ref: 004596F9

Part of subcall function 004328FC: GetWindowLongA.USER32(00000000,000000EC), ref: 00432917
Part of subcall function 004328FC: GetWindowRect.USER32(00000000,?), ref: 00432932
Part of subcall function 004328FC: OffsetRect.USER32(?,?,?), ref: 00432947
Part of subcall function 004328FC: GetWindowDC.USER32(00000000), ref: 00432955
Part of subcall function 004328FC: GetWindowLongA.USER32(00000000,000000F0), ref: 00432986
Part of subcall function 004328FC: GetSystemMetrics.USER32(00000002), ref: 0043299B
Part of subcall function 004328FC: GetSystemMetrics.USER32(00000003), ref: 004329A4
Part of subcall function 004328FC: InflateRect.USER32(?,000000FE,000000FE), ref: 004329B3
Part of subcall function 004328FC: GetSysColorBrush.USER32(0000000F), ref: 004329E0
Part of subcall function 004328FC: FillRect.USER32(?,?,00000000), ref: 004329EE
Part of subcall function 004328FC: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00432A13
Part of subcall function 004328FC: ReleaseDC.USER32(00000000,?), ref: 00432A51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00465A0C, Relevance: 21.2, APIs: 6, Strings: 8, Instructions: 232 Total matches: 70memory

Similarity

Total matches: 70
API ID: VirtualAlloc$GetProcessHeapHeapAlloc
String ID: BTMemoryLoadLibary: BuildImportTable failed$BTMemoryLoadLibary: Can't attach library$BTMemoryLoadLibary: Get DLLEntyPoint failed$BTMemoryLoadLibary: IMAGE_NT_SIGNATURE is not valid$BTMemoryLoadLibary: VirtualAlloc failed$BTMemoryLoadLibary: dll dos header is not valid$MZ$PE
API String ID: 2488116186-3631919656
Opcode ID: 3af931fd5e956d794d4d8b2d9451c0c23910b02d2e1f96ee73557f06256af9ed
Instruction ID: 5201b0f892773e34eb121d15694a5594f27085db04a31d88d5a3aa16cfd2fb7b
Opcode Fuzzy Hash: C92170831B68E1B7FD6411983983F62168EE747E64EC5A7700375391DB6B09408DEB4E
Instruction Fuzzy Hash: 5201b0f892773e34eb121d15694a5594f27085db04a31d88d5a3aa16cfd2fb7b

APIs

VirtualAlloc.KERNEL32(?,?,00002000,00000004), ref: 00465AC1
VirtualAlloc.KERNEL32(00000000,?,00002000,00000004,?,?,00002000,00000004), ref: 00465ADC
GetProcessHeap.KERNEL32(00000000,00000011,?,?,00002000,00000004), ref: 00465B07
HeapAlloc.KERNEL32(00000000,00000000,00000011,?,?,00002000,00000004), ref: 00465B0D
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,00000000,00000000,00000011,?,?,00002000,00000004), ref: 00465B41
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,00000000,?,00001000,00000004,00000000,00000000,00000011,?,?,00002000,00000004), ref: 00465B55

Part of subcall function 004653A8: VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00465410
Part of subcall function 004653A8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004), ref: 0046545B

Part of subcall function 00465598: LoadLibraryA.KERNEL32(00000000), ref: 00465607
Part of subcall function 00465598: GetProcAddress.KERNEL32(?,?), ref: 00465737
Part of subcall function 00465598: GetProcAddress.KERNEL32(?,?), ref: 0046576B
Part of subcall function 00465598: IsBadReadPtr.KERNEL32(?,00000014,00000000,004657D8), ref: 004657A9

Part of subcall function 004658F4: VirtualFree.KERNEL32(?,?,00004000), ref: 00465939
Part of subcall function 004658F4: VirtualProtect.KERNEL32(?,?,00000000,?), ref: 004659A5

Part of subcall function 00466038: FreeLibrary.KERNEL32(00000000,?,?,00000000,?,00000000,00465C6C), ref: 004660A7
Part of subcall function 00466038: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,?,00000000,00465C6C), ref: 004660D8
Part of subcall function 00466038: GetProcessHeap.KERNEL32(00000000,?,?,?,00000000,?,00000000,00465C6C), ref: 004660E0
Part of subcall function 00466038: HeapFree.KERNEL32(00000000,00000000,?), ref: 004660E6

Strings

BTMemoryLoadLibary: BuildImportTable failed, xrefs: 00465BD5
BTMemoryLoadLibary: Can't attach library, xrefs: 00465C5A
BTMemoryLoadLibary: IMAGE_NT_SIGNATURE is not valid, xrefs: 00465A95
BTMemoryLoadLibary: VirtualAlloc failed, xrefs: 00465AEC
PE, xrefs: 00465A84
BTMemoryLoadLibary: dll dos header is not valid, xrefs: 00465A4E
MZ, xrefs: 00465A41
BTMemoryLoadLibary: Get DLLEntyPoint failed, xrefs: 00465C28

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004296E0, Relevance: 21.2, APIs: 14, Instructions: 217 Total matches: 2962window

Similarity

Total matches: 2962
API ID: GetDeviceCapsSelectObjectSelectPaletteSetStretchBltMode$CreateCompatibleDCDeleteDCGetBrushOrgExRealizePaletteSetBrushOrgExStretchBlt
String ID:
API String ID: 3308931694-0
Opcode ID: c4f23efe5e20e7f72d9787206ae9d4d4484ef6a1768b369050ebc0ce3d21af64
Instruction ID: 6e80a75276815f297b150d1899ec2451361d21afa1efcd092d0d7bc48a04164e
Opcode Fuzzy Hash: 2C21980A409CEB6BF0BB78840183F4A2285BF9B34ACD1BB210E64673635F04E40BD65F
Instruction Fuzzy Hash: 6e80a75276815f297b150d1899ec2451361d21afa1efcd092d0d7bc48a04164e

APIs

Part of subcall function 00429D5C: GetDC.USER32(00000000), ref: 00429DB2
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429DC7
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00429DD1
Part of subcall function 00429D5C: CreateHalftonePalette.GDI32(00000000), ref: 00429DF5
Part of subcall function 00429D5C: ReleaseDC.USER32(00000000,00000000), ref: 00429E00

SelectPalette.GDI32(?,?,000000FF), ref: 00429723
RealizePalette.GDI32(?), ref: 00429732
GetDeviceCaps.GDI32(?,0000000C), ref: 00429744
GetDeviceCaps.GDI32(?,0000000E), ref: 00429753
GetBrushOrgEx.GDI32(?,?), ref: 00429786
SetStretchBltMode.GDI32(?,00000004), ref: 00429794
SetBrushOrgEx.GDI32(?,?,?,?), ref: 004297AC
SetStretchBltMode.GDI32(00000000,00000003), ref: 004297C9
SelectPalette.GDI32(?,?,000000FF), ref: 00429918

Part of subcall function 00429CFC: DeleteObject.GDI32(?), ref: 00429D1F

CreateCompatibleDC.GDI32(00000000), ref: 0042982A
SelectObject.GDI32(?,?), ref: 0042983F

Part of subcall function 00425CC8: CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 00425D0B
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425D20
Part of subcall function 00425CC8: MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,CCAA0029), ref: 00425D64
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425D7E
Part of subcall function 00425CC8: DeleteObject.GDI32(?), ref: 00425D8A
Part of subcall function 00425CC8: CreateCompatibleDC.GDI32(00000000), ref: 00425D9E
Part of subcall function 00425CC8: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00425DBF
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425DD4
Part of subcall function 00425CC8: SelectPalette.GDI32(?,48080787,00000000), ref: 00425DE8
Part of subcall function 00425CC8: SelectPalette.GDI32(?,?,00000000), ref: 00425DFA
Part of subcall function 00425CC8: SelectPalette.GDI32(?,00000000,000000FF), ref: 00425E0F
Part of subcall function 00425CC8: SelectPalette.GDI32(?,48080787,000000FF), ref: 00425E25
Part of subcall function 00425CC8: RealizePalette.GDI32(?), ref: 00425E31
Part of subcall function 00425CC8: StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 00425E53
Part of subcall function 00425CC8: StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 00425E75
Part of subcall function 00425CC8: SetTextColor.GDI32(?,00000000), ref: 00425E7D
Part of subcall function 00425CC8: SetBkColor.GDI32(?,00FFFFFF), ref: 00425E8B
Part of subcall function 00425CC8: StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 00425EB7
Part of subcall function 00425CC8: StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 00425EDC
Part of subcall function 00425CC8: SetTextColor.GDI32(?,?), ref: 00425EE6
Part of subcall function 00425CC8: SetBkColor.GDI32(?,?), ref: 00425EF0
Part of subcall function 00425CC8: SelectObject.GDI32(?,00000000), ref: 00425F03
Part of subcall function 00425CC8: DeleteObject.GDI32(?), ref: 00425F0C
Part of subcall function 00425CC8: SelectPalette.GDI32(?,00000000,00000000), ref: 00425F2E
Part of subcall function 00425CC8: DeleteDC.GDI32(?), ref: 00425F37

SelectObject.GDI32(?,00000000), ref: 0042989E
DeleteDC.GDI32(00000000), ref: 004298AD
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,?), ref: 004298F3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474208, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 49 Total matches: 17libraryloader

Similarity

Total matches: 17
API ID: GetProcAddress$LoadLibrary
String ID: WlanCloseHandle$WlanEnumInterfaces$WlanGetAvailableNetworkList$WlanOpenHandle$WlanQueryInterface$[FILE]
API String ID: 2209490600-3498334979
Opcode ID: 5146edb54a207047eae4574c9a27975307ac735bfb4468aea4e07443cdf6e803
Instruction ID: f89292433987c39bc7d9e273a1951c9a278ebb56a2de24d0a3e4590a01f53334
Opcode Fuzzy Hash: 50E0B6FD90BAA808D37089CC31962431D6E7BE332DA621E00086A230902B4FF2766935
Instruction Fuzzy Hash: f89292433987c39bc7d9e273a1951c9a278ebb56a2de24d0a3e4590a01f53334

APIs

LoadLibraryA.KERNEL32(wlanapi.dll), ref: 00474216
GetProcAddress.KERNEL32(00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 0047422E
GetProcAddress.KERNEL32(00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 00474249
GetProcAddress.KERNEL32(00000000,WlanEnumInterfaces,00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 00474264
GetProcAddress.KERNEL32(00000000,WlanQueryInterface,00000000,WlanEnumInterfaces,00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 0047427F
GetProcAddress.KERNEL32(00000000,WlanGetAvailableNetworkList,00000000,WlanQueryInterface,00000000,WlanEnumInterfaces,00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 0047429A

Strings

WlanOpenHandle, xrefs: 00474226
wlanapi.dll, xrefs: 00474211
WlanGetAvailableNetworkList, xrefs: 00474292
WlanQueryInterface, xrefs: 00474277
WlanEnumInterfaces, xrefs: 0047425C
WlanCloseHandle, xrefs: 00474241

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048D3C4, Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 132 Total matches: 32

Similarity

Total matches: 32
API ID: GetVersionEx
String ID: Unknow$Windows 2000$Windows 7$Windows 95$Windows 98$Windows Me$Windows NT 4.0$Windows Server 2003$Windows Vista$Windows XP
API String ID: 3908303307-3783844371
Opcode ID: 7b5a5832e5fd12129a8a2e2906a492b9449b8df28a17af9cc2e55bced20de565
Instruction ID: b844ed6b70e0e94de659292c354b68b9ed016400ab421bcb6baea74a0809c2ae
Opcode Fuzzy Hash: 0C11ACC1EB6CE422E7B219486410BD59E805F8B83AFCCC343D63EA83E46D491419F22D
Instruction Fuzzy Hash: b844ed6b70e0e94de659292c354b68b9ed016400ab421bcb6baea74a0809c2ae

APIs

GetVersionExA.KERNEL32(00000094), ref: 0048D410

Strings

Windows Me, xrefs: 0048D4F2
Windows NT 4.0, xrefs: 0048D441
Windows 2000, xrefs: 0048D467
Windows 95, xrefs: 0048D4D6
Windows 7, xrefs: 0048D4B1
Unknow, xrefs: 0048D3F5
Windows Vista, xrefs: 0048D4A3
Windows Server 2003, xrefs: 0048D486
Windows XP, xrefs: 0048D478
Windows 98, xrefs: 0048D4E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C494, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 102 Total matches: 27filememorythread

Similarity

Total matches: 27
API ID: CloseHandle$CreateFileCreateThreadFindResourceLoadResourceLocalAllocLockResourceSizeofResourceWriteFile
String ID: [FILE]
API String ID: 67866216-124780900
Opcode ID: 96c988e38e59b89ff17cc2eaece477f828ad8744e4a6eccd5192cfbc043553d8
Instruction ID: 630cc112895e8414539e3ba5b7ba0394fd4404f3832c6fa9d37db38bf09270f9
Opcode Fuzzy Hash: D5F02B8A57A5E6A3F0003C841D423D286D55B13B20E582B62C57CB75C1FE24502AFB03
Instruction Fuzzy Hash: 630cc112895e8414539e3ba5b7ba0394fd4404f3832c6fa9d37db38bf09270f9

APIs

FindResourceA.KERNEL32(00000000,?,?), ref: 0048C4C3

Part of subcall function 00489BB0: GetTempPathA.KERNEL32(?,00000000), ref: 00489BEC

CreateFileA.KERNEL32(00000000,.dll,?,?,40000000,00000002,00000000), ref: 0048C50F
SizeofResource.KERNEL32(00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC,?,?,?,?,00000000,00000000,00000000), ref: 0048C51F
LoadResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C528
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C52E
WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0048C535
CloseHandle.KERNEL32(00000000), ref: 0048C53B
LocalAlloc.KERNEL32(00000040,00000004,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C544
CreateThread.KERNEL32(00000000,00000000,0048C3E4,00000000,00000000,?), ref: 0048C586
CloseHandle.KERNEL32(00000000), ref: 0048C58C

Strings

.dll, xrefs: 0048C4F4, 0048C565

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004085D4, Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 61 Total matches: 268windowregistry

Similarity

Total matches: 268
API ID: RegisterWindowMessage$SendMessage$FindWindow
String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
API String ID: 773075572-3736581797
Opcode ID: b8d29d158da692a3f30c7c46c0fd30bc084ed528be5294db655e4684b6c0c80f
Instruction ID: 4e75a9db2a85290b2bd165713cc3b8ab264a87c6022b985514cebb886d0c2653
Opcode Fuzzy Hash: E3E086048EC5E4C040877D156905746525A5B47E33E88971245FC69EEBDF12706CF60B
Instruction Fuzzy Hash: 4e75a9db2a85290b2bd165713cc3b8ab264a87c6022b985514cebb886d0c2653

APIs

FindWindowA.USER32(MouseZ,Magellan MSWHEEL), ref: 004085EC
RegisterWindowMessageA.USER32(MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 004085F8
RegisterWindowMessageA.USER32(MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 00408607
RegisterWindowMessageA.USER32(MSH_SCROLL_LINES_MSG,MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 00408613
SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 0040862B
SendMessageA.USER32(00000000,?,00000000,00000000), ref: 0040864F

Strings

MSH_SCROLL_LINES_MSG, xrefs: 0040860E
MSH_WHEELSUPPORT_MSG, xrefs: 00408602
MouseZ, xrefs: 004085E7
Magellan MSWHEEL, xrefs: 004085E2
MSWHEEL_ROLLMSG, xrefs: 004085F3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00442280, Relevance: 18.5, APIs: 12, Instructions: 471 Total matches: 76window

Similarity

Total matches: 76
API ID: ShowWindow$SendMessageSetWindowPos$CallWindowProcGetActiveWindowSetActiveWindow
String ID:
API String ID: 1078102291-0
Opcode ID: 5a6bc4dc446307c7628f18d730adac2faaaadfe5fec0ff2c8aaad915570e293a
Instruction ID: d2d7a330045c082ee8847ac264425c59ea8f05af409e416109ccbd6a8a647aa5
Opcode Fuzzy Hash: AA512601698E2453F8A360442A87BAB6077F74EB54CC4AB744BCF530AB3A51D837E74B
Instruction Fuzzy Hash: d2d7a330045c082ee8847ac264425c59ea8f05af409e416109ccbd6a8a647aa5

APIs

Part of subcall function 004471C4: IsChild.USER32(00000000,00000000), ref: 00447222

SendMessageA.USER32(?,00000223,00000000,00000000), ref: 004426BE
ShowWindow.USER32(00000000,00000003), ref: 004426CE
ShowWindow.USER32(00000000,00000002), ref: 004426F0
CallWindowProcA.USER32(00407FF8,00000000,00000005,00000000,?), ref: 00442719
SendMessageA.USER32(?,00000234,00000000,00000000), ref: 0044273E
ShowWindow.USER32(00000000,?), ref: 00442763
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000097), ref: 004427FF
GetActiveWindow.USER32 ref: 00442815
ShowWindow.USER32(00000000,00000000), ref: 00442872

Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773

Part of subcall function 0043BA80: GetCurrentThreadId.KERNEL32(Function_0003BA1C,00000000,0044283C,00000000,004428BF), ref: 0043BA9A
Part of subcall function 0043BA80: EnumThreadWindows.USER32(00000000,Function_0003BA1C,00000000), ref: 0043BAA0

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000097), ref: 0044285A
SetActiveWindow.USER32(00000000), ref: 00442860
ShowWindow.USER32(00000000,00000001), ref: 004428A2

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004328FC, Relevance: 18.1, APIs: 12, Instructions: 142 Total matches: 2670

Similarity

Total matches: 2670
API ID: GetSystemMetricsGetWindowLong$ExcludeClipRectFillRectGetSysColorBrushGetWindowDCGetWindowRectInflateRectOffsetRectReleaseDC
String ID:
API String ID: 3932036319-0
Opcode ID: 76064c448b287af48dc2af56ceef959adfeb7e49e56a31cb381aae6292753b0b
Instruction ID: f04c829c48dd0ecc4740a09c532db4e7ffce190e9eba6ce852bb2d0274806371
Opcode Fuzzy Hash: 03019760024F1233E0B31AC05DC7F127621ED45386CA4BBF28BF6A72C962AA7006F467
Instruction Fuzzy Hash: f04c829c48dd0ecc4740a09c532db4e7ffce190e9eba6ce852bb2d0274806371

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 00432917
GetWindowRect.USER32(00000000,?), ref: 00432932
OffsetRect.USER32(?,?,?), ref: 00432947
GetWindowDC.USER32(00000000), ref: 00432955
GetWindowLongA.USER32(00000000,000000F0), ref: 00432986
GetSystemMetrics.USER32(00000002), ref: 0043299B
GetSystemMetrics.USER32(00000003), ref: 004329A4
InflateRect.USER32(?,000000FE,000000FE), ref: 004329B3
GetSysColorBrush.USER32(0000000F), ref: 004329E0
FillRect.USER32(?,?,00000000), ref: 004329EE
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00432A13
ReleaseDC.USER32(00000000,?), ref: 00432A51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00402820, Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 254 Total matches: 200window

Similarity

Total matches: 200
API ID: MessageBox
String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
API String ID: 1250089747-1256731999
Opcode ID: 490897b8e9acac750f9d51d50a768472c0795dbdc6439b18441db86d626ce938
Instruction ID: 76dfa530adb1b8c2cc13e2667be7c25ba156ed0594aa9714788bfb3d1a0eda85
Opcode Fuzzy Hash: 0731F44BA7DDC3A2D3E91303684575550E2A7C5537C888F609772317F6EE04250BAAAD
Instruction Fuzzy Hash: 76dfa530adb1b8c2cc13e2667be7c25ba156ed0594aa9714788bfb3d1a0eda85

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 00402BBE

Strings

An unexpected memory leak has occurred. , xrefs: 00402980
String, xrefs: 00402A91
, xrefs: 00402B04
Unknown, xrefs: 00402A7C
The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402B39
The unexpected small block leaks are:, xrefs: 004029F7
Unexpected Memory Leak, xrefs: 00402BB0
7, xrefs: 00402991
bytes: , xrefs: 00402A4D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F17C, Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 116 Total matches: 33window

Similarity

Total matches: 33
API ID: GetWindowPlacementGetWindowTextIsWindowVisible
String ID: ,$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive$True
API String ID: 41250382-511446200
Opcode ID: 2a93bd2407602c988be198f02ecb64933adb9ffad78aee0f75abc9a1a22a1849
Instruction ID: 8f95e1a452f283c9d6a5f9db166b7f7b6e325fa1ebf04232aa01919826a7e185
Opcode Fuzzy Hash: F5012D8237CECA73DA0AAEC47C00B80D5A5AF63224CC867A14A9D3D1D41ED06009AB4A
Instruction Fuzzy Hash: 8f95e1a452f283c9d6a5f9db166b7f7b6e325fa1ebf04232aa01919826a7e185

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F1D2
GetWindowPlacement.USER32(?,0000002C), ref: 0046F1ED
IsWindowVisible.USER32(?), ref: 0046F258

Part of subcall function 0046F148: GetWindow.USER32(?,00000005), ref: 0046F156
Part of subcall function 0046F148: GetWindow.USER32(00000000,00000002), ref: 0046F164

Strings

,, xrefs: 0046F1E1
Minimized, xrefs: 0046F225
Show/Unactive, xrefs: 0046F239
True, xrefs: 0046F2AA
Maximized, xrefs: 0046F1FD
Normal, xrefs: 0046F211
Normal/Unactive, xrefs: 0046F24D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E71C, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 109 Total matches: 2989

Similarity

Total matches: 2989
API ID: IntersectRect$GetSystemMetrics$EnumDisplayMonitorsGetClipBoxGetDCOrgExOffsetRect
String ID: EnumDisplayMonitors
API String ID: 2403121106-2491903729
Opcode ID: 52db4d6629bbd73772140d7e04a91d47a072080cb3515019dbe85a8b86b11587
Instruction ID: b4557ab74b20c8893b9e8c5043286aecf6e43751f6ec849995a879e485a4fa77
Opcode Fuzzy Hash: 60F02B4B413C0863AD32BB953067E2601615BD3955C9F7BF34D077A2091B85B42EF643
Instruction Fuzzy Hash: b4557ab74b20c8893b9e8c5043286aecf6e43751f6ec849995a879e485a4fa77

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 0042E755
GetSystemMetrics.USER32(00000000), ref: 0042E77A
GetSystemMetrics.USER32(00000001), ref: 0042E785
GetClipBox.GDI32(?,?), ref: 0042E797
GetDCOrgEx.GDI32(?,?), ref: 0042E7A4
OffsetRect.USER32(?,?,?), ref: 0042E7BD
IntersectRect.USER32(?,?,?), ref: 0042E7CE
IntersectRect.USER32(?,?,?), ref: 0042E7E4
IntersectRect.USER32(?,?,?), ref: 0042E804

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

EnumDisplayMonitors, xrefs: 0042E734

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044D1B0, Relevance: 16.6, APIs: 11, Instructions: 91 Total matches: 309

Similarity

Total matches: 309
API ID: GetWindowLongSetWindowLong$SetProp$IsWindowUnicode
String ID:
API String ID: 2416549522-0
Opcode ID: cc33e88019e13a6bdd1cd1f337bb9aa08043e237bf24f75c2294c70aefb51ea5
Instruction ID: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692
Opcode Fuzzy Hash: 47F09048455D92E9CE316990181BFEB6098AF57F91CE86B0469C2713778E50F079BCC2
Instruction Fuzzy Hash: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692

APIs

IsWindowUnicode.USER32(?), ref: 0044D1CA
SetWindowLongW.USER32(?,000000FC,?), ref: 0044D1E5
GetWindowLongW.USER32(?,000000F0), ref: 0044D1F0
GetWindowLongW.USER32(?,000000F4), ref: 0044D202
SetWindowLongW.USER32(?,000000F4,?), ref: 0044D215
SetWindowLongA.USER32(?,000000FC,?), ref: 0044D22E
GetWindowLongA.USER32(?,000000F0), ref: 0044D239
GetWindowLongA.USER32(?,000000F4), ref: 0044D24B
SetWindowLongA.USER32(?,000000F4,?), ref: 0044D25E
SetPropA.USER32(?,00000000,00000000), ref: 0044D275
SetPropA.USER32(?,00000000,00000000), ref: 0044D28C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00485954, Relevance: 16.0, APIs: 4, Strings: 5, Instructions: 236 Total matches: 15filewindow

Similarity

Total matches: 15
API ID: DeleteFile$BeepMessageBox
String ID: Error$SYSINFO$out.txt$systeminfo$tmp.txt
API String ID: 2513333429-345806071
Opcode ID: 175ef29eb0126f4faf8d8d995bdbdcdb5595b05f6195c7c08c0282fe984d4c47
Instruction ID: 39f7f17e1c987efdb7b4b5db2f739eec2f93dce701a473bbe0ca777f64945c64
Opcode Fuzzy Hash: 473108146FCD9607E0675C047D43BB622369F83488E8AB3736AB7321E95E12C007FE96
Instruction Fuzzy Hash: 39f7f17e1c987efdb7b4b5db2f739eec2f93dce701a473bbe0ca777f64945c64

APIs

Beep.KERNEL32(00000000,00000000,?,00000000,00485C82), ref: 00485C68

Part of subcall function 00489BB0: GetTempPathA.KERNEL32(?,00000000), ref: 00489BEC

Part of subcall function 0048AB58: DeleteFileA.KERNEL32(00000000,00000000,0048ABE5,?,00000000,0048AC07), ref: 0048ABA5

Part of subcall function 0048A8AC: CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000004,00000100,00000000), ref: 0048A953
Part of subcall function 0048A8AC: CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000002,00000100,00000000), ref: 0048A98D
Part of subcall function 0048A8AC: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000110,00000000,00000000,00000044,?), ref: 0048AA10
Part of subcall function 0048A8AC: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0048AA2D
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA68
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA77
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA86
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA95

DeleteFileA.KERNEL32(00000000,Error,00000000,00485C82), ref: 00485A63
DeleteFileA.KERNEL32(00000000,00000000,Error,00000000,00485C82), ref: 00485A92

Part of subcall function 00485888: LocalAlloc.KERNEL32(00000040,00000014,00000000,00485939), ref: 004858C3
Part of subcall function 00485888: CreateThread.KERNEL32(00000000,00000000,Function_0008317C,00000000,00000000,00499F94), ref: 00485913
Part of subcall function 00485888: CloseHandle.KERNEL32(00000000), ref: 00485919

MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00485BE3

Strings

systeminfo, xrefs: 00485A14
tmp.txt, xrefs: 004859CA, 00485A07, 00485A79
Error, xrefs: 004859DE
SYSINFO, xrefs: 00485AAE
out.txt, xrefs: 004859AB, 004859EE, 00485A2A, 00485A4A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A8AC, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 146 Total matches: 45fileprocesssynchronization

Similarity

Total matches: 45
API ID: CloseHandle$CreateFile$CreateProcessWaitForSingleObject
String ID: D
API String ID: 1169714791-2746444292
Opcode ID: 9fb844b51f751657abfdf9935c21911306aa385a3997c9217fbe2ce6b668f812
Instruction ID: 79e473b7fda91be69f4d7f417df14a4c992ec25b9310636d694ca9e09f5cc5b6
Opcode Fuzzy Hash: 4D11E6431384F3F3F1A567002C8275185D6DB45A78E6D9752D6B6323EECB40A16CF94A
Instruction Fuzzy Hash: 79e473b7fda91be69f4d7f417df14a4c992ec25b9310636d694ca9e09f5cc5b6

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000004,00000100,00000000), ref: 0048A953
CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000002,00000100,00000000), ref: 0048A98D
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000110,00000000,00000000,00000044,?), ref: 0048AA10
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0048AA2D
CloseHandle.KERNEL32(00000000), ref: 0048AA68
CloseHandle.KERNEL32(00000000), ref: 0048AA77
CloseHandle.KERNEL32(00000000), ref: 0048AA86
CloseHandle.KERNEL32(00000000), ref: 0048AA95

Strings

D, xrefs: 0048A9BB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F3B8, Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 110 Total matches: 30

Similarity

Total matches: 30
API ID: GetWindowPlacementGetWindowText
String ID: ,$False$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive
API String ID: 3194812178-3661939895
Opcode ID: 6e67ebc189e59b109926b976878c05c5ff8e56a7c2fe83319816f47c7d386b2c
Instruction ID: 05c2a068ec8248d3d24fb73124f2ba0192b7bb261c799db9564259cde8fcc610
Opcode Fuzzy Hash: DC012BC22786CE23E606A9C47A00BD0CE65AFB261CCC867E14FEE3C5D57ED100089B96
Instruction Fuzzy Hash: 05c2a068ec8248d3d24fb73124f2ba0192b7bb261c799db9564259cde8fcc610

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F40E
GetWindowPlacement.USER32(?,0000002C), ref: 0046F429

Part of subcall function 0046F148: GetWindow.USER32(?,00000005), ref: 0046F156
Part of subcall function 0046F148: GetWindow.USER32(00000000,00000002), ref: 0046F164

Strings

Maximized, xrefs: 0046F439
,, xrefs: 0046F41D
False, xrefs: 0046F4D6
Show/Unactive, xrefs: 0046F475
Normal, xrefs: 0046F44D
Minimized, xrefs: 0046F461
Normal/Unactive, xrefs: 0046F489

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00456278, Relevance: 15.2, APIs: 10, Instructions: 197 Total matches: 3025

Similarity

Total matches: 3025
API ID: GetWindowLong$IntersectClipRectRestoreDCSaveDC
String ID:
API String ID: 3006731778-0
Opcode ID: 42e9e34b880910027b3e3a352b823e5a85719ef328f9c6ea61aaf2d3498d6580
Instruction ID: 4204c0258dd60c0c2688d7e8ce7edc9cd036ce1826430425374ca7ebdb7834a4
Opcode Fuzzy Hash: 4621F609168D5267EC7B75806993BAA7111FB82B88CD1F7321AA1171975B80204BFA07
Instruction Fuzzy Hash: 4204c0258dd60c0c2688d7e8ce7edc9cd036ce1826430425374ca7ebdb7834a4

APIs

SaveDC.GDI32(?), ref: 00456295

Part of subcall function 0044EEA0: GetWindowOrgEx.GDI32(?), ref: 0044EEAE
Part of subcall function 0044EEA0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044EEC4

IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 004562CE
GetWindowLongA.USER32(00000000,000000EC), ref: 004562E2
GetWindowLongA.USER32(00000000,000000F0), ref: 00456303

Part of subcall function 00456278: SetRect.USER32(00000010,00000000,00000000,?,?), ref: 00456363
Part of subcall function 00456278: IntersectClipRect.GDI32(?,00000000,00000000,00000010,?), ref: 004563D3
Part of subcall function 00456278: SetRect.USER32(?,00000000,00000000,?,?), ref: 004563F4
Part of subcall function 00456278: DrawEdge.USER32(?,?,00000000,00000000), ref: 00456403
Part of subcall function 00456278: IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0045642C

RestoreDC.GDI32(?,?), ref: 004564AB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043F2B8, Relevance: 15.1, APIs: 10, Instructions: 133 Total matches: 142window

Similarity

Total matches: 142
API ID: GetWindowLongSendMessageSetWindowLong$GetClassLongGetSystemMenuSetClassLongSetWindowPos
String ID:
API String ID: 864553395-0
Opcode ID: 9ab73d602731c043e05f06fe9a833ffc60d2bf7da5b0a21ed43778f35c9aa1f5
Instruction ID: 86e40c6f39a8dd384175e0123e2dc7e82ae64037638b8220b5ac0861a23d6a34
Opcode Fuzzy Hash: B101DBAA1A176361E0912DCCCAC3B2ED50DB743248EB0DBD922E11540E7F4590A7FE2D
Instruction Fuzzy Hash: 86e40c6f39a8dd384175e0123e2dc7e82ae64037638b8220b5ac0861a23d6a34

APIs

GetWindowLongA.USER32(00000000,000000F0), ref: 0043F329
GetWindowLongA.USER32(00000000,000000EC), ref: 0043F33B
GetClassLongA.USER32(00000000,000000E6), ref: 0043F34E
SetWindowLongA.USER32(00000000,000000F0,00000000), ref: 0043F38E
SetWindowLongA.USER32(00000000,000000EC,?), ref: 0043F3A2
SetClassLongA.USER32(00000000,000000E6,?), ref: 0043F3B6
SendMessageA.USER32(00000000,00000080,00000001,00000000), ref: 0043F3F0
SendMessageA.USER32(00000000,00000080,00000001,00000000), ref: 0043F408
GetSystemMenu.USER32(00000000,000000FF), ref: 0043F417
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043F440

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044155C, Relevance: 15.1, APIs: 10, Instructions: 74 Total matches: 3192window

Similarity

Total matches: 3192
API ID: DeleteMenu$EnableMenuItem$GetSystemMenu
String ID:
API String ID: 3542995237-0
Opcode ID: 6b257927fe0fdeada418aad578b82fbca612965c587f2749ccb5523ad42afade
Instruction ID: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578
Opcode Fuzzy Hash: 0AF0D09DD98F1151E6F500410C47B83C08AFF413C5C245B380583217EFA9D25A5BEB0E
Instruction Fuzzy Hash: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 004415A7
DeleteMenu.USER32(00000000,0000F130,00000000), ref: 004415C5
DeleteMenu.USER32(00000000,00000007,00000400), ref: 004415D2
DeleteMenu.USER32(00000000,00000005,00000400), ref: 004415DF
DeleteMenu.USER32(00000000,0000F030,00000000), ref: 004415EC
DeleteMenu.USER32(00000000,0000F020,00000000), ref: 004415F9
DeleteMenu.USER32(00000000,0000F000,00000000), ref: 00441606
DeleteMenu.USER32(00000000,0000F120,00000000), ref: 00441613
EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 00441631
EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 0044164D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040281E, Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 188 Total matches: 190window

Similarity

Total matches: 190
API ID: MessageBox
String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
API String ID: 1250089747-980038931
Opcode ID: 1669ecd234b97cdbd14c3df7a35b1e74c6856795be7635a3e0f5130a3d9bc831
Instruction ID: 2e60dbe28dcd1d3aa5670394eea0bc97309ab4bc9661f15f320bab8b5d4cd559
Opcode Fuzzy Hash: 8E21F44B67EED392D3EA1303384575540E3ABC5537D888F60977232BF6EE14140BAA9D
Instruction Fuzzy Hash: 2e60dbe28dcd1d3aa5670394eea0bc97309ab4bc9661f15f320bab8b5d4cd559

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 00402BBE

Strings

An unexpected memory leak has occurred. , xrefs: 00402980
, xrefs: 00402B04
The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402B39
The unexpected small block leaks are:, xrefs: 004029F7
Unexpected Memory Leak, xrefs: 00402BB0
7, xrefs: 00402991
bytes: , xrefs: 00402A4D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004710F0, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 66 Total matches: 37

Similarity

Total matches: 37
API ID: GetWindowShowWindow$FindWindowGetClassName
String ID: BUTTON$Shell_TrayWnd
API String ID: 2948047570-3627955571
Opcode ID: 9e064d9ead1b610c0c1481de5900685eb7d76be14ef2e83358ce558d27e67668
Instruction ID: d360bd029940f6fa4d12d7627fe3e8b46839e67e31e965d43504e39a11938d6c
Opcode Fuzzy Hash: 68E092CC17B5D469B71A2789284236241D5C763A35C18B752D332376DF8E58021EE60A
Instruction Fuzzy Hash: d360bd029940f6fa4d12d7627fe3e8b46839e67e31e965d43504e39a11938d6c

APIs

FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 0047111D
GetWindow.USER32(00000000,00000005), ref: 00471125
GetClassNameA.USER32(00000000,?,00000080), ref: 0047113D
ShowWindow.USER32(00000000,00000001), ref: 0047117C
ShowWindow.USER32(00000000,00000000), ref: 00471186
GetWindow.USER32(00000000,00000002), ref: 0047118E

Strings

BUTTON, xrefs: 00471168
Shell_TrayWnd, xrefs: 00471118

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040DA34, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 56 Total matches: 16filewindow

Similarity

Total matches: 16
API ID: GetStdHandleWriteFile$CharToOemLoadStringMessageBox
String ID: LPI
API String ID: 3807148645-863635926
Opcode ID: 539cd2763de28bf02588dbfeae931fa34031625c31423c558e1c96719d1f86e4
Instruction ID: 5b0ab8211e0f5c40d4b1780363d5c9b524eff0228eb78845b7b0cb7c9884c59c
Opcode Fuzzy Hash: B1E09A464E3CA62353002E1070C6B892287EF4302E93833828A11787D74E3104E9A21C
Instruction Fuzzy Hash: 5b0ab8211e0f5c40d4b1780363d5c9b524eff0228eb78845b7b0cb7c9884c59c

APIs

Part of subcall function 0040D8AC: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040D8C9
Part of subcall function 0040D8AC: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040D8ED
Part of subcall function 0040D8AC: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040D908
Part of subcall function 0040D8AC: LoadStringA.USER32(00000000,0000FFED,?,00000100), ref: 0040D99E

CharToOemA.USER32(?,?), ref: 0040DA6B
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,0040E1ED,0040E312,0040FDD4,00000000,0040FF18), ref: 0040DA88
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?), ref: 0040DA8E
GetStdHandle.KERNEL32(000000F4,0040DAF8,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,0040E1ED,0040E312,0040FDD4,00000000,0040FF18), ref: 0040DAA3
WriteFile.KERNEL32(00000000,000000F4,0040DAF8,00000002,?), ref: 0040DAA9
LoadStringA.USER32(00000000,0000FFEE,?,00000040), ref: 0040DACB
MessageBoxA.USER32(00000000,?,?,00002010), ref: 0040DAE1

Strings

LPI, xrefs: 0040DA48

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004564D0, Relevance: 13.7, APIs: 9, Instructions: 177 Total matches: 190window

Similarity

Total matches: 190
API ID: SelectObject$BeginPaintBitBltCreateCompatibleBitmapCreateCompatibleDCSetWindowOrgEx
String ID:
API String ID: 1616898104-0
Opcode ID: 00b711a092303d63a394b0039c66d91bff64c6bf82b839551a80748cfcb5bf1e
Instruction ID: 1affb125a654ca7596d0e4f6c4811def945eff925a29ebecd1c68cf0f38a7913
Opcode Fuzzy Hash: 14115B85024DA637E8739CC85E83F962294F307D48C91F7729BA31B2C72F15600DD293
Instruction Fuzzy Hash: 1affb125a654ca7596d0e4f6c4811def945eff925a29ebecd1c68cf0f38a7913

APIs

Part of subcall function 00455D50: BeginPaint.USER32(00000000,?), ref: 00455D7B
Part of subcall function 00455D50: SaveDC.GDI32(00000000), ref: 00455DB4
Part of subcall function 00455D50: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 00455E36
Part of subcall function 00455D50: RestoreDC.GDI32(00000000,00000000), ref: 00455E6C
Part of subcall function 00455D50: EndPaint.USER32(00000000,?), ref: 00455EA9

BeginPaint.USER32(00000000,?), ref: 004565EA
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00456600
CreateCompatibleDC.GDI32(00000000), ref: 00456617
SelectObject.GDI32(?,?), ref: 00456627
SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0045664B

Part of subcall function 004564D0: BeginPaint.USER32(00000000,?), ref: 0045653C
Part of subcall function 004564D0: EndPaint.USER32(00000000,?), ref: 004565D0

BitBlt.GDI32(00000000,?,?,?,?,?,?,?,00CC0020), ref: 00456699
SelectObject.GDI32(?,?), ref: 004566B3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004840D8, Relevance: 13.6, APIs: 9, Instructions: 150 Total matches: 30

Similarity

Total matches: 30
API ID: CloseHandleGetTokenInformationLookupAccountSid$GetLastErrorOpenProcessOpenProcessToken
String ID:
API String ID: 1387212650-0
Opcode ID: 55fc45e655e8bcad6bc41288bae252f5ee7be0b7cb976adfe173a6785b05be5f
Instruction ID: 4c6b5abeafcca947752a893948ed48d42e020b1fe5683f4a654fc51f6199c0a3
Opcode Fuzzy Hash: 3901484A17CA2293F53BB5C82483FEA1215E702B45D48B7A354F43A59A5F45A13BF702
Instruction Fuzzy Hash: 4c6b5abeafcca947752a893948ed48d42e020b1fe5683f4a654fc51f6199c0a3

APIs

OpenProcess.KERNEL32(00000400,00000000,?,00000000,00484275), ref: 00484108
OpenProcessToken.ADVAPI32(00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 0048411E
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,?,00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 00484139
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),?,?,?,?,TokenIntegrityLevel,00000000,00000000,?,00000000,00000008,?,00000400,00000000), ref: 00484168
GetLastError.KERNEL32(?,TokenIntegrityLevel,00000000,00000000,?,00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 00484177
CloseHandle.KERNEL32(?), ref: 00484185
LookupAccountSidA.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 004841B4
LookupAccountSidA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,?), ref: 00484205
CloseHandle.KERNEL32(00000000), ref: 00484255

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00451458, Relevance: 13.6, APIs: 9, Instructions: 122 Total matches: 3040window

Similarity

Total matches: 3040
API ID: PatBlt$SelectObject$GetDCExGetDesktopWindowReleaseDC
String ID:
API String ID: 2402848322-0
Opcode ID: 0b1cd19b0e82695ca21d43bacf455c9985e1afa33c1b29ce2f3a7090b744ccb2
Instruction ID: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593
Opcode Fuzzy Hash: C2F0B4482AADF707C8B6350915C7F79224AED736458F4BB694DB4172CBAF27B014D093
Instruction Fuzzy Hash: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593

APIs

GetDesktopWindow.USER32 ref: 0045148F
GetDCEx.USER32(?,00000000,00000402), ref: 004514A2

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

SelectObject.GDI32(?,00000000), ref: 004514C5
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 004514EB
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0045150D
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 0045152C
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 00451546
SelectObject.GDI32(?,?), ref: 00451553
ReleaseDC.USER32(?,?), ref: 0045156D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00465598, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 194 Total matches: 72libraryloader

Similarity

Total matches: 72
API ID: GetProcAddress$IsBadReadPtrLoadLibrary
String ID: BuildImportTable: GetProcAddress failed$BuildImportTable: ReallocMemory failed$BuildImportTable: can't load library:
API String ID: 1616315271-1384308123
Opcode ID: eb45955122e677bac4d3e7b6686ec9cba9f45ae3ef48f3e0b242e9a0c3719a7c
Instruction ID: d25742ef4bc1d51b96969838743a3f95180d575e7d72d5f7fe617812cb4009d6
Opcode Fuzzy Hash: 0B214C420345E0D3ED39A2081CC7FB15345EF639B4D88AB671ABB667FA2985500AF50D
Instruction Fuzzy Hash: d25742ef4bc1d51b96969838743a3f95180d575e7d72d5f7fe617812cb4009d6

APIs

LoadLibraryA.KERNEL32(00000000), ref: 00465607
GetProcAddress.KERNEL32(?,?), ref: 00465737
GetProcAddress.KERNEL32(?,?), ref: 0046576B
IsBadReadPtr.KERNEL32(?,00000014,00000000,004657D8), ref: 004657A9

Strings

BuildImportTable: can't load library: , xrefs: 00465644
BuildImportTable: ReallocMemory failed, xrefs: 0046568D
BuildImportTable: GetProcAddress failed, xrefs: 0046577C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482E34, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 193 Total matches: 16sleepthread

Similarity

Total matches: 16
API ID: Sleep$CreateThreadExitThread
String ID: .255$127.0.0.1$LanList
API String ID: 1155887905-2919614961
Opcode ID: f9aceb7697053a60f8f2203743265727de6b3c16a25ac160ebf033b594fe70c2
Instruction ID: 67bc21a589158fc7afeef0b5d02271f7d18e2bfc14a4273c93325a5ef21c2c98
Opcode Fuzzy Hash: 62215C820F87955EED616C807C41FA701315FB7649D4FAB622A6B3A1A74E032016B743
Instruction Fuzzy Hash: 67bc21a589158fc7afeef0b5d02271f7d18e2bfc14a4273c93325a5ef21c2c98

APIs

ExitThread.KERNEL32(00000000,00000000,004830D3,?,?,?,?,00000000,00000000), ref: 004830A6

Part of subcall function 00473208: socket.WSOCK32(00000002,00000001,00000000,00000000,00473339), ref: 0047323B
Part of subcall function 00473208: WSAIoctl.WS2_32(000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000), ref: 0047327C
Part of subcall function 00473208: inet_ntoa.WSOCK32(?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000), ref: 004732AC
Part of subcall function 00473208: inet_ntoa.WSOCK32(?,?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001), ref: 004732E8
Part of subcall function 00473208: closesocket.WSOCK32(000000FF,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000,00000000,00473339), ref: 00473319

CreateThread.KERNEL32(00000000,00000000,Function_00082CDC,?,00000000,?), ref: 00483005
Sleep.KERNEL32(00000032,00000000,00000000,Function_00082CDC,?,00000000,?,?,00000000,00000000,00483104,?,00483104,?,00483104,?), ref: 0048300C
Sleep.KERNEL32(00000064,.255,?,00483104,?,00483104,?,?,00000000,004830D3,?,?,?,?,00000000,00000000), ref: 00483054

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

127.0.0.1, xrefs: 00482E9D
LanList, xrefs: 0048306B
.255, xrefs: 0048303C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004117E8, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: f440f800a6dcfa6827f62dcd7c23166eba4d720ac19948e634cff8498f9e3f0b
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 4D113503239AAB83B0257B804C83F24D1D0DE42D36ACD97B8C672693F32601561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00411881
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041189D
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 004118D6
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411953
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0041196C
VariantCopy.OLEAUT32(?), ref: 004119A1

Strings

, xrefs: 00411802

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00454934, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 134 Total matches: 1764registry

Similarity

Total matches: 1764
API ID: GetWindowLong$GetClassInfoRegisterClassSetWindowLongUnregisterClass
String ID: @
API String ID: 2433521760-2766056989
Opcode ID: bb057d11bcffa2997f58ae607b8aec9f6d517787b85221cca69b6bc40098651c
Instruction ID: 4013627ed433dbc6b152acdb164a0da3d29e3622e0b68fd627badcaca3a3b516
Opcode Fuzzy Hash: 5A119C80560CD237E7D669A4B48378513749F97B7CDD0536B63F6242DA4E00402DF96E
Instruction Fuzzy Hash: 4013627ed433dbc6b152acdb164a0da3d29e3622e0b68fd627badcaca3a3b516

APIs

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetClassInfoA.USER32(?,?,?), ref: 004549F8
UnregisterClassA.USER32(?,?), ref: 00454A20
RegisterClassA.USER32(?), ref: 00454A36
GetWindowLongA.USER32(00000000,000000F0), ref: 00454A72
GetWindowLongA.USER32(00000000,000000F4), ref: 00454A87
SetWindowLongA.USER32(00000000,000000F4,00000000), ref: 00454A9A

Part of subcall function 00458910: IsIconic.USER32(?), ref: 0045891F
Part of subcall function 00458910: GetWindowPlacement.USER32(?,0000002C), ref: 0045893C
Part of subcall function 00458910: GetWindowRect.USER32(?), ref: 00458955
Part of subcall function 00458910: GetWindowLongA.USER32(?,000000F0), ref: 00458963
Part of subcall function 00458910: GetWindowLongA.USER32(?,000000F8), ref: 00458978
Part of subcall function 00458910: ScreenToClient.USER32(00000000), ref: 00458985
Part of subcall function 00458910: ScreenToClient.USER32(00000000,?), ref: 00458990

Part of subcall function 0042473C: CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,00424930,?,00000000,00424958), ref: 0042486B
Part of subcall function 0042473C: CreateFontIndirectA.GDI32(?), ref: 0042490D

Part of subcall function 0040F26C: GetLastError.KERNEL32(0040F31C,?,0041BBC3,?), ref: 0040F26C

Strings

@, xrefs: 0045496D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AC14, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 110 Total matches: 30

Similarity

Total matches: 30
API ID: GetCurrentProcessGetTokenInformationLookupPrivilegeDisplayNameLookupPrivilegeNameOpenProcessToken
String ID: GetTokenInformation error$OpenProcessToken error
API String ID: 34442935-1842041635
Opcode ID: 07715b92dc7caf9e715539a578f275bcd2bb60a34190f84cc6cf05c55eb8ea49
Instruction ID: 380ab001647c8b3903b6034fc21424389ae21c1771cfbd9cf9b74ae493e33b6b
Opcode Fuzzy Hash: 9101994303ACF753F62929086842BDA0550DF534A5EC4AB6281746BEC90F28203AFB57
Instruction Fuzzy Hash: 380ab001647c8b3903b6034fc21424389ae21c1771cfbd9cf9b74ae493e33b6b

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AD60), ref: 0048AC51
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AD60), ref: 0048AC57
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000320,?,00000000,00000028,?,00000000,0048AD60), ref: 0048AC7D
LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,00000000,000000FF,?), ref: 0048ACEE

Part of subcall function 00489B40: MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00489B84

LookupPrivilegeNameA.ADVAPI32(00000000,?,00000000,000000FF), ref: 0048ACDD

Strings

GetTokenInformation error, xrefs: 0048AC86
OpenProcessToken error, xrefs: 0048AC60

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0041F7B4, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109 Total matches: 16thread

Similarity

Total matches: 16
API ID: EnterCriticalSectionGetCurrentThreadId$InterlockedExchangeLeaveCriticalSection
String ID: 4PI
API String ID: 853095497-1771581502
Opcode ID: e7ac2c5012fa839d146893c0705f22c4635eb548c5d0be0363ce03b581d14a20
Instruction ID: e450c16710015a04d827bdf36dba62923dd4328c0a0834b889eda6f9c026b195
Opcode Fuzzy Hash: 46F0268206D8F1379472678830D77370A8AC33154EC85EB52162C376EB1D05D05DE75B
Instruction Fuzzy Hash: e450c16710015a04d827bdf36dba62923dd4328c0a0834b889eda6f9c026b195

APIs

GetCurrentThreadId.KERNEL32 ref: 0041F7BF
GetCurrentThreadId.KERNEL32 ref: 0041F7CE
EnterCriticalSection.KERNEL32(004999D0,0041F904,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F8F7

Part of subcall function 0041F774: WaitForSingleObject.KERNEL32(000000EC), ref: 0041F77E

Part of subcall function 0041F768: ResetEvent.KERNEL32(000000EC,0041F809), ref: 0041F76E

EnterCriticalSection.KERNEL32(004999D0), ref: 0041F813
InterlockedExchange.KERNEL32(00491B2C,?), ref: 0041F82F
LeaveCriticalSection.KERNEL32(004999D0,00000000,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F888

Strings

4PI, xrefs: 0041F7C4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00449834, Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 80 Total matches: 16libraryloader

Similarity

Total matches: 16
API ID: GetModuleHandleGetProcAddressImageList_Write
String ID: $qA$ImageList_WriteEx$[FILE]$[FILE]
API String ID: 3028349119-1134023085
Opcode ID: 9b6b780f1487285524870f905d0420896c1378cf45dbecae2d97141bf0e14d48
Instruction ID: 043155abd17610354dead4f4dd3580dd0e6203469d1d2f069e389e4af6e4a666
Opcode Fuzzy Hash: 29F059C6A0CCF14AE7175584B0AB66107F0BB9DD5F8C87710081C710A90F95A13DFB56
Instruction Fuzzy Hash: 043155abd17610354dead4f4dd3580dd0e6203469d1d2f069e389e4af6e4a666

APIs

ImageList_Write.COMCTL32(00000000,?,00000000,0044992E), ref: 004498F8

Part of subcall function 0040E3A4: GetFileVersionInfoSizeA.VERSION(00000000,?,00000000,0040E47A), ref: 0040E3E6
Part of subcall function 0040E3A4: GetFileVersionInfoA.VERSION(00000000,?,00000000,?,00000000,0040E45D,?,00000000,?,00000000,0040E47A), ref: 0040E41B
Part of subcall function 0040E3A4: VerQueryValueA.VERSION(?,0040E48C,?,?,00000000,?,00000000,?,00000000,0040E45D,?,00000000,?,00000000,0040E47A), ref: 0040E435

GetModuleHandleA.KERNEL32(comctl32.dll), ref: 00449868
GetProcAddress.KERNEL32(00000000,ImageList_WriteEx,comctl32.dll), ref: 00449879

Strings

comctl32.dll, xrefs: 00449863
ImageList_WriteEx, xrefs: 00449873
$qA, xrefs: 004498D4, 00449909
comctl32.dll, xrefs: 00449848

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E4A0, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68 Total matches: 2853string

Similarity

Total matches: 2853
API ID: GetSystemMetrics$GetMonitorInfoSystemParametersInfolstrcpy
String ID: DISPLAY$GetMonitorInfo
API String ID: 3432438702-1633989206
Opcode ID: eae47ffeee35c10db4cae29e8a4ab830895bcae59048fb7015cdc7d8cb0a928b
Instruction ID: 74142331967dee0409fd24cf408a58a7466f2520650418456c75ade1e3029da4
Opcode Fuzzy Hash: 28E068803A699081F86A71027110F4912B07AE7E47D883B92C4777051BD78265B91D01
Instruction Fuzzy Hash: 74142331967dee0409fd24cf408a58a7466f2520650418456c75ade1e3029da4

APIs

GetMonitorInfoA.USER32(?,?), ref: 0042E4D1
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042E4F8
GetSystemMetrics.USER32(00000000), ref: 0042E50D
GetSystemMetrics.USER32(00000001), ref: 0042E518
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0042E542

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

DISPLAY, xrefs: 0042E539
GetMonitorInfo, xrefs: 0042E4B8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004052FC, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38 Total matches: 3072filewindow

Similarity

Total matches: 3072
API ID: GetStdHandleWriteFile$MessageBox
String ID: Error$Runtime error at 00000000
API String ID: 877302783-2970929446
Opcode ID: a2f2a555d5de0ed3a3cdfe8a362fd9574088acc3a5edf2b323f2c4251b80d146
Instruction ID: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97
Opcode Fuzzy Hash: FED0A7C68438479FA141326030C4B2A00133F0762A9CC7396366CB51DFCF4954BCDD05
Instruction Fuzzy Hash: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405335
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 0040533B
GetStdHandle.KERNEL32(000000F5,00405384,00000002,?,00000000,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405350
WriteFile.KERNEL32(00000000,000000F5,00405384,00000002,?), ref: 00405356
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00405374

Strings

Error, xrefs: 00405368
Runtime error at 00000000, xrefs: 0040532E, 0040536D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00442C9C, Relevance: 12.2, APIs: 8, Instructions: 154 Total matches: 2310window

Similarity

Total matches: 2310
API ID: SendMessage$GetActiveWindowGetCapture$ReleaseCapture
String ID:
API String ID: 3360342259-0
Opcode ID: 2e7a3c9d637816ea08647afd4d8ce4a3829e05fa187c32cef18f4a4206af3d5d
Instruction ID: f313f7327938110f0d474da6a120560d1e1833014bacf3192a9076ddb3ef11f7
Opcode Fuzzy Hash: 8F1150111E8E7417F8A3A1C8349BB23A067F74FA59CC0BF71479A610D557588869D707
Instruction Fuzzy Hash: f313f7327938110f0d474da6a120560d1e1833014bacf3192a9076ddb3ef11f7

APIs

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetCapture.USER32 ref: 00442D0D
GetCapture.USER32 ref: 00442D1C
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00442D22
ReleaseCapture.USER32 ref: 00442D27
GetActiveWindow.USER32 ref: 00442D78

Part of subcall function 004442A8: GetCursorPos.USER32 ref: 004442C3
Part of subcall function 004442A8: WindowFromPoint.USER32(?,?), ref: 004442D0
Part of subcall function 004442A8: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004442DE
Part of subcall function 004442A8: GetCurrentThreadId.KERNEL32(00000000,00000000,?,?), ref: 004442E5
Part of subcall function 004442A8: SendMessageA.USER32(00000000,00000084,00000000,?), ref: 0044430E
Part of subcall function 004442A8: SendMessageA.USER32(00000000,00000020,00000000,?), ref: 00444320
Part of subcall function 004442A8: SetCursor.USER32(00000000), ref: 00444332

Part of subcall function 0043B920: GetCurrentThreadId.KERNEL32(0043B8D0,00000000,00000000,0043B993,?,00000000,0043B9D1), ref: 0043B976
Part of subcall function 0043B920: EnumThreadWindows.USER32(00000000,0043B8D0,00000000), ref: 0043B97C

SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00442E0E
SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00442E7B
GetActiveWindow.USER32 ref: 00442E8A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E0DC, Relevance: 12.1, APIs: 8, Instructions: 100 Total matches: 31registry

Similarity

Total matches: 31
API ID: RegOpenKeyEx$RegCloseKeyRegDeleteValue
String ID:
API String ID: 2702562355-0
Opcode ID: ff1bffc0fc9da49c543c68ea8f8c068e074332158ed00d7e0855fec77d15ce10
Instruction ID: bb6f8a9e936068d281b70d3ea2ea02ff1a791729bc38357734c580253c916b5c
Opcode Fuzzy Hash: 00F0AD0155E9A353EBF654C41E127DB2082FF43A44D08FFB50392139D3DF581028E663
Instruction Fuzzy Hash: bb6f8a9e936068d281b70d3ea2ea02ff1a791729bc38357734c580253c916b5c

APIs

RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?,00000000,0046E238), ref: 0046E15A
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,000F003F,?,0046E23F,80000000,00000000,00000000,000F003F,?,00000000,0046E238), ref: 0046E17D
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,0046E23F,80000000,00000000,00000000,000F003F,?), ref: 0046E19D
RegOpenKeyExA.ADVAPI32(80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,0046E23F), ref: 0046E1BD
RegOpenKeyExA.ADVAPI32(80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001), ref: 0046E1DD
RegOpenKeyExA.ADVAPI32(80000006,00000000,00000000,000F003F,?,80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002), ref: 0046E1FD
RegDeleteValueA.ADVAPI32(?,00000000,00000000,0046E238), ref: 0046E20F
RegCloseKey.ADVAPI32(?,?,00000000,00000000,0046E238), ref: 0046E218

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004462F4, Relevance: 12.1, APIs: 8, Instructions: 99 Total matches: 293windowthread

Similarity

Total matches: 293
API ID: SendMessage$GetWindowThreadProcessId$GetCaptureGetParentIsWindowUnicode
String ID:
API String ID: 2317708721-0
Opcode ID: 8f6741418f060f953fc426fb00df5905d81b57fcb2f7a38cdc97cb0aab6d7365
Instruction ID: 027f2b09132ef415e1641618d15c0fc03404835376b0cbd1c352fc703b58c8b5
Opcode Fuzzy Hash: D0F09E15071D1844F89FA7844CD3F1F0150E73726FC516A251861D07BB2640586DEC40
Instruction Fuzzy Hash: 027f2b09132ef415e1641618d15c0fc03404835376b0cbd1c352fc703b58c8b5

APIs

GetCapture.USER32 ref: 0044631A
GetParent.USER32(00000000), ref: 00446340
IsWindowUnicode.USER32(00000000), ref: 0044635D
SendMessageW.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446378
SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446397
GetWindowThreadProcessId.USER32(00000000), ref: 004463A6
GetWindowThreadProcessId.USER32(?,?), ref: 004463B4
SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 004463D4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E244, Relevance: 12.1, APIs: 8, Instructions: 95 Total matches: 27registry

Similarity

Total matches: 27
API ID: RegOpenKeyEx$RegCloseKeyRegDeleteKey
String ID:
API String ID: 1588268847-0
Opcode ID: efa1fa3a126963e045954320cca245066a4b5764b694b03be027155e6cf74c33
Instruction ID: 786d86d630c0ce6decb55c8266b1f23f89dbfeab872e22862efc69a80fb541cf
Opcode Fuzzy Hash: 70F0810454D99393EFF268C81A627EB2492FF53141C00BFB603D222A93DF191428E663
Instruction Fuzzy Hash: 786d86d630c0ce6decb55c8266b1f23f89dbfeab872e22862efc69a80fb541cf

APIs

RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?,00000000,0046E391), ref: 0046E2B7
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,000F003F,?,80000000,00000000,00000000,000F003F,?,00000000,0046E391), ref: 0046E2DA
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,80000000,00000000,00000000,000F003F,?,00000000), ref: 0046E2FA
RegOpenKeyExA.ADVAPI32(80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,80000000), ref: 0046E31A
RegOpenKeyExA.ADVAPI32(80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001), ref: 0046E33A
RegOpenKeyExA.ADVAPI32(80000006,00000000,00000000,000F003F,?,80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002), ref: 0046E35A
RegDeleteKeyA.ADVAPI32(?,0046E39C), ref: 0046E368
RegCloseKey.ADVAPI32(?,?,0046E39C,00000000,0046E391), ref: 0046E371

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426060, Relevance: 12.1, APIs: 8, Instructions: 79 Total matches: 3072window

Similarity

Total matches: 3072
API ID: GetSystemPaletteEntries$GetDCGetDeviceCapsReleaseDC
String ID:
API String ID: 3774187343-0
Opcode ID: c8a1f0028bda89d06ba34fecd970438ce26e4f5bd606e2da3d468695089984a8
Instruction ID: 0cfe958825060108f21fe327ec74807f3ea840bb8274bad68fd1d00675d59d02
Opcode Fuzzy Hash: 82F0E9420739F3B3B21723492453B548250FF006B8F195B7095A2A37D54B486A08D65A
Instruction Fuzzy Hash: 0cfe958825060108f21fe327ec74807f3ea840bb8274bad68fd1d00675d59d02

APIs

GetDC.USER32(00000000), ref: 0042608E
GetDeviceCaps.GDI32(?,00000068), ref: 004260AA
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 004260C9
GetSystemPaletteEntries.GDI32(?,-00000008,00000001,00C0C0C0), ref: 004260ED
GetSystemPaletteEntries.GDI32(?,00000000,00000007,?), ref: 0042610B
GetSystemPaletteEntries.GDI32(?,00000007,00000001,?), ref: 0042611F
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0042613F
ReleaseDC.USER32(00000000,?), ref: 00426157

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434550, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 177 Total matches: 2669window

Similarity

Total matches: 2669
API ID: InsertMenu$GetVersionInsertMenuItem
String ID: ,$?
API String ID: 1158528009-2308483597
Opcode ID: 3691d3eb49acf7fe282d18733ae3af9147e5be4a4a7370c263688d5644077239
Instruction ID: d88e58a9695d0ecde36b26a9ed5775f3b98e27f7dc2108173ae1ec2afbf22209
Opcode Fuzzy Hash: 7021C07202AE81DBD414788C7954F6221B16B5465FD49FF210329B5DD98F156003FF7A
Instruction Fuzzy Hash: d88e58a9695d0ecde36b26a9ed5775f3b98e27f7dc2108173ae1ec2afbf22209

APIs

GetVersion.KERNEL32(00000000,004347A1), ref: 004345EC
InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 004346F5
InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 0043477E

Part of subcall function 00434A54: CreatePopupMenu.USER32 ref: 00434A6F
Part of subcall function 00434A54: CreateMenu.USER32 ref: 00434A79

InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 00434765

Strings

?, xrefs: 00434607
,, xrefs: 00434600

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00488D70, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 139 Total matches: 17window

Similarity

Total matches: 17
API ID: BitBltCreateCompatibleBitmapCreateCompatibleDCCreateDCSelectObject
String ID: image/jpeg
API String ID: 3045076971-3785015651
Opcode ID: dbe4b5206c04ddfa7cec44dd0e3e3f3269a9d8eacf2ec53212285f1a385d973c
Instruction ID: b6a9b81207b66fd46b40be05ec884117bb921c7e8fb4f30b77988d552b54040a
Opcode Fuzzy Hash: 3001BD010F4EF103E475B5CC3853FF7698AEB17E8AD1A77A20CB8961839202A009F607
Instruction Fuzzy Hash: b6a9b81207b66fd46b40be05ec884117bb921c7e8fb4f30b77988d552b54040a

APIs

CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 00488DAA
CreateCompatibleDC.GDI32(?), ref: 00488DC4
CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 00488DDC
SelectObject.GDI32(?,?), ref: 00488DEC
BitBlt.GDI32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,00CC0020), ref: 00488E15

Part of subcall function 0045FB1C: GdipCreateBitmapFromHBITMAP.GDIPLUS(?,?,?), ref: 0045FB43

Part of subcall function 0045FA24: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,0045FA7A), ref: 0045FA54

Strings

image/jpeg, xrefs: 00488E70

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446834, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 138 Total matches: 241window

Similarity

Total matches: 241
API ID: SetWindowPos$GetWindowRectMessageBoxSetActiveWindow
String ID: (
API String ID: 3733400490-3887548279
Opcode ID: 057cc1c80f110adb1076bc5495aef73694a74091f1d008cb79dd59c6bbc78491
Instruction ID: b10abcdf8b99517cb61353ac0e0d7546e107988409174f4fad3563684715349e
Opcode Fuzzy Hash: 88014C110E8D5483B57334902893FAB110AFB8B789C4CF7F65ED25314A4B45612FA657
Instruction Fuzzy Hash: b10abcdf8b99517cb61353ac0e0d7546e107988409174f4fad3563684715349e

APIs

Part of subcall function 00447BE4: GetActiveWindow.USER32 ref: 00447C0B
Part of subcall function 00447BE4: GetLastActivePopup.USER32(?), ref: 00447C1D

GetWindowRect.USER32(?,?), ref: 004468B6
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 004468EE

Part of subcall function 0043B920: GetCurrentThreadId.KERNEL32(0043B8D0,00000000,00000000,0043B993,?,00000000,0043B9D1), ref: 0043B976
Part of subcall function 0043B920: EnumThreadWindows.USER32(00000000,0043B8D0,00000000), ref: 0043B97C

MessageBoxA.USER32(00000000,?,?,?), ref: 0044692D
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0044697D

Part of subcall function 0043B9E4: IsWindow.USER32(?), ref: 0043B9F2
Part of subcall function 0043B9E4: EnableWindow.USER32(?,000000FF), ref: 0043BA01

SetActiveWindow.USER32(00000000), ref: 0044698E

Strings

(, xrefs: 00446893

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446524, Relevance: 10.6, APIs: 7, Instructions: 105 Total matches: 329window

Similarity

Total matches: 329
API ID: PeekMessage$DispatchMessage$IsWindowUnicodeTranslateMessage
String ID:
API String ID: 94033680-0
Opcode ID: 72d0e2097018c2d171db36cd9dd5c7d628984fd68ad100676ade8b40d7967d7f
Instruction ID: b3581f7210794b57d406096c46509e1a6dcc6e0b3c60c7d01b5c3c410123a072
Opcode Fuzzy Hash: A2F0F642161A8221F90E364651E2FC06559E31F39CCD1D3871165A4192DF8573D6F95C
Instruction Fuzzy Hash: b3581f7210794b57d406096c46509e1a6dcc6e0b3c60c7d01b5c3c410123a072

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00446538
IsWindowUnicode.USER32 ref: 0044654C
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0044656D
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00446583

Part of subcall function 00447DD0: GetCapture.USER32 ref: 00447DDA
Part of subcall function 00447DD0: GetParent.USER32(00000000), ref: 00447E08

Part of subcall function 004462A4: TranslateMDISysAccel.USER32(?), ref: 004462E3

Part of subcall function 004462F4: GetCapture.USER32 ref: 0044631A
Part of subcall function 004462F4: GetParent.USER32(00000000), ref: 00446340
Part of subcall function 004462F4: IsWindowUnicode.USER32(00000000), ref: 0044635D
Part of subcall function 004462F4: SendMessageW.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446378
Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446397
Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(00000000), ref: 004463A6
Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(?,?), ref: 004463B4
Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 004463D4

Part of subcall function 0044625C: IsWindowUnicode.USER32(00000000), ref: 00446270
Part of subcall function 0044625C: IsDialogMessageW.USER32(?), ref: 00446281
Part of subcall function 0044625C: IsDialogMessageA.USER32(?,?,00000000,015B8130,00000001,00446607,?,00000000,00000000,00000000,00000001,?,00000000,00000000,00000000,00000000), ref: 00446296

TranslateMessage.USER32 ref: 0044660C
DispatchMessageW.USER32 ref: 00446618
DispatchMessageA.USER32 ref: 00446620

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004282D0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99 Total matches: 1938

Similarity

Total matches: 1938
API ID: GetWinMetaFileBitsMulDiv$GetDC
String ID: `
API String ID: 1171737091-2679148245
Opcode ID: 97e0afb71fd3017264d25721d611b96d1ac3823582e31f119ebb41a52f378edb
Instruction ID: fd1c75cb27f8ccc4a85bc281ca680933f7ff10ae91a160973978cac80d6b42b6
Opcode Fuzzy Hash: B6F0ACC4008CD2A7D87675DC1043F6311C897CA286E89BB739226A7307CB0AA019EC47
Instruction Fuzzy Hash: fd1c75cb27f8ccc4a85bc281ca680933f7ff10ae91a160973978cac80d6b42b6

APIs

MulDiv.KERNEL32(?,?,000009EC), ref: 00428322
MulDiv.KERNEL32(?,?,000009EC), ref: 00428339
GetDC.USER32(00000000), ref: 00428350
GetWinMetaFileBits.GDI32(?,00000000,00000000,00000008,?), ref: 00428374
GetWinMetaFileBits.GDI32(?,?,?,00000008,?), ref: 004283A7

Part of subcall function 00425A70: GetLastError.KERNEL32(00000000,00425B0C), ref: 00425A90
Part of subcall function 00425A70: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00425B0C), ref: 00425AB6

Strings

`, xrefs: 00428308

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444344, Relevance: 10.6, APIs: 7, Instructions: 89 Total matches: 2886

Similarity

Total matches: 2886
API ID: CreateFontIndirect$GetStockObjectSystemParametersInfo
String ID:
API String ID: 1286667049-0
Opcode ID: beeb678630a8d2ca0f721ed15124802961745e4c56d7c704ecddf8ebfa723626
Instruction ID: b9276e4cea0afd1028da4d528d34847b13dbaab52dc8e94e54053a20ac38a9fc
Opcode Fuzzy Hash: 00F0A4C36341F6F2D8993208742172161E6A74AE78C7CFF62422930ED2661A052EEB4F
Instruction Fuzzy Hash: b9276e4cea0afd1028da4d528d34847b13dbaab52dc8e94e54053a20ac38a9fc

APIs

SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 00444399
CreateFontIndirectA.GDI32(?), ref: 004443A6
GetStockObject.GDI32(0000000D), ref: 004443BC
SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 004443E5
CreateFontIndirectA.GDI32(?), ref: 004443F5
CreateFontIndirectA.GDI32(?), ref: 0044440E

Part of subcall function 00424A5C: MulDiv.KERNEL32(00000000,?,00000048), ref: 00424A69

GetStockObject.GDI32(0000000D), ref: 00444434

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428A00, Relevance: 10.6, APIs: 7, Instructions: 66 Total matches: 3056

Similarity

Total matches: 3056
API ID: SelectObject$CreateCompatibleDCDeleteDCGetDCReleaseDCSetDIBColorTable
String ID:
API String ID: 2399757882-0
Opcode ID: e05996493a4a7703f1d90fd319a439bf5e8e75d5a5d7afaf7582bfea387cb30d
Instruction ID: 90c847b5b2251fbb5b2f14fd0b24f537c214c92e226752d9278a3821f2f40b8f
Opcode Fuzzy Hash: 73E0DF8626D8F38BE435399C15C2BB202EAD763D20D1ABBA1CD712B5DB6B09701CE107
Instruction Fuzzy Hash: 90c847b5b2251fbb5b2f14fd0b24f537c214c92e226752d9278a3821f2f40b8f

APIs

Part of subcall function 004262B4: GetObjectA.GDI32(?,00000004), ref: 004262CB
Part of subcall function 004262B4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 004262EE

GetDC.USER32(00000000), ref: 00428A3E
CreateCompatibleDC.GDI32(?), ref: 00428A4A
SelectObject.GDI32(?), ref: 00428A57
SetDIBColorTable.GDI32(?,00000000,00000000,?), ref: 00428A7B
SelectObject.GDI32(?,?), ref: 00428A95
DeleteDC.GDI32(?), ref: 00428A9E
ReleaseDC.USER32(00000000,?), ref: 00428AA9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004442A8, Relevance: 10.6, APIs: 7, Instructions: 57 Total matches: 3149threadwindow

Similarity

Total matches: 3149
API ID: SendMessage$GetCurrentThreadIdGetCursorPosGetWindowThreadProcessIdSetCursorWindowFromPoint
String ID:
API String ID: 3843227220-0
Opcode ID: 636f8612f18a75fc2fe2d79306f1978e6c2d0ee500cce15a656835efa53532b4
Instruction ID: 91a0691e93be75cbd792bc1c5d11451005bcc187603754b99125f381020161aa
Opcode Fuzzy Hash: 6FE07D44093723D5C0644A295640705A6C6CB96630DC0DB86C339580FBAD0214F0BC92
Instruction Fuzzy Hash: 91a0691e93be75cbd792bc1c5d11451005bcc187603754b99125f381020161aa

APIs

GetCursorPos.USER32 ref: 004442C3
WindowFromPoint.USER32(?,?), ref: 004442D0
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004442DE
GetCurrentThreadId.KERNEL32(00000000,00000000,?,?), ref: 004442E5
SendMessageA.USER32(00000000,00000084,00000000,?), ref: 0044430E
SendMessageA.USER32(00000000,00000020,00000000,?), ref: 00444320
SetCursor.USER32(00000000), ref: 00444332

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00404448, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 49 Total matches: 63registry

Similarity

Total matches: 63
API ID: RegCloseKeyRegOpenKeyExRegQueryValueEx
String ID: &$FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 2249749755-409351
Opcode ID: ab90adbf7b939076b4d26ef1005f34fa32d43ca05e29cbeea890055cc8b783db
Instruction ID: ce62e3bb234767a160e82b0d7d36def6f0e4d1aa0fd43ed305e6d49589b0b3e0
Opcode Fuzzy Hash: 58D02BE10C9A675FB6B071543292B6310A3F72AA8CC0077326DD03A0D64FD26178CF03
Instruction Fuzzy Hash: ce62e3bb234767a160e82b0d7d36def6f0e4d1aa0fd43ed305e6d49589b0b3e0

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040446A
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,&,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040449D
RegCloseKey.ADVAPI32(?,004044C0,00000000,?,00000004,00000000,&,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004044B3

Strings

&, xrefs: 00404476
FPUMaskValue, xrefs: 00404494
SOFTWARE\Borland\Delphi\RTL, xrefs: 00404460

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00488B18, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 49 Total matches: 15

Similarity

Total matches: 15
API ID: GetDeviceCaps$CreateDCEnumDisplayMonitors
String ID: DISPLAY$MONSIZE0x0x0x0
API String ID: 764351534-707749442
Opcode ID: 4ad1b1e031ca4c6641bd4b991acf5b812f9c7536f9f0cc4eb1e7d2354d8ae31a
Instruction ID: 74f5256f7b05cb3d54b39a8883d8df7c51a1bc5999892e39300c9a7f2f74089f
Opcode Fuzzy Hash: 94E0C24F6B8BE4A7600672443C237C2878AA6536918523721CB3E36A93DD472205BA15
Instruction Fuzzy Hash: 74f5256f7b05cb3d54b39a8883d8df7c51a1bc5999892e39300c9a7f2f74089f

APIs

CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 00488B3D
GetDeviceCaps.GDI32(00000000,00000008), ref: 00488B47
GetDeviceCaps.GDI32(00000000,0000000A), ref: 00488B54
EnumDisplayMonitors.USER32(00000000,00000000,004889F0,00000000), ref: 00488B85

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

DISPLAY, xrefs: 00488B6E
MONSIZE0x0x0x0, xrefs: 00488B8C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040F3A4, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 46 Total matches: 17

Similarity

Total matches: 17
API ID: FindResourceLoadResource
String ID: 0PI$DVCLAL
API String ID: 2359726220-2981686760
Opcode ID: 800224e7684f9999f87d4ef9ea60951ae4fbd73f3e4075522447f15a278b71b4
Instruction ID: dff53e867301dc3e22b70d9e69622cb382f13005f1a49077cfe6c5f33cacb54d
Opcode Fuzzy Hash: 8FD0C9D501084285852017F8B253FC7A2AB69DEB19D544BB05EB12D2076F5A613B6A46
Instruction Fuzzy Hash: dff53e867301dc3e22b70d9e69622cb382f13005f1a49077cfe6c5f33cacb54d

APIs

FindResourceA.KERNEL32(00400000,DVCLAL,0000000A), ref: 0040F3C1
LoadResource.KERNEL32(00400000,00000000,00400000,DVCLAL,0000000A), ref: 0040F3CF
FindResourceA.KERNEL32(00400000,DVCLAL,0000000A), ref: 0040F3F3
LoadResource.KERNEL32(00400000,00000000,00400000,DVCLAL,0000000A), ref: 0040F3FA

Strings

0PI, xrefs: 0040F3A8, 0040F3B9, 0040F3C7
DVCLAL, xrefs: 0040F3B4, 0040F3EA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043EC18, Relevance: 9.2, APIs: 6, Instructions: 150 Total matches: 2896

Similarity

Total matches: 2896
API ID: FillRect$BeginPaintEndPaintGetClientRectGetWindowRect
String ID:
API String ID: 2931688664-0
Opcode ID: 677a90f33c4a0bae1c1c90245e54b31fe376033ebf9183cf3cf5f44c7b342276
Instruction ID: 65c0a0a89661e183b73f48e61e48bee5eb6d6399339ac08e0e21072a38132552
Opcode Fuzzy Hash: 9711994A819E5007F47B49C40887BEA1092FBC1FDBCC8FF7025A426BCB0B60564F860B
Instruction Fuzzy Hash: 65c0a0a89661e183b73f48e61e48bee5eb6d6399339ac08e0e21072a38132552

APIs

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?), ref: 0043EC91
GetClientRect.USER32(00000000,?), ref: 0043ECBC
FillRect.USER32(?,?,00000000), ref: 0043ECDB

Part of subcall function 0043EB8C: CallWindowProcA.USER32(?,?,?,?,?), ref: 0043EBC6

Part of subcall function 0043B78C: GetWindowLongA.USER32(?,000000EC), ref: 0043B799
Part of subcall function 0043B78C: SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B7BC
Part of subcall function 0043B78C: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043B7CE

BeginPaint.USER32(?,?), ref: 0043ED53
GetWindowRect.USER32(?,?), ref: 0043ED80

Part of subcall function 0044EEA0: GetWindowOrgEx.GDI32(?), ref: 0044EEAE
Part of subcall function 0044EEA0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044EEC4

Part of subcall function 00455D50: BeginPaint.USER32(00000000,?), ref: 00455D7B
Part of subcall function 00455D50: SaveDC.GDI32(00000000), ref: 00455DB4
Part of subcall function 00455D50: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 00455E36
Part of subcall function 00455D50: RestoreDC.GDI32(00000000,00000000), ref: 00455E6C
Part of subcall function 00455D50: EndPaint.USER32(00000000,?), ref: 00455EA9

EndPaint.USER32(?,?), ref: 0043EDE0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00441160, Relevance: 9.1, APIs: 6, Instructions: 125 Total matches: 196

Similarity

Total matches: 196
API ID: ExcludeClipRectFillRectGetStockObjectRestoreDCSaveDCSetBkColor
String ID:
API String ID: 3049133588-0
Opcode ID: d6019f6cee828ac7391376ab126a0af33bb7a71103bbd3b8d69450c96d22d854
Instruction ID: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c
Opcode Fuzzy Hash: 54012444004F6253F4AB098428E7FA56083F721791CE4FF310786616C34A74615BAA07
Instruction Fuzzy Hash: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c

APIs

Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE

SaveDC.GDI32(?), ref: 004411AD
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00441234
GetStockObject.GDI32(00000004), ref: 00441256
FillRect.USER32(00000000,?,00000000), ref: 0044126F

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(00000000,00000000), ref: 004412BA

Part of subcall function 0042535C: FillRect.USER32(?,00000000,00000000), ref: 00425385

RestoreDC.GDI32(00000000,?), ref: 004412E5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446070, Relevance: 9.1, APIs: 6, Instructions: 99 Total matches: 165window

Similarity

Total matches: 165
API ID: DefWindowProcIsWindowEnabledSetActiveWindowSetFocusSetWindowPosShowWindow
String ID:
API String ID: 81093956-0
Opcode ID: 91e5e05e051b3e2f023c100c42454c78ad979d8871dc5c9cc7008693af0beda7
Instruction ID: aa6e88dcafe1d9e979c662542ea857fd259aca5c8034ba7b6c524572af4b0f27
Opcode Fuzzy Hash: C2F0DD0025452320F892A8044167FBA60622B5F75ACDCD3282197002AEEFE7507ABF14
Instruction Fuzzy Hash: aa6e88dcafe1d9e979c662542ea857fd259aca5c8034ba7b6c524572af4b0f27

APIs

Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773

SetActiveWindow.USER32(?), ref: 0044608F
ShowWindow.USER32(00000000,00000009), ref: 004460B4
IsWindowEnabled.USER32(00000000), ref: 004460D3
DefWindowProcA.USER32(?,00000112,0000F120,00000000), ref: 004460EC

Part of subcall function 00444C44: ShowWindow.USER32(?,00000006), ref: 00444C5F

SetWindowPos.USER32(?,00000000,00000000,?,?,00445ABE,00000000), ref: 00446132
SetFocus.USER32(00000000), ref: 00446180

Part of subcall function 0043FDB4: ShowWindow.USER32(00000000,?), ref: 0043FDEA

Part of subcall function 00445490: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000213), ref: 004454DE

Part of subcall function 004455EC: EnumWindows.USER32(00445518,00000000), ref: 00445620
Part of subcall function 004455EC: ShowWindow.USER32(?,00000000), ref: 00445655
Part of subcall function 004455EC: ShowOwnedPopups.USER32(00000000,?), ref: 00445684
Part of subcall function 004455EC: ShowWindow.USER32(?,00000005), ref: 004456EA
Part of subcall function 004455EC: ShowOwnedPopups.USER32(00000000,?), ref: 00445719

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426564, Relevance: 9.1, APIs: 6, Instructions: 84 Total matches: 3298

Similarity

Total matches: 3298
API ID: GetDeviceCapsGetSystemMetrics$GetDCReleaseDC
String ID:
API String ID: 3173458388-0
Opcode ID: fd9f4716da230ae71bf1f4ec74ceb596be8590d72bfe1d7677825fa15454f496
Instruction ID: 76208f8db54bfa31a4e946745ab37a866a8afca9cd7e1400b1f436bf5add317d
Opcode Fuzzy Hash: 0CF09E4906CDE0A230E245C41213F6290C28E85DA1CCD2F728175646EB900A900BB68A
Instruction Fuzzy Hash: 76208f8db54bfa31a4e946745ab37a866a8afca9cd7e1400b1f436bf5add317d

APIs

GetSystemMetrics.USER32(0000000B), ref: 004265B2
GetSystemMetrics.USER32(0000000C), ref: 004265BE
GetDC.USER32(00000000), ref: 004265DA
GetDeviceCaps.GDI32(00000000,0000000E), ref: 00426601
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042660E
ReleaseDC.USER32(00000000,00000000), ref: 00426647

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004269DC, Relevance: 9.1, APIs: 6, Instructions: 65 Total matches: 3081window

Similarity

Total matches: 3081
API ID: SelectPalette$CreateCompatibleDCDeleteDCGetDIBitsRealizePalette
String ID:
API String ID: 940258532-0
Opcode ID: c5678bed85b02f593c88b8d4df2de58c18800a354d7fb4845608846d7bc0f30b
Instruction ID: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194
Opcode Fuzzy Hash: BCE0864D058EF36F1875B08C25D267100C0C9A25D0917BB6151282339B8F09B42FE553
Instruction Fuzzy Hash: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194

APIs

Part of subcall function 00426888: GetObjectA.GDI32(?,00000054), ref: 0042689C

CreateCompatibleDC.GDI32(00000000), ref: 004269FE
SelectPalette.GDI32(?,?,00000000), ref: 00426A1F
RealizePalette.GDI32(?), ref: 00426A2B
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 00426A42
SelectPalette.GDI32(?,00000000,00000000), ref: 00426A6A
DeleteDC.GDI32(?), ref: 00426A73

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426210, Relevance: 9.1, APIs: 6, Instructions: 56 Total matches: 3064window

Similarity

Total matches: 3064
API ID: SelectObject$CreateCompatibleDCCreatePaletteDeleteDCGetDIBColorTable
String ID:
API String ID: 2522673167-0
Opcode ID: 8f0861977a40d6dd0df59c1c8ae10ba78c97ad85d117a83679491ebdeecf1838
Instruction ID: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265
Opcode Fuzzy Hash: 23E0CD8BABB4E08A797B9EA40440641D28F874312DF4347525731780E7DE0972EBFD9D
Instruction Fuzzy Hash: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265

APIs

CreateCompatibleDC.GDI32(00000000), ref: 00426229
SelectObject.GDI32(00000000,00000000), ref: 00426232
GetDIBColorTable.GDI32(00000000,00000000,00000100,?), ref: 00426246
SelectObject.GDI32(00000000,00000000), ref: 00426252
DeleteDC.GDI32(00000000), ref: 00426258
CreatePalette.GDI32 ref: 0042629F

Part of subcall function 00426178: GetDC.USER32(00000000), ref: 00426190
Part of subcall function 00426178: GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
Part of subcall function 00426178: ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004258EC, Relevance: 9.0, APIs: 6, Instructions: 43 Total matches: 3205

Similarity

Total matches: 3205
API ID: SetBkColorSetBkMode$SelectObjectUnrealizeObject
String ID:
API String ID: 865388446-0
Opcode ID: ffaa839b37925f52af571f244b4bcc9ec6d09047a190f4aa6a6dd435522a71e3
Instruction ID: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d
Opcode Fuzzy Hash: 04D09E594221F71A98E8058442D7D520586497D532DAF3B51063B173F7F8089A05D9FC
Instruction Fuzzy Hash: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d

APIs

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

UnrealizeObject.GDI32(00000000), ref: 004258F8
SelectObject.GDI32(?,00000000), ref: 0042590A
SetBkColor.GDI32(?,00000000), ref: 0042592D
SetBkMode.GDI32(?,00000002), ref: 00425938

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(?,00000000), ref: 00425953
SetBkMode.GDI32(?,00000001), ref: 0042595E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042A930, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 112 Total matches: 272window

Similarity

Total matches: 272
API ID: CreateHalftonePaletteDeleteObjectGetDCReleaseDC
String ID: (
API String ID: 5888407-3887548279
Opcode ID: 4e22601666aff46a46581565b5bf303763a07c2fd17868808ec6dd327d665c82
Instruction ID: f57f3c124764741b0e8e00b5455ad9be4a6e3969f543885727e4b1f2e22c0620
Opcode Fuzzy Hash: 79019E5241CC6117F8D7A6547852F732644AB806A5C80FB707B69BA8CFAB85610EB90B
Instruction Fuzzy Hash: f57f3c124764741b0e8e00b5455ad9be4a6e3969f543885727e4b1f2e22c0620

APIs

GetDC.USER32(00000000), ref: 0042A9EC
CreateHalftonePalette.GDI32(00000000), ref: 0042A9F9
ReleaseDC.USER32(00000000,00000000), ref: 0042AA08
DeleteObject.GDI32(00000000), ref: 0042AA76

Strings

(, xrefs: 0042A9A3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DA48, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 102 Total matches: 32

Similarity

Total matches: 32
API ID: Netbios
String ID: %.2x-%.2x-%.2x-%.2x-%.2x-%.2x$3$memory allocation failed!
API String ID: 544444789-2654533857
Opcode ID: 22deb5ba4c8dd5858e69645675ac88c4b744798eed5cc2a6ae80ae5365d1f156
Instruction ID: 205d53b38d78d2d0723284a20418f6a6cc2e9f6e34ee92e133a3f4b1a01c78c5
Opcode Fuzzy Hash: FC0145449793E233D2635E086C60F6823228F41731FC96B56863A557DC1F09420EF26F
Instruction Fuzzy Hash: 205d53b38d78d2d0723284a20418f6a6cc2e9f6e34ee92e133a3f4b1a01c78c5

APIs

Netbios.NETAPI32(00000032), ref: 0048DA8A
Netbios.NETAPI32(00000033), ref: 0048DB01

Strings

3, xrefs: 0048DACB
memory allocation failed!, xrefs: 0048DAEB
%.2x-%.2x-%.2x-%.2x-%.2x-%.2x, xrefs: 0048DBA0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482320, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85 Total matches: 19threadsleep

Similarity

Total matches: 19
API ID: CreateThreadExitThreadSleep
String ID: @$BTRESULTUDP Flood|UDP Flood task finished!|
API String ID: 2170526433-696998096
Opcode ID: 89b2bcb3a41e7f4c01433908cc75e320bbcd6b665df0f15f136d145bd92b223a
Instruction ID: ba785c08286949be7b8d16e5cc6bc2a647116c61844ba5f345475ef84eb05628
Opcode Fuzzy Hash: F0F02B696BCAA1DFE8075C446C42B9B2054DBC740EDCBA7B2261B235819A4A34073F13
Instruction Fuzzy Hash: ba785c08286949be7b8d16e5cc6bc2a647116c61844ba5f345475ef84eb05628

APIs

Sleep.KERNEL32(00000064,?,00000000,00482455), ref: 004823D3
CreateThread.KERNEL32(00000000,00000000,Function_000821A0,00000000,00000000,?), ref: 004823E8

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000,00000000,00000000,Function_000821A0,00000000,00000000,?,00000064,?,00000000,00482455), ref: 0048242B

Strings

@, xrefs: 004823BE
BTRESULTUDP Flood|UDP Flood task finished!|, xrefs: 00482417

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004827C4, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85 Total matches: 19threadsleep

Similarity

Total matches: 19
API ID: CreateThreadExitThreadSleep
String ID: @$BTRESULTSyn Flood|Syn task finished!|
API String ID: 2170526433-491318438
Opcode ID: 44470ceb4039b0deeebf49dfd608d8deeadfb9ebb9d7d747ae665e3d160d324e
Instruction ID: 0c48cfc9b202c7a9406c9b87cea66b669ffe7f04b2bdabee49179f6eebcccd33
Opcode Fuzzy Hash: 17F02B24A7D9B5DFEC075D402D42BDB6254EBC784EDCAA7B29257234819E1A30037713
Instruction Fuzzy Hash: 0c48cfc9b202c7a9406c9b87cea66b669ffe7f04b2bdabee49179f6eebcccd33

APIs

Sleep.KERNEL32(00000064,?,00000000,004828F9), ref: 00482877
CreateThread.KERNEL32(00000000,00000000,Function_00082630,00000000,00000000,?), ref: 0048288C

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000,00000000,00000000,Function_00082630,00000000,00000000,?,00000064,?,00000000,004828F9), ref: 004828CF

Strings

BTRESULTSyn Flood|Syn task finished!|, xrefs: 004828BB
@, xrefs: 00482862

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00483858, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85 Total matches: 19threadsleep

Similarity

Total matches: 19
API ID: CreateThreadExitThreadSleep
String ID: @$BTRESULTHTTP Flood|Http Flood task finished!|
API String ID: 2170526433-4253556105
Opcode ID: ce1973b24f73c03e98cc87b7d8b3c5c1d23a0e8b985775cb0889d2fdef58f970
Instruction ID: 21c0fad9eccbf28bfd57fbbbc49df069a42e3d2ebba60de991032031fecca495
Opcode Fuzzy Hash: 5DF0F61467DBA0AFEC476D403852FDB6254DBC344EDCAA7B2961B234919A0B50072752
Instruction Fuzzy Hash: 21c0fad9eccbf28bfd57fbbbc49df069a42e3d2ebba60de991032031fecca495

APIs

Sleep.KERNEL32(00000064,?,00000000,0048398D), ref: 0048390B
CreateThread.KERNEL32(00000000,00000000,Function_000836D8,00000000,00000000,?), ref: 00483920

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000,00000000,00000000,Function_000836D8,00000000,00000000,?,00000064,?,00000000,0048398D), ref: 00483963

Strings

@, xrefs: 004838F6
BTRESULTHTTP Flood|Http Flood task finished!|, xrefs: 0048394F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EA7C, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50 Total matches: 198thread

Similarity

Total matches: 198
API ID: FindWindowExGetCurrentThreadIdGetWindowThreadProcessIdIsWindow
String ID: OleMainThreadWndClass
API String ID: 201132107-3883841218
Opcode ID: cdbacb71e4e8a6832b821703e69153792bbbb8731c9381be4d3b148a6057b293
Instruction ID: 62358f18f5a79d764869bf2b093b0b3ccaeb62bda00a46bd1094c38cdaeeb6b7
Opcode Fuzzy Hash: F8E08C9266CC1095C039EA1C7A2237A3548B7D24E9ED4DB747BEB2716CEF00022A7780
Instruction Fuzzy Hash: 62358f18f5a79d764869bf2b093b0b3ccaeb62bda00a46bd1094c38cdaeeb6b7

APIs

Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00000000,00403029), ref: 004076AD
Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00403029), ref: 004076BE

IsWindow.USER32(?), ref: 0042EA99
FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
GetCurrentThreadId.KERNEL32(?,00000000,00000000,00000000,OleMainThreadWndClass,00000000,?,?,00000000,0042EB52), ref: 0042EB0A

Strings

OleMainThreadWndClass, xrefs: 0042EAC3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043F914, Relevance: 7.7, APIs: 5, Instructions: 174 Total matches: 113window

Similarity

Total matches: 113
API ID: SetMenu$GetMenuSetWindowPos
String ID:
API String ID: 2285096500-0
Opcode ID: d0722823978f30f9d251a310f9061108e88e98677dd122370550f2cde24528f3
Instruction ID: e705ced47481df034b79e2c10a9e9c5239c9913cd23e0c77b7b1ec0a0db802ed
Opcode Fuzzy Hash: 5F118B40961E1266F846164C19EAF1171E6BB9D305CC4E72083E630396BE085027E773
Instruction Fuzzy Hash: e705ced47481df034b79e2c10a9e9c5239c9913cd23e0c77b7b1ec0a0db802ed

APIs

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetMenu.USER32(00000000), ref: 0043FA38
SetMenu.USER32(00000000,00000000), ref: 0043FA55
SetMenu.USER32(00000000,00000000), ref: 0043FA8A
SetMenu.USER32(00000000,00000000), ref: 0043FAA6

Part of subcall function 0043F84C: GetMenu.USER32(00000000), ref: 0043F892
Part of subcall function 0043F84C: SendMessageA.USER32(00000000,00000230,00000000,00000000), ref: 0043F8AA
Part of subcall function 0043F84C: DrawMenuBar.USER32(00000000), ref: 0043F8BB

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043FAED

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434AE4, Relevance: 7.7, APIs: 5, Instructions: 168 Total matches: 2874

Similarity

Total matches: 2874
API ID: DrawTextOffsetRect$DrawEdge
String ID:
API String ID: 1230182654-0
Opcode ID: 4033270dfa35f51a11e18255a4f5fd5a4a02456381e8fcea90fa62f052767fcc
Instruction ID: 6b9e5ef3b45a4a7d0cb501c9f56a29ead01efbe1e1581f942ef4c6a165ab8663
Opcode Fuzzy Hash: A511CB01114D5A93E431240815A7FEF1295FBC1A9BCD4BB71078636DBB2F481017EA7B
Instruction Fuzzy Hash: 6b9e5ef3b45a4a7d0cb501c9f56a29ead01efbe1e1581f942ef4c6a165ab8663

APIs

DrawEdge.USER32(00000000,?,00000006,00000002), ref: 00434BB3
OffsetRect.USER32(?,00000001,00000001), ref: 00434C04
DrawTextA.USER32(00000000,00000000,?,?,?), ref: 00434C3D
OffsetRect.USER32(?,000000FF,000000FF), ref: 00434C4A

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

DrawTextA.USER32(00000000,00000000,?,?,?), ref: 00434CB5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00473208, Relevance: 7.6, APIs: 5, Instructions: 114 Total matches: 15network

Similarity

Total matches: 15
API ID: inet_ntoa$WSAIoctlclosesocketsocket
String ID:
API String ID: 2271367613-0
Opcode ID: 03e2a706dc22aa37b7c7fcd13714bf4270951a4113eb29807a237e9173ed7bd6
Instruction ID: 676ba8df3318004e6f71ddf2b158507320f00f5068622334a9372202104f6e6f
Opcode Fuzzy Hash: A0F0AC403B69D14384153BC72A80F5971A2872F33ED4833999230986D7984CA018F529
Instruction Fuzzy Hash: 676ba8df3318004e6f71ddf2b158507320f00f5068622334a9372202104f6e6f

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00473339), ref: 0047323B
WSAIoctl.WS2_32(000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000), ref: 0047327C
inet_ntoa.WSOCK32(?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000), ref: 004732AC
inet_ntoa.WSOCK32(?,?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001), ref: 004732E8
closesocket.WSOCK32(000000FF,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000,00000000,00473339), ref: 00473319

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004455EC, Relevance: 7.6, APIs: 5, Instructions: 109 Total matches: 230

Similarity

Total matches: 230
API ID: ShowOwnedPopupsShowWindow$EnumWindows
String ID:
API String ID: 1268429734-0
Opcode ID: 27bb45b2951756069d4f131311b8216febb656800ffc3f7147a02f570a82fa35
Instruction ID: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc
Opcode Fuzzy Hash: 70012B5524E87325E2756D54B01C765A2239B0FF08CE6C6654AAE640F75E1E0132F78D
Instruction Fuzzy Hash: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc

APIs

EnumWindows.USER32(00445518,00000000), ref: 00445620
ShowWindow.USER32(?,00000000), ref: 00445655
ShowOwnedPopups.USER32(00000000,?), ref: 00445684
ShowWindow.USER32(?,00000005), ref: 004456EA
ShowOwnedPopups.USER32(00000000,?), ref: 00445719

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004878A4, Relevance: 7.6, APIs: 5, Instructions: 109 Total matches: 11memorythread

Similarity

Total matches: 11
API ID: CloseHandleCreateThreadEnterCriticalSectionLeaveCriticalSectionLocalAlloc
String ID:
API String ID: 3024079611-0
Opcode ID: 4dd964c7e1c4b679be799535e5517f4cba33e810e34606c0a9d5c033aa3fe8c9
Instruction ID: efb3d4a77ffd09126bc7d7eb87c1fe64908b5695ecb93dc64bf5137c0ac50147
Opcode Fuzzy Hash: 7E01288913DAD457BD6068883C86EE705A95BA2508E0C67B34F2E392834F1A5125F283
Instruction Fuzzy Hash: efb3d4a77ffd09126bc7d7eb87c1fe64908b5695ecb93dc64bf5137c0ac50147

APIs

EnterCriticalSection.KERNEL32(0049C3A8,00000000,00487A08), ref: 004878F3

Part of subcall function 00487318: EnterCriticalSection.KERNEL32(0049C3A8,00000000,00487468,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00487347
Part of subcall function 00487318: LeaveCriticalSection.KERNEL32(0049C3A8,0048744D,00487468,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00487440

LocalAlloc.KERNEL32(00000040,00000010,?,0049C3A8,00000000,00487A08), ref: 0048795A
CreateThread.KERNEL32(00000000,00000000,Function_00086E2C,00000000,00000000,?), ref: 004879AE
CloseHandle.KERNEL32(00000000), ref: 004879B4
LeaveCriticalSection.KERNEL32(0049C3A8,004879D8,Function_00086E2C,00000000,00000000,?,00000040,00000010,?,0049C3A8,00000000,00487A08), ref: 004879CB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EB3C, Relevance: 7.6, APIs: 5, Instructions: 86 Total matches: 211window

Similarity

Total matches: 211
API ID: DispatchMessageMsgWaitForMultipleObjectsExPeekMessageTranslateMessageWaitForMultipleObjectsEx
String ID:
API String ID: 1615661765-0
Opcode ID: ed928f70f25773e24e868fbc7ee7d77a1156b106903410d7e84db0537b49759f
Instruction ID: 55a40452e6c929106030349fb2bc1598364ce2fc4e781c2a916e8f687fa462b2
Opcode Fuzzy Hash: DDF05C09614F1D16D8BB88644562B1B2144AB42397C26BFA5529EE3B2D6B18B00AF640
Instruction Fuzzy Hash: 55a40452e6c929106030349fb2bc1598364ce2fc4e781c2a916e8f687fa462b2

APIs

Part of subcall function 0042EA7C: IsWindow.USER32(?), ref: 0042EA99
Part of subcall function 0042EA7C: FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
Part of subcall function 0042EA7C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
Part of subcall function 0042EA7C: GetCurrentThreadId.KERNEL32(?,00000000,00000000,00000000,OleMainThreadWndClass,00000000,?,?,00000000,0042EB52), ref: 0042EB0A

MsgWaitForMultipleObjectsEx.USER32(?,?,?,000000BF,?), ref: 0042EB6A
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 0042EB85
TranslateMessage.USER32(?), ref: 0042EB92
DispatchMessageA.USER32(?), ref: 0042EB9B
WaitForMultipleObjectsEx.KERNEL32(?,?,?,?,00000000), ref: 0042EBC7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434924, Relevance: 7.6, APIs: 5, Instructions: 77 Total matches: 2509window

Similarity

Total matches: 2509
API ID: GetMenuItemCount$DestroyMenuGetMenuStateRemoveMenu
String ID:
API String ID: 4240291783-0
Opcode ID: 32de4ad86fdb0cc9fc982d04928276717e3a5babd97d9cb0bc7430a9ae97d0ca
Instruction ID: cf6877f9ad33401498591f2bf6e6844a5ca439f59e89e6fdb213c81f0c010526
Opcode Fuzzy Hash: 6BE02BD3455E4703F425AB0454E3FA913C4AF51716DA0DB1017359D07B1F26501FE9F4
Instruction Fuzzy Hash: cf6877f9ad33401498591f2bf6e6844a5ca439f59e89e6fdb213c81f0c010526

APIs

Part of subcall function 00434A54: CreatePopupMenu.USER32 ref: 00434A6F
Part of subcall function 00434A54: CreateMenu.USER32 ref: 00434A79

GetMenuItemCount.USER32(00000000), ref: 0043495C
GetMenuState.USER32(00000000,-00000001,00000400), ref: 0043497D
RemoveMenu.USER32(00000000,-00000001,00000400), ref: 00434994
GetMenuItemCount.USER32(00000000), ref: 004349C4
DestroyMenu.USER32(00000000), ref: 004349D1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00443430, Relevance: 7.6, APIs: 5, Instructions: 61 Total matches: 3003

Similarity

Total matches: 3003
API ID: SetWindowLong$GetWindowLongRedrawWindowSetLayeredWindowAttributes
String ID:
API String ID: 3761630487-0
Opcode ID: 9c9d49d1ef37d7cb503f07450c0d4a327eb9b2b4778ec50dcfdba666c10abcb3
Instruction ID: c6d9d2cd31c241e86b7d90949bf59b5cad1e27a78e0073c3828bbb8e9ec94880
Opcode Fuzzy Hash: 6AE06550D41703A1D48114945B63FBBE8817F8911DDE5C71001BA29145BA88A192FF7B
Instruction Fuzzy Hash: c6d9d2cd31c241e86b7d90949bf59b5cad1e27a78e0073c3828bbb8e9ec94880

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 00443464
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 00443496
SetLayeredWindowAttributes.USER32(00000000,?,?,00000000), ref: 004434CF
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 004434E8
RedrawWindow.USER32(00000000,00000000,00000000,00000485), ref: 004434FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426178, Relevance: 7.6, APIs: 5, Instructions: 55 Total matches: 3070window

Similarity

Total matches: 3070
API ID: GetPaletteEntries$GetDCGetDeviceCapsReleaseDC
String ID:
API String ID: 1267235336-0
Opcode ID: 49f91625e0dd571c489fa6fdad89a91e8dd79834746e98589081ca7a3a4fea17
Instruction ID: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836
Opcode Fuzzy Hash: 7CD0C2AA1389DBD6BD6A17842352A4553478983B09D126B32EB0822872850C5039FD1F
Instruction Fuzzy Hash: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836

APIs

GetDC.USER32(00000000), ref: 00426190
GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444B90, Relevance: 7.5, APIs: 5, Instructions: 25 Total matches: 2957synchronizationthread

Similarity

Total matches: 2957
API ID: CloseHandleGetCurrentThreadIdSetEventUnhookWindowsHookExWaitForSingleObject
String ID:
API String ID: 3442057731-0
Opcode ID: bc40a7f740796d43594237fc13166084f8c3b10e9e48d5138e47e82ca7129165
Instruction ID: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1
Opcode Fuzzy Hash: E9C01296B2C9B0C1EC809712340202800B20F8FC590E3DE0509D7363005315D73CD92C
Instruction Fuzzy Hash: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1

APIs

UnhookWindowsHookEx.USER32(00000000), ref: 00444B9F
SetEvent.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBA
GetCurrentThreadId.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBF
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00444BD4
CloseHandle.KERNEL32(00000000), ref: 00444BDF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040D670, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148 Total matches: 3566thread

Similarity

Total matches: 3566
API ID: GetThreadLocale
String ID: eeee$ggg$yyyy
API String ID: 1366207816-1253427255
Opcode ID: 86fa1fb3c1f239f42422769255d2b4db7643f856ec586a18d45da068e260c20e
Instruction ID: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436
Opcode Fuzzy Hash: 3911BD8712648363D5722818A0D2BE3199C5703CA4EA89742DDB6356EA7F09440BEE6D
Instruction Fuzzy Hash: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436

APIs

GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Strings

eeee, xrefs: 0040D7AE
yyyy, xrefs: 0040D795
ggg, xrefs: 0040D785

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F5E4, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72 Total matches: 26window

Similarity

Total matches: 26
API ID: GetWindowPlacementGetWindowTextIsWindowVisible
String ID: ,
API String ID: 41250382-3772416878
Opcode ID: d98ece8bad481757d152ad7594c705093dec75069e9b5f9ec314c4d81001c558
Instruction ID: 1b57460ef1e40e225087e69e669dd845b9a56fe4f5442601256b4cdd4d0865f6
Opcode Fuzzy Hash: DBE0ABC68782816BD907FDCCB0207E6E1E4779394CC8CBB32C606396E44D92000DCE69
Instruction Fuzzy Hash: 1b57460ef1e40e225087e69e669dd845b9a56fe4f5442601256b4cdd4d0865f6

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F634
GetWindowPlacement.USER32(?,0000002C), ref: 0046F64F
IsWindowVisible.USER32(?), ref: 0046F655

Strings

,, xrefs: 0046F643

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00485150, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64 Total matches: 24registry

Similarity

Total matches: 24
API ID: RegCloseKeyRegOpenKeyRegSetValueEx
String ID: Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 551737238-1428018034
Opcode ID: 03d06dea9a4ea131a8c95bd501c85e7d0b73df60e0a15cb9a2dd1ac9fe2d308f
Instruction ID: 259808f008cd29689f11a183a475b32bbb219f99a0f83129d86369365ce9f44d
Opcode Fuzzy Hash: 15E04F8517EAE2ABA996B5C838866F7609A9713790F443FB19B742F18B4F04601CE243
Instruction Fuzzy Hash: 259808f008cd29689f11a183a475b32bbb219f99a0f83129d86369365ce9f44d

APIs

RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 00485199
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,?,00000000,004851DE,?,00000000,0048520A), ref: 004851C6
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,?,00000000,004851DE,?,00000000,0048520A), ref: 004851CF

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 0048518F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004606CC, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 59 Total matches: 75network

Similarity

Total matches: 75
API ID: gethostbynameinet_addr
String ID: %d.%d.%d.%d$0.0.0.0
API String ID: 1594361348-464342551
Opcode ID: 7e59b623bdbf8c44b8bb58eaa9a1d1e7bf08be48a025104469b389075155053e
Instruction ID: 136b4077bafd549567cd44b702fc781b2d0bdeab701521d256d746d30229b047
Opcode Fuzzy Hash: 62E0D84049F633C28038E685914DF713041C71A2DEF8F9352022171EF72B096986AE3F
Instruction Fuzzy Hash: 136b4077bafd549567cd44b702fc781b2d0bdeab701521d256d746d30229b047

APIs

inet_addr.WSOCK32(00000000), ref: 004606F6
gethostbyname.WSOCK32(00000000), ref: 00460711

Strings

%d.%d.%d.%d, xrefs: 0046075E
0.0.0.0, xrefs: 0046076C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043804C, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58 Total matches: 1778window

Similarity

Total matches: 1778
API ID: DrawMenuBarGetMenuItemInfoSetMenuItemInfo
String ID: P
API String ID: 41131186-3110715001
Opcode ID: ea0fd48338f9c30b58f928f856343979a74bbe7af1b6c53973efcbd39561a32d
Instruction ID: eec9c326b6739cd85be96541f469f9b321a478421ae7c7aca53e0c239bd8eefe
Opcode Fuzzy Hash: C8E0C0C1064C1301CCACB4938564F010221FB8B33CDD1D3C051602419A9D0080D4BFFA
Instruction Fuzzy Hash: eec9c326b6739cd85be96541f469f9b321a478421ae7c7aca53e0c239bd8eefe

APIs

GetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 0043809A
SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 004380EC
DrawMenuBar.USER32(00000000), ref: 004380F9

Strings

P, xrefs: 0043808C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474E20, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51 Total matches: 17synchronizationthreadinjection

Similarity

Total matches: 17
API ID: CreateRemoteThreadReadProcessMemoryWaitForSingleObject
String ID: DCPERSFWBP
API String ID: 972516186-2425095734
Opcode ID: c4bd10bfc42c7bc3ca456a767018bd77f736aecaa9343146970cff40bb4593b6
Instruction ID: 075115d4d80338f80b59a5c3f9ea77aa0f3a1cab00edb24ce612801bf173fcc5
Opcode Fuzzy Hash: 63D0A70B97094A56102D348D54027154341A601775EC177E38E36873F719C17051F85E
Instruction Fuzzy Hash: 075115d4d80338f80b59a5c3f9ea77aa0f3a1cab00edb24ce612801bf173fcc5

APIs

Part of subcall function 00474DF0: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,00475328,?,?,00474E3D,DCPERSFWBP,?,?), ref: 00474E06
Part of subcall function 00474DF0: WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,00000000,?,00003000,00000040,?,?,00475328,?,?,00474E3D), ref: 00474E12

CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00474E5E
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00474E6E
ReadProcessMemory.KERNEL32(?,00000000,?,?,?,DCPERSFWBP,?,?), ref: 00474E81

Strings

DCPERSFWBP, xrefs: 00474E28

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C3E4, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47 Total matches: 32libraryloader

Similarity

Total matches: 32
API ID: FreeLibraryGetProcAddressLoadLibrary
String ID: _DCEntryPoint
API String ID: 2438569322-2130044969
Opcode ID: ab6be07d423f29e2cef18b5ad5ff21cef58c0bd0bd6b8b884c8bb9d8d911d098
Instruction ID: 3cba8b520013dd4b177f9c32272ffd10ecf318a20762e1e9fa694429cf7511db
Opcode Fuzzy Hash: B9D0C2568747D413C405200439407D90CF1AF8719F9967FA145303FAD76F09801B7527
Instruction Fuzzy Hash: 3cba8b520013dd4b177f9c32272ffd10ecf318a20762e1e9fa694429cf7511db

APIs

LoadLibraryA.KERNEL32(00000000), ref: 0048C431
GetProcAddress.KERNEL32(00000000,_DCEntryPoint,00000000,0048C473), ref: 0048C442
FreeLibrary.KERNEL32(00000000), ref: 0048C44A

Strings

_DCEntryPoint, xrefs: 0048C43C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046D36C, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36 Total matches: 62

Similarity

Total matches: 62
API ID: ShellExecute
String ID: /k $[FILE]$open
API String ID: 2101921698-3009165984
Opcode ID: 68a05d7cd04e1a973318a0f22a03b327e58ffdc8906febc8617c9713a9b295c3
Instruction ID: d64fb813625eb261c687c2654e5203d30067de4ace02db37851750b48dd66fbf
Opcode Fuzzy Hash: FED0C75427CD9157FA017F8439527E61057E747281D481BE285587A0838F8D40659312
Instruction Fuzzy Hash: d64fb813625eb261c687c2654e5203d30067de4ace02db37851750b48dd66fbf

APIs

ShellExecuteA.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0046D3B9

Strings

/k , xrefs: 0046D39A
cmd.exe, xrefs: 0046D3AD
open, xrefs: 0046D3B2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042F9E4, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36 Total matches: 35libraryloader

Similarity

Total matches: 35
API ID: GetProcAddressLoadLibrary
String ID: DWMAPI.DLL$DwmExtendFrameIntoClientArea
API String ID: 3291547091-2956373744
Opcode ID: cc41b93bac7ef77e5c5829331b5f2d91e10911707bc9e4b3bb75284856726923
Instruction ID: 611aa7263024d751f308fb3d57e5af9092bc5a71ac2d52dead79affe02cb0da7
Opcode Fuzzy Hash: D0D0A7E4C08511B0F0509405703078241DE1BC5EEE8860E90150E533621B9FB827F65C
Instruction Fuzzy Hash: 611aa7263024d751f308fb3d57e5af9092bc5a71ac2d52dead79affe02cb0da7

APIs

LoadLibraryA.KERNEL32(DWMAPI.DLL), ref: 0042FA0E
GetProcAddress.KERNEL32(00000000,DwmExtendFrameIntoClientArea,?,?,?,00447F98), ref: 0042FA31

Strings

DWMAPI.DLL, xrefs: 0042FA09
DwmExtendFrameIntoClientArea, xrefs: 0042FA26

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042FA80, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31 Total matches: 41libraryloader

Similarity

Total matches: 41
API ID: GetProcAddressLoadLibrary
String ID: DWMAPI.DLL$DwmIsCompositionEnabled
API String ID: 3291547091-2128843254
Opcode ID: 903d86e3198bc805c96c7b960047695f5ec88b3268c29fda1165ed3f3bc36d22
Instruction ID: 6cdb37f6684ca359e010f835ed4616ce0f7732468e0f2b98b5f1960530870703
Opcode Fuzzy Hash: E3D0C9A5C0865175F571D509713068081FA23D6E8A8824998091A123225FAFB866F55C
Instruction Fuzzy Hash: 6cdb37f6684ca359e010f835ed4616ce0f7732468e0f2b98b5f1960530870703

APIs

LoadLibraryA.KERNEL32(DWMAPI.DLL), ref: 0042FAA6
GetProcAddress.KERNEL32(00000000,DwmIsCompositionEnabled,?,?,0042FB22,?,00447EFB), ref: 0042FAC9

Strings

DwmIsCompositionEnabled, xrefs: 0042FABE
DWMAPI.DLL, xrefs: 0042FAA1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040F4AC, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16 Total matches: 3137libraryloader

Similarity

Total matches: 3137
API ID: GetModuleHandleGetProcAddress
String ID: GetDiskFreeSpaceExA$[FILE]
API String ID: 1063276154-3559590856
Opcode ID: c33e0a58fb58839ae40c410e06ae8006a4b80140bf923832b2d6dbd30699e00d
Instruction ID: 9d6a6771c1a736381c701344b3d7b8e37c98dfc5013332f68a512772380f22cc
Opcode Fuzzy Hash: D8B09224E0D54114C4B4560930610013C82738A10E5019A820A1B720AA7CCEEA29603A
Instruction Fuzzy Hash: 9d6a6771c1a736381c701344b3d7b8e37c98dfc5013332f68a512772380f22cc

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0048F10B,00000000,0048F11E), ref: 0040F4B2
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA,kernel32.dll,?,0048F10B,00000000,0048F11E), ref: 0040F4C3

Strings

GetDiskFreeSpaceExA, xrefs: 0040F4BD
kernel32.dll, xrefs: 0040F4AD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EC20, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15 Total matches: 48libraryloader

Similarity

Total matches: 48
API ID: GetModuleHandleGetProcAddress
String ID: CoWaitForMultipleHandles$[FILE]
API String ID: 1063276154-3065170753
Opcode ID: c6d715972c75e747e6d7ad7506eebf8b4c41a2b527cd9bc54a775635c050cd0f
Instruction ID: d81c7de5bd030b21af5c52a75e3162b073d887a4de1eb555b8966bd0fb9ec815
Opcode Fuzzy Hash: 4DB012F9A0C9210CE55F44043163004ACF031C1B5F002FD461637827803F86F437631D
Instruction Fuzzy Hash: d81c7de5bd030b21af5c52a75e3162b073d887a4de1eb555b8966bd0fb9ec815

APIs

GetModuleHandleA.KERNEL32(ole32.dll,?,0042EC9A), ref: 0042EC26
GetProcAddress.KERNEL32(00000000,CoWaitForMultipleHandles,ole32.dll,?,0042EC9A), ref: 0042EC37

Strings

CoWaitForMultipleHandles, xrefs: 0042EC31
ole32.dll, xrefs: 0042EC21

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E724, Relevance: 6.2, APIs: 4, Instructions: 198 Total matches: 19

Similarity

Total matches: 19
API ID: NetApiBufferFree$NetShareEnumNetShareGetInfo
String ID:
API String ID: 1922012051-0
Opcode ID: 7e64b2910944434402afba410b58d9b92ec59018d54871fdfc00dd5faf96720b
Instruction ID: 14ccafa2cf6417a1fbed620c270814ec7f2ac7381c92f106b89344cab9500d3f
Opcode Fuzzy Hash: 522148C606BDA0ABF6A3B4C4B447FC182D07B0B96DE486B2290BABD5C20D9521079263
Instruction Fuzzy Hash: 14ccafa2cf6417a1fbed620c270814ec7f2ac7381c92f106b89344cab9500d3f

APIs

Part of subcall function 004032F8: GetCommandLineA.KERNEL32(00000000,00403349,?,?,?,00000000), ref: 0040330F

Part of subcall function 00403358: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,0046E763,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0040337C
Part of subcall function 00403358: GetCommandLineA.KERNEL32(?,?,?,0046E763,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0040338E

NetShareEnum.NETAPI32(?,00000000,?,000000FF,?,?,?,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0046E79C
NetShareGetInfo.NETAPI32(?,?,000001F6,?,00000000,0046E945,?,?,00000000,?,000000FF,?,?,?,00000000,0046E984), ref: 0046E7D5
NetApiBufferFree.NETAPI32(?,?,?,000001F6,?,00000000,0046E945,?,?,00000000,?,000000FF,?,?,?,00000000), ref: 0046E936
NetApiBufferFree.NETAPI32(?,?,00000000,?,000000FF,?,?,?,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0046E964

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00411444, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: 954335058d5fe722e048a186d9110509c96c1379a47649d8646f5b9e1a2e0a0b
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: 9D014B0327CAAA867021BB004882FA0D2D4DE52A369CD8774DB71593F62780571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004114F3
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041150F
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411586
VariantClear.OLEAUT32(?), ref: 004115AF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040D8AA, Relevance: 6.1, APIs: 4, Instructions: 101 Total matches: 2563

Similarity

Total matches: 2563
API ID: GetModuleFileName$LoadStringVirtualQuery
String ID:
API String ID: 2941097594-0
Opcode ID: 9f707685a8ca2ccbfc71ad53c7f9b5a8f910bda01de382648e3a286d4dcbad8b
Instruction ID: 9b6f9daabaaed01363acd1bc6df000eeaee8c5b1ee04e659690c8b100997f9f3
Opcode Fuzzy Hash: 4C014C024365E386F4234B112882F5492E0DB65DB1E8C6751EFB9503F65F40115EF72D
Instruction Fuzzy Hash: 9b6f9daabaaed01363acd1bc6df000eeaee8c5b1ee04e659690c8b100997f9f3

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040D8C9
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040D8ED
GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040D908
LoadStringA.USER32(00000000,0000FFED,?,00000100), ref: 0040D99E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428848, Relevance: 6.1, APIs: 4, Instructions: 83 Total matches: 2913window

Similarity

Total matches: 2913
API ID: CreateCompatibleDCRealizePaletteSelectObjectSelectPalette
String ID:
API String ID: 3833105616-0
Opcode ID: 7f49dee69bcd38fda082a6c54f39db5f53dba16227df2c2f18840f8cf7895046
Instruction ID: 29ada319a87402adac0eebea4d3b1ef9d21249ffa1523adf5174efdc3c3390a2
Opcode Fuzzy Hash: C0F0E5870BCED49BFCA7D484249722910C2F3C08DFC80A3324E55676DB9604B127A20B
Instruction Fuzzy Hash: 29ada319a87402adac0eebea4d3b1ef9d21249ffa1523adf5174efdc3c3390a2

APIs

Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE

Part of subcall function 00429D5C: GetDC.USER32(00000000), ref: 00429DB2
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429DC7
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00429DD1
Part of subcall function 00429D5C: CreateHalftonePalette.GDI32(00000000), ref: 00429DF5
Part of subcall function 00429D5C: ReleaseDC.USER32(00000000,00000000), ref: 00429E00

CreateCompatibleDC.GDI32(00000000), ref: 0042889D
SelectObject.GDI32(00000000,?), ref: 004288B6
SelectPalette.GDI32(00000000,?,000000FF), ref: 004288DF
RealizePalette.GDI32(00000000), ref: 004288EB

Part of subcall function 00425608: LeaveCriticalSection.KERNEL32(00000038,00000000,00423DD2,00423DE8), ref: 0042560F
Part of subcall function 00425608: EnterCriticalSection.KERNEL32(00499A30,00000038,00000000,00423DD2,00423DE8), ref: 00425619
Part of subcall function 00425608: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000038,00000000,00423DD2,00423DE8), ref: 00425626

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00470B94, Relevance: 6.1, APIs: 4, Instructions: 73 Total matches: 22file

Similarity

Total matches: 22
API ID: DragQueryFile$GlobalLockGlobalUnlock
String ID:
API String ID: 367920443-0
Opcode ID: 498cda1e803d17a6f5118466ea9165dd9226bd8025a920d397bde98fe09ca515
Instruction ID: b8ae27aaf29c7a970dfd4945759f76c89711bef1c6f8db22077be54f479f9734
Opcode Fuzzy Hash: F8F05C830F79E26BD5013A844E0179401A17B03DB8F147BB2D232729DC4E5D409DF60F
Instruction Fuzzy Hash: b8ae27aaf29c7a970dfd4945759f76c89711bef1c6f8db22077be54f479f9734

APIs

Part of subcall function 00431970: GetClipboardData.USER32(00000000), ref: 00431996

GlobalLock.KERNEL32(00000000,00000000,00470C74), ref: 00470BDE
DragQueryFileA.SHELL32(?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470BF0
DragQueryFileA.SHELL32(?,00000000,?,00000105,?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470C10
GlobalUnlock.KERNEL32(00000000,?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470C56

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00438710, Relevance: 6.1, APIs: 4, Instructions: 72 Total matches: 3034window

Similarity

Total matches: 3034
API ID: GetMenuItemIDGetMenuStateGetMenuStringGetSubMenu
String ID:
API String ID: 4177512249-0
Opcode ID: ecc45265f1f2dfcabc36b66648e37788e83d83d46efca9de613be41cbe9cf08e
Instruction ID: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d
Opcode Fuzzy Hash: BEE020084B1FC552541F0A4A1573F019140E142CB69C3F3635127565B31A255213F776
Instruction Fuzzy Hash: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d

APIs

GetMenuState.USER32(?,?,?), ref: 00438733
GetSubMenu.USER32(?,?), ref: 0043873E
GetMenuItemID.USER32(?,?), ref: 00438757
GetMenuStringA.USER32(?,?,?,?,?), ref: 004387AA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00445518, Relevance: 6.1, APIs: 4, Instructions: 71 Total matches: 218threadwindow

Similarity

Total matches: 218
API ID: GetCurrentProcessIdGetWindowGetWindowThreadProcessIdIsWindowVisible
String ID:
API String ID: 3659984437-0
Opcode ID: 6a2b99e3a66d445235cbeb6ae27631a3038d73fb4110980a8511166327fee1f0
Instruction ID: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8
Opcode Fuzzy Hash: 82E0AB21B2AA28AAE0971541B01939130B3F74ED9ACC0A3626F8594BD92F253809E74F
Instruction Fuzzy Hash: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8

APIs

GetWindow.USER32(?,00000004), ref: 00445528
GetWindowThreadProcessId.USER32(?,?), ref: 00445542
GetCurrentProcessId.KERNEL32(?,00000004), ref: 0044554E
IsWindowVisible.USER32(?), ref: 0044559E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B29C, Relevance: 6.1, APIs: 4, Instructions: 58 Total matches: 214window

Similarity

Total matches: 214
API ID: DeleteObject$GetIconInfoGetObject
String ID:
API String ID: 3019347292-0
Opcode ID: d6af2631bec08fa1cf173fc10c555d988242e386d2638a025981433367bbd086
Instruction ID: 7fbc048e39f9dd6e6db5f40543e5f161b145f4c2f282fe4a446dbd8e1941d375
Opcode Fuzzy Hash: F7D0C283228DE2F7ED767D983A636154085F782297C6423B00444730860A1E700C6A03
Instruction Fuzzy Hash: 7fbc048e39f9dd6e6db5f40543e5f161b145f4c2f282fe4a446dbd8e1941d375

APIs

GetIconInfo.USER32(?,?), ref: 0042B2BD
GetObjectA.GDI32(?,00000018,?), ref: 0042B2DE
DeleteObject.GDI32(?), ref: 0042B30A
DeleteObject.GDI32(?), ref: 0042B313

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00445334, Relevance: 6.1, APIs: 4, Instructions: 56 Total matches: 2678

Similarity

Total matches: 2678
API ID: EnumWindowsGetWindowGetWindowLongSetWindowPos
String ID:
API String ID: 1660305372-0
Opcode ID: c3d012854d63b95cd89c42a77d529bdce0f7c5ea0abc138a70ce1ca7fb0ed027
Instruction ID: 7947c1ee61b3a945b06f79495752ea495d4a1fb36974d9d540e15b721e8a8e8a
Opcode Fuzzy Hash: 65E07D89179DA114F52124400911F043342F3D731BD1ADF814246283E39B8522BBFB8C
Instruction Fuzzy Hash: 7947c1ee61b3a945b06f79495752ea495d4a1fb36974d9d540e15b721e8a8e8a

APIs

EnumWindows.USER32(Function_000452BC), ref: 0044535E
GetWindow.USER32(?,00000003), ref: 00445376
GetWindowLongA.USER32(00000000,000000EC), ref: 00445383
SetWindowPos.USER32(00000000,000000EC,00000000,00000000,00000000,00000000,00000213), ref: 004453C2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004314A0, Relevance: 6.1, APIs: 4, Instructions: 56 Total matches: 21memoryclipboard

Similarity

Total matches: 21
API ID: GlobalAllocGlobalLockGlobalUnlockSetClipboardData
String ID:
API String ID: 3535573752-0
Opcode ID: f0e50475fe096c382d27ee33e947bcf8d55d19edebb1ed8108c2663ee63934e9
Instruction ID: 2742e8ac83e55c90e50d408429e67af57535f67fab21309796ee5989aaacba5e
Opcode Fuzzy Hash: D7E0C250025CF01BF9CA69CD3C97E86D2D2DA402649D46FB58258A78B3222E6049E50B
Instruction Fuzzy Hash: 2742e8ac83e55c90e50d408429e67af57535f67fab21309796ee5989aaacba5e

APIs

GlobalAlloc.KERNEL32(00002002,?,00000000,00431572), ref: 004314CF
GlobalLock.KERNEL32(?,00000000,00431544,?,00002002,?,00000000,00431572), ref: 004314E9
SetClipboardData.USER32(?,?), ref: 00431517
GlobalUnlock.KERNEL32(?,0043153A,?,00000000,00431544,?,00002002,?,00000000,00431572), ref: 0043152D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040A404, Relevance: 6.1, APIs: 4, Instructions: 54 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: c8f11cb17e652d385e55d6399cfebc752614be738e382b5839b86fc73ea86396
Instruction ID: 2e292ce978d1af3d415e66e5b982e49a92b9d84a3d1479b7871fac408542b61b
Opcode Fuzzy Hash: 32D02B030B309613452F157D0441F8D7032488F01A96C2F8C37B77ABA68505605FFE4C
Instruction Fuzzy Hash: 2e292ce978d1af3d415e66e5b982e49a92b9d84a3d1479b7871fac408542b61b

APIs

FindNextFileA.KERNEL32(?,?), ref: 0040A415
GetLastError.KERNEL32(?,?), ref: 0040A41E
FileTimeToLocalFileTime.KERNEL32(?), ref: 0040A434
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 0040A443

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0041C2D4, Relevance: 6.1, APIs: 4, Instructions: 51 Total matches: 4966

Similarity

Total matches: 4966
API ID: FindResourceLoadResourceLockResourceSizeofResource
String ID:
API String ID: 3653323225-0
Opcode ID: 735dd83644160b8dcfdcb5d85422b4d269a070ba32dbf009b7750e227a354687
Instruction ID: 615d07274e164157e3e11310b2f920de543c2506028dc961f8b3aaf64374c2fd
Opcode Fuzzy Hash: 4BD0A90A2268C100582C2C80002BBC610830A5FE226CC27F902231BBC32C026024F8C4
Instruction Fuzzy Hash: 615d07274e164157e3e11310b2f920de543c2506028dc961f8b3aaf64374c2fd

APIs

FindResourceA.KERNEL32(?,?,?), ref: 0041C2EB
LoadResource.KERNEL32(?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C305
SizeofResource.KERNEL32(?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C31F
LockResource.KERNEL32(0041BDF4,00000000,?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000), ref: 0041C329

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040A3AC, Relevance: 6.0, APIs: 4, Instructions: 40 Total matches: 51time

Similarity

Total matches: 51
API ID: DosDateTimeToFileTimeGetLastErrorLocalFileTimeToFileTimeSetFileTime
String ID:
API String ID: 3095628216-0
Opcode ID: dc7fe683cb9960f76d0248ee31fd3249d04fe76d6d0b465a838fe0f3e66d3351
Instruction ID: c3399427300e97a0bf23ec08d7f996c3ab3c22a86554ee3675cd901d102723b3
Opcode Fuzzy Hash: F2C0803B165157D71F4F7D7C600375011F0D1778230955B614E019718D4E05F01EFD86
Instruction Fuzzy Hash: c3399427300e97a0bf23ec08d7f996c3ab3c22a86554ee3675cd901d102723b3

APIs

DosDateTimeToFileTime.KERNEL32(?,0048C37F,?), ref: 0040A3C9
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0040A3DA
SetFileTime.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3EC
GetLastError.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3F5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00484388, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 39

Similarity

Total matches: 39
API ID: CloseHandleGetExitCodeProcessOpenProcessTerminateProcess
String ID:
API String ID: 2790531620-0
Opcode ID: 2f64381cbc02908b23ac036d446d8aeed05bad4df5f4c3da9e72e60ace7043ae
Instruction ID: e830ae185e03603e72926048c7063e7464f7d8c572e36ef4319c937be7ad0c91
Opcode Fuzzy Hash: 5DC01285079EAB7B643571D825437E14084D5026CCB943B7185045F10B4B09B43DF053
Instruction Fuzzy Hash: e830ae185e03603e72926048c7063e7464f7d8c572e36ef4319c937be7ad0c91

APIs

OpenProcess.KERNEL32(00000001,00000000,00000000), ref: 00484393
GetExitCodeProcess.KERNEL32(00000000,?), ref: 004843B7
TerminateProcess.KERNEL32(00000000,?,00000000,004843E0,?,00000001,00000000,00000000), ref: 004843C4
CloseHandle.KERNEL32(00000000), ref: 004843DA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044E254, Relevance: 6.0, APIs: 4, Instructions: 37 Total matches: 5751thread

Similarity

Total matches: 5751
API ID: GetCurrentProcessIdGetPropGetWindowThreadProcessIdGlobalFindAtom
String ID:
API String ID: 142914623-0
Opcode ID: 055fee701d7a26f26194a738d8cffb303ddbdfec43439e02886190190dab2487
Instruction ID: e9689aead5eaf442059aa2d418bca5d111d08576717f72d926dd49825766799b
Opcode Fuzzy Hash: 0AC02203AD2E23870E4202F2E840907219583DF8720CA370201B0E38C023F0461DFF0C
Instruction Fuzzy Hash: e9689aead5eaf442059aa2d418bca5d111d08576717f72d926dd49825766799b

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 0044E261
GetCurrentProcessId.KERNEL32(00000000,?,?,-00000010,00000000,0044E2CC,-000000F7,?,00000000,0044DE86,?,-00000010,?), ref: 0044E26A
GlobalFindAtomA.KERNEL32(00000000), ref: 0044E27F
GetPropA.USER32(00000000,00000000), ref: 0044E296

Part of subcall function 0044D2C0: GetWindowThreadProcessId.USER32(?), ref: 0044D2C6
Part of subcall function 0044D2C0: GetCurrentProcessId.KERNEL32(?,?,?,?,0044D346,?,00000000,?,004387ED,?,004378A9), ref: 0044D2CF
Part of subcall function 0044D2C0: SendMessageA.USER32(?,0000C1C7,00000000,00000000), ref: 0044D2E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444B1C, Relevance: 6.0, APIs: 4, Instructions: 34 Total matches: 2966thread

Similarity

Total matches: 2966
API ID: CreateEventCreateThreadGetCurrentThreadIdSetWindowsHookEx
String ID:
API String ID: 2240124278-0
Opcode ID: 54442a1563c67a11f9aee4190ed64b51599c5b098d388fde65e2e60bb6332aef
Instruction ID: 25b62da08cecef26c395931cea73ffe9b62582a88be241cbb158b3c9ea13de32
Opcode Fuzzy Hash: 37D0C940B0DE75C4F860630138017A90633234BF1BCD1C316480F76041C6CFAEF07A28
Instruction Fuzzy Hash: 25b62da08cecef26c395931cea73ffe9b62582a88be241cbb158b3c9ea13de32

APIs

GetCurrentThreadId.KERNEL32(?,00447A69,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00444B34
SetWindowsHookExA.USER32(00000003,00444AD8,00000000,00000000), ref: 00444B44
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00447A69,?,?,?,?,?,?,?,?,?,?), ref: 00444B5F
CreateThread.KERNEL32(00000000,000003E8,00444A7C,00000000,00000000), ref: 00444B83

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B438, Relevance: 6.0, APIs: 4, Instructions: 29 Total matches: 789

Similarity

Total matches: 789
API ID: GetDCGetTextMetricsReleaseDCSelectObject
String ID:
API String ID: 1769665799-0
Opcode ID: db772d9cc67723a7a89e04e615052b16571c955da3e3b2639a45f22e65d23681
Instruction ID: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3
Opcode Fuzzy Hash: DCC02B935A2888C32DE51FC0940084317C8C0E3A248C62212E13D400727F0C007CBFC0
Instruction Fuzzy Hash: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3

APIs

GetDC.USER32(00000000), ref: 0042B441
SelectObject.GDI32(00000000,018A002E), ref: 0042B453
GetTextMetricsA.GDI32(00000000), ref: 0042B45E
ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042473C, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 172 Total matches: 108

Similarity

Total matches: 108
API ID: CompareStringCreateFontIndirect
String ID: Default
API String ID: 480662435-753088835
Opcode ID: 55710f22f10b58c86f866be5b7f1af69a0ec313069c5af8c9f5cd005ee0f43f8
Instruction ID: ad4a051fb67a15694052d05548e5e2a92b9daedfa5d673be67c756d1cf269a99
Opcode Fuzzy Hash: F6116A2104DDB067F8B3EC94B64A74A79D1BBC5E9EC00FB303AA57198A0B01500EEB0E
Instruction Fuzzy Hash: ad4a051fb67a15694052d05548e5e2a92b9daedfa5d673be67c756d1cf269a99

APIs

Part of subcall function 00423A1C: EnterCriticalSection.KERNEL32(?,00423A59), ref: 00423A20

CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,00424930,?,00000000,00424958), ref: 0042486B
CreateFontIndirectA.GDI32(?), ref: 0042490D

Part of subcall function 0042B438: GetDC.USER32(00000000), ref: 0042B441
Part of subcall function 0042B438: SelectObject.GDI32(00000000,018A002E), ref: 0042B453
Part of subcall function 0042B438: GetTextMetricsA.GDI32(00000000), ref: 0042B45E
Part of subcall function 0042B438: ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Part of subcall function 00423A28: LeaveCriticalSection.KERNEL32(-00000008,00423B07,00423B0F), ref: 00423A2C

Strings

Default, xrefs: 00424832, 00424840, 00424841

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E3F0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103 Total matches: 30

Similarity

Total matches: 30
API ID: SHGetPathFromIDListSHGetSpecialFolderLocation
String ID: .LNK
API String ID: 739551631-2547878182
Opcode ID: 6b91e9416f314731ca35917c4d41f2341f1eaddd7b94683245f35c4551080332
Instruction ID: e6ae6f63a256f5e8788dfe1c4fce17057cd352befa637d7beb5ae1c0f18a968e
Opcode Fuzzy Hash: 9701B543079EC2A3D9232E512D43BA60129AF11E22F4C77F35A3C3A7D11E500105FA4A
Instruction Fuzzy Hash: e6ae6f63a256f5e8788dfe1c4fce17057cd352befa637d7beb5ae1c0f18a968e

APIs

SHGetSpecialFolderLocation.SHELL32(00000000,00000010,?), ref: 0046E44B
SHGetPathFromIDListA.SHELL32(?,?,00000000,00000010,?,00000000,0046E55E), ref: 0046E463

Part of subcall function 0042BE44: CoCreateInstance.OLE32(?,00000000,00000005,0042BF34,00000000), ref: 0042BE8B

Strings

.LNK, xrefs: 0046E4DE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00472C70, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 98 Total matches: 26

Similarity

Total matches: 26
API ID: SetFileAttributes
String ID: I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!$drivers\etc\hosts
API String ID: 3201317690-57959411
Opcode ID: de1fcf5289fd0d37c0d7642ff538b0d3acf26fbf7f5b53187118226b7e9f9585
Instruction ID: 1f69c6cfd5524e6f1e55c33e322de11738733e7ba85079705839c212502733fc
Opcode Fuzzy Hash: C4012B430F74D723D5173D857800B8922764B4A179D4A77F34B3B796E14E45101BF26D
Instruction Fuzzy Hash: 1f69c6cfd5524e6f1e55c33e322de11738733e7ba85079705839c212502733fc

APIs

Part of subcall function 004719C8: GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 004719DF

SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00472DAB,?,00000000,00472DE7), ref: 00472D16

Strings

drivers\etc\hosts, xrefs: 00472CD3, 00472D00
I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!, xrefs: 00472D8D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004629C0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 91 Total matches: 35com

Similarity

Total matches: 35
API ID: CoCreateInstance
String ID: <*I$L*I
API String ID: 206711758-935359969
Opcode ID: 926ebed84de1c4f5a0cff4f8c2e2da7e6b2741b3f47b898da21fef629141a3d9
Instruction ID: fa8d7291222113e0245fa84df17397d490cbd8a09a55d837a8cb9fde22732a4b
Opcode Fuzzy Hash: 79F02EA00A6B5057F502728428413DB0157E74BF09F48EB715253335860F29E22A6903
Instruction Fuzzy Hash: fa8d7291222113e0245fa84df17397d490cbd8a09a55d837a8cb9fde22732a4b

APIs

CoCreateInstance.OLE32(00492A3C,00000000,00000001,0049299C,00000000), ref: 00462A3F

Strings

<*I, xrefs: 00462A39
L*I, xrefs: 00462A60

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004658F4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91 Total matches: 91memory

Similarity

Total matches: 91
API ID: VirtualFreeVirtualProtect
String ID: FinalizeSections: VirtualProtect failed
API String ID: 636303360-3584865983
Opcode ID: eacfc3cf263d000af2bbea4d1e95e0ccf08e91c00f24ffdf9b55ce997f25413f
Instruction ID: a25c5a888a9fda5817e5b780509016ca40cf7ffd1ade20052d4c48f0177e32df
Opcode Fuzzy Hash: 8CF0A7A2164FC596D9E4360D5003B96A44B6BC1369D4857412FFF106F35E46A06B7D4C
Instruction Fuzzy Hash: a25c5a888a9fda5817e5b780509016ca40cf7ffd1ade20052d4c48f0177e32df

APIs

VirtualFree.KERNEL32(?,?,00004000), ref: 00465939
VirtualProtect.KERNEL32(?,?,00000000,?), ref: 004659A5

Strings

FinalizeSections: VirtualProtect failed, xrefs: 004659B3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00404B2E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83 Total matches: 27

Similarity

Total matches: 27
API ID: UnhandledExceptionFilter
String ID: @
API String ID: 324268079-2726393805
Opcode ID: 404135c81fb2f5f5ca58f8e75217e0a603ea6e07d48b6f32e279dfa7f56b0152
Instruction ID: c84c814e983b35b1fb5dae0ae7b91a26e19a660e9c4fa24becd8f1ddc27af483
Opcode Fuzzy Hash: CDF0246287E8612AD0BB6641389337E1451EF8189DC88DB307C9A306FB1A4D22A4F34C
Instruction Fuzzy Hash: c84c814e983b35b1fb5dae0ae7b91a26e19a660e9c4fa24becd8f1ddc27af483

APIs

UnhandledExceptionFilter.KERNEL32(00000006), ref: 00404B9A
UnhandledExceptionFilter.KERNEL32(?), ref: 00404BD7

Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00000000,00403029), ref: 004076AD
Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00403029), ref: 004076BE

Strings

@, xrefs: 00404B55

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040C028, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79 Total matches: 3032thread

Similarity

Total matches: 3032
API ID: GetDateFormatGetThreadLocale
String ID: yyyy
API String ID: 358233383-3145165042
Opcode ID: a9ef5bbd8ef47e5bcae7fadb254d6b5dc10943448e4061dc92b10bb97dc7929c
Instruction ID: 3d7ab4add3e8180159f8482215856afc9a1a963464e366b4ca05c92ac214afea
Opcode Fuzzy Hash: 09F09E4A0397D3D76802C969D023BC10194EB5A8B2C88B3B1DBB43D7F74C10C40AAF21
Instruction Fuzzy Hash: 3d7ab4add3e8180159f8482215856afc9a1a963464e366b4ca05c92ac214afea

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,0040C116), ref: 0040C0AE
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100), ref: 0040C0B4

Strings

yyyy, xrefs: 0040C089

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004889F0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 72 Total matches: 20

Similarity

Total matches: 20
API ID: GetMonitorInfo
String ID: H$MONSIZE
API String ID: 2399315694-578782711
Opcode ID: fcbd22419a9fe211802b34775feeb9b9cd5c1eab3f2b681a58b96c928ed20dcd
Instruction ID: 58dff39716ab95f400833e95f8353658d64ab2bf0589c4ada55bb24297febcec
Opcode Fuzzy Hash: A0F0E957075E9D5BE7326D883C177C042D82342C5AE8EB75741B9329B20D59511DF3C9
Instruction Fuzzy Hash: 58dff39716ab95f400833e95f8353658d64ab2bf0589c4ada55bb24297febcec

APIs

GetMonitorInfoA.USER32(?,00000048), ref: 00488A28

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

H, xrefs: 00488A19
MONSIZE, xrefs: 00488A65

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486210, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66 Total matches: 14network

Similarity

Total matches: 14
API ID: recvsend
String ID: EndReceive
API String ID: 740075404-1723565878
Opcode ID: 0642aeb2bf09005660d41f125a1d03baad4e76b78f36ec5b7dd5d239cf09d5cc
Instruction ID: 216cfea4cb83c20b808547ecb65d31b60c96cf6878345f9c489041ca4988cdb5
Opcode Fuzzy Hash: 4FE02B06133A455DE6270580341A3C7F947772B705E47D7F14FA4311DACA43322AE70B
Instruction Fuzzy Hash: 216cfea4cb83c20b808547ecb65d31b60c96cf6878345f9c489041ca4988cdb5

APIs

Part of subcall function 00466470: acmStreamConvert.MSACM32(?,00000108,00000000), ref: 004664AB
Part of subcall function 00466470: acmStreamReset.MSACM32(?,00000000,?,00000108,00000000), ref: 004664B9

send.WSOCK32(00000000,0049A3A0,00000000,00000000), ref: 004862AA
recv.WSOCK32(00000000,0049A3A0,00001FFF,00000000,00000000,0049A3A0,00000000,00000000), ref: 004862C1

Part of subcall function 00475F68: send.WSOCK32(?,00000000,?,00000000,00000000,00475FCA), ref: 00475FAF

Strings

EndReceive, xrefs: 004862CA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004843EC, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52 Total matches: 15

Similarity

Total matches: 15
API ID: CloseHandleOpenProcess
String ID: ACCESS DENIED (x64)
API String ID: 39102293-185273294
Opcode ID: a572bc7c6731d9d91b92c5675ac9d9d4c0009ce4d4d6c6579680fd2629dc7de7
Instruction ID: 96dec37c68e2c881eb92ad81010518019459718a977f0d9739e81baf42475d3b
Opcode Fuzzy Hash: EBE072420B68F08FB4738298640028100C6AE862BCC486BB5523B391DB4E49A008B6A3
Instruction Fuzzy Hash: 96dec37c68e2c881eb92ad81010518019459718a977f0d9739e81baf42475d3b

APIs

OpenProcess.KERNEL32(001F0FFF,00000000), ref: 0048440F
CloseHandle.KERNEL32(00000000), ref: 00484475

Strings

ACCESS DENIED (x64), xrefs: 004843FD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E408, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44 Total matches: 2190

Similarity

Total matches: 2190
API ID: GetSystemMetrics
String ID: MonitorFromPoint
API String ID: 96882338-1072306578
Opcode ID: 666203dad349f535e62b1e5569e849ebaf95d902ba2aa8f549115cec9aadc9dc
Instruction ID: 9e90a3aeaa9df0e76633c437836624889fea8714b6c2508f44f8acb6986c90e8
Opcode Fuzzy Hash: 72D09540005C404E9427F505302314050862CD7C1444C0A96073728A4B4BC07837E70C
Instruction Fuzzy Hash: 9e90a3aeaa9df0e76633c437836624889fea8714b6c2508f44f8acb6986c90e8

APIs

GetSystemMetrics.USER32(00000000), ref: 0042E456
GetSystemMetrics.USER32(00000001), ref: 0042E468

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

MonitorFromPoint, xrefs: 0042E41A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00405026, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43 Total matches: 29

Similarity

Total matches: 29
API ID: UnhandledExceptionFilter
String ID: @$@
API String ID: 324268079-1993891284
Opcode ID: 08651bee2e51f7c203f2bcbc4971cbf38b3c12a2f284cd033f2f36121a1f9316
Instruction ID: 09869fe21a55f28103c5e2f74b220912f521d4c5ca74f0421fb5e508a020f7c0
Opcode Fuzzy Hash: 83E0CD9917D5514BE0755684259671E1051EF05825C4A8F316D173C1FB151A11E4F77C
Instruction Fuzzy Hash: 09869fe21a55f28103c5e2f74b220912f521d4c5ca74f0421fb5e508a020f7c0

APIs

UnhandledExceptionFilter.KERNEL32(00000006), ref: 00405047

Strings

@, xrefs: 00405080
@, xrefs: 004050A2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00422188, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42 Total matches: 16registry

Similarity

Total matches: 16
API ID: RegSetValueEx
String ID: NoControlPanel$tdA
API String ID: 3711155140-1355984343
Opcode ID: 5e8bf8497a5466fff8bc5eb4e146d5dc6a0602752481f5dd4d5504146fb4de3d
Instruction ID: cdf02c1bfc0658aace9b7e9a135c824c3cff313d703079df6a374eed0d2e646e
Opcode Fuzzy Hash: E2D0A75C074881C524D914CC3111E01228593157AA49C3F52875D627F70E00E038DD1E
Instruction Fuzzy Hash: cdf02c1bfc0658aace9b7e9a135c824c3cff313d703079df6a374eed0d2e646e

APIs

RegSetValueExA.ADVAPI32(?,00000000,00000000,00000000,?,?,004724E0,00000000,004724E0), ref: 004221BA

Strings

NoControlPanel, xrefs: 00422188
tdA, xrefs: 004221D0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E258, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39 Total matches: 3131

Similarity

Total matches: 3131
API ID: GetSystemMetrics
String ID: GetSystemMetrics
API String ID: 96882338-96882338
Opcode ID: bbc54e4b5041dfa08de2230ef90e8f32e1264c6e24ec09b97715d86cc98d23e9
Instruction ID: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c
Opcode Fuzzy Hash: B4D0A941986AA908E0AF511971A336358D163D2EA0C8C8362308B329EB5741B520AB01
Instruction Fuzzy Hash: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c

APIs

GetSystemMetrics.USER32(?), ref: 0042E2BA

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

GetSystemMetrics.USER32(?), ref: 0042E280

Strings

GetSystemMetrics, xrefs: 0042E268

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Process Name: window-on-top.tmp Analysis ID: 70878

General

Root Process Name:	regdrv.exe
Process MD5:	90FC739C83CD19766ACB562C66A7D0E2
Total matches:	182
Initial Analysis Report:	Open
Initial sample Analysis ID:	70878
Initial sample SHA 256:	234942ED1DC29A6A4FBEED97E3967DF28C774B6FB6CA49CC1C51AB03EE3FADEF
Initial sample name:	crestron_usbdriver_w10_module_2.01.527.exe

Similar Executed Functions

Function 004458CC, Relevance: 19.9, APIs: 13, Instructions: 386 Total matches: 159window

Similarity

Total matches: 159
API ID: SetFocus$GetFocusIsWindowEnabledPostMessage$GetLastActivePopupIsWindowVisibleSendMessage
String ID:
API String ID: 914620548-0
Opcode ID: 7a550bb8e8bdfffe0a3d884064dd1348bcd58c670023c5df15e5d4cbc78359b7
Instruction ID: ae7cdb1027d949e36366800a998b34cbf022b374fa511ef6be9943eb0d4292bd
Opcode Fuzzy Hash: 79518B4165DF6212E8BB908076A3BE6604BF7C6B9ECC8DF3411D53649B3F44620EE306
Instruction Fuzzy Hash: ae7cdb1027d949e36366800a998b34cbf022b374fa511ef6be9943eb0d4292bd

APIs

Part of subcall function 00445780: SetThreadLocale.KERNEL32(00000400,?,?,?,0044593F,00000000,00445F57), ref: 004457A3

Part of subcall function 00445F90: SetActiveWindow.USER32(?), ref: 00445FB5
Part of subcall function 00445F90: IsWindowEnabled.USER32(00000000), ref: 00445FE1
Part of subcall function 00445F90: SetWindowPos.USER32(?,00000000,00000000,00000000,?,00000000,00000040), ref: 0044602B
Part of subcall function 00445F90: DefWindowProcA.USER32(?,00000112,0000F020,00000000), ref: 00446040

Part of subcall function 00446070: SetActiveWindow.USER32(?), ref: 0044608F
Part of subcall function 00446070: ShowWindow.USER32(00000000,00000009), ref: 004460B4
Part of subcall function 00446070: IsWindowEnabled.USER32(00000000), ref: 004460D3
Part of subcall function 00446070: DefWindowProcA.USER32(?,00000112,0000F120,00000000), ref: 004460EC
Part of subcall function 00446070: SetWindowPos.USER32(?,00000000,00000000,?,?,00445ABE,00000000), ref: 00446132
Part of subcall function 00446070: SetFocus.USER32(00000000), ref: 00446180

Part of subcall function 00445F74: LoadIconA.USER32(00000000,00007F00), ref: 00445F8A

PostMessageA.USER32(?,0000B001,00000000,00000000), ref: 00445BCD

Part of subcall function 00445490: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000213), ref: 004454DE

PostMessageA.USER32(?,0000B000,00000000,00000000), ref: 00445BAB
SendMessageA.USER32(?,?,?,?), ref: 00445C73

Part of subcall function 00405388: FreeLibrary.KERNEL32(00400000,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405410
Part of subcall function 00405388: ExitProcess.KERNEL32(00000000,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405448

Part of subcall function 0044641C: IsWindowEnabled.USER32(00000000), ref: 00446458

IsWindowEnabled.USER32(00000000), ref: 00445D18
IsWindowVisible.USER32(00000000), ref: 00445D2D
GetFocus.USER32 ref: 00445D41
SetFocus.USER32(00000000), ref: 00445D50
SetFocus.USER32(00000000), ref: 00445D6F
IsWindowEnabled.USER32(00000000), ref: 00445DD0
SetFocus.USER32(00000000), ref: 00445DF2
GetLastActivePopup.USER32(?), ref: 00445E0A

Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773

GetFocus.USER32 ref: 00445E4F

Part of subcall function 0043BA80: GetCurrentThreadId.KERNEL32(Function_0003BA1C,00000000,0044283C,00000000,004428BF), ref: 0043BA9A
Part of subcall function 0043BA80: EnumThreadWindows.USER32(00000000,Function_0003BA1C,00000000), ref: 0043BAA0

SetFocus.USER32(00000000), ref: 00445E70

Part of subcall function 00446A88: PostMessageA.USER32(?,0000B01F,00000000,00000000), ref: 00446BA1

Part of subcall function 004466B8: SendMessageA.USER32(?,0000B020,00000001,?), ref: 004466DC

Part of subcall function 0044665C: SendMessageA.USER32(?,0000B020,00000000,?), ref: 0044667E

Part of subcall function 0045D684: SystemParametersInfoA.USER32(00000068,00000000,015E3408,00000000), ref: 0045D6C8
Part of subcall function 0045D684: SendMessageA.USER32(?,?,00000000,00000000), ref: 0045D6DB

Part of subcall function 00445844: DefWindowProcA.USER32(?,?,?,?), ref: 0044586E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040EBCC, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201 Total matches: 3634thread

Similarity

Total matches: 3634
API ID: GetThreadLocale
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 1366207816-2493093252
Opcode ID: 01a36ac411dc2f0c4b9eddfafa1dc6121dabec367388c2cb1b6e664117e908cf
Instruction ID: d03f869ccb848d3c28b0e9f5c57a02ed4726818649ba9b5e70cc30c7e7abe10a
Opcode Fuzzy Hash: 7E216E09A7888936D262494C3885B9414F75F1A161EC4CBF18BB2757ED6EC60422FBFB
Instruction Fuzzy Hash: d03f869ccb848d3c28b0e9f5c57a02ed4726818649ba9b5e70cc30c7e7abe10a

APIs

Part of subcall function 0040EB08: GetThreadLocale.KERNEL32 ref: 0040EB2A
Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000004A), ref: 0040EB7D
Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000002A), ref: 0040EB8C

Part of subcall function 0040D3E8: GetThreadLocale.KERNEL32(00000000,0040D4FB,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040D404

GetThreadLocale.KERNEL32(00000000,0040EE97,?,?,00000000,00000000), ref: 0040EC02

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Part of subcall function 0040D380: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040EC7E,00000000,0040EE97,?,?,00000000,00000000), ref: 0040D393

Part of subcall function 0040D670: GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(?,00000000,0040D657,?,?,00000000), ref: 0040D5D8
Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040D657,?,?,00000000), ref: 0040D608
Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D50C,00000000,00000000,00000004), ref: 0040D613
Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040D657,?,?,00000000), ref: 0040D631
Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D548,00000000,00000000,00000003), ref: 0040D63C

Strings

AMPM , xrefs: 0040EE25
mmmm d, yyyy, xrefs: 0040ECFE
m/d/yy, xrefs: 0040ECD1
:mm, xrefs: 0040EE35
:mm:ss, xrefs: 0040EE52
AMPM, xrefs: 0040EE16

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B47C, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58 Total matches: 283

Similarity

Total matches: 283
API ID: MulDiv
String ID: MS Shell Dlg 2$SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes$Tahoma
API String ID: 940359406-1011973972
Opcode ID: 9f338f1e3de2c8e95426f3758bdd42744a67dcd51be80453ed6f2017c850a3af
Instruction ID: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a
Opcode Fuzzy Hash: EDE0680017C8F0ABFC32BC8A30A17CD20C9F341270C0063B1065D3D8CAAB4AC018E907
Instruction Fuzzy Hash: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a

APIs

MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0042B4A2

Part of subcall function 004217A0: RegCloseKey.ADVAPI32(10940000,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5,?,00000000,0048B2DD), ref: 004217B4

Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421A81
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421AF1
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?), ref: 00421B5C

Part of subcall function 00421770: RegFlushKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 00421781
Part of subcall function 00421770: RegCloseKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 0042178A

Part of subcall function 0042B438: GetDC.USER32(00000000), ref: 0042B441
Part of subcall function 0042B438: SelectObject.GDI32(00000000,018A002E), ref: 0042B453
Part of subcall function 0042B438: GetTextMetricsA.GDI32(00000000), ref: 0042B45E
Part of subcall function 0042B438: ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes, xrefs: 0042B4F8
MS Shell Dlg 2, xrefs: 0042B50C
Tahoma, xrefs: 0042B4C4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00421140, Relevance: 6.1, APIs: 4, Instructions: 59 Total matches: 2877registry

Similarity

Total matches: 2877
API ID: GetClassInfoRegisterClassSetWindowLongUnregisterClass
String ID:
API String ID: 1046148194-0
Opcode ID: c2411987b4f71cfd8dbf515c505d6b009a951c89100e7b51cc1a9ad4868d85a2
Instruction ID: ad09bb2cd35af243c34bf0a983bbfa5e937b059beb8f7eacfcf21e0321a204f6
Opcode Fuzzy Hash: 17E026123D08D3D6E68B3107302B30D00AC1B2F524D94E725428030310CB24B034D942
Instruction Fuzzy Hash: ad09bb2cd35af243c34bf0a983bbfa5e937b059beb8f7eacfcf21e0321a204f6

APIs

GetClassInfoA.USER32(00400000,00421130,?), ref: 00421161
UnregisterClassA.USER32(00421130,00400000), ref: 0042118A
RegisterClassA.USER32(00491B50), ref: 00421194

Part of subcall function 0040857C: CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004085BB

Part of subcall function 00421084: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 004210A2

SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 004211DF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Similar Non-Executed Functions

Function 00428B08, Relevance: 48.5, APIs: 32, Instructions: 500 Total matches: 1987window

Similarity

Total matches: 1987
API ID: SelectObject$SelectPalette$CreateCompatibleDCGetDIBitsGetDeviceCapsRealizePaletteSetBkColorSetTextColor$BitBltCreateBitmapCreateCompatibleBitmapCreateDIBSectionDeleteDCFillRectGetDCGetDIBColorTableGetObjectPatBltSetDIBColorTable
String ID:
API String ID: 3042800676-0
Opcode ID: b8b687cee1c9a2d9d2f26bc490dbdcc6ec68fc2f2ec1aa58312beb2e349b1411
Instruction ID: ff68489d249ea03a763d48795c58495ac11dd1cccf96ec934182865f2a9e2114
Opcode Fuzzy Hash: E051494D0D8CF5C7B4BF29880993F5211816F83A27D2AB7130975677FB8A05A05BF21D
Instruction Fuzzy Hash: ff68489d249ea03a763d48795c58495ac11dd1cccf96ec934182865f2a9e2114

APIs

GetObjectA.GDI32(00000000,00000054,?), ref: 00428B88
GetDC.USER32(00000000), ref: 00428B99
CreateCompatibleDC.GDI32(00000000), ref: 00428BAA
CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 00428BF6
CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 00428C1A
GetDeviceCaps.GDI32(00000028,0000000C), ref: 00428C6A
GetDeviceCaps.GDI32(00000028,0000000E), ref: 00428C77
SelectObject.GDI32(?,?), ref: 00428D7F

Part of subcall function 004262B4: GetObjectA.GDI32(?,00000004), ref: 004262CB
Part of subcall function 004262B4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 004262EE

SelectObject.GDI32(?,00000000), ref: 00428D21
GetDIBColorTable.GDI32(?,00000000,00000100,-00000027), ref: 00428D47
GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428D72
CreateDIBSection.GDI32(00000028,00000001,00000000,00000003,00000000,00000000), ref: 00428DD5
GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428E36

Part of subcall function 00425A70: GetLastError.KERNEL32(00000000,00425B0C), ref: 00425A90
Part of subcall function 00425A70: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00425B0C), ref: 00425AB6

SelectObject.GDI32(?,?), ref: 00428E77
SelectPalette.GDI32(?,00000000,00000000), ref: 00428EB7
RealizePalette.GDI32(?), ref: 00428EC3
SelectPalette.GDI32(?,?,000000FF), ref: 004290CE

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?,00000000), ref: 00428F14
SetTextColor.GDI32(?,00000000), ref: 00428F2C
SetBkColor.GDI32(?,00000000), ref: 00428F46
SetDIBColorTable.GDI32(?,00000000,00000002,?), ref: 00428F8E
PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 00428FB0
CreateCompatibleDC.GDI32(00000028), ref: 00428FC3
SelectObject.GDI32(?,00000000), ref: 00428FE6
SelectPalette.GDI32(?,00000000,00000000), ref: 00429002
RealizePalette.GDI32(?), ref: 0042900D
DeleteDC.GDI32(?), ref: 004290A4

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetTextColor.GDI32(?,00000000), ref: 0042902B
SetBkColor.GDI32(?,00000000), ref: 00429045
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042906D
SelectPalette.GDI32(?,00000000,000000FF), ref: 0042907F
SelectObject.GDI32(?,00000000), ref: 00429089

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043B7D8, Relevance: 12.1, APIs: 8, Instructions: 72 Total matches: 256window

Similarity

Total matches: 256
API ID: ShowWindow$SetWindowLong$GetWindowLongIsIconicIsWindowVisible
String ID:
API String ID: 1329766111-0
Opcode ID: 851ee31c2da1c7e890e66181f8fd9237c67ccb8fd941b2d55d1428457ca3ad95
Instruction ID: 2d601e2c9dde570a1438639cb57e59d23a7ac9434ebe8ec1c9926e4533b8e8e7
Opcode Fuzzy Hash: FEE0684A6E7C6CE4E26AE7048881B00514BE307A17DC00B00C722165A69E8830E4AC8E
Instruction Fuzzy Hash: 2d601e2c9dde570a1438639cb57e59d23a7ac9434ebe8ec1c9926e4533b8e8e7

APIs

GetWindowLongA.USER32(?,000000EC), ref: 0043B7E8
IsIconic.USER32(?), ref: 0043B800
IsWindowVisible.USER32(?), ref: 0043B80C
ShowWindow.USER32(?,00000000), ref: 0043B840
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B855
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B866
ShowWindow.USER32(?,00000006), ref: 0043B881
ShowWindow.USER32(?,00000005), ref: 0043B88B

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004389B4, Relevance: 10.9, APIs: 7, Instructions: 405 Total matches: 2150windowCrypto

Similarity

Total matches: 2150
API ID: RestoreDCSaveDC$DefWindowProcGetSubMenuGetWindowDC
String ID:
API String ID: 4165311318-0
Opcode ID: e3974ea3235f2bde98e421c273a503296059dbd60f3116d5136c6e7e7c4a4110
Instruction ID: 37498faecac08611daeb58a409bdd2e28f3aff22c71556953c3d6c7203dc42a1
Opcode Fuzzy Hash: E351598106AE105BFCB3A49435C3FA31002E75259BCC9F7725F65B69F70A426107FA0E
Instruction Fuzzy Hash: 37498faecac08611daeb58a409bdd2e28f3aff22c71556953c3d6c7203dc42a1

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 00438ECA

Part of subcall function 00437AE0: SendMessageA.USER32(?,00000234,00000000,00000000), ref: 00437B66
Part of subcall function 00437AE0: DrawMenuBar.USER32(00000000), ref: 00437B77

GetSubMenu.USER32(?,?), ref: 00438AB0

Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128

SaveDC.GDI32(?), ref: 00438C84
RestoreDC.GDI32(?,?), ref: 00438CF8
GetWindowDC.USER32(?), ref: 00438D72
SaveDC.GDI32(?), ref: 00438DA9
RestoreDC.GDI32(?,?), ref: 00438E16

Part of subcall function 00438594: GetMenuItemCount.USER32(?), ref: 004385C0
Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 004385E0
Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 00438678

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004104F0, Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141 Total matches: 3143

Similarity

Total matches: 3143
API ID: GetModuleHandle
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$[FILE]
API String ID: 2196120668-1102361026
Opcode ID: d04b3c176625d43589df9c4c1eaa1faa8af9b9c00307a8a09859a0e62e75f2dc
Instruction ID: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6
Opcode Fuzzy Hash: B8119E48E06A10BC356E3ED6B0292683F50A1A7CBF31D5388487AA46F067C083C0FF2D
Instruction Fuzzy Hash: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 004104F9

Part of subcall function 004104C4: GetProcAddress.KERNEL32(00000000), ref: 004104DD

Strings

VarMod, xrefs: 004105B7
VarBstrFromCy, xrefs: 004106A9
VarBstrFromBool, xrefs: 004106D5
VarAnd, xrefs: 004105CD
VarDateFromStr, xrefs: 00410667
oleaut32.dll, xrefs: 004104F4
VariantChangeTypeEx, xrefs: 00410507
VarCmp, xrefs: 0041060F
VarBstrFromDate, xrefs: 004106BF
VarBoolFromStr, xrefs: 00410693
VarR8FromStr, xrefs: 00410651
VarR4FromStr, xrefs: 0041063B
VarDiv, xrefs: 0041058B
VarSub, xrefs: 0041055F
VarNeg, xrefs: 0041051D
VarAdd, xrefs: 00410549
VarOr, xrefs: 004105E3
VarMul, xrefs: 00410575
VarI4FromStr, xrefs: 00410625
VarCyFromStr, xrefs: 0041067D
VarIdiv, xrefs: 004105A1
VarXor, xrefs: 004105F9
VarNot, xrefs: 00410533

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004291D0, Relevance: 31.7, APIs: 21, Instructions: 194 Total matches: 3060window

Similarity

Total matches: 3060
API ID: SelectObject$CreateCompatibleDCDeleteDCRealizePaletteSelectPaletteSetBkColor$BitBltCreateBitmapDeleteObjectGetDCGetObjectPatBltReleaseDC
String ID:
API String ID: 628774946-0
Opcode ID: fe3971f2977393a3c43567018b8bbe78de127415e632ac21538e816cc0dd5250
Instruction ID: 6115c1c3159ef7867d394253bd6a45f4e10092e6f2e7cc69ab30c5ac2c74a228
Opcode Fuzzy Hash: 2911294A05CCF32B64B579881983B261182FE43B52CABF7105979272CACF41740DE457
Instruction Fuzzy Hash: 6115c1c3159ef7867d394253bd6a45f4e10092e6f2e7cc69ab30c5ac2c74a228

APIs

GetObjectA.GDI32(?,00000054,?), ref: 004291F3
GetDC.USER32(00000000), ref: 00429221
CreateCompatibleDC.GDI32(?), ref: 00429232
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0042924D
SelectObject.GDI32(?,00000000), ref: 00429267
PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 00429289
CreateCompatibleDC.GDI32(?), ref: 00429297
DeleteDC.GDI32(?), ref: 0042937D

Part of subcall function 00428B08: GetObjectA.GDI32(00000000,00000054,?), ref: 00428B88
Part of subcall function 00428B08: GetDC.USER32(00000000), ref: 00428B99
Part of subcall function 00428B08: CreateCompatibleDC.GDI32(00000000), ref: 00428BAA
Part of subcall function 00428B08: CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 00428BF6
Part of subcall function 00428B08: CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 00428C1A
Part of subcall function 00428B08: GetDeviceCaps.GDI32(00000028,0000000C), ref: 00428C6A
Part of subcall function 00428B08: GetDeviceCaps.GDI32(00000028,0000000E), ref: 00428C77
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00428D21
Part of subcall function 00428B08: GetDIBColorTable.GDI32(?,00000000,00000100,-00000027), ref: 00428D47
Part of subcall function 00428B08: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428D72
Part of subcall function 00428B08: SelectObject.GDI32(?,?), ref: 00428D7F
Part of subcall function 00428B08: CreateDIBSection.GDI32(00000028,00000001,00000000,00000003,00000000,00000000), ref: 00428DD5
Part of subcall function 00428B08: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428E36
Part of subcall function 00428B08: SelectObject.GDI32(?,?), ref: 00428E77
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,00000000), ref: 00428EB7
Part of subcall function 00428B08: RealizePalette.GDI32(?), ref: 00428EC3
Part of subcall function 00428B08: FillRect.USER32(?,?,00000000), ref: 00428F14
Part of subcall function 00428B08: SetTextColor.GDI32(?,00000000), ref: 00428F2C
Part of subcall function 00428B08: SetBkColor.GDI32(?,00000000), ref: 00428F46
Part of subcall function 00428B08: SetDIBColorTable.GDI32(?,00000000,00000002,?), ref: 00428F8E
Part of subcall function 00428B08: PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 00428FB0
Part of subcall function 00428B08: CreateCompatibleDC.GDI32(00000028), ref: 00428FC3
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00428FE6
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,00000000), ref: 00429002
Part of subcall function 00428B08: RealizePalette.GDI32(?), ref: 0042900D
Part of subcall function 00428B08: SetTextColor.GDI32(?,00000000), ref: 0042902B
Part of subcall function 00428B08: SetBkColor.GDI32(?,00000000), ref: 00429045
Part of subcall function 00428B08: BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042906D
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,000000FF), ref: 0042907F
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00429089
Part of subcall function 00428B08: DeleteDC.GDI32(?), ref: 004290A4
Part of subcall function 00428B08: SelectPalette.GDI32(?,?,000000FF), ref: 004290CE

SelectObject.GDI32(?), ref: 004292DF
SelectPalette.GDI32(?,?,00000000), ref: 004292F2
RealizePalette.GDI32(?), ref: 004292FB
SelectPalette.GDI32(?,?,00000000), ref: 00429307
RealizePalette.GDI32(?), ref: 00429310
SetBkColor.GDI32(?), ref: 0042931A
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042933E
SetBkColor.GDI32(?,00000000), ref: 00429348
SelectObject.GDI32(?,00000000), ref: 0042935B
DeleteObject.GDI32 ref: 00429367
SelectObject.GDI32(?,00000000), ref: 00429398
DeleteDC.GDI32(00000000), ref: 004293B4
ReleaseDC.USER32(00000000,00000000), ref: 004293C5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004085D4, Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 61 Total matches: 268windowregistry

Similarity

Total matches: 268
API ID: RegisterWindowMessage$SendMessage$FindWindow
String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
API String ID: 773075572-3736581797
Opcode ID: b8d29d158da692a3f30c7c46c0fd30bc084ed528be5294db655e4684b6c0c80f
Instruction ID: 4e75a9db2a85290b2bd165713cc3b8ab264a87c6022b985514cebb886d0c2653
Opcode Fuzzy Hash: E3E086048EC5E4C040877D156905746525A5B47E33E88971245FC69EEBDF12706CF60B
Instruction Fuzzy Hash: 4e75a9db2a85290b2bd165713cc3b8ab264a87c6022b985514cebb886d0c2653

APIs

FindWindowA.USER32(MouseZ,Magellan MSWHEEL), ref: 004085EC
RegisterWindowMessageA.USER32(MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 004085F8
RegisterWindowMessageA.USER32(MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 00408607
RegisterWindowMessageA.USER32(MSH_SCROLL_LINES_MSG,MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 00408613
SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 0040862B
SendMessageA.USER32(00000000,?,00000000,00000000), ref: 0040864F

Strings

MSH_SCROLL_LINES_MSG, xrefs: 0040860E
MSH_WHEELSUPPORT_MSG, xrefs: 00408602
MouseZ, xrefs: 004085E7
Magellan MSWHEEL, xrefs: 004085E2
MSWHEEL_ROLLMSG, xrefs: 004085F3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E71C, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 109 Total matches: 2989

Similarity

Total matches: 2989
API ID: IntersectRect$GetSystemMetrics$EnumDisplayMonitorsGetClipBoxGetDCOrgExOffsetRect
String ID: EnumDisplayMonitors
API String ID: 2403121106-2491903729
Opcode ID: 52db4d6629bbd73772140d7e04a91d47a072080cb3515019dbe85a8b86b11587
Instruction ID: b4557ab74b20c8893b9e8c5043286aecf6e43751f6ec849995a879e485a4fa77
Opcode Fuzzy Hash: 60F02B4B413C0863AD32BB953067E2601615BD3955C9F7BF34D077A2091B85B42EF643
Instruction Fuzzy Hash: b4557ab74b20c8893b9e8c5043286aecf6e43751f6ec849995a879e485a4fa77

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 0042E755
GetSystemMetrics.USER32(00000000), ref: 0042E77A
GetSystemMetrics.USER32(00000001), ref: 0042E785
GetClipBox.GDI32(?,?), ref: 0042E797
GetDCOrgEx.GDI32(?,?), ref: 0042E7A4
OffsetRect.USER32(?,?,?), ref: 0042E7BD
IntersectRect.USER32(?,?,?), ref: 0042E7CE
IntersectRect.USER32(?,?,?), ref: 0042E7E4
IntersectRect.USER32(?,?,?), ref: 0042E804

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

EnumDisplayMonitors, xrefs: 0042E734

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044D1B0, Relevance: 16.6, APIs: 11, Instructions: 91 Total matches: 309

Similarity

Total matches: 309
API ID: GetWindowLongSetWindowLong$SetProp$IsWindowUnicode
String ID:
API String ID: 2416549522-0
Opcode ID: cc33e88019e13a6bdd1cd1f337bb9aa08043e237bf24f75c2294c70aefb51ea5
Instruction ID: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692
Opcode Fuzzy Hash: 47F09048455D92E9CE316990181BFEB6098AF57F91CE86B0469C2713778E50F079BCC2
Instruction Fuzzy Hash: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692

APIs

IsWindowUnicode.USER32(?), ref: 0044D1CA
SetWindowLongW.USER32(?,000000FC,?), ref: 0044D1E5
GetWindowLongW.USER32(?,000000F0), ref: 0044D1F0
GetWindowLongW.USER32(?,000000F4), ref: 0044D202
SetWindowLongW.USER32(?,000000F4,?), ref: 0044D215
SetWindowLongA.USER32(?,000000FC,?), ref: 0044D22E
GetWindowLongA.USER32(?,000000F0), ref: 0044D239
GetWindowLongA.USER32(?,000000F4), ref: 0044D24B
SetWindowLongA.USER32(?,000000F4,?), ref: 0044D25E
SetPropA.USER32(?,00000000,00000000), ref: 0044D275
SetPropA.USER32(?,00000000,00000000), ref: 0044D28C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00456278, Relevance: 15.2, APIs: 10, Instructions: 197 Total matches: 3025

Similarity

Total matches: 3025
API ID: GetWindowLong$IntersectClipRectRestoreDCSaveDC
String ID:
API String ID: 3006731778-0
Opcode ID: 42e9e34b880910027b3e3a352b823e5a85719ef328f9c6ea61aaf2d3498d6580
Instruction ID: 4204c0258dd60c0c2688d7e8ce7edc9cd036ce1826430425374ca7ebdb7834a4
Opcode Fuzzy Hash: 4621F609168D5267EC7B75806993BAA7111FB82B88CD1F7321AA1171975B80204BFA07
Instruction Fuzzy Hash: 4204c0258dd60c0c2688d7e8ce7edc9cd036ce1826430425374ca7ebdb7834a4

APIs

SaveDC.GDI32(?), ref: 00456295

Part of subcall function 0044EEA0: GetWindowOrgEx.GDI32(?), ref: 0044EEAE
Part of subcall function 0044EEA0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044EEC4

IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 004562CE
GetWindowLongA.USER32(00000000,000000EC), ref: 004562E2
GetWindowLongA.USER32(00000000,000000F0), ref: 00456303

Part of subcall function 00456278: SetRect.USER32(00000010,00000000,00000000,?,?), ref: 00456363
Part of subcall function 00456278: IntersectClipRect.GDI32(?,00000000,00000000,00000010,?), ref: 004563D3
Part of subcall function 00456278: SetRect.USER32(?,00000000,00000000,?,?), ref: 004563F4
Part of subcall function 00456278: DrawEdge.USER32(?,?,00000000,00000000), ref: 00456403
Part of subcall function 00456278: IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0045642C

RestoreDC.GDI32(?,?), ref: 004564AB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043F2B8, Relevance: 15.1, APIs: 10, Instructions: 133 Total matches: 142window

Similarity

Total matches: 142
API ID: GetWindowLongSendMessageSetWindowLong$GetClassLongGetSystemMenuSetClassLongSetWindowPos
String ID:
API String ID: 864553395-0
Opcode ID: 9ab73d602731c043e05f06fe9a833ffc60d2bf7da5b0a21ed43778f35c9aa1f5
Instruction ID: 86e40c6f39a8dd384175e0123e2dc7e82ae64037638b8220b5ac0861a23d6a34
Opcode Fuzzy Hash: B101DBAA1A176361E0912DCCCAC3B2ED50DB743248EB0DBD922E11540E7F4590A7FE2D
Instruction Fuzzy Hash: 86e40c6f39a8dd384175e0123e2dc7e82ae64037638b8220b5ac0861a23d6a34

APIs

GetWindowLongA.USER32(00000000,000000F0), ref: 0043F329
GetWindowLongA.USER32(00000000,000000EC), ref: 0043F33B
GetClassLongA.USER32(00000000,000000E6), ref: 0043F34E
SetWindowLongA.USER32(00000000,000000F0,00000000), ref: 0043F38E
SetWindowLongA.USER32(00000000,000000EC,?), ref: 0043F3A2
SetClassLongA.USER32(00000000,000000E6,?), ref: 0043F3B6
SendMessageA.USER32(00000000,00000080,00000001,00000000), ref: 0043F3F0
SendMessageA.USER32(00000000,00000080,00000001,00000000), ref: 0043F408
GetSystemMenu.USER32(00000000,000000FF), ref: 0043F417
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043F440

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044155C, Relevance: 15.1, APIs: 10, Instructions: 74 Total matches: 3192window

Similarity

Total matches: 3192
API ID: DeleteMenu$EnableMenuItem$GetSystemMenu
String ID:
API String ID: 3542995237-0
Opcode ID: 6b257927fe0fdeada418aad578b82fbca612965c587f2749ccb5523ad42afade
Instruction ID: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578
Opcode Fuzzy Hash: 0AF0D09DD98F1151E6F500410C47B83C08AFF413C5C245B380583217EFA9D25A5BEB0E
Instruction Fuzzy Hash: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 004415A7
DeleteMenu.USER32(00000000,0000F130,00000000), ref: 004415C5
DeleteMenu.USER32(00000000,00000007,00000400), ref: 004415D2
DeleteMenu.USER32(00000000,00000005,00000400), ref: 004415DF
DeleteMenu.USER32(00000000,0000F030,00000000), ref: 004415EC
DeleteMenu.USER32(00000000,0000F020,00000000), ref: 004415F9
DeleteMenu.USER32(00000000,0000F000,00000000), ref: 00441606
DeleteMenu.USER32(00000000,0000F120,00000000), ref: 00441613
EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 00441631
EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 0044164D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004564D0, Relevance: 13.7, APIs: 9, Instructions: 177 Total matches: 190window

Similarity

Total matches: 190
API ID: SelectObject$BeginPaintBitBltCreateCompatibleBitmapCreateCompatibleDCSetWindowOrgEx
String ID:
API String ID: 1616898104-0
Opcode ID: 00b711a092303d63a394b0039c66d91bff64c6bf82b839551a80748cfcb5bf1e
Instruction ID: 1affb125a654ca7596d0e4f6c4811def945eff925a29ebecd1c68cf0f38a7913
Opcode Fuzzy Hash: 14115B85024DA637E8739CC85E83F962294F307D48C91F7729BA31B2C72F15600DD293
Instruction Fuzzy Hash: 1affb125a654ca7596d0e4f6c4811def945eff925a29ebecd1c68cf0f38a7913

APIs

Part of subcall function 00455D50: BeginPaint.USER32(00000000,?), ref: 00455D7B
Part of subcall function 00455D50: SaveDC.GDI32(00000000), ref: 00455DB4
Part of subcall function 00455D50: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 00455E36
Part of subcall function 00455D50: RestoreDC.GDI32(00000000,00000000), ref: 00455E6C
Part of subcall function 00455D50: EndPaint.USER32(00000000,?), ref: 00455EA9

BeginPaint.USER32(00000000,?), ref: 004565EA
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00456600
CreateCompatibleDC.GDI32(00000000), ref: 00456617
SelectObject.GDI32(?,?), ref: 00456627
SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0045664B

Part of subcall function 004564D0: BeginPaint.USER32(00000000,?), ref: 0045653C
Part of subcall function 004564D0: EndPaint.USER32(00000000,?), ref: 004565D0

BitBlt.GDI32(00000000,?,?,?,?,?,?,?,00CC0020), ref: 00456699
SelectObject.GDI32(?,?), ref: 004566B3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00451458, Relevance: 13.6, APIs: 9, Instructions: 122 Total matches: 3040window

Similarity

Total matches: 3040
API ID: PatBlt$SelectObject$GetDCExGetDesktopWindowReleaseDC
String ID:
API String ID: 2402848322-0
Opcode ID: 0b1cd19b0e82695ca21d43bacf455c9985e1afa33c1b29ce2f3a7090b744ccb2
Instruction ID: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593
Opcode Fuzzy Hash: C2F0B4482AADF707C8B6350915C7F79224AED736458F4BB694DB4172CBAF27B014D093
Instruction Fuzzy Hash: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593

APIs

GetDesktopWindow.USER32 ref: 0045148F
GetDCEx.USER32(?,00000000,00000402), ref: 004514A2

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

SelectObject.GDI32(?,00000000), ref: 004514C5
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 004514EB
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0045150D
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 0045152C
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 00451546
SelectObject.GDI32(?,?), ref: 00451553
ReleaseDC.USER32(?,?), ref: 0045156D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004117E8, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: f440f800a6dcfa6827f62dcd7c23166eba4d720ac19948e634cff8498f9e3f0b
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 4D113503239AAB83B0257B804C83F24D1D0DE42D36ACD97B8C672693F32601561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00411881
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041189D
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 004118D6
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411953
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0041196C
VariantCopy.OLEAUT32(?), ref: 004119A1

Strings

, xrefs: 00411802

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004052FC, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38 Total matches: 3072filewindow

Similarity

Total matches: 3072
API ID: GetStdHandleWriteFile$MessageBox
String ID: Error$Runtime error at 00000000
API String ID: 877302783-2970929446
Opcode ID: a2f2a555d5de0ed3a3cdfe8a362fd9574088acc3a5edf2b323f2c4251b80d146
Instruction ID: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97
Opcode Fuzzy Hash: FED0A7C68438479FA141326030C4B2A00133F0762A9CC7396366CB51DFCF4954BCDD05
Instruction Fuzzy Hash: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405335
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 0040533B
GetStdHandle.KERNEL32(000000F5,00405384,00000002,?,00000000,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405350
WriteFile.KERNEL32(00000000,000000F5,00405384,00000002,?), ref: 00405356
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00405374

Strings

Error, xrefs: 00405368
Runtime error at 00000000, xrefs: 0040532E, 0040536D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004462F4, Relevance: 12.1, APIs: 8, Instructions: 99 Total matches: 293windowthread

Similarity

Total matches: 293
API ID: SendMessage$GetWindowThreadProcessId$GetCaptureGetParentIsWindowUnicode
String ID:
API String ID: 2317708721-0
Opcode ID: 8f6741418f060f953fc426fb00df5905d81b57fcb2f7a38cdc97cb0aab6d7365
Instruction ID: 027f2b09132ef415e1641618d15c0fc03404835376b0cbd1c352fc703b58c8b5
Opcode Fuzzy Hash: D0F09E15071D1844F89FA7844CD3F1F0150E73726FC516A251861D07BB2640586DEC40
Instruction Fuzzy Hash: 027f2b09132ef415e1641618d15c0fc03404835376b0cbd1c352fc703b58c8b5

APIs

GetCapture.USER32 ref: 0044631A
GetParent.USER32(00000000), ref: 00446340
IsWindowUnicode.USER32(00000000), ref: 0044635D
SendMessageW.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446378
SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446397
GetWindowThreadProcessId.USER32(00000000), ref: 004463A6
GetWindowThreadProcessId.USER32(?,?), ref: 004463B4
SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 004463D4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426060, Relevance: 12.1, APIs: 8, Instructions: 79 Total matches: 3072window

Similarity

Total matches: 3072
API ID: GetSystemPaletteEntries$GetDCGetDeviceCapsReleaseDC
String ID:
API String ID: 3774187343-0
Opcode ID: c8a1f0028bda89d06ba34fecd970438ce26e4f5bd606e2da3d468695089984a8
Instruction ID: 0cfe958825060108f21fe327ec74807f3ea840bb8274bad68fd1d00675d59d02
Opcode Fuzzy Hash: 82F0E9420739F3B3B21723492453B548250FF006B8F195B7095A2A37D54B486A08D65A
Instruction Fuzzy Hash: 0cfe958825060108f21fe327ec74807f3ea840bb8274bad68fd1d00675d59d02

APIs

GetDC.USER32(00000000), ref: 0042608E
GetDeviceCaps.GDI32(?,00000068), ref: 004260AA
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 004260C9
GetSystemPaletteEntries.GDI32(?,-00000008,00000001,00C0C0C0), ref: 004260ED
GetSystemPaletteEntries.GDI32(?,00000000,00000007,?), ref: 0042610B
GetSystemPaletteEntries.GDI32(?,00000007,00000001,?), ref: 0042611F
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0042613F
ReleaseDC.USER32(00000000,?), ref: 00426157

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434550, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 177 Total matches: 2669window

Similarity

Total matches: 2669
API ID: InsertMenu$GetVersionInsertMenuItem
String ID: ,$?
API String ID: 1158528009-2308483597
Opcode ID: 3691d3eb49acf7fe282d18733ae3af9147e5be4a4a7370c263688d5644077239
Instruction ID: d88e58a9695d0ecde36b26a9ed5775f3b98e27f7dc2108173ae1ec2afbf22209
Opcode Fuzzy Hash: 7021C07202AE81DBD414788C7954F6221B16B5465FD49FF210329B5DD98F156003FF7A
Instruction Fuzzy Hash: d88e58a9695d0ecde36b26a9ed5775f3b98e27f7dc2108173ae1ec2afbf22209

APIs

GetVersion.KERNEL32(00000000,004347A1), ref: 004345EC
InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 004346F5
InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 0043477E

Part of subcall function 00434A54: CreatePopupMenu.USER32 ref: 00434A6F
Part of subcall function 00434A54: CreateMenu.USER32 ref: 00434A79

InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 00434765

Strings

?, xrefs: 00434607
,, xrefs: 00434600

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446834, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 138 Total matches: 241window

Similarity

Total matches: 241
API ID: SetWindowPos$GetWindowRectMessageBoxSetActiveWindow
String ID: (
API String ID: 3733400490-3887548279
Opcode ID: 057cc1c80f110adb1076bc5495aef73694a74091f1d008cb79dd59c6bbc78491
Instruction ID: b10abcdf8b99517cb61353ac0e0d7546e107988409174f4fad3563684715349e
Opcode Fuzzy Hash: 88014C110E8D5483B57334902893FAB110AFB8B789C4CF7F65ED25314A4B45612FA657
Instruction Fuzzy Hash: b10abcdf8b99517cb61353ac0e0d7546e107988409174f4fad3563684715349e

APIs

Part of subcall function 00447BE4: GetActiveWindow.USER32 ref: 00447C0B
Part of subcall function 00447BE4: GetLastActivePopup.USER32(?), ref: 00447C1D

GetWindowRect.USER32(?,?), ref: 004468B6
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 004468EE

Part of subcall function 0043B920: GetCurrentThreadId.KERNEL32(0043B8D0,00000000,00000000,0043B993,?,00000000,0043B9D1), ref: 0043B976
Part of subcall function 0043B920: EnumThreadWindows.USER32(00000000,0043B8D0,00000000), ref: 0043B97C

MessageBoxA.USER32(00000000,?,?,?), ref: 0044692D
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0044697D

Part of subcall function 0043B9E4: IsWindow.USER32(?), ref: 0043B9F2
Part of subcall function 0043B9E4: EnableWindow.USER32(?,000000FF), ref: 0043BA01

SetActiveWindow.USER32(00000000), ref: 0044698E

Strings

(, xrefs: 00446893

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446524, Relevance: 10.6, APIs: 7, Instructions: 105 Total matches: 329window

Similarity

Total matches: 329
API ID: PeekMessage$DispatchMessage$IsWindowUnicodeTranslateMessage
String ID:
API String ID: 94033680-0
Opcode ID: 72d0e2097018c2d171db36cd9dd5c7d628984fd68ad100676ade8b40d7967d7f
Instruction ID: b3581f7210794b57d406096c46509e1a6dcc6e0b3c60c7d01b5c3c410123a072
Opcode Fuzzy Hash: A2F0F642161A8221F90E364651E2FC06559E31F39CCD1D3871165A4192DF8573D6F95C
Instruction Fuzzy Hash: b3581f7210794b57d406096c46509e1a6dcc6e0b3c60c7d01b5c3c410123a072

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00446538
IsWindowUnicode.USER32 ref: 0044654C
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0044656D
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00446583

Part of subcall function 00447DD0: GetCapture.USER32 ref: 00447DDA
Part of subcall function 00447DD0: GetParent.USER32(00000000), ref: 00447E08

Part of subcall function 004462A4: TranslateMDISysAccel.USER32(?), ref: 004462E3

Part of subcall function 004462F4: GetCapture.USER32 ref: 0044631A
Part of subcall function 004462F4: GetParent.USER32(00000000), ref: 00446340
Part of subcall function 004462F4: IsWindowUnicode.USER32(00000000), ref: 0044635D
Part of subcall function 004462F4: SendMessageW.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446378
Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446397
Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(00000000), ref: 004463A6
Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(?,?), ref: 004463B4
Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 004463D4

Part of subcall function 0044625C: IsWindowUnicode.USER32(00000000), ref: 00446270
Part of subcall function 0044625C: IsDialogMessageW.USER32(?), ref: 00446281
Part of subcall function 0044625C: IsDialogMessageA.USER32(?,?,00000000,015B8130,00000001,00446607,?,00000000,00000000,00000000,00000001,?,00000000,00000000,00000000,00000000), ref: 00446296

TranslateMessage.USER32 ref: 0044660C
DispatchMessageW.USER32 ref: 00446618
DispatchMessageA.USER32 ref: 00446620

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428A00, Relevance: 10.6, APIs: 7, Instructions: 66 Total matches: 3056

Similarity

Total matches: 3056
API ID: SelectObject$CreateCompatibleDCDeleteDCGetDCReleaseDCSetDIBColorTable
String ID:
API String ID: 2399757882-0
Opcode ID: e05996493a4a7703f1d90fd319a439bf5e8e75d5a5d7afaf7582bfea387cb30d
Instruction ID: 90c847b5b2251fbb5b2f14fd0b24f537c214c92e226752d9278a3821f2f40b8f
Opcode Fuzzy Hash: 73E0DF8626D8F38BE435399C15C2BB202EAD763D20D1ABBA1CD712B5DB6B09701CE107
Instruction Fuzzy Hash: 90c847b5b2251fbb5b2f14fd0b24f537c214c92e226752d9278a3821f2f40b8f

APIs

Part of subcall function 004262B4: GetObjectA.GDI32(?,00000004), ref: 004262CB
Part of subcall function 004262B4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 004262EE

GetDC.USER32(00000000), ref: 00428A3E
CreateCompatibleDC.GDI32(?), ref: 00428A4A
SelectObject.GDI32(?), ref: 00428A57
SetDIBColorTable.GDI32(?,00000000,00000000,?), ref: 00428A7B
SelectObject.GDI32(?,?), ref: 00428A95
DeleteDC.GDI32(?), ref: 00428A9E
ReleaseDC.USER32(00000000,?), ref: 00428AA9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004442A8, Relevance: 10.6, APIs: 7, Instructions: 57 Total matches: 3149threadwindow

Similarity

Total matches: 3149
API ID: SendMessage$GetCurrentThreadIdGetCursorPosGetWindowThreadProcessIdSetCursorWindowFromPoint
String ID:
API String ID: 3843227220-0
Opcode ID: 636f8612f18a75fc2fe2d79306f1978e6c2d0ee500cce15a656835efa53532b4
Instruction ID: 91a0691e93be75cbd792bc1c5d11451005bcc187603754b99125f381020161aa
Opcode Fuzzy Hash: 6FE07D44093723D5C0644A295640705A6C6CB96630DC0DB86C339580FBAD0214F0BC92
Instruction Fuzzy Hash: 91a0691e93be75cbd792bc1c5d11451005bcc187603754b99125f381020161aa

APIs

GetCursorPos.USER32 ref: 004442C3
WindowFromPoint.USER32(?,?), ref: 004442D0
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004442DE
GetCurrentThreadId.KERNEL32(00000000,00000000,?,?), ref: 004442E5
SendMessageA.USER32(00000000,00000084,00000000,?), ref: 0044430E
SendMessageA.USER32(00000000,00000020,00000000,?), ref: 00444320
SetCursor.USER32(00000000), ref: 00444332

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043EC18, Relevance: 9.2, APIs: 6, Instructions: 150 Total matches: 2896

Similarity

Total matches: 2896
API ID: FillRect$BeginPaintEndPaintGetClientRectGetWindowRect
String ID:
API String ID: 2931688664-0
Opcode ID: 677a90f33c4a0bae1c1c90245e54b31fe376033ebf9183cf3cf5f44c7b342276
Instruction ID: 65c0a0a89661e183b73f48e61e48bee5eb6d6399339ac08e0e21072a38132552
Opcode Fuzzy Hash: 9711994A819E5007F47B49C40887BEA1092FBC1FDBCC8FF7025A426BCB0B60564F860B
Instruction Fuzzy Hash: 65c0a0a89661e183b73f48e61e48bee5eb6d6399339ac08e0e21072a38132552

APIs

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?), ref: 0043EC91
GetClientRect.USER32(00000000,?), ref: 0043ECBC
FillRect.USER32(?,?,00000000), ref: 0043ECDB

Part of subcall function 0043EB8C: CallWindowProcA.USER32(?,?,?,?,?), ref: 0043EBC6

Part of subcall function 0043B78C: GetWindowLongA.USER32(?,000000EC), ref: 0043B799
Part of subcall function 0043B78C: SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B7BC
Part of subcall function 0043B78C: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043B7CE

BeginPaint.USER32(?,?), ref: 0043ED53
GetWindowRect.USER32(?,?), ref: 0043ED80

Part of subcall function 0044EEA0: GetWindowOrgEx.GDI32(?), ref: 0044EEAE
Part of subcall function 0044EEA0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044EEC4

Part of subcall function 00455D50: BeginPaint.USER32(00000000,?), ref: 00455D7B
Part of subcall function 00455D50: SaveDC.GDI32(00000000), ref: 00455DB4
Part of subcall function 00455D50: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 00455E36
Part of subcall function 00455D50: RestoreDC.GDI32(00000000,00000000), ref: 00455E6C
Part of subcall function 00455D50: EndPaint.USER32(00000000,?), ref: 00455EA9

EndPaint.USER32(?,?), ref: 0043EDE0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00441160, Relevance: 9.1, APIs: 6, Instructions: 125 Total matches: 196

Similarity

Total matches: 196
API ID: ExcludeClipRectFillRectGetStockObjectRestoreDCSaveDCSetBkColor
String ID:
API String ID: 3049133588-0
Opcode ID: d6019f6cee828ac7391376ab126a0af33bb7a71103bbd3b8d69450c96d22d854
Instruction ID: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c
Opcode Fuzzy Hash: 54012444004F6253F4AB098428E7FA56083F721791CE4FF310786616C34A74615BAA07
Instruction Fuzzy Hash: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c

APIs

Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE

SaveDC.GDI32(?), ref: 004411AD
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00441234
GetStockObject.GDI32(00000004), ref: 00441256
FillRect.USER32(00000000,?,00000000), ref: 0044126F

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(00000000,00000000), ref: 004412BA

Part of subcall function 0042535C: FillRect.USER32(?,00000000,00000000), ref: 00425385

RestoreDC.GDI32(00000000,?), ref: 004412E5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446070, Relevance: 9.1, APIs: 6, Instructions: 99 Total matches: 165window

Similarity

Total matches: 165
API ID: DefWindowProcIsWindowEnabledSetActiveWindowSetFocusSetWindowPosShowWindow
String ID:
API String ID: 81093956-0
Opcode ID: 91e5e05e051b3e2f023c100c42454c78ad979d8871dc5c9cc7008693af0beda7
Instruction ID: aa6e88dcafe1d9e979c662542ea857fd259aca5c8034ba7b6c524572af4b0f27
Opcode Fuzzy Hash: C2F0DD0025452320F892A8044167FBA60622B5F75ACDCD3282197002AEEFE7507ABF14
Instruction Fuzzy Hash: aa6e88dcafe1d9e979c662542ea857fd259aca5c8034ba7b6c524572af4b0f27

APIs

Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773

SetActiveWindow.USER32(?), ref: 0044608F
ShowWindow.USER32(00000000,00000009), ref: 004460B4
IsWindowEnabled.USER32(00000000), ref: 004460D3
DefWindowProcA.USER32(?,00000112,0000F120,00000000), ref: 004460EC

Part of subcall function 00444C44: ShowWindow.USER32(?,00000006), ref: 00444C5F

SetWindowPos.USER32(?,00000000,00000000,?,?,00445ABE,00000000), ref: 00446132
SetFocus.USER32(00000000), ref: 00446180

Part of subcall function 0043FDB4: ShowWindow.USER32(00000000,?), ref: 0043FDEA

Part of subcall function 00445490: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000213), ref: 004454DE

Part of subcall function 004455EC: EnumWindows.USER32(00445518,00000000), ref: 00445620
Part of subcall function 004455EC: ShowWindow.USER32(?,00000000), ref: 00445655
Part of subcall function 004455EC: ShowOwnedPopups.USER32(00000000,?), ref: 00445684
Part of subcall function 004455EC: ShowWindow.USER32(?,00000005), ref: 004456EA
Part of subcall function 004455EC: ShowOwnedPopups.USER32(00000000,?), ref: 00445719

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426564, Relevance: 9.1, APIs: 6, Instructions: 84 Total matches: 3298

Similarity

Total matches: 3298
API ID: GetDeviceCapsGetSystemMetrics$GetDCReleaseDC
String ID:
API String ID: 3173458388-0
Opcode ID: fd9f4716da230ae71bf1f4ec74ceb596be8590d72bfe1d7677825fa15454f496
Instruction ID: 76208f8db54bfa31a4e946745ab37a866a8afca9cd7e1400b1f436bf5add317d
Opcode Fuzzy Hash: 0CF09E4906CDE0A230E245C41213F6290C28E85DA1CCD2F728175646EB900A900BB68A
Instruction Fuzzy Hash: 76208f8db54bfa31a4e946745ab37a866a8afca9cd7e1400b1f436bf5add317d

APIs

GetSystemMetrics.USER32(0000000B), ref: 004265B2
GetSystemMetrics.USER32(0000000C), ref: 004265BE
GetDC.USER32(00000000), ref: 004265DA
GetDeviceCaps.GDI32(00000000,0000000E), ref: 00426601
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042660E
ReleaseDC.USER32(00000000,00000000), ref: 00426647

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004269DC, Relevance: 9.1, APIs: 6, Instructions: 65 Total matches: 3081window

Similarity

Total matches: 3081
API ID: SelectPalette$CreateCompatibleDCDeleteDCGetDIBitsRealizePalette
String ID:
API String ID: 940258532-0
Opcode ID: c5678bed85b02f593c88b8d4df2de58c18800a354d7fb4845608846d7bc0f30b
Instruction ID: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194
Opcode Fuzzy Hash: BCE0864D058EF36F1875B08C25D267100C0C9A25D0917BB6151282339B8F09B42FE553
Instruction Fuzzy Hash: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194

APIs

Part of subcall function 00426888: GetObjectA.GDI32(?,00000054), ref: 0042689C

CreateCompatibleDC.GDI32(00000000), ref: 004269FE
SelectPalette.GDI32(?,?,00000000), ref: 00426A1F
RealizePalette.GDI32(?), ref: 00426A2B
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 00426A42
SelectPalette.GDI32(?,00000000,00000000), ref: 00426A6A
DeleteDC.GDI32(?), ref: 00426A73

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426210, Relevance: 9.1, APIs: 6, Instructions: 56 Total matches: 3064window

Similarity

Total matches: 3064
API ID: SelectObject$CreateCompatibleDCCreatePaletteDeleteDCGetDIBColorTable
String ID:
API String ID: 2522673167-0
Opcode ID: 8f0861977a40d6dd0df59c1c8ae10ba78c97ad85d117a83679491ebdeecf1838
Instruction ID: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265
Opcode Fuzzy Hash: 23E0CD8BABB4E08A797B9EA40440641D28F874312DF4347525731780E7DE0972EBFD9D
Instruction Fuzzy Hash: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265

APIs

CreateCompatibleDC.GDI32(00000000), ref: 00426229
SelectObject.GDI32(00000000,00000000), ref: 00426232
GetDIBColorTable.GDI32(00000000,00000000,00000100,?), ref: 00426246
SelectObject.GDI32(00000000,00000000), ref: 00426252
DeleteDC.GDI32(00000000), ref: 00426258
CreatePalette.GDI32 ref: 0042629F

Part of subcall function 00426178: GetDC.USER32(00000000), ref: 00426190
Part of subcall function 00426178: GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
Part of subcall function 00426178: ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004258EC, Relevance: 9.0, APIs: 6, Instructions: 43 Total matches: 3205

Similarity

Total matches: 3205
API ID: SetBkColorSetBkMode$SelectObjectUnrealizeObject
String ID:
API String ID: 865388446-0
Opcode ID: ffaa839b37925f52af571f244b4bcc9ec6d09047a190f4aa6a6dd435522a71e3
Instruction ID: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d
Opcode Fuzzy Hash: 04D09E594221F71A98E8058442D7D520586497D532DAF3B51063B173F7F8089A05D9FC
Instruction Fuzzy Hash: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d

APIs

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

UnrealizeObject.GDI32(00000000), ref: 004258F8
SelectObject.GDI32(?,00000000), ref: 0042590A
SetBkColor.GDI32(?,00000000), ref: 0042592D
SetBkMode.GDI32(?,00000002), ref: 00425938

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(?,00000000), ref: 00425953
SetBkMode.GDI32(?,00000001), ref: 0042595E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EA7C, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50 Total matches: 198thread

Similarity

Total matches: 198
API ID: FindWindowExGetCurrentThreadIdGetWindowThreadProcessIdIsWindow
String ID: OleMainThreadWndClass
API String ID: 201132107-3883841218
Opcode ID: cdbacb71e4e8a6832b821703e69153792bbbb8731c9381be4d3b148a6057b293
Instruction ID: 62358f18f5a79d764869bf2b093b0b3ccaeb62bda00a46bd1094c38cdaeeb6b7
Opcode Fuzzy Hash: F8E08C9266CC1095C039EA1C7A2237A3548B7D24E9ED4DB747BEB2716CEF00022A7780
Instruction Fuzzy Hash: 62358f18f5a79d764869bf2b093b0b3ccaeb62bda00a46bd1094c38cdaeeb6b7

APIs

Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00000000,00403029), ref: 004076AD
Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00403029), ref: 004076BE

IsWindow.USER32(?), ref: 0042EA99
FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
GetCurrentThreadId.KERNEL32(?,00000000,00000000,00000000,OleMainThreadWndClass,00000000,?,?,00000000,0042EB52), ref: 0042EB0A

Strings

OleMainThreadWndClass, xrefs: 0042EAC3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004455EC, Relevance: 7.6, APIs: 5, Instructions: 109 Total matches: 230

Similarity

Total matches: 230
API ID: ShowOwnedPopupsShowWindow$EnumWindows
String ID:
API String ID: 1268429734-0
Opcode ID: 27bb45b2951756069d4f131311b8216febb656800ffc3f7147a02f570a82fa35
Instruction ID: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc
Opcode Fuzzy Hash: 70012B5524E87325E2756D54B01C765A2239B0FF08CE6C6654AAE640F75E1E0132F78D
Instruction Fuzzy Hash: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc

APIs

EnumWindows.USER32(00445518,00000000), ref: 00445620
ShowWindow.USER32(?,00000000), ref: 00445655
ShowOwnedPopups.USER32(00000000,?), ref: 00445684
ShowWindow.USER32(?,00000005), ref: 004456EA
ShowOwnedPopups.USER32(00000000,?), ref: 00445719

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EB3C, Relevance: 7.6, APIs: 5, Instructions: 86 Total matches: 211window

Similarity

Total matches: 211
API ID: DispatchMessageMsgWaitForMultipleObjectsExPeekMessageTranslateMessageWaitForMultipleObjectsEx
String ID:
API String ID: 1615661765-0
Opcode ID: ed928f70f25773e24e868fbc7ee7d77a1156b106903410d7e84db0537b49759f
Instruction ID: 55a40452e6c929106030349fb2bc1598364ce2fc4e781c2a916e8f687fa462b2
Opcode Fuzzy Hash: DDF05C09614F1D16D8BB88644562B1B2144AB42397C26BFA5529EE3B2D6B18B00AF640
Instruction Fuzzy Hash: 55a40452e6c929106030349fb2bc1598364ce2fc4e781c2a916e8f687fa462b2

APIs

Part of subcall function 0042EA7C: IsWindow.USER32(?), ref: 0042EA99
Part of subcall function 0042EA7C: FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
Part of subcall function 0042EA7C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
Part of subcall function 0042EA7C: GetCurrentThreadId.KERNEL32(?,00000000,00000000,00000000,OleMainThreadWndClass,00000000,?,?,00000000,0042EB52), ref: 0042EB0A

MsgWaitForMultipleObjectsEx.USER32(?,?,?,000000BF,?), ref: 0042EB6A
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 0042EB85
TranslateMessage.USER32(?), ref: 0042EB92
DispatchMessageA.USER32(?), ref: 0042EB9B
WaitForMultipleObjectsEx.KERNEL32(?,?,?,?,00000000), ref: 0042EBC7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434924, Relevance: 7.6, APIs: 5, Instructions: 77 Total matches: 2509window

Similarity

Total matches: 2509
API ID: GetMenuItemCount$DestroyMenuGetMenuStateRemoveMenu
String ID:
API String ID: 4240291783-0
Opcode ID: 32de4ad86fdb0cc9fc982d04928276717e3a5babd97d9cb0bc7430a9ae97d0ca
Instruction ID: cf6877f9ad33401498591f2bf6e6844a5ca439f59e89e6fdb213c81f0c010526
Opcode Fuzzy Hash: 6BE02BD3455E4703F425AB0454E3FA913C4AF51716DA0DB1017359D07B1F26501FE9F4
Instruction Fuzzy Hash: cf6877f9ad33401498591f2bf6e6844a5ca439f59e89e6fdb213c81f0c010526

APIs

Part of subcall function 00434A54: CreatePopupMenu.USER32 ref: 00434A6F
Part of subcall function 00434A54: CreateMenu.USER32 ref: 00434A79

GetMenuItemCount.USER32(00000000), ref: 0043495C
GetMenuState.USER32(00000000,-00000001,00000400), ref: 0043497D
RemoveMenu.USER32(00000000,-00000001,00000400), ref: 00434994
GetMenuItemCount.USER32(00000000), ref: 004349C4
DestroyMenu.USER32(00000000), ref: 004349D1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00443430, Relevance: 7.6, APIs: 5, Instructions: 61 Total matches: 3003

Similarity

Total matches: 3003
API ID: SetWindowLong$GetWindowLongRedrawWindowSetLayeredWindowAttributes
String ID:
API String ID: 3761630487-0
Opcode ID: 9c9d49d1ef37d7cb503f07450c0d4a327eb9b2b4778ec50dcfdba666c10abcb3
Instruction ID: c6d9d2cd31c241e86b7d90949bf59b5cad1e27a78e0073c3828bbb8e9ec94880
Opcode Fuzzy Hash: 6AE06550D41703A1D48114945B63FBBE8817F8911DDE5C71001BA29145BA88A192FF7B
Instruction Fuzzy Hash: c6d9d2cd31c241e86b7d90949bf59b5cad1e27a78e0073c3828bbb8e9ec94880

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 00443464
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 00443496
SetLayeredWindowAttributes.USER32(00000000,?,?,00000000), ref: 004434CF
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 004434E8
RedrawWindow.USER32(00000000,00000000,00000000,00000485), ref: 004434FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426178, Relevance: 7.6, APIs: 5, Instructions: 55 Total matches: 3070window

Similarity

Total matches: 3070
API ID: GetPaletteEntries$GetDCGetDeviceCapsReleaseDC
String ID:
API String ID: 1267235336-0
Opcode ID: 49f91625e0dd571c489fa6fdad89a91e8dd79834746e98589081ca7a3a4fea17
Instruction ID: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836
Opcode Fuzzy Hash: 7CD0C2AA1389DBD6BD6A17842352A4553478983B09D126B32EB0822872850C5039FD1F
Instruction Fuzzy Hash: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836

APIs

GetDC.USER32(00000000), ref: 00426190
GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444B90, Relevance: 7.5, APIs: 5, Instructions: 25 Total matches: 2957synchronizationthread

Similarity

Total matches: 2957
API ID: CloseHandleGetCurrentThreadIdSetEventUnhookWindowsHookExWaitForSingleObject
String ID:
API String ID: 3442057731-0
Opcode ID: bc40a7f740796d43594237fc13166084f8c3b10e9e48d5138e47e82ca7129165
Instruction ID: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1
Opcode Fuzzy Hash: E9C01296B2C9B0C1EC809712340202800B20F8FC590E3DE0509D7363005315D73CD92C
Instruction Fuzzy Hash: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1

APIs

UnhookWindowsHookEx.USER32(00000000), ref: 00444B9F
SetEvent.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBA
GetCurrentThreadId.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBF
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00444BD4
CloseHandle.KERNEL32(00000000), ref: 00444BDF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040D670, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148 Total matches: 3566thread

Similarity

Total matches: 3566
API ID: GetThreadLocale
String ID: eeee$ggg$yyyy
API String ID: 1366207816-1253427255
Opcode ID: 86fa1fb3c1f239f42422769255d2b4db7643f856ec586a18d45da068e260c20e
Instruction ID: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436
Opcode Fuzzy Hash: 3911BD8712648363D5722818A0D2BE3199C5703CA4EA89742DDB6356EA7F09440BEE6D
Instruction Fuzzy Hash: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436

APIs

GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Strings

eeee, xrefs: 0040D7AE
yyyy, xrefs: 0040D795
ggg, xrefs: 0040D785

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00411444, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: 954335058d5fe722e048a186d9110509c96c1379a47649d8646f5b9e1a2e0a0b
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: 9D014B0327CAAA867021BB004882FA0D2D4DE52A369CD8774DB71593F62780571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004114F3
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041150F
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411586
VariantClear.OLEAUT32(?), ref: 004115AF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040D8AA, Relevance: 6.1, APIs: 4, Instructions: 101 Total matches: 2563

Similarity

Total matches: 2563
API ID: GetModuleFileName$LoadStringVirtualQuery
String ID:
API String ID: 2941097594-0
Opcode ID: 9f707685a8ca2ccbfc71ad53c7f9b5a8f910bda01de382648e3a286d4dcbad8b
Instruction ID: 9b6f9daabaaed01363acd1bc6df000eeaee8c5b1ee04e659690c8b100997f9f3
Opcode Fuzzy Hash: 4C014C024365E386F4234B112882F5492E0DB65DB1E8C6751EFB9503F65F40115EF72D
Instruction Fuzzy Hash: 9b6f9daabaaed01363acd1bc6df000eeaee8c5b1ee04e659690c8b100997f9f3

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040D8C9
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040D8ED
GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040D908
LoadStringA.USER32(00000000,0000FFED,?,00000100), ref: 0040D99E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428848, Relevance: 6.1, APIs: 4, Instructions: 83 Total matches: 2913window

Similarity

Total matches: 2913
API ID: CreateCompatibleDCRealizePaletteSelectObjectSelectPalette
String ID:
API String ID: 3833105616-0
Opcode ID: 7f49dee69bcd38fda082a6c54f39db5f53dba16227df2c2f18840f8cf7895046
Instruction ID: 29ada319a87402adac0eebea4d3b1ef9d21249ffa1523adf5174efdc3c3390a2
Opcode Fuzzy Hash: C0F0E5870BCED49BFCA7D484249722910C2F3C08DFC80A3324E55676DB9604B127A20B
Instruction Fuzzy Hash: 29ada319a87402adac0eebea4d3b1ef9d21249ffa1523adf5174efdc3c3390a2

APIs

Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE

Part of subcall function 00429D5C: GetDC.USER32(00000000), ref: 00429DB2
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429DC7
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00429DD1
Part of subcall function 00429D5C: CreateHalftonePalette.GDI32(00000000), ref: 00429DF5
Part of subcall function 00429D5C: ReleaseDC.USER32(00000000,00000000), ref: 00429E00

CreateCompatibleDC.GDI32(00000000), ref: 0042889D
SelectObject.GDI32(00000000,?), ref: 004288B6
SelectPalette.GDI32(00000000,?,000000FF), ref: 004288DF
RealizePalette.GDI32(00000000), ref: 004288EB

Part of subcall function 00425608: LeaveCriticalSection.KERNEL32(00000038,00000000,00423DD2,00423DE8), ref: 0042560F
Part of subcall function 00425608: EnterCriticalSection.KERNEL32(00499A30,00000038,00000000,00423DD2,00423DE8), ref: 00425619
Part of subcall function 00425608: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000038,00000000,00423DD2,00423DE8), ref: 00425626

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00438710, Relevance: 6.1, APIs: 4, Instructions: 72 Total matches: 3034window

Similarity

Total matches: 3034
API ID: GetMenuItemIDGetMenuStateGetMenuStringGetSubMenu
String ID:
API String ID: 4177512249-0
Opcode ID: ecc45265f1f2dfcabc36b66648e37788e83d83d46efca9de613be41cbe9cf08e
Instruction ID: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d
Opcode Fuzzy Hash: BEE020084B1FC552541F0A4A1573F019140E142CB69C3F3635127565B31A255213F776
Instruction Fuzzy Hash: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d

APIs

GetMenuState.USER32(?,?,?), ref: 00438733
GetSubMenu.USER32(?,?), ref: 0043873E
GetMenuItemID.USER32(?,?), ref: 00438757
GetMenuStringA.USER32(?,?,?,?,?), ref: 004387AA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00445518, Relevance: 6.1, APIs: 4, Instructions: 71 Total matches: 218threadwindow

Similarity

Total matches: 218
API ID: GetCurrentProcessIdGetWindowGetWindowThreadProcessIdIsWindowVisible
String ID:
API String ID: 3659984437-0
Opcode ID: 6a2b99e3a66d445235cbeb6ae27631a3038d73fb4110980a8511166327fee1f0
Instruction ID: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8
Opcode Fuzzy Hash: 82E0AB21B2AA28AAE0971541B01939130B3F74ED9ACC0A3626F8594BD92F253809E74F
Instruction Fuzzy Hash: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8

APIs

GetWindow.USER32(?,00000004), ref: 00445528
GetWindowThreadProcessId.USER32(?,?), ref: 00445542
GetCurrentProcessId.KERNEL32(?,00000004), ref: 0044554E
IsWindowVisible.USER32(?), ref: 0044559E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B29C, Relevance: 6.1, APIs: 4, Instructions: 58 Total matches: 214window

Similarity

Total matches: 214
API ID: DeleteObject$GetIconInfoGetObject
String ID:
API String ID: 3019347292-0
Opcode ID: d6af2631bec08fa1cf173fc10c555d988242e386d2638a025981433367bbd086
Instruction ID: 7fbc048e39f9dd6e6db5f40543e5f161b145f4c2f282fe4a446dbd8e1941d375
Opcode Fuzzy Hash: F7D0C283228DE2F7ED767D983A636154085F782297C6423B00444730860A1E700C6A03
Instruction Fuzzy Hash: 7fbc048e39f9dd6e6db5f40543e5f161b145f4c2f282fe4a446dbd8e1941d375

APIs

GetIconInfo.USER32(?,?), ref: 0042B2BD
GetObjectA.GDI32(?,00000018,?), ref: 0042B2DE
DeleteObject.GDI32(?), ref: 0042B30A
DeleteObject.GDI32(?), ref: 0042B313

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00445334, Relevance: 6.1, APIs: 4, Instructions: 56 Total matches: 2678

Similarity

Total matches: 2678
API ID: EnumWindowsGetWindowGetWindowLongSetWindowPos
String ID:
API String ID: 1660305372-0
Opcode ID: c3d012854d63b95cd89c42a77d529bdce0f7c5ea0abc138a70ce1ca7fb0ed027
Instruction ID: 7947c1ee61b3a945b06f79495752ea495d4a1fb36974d9d540e15b721e8a8e8a
Opcode Fuzzy Hash: 65E07D89179DA114F52124400911F043342F3D731BD1ADF814246283E39B8522BBFB8C
Instruction Fuzzy Hash: 7947c1ee61b3a945b06f79495752ea495d4a1fb36974d9d540e15b721e8a8e8a

APIs

EnumWindows.USER32(Function_000452BC), ref: 0044535E
GetWindow.USER32(?,00000003), ref: 00445376
GetWindowLongA.USER32(00000000,000000EC), ref: 00445383
SetWindowPos.USER32(00000000,000000EC,00000000,00000000,00000000,00000000,00000213), ref: 004453C2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0041C2D4, Relevance: 6.1, APIs: 4, Instructions: 51 Total matches: 4966

Similarity

Total matches: 4966
API ID: FindResourceLoadResourceLockResourceSizeofResource
String ID:
API String ID: 3653323225-0
Opcode ID: 735dd83644160b8dcfdcb5d85422b4d269a070ba32dbf009b7750e227a354687
Instruction ID: 615d07274e164157e3e11310b2f920de543c2506028dc961f8b3aaf64374c2fd
Opcode Fuzzy Hash: 4BD0A90A2268C100582C2C80002BBC610830A5FE226CC27F902231BBC32C026024F8C4
Instruction Fuzzy Hash: 615d07274e164157e3e11310b2f920de543c2506028dc961f8b3aaf64374c2fd

APIs

FindResourceA.KERNEL32(?,?,?), ref: 0041C2EB
LoadResource.KERNEL32(?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C305
SizeofResource.KERNEL32(?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C31F
LockResource.KERNEL32(0041BDF4,00000000,?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000), ref: 0041C329

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044E254, Relevance: 6.0, APIs: 4, Instructions: 37 Total matches: 5751thread

Similarity

Total matches: 5751
API ID: GetCurrentProcessIdGetPropGetWindowThreadProcessIdGlobalFindAtom
String ID:
API String ID: 142914623-0
Opcode ID: 055fee701d7a26f26194a738d8cffb303ddbdfec43439e02886190190dab2487
Instruction ID: e9689aead5eaf442059aa2d418bca5d111d08576717f72d926dd49825766799b
Opcode Fuzzy Hash: 0AC02203AD2E23870E4202F2E840907219583DF8720CA370201B0E38C023F0461DFF0C
Instruction Fuzzy Hash: e9689aead5eaf442059aa2d418bca5d111d08576717f72d926dd49825766799b

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 0044E261
GetCurrentProcessId.KERNEL32(00000000,?,?,-00000010,00000000,0044E2CC,-000000F7,?,00000000,0044DE86,?,-00000010,?), ref: 0044E26A
GlobalFindAtomA.KERNEL32(00000000), ref: 0044E27F
GetPropA.USER32(00000000,00000000), ref: 0044E296

Part of subcall function 0044D2C0: GetWindowThreadProcessId.USER32(?), ref: 0044D2C6
Part of subcall function 0044D2C0: GetCurrentProcessId.KERNEL32(?,?,?,?,0044D346,?,00000000,?,004387ED,?,004378A9), ref: 0044D2CF
Part of subcall function 0044D2C0: SendMessageA.USER32(?,0000C1C7,00000000,00000000), ref: 0044D2E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444B1C, Relevance: 6.0, APIs: 4, Instructions: 34 Total matches: 2966thread

Similarity

Total matches: 2966
API ID: CreateEventCreateThreadGetCurrentThreadIdSetWindowsHookEx
String ID:
API String ID: 2240124278-0
Opcode ID: 54442a1563c67a11f9aee4190ed64b51599c5b098d388fde65e2e60bb6332aef
Instruction ID: 25b62da08cecef26c395931cea73ffe9b62582a88be241cbb158b3c9ea13de32
Opcode Fuzzy Hash: 37D0C940B0DE75C4F860630138017A90633234BF1BCD1C316480F76041C6CFAEF07A28
Instruction Fuzzy Hash: 25b62da08cecef26c395931cea73ffe9b62582a88be241cbb158b3c9ea13de32

APIs

GetCurrentThreadId.KERNEL32(?,00447A69,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00444B34
SetWindowsHookExA.USER32(00000003,00444AD8,00000000,00000000), ref: 00444B44
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00447A69,?,?,?,?,?,?,?,?,?,?), ref: 00444B5F
CreateThread.KERNEL32(00000000,000003E8,00444A7C,00000000,00000000), ref: 00444B83

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B438, Relevance: 6.0, APIs: 4, Instructions: 29 Total matches: 789

Similarity

Total matches: 789
API ID: GetDCGetTextMetricsReleaseDCSelectObject
String ID:
API String ID: 1769665799-0
Opcode ID: db772d9cc67723a7a89e04e615052b16571c955da3e3b2639a45f22e65d23681
Instruction ID: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3
Opcode Fuzzy Hash: DCC02B935A2888C32DE51FC0940084317C8C0E3A248C62212E13D400727F0C007CBFC0
Instruction Fuzzy Hash: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3

APIs

GetDC.USER32(00000000), ref: 0042B441
SelectObject.GDI32(00000000,018A002E), ref: 0042B453
GetTextMetricsA.GDI32(00000000), ref: 0042B45E
ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E408, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44 Total matches: 2190

Similarity

Total matches: 2190
API ID: GetSystemMetrics
String ID: MonitorFromPoint
API String ID: 96882338-1072306578
Opcode ID: 666203dad349f535e62b1e5569e849ebaf95d902ba2aa8f549115cec9aadc9dc
Instruction ID: 9e90a3aeaa9df0e76633c437836624889fea8714b6c2508f44f8acb6986c90e8
Opcode Fuzzy Hash: 72D09540005C404E9427F505302314050862CD7C1444C0A96073728A4B4BC07837E70C
Instruction Fuzzy Hash: 9e90a3aeaa9df0e76633c437836624889fea8714b6c2508f44f8acb6986c90e8

APIs

GetSystemMetrics.USER32(00000000), ref: 0042E456
GetSystemMetrics.USER32(00000001), ref: 0042E468

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

MonitorFromPoint, xrefs: 0042E41A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E258, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39 Total matches: 3131

Similarity

Total matches: 3131
API ID: GetSystemMetrics
String ID: GetSystemMetrics
API String ID: 96882338-96882338
Opcode ID: bbc54e4b5041dfa08de2230ef90e8f32e1264c6e24ec09b97715d86cc98d23e9
Instruction ID: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c
Opcode Fuzzy Hash: B4D0A941986AA908E0AF511971A336358D163D2EA0C8C8362308B329EB5741B520AB01
Instruction Fuzzy Hash: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c

APIs

GetSystemMetrics.USER32(?), ref: 0042E2BA

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

GetSystemMetrics.USER32(?), ref: 0042E280

Strings

GetSystemMetrics, xrefs: 0042E268

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Process Name: msdcsc.exe Analysis ID: 40545

General

Root Process Name:	regdrv.exe
Process MD5:	264D0D08069B26210AD2261C1E37CCF2
Total matches:	179
Initial Analysis Report:	Open
Initial sample Analysis ID:	40545
Initial sample SHA 256:	25E9F71272AD2AFD08692D6F248BB18CA6F73A6F342B65B1F5F3B1D9E91F9CD4
Initial sample name:	BinderFile.exe

Similar Executed Functions

Function 004818F8, Relevance: 49.2, APIs: 10, Strings: 18, Instructions: 236 Total matches: 18keyboard

Similarity

Total matches: 18
API ID: GetKeyState$CallNextHookEx$GetKeyboardStateMapVirtualKeyToAscii
String ID: [<-]$[DEL]$[DOWN]$[ESC]$[F1]$[F2]$[F3]$[F4]$[F5]$[F6]$[F7]$[F8]$[INS]$[LEFT]$[NUM_LOCK]$[RIGHT]$[SNAPSHOT]$[UP]
API String ID: 2409940449-52828794
Opcode ID: b9566e8c43a4051c07ac84d60916a303a7beb698efc358184a9cd4bc7b664fbd
Instruction ID: 41c13876561f3d94aafb9dcaf6d0e9d475a0720bb5103e60537e1bfe84b96b73
Opcode Fuzzy Hash: 0731B68AA7159623D437E2D97101B910227BF975D0CC1A3333EDA3CAE99E900114BF25
Instruction Fuzzy Hash: 41c13876561f3d94aafb9dcaf6d0e9d475a0720bb5103e60537e1bfe84b96b73

APIs

CallNextHookEx.USER32(000601F9,00000000,?,?), ref: 00481948

Part of subcall function 004818E0: MapVirtualKeyA.USER32(00000000,00000000), ref: 004818E6

CallNextHookEx.USER32(000601F9,00000000,00000100,?), ref: 0048198C
GetKeyState.USER32(00000014), ref: 00481C4E
GetKeyState.USER32(00000011), ref: 00481C60
GetKeyState.USER32(000000A0), ref: 00481C75
GetKeyState.USER32(000000A1), ref: 00481C8A
GetKeyboardState.USER32(?), ref: 00481CA5
MapVirtualKeyA.USER32(00000000,00000000), ref: 00481CD7
ToAscii.USER32(00000000,00000000,00000000,00000000,?), ref: 00481CDE

Part of subcall function 00481318: ExitThread.KERNEL32(00000000,00000000,00481687,?,00000000,004816C3,?,?,?,?,0000000C,00000000,00000000), ref: 0048135E
Part of subcall function 00481318: CreateThread.KERNEL32(00000000,00000000,Function_000810D4,00000000,00000000,00499F94), ref: 0048162D

CallNextHookEx.USER32(000601F9,00000000,?,?), ref: 00481D3C

Strings

[LEFT], xrefs: 00481C07
[F3], xrefs: 00481B65
[DOWN], xrefs: 00481C2B
[<-], xrefs: 00481B1D
[NUM_LOCK], xrefs: 00481B2F
[RIGHT], xrefs: 00481C19
[F7], xrefs: 00481BAD
[DEL], xrefs: 00481BD1
[UP], xrefs: 00481C3D
[F4], xrefs: 00481B77
[ESC], xrefs: 00481AE7
[F8], xrefs: 00481BBF
[F5], xrefs: 00481B89
[F1], xrefs: 00481B41
[INS], xrefs: 00481BE3
[F6], xrefs: 00481B9B
[SNAPSHOT], xrefs: 00481BF5
[F2], xrefs: 00481B53

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00406C2C, Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184 Total matches: 2899registrystringlibrary

Similarity

Total matches: 2899
API ID: lstrcpyn$LoadLibraryExRegOpenKeyEx$RegQueryValueEx$GetLocaleInfoGetModuleFileNameGetThreadLocaleRegCloseKeylstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 3567661987-2375825460
Opcode ID: a3b1251d448c01bd6f1cc1c42774547fa8a2e6c4aa6bafad0bbf1d0ca6416942
Instruction ID: a303aaa8438224c55303324eb01105260f59544aa3820bfcbc018d52edb30607
Opcode Fuzzy Hash: 7311914307969393E8871B6124157D513A5AF01F30E4A7BF275F0206EABE46110CFA06
Instruction Fuzzy Hash: a303aaa8438224c55303324eb01105260f59544aa3820bfcbc018d52edb30607

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,00400000,004917C0), ref: 00406C48
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,004917C0), ref: 00406C66
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,004917C0), ref: 00406C84
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00406CA2

Part of subcall function 00406A68: GetModuleHandleA.KERNEL32(kernel32.dll,?,00400000,004917C0), ref: 00406A85
Part of subcall function 00406A68: GetProcAddress.KERNEL32(?,GetLongPathNameA,kernel32.dll,?,00400000,004917C0), ref: 00406A9C
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,?,00400000,004917C0), ref: 00406ACC
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B30
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B66
Part of subcall function 00406A68: FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B79
Part of subcall function 00406A68: FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B8B
Part of subcall function 00406A68: lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B97
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000), ref: 00406BCB
Part of subcall function 00406A68: lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00406BD7
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 00406BF9

RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,00406D31,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00406CEB
RegQueryValueExA.ADVAPI32(?,00406E98,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00406D31,?,80000001), ref: 00406D09
RegCloseKey.ADVAPI32(?,00406D38,00000000,?,?,00000000,00406D31,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00406D2B
lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00406D48
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00406D55
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00406D5B
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00406D86
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406DCD
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406DDD
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406E05
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406E15
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00406E3B
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 00406E4B

Strings

Software\Borland\Locales, xrefs: 00406C5C, 00406C7A
Software\Borland\Delphi\Locales, xrefs: 00406C98

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004865E0, Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 218 Total matches: 6networkwindowsleep

Similarity

Total matches: 6
API ID: DispatchMessagePeekMessageSleepTranslateMessageclosesocketconnectgethostbynameinet_addrntohsrecvshutdownsocket
String ID: AI$`cH
API String ID: 3460500621-1903509725
Opcode ID: 160ec415bf9cde1d180925ab74ab35c458bf35a5a8942b744c9c50ea7885072b
Instruction ID: bff04fe52ff06702a52ed8e0aeaacb9a4f873de297662bc347fa8b812471f346
Opcode Fuzzy Hash: A1318B84078ED51EE4327F307841F4B1295BFD6634E4597D68772396D22F01541EF91E
Instruction Fuzzy Hash: bff04fe52ff06702a52ed8e0aeaacb9a4f873de297662bc347fa8b812471f346

APIs

Sleep.KERNEL32(000000C8), ref: 00486682
TranslateMessage.USER32(?), ref: 00486690
DispatchMessageA.USER32(?), ref: 0048669C
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004866B0
socket.WSOCK32(00000002,00000001,00000000,?,00000000,00000000,00000000,00000001,000000C8), ref: 004866CE
ntohs.WSOCK32(00000774,00000002,00000001,00000000,?,00000000,00000000,00000000,00000001,000000C8), ref: 004866F8
inet_addr.WSOCK32(015EAA88,00000774,00000002,00000001,00000000,?,00000000,00000000,00000000,00000001,000000C8), ref: 00486709
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774,00000002,00000001,00000000,?,00000000,00000000,00000000,00000001,000000C8), ref: 0048671F
connect.WSOCK32(00000248,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000,?,00000000,00000000,00000000,00000001,000000C8), ref: 00486744

Part of subcall function 0041FA34: GetLastError.KERNEL32(00486514,00000004,0048650C,00000000,0041FADE,?,00499F5C), ref: 0041FA94

Part of subcall function 0041FC40: SetThreadPriority.KERNEL32(?,015CDB28,00499F5C,?,0047EC9E,?,?,?,00000000,00000000,?,0049062B), ref: 0041FC55

Part of subcall function 0041FEF0: ResumeThread.KERNEL32(?,00499F5C,?,0047ECAA,?,?,?,00000000,00000000,?,0049062B), ref: 0041FEF8

recv.WSOCK32(00000248,?,00002000,00000000,00000248,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000,?,00000000,00000000,00000000), ref: 004867CD
shutdown.WSOCK32(00000248,00000001,00000248,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000,?,00000000,00000000,00000000,00000001,000000C8), ref: 00486881
closesocket.WSOCK32(00000248,00000248,00000001,00000248,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000,?,00000000,00000000,00000000,00000001), ref: 0048688E

Part of subcall function 00405D40: SysFreeString.OLEAUT32(?), ref: 00405D53

Part of subcall function 00486528: shutdown.WSOCK32(00000248,00000002,00000001,004867E2,00000248,?,00002000,00000000,00000248,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000), ref: 004865BC
Part of subcall function 00486528: closesocket.WSOCK32(00000248,00000248,00000002,00000001,004867E2,00000248,?,00002000,00000000,00000248,00000002,00000010,015EAA88,00000774,00000002,00000001), ref: 004865C9

Strings

AI, xrefs: 0048681D
`cH, xrefs: 00486760

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00406D38, Relevance: 15.1, APIs: 10, Instructions: 98 Total matches: 2843stringlibrarythread

Similarity

Total matches: 2843
API ID: lstrcpyn$LoadLibraryEx$GetLocaleInfoGetThreadLocalelstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 2476548892-2375825460
Opcode ID: 37afa4b59127376f4a6833a35b99071d0dffa887068a3353cca0b5e1e5cd2bc3
Instruction ID: 0c520f96d45b86b238466289d2a994e593252e78d5c30d2048b7af96496f657b
Opcode Fuzzy Hash: 4CF0C883479793A7E04B1B422916AC853A4AF00F30F577BE1B970147FE7D1B240CA519
Instruction Fuzzy Hash: 0c520f96d45b86b238466289d2a994e593252e78d5c30d2048b7af96496f657b

APIs

lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00406D48
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00406D55
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00406D5B
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00406D86
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406DCD
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406DDD
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406E05
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406E15
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00406E3B
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 00406E4B

Strings

Software\Borland\Locales, xrefs: 00406C5C, 00406C7A
Software\Borland\Delphi\Locales, xrefs: 00406C98

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AEA8, Relevance: 9.1, APIs: 6, Instructions: 108 Total matches: 122

Similarity

Total matches: 122
API ID: AdjustTokenPrivilegesCloseHandleGetCurrentProcessGetLastErrorLookupPrivilegeValueOpenProcessToken
String ID:
API String ID: 1655903152-0
Opcode ID: c92d68a2c1c5faafb4a28c396f292a277a37f0b40326d7f586547878ef495775
Instruction ID: 5a044237aac15a3989e4021d08b96f5326c338692d3d0e66e444868dbe789150
Opcode Fuzzy Hash: 2CF0468513CAB2E7F879B18C3042FE73458B323244C8437219A903A18E0E59A12CEB13
Instruction Fuzzy Hash: 5a044237aac15a3989e4021d08b96f5326c338692d3d0e66e444868dbe789150

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AEFF
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF05
LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000), ref: 0048AF77
CloseHandle.KERNEL32(?), ref: 0048AF8D
GetLastError.KERNEL32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF9A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DDE0, Relevance: 7.6, APIs: 5, Instructions: 54 Total matches: 153

Similarity

Total matches: 153
API ID: FindResourceFreeResourceLoadResourceLockResourceSizeofResource
String ID:
API String ID: 3885362348-0
Opcode ID: ef8b8e58cde3d28224df1e0c57da641ab2d3d01fa82feb3a30011b4f31433ee9
Instruction ID: 9990bafbf40e834a260b48e1f62370990a3e04654371271e90c167a58edff6a8
Opcode Fuzzy Hash: 08D02B420B5FA197F51656482C813D722876B43386EC42BF2D31A3B2E39F058039F60B
Instruction Fuzzy Hash: 9990bafbf40e834a260b48e1f62370990a3e04654371271e90c167a58edff6a8

APIs

FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 0048DE1A
LoadResource.KERNEL32(00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE24
SizeofResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE2E
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE36
FreeResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00481ED8, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 86 Total matches: 13

Similarity

Total matches: 13
API ID: GetModuleHandleSetWindowsHookEx
String ID: 3 H$dclogs\
API String ID: 987070476-1752027334
Opcode ID: 4b23d8581528a2a1bc1133d8afea0c2915dbad2a911779c2aade704c29555fce
Instruction ID: b2120ba2d2fe5220d185ceeadd256cdd376e4b814eb240eb03e080d2c545ca01
Opcode Fuzzy Hash: 00F0D1DB07A9C683E1A2A4847C42796007D5F07115E8C8BB3473F7A4F64F164026F70A
Instruction Fuzzy Hash: b2120ba2d2fe5220d185ceeadd256cdd376e4b814eb240eb03e080d2c545ca01

APIs

GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00482007,?,?,00000003,00000000,00000000,?,00482033), ref: 00481EFB
SetWindowsHookExA.USER32(0000000D,004818F8,00000000,00000000), ref: 00481F09

Part of subcall function 0048ADCC: SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0048ADF9
Part of subcall function 0048ADCC: SHGetPathFromIDListA.SHELL32(?,?,00000000,0048AE8C,?,?,00000005,?,004856FD,00000000,00485755,?,?,00000005,00000000,00000000), ref: 0048AE09

Part of subcall function 0040A290: GetFileAttributesA.KERNEL32(00000000,?,0048FD09,?,?,00490710,?), ref: 0040A29B

Part of subcall function 00480F70: GetForegroundWindow.USER32 ref: 00480F8F
Part of subcall function 00480F70: GetWindowTextLengthA.USER32(00000000), ref: 00480F9B
Part of subcall function 00480F70: GetWindowTextA.USER32(00000000,00000000,00000001), ref: 00480FB8

Strings

dclogs\, xrefs: 00481F26, 00481F4C, 00481F6E
3 H, xrefs: 00481F16, 00481F23, 00481F30

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047EAEC, Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 149 Total matches: 19windowthread

Similarity

Total matches: 19
API ID: CreateThreadDispatchMessageGetMessageTranslateMessage
String ID: at $,xI$AI$AI$MPI$OFFLINEK$PWD$Unknow
API String ID: 994098336-2744674293
Opcode ID: 9eba81f8e67a9dabaeb5076a6d0005a8d272465a03f2cd78ec5fdf0e8a578f9a
Instruction ID: 2241c7d72abfc068c3e0d2a9a226d44f5f768712d3663902469fbf0e50918cf5
Opcode Fuzzy Hash: E81159DA27FED40AF533B93074417C781661B2B62CE5C53A24E3B38580DE83406A7F06
Instruction Fuzzy Hash: 2241c7d72abfc068c3e0d2a9a226d44f5f768712d3663902469fbf0e50918cf5

APIs

CreateThread.KERNEL32(00000000,00000000,00482028,00000000,00000000,00499F94), ref: 0047EB8D
GetMessageA.USER32(00499F5C,00000000,00000000,00000000), ref: 0047ECBF

Part of subcall function 0040BC98: GetLocalTime.KERNEL32(?), ref: 0040BCA0

Part of subcall function 0040BCC4: GetLocalTime.KERNEL32(?), ref: 0040BCCC

Part of subcall function 0041FA34: GetLastError.KERNEL32(00486514,00000004,0048650C,00000000,0041FADE,?,00499F5C), ref: 0041FA94

Part of subcall function 0041FC40: SetThreadPriority.KERNEL32(?,015CDB28,00499F5C,?,0047EC9E,?,?,?,00000000,00000000,?,0049062B), ref: 0041FC55

Part of subcall function 0041FEF0: ResumeThread.KERNEL32(?,00499F5C,?,0047ECAA,?,?,?,00000000,00000000,?,0049062B), ref: 0041FEF8

TranslateMessage.USER32(00499F5C), ref: 0047ECAD
DispatchMessageA.USER32(00499F5C), ref: 0047ECB3

Strings

OFFLINEK, xrefs: 0047EB61
,xI, xrefs: 0047EC45
AI, xrefs: 0047EB11, 0047EB3E
at , xrefs: 0047EC58
Unknow, xrefs: 0047EC0B
AI, xrefs: 0047EBFA, 0047EC04, 0047EC60
MPI, xrefs: 0047EB9D
PWD, xrefs: 0047EB26

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004458CC, Relevance: 19.9, APIs: 13, Instructions: 386 Total matches: 159window

Similarity

Total matches: 159
API ID: SetFocus$GetFocusIsWindowEnabledPostMessage$GetLastActivePopupIsWindowVisibleSendMessage
String ID:
API String ID: 914620548-0
Opcode ID: 7a550bb8e8bdfffe0a3d884064dd1348bcd58c670023c5df15e5d4cbc78359b7
Instruction ID: ae7cdb1027d949e36366800a998b34cbf022b374fa511ef6be9943eb0d4292bd
Opcode Fuzzy Hash: 79518B4165DF6212E8BB908076A3BE6604BF7C6B9ECC8DF3411D53649B3F44620EE306
Instruction Fuzzy Hash: ae7cdb1027d949e36366800a998b34cbf022b374fa511ef6be9943eb0d4292bd

APIs

Part of subcall function 00445780: SetThreadLocale.KERNEL32(00000400,?,?,?,0044593F,00000000,00445F57), ref: 004457A3

Part of subcall function 00445F90: SetActiveWindow.USER32(?), ref: 00445FB5
Part of subcall function 00445F90: IsWindowEnabled.USER32(00000000), ref: 00445FE1
Part of subcall function 00445F90: SetWindowPos.USER32(?,00000000,00000000,00000000,?,00000000,00000040), ref: 0044602B
Part of subcall function 00445F90: DefWindowProcA.USER32(?,00000112,0000F020,00000000), ref: 00446040

Part of subcall function 00446070: SetActiveWindow.USER32(?), ref: 0044608F
Part of subcall function 00446070: ShowWindow.USER32(00000000,00000009), ref: 004460B4
Part of subcall function 00446070: IsWindowEnabled.USER32(00000000), ref: 004460D3
Part of subcall function 00446070: DefWindowProcA.USER32(?,00000112,0000F120,00000000), ref: 004460EC
Part of subcall function 00446070: SetWindowPos.USER32(?,00000000,00000000,?,?,00445ABE,00000000), ref: 00446132
Part of subcall function 00446070: SetFocus.USER32(00000000), ref: 00446180

Part of subcall function 00445F74: LoadIconA.USER32(00000000,00007F00), ref: 00445F8A

PostMessageA.USER32(?,0000B001,00000000,00000000), ref: 00445BCD

Part of subcall function 00445490: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000213), ref: 004454DE

PostMessageA.USER32(?,0000B000,00000000,00000000), ref: 00445BAB
SendMessageA.USER32(?,?,?,?), ref: 00445C73

Part of subcall function 00405388: FreeLibrary.KERNEL32(00400000,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405410
Part of subcall function 00405388: ExitProcess.KERNEL32(00000000,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405448

Part of subcall function 0044641C: IsWindowEnabled.USER32(00000000), ref: 00446458

IsWindowEnabled.USER32(00000000), ref: 00445D18
IsWindowVisible.USER32(00000000), ref: 00445D2D
GetFocus.USER32 ref: 00445D41
SetFocus.USER32(00000000), ref: 00445D50
SetFocus.USER32(00000000), ref: 00445D6F
IsWindowEnabled.USER32(00000000), ref: 00445DD0
SetFocus.USER32(00000000), ref: 00445DF2
GetLastActivePopup.USER32(?), ref: 00445E0A

Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773

GetFocus.USER32 ref: 00445E4F

Part of subcall function 0043BA80: GetCurrentThreadId.KERNEL32(Function_0003BA1C,00000000,0044283C,00000000,004428BF), ref: 0043BA9A
Part of subcall function 0043BA80: EnumThreadWindows.USER32(00000000,Function_0003BA1C,00000000), ref: 0043BAA0

SetFocus.USER32(00000000), ref: 00445E70

Part of subcall function 00446A88: PostMessageA.USER32(?,0000B01F,00000000,00000000), ref: 00446BA1

Part of subcall function 004466B8: SendMessageA.USER32(?,0000B020,00000001,?), ref: 004466DC

Part of subcall function 0044665C: SendMessageA.USER32(?,0000B020,00000000,?), ref: 0044667E

Part of subcall function 0045D684: SystemParametersInfoA.USER32(00000068,00000000,015E3408,00000000), ref: 0045D6C8
Part of subcall function 0045D684: SendMessageA.USER32(?,?,00000000,00000000), ref: 0045D6DB

Part of subcall function 00445844: DefWindowProcA.USER32(?,?,?,?), ref: 0044586E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004450B4, Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 131 Total matches: 14windowregistry

Similarity

Total matches: 14
API ID: DeleteMenu$GetClassInfoGetSystemMenuRegisterClassSendMessageSetClassLongSetWindowLong
String ID: LPI$PMD
API String ID: 387369179-807424164
Opcode ID: 32fce7ee3e6ac0926511ec3e4f7c98ab685e9b31e2d706daccbfdcda0f6d1d6b
Instruction ID: d56ce0e432135cd6d309e63aa69e29fd16821da0556a9908f65c39b580e9a6e9
Opcode Fuzzy Hash: 5601A6826E8982A2E2E03082381279F408E9F8B745C34A72E50863056EEF4A4178FF06
Instruction Fuzzy Hash: d56ce0e432135cd6d309e63aa69e29fd16821da0556a9908f65c39b580e9a6e9

APIs

Part of subcall function 00421084: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 004210A2

GetClassInfoA.USER32(00400000,00444D50,?), ref: 00445113
RegisterClassA.USER32(004925FC), ref: 0044512B

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

Part of subcall function 0040857C: CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004085BB

SetWindowLongA.USER32(?,000000FC,?), ref: 004451C2
DeleteMenu.USER32(00000000,0000F010,00000000), ref: 00445235

Part of subcall function 00445F74: LoadIconA.USER32(00000000,00007F00), ref: 00445F8A

SendMessageA.USER32(?,00000080,00000001,00000000), ref: 004451E4
SetClassLongA.USER32(?,000000F2,00000000), ref: 004451F7
GetSystemMenu.USER32(?,00000000), ref: 00445202
DeleteMenu.USER32(00000000,0000F030,00000000), ref: 00445211
DeleteMenu.USER32(00000000,0000F000,00000000), ref: 0044521E

Strings

PMD, xrefs: 00445107, 0044519E
LPI, xrefs: 004450DD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045DAE0, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 103 Total matches: 45registrylibraryloader

Similarity

Total matches: 45
API ID: GlobalAddAtom$GetCurrentProcessIdGetCurrentThreadIdGetModuleHandleGetProcAddressRegisterWindowMessage
String ID: AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$USER32
API String ID: 1182141063-1126952177
Opcode ID: f8c647dae10644b7e730f5649d963eb01b1b77fd7d0b633dfddc8baab0ae74fb
Instruction ID: 6dc9b78338348dc7afd8e3f20dad2926db9f0bd5be2625dc934bf3846c6fa984
Opcode Fuzzy Hash: ED0140552F89B147427255E03449BB534B6A707F4B4CA77531B0D3A1F9AE074025FB1E
Instruction Fuzzy Hash: 6dc9b78338348dc7afd8e3f20dad2926db9f0bd5be2625dc934bf3846c6fa984

APIs

GetCurrentProcessId.KERNEL32(?,00000000,0045DC58), ref: 0045DB01
GlobalAddAtomA.KERNEL32(00000000), ref: 0045DB34
GetCurrentThreadId.KERNEL32(?,?,00000000,0045DC58), ref: 0045DB4F
GlobalAddAtomA.KERNEL32(00000000), ref: 0045DB85
RegisterWindowMessageA.USER32(00000000,00000000,?,?,00000000,0045DC58), ref: 0045DB9B

Part of subcall function 00419AB0: InitializeCriticalSection.KERNEL32(004174C8,?,?,0045DBB1,00000000,00000000,?,?,00000000,0045DC58), ref: 00419ACF

Part of subcall function 0045D6E8: SetErrorMode.KERNEL32(00008000), ref: 0045D701
Part of subcall function 0045D6E8: GetModuleHandleA.KERNEL32(USER32,00000000,0045D84E,?,00008000), ref: 0045D725
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,WINNLSEnableIME,USER32,00000000,0045D84E,?,00008000), ref: 0045D732
Part of subcall function 0045D6E8: LoadLibraryA.KERNEL32(imm32.dll), ref: 0045D74E
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D770
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D785
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D79A
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7AF
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7C4
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E), ref: 0045D7D9
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000), ref: 0045D7EE
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext), ref: 0045D803
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext), ref: 0045D818
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmNotifyIME,00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus), ref: 0045D82D
Part of subcall function 0045D6E8: SetErrorMode.KERNEL32(?,0045D855,00008000), ref: 0045D848

Part of subcall function 00443B58: GetKeyboardLayout.USER32(00000000), ref: 00443B9D
Part of subcall function 00443B58: GetDC.USER32(00000000), ref: 00443BF2
Part of subcall function 00443B58: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00443BFC
Part of subcall function 00443B58: ReleaseDC.USER32(00000000,00000000), ref: 00443C07

Part of subcall function 00444D60: LoadIconA.USER32(00400000,MAINICON), ref: 00444E57
Part of subcall function 00444D60: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON), ref: 00444E89
Part of subcall function 00444D60: OemToCharA.USER32(?,?), ref: 00444E9C
Part of subcall function 00444D60: CharNextA.USER32(?), ref: 00444EDB
Part of subcall function 00444D60: CharLowerA.USER32(00000000), ref: 00444EE1

GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,?,00000000,0045DC58), ref: 0045DC1F
GetProcAddress.KERNEL32(00000000,AnimateWindow,USER32,00000000,00000000,?,?,00000000,0045DC58), ref: 0045DC30

Strings

Delphi%.8X, xrefs: 0045DB12
ControlOfs%.8X%.8X, xrefs: 0045DB63
AnimateWindow, xrefs: 0045DC2A
USER32, xrefs: 0045DC1A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444D60, Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 135 Total matches: 14window

Similarity

Total matches: 14
API ID: CharLowerCharNextGetModuleFileNameLoadIconOemToChar
String ID: 08B$0PI$8PI$MAINICON$\tA
API String ID: 1282013903-4242882941
Opcode ID: ff2b085099440c5ca1f97a8a9a6e2422089f81c1f58cd04fd4e646ad6fccc634
Instruction ID: 1a7e1b5cc773515fc1e1ce3387cb9199d5a608ac43a7cc09dd1af1e5a3a2e712
Opcode Fuzzy Hash: 76112C42068596E4E03967743814BC96091FB95F3AEB8AB7156F570BE48F418125F31C
Instruction Fuzzy Hash: 1a7e1b5cc773515fc1e1ce3387cb9199d5a608ac43a7cc09dd1af1e5a3a2e712

APIs

LoadIconA.USER32(00400000,MAINICON), ref: 00444E57

Part of subcall function 0042B29C: GetIconInfo.USER32(?,?), ref: 0042B2BD
Part of subcall function 0042B29C: GetObjectA.GDI32(?,00000018,?), ref: 0042B2DE
Part of subcall function 0042B29C: DeleteObject.GDI32(?), ref: 0042B30A
Part of subcall function 0042B29C: DeleteObject.GDI32(?), ref: 0042B313

GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON), ref: 00444E89
OemToCharA.USER32(?,?), ref: 00444E9C
CharNextA.USER32(?), ref: 00444EDB
CharLowerA.USER32(00000000), ref: 00444EE1

Part of subcall function 00421140: GetClassInfoA.USER32(00400000,00421130,?), ref: 00421161
Part of subcall function 00421140: UnregisterClassA.USER32(00421130,00400000), ref: 0042118A
Part of subcall function 00421140: RegisterClassA.USER32(00491B50), ref: 00421194
Part of subcall function 00421140: SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 004211DF

Part of subcall function 004450B4: GetClassInfoA.USER32(00400000,00444D50,?), ref: 00445113
Part of subcall function 004450B4: RegisterClassA.USER32(004925FC), ref: 0044512B
Part of subcall function 004450B4: SetWindowLongA.USER32(?,000000FC,?), ref: 004451C2
Part of subcall function 004450B4: SendMessageA.USER32(?,00000080,00000001,00000000), ref: 004451E4
Part of subcall function 004450B4: SetClassLongA.USER32(?,000000F2,00000000), ref: 004451F7
Part of subcall function 004450B4: GetSystemMenu.USER32(?,00000000), ref: 00445202
Part of subcall function 004450B4: DeleteMenu.USER32(00000000,0000F030,00000000), ref: 00445211
Part of subcall function 004450B4: DeleteMenu.USER32(00000000,0000F000,00000000), ref: 0044521E
Part of subcall function 004450B4: DeleteMenu.USER32(00000000,0000F010,00000000), ref: 00445235

Strings

MAINICON, xrefs: 00444E4A
08B, xrefs: 00444E38
0PI, xrefs: 00444E4F, 00444E81
8PI, xrefs: 00444F14
\tA, xrefs: 00444DBF, 00444DD1, 00444DE3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00481318, Relevance: 16.0, APIs: 2, Strings: 7, Instructions: 241 Total matches: 16thread

Similarity

Total matches: 16
API ID: CreateThreadExitThread
String ID: Bytes ($,xI$:: $:: Clipboard Change : size = $FTPSIZE$FTPUPLOADK$dclogs\
API String ID: 3550501405-4171340091
Opcode ID: 09ac825b311b0dae764bb850de313dcff2ce8638679eaf641d47129c8347c1b6
Instruction ID: 18a29a8180aa3c51a0af157095e3a2943ba53103427a66675ab0ae847ae08d92
Opcode Fuzzy Hash: A8315BC70B99DEDBE522BCD838413A6446E1B4364DD4C1B224B397D4F14F09203AF712
Instruction Fuzzy Hash: 18a29a8180aa3c51a0af157095e3a2943ba53103427a66675ab0ae847ae08d92

APIs

ExitThread.KERNEL32(00000000,00000000,00481687,?,00000000,004816C3,?,?,?,?,0000000C,00000000,00000000), ref: 0048135E

Part of subcall function 00480F70: GetForegroundWindow.USER32 ref: 00480F8F
Part of subcall function 00480F70: GetWindowTextLengthA.USER32(00000000), ref: 00480F9B
Part of subcall function 00480F70: GetWindowTextA.USER32(00000000,00000000,00000001), ref: 00480FB8

Part of subcall function 0048ADCC: SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0048ADF9
Part of subcall function 0048ADCC: SHGetPathFromIDListA.SHELL32(?,?,00000000,0048AE8C,?,?,00000005,?,004856FD,00000000,00485755,?,?,00000005,00000000,00000000), ref: 0048AE09

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

Part of subcall function 0040BCC4: GetLocalTime.KERNEL32(?), ref: 0040BCCC

Part of subcall function 00480FEC: FindFirstFileA.KERNEL32(00000000,?,00000000,0048109E), ref: 0048101E

CreateThread.KERNEL32(00000000,00000000,Function_000810D4,00000000,00000000,00499F94), ref: 0048162D

Strings

FTPUPLOADK, xrefs: 0048159E
,xI, xrefs: 00481482, 0048151D
dclogs\, xrefs: 004813DB, 0048142A, 004815C7
FTPSIZE, xrefs: 004815F1
:: , xrefs: 00481492
Bytes (, xrefs: 0048153F
:: Clipboard Change : size = , xrefs: 0048152D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048B908, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 138 Total matches: 28

Similarity

Total matches: 28
API ID: GetTokenInformation$CloseHandleGetCurrentProcessOpenProcessToken
String ID: Default$Full$Limited$unknow
API String ID: 3519712506-3005279702
Opcode ID: c9e83fe5ef618880897256b557ce500f1bf5ac68e7136ff2dc4328b35d11ffd0
Instruction ID: 0b4c06dab34d27ad9d68d80be0f4d698db9405c4a95def130c1ac261927f5781
Opcode Fuzzy Hash: 94012245479DA6FB6826709C78036E90090EEA3505DC827320F1A3EA430F49906DFE03
Instruction Fuzzy Hash: 0b4c06dab34d27ad9d68d80be0f4d698db9405c4a95def130c1ac261927f5781

APIs

GetCurrentProcess.KERNEL32(00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B93E
OpenProcessToken.ADVAPI32(00000000,00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B944
GetTokenInformation.ADVAPI32(?,00000012(TokenIntegrityLevel),?,00000004,?,00000000,0048BA30,?,00000000,00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B96F
GetTokenInformation.ADVAPI32(?,00000014(TokenIntegrityLevel),?,00000004,?,?,TokenIntegrityLevel,?,00000004,?,00000000,0048BA30,?,00000000,00000008,?), ref: 0048B9DF
CloseHandle.KERNEL32(?), ref: 0048BA2A

Strings

unknow, xrefs: 0048B9B6
Limited, xrefs: 0048B9A7
Default, xrefs: 0048B989
Full, xrefs: 0048B998

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004035C4, Relevance: 15.1, APIs: 10, Instructions: 129 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: d538ecb20819965be69077a828496b76d5af3486dd71f6717b9dc933de35fdbc
Instruction ID: c976212507a0127e09b4f1878ff8970bdbefa7b4a5e526d5fabf74a192684bc9
Opcode Fuzzy Hash: DD012BC0B7E89268E42FAB84AA00FD25444979FFC9E70C74433C9615EE6742616CBE09
Instruction Fuzzy Hash: c976212507a0127e09b4f1878ff8970bdbefa7b4a5e526d5fabf74a192684bc9

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040364C
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00403670
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040368C
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 004036AD
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 004036D6
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 004036E4
GetStdHandle.KERNEL32(000000F5), ref: 0040371F
GetFileType.KERNEL32 ref: 00403735
CloseHandle.KERNEL32 ref: 00403750
GetLastError.KERNEL32(000000F5), ref: 00403768

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040EBCC, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201 Total matches: 3634thread

Similarity

Total matches: 3634
API ID: GetThreadLocale
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 1366207816-2493093252
Opcode ID: 01a36ac411dc2f0c4b9eddfafa1dc6121dabec367388c2cb1b6e664117e908cf
Instruction ID: d03f869ccb848d3c28b0e9f5c57a02ed4726818649ba9b5e70cc30c7e7abe10a
Opcode Fuzzy Hash: 7E216E09A7888936D262494C3885B9414F75F1A161EC4CBF18BB2757ED6EC60422FBFB
Instruction Fuzzy Hash: d03f869ccb848d3c28b0e9f5c57a02ed4726818649ba9b5e70cc30c7e7abe10a

APIs

Part of subcall function 0040EB08: GetThreadLocale.KERNEL32 ref: 0040EB2A
Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000004A), ref: 0040EB7D
Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000002A), ref: 0040EB8C

Part of subcall function 0040D3E8: GetThreadLocale.KERNEL32(00000000,0040D4FB,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040D404

GetThreadLocale.KERNEL32(00000000,0040EE97,?,?,00000000,00000000), ref: 0040EC02

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Part of subcall function 0040D380: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040EC7E,00000000,0040EE97,?,?,00000000,00000000), ref: 0040D393

Part of subcall function 0040D670: GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(?,00000000,0040D657,?,?,00000000), ref: 0040D5D8
Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040D657,?,?,00000000), ref: 0040D608
Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D50C,00000000,00000000,00000004), ref: 0040D613
Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040D657,?,?,00000000), ref: 0040D631
Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D548,00000000,00000000,00000003), ref: 0040D63C

Strings

AMPM , xrefs: 0040EE25
mmmm d, yyyy, xrefs: 0040ECFE
m/d/yy, xrefs: 0040ECD1
:mm, xrefs: 0040EE35
:mm:ss, xrefs: 0040EE52
AMPM, xrefs: 0040EE16

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045F5F8, Relevance: 10.6, APIs: 7, Instructions: 117 Total matches: 462file

Similarity

Total matches: 462
API ID: CloseHandle$CreateFileCreateFileMappingGetFileSizeMapViewOfFileUnmapViewOfFile
String ID:
API String ID: 4232242029-0
Opcode ID: 30b260463d44c6b5450ee73c488d4c98762007a87f67d167b52aaf6bd441c3bf
Instruction ID: 5c790fdba87d6d3a28b45298bdc34f72c373fcd78425af207109af52e92f4d8f
Opcode Fuzzy Hash: 68F028440BCCF3A7F4B5B64820427A1004AAB46B58D54BFA25495374CB89C9B04DFB53
Instruction Fuzzy Hash: 5c790fdba87d6d3a28b45298bdc34f72c373fcd78425af207109af52e92f4d8f

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateFileA.KERNEL32(00000000,80000000,00000003,00000000,00000003,08000080,00000000), ref: 0045F637
CreateFileMappingA.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0045F665
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718,?,?,?,?), ref: 0045F691
GetFileSize.KERNEL32(000000FF,00000000,00000000,0045F6DC,?,00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718), ref: 0045F6B3
UnmapViewOfFile.KERNEL32(00000000,0045F6E3,0045F6DC,?,00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718), ref: 0045F6D6
CloseHandle.KERNEL32(00000000), ref: 0045F6F4
CloseHandle.KERNEL32(000000FF), ref: 0045F712

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AFE8, Relevance: 10.6, APIs: 7, Instructions: 94 Total matches: 34sleep

Similarity

Total matches: 34
API ID: Sleep$GetCurrentProcessGetTokenInformationLookupPrivilegeDisplayNameLookupPrivilegeNameOpenProcessToken
String ID:
API String ID: 2949210484-0
Opcode ID: 1294ace95088db967643d611283e857756515b83d680ef470e886f47612abab4
Instruction ID: 080af5cb768fd98714a9d060fcd45c73de1816ca9ba7ffb4874f351f539571ee
Opcode Fuzzy Hash: F9F0F6524B5DE753F65D2A4C9893BE90250DB03424E806B22857877A8A5E195039FA2A
Instruction Fuzzy Hash: 080af5cb768fd98714a9d060fcd45c73de1816ca9ba7ffb4874f351f539571ee

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048B0F3), ref: 0048B016
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048B0F3), ref: 0048B01C
Sleep.KERNEL32(00000001,00000000,00000028,?,00000000,0048B0F3), ref: 0048B027
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B03C
Sleep.KERNEL32(00000001,?,TokenIntegrityLevel,00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B047
LookupPrivilegeNameA.ADVAPI32(00000000,00000004,00000000,000000FF), ref: 0048B094
LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,?,000000FF,?), ref: 0048B0A8

Part of subcall function 0048AEA8: GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AEFF
Part of subcall function 0048AEA8: OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF05
Part of subcall function 0048AEA8: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
Part of subcall function 0048AEA8: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000), ref: 0048AF77
Part of subcall function 0048AEA8: CloseHandle.KERNEL32(?), ref: 0048AF8D
Part of subcall function 0048AEA8: GetLastError.KERNEL32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF9A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048F888, Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 110 Total matches: 18

Similarity

Total matches: 18
API ID: CoInitialize
String ID: .dcp$DCDATA$GENCODE$MPI$NETDATA
API String ID: 2346599605-3060965071
Opcode ID: 5b2698c0d83cdaee763fcf6fdf8d4463e192853437356cece5346bd183c87f4d
Instruction ID: bf1364519f653df7cd18a9a38ec8bfca38719d83700d8c9dcdc44dde4d16a583
Opcode Fuzzy Hash: 990190478FEEC01AF2139D64387B7C100994F53F55E840B9B557D3E5A08947502BB705
Instruction Fuzzy Hash: bf1364519f653df7cd18a9a38ec8bfca38719d83700d8c9dcdc44dde4d16a583

APIs

Part of subcall function 004076D4: GetModuleHandleA.KERNEL32(00000000,?,0048F8A5,?,?,?,0000002F,00000000,00000000), ref: 004076E0

CoInitialize.OLE32(00000000), ref: 0048F8B5

Part of subcall function 0048AFE8: GetCurrentProcess.KERNEL32(00000028,?,00000000,0048B0F3), ref: 0048B016
Part of subcall function 0048AFE8: OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048B0F3), ref: 0048B01C
Part of subcall function 0048AFE8: Sleep.KERNEL32(00000001,00000000,00000028,?,00000000,0048B0F3), ref: 0048B027
Part of subcall function 0048AFE8: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B03C
Part of subcall function 0048AFE8: Sleep.KERNEL32(00000001,?,TokenIntegrityLevel,00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B047
Part of subcall function 0048AFE8: LookupPrivilegeNameA.ADVAPI32(00000000,00000004,00000000,000000FF), ref: 0048B094
Part of subcall function 0048AFE8: LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,?,000000FF,?), ref: 0048B0A8

Part of subcall function 0040F234: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0048F90F,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040F24B

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

Strings

.dcp, xrefs: 0048F92D, 0048F989
DCDATA, xrefs: 0048F8E9
NETDATA, xrefs: 0048F9B6
MPI, xrefs: 0048F8BA
GENCODE, xrefs: 0048F920, 0048F97C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B47C, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58 Total matches: 283

Similarity

Total matches: 283
API ID: MulDiv
String ID: MS Shell Dlg 2$SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes$Tahoma
API String ID: 940359406-1011973972
Opcode ID: 9f338f1e3de2c8e95426f3758bdd42744a67dcd51be80453ed6f2017c850a3af
Instruction ID: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a
Opcode Fuzzy Hash: EDE0680017C8F0ABFC32BC8A30A17CD20C9F341270C0063B1065D3D8CAAB4AC018E907
Instruction Fuzzy Hash: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a

APIs

MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0042B4A2

Part of subcall function 004217A0: RegCloseKey.ADVAPI32(10940000,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5,?,00000000,0048B2DD), ref: 004217B4

Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421A81
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421AF1
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?), ref: 00421B5C

Part of subcall function 00421770: RegFlushKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 00421781
Part of subcall function 00421770: RegCloseKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 0042178A

Part of subcall function 0042B438: GetDC.USER32(00000000), ref: 0042B441
Part of subcall function 0042B438: SelectObject.GDI32(00000000,018A002E), ref: 0042B453
Part of subcall function 0042B438: GetTextMetricsA.GDI32(00000000), ref: 0042B45E
Part of subcall function 0042B438: ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes, xrefs: 0042B4F8
MS Shell Dlg 2, xrefs: 0042B50C
Tahoma, xrefs: 0042B4C4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00480F70, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43 Total matches: 13

Similarity

Total matches: 13
API ID: GetForegroundWindowGetWindowTextGetWindowTextLength
String ID: 3 H
API String ID: 3098183346-888106971
Opcode ID: 38df64794ac19d1a41c58ddb3103a8d6ab7d810f67298610b47d21a238081d5e
Instruction ID: fd1deb06fecc2756381cd848e34cdb6bc2d530e728f99936ce181bacb4a15fce
Opcode Fuzzy Hash: 41D0A785074A821B944A95CC64011E692D4A171281D803B31CB257A5C9ED06001FA82B
Instruction Fuzzy Hash: fd1deb06fecc2756381cd848e34cdb6bc2d530e728f99936ce181bacb4a15fce

APIs

GetForegroundWindow.USER32 ref: 00480F8F
GetWindowTextLengthA.USER32(00000000), ref: 00480F9B
GetWindowTextA.USER32(00000000,00000000,00000001), ref: 00480FB8

Strings

3 H, xrefs: 00480FD4, 00480FA3, 00480FAE, 00480FBF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00421140, Relevance: 6.1, APIs: 4, Instructions: 59 Total matches: 2877registry

Similarity

Total matches: 2877
API ID: GetClassInfoRegisterClassSetWindowLongUnregisterClass
String ID:
API String ID: 1046148194-0
Opcode ID: c2411987b4f71cfd8dbf515c505d6b009a951c89100e7b51cc1a9ad4868d85a2
Instruction ID: ad09bb2cd35af243c34bf0a983bbfa5e937b059beb8f7eacfcf21e0321a204f6
Opcode Fuzzy Hash: 17E026123D08D3D6E68B3107302B30D00AC1B2F524D94E725428030310CB24B034D942
Instruction Fuzzy Hash: ad09bb2cd35af243c34bf0a983bbfa5e937b059beb8f7eacfcf21e0321a204f6

APIs

GetClassInfoA.USER32(00400000,00421130,?), ref: 00421161
UnregisterClassA.USER32(00421130,00400000), ref: 0042118A
RegisterClassA.USER32(00491B50), ref: 00421194

Part of subcall function 0040857C: CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004085BB

Part of subcall function 00421084: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 004210A2

SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 004211DF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486374, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66 Total matches: 15network

Similarity

Total matches: 15
API ID: send
String ID: #KEEPALIVE#$AI
API String ID: 2809346765-3407633610
Opcode ID: 7bd268bc54a74c8d262fb2d4f92eedc3231c4863c0e0b1ad2c3d318767d32110
Instruction ID: 49a0c3b4463e99ba8d4a2c6ba6a42864ce88c18c059a57f1afd8745127692009
Opcode Fuzzy Hash: 34E068800B79C40B586BB094394371320D2EE1171988473305F003F967CD40501E2E93
Instruction Fuzzy Hash: 49a0c3b4463e99ba8d4a2c6ba6a42864ce88c18c059a57f1afd8745127692009

APIs

send.WSOCK32(?,?,?,00000000,00000000,0048642A), ref: 004863F3

Strings

AI, xrefs: 004863A6
#KEEPALIVE#, xrefs: 00486399

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DD0C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51 Total matches: 15

Similarity

Total matches: 15
API ID: GlobalMemoryStatus
String ID: $%d%
API String ID: 1890195054-1553997471
Opcode ID: b93ee82e74eb3fdc7cf13e02b5efcaa0aef25b4b863b00f7ccdd0b9efdff76e6
Instruction ID: fe5533f6b2d125ff6ee6e2ff500c73019a28ed325643b914abb945f4eac8f20d
Opcode Fuzzy Hash: 64D05BD70F99F457A5A1718E3452FA400956F036D9CC83BB349946E99F071F80ACF612
Instruction Fuzzy Hash: fe5533f6b2d125ff6ee6e2ff500c73019a28ed325643b914abb945f4eac8f20d

APIs

GlobalMemoryStatus.KERNEL32(00000020), ref: 0048DD44

Strings

%d%, xrefs: 0048DD5C
, xrefs: 0048DD39

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048CF38, Relevance: 4.5, APIs: 3, Instructions: 43 Total matches: 31

Similarity

Total matches: 31
API ID: GetForegroundWindowGetWindowTextGetWindowTextLength
String ID:
API String ID: 3098183346-0
Opcode ID: 209e0569b9b6198440fd91fa0607dca7769e34364d6ddda49eba559da13bc80b
Instruction ID: 91d0bfb2ef12b00d399625e8c88d0df52cd9c99a94677dcfff05ce23f9c63a23
Opcode Fuzzy Hash: 06D0A785074B861BA40A96CC64011E692906161142D8077318725BA5C9AD06001FA85B
Instruction Fuzzy Hash: 91d0bfb2ef12b00d399625e8c88d0df52cd9c99a94677dcfff05ce23f9c63a23

APIs

GetForegroundWindow.USER32 ref: 0048CF57
GetWindowTextLengthA.USER32(00000000), ref: 0048CF63
GetWindowTextA.USER32(00000000,00000000,00000001), ref: 0048CF80

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482028, Relevance: 4.5, APIs: 3, Instructions: 19 Total matches: 124window

Similarity

Total matches: 124
API ID: DispatchMessageGetMessageTranslateMessage
String ID:
API String ID: 238847732-0
Opcode ID: 2bc29e822e5a19ca43f9056ef731e5d255ca23f22894fa6ffe39914f176e67d0
Instruction ID: 3635f244085e73605198e4edd337f824154064b4cabe78c039b45d2f1f3269be
Opcode Fuzzy Hash: A9B0120F8141E01F254D19651413380B5D379C3120E515B604E2340284D19031C97C49
Instruction Fuzzy Hash: 3635f244085e73605198e4edd337f824154064b4cabe78c039b45d2f1f3269be

APIs

Part of subcall function 00481ED8: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00482007,?,?,00000003,00000000,00000000,?,00482033), ref: 00481EFB
Part of subcall function 00481ED8: SetWindowsHookExA.USER32(0000000D,004818F8,00000000,00000000), ref: 00481F09

TranslateMessage.USER32 ref: 00482036
DispatchMessageA.USER32 ref: 0048203C
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00482048

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C91C, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 75 Total matches: 20

Similarity

Total matches: 20
API ID: GetVolumeInformation
String ID: %.4x:%.4x
API String ID: 1114431059-3532927987
Opcode ID: 208ca3ebf28c5cea15b573a569a7b8c9d147c1ff64dfac4d15af7b461a718bc8
Instruction ID: 4ae5e3aba91ec141201c4859cc19818ff8a02ee484ece83311eb3b9305c11bcf
Opcode Fuzzy Hash: F8E0E5410AC961EBB4D3F0883543BA2319593A3289C807B73B7467FDD64F05505DD847
Instruction Fuzzy Hash: 4ae5e3aba91ec141201c4859cc19818ff8a02ee484ece83311eb3b9305c11bcf

APIs

GetVolumeInformationA.KERNEL32(00000000,00000000,00000104,?,?,?,00000000,00000104), ref: 0048C974

Strings

%.4x:%.4x, xrefs: 0048C9B9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048CFB4, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58 Total matches: 8

Similarity

Total matches: 8
API ID: capGetDriverDescription
String ID: -
API String ID: 908034968-3695764949
Opcode ID: 539b46e002ba2863d7d2c04a7b077dd225392ffb50804089dcc6361416e5df4e
Instruction ID: 038fcc9a5db2c7f42583a832665ba5c588812794c244530825cfc74b69c29f65
Opcode Fuzzy Hash: 2EE0228213B0DAF7E5A00FA03864F5C0B640F02AB8F8C9FA2A278651EE2C14404CE24F
Instruction Fuzzy Hash: 038fcc9a5db2c7f42583a832665ba5c588812794c244530825cfc74b69c29f65

APIs

capGetDriverDescriptionA.AVICAP32(00000000,?,00000105,?,00000105,00000000,0048D07B), ref: 0048CFF9

Strings

- , xrefs: 0048D026

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00475E2C, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 51 Total matches: 7network

Similarity

Total matches: 7
API ID: send
String ID: AI
API String ID: 2809346765-2814088591
Opcode ID: 868ad7ac68dacb7c8c4160927bbae46afa974d2bcec77bad21f6f3dd38f5bacb
Instruction ID: 18704ec08ed0309c1d2906dc748e140c54c21f2532b483477e06f3f57a53c56f
Opcode Fuzzy Hash: 47D0C246096AC96BA413E890396335B2097FB40259D802B700B102F0978E05601BAE83
Instruction Fuzzy Hash: 18704ec08ed0309c1d2906dc748e140c54c21f2532b483477e06f3f57a53c56f

APIs

send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

AI, xrefs: 00475E55

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004221F0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47 Total matches: 18registry

Similarity

Total matches: 18
API ID: RegQueryValueEx
String ID: ldA
API String ID: 3865029661-3200660723
Opcode ID: ec304090a766059ca8447c7e950ba422bbcd8eaba57a730efadba48c404323b5
Instruction ID: 1bfdbd06430122471a07604155f074e1564294130eb9d59a974828bfc3ff2ca5
Opcode Fuzzy Hash: 87D05E281E48858525DA74D93101B522241E7193938CC3F618A4C976EB6900F018EE0F
Instruction Fuzzy Hash: 1bfdbd06430122471a07604155f074e1564294130eb9d59a974828bfc3ff2ca5

APIs

RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000), ref: 0042221B

Strings

ldA, xrefs: 00422231

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00421F68, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36 Total matches: 12registry

Similarity

Total matches: 12
API ID: RegQueryValueEx
String ID: n"B
API String ID: 3865029661-2187876772
Opcode ID: 26fd4214dafc6fead50bf7e0389a84ae86561299910b3c40f1938d96c80dcc37
Instruction ID: ad829994a2409f232093606efc953ae9cd3a3a4e40ce86781ec441e637d7f613
Opcode Fuzzy Hash: A2C08C4DAA204AD6E1B42500D481F0827816B633B9D826F400162222E3BA009A9FE85C
Instruction Fuzzy Hash: ad829994a2409f232093606efc953ae9cd3a3a4e40ce86781ec441e637d7f613

APIs

RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,00000000,n"B,?,?,?,?,00000000,0042226E), ref: 00421F9A

Strings

n"B, xrefs: 00421F81, 00421F84

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Similar Non-Executed Functions

Function 0048B42C, Relevance: 70.2, APIs: 32, Strings: 8, Instructions: 219 Total matches: 29keyboard

Similarity

Total matches: 29
API ID: keybd_event
String ID: CTRLA$CTRLC$CTRLF$CTRLP$CTRLV$CTRLX$CTRLY$CTRLZ
API String ID: 2665452162-853614746
Opcode ID: 4def22f753c7f563c1d721fcc218f3f6eb664e5370ee48361dbc989d32d74133
Instruction ID: 963b610819eac8b52ef880b5a8b69d76f76adbdeafee6c47af906d1515d6b099
Opcode Fuzzy Hash: 532196951B0CA2B978DA64817C0E195F00B969B34DEDC13128990DAF788EF08DE03F35
Instruction Fuzzy Hash: 963b610819eac8b52ef880b5a8b69d76f76adbdeafee6c47af906d1515d6b099

APIs

keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B460
keybd_event.USER32(00000041,00000045,00000001,00000000), ref: 0048B46D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B47A
keybd_event.USER32(00000041,00000045,00000003,00000000), ref: 0048B487
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B4A8
keybd_event.USER32(00000056,00000045,00000001,00000000), ref: 0048B4B5
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B4C2
keybd_event.USER32(00000056,00000045,00000003,00000000), ref: 0048B4CF
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B4F0
keybd_event.USER32(00000043,00000045,00000001,00000000), ref: 0048B4FD
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B50A
keybd_event.USER32(00000043,00000045,00000003,00000000), ref: 0048B517
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B538
keybd_event.USER32(00000058,00000045,00000001,00000000), ref: 0048B545
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B552
keybd_event.USER32(00000058,00000045,00000003,00000000), ref: 0048B55F
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B580
keybd_event.USER32(00000050,00000045,00000001,00000000), ref: 0048B58D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B59A
keybd_event.USER32(00000050,00000045,00000003,00000000), ref: 0048B5A7
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B5C8
keybd_event.USER32(0000005A,00000045,00000001,00000000), ref: 0048B5D5
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B5E2
keybd_event.USER32(0000005A,00000045,00000003,00000000), ref: 0048B5EF
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B610
keybd_event.USER32(00000059,00000045,00000001,00000000), ref: 0048B61D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B62A
keybd_event.USER32(00000059,00000045,00000003,00000000), ref: 0048B637
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B655
keybd_event.USER32(00000046,00000045,00000001,00000000), ref: 0048B662
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B66F
keybd_event.USER32(00000046,00000045,00000003,00000000), ref: 0048B67C

Strings

CTRLP, xrefs: 0048B56C
CTRLC, xrefs: 0048B4DC
CTRLV, xrefs: 0048B494
CTRLY, xrefs: 0048B5FC
CTRLF, xrefs: 0048B641
CTRLZ, xrefs: 0048B5B4
CTRLX, xrefs: 0048B524
CTRLA, xrefs: 0048B44C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00460AC0, Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99 Total matches: 300libraryloader

Similarity

Total matches: 300
API ID: GetProcAddress$GetModuleHandle
String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$[FILE]
API String ID: 1039376941-2682310058
Opcode ID: f09c306a48b0de2dd47c8210d3bd2ba449cfa3644c05cf78ba5a2ace6c780295
Instruction ID: bcfc9cd07546656776842482fc67dab96c7523a4dc8624f3bf5282ed84c56a54
Opcode Fuzzy Hash: 950151BF00AC158CCBB0CE8834EFB5324AB398984C4225F4495C6312393D9FF50A1AAA
Instruction Fuzzy Hash: bcfc9cd07546656776842482fc67dab96c7523a4dc8624f3bf5282ed84c56a54

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?,?,?), ref: 00460AD4
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?,?,?), ref: 00460AEC
GetProcAddress.KERNEL32(00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?), ref: 00460AFE
GetProcAddress.KERNEL32(00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E), ref: 00460B10
GetProcAddress.KERNEL32(00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5), ref: 00460B22
GetProcAddress.KERNEL32(00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5), ref: 00460B34
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000), ref: 00460B46
GetProcAddress.KERNEL32(00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002), ref: 00460B58
GetProcAddress.KERNEL32(00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot), ref: 00460B6A
GetProcAddress.KERNEL32(00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst), ref: 00460B7C
GetProcAddress.KERNEL32(00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext), ref: 00460B8E
GetProcAddress.KERNEL32(00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First), ref: 00460BA0
GetProcAddress.KERNEL32(00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next), ref: 00460BB2
GetProcAddress.KERNEL32(00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory), ref: 00460BC4
GetProcAddress.KERNEL32(00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First), ref: 00460BD6
GetProcAddress.KERNEL32(00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next), ref: 00460BE8
GetProcAddress.KERNEL32(00000000,Module32NextW,00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW), ref: 00460BFA

Strings

Toolhelp32ReadProcessMemory, xrefs: 00460B3E
CreateToolhelp32Snapshot, xrefs: 00460AE4
Heap32First, xrefs: 00460B1A
Thread32First, xrefs: 00460B98
Module32First, xrefs: 00460BBC
Process32FirstW, xrefs: 00460B74
Heap32Next, xrefs: 00460B2C
Process32First, xrefs: 00460B50
Module32Next, xrefs: 00460BCE
Module32NextW, xrefs: 00460BF2
Heap32ListFirst, xrefs: 00460AF6
Thread32Next, xrefs: 00460BAA
Module32FirstW, xrefs: 00460BE0
Heap32ListNext, xrefs: 00460B08
Process32NextW, xrefs: 00460B86
kernel32.dll, xrefs: 00460ACF
Process32Next, xrefs: 00460B62

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048E06C, Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 175 Total matches: 10windowmemorythread

Similarity

Total matches: 10
API ID: SendMessage$FindWindowEx$CloseHandleFindWindowGetWindowThreadProcessIdOpenProcessReadProcessMemoryVirtualAllocVirtualAllocExVirtualFreeVirtualFreeExWriteProcessMemory
String ID: #32770$SysListView32$d"H
API String ID: 3780048337-1380996120
Opcode ID: b683118a55e5ed65f15da96e40864f63eed112dcb30155d6a8038ec0cc94ce3d
Instruction ID: 921cf0fa770e2b86772df7590f9e2c4dc5a1ffd61c2349c0eb9e10af82608242
Opcode Fuzzy Hash: AB11504A0B9C9567E83768442C43BDB1581FB13E89EB1BB93E2743758ADE811069FA43
Instruction Fuzzy Hash: 921cf0fa770e2b86772df7590f9e2c4dc5a1ffd61c2349c0eb9e10af82608242

APIs

Part of subcall function 0048DFF0: GetForegroundWindow.USER32 ref: 0048E00F
Part of subcall function 0048DFF0: GetWindowTextLengthA.USER32(00000000), ref: 0048E01B
Part of subcall function 0048DFF0: GetWindowTextA.USER32(00000000,00000000,00000001), ref: 0048E038

FindWindowA.USER32(#32770,00000000), ref: 0048E0C3
FindWindowExA.USER32(?,00000000,#32770,00000000), ref: 0048E0D8
FindWindowExA.USER32(?,00000000,SysListView32,00000000), ref: 0048E0ED
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0048E102
VirtualAlloc.KERNEL32(00000000,0000012C,00003000,00000004,?,00000000,SysListView32,00000000,00000000,0048E273,?,?,?,?), ref: 0048E12A
GetWindowThreadProcessId.USER32(?,?), ref: 0048E139
OpenProcess.KERNEL32(00000038,00000000,?,00000000,0000012C,00003000,00000004,?,00000000,SysListView32,00000000,00000000,0048E273), ref: 0048E146
VirtualAllocEx.KERNEL32(00000000,00000000,0000012C,00003000,00000004,00000038,00000000,?,00000000,0000012C,00003000,00000004,?,00000000,SysListView32,00000000), ref: 0048E158
WriteProcessMemory.KERNEL32(00000000,00000000,00000000,00000400,?,00000000,00000000,0000012C,00003000,00000004,00000038,00000000,?,00000000,0000012C,00003000), ref: 0048E18A
SendMessageA.USER32(d"H,0000102D,00000000,00000000), ref: 0048E19D
ReadProcessMemory.KERNEL32(00000000,00000000,00000000,00000400,?,d"H,0000102D,00000000,00000000,00000000,00000000,00000000,00000400,?,00000000,00000000), ref: 0048E1AE
SendMessageA.USER32(d"H,00001008,00000000,00000000), ref: 0048E219
VirtualFree.KERNEL32(00000000,00000000,00008000,d"H,00001008,00000000,00000000,00000000,00000000,00000000,00000400,?,d"H,0000102D,00000000,00000000), ref: 0048E226
VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000,00000000,00000000,00008000,d"H,00001008,00000000,00000000,00000000,00000000,00000000,00000400,?), ref: 0048E234
CloseHandle.KERNEL32(00000000), ref: 0048E23A

Strings

SysListView32, xrefs: 0048E0E2
d"H, xrefs: 0048E199, 0048E215, 0048E19C, 0048E218
#32770, xrefs: 0048E0BE, 0048E0CD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004389B4, Relevance: 10.9, APIs: 7, Instructions: 405 Total matches: 2150windowCrypto

Similarity

Total matches: 2150
API ID: RestoreDCSaveDC$DefWindowProcGetSubMenuGetWindowDC
String ID:
API String ID: 4165311318-0
Opcode ID: e3974ea3235f2bde98e421c273a503296059dbd60f3116d5136c6e7e7c4a4110
Instruction ID: 37498faecac08611daeb58a409bdd2e28f3aff22c71556953c3d6c7203dc42a1
Opcode Fuzzy Hash: E351598106AE105BFCB3A49435C3FA31002E75259BCC9F7725F65B69F70A426107FA0E
Instruction Fuzzy Hash: 37498faecac08611daeb58a409bdd2e28f3aff22c71556953c3d6c7203dc42a1

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 00438ECA

Part of subcall function 00437AE0: SendMessageA.USER32(?,00000234,00000000,00000000), ref: 00437B66
Part of subcall function 00437AE0: DrawMenuBar.USER32(00000000), ref: 00437B77

GetSubMenu.USER32(?,?), ref: 00438AB0

Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128

SaveDC.GDI32(?), ref: 00438C84
RestoreDC.GDI32(?,?), ref: 00438CF8
GetWindowDC.USER32(?), ref: 00438D72
SaveDC.GDI32(?), ref: 00438DA9
RestoreDC.GDI32(?,?), ref: 00438E16

Part of subcall function 00438594: GetMenuItemCount.USER32(?), ref: 004385C0
Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 004385E0
Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 00438678

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043E644, Relevance: 10.9, APIs: 7, Instructions: 356 Total matches: 105windowCrypto

Similarity

Total matches: 105
API ID: RestoreDCSaveDC$GetParentGetWindowDCSetFocus
String ID:
API String ID: 1433148327-0
Opcode ID: c7c51054c34f8cc51c1d37cc0cdfc3fb3cac56433bd5d750a0ee7df42f9800ec
Instruction ID: 9e67841575b56d9a11e2d3f15b67e7abce699d8469a9871b1b2609441fc85f19
Opcode Fuzzy Hash: 60514740199E7193F47720842BC3BEAB09AF79671DC40F3616BC6318877F15A21AB70B
Instruction Fuzzy Hash: 9e67841575b56d9a11e2d3f15b67e7abce699d8469a9871b1b2609441fc85f19

APIs

Part of subcall function 00448224: SetActiveWindow.USER32(?), ref: 0044823F
Part of subcall function 00448224: SetFocus.USER32(00000000), ref: 00448289

SetFocus.USER32(00000000), ref: 0043E76F

Part of subcall function 0043F4F4: SendMessageA.USER32(00000000,00000229,00000000,00000000), ref: 0043F51B

Part of subcall function 0044D2F4: GetWindowThreadProcessId.USER32(?), ref: 0044D301
Part of subcall function 0044D2F4: GetCurrentProcessId.KERNEL32(?,00000000,?,004387ED,?,004378A9), ref: 0044D30A
Part of subcall function 0044D2F4: GlobalFindAtomA.KERNEL32(00000000), ref: 0044D31F
Part of subcall function 0044D2F4: GetPropA.USER32(?,00000000), ref: 0044D336

GetParent.USER32(?), ref: 0043E78A

Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128

SaveDC.GDI32(?), ref: 0043E92D
RestoreDC.GDI32(?,?), ref: 0043E99E
GetWindowDC.USER32(00000000), ref: 0043EA0A
SaveDC.GDI32(?), ref: 0043EA41
RestoreDC.GDI32(?,?), ref: 0043EAA5

Part of subcall function 00447EF0: InvalidateRect.USER32(00000000,00000000,000000FF), ref: 00447F83
Part of subcall function 00447EF0: InvalidateRect.USER32(00000000,00000000,000000FF), ref: 00447FB6

Part of subcall function 004556F4: SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000077), ref: 004557E5
Part of subcall function 004556F4: _TrackMouseEvent.COMCTL32(00000010), ref: 00455A9D
Part of subcall function 004556F4: DefWindowProcA.USER32(00000000,?,?,?), ref: 00455AEF
Part of subcall function 004556F4: GetCapture.USER32 ref: 00455B5A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004714B8, Relevance: 10.6, APIs: 7, Instructions: 89 Total matches: 71service

Similarity

Total matches: 71
API ID: CloseServiceHandle$ControlServiceOpenSCManagerOpenServiceQueryServiceStatusStartService
String ID:
API String ID: 3657116338-0
Opcode ID: 1e9d444eec48d0e419340f6fec950ff588b94c8e7592a950f99d2ba7664d31f8
Instruction ID: f731b938185626ba78ad74946a73eac4c40bc8709c87a2b6d5c22da45b1e1850
Opcode Fuzzy Hash: EDF0270D12C6E85FF119A88C1181B67D992DF56795E4A37E04715744CB1AE21008FA1E
Instruction Fuzzy Hash: f731b938185626ba78ad74946a73eac4c40bc8709c87a2b6d5c22da45b1e1850

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047159E), ref: 004714FD
OpenServiceA.ADVAPI32(00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047152D
StartServiceA.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471555
ControlService.ADVAPI32(00000000,00000001,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471563
QueryServiceStatus.ADVAPI32(00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047156D
CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471573
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471579

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004715B0, Relevance: 7.5, APIs: 5, Instructions: 49 Total matches: 102service

Similarity

Total matches: 102
API ID: CloseServiceHandle$DeleteServiceOpenSCManagerOpenService
String ID:
API String ID: 3460840894-0
Opcode ID: edfa3289dfdb26ec1f91a4a945de349b204e0a604ed3354c303b362bde8b8223
Instruction ID: 514bcffe4070602af344c66095507f6a8d55ec3e3e7bb18c804bf3b7deea95f5
Opcode Fuzzy Hash: 01D02E841BA8F82FD4879988111239360C1AA23A90D8A37F08E08361D3ABE4004CF86A
Instruction Fuzzy Hash: 514bcffe4070602af344c66095507f6a8d55ec3e3e7bb18c804bf3b7deea95f5

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047162F), ref: 004715DB
OpenServiceA.ADVAPI32(00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 004715F5
DeleteService.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471601
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 0047160E
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471614

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474D58, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 57 Total matches: 14memoryinjection

Similarity

Total matches: 14
API ID: VirtualAllocExWriteProcessMemory
String ID: DCPERSFWBP$[FILE]
API String ID: 1899012086-3297815924
Opcode ID: 423b64deca3bc68d45fc180ef4fe9512244710ab636da43375ed106f5e876429
Instruction ID: 67bfdac44fec7567ab954589a4a4ae8848f6352de5e33de26bc6a5b7174d46b5
Opcode Fuzzy Hash: 4BD02B4149BDE17FF94C78C4A85678341A7D3173DCE802F51462633086CD94147EFCA2
Instruction Fuzzy Hash: 67bfdac44fec7567ab954589a4a4ae8848f6352de5e33de26bc6a5b7174d46b5

APIs

VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?,00000000,00000000,00000000,?,004755A7), ref: 00474D98
WriteProcessMemory.KERNEL32(?,00000000,kernel32.dll,?,?,?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?), ref: 00474DBE

Strings

DCPERSFWBP, xrefs: 00474D63
kernel32.dll, xrefs: 00474DBB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00466038, Relevance: 6.1, APIs: 4, Instructions: 80 Total matches: 74memory

Similarity

Total matches: 74
API ID: FreeLibraryGetProcessHeapHeapFreeVirtualFree
String ID:
API String ID: 3842653680-0
Opcode ID: 18c634abe08efcbefc55c9db1d620b030a08f63fe7277eb6ecf1dfb863243027
Instruction ID: c74000fe1f08e302fb3e428a7eb38cba65dd626a731774cc3da5921c0d19fb8b
Opcode Fuzzy Hash: 05E06801058482C6E4EC38C40607F0867817F8B269D70AB2809F62E7F7C985A25D5E80
Instruction Fuzzy Hash: c74000fe1f08e302fb3e428a7eb38cba65dd626a731774cc3da5921c0d19fb8b

APIs

FreeLibrary.KERNEL32(00000000,?,?,00000000,?,00000000,00465C6C), ref: 004660A7
VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,?,00000000,00465C6C), ref: 004660D8
GetProcessHeap.KERNEL32(00000000,?,?,?,00000000,?,00000000,00465C6C), ref: 004660E0
HeapFree.KERNEL32(00000000,00000000,?), ref: 004660E6

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A218, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45 Total matches: 35

Similarity

Total matches: 35
API ID: ShellExecuteEx
String ID: <$runas
API String ID: 188261505-1187129395
Opcode ID: 78fd917f465efea932f782085a819b786d64ecbded851ad2becd4a9c2b295cba
Instruction ID: 699417cfffd9d2823bf050fc300394e0ca4864bf277244f982f3937778f2d3bc
Opcode Fuzzy Hash: 44D0C2651799A06BC4A3B2C03C41B2B25307B13B48C0EB722960034CD38F080009EF85
Instruction Fuzzy Hash: 699417cfffd9d2823bf050fc300394e0ca4864bf277244f982f3937778f2d3bc

APIs

ShellExecuteExA.SHELL32(0000003C,00000000,0048A2A4), ref: 0048A283

Strings

runas, xrefs: 0048A268
<, xrefs: 0048A24C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004754C4, Relevance: 87.7, APIs: 29, Strings: 21, Instructions: 233 Total matches: 21libraryloaderprocess

Similarity

Total matches: 21
API ID: GetModuleHandleGetProcAddress$CreateProcess
String ID: CloseHandle$CreateMutexA$CreateProcessA$D$DCPERSFWBP$ExitThread$GetExitCodeProcess$GetLastError$GetProcAddress$LoadLibraryA$MessageBoxA$OpenProcess$SetLastError$Sleep$TerminateProcess$WaitForSingleObject$kernel32$[FILE]$notepad$user32$[FILE]
API String ID: 3751337051-3523759359
Opcode ID: 948186da047cc935dcd349cc6fe59913c298c2f7fe37e158e253dfef2729ac1f
Instruction ID: 4cc698827aad1f96db961776656dbb42e561cfa105640199e72939f2d3a7da76
Opcode Fuzzy Hash: 0C31B4E666B8F349E6362E4830D46BC26C1A687F3DB52D7004A37B27C46E810407F776
Instruction Fuzzy Hash: 4cc698827aad1f96db961776656dbb42e561cfa105640199e72939f2d3a7da76

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 00475590

Part of subcall function 00474D58: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?,00000000,00000000,00000000,?,004755A7), ref: 00474D98
Part of subcall function 00474D58: WriteProcessMemory.KERNEL32(?,00000000,kernel32.dll,?,?,?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?), ref: 00474DBE

GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756B4
GetProcAddress.KERNEL32(00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756BA
GetModuleHandleA.KERNEL32(kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756CB
GetProcAddress.KERNEL32(00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756D1
GetModuleHandleA.KERNEL32(kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756E3
GetProcAddress.KERNEL32(00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 004756E9
GetModuleHandleA.KERNEL32(user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 004756FB
GetProcAddress.KERNEL32(00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 00475701
GetModuleHandleA.KERNEL32(kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 00475713
GetProcAddress.KERNEL32(00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000), ref: 00475719
GetModuleHandleA.KERNEL32(kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32), ref: 0047572B
GetProcAddress.KERNEL32(00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000), ref: 00475731
GetModuleHandleA.KERNEL32(kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32), ref: 00475743
GetProcAddress.KERNEL32(00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000), ref: 00475749
GetModuleHandleA.KERNEL32(kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32), ref: 0047575B
GetProcAddress.KERNEL32(00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000), ref: 00475761
GetModuleHandleA.KERNEL32(kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32), ref: 00475773
GetProcAddress.KERNEL32(00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000), ref: 00475779
GetModuleHandleA.KERNEL32(kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32), ref: 0047578B
GetProcAddress.KERNEL32(00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000), ref: 00475791
GetModuleHandleA.KERNEL32(kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32), ref: 004757A3
GetProcAddress.KERNEL32(00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000), ref: 004757A9
GetModuleHandleA.KERNEL32(kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32), ref: 004757BB
GetProcAddress.KERNEL32(00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000), ref: 004757C1
GetModuleHandleA.KERNEL32(kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32), ref: 004757D3
GetProcAddress.KERNEL32(00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000), ref: 004757D9
GetModuleHandleA.KERNEL32(kernel32,OpenProcess,00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32), ref: 004757EB
GetProcAddress.KERNEL32(00000000,kernel32,OpenProcess,00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000), ref: 004757F1

Part of subcall function 00474E20: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00474E5E
Part of subcall function 00474E20: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00474E6E
Part of subcall function 00474E20: ReadProcessMemory.KERNEL32(?,00000000,?,?,?,DCPERSFWBP,?,?), ref: 00474E81

Part of subcall function 0040F234: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0048F90F,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040F24B

Strings

ExitThread, xrefs: 00475622, 00475799
kernel32, xrefs: 004756AF, 004756C6, 004756DE, 0047570E, 00475726, 0047573E, 00475756, 0047576E, 00475786, 0047579E, 004757B6, 004757CE, 004757E6
GetProcAddress, xrefs: 004756C1
TerminateProcess, xrefs: 0047564C, 004757B1
notepad, xrefs: 00475543
CreateMutexA, xrefs: 00475604, 00475769
kernel32.dll, xrefs: 0047559B
user32.dll, xrefs: 004755AA
SetLastError, xrefs: 004755F5, 00475751
D, xrefs: 00475517
DCPERSFWBP, xrefs: 00475563
Sleep, xrefs: 004755B9, 004756D9
GetExitCodeProcess, xrefs: 0047565B, 00475781
user32, xrefs: 004756F6
WaitForSingleObject, xrefs: 0047567E, 004757C9
LoadLibraryA, xrefs: 004756AA
OpenProcess, xrefs: 00475631, 004757E1
MessageBoxA, xrefs: 004755C8, 004756F1
CreateProcessA, xrefs: 004755D7, 00475721
GetLastError, xrefs: 004755E6, 00475739
CloseHandle, xrefs: 00475613, 00475709

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474F80, Relevance: 68.4, APIs: 23, Strings: 16, Instructions: 193 Total matches: 16libraryloaderprocess

Similarity

Total matches: 16
API ID: GetModuleHandleGetProcAddress$CreateProcess
String ID: CloseHandle$D$DeleteFileA$ExitThread$GetExitCodeProcess$GetLastError$GetProcAddress$LoadLibraryA$MessageBoxA$OpenProcess$Sleep$TerminateProcess$kernel32$[FILE]$notepad$[FILE]
API String ID: 3751337051-1992750546
Opcode ID: f3e5bd14b9eca4547e1d82111e60eaf505a3b72a2acd12d9f4d60f775fac33f7
Instruction ID: 521cd1f5f1d68558a350981a4af58b67496248f6491df8a54ee4dd11dd84c66b
Opcode Fuzzy Hash: 6C21A7BE2678E349F6766E1834D567C2491BA46A38B4AEB010237376C44F91000BFF76
Instruction Fuzzy Hash: 521cd1f5f1d68558a350981a4af58b67496248f6491df8a54ee4dd11dd84c66b

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0047500B

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

Part of subcall function 00474D58: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?,00000000,00000000,00000000,?,004755A7), ref: 00474D98
Part of subcall function 00474D58: WriteProcessMemory.KERNEL32(?,00000000,kernel32.dll,?,?,?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?), ref: 00474DBE

GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000,00475246), ref: 0047511C
GetProcAddress.KERNEL32(00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000,00475246), ref: 00475122
GetModuleHandleA.KERNEL32(kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000), ref: 00475133
GetProcAddress.KERNEL32(00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 00475139
GetModuleHandleA.KERNEL32(kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000), ref: 0047514B
GetProcAddress.KERNEL32(00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000), ref: 00475151
GetModuleHandleA.KERNEL32(kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000), ref: 00475163
GetProcAddress.KERNEL32(00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000), ref: 00475169
GetModuleHandleA.KERNEL32(kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000), ref: 0047517B
GetProcAddress.KERNEL32(00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000), ref: 00475181
GetModuleHandleA.KERNEL32(kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32), ref: 00475193
GetProcAddress.KERNEL32(00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000), ref: 00475199
GetModuleHandleA.KERNEL32(kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32), ref: 004751AB
GetProcAddress.KERNEL32(00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000), ref: 004751B1
GetModuleHandleA.KERNEL32(kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32), ref: 004751C3
GetProcAddress.KERNEL32(00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000), ref: 004751C9
GetModuleHandleA.KERNEL32(kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32), ref: 004751DB
GetProcAddress.KERNEL32(00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000), ref: 004751E1
GetModuleHandleA.KERNEL32(kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32), ref: 004751F3
GetProcAddress.KERNEL32(00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000), ref: 004751F9
GetModuleHandleA.KERNEL32(kernel32,GetExitCodeProcess,00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32), ref: 0047520B
GetProcAddress.KERNEL32(00000000,kernel32,GetExitCodeProcess,00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000), ref: 00475211

Part of subcall function 00474E20: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00474E5E
Part of subcall function 00474E20: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00474E6E
Part of subcall function 00474E20: ReadProcessMemory.KERNEL32(?,00000000,?,?,?,DCPERSFWBP,?,?), ref: 00474E81

Part of subcall function 0040F234: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0048F90F,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040F24B

Strings

DeleteFileA, xrefs: 0047509B, 00475189
user32.dll, xrefs: 0047505F
LoadLibraryA, xrefs: 00475112
Sleep, xrefs: 0047506E, 00475141
notepad, xrefs: 00475025
OpenProcess, xrefs: 004750D7, 004751E9
kernel32.dll, xrefs: 00475050
GetProcAddress, xrefs: 00475129
ExitThread, xrefs: 0047508C, 00475171
TerminateProcess, xrefs: 004750B9, 004751B9
kernel32, xrefs: 00475117, 0047512E, 00475146, 0047515E, 00475176, 0047518E, 004751A6, 004751BE, 004751D6, 004751EE, 00475206
MessageBoxA, xrefs: 0047507D, 00475159
CloseHandle, xrefs: 004750C8, 004751D1
GetLastError, xrefs: 004750AA, 004751A1
GetExitCodeProcess, xrefs: 004750E6, 00475201
D, xrefs: 00474FC9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045D6E8, Relevance: 49.1, APIs: 15, Strings: 13, Instructions: 95 Total matches: 1532libraryloader

Similarity

Total matches: 1532
API ID: GetProcAddress$SetErrorMode$GetModuleHandleLoadLibrary
String ID: ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME$[FILE]
API String ID: 4285671783-683095915
Opcode ID: 6332f91712b4189a2fbf9eac54066364acf4b46419cf90587b9f7381acad85db
Instruction ID: 372e34bc737a7edc69a1909bd40661afaf820c1de602df88552da6e630419b72
Opcode Fuzzy Hash: 0A01257F24D863CBD2D0CE4934DB39D20B65787C0C8D6DF404605318697F9BF9295A68
Instruction Fuzzy Hash: 372e34bc737a7edc69a1909bd40661afaf820c1de602df88552da6e630419b72

APIs

SetErrorMode.KERNEL32(00008000), ref: 0045D701
GetModuleHandleA.KERNEL32(USER32,00000000,0045D84E,?,00008000), ref: 0045D725
GetProcAddress.KERNEL32(00000000,WINNLSEnableIME,USER32,00000000,0045D84E,?,00008000), ref: 0045D732
LoadLibraryA.KERNEL32(imm32.dll), ref: 0045D74E
GetProcAddress.KERNEL32(00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D770
GetProcAddress.KERNEL32(00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D785
GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D79A
GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7AF
GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7C4
GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E), ref: 0045D7D9
GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000), ref: 0045D7EE
GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext), ref: 0045D803
GetProcAddress.KERNEL32(00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext), ref: 0045D818
GetProcAddress.KERNEL32(00000000,ImmNotifyIME,00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus), ref: 0045D82D
SetErrorMode.KERNEL32(?,0045D855,00008000), ref: 0045D848

Strings

USER32, xrefs: 0045D720
ImmReleaseContext, xrefs: 0045D77A
ImmNotifyIME, xrefs: 0045D822
ImmIsIME, xrefs: 0045D80D
ImmGetConversionStatus, xrefs: 0045D78F
ImmSetCompositionFontA, xrefs: 0045D7E3
ImmGetCompositionStringA, xrefs: 0045D7F8
ImmSetCompositionWindow, xrefs: 0045D7CE
ImmGetContext, xrefs: 0045D765
imm32.dll, xrefs: 0045D749
ImmSetOpenStatus, xrefs: 0045D7B9
WINNLSEnableIME, xrefs: 0045D72C
ImmSetConversionStatus, xrefs: 0045D7A4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004104F0, Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141 Total matches: 3143

Similarity

Total matches: 3143
API ID: GetModuleHandle
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$[FILE]
API String ID: 2196120668-1102361026
Opcode ID: d04b3c176625d43589df9c4c1eaa1faa8af9b9c00307a8a09859a0e62e75f2dc
Instruction ID: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6
Opcode Fuzzy Hash: B8119E48E06A10BC356E3ED6B0292683F50A1A7CBF31D5388487AA46F067C083C0FF2D
Instruction Fuzzy Hash: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 004104F9

Part of subcall function 004104C4: GetProcAddress.KERNEL32(00000000), ref: 004104DD

Strings

VarMod, xrefs: 004105B7
VarBstrFromCy, xrefs: 004106A9
VarBstrFromBool, xrefs: 004106D5
VarAnd, xrefs: 004105CD
VarDateFromStr, xrefs: 00410667
oleaut32.dll, xrefs: 004104F4
VariantChangeTypeEx, xrefs: 00410507
VarCmp, xrefs: 0041060F
VarBstrFromDate, xrefs: 004106BF
VarBoolFromStr, xrefs: 00410693
VarR8FromStr, xrefs: 00410651
VarR4FromStr, xrefs: 0041063B
VarDiv, xrefs: 0041058B
VarSub, xrefs: 0041055F
VarNeg, xrefs: 0041051D
VarAdd, xrefs: 00410549
VarOr, xrefs: 004105E3
VarMul, xrefs: 00410575
VarI4FromStr, xrefs: 00410625
VarCyFromStr, xrefs: 0041067D
VarIdiv, xrefs: 004105A1
VarXor, xrefs: 004105F9
VarNot, xrefs: 00410533

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00489580, Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 221 Total matches: 17pipewindowsleep

Similarity

Total matches: 17
API ID: CloseHandleCreatePipePeekNamedPipe$CreateProcessDispatchMessageGetEnvironmentVariableGetExitCodeProcessOemToCharPeekMessageReadFileSleepTerminateProcessTranslateMessage
String ID: COMSPEC$D
API String ID: 4101216710-942777791
Opcode ID: 98b6063c36b7c4f9ee270a2712a57a54142ac9cf893dea9da1c9317ddc3726ed
Instruction ID: f750be379b028122e82cf807415e9f3aafae13f02fb218c552ebf65ada2f023f
Opcode Fuzzy Hash: 6221AE4207BD57A3E5972A046403B841372FF43A68F6CA7A2A6FD367E9CE400099FE14
Instruction Fuzzy Hash: f750be379b028122e82cf807415e9f3aafae13f02fb218c552ebf65ada2f023f

APIs

CreatePipe.KERNEL32(FFFFFFFF,?,00000000,00000000), ref: 004895ED
CreatePipe.KERNEL32(?,?,00000000,00000000,FFFFFFFF,?,00000000,00000000), ref: 004895FD
GetEnvironmentVariableA.KERNEL32(COMSPEC,?,00000104,?,?,00000000,00000000,FFFFFFFF,?,00000000,00000000), ref: 00489613
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?), ref: 00489668
Sleep.KERNEL32(000007D0,00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,COMSPEC,?,00000104,?,?), ref: 00489685
TranslateMessage.USER32(?), ref: 00489693
DispatchMessageA.USER32(?), ref: 0048969F
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004896B3
GetExitCodeProcess.KERNEL32(?,?), ref: 004896C8
PeekNamedPipe.KERNEL32(FFFFFFFF,00000000,00000000,00000000,?,00000000,?,?,?,00000000,00000000,00000000,00000001,?,?,?), ref: 004896F2
ReadFile.KERNEL32(FFFFFFFF,?,00002400,00000000,00000000), ref: 00489717
OemToCharA.USER32(?,?), ref: 0048972E
PeekNamedPipe.KERNEL32(FFFFFFFF,00000000,00000000,00000000,00000000,00000000,?,FFFFFFFF,?,00002400,00000000,00000000,FFFFFFFF,00000000,00000000,00000000), ref: 00489781

Part of subcall function 0041FA34: GetLastError.KERNEL32(00486514,00000004,0048650C,00000000,0041FADE,?,00499F5C), ref: 0041FA94

Part of subcall function 0041FC40: SetThreadPriority.KERNEL32(?,015CDB28,00499F5C,?,0047EC9E,?,?,?,00000000,00000000,?,0049062B), ref: 0041FC55

Part of subcall function 0041FEF0: ResumeThread.KERNEL32(?,00499F5C,?,0047ECAA,?,?,?,00000000,00000000,?,0049062B), ref: 0041FEF8

Part of subcall function 0041FF20: GetCurrentThreadId.KERNEL32 ref: 0041FF2E
Part of subcall function 0041FF20: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0041FF5A
Part of subcall function 0041FF20: MsgWaitForMultipleObjects.USER32(00000002,?,00000000,000003E8,00000040), ref: 0041FF6F
Part of subcall function 0041FF20: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041FF9C
Part of subcall function 0041FF20: GetExitCodeThread.KERNEL32(?,?,?,000000FF), ref: 0041FFA7

TerminateProcess.KERNEL32(?,00000000,00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,COMSPEC,?,00000104,?), ref: 0048980A
CloseHandle.KERNEL32(?), ref: 00489813
CloseHandle.KERNEL32(?), ref: 0048981C

Strings

D, xrefs: 00489627
COMSPEC, xrefs: 0048960E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00472E88, Relevance: 26.4, APIs: 6, Strings: 9, Instructions: 199 Total matches: 19network

Similarity

Total matches: 19
API ID: inet_ntoa$WSAIoctlclosesocketsocket
String ID: Broadcast adress : $ Broadcasts : NO$ Broadcasts : YES$ IP : $ IP Mask : $ Loopback interface$ Network interface$ Status : DOWN$ Status : UP
API String ID: 2271367613-1810517698
Opcode ID: 3d4dbe25dc82bdd7fd028c6f91bddee7ad6dc1d8a686e5486e056cbc58026438
Instruction ID: 018b2a24353d4e3a07e7e79b390110fecb7011e72bd4e8fb6250bb24c4a02172
Opcode Fuzzy Hash: E22138C22338E1B2D42A39C6B500F80B651671FB7EF481F9652B6FFDC26E488005A749
Instruction Fuzzy Hash: 018b2a24353d4e3a07e7e79b390110fecb7011e72bd4e8fb6250bb24c4a02172

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00473108), ref: 00472EC7
WSAIoctl.WS2_32(000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000), ref: 00472F08
inet_ntoa.WSOCK32(?,00000000,004730D5,?,00000002,00000001,00000000,00000000,00473108), ref: 00472F40
inet_ntoa.WSOCK32(?,00473130,?, IP : ,?,?,00000000,004730D5,?,00000002,00000001,00000000,00000000,00473108), ref: 00472F81
inet_ntoa.WSOCK32(?,00473130,?, IP Mask : ,?,?,00473130,?, IP : ,?,?,00000000,004730D5,?,00000002,00000001), ref: 00472FC2
closesocket.WSOCK32(000000FF,00000002,00000001,00000000,00000000,00473108), ref: 004730E3

Strings

Broadcast adress : , xrefs: 00472FCB
Status : UP, xrefs: 00473001
IP Mask : , xrefs: 00472F8A
Broadcasts : NO, xrefs: 00473057
Status : DOWN, xrefs: 0047301B
IP : , xrefs: 00472F49
Broadcasts : YES, xrefs: 0047303D
Network interface, xrefs: 00473091
Loopback interface, xrefs: 00473077

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045944C, Relevance: 25.8, APIs: 17, Instructions: 258 Total matches: 99

Similarity

Total matches: 99
API ID: OffsetRect$MapWindowPoints$DrawEdgeExcludeClipRectFillRectGetClientRectGetRgnBoxGetWindowDCGetWindowLongGetWindowRectInflateRectIntersectClipRectIntersectRectReleaseDC
String ID:
API String ID: 549690890-0
Opcode ID: 4a5933c45267f4417683cc1ac528043082b1f46eca0dcd21c58a50742ec4aa88
Instruction ID: 2ecbe6093ff51080a4fa1a6c7503b414327ded251fe39163baabcde2d7402924
Opcode Fuzzy Hash: DE316B4D01AF1663F073A6401983F7A1516FF43A89CD837F27EE63235E27662066AA03
Instruction Fuzzy Hash: 2ecbe6093ff51080a4fa1a6c7503b414327ded251fe39163baabcde2d7402924

APIs

GetWindowDC.USER32(00000000), ref: 00459480
GetClientRect.USER32(00000000,?), ref: 004594A3
GetWindowRect.USER32(00000000,?), ref: 004594B5
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 004594CB
OffsetRect.USER32(?,?,?), ref: 004594E0
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 004594F9
InflateRect.USER32(?,00000000,00000000), ref: 00459517
GetWindowLongA.USER32(00000000,000000F0), ref: 00459531
DrawEdge.USER32(?,?,?,00000008), ref: 00459630
IntersectClipRect.GDI32(?,?,?,?,?), ref: 00459649
OffsetRect.USER32(?,?,?), ref: 00459673
GetRgnBox.GDI32(?,?), ref: 00459682
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 00459698
IntersectRect.USER32(?,?,?), ref: 004596A9
OffsetRect.USER32(?,?,?), ref: 004596BE

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?,00000000), ref: 004596DA
ReleaseDC.USER32(00000000,?), ref: 004596F9

Part of subcall function 004328FC: GetWindowLongA.USER32(00000000,000000EC), ref: 00432917
Part of subcall function 004328FC: GetWindowRect.USER32(00000000,?), ref: 00432932
Part of subcall function 004328FC: OffsetRect.USER32(?,?,?), ref: 00432947
Part of subcall function 004328FC: GetWindowDC.USER32(00000000), ref: 00432955
Part of subcall function 004328FC: GetWindowLongA.USER32(00000000,000000F0), ref: 00432986
Part of subcall function 004328FC: GetSystemMetrics.USER32(00000002), ref: 0043299B
Part of subcall function 004328FC: GetSystemMetrics.USER32(00000003), ref: 004329A4
Part of subcall function 004328FC: InflateRect.USER32(?,000000FE,000000FE), ref: 004329B3
Part of subcall function 004328FC: GetSysColorBrush.USER32(0000000F), ref: 004329E0
Part of subcall function 004328FC: FillRect.USER32(?,?,00000000), ref: 004329EE
Part of subcall function 004328FC: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00432A13
Part of subcall function 004328FC: ReleaseDC.USER32(00000000,?), ref: 00432A51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00465A0C, Relevance: 21.2, APIs: 6, Strings: 8, Instructions: 232 Total matches: 70memory

Similarity

Total matches: 70
API ID: VirtualAlloc$GetProcessHeapHeapAlloc
String ID: BTMemoryLoadLibary: BuildImportTable failed$BTMemoryLoadLibary: Can't attach library$BTMemoryLoadLibary: Get DLLEntyPoint failed$BTMemoryLoadLibary: IMAGE_NT_SIGNATURE is not valid$BTMemoryLoadLibary: VirtualAlloc failed$BTMemoryLoadLibary: dll dos header is not valid$MZ$PE
API String ID: 2488116186-3631919656
Opcode ID: 3af931fd5e956d794d4d8b2d9451c0c23910b02d2e1f96ee73557f06256af9ed
Instruction ID: 5201b0f892773e34eb121d15694a5594f27085db04a31d88d5a3aa16cfd2fb7b
Opcode Fuzzy Hash: C92170831B68E1B7FD6411983983F62168EE747E64EC5A7700375391DB6B09408DEB4E
Instruction Fuzzy Hash: 5201b0f892773e34eb121d15694a5594f27085db04a31d88d5a3aa16cfd2fb7b

APIs

VirtualAlloc.KERNEL32(?,?,00002000,00000004), ref: 00465AC1
VirtualAlloc.KERNEL32(00000000,?,00002000,00000004,?,?,00002000,00000004), ref: 00465ADC
GetProcessHeap.KERNEL32(00000000,00000011,?,?,00002000,00000004), ref: 00465B07
HeapAlloc.KERNEL32(00000000,00000000,00000011,?,?,00002000,00000004), ref: 00465B0D
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,00000000,00000000,00000011,?,?,00002000,00000004), ref: 00465B41
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,00000000,?,00001000,00000004,00000000,00000000,00000011,?,?,00002000,00000004), ref: 00465B55

Part of subcall function 004653A8: VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00465410
Part of subcall function 004653A8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004), ref: 0046545B

Part of subcall function 00465598: LoadLibraryA.KERNEL32(00000000), ref: 00465607
Part of subcall function 00465598: GetProcAddress.KERNEL32(?,?), ref: 00465737
Part of subcall function 00465598: GetProcAddress.KERNEL32(?,?), ref: 0046576B
Part of subcall function 00465598: IsBadReadPtr.KERNEL32(?,00000014,00000000,004657D8), ref: 004657A9

Part of subcall function 004658F4: VirtualFree.KERNEL32(?,?,00004000), ref: 00465939
Part of subcall function 004658F4: VirtualProtect.KERNEL32(?,?,00000000,?), ref: 004659A5

Part of subcall function 00466038: FreeLibrary.KERNEL32(00000000,?,?,00000000,?,00000000,00465C6C), ref: 004660A7
Part of subcall function 00466038: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,?,00000000,00465C6C), ref: 004660D8
Part of subcall function 00466038: GetProcessHeap.KERNEL32(00000000,?,?,?,00000000,?,00000000,00465C6C), ref: 004660E0
Part of subcall function 00466038: HeapFree.KERNEL32(00000000,00000000,?), ref: 004660E6

Strings

BTMemoryLoadLibary: BuildImportTable failed, xrefs: 00465BD5
BTMemoryLoadLibary: Can't attach library, xrefs: 00465C5A
BTMemoryLoadLibary: IMAGE_NT_SIGNATURE is not valid, xrefs: 00465A95
BTMemoryLoadLibary: VirtualAlloc failed, xrefs: 00465AEC
PE, xrefs: 00465A84
BTMemoryLoadLibary: dll dos header is not valid, xrefs: 00465A4E
MZ, xrefs: 00465A41
BTMemoryLoadLibary: Get DLLEntyPoint failed, xrefs: 00465C28

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004296E0, Relevance: 21.2, APIs: 14, Instructions: 217 Total matches: 2962window

Similarity

Total matches: 2962
API ID: GetDeviceCapsSelectObjectSelectPaletteSetStretchBltMode$CreateCompatibleDCDeleteDCGetBrushOrgExRealizePaletteSetBrushOrgExStretchBlt
String ID:
API String ID: 3308931694-0
Opcode ID: c4f23efe5e20e7f72d9787206ae9d4d4484ef6a1768b369050ebc0ce3d21af64
Instruction ID: 6e80a75276815f297b150d1899ec2451361d21afa1efcd092d0d7bc48a04164e
Opcode Fuzzy Hash: 2C21980A409CEB6BF0BB78840183F4A2285BF9B34ACD1BB210E64673635F04E40BD65F
Instruction Fuzzy Hash: 6e80a75276815f297b150d1899ec2451361d21afa1efcd092d0d7bc48a04164e

APIs

Part of subcall function 00429D5C: GetDC.USER32(00000000), ref: 00429DB2
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429DC7
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00429DD1
Part of subcall function 00429D5C: CreateHalftonePalette.GDI32(00000000), ref: 00429DF5
Part of subcall function 00429D5C: ReleaseDC.USER32(00000000,00000000), ref: 00429E00

SelectPalette.GDI32(?,?,000000FF), ref: 00429723
RealizePalette.GDI32(?), ref: 00429732
GetDeviceCaps.GDI32(?,0000000C), ref: 00429744
GetDeviceCaps.GDI32(?,0000000E), ref: 00429753
GetBrushOrgEx.GDI32(?,?), ref: 00429786
SetStretchBltMode.GDI32(?,00000004), ref: 00429794
SetBrushOrgEx.GDI32(?,?,?,?), ref: 004297AC
SetStretchBltMode.GDI32(00000000,00000003), ref: 004297C9
SelectPalette.GDI32(?,?,000000FF), ref: 00429918

Part of subcall function 00429CFC: DeleteObject.GDI32(?), ref: 00429D1F

CreateCompatibleDC.GDI32(00000000), ref: 0042982A
SelectObject.GDI32(?,?), ref: 0042983F

Part of subcall function 00425CC8: CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 00425D0B
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425D20
Part of subcall function 00425CC8: MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,CCAA0029), ref: 00425D64
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425D7E
Part of subcall function 00425CC8: DeleteObject.GDI32(?), ref: 00425D8A
Part of subcall function 00425CC8: CreateCompatibleDC.GDI32(00000000), ref: 00425D9E
Part of subcall function 00425CC8: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00425DBF
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425DD4
Part of subcall function 00425CC8: SelectPalette.GDI32(?,48080787,00000000), ref: 00425DE8
Part of subcall function 00425CC8: SelectPalette.GDI32(?,?,00000000), ref: 00425DFA
Part of subcall function 00425CC8: SelectPalette.GDI32(?,00000000,000000FF), ref: 00425E0F
Part of subcall function 00425CC8: SelectPalette.GDI32(?,48080787,000000FF), ref: 00425E25
Part of subcall function 00425CC8: RealizePalette.GDI32(?), ref: 00425E31
Part of subcall function 00425CC8: StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 00425E53
Part of subcall function 00425CC8: StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 00425E75
Part of subcall function 00425CC8: SetTextColor.GDI32(?,00000000), ref: 00425E7D
Part of subcall function 00425CC8: SetBkColor.GDI32(?,00FFFFFF), ref: 00425E8B
Part of subcall function 00425CC8: StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 00425EB7
Part of subcall function 00425CC8: StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 00425EDC
Part of subcall function 00425CC8: SetTextColor.GDI32(?,?), ref: 00425EE6
Part of subcall function 00425CC8: SetBkColor.GDI32(?,?), ref: 00425EF0
Part of subcall function 00425CC8: SelectObject.GDI32(?,00000000), ref: 00425F03
Part of subcall function 00425CC8: DeleteObject.GDI32(?), ref: 00425F0C
Part of subcall function 00425CC8: SelectPalette.GDI32(?,00000000,00000000), ref: 00425F2E
Part of subcall function 00425CC8: DeleteDC.GDI32(?), ref: 00425F37

SelectObject.GDI32(?,00000000), ref: 0042989E
DeleteDC.GDI32(00000000), ref: 004298AD
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,?), ref: 004298F3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474208, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 49 Total matches: 17libraryloader

Similarity

Total matches: 17
API ID: GetProcAddress$LoadLibrary
String ID: WlanCloseHandle$WlanEnumInterfaces$WlanGetAvailableNetworkList$WlanOpenHandle$WlanQueryInterface$[FILE]
API String ID: 2209490600-3498334979
Opcode ID: 5146edb54a207047eae4574c9a27975307ac735bfb4468aea4e07443cdf6e803
Instruction ID: f89292433987c39bc7d9e273a1951c9a278ebb56a2de24d0a3e4590a01f53334
Opcode Fuzzy Hash: 50E0B6FD90BAA808D37089CC31962431D6E7BE332DA621E00086A230902B4FF2766935
Instruction Fuzzy Hash: f89292433987c39bc7d9e273a1951c9a278ebb56a2de24d0a3e4590a01f53334

APIs

LoadLibraryA.KERNEL32(wlanapi.dll), ref: 00474216
GetProcAddress.KERNEL32(00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 0047422E
GetProcAddress.KERNEL32(00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 00474249
GetProcAddress.KERNEL32(00000000,WlanEnumInterfaces,00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 00474264
GetProcAddress.KERNEL32(00000000,WlanQueryInterface,00000000,WlanEnumInterfaces,00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 0047427F
GetProcAddress.KERNEL32(00000000,WlanGetAvailableNetworkList,00000000,WlanQueryInterface,00000000,WlanEnumInterfaces,00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 0047429A

Strings

WlanOpenHandle, xrefs: 00474226
wlanapi.dll, xrefs: 00474211
WlanGetAvailableNetworkList, xrefs: 00474292
WlanQueryInterface, xrefs: 00474277
WlanEnumInterfaces, xrefs: 0047425C
WlanCloseHandle, xrefs: 00474241

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048D3C4, Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 132 Total matches: 32

Similarity

Total matches: 32
API ID: GetVersionEx
String ID: Unknow$Windows 2000$Windows 7$Windows 95$Windows 98$Windows Me$Windows NT 4.0$Windows Server 2003$Windows Vista$Windows XP
API String ID: 3908303307-3783844371
Opcode ID: 7b5a5832e5fd12129a8a2e2906a492b9449b8df28a17af9cc2e55bced20de565
Instruction ID: b844ed6b70e0e94de659292c354b68b9ed016400ab421bcb6baea74a0809c2ae
Opcode Fuzzy Hash: 0C11ACC1EB6CE422E7B219486410BD59E805F8B83AFCCC343D63EA83E46D491419F22D
Instruction Fuzzy Hash: b844ed6b70e0e94de659292c354b68b9ed016400ab421bcb6baea74a0809c2ae

APIs

GetVersionExA.KERNEL32(00000094), ref: 0048D410

Strings

Windows Me, xrefs: 0048D4F2
Windows NT 4.0, xrefs: 0048D441
Windows 2000, xrefs: 0048D467
Windows 95, xrefs: 0048D4D6
Windows 7, xrefs: 0048D4B1
Unknow, xrefs: 0048D3F5
Windows Vista, xrefs: 0048D4A3
Windows Server 2003, xrefs: 0048D486
Windows XP, xrefs: 0048D478
Windows 98, xrefs: 0048D4E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C494, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 102 Total matches: 27filememorythread

Similarity

Total matches: 27
API ID: CloseHandle$CreateFileCreateThreadFindResourceLoadResourceLocalAllocLockResourceSizeofResourceWriteFile
String ID: [FILE]
API String ID: 67866216-124780900
Opcode ID: 96c988e38e59b89ff17cc2eaece477f828ad8744e4a6eccd5192cfbc043553d8
Instruction ID: 630cc112895e8414539e3ba5b7ba0394fd4404f3832c6fa9d37db38bf09270f9
Opcode Fuzzy Hash: D5F02B8A57A5E6A3F0003C841D423D286D55B13B20E582B62C57CB75C1FE24502AFB03
Instruction Fuzzy Hash: 630cc112895e8414539e3ba5b7ba0394fd4404f3832c6fa9d37db38bf09270f9

APIs

FindResourceA.KERNEL32(00000000,?,?), ref: 0048C4C3

Part of subcall function 00489BB0: GetTempPathA.KERNEL32(?,00000000), ref: 00489BEC

CreateFileA.KERNEL32(00000000,.dll,?,?,40000000,00000002,00000000), ref: 0048C50F
SizeofResource.KERNEL32(00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC,?,?,?,?,00000000,00000000,00000000), ref: 0048C51F
LoadResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C528
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C52E
WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0048C535
CloseHandle.KERNEL32(00000000), ref: 0048C53B
LocalAlloc.KERNEL32(00000040,00000004,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C544
CreateThread.KERNEL32(00000000,00000000,0048C3E4,00000000,00000000,?), ref: 0048C586
CloseHandle.KERNEL32(00000000), ref: 0048C58C

Strings

.dll, xrefs: 0048C4F4, 0048C565

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004085D4, Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 61 Total matches: 268windowregistry

Similarity

Total matches: 268
API ID: RegisterWindowMessage$SendMessage$FindWindow
String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
API String ID: 773075572-3736581797
Opcode ID: b8d29d158da692a3f30c7c46c0fd30bc084ed528be5294db655e4684b6c0c80f
Instruction ID: 4e75a9db2a85290b2bd165713cc3b8ab264a87c6022b985514cebb886d0c2653
Opcode Fuzzy Hash: E3E086048EC5E4C040877D156905746525A5B47E33E88971245FC69EEBDF12706CF60B
Instruction Fuzzy Hash: 4e75a9db2a85290b2bd165713cc3b8ab264a87c6022b985514cebb886d0c2653

APIs

FindWindowA.USER32(MouseZ,Magellan MSWHEEL), ref: 004085EC
RegisterWindowMessageA.USER32(MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 004085F8
RegisterWindowMessageA.USER32(MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 00408607
RegisterWindowMessageA.USER32(MSH_SCROLL_LINES_MSG,MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 00408613
SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 0040862B
SendMessageA.USER32(00000000,?,00000000,00000000), ref: 0040864F

Strings

MSH_SCROLL_LINES_MSG, xrefs: 0040860E
MSH_WHEELSUPPORT_MSG, xrefs: 00408602
MouseZ, xrefs: 004085E7
Magellan MSWHEEL, xrefs: 004085E2
MSWHEEL_ROLLMSG, xrefs: 004085F3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00442280, Relevance: 18.5, APIs: 12, Instructions: 471 Total matches: 76window

Similarity

Total matches: 76
API ID: ShowWindow$SendMessageSetWindowPos$CallWindowProcGetActiveWindowSetActiveWindow
String ID:
API String ID: 1078102291-0
Opcode ID: 5a6bc4dc446307c7628f18d730adac2faaaadfe5fec0ff2c8aaad915570e293a
Instruction ID: d2d7a330045c082ee8847ac264425c59ea8f05af409e416109ccbd6a8a647aa5
Opcode Fuzzy Hash: AA512601698E2453F8A360442A87BAB6077F74EB54CC4AB744BCF530AB3A51D837E74B
Instruction Fuzzy Hash: d2d7a330045c082ee8847ac264425c59ea8f05af409e416109ccbd6a8a647aa5

APIs

Part of subcall function 004471C4: IsChild.USER32(00000000,00000000), ref: 00447222

SendMessageA.USER32(?,00000223,00000000,00000000), ref: 004426BE
ShowWindow.USER32(00000000,00000003), ref: 004426CE
ShowWindow.USER32(00000000,00000002), ref: 004426F0
CallWindowProcA.USER32(00407FF8,00000000,00000005,00000000,?), ref: 00442719
SendMessageA.USER32(?,00000234,00000000,00000000), ref: 0044273E
ShowWindow.USER32(00000000,?), ref: 00442763
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000097), ref: 004427FF
GetActiveWindow.USER32 ref: 00442815
ShowWindow.USER32(00000000,00000000), ref: 00442872

Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773

Part of subcall function 0043BA80: GetCurrentThreadId.KERNEL32(Function_0003BA1C,00000000,0044283C,00000000,004428BF), ref: 0043BA9A
Part of subcall function 0043BA80: EnumThreadWindows.USER32(00000000,Function_0003BA1C,00000000), ref: 0043BAA0

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000097), ref: 0044285A
SetActiveWindow.USER32(00000000), ref: 00442860
ShowWindow.USER32(00000000,00000001), ref: 004428A2

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004328FC, Relevance: 18.1, APIs: 12, Instructions: 142 Total matches: 2670

Similarity

Total matches: 2670
API ID: GetSystemMetricsGetWindowLong$ExcludeClipRectFillRectGetSysColorBrushGetWindowDCGetWindowRectInflateRectOffsetRectReleaseDC
String ID:
API String ID: 3932036319-0
Opcode ID: 76064c448b287af48dc2af56ceef959adfeb7e49e56a31cb381aae6292753b0b
Instruction ID: f04c829c48dd0ecc4740a09c532db4e7ffce190e9eba6ce852bb2d0274806371
Opcode Fuzzy Hash: 03019760024F1233E0B31AC05DC7F127621ED45386CA4BBF28BF6A72C962AA7006F467
Instruction Fuzzy Hash: f04c829c48dd0ecc4740a09c532db4e7ffce190e9eba6ce852bb2d0274806371

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 00432917
GetWindowRect.USER32(00000000,?), ref: 00432932
OffsetRect.USER32(?,?,?), ref: 00432947
GetWindowDC.USER32(00000000), ref: 00432955
GetWindowLongA.USER32(00000000,000000F0), ref: 00432986
GetSystemMetrics.USER32(00000002), ref: 0043299B
GetSystemMetrics.USER32(00000003), ref: 004329A4
InflateRect.USER32(?,000000FE,000000FE), ref: 004329B3
GetSysColorBrush.USER32(0000000F), ref: 004329E0
FillRect.USER32(?,?,00000000), ref: 004329EE
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00432A13
ReleaseDC.USER32(00000000,?), ref: 00432A51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F17C, Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 116 Total matches: 33window

Similarity

Total matches: 33
API ID: GetWindowPlacementGetWindowTextIsWindowVisible
String ID: ,$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive$True
API String ID: 41250382-511446200
Opcode ID: 2a93bd2407602c988be198f02ecb64933adb9ffad78aee0f75abc9a1a22a1849
Instruction ID: 8f95e1a452f283c9d6a5f9db166b7f7b6e325fa1ebf04232aa01919826a7e185
Opcode Fuzzy Hash: F5012D8237CECA73DA0AAEC47C00B80D5A5AF63224CC867A14A9D3D1D41ED06009AB4A
Instruction Fuzzy Hash: 8f95e1a452f283c9d6a5f9db166b7f7b6e325fa1ebf04232aa01919826a7e185

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F1D2
GetWindowPlacement.USER32(?,0000002C), ref: 0046F1ED
IsWindowVisible.USER32(?), ref: 0046F258

Part of subcall function 0046F148: GetWindow.USER32(?,00000005), ref: 0046F156
Part of subcall function 0046F148: GetWindow.USER32(00000000,00000002), ref: 0046F164

Strings

,, xrefs: 0046F1E1
Minimized, xrefs: 0046F225
Show/Unactive, xrefs: 0046F239
True, xrefs: 0046F2AA
Maximized, xrefs: 0046F1FD
Normal, xrefs: 0046F211
Normal/Unactive, xrefs: 0046F24D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044D1B0, Relevance: 16.6, APIs: 11, Instructions: 91 Total matches: 309

Similarity

Total matches: 309
API ID: GetWindowLongSetWindowLong$SetProp$IsWindowUnicode
String ID:
API String ID: 2416549522-0
Opcode ID: cc33e88019e13a6bdd1cd1f337bb9aa08043e237bf24f75c2294c70aefb51ea5
Instruction ID: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692
Opcode Fuzzy Hash: 47F09048455D92E9CE316990181BFEB6098AF57F91CE86B0469C2713778E50F079BCC2
Instruction Fuzzy Hash: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692

APIs

IsWindowUnicode.USER32(?), ref: 0044D1CA
SetWindowLongW.USER32(?,000000FC,?), ref: 0044D1E5
GetWindowLongW.USER32(?,000000F0), ref: 0044D1F0
GetWindowLongW.USER32(?,000000F4), ref: 0044D202
SetWindowLongW.USER32(?,000000F4,?), ref: 0044D215
SetWindowLongA.USER32(?,000000FC,?), ref: 0044D22E
GetWindowLongA.USER32(?,000000F0), ref: 0044D239
GetWindowLongA.USER32(?,000000F4), ref: 0044D24B
SetWindowLongA.USER32(?,000000F4,?), ref: 0044D25E
SetPropA.USER32(?,00000000,00000000), ref: 0044D275
SetPropA.USER32(?,00000000,00000000), ref: 0044D28C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00485954, Relevance: 16.0, APIs: 4, Strings: 5, Instructions: 236 Total matches: 15filewindow

Similarity

Total matches: 15
API ID: DeleteFile$BeepMessageBox
String ID: Error$SYSINFO$out.txt$systeminfo$tmp.txt
API String ID: 2513333429-345806071
Opcode ID: 175ef29eb0126f4faf8d8d995bdbdcdb5595b05f6195c7c08c0282fe984d4c47
Instruction ID: 39f7f17e1c987efdb7b4b5db2f739eec2f93dce701a473bbe0ca777f64945c64
Opcode Fuzzy Hash: 473108146FCD9607E0675C047D43BB622369F83488E8AB3736AB7321E95E12C007FE96
Instruction Fuzzy Hash: 39f7f17e1c987efdb7b4b5db2f739eec2f93dce701a473bbe0ca777f64945c64

APIs

Beep.KERNEL32(00000000,00000000,?,00000000,00485C82), ref: 00485C68

Part of subcall function 00489BB0: GetTempPathA.KERNEL32(?,00000000), ref: 00489BEC

Part of subcall function 0048AB58: DeleteFileA.KERNEL32(00000000,00000000,0048ABE5,?,00000000,0048AC07), ref: 0048ABA5

Part of subcall function 0048A8AC: CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000004,00000100,00000000), ref: 0048A953
Part of subcall function 0048A8AC: CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000002,00000100,00000000), ref: 0048A98D
Part of subcall function 0048A8AC: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000110,00000000,00000000,00000044,?), ref: 0048AA10
Part of subcall function 0048A8AC: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0048AA2D
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA68
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA77
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA86
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA95

DeleteFileA.KERNEL32(00000000,Error,00000000,00485C82), ref: 00485A63
DeleteFileA.KERNEL32(00000000,00000000,Error,00000000,00485C82), ref: 00485A92

Part of subcall function 00485888: LocalAlloc.KERNEL32(00000040,00000014,00000000,00485939), ref: 004858C3
Part of subcall function 00485888: CreateThread.KERNEL32(00000000,00000000,Function_0008317C,00000000,00000000,00499F94), ref: 00485913
Part of subcall function 00485888: CloseHandle.KERNEL32(00000000), ref: 00485919

MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00485BE3

Strings

systeminfo, xrefs: 00485A14
tmp.txt, xrefs: 004859CA, 00485A07, 00485A79
Error, xrefs: 004859DE
SYSINFO, xrefs: 00485AAE
out.txt, xrefs: 004859AB, 004859EE, 00485A2A, 00485A4A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00462C84, Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 197 Total matches: 15com

Similarity

Total matches: 15
API ID: CoCreateInstance
String ID: )I$,*I$\)I$l)I$|*I
API String ID: 206711758-730570145
Opcode ID: 8999b16d8999ffb1a836ee872fd39b0ec17270f551e5dbcbb19cdec74f308aa7
Instruction ID: 5b7ba80d8099b44c35cabc3879083aa44c7049928a8bf14f2fd8312944c66e37
Opcode Fuzzy Hash: D1212B50148E6143E69475A53D92FAF11533BAB341E68BA6821DF30396CF01619BBF86
Instruction Fuzzy Hash: 5b7ba80d8099b44c35cabc3879083aa44c7049928a8bf14f2fd8312944c66e37

APIs

CoCreateInstance.OLE32(00492A2C,00000000,00000003,0049296C,00000000), ref: 00462CC9
CoCreateInstance.OLE32(00492A8C,00000000,00000001,00462EC8,00000000), ref: 00462CF4
CoCreateInstance.OLE32(00492A9C,00000000,00000001,0049295C,00000000), ref: 00462D20
CoCreateInstance.OLE32(00492A1C,00000000,00000003,004929AC,00000000), ref: 00462E12

Strings

,*I, xrefs: 00462CC3
l)I, xrefs: 00462CB9
)I, xrefs: 00462E4B
\)I, xrefs: 00462D10
|*I, xrefs: 00462D3C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048485C, Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 185 Total matches: 16networkfile

Similarity

Total matches: 16
API ID: HttpQueryInfoInternetCloseHandleInternetOpenInternetOpenUrlInternetReadFileShellExecute
String ID: 200$Mozilla$open
API String ID: 3970492845-1265730427
Opcode ID: 3dc36a46b375420b33b8be952117d0a4158fa58e722c19be8f44cfd6d7effa21
Instruction ID: c028a43d89851b06b6d8b312316828d3eee8359a726d0fa9a5f52c6647499b4f
Opcode Fuzzy Hash: B0213B401399C252F8372E512C83B9D101FDF82639F8857F197B9396D5EF48400DFA9A
Instruction Fuzzy Hash: c028a43d89851b06b6d8b312316828d3eee8359a726d0fa9a5f52c6647499b4f

APIs

InternetOpenA.WININET(Mozilla,00000001,00000000,00000000,00000000), ref: 0048490C
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,04000000,00000000), ref: 00484944
HttpQueryInfoA.WININET(00000000,00000013,?,00000200,?), ref: 0048497D
InternetReadFile.WININET(00000000,?,00000400,?), ref: 00484A04
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 00484A75
InternetCloseHandle.WININET(00000000), ref: 00484A95

Strings

200, xrefs: 004849BD
Mozilla, xrefs: 00484907
open, xrefs: 00484A6E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00448A94, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 170 Total matches: 10window

Similarity

Total matches: 10
API ID: BitBltImageList_DrawExSetBkColorSetTextColor
String ID: 6B
API String ID: 2442363623-1343726390
Opcode ID: f3e76f340fad2a36508cc9c10341b5bdbc0f221426f742f3eb9c92a513530c20
Instruction ID: 7c37791f634a82759e4cc75f05e789a5555426b5a490053cb838fe875b53176d
Opcode Fuzzy Hash: 041108094568A31EE56978080947F3721865B07A61C4A77A03AF31B3DACD443147FB69
Instruction Fuzzy Hash: 7c37791f634a82759e4cc75f05e789a5555426b5a490053cb838fe875b53176d

APIs

ImageList_DrawEx.COMCTL32(00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,?), ref: 00448AF3

Part of subcall function 0042535C: FillRect.USER32(?,00000000,00000000), ref: 00425385

ImageList_DrawEx.COMCTL32(00000000,?,00000000,00000000,00000000,00000000,00000000,000000FF,00000000,00000000), ref: 00448B94
SetTextColor.GDI32(00000000,00FFFFFF), ref: 00448BE1
SetBkColor.GDI32(00000000,00000000), ref: 00448BE9
BitBlt.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00E20746), ref: 00448C0E
SetTextColor.GDI32(00000000,00FFFFFF), ref: 00448C2F
SetBkColor.GDI32(00000000,00000000), ref: 00448C37
BitBlt.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00E20746), ref: 00448C5A

Part of subcall function 00448A6C: ImageList_GetBkColor.COMCTL32(00000000,?,00448ACD,00000000,?), ref: 00448A82

Strings

6B, xrefs: 00448B05

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A8AC, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 146 Total matches: 45fileprocesssynchronization

Similarity

Total matches: 45
API ID: CloseHandle$CreateFile$CreateProcessWaitForSingleObject
String ID: D
API String ID: 1169714791-2746444292
Opcode ID: 9fb844b51f751657abfdf9935c21911306aa385a3997c9217fbe2ce6b668f812
Instruction ID: 79e473b7fda91be69f4d7f417df14a4c992ec25b9310636d694ca9e09f5cc5b6
Opcode Fuzzy Hash: 4D11E6431384F3F3F1A567002C8275185D6DB45A78E6D9752D6B6323EECB40A16CF94A
Instruction Fuzzy Hash: 79e473b7fda91be69f4d7f417df14a4c992ec25b9310636d694ca9e09f5cc5b6

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000004,00000100,00000000), ref: 0048A953
CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000002,00000100,00000000), ref: 0048A98D
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000110,00000000,00000000,00000044,?), ref: 0048AA10
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0048AA2D
CloseHandle.KERNEL32(00000000), ref: 0048AA68
CloseHandle.KERNEL32(00000000), ref: 0048AA77
CloseHandle.KERNEL32(00000000), ref: 0048AA86
CloseHandle.KERNEL32(00000000), ref: 0048AA95

Strings

D, xrefs: 0048A9BB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00483468, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 118 Total matches: 10networkthread

Similarity

Total matches: 10
API ID: InternetCloseHandle$ExitThreadInternetOpenInternetOpenUrl
String ID: Times.$[.exe]$H4H$myappname
API String ID: 1533170427-2018508691
Opcode ID: 9bfd80528866c3fa2248181b1ccb48c134560f4eab1f6b9a7ba83a7f0698ff3d
Instruction ID: 5d8c8af60e1396200864222ed7d4265ca944ca2bef987cfa67465281aeb1ae53
Opcode Fuzzy Hash: 5201284087779767E0713A843C83BA64057AF53F79E88AB6006383B6C28D5E501EFE1E
Instruction Fuzzy Hash: 5d8c8af60e1396200864222ed7d4265ca944ca2bef987cfa67465281aeb1ae53

APIs

InternetOpenA.WININET(myappname,00000000,00000000,00000000,00000000), ref: 0048350C
InternetOpenUrlA.WININET(?,00000000,00000000,00000000,00000000,00000000), ref: 00483537
InternetCloseHandle.WININET(00000000), ref: 0048353D
InternetCloseHandle.WININET(?), ref: 00483553

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000, Times.,?,?,00000000,00483684,?,BTRESULTVisit URL|finished to visit ,?,004835AC,?,myappname,00000000,00000000,00000000,00000000), ref: 0048359F

Strings

myappname, xrefs: 00483507
H4H, xrefs: 00483497, 0048361C
BTRESULTVisit URL|finished to visit , xrefs: 00483558
Times., xrefs: 0048357D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F3B8, Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 110 Total matches: 30

Similarity

Total matches: 30
API ID: GetWindowPlacementGetWindowText
String ID: ,$False$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive
API String ID: 3194812178-3661939895
Opcode ID: 6e67ebc189e59b109926b976878c05c5ff8e56a7c2fe83319816f47c7d386b2c
Instruction ID: 05c2a068ec8248d3d24fb73124f2ba0192b7bb261c799db9564259cde8fcc610
Opcode Fuzzy Hash: DC012BC22786CE23E606A9C47A00BD0CE65AFB261CCC867E14FEE3C5D57ED100089B96
Instruction Fuzzy Hash: 05c2a068ec8248d3d24fb73124f2ba0192b7bb261c799db9564259cde8fcc610

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F40E
GetWindowPlacement.USER32(?,0000002C), ref: 0046F429

Part of subcall function 0046F148: GetWindow.USER32(?,00000005), ref: 0046F156
Part of subcall function 0046F148: GetWindow.USER32(00000000,00000002), ref: 0046F164

Strings

Maximized, xrefs: 0046F439
,, xrefs: 0046F41D
False, xrefs: 0046F4D6
Show/Unactive, xrefs: 0046F475
Normal, xrefs: 0046F44D
Minimized, xrefs: 0046F461
Normal/Unactive, xrefs: 0046F489

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00456278, Relevance: 15.2, APIs: 10, Instructions: 197 Total matches: 3025

Similarity

Total matches: 3025
API ID: GetWindowLong$IntersectClipRectRestoreDCSaveDC
String ID:
API String ID: 3006731778-0
Opcode ID: 42e9e34b880910027b3e3a352b823e5a85719ef328f9c6ea61aaf2d3498d6580
Instruction ID: 4204c0258dd60c0c2688d7e8ce7edc9cd036ce1826430425374ca7ebdb7834a4
Opcode Fuzzy Hash: 4621F609168D5267EC7B75806993BAA7111FB82B88CD1F7321AA1171975B80204BFA07
Instruction Fuzzy Hash: 4204c0258dd60c0c2688d7e8ce7edc9cd036ce1826430425374ca7ebdb7834a4

APIs

SaveDC.GDI32(?), ref: 00456295

Part of subcall function 0044EEA0: GetWindowOrgEx.GDI32(?), ref: 0044EEAE
Part of subcall function 0044EEA0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044EEC4

IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 004562CE
GetWindowLongA.USER32(00000000,000000EC), ref: 004562E2
GetWindowLongA.USER32(00000000,000000F0), ref: 00456303

Part of subcall function 00456278: SetRect.USER32(00000010,00000000,00000000,?,?), ref: 00456363
Part of subcall function 00456278: IntersectClipRect.GDI32(?,00000000,00000000,00000010,?), ref: 004563D3
Part of subcall function 00456278: SetRect.USER32(?,00000000,00000000,?,?), ref: 004563F4
Part of subcall function 00456278: DrawEdge.USER32(?,?,00000000,00000000), ref: 00456403
Part of subcall function 00456278: IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0045642C

RestoreDC.GDI32(?,?), ref: 004564AB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043F2B8, Relevance: 15.1, APIs: 10, Instructions: 133 Total matches: 142window

Similarity

Total matches: 142
API ID: GetWindowLongSendMessageSetWindowLong$GetClassLongGetSystemMenuSetClassLongSetWindowPos
String ID:
API String ID: 864553395-0
Opcode ID: 9ab73d602731c043e05f06fe9a833ffc60d2bf7da5b0a21ed43778f35c9aa1f5
Instruction ID: 86e40c6f39a8dd384175e0123e2dc7e82ae64037638b8220b5ac0861a23d6a34
Opcode Fuzzy Hash: B101DBAA1A176361E0912DCCCAC3B2ED50DB743248EB0DBD922E11540E7F4590A7FE2D
Instruction Fuzzy Hash: 86e40c6f39a8dd384175e0123e2dc7e82ae64037638b8220b5ac0861a23d6a34

APIs

GetWindowLongA.USER32(00000000,000000F0), ref: 0043F329
GetWindowLongA.USER32(00000000,000000EC), ref: 0043F33B
GetClassLongA.USER32(00000000,000000E6), ref: 0043F34E
SetWindowLongA.USER32(00000000,000000F0,00000000), ref: 0043F38E
SetWindowLongA.USER32(00000000,000000EC,?), ref: 0043F3A2
SetClassLongA.USER32(00000000,000000E6,?), ref: 0043F3B6
SendMessageA.USER32(00000000,00000080,00000001,00000000), ref: 0043F3F0
SendMessageA.USER32(00000000,00000080,00000001,00000000), ref: 0043F408
GetSystemMenu.USER32(00000000,000000FF), ref: 0043F417
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043F440

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044155C, Relevance: 15.1, APIs: 10, Instructions: 74 Total matches: 3192window

Similarity

Total matches: 3192
API ID: DeleteMenu$EnableMenuItem$GetSystemMenu
String ID:
API String ID: 3542995237-0
Opcode ID: 6b257927fe0fdeada418aad578b82fbca612965c587f2749ccb5523ad42afade
Instruction ID: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578
Opcode Fuzzy Hash: 0AF0D09DD98F1151E6F500410C47B83C08AFF413C5C245B380583217EFA9D25A5BEB0E
Instruction Fuzzy Hash: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 004415A7
DeleteMenu.USER32(00000000,0000F130,00000000), ref: 004415C5
DeleteMenu.USER32(00000000,00000007,00000400), ref: 004415D2
DeleteMenu.USER32(00000000,00000005,00000400), ref: 004415DF
DeleteMenu.USER32(00000000,0000F030,00000000), ref: 004415EC
DeleteMenu.USER32(00000000,0000F020,00000000), ref: 004415F9
DeleteMenu.USER32(00000000,0000F000,00000000), ref: 00441606
DeleteMenu.USER32(00000000,0000F120,00000000), ref: 00441613
EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 00441631
EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 0044164D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004710F0, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 66 Total matches: 37

Similarity

Total matches: 37
API ID: GetWindowShowWindow$FindWindowGetClassName
String ID: BUTTON$Shell_TrayWnd
API String ID: 2948047570-3627955571
Opcode ID: 9e064d9ead1b610c0c1481de5900685eb7d76be14ef2e83358ce558d27e67668
Instruction ID: d360bd029940f6fa4d12d7627fe3e8b46839e67e31e965d43504e39a11938d6c
Opcode Fuzzy Hash: 68E092CC17B5D469B71A2789284236241D5C763A35C18B752D332376DF8E58021EE60A
Instruction Fuzzy Hash: d360bd029940f6fa4d12d7627fe3e8b46839e67e31e965d43504e39a11938d6c

APIs

FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 0047111D
GetWindow.USER32(00000000,00000005), ref: 00471125
GetClassNameA.USER32(00000000,?,00000080), ref: 0047113D
ShowWindow.USER32(00000000,00000001), ref: 0047117C
ShowWindow.USER32(00000000,00000000), ref: 00471186
GetWindow.USER32(00000000,00000002), ref: 0047118E

Strings

BUTTON, xrefs: 00471168
Shell_TrayWnd, xrefs: 00471118

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040DA34, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 56 Total matches: 16filewindow

Similarity

Total matches: 16
API ID: GetStdHandleWriteFile$CharToOemLoadStringMessageBox
String ID: LPI
API String ID: 3807148645-863635926
Opcode ID: 539cd2763de28bf02588dbfeae931fa34031625c31423c558e1c96719d1f86e4
Instruction ID: 5b0ab8211e0f5c40d4b1780363d5c9b524eff0228eb78845b7b0cb7c9884c59c
Opcode Fuzzy Hash: B1E09A464E3CA62353002E1070C6B892287EF4302E93833828A11787D74E3104E9A21C
Instruction Fuzzy Hash: 5b0ab8211e0f5c40d4b1780363d5c9b524eff0228eb78845b7b0cb7c9884c59c

APIs

Part of subcall function 0040D8AC: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040D8C9
Part of subcall function 0040D8AC: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040D8ED
Part of subcall function 0040D8AC: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040D908
Part of subcall function 0040D8AC: LoadStringA.USER32(00000000,0000FFED,?,00000100), ref: 0040D99E

CharToOemA.USER32(?,?), ref: 0040DA6B
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,0040E1ED,0040E312,0040FDD4,00000000,0040FF18), ref: 0040DA88
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?), ref: 0040DA8E
GetStdHandle.KERNEL32(000000F4,0040DAF8,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,0040E1ED,0040E312,0040FDD4,00000000,0040FF18), ref: 0040DAA3
WriteFile.KERNEL32(00000000,000000F4,0040DAF8,00000002,?), ref: 0040DAA9
LoadStringA.USER32(00000000,0000FFEE,?,00000040), ref: 0040DACB
MessageBoxA.USER32(00000000,?,?,00002010), ref: 0040DAE1

Strings

LPI, xrefs: 0040DA48

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00451458, Relevance: 13.6, APIs: 9, Instructions: 122 Total matches: 3040window

Similarity

Total matches: 3040
API ID: PatBlt$SelectObject$GetDCExGetDesktopWindowReleaseDC
String ID:
API String ID: 2402848322-0
Opcode ID: 0b1cd19b0e82695ca21d43bacf455c9985e1afa33c1b29ce2f3a7090b744ccb2
Instruction ID: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593
Opcode Fuzzy Hash: C2F0B4482AADF707C8B6350915C7F79224AED736458F4BB694DB4172CBAF27B014D093
Instruction Fuzzy Hash: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593

APIs

GetDesktopWindow.USER32 ref: 0045148F
GetDCEx.USER32(?,00000000,00000402), ref: 004514A2

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

SelectObject.GDI32(?,00000000), ref: 004514C5
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 004514EB
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0045150D
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 0045152C
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 00451546
SelectObject.GDI32(?,?), ref: 00451553
ReleaseDC.USER32(?,?), ref: 0045156D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00465598, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 194 Total matches: 72libraryloader

Similarity

Total matches: 72
API ID: GetProcAddress$IsBadReadPtrLoadLibrary
String ID: BuildImportTable: GetProcAddress failed$BuildImportTable: ReallocMemory failed$BuildImportTable: can't load library:
API String ID: 1616315271-1384308123
Opcode ID: eb45955122e677bac4d3e7b6686ec9cba9f45ae3ef48f3e0b242e9a0c3719a7c
Instruction ID: d25742ef4bc1d51b96969838743a3f95180d575e7d72d5f7fe617812cb4009d6
Opcode Fuzzy Hash: 0B214C420345E0D3ED39A2081CC7FB15345EF639B4D88AB671ABB667FA2985500AF50D
Instruction Fuzzy Hash: d25742ef4bc1d51b96969838743a3f95180d575e7d72d5f7fe617812cb4009d6

APIs

LoadLibraryA.KERNEL32(00000000), ref: 00465607
GetProcAddress.KERNEL32(?,?), ref: 00465737
GetProcAddress.KERNEL32(?,?), ref: 0046576B
IsBadReadPtr.KERNEL32(?,00000014,00000000,004657D8), ref: 004657A9

Strings

BuildImportTable: can't load library: , xrefs: 00465644
BuildImportTable: ReallocMemory failed, xrefs: 0046568D
BuildImportTable: GetProcAddress failed, xrefs: 0046577C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482E34, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 193 Total matches: 16sleepthread

Similarity

Total matches: 16
API ID: Sleep$CreateThreadExitThread
String ID: .255$127.0.0.1$LanList
API String ID: 1155887905-2919614961
Opcode ID: f9aceb7697053a60f8f2203743265727de6b3c16a25ac160ebf033b594fe70c2
Instruction ID: 67bc21a589158fc7afeef0b5d02271f7d18e2bfc14a4273c93325a5ef21c2c98
Opcode Fuzzy Hash: 62215C820F87955EED616C807C41FA701315FB7649D4FAB622A6B3A1A74E032016B743
Instruction Fuzzy Hash: 67bc21a589158fc7afeef0b5d02271f7d18e2bfc14a4273c93325a5ef21c2c98

APIs

ExitThread.KERNEL32(00000000,00000000,004830D3,?,?,?,?,00000000,00000000), ref: 004830A6

Part of subcall function 00473208: socket.WSOCK32(00000002,00000001,00000000,00000000,00473339), ref: 0047323B
Part of subcall function 00473208: WSAIoctl.WS2_32(000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000), ref: 0047327C
Part of subcall function 00473208: inet_ntoa.WSOCK32(?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000), ref: 004732AC
Part of subcall function 00473208: inet_ntoa.WSOCK32(?,?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001), ref: 004732E8
Part of subcall function 00473208: closesocket.WSOCK32(000000FF,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000,00000000,00473339), ref: 00473319

CreateThread.KERNEL32(00000000,00000000,Function_00082CDC,?,00000000,?), ref: 00483005
Sleep.KERNEL32(00000032,00000000,00000000,Function_00082CDC,?,00000000,?,?,00000000,00000000,00483104,?,00483104,?,00483104,?), ref: 0048300C
Sleep.KERNEL32(00000064,.255,?,00483104,?,00483104,?,?,00000000,004830D3,?,?,?,?,00000000,00000000), ref: 00483054

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

127.0.0.1, xrefs: 00482E9D
LanList, xrefs: 0048306B
.255, xrefs: 0048303C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004117E8, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: f440f800a6dcfa6827f62dcd7c23166eba4d720ac19948e634cff8498f9e3f0b
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 4D113503239AAB83B0257B804C83F24D1D0DE42D36ACD97B8C672693F32601561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00411881
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041189D
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 004118D6
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411953
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0041196C
VariantCopy.OLEAUT32(?), ref: 004119A1

Strings

, xrefs: 00411802

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00454934, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 134 Total matches: 1764registry

Similarity

Total matches: 1764
API ID: GetWindowLong$GetClassInfoRegisterClassSetWindowLongUnregisterClass
String ID: @
API String ID: 2433521760-2766056989
Opcode ID: bb057d11bcffa2997f58ae607b8aec9f6d517787b85221cca69b6bc40098651c
Instruction ID: 4013627ed433dbc6b152acdb164a0da3d29e3622e0b68fd627badcaca3a3b516
Opcode Fuzzy Hash: 5A119C80560CD237E7D669A4B48378513749F97B7CDD0536B63F6242DA4E00402DF96E
Instruction Fuzzy Hash: 4013627ed433dbc6b152acdb164a0da3d29e3622e0b68fd627badcaca3a3b516

APIs

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetClassInfoA.USER32(?,?,?), ref: 004549F8
UnregisterClassA.USER32(?,?), ref: 00454A20
RegisterClassA.USER32(?), ref: 00454A36
GetWindowLongA.USER32(00000000,000000F0), ref: 00454A72
GetWindowLongA.USER32(00000000,000000F4), ref: 00454A87
SetWindowLongA.USER32(00000000,000000F4,00000000), ref: 00454A9A

Part of subcall function 00458910: IsIconic.USER32(?), ref: 0045891F
Part of subcall function 00458910: GetWindowPlacement.USER32(?,0000002C), ref: 0045893C
Part of subcall function 00458910: GetWindowRect.USER32(?), ref: 00458955
Part of subcall function 00458910: GetWindowLongA.USER32(?,000000F0), ref: 00458963
Part of subcall function 00458910: GetWindowLongA.USER32(?,000000F8), ref: 00458978
Part of subcall function 00458910: ScreenToClient.USER32(00000000), ref: 00458985
Part of subcall function 00458910: ScreenToClient.USER32(00000000,?), ref: 00458990

Part of subcall function 0042473C: CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,00424930,?,00000000,00424958), ref: 0042486B
Part of subcall function 0042473C: CreateFontIndirectA.GDI32(?), ref: 0042490D

Part of subcall function 0040F26C: GetLastError.KERNEL32(0040F31C,?,0041BBC3,?), ref: 0040F26C

Strings

@, xrefs: 0045496D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AC14, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 110 Total matches: 30

Similarity

Total matches: 30
API ID: GetCurrentProcessGetTokenInformationLookupPrivilegeDisplayNameLookupPrivilegeNameOpenProcessToken
String ID: GetTokenInformation error$OpenProcessToken error
API String ID: 34442935-1842041635
Opcode ID: 07715b92dc7caf9e715539a578f275bcd2bb60a34190f84cc6cf05c55eb8ea49
Instruction ID: 380ab001647c8b3903b6034fc21424389ae21c1771cfbd9cf9b74ae493e33b6b
Opcode Fuzzy Hash: 9101994303ACF753F62929086842BDA0550DF534A5EC4AB6281746BEC90F28203AFB57
Instruction Fuzzy Hash: 380ab001647c8b3903b6034fc21424389ae21c1771cfbd9cf9b74ae493e33b6b

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AD60), ref: 0048AC51
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AD60), ref: 0048AC57
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000320,?,00000000,00000028,?,00000000,0048AD60), ref: 0048AC7D
LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,00000000,000000FF,?), ref: 0048ACEE

Part of subcall function 00489B40: MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00489B84

LookupPrivilegeNameA.ADVAPI32(00000000,?,00000000,000000FF), ref: 0048ACDD

Strings

GetTokenInformation error, xrefs: 0048AC86
OpenProcessToken error, xrefs: 0048AC60

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0041F7B4, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109 Total matches: 16thread

Similarity

Total matches: 16
API ID: EnterCriticalSectionGetCurrentThreadId$InterlockedExchangeLeaveCriticalSection
String ID: 4PI
API String ID: 853095497-1771581502
Opcode ID: e7ac2c5012fa839d146893c0705f22c4635eb548c5d0be0363ce03b581d14a20
Instruction ID: e450c16710015a04d827bdf36dba62923dd4328c0a0834b889eda6f9c026b195
Opcode Fuzzy Hash: 46F0268206D8F1379472678830D77370A8AC33154EC85EB52162C376EB1D05D05DE75B
Instruction Fuzzy Hash: e450c16710015a04d827bdf36dba62923dd4328c0a0834b889eda6f9c026b195

APIs

GetCurrentThreadId.KERNEL32 ref: 0041F7BF
GetCurrentThreadId.KERNEL32 ref: 0041F7CE
EnterCriticalSection.KERNEL32(004999D0,0041F904,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F8F7

Part of subcall function 0041F774: WaitForSingleObject.KERNEL32(000000EC), ref: 0041F77E

Part of subcall function 0041F768: ResetEvent.KERNEL32(000000EC,0041F809), ref: 0041F76E

EnterCriticalSection.KERNEL32(004999D0), ref: 0041F813
InterlockedExchange.KERNEL32(00491B2C,?), ref: 0041F82F
LeaveCriticalSection.KERNEL32(004999D0,00000000,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F888

Strings

4PI, xrefs: 0041F7C4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00449834, Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 80 Total matches: 16libraryloader

Similarity

Total matches: 16
API ID: GetModuleHandleGetProcAddressImageList_Write
String ID: $qA$ImageList_WriteEx$[FILE]$[FILE]
API String ID: 3028349119-1134023085
Opcode ID: 9b6b780f1487285524870f905d0420896c1378cf45dbecae2d97141bf0e14d48
Instruction ID: 043155abd17610354dead4f4dd3580dd0e6203469d1d2f069e389e4af6e4a666
Opcode Fuzzy Hash: 29F059C6A0CCF14AE7175584B0AB66107F0BB9DD5F8C87710081C710A90F95A13DFB56
Instruction Fuzzy Hash: 043155abd17610354dead4f4dd3580dd0e6203469d1d2f069e389e4af6e4a666

APIs

ImageList_Write.COMCTL32(00000000,?,00000000,0044992E), ref: 004498F8

Part of subcall function 0040E3A4: GetFileVersionInfoSizeA.VERSION(00000000,?,00000000,0040E47A), ref: 0040E3E6
Part of subcall function 0040E3A4: GetFileVersionInfoA.VERSION(00000000,?,00000000,?,00000000,0040E45D,?,00000000,?,00000000,0040E47A), ref: 0040E41B
Part of subcall function 0040E3A4: VerQueryValueA.VERSION(?,0040E48C,?,?,00000000,?,00000000,?,00000000,0040E45D,?,00000000,?,00000000,0040E47A), ref: 0040E435

GetModuleHandleA.KERNEL32(comctl32.dll), ref: 00449868
GetProcAddress.KERNEL32(00000000,ImageList_WriteEx,comctl32.dll), ref: 00449879

Strings

comctl32.dll, xrefs: 00449863
ImageList_WriteEx, xrefs: 00449873
$qA, xrefs: 004498D4, 00449909
comctl32.dll, xrefs: 00449848

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E4A0, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68 Total matches: 2853string

Similarity

Total matches: 2853
API ID: GetSystemMetrics$GetMonitorInfoSystemParametersInfolstrcpy
String ID: DISPLAY$GetMonitorInfo
API String ID: 3432438702-1633989206
Opcode ID: eae47ffeee35c10db4cae29e8a4ab830895bcae59048fb7015cdc7d8cb0a928b
Instruction ID: 74142331967dee0409fd24cf408a58a7466f2520650418456c75ade1e3029da4
Opcode Fuzzy Hash: 28E068803A699081F86A71027110F4912B07AE7E47D883B92C4777051BD78265B91D01
Instruction Fuzzy Hash: 74142331967dee0409fd24cf408a58a7466f2520650418456c75ade1e3029da4

APIs

GetMonitorInfoA.USER32(?,?), ref: 0042E4D1
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042E4F8
GetSystemMetrics.USER32(00000000), ref: 0042E50D
GetSystemMetrics.USER32(00000001), ref: 0042E518
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0042E542

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

DISPLAY, xrefs: 0042E539
GetMonitorInfo, xrefs: 0042E4B8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E574, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 68 Total matches: 14string

Similarity

Total matches: 14
API ID: GetSystemMetrics$SystemParametersInfolstrcpy
String ID: DISPLAY$GetMonitorInfoA$tB
API String ID: 920390751-4256241499
Opcode ID: 9a94b6fb1edcb78a0c9a66795ebd84d1eeb67d07ab6805deb2fcd0b49b846e84
Instruction ID: eda70eb6c6723b3d8ed12733fddff3b40501d2063d2ec80ebb02aba850291404
Opcode Fuzzy Hash: 78E068C132298081B86A31013160F42129039E7E17E883BC1D4F77056B8B8275651D08
Instruction Fuzzy Hash: eda70eb6c6723b3d8ed12733fddff3b40501d2063d2ec80ebb02aba850291404

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042E5CC
GetSystemMetrics.USER32(00000000), ref: 0042E5E1
GetSystemMetrics.USER32(00000001), ref: 0042E5EC
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0042E616

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

GetMonitorInfoA, xrefs: 0042E58C
tB, xrefs: 0042E591, 0042E59E, 0042E5A5
DISPLAY, xrefs: 0042E60D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004052FC, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38 Total matches: 3072filewindow

Similarity

Total matches: 3072
API ID: GetStdHandleWriteFile$MessageBox
String ID: Error$Runtime error at 00000000
API String ID: 877302783-2970929446
Opcode ID: a2f2a555d5de0ed3a3cdfe8a362fd9574088acc3a5edf2b323f2c4251b80d146
Instruction ID: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97
Opcode Fuzzy Hash: FED0A7C68438479FA141326030C4B2A00133F0762A9CC7396366CB51DFCF4954BCDD05
Instruction Fuzzy Hash: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405335
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 0040533B
GetStdHandle.KERNEL32(000000F5,00405384,00000002,?,00000000,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405350
WriteFile.KERNEL32(00000000,000000F5,00405384,00000002,?), ref: 00405356
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00405374

Strings

Error, xrefs: 00405368
Runtime error at 00000000, xrefs: 0040532E, 0040536D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00442C9C, Relevance: 12.2, APIs: 8, Instructions: 154 Total matches: 2310window

Similarity

Total matches: 2310
API ID: SendMessage$GetActiveWindowGetCapture$ReleaseCapture
String ID:
API String ID: 3360342259-0
Opcode ID: 2e7a3c9d637816ea08647afd4d8ce4a3829e05fa187c32cef18f4a4206af3d5d
Instruction ID: f313f7327938110f0d474da6a120560d1e1833014bacf3192a9076ddb3ef11f7
Opcode Fuzzy Hash: 8F1150111E8E7417F8A3A1C8349BB23A067F74FA59CC0BF71479A610D557588869D707
Instruction Fuzzy Hash: f313f7327938110f0d474da6a120560d1e1833014bacf3192a9076ddb3ef11f7

APIs

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetCapture.USER32 ref: 00442D0D
GetCapture.USER32 ref: 00442D1C
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00442D22
ReleaseCapture.USER32 ref: 00442D27
GetActiveWindow.USER32 ref: 00442D78

Part of subcall function 004442A8: GetCursorPos.USER32 ref: 004442C3
Part of subcall function 004442A8: WindowFromPoint.USER32(?,?), ref: 004442D0
Part of subcall function 004442A8: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004442DE
Part of subcall function 004442A8: GetCurrentThreadId.KERNEL32(00000000,00000000,?,?), ref: 004442E5
Part of subcall function 004442A8: SendMessageA.USER32(00000000,00000084,00000000,?), ref: 0044430E
Part of subcall function 004442A8: SendMessageA.USER32(00000000,00000020,00000000,?), ref: 00444320
Part of subcall function 004442A8: SetCursor.USER32(00000000), ref: 00444332

Part of subcall function 0043B920: GetCurrentThreadId.KERNEL32(0043B8D0,00000000,00000000,0043B993,?,00000000,0043B9D1), ref: 0043B976
Part of subcall function 0043B920: EnumThreadWindows.USER32(00000000,0043B8D0,00000000), ref: 0043B97C

SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00442E0E
SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00442E7B
GetActiveWindow.USER32 ref: 00442E8A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E0DC, Relevance: 12.1, APIs: 8, Instructions: 100 Total matches: 31registry

Similarity

Total matches: 31
API ID: RegOpenKeyEx$RegCloseKeyRegDeleteValue
String ID:
API String ID: 2702562355-0
Opcode ID: ff1bffc0fc9da49c543c68ea8f8c068e074332158ed00d7e0855fec77d15ce10
Instruction ID: bb6f8a9e936068d281b70d3ea2ea02ff1a791729bc38357734c580253c916b5c
Opcode Fuzzy Hash: 00F0AD0155E9A353EBF654C41E127DB2082FF43A44D08FFB50392139D3DF581028E663
Instruction Fuzzy Hash: bb6f8a9e936068d281b70d3ea2ea02ff1a791729bc38357734c580253c916b5c

APIs

RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?,00000000,0046E238), ref: 0046E15A
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,000F003F,?,0046E23F,80000000,00000000,00000000,000F003F,?,00000000,0046E238), ref: 0046E17D
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,0046E23F,80000000,00000000,00000000,000F003F,?), ref: 0046E19D
RegOpenKeyExA.ADVAPI32(80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,0046E23F), ref: 0046E1BD
RegOpenKeyExA.ADVAPI32(80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001), ref: 0046E1DD
RegOpenKeyExA.ADVAPI32(80000006,00000000,00000000,000F003F,?,80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002), ref: 0046E1FD
RegDeleteValueA.ADVAPI32(?,00000000,00000000,0046E238), ref: 0046E20F
RegCloseKey.ADVAPI32(?,?,00000000,00000000,0046E238), ref: 0046E218

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434550, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 177 Total matches: 2669window

Similarity

Total matches: 2669
API ID: InsertMenu$GetVersionInsertMenuItem
String ID: ,$?
API String ID: 1158528009-2308483597
Opcode ID: 3691d3eb49acf7fe282d18733ae3af9147e5be4a4a7370c263688d5644077239
Instruction ID: d88e58a9695d0ecde36b26a9ed5775f3b98e27f7dc2108173ae1ec2afbf22209
Opcode Fuzzy Hash: 7021C07202AE81DBD414788C7954F6221B16B5465FD49FF210329B5DD98F156003FF7A
Instruction Fuzzy Hash: d88e58a9695d0ecde36b26a9ed5775f3b98e27f7dc2108173ae1ec2afbf22209

APIs

GetVersion.KERNEL32(00000000,004347A1), ref: 004345EC
InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 004346F5
InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 0043477E

Part of subcall function 00434A54: CreatePopupMenu.USER32 ref: 00434A6F
Part of subcall function 00434A54: CreateMenu.USER32 ref: 00434A79

InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 00434765

Strings

?, xrefs: 00434607
,, xrefs: 00434600

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00488D70, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 139 Total matches: 17window

Similarity

Total matches: 17
API ID: BitBltCreateCompatibleBitmapCreateCompatibleDCCreateDCSelectObject
String ID: image/jpeg
API String ID: 3045076971-3785015651
Opcode ID: dbe4b5206c04ddfa7cec44dd0e3e3f3269a9d8eacf2ec53212285f1a385d973c
Instruction ID: b6a9b81207b66fd46b40be05ec884117bb921c7e8fb4f30b77988d552b54040a
Opcode Fuzzy Hash: 3001BD010F4EF103E475B5CC3853FF7698AEB17E8AD1A77A20CB8961839202A009F607
Instruction Fuzzy Hash: b6a9b81207b66fd46b40be05ec884117bb921c7e8fb4f30b77988d552b54040a

APIs

CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 00488DAA
CreateCompatibleDC.GDI32(?), ref: 00488DC4
CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 00488DDC
SelectObject.GDI32(?,?), ref: 00488DEC
BitBlt.GDI32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,00CC0020), ref: 00488E15

Part of subcall function 0045FB1C: GdipCreateBitmapFromHBITMAP.GDIPLUS(?,?,?), ref: 0045FB43

Part of subcall function 0045FA24: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,0045FA7A), ref: 0045FA54

Strings

image/jpeg, xrefs: 00488E70

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446524, Relevance: 10.6, APIs: 7, Instructions: 105 Total matches: 329window

Similarity

Total matches: 329
API ID: PeekMessage$DispatchMessage$IsWindowUnicodeTranslateMessage
String ID:
API String ID: 94033680-0
Opcode ID: 72d0e2097018c2d171db36cd9dd5c7d628984fd68ad100676ade8b40d7967d7f
Instruction ID: b3581f7210794b57d406096c46509e1a6dcc6e0b3c60c7d01b5c3c410123a072
Opcode Fuzzy Hash: A2F0F642161A8221F90E364651E2FC06559E31F39CCD1D3871165A4192DF8573D6F95C
Instruction Fuzzy Hash: b3581f7210794b57d406096c46509e1a6dcc6e0b3c60c7d01b5c3c410123a072

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00446538
IsWindowUnicode.USER32 ref: 0044654C
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0044656D
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00446583

Part of subcall function 00447DD0: GetCapture.USER32 ref: 00447DDA
Part of subcall function 00447DD0: GetParent.USER32(00000000), ref: 00447E08

Part of subcall function 004462A4: TranslateMDISysAccel.USER32(?), ref: 004462E3

Part of subcall function 004462F4: GetCapture.USER32 ref: 0044631A
Part of subcall function 004462F4: GetParent.USER32(00000000), ref: 00446340
Part of subcall function 004462F4: IsWindowUnicode.USER32(00000000), ref: 0044635D
Part of subcall function 004462F4: SendMessageW.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446378
Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446397
Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(00000000), ref: 004463A6
Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(?,?), ref: 004463B4
Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 004463D4

Part of subcall function 0044625C: IsWindowUnicode.USER32(00000000), ref: 00446270
Part of subcall function 0044625C: IsDialogMessageW.USER32(?), ref: 00446281
Part of subcall function 0044625C: IsDialogMessageA.USER32(?,?,00000000,015B8130,00000001,00446607,?,00000000,00000000,00000000,00000001,?,00000000,00000000,00000000,00000000), ref: 00446296

TranslateMessage.USER32 ref: 0044660C
DispatchMessageW.USER32 ref: 00446618
DispatchMessageA.USER32 ref: 00446620

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004282D0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99 Total matches: 1938

Similarity

Total matches: 1938
API ID: GetWinMetaFileBitsMulDiv$GetDC
String ID: `
API String ID: 1171737091-2679148245
Opcode ID: 97e0afb71fd3017264d25721d611b96d1ac3823582e31f119ebb41a52f378edb
Instruction ID: fd1c75cb27f8ccc4a85bc281ca680933f7ff10ae91a160973978cac80d6b42b6
Opcode Fuzzy Hash: B6F0ACC4008CD2A7D87675DC1043F6311C897CA286E89BB739226A7307CB0AA019EC47
Instruction Fuzzy Hash: fd1c75cb27f8ccc4a85bc281ca680933f7ff10ae91a160973978cac80d6b42b6

APIs

MulDiv.KERNEL32(?,?,000009EC), ref: 00428322
MulDiv.KERNEL32(?,?,000009EC), ref: 00428339
GetDC.USER32(00000000), ref: 00428350
GetWinMetaFileBits.GDI32(?,00000000,00000000,00000008,?), ref: 00428374
GetWinMetaFileBits.GDI32(?,?,?,00000008,?), ref: 004283A7

Part of subcall function 00425A70: GetLastError.KERNEL32(00000000,00425B0C), ref: 00425A90
Part of subcall function 00425A70: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00425B0C), ref: 00425AB6

Strings

`, xrefs: 00428308

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444344, Relevance: 10.6, APIs: 7, Instructions: 89 Total matches: 2886

Similarity

Total matches: 2886
API ID: CreateFontIndirect$GetStockObjectSystemParametersInfo
String ID:
API String ID: 1286667049-0
Opcode ID: beeb678630a8d2ca0f721ed15124802961745e4c56d7c704ecddf8ebfa723626
Instruction ID: b9276e4cea0afd1028da4d528d34847b13dbaab52dc8e94e54053a20ac38a9fc
Opcode Fuzzy Hash: 00F0A4C36341F6F2D8993208742172161E6A74AE78C7CFF62422930ED2661A052EEB4F
Instruction Fuzzy Hash: b9276e4cea0afd1028da4d528d34847b13dbaab52dc8e94e54053a20ac38a9fc

APIs

SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 00444399
CreateFontIndirectA.GDI32(?), ref: 004443A6
GetStockObject.GDI32(0000000D), ref: 004443BC
SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 004443E5
CreateFontIndirectA.GDI32(?), ref: 004443F5
CreateFontIndirectA.GDI32(?), ref: 0044440E

Part of subcall function 00424A5C: MulDiv.KERNEL32(00000000,?,00000048), ref: 00424A69

GetStockObject.GDI32(0000000D), ref: 00444434

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482B34, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 84 Total matches: 10threadsleepmemory

Similarity

Total matches: 10
API ID: ExitThread$CreateThreadLocalAllocSleep
String ID: p)H
API String ID: 1498127831-2549212939
Opcode ID: 5fd7b773879454cb2e984670c3aa9a0c1db83b86d5d790d4145ccd7f391bc9b7
Instruction ID: 053b5e183048797674ca9cdb15cf17692ed61b26d4291f167cbfa930052dd689
Opcode Fuzzy Hash: 65F02E8147579427749271893D807631168A88B349DC47B618A393E5C35D0EB119F7C6
Instruction Fuzzy Hash: 053b5e183048797674ca9cdb15cf17692ed61b26d4291f167cbfa930052dd689

APIs

ExitThread.KERNEL32(00000000,00000000,00482BF9,?,00000000,00482C2E), ref: 00482BA4
LocalAlloc.KERNEL32(00000040,00000008,00000000,00482BF9,?,00000000,00482C2E), ref: 00482BAD
CreateThread.KERNEL32(00000000,00000000,Function_0008298C,00000000,00000000,?), ref: 00482BD6
Sleep.KERNEL32(00000064,00000000,00000000,Function_0008298C,00000000,00000000,?,00000040,00000008,00000000,00482BF9,?,00000000,00482C2E), ref: 00482BDD
ExitThread.KERNEL32(00000000,00000000,00482BF9,?,00000000,00482C2E), ref: 00482BEA

Strings

p)H, xrefs: 00482B48, 00482C1A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428A00, Relevance: 10.6, APIs: 7, Instructions: 66 Total matches: 3056

Similarity

Total matches: 3056
API ID: SelectObject$CreateCompatibleDCDeleteDCGetDCReleaseDCSetDIBColorTable
String ID:
API String ID: 2399757882-0
Opcode ID: e05996493a4a7703f1d90fd319a439bf5e8e75d5a5d7afaf7582bfea387cb30d
Instruction ID: 90c847b5b2251fbb5b2f14fd0b24f537c214c92e226752d9278a3821f2f40b8f
Opcode Fuzzy Hash: 73E0DF8626D8F38BE435399C15C2BB202EAD763D20D1ABBA1CD712B5DB6B09701CE107
Instruction Fuzzy Hash: 90c847b5b2251fbb5b2f14fd0b24f537c214c92e226752d9278a3821f2f40b8f

APIs

Part of subcall function 004262B4: GetObjectA.GDI32(?,00000004), ref: 004262CB
Part of subcall function 004262B4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 004262EE

GetDC.USER32(00000000), ref: 00428A3E
CreateCompatibleDC.GDI32(?), ref: 00428A4A
SelectObject.GDI32(?), ref: 00428A57
SetDIBColorTable.GDI32(?,00000000,00000000,?), ref: 00428A7B
SelectObject.GDI32(?,?), ref: 00428A95
DeleteDC.GDI32(?), ref: 00428A9E
ReleaseDC.USER32(00000000,?), ref: 00428AA9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004442A8, Relevance: 10.6, APIs: 7, Instructions: 57 Total matches: 3149threadwindow

Similarity

Total matches: 3149
API ID: SendMessage$GetCurrentThreadIdGetCursorPosGetWindowThreadProcessIdSetCursorWindowFromPoint
String ID:
API String ID: 3843227220-0
Opcode ID: 636f8612f18a75fc2fe2d79306f1978e6c2d0ee500cce15a656835efa53532b4
Instruction ID: 91a0691e93be75cbd792bc1c5d11451005bcc187603754b99125f381020161aa
Opcode Fuzzy Hash: 6FE07D44093723D5C0644A295640705A6C6CB96630DC0DB86C339580FBAD0214F0BC92
Instruction Fuzzy Hash: 91a0691e93be75cbd792bc1c5d11451005bcc187603754b99125f381020161aa

APIs

GetCursorPos.USER32 ref: 004442C3
WindowFromPoint.USER32(?,?), ref: 004442D0
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004442DE
GetCurrentThreadId.KERNEL32(00000000,00000000,?,?), ref: 004442E5
SendMessageA.USER32(00000000,00000084,00000000,?), ref: 0044430E
SendMessageA.USER32(00000000,00000020,00000000,?), ref: 00444320
SetCursor.USER32(00000000), ref: 00444332

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00404448, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 49 Total matches: 63registry

Similarity

Total matches: 63
API ID: RegCloseKeyRegOpenKeyExRegQueryValueEx
String ID: &$FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 2249749755-409351
Opcode ID: ab90adbf7b939076b4d26ef1005f34fa32d43ca05e29cbeea890055cc8b783db
Instruction ID: ce62e3bb234767a160e82b0d7d36def6f0e4d1aa0fd43ed305e6d49589b0b3e0
Opcode Fuzzy Hash: 58D02BE10C9A675FB6B071543292B6310A3F72AA8CC0077326DD03A0D64FD26178CF03
Instruction Fuzzy Hash: ce62e3bb234767a160e82b0d7d36def6f0e4d1aa0fd43ed305e6d49589b0b3e0

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040446A
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,&,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040449D
RegCloseKey.ADVAPI32(?,004044C0,00000000,?,00000004,00000000,&,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004044B3

Strings

&, xrefs: 00404476
FPUMaskValue, xrefs: 00404494
SOFTWARE\Borland\Delphi\RTL, xrefs: 00404460

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00488B18, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 49 Total matches: 15

Similarity

Total matches: 15
API ID: GetDeviceCaps$CreateDCEnumDisplayMonitors
String ID: DISPLAY$MONSIZE0x0x0x0
API String ID: 764351534-707749442
Opcode ID: 4ad1b1e031ca4c6641bd4b991acf5b812f9c7536f9f0cc4eb1e7d2354d8ae31a
Instruction ID: 74f5256f7b05cb3d54b39a8883d8df7c51a1bc5999892e39300c9a7f2f74089f
Opcode Fuzzy Hash: 94E0C24F6B8BE4A7600672443C237C2878AA6536918523721CB3E36A93DD472205BA15
Instruction Fuzzy Hash: 74f5256f7b05cb3d54b39a8883d8df7c51a1bc5999892e39300c9a7f2f74089f

APIs

CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 00488B3D
GetDeviceCaps.GDI32(00000000,00000008), ref: 00488B47
GetDeviceCaps.GDI32(00000000,0000000A), ref: 00488B54
EnumDisplayMonitors.USER32(00000000,00000000,004889F0,00000000), ref: 00488B85

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

DISPLAY, xrefs: 00488B6E
MONSIZE0x0x0x0, xrefs: 00488B8C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040F3A4, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 46 Total matches: 17

Similarity

Total matches: 17
API ID: FindResourceLoadResource
String ID: 0PI$DVCLAL
API String ID: 2359726220-2981686760
Opcode ID: 800224e7684f9999f87d4ef9ea60951ae4fbd73f3e4075522447f15a278b71b4
Instruction ID: dff53e867301dc3e22b70d9e69622cb382f13005f1a49077cfe6c5f33cacb54d
Opcode Fuzzy Hash: 8FD0C9D501084285852017F8B253FC7A2AB69DEB19D544BB05EB12D2076F5A613B6A46
Instruction Fuzzy Hash: dff53e867301dc3e22b70d9e69622cb382f13005f1a49077cfe6c5f33cacb54d

APIs

FindResourceA.KERNEL32(00400000,DVCLAL,0000000A), ref: 0040F3C1
LoadResource.KERNEL32(00400000,00000000,00400000,DVCLAL,0000000A), ref: 0040F3CF
FindResourceA.KERNEL32(00400000,DVCLAL,0000000A), ref: 0040F3F3
LoadResource.KERNEL32(00400000,00000000,00400000,DVCLAL,0000000A), ref: 0040F3FA

Strings

0PI, xrefs: 0040F3A8, 0040F3B9, 0040F3C7
DVCLAL, xrefs: 0040F3B4, 0040F3EA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043EC18, Relevance: 9.2, APIs: 6, Instructions: 150 Total matches: 2896

Similarity

Total matches: 2896
API ID: FillRect$BeginPaintEndPaintGetClientRectGetWindowRect
String ID:
API String ID: 2931688664-0
Opcode ID: 677a90f33c4a0bae1c1c90245e54b31fe376033ebf9183cf3cf5f44c7b342276
Instruction ID: 65c0a0a89661e183b73f48e61e48bee5eb6d6399339ac08e0e21072a38132552
Opcode Fuzzy Hash: 9711994A819E5007F47B49C40887BEA1092FBC1FDBCC8FF7025A426BCB0B60564F860B
Instruction Fuzzy Hash: 65c0a0a89661e183b73f48e61e48bee5eb6d6399339ac08e0e21072a38132552

APIs

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?), ref: 0043EC91
GetClientRect.USER32(00000000,?), ref: 0043ECBC
FillRect.USER32(?,?,00000000), ref: 0043ECDB

Part of subcall function 0043EB8C: CallWindowProcA.USER32(?,?,?,?,?), ref: 0043EBC6

Part of subcall function 0043B78C: GetWindowLongA.USER32(?,000000EC), ref: 0043B799
Part of subcall function 0043B78C: SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B7BC
Part of subcall function 0043B78C: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043B7CE

BeginPaint.USER32(?,?), ref: 0043ED53
GetWindowRect.USER32(?,?), ref: 0043ED80

Part of subcall function 0044EEA0: GetWindowOrgEx.GDI32(?), ref: 0044EEAE
Part of subcall function 0044EEA0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044EEC4

Part of subcall function 00455D50: BeginPaint.USER32(00000000,?), ref: 00455D7B
Part of subcall function 00455D50: SaveDC.GDI32(00000000), ref: 00455DB4
Part of subcall function 00455D50: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 00455E36
Part of subcall function 00455D50: RestoreDC.GDI32(00000000,00000000), ref: 00455E6C
Part of subcall function 00455D50: EndPaint.USER32(00000000,?), ref: 00455EA9

EndPaint.USER32(?,?), ref: 0043EDE0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00441160, Relevance: 9.1, APIs: 6, Instructions: 125 Total matches: 196

Similarity

Total matches: 196
API ID: ExcludeClipRectFillRectGetStockObjectRestoreDCSaveDCSetBkColor
String ID:
API String ID: 3049133588-0
Opcode ID: d6019f6cee828ac7391376ab126a0af33bb7a71103bbd3b8d69450c96d22d854
Instruction ID: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c
Opcode Fuzzy Hash: 54012444004F6253F4AB098428E7FA56083F721791CE4FF310786616C34A74615BAA07
Instruction Fuzzy Hash: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c

APIs

Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE

SaveDC.GDI32(?), ref: 004411AD
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00441234
GetStockObject.GDI32(00000004), ref: 00441256
FillRect.USER32(00000000,?,00000000), ref: 0044126F

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(00000000,00000000), ref: 004412BA

Part of subcall function 0042535C: FillRect.USER32(?,00000000,00000000), ref: 00425385

RestoreDC.GDI32(00000000,?), ref: 004412E5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004556F4, Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 353 Total matches: 9

Similarity

Total matches: 9
API ID: DefWindowProcGetCaptureSetWindowPos_TrackMouseEvent
String ID: zC
API String ID: 1140357208-2078053289
Opcode ID: 4b88ffa7e8dc9e0fc55dcf7c85635e39fbe2c17a2618d5290024c367d42a558d
Instruction ID: b57778f77ef7841f174bad60fd8f5a19220f360e114fd8f1822aba38cb5d359d
Opcode Fuzzy Hash: B2513154458FA692E4B3E0417AA3BD27026F7D178AC84EF3027D9224DB7F15B217AB07
Instruction Fuzzy Hash: b57778f77ef7841f174bad60fd8f5a19220f360e114fd8f1822aba38cb5d359d

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000077), ref: 004557E5
DefWindowProcA.USER32(00000000,?,?,?), ref: 00455AEF

Part of subcall function 0044D640: GetCapture.USER32 ref: 0044D640

_TrackMouseEvent.COMCTL32(00000010), ref: 00455A9D

Part of subcall function 00455640: GetCapture.USER32 ref: 00455653

Part of subcall function 004554F4: GetMessagePos.USER32 ref: 00455503
Part of subcall function 004554F4: GetKeyboardState.USER32(?), ref: 00455600

GetCapture.USER32 ref: 00455B5A

Part of subcall function 00451C28: GetKeyboardState.USER32(?), ref: 00451E90

Strings

zC, xrefs: 0045594E, 0045596C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446070, Relevance: 9.1, APIs: 6, Instructions: 99 Total matches: 165window

Similarity

Total matches: 165
API ID: DefWindowProcIsWindowEnabledSetActiveWindowSetFocusSetWindowPosShowWindow
String ID:
API String ID: 81093956-0
Opcode ID: 91e5e05e051b3e2f023c100c42454c78ad979d8871dc5c9cc7008693af0beda7
Instruction ID: aa6e88dcafe1d9e979c662542ea857fd259aca5c8034ba7b6c524572af4b0f27
Opcode Fuzzy Hash: C2F0DD0025452320F892A8044167FBA60622B5F75ACDCD3282197002AEEFE7507ABF14
Instruction Fuzzy Hash: aa6e88dcafe1d9e979c662542ea857fd259aca5c8034ba7b6c524572af4b0f27

APIs

Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773

SetActiveWindow.USER32(?), ref: 0044608F
ShowWindow.USER32(00000000,00000009), ref: 004460B4
IsWindowEnabled.USER32(00000000), ref: 004460D3
DefWindowProcA.USER32(?,00000112,0000F120,00000000), ref: 004460EC

Part of subcall function 00444C44: ShowWindow.USER32(?,00000006), ref: 00444C5F

SetWindowPos.USER32(?,00000000,00000000,?,?,00445ABE,00000000), ref: 00446132
SetFocus.USER32(00000000), ref: 00446180

Part of subcall function 0043FDB4: ShowWindow.USER32(00000000,?), ref: 0043FDEA

Part of subcall function 00445490: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000213), ref: 004454DE

Part of subcall function 004455EC: EnumWindows.USER32(00445518,00000000), ref: 00445620
Part of subcall function 004455EC: ShowWindow.USER32(?,00000000), ref: 00445655
Part of subcall function 004455EC: ShowOwnedPopups.USER32(00000000,?), ref: 00445684
Part of subcall function 004455EC: ShowWindow.USER32(?,00000005), ref: 004456EA
Part of subcall function 004455EC: ShowOwnedPopups.USER32(00000000,?), ref: 00445719

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426564, Relevance: 9.1, APIs: 6, Instructions: 84 Total matches: 3298

Similarity

Total matches: 3298
API ID: GetDeviceCapsGetSystemMetrics$GetDCReleaseDC
String ID:
API String ID: 3173458388-0
Opcode ID: fd9f4716da230ae71bf1f4ec74ceb596be8590d72bfe1d7677825fa15454f496
Instruction ID: 76208f8db54bfa31a4e946745ab37a866a8afca9cd7e1400b1f436bf5add317d
Opcode Fuzzy Hash: 0CF09E4906CDE0A230E245C41213F6290C28E85DA1CCD2F728175646EB900A900BB68A
Instruction Fuzzy Hash: 76208f8db54bfa31a4e946745ab37a866a8afca9cd7e1400b1f436bf5add317d

APIs

GetSystemMetrics.USER32(0000000B), ref: 004265B2
GetSystemMetrics.USER32(0000000C), ref: 004265BE
GetDC.USER32(00000000), ref: 004265DA
GetDeviceCaps.GDI32(00000000,0000000E), ref: 00426601
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042660E
ReleaseDC.USER32(00000000,00000000), ref: 00426647

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004269DC, Relevance: 9.1, APIs: 6, Instructions: 65 Total matches: 3081window

Similarity

Total matches: 3081
API ID: SelectPalette$CreateCompatibleDCDeleteDCGetDIBitsRealizePalette
String ID:
API String ID: 940258532-0
Opcode ID: c5678bed85b02f593c88b8d4df2de58c18800a354d7fb4845608846d7bc0f30b
Instruction ID: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194
Opcode Fuzzy Hash: BCE0864D058EF36F1875B08C25D267100C0C9A25D0917BB6151282339B8F09B42FE553
Instruction Fuzzy Hash: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194

APIs

Part of subcall function 00426888: GetObjectA.GDI32(?,00000054), ref: 0042689C

CreateCompatibleDC.GDI32(00000000), ref: 004269FE
SelectPalette.GDI32(?,?,00000000), ref: 00426A1F
RealizePalette.GDI32(?), ref: 00426A2B
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 00426A42
SelectPalette.GDI32(?,00000000,00000000), ref: 00426A6A
DeleteDC.GDI32(?), ref: 00426A73

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426210, Relevance: 9.1, APIs: 6, Instructions: 56 Total matches: 3064window

Similarity

Total matches: 3064
API ID: SelectObject$CreateCompatibleDCCreatePaletteDeleteDCGetDIBColorTable
String ID:
API String ID: 2522673167-0
Opcode ID: 8f0861977a40d6dd0df59c1c8ae10ba78c97ad85d117a83679491ebdeecf1838
Instruction ID: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265
Opcode Fuzzy Hash: 23E0CD8BABB4E08A797B9EA40440641D28F874312DF4347525731780E7DE0972EBFD9D
Instruction Fuzzy Hash: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265

APIs

CreateCompatibleDC.GDI32(00000000), ref: 00426229
SelectObject.GDI32(00000000,00000000), ref: 00426232
GetDIBColorTable.GDI32(00000000,00000000,00000100,?), ref: 00426246
SelectObject.GDI32(00000000,00000000), ref: 00426252
DeleteDC.GDI32(00000000), ref: 00426258
CreatePalette.GDI32 ref: 0042629F

Part of subcall function 00426178: GetDC.USER32(00000000), ref: 00426190
Part of subcall function 00426178: GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
Part of subcall function 00426178: ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004258EC, Relevance: 9.0, APIs: 6, Instructions: 43 Total matches: 3205

Similarity

Total matches: 3205
API ID: SetBkColorSetBkMode$SelectObjectUnrealizeObject
String ID:
API String ID: 865388446-0
Opcode ID: ffaa839b37925f52af571f244b4bcc9ec6d09047a190f4aa6a6dd435522a71e3
Instruction ID: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d
Opcode Fuzzy Hash: 04D09E594221F71A98E8058442D7D520586497D532DAF3B51063B173F7F8089A05D9FC
Instruction Fuzzy Hash: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d

APIs

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

UnrealizeObject.GDI32(00000000), ref: 004258F8
SelectObject.GDI32(?,00000000), ref: 0042590A
SetBkColor.GDI32(?,00000000), ref: 0042592D
SetBkMode.GDI32(?,00000002), ref: 00425938

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(?,00000000), ref: 00425953
SetBkMode.GDI32(?,00000001), ref: 0042595E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DA48, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 102 Total matches: 32

Similarity

Total matches: 32
API ID: Netbios
String ID: %.2x-%.2x-%.2x-%.2x-%.2x-%.2x$3$memory allocation failed!
API String ID: 544444789-2654533857
Opcode ID: 22deb5ba4c8dd5858e69645675ac88c4b744798eed5cc2a6ae80ae5365d1f156
Instruction ID: 205d53b38d78d2d0723284a20418f6a6cc2e9f6e34ee92e133a3f4b1a01c78c5
Opcode Fuzzy Hash: FC0145449793E233D2635E086C60F6823228F41731FC96B56863A557DC1F09420EF26F
Instruction Fuzzy Hash: 205d53b38d78d2d0723284a20418f6a6cc2e9f6e34ee92e133a3f4b1a01c78c5

APIs

Netbios.NETAPI32(00000032), ref: 0048DA8A
Netbios.NETAPI32(00000033), ref: 0048DB01

Strings

3, xrefs: 0048DACB
memory allocation failed!, xrefs: 0048DAEB
%.2x-%.2x-%.2x-%.2x-%.2x-%.2x, xrefs: 0048DBA0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446EDC, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 98 Total matches: 12timethreadwindow

Similarity

Total matches: 12
API ID: GetCurrentThreadIdSetTimerWaitMessage
String ID: 4PI$TfD
API String ID: 3709936073-2665388893
Opcode ID: a96b87b76615ec2f6bd9a49929a256f28b564bdc467e68e118c3deca706b2d51
Instruction ID: b92290f9b4a80c848b093905c5717a31533565e16cff7f57329368dd8290fbf7
Opcode Fuzzy Hash: E2F0A28141CDF053D573A6183401FD120A6F3465D5CD097723768360EE1ADF603DE14B
Instruction Fuzzy Hash: b92290f9b4a80c848b093905c5717a31533565e16cff7f57329368dd8290fbf7

APIs

Part of subcall function 00446E50: GetCursorPos.USER32 ref: 00446E57

SetTimer.USER32(00000000,00000000,?,00446E74), ref: 00446FAB

Part of subcall function 00446DEC: IsWindowVisible.USER32(00000000), ref: 00446E24
Part of subcall function 00446DEC: IsWindowEnabled.USER32(00000000), ref: 00446E35

GetCurrentThreadId.KERNEL32(00000000,00447029,?,?,?,015B8130), ref: 00446FE5
WaitMessage.USER32 ref: 00447009

Part of subcall function 0041F7B4: GetCurrentThreadId.KERNEL32 ref: 0041F7BF
Part of subcall function 0041F7B4: GetCurrentThreadId.KERNEL32 ref: 0041F7CE
Part of subcall function 0041F7B4: EnterCriticalSection.KERNEL32(004999D0), ref: 0041F813
Part of subcall function 0041F7B4: InterlockedExchange.KERNEL32(00491B2C,?), ref: 0041F82F
Part of subcall function 0041F7B4: LeaveCriticalSection.KERNEL32(004999D0,00000000,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F888
Part of subcall function 0041F7B4: EnterCriticalSection.KERNEL32(004999D0,0041F904,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F8F7

Strings

TfD, xrefs: 00446EFE, 00446F08, 00446F59, 00446F81, 00446FBE, 00446F8E, 00446F69, 00446F6C, 00446F14, 00446F1D
4PI, xrefs: 00446FEA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004827C4, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85 Total matches: 19threadsleep

Similarity

Total matches: 19
API ID: CreateThreadExitThreadSleep
String ID: @$BTRESULTSyn Flood|Syn task finished!|
API String ID: 2170526433-491318438
Opcode ID: 44470ceb4039b0deeebf49dfd608d8deeadfb9ebb9d7d747ae665e3d160d324e
Instruction ID: 0c48cfc9b202c7a9406c9b87cea66b669ffe7f04b2bdabee49179f6eebcccd33
Opcode Fuzzy Hash: 17F02B24A7D9B5DFEC075D402D42BDB6254EBC784EDCAA7B29257234819E1A30037713
Instruction Fuzzy Hash: 0c48cfc9b202c7a9406c9b87cea66b669ffe7f04b2bdabee49179f6eebcccd33

APIs

Sleep.KERNEL32(00000064,?,00000000,004828F9), ref: 00482877
CreateThread.KERNEL32(00000000,00000000,Function_00082630,00000000,00000000,?), ref: 0048288C

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000,00000000,00000000,Function_00082630,00000000,00000000,?,00000064,?,00000000,004828F9), ref: 004828CF

Strings

BTRESULTSyn Flood|Syn task finished!|, xrefs: 004828BB
@, xrefs: 00482862

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00483858, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85 Total matches: 19threadsleep

Similarity

Total matches: 19
API ID: CreateThreadExitThreadSleep
String ID: @$BTRESULTHTTP Flood|Http Flood task finished!|
API String ID: 2170526433-4253556105
Opcode ID: ce1973b24f73c03e98cc87b7d8b3c5c1d23a0e8b985775cb0889d2fdef58f970
Instruction ID: 21c0fad9eccbf28bfd57fbbbc49df069a42e3d2ebba60de991032031fecca495
Opcode Fuzzy Hash: 5DF0F61467DBA0AFEC476D403852FDB6254DBC344EDCAA7B2961B234919A0B50072752
Instruction Fuzzy Hash: 21c0fad9eccbf28bfd57fbbbc49df069a42e3d2ebba60de991032031fecca495

APIs

Sleep.KERNEL32(00000064,?,00000000,0048398D), ref: 0048390B
CreateThread.KERNEL32(00000000,00000000,Function_000836D8,00000000,00000000,?), ref: 00483920

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000,00000000,00000000,Function_000836D8,00000000,00000000,?,00000064,?,00000000,0048398D), ref: 00483963

Strings

@, xrefs: 004838F6
BTRESULTHTTP Flood|Http Flood task finished!|, xrefs: 0048394F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00431630, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68 Total matches: 12clipboard

Similarity

Total matches: 12
API ID: EnumClipboardFormatsGetClipboardData
String ID: 84B
API String ID: 3474394156-4139892337
Opcode ID: cbdc4fb4fee60523561006c9190bf0aca0ea1a398c4033ec61a61d99ebad6b44
Instruction ID: f1c5519afed1b0c95f7f2342b940afc2bc63d918938f195d0c151ba0fb7a00cb
Opcode Fuzzy Hash: 42E0D8922359D127F8C2A2903882B52360966DA6488405B709B6D7D1575551512FF28B
Instruction Fuzzy Hash: f1c5519afed1b0c95f7f2342b940afc2bc63d918938f195d0c151ba0fb7a00cb

APIs

EnumClipboardFormats.USER32(00000000), ref: 00431657
GetClipboardData.USER32(00000000), ref: 00431677
GetClipboardData.USER32(00000009), ref: 00431680
EnumClipboardFormats.USER32(00000000), ref: 0043169F

Strings

84B, xrefs: 00431665

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EA7C, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50 Total matches: 198thread

Similarity

Total matches: 198
API ID: FindWindowExGetCurrentThreadIdGetWindowThreadProcessIdIsWindow
String ID: OleMainThreadWndClass
API String ID: 201132107-3883841218
Opcode ID: cdbacb71e4e8a6832b821703e69153792bbbb8731c9381be4d3b148a6057b293
Instruction ID: 62358f18f5a79d764869bf2b093b0b3ccaeb62bda00a46bd1094c38cdaeeb6b7
Opcode Fuzzy Hash: F8E08C9266CC1095C039EA1C7A2237A3548B7D24E9ED4DB747BEB2716CEF00022A7780
Instruction Fuzzy Hash: 62358f18f5a79d764869bf2b093b0b3ccaeb62bda00a46bd1094c38cdaeeb6b7

APIs

Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00000000,00403029), ref: 004076AD
Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00403029), ref: 004076BE

IsWindow.USER32(?), ref: 0042EA99
FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
GetCurrentThreadId.KERNEL32(?,00000000,00000000,00000000,OleMainThreadWndClass,00000000,?,?,00000000,0042EB52), ref: 0042EB0A

Strings

OleMainThreadWndClass, xrefs: 0042EAC3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043F914, Relevance: 7.7, APIs: 5, Instructions: 174 Total matches: 113window

Similarity

Total matches: 113
API ID: SetMenu$GetMenuSetWindowPos
String ID:
API String ID: 2285096500-0
Opcode ID: d0722823978f30f9d251a310f9061108e88e98677dd122370550f2cde24528f3
Instruction ID: e705ced47481df034b79e2c10a9e9c5239c9913cd23e0c77b7b1ec0a0db802ed
Opcode Fuzzy Hash: 5F118B40961E1266F846164C19EAF1171E6BB9D305CC4E72083E630396BE085027E773
Instruction Fuzzy Hash: e705ced47481df034b79e2c10a9e9c5239c9913cd23e0c77b7b1ec0a0db802ed

APIs

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetMenu.USER32(00000000), ref: 0043FA38
SetMenu.USER32(00000000,00000000), ref: 0043FA55
SetMenu.USER32(00000000,00000000), ref: 0043FA8A
SetMenu.USER32(00000000,00000000), ref: 0043FAA6

Part of subcall function 0043F84C: GetMenu.USER32(00000000), ref: 0043F892
Part of subcall function 0043F84C: SendMessageA.USER32(00000000,00000230,00000000,00000000), ref: 0043F8AA
Part of subcall function 0043F84C: DrawMenuBar.USER32(00000000), ref: 0043F8BB

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043FAED

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434AE4, Relevance: 7.7, APIs: 5, Instructions: 168 Total matches: 2874

Similarity

Total matches: 2874
API ID: DrawTextOffsetRect$DrawEdge
String ID:
API String ID: 1230182654-0
Opcode ID: 4033270dfa35f51a11e18255a4f5fd5a4a02456381e8fcea90fa62f052767fcc
Instruction ID: 6b9e5ef3b45a4a7d0cb501c9f56a29ead01efbe1e1581f942ef4c6a165ab8663
Opcode Fuzzy Hash: A511CB01114D5A93E431240815A7FEF1295FBC1A9BCD4BB71078636DBB2F481017EA7B
Instruction Fuzzy Hash: 6b9e5ef3b45a4a7d0cb501c9f56a29ead01efbe1e1581f942ef4c6a165ab8663

APIs

DrawEdge.USER32(00000000,?,00000006,00000002), ref: 00434BB3
OffsetRect.USER32(?,00000001,00000001), ref: 00434C04
DrawTextA.USER32(00000000,00000000,?,?,?), ref: 00434C3D
OffsetRect.USER32(?,000000FF,000000FF), ref: 00434C4A

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

DrawTextA.USER32(00000000,00000000,?,?,?), ref: 00434CB5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00473208, Relevance: 7.6, APIs: 5, Instructions: 114 Total matches: 15network

Similarity

Total matches: 15
API ID: inet_ntoa$WSAIoctlclosesocketsocket
String ID:
API String ID: 2271367613-0
Opcode ID: 03e2a706dc22aa37b7c7fcd13714bf4270951a4113eb29807a237e9173ed7bd6
Instruction ID: 676ba8df3318004e6f71ddf2b158507320f00f5068622334a9372202104f6e6f
Opcode Fuzzy Hash: A0F0AC403B69D14384153BC72A80F5971A2872F33ED4833999230986D7984CA018F529
Instruction Fuzzy Hash: 676ba8df3318004e6f71ddf2b158507320f00f5068622334a9372202104f6e6f

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00473339), ref: 0047323B
WSAIoctl.WS2_32(000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000), ref: 0047327C
inet_ntoa.WSOCK32(?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000), ref: 004732AC
inet_ntoa.WSOCK32(?,?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001), ref: 004732E8
closesocket.WSOCK32(000000FF,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000,00000000,00473339), ref: 00473319

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004455EC, Relevance: 7.6, APIs: 5, Instructions: 109 Total matches: 230

Similarity

Total matches: 230
API ID: ShowOwnedPopupsShowWindow$EnumWindows
String ID:
API String ID: 1268429734-0
Opcode ID: 27bb45b2951756069d4f131311b8216febb656800ffc3f7147a02f570a82fa35
Instruction ID: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc
Opcode Fuzzy Hash: 70012B5524E87325E2756D54B01C765A2239B0FF08CE6C6654AAE640F75E1E0132F78D
Instruction Fuzzy Hash: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc

APIs

EnumWindows.USER32(00445518,00000000), ref: 00445620
ShowWindow.USER32(?,00000000), ref: 00445655
ShowOwnedPopups.USER32(00000000,?), ref: 00445684
ShowWindow.USER32(?,00000005), ref: 004456EA
ShowOwnedPopups.USER32(00000000,?), ref: 00445719

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004878A4, Relevance: 7.6, APIs: 5, Instructions: 109 Total matches: 11memorythread

Similarity

Total matches: 11
API ID: CloseHandleCreateThreadEnterCriticalSectionLeaveCriticalSectionLocalAlloc
String ID:
API String ID: 3024079611-0
Opcode ID: 4dd964c7e1c4b679be799535e5517f4cba33e810e34606c0a9d5c033aa3fe8c9
Instruction ID: efb3d4a77ffd09126bc7d7eb87c1fe64908b5695ecb93dc64bf5137c0ac50147
Opcode Fuzzy Hash: 7E01288913DAD457BD6068883C86EE705A95BA2508E0C67B34F2E392834F1A5125F283
Instruction Fuzzy Hash: efb3d4a77ffd09126bc7d7eb87c1fe64908b5695ecb93dc64bf5137c0ac50147

APIs

EnterCriticalSection.KERNEL32(0049C3A8,00000000,00487A08), ref: 004878F3

Part of subcall function 00487318: EnterCriticalSection.KERNEL32(0049C3A8,00000000,00487468,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00487347
Part of subcall function 00487318: LeaveCriticalSection.KERNEL32(0049C3A8,0048744D,00487468,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00487440

LocalAlloc.KERNEL32(00000040,00000010,?,0049C3A8,00000000,00487A08), ref: 0048795A
CreateThread.KERNEL32(00000000,00000000,Function_00086E2C,00000000,00000000,?), ref: 004879AE
CloseHandle.KERNEL32(00000000), ref: 004879B4
LeaveCriticalSection.KERNEL32(0049C3A8,004879D8,Function_00086E2C,00000000,00000000,?,00000040,00000010,?,0049C3A8,00000000,00487A08), ref: 004879CB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EB3C, Relevance: 7.6, APIs: 5, Instructions: 86 Total matches: 211window

Similarity

Total matches: 211
API ID: DispatchMessageMsgWaitForMultipleObjectsExPeekMessageTranslateMessageWaitForMultipleObjectsEx
String ID:
API String ID: 1615661765-0
Opcode ID: ed928f70f25773e24e868fbc7ee7d77a1156b106903410d7e84db0537b49759f
Instruction ID: 55a40452e6c929106030349fb2bc1598364ce2fc4e781c2a916e8f687fa462b2
Opcode Fuzzy Hash: DDF05C09614F1D16D8BB88644562B1B2144AB42397C26BFA5529EE3B2D6B18B00AF640
Instruction Fuzzy Hash: 55a40452e6c929106030349fb2bc1598364ce2fc4e781c2a916e8f687fa462b2

APIs

Part of subcall function 0042EA7C: IsWindow.USER32(?), ref: 0042EA99
Part of subcall function 0042EA7C: FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
Part of subcall function 0042EA7C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
Part of subcall function 0042EA7C: GetCurrentThreadId.KERNEL32(?,00000000,00000000,00000000,OleMainThreadWndClass,00000000,?,?,00000000,0042EB52), ref: 0042EB0A

MsgWaitForMultipleObjectsEx.USER32(?,?,?,000000BF,?), ref: 0042EB6A
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 0042EB85
TranslateMessage.USER32(?), ref: 0042EB92
DispatchMessageA.USER32(?), ref: 0042EB9B
WaitForMultipleObjectsEx.KERNEL32(?,?,?,?,00000000), ref: 0042EBC7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434924, Relevance: 7.6, APIs: 5, Instructions: 77 Total matches: 2509window

Similarity

Total matches: 2509
API ID: GetMenuItemCount$DestroyMenuGetMenuStateRemoveMenu
String ID:
API String ID: 4240291783-0
Opcode ID: 32de4ad86fdb0cc9fc982d04928276717e3a5babd97d9cb0bc7430a9ae97d0ca
Instruction ID: cf6877f9ad33401498591f2bf6e6844a5ca439f59e89e6fdb213c81f0c010526
Opcode Fuzzy Hash: 6BE02BD3455E4703F425AB0454E3FA913C4AF51716DA0DB1017359D07B1F26501FE9F4
Instruction Fuzzy Hash: cf6877f9ad33401498591f2bf6e6844a5ca439f59e89e6fdb213c81f0c010526

APIs

Part of subcall function 00434A54: CreatePopupMenu.USER32 ref: 00434A6F
Part of subcall function 00434A54: CreateMenu.USER32 ref: 00434A79

GetMenuItemCount.USER32(00000000), ref: 0043495C
GetMenuState.USER32(00000000,-00000001,00000400), ref: 0043497D
RemoveMenu.USER32(00000000,-00000001,00000400), ref: 00434994
GetMenuItemCount.USER32(00000000), ref: 004349C4
DestroyMenu.USER32(00000000), ref: 004349D1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00443430, Relevance: 7.6, APIs: 5, Instructions: 61 Total matches: 3003

Similarity

Total matches: 3003
API ID: SetWindowLong$GetWindowLongRedrawWindowSetLayeredWindowAttributes
String ID:
API String ID: 3761630487-0
Opcode ID: 9c9d49d1ef37d7cb503f07450c0d4a327eb9b2b4778ec50dcfdba666c10abcb3
Instruction ID: c6d9d2cd31c241e86b7d90949bf59b5cad1e27a78e0073c3828bbb8e9ec94880
Opcode Fuzzy Hash: 6AE06550D41703A1D48114945B63FBBE8817F8911DDE5C71001BA29145BA88A192FF7B
Instruction Fuzzy Hash: c6d9d2cd31c241e86b7d90949bf59b5cad1e27a78e0073c3828bbb8e9ec94880

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 00443464
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 00443496
SetLayeredWindowAttributes.USER32(00000000,?,?,00000000), ref: 004434CF
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 004434E8
RedrawWindow.USER32(00000000,00000000,00000000,00000485), ref: 004434FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426178, Relevance: 7.6, APIs: 5, Instructions: 55 Total matches: 3070window

Similarity

Total matches: 3070
API ID: GetPaletteEntries$GetDCGetDeviceCapsReleaseDC
String ID:
API String ID: 1267235336-0
Opcode ID: 49f91625e0dd571c489fa6fdad89a91e8dd79834746e98589081ca7a3a4fea17
Instruction ID: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836
Opcode Fuzzy Hash: 7CD0C2AA1389DBD6BD6A17842352A4553478983B09D126B32EB0822872850C5039FD1F
Instruction Fuzzy Hash: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836

APIs

GetDC.USER32(00000000), ref: 00426190
GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444B90, Relevance: 7.5, APIs: 5, Instructions: 25 Total matches: 2957synchronizationthread

Similarity

Total matches: 2957
API ID: CloseHandleGetCurrentThreadIdSetEventUnhookWindowsHookExWaitForSingleObject
String ID:
API String ID: 3442057731-0
Opcode ID: bc40a7f740796d43594237fc13166084f8c3b10e9e48d5138e47e82ca7129165
Instruction ID: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1
Opcode Fuzzy Hash: E9C01296B2C9B0C1EC809712340202800B20F8FC590E3DE0509D7363005315D73CD92C
Instruction Fuzzy Hash: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1

APIs

UnhookWindowsHookEx.USER32(00000000), ref: 00444B9F
SetEvent.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBA
GetCurrentThreadId.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBF
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00444BD4
CloseHandle.KERNEL32(00000000), ref: 00444BDF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00487488, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 155 Total matches: 10

Similarity

Total matches: 10
API ID: EnterCriticalSectionLeaveCriticalSectionclosesocket
String ID: FpH
API String ID: 290008508-3698235444
Opcode ID: be6004bcf5111565a748ebf748fe8f94cb6dfae83d2399967abd75ac40b7e6c4
Instruction ID: 3d9c9e21102527a3ccf10666a7ac4716c4c3e43fa569496a7f805cea37bff582
Opcode Fuzzy Hash: 2C11B6219B4656ABDD15ED006C8F38532AE1BABCCAD9A83F2B27F3545E1A0331057292
Instruction Fuzzy Hash: 3d9c9e21102527a3ccf10666a7ac4716c4c3e43fa569496a7f805cea37bff582

APIs

EnterCriticalSection.KERNEL32(0049C3A8,00000000,00487671,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00487016), ref: 004874B5
closesocket.WSOCK32(00000000,FpH,?,?,?,?,0049C3A8,00000000,00487671,?,?,00000000,?,00000000,00000000,00000000), ref: 0048761C
LeaveCriticalSection.KERNEL32(0049C3A8,00487656,00487671,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00487016), ref: 00487649

Strings

FpH, xrefs: 004875BE, 004875C1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040D670, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148 Total matches: 3566thread

Similarity

Total matches: 3566
API ID: GetThreadLocale
String ID: eeee$ggg$yyyy
API String ID: 1366207816-1253427255
Opcode ID: 86fa1fb3c1f239f42422769255d2b4db7643f856ec586a18d45da068e260c20e
Instruction ID: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436
Opcode Fuzzy Hash: 3911BD8712648363D5722818A0D2BE3199C5703CA4EA89742DDB6356EA7F09440BEE6D
Instruction Fuzzy Hash: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436

APIs

GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Strings

eeee, xrefs: 0040D7AE
yyyy, xrefs: 0040D795
ggg, xrefs: 0040D785

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00448CDC, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 128 Total matches: 12

Similarity

Total matches: 12
API ID: ImageList_Draw$ImageList_GetImageCount
String ID: 6B
API String ID: 3589308897-1343726390
Opcode ID: 2690fd2ca55b1b65e67941613c6303a21faec12a0278fdf56c2d44981dc0a60c
Instruction ID: bb1a6af48a08526224ce615e4789a1aefef0bbae6c761038034d4d1812f59c35
Opcode Fuzzy Hash: D8017B814A5DA09FF93335842AE32BB204AE757E4ACCC3FF13684275C78420722BB613
Instruction Fuzzy Hash: bb1a6af48a08526224ce615e4789a1aefef0bbae6c761038034d4d1812f59c35

APIs

ImageList_GetImageCount.COMCTL32(?,?,?,00000000,00448E75), ref: 00448D9D

Part of subcall function 0042535C: FillRect.USER32(?,00000000,00000000), ref: 00425385

ImageList_Draw.COMCTL32(?,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000,00448E75), ref: 00448DDF
ImageList_Draw.COMCTL32(?,00000000,00000000,00000000,00000000,00000010,?,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 00448E0E

Part of subcall function 004488AC: ImageList_Add.COMCTL32(?,00000000,00000000,00000000,0044893E,?,00000000,0044895B), ref: 00448920

Strings

6B, xrefs: 00448D1F, 00448D58

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486094, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 112 Total matches: 15window

Similarity

Total matches: 15
API ID: DispatchMessagePeekMessageTranslateMessage
String ID: @^H
API String ID: 185851025-3554995626
Opcode ID: 2132e19746abd73b79cebe2d4e6b891fdd392e5cfbbdda1538f9754c05474f80
Instruction ID: eb76ea1802a2b415b8915c5eabc8b18207f4e99a378ecd2f436d0820f5175207
Opcode Fuzzy Hash: FF019C4102C7C1D9EE46E4FD3030BC3A454A74A7A6D89A7A03EFD1116A5F8A7116BF2B
Instruction Fuzzy Hash: eb76ea1802a2b415b8915c5eabc8b18207f4e99a378ecd2f436d0820f5175207

APIs

Part of subcall function 00485EAC: shutdown.WSOCK32(00000000,00000002), ref: 00485F0E
Part of subcall function 00485EAC: closesocket.WSOCK32(00000000,00000000,00000002), ref: 00485F19

Part of subcall function 00485F40: socket.WSOCK32(00000002,00000001,00000000,00000000,00486072), ref: 00485F69
Part of subcall function 00485F40: ntohs.WSOCK32(00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485F8F
Part of subcall function 00485F40: inet_addr.WSOCK32(015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FA0
Part of subcall function 00485F40: gethostbyname.WSOCK32(015EAA88,015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FB5
Part of subcall function 00485F40: connect.WSOCK32(00000000,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FD8
Part of subcall function 00485F40: recv.WSOCK32(00000000,0049A3A0,00001FFF,00000000,00000000,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FEF
Part of subcall function 00485F40: recv.WSOCK32(00000000,0049A3A0,00001FFF,00000000,00000000,0049A3A0,00001FFF,00000000,00000000,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000), ref: 0048603F

Part of subcall function 00466AFC: waveInOpen.WINMM(00000094,00000000,?,?,00000000,00010004), ref: 00466B36
Part of subcall function 00466AFC: waveInStart.WINMM(?), ref: 00466B5B

TranslateMessage.USER32(?), ref: 004861CA
DispatchMessageA.USER32(?), ref: 004861D0
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004861DE

Strings

@^H, xrefs: 004860BE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F5E4, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72 Total matches: 26window

Similarity

Total matches: 26
API ID: GetWindowPlacementGetWindowTextIsWindowVisible
String ID: ,
API String ID: 41250382-3772416878
Opcode ID: d98ece8bad481757d152ad7594c705093dec75069e9b5f9ec314c4d81001c558
Instruction ID: 1b57460ef1e40e225087e69e669dd845b9a56fe4f5442601256b4cdd4d0865f6
Opcode Fuzzy Hash: DBE0ABC68782816BD907FDCCB0207E6E1E4779394CC8CBB32C606396E44D92000DCE69
Instruction Fuzzy Hash: 1b57460ef1e40e225087e69e669dd845b9a56fe4f5442601256b4cdd4d0865f6

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F634
GetWindowPlacement.USER32(?,0000002C), ref: 0046F64F
IsWindowVisible.USER32(?), ref: 0046F655

Strings

,, xrefs: 0046F643

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00473448, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 68 Total matches: 15network

Similarity

Total matches: 15
API ID: InternetConnectInternetOpen
String ID: 84G$DCSC
API String ID: 2368555255-1372800958
Opcode ID: 53ce43b2210f5c6ad3b551091bc6b8bee07640da22ed1286f4ed4d69da6ab12a
Instruction ID: e0797c740093838c5f4dac2a7ddd4939bcbe40ebc838de26f806c335dc33f113
Opcode Fuzzy Hash: 1AF0558C09DC81CBED14B5C83C827C7281AB357949E003B91161A372C3DF0A6174FA4F
Instruction Fuzzy Hash: e0797c740093838c5f4dac2a7ddd4939bcbe40ebc838de26f806c335dc33f113

APIs

InternetOpenA.WININET(DCSC,00000000,00000000,00000000,00000000), ref: 00473493
InternetConnectA.WININET(00000000,00000000,00000000,00000000,00000000,00000001,08000000,00000000), ref: 004734D9

Strings

DCSC, xrefs: 0047348E
84G, xrefs: 00473468, 0047350F, 004734AF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00485150, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64 Total matches: 24registry

Similarity

Total matches: 24
API ID: RegCloseKeyRegOpenKeyRegSetValueEx
String ID: Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 551737238-1428018034
Opcode ID: 03d06dea9a4ea131a8c95bd501c85e7d0b73df60e0a15cb9a2dd1ac9fe2d308f
Instruction ID: 259808f008cd29689f11a183a475b32bbb219f99a0f83129d86369365ce9f44d
Opcode Fuzzy Hash: 15E04F8517EAE2ABA996B5C838866F7609A9713790F443FB19B742F18B4F04601CE243
Instruction Fuzzy Hash: 259808f008cd29689f11a183a475b32bbb219f99a0f83129d86369365ce9f44d

APIs

RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 00485199
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,?,00000000,004851DE,?,00000000,0048520A), ref: 004851C6
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,?,00000000,004851DE,?,00000000,0048520A), ref: 004851CF

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 0048518F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004606CC, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 59 Total matches: 75network

Similarity

Total matches: 75
API ID: gethostbynameinet_addr
String ID: %d.%d.%d.%d$0.0.0.0
API String ID: 1594361348-464342551
Opcode ID: 7e59b623bdbf8c44b8bb58eaa9a1d1e7bf08be48a025104469b389075155053e
Instruction ID: 136b4077bafd549567cd44b702fc781b2d0bdeab701521d256d746d30229b047
Opcode Fuzzy Hash: 62E0D84049F633C28038E685914DF713041C71A2DEF8F9352022171EF72B096986AE3F
Instruction Fuzzy Hash: 136b4077bafd549567cd44b702fc781b2d0bdeab701521d256d746d30229b047

APIs

inet_addr.WSOCK32(00000000), ref: 004606F6
gethostbyname.WSOCK32(00000000), ref: 00460711

Strings

%d.%d.%d.%d, xrefs: 0046075E
0.0.0.0, xrefs: 0046076C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043804C, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58 Total matches: 1778window

Similarity

Total matches: 1778
API ID: DrawMenuBarGetMenuItemInfoSetMenuItemInfo
String ID: P
API String ID: 41131186-3110715001
Opcode ID: ea0fd48338f9c30b58f928f856343979a74bbe7af1b6c53973efcbd39561a32d
Instruction ID: eec9c326b6739cd85be96541f469f9b321a478421ae7c7aca53e0c239bd8eefe
Opcode Fuzzy Hash: C8E0C0C1064C1301CCACB4938564F010221FB8B33CDD1D3C051602419A9D0080D4BFFA
Instruction Fuzzy Hash: eec9c326b6739cd85be96541f469f9b321a478421ae7c7aca53e0c239bd8eefe

APIs

GetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 0043809A
SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 004380EC
DrawMenuBar.USER32(00000000), ref: 004380F9

Strings

P, xrefs: 0043808C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474E20, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51 Total matches: 17synchronizationthreadinjection

Similarity

Total matches: 17
API ID: CreateRemoteThreadReadProcessMemoryWaitForSingleObject
String ID: DCPERSFWBP
API String ID: 972516186-2425095734
Opcode ID: c4bd10bfc42c7bc3ca456a767018bd77f736aecaa9343146970cff40bb4593b6
Instruction ID: 075115d4d80338f80b59a5c3f9ea77aa0f3a1cab00edb24ce612801bf173fcc5
Opcode Fuzzy Hash: 63D0A70B97094A56102D348D54027154341A601775EC177E38E36873F719C17051F85E
Instruction Fuzzy Hash: 075115d4d80338f80b59a5c3f9ea77aa0f3a1cab00edb24ce612801bf173fcc5

APIs

Part of subcall function 00474DF0: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,00475328,?,?,00474E3D,DCPERSFWBP,?,?), ref: 00474E06
Part of subcall function 00474DF0: WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,00000000,?,00003000,00000040,?,?,00475328,?,?,00474E3D), ref: 00474E12

CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00474E5E
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00474E6E
ReadProcessMemory.KERNEL32(?,00000000,?,?,?,DCPERSFWBP,?,?), ref: 00474E81

Strings

DCPERSFWBP, xrefs: 00474E28

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C3E4, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47 Total matches: 32libraryloader

Similarity

Total matches: 32
API ID: FreeLibraryGetProcAddressLoadLibrary
String ID: _DCEntryPoint
API String ID: 2438569322-2130044969
Opcode ID: ab6be07d423f29e2cef18b5ad5ff21cef58c0bd0bd6b8b884c8bb9d8d911d098
Instruction ID: 3cba8b520013dd4b177f9c32272ffd10ecf318a20762e1e9fa694429cf7511db
Opcode Fuzzy Hash: B9D0C2568747D413C405200439407D90CF1AF8719F9967FA145303FAD76F09801B7527
Instruction Fuzzy Hash: 3cba8b520013dd4b177f9c32272ffd10ecf318a20762e1e9fa694429cf7511db

APIs

LoadLibraryA.KERNEL32(00000000), ref: 0048C431
GetProcAddress.KERNEL32(00000000,_DCEntryPoint,00000000,0048C473), ref: 0048C442
FreeLibrary.KERNEL32(00000000), ref: 0048C44A

Strings

_DCEntryPoint, xrefs: 0048C43C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E2E0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43 Total matches: 12

Similarity

Total matches: 12
API ID: GetSystemMetrics
String ID: B$MonitorFromRect
API String ID: 96882338-2754499530
Opcode ID: 1842a50c2a1cfa3c1025dca09d4f756f79199febb49279e4604648b2b7edb610
Instruction ID: 6b6d6292007391345a0dd43a7380953c143f03b3d0a4cb72f8cf2ff6a2a574f7
Opcode Fuzzy Hash: E0D0A791112CA408509A0917702924315EE35EBC1599C0BE6976B792E797CABD329E0D
Instruction Fuzzy Hash: 6b6d6292007391345a0dd43a7380953c143f03b3d0a4cb72f8cf2ff6a2a574f7

APIs

GetSystemMetrics.USER32(00000000), ref: 0042E331
GetSystemMetrics.USER32(00000001), ref: 0042E33D

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

MonitorFromRect, xrefs: 0042E2F5
B, xrefs: 0042E2FA, 0042E307, 0042E30E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00431584, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43 Total matches: 12clipboard

Similarity

Total matches: 12
API ID: GetClipboardDataGlobalLockGlobalUnlock
String ID: 3 H
API String ID: 1112492702-888106971
Opcode ID: 013a2f41e22a5f88135e53f1f30c1b54f125933eea5d15d528f5d163d4797a42
Instruction ID: db876d1a574ac817b8a3991f0ba770b49a36090bd3b886d1e57eba999d76a536
Opcode Fuzzy Hash: 53D0A7C3025DE267E991578C0053A92A6C0D8416087C063B0830C2E927031E50AB7063
Instruction Fuzzy Hash: db876d1a574ac817b8a3991f0ba770b49a36090bd3b886d1e57eba999d76a536

APIs

GetClipboardData.USER32(00000001), ref: 0043159A
GlobalLock.KERNEL32(00000000,00000000,004315F6), ref: 004315BA
GlobalUnlock.KERNEL32(00000000,004315FD), ref: 004315E8

Strings

3 H, xrefs: 00431590, 004315ED

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046D36C, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36 Total matches: 62

Similarity

Total matches: 62
API ID: ShellExecute
String ID: /k $[FILE]$open
API String ID: 2101921698-3009165984
Opcode ID: 68a05d7cd04e1a973318a0f22a03b327e58ffdc8906febc8617c9713a9b295c3
Instruction ID: d64fb813625eb261c687c2654e5203d30067de4ace02db37851750b48dd66fbf
Opcode Fuzzy Hash: FED0C75427CD9157FA017F8439527E61057E747281D481BE285587A0838F8D40659312
Instruction Fuzzy Hash: d64fb813625eb261c687c2654e5203d30067de4ace02db37851750b48dd66fbf

APIs

ShellExecuteA.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0046D3B9

Strings

/k , xrefs: 0046D39A
cmd.exe, xrefs: 0046D3AD
open, xrefs: 0046D3B2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042F9E4, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36 Total matches: 35libraryloader

Similarity

Total matches: 35
API ID: GetProcAddressLoadLibrary
String ID: DWMAPI.DLL$DwmExtendFrameIntoClientArea
API String ID: 3291547091-2956373744
Opcode ID: cc41b93bac7ef77e5c5829331b5f2d91e10911707bc9e4b3bb75284856726923
Instruction ID: 611aa7263024d751f308fb3d57e5af9092bc5a71ac2d52dead79affe02cb0da7
Opcode Fuzzy Hash: D0D0A7E4C08511B0F0509405703078241DE1BC5EEE8860E90150E533621B9FB827F65C
Instruction Fuzzy Hash: 611aa7263024d751f308fb3d57e5af9092bc5a71ac2d52dead79affe02cb0da7

APIs

LoadLibraryA.KERNEL32(DWMAPI.DLL), ref: 0042FA0E
GetProcAddress.KERNEL32(00000000,DwmExtendFrameIntoClientArea,?,?,?,00447F98), ref: 0042FA31

Strings

DWMAPI.DLL, xrefs: 0042FA09
DwmExtendFrameIntoClientArea, xrefs: 0042FA26

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042FA80, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31 Total matches: 41libraryloader

Similarity

Total matches: 41
API ID: GetProcAddressLoadLibrary
String ID: DWMAPI.DLL$DwmIsCompositionEnabled
API String ID: 3291547091-2128843254
Opcode ID: 903d86e3198bc805c96c7b960047695f5ec88b3268c29fda1165ed3f3bc36d22
Instruction ID: 6cdb37f6684ca359e010f835ed4616ce0f7732468e0f2b98b5f1960530870703
Opcode Fuzzy Hash: E3D0C9A5C0865175F571D509713068081FA23D6E8A8824998091A123225FAFB866F55C
Instruction Fuzzy Hash: 6cdb37f6684ca359e010f835ed4616ce0f7732468e0f2b98b5f1960530870703

APIs

LoadLibraryA.KERNEL32(DWMAPI.DLL), ref: 0042FAA6
GetProcAddress.KERNEL32(00000000,DwmIsCompositionEnabled,?,?,0042FB22,?,00447EFB), ref: 0042FAC9

Strings

DwmIsCompositionEnabled, xrefs: 0042FABE
DWMAPI.DLL, xrefs: 0042FAA1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00411444, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: 954335058d5fe722e048a186d9110509c96c1379a47649d8646f5b9e1a2e0a0b
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: 9D014B0327CAAA867021BB004882FA0D2D4DE52A369CD8774DB71593F62780571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004114F3
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041150F
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411586
VariantClear.OLEAUT32(?), ref: 004115AF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040D8AA, Relevance: 6.1, APIs: 4, Instructions: 101 Total matches: 2563

Similarity

Total matches: 2563
API ID: GetModuleFileName$LoadStringVirtualQuery
String ID:
API String ID: 2941097594-0
Opcode ID: 9f707685a8ca2ccbfc71ad53c7f9b5a8f910bda01de382648e3a286d4dcbad8b
Instruction ID: 9b6f9daabaaed01363acd1bc6df000eeaee8c5b1ee04e659690c8b100997f9f3
Opcode Fuzzy Hash: 4C014C024365E386F4234B112882F5492E0DB65DB1E8C6751EFB9503F65F40115EF72D
Instruction Fuzzy Hash: 9b6f9daabaaed01363acd1bc6df000eeaee8c5b1ee04e659690c8b100997f9f3

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040D8C9
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040D8ED
GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040D908
LoadStringA.USER32(00000000,0000FFED,?,00000100), ref: 0040D99E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428848, Relevance: 6.1, APIs: 4, Instructions: 83 Total matches: 2913window

Similarity

Total matches: 2913
API ID: CreateCompatibleDCRealizePaletteSelectObjectSelectPalette
String ID:
API String ID: 3833105616-0
Opcode ID: 7f49dee69bcd38fda082a6c54f39db5f53dba16227df2c2f18840f8cf7895046
Instruction ID: 29ada319a87402adac0eebea4d3b1ef9d21249ffa1523adf5174efdc3c3390a2
Opcode Fuzzy Hash: C0F0E5870BCED49BFCA7D484249722910C2F3C08DFC80A3324E55676DB9604B127A20B
Instruction Fuzzy Hash: 29ada319a87402adac0eebea4d3b1ef9d21249ffa1523adf5174efdc3c3390a2

APIs

Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE

Part of subcall function 00429D5C: GetDC.USER32(00000000), ref: 00429DB2
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429DC7
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00429DD1
Part of subcall function 00429D5C: CreateHalftonePalette.GDI32(00000000), ref: 00429DF5
Part of subcall function 00429D5C: ReleaseDC.USER32(00000000,00000000), ref: 00429E00

CreateCompatibleDC.GDI32(00000000), ref: 0042889D
SelectObject.GDI32(00000000,?), ref: 004288B6
SelectPalette.GDI32(00000000,?,000000FF), ref: 004288DF
RealizePalette.GDI32(00000000), ref: 004288EB

Part of subcall function 00425608: LeaveCriticalSection.KERNEL32(00000038,00000000,00423DD2,00423DE8), ref: 0042560F
Part of subcall function 00425608: EnterCriticalSection.KERNEL32(00499A30,00000038,00000000,00423DD2,00423DE8), ref: 00425619
Part of subcall function 00425608: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000038,00000000,00423DD2,00423DE8), ref: 00425626

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00470B94, Relevance: 6.1, APIs: 4, Instructions: 73 Total matches: 22file

Similarity

Total matches: 22
API ID: DragQueryFile$GlobalLockGlobalUnlock
String ID:
API String ID: 367920443-0
Opcode ID: 498cda1e803d17a6f5118466ea9165dd9226bd8025a920d397bde98fe09ca515
Instruction ID: b8ae27aaf29c7a970dfd4945759f76c89711bef1c6f8db22077be54f479f9734
Opcode Fuzzy Hash: F8F05C830F79E26BD5013A844E0179401A17B03DB8F147BB2D232729DC4E5D409DF60F
Instruction Fuzzy Hash: b8ae27aaf29c7a970dfd4945759f76c89711bef1c6f8db22077be54f479f9734

APIs

Part of subcall function 00431970: GetClipboardData.USER32(00000000), ref: 00431996

GlobalLock.KERNEL32(00000000,00000000,00470C74), ref: 00470BDE
DragQueryFileA.SHELL32(?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470BF0
DragQueryFileA.SHELL32(?,00000000,?,00000105,?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470C10
GlobalUnlock.KERNEL32(00000000,?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470C56

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00438710, Relevance: 6.1, APIs: 4, Instructions: 72 Total matches: 3034window

Similarity

Total matches: 3034
API ID: GetMenuItemIDGetMenuStateGetMenuStringGetSubMenu
String ID:
API String ID: 4177512249-0
Opcode ID: ecc45265f1f2dfcabc36b66648e37788e83d83d46efca9de613be41cbe9cf08e
Instruction ID: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d
Opcode Fuzzy Hash: BEE020084B1FC552541F0A4A1573F019140E142CB69C3F3635127565B31A255213F776
Instruction Fuzzy Hash: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d

APIs

GetMenuState.USER32(?,?,?), ref: 00438733
GetSubMenu.USER32(?,?), ref: 0043873E
GetMenuItemID.USER32(?,?), ref: 00438757
GetMenuStringA.USER32(?,?,?,?,?), ref: 004387AA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00445518, Relevance: 6.1, APIs: 4, Instructions: 71 Total matches: 218threadwindow

Similarity

Total matches: 218
API ID: GetCurrentProcessIdGetWindowGetWindowThreadProcessIdIsWindowVisible
String ID:
API String ID: 3659984437-0
Opcode ID: 6a2b99e3a66d445235cbeb6ae27631a3038d73fb4110980a8511166327fee1f0
Instruction ID: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8
Opcode Fuzzy Hash: 82E0AB21B2AA28AAE0971541B01939130B3F74ED9ACC0A3626F8594BD92F253809E74F
Instruction Fuzzy Hash: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8

APIs

GetWindow.USER32(?,00000004), ref: 00445528
GetWindowThreadProcessId.USER32(?,?), ref: 00445542
GetCurrentProcessId.KERNEL32(?,00000004), ref: 0044554E
IsWindowVisible.USER32(?), ref: 0044559E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B29C, Relevance: 6.1, APIs: 4, Instructions: 58 Total matches: 214window

Similarity

Total matches: 214
API ID: DeleteObject$GetIconInfoGetObject
String ID:
API String ID: 3019347292-0
Opcode ID: d6af2631bec08fa1cf173fc10c555d988242e386d2638a025981433367bbd086
Instruction ID: 7fbc048e39f9dd6e6db5f40543e5f161b145f4c2f282fe4a446dbd8e1941d375
Opcode Fuzzy Hash: F7D0C283228DE2F7ED767D983A636154085F782297C6423B00444730860A1E700C6A03
Instruction Fuzzy Hash: 7fbc048e39f9dd6e6db5f40543e5f161b145f4c2f282fe4a446dbd8e1941d375

APIs

GetIconInfo.USER32(?,?), ref: 0042B2BD
GetObjectA.GDI32(?,00000018,?), ref: 0042B2DE
DeleteObject.GDI32(?), ref: 0042B30A
DeleteObject.GDI32(?), ref: 0042B313

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040A404, Relevance: 6.1, APIs: 4, Instructions: 54 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: c8f11cb17e652d385e55d6399cfebc752614be738e382b5839b86fc73ea86396
Instruction ID: 2e292ce978d1af3d415e66e5b982e49a92b9d84a3d1479b7871fac408542b61b
Opcode Fuzzy Hash: 32D02B030B309613452F157D0441F8D7032488F01A96C2F8C37B77ABA68505605FFE4C
Instruction Fuzzy Hash: 2e292ce978d1af3d415e66e5b982e49a92b9d84a3d1479b7871fac408542b61b

APIs

FindNextFileA.KERNEL32(?,?), ref: 0040A415
GetLastError.KERNEL32(?,?), ref: 0040A41E
FileTimeToLocalFileTime.KERNEL32(?), ref: 0040A434
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 0040A443

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0041C2D4, Relevance: 6.1, APIs: 4, Instructions: 51 Total matches: 4966

Similarity

Total matches: 4966
API ID: FindResourceLoadResourceLockResourceSizeofResource
String ID:
API String ID: 3653323225-0
Opcode ID: 735dd83644160b8dcfdcb5d85422b4d269a070ba32dbf009b7750e227a354687
Instruction ID: 615d07274e164157e3e11310b2f920de543c2506028dc961f8b3aaf64374c2fd
Opcode Fuzzy Hash: 4BD0A90A2268C100582C2C80002BBC610830A5FE226CC27F902231BBC32C026024F8C4
Instruction Fuzzy Hash: 615d07274e164157e3e11310b2f920de543c2506028dc961f8b3aaf64374c2fd

APIs

FindResourceA.KERNEL32(?,?,?), ref: 0041C2EB
LoadResource.KERNEL32(?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C305
SizeofResource.KERNEL32(?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C31F
LockResource.KERNEL32(0041BDF4,00000000,?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000), ref: 0041C329

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040A3AC, Relevance: 6.0, APIs: 4, Instructions: 40 Total matches: 51time

Similarity

Total matches: 51
API ID: DosDateTimeToFileTimeGetLastErrorLocalFileTimeToFileTimeSetFileTime
String ID:
API String ID: 3095628216-0
Opcode ID: dc7fe683cb9960f76d0248ee31fd3249d04fe76d6d0b465a838fe0f3e66d3351
Instruction ID: c3399427300e97a0bf23ec08d7f996c3ab3c22a86554ee3675cd901d102723b3
Opcode Fuzzy Hash: F2C0803B165157D71F4F7D7C600375011F0D1778230955B614E019718D4E05F01EFD86
Instruction Fuzzy Hash: c3399427300e97a0bf23ec08d7f996c3ab3c22a86554ee3675cd901d102723b3

APIs

DosDateTimeToFileTime.KERNEL32(?,0048C37F,?), ref: 0040A3C9
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0040A3DA
SetFileTime.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3EC
GetLastError.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3F5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00484388, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 39

Similarity

Total matches: 39
API ID: CloseHandleGetExitCodeProcessOpenProcessTerminateProcess
String ID:
API String ID: 2790531620-0
Opcode ID: 2f64381cbc02908b23ac036d446d8aeed05bad4df5f4c3da9e72e60ace7043ae
Instruction ID: e830ae185e03603e72926048c7063e7464f7d8c572e36ef4319c937be7ad0c91
Opcode Fuzzy Hash: 5DC01285079EAB7B643571D825437E14084D5026CCB943B7185045F10B4B09B43DF053
Instruction Fuzzy Hash: e830ae185e03603e72926048c7063e7464f7d8c572e36ef4319c937be7ad0c91

APIs

OpenProcess.KERNEL32(00000001,00000000,00000000), ref: 00484393
GetExitCodeProcess.KERNEL32(00000000,?), ref: 004843B7
TerminateProcess.KERNEL32(00000000,?,00000000,004843E0,?,00000001,00000000,00000000), ref: 004843C4
CloseHandle.KERNEL32(00000000), ref: 004843DA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044E254, Relevance: 6.0, APIs: 4, Instructions: 37 Total matches: 5751thread

Similarity

Total matches: 5751
API ID: GetCurrentProcessIdGetPropGetWindowThreadProcessIdGlobalFindAtom
String ID:
API String ID: 142914623-0
Opcode ID: 055fee701d7a26f26194a738d8cffb303ddbdfec43439e02886190190dab2487
Instruction ID: e9689aead5eaf442059aa2d418bca5d111d08576717f72d926dd49825766799b
Opcode Fuzzy Hash: 0AC02203AD2E23870E4202F2E840907219583DF8720CA370201B0E38C023F0461DFF0C
Instruction Fuzzy Hash: e9689aead5eaf442059aa2d418bca5d111d08576717f72d926dd49825766799b

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 0044E261
GetCurrentProcessId.KERNEL32(00000000,?,?,-00000010,00000000,0044E2CC,-000000F7,?,00000000,0044DE86,?,-00000010,?), ref: 0044E26A
GlobalFindAtomA.KERNEL32(00000000), ref: 0044E27F
GetPropA.USER32(00000000,00000000), ref: 0044E296

Part of subcall function 0044D2C0: GetWindowThreadProcessId.USER32(?), ref: 0044D2C6
Part of subcall function 0044D2C0: GetCurrentProcessId.KERNEL32(?,?,?,?,0044D346,?,00000000,?,004387ED,?,004378A9), ref: 0044D2CF
Part of subcall function 0044D2C0: SendMessageA.USER32(?,0000C1C7,00000000,00000000), ref: 0044D2E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444B1C, Relevance: 6.0, APIs: 4, Instructions: 34 Total matches: 2966thread

Similarity

Total matches: 2966
API ID: CreateEventCreateThreadGetCurrentThreadIdSetWindowsHookEx
String ID:
API String ID: 2240124278-0
Opcode ID: 54442a1563c67a11f9aee4190ed64b51599c5b098d388fde65e2e60bb6332aef
Instruction ID: 25b62da08cecef26c395931cea73ffe9b62582a88be241cbb158b3c9ea13de32
Opcode Fuzzy Hash: 37D0C940B0DE75C4F860630138017A90633234BF1BCD1C316480F76041C6CFAEF07A28
Instruction Fuzzy Hash: 25b62da08cecef26c395931cea73ffe9b62582a88be241cbb158b3c9ea13de32

APIs

GetCurrentThreadId.KERNEL32(?,00447A69,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00444B34
SetWindowsHookExA.USER32(00000003,00444AD8,00000000,00000000), ref: 00444B44
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00447A69,?,?,?,?,?,?,?,?,?,?), ref: 00444B5F
CreateThread.KERNEL32(00000000,000003E8,00444A7C,00000000,00000000), ref: 00444B83

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B438, Relevance: 6.0, APIs: 4, Instructions: 29 Total matches: 789

Similarity

Total matches: 789
API ID: GetDCGetTextMetricsReleaseDCSelectObject
String ID:
API String ID: 1769665799-0
Opcode ID: db772d9cc67723a7a89e04e615052b16571c955da3e3b2639a45f22e65d23681
Instruction ID: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3
Opcode Fuzzy Hash: DCC02B935A2888C32DE51FC0940084317C8C0E3A248C62212E13D400727F0C007CBFC0
Instruction Fuzzy Hash: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3

APIs

GetDC.USER32(00000000), ref: 0042B441
SelectObject.GDI32(00000000,018A002E), ref: 0042B453
GetTextMetricsA.GDI32(00000000), ref: 0042B45E
ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042473C, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 172 Total matches: 108

Similarity

Total matches: 108
API ID: CompareStringCreateFontIndirect
String ID: Default
API String ID: 480662435-753088835
Opcode ID: 55710f22f10b58c86f866be5b7f1af69a0ec313069c5af8c9f5cd005ee0f43f8
Instruction ID: ad4a051fb67a15694052d05548e5e2a92b9daedfa5d673be67c756d1cf269a99
Opcode Fuzzy Hash: F6116A2104DDB067F8B3EC94B64A74A79D1BBC5E9EC00FB303AA57198A0B01500EEB0E
Instruction Fuzzy Hash: ad4a051fb67a15694052d05548e5e2a92b9daedfa5d673be67c756d1cf269a99

APIs

Part of subcall function 00423A1C: EnterCriticalSection.KERNEL32(?,00423A59), ref: 00423A20

CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,00424930,?,00000000,00424958), ref: 0042486B
CreateFontIndirectA.GDI32(?), ref: 0042490D

Part of subcall function 0042B438: GetDC.USER32(00000000), ref: 0042B441
Part of subcall function 0042B438: SelectObject.GDI32(00000000,018A002E), ref: 0042B453
Part of subcall function 0042B438: GetTextMetricsA.GDI32(00000000), ref: 0042B45E
Part of subcall function 0042B438: ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Part of subcall function 00423A28: LeaveCriticalSection.KERNEL32(-00000008,00423B07,00423B0F), ref: 00423A2C

Strings

Default, xrefs: 00424832, 00424840, 00424841

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045E7B4, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108 Total matches: 16

Similarity

Total matches: 16
API ID: GetActiveObject
String ID: E
API String ID: 888827201-3568589458
Opcode ID: 40ff121eecf195b3d4325bc1369df9dba976ca9c7c575cd6fc43b4b0f55e6955
Instruction ID: ab5b10c220aec983b32735e40d91a884d9f08e665b5304ccd80c3bfe0421d5f3
Opcode Fuzzy Hash: 13019E441FFC9152E583688426C3F4932B26B4FB4AD88B7271A77636A99905000FEE66
Instruction Fuzzy Hash: ab5b10c220aec983b32735e40d91a884d9f08e665b5304ccd80c3bfe0421d5f3

APIs

GetActiveObject.OLEAUT32(?,00000000,00000000), ref: 0045E817

Part of subcall function 0042BE18: ProgIDFromCLSID.OLE32(?), ref: 0042BE21
Part of subcall function 0042BE18: CoTaskMemFree.OLE32(00000000), ref: 0042BE39

Part of subcall function 0042BD90: StringFromCLSID.OLE32(?), ref: 0042BD99
Part of subcall function 0042BD90: CoTaskMemFree.OLE32(00000000), ref: 0042BDB1

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetActiveObject.OLEAUT32(?,00000000,00000000), ref: 0045E89E

Part of subcall function 0042BF5C: GetComputerNameA.KERNEL32(?,00000010), ref: 0042C00D
Part of subcall function 0042BF5C: CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,?,00000000,0042C0FD), ref: 0042C07D
Part of subcall function 0042BF5C: CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 0042C0B6

Part of subcall function 00405D28: SysFreeString.OLEAUT32(7942540A), ref: 00405D36

Part of subcall function 0042BE44: CoCreateInstance.OLE32(?,00000000,00000005,0042BF34,00000000), ref: 0042BE8B

Strings

E, xrefs: 0045E85F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E3F0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103 Total matches: 30

Similarity

Total matches: 30
API ID: SHGetPathFromIDListSHGetSpecialFolderLocation
String ID: .LNK
API String ID: 739551631-2547878182
Opcode ID: 6b91e9416f314731ca35917c4d41f2341f1eaddd7b94683245f35c4551080332
Instruction ID: e6ae6f63a256f5e8788dfe1c4fce17057cd352befa637d7beb5ae1c0f18a968e
Opcode Fuzzy Hash: 9701B543079EC2A3D9232E512D43BA60129AF11E22F4C77F35A3C3A7D11E500105FA4A
Instruction Fuzzy Hash: e6ae6f63a256f5e8788dfe1c4fce17057cd352befa637d7beb5ae1c0f18a968e

APIs

SHGetSpecialFolderLocation.SHELL32(00000000,00000010,?), ref: 0046E44B
SHGetPathFromIDListA.SHELL32(?,?,00000000,00000010,?,00000000,0046E55E), ref: 0046E463

Part of subcall function 0042BE44: CoCreateInstance.OLE32(?,00000000,00000005,0042BF34,00000000), ref: 0042BE8B

Strings

.LNK, xrefs: 0046E4DE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00472C70, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 98 Total matches: 26

Similarity

Total matches: 26
API ID: SetFileAttributes
String ID: I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!$drivers\etc\hosts
API String ID: 3201317690-57959411
Opcode ID: de1fcf5289fd0d37c0d7642ff538b0d3acf26fbf7f5b53187118226b7e9f9585
Instruction ID: 1f69c6cfd5524e6f1e55c33e322de11738733e7ba85079705839c212502733fc
Opcode Fuzzy Hash: C4012B430F74D723D5173D857800B8922764B4A179D4A77F34B3B796E14E45101BF26D
Instruction Fuzzy Hash: 1f69c6cfd5524e6f1e55c33e322de11738733e7ba85079705839c212502733fc

APIs

Part of subcall function 004719C8: GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 004719DF

SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00472DAB,?,00000000,00472DE7), ref: 00472D16

Strings

drivers\etc\hosts, xrefs: 00472CD3, 00472D00
I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!, xrefs: 00472D8D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004629C0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 91 Total matches: 35com

Similarity

Total matches: 35
API ID: CoCreateInstance
String ID: <*I$L*I
API String ID: 206711758-935359969
Opcode ID: 926ebed84de1c4f5a0cff4f8c2e2da7e6b2741b3f47b898da21fef629141a3d9
Instruction ID: fa8d7291222113e0245fa84df17397d490cbd8a09a55d837a8cb9fde22732a4b
Opcode Fuzzy Hash: 79F02EA00A6B5057F502728428413DB0157E74BF09F48EB715253335860F29E22A6903
Instruction Fuzzy Hash: fa8d7291222113e0245fa84df17397d490cbd8a09a55d837a8cb9fde22732a4b

APIs

CoCreateInstance.OLE32(00492A3C,00000000,00000001,0049299C,00000000), ref: 00462A3F

Strings

<*I, xrefs: 00462A39
L*I, xrefs: 00462A60

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004658F4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91 Total matches: 91memory

Similarity

Total matches: 91
API ID: VirtualFreeVirtualProtect
String ID: FinalizeSections: VirtualProtect failed
API String ID: 636303360-3584865983
Opcode ID: eacfc3cf263d000af2bbea4d1e95e0ccf08e91c00f24ffdf9b55ce997f25413f
Instruction ID: a25c5a888a9fda5817e5b780509016ca40cf7ffd1ade20052d4c48f0177e32df
Opcode Fuzzy Hash: 8CF0A7A2164FC596D9E4360D5003B96A44B6BC1369D4857412FFF106F35E46A06B7D4C
Instruction Fuzzy Hash: a25c5a888a9fda5817e5b780509016ca40cf7ffd1ade20052d4c48f0177e32df

APIs

VirtualFree.KERNEL32(?,?,00004000), ref: 00465939
VirtualProtect.KERNEL32(?,?,00000000,?), ref: 004659A5

Strings

FinalizeSections: VirtualProtect failed, xrefs: 004659B3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00404B2E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83 Total matches: 27

Similarity

Total matches: 27
API ID: UnhandledExceptionFilter
String ID: @
API String ID: 324268079-2726393805
Opcode ID: 404135c81fb2f5f5ca58f8e75217e0a603ea6e07d48b6f32e279dfa7f56b0152
Instruction ID: c84c814e983b35b1fb5dae0ae7b91a26e19a660e9c4fa24becd8f1ddc27af483
Opcode Fuzzy Hash: CDF0246287E8612AD0BB6641389337E1451EF8189DC88DB307C9A306FB1A4D22A4F34C
Instruction Fuzzy Hash: c84c814e983b35b1fb5dae0ae7b91a26e19a660e9c4fa24becd8f1ddc27af483

APIs

UnhandledExceptionFilter.KERNEL32(00000006), ref: 00404B9A
UnhandledExceptionFilter.KERNEL32(?), ref: 00404BD7

Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00000000,00403029), ref: 004076AD
Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00403029), ref: 004076BE

Strings

@, xrefs: 00404B55

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040C028, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79 Total matches: 3032thread

Similarity

Total matches: 3032
API ID: GetDateFormatGetThreadLocale
String ID: yyyy
API String ID: 358233383-3145165042
Opcode ID: a9ef5bbd8ef47e5bcae7fadb254d6b5dc10943448e4061dc92b10bb97dc7929c
Instruction ID: 3d7ab4add3e8180159f8482215856afc9a1a963464e366b4ca05c92ac214afea
Opcode Fuzzy Hash: 09F09E4A0397D3D76802C969D023BC10194EB5A8B2C88B3B1DBB43D7F74C10C40AAF21
Instruction Fuzzy Hash: 3d7ab4add3e8180159f8482215856afc9a1a963464e366b4ca05c92ac214afea

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,0040C116), ref: 0040C0AE
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100), ref: 0040C0B4

Strings

yyyy, xrefs: 0040C089

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004889F0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 72 Total matches: 20

Similarity

Total matches: 20
API ID: GetMonitorInfo
String ID: H$MONSIZE
API String ID: 2399315694-578782711
Opcode ID: fcbd22419a9fe211802b34775feeb9b9cd5c1eab3f2b681a58b96c928ed20dcd
Instruction ID: 58dff39716ab95f400833e95f8353658d64ab2bf0589c4ada55bb24297febcec
Opcode Fuzzy Hash: A0F0E957075E9D5BE7326D883C177C042D82342C5AE8EB75741B9329B20D59511DF3C9
Instruction Fuzzy Hash: 58dff39716ab95f400833e95f8353658d64ab2bf0589c4ada55bb24297febcec

APIs

GetMonitorInfoA.USER32(?,00000048), ref: 00488A28

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

H, xrefs: 00488A19
MONSIZE, xrefs: 00488A65

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486210, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66 Total matches: 14network

Similarity

Total matches: 14
API ID: recvsend
String ID: EndReceive
API String ID: 740075404-1723565878
Opcode ID: 0642aeb2bf09005660d41f125a1d03baad4e76b78f36ec5b7dd5d239cf09d5cc
Instruction ID: 216cfea4cb83c20b808547ecb65d31b60c96cf6878345f9c489041ca4988cdb5
Opcode Fuzzy Hash: 4FE02B06133A455DE6270580341A3C7F947772B705E47D7F14FA4311DACA43322AE70B
Instruction Fuzzy Hash: 216cfea4cb83c20b808547ecb65d31b60c96cf6878345f9c489041ca4988cdb5

APIs

Part of subcall function 00466470: acmStreamConvert.MSACM32(?,00000108,00000000), ref: 004664AB
Part of subcall function 00466470: acmStreamReset.MSACM32(?,00000000,?,00000108,00000000), ref: 004664B9

send.WSOCK32(00000000,0049A3A0,00000000,00000000), ref: 004862AA
recv.WSOCK32(00000000,0049A3A0,00001FFF,00000000,00000000,0049A3A0,00000000,00000000), ref: 004862C1

Part of subcall function 00475F68: send.WSOCK32(?,00000000,?,00000000,00000000,00475FCA), ref: 00475FAF

Strings

EndReceive, xrefs: 004862CA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E408, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44 Total matches: 2190

Similarity

Total matches: 2190
API ID: GetSystemMetrics
String ID: MonitorFromPoint
API String ID: 96882338-1072306578
Opcode ID: 666203dad349f535e62b1e5569e849ebaf95d902ba2aa8f549115cec9aadc9dc
Instruction ID: 9e90a3aeaa9df0e76633c437836624889fea8714b6c2508f44f8acb6986c90e8
Opcode Fuzzy Hash: 72D09540005C404E9427F505302314050862CD7C1444C0A96073728A4B4BC07837E70C
Instruction Fuzzy Hash: 9e90a3aeaa9df0e76633c437836624889fea8714b6c2508f44f8acb6986c90e8

APIs

GetSystemMetrics.USER32(00000000), ref: 0042E456
GetSystemMetrics.USER32(00000001), ref: 0042E468

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

MonitorFromPoint, xrefs: 0042E41A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00405026, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43 Total matches: 29

Similarity

Total matches: 29
API ID: UnhandledExceptionFilter
String ID: @$@
API String ID: 324268079-1993891284
Opcode ID: 08651bee2e51f7c203f2bcbc4971cbf38b3c12a2f284cd033f2f36121a1f9316
Instruction ID: 09869fe21a55f28103c5e2f74b220912f521d4c5ca74f0421fb5e508a020f7c0
Opcode Fuzzy Hash: 83E0CD9917D5514BE0755684259671E1051EF05825C4A8F316D173C1FB151A11E4F77C
Instruction Fuzzy Hash: 09869fe21a55f28103c5e2f74b220912f521d4c5ca74f0421fb5e508a020f7c0

APIs

UnhandledExceptionFilter.KERNEL32(00000006), ref: 00405047

Strings

@, xrefs: 00405080
@, xrefs: 004050A2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00422188, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42 Total matches: 16registry

Similarity

Total matches: 16
API ID: RegSetValueEx
String ID: NoControlPanel$tdA
API String ID: 3711155140-1355984343
Opcode ID: 5e8bf8497a5466fff8bc5eb4e146d5dc6a0602752481f5dd4d5504146fb4de3d
Instruction ID: cdf02c1bfc0658aace9b7e9a135c824c3cff313d703079df6a374eed0d2e646e
Opcode Fuzzy Hash: E2D0A75C074881C524D914CC3111E01228593157AA49C3F52875D627F70E00E038DD1E
Instruction Fuzzy Hash: cdf02c1bfc0658aace9b7e9a135c824c3cff313d703079df6a374eed0d2e646e

APIs

RegSetValueExA.ADVAPI32(?,00000000,00000000,00000000,?,?,004724E0,00000000,004724E0), ref: 004221BA

Strings

NoControlPanel, xrefs: 00422188
tdA, xrefs: 004221D0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E258, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39 Total matches: 3131

Similarity

Total matches: 3131
API ID: GetSystemMetrics
String ID: GetSystemMetrics
API String ID: 96882338-96882338
Opcode ID: bbc54e4b5041dfa08de2230ef90e8f32e1264c6e24ec09b97715d86cc98d23e9
Instruction ID: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c
Opcode Fuzzy Hash: B4D0A941986AA908E0AF511971A336358D163D2EA0C8C8362308B329EB5741B520AB01
Instruction Fuzzy Hash: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c

APIs

GetSystemMetrics.USER32(?), ref: 0042E2BA

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

GetSystemMetrics.USER32(?), ref: 0042E280

Strings

GetSystemMetrics, xrefs: 0042E268

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Process Name: msdcsc.exe Analysis ID: 40573

General

Root Process Name:	regdrv.exe
Process MD5:	0D5A48D9FDC26E038BAF3D507CAF4DD5
Total matches:	164
Initial Analysis Report:	Open
Initial sample Analysis ID:	40573
Initial sample SHA 256:	333B2CE2B84DCE43AFBDD265DD6105FE317D29F260FF2366F3CCB90D39B19BE6
Initial sample name:	test.ex.exe

Similar Executed Functions

Function 004818F8, Relevance: 49.2, APIs: 10, Strings: 18, Instructions: 236 Total matches: 18keyboard

Similarity

Total matches: 18
API ID: GetKeyState$CallNextHookEx$GetKeyboardStateMapVirtualKeyToAscii
String ID: [<-]$[DEL]$[DOWN]$[ESC]$[F1]$[F2]$[F3]$[F4]$[F5]$[F6]$[F7]$[F8]$[INS]$[LEFT]$[NUM_LOCK]$[RIGHT]$[SNAPSHOT]$[UP]
API String ID: 2409940449-52828794
Opcode ID: b9566e8c43a4051c07ac84d60916a303a7beb698efc358184a9cd4bc7b664fbd
Instruction ID: 41c13876561f3d94aafb9dcaf6d0e9d475a0720bb5103e60537e1bfe84b96b73
Opcode Fuzzy Hash: 0731B68AA7159623D437E2D97101B910227BF975D0CC1A3333EDA3CAE99E900114BF25
Instruction Fuzzy Hash: 41c13876561f3d94aafb9dcaf6d0e9d475a0720bb5103e60537e1bfe84b96b73

APIs

CallNextHookEx.USER32(000601F9,00000000,?,?), ref: 00481948

Part of subcall function 004818E0: MapVirtualKeyA.USER32(00000000,00000000), ref: 004818E6

CallNextHookEx.USER32(000601F9,00000000,00000100,?), ref: 0048198C
GetKeyState.USER32(00000014), ref: 00481C4E
GetKeyState.USER32(00000011), ref: 00481C60
GetKeyState.USER32(000000A0), ref: 00481C75
GetKeyState.USER32(000000A1), ref: 00481C8A
GetKeyboardState.USER32(?), ref: 00481CA5
MapVirtualKeyA.USER32(00000000,00000000), ref: 00481CD7
ToAscii.USER32(00000000,00000000,00000000,00000000,?), ref: 00481CDE

Part of subcall function 00481318: ExitThread.KERNEL32(00000000,00000000,00481687,?,00000000,004816C3,?,?,?,?,0000000C,00000000,00000000), ref: 0048135E
Part of subcall function 00481318: CreateThread.KERNEL32(00000000,00000000,Function_000810D4,00000000,00000000,00499F94), ref: 0048162D

CallNextHookEx.USER32(000601F9,00000000,?,?), ref: 00481D3C

Strings

[LEFT], xrefs: 00481C07
[F3], xrefs: 00481B65
[DOWN], xrefs: 00481C2B
[<-], xrefs: 00481B1D
[NUM_LOCK], xrefs: 00481B2F
[RIGHT], xrefs: 00481C19
[F7], xrefs: 00481BAD
[DEL], xrefs: 00481BD1
[UP], xrefs: 00481C3D
[F4], xrefs: 00481B77
[ESC], xrefs: 00481AE7
[F8], xrefs: 00481BBF
[F5], xrefs: 00481B89
[F1], xrefs: 00481B41
[INS], xrefs: 00481BE3
[F6], xrefs: 00481B9B
[SNAPSHOT], xrefs: 00481BF5
[F2], xrefs: 00481B53

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00406C2C, Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184 Total matches: 2899registrystringlibrary

Similarity

Total matches: 2899
API ID: lstrcpyn$LoadLibraryExRegOpenKeyEx$RegQueryValueEx$GetLocaleInfoGetModuleFileNameGetThreadLocaleRegCloseKeylstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 3567661987-2375825460
Opcode ID: a3b1251d448c01bd6f1cc1c42774547fa8a2e6c4aa6bafad0bbf1d0ca6416942
Instruction ID: a303aaa8438224c55303324eb01105260f59544aa3820bfcbc018d52edb30607
Opcode Fuzzy Hash: 7311914307969393E8871B6124157D513A5AF01F30E4A7BF275F0206EABE46110CFA06
Instruction Fuzzy Hash: a303aaa8438224c55303324eb01105260f59544aa3820bfcbc018d52edb30607

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,00400000,004917C0), ref: 00406C48
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,004917C0), ref: 00406C66
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,004917C0), ref: 00406C84
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00406CA2

Part of subcall function 00406A68: GetModuleHandleA.KERNEL32(kernel32.dll,?,00400000,004917C0), ref: 00406A85
Part of subcall function 00406A68: GetProcAddress.KERNEL32(?,GetLongPathNameA,kernel32.dll,?,00400000,004917C0), ref: 00406A9C
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,?,00400000,004917C0), ref: 00406ACC
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B30
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B66
Part of subcall function 00406A68: FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B79
Part of subcall function 00406A68: FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B8B
Part of subcall function 00406A68: lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B97
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000), ref: 00406BCB
Part of subcall function 00406A68: lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00406BD7
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 00406BF9

RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,00406D31,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00406CEB
RegQueryValueExA.ADVAPI32(?,00406E98,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00406D31,?,80000001), ref: 00406D09
RegCloseKey.ADVAPI32(?,00406D38,00000000,?,?,00000000,00406D31,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00406D2B
lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00406D48
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00406D55
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00406D5B
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00406D86
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406DCD
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406DDD
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406E05
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406E15
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00406E3B
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 00406E4B

Strings

Software\Borland\Locales, xrefs: 00406C5C, 00406C7A
Software\Borland\Delphi\Locales, xrefs: 00406C98

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00406D38, Relevance: 15.1, APIs: 10, Instructions: 98 Total matches: 2843stringlibrarythread

Similarity

Total matches: 2843
API ID: lstrcpyn$LoadLibraryEx$GetLocaleInfoGetThreadLocalelstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 2476548892-2375825460
Opcode ID: 37afa4b59127376f4a6833a35b99071d0dffa887068a3353cca0b5e1e5cd2bc3
Instruction ID: 0c520f96d45b86b238466289d2a994e593252e78d5c30d2048b7af96496f657b
Opcode Fuzzy Hash: 4CF0C883479793A7E04B1B422916AC853A4AF00F30F577BE1B970147FE7D1B240CA519
Instruction Fuzzy Hash: 0c520f96d45b86b238466289d2a994e593252e78d5c30d2048b7af96496f657b

APIs

lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00406D48
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00406D55
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00406D5B
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00406D86
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406DCD
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406DDD
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406E05
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406E15
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00406E3B
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 00406E4B

Strings

Software\Borland\Locales, xrefs: 00406C5C, 00406C7A
Software\Borland\Delphi\Locales, xrefs: 00406C98

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AEA8, Relevance: 9.1, APIs: 6, Instructions: 108 Total matches: 122

Similarity

Total matches: 122
API ID: AdjustTokenPrivilegesCloseHandleGetCurrentProcessGetLastErrorLookupPrivilegeValueOpenProcessToken
String ID:
API String ID: 1655903152-0
Opcode ID: c92d68a2c1c5faafb4a28c396f292a277a37f0b40326d7f586547878ef495775
Instruction ID: 5a044237aac15a3989e4021d08b96f5326c338692d3d0e66e444868dbe789150
Opcode Fuzzy Hash: 2CF0468513CAB2E7F879B18C3042FE73458B323244C8437219A903A18E0E59A12CEB13
Instruction Fuzzy Hash: 5a044237aac15a3989e4021d08b96f5326c338692d3d0e66e444868dbe789150

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AEFF
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF05
LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000), ref: 0048AF77
CloseHandle.KERNEL32(?), ref: 0048AF8D
GetLastError.KERNEL32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF9A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DDE0, Relevance: 7.6, APIs: 5, Instructions: 54 Total matches: 153

Similarity

Total matches: 153
API ID: FindResourceFreeResourceLoadResourceLockResourceSizeofResource
String ID:
API String ID: 3885362348-0
Opcode ID: ef8b8e58cde3d28224df1e0c57da641ab2d3d01fa82feb3a30011b4f31433ee9
Instruction ID: 9990bafbf40e834a260b48e1f62370990a3e04654371271e90c167a58edff6a8
Opcode Fuzzy Hash: 08D02B420B5FA197F51656482C813D722876B43386EC42BF2D31A3B2E39F058039F60B
Instruction Fuzzy Hash: 9990bafbf40e834a260b48e1f62370990a3e04654371271e90c167a58edff6a8

APIs

FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 0048DE1A
LoadResource.KERNEL32(00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE24
SizeofResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE2E
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE36
FreeResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00481ED8, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 86 Total matches: 13

Similarity

Total matches: 13
API ID: GetModuleHandleSetWindowsHookEx
String ID: 3 H$dclogs\
API String ID: 987070476-1752027334
Opcode ID: 4b23d8581528a2a1bc1133d8afea0c2915dbad2a911779c2aade704c29555fce
Instruction ID: b2120ba2d2fe5220d185ceeadd256cdd376e4b814eb240eb03e080d2c545ca01
Opcode Fuzzy Hash: 00F0D1DB07A9C683E1A2A4847C42796007D5F07115E8C8BB3473F7A4F64F164026F70A
Instruction Fuzzy Hash: b2120ba2d2fe5220d185ceeadd256cdd376e4b814eb240eb03e080d2c545ca01

APIs

GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00482007,?,?,00000003,00000000,00000000,?,00482033), ref: 00481EFB
SetWindowsHookExA.USER32(0000000D,004818F8,00000000,00000000), ref: 00481F09

Part of subcall function 0048ADCC: SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0048ADF9
Part of subcall function 0048ADCC: SHGetPathFromIDListA.SHELL32(?,?,00000000,0048AE8C,?,?,00000005,?,004856FD,00000000,00485755,?,?,00000005,00000000,00000000), ref: 0048AE09

Part of subcall function 0040A290: GetFileAttributesA.KERNEL32(00000000,?,0048FD09,?,?,00490710,?), ref: 0040A29B

Part of subcall function 00480F70: GetForegroundWindow.USER32 ref: 00480F8F
Part of subcall function 00480F70: GetWindowTextLengthA.USER32(00000000), ref: 00480F9B
Part of subcall function 00480F70: GetWindowTextA.USER32(00000000,00000000,00000001), ref: 00480FB8

Strings

dclogs\, xrefs: 00481F26, 00481F4C, 00481F6E
3 H, xrefs: 00481F16, 00481F23, 00481F30

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047EAEC, Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 149 Total matches: 19windowthread

Similarity

Total matches: 19
API ID: CreateThreadDispatchMessageGetMessageTranslateMessage
String ID: at $,xI$AI$AI$MPI$OFFLINEK$PWD$Unknow
API String ID: 994098336-2744674293
Opcode ID: 9eba81f8e67a9dabaeb5076a6d0005a8d272465a03f2cd78ec5fdf0e8a578f9a
Instruction ID: 2241c7d72abfc068c3e0d2a9a226d44f5f768712d3663902469fbf0e50918cf5
Opcode Fuzzy Hash: E81159DA27FED40AF533B93074417C781661B2B62CE5C53A24E3B38580DE83406A7F06
Instruction Fuzzy Hash: 2241c7d72abfc068c3e0d2a9a226d44f5f768712d3663902469fbf0e50918cf5

APIs

CreateThread.KERNEL32(00000000,00000000,00482028,00000000,00000000,00499F94), ref: 0047EB8D
GetMessageA.USER32(00499F5C,00000000,00000000,00000000), ref: 0047ECBF

Part of subcall function 0040BC98: GetLocalTime.KERNEL32(?), ref: 0040BCA0

Part of subcall function 0040BCC4: GetLocalTime.KERNEL32(?), ref: 0040BCCC

Part of subcall function 0041FA34: GetLastError.KERNEL32(00486514,00000004,0048650C,00000000,0041FADE,?,00499F5C), ref: 0041FA94

Part of subcall function 0041FC40: SetThreadPriority.KERNEL32(?,015CDB28,00499F5C,?,0047EC9E,?,?,?,00000000,00000000,?,0049062B), ref: 0041FC55

Part of subcall function 0041FEF0: ResumeThread.KERNEL32(?,00499F5C,?,0047ECAA,?,?,?,00000000,00000000,?,0049062B), ref: 0041FEF8

TranslateMessage.USER32(00499F5C), ref: 0047ECAD
DispatchMessageA.USER32(00499F5C), ref: 0047ECB3

Strings

OFFLINEK, xrefs: 0047EB61
,xI, xrefs: 0047EC45
AI, xrefs: 0047EB11, 0047EB3E
at , xrefs: 0047EC58
Unknow, xrefs: 0047EC0B
AI, xrefs: 0047EBFA, 0047EC04, 0047EC60
MPI, xrefs: 0047EB9D
PWD, xrefs: 0047EB26

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004458CC, Relevance: 19.9, APIs: 13, Instructions: 386 Total matches: 159window

Similarity

Total matches: 159
API ID: SetFocus$GetFocusIsWindowEnabledPostMessage$GetLastActivePopupIsWindowVisibleSendMessage
String ID:
API String ID: 914620548-0
Opcode ID: 7a550bb8e8bdfffe0a3d884064dd1348bcd58c670023c5df15e5d4cbc78359b7
Instruction ID: ae7cdb1027d949e36366800a998b34cbf022b374fa511ef6be9943eb0d4292bd
Opcode Fuzzy Hash: 79518B4165DF6212E8BB908076A3BE6604BF7C6B9ECC8DF3411D53649B3F44620EE306
Instruction Fuzzy Hash: ae7cdb1027d949e36366800a998b34cbf022b374fa511ef6be9943eb0d4292bd

APIs

Part of subcall function 00445780: SetThreadLocale.KERNEL32(00000400,?,?,?,0044593F,00000000,00445F57), ref: 004457A3

Part of subcall function 00445F90: SetActiveWindow.USER32(?), ref: 00445FB5
Part of subcall function 00445F90: IsWindowEnabled.USER32(00000000), ref: 00445FE1
Part of subcall function 00445F90: SetWindowPos.USER32(?,00000000,00000000,00000000,?,00000000,00000040), ref: 0044602B
Part of subcall function 00445F90: DefWindowProcA.USER32(?,00000112,0000F020,00000000), ref: 00446040

Part of subcall function 00446070: SetActiveWindow.USER32(?), ref: 0044608F
Part of subcall function 00446070: ShowWindow.USER32(00000000,00000009), ref: 004460B4
Part of subcall function 00446070: IsWindowEnabled.USER32(00000000), ref: 004460D3
Part of subcall function 00446070: DefWindowProcA.USER32(?,00000112,0000F120,00000000), ref: 004460EC
Part of subcall function 00446070: SetWindowPos.USER32(?,00000000,00000000,?,?,00445ABE,00000000), ref: 00446132
Part of subcall function 00446070: SetFocus.USER32(00000000), ref: 00446180

Part of subcall function 00445F74: LoadIconA.USER32(00000000,00007F00), ref: 00445F8A

PostMessageA.USER32(?,0000B001,00000000,00000000), ref: 00445BCD

Part of subcall function 00445490: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000213), ref: 004454DE

PostMessageA.USER32(?,0000B000,00000000,00000000), ref: 00445BAB
SendMessageA.USER32(?,?,?,?), ref: 00445C73

Part of subcall function 00405388: FreeLibrary.KERNEL32(00400000,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405410
Part of subcall function 00405388: ExitProcess.KERNEL32(00000000,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405448

Part of subcall function 0044641C: IsWindowEnabled.USER32(00000000), ref: 00446458

IsWindowEnabled.USER32(00000000), ref: 00445D18
IsWindowVisible.USER32(00000000), ref: 00445D2D
GetFocus.USER32 ref: 00445D41
SetFocus.USER32(00000000), ref: 00445D50
SetFocus.USER32(00000000), ref: 00445D6F
IsWindowEnabled.USER32(00000000), ref: 00445DD0
SetFocus.USER32(00000000), ref: 00445DF2
GetLastActivePopup.USER32(?), ref: 00445E0A

Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773

GetFocus.USER32 ref: 00445E4F

Part of subcall function 0043BA80: GetCurrentThreadId.KERNEL32(Function_0003BA1C,00000000,0044283C,00000000,004428BF), ref: 0043BA9A
Part of subcall function 0043BA80: EnumThreadWindows.USER32(00000000,Function_0003BA1C,00000000), ref: 0043BAA0

SetFocus.USER32(00000000), ref: 00445E70

Part of subcall function 00446A88: PostMessageA.USER32(?,0000B01F,00000000,00000000), ref: 00446BA1

Part of subcall function 004466B8: SendMessageA.USER32(?,0000B020,00000001,?), ref: 004466DC

Part of subcall function 0044665C: SendMessageA.USER32(?,0000B020,00000000,?), ref: 0044667E

Part of subcall function 0045D684: SystemParametersInfoA.USER32(00000068,00000000,015E3408,00000000), ref: 0045D6C8
Part of subcall function 0045D684: SendMessageA.USER32(?,?,00000000,00000000), ref: 0045D6DB

Part of subcall function 00445844: DefWindowProcA.USER32(?,?,?,?), ref: 0044586E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004450B4, Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 131 Total matches: 14windowregistry

Similarity

Total matches: 14
API ID: DeleteMenu$GetClassInfoGetSystemMenuRegisterClassSendMessageSetClassLongSetWindowLong
String ID: LPI$PMD
API String ID: 387369179-807424164
Opcode ID: 32fce7ee3e6ac0926511ec3e4f7c98ab685e9b31e2d706daccbfdcda0f6d1d6b
Instruction ID: d56ce0e432135cd6d309e63aa69e29fd16821da0556a9908f65c39b580e9a6e9
Opcode Fuzzy Hash: 5601A6826E8982A2E2E03082381279F408E9F8B745C34A72E50863056EEF4A4178FF06
Instruction Fuzzy Hash: d56ce0e432135cd6d309e63aa69e29fd16821da0556a9908f65c39b580e9a6e9

APIs

Part of subcall function 00421084: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 004210A2

GetClassInfoA.USER32(00400000,00444D50,?), ref: 00445113
RegisterClassA.USER32(004925FC), ref: 0044512B

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

Part of subcall function 0040857C: CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004085BB

SetWindowLongA.USER32(?,000000FC,?), ref: 004451C2
DeleteMenu.USER32(00000000,0000F010,00000000), ref: 00445235

Part of subcall function 00445F74: LoadIconA.USER32(00000000,00007F00), ref: 00445F8A

SendMessageA.USER32(?,00000080,00000001,00000000), ref: 004451E4
SetClassLongA.USER32(?,000000F2,00000000), ref: 004451F7
GetSystemMenu.USER32(?,00000000), ref: 00445202
DeleteMenu.USER32(00000000,0000F030,00000000), ref: 00445211
DeleteMenu.USER32(00000000,0000F000,00000000), ref: 0044521E

Strings

PMD, xrefs: 00445107, 0044519E
LPI, xrefs: 004450DD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045DAE0, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 103 Total matches: 45registrylibraryloader

Similarity

Total matches: 45
API ID: GlobalAddAtom$GetCurrentProcessIdGetCurrentThreadIdGetModuleHandleGetProcAddressRegisterWindowMessage
String ID: AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$USER32
API String ID: 1182141063-1126952177
Opcode ID: f8c647dae10644b7e730f5649d963eb01b1b77fd7d0b633dfddc8baab0ae74fb
Instruction ID: 6dc9b78338348dc7afd8e3f20dad2926db9f0bd5be2625dc934bf3846c6fa984
Opcode Fuzzy Hash: ED0140552F89B147427255E03449BB534B6A707F4B4CA77531B0D3A1F9AE074025FB1E
Instruction Fuzzy Hash: 6dc9b78338348dc7afd8e3f20dad2926db9f0bd5be2625dc934bf3846c6fa984

APIs

GetCurrentProcessId.KERNEL32(?,00000000,0045DC58), ref: 0045DB01
GlobalAddAtomA.KERNEL32(00000000), ref: 0045DB34
GetCurrentThreadId.KERNEL32(?,?,00000000,0045DC58), ref: 0045DB4F
GlobalAddAtomA.KERNEL32(00000000), ref: 0045DB85
RegisterWindowMessageA.USER32(00000000,00000000,?,?,00000000,0045DC58), ref: 0045DB9B

Part of subcall function 00419AB0: InitializeCriticalSection.KERNEL32(004174C8,?,?,0045DBB1,00000000,00000000,?,?,00000000,0045DC58), ref: 00419ACF

Part of subcall function 0045D6E8: SetErrorMode.KERNEL32(00008000), ref: 0045D701
Part of subcall function 0045D6E8: GetModuleHandleA.KERNEL32(USER32,00000000,0045D84E,?,00008000), ref: 0045D725
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,WINNLSEnableIME,USER32,00000000,0045D84E,?,00008000), ref: 0045D732
Part of subcall function 0045D6E8: LoadLibraryA.KERNEL32(imm32.dll), ref: 0045D74E
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D770
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D785
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D79A
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7AF
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7C4
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E), ref: 0045D7D9
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000), ref: 0045D7EE
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext), ref: 0045D803
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext), ref: 0045D818
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmNotifyIME,00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus), ref: 0045D82D
Part of subcall function 0045D6E8: SetErrorMode.KERNEL32(?,0045D855,00008000), ref: 0045D848

Part of subcall function 00443B58: GetKeyboardLayout.USER32(00000000), ref: 00443B9D
Part of subcall function 00443B58: GetDC.USER32(00000000), ref: 00443BF2
Part of subcall function 00443B58: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00443BFC
Part of subcall function 00443B58: ReleaseDC.USER32(00000000,00000000), ref: 00443C07

Part of subcall function 00444D60: LoadIconA.USER32(00400000,MAINICON), ref: 00444E57
Part of subcall function 00444D60: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON), ref: 00444E89
Part of subcall function 00444D60: OemToCharA.USER32(?,?), ref: 00444E9C
Part of subcall function 00444D60: CharNextA.USER32(?), ref: 00444EDB
Part of subcall function 00444D60: CharLowerA.USER32(00000000), ref: 00444EE1

GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,?,00000000,0045DC58), ref: 0045DC1F
GetProcAddress.KERNEL32(00000000,AnimateWindow,USER32,00000000,00000000,?,?,00000000,0045DC58), ref: 0045DC30

Strings

Delphi%.8X, xrefs: 0045DB12
ControlOfs%.8X%.8X, xrefs: 0045DB63
AnimateWindow, xrefs: 0045DC2A
USER32, xrefs: 0045DC1A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444D60, Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 135 Total matches: 14window

Similarity

Total matches: 14
API ID: CharLowerCharNextGetModuleFileNameLoadIconOemToChar
String ID: 08B$0PI$8PI$MAINICON$\tA
API String ID: 1282013903-4242882941
Opcode ID: ff2b085099440c5ca1f97a8a9a6e2422089f81c1f58cd04fd4e646ad6fccc634
Instruction ID: 1a7e1b5cc773515fc1e1ce3387cb9199d5a608ac43a7cc09dd1af1e5a3a2e712
Opcode Fuzzy Hash: 76112C42068596E4E03967743814BC96091FB95F3AEB8AB7156F570BE48F418125F31C
Instruction Fuzzy Hash: 1a7e1b5cc773515fc1e1ce3387cb9199d5a608ac43a7cc09dd1af1e5a3a2e712

APIs

LoadIconA.USER32(00400000,MAINICON), ref: 00444E57

Part of subcall function 0042B29C: GetIconInfo.USER32(?,?), ref: 0042B2BD
Part of subcall function 0042B29C: GetObjectA.GDI32(?,00000018,?), ref: 0042B2DE
Part of subcall function 0042B29C: DeleteObject.GDI32(?), ref: 0042B30A
Part of subcall function 0042B29C: DeleteObject.GDI32(?), ref: 0042B313

GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON), ref: 00444E89
OemToCharA.USER32(?,?), ref: 00444E9C
CharNextA.USER32(?), ref: 00444EDB
CharLowerA.USER32(00000000), ref: 00444EE1

Part of subcall function 00421140: GetClassInfoA.USER32(00400000,00421130,?), ref: 00421161
Part of subcall function 00421140: UnregisterClassA.USER32(00421130,00400000), ref: 0042118A
Part of subcall function 00421140: RegisterClassA.USER32(00491B50), ref: 00421194
Part of subcall function 00421140: SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 004211DF

Part of subcall function 004450B4: GetClassInfoA.USER32(00400000,00444D50,?), ref: 00445113
Part of subcall function 004450B4: RegisterClassA.USER32(004925FC), ref: 0044512B
Part of subcall function 004450B4: SetWindowLongA.USER32(?,000000FC,?), ref: 004451C2
Part of subcall function 004450B4: SendMessageA.USER32(?,00000080,00000001,00000000), ref: 004451E4
Part of subcall function 004450B4: SetClassLongA.USER32(?,000000F2,00000000), ref: 004451F7
Part of subcall function 004450B4: GetSystemMenu.USER32(?,00000000), ref: 00445202
Part of subcall function 004450B4: DeleteMenu.USER32(00000000,0000F030,00000000), ref: 00445211
Part of subcall function 004450B4: DeleteMenu.USER32(00000000,0000F000,00000000), ref: 0044521E
Part of subcall function 004450B4: DeleteMenu.USER32(00000000,0000F010,00000000), ref: 00445235

Strings

MAINICON, xrefs: 00444E4A
08B, xrefs: 00444E38
0PI, xrefs: 00444E4F, 00444E81
8PI, xrefs: 00444F14
\tA, xrefs: 00444DBF, 00444DD1, 00444DE3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00481318, Relevance: 16.0, APIs: 2, Strings: 7, Instructions: 241 Total matches: 16thread

Similarity

Total matches: 16
API ID: CreateThreadExitThread
String ID: Bytes ($,xI$:: $:: Clipboard Change : size = $FTPSIZE$FTPUPLOADK$dclogs\
API String ID: 3550501405-4171340091
Opcode ID: 09ac825b311b0dae764bb850de313dcff2ce8638679eaf641d47129c8347c1b6
Instruction ID: 18a29a8180aa3c51a0af157095e3a2943ba53103427a66675ab0ae847ae08d92
Opcode Fuzzy Hash: A8315BC70B99DEDBE522BCD838413A6446E1B4364DD4C1B224B397D4F14F09203AF712
Instruction Fuzzy Hash: 18a29a8180aa3c51a0af157095e3a2943ba53103427a66675ab0ae847ae08d92

APIs

ExitThread.KERNEL32(00000000,00000000,00481687,?,00000000,004816C3,?,?,?,?,0000000C,00000000,00000000), ref: 0048135E

Part of subcall function 00480F70: GetForegroundWindow.USER32 ref: 00480F8F
Part of subcall function 00480F70: GetWindowTextLengthA.USER32(00000000), ref: 00480F9B
Part of subcall function 00480F70: GetWindowTextA.USER32(00000000,00000000,00000001), ref: 00480FB8

Part of subcall function 0048ADCC: SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0048ADF9
Part of subcall function 0048ADCC: SHGetPathFromIDListA.SHELL32(?,?,00000000,0048AE8C,?,?,00000005,?,004856FD,00000000,00485755,?,?,00000005,00000000,00000000), ref: 0048AE09

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

Part of subcall function 0040BCC4: GetLocalTime.KERNEL32(?), ref: 0040BCCC

Part of subcall function 00480FEC: FindFirstFileA.KERNEL32(00000000,?,00000000,0048109E), ref: 0048101E

CreateThread.KERNEL32(00000000,00000000,Function_000810D4,00000000,00000000,00499F94), ref: 0048162D

Strings

FTPUPLOADK, xrefs: 0048159E
,xI, xrefs: 00481482, 0048151D
dclogs\, xrefs: 004813DB, 0048142A, 004815C7
FTPSIZE, xrefs: 004815F1
:: , xrefs: 00481492
Bytes (, xrefs: 0048153F
:: Clipboard Change : size = , xrefs: 0048152D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004035C4, Relevance: 15.1, APIs: 10, Instructions: 129 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: d538ecb20819965be69077a828496b76d5af3486dd71f6717b9dc933de35fdbc
Instruction ID: c976212507a0127e09b4f1878ff8970bdbefa7b4a5e526d5fabf74a192684bc9
Opcode Fuzzy Hash: DD012BC0B7E89268E42FAB84AA00FD25444979FFC9E70C74433C9615EE6742616CBE09
Instruction Fuzzy Hash: c976212507a0127e09b4f1878ff8970bdbefa7b4a5e526d5fabf74a192684bc9

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040364C
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00403670
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040368C
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 004036AD
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 004036D6
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 004036E4
GetStdHandle.KERNEL32(000000F5), ref: 0040371F
GetFileType.KERNEL32 ref: 00403735
CloseHandle.KERNEL32 ref: 00403750
GetLastError.KERNEL32(000000F5), ref: 00403768

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040EBCC, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201 Total matches: 3634thread

Similarity

Total matches: 3634
API ID: GetThreadLocale
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 1366207816-2493093252
Opcode ID: 01a36ac411dc2f0c4b9eddfafa1dc6121dabec367388c2cb1b6e664117e908cf
Instruction ID: d03f869ccb848d3c28b0e9f5c57a02ed4726818649ba9b5e70cc30c7e7abe10a
Opcode Fuzzy Hash: 7E216E09A7888936D262494C3885B9414F75F1A161EC4CBF18BB2757ED6EC60422FBFB
Instruction Fuzzy Hash: d03f869ccb848d3c28b0e9f5c57a02ed4726818649ba9b5e70cc30c7e7abe10a

APIs

Part of subcall function 0040EB08: GetThreadLocale.KERNEL32 ref: 0040EB2A
Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000004A), ref: 0040EB7D
Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000002A), ref: 0040EB8C

Part of subcall function 0040D3E8: GetThreadLocale.KERNEL32(00000000,0040D4FB,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040D404

GetThreadLocale.KERNEL32(00000000,0040EE97,?,?,00000000,00000000), ref: 0040EC02

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Part of subcall function 0040D380: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040EC7E,00000000,0040EE97,?,?,00000000,00000000), ref: 0040D393

Part of subcall function 0040D670: GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(?,00000000,0040D657,?,?,00000000), ref: 0040D5D8
Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040D657,?,?,00000000), ref: 0040D608
Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D50C,00000000,00000000,00000004), ref: 0040D613
Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040D657,?,?,00000000), ref: 0040D631
Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D548,00000000,00000000,00000003), ref: 0040D63C

Strings

AMPM , xrefs: 0040EE25
mmmm d, yyyy, xrefs: 0040ECFE
m/d/yy, xrefs: 0040ECD1
:mm, xrefs: 0040EE35
:mm:ss, xrefs: 0040EE52
AMPM, xrefs: 0040EE16

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045F5F8, Relevance: 10.6, APIs: 7, Instructions: 117 Total matches: 462file

Similarity

Total matches: 462
API ID: CloseHandle$CreateFileCreateFileMappingGetFileSizeMapViewOfFileUnmapViewOfFile
String ID:
API String ID: 4232242029-0
Opcode ID: 30b260463d44c6b5450ee73c488d4c98762007a87f67d167b52aaf6bd441c3bf
Instruction ID: 5c790fdba87d6d3a28b45298bdc34f72c373fcd78425af207109af52e92f4d8f
Opcode Fuzzy Hash: 68F028440BCCF3A7F4B5B64820427A1004AAB46B58D54BFA25495374CB89C9B04DFB53
Instruction Fuzzy Hash: 5c790fdba87d6d3a28b45298bdc34f72c373fcd78425af207109af52e92f4d8f

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateFileA.KERNEL32(00000000,80000000,00000003,00000000,00000003,08000080,00000000), ref: 0045F637
CreateFileMappingA.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0045F665
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718,?,?,?,?), ref: 0045F691
GetFileSize.KERNEL32(000000FF,00000000,00000000,0045F6DC,?,00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718), ref: 0045F6B3
UnmapViewOfFile.KERNEL32(00000000,0045F6E3,0045F6DC,?,00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718), ref: 0045F6D6
CloseHandle.KERNEL32(00000000), ref: 0045F6F4
CloseHandle.KERNEL32(000000FF), ref: 0045F712

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AFE8, Relevance: 10.6, APIs: 7, Instructions: 94 Total matches: 34sleep

Similarity

Total matches: 34
API ID: Sleep$GetCurrentProcessGetTokenInformationLookupPrivilegeDisplayNameLookupPrivilegeNameOpenProcessToken
String ID:
API String ID: 2949210484-0
Opcode ID: 1294ace95088db967643d611283e857756515b83d680ef470e886f47612abab4
Instruction ID: 080af5cb768fd98714a9d060fcd45c73de1816ca9ba7ffb4874f351f539571ee
Opcode Fuzzy Hash: F9F0F6524B5DE753F65D2A4C9893BE90250DB03424E806B22857877A8A5E195039FA2A
Instruction Fuzzy Hash: 080af5cb768fd98714a9d060fcd45c73de1816ca9ba7ffb4874f351f539571ee

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048B0F3), ref: 0048B016
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048B0F3), ref: 0048B01C
Sleep.KERNEL32(00000001,00000000,00000028,?,00000000,0048B0F3), ref: 0048B027
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B03C
Sleep.KERNEL32(00000001,?,TokenIntegrityLevel,00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B047
LookupPrivilegeNameA.ADVAPI32(00000000,00000004,00000000,000000FF), ref: 0048B094
LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,?,000000FF,?), ref: 0048B0A8

Part of subcall function 0048AEA8: GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AEFF
Part of subcall function 0048AEA8: OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF05
Part of subcall function 0048AEA8: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
Part of subcall function 0048AEA8: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000), ref: 0048AF77
Part of subcall function 0048AEA8: CloseHandle.KERNEL32(?), ref: 0048AF8D
Part of subcall function 0048AEA8: GetLastError.KERNEL32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF9A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048F888, Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 110 Total matches: 18

Similarity

Total matches: 18
API ID: CoInitialize
String ID: .dcp$DCDATA$GENCODE$MPI$NETDATA
API String ID: 2346599605-3060965071
Opcode ID: 5b2698c0d83cdaee763fcf6fdf8d4463e192853437356cece5346bd183c87f4d
Instruction ID: bf1364519f653df7cd18a9a38ec8bfca38719d83700d8c9dcdc44dde4d16a583
Opcode Fuzzy Hash: 990190478FEEC01AF2139D64387B7C100994F53F55E840B9B557D3E5A08947502BB705
Instruction Fuzzy Hash: bf1364519f653df7cd18a9a38ec8bfca38719d83700d8c9dcdc44dde4d16a583

APIs

Part of subcall function 004076D4: GetModuleHandleA.KERNEL32(00000000,?,0048F8A5,?,?,?,0000002F,00000000,00000000), ref: 004076E0

CoInitialize.OLE32(00000000), ref: 0048F8B5

Part of subcall function 0048AFE8: GetCurrentProcess.KERNEL32(00000028,?,00000000,0048B0F3), ref: 0048B016
Part of subcall function 0048AFE8: OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048B0F3), ref: 0048B01C
Part of subcall function 0048AFE8: Sleep.KERNEL32(00000001,00000000,00000028,?,00000000,0048B0F3), ref: 0048B027
Part of subcall function 0048AFE8: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B03C
Part of subcall function 0048AFE8: Sleep.KERNEL32(00000001,?,TokenIntegrityLevel,00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B047
Part of subcall function 0048AFE8: LookupPrivilegeNameA.ADVAPI32(00000000,00000004,00000000,000000FF), ref: 0048B094
Part of subcall function 0048AFE8: LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,?,000000FF,?), ref: 0048B0A8

Part of subcall function 0040F234: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0048F90F,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040F24B

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

Strings

.dcp, xrefs: 0048F92D, 0048F989
DCDATA, xrefs: 0048F8E9
NETDATA, xrefs: 0048F9B6
MPI, xrefs: 0048F8BA
GENCODE, xrefs: 0048F920, 0048F97C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B47C, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58 Total matches: 283

Similarity

Total matches: 283
API ID: MulDiv
String ID: MS Shell Dlg 2$SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes$Tahoma
API String ID: 940359406-1011973972
Opcode ID: 9f338f1e3de2c8e95426f3758bdd42744a67dcd51be80453ed6f2017c850a3af
Instruction ID: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a
Opcode Fuzzy Hash: EDE0680017C8F0ABFC32BC8A30A17CD20C9F341270C0063B1065D3D8CAAB4AC018E907
Instruction Fuzzy Hash: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a

APIs

MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0042B4A2

Part of subcall function 004217A0: RegCloseKey.ADVAPI32(10940000,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5,?,00000000,0048B2DD), ref: 004217B4

Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421A81
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421AF1
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?), ref: 00421B5C

Part of subcall function 00421770: RegFlushKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 00421781
Part of subcall function 00421770: RegCloseKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 0042178A

Part of subcall function 0042B438: GetDC.USER32(00000000), ref: 0042B441
Part of subcall function 0042B438: SelectObject.GDI32(00000000,018A002E), ref: 0042B453
Part of subcall function 0042B438: GetTextMetricsA.GDI32(00000000), ref: 0042B45E
Part of subcall function 0042B438: ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes, xrefs: 0042B4F8
MS Shell Dlg 2, xrefs: 0042B50C
Tahoma, xrefs: 0042B4C4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00480F70, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43 Total matches: 13

Similarity

Total matches: 13
API ID: GetForegroundWindowGetWindowTextGetWindowTextLength
String ID: 3 H
API String ID: 3098183346-888106971
Opcode ID: 38df64794ac19d1a41c58ddb3103a8d6ab7d810f67298610b47d21a238081d5e
Instruction ID: fd1deb06fecc2756381cd848e34cdb6bc2d530e728f99936ce181bacb4a15fce
Opcode Fuzzy Hash: 41D0A785074A821B944A95CC64011E692D4A171281D803B31CB257A5C9ED06001FA82B
Instruction Fuzzy Hash: fd1deb06fecc2756381cd848e34cdb6bc2d530e728f99936ce181bacb4a15fce

APIs

GetForegroundWindow.USER32 ref: 00480F8F
GetWindowTextLengthA.USER32(00000000), ref: 00480F9B
GetWindowTextA.USER32(00000000,00000000,00000001), ref: 00480FB8

Strings

3 H, xrefs: 00480FD4, 00480FA3, 00480FAE, 00480FBF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00421140, Relevance: 6.1, APIs: 4, Instructions: 59 Total matches: 2877registry

Similarity

Total matches: 2877
API ID: GetClassInfoRegisterClassSetWindowLongUnregisterClass
String ID:
API String ID: 1046148194-0
Opcode ID: c2411987b4f71cfd8dbf515c505d6b009a951c89100e7b51cc1a9ad4868d85a2
Instruction ID: ad09bb2cd35af243c34bf0a983bbfa5e937b059beb8f7eacfcf21e0321a204f6
Opcode Fuzzy Hash: 17E026123D08D3D6E68B3107302B30D00AC1B2F524D94E725428030310CB24B034D942
Instruction Fuzzy Hash: ad09bb2cd35af243c34bf0a983bbfa5e937b059beb8f7eacfcf21e0321a204f6

APIs

GetClassInfoA.USER32(00400000,00421130,?), ref: 00421161
UnregisterClassA.USER32(00421130,00400000), ref: 0042118A
RegisterClassA.USER32(00491B50), ref: 00421194

Part of subcall function 0040857C: CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004085BB

Part of subcall function 00421084: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 004210A2

SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 004211DF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486374, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66 Total matches: 15network

Similarity

Total matches: 15
API ID: send
String ID: #KEEPALIVE#$AI
API String ID: 2809346765-3407633610
Opcode ID: 7bd268bc54a74c8d262fb2d4f92eedc3231c4863c0e0b1ad2c3d318767d32110
Instruction ID: 49a0c3b4463e99ba8d4a2c6ba6a42864ce88c18c059a57f1afd8745127692009
Opcode Fuzzy Hash: 34E068800B79C40B586BB094394371320D2EE1171988473305F003F967CD40501E2E93
Instruction Fuzzy Hash: 49a0c3b4463e99ba8d4a2c6ba6a42864ce88c18c059a57f1afd8745127692009

APIs

send.WSOCK32(?,?,?,00000000,00000000,0048642A), ref: 004863F3

Strings

AI, xrefs: 004863A6
#KEEPALIVE#, xrefs: 00486399

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482028, Relevance: 4.5, APIs: 3, Instructions: 19 Total matches: 124window

Similarity

Total matches: 124
API ID: DispatchMessageGetMessageTranslateMessage
String ID:
API String ID: 238847732-0
Opcode ID: 2bc29e822e5a19ca43f9056ef731e5d255ca23f22894fa6ffe39914f176e67d0
Instruction ID: 3635f244085e73605198e4edd337f824154064b4cabe78c039b45d2f1f3269be
Opcode Fuzzy Hash: A9B0120F8141E01F254D19651413380B5D379C3120E515B604E2340284D19031C97C49
Instruction Fuzzy Hash: 3635f244085e73605198e4edd337f824154064b4cabe78c039b45d2f1f3269be

APIs

Part of subcall function 00481ED8: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00482007,?,?,00000003,00000000,00000000,?,00482033), ref: 00481EFB
Part of subcall function 00481ED8: SetWindowsHookExA.USER32(0000000D,004818F8,00000000,00000000), ref: 00481F09

TranslateMessage.USER32 ref: 00482036
DispatchMessageA.USER32 ref: 0048203C
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00482048

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C91C, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 75 Total matches: 20

Similarity

Total matches: 20
API ID: GetVolumeInformation
String ID: %.4x:%.4x
API String ID: 1114431059-3532927987
Opcode ID: 208ca3ebf28c5cea15b573a569a7b8c9d147c1ff64dfac4d15af7b461a718bc8
Instruction ID: 4ae5e3aba91ec141201c4859cc19818ff8a02ee484ece83311eb3b9305c11bcf
Opcode Fuzzy Hash: F8E0E5410AC961EBB4D3F0883543BA2319593A3289C807B73B7467FDD64F05505DD847
Instruction Fuzzy Hash: 4ae5e3aba91ec141201c4859cc19818ff8a02ee484ece83311eb3b9305c11bcf

APIs

GetVolumeInformationA.KERNEL32(00000000,00000000,00000104,?,?,?,00000000,00000104), ref: 0048C974

Strings

%.4x:%.4x, xrefs: 0048C9B9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004221F0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47 Total matches: 18registry

Similarity

Total matches: 18
API ID: RegQueryValueEx
String ID: ldA
API String ID: 3865029661-3200660723
Opcode ID: ec304090a766059ca8447c7e950ba422bbcd8eaba57a730efadba48c404323b5
Instruction ID: 1bfdbd06430122471a07604155f074e1564294130eb9d59a974828bfc3ff2ca5
Opcode Fuzzy Hash: 87D05E281E48858525DA74D93101B522241E7193938CC3F618A4C976EB6900F018EE0F
Instruction Fuzzy Hash: 1bfdbd06430122471a07604155f074e1564294130eb9d59a974828bfc3ff2ca5

APIs

RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000), ref: 0042221B

Strings

ldA, xrefs: 00422231

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00421F68, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36 Total matches: 12registry

Similarity

Total matches: 12
API ID: RegQueryValueEx
String ID: n"B
API String ID: 3865029661-2187876772
Opcode ID: 26fd4214dafc6fead50bf7e0389a84ae86561299910b3c40f1938d96c80dcc37
Instruction ID: ad829994a2409f232093606efc953ae9cd3a3a4e40ce86781ec441e637d7f613
Opcode Fuzzy Hash: A2C08C4DAA204AD6E1B42500D481F0827816B633B9D826F400162222E3BA009A9FE85C
Instruction Fuzzy Hash: ad829994a2409f232093606efc953ae9cd3a3a4e40ce86781ec441e637d7f613

APIs

RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,00000000,n"B,?,?,?,?,00000000,0042226E), ref: 00421F9A

Strings

n"B, xrefs: 00421F81, 00421F84

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Similar Non-Executed Functions

Function 0048B42C, Relevance: 70.2, APIs: 32, Strings: 8, Instructions: 219 Total matches: 29keyboard

Similarity

Total matches: 29
API ID: keybd_event
String ID: CTRLA$CTRLC$CTRLF$CTRLP$CTRLV$CTRLX$CTRLY$CTRLZ
API String ID: 2665452162-853614746
Opcode ID: 4def22f753c7f563c1d721fcc218f3f6eb664e5370ee48361dbc989d32d74133
Instruction ID: 963b610819eac8b52ef880b5a8b69d76f76adbdeafee6c47af906d1515d6b099
Opcode Fuzzy Hash: 532196951B0CA2B978DA64817C0E195F00B969B34DEDC13128990DAF788EF08DE03F35
Instruction Fuzzy Hash: 963b610819eac8b52ef880b5a8b69d76f76adbdeafee6c47af906d1515d6b099

APIs

keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B460
keybd_event.USER32(00000041,00000045,00000001,00000000), ref: 0048B46D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B47A
keybd_event.USER32(00000041,00000045,00000003,00000000), ref: 0048B487
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B4A8
keybd_event.USER32(00000056,00000045,00000001,00000000), ref: 0048B4B5
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B4C2
keybd_event.USER32(00000056,00000045,00000003,00000000), ref: 0048B4CF
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B4F0
keybd_event.USER32(00000043,00000045,00000001,00000000), ref: 0048B4FD
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B50A
keybd_event.USER32(00000043,00000045,00000003,00000000), ref: 0048B517
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B538
keybd_event.USER32(00000058,00000045,00000001,00000000), ref: 0048B545
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B552
keybd_event.USER32(00000058,00000045,00000003,00000000), ref: 0048B55F
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B580
keybd_event.USER32(00000050,00000045,00000001,00000000), ref: 0048B58D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B59A
keybd_event.USER32(00000050,00000045,00000003,00000000), ref: 0048B5A7
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B5C8
keybd_event.USER32(0000005A,00000045,00000001,00000000), ref: 0048B5D5
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B5E2
keybd_event.USER32(0000005A,00000045,00000003,00000000), ref: 0048B5EF
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B610
keybd_event.USER32(00000059,00000045,00000001,00000000), ref: 0048B61D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B62A
keybd_event.USER32(00000059,00000045,00000003,00000000), ref: 0048B637
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B655
keybd_event.USER32(00000046,00000045,00000001,00000000), ref: 0048B662
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B66F
keybd_event.USER32(00000046,00000045,00000003,00000000), ref: 0048B67C

Strings

CTRLP, xrefs: 0048B56C
CTRLC, xrefs: 0048B4DC
CTRLV, xrefs: 0048B494
CTRLY, xrefs: 0048B5FC
CTRLF, xrefs: 0048B641
CTRLZ, xrefs: 0048B5B4
CTRLX, xrefs: 0048B524
CTRLA, xrefs: 0048B44C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047FA8C, Relevance: 44.0, APIs: 24, Strings: 1, Instructions: 241 Total matches: 15networkwindow

Similarity

Total matches: 15
API ID: GetDeviceCaps$recv$DeleteObjectSelectObject$BitBltCreateCompatibleBitmapCreateCompatibleDCGetDCReleaseDCclosesocketconnectgethostbynameinet_addrntohssendshutdownsocket
String ID: THUMB
API String ID: 1930283203-3798143851
Opcode ID: 678904e15847db7bac48336b7cf5e320d4a41031a0bc1ba33978a791cdb2d37c
Instruction ID: a6e5d2826a1bfadec34d698d0b396fa74616cd31ac2933a690057ec4ea65ec21
Opcode Fuzzy Hash: A331F900078DE76BF6722B402983F571157FF42A21E6997A34BB4676C75FC0640EB60B
Instruction Fuzzy Hash: a6e5d2826a1bfadec34d698d0b396fa74616cd31ac2933a690057ec4ea65ec21

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,0047FD80), ref: 0047FACB
ntohs.WSOCK32(00000774), ref: 0047FAEF
inet_addr.WSOCK32(015EAA88,00000774), ref: 0047FB03
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 0047FB1B
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 0047FB42
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047FB59

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047FBA9
GetDC.USER32(00000000), ref: 0047FBE3
CreateCompatibleDC.GDI32(?), ref: 0047FBEF
GetDeviceCaps.GDI32(?,0000000A), ref: 0047FBFD
GetDeviceCaps.GDI32(?,00000008), ref: 0047FC09
CreateCompatibleBitmap.GDI32(?,00000000,?), ref: 0047FC13
SelectObject.GDI32(?,?), ref: 0047FC23
GetDeviceCaps.GDI32(?,0000000A), ref: 0047FC3E
GetDeviceCaps.GDI32(?,00000008), ref: 0047FC4A
BitBlt.GDI32(?,00000000,00000000,00000000,?,00000008,00000000,?,0000000A), ref: 0047FC58
send.WSOCK32(000000FF,?,00000000,00000000,?,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010), ref: 0047FCCD
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00000000,00000000,?,000000FF,?,00002000,00000000,000000FF,?,00002000), ref: 0047FCE4
SelectObject.GDI32(?,?), ref: 0047FD08
DeleteObject.GDI32(?), ref: 0047FD11
DeleteObject.GDI32(?), ref: 0047FD1A
ReleaseDC.USER32(00000000,?), ref: 0047FD25
shutdown.WSOCK32(000000FF,00000002,00000002,00000001,00000000,00000000,0047FD80), ref: 0047FD54
closesocket.WSOCK32(000000FF,000000FF,00000002,00000002,00000001,00000000,00000000,0047FD80), ref: 0047FD5D

Strings

THUMB, xrefs: 0047FB7F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486918, Relevance: 40.8, APIs: 27, Instructions: 343 Total matches: 14networksleep

Similarity

Total matches: 14
API ID: send$recv$closesocket$Sleepconnectgethostbynamegetsocknamentohsselectsocket
String ID:
API String ID: 2478304679-0
Opcode ID: 4d87a5330adf901161e92fb1ca319a93a9e59af002049e08fc24e9f18237b9f5
Instruction ID: e3ab2fee1e4498134b0ab76971bb2098cdaeb743d0e54aa66642cb2787f17742
Opcode Fuzzy Hash: 8F5159466792D79EF5A21F00640279192F68B03F25F05DB72D63A393D8CEC4009EBF08
Instruction Fuzzy Hash: e3ab2fee1e4498134b0ab76971bb2098cdaeb743d0e54aa66642cb2787f17742

APIs

recv.WSOCK32(?,?,00000002,00000002,00000000,00486E16), ref: 00486971
recv.WSOCK32(?,00000005,?,00000000), ref: 004869A0
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 004869EE
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486A0B
recv.WSOCK32(?,?,00000259,00000000,?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486A1F
send.WSOCK32(?,00000001,00000002,00000000), ref: 00486A9E
send.WSOCK32(?,00000001,00000002,00000000), ref: 00486ABB
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486AE8
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486B02
send.WSOCK32(?,00000005,00000002,00000000,?,00000005,?,00000000), ref: 00486B2B
recv.WSOCK32(?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486B41
recv.WSOCK32(?,?,0000000C,00000000,?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486B7C
recv.WSOCK32(?,?,?,00000000,?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486BD9
gethostbyname.WSOCK32(00000000,?,?,?,00000000,?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486BFF
ntohs.WSOCK32(?,00000000,?,?,?,00000000,?,?,0000000C,00000002,?,00000005,?,00000000), ref: 00486C29
socket.WSOCK32(00000002,00000001,00000000), ref: 00486C44
connect.WSOCK32(00000000,00000002,00000010,00000002,00000001,00000000), ref: 00486C55
getsockname.WSOCK32(00000000,?,00000010,00000000,00000002,00000010,00000002,00000001,00000000), ref: 00486CA8
send.WSOCK32(?,00000005,0000000A,00000000,00000000,?,00000010,00000000,00000002,00000010,00000002,00000001,00000000), ref: 00486CDD
select.WSOCK32(00000000,?,00000000,00000000,00000000,?,00000005,0000000A,00000000,00000000,?,00000010,00000000,00000002,00000010,00000002), ref: 00486D1D
Sleep.KERNEL32(00000096,00000000,?,00000000,00000000,00000000,?,00000005,0000000A,00000000,00000000,?,00000010,00000000,00000002,00000010), ref: 00486DCA

Part of subcall function 00408710: __WSAFDIsSet.WSOCK32(00000000,?,00000000,?,00486D36,00000000,?,00000000,00000000,00000000,00000096,00000000,?,00000000,00000000,00000000), ref: 00408718

recv.WSOCK32(00000000,?,00001000,00000000,00000000,?,00000000,00000000,00000000,00000096,00000000,?,00000000,00000000,00000000,?), ref: 00486D5B
send.WSOCK32(?,?,00000000,00000000,00000000,?,00001000,00000000,00000000,?,00000000,00000000,00000000,00000096,00000000,?), ref: 00486D72
recv.WSOCK32(?,?,00001000,00000000,00000000,?,00000000,00000000,00000000,00000096,00000000,?,00000000,00000000,00000000,?), ref: 00486DA9
send.WSOCK32(00000000,?,00000000,00000000,?,?,00001000,00000000,00000000,?,00000000,00000000,00000000,00000096,00000000,?), ref: 00486DC0
closesocket.WSOCK32(?,?,?,00000002,00000002,00000000,00486E16), ref: 00486DE2
closesocket.WSOCK32(?,?,?,?,00000002,00000002,00000000,00486E16), ref: 00486DE8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004801FC, Relevance: 35.3, APIs: 15, Strings: 5, Instructions: 286 Total matches: 15network

Similarity

Total matches: 15
API ID: recv$closesocketconnectgethostbynameinet_addrntohssendshutdownsocket
String ID: [.dll]$[.dll]$[.dll]$[.dll]$[.dll]
API String ID: 2256622448-126193538
Opcode ID: edfb90c8b4475b2781d0696b1145c1d1b84b866ec8cac18c23b2313044de0fe7
Instruction ID: 2d95426e1e6ee9a744b3e863ef1b8a7e344b36da7f7d1abd741f771f4a8a1459
Opcode Fuzzy Hash: FB414B0217AAD36BE0726F413943B8B00A2AF03E15D9C97E247B5267D69FA0501DB21A
Instruction Fuzzy Hash: 2d95426e1e6ee9a744b3e863ef1b8a7e344b36da7f7d1abd741f771f4a8a1459

APIs

socket.WSOCK32(00000002,00000001,00000000), ref: 00480264
ntohs.WSOCK32(00000774), ref: 00480288
inet_addr.WSOCK32(015EAA88,00000774), ref: 0048029C
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 004802B4
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 004802DB
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004802F2
closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004805DE

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,?,0048064C,?,00000000,?,FILETRANSFER,000000FF,?,00002000,00000000,000000FF,00000002), ref: 0048036A
recv.WSOCK32(000000FF,?,00002000,00000000,?,00000000,?,0048064C,?,FILEBOF,?,FILETRANSFER,000000FF,?,00002000,00000000), ref: 00480401

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,00000000,?,0048064C,?,FILEBOF,?,FILETRANSFER), ref: 00480451
send.WSOCK32(000000FF,?,00000000,00000000,00000000,00480523,?,000000FF,?,00002000,00000000,?,00000000,?,0048064C,?), ref: 004804DB
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00000000,00000000,00000000,00480523,?,000000FF,?,00002000,00000000,?), ref: 004804F5
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,00000000,?,0048064C,?,FILEBOF,?,FILETRANSFER), ref: 00480583

Part of subcall function 00475F68: send.WSOCK32(?,00000000,?,00000000,00000000,00475FCA), ref: 00475FAF

recv.WSOCK32(000000FF,?,00002000,00000000,?,FILETRANSFER,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004805B6
shutdown.WSOCK32(000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004805D5

Strings

FILEERR, xrefs: 00480432
FILEEOF, xrefs: 00480564
FILEBOF, xrefs: 004803A6
FILEEND, xrefs: 00480597
FILETRANSFER, xrefs: 004802FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048E06C, Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 175 Total matches: 10windowmemorythread

Similarity

Total matches: 10
API ID: SendMessage$FindWindowEx$CloseHandleFindWindowGetWindowThreadProcessIdOpenProcessReadProcessMemoryVirtualAllocVirtualAllocExVirtualFreeVirtualFreeExWriteProcessMemory
String ID: #32770$SysListView32$d"H
API String ID: 3780048337-1380996120
Opcode ID: b683118a55e5ed65f15da96e40864f63eed112dcb30155d6a8038ec0cc94ce3d
Instruction ID: 921cf0fa770e2b86772df7590f9e2c4dc5a1ffd61c2349c0eb9e10af82608242
Opcode Fuzzy Hash: AB11504A0B9C9567E83768442C43BDB1581FB13E89EB1BB93E2743758ADE811069FA43
Instruction Fuzzy Hash: 921cf0fa770e2b86772df7590f9e2c4dc5a1ffd61c2349c0eb9e10af82608242

APIs

Part of subcall function 0048DFF0: GetForegroundWindow.USER32 ref: 0048E00F
Part of subcall function 0048DFF0: GetWindowTextLengthA.USER32(00000000), ref: 0048E01B
Part of subcall function 0048DFF0: GetWindowTextA.USER32(00000000,00000000,00000001), ref: 0048E038

FindWindowA.USER32(#32770,00000000), ref: 0048E0C3
FindWindowExA.USER32(?,00000000,#32770,00000000), ref: 0048E0D8
FindWindowExA.USER32(?,00000000,SysListView32,00000000), ref: 0048E0ED
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0048E102
VirtualAlloc.KERNEL32(00000000,0000012C,00003000,00000004,?,00000000,SysListView32,00000000,00000000,0048E273,?,?,?,?), ref: 0048E12A
GetWindowThreadProcessId.USER32(?,?), ref: 0048E139
OpenProcess.KERNEL32(00000038,00000000,?,00000000,0000012C,00003000,00000004,?,00000000,SysListView32,00000000,00000000,0048E273), ref: 0048E146
VirtualAllocEx.KERNEL32(00000000,00000000,0000012C,00003000,00000004,00000038,00000000,?,00000000,0000012C,00003000,00000004,?,00000000,SysListView32,00000000), ref: 0048E158
WriteProcessMemory.KERNEL32(00000000,00000000,00000000,00000400,?,00000000,00000000,0000012C,00003000,00000004,00000038,00000000,?,00000000,0000012C,00003000), ref: 0048E18A
SendMessageA.USER32(d"H,0000102D,00000000,00000000), ref: 0048E19D
ReadProcessMemory.KERNEL32(00000000,00000000,00000000,00000400,?,d"H,0000102D,00000000,00000000,00000000,00000000,00000000,00000400,?,00000000,00000000), ref: 0048E1AE
SendMessageA.USER32(d"H,00001008,00000000,00000000), ref: 0048E219
VirtualFree.KERNEL32(00000000,00000000,00008000,d"H,00001008,00000000,00000000,00000000,00000000,00000000,00000400,?,d"H,0000102D,00000000,00000000), ref: 0048E226
VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000,00000000,00000000,00008000,d"H,00001008,00000000,00000000,00000000,00000000,00000000,00000400,?), ref: 0048E234
CloseHandle.KERNEL32(00000000), ref: 0048E23A

Strings

SysListView32, xrefs: 0048E0E2
d"H, xrefs: 0048E199, 0048E215, 0048E19C, 0048E218
#32770, xrefs: 0048E0BE, 0048E0CD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00480880, Relevance: 30.0, APIs: 12, Strings: 5, Instructions: 276 Total matches: 16network

Similarity

Total matches: 16
API ID: recv$closesocketshutdown$connectgethostbynameinet_addrntohssocket
String ID: [.dll]$[.dll]$[.dll]$[.dll]$[.dll]
API String ID: 2855376909-126193538
Opcode ID: ce8af9afc4fc20da17b49cda6627b8ca93217772cb051443fc0079949da9fcb3
Instruction ID: 6552a3c7cc817bd0bf0621291c8240d3f07fdfb759ea8c029e05bf9a4febe696
Opcode Fuzzy Hash: A5414C032767977AE1612F402881B952571BF03769DC8C7D257F6746EA5F60240EF31E
Instruction Fuzzy Hash: 6552a3c7cc817bd0bf0621291c8240d3f07fdfb759ea8c029e05bf9a4febe696

APIs

socket.WSOCK32(00000002,00000001,00000000,?,?,?,?,?,?,?,?,?,00000000,00480C86), ref: 004808B5
ntohs.WSOCK32(00000774), ref: 004808D9
inet_addr.WSOCK32(015EAA88,00000774), ref: 004808ED
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 00480905
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 0048092C
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480943
closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480C2F

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480993
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88), ref: 004809C8
shutdown.WSOCK32(000000FF,00000002,?,?,?,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000), ref: 00480B80
closesocket.WSOCK32(000000FF,000000FF,00000002,?,?,?,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?), ref: 00480B89

Part of subcall function 00480860: send.WSOCK32(?,00000000,00000001,00000000), ref: 00480879

shutdown.WSOCK32(000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480C26

Part of subcall function 00405D40: SysFreeString.OLEAUT32(?), ref: 00405D53

Strings

FILEERR, xrefs: 00480BB6
FILEBOF, xrefs: 00480A34
FILEEOF, xrefs: 00480B0B
UPLOADFILE, xrefs: 00480969
FILEEND, xrefs: 00480B6A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048851C, Relevance: 28.3, APIs: 11, Strings: 5, Instructions: 302 Total matches: 13network

Similarity

Total matches: 13
API ID: recv$closesocketconnectgethostbynameinet_addrmouse_eventntohsshutdownsocket
String ID: CONTROLIO$XLEFT$XMID$XRIGHT$XWHEEL
API String ID: 1694935655-1300867655
Opcode ID: 3d8ebbc3997d8a2a290d7fc83b0cdb9b95b23bbbcb8ad76760d2b66ee4a9946d
Instruction ID: 7e2e77316238cb3891ff65c9dc595f4b15bca55cd02a53a070d44cee5d55110c
Opcode Fuzzy Hash: C7410B051B8DD63BF4337E001883B422661FF02A24DC5ABD1ABB6766E75F40641EB74B
Instruction Fuzzy Hash: 7e2e77316238cb3891ff65c9dc595f4b15bca55cd02a53a070d44cee5d55110c

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00488943), ref: 00488581
ntohs.WSOCK32(00000774), ref: 004885A7
inet_addr.WSOCK32(015EAA88,00000774), ref: 004885BB
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 004885D3
connect.WSOCK32(?,00000002,00000010,015EAA88,00000774), ref: 004885FD
recv.WSOCK32(?,?,00002000,00000000,?,00000002,00000010,015EAA88,00000774), ref: 00488617

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(?,?,00002000,00000000,?,?,00002000,00000000,?,00000002,00000010,015EAA88,00000774), ref: 00488670
recv.WSOCK32(?,?,00002000,00000000,?,?,00002000,00000000,?,?,00002000,00000000,?,00000002,00000010,015EAA88), ref: 004886B7
mouse_event.USER32(00000800,00000000,00000000,00000000,00000000), ref: 00488743

Part of subcall function 00488F80: SetCursorPos.USER32(00000000,00000000), ref: 004890E0
Part of subcall function 00488F80: mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 004890FB
Part of subcall function 00488F80: mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 0048910A
Part of subcall function 00488F80: mouse_event.USER32(00000008,00000000,00000000,00000000,00000000), ref: 0048911B
Part of subcall function 00488F80: mouse_event.USER32(00000010,00000000,00000000,00000000,00000000), ref: 0048912A
Part of subcall function 00488F80: mouse_event.USER32(00000020,00000000,00000000,00000000,00000000), ref: 0048913B
Part of subcall function 00488F80: mouse_event.USER32(00000040,00000000,00000000,00000000,00000000), ref: 0048914A

shutdown.WSOCK32(?,00000002,00000002,00000001,00000000,00000000,00488943), ref: 00488907
closesocket.WSOCK32(?,?,00000002,00000002,00000001,00000000,00000000,00488943), ref: 00488913

Strings

XLEFT, xrefs: 004887C6
CONTROLIO, xrefs: 00488640
XRIGHT, xrefs: 0048882E
XMID, xrefs: 00488896
XWHEEL, xrefs: 00488701

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048317C, Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 191 Total matches: 13networkthread

Similarity

Total matches: 13
API ID: ExitThreadrecv$closesocketconnectgethostbynameinet_addrntohssendshutdownsocket
String ID: AI$DATAFLUX
API String ID: 321019756-425132630
Opcode ID: b7a2c89509495347fc3323384a94636a93f503423a5dcd762de1341b7d40447e
Instruction ID: d3bdd4e47b343d3b4fa6119c5e41daebd5c6236719acedab40bdc5f8245a3ecd
Opcode Fuzzy Hash: 4B214D4107AAD97AE4702A443881BA224165F535ADFD48B7147343F7D79E43205DFA4E
Instruction Fuzzy Hash: d3bdd4e47b343d3b4fa6119c5e41daebd5c6236719acedab40bdc5f8245a3ecd

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,004833A9,?,00000000,0048340F), ref: 00483247
ExitThread.KERNEL32(00000000,00000002,00000001,00000000,00000000,004833A9,?,00000000,0048340F), ref: 00483257
ntohs.WSOCK32(00000774), ref: 0048326E
inet_addr.WSOCK32(015EAA88,00000774), ref: 00483282
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 0048329A
ExitThread.KERNEL32(00000000,015EAA88,015EAA88,00000774), ref: 004832A7
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 004832C6
recv.WSOCK32(000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004832D7
ExitThread.KERNEL32(00000000,000000FF,000000FF,00000002,000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0048339A

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00000400,00000000,?,00483440,?,DATAFLUX,000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88), ref: 0048331D
send.WSOCK32(000000FF,?,00000000,00000000), ref: 0048335C
recv.WSOCK32(000000FF,?,00000400,00000000,000000FF,?,00000000,00000000), ref: 00483370
shutdown.WSOCK32(000000FF,00000002,000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00483382
closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00000400,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0048338B

Strings

AI, xrefs: 00483218
DATAFLUX, xrefs: 004832E3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047F4E0, Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 295 Total matches: 16network

Similarity

Total matches: 16
API ID: recv$closesocketconnectgethostbynameinet_addrntohsshutdownsocket
String ID: [.dll]$PLUGIN$QUICKUP
API String ID: 3502134677-2029499634
Opcode ID: e0335874fa5fb0619f753044afc16a0783dc895853cb643f68a57d403a54b849
Instruction ID: e53faec40743fc20efac8ebff3967ea6891c829de5991c2041a7f36387638ce7
Opcode Fuzzy Hash: 8E4129031BAAEA76E1723F4029C2B851A62EF12635DC4C7E287F6652D65F60241DF60E
Instruction Fuzzy Hash: e53faec40743fc20efac8ebff3967ea6891c829de5991c2041a7f36387638ce7

APIs

socket.WSOCK32(00000002,00000001,00000000,?,00000000,0047F930,?,?,?,?,00000000,00000000), ref: 0047F543
ntohs.WSOCK32(00000774), ref: 0047F567
inet_addr.WSOCK32(015EAA88,00000774), ref: 0047F57B
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 0047F593
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F5BA
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F5D1
closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F8C2

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,?,0047F968,?,0047F968,?,QUICKUP,000000FF,?,00002000,00000000,000000FF,00000002), ref: 0047F63F
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,0047F968,?,0047F968,?,QUICKUP,000000FF,?), ref: 0047F66F

Part of subcall function 0047F4C0: send.WSOCK32(?,00000000,00000001,00000000), ref: 0047F4D9

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,0047F968,?,0047F968), ref: 0047F859

Part of subcall function 0048ADCC: SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0048ADF9
Part of subcall function 0048ADCC: SHGetPathFromIDListA.SHELL32(?,?,00000000,0048AE8C,?,?,00000005,?,004856FD,00000000,00485755,?,?,00000005,00000000,00000000), ref: 0048AE09

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,0047F968,?,0047F968), ref: 0047F786

Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EEA0
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF11
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EF31
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF60
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0047EF96
Part of subcall function 0047EE3C: SetFileAttributesA.KERNEL32(00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFD6
Part of subcall function 0047EE3C: DeleteFileA.KERNEL32(00000000,00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFFF
Part of subcall function 0047EE3C: CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0047F033
Part of subcall function 0047EE3C: PlaySoundA.WINMM(00000000,00000000,00000001,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047F059
Part of subcall function 0047EE3C: CopyFileA.KERNEL32(00000000,00000000,.dcp), ref: 0047F0D1

shutdown.WSOCK32(000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F8B9

Part of subcall function 00405D40: SysFreeString.OLEAUT32(?), ref: 00405D53

Strings

PLUGIN, xrefs: 0047F527
QUICKUP, xrefs: 0047F5DD
FILEEND, xrefs: 0047F7E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00489244, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 150 Total matches: 15networkthread

Similarity

Total matches: 15
API ID: recv$ExitThreadclosesocketconnectgethostbynameinet_addrntohssendshutdownsocket
String ID: AI$DATAFLUX
API String ID: 272284131-425132630
Opcode ID: 11f7e99e0a7c1cc561ab01f1b1abb0142bfc906553ec9d79ada03e9cf39adde9
Instruction ID: 4d7be339f0e68e68ccf0b59b667884dcbebc6bd1e5886c9405f519ae2503b2a6
Opcode Fuzzy Hash: DA115B4513B9A77BE0626F943842B6265236B02E3CF498B3153B83A3C6DF41146DFA4D
Instruction Fuzzy Hash: 4d7be339f0e68e68ccf0b59b667884dcbebc6bd1e5886c9405f519ae2503b2a6

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00489441), ref: 004892BA
ntohs.WSOCK32(00000774), ref: 004892DC
inet_addr.WSOCK32(015EAA88,00000774), ref: 004892F0
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 00489308
connect.WSOCK32(00000000,00000002,00000010,015EAA88,00000774), ref: 0048932C
recv.WSOCK32(00000000,?,00000400,00000000,00000000,00000002,00000010,015EAA88,00000774), ref: 00489340

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(00000000,?,00000400,00000000,?,0048946C,?,DATAFLUX,00000000,?,00000400,00000000,00000000,00000002,00000010,015EAA88), ref: 00489399
send.WSOCK32(00000000,?,00000000,00000000), ref: 004893E3
recv.WSOCK32(00000000,?,00000400,00000000,00000000,?,00000000,00000000), ref: 004893FA
shutdown.WSOCK32(00000000,00000002,00000002,00000001,00000000,00000000,00489441), ref: 00489409
closesocket.WSOCK32(00000000,00000000,00000002,00000002,00000001,00000000,00000000,00489441), ref: 0048940F
ExitThread.KERNEL32(00000000,00000000,00000000,00000002,00000002,00000001,00000000,00000000,00489441), ref: 0048941E

Strings

DATAFLUX, xrefs: 0048934C
AI, xrefs: 0048928B

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00406A68, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 139 Total matches: 2934stringlibraryfile

Similarity

Total matches: 2934
API ID: lstrcpyn$lstrlen$FindCloseFindFirstFileGetModuleHandleGetProcAddress
String ID: GetLongPathNameA$\$[FILE]
API String ID: 3661757112-3025972186
Opcode ID: 09af6d4fb3ce890a591f7b23fb756db22e1cbc03564fc0e4437be3767da6793e
Instruction ID: b14d932b19fc4064518abdddbac2846d3fd2a245794c3c1ecc53a3c556f9407d
Opcode Fuzzy Hash: 5A0148030E08E387E1775B017586F4A12A1EF41C38E98A36025F15BAC94E00300CF12F
Instruction Fuzzy Hash: b14d932b19fc4064518abdddbac2846d3fd2a245794c3c1ecc53a3c556f9407d

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,00400000,004917C0), ref: 00406A85
GetProcAddress.KERNEL32(?,GetLongPathNameA,kernel32.dll,?,00400000,004917C0), ref: 00406A9C
lstrcpynA.KERNEL32(?,?,?,?,00400000,004917C0), ref: 00406ACC
lstrcpynA.KERNEL32(?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B30

Part of subcall function 00406A48: CharNextA.USER32(?), ref: 00406A4F

lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B66
FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B79
FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B8B
lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B97
lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000), ref: 00406BCB
lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00406BD7
lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 00406BF9

Strings

GetLongPathNameA, xrefs: 00406A93
\, xrefs: 00406BA9
kernel32.dll, xrefs: 00406A80

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486E2C, Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 178 Total matches: 14networkthreadsleep

Similarity

Total matches: 14
API ID: CloseHandleCreateThreadExitThreadLocalAllocSleepacceptbindlistenntohssocket
String ID: ERR|Cannot listen to port, try another one..|$ERR|Socket error..|$OK|Successfully started..|
API String ID: 2137491959-3262568804
Opcode ID: 90fb1963c21165c4396d73d063bf7afe9f22d057a02fd569e7e66b2d14a70f73
Instruction ID: 0fda09cc725898a8dcbc65afb209be10fac5e25cc35172c883d426d9189e88b6
Opcode Fuzzy Hash: 9011D50257DC549BD5E7ACC83887FA611625F83E8CEC8BB06AB9A3B2C10E555028B652
Instruction Fuzzy Hash: 0fda09cc725898a8dcbc65afb209be10fac5e25cc35172c883d426d9189e88b6

APIs

socket.WSOCK32(00000002,00000001,00000006,00000000,00487046), ref: 00486E87
ntohs.WSOCK32(?,00000002,00000001,00000006,00000000,00487046), ref: 00486EA8
bind.WSOCK32(00000000,00000002,00000010,?,00000002,00000001,00000006,00000000,00487046), ref: 00486EBD
listen.WSOCK32(00000000,00000005,00000000,00000002,00000010,?,00000002,00000001,00000006,00000000,00487046), ref: 00486ECD

Part of subcall function 004870D4: EnterCriticalSection.KERNEL32(0049C3A8,00000000,004872FC,?,?,00000000,?,00000003,00000000,00000000,?,00486F27,00000000,?,?,00000000), ref: 00487110
Part of subcall function 004870D4: LeaveCriticalSection.KERNEL32(0049C3A8,004872E1,004872FC,?,?,00000000,?,00000003,00000000,00000000,?,00486F27,00000000,?,?,00000000), ref: 004872D4

accept.WSOCK32(00000000,?,00000010,00000000,?,?,00000000,00000000,00000005,00000000,00000002,00000010,?,00000002,00000001,00000006), ref: 00486F37
LocalAlloc.KERNEL32(00000040,00000010,00000000,?,00000010,00000000,?,?,00000000,00000000,00000005,00000000,00000002,00000010,?,00000002), ref: 00486F49
CreateThread.KERNEL32(00000000,00000000,Function_00086918,00000000,00000000,?), ref: 00486F83
CloseHandle.KERNEL32(00000000), ref: 00486F89
Sleep.KERNEL32(00000064,00000000,00000000,00000000,Function_00086918,00000000,00000000,?,00000040,00000010,00000000,?,00000010,00000000,?,?), ref: 00486FD0

Part of subcall function 00487488: EnterCriticalSection.KERNEL32(0049C3A8,00000000,00487671,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00487016), ref: 004874B5
Part of subcall function 00487488: closesocket.WSOCK32(00000000,FpH,?,?,?,?,0049C3A8,00000000,00487671,?,?,00000000,?,00000000,00000000,00000000), ref: 0048761C
Part of subcall function 00487488: LeaveCriticalSection.KERNEL32(0049C3A8,00487656,00487671,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00487016), ref: 00487649

ExitThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000010,?,00000002,00000001,00000006,00000000,00487046), ref: 00487018

Strings

ERR|Socket error..|, xrefs: 00486FA4
OK|Successfully started..|, xrefs: 00486EEF
ERR|Cannot listen to port, try another one..|, xrefs: 00486FEE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048298C, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 119 Total matches: 11threadnetwork

Similarity

Total matches: 11
API ID: ExitThread$closesocket$connectgethostbynameinet_addrntohssocket
String ID: PortScanAdd$T)H
API String ID: 2395914352-1310557750
Opcode ID: 6c3104e507475618e3898607272650a69bca6dc046555386402c23f344340102
Instruction ID: 72399fd579b68a6a0bb22d5de318f24183f317e071505d54d2110904ee01d501
Opcode Fuzzy Hash: 1101680197ABE83FA05261C43881B8224A9AF57288CC8AFB2433A3E7C35D04300EF785
Instruction Fuzzy Hash: 72399fd579b68a6a0bb22d5de318f24183f317e071505d54d2110904ee01d501

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 004829FE
ExitThread.KERNEL32(00000000,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A0C
ntohs.WSOCK32(?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A18
inet_addr.WSOCK32(00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A2A
gethostbyname.WSOCK32(00000000,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A40
ExitThread.KERNEL32(00000000,00000000,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A4D
connect.WSOCK32(00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A63
ExitThread.KERNEL32(00000000,00000000,00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482AB2

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

closesocket.WSOCK32(00000000,?,00482B30,?,PortScanAdd,00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1), ref: 00482A9C
ExitThread.KERNEL32(00000000,00000000,?,00482B30,?,PortScanAdd,00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1), ref: 00482AA3
closesocket.WSOCK32(00000000,00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482AAB

Strings

T)H, xrefs: 004829A6, 00482AEF
PortScanAdd, xrefs: 00482A6C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004836D8, Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 99 Total matches: 11threadnetworksleep

Similarity

Total matches: 11
API ID: ExitThread$Sleepclosesocketconnectgethostbynameinet_addrntohsrecvsocket
String ID: POST /index.php/1.0Host:
API String ID: 2628901859-3522423011
Opcode ID: b04dd301db87c41df85ba2753455f3376e44383b7eb4be01a122875681284b07
Instruction ID: dc3bae1cbba1b9e51a9e3778eeee895e0839b03ccea3d6e2fe0063a405e053e2
Opcode Fuzzy Hash: E6F044005B779ABFC4611EC43C51B8205AA9353A64F85ABE2867A3AED6AD25100FF641
Instruction Fuzzy Hash: dc3bae1cbba1b9e51a9e3778eeee895e0839b03ccea3d6e2fe0063a405e053e2

APIs

socket.WSOCK32(00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 0048373A
ExitThread.KERNEL32(00000000,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 00483747
inet_addr.WSOCK32(?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 00483762
ntohs.WSOCK32(00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 0048376B
gethostbyname.WSOCK32(?,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 0048377B
ExitThread.KERNEL32(00000000,?,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 00483788
connect.WSOCK32(00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 0048379E
ExitThread.KERNEL32(00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 004837A9

Part of subcall function 00475F68: send.WSOCK32(?,00000000,?,00000000,00000000,00475FCA), ref: 00475FAF

recv.WSOCK32(00000000,?,00000400,00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ), ref: 004837C7
Sleep.KERNEL32(000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000,?), ref: 004837DF
closesocket.WSOCK32(00000000,000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000), ref: 004837E5
ExitThread.KERNEL32(00000000,00000000,000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854), ref: 004837EC

Strings

POST /index.php/1.0Host: , xrefs: 00483708

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482630, Relevance: 18.1, APIs: 12, Instructions: 116 Total matches: 16threadnetworksleep

Similarity

Total matches: 16
API ID: ExitThread$Sleepclosesocketconnectgethostbynameinet_addrntohsrecvsocket
String ID:
API String ID: 2628901859-0
Opcode ID: a3aaf1e794ac1aa69d03c8f9e66797259df72f874d13839bb17dd00c6b42194d
Instruction ID: ff6d9d03150e41bc14cdbddfb540e41f41725cc753a621d047e760d4192c390a
Opcode Fuzzy Hash: 7801D0011B764DBFC4611E846C8239311A7A763899DC5EBB1433A395D34E00202DFE46
Instruction Fuzzy Hash: ff6d9d03150e41bc14cdbddfb540e41f41725cc753a621d047e760d4192c390a

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000000,004827A8), ref: 004826CB
ExitThread.KERNEL32(00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 004826D8
inet_addr.WSOCK32(00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 004826F3
ntohs.WSOCK32(00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 004826FC
gethostbyname.WSOCK32(00000000,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 0048270C
ExitThread.KERNEL32(00000000,00000000,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 00482719
connect.WSOCK32(00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 0048272F
ExitThread.KERNEL32(00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 0048273A

Part of subcall function 004824B0: send.WSOCK32(?,?,00000400,00000000,00000000,00482542), ref: 00482525

recv.WSOCK32(00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 00482758
Sleep.KERNEL32(000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 00482770
closesocket.WSOCK32(00000000,000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000), ref: 00482776
ExitThread.KERNEL32(00000000,00000000,000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?), ref: 0048277D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004821A0, Relevance: 15.1, APIs: 10, Instructions: 112 Total matches: 15threadnetworksleep

Similarity

Total matches: 15
API ID: ExitThread$Sleepclosesocketgethostbynameinet_addrntohssendtosocket
String ID:
API String ID: 1359030137-0
Opcode ID: 9f2e935b6ee09f04cbe2534d435647e5a9c7a25d7308ce71f3340d3606cd1e00
Instruction ID: ac1de70ce42b68397a6b2ea81eb33c5fd22f812bdd7d349b67f520e68fdd8bef
Opcode Fuzzy Hash: BC0197011B76997BD8612EC42C8335325A7E363498E85ABB2863A3A5C34E00303EFD4A
Instruction Fuzzy Hash: ac1de70ce42b68397a6b2ea81eb33c5fd22f812bdd7d349b67f520e68fdd8bef

APIs

socket.WSOCK32(00000002,00000002,00000000,?,00000000,00482302), ref: 0048223B
ExitThread.KERNEL32(00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 00482248
inet_addr.WSOCK32(00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 00482263
ntohs.WSOCK32(00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 0048226C
gethostbyname.WSOCK32(00000000,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 0048227C
ExitThread.KERNEL32(00000000,00000000,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 00482289
sendto.WSOCK32(00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 004822B2
Sleep.KERNEL32(000003E8,00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 004822CA
closesocket.WSOCK32(00000000,000003E8,00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 004822D0
ExitThread.KERNEL32(00000000,00000000,000003E8,00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000), ref: 004822D7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00458910, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64 Total matches: 3020window

Similarity

Total matches: 3020
API ID: GetWindowLongScreenToClient$GetWindowPlacementGetWindowRectIsIconic
String ID: ,
API String ID: 816554555-3772416878
Opcode ID: 33713ad712eb987f005f3c933c072ce84ce87073303cb20338137d5b66c4d54f
Instruction ID: 99fb2dd3f2d8984d329dcc6a20dc6bc7800d43894b91fc45d581d88d3a180e50
Opcode Fuzzy Hash: 34E0929A777C2018C58145A80943F5DB3519B5B7FAC55DF8036902895B110018B1B86D
Instruction Fuzzy Hash: 99fb2dd3f2d8984d329dcc6a20dc6bc7800d43894b91fc45d581d88d3a180e50

APIs

IsIconic.USER32(?), ref: 0045891F
GetWindowPlacement.USER32(?,0000002C), ref: 0045893C
GetWindowRect.USER32(?), ref: 00458955
GetWindowLongA.USER32(?,000000F0), ref: 00458963
GetWindowLongA.USER32(?,000000F8), ref: 00458978
ScreenToClient.USER32(00000000), ref: 00458985
ScreenToClient.USER32(00000000,?), ref: 00458990

Strings

,, xrefs: 00458928

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043B7D8, Relevance: 12.1, APIs: 8, Instructions: 72 Total matches: 256window

Similarity

Total matches: 256
API ID: ShowWindow$SetWindowLong$GetWindowLongIsIconicIsWindowVisible
String ID:
API String ID: 1329766111-0
Opcode ID: 851ee31c2da1c7e890e66181f8fd9237c67ccb8fd941b2d55d1428457ca3ad95
Instruction ID: 2d601e2c9dde570a1438639cb57e59d23a7ac9434ebe8ec1c9926e4533b8e8e7
Opcode Fuzzy Hash: FEE0684A6E7C6CE4E26AE7048881B00514BE307A17DC00B00C722165A69E8830E4AC8E
Instruction Fuzzy Hash: 2d601e2c9dde570a1438639cb57e59d23a7ac9434ebe8ec1c9926e4533b8e8e7

APIs

GetWindowLongA.USER32(?,000000EC), ref: 0043B7E8
IsIconic.USER32(?), ref: 0043B800
IsWindowVisible.USER32(?), ref: 0043B80C
ShowWindow.USER32(?,00000000), ref: 0043B840
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B855
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B866
ShowWindow.USER32(?,00000006), ref: 0043B881
ShowWindow.USER32(?,00000005), ref: 0043B88B

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004389B4, Relevance: 10.9, APIs: 7, Instructions: 405 Total matches: 2150windowCrypto

Similarity

Total matches: 2150
API ID: RestoreDCSaveDC$DefWindowProcGetSubMenuGetWindowDC
String ID:
API String ID: 4165311318-0
Opcode ID: e3974ea3235f2bde98e421c273a503296059dbd60f3116d5136c6e7e7c4a4110
Instruction ID: 37498faecac08611daeb58a409bdd2e28f3aff22c71556953c3d6c7203dc42a1
Opcode Fuzzy Hash: E351598106AE105BFCB3A49435C3FA31002E75259BCC9F7725F65B69F70A426107FA0E
Instruction Fuzzy Hash: 37498faecac08611daeb58a409bdd2e28f3aff22c71556953c3d6c7203dc42a1

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 00438ECA

Part of subcall function 00437AE0: SendMessageA.USER32(?,00000234,00000000,00000000), ref: 00437B66
Part of subcall function 00437AE0: DrawMenuBar.USER32(00000000), ref: 00437B77

GetSubMenu.USER32(?,?), ref: 00438AB0

Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128

SaveDC.GDI32(?), ref: 00438C84
RestoreDC.GDI32(?,?), ref: 00438CF8
GetWindowDC.USER32(?), ref: 00438D72
SaveDC.GDI32(?), ref: 00438DA9
RestoreDC.GDI32(?,?), ref: 00438E16

Part of subcall function 00438594: GetMenuItemCount.USER32(?), ref: 004385C0
Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 004385E0
Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 00438678

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043E644, Relevance: 10.9, APIs: 7, Instructions: 356 Total matches: 105windowCrypto

Similarity

Total matches: 105
API ID: RestoreDCSaveDC$GetParentGetWindowDCSetFocus
String ID:
API String ID: 1433148327-0
Opcode ID: c7c51054c34f8cc51c1d37cc0cdfc3fb3cac56433bd5d750a0ee7df42f9800ec
Instruction ID: 9e67841575b56d9a11e2d3f15b67e7abce699d8469a9871b1b2609441fc85f19
Opcode Fuzzy Hash: 60514740199E7193F47720842BC3BEAB09AF79671DC40F3616BC6318877F15A21AB70B
Instruction Fuzzy Hash: 9e67841575b56d9a11e2d3f15b67e7abce699d8469a9871b1b2609441fc85f19

APIs

Part of subcall function 00448224: SetActiveWindow.USER32(?), ref: 0044823F
Part of subcall function 00448224: SetFocus.USER32(00000000), ref: 00448289

SetFocus.USER32(00000000), ref: 0043E76F

Part of subcall function 0043F4F4: SendMessageA.USER32(00000000,00000229,00000000,00000000), ref: 0043F51B

Part of subcall function 0044D2F4: GetWindowThreadProcessId.USER32(?), ref: 0044D301
Part of subcall function 0044D2F4: GetCurrentProcessId.KERNEL32(?,00000000,?,004387ED,?,004378A9), ref: 0044D30A
Part of subcall function 0044D2F4: GlobalFindAtomA.KERNEL32(00000000), ref: 0044D31F
Part of subcall function 0044D2F4: GetPropA.USER32(?,00000000), ref: 0044D336

GetParent.USER32(?), ref: 0043E78A

Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128

SaveDC.GDI32(?), ref: 0043E92D
RestoreDC.GDI32(?,?), ref: 0043E99E
GetWindowDC.USER32(00000000), ref: 0043EA0A
SaveDC.GDI32(?), ref: 0043EA41
RestoreDC.GDI32(?,?), ref: 0043EAA5

Part of subcall function 00447EF0: InvalidateRect.USER32(00000000,00000000,000000FF), ref: 00447F83
Part of subcall function 00447EF0: InvalidateRect.USER32(00000000,00000000,000000FF), ref: 00447FB6

Part of subcall function 004556F4: SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000077), ref: 004557E5
Part of subcall function 004556F4: _TrackMouseEvent.COMCTL32(00000010), ref: 00455A9D
Part of subcall function 004556F4: DefWindowProcA.USER32(00000000,?,?,?), ref: 00455AEF
Part of subcall function 004556F4: GetCapture.USER32 ref: 00455B5A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00471850, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 97 Total matches: 34service

Similarity

Total matches: 34
API ID: CloseServiceHandle$CreateServiceOpenSCManager
String ID: Description$System\CurrentControlSet\Services\
API String ID: 2405299899-3489731058
Opcode ID: 96e252074fe1f6aca618bd4c8be8348df4b99afc93868a54bf7090803d280f0a
Instruction ID: 14b9cf690ce9596509c6229b802a5a61d158de39c8e329de654368bbb4824ff8
Opcode Fuzzy Hash: 7EF09E441FA6E84FA45EB84828533D651465713A78D4C77F19778379C34E84802EF662
Instruction Fuzzy Hash: 14b9cf690ce9596509c6229b802a5a61d158de39c8e329de654368bbb4824ff8

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,00471976,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00471890
CreateServiceA.ADVAPI32(00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,0047193B), ref: 004718D1

Part of subcall function 004711E8: RegCreateKeyA.ADVAPI32(?,00000000,?), ref: 0047122E
Part of subcall function 004711E8: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000002,00000000,?,00000000,00471291), ref: 0047125A
Part of subcall function 004711E8: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000002,00000000,?,00000000,00471291), ref: 00471269

CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00471926
CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0047192C

Strings

Description, xrefs: 00471916
System\CurrentControlSet\Services\, xrefs: 004718F7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A070, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51 Total matches: 81shutdown

Similarity

Total matches: 81
API ID: AdjustTokenPrivilegesExitWindowsExGetCurrentProcessLookupPrivilegeValueOpenProcessToken
String ID: SeShutdownPrivilege
API String ID: 907618230-3733053543
Opcode ID: 6325c351eeb4cc5a7ec0039467aea46e8b54e3429b17674810d590d1af91e24f
Instruction ID: 66577e1e564058a64f67eda116e8e082f314cb3670dbe1b8773e92ba7f33d392
Opcode Fuzzy Hash: 84D0124D3B7976B1F31D5D4001C47A6711FDBA322AD61670069507725A8DA091F4BE88
Instruction Fuzzy Hash: 66577e1e564058a64f67eda116e8e082f314cb3670dbe1b8773e92ba7f33d392

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 0048A083
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0048A089
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000000), ref: 0048A0A4
AdjustTokenPrivileges.ADVAPI32(00000002,00000000,00000002,00000010,?,?,00000000), ref: 0048A0E5
ExitWindowsEx.USER32(00000012,00000000), ref: 0048A0ED

Strings

SeShutdownPrivilege, xrefs: 0048A09D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E370, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 46 Total matches: 14window

Similarity

Total matches: 14
API ID: GetWindowPlacementGetWindowRectIsIconic
String ID: MonitorFromWindow$pB
API String ID: 1187573753-2555291889
Opcode ID: b2662cef33c9ce970c581efdfdde34e0c8b40e940518fa378c404c4b73bde14f
Instruction ID: 5a6b2a18135ea14e651d4e6cb58f3d6b41c3321aed1c605d56f3d84144375520
Opcode Fuzzy Hash: E2D0977303280A045DC34844302880B2A322AD3C3188C3FE182332B3D34B8630BCCF1D
Instruction Fuzzy Hash: 5a6b2a18135ea14e651d4e6cb58f3d6b41c3321aed1c605d56f3d84144375520

APIs

IsIconic.USER32(?), ref: 0042E3B9
GetWindowPlacement.USER32(?,?), ref: 0042E3C7
GetWindowRect.USER32(?,?), ref: 0042E3D3

Part of subcall function 0042E2E0: GetSystemMetrics.USER32(00000000), ref: 0042E331
Part of subcall function 0042E2E0: GetSystemMetrics.USER32(00000001), ref: 0042E33D

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

pB, xrefs: 0042E38C, 0042E399, 0042E3A0
MonitorFromWindow, xrefs: 0042E387

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004715B0, Relevance: 7.5, APIs: 5, Instructions: 49 Total matches: 102service

Similarity

Total matches: 102
API ID: CloseServiceHandle$DeleteServiceOpenSCManagerOpenService
String ID:
API String ID: 3460840894-0
Opcode ID: edfa3289dfdb26ec1f91a4a945de349b204e0a604ed3354c303b362bde8b8223
Instruction ID: 514bcffe4070602af344c66095507f6a8d55ec3e3e7bb18c804bf3b7deea95f5
Opcode Fuzzy Hash: 01D02E841BA8F82FD4879988111239360C1AA23A90D8A37F08E08361D3ABE4004CF86A
Instruction Fuzzy Hash: 514bcffe4070602af344c66095507f6a8d55ec3e3e7bb18c804bf3b7deea95f5

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047162F), ref: 004715DB
OpenServiceA.ADVAPI32(00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 004715F5
DeleteService.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471601
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 0047160E
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471614

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474D58, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 57 Total matches: 14memoryinjection

Similarity

Total matches: 14
API ID: VirtualAllocExWriteProcessMemory
String ID: DCPERSFWBP$[FILE]
API String ID: 1899012086-3297815924
Opcode ID: 423b64deca3bc68d45fc180ef4fe9512244710ab636da43375ed106f5e876429
Instruction ID: 67bfdac44fec7567ab954589a4a4ae8848f6352de5e33de26bc6a5b7174d46b5
Opcode Fuzzy Hash: 4BD02B4149BDE17FF94C78C4A85678341A7D3173DCE802F51462633086CD94147EFCA2
Instruction Fuzzy Hash: 67bfdac44fec7567ab954589a4a4ae8848f6352de5e33de26bc6a5b7174d46b5

APIs

VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?,00000000,00000000,00000000,?,004755A7), ref: 00474D98
WriteProcessMemory.KERNEL32(?,00000000,kernel32.dll,?,?,?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?), ref: 00474DBE

Strings

DCPERSFWBP, xrefs: 00474D63
kernel32.dll, xrefs: 00474DBB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00466038, Relevance: 6.1, APIs: 4, Instructions: 80 Total matches: 74memory

Similarity

Total matches: 74
API ID: FreeLibraryGetProcessHeapHeapFreeVirtualFree
String ID:
API String ID: 3842653680-0
Opcode ID: 18c634abe08efcbefc55c9db1d620b030a08f63fe7277eb6ecf1dfb863243027
Instruction ID: c74000fe1f08e302fb3e428a7eb38cba65dd626a731774cc3da5921c0d19fb8b
Opcode Fuzzy Hash: 05E06801058482C6E4EC38C40607F0867817F8B269D70AB2809F62E7F7C985A25D5E80
Instruction Fuzzy Hash: c74000fe1f08e302fb3e428a7eb38cba65dd626a731774cc3da5921c0d19fb8b

APIs

FreeLibrary.KERNEL32(00000000,?,?,00000000,?,00000000,00465C6C), ref: 004660A7
VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,?,00000000,00465C6C), ref: 004660D8
GetProcessHeap.KERNEL32(00000000,?,?,?,00000000,?,00000000,00465C6C), ref: 004660E0
HeapFree.KERNEL32(00000000,00000000,?), ref: 004660E6

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A218, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45 Total matches: 35

Similarity

Total matches: 35
API ID: ShellExecuteEx
String ID: <$runas
API String ID: 188261505-1187129395
Opcode ID: 78fd917f465efea932f782085a819b786d64ecbded851ad2becd4a9c2b295cba
Instruction ID: 699417cfffd9d2823bf050fc300394e0ca4864bf277244f982f3937778f2d3bc
Opcode Fuzzy Hash: 44D0C2651799A06BC4A3B2C03C41B2B25307B13B48C0EB722960034CD38F080009EF85
Instruction Fuzzy Hash: 699417cfffd9d2823bf050fc300394e0ca4864bf277244f982f3937778f2d3bc

APIs

ShellExecuteExA.SHELL32(0000003C,00000000,0048A2A4), ref: 0048A283

Strings

runas, xrefs: 0048A268
<, xrefs: 0048A24C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00471640, Relevance: 4.6, APIs: 3, Instructions: 140 Total matches: 47service

Similarity

Total matches: 47
API ID: CloseServiceHandleEnumServicesStatusOpenSCManager
String ID:
API String ID: 233299287-0
Opcode ID: 185c547a2e6a35dbb7ea54b3dd23c7efef250d35a63269c87f9c499be03b9b38
Instruction ID: 4325fe5331610a1e4ee3b19dd885bf5302e7ab4f054d8126da991c50fe425a8d
Opcode Fuzzy Hash: D3112647077BC223FB612D841803F8279D84B1AA24F8C4B458BB5BC6F61E490105F69D
Instruction Fuzzy Hash: 4325fe5331610a1e4ee3b19dd885bf5302e7ab4f054d8126da991c50fe425a8d

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000005,00000000,00471828), ref: 004716A2
EnumServicesStatusA.ADVAPI32(00000000,0000013F,00000003,?,00004800,?,?,?), ref: 004716DC

Part of subcall function 004714B8: OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047159E), ref: 004714FD
Part of subcall function 004714B8: OpenServiceA.ADVAPI32(00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047152D
Part of subcall function 004714B8: StartServiceA.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471555
Part of subcall function 004714B8: ControlService.ADVAPI32(00000000,00000001,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471563
Part of subcall function 004714B8: QueryServiceStatus.ADVAPI32(00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047156D
Part of subcall function 004714B8: CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471573
Part of subcall function 004714B8: CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471579

CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000005,00000000,00471828), ref: 00471805

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004754C4, Relevance: 87.7, APIs: 29, Strings: 21, Instructions: 233 Total matches: 21libraryloaderprocess

Similarity

Total matches: 21
API ID: GetModuleHandleGetProcAddress$CreateProcess
String ID: CloseHandle$CreateMutexA$CreateProcessA$D$DCPERSFWBP$ExitThread$GetExitCodeProcess$GetLastError$GetProcAddress$LoadLibraryA$MessageBoxA$OpenProcess$SetLastError$Sleep$TerminateProcess$WaitForSingleObject$kernel32$[FILE]$notepad$user32$[FILE]
API String ID: 3751337051-3523759359
Opcode ID: 948186da047cc935dcd349cc6fe59913c298c2f7fe37e158e253dfef2729ac1f
Instruction ID: 4cc698827aad1f96db961776656dbb42e561cfa105640199e72939f2d3a7da76
Opcode Fuzzy Hash: 0C31B4E666B8F349E6362E4830D46BC26C1A687F3DB52D7004A37B27C46E810407F776
Instruction Fuzzy Hash: 4cc698827aad1f96db961776656dbb42e561cfa105640199e72939f2d3a7da76

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 00475590

Part of subcall function 00474D58: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?,00000000,00000000,00000000,?,004755A7), ref: 00474D98
Part of subcall function 00474D58: WriteProcessMemory.KERNEL32(?,00000000,kernel32.dll,?,?,?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?), ref: 00474DBE

GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756B4
GetProcAddress.KERNEL32(00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756BA
GetModuleHandleA.KERNEL32(kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756CB
GetProcAddress.KERNEL32(00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756D1
GetModuleHandleA.KERNEL32(kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756E3
GetProcAddress.KERNEL32(00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 004756E9
GetModuleHandleA.KERNEL32(user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 004756FB
GetProcAddress.KERNEL32(00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 00475701
GetModuleHandleA.KERNEL32(kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 00475713
GetProcAddress.KERNEL32(00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000), ref: 00475719
GetModuleHandleA.KERNEL32(kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32), ref: 0047572B
GetProcAddress.KERNEL32(00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000), ref: 00475731
GetModuleHandleA.KERNEL32(kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32), ref: 00475743
GetProcAddress.KERNEL32(00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000), ref: 00475749
GetModuleHandleA.KERNEL32(kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32), ref: 0047575B
GetProcAddress.KERNEL32(00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000), ref: 00475761
GetModuleHandleA.KERNEL32(kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32), ref: 00475773
GetProcAddress.KERNEL32(00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000), ref: 00475779
GetModuleHandleA.KERNEL32(kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32), ref: 0047578B
GetProcAddress.KERNEL32(00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000), ref: 00475791
GetModuleHandleA.KERNEL32(kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32), ref: 004757A3
GetProcAddress.KERNEL32(00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000), ref: 004757A9
GetModuleHandleA.KERNEL32(kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32), ref: 004757BB
GetProcAddress.KERNEL32(00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000), ref: 004757C1
GetModuleHandleA.KERNEL32(kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32), ref: 004757D3
GetProcAddress.KERNEL32(00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000), ref: 004757D9
GetModuleHandleA.KERNEL32(kernel32,OpenProcess,00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32), ref: 004757EB
GetProcAddress.KERNEL32(00000000,kernel32,OpenProcess,00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000), ref: 004757F1

Part of subcall function 00474E20: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00474E5E
Part of subcall function 00474E20: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00474E6E
Part of subcall function 00474E20: ReadProcessMemory.KERNEL32(?,00000000,?,?,?,DCPERSFWBP,?,?), ref: 00474E81

Part of subcall function 0040F234: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0048F90F,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040F24B

Strings

ExitThread, xrefs: 00475622, 00475799
kernel32, xrefs: 004756AF, 004756C6, 004756DE, 0047570E, 00475726, 0047573E, 00475756, 0047576E, 00475786, 0047579E, 004757B6, 004757CE, 004757E6
GetProcAddress, xrefs: 004756C1
TerminateProcess, xrefs: 0047564C, 004757B1
notepad, xrefs: 00475543
CreateMutexA, xrefs: 00475604, 00475769
kernel32.dll, xrefs: 0047559B
user32.dll, xrefs: 004755AA
SetLastError, xrefs: 004755F5, 00475751
D, xrefs: 00475517
DCPERSFWBP, xrefs: 00475563
Sleep, xrefs: 004755B9, 004756D9
GetExitCodeProcess, xrefs: 0047565B, 00475781
user32, xrefs: 004756F6
WaitForSingleObject, xrefs: 0047567E, 004757C9
LoadLibraryA, xrefs: 004756AA
OpenProcess, xrefs: 00475631, 004757E1
MessageBoxA, xrefs: 004755C8, 004756F1
CreateProcessA, xrefs: 004755D7, 00475721
GetLastError, xrefs: 004755E6, 00475739
CloseHandle, xrefs: 00475613, 00475709

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474F80, Relevance: 68.4, APIs: 23, Strings: 16, Instructions: 193 Total matches: 16libraryloaderprocess

Similarity

Total matches: 16
API ID: GetModuleHandleGetProcAddress$CreateProcess
String ID: CloseHandle$D$DeleteFileA$ExitThread$GetExitCodeProcess$GetLastError$GetProcAddress$LoadLibraryA$MessageBoxA$OpenProcess$Sleep$TerminateProcess$kernel32$[FILE]$notepad$[FILE]
API String ID: 3751337051-1992750546
Opcode ID: f3e5bd14b9eca4547e1d82111e60eaf505a3b72a2acd12d9f4d60f775fac33f7
Instruction ID: 521cd1f5f1d68558a350981a4af58b67496248f6491df8a54ee4dd11dd84c66b
Opcode Fuzzy Hash: 6C21A7BE2678E349F6766E1834D567C2491BA46A38B4AEB010237376C44F91000BFF76
Instruction Fuzzy Hash: 521cd1f5f1d68558a350981a4af58b67496248f6491df8a54ee4dd11dd84c66b

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0047500B

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

Part of subcall function 00474D58: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?,00000000,00000000,00000000,?,004755A7), ref: 00474D98
Part of subcall function 00474D58: WriteProcessMemory.KERNEL32(?,00000000,kernel32.dll,?,?,?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?), ref: 00474DBE

GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000,00475246), ref: 0047511C
GetProcAddress.KERNEL32(00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000,00475246), ref: 00475122
GetModuleHandleA.KERNEL32(kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000), ref: 00475133
GetProcAddress.KERNEL32(00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 00475139
GetModuleHandleA.KERNEL32(kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000), ref: 0047514B
GetProcAddress.KERNEL32(00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000), ref: 00475151
GetModuleHandleA.KERNEL32(kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000), ref: 00475163
GetProcAddress.KERNEL32(00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000), ref: 00475169
GetModuleHandleA.KERNEL32(kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000), ref: 0047517B
GetProcAddress.KERNEL32(00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000), ref: 00475181
GetModuleHandleA.KERNEL32(kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32), ref: 00475193
GetProcAddress.KERNEL32(00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000), ref: 00475199
GetModuleHandleA.KERNEL32(kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32), ref: 004751AB
GetProcAddress.KERNEL32(00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000), ref: 004751B1
GetModuleHandleA.KERNEL32(kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32), ref: 004751C3
GetProcAddress.KERNEL32(00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000), ref: 004751C9
GetModuleHandleA.KERNEL32(kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32), ref: 004751DB
GetProcAddress.KERNEL32(00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000), ref: 004751E1
GetModuleHandleA.KERNEL32(kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32), ref: 004751F3
GetProcAddress.KERNEL32(00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000), ref: 004751F9
GetModuleHandleA.KERNEL32(kernel32,GetExitCodeProcess,00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32), ref: 0047520B
GetProcAddress.KERNEL32(00000000,kernel32,GetExitCodeProcess,00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000), ref: 00475211

Part of subcall function 00474E20: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00474E5E
Part of subcall function 00474E20: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00474E6E
Part of subcall function 00474E20: ReadProcessMemory.KERNEL32(?,00000000,?,?,?,DCPERSFWBP,?,?), ref: 00474E81

Part of subcall function 0040F234: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0048F90F,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040F24B

Strings

DeleteFileA, xrefs: 0047509B, 00475189
user32.dll, xrefs: 0047505F
LoadLibraryA, xrefs: 00475112
Sleep, xrefs: 0047506E, 00475141
notepad, xrefs: 00475025
OpenProcess, xrefs: 004750D7, 004751E9
kernel32.dll, xrefs: 00475050
GetProcAddress, xrefs: 00475129
ExitThread, xrefs: 0047508C, 00475171
TerminateProcess, xrefs: 004750B9, 004751B9
kernel32, xrefs: 00475117, 0047512E, 00475146, 0047515E, 00475176, 0047518E, 004751A6, 004751BE, 004751D6, 004751EE, 00475206
MessageBoxA, xrefs: 0047507D, 00475159
CloseHandle, xrefs: 004750C8, 004751D1
GetLastError, xrefs: 004750AA, 004751A1
GetExitCodeProcess, xrefs: 004750E6, 00475201
D, xrefs: 00474FC9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045D6E8, Relevance: 49.1, APIs: 15, Strings: 13, Instructions: 95 Total matches: 1532libraryloader

Similarity

Total matches: 1532
API ID: GetProcAddress$SetErrorMode$GetModuleHandleLoadLibrary
String ID: ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME$[FILE]
API String ID: 4285671783-683095915
Opcode ID: 6332f91712b4189a2fbf9eac54066364acf4b46419cf90587b9f7381acad85db
Instruction ID: 372e34bc737a7edc69a1909bd40661afaf820c1de602df88552da6e630419b72
Opcode Fuzzy Hash: 0A01257F24D863CBD2D0CE4934DB39D20B65787C0C8D6DF404605318697F9BF9295A68
Instruction Fuzzy Hash: 372e34bc737a7edc69a1909bd40661afaf820c1de602df88552da6e630419b72

APIs

SetErrorMode.KERNEL32(00008000), ref: 0045D701
GetModuleHandleA.KERNEL32(USER32,00000000,0045D84E,?,00008000), ref: 0045D725
GetProcAddress.KERNEL32(00000000,WINNLSEnableIME,USER32,00000000,0045D84E,?,00008000), ref: 0045D732
LoadLibraryA.KERNEL32(imm32.dll), ref: 0045D74E
GetProcAddress.KERNEL32(00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D770
GetProcAddress.KERNEL32(00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D785
GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D79A
GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7AF
GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7C4
GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E), ref: 0045D7D9
GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000), ref: 0045D7EE
GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext), ref: 0045D803
GetProcAddress.KERNEL32(00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext), ref: 0045D818
GetProcAddress.KERNEL32(00000000,ImmNotifyIME,00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus), ref: 0045D82D
SetErrorMode.KERNEL32(?,0045D855,00008000), ref: 0045D848

Strings

USER32, xrefs: 0045D720
ImmReleaseContext, xrefs: 0045D77A
ImmNotifyIME, xrefs: 0045D822
ImmIsIME, xrefs: 0045D80D
ImmGetConversionStatus, xrefs: 0045D78F
ImmSetCompositionFontA, xrefs: 0045D7E3
ImmGetCompositionStringA, xrefs: 0045D7F8
ImmSetCompositionWindow, xrefs: 0045D7CE
ImmGetContext, xrefs: 0045D765
imm32.dll, xrefs: 0045D749
ImmSetOpenStatus, xrefs: 0045D7B9
WINNLSEnableIME, xrefs: 0045D72C
ImmSetConversionStatus, xrefs: 0045D7A4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004104F0, Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141 Total matches: 3143

Similarity

Total matches: 3143
API ID: GetModuleHandle
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$[FILE]
API String ID: 2196120668-1102361026
Opcode ID: d04b3c176625d43589df9c4c1eaa1faa8af9b9c00307a8a09859a0e62e75f2dc
Instruction ID: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6
Opcode Fuzzy Hash: B8119E48E06A10BC356E3ED6B0292683F50A1A7CBF31D5388487AA46F067C083C0FF2D
Instruction Fuzzy Hash: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 004104F9

Part of subcall function 004104C4: GetProcAddress.KERNEL32(00000000), ref: 004104DD

Strings

VarMod, xrefs: 004105B7
VarBstrFromCy, xrefs: 004106A9
VarBstrFromBool, xrefs: 004106D5
VarAnd, xrefs: 004105CD
VarDateFromStr, xrefs: 00410667
oleaut32.dll, xrefs: 004104F4
VariantChangeTypeEx, xrefs: 00410507
VarCmp, xrefs: 0041060F
VarBstrFromDate, xrefs: 004106BF
VarBoolFromStr, xrefs: 00410693
VarR8FromStr, xrefs: 00410651
VarR4FromStr, xrefs: 0041063B
VarDiv, xrefs: 0041058B
VarSub, xrefs: 0041055F
VarNeg, xrefs: 0041051D
VarAdd, xrefs: 00410549
VarOr, xrefs: 004105E3
VarMul, xrefs: 00410575
VarI4FromStr, xrefs: 00410625
VarCyFromStr, xrefs: 0041067D
VarIdiv, xrefs: 004105A1
VarXor, xrefs: 004105F9
VarNot, xrefs: 00410533

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00489580, Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 221 Total matches: 17pipewindowsleep

Similarity

Total matches: 17
API ID: CloseHandleCreatePipePeekNamedPipe$CreateProcessDispatchMessageGetEnvironmentVariableGetExitCodeProcessOemToCharPeekMessageReadFileSleepTerminateProcessTranslateMessage
String ID: COMSPEC$D
API String ID: 4101216710-942777791
Opcode ID: 98b6063c36b7c4f9ee270a2712a57a54142ac9cf893dea9da1c9317ddc3726ed
Instruction ID: f750be379b028122e82cf807415e9f3aafae13f02fb218c552ebf65ada2f023f
Opcode Fuzzy Hash: 6221AE4207BD57A3E5972A046403B841372FF43A68F6CA7A2A6FD367E9CE400099FE14
Instruction Fuzzy Hash: f750be379b028122e82cf807415e9f3aafae13f02fb218c552ebf65ada2f023f

APIs

CreatePipe.KERNEL32(FFFFFFFF,?,00000000,00000000), ref: 004895ED
CreatePipe.KERNEL32(?,?,00000000,00000000,FFFFFFFF,?,00000000,00000000), ref: 004895FD
GetEnvironmentVariableA.KERNEL32(COMSPEC,?,00000104,?,?,00000000,00000000,FFFFFFFF,?,00000000,00000000), ref: 00489613
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?), ref: 00489668
Sleep.KERNEL32(000007D0,00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,COMSPEC,?,00000104,?,?), ref: 00489685
TranslateMessage.USER32(?), ref: 00489693
DispatchMessageA.USER32(?), ref: 0048969F
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004896B3
GetExitCodeProcess.KERNEL32(?,?), ref: 004896C8
PeekNamedPipe.KERNEL32(FFFFFFFF,00000000,00000000,00000000,?,00000000,?,?,?,00000000,00000000,00000000,00000001,?,?,?), ref: 004896F2
ReadFile.KERNEL32(FFFFFFFF,?,00002400,00000000,00000000), ref: 00489717
OemToCharA.USER32(?,?), ref: 0048972E
PeekNamedPipe.KERNEL32(FFFFFFFF,00000000,00000000,00000000,00000000,00000000,?,FFFFFFFF,?,00002400,00000000,00000000,FFFFFFFF,00000000,00000000,00000000), ref: 00489781

Part of subcall function 0041FA34: GetLastError.KERNEL32(00486514,00000004,0048650C,00000000,0041FADE,?,00499F5C), ref: 0041FA94

Part of subcall function 0041FC40: SetThreadPriority.KERNEL32(?,015CDB28,00499F5C,?,0047EC9E,?,?,?,00000000,00000000,?,0049062B), ref: 0041FC55

Part of subcall function 0041FEF0: ResumeThread.KERNEL32(?,00499F5C,?,0047ECAA,?,?,?,00000000,00000000,?,0049062B), ref: 0041FEF8

Part of subcall function 0041FF20: GetCurrentThreadId.KERNEL32 ref: 0041FF2E
Part of subcall function 0041FF20: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0041FF5A
Part of subcall function 0041FF20: MsgWaitForMultipleObjects.USER32(00000002,?,00000000,000003E8,00000040), ref: 0041FF6F
Part of subcall function 0041FF20: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041FF9C
Part of subcall function 0041FF20: GetExitCodeThread.KERNEL32(?,?,?,000000FF), ref: 0041FFA7

TerminateProcess.KERNEL32(?,00000000,00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,COMSPEC,?,00000104,?), ref: 0048980A
CloseHandle.KERNEL32(?), ref: 00489813
CloseHandle.KERNEL32(?), ref: 0048981C

Strings

D, xrefs: 00489627
COMSPEC, xrefs: 0048960E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00472E88, Relevance: 26.4, APIs: 6, Strings: 9, Instructions: 199 Total matches: 19network

Similarity

Total matches: 19
API ID: inet_ntoa$WSAIoctlclosesocketsocket
String ID: Broadcast adress : $ Broadcasts : NO$ Broadcasts : YES$ IP : $ IP Mask : $ Loopback interface$ Network interface$ Status : DOWN$ Status : UP
API String ID: 2271367613-1810517698
Opcode ID: 3d4dbe25dc82bdd7fd028c6f91bddee7ad6dc1d8a686e5486e056cbc58026438
Instruction ID: 018b2a24353d4e3a07e7e79b390110fecb7011e72bd4e8fb6250bb24c4a02172
Opcode Fuzzy Hash: E22138C22338E1B2D42A39C6B500F80B651671FB7EF481F9652B6FFDC26E488005A749
Instruction Fuzzy Hash: 018b2a24353d4e3a07e7e79b390110fecb7011e72bd4e8fb6250bb24c4a02172

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00473108), ref: 00472EC7
WSAIoctl.WS2_32(000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000), ref: 00472F08
inet_ntoa.WSOCK32(?,00000000,004730D5,?,00000002,00000001,00000000,00000000,00473108), ref: 00472F40
inet_ntoa.WSOCK32(?,00473130,?, IP : ,?,?,00000000,004730D5,?,00000002,00000001,00000000,00000000,00473108), ref: 00472F81
inet_ntoa.WSOCK32(?,00473130,?, IP Mask : ,?,?,00473130,?, IP : ,?,?,00000000,004730D5,?,00000002,00000001), ref: 00472FC2
closesocket.WSOCK32(000000FF,00000002,00000001,00000000,00000000,00473108), ref: 004730E3

Strings

Broadcast adress : , xrefs: 00472FCB
Status : UP, xrefs: 00473001
IP Mask : , xrefs: 00472F8A
Broadcasts : NO, xrefs: 00473057
Status : DOWN, xrefs: 0047301B
IP : , xrefs: 00472F49
Broadcasts : YES, xrefs: 0047303D
Network interface, xrefs: 00473091
Loopback interface, xrefs: 00473077

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045944C, Relevance: 25.8, APIs: 17, Instructions: 258 Total matches: 99

Similarity

Total matches: 99
API ID: OffsetRect$MapWindowPoints$DrawEdgeExcludeClipRectFillRectGetClientRectGetRgnBoxGetWindowDCGetWindowLongGetWindowRectInflateRectIntersectClipRectIntersectRectReleaseDC
String ID:
API String ID: 549690890-0
Opcode ID: 4a5933c45267f4417683cc1ac528043082b1f46eca0dcd21c58a50742ec4aa88
Instruction ID: 2ecbe6093ff51080a4fa1a6c7503b414327ded251fe39163baabcde2d7402924
Opcode Fuzzy Hash: DE316B4D01AF1663F073A6401983F7A1516FF43A89CD837F27EE63235E27662066AA03
Instruction Fuzzy Hash: 2ecbe6093ff51080a4fa1a6c7503b414327ded251fe39163baabcde2d7402924

APIs

GetWindowDC.USER32(00000000), ref: 00459480
GetClientRect.USER32(00000000,?), ref: 004594A3
GetWindowRect.USER32(00000000,?), ref: 004594B5
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 004594CB
OffsetRect.USER32(?,?,?), ref: 004594E0
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 004594F9
InflateRect.USER32(?,00000000,00000000), ref: 00459517
GetWindowLongA.USER32(00000000,000000F0), ref: 00459531
DrawEdge.USER32(?,?,?,00000008), ref: 00459630
IntersectClipRect.GDI32(?,?,?,?,?), ref: 00459649
OffsetRect.USER32(?,?,?), ref: 00459673
GetRgnBox.GDI32(?,?), ref: 00459682
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 00459698
IntersectRect.USER32(?,?,?), ref: 004596A9
OffsetRect.USER32(?,?,?), ref: 004596BE

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?,00000000), ref: 004596DA
ReleaseDC.USER32(00000000,?), ref: 004596F9

Part of subcall function 004328FC: GetWindowLongA.USER32(00000000,000000EC), ref: 00432917
Part of subcall function 004328FC: GetWindowRect.USER32(00000000,?), ref: 00432932
Part of subcall function 004328FC: OffsetRect.USER32(?,?,?), ref: 00432947
Part of subcall function 004328FC: GetWindowDC.USER32(00000000), ref: 00432955
Part of subcall function 004328FC: GetWindowLongA.USER32(00000000,000000F0), ref: 00432986
Part of subcall function 004328FC: GetSystemMetrics.USER32(00000002), ref: 0043299B
Part of subcall function 004328FC: GetSystemMetrics.USER32(00000003), ref: 004329A4
Part of subcall function 004328FC: InflateRect.USER32(?,000000FE,000000FE), ref: 004329B3
Part of subcall function 004328FC: GetSysColorBrush.USER32(0000000F), ref: 004329E0
Part of subcall function 004328FC: FillRect.USER32(?,?,00000000), ref: 004329EE
Part of subcall function 004328FC: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00432A13
Part of subcall function 004328FC: ReleaseDC.USER32(00000000,?), ref: 00432A51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00465A0C, Relevance: 21.2, APIs: 6, Strings: 8, Instructions: 232 Total matches: 70memory

Similarity

Total matches: 70
API ID: VirtualAlloc$GetProcessHeapHeapAlloc
String ID: BTMemoryLoadLibary: BuildImportTable failed$BTMemoryLoadLibary: Can't attach library$BTMemoryLoadLibary: Get DLLEntyPoint failed$BTMemoryLoadLibary: IMAGE_NT_SIGNATURE is not valid$BTMemoryLoadLibary: VirtualAlloc failed$BTMemoryLoadLibary: dll dos header is not valid$MZ$PE
API String ID: 2488116186-3631919656
Opcode ID: 3af931fd5e956d794d4d8b2d9451c0c23910b02d2e1f96ee73557f06256af9ed
Instruction ID: 5201b0f892773e34eb121d15694a5594f27085db04a31d88d5a3aa16cfd2fb7b
Opcode Fuzzy Hash: C92170831B68E1B7FD6411983983F62168EE747E64EC5A7700375391DB6B09408DEB4E
Instruction Fuzzy Hash: 5201b0f892773e34eb121d15694a5594f27085db04a31d88d5a3aa16cfd2fb7b

APIs

VirtualAlloc.KERNEL32(?,?,00002000,00000004), ref: 00465AC1
VirtualAlloc.KERNEL32(00000000,?,00002000,00000004,?,?,00002000,00000004), ref: 00465ADC
GetProcessHeap.KERNEL32(00000000,00000011,?,?,00002000,00000004), ref: 00465B07
HeapAlloc.KERNEL32(00000000,00000000,00000011,?,?,00002000,00000004), ref: 00465B0D
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,00000000,00000000,00000011,?,?,00002000,00000004), ref: 00465B41
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,00000000,?,00001000,00000004,00000000,00000000,00000011,?,?,00002000,00000004), ref: 00465B55

Part of subcall function 004653A8: VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00465410
Part of subcall function 004653A8: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004), ref: 0046545B

Part of subcall function 00465598: LoadLibraryA.KERNEL32(00000000), ref: 00465607
Part of subcall function 00465598: GetProcAddress.KERNEL32(?,?), ref: 00465737
Part of subcall function 00465598: GetProcAddress.KERNEL32(?,?), ref: 0046576B
Part of subcall function 00465598: IsBadReadPtr.KERNEL32(?,00000014,00000000,004657D8), ref: 004657A9

Part of subcall function 004658F4: VirtualFree.KERNEL32(?,?,00004000), ref: 00465939
Part of subcall function 004658F4: VirtualProtect.KERNEL32(?,?,00000000,?), ref: 004659A5

Part of subcall function 00466038: FreeLibrary.KERNEL32(00000000,?,?,00000000,?,00000000,00465C6C), ref: 004660A7
Part of subcall function 00466038: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,?,00000000,00465C6C), ref: 004660D8
Part of subcall function 00466038: GetProcessHeap.KERNEL32(00000000,?,?,?,00000000,?,00000000,00465C6C), ref: 004660E0
Part of subcall function 00466038: HeapFree.KERNEL32(00000000,00000000,?), ref: 004660E6

Strings

BTMemoryLoadLibary: BuildImportTable failed, xrefs: 00465BD5
BTMemoryLoadLibary: Can't attach library, xrefs: 00465C5A
BTMemoryLoadLibary: IMAGE_NT_SIGNATURE is not valid, xrefs: 00465A95
BTMemoryLoadLibary: VirtualAlloc failed, xrefs: 00465AEC
PE, xrefs: 00465A84
BTMemoryLoadLibary: dll dos header is not valid, xrefs: 00465A4E
MZ, xrefs: 00465A41
BTMemoryLoadLibary: Get DLLEntyPoint failed, xrefs: 00465C28

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004296E0, Relevance: 21.2, APIs: 14, Instructions: 217 Total matches: 2962window

Similarity

Total matches: 2962
API ID: GetDeviceCapsSelectObjectSelectPaletteSetStretchBltMode$CreateCompatibleDCDeleteDCGetBrushOrgExRealizePaletteSetBrushOrgExStretchBlt
String ID:
API String ID: 3308931694-0
Opcode ID: c4f23efe5e20e7f72d9787206ae9d4d4484ef6a1768b369050ebc0ce3d21af64
Instruction ID: 6e80a75276815f297b150d1899ec2451361d21afa1efcd092d0d7bc48a04164e
Opcode Fuzzy Hash: 2C21980A409CEB6BF0BB78840183F4A2285BF9B34ACD1BB210E64673635F04E40BD65F
Instruction Fuzzy Hash: 6e80a75276815f297b150d1899ec2451361d21afa1efcd092d0d7bc48a04164e

APIs

Part of subcall function 00429D5C: GetDC.USER32(00000000), ref: 00429DB2
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429DC7
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00429DD1
Part of subcall function 00429D5C: CreateHalftonePalette.GDI32(00000000), ref: 00429DF5
Part of subcall function 00429D5C: ReleaseDC.USER32(00000000,00000000), ref: 00429E00

SelectPalette.GDI32(?,?,000000FF), ref: 00429723
RealizePalette.GDI32(?), ref: 00429732
GetDeviceCaps.GDI32(?,0000000C), ref: 00429744
GetDeviceCaps.GDI32(?,0000000E), ref: 00429753
GetBrushOrgEx.GDI32(?,?), ref: 00429786
SetStretchBltMode.GDI32(?,00000004), ref: 00429794
SetBrushOrgEx.GDI32(?,?,?,?), ref: 004297AC
SetStretchBltMode.GDI32(00000000,00000003), ref: 004297C9
SelectPalette.GDI32(?,?,000000FF), ref: 00429918

Part of subcall function 00429CFC: DeleteObject.GDI32(?), ref: 00429D1F

CreateCompatibleDC.GDI32(00000000), ref: 0042982A
SelectObject.GDI32(?,?), ref: 0042983F

Part of subcall function 00425CC8: CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 00425D0B
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425D20
Part of subcall function 00425CC8: MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,CCAA0029), ref: 00425D64
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425D7E
Part of subcall function 00425CC8: DeleteObject.GDI32(?), ref: 00425D8A
Part of subcall function 00425CC8: CreateCompatibleDC.GDI32(00000000), ref: 00425D9E
Part of subcall function 00425CC8: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00425DBF
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425DD4
Part of subcall function 00425CC8: SelectPalette.GDI32(?,48080787,00000000), ref: 00425DE8
Part of subcall function 00425CC8: SelectPalette.GDI32(?,?,00000000), ref: 00425DFA
Part of subcall function 00425CC8: SelectPalette.GDI32(?,00000000,000000FF), ref: 00425E0F
Part of subcall function 00425CC8: SelectPalette.GDI32(?,48080787,000000FF), ref: 00425E25
Part of subcall function 00425CC8: RealizePalette.GDI32(?), ref: 00425E31
Part of subcall function 00425CC8: StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 00425E53
Part of subcall function 00425CC8: StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 00425E75
Part of subcall function 00425CC8: SetTextColor.GDI32(?,00000000), ref: 00425E7D
Part of subcall function 00425CC8: SetBkColor.GDI32(?,00FFFFFF), ref: 00425E8B
Part of subcall function 00425CC8: StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 00425EB7
Part of subcall function 00425CC8: StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 00425EDC
Part of subcall function 00425CC8: SetTextColor.GDI32(?,?), ref: 00425EE6
Part of subcall function 00425CC8: SetBkColor.GDI32(?,?), ref: 00425EF0
Part of subcall function 00425CC8: SelectObject.GDI32(?,00000000), ref: 00425F03
Part of subcall function 00425CC8: DeleteObject.GDI32(?), ref: 00425F0C
Part of subcall function 00425CC8: SelectPalette.GDI32(?,00000000,00000000), ref: 00425F2E
Part of subcall function 00425CC8: DeleteDC.GDI32(?), ref: 00425F37

SelectObject.GDI32(?,00000000), ref: 0042989E
DeleteDC.GDI32(00000000), ref: 004298AD
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,?), ref: 004298F3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474208, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 49 Total matches: 17libraryloader

Similarity

Total matches: 17
API ID: GetProcAddress$LoadLibrary
String ID: WlanCloseHandle$WlanEnumInterfaces$WlanGetAvailableNetworkList$WlanOpenHandle$WlanQueryInterface$[FILE]
API String ID: 2209490600-3498334979
Opcode ID: 5146edb54a207047eae4574c9a27975307ac735bfb4468aea4e07443cdf6e803
Instruction ID: f89292433987c39bc7d9e273a1951c9a278ebb56a2de24d0a3e4590a01f53334
Opcode Fuzzy Hash: 50E0B6FD90BAA808D37089CC31962431D6E7BE332DA621E00086A230902B4FF2766935
Instruction Fuzzy Hash: f89292433987c39bc7d9e273a1951c9a278ebb56a2de24d0a3e4590a01f53334

APIs

LoadLibraryA.KERNEL32(wlanapi.dll), ref: 00474216
GetProcAddress.KERNEL32(00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 0047422E
GetProcAddress.KERNEL32(00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 00474249
GetProcAddress.KERNEL32(00000000,WlanEnumInterfaces,00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 00474264
GetProcAddress.KERNEL32(00000000,WlanQueryInterface,00000000,WlanEnumInterfaces,00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 0047427F
GetProcAddress.KERNEL32(00000000,WlanGetAvailableNetworkList,00000000,WlanQueryInterface,00000000,WlanEnumInterfaces,00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 0047429A

Strings

WlanOpenHandle, xrefs: 00474226
wlanapi.dll, xrefs: 00474211
WlanGetAvailableNetworkList, xrefs: 00474292
WlanQueryInterface, xrefs: 00474277
WlanEnumInterfaces, xrefs: 0047425C
WlanCloseHandle, xrefs: 00474241

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048D3C4, Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 132 Total matches: 32

Similarity

Total matches: 32
API ID: GetVersionEx
String ID: Unknow$Windows 2000$Windows 7$Windows 95$Windows 98$Windows Me$Windows NT 4.0$Windows Server 2003$Windows Vista$Windows XP
API String ID: 3908303307-3783844371
Opcode ID: 7b5a5832e5fd12129a8a2e2906a492b9449b8df28a17af9cc2e55bced20de565
Instruction ID: b844ed6b70e0e94de659292c354b68b9ed016400ab421bcb6baea74a0809c2ae
Opcode Fuzzy Hash: 0C11ACC1EB6CE422E7B219486410BD59E805F8B83AFCCC343D63EA83E46D491419F22D
Instruction Fuzzy Hash: b844ed6b70e0e94de659292c354b68b9ed016400ab421bcb6baea74a0809c2ae

APIs

GetVersionExA.KERNEL32(00000094), ref: 0048D410

Strings

Windows Me, xrefs: 0048D4F2
Windows NT 4.0, xrefs: 0048D441
Windows 2000, xrefs: 0048D467
Windows 95, xrefs: 0048D4D6
Windows 7, xrefs: 0048D4B1
Unknow, xrefs: 0048D3F5
Windows Vista, xrefs: 0048D4A3
Windows Server 2003, xrefs: 0048D486
Windows XP, xrefs: 0048D478
Windows 98, xrefs: 0048D4E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C494, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 102 Total matches: 27filememorythread

Similarity

Total matches: 27
API ID: CloseHandle$CreateFileCreateThreadFindResourceLoadResourceLocalAllocLockResourceSizeofResourceWriteFile
String ID: [FILE]
API String ID: 67866216-124780900
Opcode ID: 96c988e38e59b89ff17cc2eaece477f828ad8744e4a6eccd5192cfbc043553d8
Instruction ID: 630cc112895e8414539e3ba5b7ba0394fd4404f3832c6fa9d37db38bf09270f9
Opcode Fuzzy Hash: D5F02B8A57A5E6A3F0003C841D423D286D55B13B20E582B62C57CB75C1FE24502AFB03
Instruction Fuzzy Hash: 630cc112895e8414539e3ba5b7ba0394fd4404f3832c6fa9d37db38bf09270f9

APIs

FindResourceA.KERNEL32(00000000,?,?), ref: 0048C4C3

Part of subcall function 00489BB0: GetTempPathA.KERNEL32(?,00000000), ref: 00489BEC

CreateFileA.KERNEL32(00000000,.dll,?,?,40000000,00000002,00000000), ref: 0048C50F
SizeofResource.KERNEL32(00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC,?,?,?,?,00000000,00000000,00000000), ref: 0048C51F
LoadResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C528
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C52E
WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0048C535
CloseHandle.KERNEL32(00000000), ref: 0048C53B
LocalAlloc.KERNEL32(00000040,00000004,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C544
CreateThread.KERNEL32(00000000,00000000,0048C3E4,00000000,00000000,?), ref: 0048C586
CloseHandle.KERNEL32(00000000), ref: 0048C58C

Strings

.dll, xrefs: 0048C4F4, 0048C565

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004085D4, Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 61 Total matches: 268windowregistry

Similarity

Total matches: 268
API ID: RegisterWindowMessage$SendMessage$FindWindow
String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
API String ID: 773075572-3736581797
Opcode ID: b8d29d158da692a3f30c7c46c0fd30bc084ed528be5294db655e4684b6c0c80f
Instruction ID: 4e75a9db2a85290b2bd165713cc3b8ab264a87c6022b985514cebb886d0c2653
Opcode Fuzzy Hash: E3E086048EC5E4C040877D156905746525A5B47E33E88971245FC69EEBDF12706CF60B
Instruction Fuzzy Hash: 4e75a9db2a85290b2bd165713cc3b8ab264a87c6022b985514cebb886d0c2653

APIs

FindWindowA.USER32(MouseZ,Magellan MSWHEEL), ref: 004085EC
RegisterWindowMessageA.USER32(MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 004085F8
RegisterWindowMessageA.USER32(MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 00408607
RegisterWindowMessageA.USER32(MSH_SCROLL_LINES_MSG,MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 00408613
SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 0040862B
SendMessageA.USER32(00000000,?,00000000,00000000), ref: 0040864F

Strings

MSH_SCROLL_LINES_MSG, xrefs: 0040860E
MSH_WHEELSUPPORT_MSG, xrefs: 00408602
MouseZ, xrefs: 004085E7
Magellan MSWHEEL, xrefs: 004085E2
MSWHEEL_ROLLMSG, xrefs: 004085F3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00442280, Relevance: 18.5, APIs: 12, Instructions: 471 Total matches: 76window

Similarity

Total matches: 76
API ID: ShowWindow$SendMessageSetWindowPos$CallWindowProcGetActiveWindowSetActiveWindow
String ID:
API String ID: 1078102291-0
Opcode ID: 5a6bc4dc446307c7628f18d730adac2faaaadfe5fec0ff2c8aaad915570e293a
Instruction ID: d2d7a330045c082ee8847ac264425c59ea8f05af409e416109ccbd6a8a647aa5
Opcode Fuzzy Hash: AA512601698E2453F8A360442A87BAB6077F74EB54CC4AB744BCF530AB3A51D837E74B
Instruction Fuzzy Hash: d2d7a330045c082ee8847ac264425c59ea8f05af409e416109ccbd6a8a647aa5

APIs

Part of subcall function 004471C4: IsChild.USER32(00000000,00000000), ref: 00447222

SendMessageA.USER32(?,00000223,00000000,00000000), ref: 004426BE
ShowWindow.USER32(00000000,00000003), ref: 004426CE
ShowWindow.USER32(00000000,00000002), ref: 004426F0
CallWindowProcA.USER32(00407FF8,00000000,00000005,00000000,?), ref: 00442719
SendMessageA.USER32(?,00000234,00000000,00000000), ref: 0044273E
ShowWindow.USER32(00000000,?), ref: 00442763
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000097), ref: 004427FF
GetActiveWindow.USER32 ref: 00442815
ShowWindow.USER32(00000000,00000000), ref: 00442872

Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773

Part of subcall function 0043BA80: GetCurrentThreadId.KERNEL32(Function_0003BA1C,00000000,0044283C,00000000,004428BF), ref: 0043BA9A
Part of subcall function 0043BA80: EnumThreadWindows.USER32(00000000,Function_0003BA1C,00000000), ref: 0043BAA0

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000097), ref: 0044285A
SetActiveWindow.USER32(00000000), ref: 00442860
ShowWindow.USER32(00000000,00000001), ref: 004428A2

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F17C, Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 116 Total matches: 33window

Similarity

Total matches: 33
API ID: GetWindowPlacementGetWindowTextIsWindowVisible
String ID: ,$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive$True
API String ID: 41250382-511446200
Opcode ID: 2a93bd2407602c988be198f02ecb64933adb9ffad78aee0f75abc9a1a22a1849
Instruction ID: 8f95e1a452f283c9d6a5f9db166b7f7b6e325fa1ebf04232aa01919826a7e185
Opcode Fuzzy Hash: F5012D8237CECA73DA0AAEC47C00B80D5A5AF63224CC867A14A9D3D1D41ED06009AB4A
Instruction Fuzzy Hash: 8f95e1a452f283c9d6a5f9db166b7f7b6e325fa1ebf04232aa01919826a7e185

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F1D2
GetWindowPlacement.USER32(?,0000002C), ref: 0046F1ED
IsWindowVisible.USER32(?), ref: 0046F258

Part of subcall function 0046F148: GetWindow.USER32(?,00000005), ref: 0046F156
Part of subcall function 0046F148: GetWindow.USER32(00000000,00000002), ref: 0046F164

Strings

,, xrefs: 0046F1E1
Minimized, xrefs: 0046F225
Show/Unactive, xrefs: 0046F239
True, xrefs: 0046F2AA
Maximized, xrefs: 0046F1FD
Normal, xrefs: 0046F211
Normal/Unactive, xrefs: 0046F24D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044D1B0, Relevance: 16.6, APIs: 11, Instructions: 91 Total matches: 309

Similarity

Total matches: 309
API ID: GetWindowLongSetWindowLong$SetProp$IsWindowUnicode
String ID:
API String ID: 2416549522-0
Opcode ID: cc33e88019e13a6bdd1cd1f337bb9aa08043e237bf24f75c2294c70aefb51ea5
Instruction ID: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692
Opcode Fuzzy Hash: 47F09048455D92E9CE316990181BFEB6098AF57F91CE86B0469C2713778E50F079BCC2
Instruction Fuzzy Hash: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692

APIs

IsWindowUnicode.USER32(?), ref: 0044D1CA
SetWindowLongW.USER32(?,000000FC,?), ref: 0044D1E5
GetWindowLongW.USER32(?,000000F0), ref: 0044D1F0
GetWindowLongW.USER32(?,000000F4), ref: 0044D202
SetWindowLongW.USER32(?,000000F4,?), ref: 0044D215
SetWindowLongA.USER32(?,000000FC,?), ref: 0044D22E
GetWindowLongA.USER32(?,000000F0), ref: 0044D239
GetWindowLongA.USER32(?,000000F4), ref: 0044D24B
SetWindowLongA.USER32(?,000000F4,?), ref: 0044D25E
SetPropA.USER32(?,00000000,00000000), ref: 0044D275
SetPropA.USER32(?,00000000,00000000), ref: 0044D28C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00485954, Relevance: 16.0, APIs: 4, Strings: 5, Instructions: 236 Total matches: 15filewindow

Similarity

Total matches: 15
API ID: DeleteFile$BeepMessageBox
String ID: Error$SYSINFO$out.txt$systeminfo$tmp.txt
API String ID: 2513333429-345806071
Opcode ID: 175ef29eb0126f4faf8d8d995bdbdcdb5595b05f6195c7c08c0282fe984d4c47
Instruction ID: 39f7f17e1c987efdb7b4b5db2f739eec2f93dce701a473bbe0ca777f64945c64
Opcode Fuzzy Hash: 473108146FCD9607E0675C047D43BB622369F83488E8AB3736AB7321E95E12C007FE96
Instruction Fuzzy Hash: 39f7f17e1c987efdb7b4b5db2f739eec2f93dce701a473bbe0ca777f64945c64

APIs

Beep.KERNEL32(00000000,00000000,?,00000000,00485C82), ref: 00485C68

Part of subcall function 00489BB0: GetTempPathA.KERNEL32(?,00000000), ref: 00489BEC

Part of subcall function 0048AB58: DeleteFileA.KERNEL32(00000000,00000000,0048ABE5,?,00000000,0048AC07), ref: 0048ABA5

Part of subcall function 0048A8AC: CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000004,00000100,00000000), ref: 0048A953
Part of subcall function 0048A8AC: CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000002,00000100,00000000), ref: 0048A98D
Part of subcall function 0048A8AC: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000110,00000000,00000000,00000044,?), ref: 0048AA10
Part of subcall function 0048A8AC: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0048AA2D
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA68
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA77
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA86
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA95

DeleteFileA.KERNEL32(00000000,Error,00000000,00485C82), ref: 00485A63
DeleteFileA.KERNEL32(00000000,00000000,Error,00000000,00485C82), ref: 00485A92

Part of subcall function 00485888: LocalAlloc.KERNEL32(00000040,00000014,00000000,00485939), ref: 004858C3
Part of subcall function 00485888: CreateThread.KERNEL32(00000000,00000000,Function_0008317C,00000000,00000000,00499F94), ref: 00485913
Part of subcall function 00485888: CloseHandle.KERNEL32(00000000), ref: 00485919

MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00485BE3

Strings

systeminfo, xrefs: 00485A14
tmp.txt, xrefs: 004859CA, 00485A07, 00485A79
Error, xrefs: 004859DE
SYSINFO, xrefs: 00485AAE
out.txt, xrefs: 004859AB, 004859EE, 00485A2A, 00485A4A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00462C84, Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 197 Total matches: 15com

Similarity

Total matches: 15
API ID: CoCreateInstance
String ID: )I$,*I$\)I$l)I$|*I
API String ID: 206711758-730570145
Opcode ID: 8999b16d8999ffb1a836ee872fd39b0ec17270f551e5dbcbb19cdec74f308aa7
Instruction ID: 5b7ba80d8099b44c35cabc3879083aa44c7049928a8bf14f2fd8312944c66e37
Opcode Fuzzy Hash: D1212B50148E6143E69475A53D92FAF11533BAB341E68BA6821DF30396CF01619BBF86
Instruction Fuzzy Hash: 5b7ba80d8099b44c35cabc3879083aa44c7049928a8bf14f2fd8312944c66e37

APIs

CoCreateInstance.OLE32(00492A2C,00000000,00000003,0049296C,00000000), ref: 00462CC9
CoCreateInstance.OLE32(00492A8C,00000000,00000001,00462EC8,00000000), ref: 00462CF4
CoCreateInstance.OLE32(00492A9C,00000000,00000001,0049295C,00000000), ref: 00462D20
CoCreateInstance.OLE32(00492A1C,00000000,00000003,004929AC,00000000), ref: 00462E12

Strings

,*I, xrefs: 00462CC3
l)I, xrefs: 00462CB9
)I, xrefs: 00462E4B
\)I, xrefs: 00462D10
|*I, xrefs: 00462D3C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048485C, Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 185 Total matches: 16networkfile

Similarity

Total matches: 16
API ID: HttpQueryInfoInternetCloseHandleInternetOpenInternetOpenUrlInternetReadFileShellExecute
String ID: 200$Mozilla$open
API String ID: 3970492845-1265730427
Opcode ID: 3dc36a46b375420b33b8be952117d0a4158fa58e722c19be8f44cfd6d7effa21
Instruction ID: c028a43d89851b06b6d8b312316828d3eee8359a726d0fa9a5f52c6647499b4f
Opcode Fuzzy Hash: B0213B401399C252F8372E512C83B9D101FDF82639F8857F197B9396D5EF48400DFA9A
Instruction Fuzzy Hash: c028a43d89851b06b6d8b312316828d3eee8359a726d0fa9a5f52c6647499b4f

APIs

InternetOpenA.WININET(Mozilla,00000001,00000000,00000000,00000000), ref: 0048490C
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,04000000,00000000), ref: 00484944
HttpQueryInfoA.WININET(00000000,00000013,?,00000200,?), ref: 0048497D
InternetReadFile.WININET(00000000,?,00000400,?), ref: 00484A04
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 00484A75
InternetCloseHandle.WININET(00000000), ref: 00484A95

Strings

200, xrefs: 004849BD
Mozilla, xrefs: 00484907
open, xrefs: 00484A6E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00448A94, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 170 Total matches: 10window

Similarity

Total matches: 10
API ID: BitBltImageList_DrawExSetBkColorSetTextColor
String ID: 6B
API String ID: 2442363623-1343726390
Opcode ID: f3e76f340fad2a36508cc9c10341b5bdbc0f221426f742f3eb9c92a513530c20
Instruction ID: 7c37791f634a82759e4cc75f05e789a5555426b5a490053cb838fe875b53176d
Opcode Fuzzy Hash: 041108094568A31EE56978080947F3721865B07A61C4A77A03AF31B3DACD443147FB69
Instruction Fuzzy Hash: 7c37791f634a82759e4cc75f05e789a5555426b5a490053cb838fe875b53176d

APIs

ImageList_DrawEx.COMCTL32(00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,?), ref: 00448AF3

Part of subcall function 0042535C: FillRect.USER32(?,00000000,00000000), ref: 00425385

ImageList_DrawEx.COMCTL32(00000000,?,00000000,00000000,00000000,00000000,00000000,000000FF,00000000,00000000), ref: 00448B94
SetTextColor.GDI32(00000000,00FFFFFF), ref: 00448BE1
SetBkColor.GDI32(00000000,00000000), ref: 00448BE9
BitBlt.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00E20746), ref: 00448C0E
SetTextColor.GDI32(00000000,00FFFFFF), ref: 00448C2F
SetBkColor.GDI32(00000000,00000000), ref: 00448C37
BitBlt.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00E20746), ref: 00448C5A

Part of subcall function 00448A6C: ImageList_GetBkColor.COMCTL32(00000000,?,00448ACD,00000000,?), ref: 00448A82

Strings

6B, xrefs: 00448B05

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A8AC, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 146 Total matches: 45fileprocesssynchronization

Similarity

Total matches: 45
API ID: CloseHandle$CreateFile$CreateProcessWaitForSingleObject
String ID: D
API String ID: 1169714791-2746444292
Opcode ID: 9fb844b51f751657abfdf9935c21911306aa385a3997c9217fbe2ce6b668f812
Instruction ID: 79e473b7fda91be69f4d7f417df14a4c992ec25b9310636d694ca9e09f5cc5b6
Opcode Fuzzy Hash: 4D11E6431384F3F3F1A567002C8275185D6DB45A78E6D9752D6B6323EECB40A16CF94A
Instruction Fuzzy Hash: 79e473b7fda91be69f4d7f417df14a4c992ec25b9310636d694ca9e09f5cc5b6

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000004,00000100,00000000), ref: 0048A953
CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000002,00000100,00000000), ref: 0048A98D
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000110,00000000,00000000,00000044,?), ref: 0048AA10
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0048AA2D
CloseHandle.KERNEL32(00000000), ref: 0048AA68
CloseHandle.KERNEL32(00000000), ref: 0048AA77
CloseHandle.KERNEL32(00000000), ref: 0048AA86
CloseHandle.KERNEL32(00000000), ref: 0048AA95

Strings

D, xrefs: 0048A9BB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00483468, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 118 Total matches: 10networkthread

Similarity

Total matches: 10
API ID: InternetCloseHandle$ExitThreadInternetOpenInternetOpenUrl
String ID: Times.$[.exe]$H4H$myappname
API String ID: 1533170427-2018508691
Opcode ID: 9bfd80528866c3fa2248181b1ccb48c134560f4eab1f6b9a7ba83a7f0698ff3d
Instruction ID: 5d8c8af60e1396200864222ed7d4265ca944ca2bef987cfa67465281aeb1ae53
Opcode Fuzzy Hash: 5201284087779767E0713A843C83BA64057AF53F79E88AB6006383B6C28D5E501EFE1E
Instruction Fuzzy Hash: 5d8c8af60e1396200864222ed7d4265ca944ca2bef987cfa67465281aeb1ae53

APIs

InternetOpenA.WININET(myappname,00000000,00000000,00000000,00000000), ref: 0048350C
InternetOpenUrlA.WININET(?,00000000,00000000,00000000,00000000,00000000), ref: 00483537
InternetCloseHandle.WININET(00000000), ref: 0048353D
InternetCloseHandle.WININET(?), ref: 00483553

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000, Times.,?,?,00000000,00483684,?,BTRESULTVisit URL|finished to visit ,?,004835AC,?,myappname,00000000,00000000,00000000,00000000), ref: 0048359F

Strings

myappname, xrefs: 00483507
H4H, xrefs: 00483497, 0048361C
BTRESULTVisit URL|finished to visit , xrefs: 00483558
Times., xrefs: 0048357D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F3B8, Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 110 Total matches: 30

Similarity

Total matches: 30
API ID: GetWindowPlacementGetWindowText
String ID: ,$False$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive
API String ID: 3194812178-3661939895
Opcode ID: 6e67ebc189e59b109926b976878c05c5ff8e56a7c2fe83319816f47c7d386b2c
Instruction ID: 05c2a068ec8248d3d24fb73124f2ba0192b7bb261c799db9564259cde8fcc610
Opcode Fuzzy Hash: DC012BC22786CE23E606A9C47A00BD0CE65AFB261CCC867E14FEE3C5D57ED100089B96
Instruction Fuzzy Hash: 05c2a068ec8248d3d24fb73124f2ba0192b7bb261c799db9564259cde8fcc610

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F40E
GetWindowPlacement.USER32(?,0000002C), ref: 0046F429

Part of subcall function 0046F148: GetWindow.USER32(?,00000005), ref: 0046F156
Part of subcall function 0046F148: GetWindow.USER32(00000000,00000002), ref: 0046F164

Strings

Maximized, xrefs: 0046F439
,, xrefs: 0046F41D
False, xrefs: 0046F4D6
Show/Unactive, xrefs: 0046F475
Normal, xrefs: 0046F44D
Minimized, xrefs: 0046F461
Normal/Unactive, xrefs: 0046F489

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043F2B8, Relevance: 15.1, APIs: 10, Instructions: 133 Total matches: 142window

Similarity

Total matches: 142
API ID: GetWindowLongSendMessageSetWindowLong$GetClassLongGetSystemMenuSetClassLongSetWindowPos
String ID:
API String ID: 864553395-0
Opcode ID: 9ab73d602731c043e05f06fe9a833ffc60d2bf7da5b0a21ed43778f35c9aa1f5
Instruction ID: 86e40c6f39a8dd384175e0123e2dc7e82ae64037638b8220b5ac0861a23d6a34
Opcode Fuzzy Hash: B101DBAA1A176361E0912DCCCAC3B2ED50DB743248EB0DBD922E11540E7F4590A7FE2D
Instruction Fuzzy Hash: 86e40c6f39a8dd384175e0123e2dc7e82ae64037638b8220b5ac0861a23d6a34

APIs

GetWindowLongA.USER32(00000000,000000F0), ref: 0043F329
GetWindowLongA.USER32(00000000,000000EC), ref: 0043F33B
GetClassLongA.USER32(00000000,000000E6), ref: 0043F34E
SetWindowLongA.USER32(00000000,000000F0,00000000), ref: 0043F38E
SetWindowLongA.USER32(00000000,000000EC,?), ref: 0043F3A2
SetClassLongA.USER32(00000000,000000E6,?), ref: 0043F3B6
SendMessageA.USER32(00000000,00000080,00000001,00000000), ref: 0043F3F0
SendMessageA.USER32(00000000,00000080,00000001,00000000), ref: 0043F408
GetSystemMenu.USER32(00000000,000000FF), ref: 0043F417
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043F440

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044155C, Relevance: 15.1, APIs: 10, Instructions: 74 Total matches: 3192window

Similarity

Total matches: 3192
API ID: DeleteMenu$EnableMenuItem$GetSystemMenu
String ID:
API String ID: 3542995237-0
Opcode ID: 6b257927fe0fdeada418aad578b82fbca612965c587f2749ccb5523ad42afade
Instruction ID: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578
Opcode Fuzzy Hash: 0AF0D09DD98F1151E6F500410C47B83C08AFF413C5C245B380583217EFA9D25A5BEB0E
Instruction Fuzzy Hash: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 004415A7
DeleteMenu.USER32(00000000,0000F130,00000000), ref: 004415C5
DeleteMenu.USER32(00000000,00000007,00000400), ref: 004415D2
DeleteMenu.USER32(00000000,00000005,00000400), ref: 004415DF
DeleteMenu.USER32(00000000,0000F030,00000000), ref: 004415EC
DeleteMenu.USER32(00000000,0000F020,00000000), ref: 004415F9
DeleteMenu.USER32(00000000,0000F000,00000000), ref: 00441606
DeleteMenu.USER32(00000000,0000F120,00000000), ref: 00441613
EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 00441631
EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 0044164D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004710F0, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 66 Total matches: 37

Similarity

Total matches: 37
API ID: GetWindowShowWindow$FindWindowGetClassName
String ID: BUTTON$Shell_TrayWnd
API String ID: 2948047570-3627955571
Opcode ID: 9e064d9ead1b610c0c1481de5900685eb7d76be14ef2e83358ce558d27e67668
Instruction ID: d360bd029940f6fa4d12d7627fe3e8b46839e67e31e965d43504e39a11938d6c
Opcode Fuzzy Hash: 68E092CC17B5D469B71A2789284236241D5C763A35C18B752D332376DF8E58021EE60A
Instruction Fuzzy Hash: d360bd029940f6fa4d12d7627fe3e8b46839e67e31e965d43504e39a11938d6c

APIs

FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 0047111D
GetWindow.USER32(00000000,00000005), ref: 00471125
GetClassNameA.USER32(00000000,?,00000080), ref: 0047113D
ShowWindow.USER32(00000000,00000001), ref: 0047117C
ShowWindow.USER32(00000000,00000000), ref: 00471186
GetWindow.USER32(00000000,00000002), ref: 0047118E

Strings

BUTTON, xrefs: 00471168
Shell_TrayWnd, xrefs: 00471118

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00451458, Relevance: 13.6, APIs: 9, Instructions: 122 Total matches: 3040window

Similarity

Total matches: 3040
API ID: PatBlt$SelectObject$GetDCExGetDesktopWindowReleaseDC
String ID:
API String ID: 2402848322-0
Opcode ID: 0b1cd19b0e82695ca21d43bacf455c9985e1afa33c1b29ce2f3a7090b744ccb2
Instruction ID: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593
Opcode Fuzzy Hash: C2F0B4482AADF707C8B6350915C7F79224AED736458F4BB694DB4172CBAF27B014D093
Instruction Fuzzy Hash: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593

APIs

GetDesktopWindow.USER32 ref: 0045148F
GetDCEx.USER32(?,00000000,00000402), ref: 004514A2

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

SelectObject.GDI32(?,00000000), ref: 004514C5
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 004514EB
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0045150D
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 0045152C
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 00451546
SelectObject.GDI32(?,?), ref: 00451553
ReleaseDC.USER32(?,?), ref: 0045156D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00465598, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 194 Total matches: 72libraryloader

Similarity

Total matches: 72
API ID: GetProcAddress$IsBadReadPtrLoadLibrary
String ID: BuildImportTable: GetProcAddress failed$BuildImportTable: ReallocMemory failed$BuildImportTable: can't load library:
API String ID: 1616315271-1384308123
Opcode ID: eb45955122e677bac4d3e7b6686ec9cba9f45ae3ef48f3e0b242e9a0c3719a7c
Instruction ID: d25742ef4bc1d51b96969838743a3f95180d575e7d72d5f7fe617812cb4009d6
Opcode Fuzzy Hash: 0B214C420345E0D3ED39A2081CC7FB15345EF639B4D88AB671ABB667FA2985500AF50D
Instruction Fuzzy Hash: d25742ef4bc1d51b96969838743a3f95180d575e7d72d5f7fe617812cb4009d6

APIs

LoadLibraryA.KERNEL32(00000000), ref: 00465607
GetProcAddress.KERNEL32(?,?), ref: 00465737
GetProcAddress.KERNEL32(?,?), ref: 0046576B
IsBadReadPtr.KERNEL32(?,00000014,00000000,004657D8), ref: 004657A9

Strings

BuildImportTable: can't load library: , xrefs: 00465644
BuildImportTable: ReallocMemory failed, xrefs: 0046568D
BuildImportTable: GetProcAddress failed, xrefs: 0046577C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482E34, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 193 Total matches: 16sleepthread

Similarity

Total matches: 16
API ID: Sleep$CreateThreadExitThread
String ID: .255$127.0.0.1$LanList
API String ID: 1155887905-2919614961
Opcode ID: f9aceb7697053a60f8f2203743265727de6b3c16a25ac160ebf033b594fe70c2
Instruction ID: 67bc21a589158fc7afeef0b5d02271f7d18e2bfc14a4273c93325a5ef21c2c98
Opcode Fuzzy Hash: 62215C820F87955EED616C807C41FA701315FB7649D4FAB622A6B3A1A74E032016B743
Instruction Fuzzy Hash: 67bc21a589158fc7afeef0b5d02271f7d18e2bfc14a4273c93325a5ef21c2c98

APIs

ExitThread.KERNEL32(00000000,00000000,004830D3,?,?,?,?,00000000,00000000), ref: 004830A6

Part of subcall function 00473208: socket.WSOCK32(00000002,00000001,00000000,00000000,00473339), ref: 0047323B
Part of subcall function 00473208: WSAIoctl.WS2_32(000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000), ref: 0047327C
Part of subcall function 00473208: inet_ntoa.WSOCK32(?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000), ref: 004732AC
Part of subcall function 00473208: inet_ntoa.WSOCK32(?,?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001), ref: 004732E8
Part of subcall function 00473208: closesocket.WSOCK32(000000FF,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000,00000000,00473339), ref: 00473319

CreateThread.KERNEL32(00000000,00000000,Function_00082CDC,?,00000000,?), ref: 00483005
Sleep.KERNEL32(00000032,00000000,00000000,Function_00082CDC,?,00000000,?,?,00000000,00000000,00483104,?,00483104,?,00483104,?), ref: 0048300C
Sleep.KERNEL32(00000064,.255,?,00483104,?,00483104,?,?,00000000,004830D3,?,?,?,?,00000000,00000000), ref: 00483054

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

127.0.0.1, xrefs: 00482E9D
LanList, xrefs: 0048306B
.255, xrefs: 0048303C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004117E8, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: f440f800a6dcfa6827f62dcd7c23166eba4d720ac19948e634cff8498f9e3f0b
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 4D113503239AAB83B0257B804C83F24D1D0DE42D36ACD97B8C672693F32601561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00411881
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041189D
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 004118D6
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411953
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0041196C
VariantCopy.OLEAUT32(?), ref: 004119A1

Strings

, xrefs: 00411802

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00454934, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 134 Total matches: 1764registry

Similarity

Total matches: 1764
API ID: GetWindowLong$GetClassInfoRegisterClassSetWindowLongUnregisterClass
String ID: @
API String ID: 2433521760-2766056989
Opcode ID: bb057d11bcffa2997f58ae607b8aec9f6d517787b85221cca69b6bc40098651c
Instruction ID: 4013627ed433dbc6b152acdb164a0da3d29e3622e0b68fd627badcaca3a3b516
Opcode Fuzzy Hash: 5A119C80560CD237E7D669A4B48378513749F97B7CDD0536B63F6242DA4E00402DF96E
Instruction Fuzzy Hash: 4013627ed433dbc6b152acdb164a0da3d29e3622e0b68fd627badcaca3a3b516

APIs

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetClassInfoA.USER32(?,?,?), ref: 004549F8
UnregisterClassA.USER32(?,?), ref: 00454A20
RegisterClassA.USER32(?), ref: 00454A36
GetWindowLongA.USER32(00000000,000000F0), ref: 00454A72
GetWindowLongA.USER32(00000000,000000F4), ref: 00454A87
SetWindowLongA.USER32(00000000,000000F4,00000000), ref: 00454A9A

Part of subcall function 00458910: IsIconic.USER32(?), ref: 0045891F
Part of subcall function 00458910: GetWindowPlacement.USER32(?,0000002C), ref: 0045893C
Part of subcall function 00458910: GetWindowRect.USER32(?), ref: 00458955
Part of subcall function 00458910: GetWindowLongA.USER32(?,000000F0), ref: 00458963
Part of subcall function 00458910: GetWindowLongA.USER32(?,000000F8), ref: 00458978
Part of subcall function 00458910: ScreenToClient.USER32(00000000), ref: 00458985
Part of subcall function 00458910: ScreenToClient.USER32(00000000,?), ref: 00458990

Part of subcall function 0042473C: CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,00424930,?,00000000,00424958), ref: 0042486B
Part of subcall function 0042473C: CreateFontIndirectA.GDI32(?), ref: 0042490D

Part of subcall function 0040F26C: GetLastError.KERNEL32(0040F31C,?,0041BBC3,?), ref: 0040F26C

Strings

@, xrefs: 0045496D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AC14, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 110 Total matches: 30

Similarity

Total matches: 30
API ID: GetCurrentProcessGetTokenInformationLookupPrivilegeDisplayNameLookupPrivilegeNameOpenProcessToken
String ID: GetTokenInformation error$OpenProcessToken error
API String ID: 34442935-1842041635
Opcode ID: 07715b92dc7caf9e715539a578f275bcd2bb60a34190f84cc6cf05c55eb8ea49
Instruction ID: 380ab001647c8b3903b6034fc21424389ae21c1771cfbd9cf9b74ae493e33b6b
Opcode Fuzzy Hash: 9101994303ACF753F62929086842BDA0550DF534A5EC4AB6281746BEC90F28203AFB57
Instruction Fuzzy Hash: 380ab001647c8b3903b6034fc21424389ae21c1771cfbd9cf9b74ae493e33b6b

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AD60), ref: 0048AC51
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AD60), ref: 0048AC57
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000320,?,00000000,00000028,?,00000000,0048AD60), ref: 0048AC7D
LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,00000000,000000FF,?), ref: 0048ACEE

Part of subcall function 00489B40: MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00489B84

LookupPrivilegeNameA.ADVAPI32(00000000,?,00000000,000000FF), ref: 0048ACDD

Strings

GetTokenInformation error, xrefs: 0048AC86
OpenProcessToken error, xrefs: 0048AC60

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0041F7B4, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109 Total matches: 16thread

Similarity

Total matches: 16
API ID: EnterCriticalSectionGetCurrentThreadId$InterlockedExchangeLeaveCriticalSection
String ID: 4PI
API String ID: 853095497-1771581502
Opcode ID: e7ac2c5012fa839d146893c0705f22c4635eb548c5d0be0363ce03b581d14a20
Instruction ID: e450c16710015a04d827bdf36dba62923dd4328c0a0834b889eda6f9c026b195
Opcode Fuzzy Hash: 46F0268206D8F1379472678830D77370A8AC33154EC85EB52162C376EB1D05D05DE75B
Instruction Fuzzy Hash: e450c16710015a04d827bdf36dba62923dd4328c0a0834b889eda6f9c026b195

APIs

GetCurrentThreadId.KERNEL32 ref: 0041F7BF
GetCurrentThreadId.KERNEL32 ref: 0041F7CE
EnterCriticalSection.KERNEL32(004999D0,0041F904,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F8F7

Part of subcall function 0041F774: WaitForSingleObject.KERNEL32(000000EC), ref: 0041F77E

Part of subcall function 0041F768: ResetEvent.KERNEL32(000000EC,0041F809), ref: 0041F76E

EnterCriticalSection.KERNEL32(004999D0), ref: 0041F813
InterlockedExchange.KERNEL32(00491B2C,?), ref: 0041F82F
LeaveCriticalSection.KERNEL32(004999D0,00000000,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F888

Strings

4PI, xrefs: 0041F7C4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00449834, Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 80 Total matches: 16libraryloader

Similarity

Total matches: 16
API ID: GetModuleHandleGetProcAddressImageList_Write
String ID: $qA$ImageList_WriteEx$[FILE]$[FILE]
API String ID: 3028349119-1134023085
Opcode ID: 9b6b780f1487285524870f905d0420896c1378cf45dbecae2d97141bf0e14d48
Instruction ID: 043155abd17610354dead4f4dd3580dd0e6203469d1d2f069e389e4af6e4a666
Opcode Fuzzy Hash: 29F059C6A0CCF14AE7175584B0AB66107F0BB9DD5F8C87710081C710A90F95A13DFB56
Instruction Fuzzy Hash: 043155abd17610354dead4f4dd3580dd0e6203469d1d2f069e389e4af6e4a666

APIs

ImageList_Write.COMCTL32(00000000,?,00000000,0044992E), ref: 004498F8

Part of subcall function 0040E3A4: GetFileVersionInfoSizeA.VERSION(00000000,?,00000000,0040E47A), ref: 0040E3E6
Part of subcall function 0040E3A4: GetFileVersionInfoA.VERSION(00000000,?,00000000,?,00000000,0040E45D,?,00000000,?,00000000,0040E47A), ref: 0040E41B
Part of subcall function 0040E3A4: VerQueryValueA.VERSION(?,0040E48C,?,?,00000000,?,00000000,?,00000000,0040E45D,?,00000000,?,00000000,0040E47A), ref: 0040E435

GetModuleHandleA.KERNEL32(comctl32.dll), ref: 00449868
GetProcAddress.KERNEL32(00000000,ImageList_WriteEx,comctl32.dll), ref: 00449879

Strings

comctl32.dll, xrefs: 00449863
ImageList_WriteEx, xrefs: 00449873
$qA, xrefs: 004498D4, 00449909
comctl32.dll, xrefs: 00449848

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E4A0, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68 Total matches: 2853string

Similarity

Total matches: 2853
API ID: GetSystemMetrics$GetMonitorInfoSystemParametersInfolstrcpy
String ID: DISPLAY$GetMonitorInfo
API String ID: 3432438702-1633989206
Opcode ID: eae47ffeee35c10db4cae29e8a4ab830895bcae59048fb7015cdc7d8cb0a928b
Instruction ID: 74142331967dee0409fd24cf408a58a7466f2520650418456c75ade1e3029da4
Opcode Fuzzy Hash: 28E068803A699081F86A71027110F4912B07AE7E47D883B92C4777051BD78265B91D01
Instruction Fuzzy Hash: 74142331967dee0409fd24cf408a58a7466f2520650418456c75ade1e3029da4

APIs

GetMonitorInfoA.USER32(?,?), ref: 0042E4D1
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042E4F8
GetSystemMetrics.USER32(00000000), ref: 0042E50D
GetSystemMetrics.USER32(00000001), ref: 0042E518
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0042E542

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

DISPLAY, xrefs: 0042E539
GetMonitorInfo, xrefs: 0042E4B8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E574, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 68 Total matches: 14string

Similarity

Total matches: 14
API ID: GetSystemMetrics$SystemParametersInfolstrcpy
String ID: DISPLAY$GetMonitorInfoA$tB
API String ID: 920390751-4256241499
Opcode ID: 9a94b6fb1edcb78a0c9a66795ebd84d1eeb67d07ab6805deb2fcd0b49b846e84
Instruction ID: eda70eb6c6723b3d8ed12733fddff3b40501d2063d2ec80ebb02aba850291404
Opcode Fuzzy Hash: 78E068C132298081B86A31013160F42129039E7E17E883BC1D4F77056B8B8275651D08
Instruction Fuzzy Hash: eda70eb6c6723b3d8ed12733fddff3b40501d2063d2ec80ebb02aba850291404

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042E5CC
GetSystemMetrics.USER32(00000000), ref: 0042E5E1
GetSystemMetrics.USER32(00000001), ref: 0042E5EC
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0042E616

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

GetMonitorInfoA, xrefs: 0042E58C
tB, xrefs: 0042E591, 0042E59E, 0042E5A5
DISPLAY, xrefs: 0042E60D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004052FC, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38 Total matches: 3072filewindow

Similarity

Total matches: 3072
API ID: GetStdHandleWriteFile$MessageBox
String ID: Error$Runtime error at 00000000
API String ID: 877302783-2970929446
Opcode ID: a2f2a555d5de0ed3a3cdfe8a362fd9574088acc3a5edf2b323f2c4251b80d146
Instruction ID: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97
Opcode Fuzzy Hash: FED0A7C68438479FA141326030C4B2A00133F0762A9CC7396366CB51DFCF4954BCDD05
Instruction Fuzzy Hash: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405335
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 0040533B
GetStdHandle.KERNEL32(000000F5,00405384,00000002,?,00000000,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405350
WriteFile.KERNEL32(00000000,000000F5,00405384,00000002,?), ref: 00405356
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00405374

Strings

Error, xrefs: 00405368
Runtime error at 00000000, xrefs: 0040532E, 0040536D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00442C9C, Relevance: 12.2, APIs: 8, Instructions: 154 Total matches: 2310window

Similarity

Total matches: 2310
API ID: SendMessage$GetActiveWindowGetCapture$ReleaseCapture
String ID:
API String ID: 3360342259-0
Opcode ID: 2e7a3c9d637816ea08647afd4d8ce4a3829e05fa187c32cef18f4a4206af3d5d
Instruction ID: f313f7327938110f0d474da6a120560d1e1833014bacf3192a9076ddb3ef11f7
Opcode Fuzzy Hash: 8F1150111E8E7417F8A3A1C8349BB23A067F74FA59CC0BF71479A610D557588869D707
Instruction Fuzzy Hash: f313f7327938110f0d474da6a120560d1e1833014bacf3192a9076ddb3ef11f7

APIs

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetCapture.USER32 ref: 00442D0D
GetCapture.USER32 ref: 00442D1C
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00442D22
ReleaseCapture.USER32 ref: 00442D27
GetActiveWindow.USER32 ref: 00442D78

Part of subcall function 004442A8: GetCursorPos.USER32 ref: 004442C3
Part of subcall function 004442A8: WindowFromPoint.USER32(?,?), ref: 004442D0
Part of subcall function 004442A8: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004442DE
Part of subcall function 004442A8: GetCurrentThreadId.KERNEL32(00000000,00000000,?,?), ref: 004442E5
Part of subcall function 004442A8: SendMessageA.USER32(00000000,00000084,00000000,?), ref: 0044430E
Part of subcall function 004442A8: SendMessageA.USER32(00000000,00000020,00000000,?), ref: 00444320
Part of subcall function 004442A8: SetCursor.USER32(00000000), ref: 00444332

Part of subcall function 0043B920: GetCurrentThreadId.KERNEL32(0043B8D0,00000000,00000000,0043B993,?,00000000,0043B9D1), ref: 0043B976
Part of subcall function 0043B920: EnumThreadWindows.USER32(00000000,0043B8D0,00000000), ref: 0043B97C

SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00442E0E
SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00442E7B
GetActiveWindow.USER32 ref: 00442E8A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E0DC, Relevance: 12.1, APIs: 8, Instructions: 100 Total matches: 31registry

Similarity

Total matches: 31
API ID: RegOpenKeyEx$RegCloseKeyRegDeleteValue
String ID:
API String ID: 2702562355-0
Opcode ID: ff1bffc0fc9da49c543c68ea8f8c068e074332158ed00d7e0855fec77d15ce10
Instruction ID: bb6f8a9e936068d281b70d3ea2ea02ff1a791729bc38357734c580253c916b5c
Opcode Fuzzy Hash: 00F0AD0155E9A353EBF654C41E127DB2082FF43A44D08FFB50392139D3DF581028E663
Instruction Fuzzy Hash: bb6f8a9e936068d281b70d3ea2ea02ff1a791729bc38357734c580253c916b5c

APIs

RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?,00000000,0046E238), ref: 0046E15A
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,000F003F,?,0046E23F,80000000,00000000,00000000,000F003F,?,00000000,0046E238), ref: 0046E17D
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,0046E23F,80000000,00000000,00000000,000F003F,?), ref: 0046E19D
RegOpenKeyExA.ADVAPI32(80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,0046E23F), ref: 0046E1BD
RegOpenKeyExA.ADVAPI32(80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001), ref: 0046E1DD
RegOpenKeyExA.ADVAPI32(80000006,00000000,00000000,000F003F,?,80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002), ref: 0046E1FD
RegDeleteValueA.ADVAPI32(?,00000000,00000000,0046E238), ref: 0046E20F
RegCloseKey.ADVAPI32(?,?,00000000,00000000,0046E238), ref: 0046E218

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434550, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 177 Total matches: 2669window

Similarity

Total matches: 2669
API ID: InsertMenu$GetVersionInsertMenuItem
String ID: ,$?
API String ID: 1158528009-2308483597
Opcode ID: 3691d3eb49acf7fe282d18733ae3af9147e5be4a4a7370c263688d5644077239
Instruction ID: d88e58a9695d0ecde36b26a9ed5775f3b98e27f7dc2108173ae1ec2afbf22209
Opcode Fuzzy Hash: 7021C07202AE81DBD414788C7954F6221B16B5465FD49FF210329B5DD98F156003FF7A
Instruction Fuzzy Hash: d88e58a9695d0ecde36b26a9ed5775f3b98e27f7dc2108173ae1ec2afbf22209

APIs

GetVersion.KERNEL32(00000000,004347A1), ref: 004345EC
InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 004346F5
InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 0043477E

Part of subcall function 00434A54: CreatePopupMenu.USER32 ref: 00434A6F
Part of subcall function 00434A54: CreateMenu.USER32 ref: 00434A79

InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 00434765

Strings

?, xrefs: 00434607
,, xrefs: 00434600

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00488D70, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 139 Total matches: 17window

Similarity

Total matches: 17
API ID: BitBltCreateCompatibleBitmapCreateCompatibleDCCreateDCSelectObject
String ID: image/jpeg
API String ID: 3045076971-3785015651
Opcode ID: dbe4b5206c04ddfa7cec44dd0e3e3f3269a9d8eacf2ec53212285f1a385d973c
Instruction ID: b6a9b81207b66fd46b40be05ec884117bb921c7e8fb4f30b77988d552b54040a
Opcode Fuzzy Hash: 3001BD010F4EF103E475B5CC3853FF7698AEB17E8AD1A77A20CB8961839202A009F607
Instruction Fuzzy Hash: b6a9b81207b66fd46b40be05ec884117bb921c7e8fb4f30b77988d552b54040a

APIs

CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 00488DAA
CreateCompatibleDC.GDI32(?), ref: 00488DC4
CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 00488DDC
SelectObject.GDI32(?,?), ref: 00488DEC
BitBlt.GDI32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,00CC0020), ref: 00488E15

Part of subcall function 0045FB1C: GdipCreateBitmapFromHBITMAP.GDIPLUS(?,?,?), ref: 0045FB43

Part of subcall function 0045FA24: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,0045FA7A), ref: 0045FA54

Strings

image/jpeg, xrefs: 00488E70

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446524, Relevance: 10.6, APIs: 7, Instructions: 105 Total matches: 329window

Similarity

Total matches: 329
API ID: PeekMessage$DispatchMessage$IsWindowUnicodeTranslateMessage
String ID:
API String ID: 94033680-0
Opcode ID: 72d0e2097018c2d171db36cd9dd5c7d628984fd68ad100676ade8b40d7967d7f
Instruction ID: b3581f7210794b57d406096c46509e1a6dcc6e0b3c60c7d01b5c3c410123a072
Opcode Fuzzy Hash: A2F0F642161A8221F90E364651E2FC06559E31F39CCD1D3871165A4192DF8573D6F95C
Instruction Fuzzy Hash: b3581f7210794b57d406096c46509e1a6dcc6e0b3c60c7d01b5c3c410123a072

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00446538
IsWindowUnicode.USER32 ref: 0044654C
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0044656D
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00446583

Part of subcall function 00447DD0: GetCapture.USER32 ref: 00447DDA
Part of subcall function 00447DD0: GetParent.USER32(00000000), ref: 00447E08

Part of subcall function 004462A4: TranslateMDISysAccel.USER32(?), ref: 004462E3

Part of subcall function 004462F4: GetCapture.USER32 ref: 0044631A
Part of subcall function 004462F4: GetParent.USER32(00000000), ref: 00446340
Part of subcall function 004462F4: IsWindowUnicode.USER32(00000000), ref: 0044635D
Part of subcall function 004462F4: SendMessageW.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446378
Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446397
Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(00000000), ref: 004463A6
Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(?,?), ref: 004463B4
Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 004463D4

Part of subcall function 0044625C: IsWindowUnicode.USER32(00000000), ref: 00446270
Part of subcall function 0044625C: IsDialogMessageW.USER32(?), ref: 00446281
Part of subcall function 0044625C: IsDialogMessageA.USER32(?,?,00000000,015B8130,00000001,00446607,?,00000000,00000000,00000000,00000001,?,00000000,00000000,00000000,00000000), ref: 00446296

TranslateMessage.USER32 ref: 0044660C
DispatchMessageW.USER32 ref: 00446618
DispatchMessageA.USER32 ref: 00446620

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004282D0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99 Total matches: 1938

Similarity

Total matches: 1938
API ID: GetWinMetaFileBitsMulDiv$GetDC
String ID: `
API String ID: 1171737091-2679148245
Opcode ID: 97e0afb71fd3017264d25721d611b96d1ac3823582e31f119ebb41a52f378edb
Instruction ID: fd1c75cb27f8ccc4a85bc281ca680933f7ff10ae91a160973978cac80d6b42b6
Opcode Fuzzy Hash: B6F0ACC4008CD2A7D87675DC1043F6311C897CA286E89BB739226A7307CB0AA019EC47
Instruction Fuzzy Hash: fd1c75cb27f8ccc4a85bc281ca680933f7ff10ae91a160973978cac80d6b42b6

APIs

MulDiv.KERNEL32(?,?,000009EC), ref: 00428322
MulDiv.KERNEL32(?,?,000009EC), ref: 00428339
GetDC.USER32(00000000), ref: 00428350
GetWinMetaFileBits.GDI32(?,00000000,00000000,00000008,?), ref: 00428374
GetWinMetaFileBits.GDI32(?,?,?,00000008,?), ref: 004283A7

Part of subcall function 00425A70: GetLastError.KERNEL32(00000000,00425B0C), ref: 00425A90
Part of subcall function 00425A70: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00425B0C), ref: 00425AB6

Strings

`, xrefs: 00428308

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444344, Relevance: 10.6, APIs: 7, Instructions: 89 Total matches: 2886

Similarity

Total matches: 2886
API ID: CreateFontIndirect$GetStockObjectSystemParametersInfo
String ID:
API String ID: 1286667049-0
Opcode ID: beeb678630a8d2ca0f721ed15124802961745e4c56d7c704ecddf8ebfa723626
Instruction ID: b9276e4cea0afd1028da4d528d34847b13dbaab52dc8e94e54053a20ac38a9fc
Opcode Fuzzy Hash: 00F0A4C36341F6F2D8993208742172161E6A74AE78C7CFF62422930ED2661A052EEB4F
Instruction Fuzzy Hash: b9276e4cea0afd1028da4d528d34847b13dbaab52dc8e94e54053a20ac38a9fc

APIs

SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 00444399
CreateFontIndirectA.GDI32(?), ref: 004443A6
GetStockObject.GDI32(0000000D), ref: 004443BC
SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 004443E5
CreateFontIndirectA.GDI32(?), ref: 004443F5
CreateFontIndirectA.GDI32(?), ref: 0044440E

Part of subcall function 00424A5C: MulDiv.KERNEL32(00000000,?,00000048), ref: 00424A69

GetStockObject.GDI32(0000000D), ref: 00444434

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482B34, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 84 Total matches: 10threadsleepmemory

Similarity

Total matches: 10
API ID: ExitThread$CreateThreadLocalAllocSleep
String ID: p)H
API String ID: 1498127831-2549212939
Opcode ID: 5fd7b773879454cb2e984670c3aa9a0c1db83b86d5d790d4145ccd7f391bc9b7
Instruction ID: 053b5e183048797674ca9cdb15cf17692ed61b26d4291f167cbfa930052dd689
Opcode Fuzzy Hash: 65F02E8147579427749271893D807631168A88B349DC47B618A393E5C35D0EB119F7C6
Instruction Fuzzy Hash: 053b5e183048797674ca9cdb15cf17692ed61b26d4291f167cbfa930052dd689

APIs

ExitThread.KERNEL32(00000000,00000000,00482BF9,?,00000000,00482C2E), ref: 00482BA4
LocalAlloc.KERNEL32(00000040,00000008,00000000,00482BF9,?,00000000,00482C2E), ref: 00482BAD
CreateThread.KERNEL32(00000000,00000000,Function_0008298C,00000000,00000000,?), ref: 00482BD6
Sleep.KERNEL32(00000064,00000000,00000000,Function_0008298C,00000000,00000000,?,00000040,00000008,00000000,00482BF9,?,00000000,00482C2E), ref: 00482BDD
ExitThread.KERNEL32(00000000,00000000,00482BF9,?,00000000,00482C2E), ref: 00482BEA

Strings

p)H, xrefs: 00482B48, 00482C1A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428A00, Relevance: 10.6, APIs: 7, Instructions: 66 Total matches: 3056

Similarity

Total matches: 3056
API ID: SelectObject$CreateCompatibleDCDeleteDCGetDCReleaseDCSetDIBColorTable
String ID:
API String ID: 2399757882-0
Opcode ID: e05996493a4a7703f1d90fd319a439bf5e8e75d5a5d7afaf7582bfea387cb30d
Instruction ID: 90c847b5b2251fbb5b2f14fd0b24f537c214c92e226752d9278a3821f2f40b8f
Opcode Fuzzy Hash: 73E0DF8626D8F38BE435399C15C2BB202EAD763D20D1ABBA1CD712B5DB6B09701CE107
Instruction Fuzzy Hash: 90c847b5b2251fbb5b2f14fd0b24f537c214c92e226752d9278a3821f2f40b8f

APIs

Part of subcall function 004262B4: GetObjectA.GDI32(?,00000004), ref: 004262CB
Part of subcall function 004262B4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 004262EE

GetDC.USER32(00000000), ref: 00428A3E
CreateCompatibleDC.GDI32(?), ref: 00428A4A
SelectObject.GDI32(?), ref: 00428A57
SetDIBColorTable.GDI32(?,00000000,00000000,?), ref: 00428A7B
SelectObject.GDI32(?,?), ref: 00428A95
DeleteDC.GDI32(?), ref: 00428A9E
ReleaseDC.USER32(00000000,?), ref: 00428AA9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004442A8, Relevance: 10.6, APIs: 7, Instructions: 57 Total matches: 3149threadwindow

Similarity

Total matches: 3149
API ID: SendMessage$GetCurrentThreadIdGetCursorPosGetWindowThreadProcessIdSetCursorWindowFromPoint
String ID:
API String ID: 3843227220-0
Opcode ID: 636f8612f18a75fc2fe2d79306f1978e6c2d0ee500cce15a656835efa53532b4
Instruction ID: 91a0691e93be75cbd792bc1c5d11451005bcc187603754b99125f381020161aa
Opcode Fuzzy Hash: 6FE07D44093723D5C0644A295640705A6C6CB96630DC0DB86C339580FBAD0214F0BC92
Instruction Fuzzy Hash: 91a0691e93be75cbd792bc1c5d11451005bcc187603754b99125f381020161aa

APIs

GetCursorPos.USER32 ref: 004442C3
WindowFromPoint.USER32(?,?), ref: 004442D0
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004442DE
GetCurrentThreadId.KERNEL32(00000000,00000000,?,?), ref: 004442E5
SendMessageA.USER32(00000000,00000084,00000000,?), ref: 0044430E
SendMessageA.USER32(00000000,00000020,00000000,?), ref: 00444320
SetCursor.USER32(00000000), ref: 00444332

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00404448, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 49 Total matches: 63registry

Similarity

Total matches: 63
API ID: RegCloseKeyRegOpenKeyExRegQueryValueEx
String ID: &$FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 2249749755-409351
Opcode ID: ab90adbf7b939076b4d26ef1005f34fa32d43ca05e29cbeea890055cc8b783db
Instruction ID: ce62e3bb234767a160e82b0d7d36def6f0e4d1aa0fd43ed305e6d49589b0b3e0
Opcode Fuzzy Hash: 58D02BE10C9A675FB6B071543292B6310A3F72AA8CC0077326DD03A0D64FD26178CF03
Instruction Fuzzy Hash: ce62e3bb234767a160e82b0d7d36def6f0e4d1aa0fd43ed305e6d49589b0b3e0

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040446A
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,&,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040449D
RegCloseKey.ADVAPI32(?,004044C0,00000000,?,00000004,00000000,&,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004044B3

Strings

&, xrefs: 00404476
FPUMaskValue, xrefs: 00404494
SOFTWARE\Borland\Delphi\RTL, xrefs: 00404460

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040F3A4, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 46 Total matches: 17

Similarity

Total matches: 17
API ID: FindResourceLoadResource
String ID: 0PI$DVCLAL
API String ID: 2359726220-2981686760
Opcode ID: 800224e7684f9999f87d4ef9ea60951ae4fbd73f3e4075522447f15a278b71b4
Instruction ID: dff53e867301dc3e22b70d9e69622cb382f13005f1a49077cfe6c5f33cacb54d
Opcode Fuzzy Hash: 8FD0C9D501084285852017F8B253FC7A2AB69DEB19D544BB05EB12D2076F5A613B6A46
Instruction Fuzzy Hash: dff53e867301dc3e22b70d9e69622cb382f13005f1a49077cfe6c5f33cacb54d

APIs

FindResourceA.KERNEL32(00400000,DVCLAL,0000000A), ref: 0040F3C1
LoadResource.KERNEL32(00400000,00000000,00400000,DVCLAL,0000000A), ref: 0040F3CF
FindResourceA.KERNEL32(00400000,DVCLAL,0000000A), ref: 0040F3F3
LoadResource.KERNEL32(00400000,00000000,00400000,DVCLAL,0000000A), ref: 0040F3FA

Strings

0PI, xrefs: 0040F3A8, 0040F3B9, 0040F3C7
DVCLAL, xrefs: 0040F3B4, 0040F3EA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00441160, Relevance: 9.1, APIs: 6, Instructions: 125 Total matches: 196

Similarity

Total matches: 196
API ID: ExcludeClipRectFillRectGetStockObjectRestoreDCSaveDCSetBkColor
String ID:
API String ID: 3049133588-0
Opcode ID: d6019f6cee828ac7391376ab126a0af33bb7a71103bbd3b8d69450c96d22d854
Instruction ID: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c
Opcode Fuzzy Hash: 54012444004F6253F4AB098428E7FA56083F721791CE4FF310786616C34A74615BAA07
Instruction Fuzzy Hash: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c

APIs

Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE

SaveDC.GDI32(?), ref: 004411AD
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00441234
GetStockObject.GDI32(00000004), ref: 00441256
FillRect.USER32(00000000,?,00000000), ref: 0044126F

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(00000000,00000000), ref: 004412BA

Part of subcall function 0042535C: FillRect.USER32(?,00000000,00000000), ref: 00425385

RestoreDC.GDI32(00000000,?), ref: 004412E5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426564, Relevance: 9.1, APIs: 6, Instructions: 84 Total matches: 3298

Similarity

Total matches: 3298
API ID: GetDeviceCapsGetSystemMetrics$GetDCReleaseDC
String ID:
API String ID: 3173458388-0
Opcode ID: fd9f4716da230ae71bf1f4ec74ceb596be8590d72bfe1d7677825fa15454f496
Instruction ID: 76208f8db54bfa31a4e946745ab37a866a8afca9cd7e1400b1f436bf5add317d
Opcode Fuzzy Hash: 0CF09E4906CDE0A230E245C41213F6290C28E85DA1CCD2F728175646EB900A900BB68A
Instruction Fuzzy Hash: 76208f8db54bfa31a4e946745ab37a866a8afca9cd7e1400b1f436bf5add317d

APIs

GetSystemMetrics.USER32(0000000B), ref: 004265B2
GetSystemMetrics.USER32(0000000C), ref: 004265BE
GetDC.USER32(00000000), ref: 004265DA
GetDeviceCaps.GDI32(00000000,0000000E), ref: 00426601
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042660E
ReleaseDC.USER32(00000000,00000000), ref: 00426647

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004269DC, Relevance: 9.1, APIs: 6, Instructions: 65 Total matches: 3081window

Similarity

Total matches: 3081
API ID: SelectPalette$CreateCompatibleDCDeleteDCGetDIBitsRealizePalette
String ID:
API String ID: 940258532-0
Opcode ID: c5678bed85b02f593c88b8d4df2de58c18800a354d7fb4845608846d7bc0f30b
Instruction ID: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194
Opcode Fuzzy Hash: BCE0864D058EF36F1875B08C25D267100C0C9A25D0917BB6151282339B8F09B42FE553
Instruction Fuzzy Hash: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194

APIs

Part of subcall function 00426888: GetObjectA.GDI32(?,00000054), ref: 0042689C

CreateCompatibleDC.GDI32(00000000), ref: 004269FE
SelectPalette.GDI32(?,?,00000000), ref: 00426A1F
RealizePalette.GDI32(?), ref: 00426A2B
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 00426A42
SelectPalette.GDI32(?,00000000,00000000), ref: 00426A6A
DeleteDC.GDI32(?), ref: 00426A73

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426210, Relevance: 9.1, APIs: 6, Instructions: 56 Total matches: 3064window

Similarity

Total matches: 3064
API ID: SelectObject$CreateCompatibleDCCreatePaletteDeleteDCGetDIBColorTable
String ID:
API String ID: 2522673167-0
Opcode ID: 8f0861977a40d6dd0df59c1c8ae10ba78c97ad85d117a83679491ebdeecf1838
Instruction ID: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265
Opcode Fuzzy Hash: 23E0CD8BABB4E08A797B9EA40440641D28F874312DF4347525731780E7DE0972EBFD9D
Instruction Fuzzy Hash: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265

APIs

CreateCompatibleDC.GDI32(00000000), ref: 00426229
SelectObject.GDI32(00000000,00000000), ref: 00426232
GetDIBColorTable.GDI32(00000000,00000000,00000100,?), ref: 00426246
SelectObject.GDI32(00000000,00000000), ref: 00426252
DeleteDC.GDI32(00000000), ref: 00426258
CreatePalette.GDI32 ref: 0042629F

Part of subcall function 00426178: GetDC.USER32(00000000), ref: 00426190
Part of subcall function 00426178: GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
Part of subcall function 00426178: ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004258EC, Relevance: 9.0, APIs: 6, Instructions: 43 Total matches: 3205

Similarity

Total matches: 3205
API ID: SetBkColorSetBkMode$SelectObjectUnrealizeObject
String ID:
API String ID: 865388446-0
Opcode ID: ffaa839b37925f52af571f244b4bcc9ec6d09047a190f4aa6a6dd435522a71e3
Instruction ID: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d
Opcode Fuzzy Hash: 04D09E594221F71A98E8058442D7D520586497D532DAF3B51063B173F7F8089A05D9FC
Instruction Fuzzy Hash: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d

APIs

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

UnrealizeObject.GDI32(00000000), ref: 004258F8
SelectObject.GDI32(?,00000000), ref: 0042590A
SetBkColor.GDI32(?,00000000), ref: 0042592D
SetBkMode.GDI32(?,00000002), ref: 00425938

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(?,00000000), ref: 00425953
SetBkMode.GDI32(?,00000001), ref: 0042595E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DA48, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 102 Total matches: 32

Similarity

Total matches: 32
API ID: Netbios
String ID: %.2x-%.2x-%.2x-%.2x-%.2x-%.2x$3$memory allocation failed!
API String ID: 544444789-2654533857
Opcode ID: 22deb5ba4c8dd5858e69645675ac88c4b744798eed5cc2a6ae80ae5365d1f156
Instruction ID: 205d53b38d78d2d0723284a20418f6a6cc2e9f6e34ee92e133a3f4b1a01c78c5
Opcode Fuzzy Hash: FC0145449793E233D2635E086C60F6823228F41731FC96B56863A557DC1F09420EF26F
Instruction Fuzzy Hash: 205d53b38d78d2d0723284a20418f6a6cc2e9f6e34ee92e133a3f4b1a01c78c5

APIs

Netbios.NETAPI32(00000032), ref: 0048DA8A
Netbios.NETAPI32(00000033), ref: 0048DB01

Strings

3, xrefs: 0048DACB
memory allocation failed!, xrefs: 0048DAEB
%.2x-%.2x-%.2x-%.2x-%.2x-%.2x, xrefs: 0048DBA0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446EDC, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 98 Total matches: 12timethreadwindow

Similarity

Total matches: 12
API ID: GetCurrentThreadIdSetTimerWaitMessage
String ID: 4PI$TfD
API String ID: 3709936073-2665388893
Opcode ID: a96b87b76615ec2f6bd9a49929a256f28b564bdc467e68e118c3deca706b2d51
Instruction ID: b92290f9b4a80c848b093905c5717a31533565e16cff7f57329368dd8290fbf7
Opcode Fuzzy Hash: E2F0A28141CDF053D573A6183401FD120A6F3465D5CD097723768360EE1ADF603DE14B
Instruction Fuzzy Hash: b92290f9b4a80c848b093905c5717a31533565e16cff7f57329368dd8290fbf7

APIs

Part of subcall function 00446E50: GetCursorPos.USER32 ref: 00446E57

SetTimer.USER32(00000000,00000000,?,00446E74), ref: 00446FAB

Part of subcall function 00446DEC: IsWindowVisible.USER32(00000000), ref: 00446E24
Part of subcall function 00446DEC: IsWindowEnabled.USER32(00000000), ref: 00446E35

GetCurrentThreadId.KERNEL32(00000000,00447029,?,?,?,015B8130), ref: 00446FE5
WaitMessage.USER32 ref: 00447009

Part of subcall function 0041F7B4: GetCurrentThreadId.KERNEL32 ref: 0041F7BF
Part of subcall function 0041F7B4: GetCurrentThreadId.KERNEL32 ref: 0041F7CE
Part of subcall function 0041F7B4: EnterCriticalSection.KERNEL32(004999D0), ref: 0041F813
Part of subcall function 0041F7B4: InterlockedExchange.KERNEL32(00491B2C,?), ref: 0041F82F
Part of subcall function 0041F7B4: LeaveCriticalSection.KERNEL32(004999D0,00000000,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F888
Part of subcall function 0041F7B4: EnterCriticalSection.KERNEL32(004999D0,0041F904,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F8F7

Strings

TfD, xrefs: 00446EFE, 00446F08, 00446F59, 00446F81, 00446FBE, 00446F8E, 00446F69, 00446F6C, 00446F14, 00446F1D
4PI, xrefs: 00446FEA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00431630, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68 Total matches: 12clipboard

Similarity

Total matches: 12
API ID: EnumClipboardFormatsGetClipboardData
String ID: 84B
API String ID: 3474394156-4139892337
Opcode ID: cbdc4fb4fee60523561006c9190bf0aca0ea1a398c4033ec61a61d99ebad6b44
Instruction ID: f1c5519afed1b0c95f7f2342b940afc2bc63d918938f195d0c151ba0fb7a00cb
Opcode Fuzzy Hash: 42E0D8922359D127F8C2A2903882B52360966DA6488405B709B6D7D1575551512FF28B
Instruction Fuzzy Hash: f1c5519afed1b0c95f7f2342b940afc2bc63d918938f195d0c151ba0fb7a00cb

APIs

EnumClipboardFormats.USER32(00000000), ref: 00431657
GetClipboardData.USER32(00000000), ref: 00431677
GetClipboardData.USER32(00000009), ref: 00431680
EnumClipboardFormats.USER32(00000000), ref: 0043169F

Strings

84B, xrefs: 00431665

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043F914, Relevance: 7.7, APIs: 5, Instructions: 174 Total matches: 113window

Similarity

Total matches: 113
API ID: SetMenu$GetMenuSetWindowPos
String ID:
API String ID: 2285096500-0
Opcode ID: d0722823978f30f9d251a310f9061108e88e98677dd122370550f2cde24528f3
Instruction ID: e705ced47481df034b79e2c10a9e9c5239c9913cd23e0c77b7b1ec0a0db802ed
Opcode Fuzzy Hash: 5F118B40961E1266F846164C19EAF1171E6BB9D305CC4E72083E630396BE085027E773
Instruction Fuzzy Hash: e705ced47481df034b79e2c10a9e9c5239c9913cd23e0c77b7b1ec0a0db802ed

APIs

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetMenu.USER32(00000000), ref: 0043FA38
SetMenu.USER32(00000000,00000000), ref: 0043FA55
SetMenu.USER32(00000000,00000000), ref: 0043FA8A
SetMenu.USER32(00000000,00000000), ref: 0043FAA6

Part of subcall function 0043F84C: GetMenu.USER32(00000000), ref: 0043F892
Part of subcall function 0043F84C: SendMessageA.USER32(00000000,00000230,00000000,00000000), ref: 0043F8AA
Part of subcall function 0043F84C: DrawMenuBar.USER32(00000000), ref: 0043F8BB

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043FAED

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004455EC, Relevance: 7.6, APIs: 5, Instructions: 109 Total matches: 230

Similarity

Total matches: 230
API ID: ShowOwnedPopupsShowWindow$EnumWindows
String ID:
API String ID: 1268429734-0
Opcode ID: 27bb45b2951756069d4f131311b8216febb656800ffc3f7147a02f570a82fa35
Instruction ID: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc
Opcode Fuzzy Hash: 70012B5524E87325E2756D54B01C765A2239B0FF08CE6C6654AAE640F75E1E0132F78D
Instruction Fuzzy Hash: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc

APIs

EnumWindows.USER32(00445518,00000000), ref: 00445620
ShowWindow.USER32(?,00000000), ref: 00445655
ShowOwnedPopups.USER32(00000000,?), ref: 00445684
ShowWindow.USER32(?,00000005), ref: 004456EA
ShowOwnedPopups.USER32(00000000,?), ref: 00445719

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EB3C, Relevance: 7.6, APIs: 5, Instructions: 86 Total matches: 211window

Similarity

Total matches: 211
API ID: DispatchMessageMsgWaitForMultipleObjectsExPeekMessageTranslateMessageWaitForMultipleObjectsEx
String ID:
API String ID: 1615661765-0
Opcode ID: ed928f70f25773e24e868fbc7ee7d77a1156b106903410d7e84db0537b49759f
Instruction ID: 55a40452e6c929106030349fb2bc1598364ce2fc4e781c2a916e8f687fa462b2
Opcode Fuzzy Hash: DDF05C09614F1D16D8BB88644562B1B2144AB42397C26BFA5529EE3B2D6B18B00AF640
Instruction Fuzzy Hash: 55a40452e6c929106030349fb2bc1598364ce2fc4e781c2a916e8f687fa462b2

APIs

Part of subcall function 0042EA7C: IsWindow.USER32(?), ref: 0042EA99
Part of subcall function 0042EA7C: FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
Part of subcall function 0042EA7C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
Part of subcall function 0042EA7C: GetCurrentThreadId.KERNEL32(?,00000000,00000000,00000000,OleMainThreadWndClass,00000000,?,?,00000000,0042EB52), ref: 0042EB0A

MsgWaitForMultipleObjectsEx.USER32(?,?,?,000000BF,?), ref: 0042EB6A
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 0042EB85
TranslateMessage.USER32(?), ref: 0042EB92
DispatchMessageA.USER32(?), ref: 0042EB9B
WaitForMultipleObjectsEx.KERNEL32(?,?,?,?,00000000), ref: 0042EBC7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426178, Relevance: 7.6, APIs: 5, Instructions: 55 Total matches: 3070window

Similarity

Total matches: 3070
API ID: GetPaletteEntries$GetDCGetDeviceCapsReleaseDC
String ID:
API String ID: 1267235336-0
Opcode ID: 49f91625e0dd571c489fa6fdad89a91e8dd79834746e98589081ca7a3a4fea17
Instruction ID: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836
Opcode Fuzzy Hash: 7CD0C2AA1389DBD6BD6A17842352A4553478983B09D126B32EB0822872850C5039FD1F
Instruction Fuzzy Hash: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836

APIs

GetDC.USER32(00000000), ref: 00426190
GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444B90, Relevance: 7.5, APIs: 5, Instructions: 25 Total matches: 2957synchronizationthread

Similarity

Total matches: 2957
API ID: CloseHandleGetCurrentThreadIdSetEventUnhookWindowsHookExWaitForSingleObject
String ID:
API String ID: 3442057731-0
Opcode ID: bc40a7f740796d43594237fc13166084f8c3b10e9e48d5138e47e82ca7129165
Instruction ID: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1
Opcode Fuzzy Hash: E9C01296B2C9B0C1EC809712340202800B20F8FC590E3DE0509D7363005315D73CD92C
Instruction Fuzzy Hash: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1

APIs

UnhookWindowsHookEx.USER32(00000000), ref: 00444B9F
SetEvent.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBA
GetCurrentThreadId.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBF
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00444BD4
CloseHandle.KERNEL32(00000000), ref: 00444BDF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00487488, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 155 Total matches: 10

Similarity

Total matches: 10
API ID: EnterCriticalSectionLeaveCriticalSectionclosesocket
String ID: FpH
API String ID: 290008508-3698235444
Opcode ID: be6004bcf5111565a748ebf748fe8f94cb6dfae83d2399967abd75ac40b7e6c4
Instruction ID: 3d9c9e21102527a3ccf10666a7ac4716c4c3e43fa569496a7f805cea37bff582
Opcode Fuzzy Hash: 2C11B6219B4656ABDD15ED006C8F38532AE1BABCCAD9A83F2B27F3545E1A0331057292
Instruction Fuzzy Hash: 3d9c9e21102527a3ccf10666a7ac4716c4c3e43fa569496a7f805cea37bff582

APIs

EnterCriticalSection.KERNEL32(0049C3A8,00000000,00487671,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00487016), ref: 004874B5
closesocket.WSOCK32(00000000,FpH,?,?,?,?,0049C3A8,00000000,00487671,?,?,00000000,?,00000000,00000000,00000000), ref: 0048761C
LeaveCriticalSection.KERNEL32(0049C3A8,00487656,00487671,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00487016), ref: 00487649

Strings

FpH, xrefs: 004875BE, 004875C1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040D670, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148 Total matches: 3566thread

Similarity

Total matches: 3566
API ID: GetThreadLocale
String ID: eeee$ggg$yyyy
API String ID: 1366207816-1253427255
Opcode ID: 86fa1fb3c1f239f42422769255d2b4db7643f856ec586a18d45da068e260c20e
Instruction ID: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436
Opcode Fuzzy Hash: 3911BD8712648363D5722818A0D2BE3199C5703CA4EA89742DDB6356EA7F09440BEE6D
Instruction Fuzzy Hash: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436

APIs

GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Strings

eeee, xrefs: 0040D7AE
yyyy, xrefs: 0040D795
ggg, xrefs: 0040D785

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00448CDC, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 128 Total matches: 12

Similarity

Total matches: 12
API ID: ImageList_Draw$ImageList_GetImageCount
String ID: 6B
API String ID: 3589308897-1343726390
Opcode ID: 2690fd2ca55b1b65e67941613c6303a21faec12a0278fdf56c2d44981dc0a60c
Instruction ID: bb1a6af48a08526224ce615e4789a1aefef0bbae6c761038034d4d1812f59c35
Opcode Fuzzy Hash: D8017B814A5DA09FF93335842AE32BB204AE757E4ACCC3FF13684275C78420722BB613
Instruction Fuzzy Hash: bb1a6af48a08526224ce615e4789a1aefef0bbae6c761038034d4d1812f59c35

APIs

ImageList_GetImageCount.COMCTL32(?,?,?,00000000,00448E75), ref: 00448D9D

Part of subcall function 0042535C: FillRect.USER32(?,00000000,00000000), ref: 00425385

ImageList_Draw.COMCTL32(?,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000,00448E75), ref: 00448DDF
ImageList_Draw.COMCTL32(?,00000000,00000000,00000000,00000000,00000010,?,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 00448E0E

Part of subcall function 004488AC: ImageList_Add.COMCTL32(?,00000000,00000000,00000000,0044893E,?,00000000,0044895B), ref: 00448920

Strings

6B, xrefs: 00448D1F, 00448D58

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486094, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 112 Total matches: 15window

Similarity

Total matches: 15
API ID: DispatchMessagePeekMessageTranslateMessage
String ID: @^H
API String ID: 185851025-3554995626
Opcode ID: 2132e19746abd73b79cebe2d4e6b891fdd392e5cfbbdda1538f9754c05474f80
Instruction ID: eb76ea1802a2b415b8915c5eabc8b18207f4e99a378ecd2f436d0820f5175207
Opcode Fuzzy Hash: FF019C4102C7C1D9EE46E4FD3030BC3A454A74A7A6D89A7A03EFD1116A5F8A7116BF2B
Instruction Fuzzy Hash: eb76ea1802a2b415b8915c5eabc8b18207f4e99a378ecd2f436d0820f5175207

APIs

Part of subcall function 00485EAC: shutdown.WSOCK32(00000000,00000002), ref: 00485F0E
Part of subcall function 00485EAC: closesocket.WSOCK32(00000000,00000000,00000002), ref: 00485F19

Part of subcall function 00485F40: socket.WSOCK32(00000002,00000001,00000000,00000000,00486072), ref: 00485F69
Part of subcall function 00485F40: ntohs.WSOCK32(00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485F8F
Part of subcall function 00485F40: inet_addr.WSOCK32(015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FA0
Part of subcall function 00485F40: gethostbyname.WSOCK32(015EAA88,015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FB5
Part of subcall function 00485F40: connect.WSOCK32(00000000,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FD8
Part of subcall function 00485F40: recv.WSOCK32(00000000,0049A3A0,00001FFF,00000000,00000000,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FEF
Part of subcall function 00485F40: recv.WSOCK32(00000000,0049A3A0,00001FFF,00000000,00000000,0049A3A0,00001FFF,00000000,00000000,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000), ref: 0048603F

Part of subcall function 00466AFC: waveInOpen.WINMM(00000094,00000000,?,?,00000000,00010004), ref: 00466B36
Part of subcall function 00466AFC: waveInStart.WINMM(?), ref: 00466B5B

TranslateMessage.USER32(?), ref: 004861CA
DispatchMessageA.USER32(?), ref: 004861D0
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004861DE

Strings

@^H, xrefs: 004860BE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00473448, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 68 Total matches: 15network

Similarity

Total matches: 15
API ID: InternetConnectInternetOpen
String ID: 84G$DCSC
API String ID: 2368555255-1372800958
Opcode ID: 53ce43b2210f5c6ad3b551091bc6b8bee07640da22ed1286f4ed4d69da6ab12a
Instruction ID: e0797c740093838c5f4dac2a7ddd4939bcbe40ebc838de26f806c335dc33f113
Opcode Fuzzy Hash: 1AF0558C09DC81CBED14B5C83C827C7281AB357949E003B91161A372C3DF0A6174FA4F
Instruction Fuzzy Hash: e0797c740093838c5f4dac2a7ddd4939bcbe40ebc838de26f806c335dc33f113

APIs

InternetOpenA.WININET(DCSC,00000000,00000000,00000000,00000000), ref: 00473493
InternetConnectA.WININET(00000000,00000000,00000000,00000000,00000000,00000001,08000000,00000000), ref: 004734D9

Strings

DCSC, xrefs: 0047348E
84G, xrefs: 00473468, 0047350F, 004734AF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043804C, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58 Total matches: 1778window

Similarity

Total matches: 1778
API ID: DrawMenuBarGetMenuItemInfoSetMenuItemInfo
String ID: P
API String ID: 41131186-3110715001
Opcode ID: ea0fd48338f9c30b58f928f856343979a74bbe7af1b6c53973efcbd39561a32d
Instruction ID: eec9c326b6739cd85be96541f469f9b321a478421ae7c7aca53e0c239bd8eefe
Opcode Fuzzy Hash: C8E0C0C1064C1301CCACB4938564F010221FB8B33CDD1D3C051602419A9D0080D4BFFA
Instruction Fuzzy Hash: eec9c326b6739cd85be96541f469f9b321a478421ae7c7aca53e0c239bd8eefe

APIs

GetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 0043809A
SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 004380EC
DrawMenuBar.USER32(00000000), ref: 004380F9

Strings

P, xrefs: 0043808C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474E20, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51 Total matches: 17synchronizationthreadinjection

Similarity

Total matches: 17
API ID: CreateRemoteThreadReadProcessMemoryWaitForSingleObject
String ID: DCPERSFWBP
API String ID: 972516186-2425095734
Opcode ID: c4bd10bfc42c7bc3ca456a767018bd77f736aecaa9343146970cff40bb4593b6
Instruction ID: 075115d4d80338f80b59a5c3f9ea77aa0f3a1cab00edb24ce612801bf173fcc5
Opcode Fuzzy Hash: 63D0A70B97094A56102D348D54027154341A601775EC177E38E36873F719C17051F85E
Instruction Fuzzy Hash: 075115d4d80338f80b59a5c3f9ea77aa0f3a1cab00edb24ce612801bf173fcc5

APIs

Part of subcall function 00474DF0: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,00475328,?,?,00474E3D,DCPERSFWBP,?,?), ref: 00474E06
Part of subcall function 00474DF0: WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,00000000,?,00003000,00000040,?,?,00475328,?,?,00474E3D), ref: 00474E12

CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00474E5E
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00474E6E
ReadProcessMemory.KERNEL32(?,00000000,?,?,?,DCPERSFWBP,?,?), ref: 00474E81

Strings

DCPERSFWBP, xrefs: 00474E28

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C3E4, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47 Total matches: 32libraryloader

Similarity

Total matches: 32
API ID: FreeLibraryGetProcAddressLoadLibrary
String ID: _DCEntryPoint
API String ID: 2438569322-2130044969
Opcode ID: ab6be07d423f29e2cef18b5ad5ff21cef58c0bd0bd6b8b884c8bb9d8d911d098
Instruction ID: 3cba8b520013dd4b177f9c32272ffd10ecf318a20762e1e9fa694429cf7511db
Opcode Fuzzy Hash: B9D0C2568747D413C405200439407D90CF1AF8719F9967FA145303FAD76F09801B7527
Instruction Fuzzy Hash: 3cba8b520013dd4b177f9c32272ffd10ecf318a20762e1e9fa694429cf7511db

APIs

LoadLibraryA.KERNEL32(00000000), ref: 0048C431
GetProcAddress.KERNEL32(00000000,_DCEntryPoint,00000000,0048C473), ref: 0048C442
FreeLibrary.KERNEL32(00000000), ref: 0048C44A

Strings

_DCEntryPoint, xrefs: 0048C43C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E2E0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43 Total matches: 12

Similarity

Total matches: 12
API ID: GetSystemMetrics
String ID: B$MonitorFromRect
API String ID: 96882338-2754499530
Opcode ID: 1842a50c2a1cfa3c1025dca09d4f756f79199febb49279e4604648b2b7edb610
Instruction ID: 6b6d6292007391345a0dd43a7380953c143f03b3d0a4cb72f8cf2ff6a2a574f7
Opcode Fuzzy Hash: E0D0A791112CA408509A0917702924315EE35EBC1599C0BE6976B792E797CABD329E0D
Instruction Fuzzy Hash: 6b6d6292007391345a0dd43a7380953c143f03b3d0a4cb72f8cf2ff6a2a574f7

APIs

GetSystemMetrics.USER32(00000000), ref: 0042E331
GetSystemMetrics.USER32(00000001), ref: 0042E33D

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

MonitorFromRect, xrefs: 0042E2F5
B, xrefs: 0042E2FA, 0042E307, 0042E30E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00431584, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43 Total matches: 12clipboard

Similarity

Total matches: 12
API ID: GetClipboardDataGlobalLockGlobalUnlock
String ID: 3 H
API String ID: 1112492702-888106971
Opcode ID: 013a2f41e22a5f88135e53f1f30c1b54f125933eea5d15d528f5d163d4797a42
Instruction ID: db876d1a574ac817b8a3991f0ba770b49a36090bd3b886d1e57eba999d76a536
Opcode Fuzzy Hash: 53D0A7C3025DE267E991578C0053A92A6C0D8416087C063B0830C2E927031E50AB7063
Instruction Fuzzy Hash: db876d1a574ac817b8a3991f0ba770b49a36090bd3b886d1e57eba999d76a536

APIs

GetClipboardData.USER32(00000001), ref: 0043159A
GlobalLock.KERNEL32(00000000,00000000,004315F6), ref: 004315BA
GlobalUnlock.KERNEL32(00000000,004315FD), ref: 004315E8

Strings

3 H, xrefs: 00431590, 004315ED

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046D36C, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36 Total matches: 62

Similarity

Total matches: 62
API ID: ShellExecute
String ID: /k $[FILE]$open
API String ID: 2101921698-3009165984
Opcode ID: 68a05d7cd04e1a973318a0f22a03b327e58ffdc8906febc8617c9713a9b295c3
Instruction ID: d64fb813625eb261c687c2654e5203d30067de4ace02db37851750b48dd66fbf
Opcode Fuzzy Hash: FED0C75427CD9157FA017F8439527E61057E747281D481BE285587A0838F8D40659312
Instruction Fuzzy Hash: d64fb813625eb261c687c2654e5203d30067de4ace02db37851750b48dd66fbf

APIs

ShellExecuteA.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0046D3B9

Strings

/k , xrefs: 0046D39A
cmd.exe, xrefs: 0046D3AD
open, xrefs: 0046D3B2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042F9E4, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36 Total matches: 35libraryloader

Similarity

Total matches: 35
API ID: GetProcAddressLoadLibrary
String ID: DWMAPI.DLL$DwmExtendFrameIntoClientArea
API String ID: 3291547091-2956373744
Opcode ID: cc41b93bac7ef77e5c5829331b5f2d91e10911707bc9e4b3bb75284856726923
Instruction ID: 611aa7263024d751f308fb3d57e5af9092bc5a71ac2d52dead79affe02cb0da7
Opcode Fuzzy Hash: D0D0A7E4C08511B0F0509405703078241DE1BC5EEE8860E90150E533621B9FB827F65C
Instruction Fuzzy Hash: 611aa7263024d751f308fb3d57e5af9092bc5a71ac2d52dead79affe02cb0da7

APIs

LoadLibraryA.KERNEL32(DWMAPI.DLL), ref: 0042FA0E
GetProcAddress.KERNEL32(00000000,DwmExtendFrameIntoClientArea,?,?,?,00447F98), ref: 0042FA31

Strings

DWMAPI.DLL, xrefs: 0042FA09
DwmExtendFrameIntoClientArea, xrefs: 0042FA26

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042FA80, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31 Total matches: 41libraryloader

Similarity

Total matches: 41
API ID: GetProcAddressLoadLibrary
String ID: DWMAPI.DLL$DwmIsCompositionEnabled
API String ID: 3291547091-2128843254
Opcode ID: 903d86e3198bc805c96c7b960047695f5ec88b3268c29fda1165ed3f3bc36d22
Instruction ID: 6cdb37f6684ca359e010f835ed4616ce0f7732468e0f2b98b5f1960530870703
Opcode Fuzzy Hash: E3D0C9A5C0865175F571D509713068081FA23D6E8A8824998091A123225FAFB866F55C
Instruction Fuzzy Hash: 6cdb37f6684ca359e010f835ed4616ce0f7732468e0f2b98b5f1960530870703

APIs

LoadLibraryA.KERNEL32(DWMAPI.DLL), ref: 0042FAA6
GetProcAddress.KERNEL32(00000000,DwmIsCompositionEnabled,?,?,0042FB22,?,00447EFB), ref: 0042FAC9

Strings

DwmIsCompositionEnabled, xrefs: 0042FABE
DWMAPI.DLL, xrefs: 0042FAA1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00411444, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: 954335058d5fe722e048a186d9110509c96c1379a47649d8646f5b9e1a2e0a0b
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: 9D014B0327CAAA867021BB004882FA0D2D4DE52A369CD8774DB71593F62780571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004114F3
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041150F
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411586
VariantClear.OLEAUT32(?), ref: 004115AF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040D8AA, Relevance: 6.1, APIs: 4, Instructions: 101 Total matches: 2563

Similarity

Total matches: 2563
API ID: GetModuleFileName$LoadStringVirtualQuery
String ID:
API String ID: 2941097594-0
Opcode ID: 9f707685a8ca2ccbfc71ad53c7f9b5a8f910bda01de382648e3a286d4dcbad8b
Instruction ID: 9b6f9daabaaed01363acd1bc6df000eeaee8c5b1ee04e659690c8b100997f9f3
Opcode Fuzzy Hash: 4C014C024365E386F4234B112882F5492E0DB65DB1E8C6751EFB9503F65F40115EF72D
Instruction Fuzzy Hash: 9b6f9daabaaed01363acd1bc6df000eeaee8c5b1ee04e659690c8b100997f9f3

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040D8C9
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040D8ED
GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040D908
LoadStringA.USER32(00000000,0000FFED,?,00000100), ref: 0040D99E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428848, Relevance: 6.1, APIs: 4, Instructions: 83 Total matches: 2913window

Similarity

Total matches: 2913
API ID: CreateCompatibleDCRealizePaletteSelectObjectSelectPalette
String ID:
API String ID: 3833105616-0
Opcode ID: 7f49dee69bcd38fda082a6c54f39db5f53dba16227df2c2f18840f8cf7895046
Instruction ID: 29ada319a87402adac0eebea4d3b1ef9d21249ffa1523adf5174efdc3c3390a2
Opcode Fuzzy Hash: C0F0E5870BCED49BFCA7D484249722910C2F3C08DFC80A3324E55676DB9604B127A20B
Instruction Fuzzy Hash: 29ada319a87402adac0eebea4d3b1ef9d21249ffa1523adf5174efdc3c3390a2

APIs

Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE

Part of subcall function 00429D5C: GetDC.USER32(00000000), ref: 00429DB2
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429DC7
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00429DD1
Part of subcall function 00429D5C: CreateHalftonePalette.GDI32(00000000), ref: 00429DF5
Part of subcall function 00429D5C: ReleaseDC.USER32(00000000,00000000), ref: 00429E00

CreateCompatibleDC.GDI32(00000000), ref: 0042889D
SelectObject.GDI32(00000000,?), ref: 004288B6
SelectPalette.GDI32(00000000,?,000000FF), ref: 004288DF
RealizePalette.GDI32(00000000), ref: 004288EB

Part of subcall function 00425608: LeaveCriticalSection.KERNEL32(00000038,00000000,00423DD2,00423DE8), ref: 0042560F
Part of subcall function 00425608: EnterCriticalSection.KERNEL32(00499A30,00000038,00000000,00423DD2,00423DE8), ref: 00425619
Part of subcall function 00425608: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000038,00000000,00423DD2,00423DE8), ref: 00425626

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00470B94, Relevance: 6.1, APIs: 4, Instructions: 73 Total matches: 22file

Similarity

Total matches: 22
API ID: DragQueryFile$GlobalLockGlobalUnlock
String ID:
API String ID: 367920443-0
Opcode ID: 498cda1e803d17a6f5118466ea9165dd9226bd8025a920d397bde98fe09ca515
Instruction ID: b8ae27aaf29c7a970dfd4945759f76c89711bef1c6f8db22077be54f479f9734
Opcode Fuzzy Hash: F8F05C830F79E26BD5013A844E0179401A17B03DB8F147BB2D232729DC4E5D409DF60F
Instruction Fuzzy Hash: b8ae27aaf29c7a970dfd4945759f76c89711bef1c6f8db22077be54f479f9734

APIs

Part of subcall function 00431970: GetClipboardData.USER32(00000000), ref: 00431996

GlobalLock.KERNEL32(00000000,00000000,00470C74), ref: 00470BDE
DragQueryFileA.SHELL32(?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470BF0
DragQueryFileA.SHELL32(?,00000000,?,00000105,?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470C10
GlobalUnlock.KERNEL32(00000000,?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470C56

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00438710, Relevance: 6.1, APIs: 4, Instructions: 72 Total matches: 3034window

Similarity

Total matches: 3034
API ID: GetMenuItemIDGetMenuStateGetMenuStringGetSubMenu
String ID:
API String ID: 4177512249-0
Opcode ID: ecc45265f1f2dfcabc36b66648e37788e83d83d46efca9de613be41cbe9cf08e
Instruction ID: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d
Opcode Fuzzy Hash: BEE020084B1FC552541F0A4A1573F019140E142CB69C3F3635127565B31A255213F776
Instruction Fuzzy Hash: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d

APIs

GetMenuState.USER32(?,?,?), ref: 00438733
GetSubMenu.USER32(?,?), ref: 0043873E
GetMenuItemID.USER32(?,?), ref: 00438757
GetMenuStringA.USER32(?,?,?,?,?), ref: 004387AA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00445518, Relevance: 6.1, APIs: 4, Instructions: 71 Total matches: 218threadwindow

Similarity

Total matches: 218
API ID: GetCurrentProcessIdGetWindowGetWindowThreadProcessIdIsWindowVisible
String ID:
API String ID: 3659984437-0
Opcode ID: 6a2b99e3a66d445235cbeb6ae27631a3038d73fb4110980a8511166327fee1f0
Instruction ID: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8
Opcode Fuzzy Hash: 82E0AB21B2AA28AAE0971541B01939130B3F74ED9ACC0A3626F8594BD92F253809E74F
Instruction Fuzzy Hash: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8

APIs

GetWindow.USER32(?,00000004), ref: 00445528
GetWindowThreadProcessId.USER32(?,?), ref: 00445542
GetCurrentProcessId.KERNEL32(?,00000004), ref: 0044554E
IsWindowVisible.USER32(?), ref: 0044559E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B29C, Relevance: 6.1, APIs: 4, Instructions: 58 Total matches: 214window

Similarity

Total matches: 214
API ID: DeleteObject$GetIconInfoGetObject
String ID:
API String ID: 3019347292-0
Opcode ID: d6af2631bec08fa1cf173fc10c555d988242e386d2638a025981433367bbd086
Instruction ID: 7fbc048e39f9dd6e6db5f40543e5f161b145f4c2f282fe4a446dbd8e1941d375
Opcode Fuzzy Hash: F7D0C283228DE2F7ED767D983A636154085F782297C6423B00444730860A1E700C6A03
Instruction Fuzzy Hash: 7fbc048e39f9dd6e6db5f40543e5f161b145f4c2f282fe4a446dbd8e1941d375

APIs

GetIconInfo.USER32(?,?), ref: 0042B2BD
GetObjectA.GDI32(?,00000018,?), ref: 0042B2DE
DeleteObject.GDI32(?), ref: 0042B30A
DeleteObject.GDI32(?), ref: 0042B313

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0041C2D4, Relevance: 6.1, APIs: 4, Instructions: 51 Total matches: 4966

Similarity

Total matches: 4966
API ID: FindResourceLoadResourceLockResourceSizeofResource
String ID:
API String ID: 3653323225-0
Opcode ID: 735dd83644160b8dcfdcb5d85422b4d269a070ba32dbf009b7750e227a354687
Instruction ID: 615d07274e164157e3e11310b2f920de543c2506028dc961f8b3aaf64374c2fd
Opcode Fuzzy Hash: 4BD0A90A2268C100582C2C80002BBC610830A5FE226CC27F902231BBC32C026024F8C4
Instruction Fuzzy Hash: 615d07274e164157e3e11310b2f920de543c2506028dc961f8b3aaf64374c2fd

APIs

FindResourceA.KERNEL32(?,?,?), ref: 0041C2EB
LoadResource.KERNEL32(?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C305
SizeofResource.KERNEL32(?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C31F
LockResource.KERNEL32(0041BDF4,00000000,?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000), ref: 0041C329

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040A3AC, Relevance: 6.0, APIs: 4, Instructions: 40 Total matches: 51time

Similarity

Total matches: 51
API ID: DosDateTimeToFileTimeGetLastErrorLocalFileTimeToFileTimeSetFileTime
String ID:
API String ID: 3095628216-0
Opcode ID: dc7fe683cb9960f76d0248ee31fd3249d04fe76d6d0b465a838fe0f3e66d3351
Instruction ID: c3399427300e97a0bf23ec08d7f996c3ab3c22a86554ee3675cd901d102723b3
Opcode Fuzzy Hash: F2C0803B165157D71F4F7D7C600375011F0D1778230955B614E019718D4E05F01EFD86
Instruction Fuzzy Hash: c3399427300e97a0bf23ec08d7f996c3ab3c22a86554ee3675cd901d102723b3

APIs

DosDateTimeToFileTime.KERNEL32(?,0048C37F,?), ref: 0040A3C9
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0040A3DA
SetFileTime.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3EC
GetLastError.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3F5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00484388, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 39

Similarity

Total matches: 39
API ID: CloseHandleGetExitCodeProcessOpenProcessTerminateProcess
String ID:
API String ID: 2790531620-0
Opcode ID: 2f64381cbc02908b23ac036d446d8aeed05bad4df5f4c3da9e72e60ace7043ae
Instruction ID: e830ae185e03603e72926048c7063e7464f7d8c572e36ef4319c937be7ad0c91
Opcode Fuzzy Hash: 5DC01285079EAB7B643571D825437E14084D5026CCB943B7185045F10B4B09B43DF053
Instruction Fuzzy Hash: e830ae185e03603e72926048c7063e7464f7d8c572e36ef4319c937be7ad0c91

APIs

OpenProcess.KERNEL32(00000001,00000000,00000000), ref: 00484393
GetExitCodeProcess.KERNEL32(00000000,?), ref: 004843B7
TerminateProcess.KERNEL32(00000000,?,00000000,004843E0,?,00000001,00000000,00000000), ref: 004843C4
CloseHandle.KERNEL32(00000000), ref: 004843DA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044E254, Relevance: 6.0, APIs: 4, Instructions: 37 Total matches: 5751thread

Similarity

Total matches: 5751
API ID: GetCurrentProcessIdGetPropGetWindowThreadProcessIdGlobalFindAtom
String ID:
API String ID: 142914623-0
Opcode ID: 055fee701d7a26f26194a738d8cffb303ddbdfec43439e02886190190dab2487
Instruction ID: e9689aead5eaf442059aa2d418bca5d111d08576717f72d926dd49825766799b
Opcode Fuzzy Hash: 0AC02203AD2E23870E4202F2E840907219583DF8720CA370201B0E38C023F0461DFF0C
Instruction Fuzzy Hash: e9689aead5eaf442059aa2d418bca5d111d08576717f72d926dd49825766799b

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 0044E261
GetCurrentProcessId.KERNEL32(00000000,?,?,-00000010,00000000,0044E2CC,-000000F7,?,00000000,0044DE86,?,-00000010,?), ref: 0044E26A
GlobalFindAtomA.KERNEL32(00000000), ref: 0044E27F
GetPropA.USER32(00000000,00000000), ref: 0044E296

Part of subcall function 0044D2C0: GetWindowThreadProcessId.USER32(?), ref: 0044D2C6
Part of subcall function 0044D2C0: GetCurrentProcessId.KERNEL32(?,?,?,?,0044D346,?,00000000,?,004387ED,?,004378A9), ref: 0044D2CF
Part of subcall function 0044D2C0: SendMessageA.USER32(?,0000C1C7,00000000,00000000), ref: 0044D2E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444B1C, Relevance: 6.0, APIs: 4, Instructions: 34 Total matches: 2966thread

Similarity

Total matches: 2966
API ID: CreateEventCreateThreadGetCurrentThreadIdSetWindowsHookEx
String ID:
API String ID: 2240124278-0
Opcode ID: 54442a1563c67a11f9aee4190ed64b51599c5b098d388fde65e2e60bb6332aef
Instruction ID: 25b62da08cecef26c395931cea73ffe9b62582a88be241cbb158b3c9ea13de32
Opcode Fuzzy Hash: 37D0C940B0DE75C4F860630138017A90633234BF1BCD1C316480F76041C6CFAEF07A28
Instruction Fuzzy Hash: 25b62da08cecef26c395931cea73ffe9b62582a88be241cbb158b3c9ea13de32

APIs

GetCurrentThreadId.KERNEL32(?,00447A69,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00444B34
SetWindowsHookExA.USER32(00000003,00444AD8,00000000,00000000), ref: 00444B44
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00447A69,?,?,?,?,?,?,?,?,?,?), ref: 00444B5F
CreateThread.KERNEL32(00000000,000003E8,00444A7C,00000000,00000000), ref: 00444B83

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B438, Relevance: 6.0, APIs: 4, Instructions: 29 Total matches: 789

Similarity

Total matches: 789
API ID: GetDCGetTextMetricsReleaseDCSelectObject
String ID:
API String ID: 1769665799-0
Opcode ID: db772d9cc67723a7a89e04e615052b16571c955da3e3b2639a45f22e65d23681
Instruction ID: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3
Opcode Fuzzy Hash: DCC02B935A2888C32DE51FC0940084317C8C0E3A248C62212E13D400727F0C007CBFC0
Instruction Fuzzy Hash: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3

APIs

GetDC.USER32(00000000), ref: 0042B441
SelectObject.GDI32(00000000,018A002E), ref: 0042B453
GetTextMetricsA.GDI32(00000000), ref: 0042B45E
ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E3F0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103 Total matches: 30

Similarity

Total matches: 30
API ID: SHGetPathFromIDListSHGetSpecialFolderLocation
String ID: .LNK
API String ID: 739551631-2547878182
Opcode ID: 6b91e9416f314731ca35917c4d41f2341f1eaddd7b94683245f35c4551080332
Instruction ID: e6ae6f63a256f5e8788dfe1c4fce17057cd352befa637d7beb5ae1c0f18a968e
Opcode Fuzzy Hash: 9701B543079EC2A3D9232E512D43BA60129AF11E22F4C77F35A3C3A7D11E500105FA4A
Instruction Fuzzy Hash: e6ae6f63a256f5e8788dfe1c4fce17057cd352befa637d7beb5ae1c0f18a968e

APIs

SHGetSpecialFolderLocation.SHELL32(00000000,00000010,?), ref: 0046E44B
SHGetPathFromIDListA.SHELL32(?,?,00000000,00000010,?,00000000,0046E55E), ref: 0046E463

Part of subcall function 0042BE44: CoCreateInstance.OLE32(?,00000000,00000005,0042BF34,00000000), ref: 0042BE8B

Strings

.LNK, xrefs: 0046E4DE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004629C0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 91 Total matches: 35com

Similarity

Total matches: 35
API ID: CoCreateInstance
String ID: <*I$L*I
API String ID: 206711758-935359969
Opcode ID: 926ebed84de1c4f5a0cff4f8c2e2da7e6b2741b3f47b898da21fef629141a3d9
Instruction ID: fa8d7291222113e0245fa84df17397d490cbd8a09a55d837a8cb9fde22732a4b
Opcode Fuzzy Hash: 79F02EA00A6B5057F502728428413DB0157E74BF09F48EB715253335860F29E22A6903
Instruction Fuzzy Hash: fa8d7291222113e0245fa84df17397d490cbd8a09a55d837a8cb9fde22732a4b

APIs

CoCreateInstance.OLE32(00492A3C,00000000,00000001,0049299C,00000000), ref: 00462A3F

Strings

<*I, xrefs: 00462A39
L*I, xrefs: 00462A60

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004658F4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91 Total matches: 91memory

Similarity

Total matches: 91
API ID: VirtualFreeVirtualProtect
String ID: FinalizeSections: VirtualProtect failed
API String ID: 636303360-3584865983
Opcode ID: eacfc3cf263d000af2bbea4d1e95e0ccf08e91c00f24ffdf9b55ce997f25413f
Instruction ID: a25c5a888a9fda5817e5b780509016ca40cf7ffd1ade20052d4c48f0177e32df
Opcode Fuzzy Hash: 8CF0A7A2164FC596D9E4360D5003B96A44B6BC1369D4857412FFF106F35E46A06B7D4C
Instruction Fuzzy Hash: a25c5a888a9fda5817e5b780509016ca40cf7ffd1ade20052d4c48f0177e32df

APIs

VirtualFree.KERNEL32(?,?,00004000), ref: 00465939
VirtualProtect.KERNEL32(?,?,00000000,?), ref: 004659A5

Strings

FinalizeSections: VirtualProtect failed, xrefs: 004659B3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004889F0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 72 Total matches: 20

Similarity

Total matches: 20
API ID: GetMonitorInfo
String ID: H$MONSIZE
API String ID: 2399315694-578782711
Opcode ID: fcbd22419a9fe211802b34775feeb9b9cd5c1eab3f2b681a58b96c928ed20dcd
Instruction ID: 58dff39716ab95f400833e95f8353658d64ab2bf0589c4ada55bb24297febcec
Opcode Fuzzy Hash: A0F0E957075E9D5BE7326D883C177C042D82342C5AE8EB75741B9329B20D59511DF3C9
Instruction Fuzzy Hash: 58dff39716ab95f400833e95f8353658d64ab2bf0589c4ada55bb24297febcec

APIs

GetMonitorInfoA.USER32(?,00000048), ref: 00488A28

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

H, xrefs: 00488A19
MONSIZE, xrefs: 00488A65

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486210, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66 Total matches: 14network

Similarity

Total matches: 14
API ID: recvsend
String ID: EndReceive
API String ID: 740075404-1723565878
Opcode ID: 0642aeb2bf09005660d41f125a1d03baad4e76b78f36ec5b7dd5d239cf09d5cc
Instruction ID: 216cfea4cb83c20b808547ecb65d31b60c96cf6878345f9c489041ca4988cdb5
Opcode Fuzzy Hash: 4FE02B06133A455DE6270580341A3C7F947772B705E47D7F14FA4311DACA43322AE70B
Instruction Fuzzy Hash: 216cfea4cb83c20b808547ecb65d31b60c96cf6878345f9c489041ca4988cdb5

APIs

Part of subcall function 00466470: acmStreamConvert.MSACM32(?,00000108,00000000), ref: 004664AB
Part of subcall function 00466470: acmStreamReset.MSACM32(?,00000000,?,00000108,00000000), ref: 004664B9

send.WSOCK32(00000000,0049A3A0,00000000,00000000), ref: 004862AA
recv.WSOCK32(00000000,0049A3A0,00001FFF,00000000,00000000,0049A3A0,00000000,00000000), ref: 004862C1

Part of subcall function 00475F68: send.WSOCK32(?,00000000,?,00000000,00000000,00475FCA), ref: 00475FAF

Strings

EndReceive, xrefs: 004862CA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E408, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44 Total matches: 2190

Similarity

Total matches: 2190
API ID: GetSystemMetrics
String ID: MonitorFromPoint
API String ID: 96882338-1072306578
Opcode ID: 666203dad349f535e62b1e5569e849ebaf95d902ba2aa8f549115cec9aadc9dc
Instruction ID: 9e90a3aeaa9df0e76633c437836624889fea8714b6c2508f44f8acb6986c90e8
Opcode Fuzzy Hash: 72D09540005C404E9427F505302314050862CD7C1444C0A96073728A4B4BC07837E70C
Instruction Fuzzy Hash: 9e90a3aeaa9df0e76633c437836624889fea8714b6c2508f44f8acb6986c90e8

APIs

GetSystemMetrics.USER32(00000000), ref: 0042E456
GetSystemMetrics.USER32(00000001), ref: 0042E468

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

MonitorFromPoint, xrefs: 0042E41A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00405026, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43 Total matches: 29

Similarity

Total matches: 29
API ID: UnhandledExceptionFilter
String ID: @$@
API String ID: 324268079-1993891284
Opcode ID: 08651bee2e51f7c203f2bcbc4971cbf38b3c12a2f284cd033f2f36121a1f9316
Instruction ID: 09869fe21a55f28103c5e2f74b220912f521d4c5ca74f0421fb5e508a020f7c0
Opcode Fuzzy Hash: 83E0CD9917D5514BE0755684259671E1051EF05825C4A8F316D173C1FB151A11E4F77C
Instruction Fuzzy Hash: 09869fe21a55f28103c5e2f74b220912f521d4c5ca74f0421fb5e508a020f7c0

APIs

UnhandledExceptionFilter.KERNEL32(00000006), ref: 00405047

Strings

@, xrefs: 00405080
@, xrefs: 004050A2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00422188, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42 Total matches: 16registry

Similarity

Total matches: 16
API ID: RegSetValueEx
String ID: NoControlPanel$tdA
API String ID: 3711155140-1355984343
Opcode ID: 5e8bf8497a5466fff8bc5eb4e146d5dc6a0602752481f5dd4d5504146fb4de3d
Instruction ID: cdf02c1bfc0658aace9b7e9a135c824c3cff313d703079df6a374eed0d2e646e
Opcode Fuzzy Hash: E2D0A75C074881C524D914CC3111E01228593157AA49C3F52875D627F70E00E038DD1E
Instruction Fuzzy Hash: cdf02c1bfc0658aace9b7e9a135c824c3cff313d703079df6a374eed0d2e646e

APIs

RegSetValueExA.ADVAPI32(?,00000000,00000000,00000000,?,?,004724E0,00000000,004724E0), ref: 004221BA

Strings

NoControlPanel, xrefs: 00422188
tdA, xrefs: 004221D0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E258, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39 Total matches: 3131

Similarity

Total matches: 3131
API ID: GetSystemMetrics
String ID: GetSystemMetrics
API String ID: 96882338-96882338
Opcode ID: bbc54e4b5041dfa08de2230ef90e8f32e1264c6e24ec09b97715d86cc98d23e9
Instruction ID: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c
Opcode Fuzzy Hash: B4D0A941986AA908E0AF511971A336358D163D2EA0C8C8362308B329EB5741B520AB01
Instruction Fuzzy Hash: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c

APIs

GetSystemMetrics.USER32(?), ref: 0042E2BA

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

GetSystemMetrics.USER32(?), ref: 0042E280

Strings

GetSystemMetrics, xrefs: 0042E268

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Process Name: svchost.exe Analysis ID: 24621

General

Root Process Name:	regdrv.exe
Process MD5:	54A47F6B5E09A77E61649109C6A08866
Total matches:	164
Initial Analysis Report:	Open
Initial sample Analysis ID:	24621
Initial sample SHA 256:	F2A71DD086937D2126DD541925729A8299D857CC9C4D010A8A86B400C6547702
Initial sample name:	Oiyykssl.exe

Similar Executed Functions

Function 004818F8, Relevance: 49.2, APIs: 10, Strings: 18, Instructions: 236 Total matches: 18keyboard

Similarity

Total matches: 18
API ID: GetKeyState$CallNextHookEx$GetKeyboardStateMapVirtualKeyToAscii
String ID: [<-]$[DEL]$[DOWN]$[ESC]$[F1]$[F2]$[F3]$[F4]$[F5]$[F6]$[F7]$[F8]$[INS]$[LEFT]$[NUM_LOCK]$[RIGHT]$[SNAPSHOT]$[UP]
API String ID: 2409940449-52828794
Opcode ID: b9566e8c43a4051c07ac84d60916a303a7beb698efc358184a9cd4bc7b664fbd
Instruction ID: 41c13876561f3d94aafb9dcaf6d0e9d475a0720bb5103e60537e1bfe84b96b73
Opcode Fuzzy Hash: 0731B68AA7159623D437E2D97101B910227BF975D0CC1A3333EDA3CAE99E900114BF25
Instruction Fuzzy Hash: 41c13876561f3d94aafb9dcaf6d0e9d475a0720bb5103e60537e1bfe84b96b73

APIs

CallNextHookEx.USER32(000601F9,00000000,?,?), ref: 00481948

Part of subcall function 004818E0: MapVirtualKeyA.USER32(00000000,00000000), ref: 004818E6

CallNextHookEx.USER32(000601F9,00000000,00000100,?), ref: 0048198C
GetKeyState.USER32(00000014), ref: 00481C4E
GetKeyState.USER32(00000011), ref: 00481C60
GetKeyState.USER32(000000A0), ref: 00481C75
GetKeyState.USER32(000000A1), ref: 00481C8A
GetKeyboardState.USER32(?), ref: 00481CA5
MapVirtualKeyA.USER32(00000000,00000000), ref: 00481CD7
ToAscii.USER32(00000000,00000000,00000000,00000000,?), ref: 00481CDE

Part of subcall function 00481318: ExitThread.KERNEL32(00000000,00000000,00481687,?,00000000,004816C3,?,?,?,?,0000000C,00000000,00000000), ref: 0048135E
Part of subcall function 00481318: CreateThread.KERNEL32(00000000,00000000,Function_000810D4,00000000,00000000,00499F94), ref: 0048162D

CallNextHookEx.USER32(000601F9,00000000,?,?), ref: 00481D3C

Strings

[LEFT], xrefs: 00481C07
[F3], xrefs: 00481B65
[DOWN], xrefs: 00481C2B
[<-], xrefs: 00481B1D
[NUM_LOCK], xrefs: 00481B2F
[RIGHT], xrefs: 00481C19
[F7], xrefs: 00481BAD
[DEL], xrefs: 00481BD1
[UP], xrefs: 00481C3D
[F4], xrefs: 00481B77
[ESC], xrefs: 00481AE7
[F8], xrefs: 00481BBF
[F5], xrefs: 00481B89
[F1], xrefs: 00481B41
[INS], xrefs: 00481BE3
[F6], xrefs: 00481B9B
[SNAPSHOT], xrefs: 00481BF5
[F2], xrefs: 00481B53

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AEA8, Relevance: 9.1, APIs: 6, Instructions: 108 Total matches: 122

Similarity

Total matches: 122
API ID: AdjustTokenPrivilegesCloseHandleGetCurrentProcessGetLastErrorLookupPrivilegeValueOpenProcessToken
String ID:
API String ID: 1655903152-0
Opcode ID: c92d68a2c1c5faafb4a28c396f292a277a37f0b40326d7f586547878ef495775
Instruction ID: 5a044237aac15a3989e4021d08b96f5326c338692d3d0e66e444868dbe789150
Opcode Fuzzy Hash: 2CF0468513CAB2E7F879B18C3042FE73458B323244C8437219A903A18E0E59A12CEB13
Instruction Fuzzy Hash: 5a044237aac15a3989e4021d08b96f5326c338692d3d0e66e444868dbe789150

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AEFF
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF05
LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000), ref: 0048AF77
CloseHandle.KERNEL32(?), ref: 0048AF8D
GetLastError.KERNEL32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF9A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DDE0, Relevance: 7.6, APIs: 5, Instructions: 54 Total matches: 153

Similarity

Total matches: 153
API ID: FindResourceFreeResourceLoadResourceLockResourceSizeofResource
String ID:
API String ID: 3885362348-0
Opcode ID: ef8b8e58cde3d28224df1e0c57da641ab2d3d01fa82feb3a30011b4f31433ee9
Instruction ID: 9990bafbf40e834a260b48e1f62370990a3e04654371271e90c167a58edff6a8
Opcode Fuzzy Hash: 08D02B420B5FA197F51656482C813D722876B43386EC42BF2D31A3B2E39F058039F60B
Instruction Fuzzy Hash: 9990bafbf40e834a260b48e1f62370990a3e04654371271e90c167a58edff6a8

APIs

FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 0048DE1A
LoadResource.KERNEL32(00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE24
SizeofResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE2E
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE36
FreeResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00481ED8, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 86 Total matches: 13

Similarity

Total matches: 13
API ID: GetModuleHandleSetWindowsHookEx
String ID: 3 H$dclogs\
API String ID: 987070476-1752027334
Opcode ID: 4b23d8581528a2a1bc1133d8afea0c2915dbad2a911779c2aade704c29555fce
Instruction ID: b2120ba2d2fe5220d185ceeadd256cdd376e4b814eb240eb03e080d2c545ca01
Opcode Fuzzy Hash: 00F0D1DB07A9C683E1A2A4847C42796007D5F07115E8C8BB3473F7A4F64F164026F70A
Instruction Fuzzy Hash: b2120ba2d2fe5220d185ceeadd256cdd376e4b814eb240eb03e080d2c545ca01

APIs

GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00482007,?,?,00000003,00000000,00000000,?,00482033), ref: 00481EFB
SetWindowsHookExA.USER32(0000000D,004818F8,00000000,00000000), ref: 00481F09

Part of subcall function 0048ADCC: SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0048ADF9
Part of subcall function 0048ADCC: SHGetPathFromIDListA.SHELL32(?,?,00000000,0048AE8C,?,?,00000005,?,004856FD,00000000,00485755,?,?,00000005,00000000,00000000), ref: 0048AE09

Part of subcall function 0040A290: GetFileAttributesA.KERNEL32(00000000,?,0048FD09,?,?,00490710,?), ref: 0040A29B

Part of subcall function 00480F70: GetForegroundWindow.USER32 ref: 00480F8F
Part of subcall function 00480F70: GetWindowTextLengthA.USER32(00000000), ref: 00480F9B
Part of subcall function 00480F70: GetWindowTextA.USER32(00000000,00000000,00000001), ref: 00480FB8

Strings

dclogs\, xrefs: 00481F26, 00481F4C, 00481F6E
3 H, xrefs: 00481F16, 00481F23, 00481F30

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047EAEC, Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 149 Total matches: 19windowthread

Similarity

Total matches: 19
API ID: CreateThreadDispatchMessageGetMessageTranslateMessage
String ID: at $,xI$AI$AI$MPI$OFFLINEK$PWD$Unknow
API String ID: 994098336-2744674293
Opcode ID: 9eba81f8e67a9dabaeb5076a6d0005a8d272465a03f2cd78ec5fdf0e8a578f9a
Instruction ID: 2241c7d72abfc068c3e0d2a9a226d44f5f768712d3663902469fbf0e50918cf5
Opcode Fuzzy Hash: E81159DA27FED40AF533B93074417C781661B2B62CE5C53A24E3B38580DE83406A7F06
Instruction Fuzzy Hash: 2241c7d72abfc068c3e0d2a9a226d44f5f768712d3663902469fbf0e50918cf5

APIs

CreateThread.KERNEL32(00000000,00000000,00482028,00000000,00000000,00499F94), ref: 0047EB8D
GetMessageA.USER32(00499F5C,00000000,00000000,00000000), ref: 0047ECBF

Part of subcall function 0040BC98: GetLocalTime.KERNEL32(?), ref: 0040BCA0

Part of subcall function 0040BCC4: GetLocalTime.KERNEL32(?), ref: 0040BCCC

Part of subcall function 0041FA34: GetLastError.KERNEL32(00486514,00000004,0048650C,00000000,0041FADE,?,00499F5C), ref: 0041FA94

Part of subcall function 0041FC40: SetThreadPriority.KERNEL32(?,015CDB28,00499F5C,?,0047EC9E,?,?,?,00000000,00000000,?,0049062B), ref: 0041FC55

Part of subcall function 0041FEF0: ResumeThread.KERNEL32(?,00499F5C,?,0047ECAA,?,?,?,00000000,00000000,?,0049062B), ref: 0041FEF8

TranslateMessage.USER32(00499F5C), ref: 0047ECAD
DispatchMessageA.USER32(00499F5C), ref: 0047ECB3

Strings

OFFLINEK, xrefs: 0047EB61
,xI, xrefs: 0047EC45
AI, xrefs: 0047EB11, 0047EB3E
at , xrefs: 0047EC58
Unknow, xrefs: 0047EC0B
AI, xrefs: 0047EBFA, 0047EC04, 0047EC60
MPI, xrefs: 0047EB9D
PWD, xrefs: 0047EB26

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004458CC, Relevance: 19.9, APIs: 13, Instructions: 386 Total matches: 159window

Similarity

Total matches: 159
API ID: SetFocus$GetFocusIsWindowEnabledPostMessage$GetLastActivePopupIsWindowVisibleSendMessage
String ID:
API String ID: 914620548-0
Opcode ID: 7a550bb8e8bdfffe0a3d884064dd1348bcd58c670023c5df15e5d4cbc78359b7
Instruction ID: ae7cdb1027d949e36366800a998b34cbf022b374fa511ef6be9943eb0d4292bd
Opcode Fuzzy Hash: 79518B4165DF6212E8BB908076A3BE6604BF7C6B9ECC8DF3411D53649B3F44620EE306
Instruction Fuzzy Hash: ae7cdb1027d949e36366800a998b34cbf022b374fa511ef6be9943eb0d4292bd

APIs

Part of subcall function 00445780: SetThreadLocale.KERNEL32(00000400,?,?,?,0044593F,00000000,00445F57), ref: 004457A3

Part of subcall function 00445F90: SetActiveWindow.USER32(?), ref: 00445FB5
Part of subcall function 00445F90: IsWindowEnabled.USER32(00000000), ref: 00445FE1
Part of subcall function 00445F90: SetWindowPos.USER32(?,00000000,00000000,00000000,?,00000000,00000040), ref: 0044602B
Part of subcall function 00445F90: DefWindowProcA.USER32(?,00000112,0000F020,00000000), ref: 00446040

Part of subcall function 00446070: SetActiveWindow.USER32(?), ref: 0044608F
Part of subcall function 00446070: ShowWindow.USER32(00000000,00000009), ref: 004460B4
Part of subcall function 00446070: IsWindowEnabled.USER32(00000000), ref: 004460D3
Part of subcall function 00446070: DefWindowProcA.USER32(?,00000112,0000F120,00000000), ref: 004460EC
Part of subcall function 00446070: SetWindowPos.USER32(?,00000000,00000000,?,?,00445ABE,00000000), ref: 00446132
Part of subcall function 00446070: SetFocus.USER32(00000000), ref: 00446180

Part of subcall function 00445F74: LoadIconA.USER32(00000000,00007F00), ref: 00445F8A

PostMessageA.USER32(?,0000B001,00000000,00000000), ref: 00445BCD

Part of subcall function 00445490: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000213), ref: 004454DE

PostMessageA.USER32(?,0000B000,00000000,00000000), ref: 00445BAB
SendMessageA.USER32(?,?,?,?), ref: 00445C73

Part of subcall function 00405388: FreeLibrary.KERNEL32(00400000,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405410
Part of subcall function 00405388: ExitProcess.KERNEL32(00000000,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405448

Part of subcall function 0044641C: IsWindowEnabled.USER32(00000000), ref: 00446458

IsWindowEnabled.USER32(00000000), ref: 00445D18
IsWindowVisible.USER32(00000000), ref: 00445D2D
GetFocus.USER32 ref: 00445D41
SetFocus.USER32(00000000), ref: 00445D50
SetFocus.USER32(00000000), ref: 00445D6F
IsWindowEnabled.USER32(00000000), ref: 00445DD0
SetFocus.USER32(00000000), ref: 00445DF2
GetLastActivePopup.USER32(?), ref: 00445E0A

Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773

GetFocus.USER32 ref: 00445E4F

Part of subcall function 0043BA80: GetCurrentThreadId.KERNEL32(Function_0003BA1C,00000000,0044283C,00000000,004428BF), ref: 0043BA9A
Part of subcall function 0043BA80: EnumThreadWindows.USER32(00000000,Function_0003BA1C,00000000), ref: 0043BAA0

SetFocus.USER32(00000000), ref: 00445E70

Part of subcall function 00446A88: PostMessageA.USER32(?,0000B01F,00000000,00000000), ref: 00446BA1

Part of subcall function 004466B8: SendMessageA.USER32(?,0000B020,00000001,?), ref: 004466DC

Part of subcall function 0044665C: SendMessageA.USER32(?,0000B020,00000000,?), ref: 0044667E

Part of subcall function 0045D684: SystemParametersInfoA.USER32(00000068,00000000,015E3408,00000000), ref: 0045D6C8
Part of subcall function 0045D684: SendMessageA.USER32(?,?,00000000,00000000), ref: 0045D6DB

Part of subcall function 00445844: DefWindowProcA.USER32(?,?,?,?), ref: 0044586E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048B908, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 138 Total matches: 28

Similarity

Total matches: 28
API ID: GetTokenInformation$CloseHandleGetCurrentProcessOpenProcessToken
String ID: Default$Full$Limited$unknow
API String ID: 3519712506-3005279702
Opcode ID: c9e83fe5ef618880897256b557ce500f1bf5ac68e7136ff2dc4328b35d11ffd0
Instruction ID: 0b4c06dab34d27ad9d68d80be0f4d698db9405c4a95def130c1ac261927f5781
Opcode Fuzzy Hash: 94012245479DA6FB6826709C78036E90090EEA3505DC827320F1A3EA430F49906DFE03
Instruction Fuzzy Hash: 0b4c06dab34d27ad9d68d80be0f4d698db9405c4a95def130c1ac261927f5781

APIs

GetCurrentProcess.KERNEL32(00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B93E
OpenProcessToken.ADVAPI32(00000000,00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B944
GetTokenInformation.ADVAPI32(?,00000012(TokenIntegrityLevel),?,00000004,?,00000000,0048BA30,?,00000000,00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B96F
GetTokenInformation.ADVAPI32(?,00000014(TokenIntegrityLevel),?,00000004,?,?,TokenIntegrityLevel,?,00000004,?,00000000,0048BA30,?,00000000,00000008,?), ref: 0048B9DF
CloseHandle.KERNEL32(?), ref: 0048BA2A

Strings

unknow, xrefs: 0048B9B6
Limited, xrefs: 0048B9A7
Default, xrefs: 0048B989
Full, xrefs: 0048B998

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004035C4, Relevance: 15.1, APIs: 10, Instructions: 129 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: d538ecb20819965be69077a828496b76d5af3486dd71f6717b9dc933de35fdbc
Instruction ID: c976212507a0127e09b4f1878ff8970bdbefa7b4a5e526d5fabf74a192684bc9
Opcode Fuzzy Hash: DD012BC0B7E89268E42FAB84AA00FD25444979FFC9E70C74433C9615EE6742616CBE09
Instruction Fuzzy Hash: c976212507a0127e09b4f1878ff8970bdbefa7b4a5e526d5fabf74a192684bc9

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040364C
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00403670
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040368C
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 004036AD
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 004036D6
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 004036E4
GetStdHandle.KERNEL32(000000F5), ref: 0040371F
GetFileType.KERNEL32 ref: 00403735
CloseHandle.KERNEL32 ref: 00403750
GetLastError.KERNEL32(000000F5), ref: 00403768

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040EBCC, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201 Total matches: 3634thread

Similarity

Total matches: 3634
API ID: GetThreadLocale
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 1366207816-2493093252
Opcode ID: 01a36ac411dc2f0c4b9eddfafa1dc6121dabec367388c2cb1b6e664117e908cf
Instruction ID: d03f869ccb848d3c28b0e9f5c57a02ed4726818649ba9b5e70cc30c7e7abe10a
Opcode Fuzzy Hash: 7E216E09A7888936D262494C3885B9414F75F1A161EC4CBF18BB2757ED6EC60422FBFB
Instruction Fuzzy Hash: d03f869ccb848d3c28b0e9f5c57a02ed4726818649ba9b5e70cc30c7e7abe10a

APIs

Part of subcall function 0040EB08: GetThreadLocale.KERNEL32 ref: 0040EB2A
Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000004A), ref: 0040EB7D
Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000002A), ref: 0040EB8C

Part of subcall function 0040D3E8: GetThreadLocale.KERNEL32(00000000,0040D4FB,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040D404

GetThreadLocale.KERNEL32(00000000,0040EE97,?,?,00000000,00000000), ref: 0040EC02

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Part of subcall function 0040D380: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040EC7E,00000000,0040EE97,?,?,00000000,00000000), ref: 0040D393

Part of subcall function 0040D670: GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(?,00000000,0040D657,?,?,00000000), ref: 0040D5D8
Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040D657,?,?,00000000), ref: 0040D608
Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D50C,00000000,00000000,00000004), ref: 0040D613
Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040D657,?,?,00000000), ref: 0040D631
Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D548,00000000,00000000,00000003), ref: 0040D63C

Strings

AMPM , xrefs: 0040EE25
mmmm d, yyyy, xrefs: 0040ECFE
m/d/yy, xrefs: 0040ECD1
:mm, xrefs: 0040EE35
:mm:ss, xrefs: 0040EE52
AMPM, xrefs: 0040EE16

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045F5F8, Relevance: 10.6, APIs: 7, Instructions: 117 Total matches: 462file

Similarity

Total matches: 462
API ID: CloseHandle$CreateFileCreateFileMappingGetFileSizeMapViewOfFileUnmapViewOfFile
String ID:
API String ID: 4232242029-0
Opcode ID: 30b260463d44c6b5450ee73c488d4c98762007a87f67d167b52aaf6bd441c3bf
Instruction ID: 5c790fdba87d6d3a28b45298bdc34f72c373fcd78425af207109af52e92f4d8f
Opcode Fuzzy Hash: 68F028440BCCF3A7F4B5B64820427A1004AAB46B58D54BFA25495374CB89C9B04DFB53
Instruction Fuzzy Hash: 5c790fdba87d6d3a28b45298bdc34f72c373fcd78425af207109af52e92f4d8f

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateFileA.KERNEL32(00000000,80000000,00000003,00000000,00000003,08000080,00000000), ref: 0045F637
CreateFileMappingA.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0045F665
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718,?,?,?,?), ref: 0045F691
GetFileSize.KERNEL32(000000FF,00000000,00000000,0045F6DC,?,00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718), ref: 0045F6B3
UnmapViewOfFile.KERNEL32(00000000,0045F6E3,0045F6DC,?,00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718), ref: 0045F6D6
CloseHandle.KERNEL32(00000000), ref: 0045F6F4
CloseHandle.KERNEL32(000000FF), ref: 0045F712

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AFE8, Relevance: 10.6, APIs: 7, Instructions: 94 Total matches: 34sleep

Similarity

Total matches: 34
API ID: Sleep$GetCurrentProcessGetTokenInformationLookupPrivilegeDisplayNameLookupPrivilegeNameOpenProcessToken
String ID:
API String ID: 2949210484-0
Opcode ID: 1294ace95088db967643d611283e857756515b83d680ef470e886f47612abab4
Instruction ID: 080af5cb768fd98714a9d060fcd45c73de1816ca9ba7ffb4874f351f539571ee
Opcode Fuzzy Hash: F9F0F6524B5DE753F65D2A4C9893BE90250DB03424E806B22857877A8A5E195039FA2A
Instruction Fuzzy Hash: 080af5cb768fd98714a9d060fcd45c73de1816ca9ba7ffb4874f351f539571ee

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048B0F3), ref: 0048B016
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048B0F3), ref: 0048B01C
Sleep.KERNEL32(00000001,00000000,00000028,?,00000000,0048B0F3), ref: 0048B027
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B03C
Sleep.KERNEL32(00000001,?,TokenIntegrityLevel,00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B047
LookupPrivilegeNameA.ADVAPI32(00000000,00000004,00000000,000000FF), ref: 0048B094
LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,?,000000FF,?), ref: 0048B0A8

Part of subcall function 0048AEA8: GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AEFF
Part of subcall function 0048AEA8: OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF05
Part of subcall function 0048AEA8: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
Part of subcall function 0048AEA8: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000), ref: 0048AF77
Part of subcall function 0048AEA8: CloseHandle.KERNEL32(?), ref: 0048AF8D
Part of subcall function 0048AEA8: GetLastError.KERNEL32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF9A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048F888, Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 110 Total matches: 18

Similarity

Total matches: 18
API ID: CoInitialize
String ID: .dcp$DCDATA$GENCODE$MPI$NETDATA
API String ID: 2346599605-3060965071
Opcode ID: 5b2698c0d83cdaee763fcf6fdf8d4463e192853437356cece5346bd183c87f4d
Instruction ID: bf1364519f653df7cd18a9a38ec8bfca38719d83700d8c9dcdc44dde4d16a583
Opcode Fuzzy Hash: 990190478FEEC01AF2139D64387B7C100994F53F55E840B9B557D3E5A08947502BB705
Instruction Fuzzy Hash: bf1364519f653df7cd18a9a38ec8bfca38719d83700d8c9dcdc44dde4d16a583

APIs

Part of subcall function 004076D4: GetModuleHandleA.KERNEL32(00000000,?,0048F8A5,?,?,?,0000002F,00000000,00000000), ref: 004076E0

CoInitialize.OLE32(00000000), ref: 0048F8B5

Part of subcall function 0048AFE8: GetCurrentProcess.KERNEL32(00000028,?,00000000,0048B0F3), ref: 0048B016
Part of subcall function 0048AFE8: OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048B0F3), ref: 0048B01C
Part of subcall function 0048AFE8: Sleep.KERNEL32(00000001,00000000,00000028,?,00000000,0048B0F3), ref: 0048B027
Part of subcall function 0048AFE8: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B03C
Part of subcall function 0048AFE8: Sleep.KERNEL32(00000001,?,TokenIntegrityLevel,00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B047
Part of subcall function 0048AFE8: LookupPrivilegeNameA.ADVAPI32(00000000,00000004,00000000,000000FF), ref: 0048B094
Part of subcall function 0048AFE8: LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,?,000000FF,?), ref: 0048B0A8

Part of subcall function 0040F234: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0048F90F,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040F24B

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

Strings

.dcp, xrefs: 0048F92D, 0048F989
DCDATA, xrefs: 0048F8E9
NETDATA, xrefs: 0048F9B6
MPI, xrefs: 0048F8BA
GENCODE, xrefs: 0048F920, 0048F97C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B47C, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58 Total matches: 283

Similarity

Total matches: 283
API ID: MulDiv
String ID: MS Shell Dlg 2$SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes$Tahoma
API String ID: 940359406-1011973972
Opcode ID: 9f338f1e3de2c8e95426f3758bdd42744a67dcd51be80453ed6f2017c850a3af
Instruction ID: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a
Opcode Fuzzy Hash: EDE0680017C8F0ABFC32BC8A30A17CD20C9F341270C0063B1065D3D8CAAB4AC018E907
Instruction Fuzzy Hash: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a

APIs

MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0042B4A2

Part of subcall function 004217A0: RegCloseKey.ADVAPI32(10940000,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5,?,00000000,0048B2DD), ref: 004217B4

Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421A81
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421AF1
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?), ref: 00421B5C

Part of subcall function 00421770: RegFlushKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 00421781
Part of subcall function 00421770: RegCloseKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 0042178A

Part of subcall function 0042B438: GetDC.USER32(00000000), ref: 0042B441
Part of subcall function 0042B438: SelectObject.GDI32(00000000,018A002E), ref: 0042B453
Part of subcall function 0042B438: GetTextMetricsA.GDI32(00000000), ref: 0042B45E
Part of subcall function 0042B438: ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes, xrefs: 0042B4F8
MS Shell Dlg 2, xrefs: 0042B50C
Tahoma, xrefs: 0042B4C4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00480F70, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43 Total matches: 13

Similarity

Total matches: 13
API ID: GetForegroundWindowGetWindowTextGetWindowTextLength
String ID: 3 H
API String ID: 3098183346-888106971
Opcode ID: 38df64794ac19d1a41c58ddb3103a8d6ab7d810f67298610b47d21a238081d5e
Instruction ID: fd1deb06fecc2756381cd848e34cdb6bc2d530e728f99936ce181bacb4a15fce
Opcode Fuzzy Hash: 41D0A785074A821B944A95CC64011E692D4A171281D803B31CB257A5C9ED06001FA82B
Instruction Fuzzy Hash: fd1deb06fecc2756381cd848e34cdb6bc2d530e728f99936ce181bacb4a15fce

APIs

GetForegroundWindow.USER32 ref: 00480F8F
GetWindowTextLengthA.USER32(00000000), ref: 00480F9B
GetWindowTextA.USER32(00000000,00000000,00000001), ref: 00480FB8

Strings

3 H, xrefs: 00480FD4, 00480FA3, 00480FAE, 00480FBF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00421808, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74 Total matches: 14registry

Similarity

Total matches: 14
API ID: RegCloseKeyRegCreateKeyEx
String ID: ddA
API String ID: 4178925417-2966775115
Opcode ID: 48d059bb8e84bc3192dc11d099b9e0818b120cb04e32a6abfd9049538a466001
Instruction ID: bcac8fa413c5abe8057b39d2fbf4054ffa52545f664d92bf1e259ce37bb87d2b
Opcode Fuzzy Hash: 99E0E5461A86A377B41BB1583001B523267EB167A6C85AB72164D3EADBAA40802DAE53
Instruction Fuzzy Hash: bcac8fa413c5abe8057b39d2fbf4054ffa52545f664d92bf1e259ce37bb87d2b

APIs

RegCreateKeyExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,000F003F,00000000,?,?,00000000,004218D4,?,?,?,00000000), ref: 0042187F
RegCloseKey.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,000F003F,00000000,?,?,00000000,004218D4,?,?,?,00000000), ref: 00421893

Strings

ddA, xrefs: 004218A7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486374, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66 Total matches: 15network

Similarity

Total matches: 15
API ID: send
String ID: #KEEPALIVE#$AI
API String ID: 2809346765-3407633610
Opcode ID: 7bd268bc54a74c8d262fb2d4f92eedc3231c4863c0e0b1ad2c3d318767d32110
Instruction ID: 49a0c3b4463e99ba8d4a2c6ba6a42864ce88c18c059a57f1afd8745127692009
Opcode Fuzzy Hash: 34E068800B79C40B586BB094394371320D2EE1171988473305F003F967CD40501E2E93
Instruction Fuzzy Hash: 49a0c3b4463e99ba8d4a2c6ba6a42864ce88c18c059a57f1afd8745127692009

APIs

send.WSOCK32(?,?,?,00000000,00000000,0048642A), ref: 004863F3

Strings

AI, xrefs: 004863A6
#KEEPALIVE#, xrefs: 00486399

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DD0C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51 Total matches: 15

Similarity

Total matches: 15
API ID: GlobalMemoryStatus
String ID: $%d%
API String ID: 1890195054-1553997471
Opcode ID: b93ee82e74eb3fdc7cf13e02b5efcaa0aef25b4b863b00f7ccdd0b9efdff76e6
Instruction ID: fe5533f6b2d125ff6ee6e2ff500c73019a28ed325643b914abb945f4eac8f20d
Opcode Fuzzy Hash: 64D05BD70F99F457A5A1718E3452FA400956F036D9CC83BB349946E99F071F80ACF612
Instruction Fuzzy Hash: fe5533f6b2d125ff6ee6e2ff500c73019a28ed325643b914abb945f4eac8f20d

APIs

GlobalMemoryStatus.KERNEL32(00000020), ref: 0048DD44

Strings

%d%, xrefs: 0048DD5C
, xrefs: 0048DD39

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482028, Relevance: 4.5, APIs: 3, Instructions: 19 Total matches: 124window

Similarity

Total matches: 124
API ID: DispatchMessageGetMessageTranslateMessage
String ID:
API String ID: 238847732-0
Opcode ID: 2bc29e822e5a19ca43f9056ef731e5d255ca23f22894fa6ffe39914f176e67d0
Instruction ID: 3635f244085e73605198e4edd337f824154064b4cabe78c039b45d2f1f3269be
Opcode Fuzzy Hash: A9B0120F8141E01F254D19651413380B5D379C3120E515B604E2340284D19031C97C49
Instruction Fuzzy Hash: 3635f244085e73605198e4edd337f824154064b4cabe78c039b45d2f1f3269be

APIs

Part of subcall function 00481ED8: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00482007,?,?,00000003,00000000,00000000,?,00482033), ref: 00481EFB
Part of subcall function 00481ED8: SetWindowsHookExA.USER32(0000000D,004818F8,00000000,00000000), ref: 00481F09

TranslateMessage.USER32 ref: 00482036
DispatchMessageA.USER32 ref: 0048203C
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00482048

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C91C, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 75 Total matches: 20

Similarity

Total matches: 20
API ID: GetVolumeInformation
String ID: %.4x:%.4x
API String ID: 1114431059-3532927987
Opcode ID: 208ca3ebf28c5cea15b573a569a7b8c9d147c1ff64dfac4d15af7b461a718bc8
Instruction ID: 4ae5e3aba91ec141201c4859cc19818ff8a02ee484ece83311eb3b9305c11bcf
Opcode Fuzzy Hash: F8E0E5410AC961EBB4D3F0883543BA2319593A3289C807B73B7467FDD64F05505DD847
Instruction Fuzzy Hash: 4ae5e3aba91ec141201c4859cc19818ff8a02ee484ece83311eb3b9305c11bcf

APIs

GetVolumeInformationA.KERNEL32(00000000,00000000,00000104,?,?,?,00000000,00000104), ref: 0048C974

Strings

%.4x:%.4x, xrefs: 0048C9B9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Similar Non-Executed Functions

Function 0048B42C, Relevance: 70.2, APIs: 32, Strings: 8, Instructions: 219 Total matches: 29keyboard

Similarity

Total matches: 29
API ID: keybd_event
String ID: CTRLA$CTRLC$CTRLF$CTRLP$CTRLV$CTRLX$CTRLY$CTRLZ
API String ID: 2665452162-853614746
Opcode ID: 4def22f753c7f563c1d721fcc218f3f6eb664e5370ee48361dbc989d32d74133
Instruction ID: 963b610819eac8b52ef880b5a8b69d76f76adbdeafee6c47af906d1515d6b099
Opcode Fuzzy Hash: 532196951B0CA2B978DA64817C0E195F00B969B34DEDC13128990DAF788EF08DE03F35
Instruction Fuzzy Hash: 963b610819eac8b52ef880b5a8b69d76f76adbdeafee6c47af906d1515d6b099

APIs

keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B460
keybd_event.USER32(00000041,00000045,00000001,00000000), ref: 0048B46D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B47A
keybd_event.USER32(00000041,00000045,00000003,00000000), ref: 0048B487
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B4A8
keybd_event.USER32(00000056,00000045,00000001,00000000), ref: 0048B4B5
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B4C2
keybd_event.USER32(00000056,00000045,00000003,00000000), ref: 0048B4CF
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B4F0
keybd_event.USER32(00000043,00000045,00000001,00000000), ref: 0048B4FD
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B50A
keybd_event.USER32(00000043,00000045,00000003,00000000), ref: 0048B517
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B538
keybd_event.USER32(00000058,00000045,00000001,00000000), ref: 0048B545
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B552
keybd_event.USER32(00000058,00000045,00000003,00000000), ref: 0048B55F
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B580
keybd_event.USER32(00000050,00000045,00000001,00000000), ref: 0048B58D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B59A
keybd_event.USER32(00000050,00000045,00000003,00000000), ref: 0048B5A7
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B5C8
keybd_event.USER32(0000005A,00000045,00000001,00000000), ref: 0048B5D5
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B5E2
keybd_event.USER32(0000005A,00000045,00000003,00000000), ref: 0048B5EF
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B610
keybd_event.USER32(00000059,00000045,00000001,00000000), ref: 0048B61D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B62A
keybd_event.USER32(00000059,00000045,00000003,00000000), ref: 0048B637
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B655
keybd_event.USER32(00000046,00000045,00000001,00000000), ref: 0048B662
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B66F
keybd_event.USER32(00000046,00000045,00000003,00000000), ref: 0048B67C

Strings

CTRLP, xrefs: 0048B56C
CTRLC, xrefs: 0048B4DC
CTRLV, xrefs: 0048B494
CTRLY, xrefs: 0048B5FC
CTRLF, xrefs: 0048B641
CTRLZ, xrefs: 0048B5B4
CTRLX, xrefs: 0048B524
CTRLA, xrefs: 0048B44C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00460AC0, Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99 Total matches: 300libraryloader

Similarity

Total matches: 300
API ID: GetProcAddress$GetModuleHandle
String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$[FILE]
API String ID: 1039376941-2682310058
Opcode ID: f09c306a48b0de2dd47c8210d3bd2ba449cfa3644c05cf78ba5a2ace6c780295
Instruction ID: bcfc9cd07546656776842482fc67dab96c7523a4dc8624f3bf5282ed84c56a54
Opcode Fuzzy Hash: 950151BF00AC158CCBB0CE8834EFB5324AB398984C4225F4495C6312393D9FF50A1AAA
Instruction Fuzzy Hash: bcfc9cd07546656776842482fc67dab96c7523a4dc8624f3bf5282ed84c56a54

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?,?,?), ref: 00460AD4
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?,?,?), ref: 00460AEC
GetProcAddress.KERNEL32(00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?), ref: 00460AFE
GetProcAddress.KERNEL32(00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E), ref: 00460B10
GetProcAddress.KERNEL32(00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5), ref: 00460B22
GetProcAddress.KERNEL32(00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5), ref: 00460B34
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000), ref: 00460B46
GetProcAddress.KERNEL32(00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002), ref: 00460B58
GetProcAddress.KERNEL32(00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot), ref: 00460B6A
GetProcAddress.KERNEL32(00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst), ref: 00460B7C
GetProcAddress.KERNEL32(00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext), ref: 00460B8E
GetProcAddress.KERNEL32(00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First), ref: 00460BA0
GetProcAddress.KERNEL32(00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next), ref: 00460BB2
GetProcAddress.KERNEL32(00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory), ref: 00460BC4
GetProcAddress.KERNEL32(00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First), ref: 00460BD6
GetProcAddress.KERNEL32(00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next), ref: 00460BE8
GetProcAddress.KERNEL32(00000000,Module32NextW,00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW), ref: 00460BFA

Strings

Toolhelp32ReadProcessMemory, xrefs: 00460B3E
CreateToolhelp32Snapshot, xrefs: 00460AE4
Heap32First, xrefs: 00460B1A
Thread32First, xrefs: 00460B98
Module32First, xrefs: 00460BBC
Process32FirstW, xrefs: 00460B74
Heap32Next, xrefs: 00460B2C
Process32First, xrefs: 00460B50
Module32Next, xrefs: 00460BCE
Module32NextW, xrefs: 00460BF2
Heap32ListFirst, xrefs: 00460AF6
Thread32Next, xrefs: 00460BAA
Module32FirstW, xrefs: 00460BE0
Heap32ListNext, xrefs: 00460B08
Process32NextW, xrefs: 00460B86
kernel32.dll, xrefs: 00460ACF
Process32Next, xrefs: 00460B62

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428B08, Relevance: 48.5, APIs: 32, Instructions: 500 Total matches: 1987window

Similarity

Total matches: 1987
API ID: SelectObject$SelectPalette$CreateCompatibleDCGetDIBitsGetDeviceCapsRealizePaletteSetBkColorSetTextColor$BitBltCreateBitmapCreateCompatibleBitmapCreateDIBSectionDeleteDCFillRectGetDCGetDIBColorTableGetObjectPatBltSetDIBColorTable
String ID:
API String ID: 3042800676-0
Opcode ID: b8b687cee1c9a2d9d2f26bc490dbdcc6ec68fc2f2ec1aa58312beb2e349b1411
Instruction ID: ff68489d249ea03a763d48795c58495ac11dd1cccf96ec934182865f2a9e2114
Opcode Fuzzy Hash: E051494D0D8CF5C7B4BF29880993F5211816F83A27D2AB7130975677FB8A05A05BF21D
Instruction Fuzzy Hash: ff68489d249ea03a763d48795c58495ac11dd1cccf96ec934182865f2a9e2114

APIs

GetObjectA.GDI32(00000000,00000054,?), ref: 00428B88
GetDC.USER32(00000000), ref: 00428B99
CreateCompatibleDC.GDI32(00000000), ref: 00428BAA
CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 00428BF6
CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 00428C1A
GetDeviceCaps.GDI32(00000028,0000000C), ref: 00428C6A
GetDeviceCaps.GDI32(00000028,0000000E), ref: 00428C77
SelectObject.GDI32(?,?), ref: 00428D7F

Part of subcall function 004262B4: GetObjectA.GDI32(?,00000004), ref: 004262CB
Part of subcall function 004262B4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 004262EE

SelectObject.GDI32(?,00000000), ref: 00428D21
GetDIBColorTable.GDI32(?,00000000,00000100,-00000027), ref: 00428D47
GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428D72
CreateDIBSection.GDI32(00000028,00000001,00000000,00000003,00000000,00000000), ref: 00428DD5
GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428E36

Part of subcall function 00425A70: GetLastError.KERNEL32(00000000,00425B0C), ref: 00425A90
Part of subcall function 00425A70: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00425B0C), ref: 00425AB6

SelectObject.GDI32(?,?), ref: 00428E77
SelectPalette.GDI32(?,00000000,00000000), ref: 00428EB7
RealizePalette.GDI32(?), ref: 00428EC3
SelectPalette.GDI32(?,?,000000FF), ref: 004290CE

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?,00000000), ref: 00428F14
SetTextColor.GDI32(?,00000000), ref: 00428F2C
SetBkColor.GDI32(?,00000000), ref: 00428F46
SetDIBColorTable.GDI32(?,00000000,00000002,?), ref: 00428F8E
PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 00428FB0
CreateCompatibleDC.GDI32(00000028), ref: 00428FC3
SelectObject.GDI32(?,00000000), ref: 00428FE6
SelectPalette.GDI32(?,00000000,00000000), ref: 00429002
RealizePalette.GDI32(?), ref: 0042900D
DeleteDC.GDI32(?), ref: 004290A4

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetTextColor.GDI32(?,00000000), ref: 0042902B
SetBkColor.GDI32(?,00000000), ref: 00429045
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042906D
SelectPalette.GDI32(?,00000000,000000FF), ref: 0042907F
SelectObject.GDI32(?,00000000), ref: 00429089

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00458910, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64 Total matches: 3020window

Similarity

Total matches: 3020
API ID: GetWindowLongScreenToClient$GetWindowPlacementGetWindowRectIsIconic
String ID: ,
API String ID: 816554555-3772416878
Opcode ID: 33713ad712eb987f005f3c933c072ce84ce87073303cb20338137d5b66c4d54f
Instruction ID: 99fb2dd3f2d8984d329dcc6a20dc6bc7800d43894b91fc45d581d88d3a180e50
Opcode Fuzzy Hash: 34E0929A777C2018C58145A80943F5DB3519B5B7FAC55DF8036902895B110018B1B86D
Instruction Fuzzy Hash: 99fb2dd3f2d8984d329dcc6a20dc6bc7800d43894b91fc45d581d88d3a180e50

APIs

IsIconic.USER32(?), ref: 0045891F
GetWindowPlacement.USER32(?,0000002C), ref: 0045893C
GetWindowRect.USER32(?), ref: 00458955
GetWindowLongA.USER32(?,000000F0), ref: 00458963
GetWindowLongA.USER32(?,000000F8), ref: 00458978
ScreenToClient.USER32(00000000), ref: 00458985
ScreenToClient.USER32(00000000,?), ref: 00458990

Strings

,, xrefs: 00458928

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043B7D8, Relevance: 12.1, APIs: 8, Instructions: 72 Total matches: 256window

Similarity

Total matches: 256
API ID: ShowWindow$SetWindowLong$GetWindowLongIsIconicIsWindowVisible
String ID:
API String ID: 1329766111-0
Opcode ID: 851ee31c2da1c7e890e66181f8fd9237c67ccb8fd941b2d55d1428457ca3ad95
Instruction ID: 2d601e2c9dde570a1438639cb57e59d23a7ac9434ebe8ec1c9926e4533b8e8e7
Opcode Fuzzy Hash: FEE0684A6E7C6CE4E26AE7048881B00514BE307A17DC00B00C722165A69E8830E4AC8E
Instruction Fuzzy Hash: 2d601e2c9dde570a1438639cb57e59d23a7ac9434ebe8ec1c9926e4533b8e8e7

APIs

GetWindowLongA.USER32(?,000000EC), ref: 0043B7E8
IsIconic.USER32(?), ref: 0043B800
IsWindowVisible.USER32(?), ref: 0043B80C
ShowWindow.USER32(?,00000000), ref: 0043B840
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B855
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B866
ShowWindow.USER32(?,00000006), ref: 0043B881
ShowWindow.USER32(?,00000005), ref: 0043B88B

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004389B4, Relevance: 10.9, APIs: 7, Instructions: 405 Total matches: 2150windowCrypto

Similarity

Total matches: 2150
API ID: RestoreDCSaveDC$DefWindowProcGetSubMenuGetWindowDC
String ID:
API String ID: 4165311318-0
Opcode ID: e3974ea3235f2bde98e421c273a503296059dbd60f3116d5136c6e7e7c4a4110
Instruction ID: 37498faecac08611daeb58a409bdd2e28f3aff22c71556953c3d6c7203dc42a1
Opcode Fuzzy Hash: E351598106AE105BFCB3A49435C3FA31002E75259BCC9F7725F65B69F70A426107FA0E
Instruction Fuzzy Hash: 37498faecac08611daeb58a409bdd2e28f3aff22c71556953c3d6c7203dc42a1

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 00438ECA

Part of subcall function 00437AE0: SendMessageA.USER32(?,00000234,00000000,00000000), ref: 00437B66
Part of subcall function 00437AE0: DrawMenuBar.USER32(00000000), ref: 00437B77

GetSubMenu.USER32(?,?), ref: 00438AB0

Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128

SaveDC.GDI32(?), ref: 00438C84
RestoreDC.GDI32(?,?), ref: 00438CF8
GetWindowDC.USER32(?), ref: 00438D72
SaveDC.GDI32(?), ref: 00438DA9
RestoreDC.GDI32(?,?), ref: 00438E16

Part of subcall function 00438594: GetMenuItemCount.USER32(?), ref: 004385C0
Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 004385E0
Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 00438678

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043E644, Relevance: 10.9, APIs: 7, Instructions: 356 Total matches: 105windowCrypto

Similarity

Total matches: 105
API ID: RestoreDCSaveDC$GetParentGetWindowDCSetFocus
String ID:
API String ID: 1433148327-0
Opcode ID: c7c51054c34f8cc51c1d37cc0cdfc3fb3cac56433bd5d750a0ee7df42f9800ec
Instruction ID: 9e67841575b56d9a11e2d3f15b67e7abce699d8469a9871b1b2609441fc85f19
Opcode Fuzzy Hash: 60514740199E7193F47720842BC3BEAB09AF79671DC40F3616BC6318877F15A21AB70B
Instruction Fuzzy Hash: 9e67841575b56d9a11e2d3f15b67e7abce699d8469a9871b1b2609441fc85f19

APIs

Part of subcall function 00448224: SetActiveWindow.USER32(?), ref: 0044823F
Part of subcall function 00448224: SetFocus.USER32(00000000), ref: 00448289

SetFocus.USER32(00000000), ref: 0043E76F

Part of subcall function 0043F4F4: SendMessageA.USER32(00000000,00000229,00000000,00000000), ref: 0043F51B

Part of subcall function 0044D2F4: GetWindowThreadProcessId.USER32(?), ref: 0044D301
Part of subcall function 0044D2F4: GetCurrentProcessId.KERNEL32(?,00000000,?,004387ED,?,004378A9), ref: 0044D30A
Part of subcall function 0044D2F4: GlobalFindAtomA.KERNEL32(00000000), ref: 0044D31F
Part of subcall function 0044D2F4: GetPropA.USER32(?,00000000), ref: 0044D336

GetParent.USER32(?), ref: 0043E78A

Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128

SaveDC.GDI32(?), ref: 0043E92D
RestoreDC.GDI32(?,?), ref: 0043E99E
GetWindowDC.USER32(00000000), ref: 0043EA0A
SaveDC.GDI32(?), ref: 0043EA41
RestoreDC.GDI32(?,?), ref: 0043EAA5

Part of subcall function 00447EF0: InvalidateRect.USER32(00000000,00000000,000000FF), ref: 00447F83
Part of subcall function 00447EF0: InvalidateRect.USER32(00000000,00000000,000000FF), ref: 00447FB6

Part of subcall function 004556F4: SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000077), ref: 004557E5
Part of subcall function 004556F4: _TrackMouseEvent.COMCTL32(00000010), ref: 00455A9D
Part of subcall function 004556F4: DefWindowProcA.USER32(00000000,?,?,?), ref: 00455AEF
Part of subcall function 004556F4: GetCapture.USER32 ref: 00455B5A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00471850, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 97 Total matches: 34service

Similarity

Total matches: 34
API ID: CloseServiceHandle$CreateServiceOpenSCManager
String ID: Description$System\CurrentControlSet\Services\
API String ID: 2405299899-3489731058
Opcode ID: 96e252074fe1f6aca618bd4c8be8348df4b99afc93868a54bf7090803d280f0a
Instruction ID: 14b9cf690ce9596509c6229b802a5a61d158de39c8e329de654368bbb4824ff8
Opcode Fuzzy Hash: 7EF09E441FA6E84FA45EB84828533D651465713A78D4C77F19778379C34E84802EF662
Instruction Fuzzy Hash: 14b9cf690ce9596509c6229b802a5a61d158de39c8e329de654368bbb4824ff8

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,00471976,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00471890
CreateServiceA.ADVAPI32(00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,0047193B), ref: 004718D1

Part of subcall function 004711E8: RegCreateKeyA.ADVAPI32(?,00000000,?), ref: 0047122E
Part of subcall function 004711E8: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000002,00000000,?,00000000,00471291), ref: 0047125A
Part of subcall function 004711E8: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000002,00000000,?,00000000,00471291), ref: 00471269

CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00471926
CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0047192C

Strings

Description, xrefs: 00471916
System\CurrentControlSet\Services\, xrefs: 004718F7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004714B8, Relevance: 10.6, APIs: 7, Instructions: 89 Total matches: 71service

Similarity

Total matches: 71
API ID: CloseServiceHandle$ControlServiceOpenSCManagerOpenServiceQueryServiceStatusStartService
String ID:
API String ID: 3657116338-0
Opcode ID: 1e9d444eec48d0e419340f6fec950ff588b94c8e7592a950f99d2ba7664d31f8
Instruction ID: f731b938185626ba78ad74946a73eac4c40bc8709c87a2b6d5c22da45b1e1850
Opcode Fuzzy Hash: EDF0270D12C6E85FF119A88C1181B67D992DF56795E4A37E04715744CB1AE21008FA1E
Instruction Fuzzy Hash: f731b938185626ba78ad74946a73eac4c40bc8709c87a2b6d5c22da45b1e1850

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047159E), ref: 004714FD
OpenServiceA.ADVAPI32(00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047152D
StartServiceA.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471555
ControlService.ADVAPI32(00000000,00000001,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471563
QueryServiceStatus.ADVAPI32(00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047156D
CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471573
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471579

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A070, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51 Total matches: 81shutdown

Similarity

Total matches: 81
API ID: AdjustTokenPrivilegesExitWindowsExGetCurrentProcessLookupPrivilegeValueOpenProcessToken
String ID: SeShutdownPrivilege
API String ID: 907618230-3733053543
Opcode ID: 6325c351eeb4cc5a7ec0039467aea46e8b54e3429b17674810d590d1af91e24f
Instruction ID: 66577e1e564058a64f67eda116e8e082f314cb3670dbe1b8773e92ba7f33d392
Opcode Fuzzy Hash: 84D0124D3B7976B1F31D5D4001C47A6711FDBA322AD61670069507725A8DA091F4BE88
Instruction Fuzzy Hash: 66577e1e564058a64f67eda116e8e082f314cb3670dbe1b8773e92ba7f33d392

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 0048A083
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0048A089
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000000), ref: 0048A0A4
AdjustTokenPrivileges.ADVAPI32(00000002,00000000,00000002,00000010,?,?,00000000), ref: 0048A0E5
ExitWindowsEx.USER32(00000012,00000000), ref: 0048A0ED

Strings

SeShutdownPrivilege, xrefs: 0048A09D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E370, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 46 Total matches: 14window

Similarity

Total matches: 14
API ID: GetWindowPlacementGetWindowRectIsIconic
String ID: MonitorFromWindow$pB
API String ID: 1187573753-2555291889
Opcode ID: b2662cef33c9ce970c581efdfdde34e0c8b40e940518fa378c404c4b73bde14f
Instruction ID: 5a6b2a18135ea14e651d4e6cb58f3d6b41c3321aed1c605d56f3d84144375520
Opcode Fuzzy Hash: E2D0977303280A045DC34844302880B2A322AD3C3188C3FE182332B3D34B8630BCCF1D
Instruction Fuzzy Hash: 5a6b2a18135ea14e651d4e6cb58f3d6b41c3321aed1c605d56f3d84144375520

APIs

IsIconic.USER32(?), ref: 0042E3B9
GetWindowPlacement.USER32(?,?), ref: 0042E3C7
GetWindowRect.USER32(?,?), ref: 0042E3D3

Part of subcall function 0042E2E0: GetSystemMetrics.USER32(00000000), ref: 0042E331
Part of subcall function 0042E2E0: GetSystemMetrics.USER32(00000001), ref: 0042E33D

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

pB, xrefs: 0042E38C, 0042E399, 0042E3A0
MonitorFromWindow, xrefs: 0042E387

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004715B0, Relevance: 7.5, APIs: 5, Instructions: 49 Total matches: 102service

Similarity

Total matches: 102
API ID: CloseServiceHandle$DeleteServiceOpenSCManagerOpenService
String ID:
API String ID: 3460840894-0
Opcode ID: edfa3289dfdb26ec1f91a4a945de349b204e0a604ed3354c303b362bde8b8223
Instruction ID: 514bcffe4070602af344c66095507f6a8d55ec3e3e7bb18c804bf3b7deea95f5
Opcode Fuzzy Hash: 01D02E841BA8F82FD4879988111239360C1AA23A90D8A37F08E08361D3ABE4004CF86A
Instruction Fuzzy Hash: 514bcffe4070602af344c66095507f6a8d55ec3e3e7bb18c804bf3b7deea95f5

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047162F), ref: 004715DB
OpenServiceA.ADVAPI32(00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 004715F5
DeleteService.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471601
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 0047160E
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471614

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00466038, Relevance: 6.1, APIs: 4, Instructions: 80 Total matches: 74memory

Similarity

Total matches: 74
API ID: FreeLibraryGetProcessHeapHeapFreeVirtualFree
String ID:
API String ID: 3842653680-0
Opcode ID: 18c634abe08efcbefc55c9db1d620b030a08f63fe7277eb6ecf1dfb863243027
Instruction ID: c74000fe1f08e302fb3e428a7eb38cba65dd626a731774cc3da5921c0d19fb8b
Opcode Fuzzy Hash: 05E06801058482C6E4EC38C40607F0867817F8B269D70AB2809F62E7F7C985A25D5E80
Instruction Fuzzy Hash: c74000fe1f08e302fb3e428a7eb38cba65dd626a731774cc3da5921c0d19fb8b

APIs

FreeLibrary.KERNEL32(00000000,?,?,00000000,?,00000000,00465C6C), ref: 004660A7
VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,?,00000000,00465C6C), ref: 004660D8
GetProcessHeap.KERNEL32(00000000,?,?,?,00000000,?,00000000,00465C6C), ref: 004660E0
HeapFree.KERNEL32(00000000,00000000,?), ref: 004660E6

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A218, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45 Total matches: 35

Similarity

Total matches: 35
API ID: ShellExecuteEx
String ID: <$runas
API String ID: 188261505-1187129395
Opcode ID: 78fd917f465efea932f782085a819b786d64ecbded851ad2becd4a9c2b295cba
Instruction ID: 699417cfffd9d2823bf050fc300394e0ca4864bf277244f982f3937778f2d3bc
Opcode Fuzzy Hash: 44D0C2651799A06BC4A3B2C03C41B2B25307B13B48C0EB722960034CD38F080009EF85
Instruction Fuzzy Hash: 699417cfffd9d2823bf050fc300394e0ca4864bf277244f982f3937778f2d3bc

APIs

ShellExecuteExA.SHELL32(0000003C,00000000,0048A2A4), ref: 0048A283

Strings

runas, xrefs: 0048A268
<, xrefs: 0048A24C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042F204, Relevance: 166.5, APIs: 48, Strings: 47, Instructions: 266 Total matches: 2590libraryloader

Similarity

Total matches: 2590
API ID: GetProcAddress$LoadLibrary
String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$[FILE]
API String ID: 2209490600-790253602
Opcode ID: d5b316937265a1d63c550ac9e6780b23ae603b9b00a4eb52bbd2495b45327185
Instruction ID: cdd6db89471e363eb0c024dafd59dce8bdfa3de864d9ed8bc405e7c292d3cab1
Opcode Fuzzy Hash: 3A41197F44EC1149F6A0DA0830FF64324E669EAF2C0325F101587303717ADBF52A6AB9
Instruction Fuzzy Hash: cdd6db89471e363eb0c024dafd59dce8bdfa3de864d9ed8bc405e7c292d3cab1

APIs

LoadLibraryA.KERNEL32(uxtheme.dll), ref: 0042F23A
GetProcAddress.KERNEL32(00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F252
GetProcAddress.KERNEL32(00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F264
GetProcAddress.KERNEL32(00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F276
GetProcAddress.KERNEL32(00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F288
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F29A
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F2AC
GetProcAddress.KERNEL32(00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000), ref: 0042F2BE
GetProcAddress.KERNEL32(00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData), ref: 0042F2D0
GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData), ref: 0042F2E2
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground), ref: 0042F2F4
GetProcAddress.KERNEL32(00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText), ref: 0042F306
GetProcAddress.KERNEL32(00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect), ref: 0042F318
GetProcAddress.KERNEL32(00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect), ref: 0042F32A
GetProcAddress.KERNEL32(00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize), ref: 0042F33C
GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent), ref: 0042F34E
GetProcAddress.KERNEL32(00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics), ref: 0042F360
GetProcAddress.KERNEL32(00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion), ref: 0042F372
GetProcAddress.KERNEL32(00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground), ref: 0042F384
GetProcAddress.KERNEL32(00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge), ref: 0042F396
GetProcAddress.KERNEL32(00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon), ref: 0042F3A8
GetProcAddress.KERNEL32(00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined), ref: 0042F3BA
GetProcAddress.KERNEL32(00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent), ref: 0042F3CC
GetProcAddress.KERNEL32(00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor), ref: 0042F3DE
GetProcAddress.KERNEL32(00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric), ref: 0042F3F0
GetProcAddress.KERNEL32(00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString), ref: 0042F402
GetProcAddress.KERNEL32(00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool), ref: 0042F414
GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt), ref: 0042F426
GetProcAddress.KERNEL32(00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue), ref: 0042F438
GetProcAddress.KERNEL32(00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition), ref: 0042F44A
GetProcAddress.KERNEL32(00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont), ref: 0042F45C
GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect), ref: 0042F46E
GetProcAddress.KERNEL32(00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins), ref: 0042F480
GetProcAddress.KERNEL32(00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList), ref: 0042F492
GetProcAddress.KERNEL32(00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin), ref: 0042F4A4
GetProcAddress.KERNEL32(00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme), ref: 0042F4B6
GetProcAddress.KERNEL32(00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename), ref: 0042F4C8
GetProcAddress.KERNEL32(00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor), ref: 0042F4DA
GetProcAddress.KERNEL32(00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush), ref: 0042F4EC
GetProcAddress.KERNEL32(00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool), ref: 0042F4FE
GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize), ref: 0042F510
GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont), ref: 0042F522
GetProcAddress.KERNEL32(00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString), ref: 0042F534
GetProcAddress.KERNEL32(00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt), ref: 0042F546
GetProcAddress.KERNEL32(00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive), ref: 0042F558
GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed), ref: 0042F56A
GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground,00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme), ref: 0042F57C
GetProcAddress.KERNEL32(00000000,EnableTheming,00000000,DrawThemeParentBackground,00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture), ref: 0042F58E

Strings

EnableTheming, xrefs: 0042F586
CloseThemeData, xrefs: 0042F25C
DrawThemeText, xrefs: 0042F280
GetThemePosition, xrefs: 0042F3C4
IsThemeBackgroundPartiallyTransparent, xrefs: 0042F346
GetThemeBool, xrefs: 0042F38E
GetThemeTextMetrics, xrefs: 0042F2DA
IsThemeDialogTextureEnabled, xrefs: 0042F51A
GetThemeMetric, xrefs: 0042F36A
GetThemeSysInt, xrefs: 0042F4C0
GetThemeInt, xrefs: 0042F3A0
SetThemeAppProperties, xrefs: 0042F53E
IsAppThemed, xrefs: 0042F4E4
EnableThemeDialogTexture, xrefs: 0042F508
GetThemeEnumValue, xrefs: 0042F3B2
GetThemeSysSize, xrefs: 0042F48A
GetThemeTextExtent, xrefs: 0042F2C8
DrawThemeBackground, xrefs: 0042F26E
GetThemeBackgroundRegion, xrefs: 0042F2EC
IsThemeActive, xrefs: 0042F4D2
GetThemeBackgroundContentRect, xrefs: 0042F292, 0042F2A4
uxtheme.dll, xrefs: 0042F235
GetThemeSysString, xrefs: 0042F4AE
DrawThemeEdge, xrefs: 0042F310
GetThemeFilename, xrefs: 0042F442
GetThemeIntList, xrefs: 0042F40C
GetThemeSysBool, xrefs: 0042F478
GetThemeSysColor, xrefs: 0042F454
GetThemeFont, xrefs: 0042F3D6
GetWindowTheme, xrefs: 0042F4F6
GetThemeMargins, xrefs: 0042F3FA
GetThemeSysColorBrush, xrefs: 0042F466
GetCurrentThemeName, xrefs: 0042F550
GetThemeAppProperties, xrefs: 0042F52C
GetThemePropertyOrigin, xrefs: 0042F41E
OpenThemeData, xrefs: 0042F24A
GetThemeSysFont, xrefs: 0042F49C
GetThemeRect, xrefs: 0042F3E8
GetThemeDocumentationProperty, xrefs: 0042F562
IsThemePartDefined, xrefs: 0042F334
SetWindowTheme, xrefs: 0042F430
GetThemePartSize, xrefs: 0042F2B6
GetThemeColor, xrefs: 0042F358
DrawThemeParentBackground, xrefs: 0042F574
DrawThemeIcon, xrefs: 0042F322
GetThemeString, xrefs: 0042F37C
HitTestThemeBackground, xrefs: 0042F2FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004754C4, Relevance: 87.7, APIs: 29, Strings: 21, Instructions: 233 Total matches: 21libraryloaderprocess

Similarity

Total matches: 21
API ID: GetModuleHandleGetProcAddress$CreateProcess
String ID: CloseHandle$CreateMutexA$CreateProcessA$D$DCPERSFWBP$ExitThread$GetExitCodeProcess$GetLastError$GetProcAddress$LoadLibraryA$MessageBoxA$OpenProcess$SetLastError$Sleep$TerminateProcess$WaitForSingleObject$kernel32$[FILE]$notepad$user32$[FILE]
API String ID: 3751337051-3523759359
Opcode ID: 948186da047cc935dcd349cc6fe59913c298c2f7fe37e158e253dfef2729ac1f
Instruction ID: 4cc698827aad1f96db961776656dbb42e561cfa105640199e72939f2d3a7da76
Opcode Fuzzy Hash: 0C31B4E666B8F349E6362E4830D46BC26C1A687F3DB52D7004A37B27C46E810407F776
Instruction Fuzzy Hash: 4cc698827aad1f96db961776656dbb42e561cfa105640199e72939f2d3a7da76

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 00475590

Part of subcall function 00474D58: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?,00000000,00000000,00000000,?,004755A7), ref: 00474D98
Part of subcall function 00474D58: WriteProcessMemory.KERNEL32(?,00000000,kernel32.dll,?,?,?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?), ref: 00474DBE

GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756B4
GetProcAddress.KERNEL32(00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756BA
GetModuleHandleA.KERNEL32(kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756CB
GetProcAddress.KERNEL32(00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756D1
GetModuleHandleA.KERNEL32(kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756E3
GetProcAddress.KERNEL32(00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 004756E9
GetModuleHandleA.KERNEL32(user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 004756FB
GetProcAddress.KERNEL32(00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 00475701
GetModuleHandleA.KERNEL32(kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 00475713
GetProcAddress.KERNEL32(00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000), ref: 00475719
GetModuleHandleA.KERNEL32(kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32), ref: 0047572B
GetProcAddress.KERNEL32(00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000), ref: 00475731
GetModuleHandleA.KERNEL32(kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32), ref: 00475743
GetProcAddress.KERNEL32(00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000), ref: 00475749
GetModuleHandleA.KERNEL32(kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32), ref: 0047575B
GetProcAddress.KERNEL32(00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000), ref: 00475761
GetModuleHandleA.KERNEL32(kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32), ref: 00475773
GetProcAddress.KERNEL32(00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000), ref: 00475779
GetModuleHandleA.KERNEL32(kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32), ref: 0047578B
GetProcAddress.KERNEL32(00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000), ref: 00475791
GetModuleHandleA.KERNEL32(kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32), ref: 004757A3
GetProcAddress.KERNEL32(00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000), ref: 004757A9
GetModuleHandleA.KERNEL32(kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32), ref: 004757BB
GetProcAddress.KERNEL32(00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000), ref: 004757C1
GetModuleHandleA.KERNEL32(kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32), ref: 004757D3
GetProcAddress.KERNEL32(00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000), ref: 004757D9
GetModuleHandleA.KERNEL32(kernel32,OpenProcess,00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32), ref: 004757EB
GetProcAddress.KERNEL32(00000000,kernel32,OpenProcess,00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000), ref: 004757F1

Part of subcall function 00474E20: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00474E5E
Part of subcall function 00474E20: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00474E6E
Part of subcall function 00474E20: ReadProcessMemory.KERNEL32(?,00000000,?,?,?,DCPERSFWBP,?,?), ref: 00474E81

Part of subcall function 0040F234: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0048F90F,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040F24B

Strings

ExitThread, xrefs: 00475622, 00475799
kernel32, xrefs: 004756AF, 004756C6, 004756DE, 0047570E, 00475726, 0047573E, 00475756, 0047576E, 00475786, 0047579E, 004757B6, 004757CE, 004757E6
GetProcAddress, xrefs: 004756C1
TerminateProcess, xrefs: 0047564C, 004757B1
notepad, xrefs: 00475543
CreateMutexA, xrefs: 00475604, 00475769
kernel32.dll, xrefs: 0047559B
user32.dll, xrefs: 004755AA
SetLastError, xrefs: 004755F5, 00475751
D, xrefs: 00475517
DCPERSFWBP, xrefs: 00475563
Sleep, xrefs: 004755B9, 004756D9
GetExitCodeProcess, xrefs: 0047565B, 00475781
user32, xrefs: 004756F6
WaitForSingleObject, xrefs: 0047567E, 004757C9
LoadLibraryA, xrefs: 004756AA
OpenProcess, xrefs: 00475631, 004757E1
MessageBoxA, xrefs: 004755C8, 004756F1
CreateProcessA, xrefs: 004755D7, 00475721
GetLastError, xrefs: 004755E6, 00475739
CloseHandle, xrefs: 00475613, 00475709

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00460DDC, Relevance: 75.4, APIs: 24, Strings: 19, Instructions: 132 Total matches: 77libraryloader

Similarity

Total matches: 77
API ID: GetProcAddress$LoadLibrary
String ID: EmptyWorkingSet$EnumDeviceDrivers$EnumProcessModules$EnumProcesses$GetDeviceDriverBaseNameA$GetDeviceDriverBaseNameW$GetDeviceDriverFileNameA$GetDeviceDriverFileNameW$GetMappedFileNameA$GetMappedFileNameW$GetModuleBaseNameA$GetModuleBaseNameW$GetModuleFileNameExA$GetModuleFileNameExW$GetModuleInformation$GetProcessMemoryInfo$InitializeProcessForWsWatch$[FILE]$QueryWorkingSet
API String ID: 2209490600-4166134900
Opcode ID: aaefed414f62a40513f9ac2234ba9091026a29d00b8defe743cdf411cc1f958a
Instruction ID: 585c55804eb58d57426aaf25b5bf4c27b161b10454f9e43d23d5139f544de849
Opcode Fuzzy Hash: CC1125BF55AD1149CBA48A6C34EF70324D3399A90D4228F10A492317397DDFE49A1FB5
Instruction Fuzzy Hash: 585c55804eb58d57426aaf25b5bf4c27b161b10454f9e43d23d5139f544de849

APIs

LoadLibraryA.KERNEL32(PSAPI.dll), ref: 00460DF0
GetProcAddress.KERNEL32(00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E0C
GetProcAddress.KERNEL32(00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E1E
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E30
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E42
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E54
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E66
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll), ref: 00460E78
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses), ref: 00460E8A
GetProcAddress.KERNEL32(00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules), ref: 00460E9C
GetProcAddress.KERNEL32(00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA), ref: 00460EAE
GetProcAddress.KERNEL32(00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA), ref: 00460EC0
GetProcAddress.KERNEL32(00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA), ref: 00460ED2
GetProcAddress.KERNEL32(00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA), ref: 00460EE4
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW), ref: 00460EF6
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW), ref: 00460F08
GetProcAddress.KERNEL32(00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation), ref: 00460F1A
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet), ref: 00460F2C
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet), ref: 00460F3E
GetProcAddress.KERNEL32(00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch), ref: 00460F50
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA), ref: 00460F62
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA), ref: 00460F74
GetProcAddress.KERNEL32(00000000,EnumDeviceDrivers,00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA), ref: 00460F86
GetProcAddress.KERNEL32(00000000,GetProcessMemoryInfo,00000000,EnumDeviceDrivers,00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA), ref: 00460F98

Strings

GetDeviceDriverFileNameA, xrefs: 00460F00, 00460F36
GetModuleInformation, xrefs: 00460E94
QueryWorkingSet, xrefs: 00460EB8
EnumProcessModules, xrefs: 00460E16
InitializeProcessForWsWatch, xrefs: 00460ECA
GetMappedFileNameA, xrefs: 00460EDC, 00460F12
GetDeviceDriverFileNameW, xrefs: 00460F6C
GetDeviceDriverBaseNameA, xrefs: 00460EEE, 00460F24
PSAPI.dll, xrefs: 00460DEB
EnumProcesses, xrefs: 00460E04
EnumDeviceDrivers, xrefs: 00460F7E
GetModuleBaseNameA, xrefs: 00460E28, 00460E4C
GetModuleFileNameExA, xrefs: 00460E3A, 00460E5E
GetDeviceDriverBaseNameW, xrefs: 00460F5A
EmptyWorkingSet, xrefs: 00460EA6
GetModuleFileNameExW, xrefs: 00460E82
GetModuleBaseNameW, xrefs: 00460E70
GetMappedFileNameW, xrefs: 00460F48
GetProcessMemoryInfo, xrefs: 00460F90

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474F80, Relevance: 68.4, APIs: 23, Strings: 16, Instructions: 193 Total matches: 16libraryloaderprocess

Similarity

Total matches: 16
API ID: GetModuleHandleGetProcAddress$CreateProcess
String ID: CloseHandle$D$DeleteFileA$ExitThread$GetExitCodeProcess$GetLastError$GetProcAddress$LoadLibraryA$MessageBoxA$OpenProcess$Sleep$TerminateProcess$kernel32$[FILE]$notepad$[FILE]
API String ID: 3751337051-1992750546
Opcode ID: f3e5bd14b9eca4547e1d82111e60eaf505a3b72a2acd12d9f4d60f775fac33f7
Instruction ID: 521cd1f5f1d68558a350981a4af58b67496248f6491df8a54ee4dd11dd84c66b
Opcode Fuzzy Hash: 6C21A7BE2678E349F6766E1834D567C2491BA46A38B4AEB010237376C44F91000BFF76
Instruction Fuzzy Hash: 521cd1f5f1d68558a350981a4af58b67496248f6491df8a54ee4dd11dd84c66b

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0047500B

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

Part of subcall function 00474D58: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?,00000000,00000000,00000000,?,004755A7), ref: 00474D98
Part of subcall function 00474D58: WriteProcessMemory.KERNEL32(?,00000000,kernel32.dll,?,?,?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?), ref: 00474DBE

GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000,00475246), ref: 0047511C
GetProcAddress.KERNEL32(00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000,00475246), ref: 00475122
GetModuleHandleA.KERNEL32(kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000), ref: 00475133
GetProcAddress.KERNEL32(00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 00475139
GetModuleHandleA.KERNEL32(kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000), ref: 0047514B
GetProcAddress.KERNEL32(00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000), ref: 00475151
GetModuleHandleA.KERNEL32(kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000), ref: 00475163
GetProcAddress.KERNEL32(00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000), ref: 00475169
GetModuleHandleA.KERNEL32(kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000), ref: 0047517B
GetProcAddress.KERNEL32(00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000), ref: 00475181
GetModuleHandleA.KERNEL32(kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32), ref: 00475193
GetProcAddress.KERNEL32(00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000), ref: 00475199
GetModuleHandleA.KERNEL32(kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32), ref: 004751AB
GetProcAddress.KERNEL32(00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000), ref: 004751B1
GetModuleHandleA.KERNEL32(kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32), ref: 004751C3
GetProcAddress.KERNEL32(00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000), ref: 004751C9
GetModuleHandleA.KERNEL32(kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32), ref: 004751DB
GetProcAddress.KERNEL32(00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000), ref: 004751E1
GetModuleHandleA.KERNEL32(kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32), ref: 004751F3
GetProcAddress.KERNEL32(00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000), ref: 004751F9
GetModuleHandleA.KERNEL32(kernel32,GetExitCodeProcess,00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32), ref: 0047520B
GetProcAddress.KERNEL32(00000000,kernel32,GetExitCodeProcess,00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000), ref: 00475211

Part of subcall function 00474E20: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00474E5E
Part of subcall function 00474E20: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00474E6E
Part of subcall function 00474E20: ReadProcessMemory.KERNEL32(?,00000000,?,?,?,DCPERSFWBP,?,?), ref: 00474E81

Part of subcall function 0040F234: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0048F90F,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040F24B

Strings

DeleteFileA, xrefs: 0047509B, 00475189
user32.dll, xrefs: 0047505F
LoadLibraryA, xrefs: 00475112
Sleep, xrefs: 0047506E, 00475141
notepad, xrefs: 00475025
OpenProcess, xrefs: 004750D7, 004751E9
kernel32.dll, xrefs: 00475050
GetProcAddress, xrefs: 00475129
ExitThread, xrefs: 0047508C, 00475171
TerminateProcess, xrefs: 004750B9, 004751B9
kernel32, xrefs: 00475117, 0047512E, 00475146, 0047515E, 00475176, 0047518E, 004751A6, 004751BE, 004751D6, 004751EE, 00475206
MessageBoxA, xrefs: 0047507D, 00475159
CloseHandle, xrefs: 004750C8, 004751D1
GetLastError, xrefs: 004750AA, 004751A1
GetExitCodeProcess, xrefs: 004750E6, 00475201
D, xrefs: 00474FC9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045D6E8, Relevance: 49.1, APIs: 15, Strings: 13, Instructions: 95 Total matches: 1532libraryloader

Similarity

Total matches: 1532
API ID: GetProcAddress$SetErrorMode$GetModuleHandleLoadLibrary
String ID: ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME$[FILE]
API String ID: 4285671783-683095915
Opcode ID: 6332f91712b4189a2fbf9eac54066364acf4b46419cf90587b9f7381acad85db
Instruction ID: 372e34bc737a7edc69a1909bd40661afaf820c1de602df88552da6e630419b72
Opcode Fuzzy Hash: 0A01257F24D863CBD2D0CE4934DB39D20B65787C0C8D6DF404605318697F9BF9295A68
Instruction Fuzzy Hash: 372e34bc737a7edc69a1909bd40661afaf820c1de602df88552da6e630419b72

APIs

SetErrorMode.KERNEL32(00008000), ref: 0045D701
GetModuleHandleA.KERNEL32(USER32,00000000,0045D84E,?,00008000), ref: 0045D725
GetProcAddress.KERNEL32(00000000,WINNLSEnableIME,USER32,00000000,0045D84E,?,00008000), ref: 0045D732
LoadLibraryA.KERNEL32(imm32.dll), ref: 0045D74E
GetProcAddress.KERNEL32(00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D770
GetProcAddress.KERNEL32(00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D785
GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D79A
GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7AF
GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7C4
GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E), ref: 0045D7D9
GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000), ref: 0045D7EE
GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext), ref: 0045D803
GetProcAddress.KERNEL32(00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext), ref: 0045D818
GetProcAddress.KERNEL32(00000000,ImmNotifyIME,00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus), ref: 0045D82D
SetErrorMode.KERNEL32(?,0045D855,00008000), ref: 0045D848

Strings

USER32, xrefs: 0045D720
ImmReleaseContext, xrefs: 0045D77A
ImmNotifyIME, xrefs: 0045D822
ImmIsIME, xrefs: 0045D80D
ImmGetConversionStatus, xrefs: 0045D78F
ImmSetCompositionFontA, xrefs: 0045D7E3
ImmGetCompositionStringA, xrefs: 0045D7F8
ImmSetCompositionWindow, xrefs: 0045D7CE
ImmGetContext, xrefs: 0045D765
imm32.dll, xrefs: 0045D749
ImmSetOpenStatus, xrefs: 0045D7B9
WINNLSEnableIME, xrefs: 0045D72C
ImmSetConversionStatus, xrefs: 0045D7A4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004104F0, Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141 Total matches: 3143

Similarity

Total matches: 3143
API ID: GetModuleHandle
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$[FILE]
API String ID: 2196120668-1102361026
Opcode ID: d04b3c176625d43589df9c4c1eaa1faa8af9b9c00307a8a09859a0e62e75f2dc
Instruction ID: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6
Opcode Fuzzy Hash: B8119E48E06A10BC356E3ED6B0292683F50A1A7CBF31D5388487AA46F067C083C0FF2D
Instruction Fuzzy Hash: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 004104F9

Part of subcall function 004104C4: GetProcAddress.KERNEL32(00000000), ref: 004104DD

Strings

VarMod, xrefs: 004105B7
VarBstrFromCy, xrefs: 004106A9
VarBstrFromBool, xrefs: 004106D5
VarAnd, xrefs: 004105CD
VarDateFromStr, xrefs: 00410667
oleaut32.dll, xrefs: 004104F4
VariantChangeTypeEx, xrefs: 00410507
VarCmp, xrefs: 0041060F
VarBstrFromDate, xrefs: 004106BF
VarBoolFromStr, xrefs: 00410693
VarR8FromStr, xrefs: 00410651
VarR4FromStr, xrefs: 0041063B
VarDiv, xrefs: 0041058B
VarSub, xrefs: 0041055F
VarNeg, xrefs: 0041051D
VarAdd, xrefs: 00410549
VarOr, xrefs: 004105E3
VarMul, xrefs: 00410575
VarI4FromStr, xrefs: 00410625
VarCyFromStr, xrefs: 0041067D
VarIdiv, xrefs: 004105A1
VarXor, xrefs: 004105F9
VarNot, xrefs: 00410533

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047EE3C, Relevance: 37.0, APIs: 10, Strings: 11, Instructions: 210 Total matches: 14file

Similarity

Total matches: 14
API ID: ShellExecute$CopyFile$DeleteFilePlaySoundSetFileAttributes
String ID: .dcp$BATCH$EDITSVR$GENCODE$HOSTS$SOUND$UPANDEXEC$UPDATE$UPLOADEXEC$drivers\etc\hosts$open
API String ID: 313780579-486951257
Opcode ID: 44d22e170a376e2c3ac9494fe8a96a526e5340482cd9b2ca1a65bf3f31ad22f8
Instruction ID: 609fd5320f3736894535b51981f95e3d4faf5b0f44a63c85dacee75dc97e5f91
Opcode Fuzzy Hash: 482159C03AA5D247E11B38503C02FC671E1AB8B365C4E774182B9B32D6EF825029EF59
Instruction Fuzzy Hash: 609fd5320f3736894535b51981f95e3d4faf5b0f44a63c85dacee75dc97e5f91

APIs

ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EEA0
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF11
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EF31
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF60

Part of subcall function 00475BD8: closesocket.WSOCK32(00000248,00000000,00475D47,?,00000000,00475D76,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00475D2E
Part of subcall function 00475BD8: GetCurrentProcessId.KERNEL32(00000248,00000000,00475D47,?,00000000,00475D76,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00475D33

ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0047EF96
CopyFileA.KERNEL32(00000000,00000000,.dcp), ref: 0047F0D1

Part of subcall function 00489C78: GetSystemDirectoryA.KERNEL32(00000000,?), ref: 00489CB4

SetFileAttributesA.KERNEL32(00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFD6
DeleteFileA.KERNEL32(00000000,00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFFF
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0047F033
PlaySoundA.WINMM(00000000,00000000,00000001,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047F059

Strings

UPANDEXEC, xrefs: 0047EF74
UPLOADEXEC, xrefs: 0047EE7E
BATCH, xrefs: 0047EEC3
drivers\etc\hosts, xrefs: 0047EFC3, 0047EFE6, 0047F017
GENCODE, xrefs: 0047F0A0
UPDATE, xrefs: 0047EF3E
open, xrefs: 0047EE99, 0047EF0A, 0047EF2A, 0047EF59, 0047EF8F
HOSTS, xrefs: 0047EFA3
.dcp, xrefs: 0047F0AD
SOUND, xrefs: 0047F040
EDITSVR, xrefs: 0047F063

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00489580, Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 221 Total matches: 17pipewindowsleep

Similarity

Total matches: 17
API ID: CloseHandleCreatePipePeekNamedPipe$CreateProcessDispatchMessageGetEnvironmentVariableGetExitCodeProcessOemToCharPeekMessageReadFileSleepTerminateProcessTranslateMessage
String ID: COMSPEC$D
API String ID: 4101216710-942777791
Opcode ID: 98b6063c36b7c4f9ee270a2712a57a54142ac9cf893dea9da1c9317ddc3726ed
Instruction ID: f750be379b028122e82cf807415e9f3aafae13f02fb218c552ebf65ada2f023f
Opcode Fuzzy Hash: 6221AE4207BD57A3E5972A046403B841372FF43A68F6CA7A2A6FD367E9CE400099FE14
Instruction Fuzzy Hash: f750be379b028122e82cf807415e9f3aafae13f02fb218c552ebf65ada2f023f

APIs

CreatePipe.KERNEL32(FFFFFFFF,?,00000000,00000000), ref: 004895ED
CreatePipe.KERNEL32(?,?,00000000,00000000,FFFFFFFF,?,00000000,00000000), ref: 004895FD
GetEnvironmentVariableA.KERNEL32(COMSPEC,?,00000104,?,?,00000000,00000000,FFFFFFFF,?,00000000,00000000), ref: 00489613
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?), ref: 00489668
Sleep.KERNEL32(000007D0,00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,COMSPEC,?,00000104,?,?), ref: 00489685
TranslateMessage.USER32(?), ref: 00489693
DispatchMessageA.USER32(?), ref: 0048969F
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004896B3
GetExitCodeProcess.KERNEL32(?,?), ref: 004896C8
PeekNamedPipe.KERNEL32(FFFFFFFF,00000000,00000000,00000000,?,00000000,?,?,?,00000000,00000000,00000000,00000001,?,?,?), ref: 004896F2
ReadFile.KERNEL32(FFFFFFFF,?,00002400,00000000,00000000), ref: 00489717
OemToCharA.USER32(?,?), ref: 0048972E
PeekNamedPipe.KERNEL32(FFFFFFFF,00000000,00000000,00000000,00000000,00000000,?,FFFFFFFF,?,00002400,00000000,00000000,FFFFFFFF,00000000,00000000,00000000), ref: 00489781

Part of subcall function 0041FA34: GetLastError.KERNEL32(00486514,00000004,0048650C,00000000,0041FADE,?,00499F5C), ref: 0041FA94

Part of subcall function 0041FC40: SetThreadPriority.KERNEL32(?,015CDB28,00499F5C,?,0047EC9E,?,?,?,00000000,00000000,?,0049062B), ref: 0041FC55

Part of subcall function 0041FEF0: ResumeThread.KERNEL32(?,00499F5C,?,0047ECAA,?,?,?,00000000,00000000,?,0049062B), ref: 0041FEF8

Part of subcall function 0041FF20: GetCurrentThreadId.KERNEL32 ref: 0041FF2E
Part of subcall function 0041FF20: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0041FF5A
Part of subcall function 0041FF20: MsgWaitForMultipleObjects.USER32(00000002,?,00000000,000003E8,00000040), ref: 0041FF6F
Part of subcall function 0041FF20: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041FF9C
Part of subcall function 0041FF20: GetExitCodeThread.KERNEL32(?,?,?,000000FF), ref: 0041FFA7

TerminateProcess.KERNEL32(?,00000000,00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,COMSPEC,?,00000104,?), ref: 0048980A
CloseHandle.KERNEL32(?), ref: 00489813
CloseHandle.KERNEL32(?), ref: 0048981C

Strings

D, xrefs: 00489627
COMSPEC, xrefs: 0048960E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004291D0, Relevance: 31.7, APIs: 21, Instructions: 194 Total matches: 3060window

Similarity

Total matches: 3060
API ID: SelectObject$CreateCompatibleDCDeleteDCRealizePaletteSelectPaletteSetBkColor$BitBltCreateBitmapDeleteObjectGetDCGetObjectPatBltReleaseDC
String ID:
API String ID: 628774946-0
Opcode ID: fe3971f2977393a3c43567018b8bbe78de127415e632ac21538e816cc0dd5250
Instruction ID: 6115c1c3159ef7867d394253bd6a45f4e10092e6f2e7cc69ab30c5ac2c74a228
Opcode Fuzzy Hash: 2911294A05CCF32B64B579881983B261182FE43B52CABF7105979272CACF41740DE457
Instruction Fuzzy Hash: 6115c1c3159ef7867d394253bd6a45f4e10092e6f2e7cc69ab30c5ac2c74a228

APIs

GetObjectA.GDI32(?,00000054,?), ref: 004291F3
GetDC.USER32(00000000), ref: 00429221
CreateCompatibleDC.GDI32(?), ref: 00429232
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0042924D
SelectObject.GDI32(?,00000000), ref: 00429267
PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 00429289
CreateCompatibleDC.GDI32(?), ref: 00429297
DeleteDC.GDI32(?), ref: 0042937D

Part of subcall function 00428B08: GetObjectA.GDI32(00000000,00000054,?), ref: 00428B88
Part of subcall function 00428B08: GetDC.USER32(00000000), ref: 00428B99
Part of subcall function 00428B08: CreateCompatibleDC.GDI32(00000000), ref: 00428BAA
Part of subcall function 00428B08: CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 00428BF6
Part of subcall function 00428B08: CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 00428C1A
Part of subcall function 00428B08: GetDeviceCaps.GDI32(00000028,0000000C), ref: 00428C6A
Part of subcall function 00428B08: GetDeviceCaps.GDI32(00000028,0000000E), ref: 00428C77
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00428D21
Part of subcall function 00428B08: GetDIBColorTable.GDI32(?,00000000,00000100,-00000027), ref: 00428D47
Part of subcall function 00428B08: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428D72
Part of subcall function 00428B08: SelectObject.GDI32(?,?), ref: 00428D7F
Part of subcall function 00428B08: CreateDIBSection.GDI32(00000028,00000001,00000000,00000003,00000000,00000000), ref: 00428DD5
Part of subcall function 00428B08: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428E36
Part of subcall function 00428B08: SelectObject.GDI32(?,?), ref: 00428E77
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,00000000), ref: 00428EB7
Part of subcall function 00428B08: RealizePalette.GDI32(?), ref: 00428EC3
Part of subcall function 00428B08: FillRect.USER32(?,?,00000000), ref: 00428F14
Part of subcall function 00428B08: SetTextColor.GDI32(?,00000000), ref: 00428F2C
Part of subcall function 00428B08: SetBkColor.GDI32(?,00000000), ref: 00428F46
Part of subcall function 00428B08: SetDIBColorTable.GDI32(?,00000000,00000002,?), ref: 00428F8E
Part of subcall function 00428B08: PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 00428FB0
Part of subcall function 00428B08: CreateCompatibleDC.GDI32(00000028), ref: 00428FC3
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00428FE6
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,00000000), ref: 00429002
Part of subcall function 00428B08: RealizePalette.GDI32(?), ref: 0042900D
Part of subcall function 00428B08: SetTextColor.GDI32(?,00000000), ref: 0042902B
Part of subcall function 00428B08: SetBkColor.GDI32(?,00000000), ref: 00429045
Part of subcall function 00428B08: BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042906D
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,000000FF), ref: 0042907F
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00429089
Part of subcall function 00428B08: DeleteDC.GDI32(?), ref: 004290A4
Part of subcall function 00428B08: SelectPalette.GDI32(?,?,000000FF), ref: 004290CE

SelectObject.GDI32(?), ref: 004292DF
SelectPalette.GDI32(?,?,00000000), ref: 004292F2
RealizePalette.GDI32(?), ref: 004292FB
SelectPalette.GDI32(?,?,00000000), ref: 00429307
RealizePalette.GDI32(?), ref: 00429310
SetBkColor.GDI32(?), ref: 0042931A
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042933E
SetBkColor.GDI32(?,00000000), ref: 00429348
SelectObject.GDI32(?,00000000), ref: 0042935B
DeleteObject.GDI32 ref: 00429367
SelectObject.GDI32(?,00000000), ref: 00429398
DeleteDC.GDI32(00000000), ref: 004293B4
ReleaseDC.USER32(00000000,00000000), ref: 004293C5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004031FC, Relevance: 27.1, APIs: 9, Strings: 9, Instructions: 110 Total matches: 169

Similarity

Total matches: 169
API ID: CharNext
String ID: $ $ $"$"$"$"$"$"
API String ID: 3213498283-3597982963
Opcode ID: a78e52ca640c3a7d11d18e4cac849d6c7481ab065be4a6ef34a7c34927dd7892
Instruction ID: 5d6dbb870b020a65ba4fa9e31a5dda400ef744f15fc7bff5e21739e263984da5
Opcode Fuzzy Hash: D0F054139ED4432360976B416872B44E2D0DF9564D2C01F185B62BE2F31E696D62F9DC
Instruction Fuzzy Hash: 5d6dbb870b020a65ba4fa9e31a5dda400ef744f15fc7bff5e21739e263984da5

APIs

CharNextA.USER32(00000000), ref: 00403208
CharNextA.USER32(00000000), ref: 00403236
CharNextA.USER32(00000000), ref: 00403240
CharNextA.USER32(00000000), ref: 0040325F
CharNextA.USER32(00000000), ref: 00403269
CharNextA.USER32(00000000), ref: 00403295
CharNextA.USER32(00000000), ref: 0040329F
CharNextA.USER32(00000000), ref: 004032C7
CharNextA.USER32(00000000), ref: 004032D1

Strings

", xrefs: 00403230
, xrefs: 004032E9
", xrefs: 0040328F
", xrefs: 0040321E
, xrefs: 00403214
", xrefs: 00403254
, xrefs: 00403278
", xrefs: 00403219
", xrefs: 004032BC

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00472E88, Relevance: 26.4, APIs: 6, Strings: 9, Instructions: 199 Total matches: 19network

Similarity

Total matches: 19
API ID: inet_ntoa$WSAIoctlclosesocketsocket
String ID: Broadcast adress : $ Broadcasts : NO$ Broadcasts : YES$ IP : $ IP Mask : $ Loopback interface$ Network interface$ Status : DOWN$ Status : UP
API String ID: 2271367613-1810517698
Opcode ID: 3d4dbe25dc82bdd7fd028c6f91bddee7ad6dc1d8a686e5486e056cbc58026438
Instruction ID: 018b2a24353d4e3a07e7e79b390110fecb7011e72bd4e8fb6250bb24c4a02172
Opcode Fuzzy Hash: E22138C22338E1B2D42A39C6B500F80B651671FB7EF481F9652B6FFDC26E488005A749
Instruction Fuzzy Hash: 018b2a24353d4e3a07e7e79b390110fecb7011e72bd4e8fb6250bb24c4a02172

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00473108), ref: 00472EC7
WSAIoctl.WS2_32(000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000), ref: 00472F08
inet_ntoa.WSOCK32(?,00000000,004730D5,?,00000002,00000001,00000000,00000000,00473108), ref: 00472F40
inet_ntoa.WSOCK32(?,00473130,?, IP : ,?,?,00000000,004730D5,?,00000002,00000001,00000000,00000000,00473108), ref: 00472F81
inet_ntoa.WSOCK32(?,00473130,?, IP Mask : ,?,?,00473130,?, IP : ,?,?,00000000,004730D5,?,00000002,00000001), ref: 00472FC2
closesocket.WSOCK32(000000FF,00000002,00000001,00000000,00000000,00473108), ref: 004730E3

Strings

Broadcast adress : , xrefs: 00472FCB
Status : UP, xrefs: 00473001
IP Mask : , xrefs: 00472F8A
Broadcasts : NO, xrefs: 00473057
Status : DOWN, xrefs: 0047301B
IP : , xrefs: 00472F49
Broadcasts : YES, xrefs: 0047303D
Network interface, xrefs: 00473091
Loopback interface, xrefs: 00473077

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045944C, Relevance: 25.8, APIs: 17, Instructions: 258 Total matches: 99

Similarity

Total matches: 99
API ID: OffsetRect$MapWindowPoints$DrawEdgeExcludeClipRectFillRectGetClientRectGetRgnBoxGetWindowDCGetWindowLongGetWindowRectInflateRectIntersectClipRectIntersectRectReleaseDC
String ID:
API String ID: 549690890-0
Opcode ID: 4a5933c45267f4417683cc1ac528043082b1f46eca0dcd21c58a50742ec4aa88
Instruction ID: 2ecbe6093ff51080a4fa1a6c7503b414327ded251fe39163baabcde2d7402924
Opcode Fuzzy Hash: DE316B4D01AF1663F073A6401983F7A1516FF43A89CD837F27EE63235E27662066AA03
Instruction Fuzzy Hash: 2ecbe6093ff51080a4fa1a6c7503b414327ded251fe39163baabcde2d7402924

APIs

GetWindowDC.USER32(00000000), ref: 00459480
GetClientRect.USER32(00000000,?), ref: 004594A3
GetWindowRect.USER32(00000000,?), ref: 004594B5
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 004594CB
OffsetRect.USER32(?,?,?), ref: 004594E0
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 004594F9
InflateRect.USER32(?,00000000,00000000), ref: 00459517
GetWindowLongA.USER32(00000000,000000F0), ref: 00459531
DrawEdge.USER32(?,?,?,00000008), ref: 00459630
IntersectClipRect.GDI32(?,?,?,?,?), ref: 00459649
OffsetRect.USER32(?,?,?), ref: 00459673
GetRgnBox.GDI32(?,?), ref: 00459682
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 00459698
IntersectRect.USER32(?,?,?), ref: 004596A9
OffsetRect.USER32(?,?,?), ref: 004596BE

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?,00000000), ref: 004596DA
ReleaseDC.USER32(00000000,?), ref: 004596F9

Part of subcall function 004328FC: GetWindowLongA.USER32(00000000,000000EC), ref: 00432917
Part of subcall function 004328FC: GetWindowRect.USER32(00000000,?), ref: 00432932
Part of subcall function 004328FC: OffsetRect.USER32(?,?,?), ref: 00432947
Part of subcall function 004328FC: GetWindowDC.USER32(00000000), ref: 00432955
Part of subcall function 004328FC: GetWindowLongA.USER32(00000000,000000F0), ref: 00432986
Part of subcall function 004328FC: GetSystemMetrics.USER32(00000002), ref: 0043299B
Part of subcall function 004328FC: GetSystemMetrics.USER32(00000003), ref: 004329A4
Part of subcall function 004328FC: InflateRect.USER32(?,000000FE,000000FE), ref: 004329B3
Part of subcall function 004328FC: GetSysColorBrush.USER32(0000000F), ref: 004329E0
Part of subcall function 004328FC: FillRect.USER32(?,?,00000000), ref: 004329EE
Part of subcall function 004328FC: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00432A13
Part of subcall function 004328FC: ReleaseDC.USER32(00000000,?), ref: 00432A51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004296E0, Relevance: 21.2, APIs: 14, Instructions: 217 Total matches: 2962window

Similarity

Total matches: 2962
API ID: GetDeviceCapsSelectObjectSelectPaletteSetStretchBltMode$CreateCompatibleDCDeleteDCGetBrushOrgExRealizePaletteSetBrushOrgExStretchBlt
String ID:
API String ID: 3308931694-0
Opcode ID: c4f23efe5e20e7f72d9787206ae9d4d4484ef6a1768b369050ebc0ce3d21af64
Instruction ID: 6e80a75276815f297b150d1899ec2451361d21afa1efcd092d0d7bc48a04164e
Opcode Fuzzy Hash: 2C21980A409CEB6BF0BB78840183F4A2285BF9B34ACD1BB210E64673635F04E40BD65F
Instruction Fuzzy Hash: 6e80a75276815f297b150d1899ec2451361d21afa1efcd092d0d7bc48a04164e

APIs

Part of subcall function 00429D5C: GetDC.USER32(00000000), ref: 00429DB2
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429DC7
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00429DD1
Part of subcall function 00429D5C: CreateHalftonePalette.GDI32(00000000), ref: 00429DF5
Part of subcall function 00429D5C: ReleaseDC.USER32(00000000,00000000), ref: 00429E00

SelectPalette.GDI32(?,?,000000FF), ref: 00429723
RealizePalette.GDI32(?), ref: 00429732
GetDeviceCaps.GDI32(?,0000000C), ref: 00429744
GetDeviceCaps.GDI32(?,0000000E), ref: 00429753
GetBrushOrgEx.GDI32(?,?), ref: 00429786
SetStretchBltMode.GDI32(?,00000004), ref: 00429794
SetBrushOrgEx.GDI32(?,?,?,?), ref: 004297AC
SetStretchBltMode.GDI32(00000000,00000003), ref: 004297C9
SelectPalette.GDI32(?,?,000000FF), ref: 00429918

Part of subcall function 00429CFC: DeleteObject.GDI32(?), ref: 00429D1F

CreateCompatibleDC.GDI32(00000000), ref: 0042982A
SelectObject.GDI32(?,?), ref: 0042983F

Part of subcall function 00425CC8: CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 00425D0B
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425D20
Part of subcall function 00425CC8: MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,CCAA0029), ref: 00425D64
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425D7E
Part of subcall function 00425CC8: DeleteObject.GDI32(?), ref: 00425D8A
Part of subcall function 00425CC8: CreateCompatibleDC.GDI32(00000000), ref: 00425D9E
Part of subcall function 00425CC8: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00425DBF
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425DD4
Part of subcall function 00425CC8: SelectPalette.GDI32(?,48080787,00000000), ref: 00425DE8
Part of subcall function 00425CC8: SelectPalette.GDI32(?,?,00000000), ref: 00425DFA
Part of subcall function 00425CC8: SelectPalette.GDI32(?,00000000,000000FF), ref: 00425E0F
Part of subcall function 00425CC8: SelectPalette.GDI32(?,48080787,000000FF), ref: 00425E25
Part of subcall function 00425CC8: RealizePalette.GDI32(?), ref: 00425E31
Part of subcall function 00425CC8: StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 00425E53
Part of subcall function 00425CC8: StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 00425E75
Part of subcall function 00425CC8: SetTextColor.GDI32(?,00000000), ref: 00425E7D
Part of subcall function 00425CC8: SetBkColor.GDI32(?,00FFFFFF), ref: 00425E8B
Part of subcall function 00425CC8: StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 00425EB7
Part of subcall function 00425CC8: StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 00425EDC
Part of subcall function 00425CC8: SetTextColor.GDI32(?,?), ref: 00425EE6
Part of subcall function 00425CC8: SetBkColor.GDI32(?,?), ref: 00425EF0
Part of subcall function 00425CC8: SelectObject.GDI32(?,00000000), ref: 00425F03
Part of subcall function 00425CC8: DeleteObject.GDI32(?), ref: 00425F0C
Part of subcall function 00425CC8: SelectPalette.GDI32(?,00000000,00000000), ref: 00425F2E
Part of subcall function 00425CC8: DeleteDC.GDI32(?), ref: 00425F37

SelectObject.GDI32(?,00000000), ref: 0042989E
DeleteDC.GDI32(00000000), ref: 004298AD
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,?), ref: 004298F3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474208, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 49 Total matches: 17libraryloader

Similarity

Total matches: 17
API ID: GetProcAddress$LoadLibrary
String ID: WlanCloseHandle$WlanEnumInterfaces$WlanGetAvailableNetworkList$WlanOpenHandle$WlanQueryInterface$[FILE]
API String ID: 2209490600-3498334979
Opcode ID: 5146edb54a207047eae4574c9a27975307ac735bfb4468aea4e07443cdf6e803
Instruction ID: f89292433987c39bc7d9e273a1951c9a278ebb56a2de24d0a3e4590a01f53334
Opcode Fuzzy Hash: 50E0B6FD90BAA808D37089CC31962431D6E7BE332DA621E00086A230902B4FF2766935
Instruction Fuzzy Hash: f89292433987c39bc7d9e273a1951c9a278ebb56a2de24d0a3e4590a01f53334

APIs

LoadLibraryA.KERNEL32(wlanapi.dll), ref: 00474216
GetProcAddress.KERNEL32(00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 0047422E
GetProcAddress.KERNEL32(00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 00474249
GetProcAddress.KERNEL32(00000000,WlanEnumInterfaces,00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 00474264
GetProcAddress.KERNEL32(00000000,WlanQueryInterface,00000000,WlanEnumInterfaces,00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 0047427F
GetProcAddress.KERNEL32(00000000,WlanGetAvailableNetworkList,00000000,WlanQueryInterface,00000000,WlanEnumInterfaces,00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 0047429A

Strings

WlanOpenHandle, xrefs: 00474226
wlanapi.dll, xrefs: 00474211
WlanGetAvailableNetworkList, xrefs: 00474292
WlanQueryInterface, xrefs: 00474277
WlanEnumInterfaces, xrefs: 0047425C
WlanCloseHandle, xrefs: 00474241

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048D3C4, Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 132 Total matches: 32

Similarity

Total matches: 32
API ID: GetVersionEx
String ID: Unknow$Windows 2000$Windows 7$Windows 95$Windows 98$Windows Me$Windows NT 4.0$Windows Server 2003$Windows Vista$Windows XP
API String ID: 3908303307-3783844371
Opcode ID: 7b5a5832e5fd12129a8a2e2906a492b9449b8df28a17af9cc2e55bced20de565
Instruction ID: b844ed6b70e0e94de659292c354b68b9ed016400ab421bcb6baea74a0809c2ae
Opcode Fuzzy Hash: 0C11ACC1EB6CE422E7B219486410BD59E805F8B83AFCCC343D63EA83E46D491419F22D
Instruction Fuzzy Hash: b844ed6b70e0e94de659292c354b68b9ed016400ab421bcb6baea74a0809c2ae

APIs

GetVersionExA.KERNEL32(00000094), ref: 0048D410

Strings

Windows Me, xrefs: 0048D4F2
Windows NT 4.0, xrefs: 0048D441
Windows 2000, xrefs: 0048D467
Windows 95, xrefs: 0048D4D6
Windows 7, xrefs: 0048D4B1
Unknow, xrefs: 0048D3F5
Windows Vista, xrefs: 0048D4A3
Windows Server 2003, xrefs: 0048D486
Windows XP, xrefs: 0048D478
Windows 98, xrefs: 0048D4E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C494, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 102 Total matches: 27filememorythread

Similarity

Total matches: 27
API ID: CloseHandle$CreateFileCreateThreadFindResourceLoadResourceLocalAllocLockResourceSizeofResourceWriteFile
String ID: [FILE]
API String ID: 67866216-124780900
Opcode ID: 96c988e38e59b89ff17cc2eaece477f828ad8744e4a6eccd5192cfbc043553d8
Instruction ID: 630cc112895e8414539e3ba5b7ba0394fd4404f3832c6fa9d37db38bf09270f9
Opcode Fuzzy Hash: D5F02B8A57A5E6A3F0003C841D423D286D55B13B20E582B62C57CB75C1FE24502AFB03
Instruction Fuzzy Hash: 630cc112895e8414539e3ba5b7ba0394fd4404f3832c6fa9d37db38bf09270f9

APIs

FindResourceA.KERNEL32(00000000,?,?), ref: 0048C4C3

Part of subcall function 00489BB0: GetTempPathA.KERNEL32(?,00000000), ref: 00489BEC

CreateFileA.KERNEL32(00000000,.dll,?,?,40000000,00000002,00000000), ref: 0048C50F
SizeofResource.KERNEL32(00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC,?,?,?,?,00000000,00000000,00000000), ref: 0048C51F
LoadResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C528
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C52E
WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0048C535
CloseHandle.KERNEL32(00000000), ref: 0048C53B
LocalAlloc.KERNEL32(00000040,00000004,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C544
CreateThread.KERNEL32(00000000,00000000,0048C3E4,00000000,00000000,?), ref: 0048C586
CloseHandle.KERNEL32(00000000), ref: 0048C58C

Strings

.dll, xrefs: 0048C4F4, 0048C565

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00442280, Relevance: 18.5, APIs: 12, Instructions: 471 Total matches: 76window

Similarity

Total matches: 76
API ID: ShowWindow$SendMessageSetWindowPos$CallWindowProcGetActiveWindowSetActiveWindow
String ID:
API String ID: 1078102291-0
Opcode ID: 5a6bc4dc446307c7628f18d730adac2faaaadfe5fec0ff2c8aaad915570e293a
Instruction ID: d2d7a330045c082ee8847ac264425c59ea8f05af409e416109ccbd6a8a647aa5
Opcode Fuzzy Hash: AA512601698E2453F8A360442A87BAB6077F74EB54CC4AB744BCF530AB3A51D837E74B
Instruction Fuzzy Hash: d2d7a330045c082ee8847ac264425c59ea8f05af409e416109ccbd6a8a647aa5

APIs

Part of subcall function 004471C4: IsChild.USER32(00000000,00000000), ref: 00447222

SendMessageA.USER32(?,00000223,00000000,00000000), ref: 004426BE
ShowWindow.USER32(00000000,00000003), ref: 004426CE
ShowWindow.USER32(00000000,00000002), ref: 004426F0
CallWindowProcA.USER32(00407FF8,00000000,00000005,00000000,?), ref: 00442719
SendMessageA.USER32(?,00000234,00000000,00000000), ref: 0044273E
ShowWindow.USER32(00000000,?), ref: 00442763
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000097), ref: 004427FF
GetActiveWindow.USER32 ref: 00442815
ShowWindow.USER32(00000000,00000000), ref: 00442872

Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773

Part of subcall function 0043BA80: GetCurrentThreadId.KERNEL32(Function_0003BA1C,00000000,0044283C,00000000,004428BF), ref: 0043BA9A
Part of subcall function 0043BA80: EnumThreadWindows.USER32(00000000,Function_0003BA1C,00000000), ref: 0043BAA0

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000097), ref: 0044285A
SetActiveWindow.USER32(00000000), ref: 00442860
ShowWindow.USER32(00000000,00000001), ref: 004428A2

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004328FC, Relevance: 18.1, APIs: 12, Instructions: 142 Total matches: 2670

Similarity

Total matches: 2670
API ID: GetSystemMetricsGetWindowLong$ExcludeClipRectFillRectGetSysColorBrushGetWindowDCGetWindowRectInflateRectOffsetRectReleaseDC
String ID:
API String ID: 3932036319-0
Opcode ID: 76064c448b287af48dc2af56ceef959adfeb7e49e56a31cb381aae6292753b0b
Instruction ID: f04c829c48dd0ecc4740a09c532db4e7ffce190e9eba6ce852bb2d0274806371
Opcode Fuzzy Hash: 03019760024F1233E0B31AC05DC7F127621ED45386CA4BBF28BF6A72C962AA7006F467
Instruction Fuzzy Hash: f04c829c48dd0ecc4740a09c532db4e7ffce190e9eba6ce852bb2d0274806371

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 00432917
GetWindowRect.USER32(00000000,?), ref: 00432932
OffsetRect.USER32(?,?,?), ref: 00432947
GetWindowDC.USER32(00000000), ref: 00432955
GetWindowLongA.USER32(00000000,000000F0), ref: 00432986
GetSystemMetrics.USER32(00000002), ref: 0043299B
GetSystemMetrics.USER32(00000003), ref: 004329A4
InflateRect.USER32(?,000000FE,000000FE), ref: 004329B3
GetSysColorBrush.USER32(0000000F), ref: 004329E0
FillRect.USER32(?,?,00000000), ref: 004329EE
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00432A13
ReleaseDC.USER32(00000000,?), ref: 00432A51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00402820, Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 254 Total matches: 200window

Similarity

Total matches: 200
API ID: MessageBox
String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
API String ID: 1250089747-1256731999
Opcode ID: 490897b8e9acac750f9d51d50a768472c0795dbdc6439b18441db86d626ce938
Instruction ID: 76dfa530adb1b8c2cc13e2667be7c25ba156ed0594aa9714788bfb3d1a0eda85
Opcode Fuzzy Hash: 0731F44BA7DDC3A2D3E91303684575550E2A7C5537C888F609772317F6EE04250BAAAD
Instruction Fuzzy Hash: 76dfa530adb1b8c2cc13e2667be7c25ba156ed0594aa9714788bfb3d1a0eda85

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 00402BBE

Strings

An unexpected memory leak has occurred. , xrefs: 00402980
String, xrefs: 00402A91
, xrefs: 00402B04
Unknown, xrefs: 00402A7C
The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402B39
The unexpected small block leaks are:, xrefs: 004029F7
Unexpected Memory Leak, xrefs: 00402BB0
7, xrefs: 00402991
bytes: , xrefs: 00402A4D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F17C, Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 116 Total matches: 33window

Similarity

Total matches: 33
API ID: GetWindowPlacementGetWindowTextIsWindowVisible
String ID: ,$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive$True
API String ID: 41250382-511446200
Opcode ID: 2a93bd2407602c988be198f02ecb64933adb9ffad78aee0f75abc9a1a22a1849
Instruction ID: 8f95e1a452f283c9d6a5f9db166b7f7b6e325fa1ebf04232aa01919826a7e185
Opcode Fuzzy Hash: F5012D8237CECA73DA0AAEC47C00B80D5A5AF63224CC867A14A9D3D1D41ED06009AB4A
Instruction Fuzzy Hash: 8f95e1a452f283c9d6a5f9db166b7f7b6e325fa1ebf04232aa01919826a7e185

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F1D2
GetWindowPlacement.USER32(?,0000002C), ref: 0046F1ED
IsWindowVisible.USER32(?), ref: 0046F258

Part of subcall function 0046F148: GetWindow.USER32(?,00000005), ref: 0046F156
Part of subcall function 0046F148: GetWindow.USER32(00000000,00000002), ref: 0046F164

Strings

,, xrefs: 0046F1E1
Minimized, xrefs: 0046F225
Show/Unactive, xrefs: 0046F239
True, xrefs: 0046F2AA
Maximized, xrefs: 0046F1FD
Normal, xrefs: 0046F211
Normal/Unactive, xrefs: 0046F24D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E71C, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 109 Total matches: 2989

Similarity

Total matches: 2989
API ID: IntersectRect$GetSystemMetrics$EnumDisplayMonitorsGetClipBoxGetDCOrgExOffsetRect
String ID: EnumDisplayMonitors
API String ID: 2403121106-2491903729
Opcode ID: 52db4d6629bbd73772140d7e04a91d47a072080cb3515019dbe85a8b86b11587
Instruction ID: b4557ab74b20c8893b9e8c5043286aecf6e43751f6ec849995a879e485a4fa77
Opcode Fuzzy Hash: 60F02B4B413C0863AD32BB953067E2601615BD3955C9F7BF34D077A2091B85B42EF643
Instruction Fuzzy Hash: b4557ab74b20c8893b9e8c5043286aecf6e43751f6ec849995a879e485a4fa77

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 0042E755
GetSystemMetrics.USER32(00000000), ref: 0042E77A
GetSystemMetrics.USER32(00000001), ref: 0042E785
GetClipBox.GDI32(?,?), ref: 0042E797
GetDCOrgEx.GDI32(?,?), ref: 0042E7A4
OffsetRect.USER32(?,?,?), ref: 0042E7BD
IntersectRect.USER32(?,?,?), ref: 0042E7CE
IntersectRect.USER32(?,?,?), ref: 0042E7E4
IntersectRect.USER32(?,?,?), ref: 0042E804

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

EnumDisplayMonitors, xrefs: 0042E734

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044D1B0, Relevance: 16.6, APIs: 11, Instructions: 91 Total matches: 309

Similarity

Total matches: 309
API ID: GetWindowLongSetWindowLong$SetProp$IsWindowUnicode
String ID:
API String ID: 2416549522-0
Opcode ID: cc33e88019e13a6bdd1cd1f337bb9aa08043e237bf24f75c2294c70aefb51ea5
Instruction ID: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692
Opcode Fuzzy Hash: 47F09048455D92E9CE316990181BFEB6098AF57F91CE86B0469C2713778E50F079BCC2
Instruction Fuzzy Hash: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692

APIs

IsWindowUnicode.USER32(?), ref: 0044D1CA
SetWindowLongW.USER32(?,000000FC,?), ref: 0044D1E5
GetWindowLongW.USER32(?,000000F0), ref: 0044D1F0
GetWindowLongW.USER32(?,000000F4), ref: 0044D202
SetWindowLongW.USER32(?,000000F4,?), ref: 0044D215
SetWindowLongA.USER32(?,000000FC,?), ref: 0044D22E
GetWindowLongA.USER32(?,000000F0), ref: 0044D239
GetWindowLongA.USER32(?,000000F4), ref: 0044D24B
SetWindowLongA.USER32(?,000000F4,?), ref: 0044D25E
SetPropA.USER32(?,00000000,00000000), ref: 0044D275
SetPropA.USER32(?,00000000,00000000), ref: 0044D28C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00485954, Relevance: 16.0, APIs: 4, Strings: 5, Instructions: 236 Total matches: 15filewindow

Similarity

Total matches: 15
API ID: DeleteFile$BeepMessageBox
String ID: Error$SYSINFO$out.txt$systeminfo$tmp.txt
API String ID: 2513333429-345806071
Opcode ID: 175ef29eb0126f4faf8d8d995bdbdcdb5595b05f6195c7c08c0282fe984d4c47
Instruction ID: 39f7f17e1c987efdb7b4b5db2f739eec2f93dce701a473bbe0ca777f64945c64
Opcode Fuzzy Hash: 473108146FCD9607E0675C047D43BB622369F83488E8AB3736AB7321E95E12C007FE96
Instruction Fuzzy Hash: 39f7f17e1c987efdb7b4b5db2f739eec2f93dce701a473bbe0ca777f64945c64

APIs

Beep.KERNEL32(00000000,00000000,?,00000000,00485C82), ref: 00485C68

Part of subcall function 00489BB0: GetTempPathA.KERNEL32(?,00000000), ref: 00489BEC

Part of subcall function 0048AB58: DeleteFileA.KERNEL32(00000000,00000000,0048ABE5,?,00000000,0048AC07), ref: 0048ABA5

Part of subcall function 0048A8AC: CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000004,00000100,00000000), ref: 0048A953
Part of subcall function 0048A8AC: CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000002,00000100,00000000), ref: 0048A98D
Part of subcall function 0048A8AC: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000110,00000000,00000000,00000044,?), ref: 0048AA10
Part of subcall function 0048A8AC: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0048AA2D
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA68
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA77
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA86
Part of subcall function 0048A8AC: CloseHandle.KERNEL32(00000000), ref: 0048AA95

DeleteFileA.KERNEL32(00000000,Error,00000000,00485C82), ref: 00485A63
DeleteFileA.KERNEL32(00000000,00000000,Error,00000000,00485C82), ref: 00485A92

Part of subcall function 00485888: LocalAlloc.KERNEL32(00000040,00000014,00000000,00485939), ref: 004858C3
Part of subcall function 00485888: CreateThread.KERNEL32(00000000,00000000,Function_0008317C,00000000,00000000,00499F94), ref: 00485913
Part of subcall function 00485888: CloseHandle.KERNEL32(00000000), ref: 00485919

MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00485BE3

Strings

systeminfo, xrefs: 00485A14
tmp.txt, xrefs: 004859CA, 00485A07, 00485A79
Error, xrefs: 004859DE
SYSINFO, xrefs: 00485AAE
out.txt, xrefs: 004859AB, 004859EE, 00485A2A, 00485A4A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00462C84, Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 197 Total matches: 15com

Similarity

Total matches: 15
API ID: CoCreateInstance
String ID: )I$,*I$\)I$l)I$|*I
API String ID: 206711758-730570145
Opcode ID: 8999b16d8999ffb1a836ee872fd39b0ec17270f551e5dbcbb19cdec74f308aa7
Instruction ID: 5b7ba80d8099b44c35cabc3879083aa44c7049928a8bf14f2fd8312944c66e37
Opcode Fuzzy Hash: D1212B50148E6143E69475A53D92FAF11533BAB341E68BA6821DF30396CF01619BBF86
Instruction Fuzzy Hash: 5b7ba80d8099b44c35cabc3879083aa44c7049928a8bf14f2fd8312944c66e37

APIs

CoCreateInstance.OLE32(00492A2C,00000000,00000003,0049296C,00000000), ref: 00462CC9
CoCreateInstance.OLE32(00492A8C,00000000,00000001,00462EC8,00000000), ref: 00462CF4
CoCreateInstance.OLE32(00492A9C,00000000,00000001,0049295C,00000000), ref: 00462D20
CoCreateInstance.OLE32(00492A1C,00000000,00000003,004929AC,00000000), ref: 00462E12

Strings

,*I, xrefs: 00462CC3
l)I, xrefs: 00462CB9
)I, xrefs: 00462E4B
\)I, xrefs: 00462D10
|*I, xrefs: 00462D3C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048485C, Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 185 Total matches: 16networkfile

Similarity

Total matches: 16
API ID: HttpQueryInfoInternetCloseHandleInternetOpenInternetOpenUrlInternetReadFileShellExecute
String ID: 200$Mozilla$open
API String ID: 3970492845-1265730427
Opcode ID: 3dc36a46b375420b33b8be952117d0a4158fa58e722c19be8f44cfd6d7effa21
Instruction ID: c028a43d89851b06b6d8b312316828d3eee8359a726d0fa9a5f52c6647499b4f
Opcode Fuzzy Hash: B0213B401399C252F8372E512C83B9D101FDF82639F8857F197B9396D5EF48400DFA9A
Instruction Fuzzy Hash: c028a43d89851b06b6d8b312316828d3eee8359a726d0fa9a5f52c6647499b4f

APIs

InternetOpenA.WININET(Mozilla,00000001,00000000,00000000,00000000), ref: 0048490C
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,04000000,00000000), ref: 00484944
HttpQueryInfoA.WININET(00000000,00000013,?,00000200,?), ref: 0048497D
InternetReadFile.WININET(00000000,?,00000400,?), ref: 00484A04
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 00484A75
InternetCloseHandle.WININET(00000000), ref: 00484A95

Strings

200, xrefs: 004849BD
Mozilla, xrefs: 00484907
open, xrefs: 00484A6E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A8AC, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 146 Total matches: 45fileprocesssynchronization

Similarity

Total matches: 45
API ID: CloseHandle$CreateFile$CreateProcessWaitForSingleObject
String ID: D
API String ID: 1169714791-2746444292
Opcode ID: 9fb844b51f751657abfdf9935c21911306aa385a3997c9217fbe2ce6b668f812
Instruction ID: 79e473b7fda91be69f4d7f417df14a4c992ec25b9310636d694ca9e09f5cc5b6
Opcode Fuzzy Hash: 4D11E6431384F3F3F1A567002C8275185D6DB45A78E6D9752D6B6323EECB40A16CF94A
Instruction Fuzzy Hash: 79e473b7fda91be69f4d7f417df14a4c992ec25b9310636d694ca9e09f5cc5b6

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000004,00000100,00000000), ref: 0048A953
CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000002,00000100,00000000), ref: 0048A98D
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000110,00000000,00000000,00000044,?), ref: 0048AA10
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0048AA2D
CloseHandle.KERNEL32(00000000), ref: 0048AA68
CloseHandle.KERNEL32(00000000), ref: 0048AA77
CloseHandle.KERNEL32(00000000), ref: 0048AA86
CloseHandle.KERNEL32(00000000), ref: 0048AA95

Strings

D, xrefs: 0048A9BB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F3B8, Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 110 Total matches: 30

Similarity

Total matches: 30
API ID: GetWindowPlacementGetWindowText
String ID: ,$False$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive
API String ID: 3194812178-3661939895
Opcode ID: 6e67ebc189e59b109926b976878c05c5ff8e56a7c2fe83319816f47c7d386b2c
Instruction ID: 05c2a068ec8248d3d24fb73124f2ba0192b7bb261c799db9564259cde8fcc610
Opcode Fuzzy Hash: DC012BC22786CE23E606A9C47A00BD0CE65AFB261CCC867E14FEE3C5D57ED100089B96
Instruction Fuzzy Hash: 05c2a068ec8248d3d24fb73124f2ba0192b7bb261c799db9564259cde8fcc610

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F40E
GetWindowPlacement.USER32(?,0000002C), ref: 0046F429

Part of subcall function 0046F148: GetWindow.USER32(?,00000005), ref: 0046F156
Part of subcall function 0046F148: GetWindow.USER32(00000000,00000002), ref: 0046F164

Strings

Maximized, xrefs: 0046F439
,, xrefs: 0046F41D
False, xrefs: 0046F4D6
Show/Unactive, xrefs: 0046F475
Normal, xrefs: 0046F44D
Minimized, xrefs: 0046F461
Normal/Unactive, xrefs: 0046F489

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00456278, Relevance: 15.2, APIs: 10, Instructions: 197 Total matches: 3025

Similarity

Total matches: 3025
API ID: GetWindowLong$IntersectClipRectRestoreDCSaveDC
String ID:
API String ID: 3006731778-0
Opcode ID: 42e9e34b880910027b3e3a352b823e5a85719ef328f9c6ea61aaf2d3498d6580
Instruction ID: 4204c0258dd60c0c2688d7e8ce7edc9cd036ce1826430425374ca7ebdb7834a4
Opcode Fuzzy Hash: 4621F609168D5267EC7B75806993BAA7111FB82B88CD1F7321AA1171975B80204BFA07
Instruction Fuzzy Hash: 4204c0258dd60c0c2688d7e8ce7edc9cd036ce1826430425374ca7ebdb7834a4

APIs

SaveDC.GDI32(?), ref: 00456295

Part of subcall function 0044EEA0: GetWindowOrgEx.GDI32(?), ref: 0044EEAE
Part of subcall function 0044EEA0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044EEC4

IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 004562CE
GetWindowLongA.USER32(00000000,000000EC), ref: 004562E2
GetWindowLongA.USER32(00000000,000000F0), ref: 00456303

Part of subcall function 00456278: SetRect.USER32(00000010,00000000,00000000,?,?), ref: 00456363
Part of subcall function 00456278: IntersectClipRect.GDI32(?,00000000,00000000,00000010,?), ref: 004563D3
Part of subcall function 00456278: SetRect.USER32(?,00000000,00000000,?,?), ref: 004563F4
Part of subcall function 00456278: DrawEdge.USER32(?,?,00000000,00000000), ref: 00456403
Part of subcall function 00456278: IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0045642C

RestoreDC.GDI32(?,?), ref: 004564AB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043F2B8, Relevance: 15.1, APIs: 10, Instructions: 133 Total matches: 142window

Similarity

Total matches: 142
API ID: GetWindowLongSendMessageSetWindowLong$GetClassLongGetSystemMenuSetClassLongSetWindowPos
String ID:
API String ID: 864553395-0
Opcode ID: 9ab73d602731c043e05f06fe9a833ffc60d2bf7da5b0a21ed43778f35c9aa1f5
Instruction ID: 86e40c6f39a8dd384175e0123e2dc7e82ae64037638b8220b5ac0861a23d6a34
Opcode Fuzzy Hash: B101DBAA1A176361E0912DCCCAC3B2ED50DB743248EB0DBD922E11540E7F4590A7FE2D
Instruction Fuzzy Hash: 86e40c6f39a8dd384175e0123e2dc7e82ae64037638b8220b5ac0861a23d6a34

APIs

GetWindowLongA.USER32(00000000,000000F0), ref: 0043F329
GetWindowLongA.USER32(00000000,000000EC), ref: 0043F33B
GetClassLongA.USER32(00000000,000000E6), ref: 0043F34E
SetWindowLongA.USER32(00000000,000000F0,00000000), ref: 0043F38E
SetWindowLongA.USER32(00000000,000000EC,?), ref: 0043F3A2
SetClassLongA.USER32(00000000,000000E6,?), ref: 0043F3B6
SendMessageA.USER32(00000000,00000080,00000001,00000000), ref: 0043F3F0
SendMessageA.USER32(00000000,00000080,00000001,00000000), ref: 0043F408
GetSystemMenu.USER32(00000000,000000FF), ref: 0043F417
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043F440

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044155C, Relevance: 15.1, APIs: 10, Instructions: 74 Total matches: 3192window

Similarity

Total matches: 3192
API ID: DeleteMenu$EnableMenuItem$GetSystemMenu
String ID:
API String ID: 3542995237-0
Opcode ID: 6b257927fe0fdeada418aad578b82fbca612965c587f2749ccb5523ad42afade
Instruction ID: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578
Opcode Fuzzy Hash: 0AF0D09DD98F1151E6F500410C47B83C08AFF413C5C245B380583217EFA9D25A5BEB0E
Instruction Fuzzy Hash: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 004415A7
DeleteMenu.USER32(00000000,0000F130,00000000), ref: 004415C5
DeleteMenu.USER32(00000000,00000007,00000400), ref: 004415D2
DeleteMenu.USER32(00000000,00000005,00000400), ref: 004415DF
DeleteMenu.USER32(00000000,0000F030,00000000), ref: 004415EC
DeleteMenu.USER32(00000000,0000F020,00000000), ref: 004415F9
DeleteMenu.USER32(00000000,0000F000,00000000), ref: 00441606
DeleteMenu.USER32(00000000,0000F120,00000000), ref: 00441613
EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 00441631
EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 0044164D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040281E, Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 188 Total matches: 190window

Similarity

Total matches: 190
API ID: MessageBox
String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
API String ID: 1250089747-980038931
Opcode ID: 1669ecd234b97cdbd14c3df7a35b1e74c6856795be7635a3e0f5130a3d9bc831
Instruction ID: 2e60dbe28dcd1d3aa5670394eea0bc97309ab4bc9661f15f320bab8b5d4cd559
Opcode Fuzzy Hash: 8E21F44B67EED392D3EA1303384575540E3ABC5537D888F60977232BF6EE14140BAA9D
Instruction Fuzzy Hash: 2e60dbe28dcd1d3aa5670394eea0bc97309ab4bc9661f15f320bab8b5d4cd559

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 00402BBE

Strings

An unexpected memory leak has occurred. , xrefs: 00402980
, xrefs: 00402B04
The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402B39
The unexpected small block leaks are:, xrefs: 004029F7
Unexpected Memory Leak, xrefs: 00402BB0
7, xrefs: 00402991
bytes: , xrefs: 00402A4D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004710F0, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 66 Total matches: 37

Similarity

Total matches: 37
API ID: GetWindowShowWindow$FindWindowGetClassName
String ID: BUTTON$Shell_TrayWnd
API String ID: 2948047570-3627955571
Opcode ID: 9e064d9ead1b610c0c1481de5900685eb7d76be14ef2e83358ce558d27e67668
Instruction ID: d360bd029940f6fa4d12d7627fe3e8b46839e67e31e965d43504e39a11938d6c
Opcode Fuzzy Hash: 68E092CC17B5D469B71A2789284236241D5C763A35C18B752D332376DF8E58021EE60A
Instruction Fuzzy Hash: d360bd029940f6fa4d12d7627fe3e8b46839e67e31e965d43504e39a11938d6c

APIs

FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 0047111D
GetWindow.USER32(00000000,00000005), ref: 00471125
GetClassNameA.USER32(00000000,?,00000080), ref: 0047113D
ShowWindow.USER32(00000000,00000001), ref: 0047117C
ShowWindow.USER32(00000000,00000000), ref: 00471186
GetWindow.USER32(00000000,00000002), ref: 0047118E

Strings

BUTTON, xrefs: 00471168
Shell_TrayWnd, xrefs: 00471118

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040DA34, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 56 Total matches: 16filewindow

Similarity

Total matches: 16
API ID: GetStdHandleWriteFile$CharToOemLoadStringMessageBox
String ID: LPI
API String ID: 3807148645-863635926
Opcode ID: 539cd2763de28bf02588dbfeae931fa34031625c31423c558e1c96719d1f86e4
Instruction ID: 5b0ab8211e0f5c40d4b1780363d5c9b524eff0228eb78845b7b0cb7c9884c59c
Opcode Fuzzy Hash: B1E09A464E3CA62353002E1070C6B892287EF4302E93833828A11787D74E3104E9A21C
Instruction Fuzzy Hash: 5b0ab8211e0f5c40d4b1780363d5c9b524eff0228eb78845b7b0cb7c9884c59c

APIs

Part of subcall function 0040D8AC: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040D8C9
Part of subcall function 0040D8AC: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040D8ED
Part of subcall function 0040D8AC: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040D908
Part of subcall function 0040D8AC: LoadStringA.USER32(00000000,0000FFED,?,00000100), ref: 0040D99E

CharToOemA.USER32(?,?), ref: 0040DA6B
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,0040E1ED,0040E312,0040FDD4,00000000,0040FF18), ref: 0040DA88
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?), ref: 0040DA8E
GetStdHandle.KERNEL32(000000F4,0040DAF8,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,0040E1ED,0040E312,0040FDD4,00000000,0040FF18), ref: 0040DAA3
WriteFile.KERNEL32(00000000,000000F4,0040DAF8,00000002,?), ref: 0040DAA9
LoadStringA.USER32(00000000,0000FFEE,?,00000040), ref: 0040DACB
MessageBoxA.USER32(00000000,?,?,00002010), ref: 0040DAE1

Strings

LPI, xrefs: 0040DA48

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004564D0, Relevance: 13.7, APIs: 9, Instructions: 177 Total matches: 190window

Similarity

Total matches: 190
API ID: SelectObject$BeginPaintBitBltCreateCompatibleBitmapCreateCompatibleDCSetWindowOrgEx
String ID:
API String ID: 1616898104-0
Opcode ID: 00b711a092303d63a394b0039c66d91bff64c6bf82b839551a80748cfcb5bf1e
Instruction ID: 1affb125a654ca7596d0e4f6c4811def945eff925a29ebecd1c68cf0f38a7913
Opcode Fuzzy Hash: 14115B85024DA637E8739CC85E83F962294F307D48C91F7729BA31B2C72F15600DD293
Instruction Fuzzy Hash: 1affb125a654ca7596d0e4f6c4811def945eff925a29ebecd1c68cf0f38a7913

APIs

Part of subcall function 00455D50: BeginPaint.USER32(00000000,?), ref: 00455D7B
Part of subcall function 00455D50: SaveDC.GDI32(00000000), ref: 00455DB4
Part of subcall function 00455D50: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 00455E36
Part of subcall function 00455D50: RestoreDC.GDI32(00000000,00000000), ref: 00455E6C
Part of subcall function 00455D50: EndPaint.USER32(00000000,?), ref: 00455EA9

BeginPaint.USER32(00000000,?), ref: 004565EA
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00456600
CreateCompatibleDC.GDI32(00000000), ref: 00456617
SelectObject.GDI32(?,?), ref: 00456627
SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0045664B

Part of subcall function 004564D0: BeginPaint.USER32(00000000,?), ref: 0045653C
Part of subcall function 004564D0: EndPaint.USER32(00000000,?), ref: 004565D0

BitBlt.GDI32(00000000,?,?,?,?,?,?,?,00CC0020), ref: 00456699
SelectObject.GDI32(?,?), ref: 004566B3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004840D8, Relevance: 13.6, APIs: 9, Instructions: 150 Total matches: 30

Similarity

Total matches: 30
API ID: CloseHandleGetTokenInformationLookupAccountSid$GetLastErrorOpenProcessOpenProcessToken
String ID:
API String ID: 1387212650-0
Opcode ID: 55fc45e655e8bcad6bc41288bae252f5ee7be0b7cb976adfe173a6785b05be5f
Instruction ID: 4c6b5abeafcca947752a893948ed48d42e020b1fe5683f4a654fc51f6199c0a3
Opcode Fuzzy Hash: 3901484A17CA2293F53BB5C82483FEA1215E702B45D48B7A354F43A59A5F45A13BF702
Instruction Fuzzy Hash: 4c6b5abeafcca947752a893948ed48d42e020b1fe5683f4a654fc51f6199c0a3

APIs

OpenProcess.KERNEL32(00000400,00000000,?,00000000,00484275), ref: 00484108
OpenProcessToken.ADVAPI32(00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 0048411E
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,?,00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 00484139
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),?,?,?,?,TokenIntegrityLevel,00000000,00000000,?,00000000,00000008,?,00000400,00000000), ref: 00484168
GetLastError.KERNEL32(?,TokenIntegrityLevel,00000000,00000000,?,00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 00484177
CloseHandle.KERNEL32(?), ref: 00484185
LookupAccountSidA.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 004841B4
LookupAccountSidA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,?), ref: 00484205
CloseHandle.KERNEL32(00000000), ref: 00484255

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00451458, Relevance: 13.6, APIs: 9, Instructions: 122 Total matches: 3040window

Similarity

Total matches: 3040
API ID: PatBlt$SelectObject$GetDCExGetDesktopWindowReleaseDC
String ID:
API String ID: 2402848322-0
Opcode ID: 0b1cd19b0e82695ca21d43bacf455c9985e1afa33c1b29ce2f3a7090b744ccb2
Instruction ID: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593
Opcode Fuzzy Hash: C2F0B4482AADF707C8B6350915C7F79224AED736458F4BB694DB4172CBAF27B014D093
Instruction Fuzzy Hash: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593

APIs

GetDesktopWindow.USER32 ref: 0045148F
GetDCEx.USER32(?,00000000,00000402), ref: 004514A2

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

SelectObject.GDI32(?,00000000), ref: 004514C5
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 004514EB
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0045150D
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 0045152C
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 00451546
SelectObject.GDI32(?,?), ref: 00451553
ReleaseDC.USER32(?,?), ref: 0045156D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00454934, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 134 Total matches: 1764registry

Similarity

Total matches: 1764
API ID: GetWindowLong$GetClassInfoRegisterClassSetWindowLongUnregisterClass
String ID: @
API String ID: 2433521760-2766056989
Opcode ID: bb057d11bcffa2997f58ae607b8aec9f6d517787b85221cca69b6bc40098651c
Instruction ID: 4013627ed433dbc6b152acdb164a0da3d29e3622e0b68fd627badcaca3a3b516
Opcode Fuzzy Hash: 5A119C80560CD237E7D669A4B48378513749F97B7CDD0536B63F6242DA4E00402DF96E
Instruction Fuzzy Hash: 4013627ed433dbc6b152acdb164a0da3d29e3622e0b68fd627badcaca3a3b516

APIs

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetClassInfoA.USER32(?,?,?), ref: 004549F8
UnregisterClassA.USER32(?,?), ref: 00454A20
RegisterClassA.USER32(?), ref: 00454A36
GetWindowLongA.USER32(00000000,000000F0), ref: 00454A72
GetWindowLongA.USER32(00000000,000000F4), ref: 00454A87
SetWindowLongA.USER32(00000000,000000F4,00000000), ref: 00454A9A

Part of subcall function 00458910: IsIconic.USER32(?), ref: 0045891F
Part of subcall function 00458910: GetWindowPlacement.USER32(?,0000002C), ref: 0045893C
Part of subcall function 00458910: GetWindowRect.USER32(?), ref: 00458955
Part of subcall function 00458910: GetWindowLongA.USER32(?,000000F0), ref: 00458963
Part of subcall function 00458910: GetWindowLongA.USER32(?,000000F8), ref: 00458978
Part of subcall function 00458910: ScreenToClient.USER32(00000000), ref: 00458985
Part of subcall function 00458910: ScreenToClient.USER32(00000000,?), ref: 00458990

Part of subcall function 0042473C: CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,00424930,?,00000000,00424958), ref: 0042486B
Part of subcall function 0042473C: CreateFontIndirectA.GDI32(?), ref: 0042490D

Part of subcall function 0040F26C: GetLastError.KERNEL32(0040F31C,?,0041BBC3,?), ref: 0040F26C

Strings

@, xrefs: 0045496D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E4A0, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68 Total matches: 2853string

Similarity

Total matches: 2853
API ID: GetSystemMetrics$GetMonitorInfoSystemParametersInfolstrcpy
String ID: DISPLAY$GetMonitorInfo
API String ID: 3432438702-1633989206
Opcode ID: eae47ffeee35c10db4cae29e8a4ab830895bcae59048fb7015cdc7d8cb0a928b
Instruction ID: 74142331967dee0409fd24cf408a58a7466f2520650418456c75ade1e3029da4
Opcode Fuzzy Hash: 28E068803A699081F86A71027110F4912B07AE7E47D883B92C4777051BD78265B91D01
Instruction Fuzzy Hash: 74142331967dee0409fd24cf408a58a7466f2520650418456c75ade1e3029da4

APIs

GetMonitorInfoA.USER32(?,?), ref: 0042E4D1
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042E4F8
GetSystemMetrics.USER32(00000000), ref: 0042E50D
GetSystemMetrics.USER32(00000001), ref: 0042E518
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0042E542

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

DISPLAY, xrefs: 0042E539
GetMonitorInfo, xrefs: 0042E4B8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E574, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 68 Total matches: 14string

Similarity

Total matches: 14
API ID: GetSystemMetrics$SystemParametersInfolstrcpy
String ID: DISPLAY$GetMonitorInfoA$tB
API String ID: 920390751-4256241499
Opcode ID: 9a94b6fb1edcb78a0c9a66795ebd84d1eeb67d07ab6805deb2fcd0b49b846e84
Instruction ID: eda70eb6c6723b3d8ed12733fddff3b40501d2063d2ec80ebb02aba850291404
Opcode Fuzzy Hash: 78E068C132298081B86A31013160F42129039E7E17E883BC1D4F77056B8B8275651D08
Instruction Fuzzy Hash: eda70eb6c6723b3d8ed12733fddff3b40501d2063d2ec80ebb02aba850291404

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042E5CC
GetSystemMetrics.USER32(00000000), ref: 0042E5E1
GetSystemMetrics.USER32(00000001), ref: 0042E5EC
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0042E616

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

GetMonitorInfoA, xrefs: 0042E58C
tB, xrefs: 0042E591, 0042E59E, 0042E5A5
DISPLAY, xrefs: 0042E60D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E648, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 68 Total matches: 10string

Similarity

Total matches: 10
API ID: GetSystemMetrics$SystemParametersInfolstrcpy
String ID: DISPLAY$GetMonitorInfoW$HB
API String ID: 920390751-4214253287
Opcode ID: 39694e9d9e018d210cdbb9f258b89a02c97d0963af088e59ad359ed5c593a5a2
Instruction ID: 715dbc0accc45c62a460a5bce163b1305142a94d166b4e77b7d7de915e09a29c
Opcode Fuzzy Hash: C6E0D8802269D0C5B86A71013254F4712E53EFBF57C8C3B51D5737156A5782A6B51D11
Instruction Fuzzy Hash: 715dbc0accc45c62a460a5bce163b1305142a94d166b4e77b7d7de915e09a29c

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042E6A0
GetSystemMetrics.USER32(00000000), ref: 0042E6B5
GetSystemMetrics.USER32(00000001), ref: 0042E6C0
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0042E6EA

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

GetMonitorInfoW, xrefs: 0042E660
HB, xrefs: 0042E665, 0042E672, 0042E679
DISPLAY, xrefs: 0042E6E1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004052FC, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38 Total matches: 3072filewindow

Similarity

Total matches: 3072
API ID: GetStdHandleWriteFile$MessageBox
String ID: Error$Runtime error at 00000000
API String ID: 877302783-2970929446
Opcode ID: a2f2a555d5de0ed3a3cdfe8a362fd9574088acc3a5edf2b323f2c4251b80d146
Instruction ID: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97
Opcode Fuzzy Hash: FED0A7C68438479FA141326030C4B2A00133F0762A9CC7396366CB51DFCF4954BCDD05
Instruction Fuzzy Hash: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405335
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 0040533B
GetStdHandle.KERNEL32(000000F5,00405384,00000002,?,00000000,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405350
WriteFile.KERNEL32(00000000,000000F5,00405384,00000002,?), ref: 00405356
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00405374

Strings

Error, xrefs: 00405368
Runtime error at 00000000, xrefs: 0040532E, 0040536D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00442C9C, Relevance: 12.2, APIs: 8, Instructions: 154 Total matches: 2310window

Similarity

Total matches: 2310
API ID: SendMessage$GetActiveWindowGetCapture$ReleaseCapture
String ID:
API String ID: 3360342259-0
Opcode ID: 2e7a3c9d637816ea08647afd4d8ce4a3829e05fa187c32cef18f4a4206af3d5d
Instruction ID: f313f7327938110f0d474da6a120560d1e1833014bacf3192a9076ddb3ef11f7
Opcode Fuzzy Hash: 8F1150111E8E7417F8A3A1C8349BB23A067F74FA59CC0BF71479A610D557588869D707
Instruction Fuzzy Hash: f313f7327938110f0d474da6a120560d1e1833014bacf3192a9076ddb3ef11f7

APIs

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetCapture.USER32 ref: 00442D0D
GetCapture.USER32 ref: 00442D1C
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00442D22
ReleaseCapture.USER32 ref: 00442D27
GetActiveWindow.USER32 ref: 00442D78

Part of subcall function 004442A8: GetCursorPos.USER32 ref: 004442C3
Part of subcall function 004442A8: WindowFromPoint.USER32(?,?), ref: 004442D0
Part of subcall function 004442A8: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004442DE
Part of subcall function 004442A8: GetCurrentThreadId.KERNEL32(00000000,00000000,?,?), ref: 004442E5
Part of subcall function 004442A8: SendMessageA.USER32(00000000,00000084,00000000,?), ref: 0044430E
Part of subcall function 004442A8: SendMessageA.USER32(00000000,00000020,00000000,?), ref: 00444320
Part of subcall function 004442A8: SetCursor.USER32(00000000), ref: 00444332

Part of subcall function 0043B920: GetCurrentThreadId.KERNEL32(0043B8D0,00000000,00000000,0043B993,?,00000000,0043B9D1), ref: 0043B976
Part of subcall function 0043B920: EnumThreadWindows.USER32(00000000,0043B8D0,00000000), ref: 0043B97C

SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00442E0E
SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00442E7B
GetActiveWindow.USER32 ref: 00442E8A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E0DC, Relevance: 12.1, APIs: 8, Instructions: 100 Total matches: 31registry

Similarity

Total matches: 31
API ID: RegOpenKeyEx$RegCloseKeyRegDeleteValue
String ID:
API String ID: 2702562355-0
Opcode ID: ff1bffc0fc9da49c543c68ea8f8c068e074332158ed00d7e0855fec77d15ce10
Instruction ID: bb6f8a9e936068d281b70d3ea2ea02ff1a791729bc38357734c580253c916b5c
Opcode Fuzzy Hash: 00F0AD0155E9A353EBF654C41E127DB2082FF43A44D08FFB50392139D3DF581028E663
Instruction Fuzzy Hash: bb6f8a9e936068d281b70d3ea2ea02ff1a791729bc38357734c580253c916b5c

APIs

RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?,00000000,0046E238), ref: 0046E15A
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,000F003F,?,0046E23F,80000000,00000000,00000000,000F003F,?,00000000,0046E238), ref: 0046E17D
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,0046E23F,80000000,00000000,00000000,000F003F,?), ref: 0046E19D
RegOpenKeyExA.ADVAPI32(80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,0046E23F), ref: 0046E1BD
RegOpenKeyExA.ADVAPI32(80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001), ref: 0046E1DD
RegOpenKeyExA.ADVAPI32(80000006,00000000,00000000,000F003F,?,80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002), ref: 0046E1FD
RegDeleteValueA.ADVAPI32(?,00000000,00000000,0046E238), ref: 0046E20F
RegCloseKey.ADVAPI32(?,?,00000000,00000000,0046E238), ref: 0046E218

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004462F4, Relevance: 12.1, APIs: 8, Instructions: 99 Total matches: 293windowthread

Similarity

Total matches: 293
API ID: SendMessage$GetWindowThreadProcessId$GetCaptureGetParentIsWindowUnicode
String ID:
API String ID: 2317708721-0
Opcode ID: 8f6741418f060f953fc426fb00df5905d81b57fcb2f7a38cdc97cb0aab6d7365
Instruction ID: 027f2b09132ef415e1641618d15c0fc03404835376b0cbd1c352fc703b58c8b5
Opcode Fuzzy Hash: D0F09E15071D1844F89FA7844CD3F1F0150E73726FC516A251861D07BB2640586DEC40
Instruction Fuzzy Hash: 027f2b09132ef415e1641618d15c0fc03404835376b0cbd1c352fc703b58c8b5

APIs

GetCapture.USER32 ref: 0044631A
GetParent.USER32(00000000), ref: 00446340
IsWindowUnicode.USER32(00000000), ref: 0044635D
SendMessageW.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446378
SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446397
GetWindowThreadProcessId.USER32(00000000), ref: 004463A6
GetWindowThreadProcessId.USER32(?,?), ref: 004463B4
SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 004463D4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E244, Relevance: 12.1, APIs: 8, Instructions: 95 Total matches: 27registry

Similarity

Total matches: 27
API ID: RegOpenKeyEx$RegCloseKeyRegDeleteKey
String ID:
API String ID: 1588268847-0
Opcode ID: efa1fa3a126963e045954320cca245066a4b5764b694b03be027155e6cf74c33
Instruction ID: 786d86d630c0ce6decb55c8266b1f23f89dbfeab872e22862efc69a80fb541cf
Opcode Fuzzy Hash: 70F0810454D99393EFF268C81A627EB2492FF53141C00BFB603D222A93DF191428E663
Instruction Fuzzy Hash: 786d86d630c0ce6decb55c8266b1f23f89dbfeab872e22862efc69a80fb541cf

APIs

RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?,00000000,0046E391), ref: 0046E2B7
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,000F003F,?,80000000,00000000,00000000,000F003F,?,00000000,0046E391), ref: 0046E2DA
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,80000000,00000000,00000000,000F003F,?,00000000), ref: 0046E2FA
RegOpenKeyExA.ADVAPI32(80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,80000000), ref: 0046E31A
RegOpenKeyExA.ADVAPI32(80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001), ref: 0046E33A
RegOpenKeyExA.ADVAPI32(80000006,00000000,00000000,000F003F,?,80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002), ref: 0046E35A
RegDeleteKeyA.ADVAPI32(?,0046E39C), ref: 0046E368
RegCloseKey.ADVAPI32(?,?,0046E39C,00000000,0046E391), ref: 0046E371

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426060, Relevance: 12.1, APIs: 8, Instructions: 79 Total matches: 3072window

Similarity

Total matches: 3072
API ID: GetSystemPaletteEntries$GetDCGetDeviceCapsReleaseDC
String ID:
API String ID: 3774187343-0
Opcode ID: c8a1f0028bda89d06ba34fecd970438ce26e4f5bd606e2da3d468695089984a8
Instruction ID: 0cfe958825060108f21fe327ec74807f3ea840bb8274bad68fd1d00675d59d02
Opcode Fuzzy Hash: 82F0E9420739F3B3B21723492453B548250FF006B8F195B7095A2A37D54B486A08D65A
Instruction Fuzzy Hash: 0cfe958825060108f21fe327ec74807f3ea840bb8274bad68fd1d00675d59d02

APIs

GetDC.USER32(00000000), ref: 0042608E
GetDeviceCaps.GDI32(?,00000068), ref: 004260AA
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 004260C9
GetSystemPaletteEntries.GDI32(?,-00000008,00000001,00C0C0C0), ref: 004260ED
GetSystemPaletteEntries.GDI32(?,00000000,00000007,?), ref: 0042610B
GetSystemPaletteEntries.GDI32(?,00000007,00000001,?), ref: 0042611F
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0042613F
ReleaseDC.USER32(00000000,?), ref: 00426157

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434550, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 177 Total matches: 2669window

Similarity

Total matches: 2669
API ID: InsertMenu$GetVersionInsertMenuItem
String ID: ,$?
API String ID: 1158528009-2308483597
Opcode ID: 3691d3eb49acf7fe282d18733ae3af9147e5be4a4a7370c263688d5644077239
Instruction ID: d88e58a9695d0ecde36b26a9ed5775f3b98e27f7dc2108173ae1ec2afbf22209
Opcode Fuzzy Hash: 7021C07202AE81DBD414788C7954F6221B16B5465FD49FF210329B5DD98F156003FF7A
Instruction Fuzzy Hash: d88e58a9695d0ecde36b26a9ed5775f3b98e27f7dc2108173ae1ec2afbf22209

APIs

GetVersion.KERNEL32(00000000,004347A1), ref: 004345EC
InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 004346F5
InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 0043477E

Part of subcall function 00434A54: CreatePopupMenu.USER32 ref: 00434A6F
Part of subcall function 00434A54: CreateMenu.USER32 ref: 00434A79

InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 00434765

Strings

?, xrefs: 00434607
,, xrefs: 00434600

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00488D70, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 139 Total matches: 17window

Similarity

Total matches: 17
API ID: BitBltCreateCompatibleBitmapCreateCompatibleDCCreateDCSelectObject
String ID: image/jpeg
API String ID: 3045076971-3785015651
Opcode ID: dbe4b5206c04ddfa7cec44dd0e3e3f3269a9d8eacf2ec53212285f1a385d973c
Instruction ID: b6a9b81207b66fd46b40be05ec884117bb921c7e8fb4f30b77988d552b54040a
Opcode Fuzzy Hash: 3001BD010F4EF103E475B5CC3853FF7698AEB17E8AD1A77A20CB8961839202A009F607
Instruction Fuzzy Hash: b6a9b81207b66fd46b40be05ec884117bb921c7e8fb4f30b77988d552b54040a

APIs

CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 00488DAA
CreateCompatibleDC.GDI32(?), ref: 00488DC4
CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 00488DDC
SelectObject.GDI32(?,?), ref: 00488DEC
BitBlt.GDI32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,00CC0020), ref: 00488E15

Part of subcall function 0045FB1C: GdipCreateBitmapFromHBITMAP.GDIPLUS(?,?,?), ref: 0045FB43

Part of subcall function 0045FA24: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,0045FA7A), ref: 0045FA54

Strings

image/jpeg, xrefs: 00488E70

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446834, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 138 Total matches: 241window

Similarity

Total matches: 241
API ID: SetWindowPos$GetWindowRectMessageBoxSetActiveWindow
String ID: (
API String ID: 3733400490-3887548279
Opcode ID: 057cc1c80f110adb1076bc5495aef73694a74091f1d008cb79dd59c6bbc78491
Instruction ID: b10abcdf8b99517cb61353ac0e0d7546e107988409174f4fad3563684715349e
Opcode Fuzzy Hash: 88014C110E8D5483B57334902893FAB110AFB8B789C4CF7F65ED25314A4B45612FA657
Instruction Fuzzy Hash: b10abcdf8b99517cb61353ac0e0d7546e107988409174f4fad3563684715349e

APIs

Part of subcall function 00447BE4: GetActiveWindow.USER32 ref: 00447C0B
Part of subcall function 00447BE4: GetLastActivePopup.USER32(?), ref: 00447C1D

GetWindowRect.USER32(?,?), ref: 004468B6
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 004468EE

Part of subcall function 0043B920: GetCurrentThreadId.KERNEL32(0043B8D0,00000000,00000000,0043B993,?,00000000,0043B9D1), ref: 0043B976
Part of subcall function 0043B920: EnumThreadWindows.USER32(00000000,0043B8D0,00000000), ref: 0043B97C

MessageBoxA.USER32(00000000,?,?,?), ref: 0044692D
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0044697D

Part of subcall function 0043B9E4: IsWindow.USER32(?), ref: 0043B9F2
Part of subcall function 0043B9E4: EnableWindow.USER32(?,000000FF), ref: 0043BA01

SetActiveWindow.USER32(00000000), ref: 0044698E

Strings

(, xrefs: 00446893

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446524, Relevance: 10.6, APIs: 7, Instructions: 105 Total matches: 329window

Similarity

Total matches: 329
API ID: PeekMessage$DispatchMessage$IsWindowUnicodeTranslateMessage
String ID:
API String ID: 94033680-0
Opcode ID: 72d0e2097018c2d171db36cd9dd5c7d628984fd68ad100676ade8b40d7967d7f
Instruction ID: b3581f7210794b57d406096c46509e1a6dcc6e0b3c60c7d01b5c3c410123a072
Opcode Fuzzy Hash: A2F0F642161A8221F90E364651E2FC06559E31F39CCD1D3871165A4192DF8573D6F95C
Instruction Fuzzy Hash: b3581f7210794b57d406096c46509e1a6dcc6e0b3c60c7d01b5c3c410123a072

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00446538
IsWindowUnicode.USER32 ref: 0044654C
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0044656D
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00446583

Part of subcall function 00447DD0: GetCapture.USER32 ref: 00447DDA
Part of subcall function 00447DD0: GetParent.USER32(00000000), ref: 00447E08

Part of subcall function 004462A4: TranslateMDISysAccel.USER32(?), ref: 004462E3

Part of subcall function 004462F4: GetCapture.USER32 ref: 0044631A
Part of subcall function 004462F4: GetParent.USER32(00000000), ref: 00446340
Part of subcall function 004462F4: IsWindowUnicode.USER32(00000000), ref: 0044635D
Part of subcall function 004462F4: SendMessageW.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446378
Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446397
Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(00000000), ref: 004463A6
Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(?,?), ref: 004463B4
Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 004463D4

Part of subcall function 0044625C: IsWindowUnicode.USER32(00000000), ref: 00446270
Part of subcall function 0044625C: IsDialogMessageW.USER32(?), ref: 00446281
Part of subcall function 0044625C: IsDialogMessageA.USER32(?,?,00000000,015B8130,00000001,00446607,?,00000000,00000000,00000000,00000001,?,00000000,00000000,00000000,00000000), ref: 00446296

TranslateMessage.USER32 ref: 0044660C
DispatchMessageW.USER32 ref: 00446618
DispatchMessageA.USER32 ref: 00446620

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004282D0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99 Total matches: 1938

Similarity

Total matches: 1938
API ID: GetWinMetaFileBitsMulDiv$GetDC
String ID: `
API String ID: 1171737091-2679148245
Opcode ID: 97e0afb71fd3017264d25721d611b96d1ac3823582e31f119ebb41a52f378edb
Instruction ID: fd1c75cb27f8ccc4a85bc281ca680933f7ff10ae91a160973978cac80d6b42b6
Opcode Fuzzy Hash: B6F0ACC4008CD2A7D87675DC1043F6311C897CA286E89BB739226A7307CB0AA019EC47
Instruction Fuzzy Hash: fd1c75cb27f8ccc4a85bc281ca680933f7ff10ae91a160973978cac80d6b42b6

APIs

MulDiv.KERNEL32(?,?,000009EC), ref: 00428322
MulDiv.KERNEL32(?,?,000009EC), ref: 00428339
GetDC.USER32(00000000), ref: 00428350
GetWinMetaFileBits.GDI32(?,00000000,00000000,00000008,?), ref: 00428374
GetWinMetaFileBits.GDI32(?,?,?,00000008,?), ref: 004283A7

Part of subcall function 00425A70: GetLastError.KERNEL32(00000000,00425B0C), ref: 00425A90
Part of subcall function 00425A70: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00425B0C), ref: 00425AB6

Strings

`, xrefs: 00428308

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444344, Relevance: 10.6, APIs: 7, Instructions: 89 Total matches: 2886

Similarity

Total matches: 2886
API ID: CreateFontIndirect$GetStockObjectSystemParametersInfo
String ID:
API String ID: 1286667049-0
Opcode ID: beeb678630a8d2ca0f721ed15124802961745e4c56d7c704ecddf8ebfa723626
Instruction ID: b9276e4cea0afd1028da4d528d34847b13dbaab52dc8e94e54053a20ac38a9fc
Opcode Fuzzy Hash: 00F0A4C36341F6F2D8993208742172161E6A74AE78C7CFF62422930ED2661A052EEB4F
Instruction Fuzzy Hash: b9276e4cea0afd1028da4d528d34847b13dbaab52dc8e94e54053a20ac38a9fc

APIs

SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 00444399
CreateFontIndirectA.GDI32(?), ref: 004443A6
GetStockObject.GDI32(0000000D), ref: 004443BC
SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 004443E5
CreateFontIndirectA.GDI32(?), ref: 004443F5
CreateFontIndirectA.GDI32(?), ref: 0044440E

Part of subcall function 00424A5C: MulDiv.KERNEL32(00000000,?,00000048), ref: 00424A69

GetStockObject.GDI32(0000000D), ref: 00444434

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428A00, Relevance: 10.6, APIs: 7, Instructions: 66 Total matches: 3056

Similarity

Total matches: 3056
API ID: SelectObject$CreateCompatibleDCDeleteDCGetDCReleaseDCSetDIBColorTable
String ID:
API String ID: 2399757882-0
Opcode ID: e05996493a4a7703f1d90fd319a439bf5e8e75d5a5d7afaf7582bfea387cb30d
Instruction ID: 90c847b5b2251fbb5b2f14fd0b24f537c214c92e226752d9278a3821f2f40b8f
Opcode Fuzzy Hash: 73E0DF8626D8F38BE435399C15C2BB202EAD763D20D1ABBA1CD712B5DB6B09701CE107
Instruction Fuzzy Hash: 90c847b5b2251fbb5b2f14fd0b24f537c214c92e226752d9278a3821f2f40b8f

APIs

Part of subcall function 004262B4: GetObjectA.GDI32(?,00000004), ref: 004262CB
Part of subcall function 004262B4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 004262EE

GetDC.USER32(00000000), ref: 00428A3E
CreateCompatibleDC.GDI32(?), ref: 00428A4A
SelectObject.GDI32(?), ref: 00428A57
SetDIBColorTable.GDI32(?,00000000,00000000,?), ref: 00428A7B
SelectObject.GDI32(?,?), ref: 00428A95
DeleteDC.GDI32(?), ref: 00428A9E
ReleaseDC.USER32(00000000,?), ref: 00428AA9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004442A8, Relevance: 10.6, APIs: 7, Instructions: 57 Total matches: 3149threadwindow

Similarity

Total matches: 3149
API ID: SendMessage$GetCurrentThreadIdGetCursorPosGetWindowThreadProcessIdSetCursorWindowFromPoint
String ID:
API String ID: 3843227220-0
Opcode ID: 636f8612f18a75fc2fe2d79306f1978e6c2d0ee500cce15a656835efa53532b4
Instruction ID: 91a0691e93be75cbd792bc1c5d11451005bcc187603754b99125f381020161aa
Opcode Fuzzy Hash: 6FE07D44093723D5C0644A295640705A6C6CB96630DC0DB86C339580FBAD0214F0BC92
Instruction Fuzzy Hash: 91a0691e93be75cbd792bc1c5d11451005bcc187603754b99125f381020161aa

APIs

GetCursorPos.USER32 ref: 004442C3
WindowFromPoint.USER32(?,?), ref: 004442D0
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004442DE
GetCurrentThreadId.KERNEL32(00000000,00000000,?,?), ref: 004442E5
SendMessageA.USER32(00000000,00000084,00000000,?), ref: 0044430E
SendMessageA.USER32(00000000,00000020,00000000,?), ref: 00444320
SetCursor.USER32(00000000), ref: 00444332

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00404448, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 49 Total matches: 63registry

Similarity

Total matches: 63
API ID: RegCloseKeyRegOpenKeyExRegQueryValueEx
String ID: &$FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 2249749755-409351
Opcode ID: ab90adbf7b939076b4d26ef1005f34fa32d43ca05e29cbeea890055cc8b783db
Instruction ID: ce62e3bb234767a160e82b0d7d36def6f0e4d1aa0fd43ed305e6d49589b0b3e0
Opcode Fuzzy Hash: 58D02BE10C9A675FB6B071543292B6310A3F72AA8CC0077326DD03A0D64FD26178CF03
Instruction Fuzzy Hash: ce62e3bb234767a160e82b0d7d36def6f0e4d1aa0fd43ed305e6d49589b0b3e0

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040446A
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,&,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040449D
RegCloseKey.ADVAPI32(?,004044C0,00000000,?,00000004,00000000,&,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004044B3

Strings

&, xrefs: 00404476
FPUMaskValue, xrefs: 00404494
SOFTWARE\Borland\Delphi\RTL, xrefs: 00404460

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00488B18, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 49 Total matches: 15

Similarity

Total matches: 15
API ID: GetDeviceCaps$CreateDCEnumDisplayMonitors
String ID: DISPLAY$MONSIZE0x0x0x0
API String ID: 764351534-707749442
Opcode ID: 4ad1b1e031ca4c6641bd4b991acf5b812f9c7536f9f0cc4eb1e7d2354d8ae31a
Instruction ID: 74f5256f7b05cb3d54b39a8883d8df7c51a1bc5999892e39300c9a7f2f74089f
Opcode Fuzzy Hash: 94E0C24F6B8BE4A7600672443C237C2878AA6536918523721CB3E36A93DD472205BA15
Instruction Fuzzy Hash: 74f5256f7b05cb3d54b39a8883d8df7c51a1bc5999892e39300c9a7f2f74089f

APIs

CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 00488B3D
GetDeviceCaps.GDI32(00000000,00000008), ref: 00488B47
GetDeviceCaps.GDI32(00000000,0000000A), ref: 00488B54
EnumDisplayMonitors.USER32(00000000,00000000,004889F0,00000000), ref: 00488B85

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

DISPLAY, xrefs: 00488B6E
MONSIZE0x0x0x0, xrefs: 00488B8C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00484B30, Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 176 Total matches: 11sleep

Similarity

Total matches: 11
API ID: Sleep
String ID: BTERRORDownload File| Error on downloading file check if you type the correct url...|$BTRESULTDownload File|Mass Download : File Downloaded , Executing new one in temp dir...|$BTRESULTMass Download|Downloading File...|$DownloadFail$DownloadSuccess
API String ID: 3472027048-992323826
Opcode ID: b42a1814c42657d3903e752c8e34c8bac9066515283203de396ee156d6a45bcc
Instruction ID: deaf5eb2465c82228c6b2b1c1dca6568de82910c53d4747ae395a037cbca2448
Opcode Fuzzy Hash: EA2181291B8DE4A7F43B295C2447B5B11119FC2A9AE8D6BB1377A3F0161A42D019723A
Instruction Fuzzy Hash: deaf5eb2465c82228c6b2b1c1dca6568de82910c53d4747ae395a037cbca2448

APIs

Part of subcall function 0048485C: InternetOpenA.WININET(Mozilla,00000001,00000000,00000000,00000000), ref: 0048490C
Part of subcall function 0048485C: InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,04000000,00000000), ref: 00484944
Part of subcall function 0048485C: HttpQueryInfoA.WININET(00000000,00000013,?,00000200,?), ref: 0048497D
Part of subcall function 0048485C: InternetReadFile.WININET(00000000,?,00000400,?), ref: 00484A04
Part of subcall function 0048485C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 00484A75
Part of subcall function 0048485C: InternetCloseHandle.WININET(00000000), ref: 00484A95

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Sleep.KERNEL32(000007D0,?,?,?,?,?,?,?,00000000,00484D9A,?,?,?,?,00000006,00000000), ref: 00484D38

Part of subcall function 00475BD8: closesocket.WSOCK32(00000248,00000000,00475D47,?,00000000,00475D76,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00475D2E
Part of subcall function 00475BD8: GetCurrentProcessId.KERNEL32(00000248,00000000,00475D47,?,00000000,00475D76,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00475D33

Strings

DownloadFail, xrefs: 00484CBC
BTRESULTMass Download|Downloading File...|, xrefs: 00484C52
BTERRORDownload File| Error on downloading file check if you type the correct url...|, xrefs: 00484D0C
BTRESULTDownload File|Mass Download : File Downloaded , Executing new one in temp dir...|, xrefs: 00484CEA
DownloadSuccess, xrefs: 00484CA2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043EC18, Relevance: 9.2, APIs: 6, Instructions: 150 Total matches: 2896

Similarity

Total matches: 2896
API ID: FillRect$BeginPaintEndPaintGetClientRectGetWindowRect
String ID:
API String ID: 2931688664-0
Opcode ID: 677a90f33c4a0bae1c1c90245e54b31fe376033ebf9183cf3cf5f44c7b342276
Instruction ID: 65c0a0a89661e183b73f48e61e48bee5eb6d6399339ac08e0e21072a38132552
Opcode Fuzzy Hash: 9711994A819E5007F47B49C40887BEA1092FBC1FDBCC8FF7025A426BCB0B60564F860B
Instruction Fuzzy Hash: 65c0a0a89661e183b73f48e61e48bee5eb6d6399339ac08e0e21072a38132552

APIs

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?), ref: 0043EC91
GetClientRect.USER32(00000000,?), ref: 0043ECBC
FillRect.USER32(?,?,00000000), ref: 0043ECDB

Part of subcall function 0043EB8C: CallWindowProcA.USER32(?,?,?,?,?), ref: 0043EBC6

Part of subcall function 0043B78C: GetWindowLongA.USER32(?,000000EC), ref: 0043B799
Part of subcall function 0043B78C: SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B7BC
Part of subcall function 0043B78C: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043B7CE

BeginPaint.USER32(?,?), ref: 0043ED53
GetWindowRect.USER32(?,?), ref: 0043ED80

Part of subcall function 0044EEA0: GetWindowOrgEx.GDI32(?), ref: 0044EEAE
Part of subcall function 0044EEA0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044EEC4

Part of subcall function 00455D50: BeginPaint.USER32(00000000,?), ref: 00455D7B
Part of subcall function 00455D50: SaveDC.GDI32(00000000), ref: 00455DB4
Part of subcall function 00455D50: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 00455E36
Part of subcall function 00455D50: RestoreDC.GDI32(00000000,00000000), ref: 00455E6C
Part of subcall function 00455D50: EndPaint.USER32(00000000,?), ref: 00455EA9

EndPaint.USER32(?,?), ref: 0043EDE0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00441160, Relevance: 9.1, APIs: 6, Instructions: 125 Total matches: 196

Similarity

Total matches: 196
API ID: ExcludeClipRectFillRectGetStockObjectRestoreDCSaveDCSetBkColor
String ID:
API String ID: 3049133588-0
Opcode ID: d6019f6cee828ac7391376ab126a0af33bb7a71103bbd3b8d69450c96d22d854
Instruction ID: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c
Opcode Fuzzy Hash: 54012444004F6253F4AB098428E7FA56083F721791CE4FF310786616C34A74615BAA07
Instruction Fuzzy Hash: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c

APIs

Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE

SaveDC.GDI32(?), ref: 004411AD
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00441234
GetStockObject.GDI32(00000004), ref: 00441256
FillRect.USER32(00000000,?,00000000), ref: 0044126F

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(00000000,00000000), ref: 004412BA

Part of subcall function 0042535C: FillRect.USER32(?,00000000,00000000), ref: 00425385

RestoreDC.GDI32(00000000,?), ref: 004412E5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446070, Relevance: 9.1, APIs: 6, Instructions: 99 Total matches: 165window

Similarity

Total matches: 165
API ID: DefWindowProcIsWindowEnabledSetActiveWindowSetFocusSetWindowPosShowWindow
String ID:
API String ID: 81093956-0
Opcode ID: 91e5e05e051b3e2f023c100c42454c78ad979d8871dc5c9cc7008693af0beda7
Instruction ID: aa6e88dcafe1d9e979c662542ea857fd259aca5c8034ba7b6c524572af4b0f27
Opcode Fuzzy Hash: C2F0DD0025452320F892A8044167FBA60622B5F75ACDCD3282197002AEEFE7507ABF14
Instruction Fuzzy Hash: aa6e88dcafe1d9e979c662542ea857fd259aca5c8034ba7b6c524572af4b0f27

APIs

Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773

SetActiveWindow.USER32(?), ref: 0044608F
ShowWindow.USER32(00000000,00000009), ref: 004460B4
IsWindowEnabled.USER32(00000000), ref: 004460D3
DefWindowProcA.USER32(?,00000112,0000F120,00000000), ref: 004460EC

Part of subcall function 00444C44: ShowWindow.USER32(?,00000006), ref: 00444C5F

SetWindowPos.USER32(?,00000000,00000000,?,?,00445ABE,00000000), ref: 00446132
SetFocus.USER32(00000000), ref: 00446180

Part of subcall function 0043FDB4: ShowWindow.USER32(00000000,?), ref: 0043FDEA

Part of subcall function 00445490: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000213), ref: 004454DE

Part of subcall function 004455EC: EnumWindows.USER32(00445518,00000000), ref: 00445620
Part of subcall function 004455EC: ShowWindow.USER32(?,00000000), ref: 00445655
Part of subcall function 004455EC: ShowOwnedPopups.USER32(00000000,?), ref: 00445684
Part of subcall function 004455EC: ShowWindow.USER32(?,00000005), ref: 004456EA
Part of subcall function 004455EC: ShowOwnedPopups.USER32(00000000,?), ref: 00445719

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426564, Relevance: 9.1, APIs: 6, Instructions: 84 Total matches: 3298

Similarity

Total matches: 3298
API ID: GetDeviceCapsGetSystemMetrics$GetDCReleaseDC
String ID:
API String ID: 3173458388-0
Opcode ID: fd9f4716da230ae71bf1f4ec74ceb596be8590d72bfe1d7677825fa15454f496
Instruction ID: 76208f8db54bfa31a4e946745ab37a866a8afca9cd7e1400b1f436bf5add317d
Opcode Fuzzy Hash: 0CF09E4906CDE0A230E245C41213F6290C28E85DA1CCD2F728175646EB900A900BB68A
Instruction Fuzzy Hash: 76208f8db54bfa31a4e946745ab37a866a8afca9cd7e1400b1f436bf5add317d

APIs

GetSystemMetrics.USER32(0000000B), ref: 004265B2
GetSystemMetrics.USER32(0000000C), ref: 004265BE
GetDC.USER32(00000000), ref: 004265DA
GetDeviceCaps.GDI32(00000000,0000000E), ref: 00426601
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042660E
ReleaseDC.USER32(00000000,00000000), ref: 00426647

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004269DC, Relevance: 9.1, APIs: 6, Instructions: 65 Total matches: 3081window

Similarity

Total matches: 3081
API ID: SelectPalette$CreateCompatibleDCDeleteDCGetDIBitsRealizePalette
String ID:
API String ID: 940258532-0
Opcode ID: c5678bed85b02f593c88b8d4df2de58c18800a354d7fb4845608846d7bc0f30b
Instruction ID: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194
Opcode Fuzzy Hash: BCE0864D058EF36F1875B08C25D267100C0C9A25D0917BB6151282339B8F09B42FE553
Instruction Fuzzy Hash: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194

APIs

Part of subcall function 00426888: GetObjectA.GDI32(?,00000054), ref: 0042689C

CreateCompatibleDC.GDI32(00000000), ref: 004269FE
SelectPalette.GDI32(?,?,00000000), ref: 00426A1F
RealizePalette.GDI32(?), ref: 00426A2B
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 00426A42
SelectPalette.GDI32(?,00000000,00000000), ref: 00426A6A
DeleteDC.GDI32(?), ref: 00426A73

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426210, Relevance: 9.1, APIs: 6, Instructions: 56 Total matches: 3064window

Similarity

Total matches: 3064
API ID: SelectObject$CreateCompatibleDCCreatePaletteDeleteDCGetDIBColorTable
String ID:
API String ID: 2522673167-0
Opcode ID: 8f0861977a40d6dd0df59c1c8ae10ba78c97ad85d117a83679491ebdeecf1838
Instruction ID: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265
Opcode Fuzzy Hash: 23E0CD8BABB4E08A797B9EA40440641D28F874312DF4347525731780E7DE0972EBFD9D
Instruction Fuzzy Hash: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265

APIs

CreateCompatibleDC.GDI32(00000000), ref: 00426229
SelectObject.GDI32(00000000,00000000), ref: 00426232
GetDIBColorTable.GDI32(00000000,00000000,00000100,?), ref: 00426246
SelectObject.GDI32(00000000,00000000), ref: 00426252
DeleteDC.GDI32(00000000), ref: 00426258
CreatePalette.GDI32 ref: 0042629F

Part of subcall function 00426178: GetDC.USER32(00000000), ref: 00426190
Part of subcall function 00426178: GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
Part of subcall function 00426178: ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004258EC, Relevance: 9.0, APIs: 6, Instructions: 43 Total matches: 3205

Similarity

Total matches: 3205
API ID: SetBkColorSetBkMode$SelectObjectUnrealizeObject
String ID:
API String ID: 865388446-0
Opcode ID: ffaa839b37925f52af571f244b4bcc9ec6d09047a190f4aa6a6dd435522a71e3
Instruction ID: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d
Opcode Fuzzy Hash: 04D09E594221F71A98E8058442D7D520586497D532DAF3B51063B173F7F8089A05D9FC
Instruction Fuzzy Hash: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d

APIs

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

UnrealizeObject.GDI32(00000000), ref: 004258F8
SelectObject.GDI32(?,00000000), ref: 0042590A
SetBkColor.GDI32(?,00000000), ref: 0042592D
SetBkMode.GDI32(?,00000002), ref: 00425938

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(?,00000000), ref: 00425953
SetBkMode.GDI32(?,00000001), ref: 0042595E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042A930, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 112 Total matches: 272window

Similarity

Total matches: 272
API ID: CreateHalftonePaletteDeleteObjectGetDCReleaseDC
String ID: (
API String ID: 5888407-3887548279
Opcode ID: 4e22601666aff46a46581565b5bf303763a07c2fd17868808ec6dd327d665c82
Instruction ID: f57f3c124764741b0e8e00b5455ad9be4a6e3969f543885727e4b1f2e22c0620
Opcode Fuzzy Hash: 79019E5241CC6117F8D7A6547852F732644AB806A5C80FB707B69BA8CFAB85610EB90B
Instruction Fuzzy Hash: f57f3c124764741b0e8e00b5455ad9be4a6e3969f543885727e4b1f2e22c0620

APIs

GetDC.USER32(00000000), ref: 0042A9EC
CreateHalftonePalette.GDI32(00000000), ref: 0042A9F9
ReleaseDC.USER32(00000000,00000000), ref: 0042AA08
DeleteObject.GDI32(00000000), ref: 0042AA76

Strings

(, xrefs: 0042A9A3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DA48, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 102 Total matches: 32

Similarity

Total matches: 32
API ID: Netbios
String ID: %.2x-%.2x-%.2x-%.2x-%.2x-%.2x$3$memory allocation failed!
API String ID: 544444789-2654533857
Opcode ID: 22deb5ba4c8dd5858e69645675ac88c4b744798eed5cc2a6ae80ae5365d1f156
Instruction ID: 205d53b38d78d2d0723284a20418f6a6cc2e9f6e34ee92e133a3f4b1a01c78c5
Opcode Fuzzy Hash: FC0145449793E233D2635E086C60F6823228F41731FC96B56863A557DC1F09420EF26F
Instruction Fuzzy Hash: 205d53b38d78d2d0723284a20418f6a6cc2e9f6e34ee92e133a3f4b1a01c78c5

APIs

Netbios.NETAPI32(00000032), ref: 0048DA8A
Netbios.NETAPI32(00000033), ref: 0048DB01

Strings

3, xrefs: 0048DACB
memory allocation failed!, xrefs: 0048DAEB
%.2x-%.2x-%.2x-%.2x-%.2x-%.2x, xrefs: 0048DBA0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446EDC, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 98 Total matches: 12timethreadwindow

Similarity

Total matches: 12
API ID: GetCurrentThreadIdSetTimerWaitMessage
String ID: 4PI$TfD
API String ID: 3709936073-2665388893
Opcode ID: a96b87b76615ec2f6bd9a49929a256f28b564bdc467e68e118c3deca706b2d51
Instruction ID: b92290f9b4a80c848b093905c5717a31533565e16cff7f57329368dd8290fbf7
Opcode Fuzzy Hash: E2F0A28141CDF053D573A6183401FD120A6F3465D5CD097723768360EE1ADF603DE14B
Instruction Fuzzy Hash: b92290f9b4a80c848b093905c5717a31533565e16cff7f57329368dd8290fbf7

APIs

Part of subcall function 00446E50: GetCursorPos.USER32 ref: 00446E57

SetTimer.USER32(00000000,00000000,?,00446E74), ref: 00446FAB

Part of subcall function 00446DEC: IsWindowVisible.USER32(00000000), ref: 00446E24
Part of subcall function 00446DEC: IsWindowEnabled.USER32(00000000), ref: 00446E35

GetCurrentThreadId.KERNEL32(00000000,00447029,?,?,?,015B8130), ref: 00446FE5
WaitMessage.USER32 ref: 00447009

Part of subcall function 0041F7B4: GetCurrentThreadId.KERNEL32 ref: 0041F7BF
Part of subcall function 0041F7B4: GetCurrentThreadId.KERNEL32 ref: 0041F7CE
Part of subcall function 0041F7B4: EnterCriticalSection.KERNEL32(004999D0), ref: 0041F813
Part of subcall function 0041F7B4: InterlockedExchange.KERNEL32(00491B2C,?), ref: 0041F82F
Part of subcall function 0041F7B4: LeaveCriticalSection.KERNEL32(004999D0,00000000,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F888
Part of subcall function 0041F7B4: EnterCriticalSection.KERNEL32(004999D0,0041F904,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F8F7

Strings

TfD, xrefs: 00446EFE, 00446F08, 00446F59, 00446F81, 00446FBE, 00446F8E, 00446F69, 00446F6C, 00446F14, 00446F1D
4PI, xrefs: 00446FEA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00431630, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68 Total matches: 12clipboard

Similarity

Total matches: 12
API ID: EnumClipboardFormatsGetClipboardData
String ID: 84B
API String ID: 3474394156-4139892337
Opcode ID: cbdc4fb4fee60523561006c9190bf0aca0ea1a398c4033ec61a61d99ebad6b44
Instruction ID: f1c5519afed1b0c95f7f2342b940afc2bc63d918938f195d0c151ba0fb7a00cb
Opcode Fuzzy Hash: 42E0D8922359D127F8C2A2903882B52360966DA6488405B709B6D7D1575551512FF28B
Instruction Fuzzy Hash: f1c5519afed1b0c95f7f2342b940afc2bc63d918938f195d0c151ba0fb7a00cb

APIs

EnumClipboardFormats.USER32(00000000), ref: 00431657
GetClipboardData.USER32(00000000), ref: 00431677
GetClipboardData.USER32(00000009), ref: 00431680
EnumClipboardFormats.USER32(00000000), ref: 0043169F

Strings

84B, xrefs: 00431665

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EA7C, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50 Total matches: 198thread

Similarity

Total matches: 198
API ID: FindWindowExGetCurrentThreadIdGetWindowThreadProcessIdIsWindow
String ID: OleMainThreadWndClass
API String ID: 201132107-3883841218
Opcode ID: cdbacb71e4e8a6832b821703e69153792bbbb8731c9381be4d3b148a6057b293
Instruction ID: 62358f18f5a79d764869bf2b093b0b3ccaeb62bda00a46bd1094c38cdaeeb6b7
Opcode Fuzzy Hash: F8E08C9266CC1095C039EA1C7A2237A3548B7D24E9ED4DB747BEB2716CEF00022A7780
Instruction Fuzzy Hash: 62358f18f5a79d764869bf2b093b0b3ccaeb62bda00a46bd1094c38cdaeeb6b7

APIs

Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00000000,00403029), ref: 004076AD
Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00403029), ref: 004076BE

IsWindow.USER32(?), ref: 0042EA99
FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
GetCurrentThreadId.KERNEL32(?,00000000,00000000,00000000,OleMainThreadWndClass,00000000,?,?,00000000,0042EB52), ref: 0042EB0A

Strings

OleMainThreadWndClass, xrefs: 0042EAC3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043F914, Relevance: 7.7, APIs: 5, Instructions: 174 Total matches: 113window

Similarity

Total matches: 113
API ID: SetMenu$GetMenuSetWindowPos
String ID:
API String ID: 2285096500-0
Opcode ID: d0722823978f30f9d251a310f9061108e88e98677dd122370550f2cde24528f3
Instruction ID: e705ced47481df034b79e2c10a9e9c5239c9913cd23e0c77b7b1ec0a0db802ed
Opcode Fuzzy Hash: 5F118B40961E1266F846164C19EAF1171E6BB9D305CC4E72083E630396BE085027E773
Instruction Fuzzy Hash: e705ced47481df034b79e2c10a9e9c5239c9913cd23e0c77b7b1ec0a0db802ed

APIs

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetMenu.USER32(00000000), ref: 0043FA38
SetMenu.USER32(00000000,00000000), ref: 0043FA55
SetMenu.USER32(00000000,00000000), ref: 0043FA8A
SetMenu.USER32(00000000,00000000), ref: 0043FAA6

Part of subcall function 0043F84C: GetMenu.USER32(00000000), ref: 0043F892
Part of subcall function 0043F84C: SendMessageA.USER32(00000000,00000230,00000000,00000000), ref: 0043F8AA
Part of subcall function 0043F84C: DrawMenuBar.USER32(00000000), ref: 0043F8BB

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043FAED

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434AE4, Relevance: 7.7, APIs: 5, Instructions: 168 Total matches: 2874

Similarity

Total matches: 2874
API ID: DrawTextOffsetRect$DrawEdge
String ID:
API String ID: 1230182654-0
Opcode ID: 4033270dfa35f51a11e18255a4f5fd5a4a02456381e8fcea90fa62f052767fcc
Instruction ID: 6b9e5ef3b45a4a7d0cb501c9f56a29ead01efbe1e1581f942ef4c6a165ab8663
Opcode Fuzzy Hash: A511CB01114D5A93E431240815A7FEF1295FBC1A9BCD4BB71078636DBB2F481017EA7B
Instruction Fuzzy Hash: 6b9e5ef3b45a4a7d0cb501c9f56a29ead01efbe1e1581f942ef4c6a165ab8663

APIs

DrawEdge.USER32(00000000,?,00000006,00000002), ref: 00434BB3
OffsetRect.USER32(?,00000001,00000001), ref: 00434C04
DrawTextA.USER32(00000000,00000000,?,?,?), ref: 00434C3D
OffsetRect.USER32(?,000000FF,000000FF), ref: 00434C4A

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

DrawTextA.USER32(00000000,00000000,?,?,?), ref: 00434CB5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00473208, Relevance: 7.6, APIs: 5, Instructions: 114 Total matches: 15network

Similarity

Total matches: 15
API ID: inet_ntoa$WSAIoctlclosesocketsocket
String ID:
API String ID: 2271367613-0
Opcode ID: 03e2a706dc22aa37b7c7fcd13714bf4270951a4113eb29807a237e9173ed7bd6
Instruction ID: 676ba8df3318004e6f71ddf2b158507320f00f5068622334a9372202104f6e6f
Opcode Fuzzy Hash: A0F0AC403B69D14384153BC72A80F5971A2872F33ED4833999230986D7984CA018F529
Instruction Fuzzy Hash: 676ba8df3318004e6f71ddf2b158507320f00f5068622334a9372202104f6e6f

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00473339), ref: 0047323B
WSAIoctl.WS2_32(000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000), ref: 0047327C
inet_ntoa.WSOCK32(?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000), ref: 004732AC
inet_ntoa.WSOCK32(?,?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001), ref: 004732E8
closesocket.WSOCK32(000000FF,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000,00000000,00473339), ref: 00473319

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004455EC, Relevance: 7.6, APIs: 5, Instructions: 109 Total matches: 230

Similarity

Total matches: 230
API ID: ShowOwnedPopupsShowWindow$EnumWindows
String ID:
API String ID: 1268429734-0
Opcode ID: 27bb45b2951756069d4f131311b8216febb656800ffc3f7147a02f570a82fa35
Instruction ID: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc
Opcode Fuzzy Hash: 70012B5524E87325E2756D54B01C765A2239B0FF08CE6C6654AAE640F75E1E0132F78D
Instruction Fuzzy Hash: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc

APIs

EnumWindows.USER32(00445518,00000000), ref: 00445620
ShowWindow.USER32(?,00000000), ref: 00445655
ShowOwnedPopups.USER32(00000000,?), ref: 00445684
ShowWindow.USER32(?,00000005), ref: 004456EA
ShowOwnedPopups.USER32(00000000,?), ref: 00445719

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EB3C, Relevance: 7.6, APIs: 5, Instructions: 86 Total matches: 211window

Similarity

Total matches: 211
API ID: DispatchMessageMsgWaitForMultipleObjectsExPeekMessageTranslateMessageWaitForMultipleObjectsEx
String ID:
API String ID: 1615661765-0
Opcode ID: ed928f70f25773e24e868fbc7ee7d77a1156b106903410d7e84db0537b49759f
Instruction ID: 55a40452e6c929106030349fb2bc1598364ce2fc4e781c2a916e8f687fa462b2
Opcode Fuzzy Hash: DDF05C09614F1D16D8BB88644562B1B2144AB42397C26BFA5529EE3B2D6B18B00AF640
Instruction Fuzzy Hash: 55a40452e6c929106030349fb2bc1598364ce2fc4e781c2a916e8f687fa462b2

APIs

Part of subcall function 0042EA7C: IsWindow.USER32(?), ref: 0042EA99
Part of subcall function 0042EA7C: FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
Part of subcall function 0042EA7C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
Part of subcall function 0042EA7C: GetCurrentThreadId.KERNEL32(?,00000000,00000000,00000000,OleMainThreadWndClass,00000000,?,?,00000000,0042EB52), ref: 0042EB0A

MsgWaitForMultipleObjectsEx.USER32(?,?,?,000000BF,?), ref: 0042EB6A
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 0042EB85
TranslateMessage.USER32(?), ref: 0042EB92
DispatchMessageA.USER32(?), ref: 0042EB9B
WaitForMultipleObjectsEx.KERNEL32(?,?,?,?,00000000), ref: 0042EBC7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434924, Relevance: 7.6, APIs: 5, Instructions: 77 Total matches: 2509window

Similarity

Total matches: 2509
API ID: GetMenuItemCount$DestroyMenuGetMenuStateRemoveMenu
String ID:
API String ID: 4240291783-0
Opcode ID: 32de4ad86fdb0cc9fc982d04928276717e3a5babd97d9cb0bc7430a9ae97d0ca
Instruction ID: cf6877f9ad33401498591f2bf6e6844a5ca439f59e89e6fdb213c81f0c010526
Opcode Fuzzy Hash: 6BE02BD3455E4703F425AB0454E3FA913C4AF51716DA0DB1017359D07B1F26501FE9F4
Instruction Fuzzy Hash: cf6877f9ad33401498591f2bf6e6844a5ca439f59e89e6fdb213c81f0c010526

APIs

Part of subcall function 00434A54: CreatePopupMenu.USER32 ref: 00434A6F
Part of subcall function 00434A54: CreateMenu.USER32 ref: 00434A79

GetMenuItemCount.USER32(00000000), ref: 0043495C
GetMenuState.USER32(00000000,-00000001,00000400), ref: 0043497D
RemoveMenu.USER32(00000000,-00000001,00000400), ref: 00434994
GetMenuItemCount.USER32(00000000), ref: 004349C4
DestroyMenu.USER32(00000000), ref: 004349D1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00443430, Relevance: 7.6, APIs: 5, Instructions: 61 Total matches: 3003

Similarity

Total matches: 3003
API ID: SetWindowLong$GetWindowLongRedrawWindowSetLayeredWindowAttributes
String ID:
API String ID: 3761630487-0
Opcode ID: 9c9d49d1ef37d7cb503f07450c0d4a327eb9b2b4778ec50dcfdba666c10abcb3
Instruction ID: c6d9d2cd31c241e86b7d90949bf59b5cad1e27a78e0073c3828bbb8e9ec94880
Opcode Fuzzy Hash: 6AE06550D41703A1D48114945B63FBBE8817F8911DDE5C71001BA29145BA88A192FF7B
Instruction Fuzzy Hash: c6d9d2cd31c241e86b7d90949bf59b5cad1e27a78e0073c3828bbb8e9ec94880

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 00443464
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 00443496
SetLayeredWindowAttributes.USER32(00000000,?,?,00000000), ref: 004434CF
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 004434E8
RedrawWindow.USER32(00000000,00000000,00000000,00000485), ref: 004434FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426178, Relevance: 7.6, APIs: 5, Instructions: 55 Total matches: 3070window

Similarity

Total matches: 3070
API ID: GetPaletteEntries$GetDCGetDeviceCapsReleaseDC
String ID:
API String ID: 1267235336-0
Opcode ID: 49f91625e0dd571c489fa6fdad89a91e8dd79834746e98589081ca7a3a4fea17
Instruction ID: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836
Opcode Fuzzy Hash: 7CD0C2AA1389DBD6BD6A17842352A4553478983B09D126B32EB0822872850C5039FD1F
Instruction Fuzzy Hash: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836

APIs

GetDC.USER32(00000000), ref: 00426190
GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444B90, Relevance: 7.5, APIs: 5, Instructions: 25 Total matches: 2957synchronizationthread

Similarity

Total matches: 2957
API ID: CloseHandleGetCurrentThreadIdSetEventUnhookWindowsHookExWaitForSingleObject
String ID:
API String ID: 3442057731-0
Opcode ID: bc40a7f740796d43594237fc13166084f8c3b10e9e48d5138e47e82ca7129165
Instruction ID: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1
Opcode Fuzzy Hash: E9C01296B2C9B0C1EC809712340202800B20F8FC590E3DE0509D7363005315D73CD92C
Instruction Fuzzy Hash: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1

APIs

UnhookWindowsHookEx.USER32(00000000), ref: 00444B9F
SetEvent.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBA
GetCurrentThreadId.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBF
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00444BD4
CloseHandle.KERNEL32(00000000), ref: 00444BDF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040D670, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148 Total matches: 3566thread

Similarity

Total matches: 3566
API ID: GetThreadLocale
String ID: eeee$ggg$yyyy
API String ID: 1366207816-1253427255
Opcode ID: 86fa1fb3c1f239f42422769255d2b4db7643f856ec586a18d45da068e260c20e
Instruction ID: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436
Opcode Fuzzy Hash: 3911BD8712648363D5722818A0D2BE3199C5703CA4EA89742DDB6356EA7F09440BEE6D
Instruction Fuzzy Hash: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436

APIs

GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Strings

eeee, xrefs: 0040D7AE
yyyy, xrefs: 0040D795
ggg, xrefs: 0040D785

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486094, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 112 Total matches: 15window

Similarity

Total matches: 15
API ID: DispatchMessagePeekMessageTranslateMessage
String ID: @^H
API String ID: 185851025-3554995626
Opcode ID: 2132e19746abd73b79cebe2d4e6b891fdd392e5cfbbdda1538f9754c05474f80
Instruction ID: eb76ea1802a2b415b8915c5eabc8b18207f4e99a378ecd2f436d0820f5175207
Opcode Fuzzy Hash: FF019C4102C7C1D9EE46E4FD3030BC3A454A74A7A6D89A7A03EFD1116A5F8A7116BF2B
Instruction Fuzzy Hash: eb76ea1802a2b415b8915c5eabc8b18207f4e99a378ecd2f436d0820f5175207

APIs

Part of subcall function 00485EAC: shutdown.WSOCK32(00000000,00000002), ref: 00485F0E
Part of subcall function 00485EAC: closesocket.WSOCK32(00000000,00000000,00000002), ref: 00485F19

Part of subcall function 00485F40: socket.WSOCK32(00000002,00000001,00000000,00000000,00486072), ref: 00485F69
Part of subcall function 00485F40: ntohs.WSOCK32(00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485F8F
Part of subcall function 00485F40: inet_addr.WSOCK32(015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FA0
Part of subcall function 00485F40: gethostbyname.WSOCK32(015EAA88,015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FB5
Part of subcall function 00485F40: connect.WSOCK32(00000000,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FD8
Part of subcall function 00485F40: recv.WSOCK32(00000000,0049A3A0,00001FFF,00000000,00000000,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FEF
Part of subcall function 00485F40: recv.WSOCK32(00000000,0049A3A0,00001FFF,00000000,00000000,0049A3A0,00001FFF,00000000,00000000,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000), ref: 0048603F

Part of subcall function 00466AFC: waveInOpen.WINMM(00000094,00000000,?,?,00000000,00010004), ref: 00466B36
Part of subcall function 00466AFC: waveInStart.WINMM(?), ref: 00466B5B

TranslateMessage.USER32(?), ref: 004861CA
DispatchMessageA.USER32(?), ref: 004861D0
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004861DE

Strings

@^H, xrefs: 004860BE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F5E4, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72 Total matches: 26window

Similarity

Total matches: 26
API ID: GetWindowPlacementGetWindowTextIsWindowVisible
String ID: ,
API String ID: 41250382-3772416878
Opcode ID: d98ece8bad481757d152ad7594c705093dec75069e9b5f9ec314c4d81001c558
Instruction ID: 1b57460ef1e40e225087e69e669dd845b9a56fe4f5442601256b4cdd4d0865f6
Opcode Fuzzy Hash: DBE0ABC68782816BD907FDCCB0207E6E1E4779394CC8CBB32C606396E44D92000DCE69
Instruction Fuzzy Hash: 1b57460ef1e40e225087e69e669dd845b9a56fe4f5442601256b4cdd4d0865f6

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F634
GetWindowPlacement.USER32(?,0000002C), ref: 0046F64F
IsWindowVisible.USER32(?), ref: 0046F655

Strings

,, xrefs: 0046F643

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00473448, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 68 Total matches: 15network

Similarity

Total matches: 15
API ID: InternetConnectInternetOpen
String ID: 84G$DCSC
API String ID: 2368555255-1372800958
Opcode ID: 53ce43b2210f5c6ad3b551091bc6b8bee07640da22ed1286f4ed4d69da6ab12a
Instruction ID: e0797c740093838c5f4dac2a7ddd4939bcbe40ebc838de26f806c335dc33f113
Opcode Fuzzy Hash: 1AF0558C09DC81CBED14B5C83C827C7281AB357949E003B91161A372C3DF0A6174FA4F
Instruction Fuzzy Hash: e0797c740093838c5f4dac2a7ddd4939bcbe40ebc838de26f806c335dc33f113

APIs

InternetOpenA.WININET(DCSC,00000000,00000000,00000000,00000000), ref: 00473493
InternetConnectA.WININET(00000000,00000000,00000000,00000000,00000000,00000001,08000000,00000000), ref: 004734D9

Strings

DCSC, xrefs: 0047348E
84G, xrefs: 00473468, 0047350F, 004734AF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00485150, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64 Total matches: 24registry

Similarity

Total matches: 24
API ID: RegCloseKeyRegOpenKeyRegSetValueEx
String ID: Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 551737238-1428018034
Opcode ID: 03d06dea9a4ea131a8c95bd501c85e7d0b73df60e0a15cb9a2dd1ac9fe2d308f
Instruction ID: 259808f008cd29689f11a183a475b32bbb219f99a0f83129d86369365ce9f44d
Opcode Fuzzy Hash: 15E04F8517EAE2ABA996B5C838866F7609A9713790F443FB19B742F18B4F04601CE243
Instruction Fuzzy Hash: 259808f008cd29689f11a183a475b32bbb219f99a0f83129d86369365ce9f44d

APIs

RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 00485199
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,?,00000000,004851DE,?,00000000,0048520A), ref: 004851C6
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,?,00000000,004851DE,?,00000000,0048520A), ref: 004851CF

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 0048518F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004606CC, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 59 Total matches: 75network

Similarity

Total matches: 75
API ID: gethostbynameinet_addr
String ID: %d.%d.%d.%d$0.0.0.0
API String ID: 1594361348-464342551
Opcode ID: 7e59b623bdbf8c44b8bb58eaa9a1d1e7bf08be48a025104469b389075155053e
Instruction ID: 136b4077bafd549567cd44b702fc781b2d0bdeab701521d256d746d30229b047
Opcode Fuzzy Hash: 62E0D84049F633C28038E685914DF713041C71A2DEF8F9352022171EF72B096986AE3F
Instruction Fuzzy Hash: 136b4077bafd549567cd44b702fc781b2d0bdeab701521d256d746d30229b047

APIs

inet_addr.WSOCK32(00000000), ref: 004606F6
gethostbyname.WSOCK32(00000000), ref: 00460711

Strings

%d.%d.%d.%d, xrefs: 0046075E
0.0.0.0, xrefs: 0046076C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043804C, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58 Total matches: 1778window

Similarity

Total matches: 1778
API ID: DrawMenuBarGetMenuItemInfoSetMenuItemInfo
String ID: P
API String ID: 41131186-3110715001
Opcode ID: ea0fd48338f9c30b58f928f856343979a74bbe7af1b6c53973efcbd39561a32d
Instruction ID: eec9c326b6739cd85be96541f469f9b321a478421ae7c7aca53e0c239bd8eefe
Opcode Fuzzy Hash: C8E0C0C1064C1301CCACB4938564F010221FB8B33CDD1D3C051602419A9D0080D4BFFA
Instruction Fuzzy Hash: eec9c326b6739cd85be96541f469f9b321a478421ae7c7aca53e0c239bd8eefe

APIs

GetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 0043809A
SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 004380EC
DrawMenuBar.USER32(00000000), ref: 004380F9

Strings

P, xrefs: 0043808C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C3E4, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47 Total matches: 32libraryloader

Similarity

Total matches: 32
API ID: FreeLibraryGetProcAddressLoadLibrary
String ID: _DCEntryPoint
API String ID: 2438569322-2130044969
Opcode ID: ab6be07d423f29e2cef18b5ad5ff21cef58c0bd0bd6b8b884c8bb9d8d911d098
Instruction ID: 3cba8b520013dd4b177f9c32272ffd10ecf318a20762e1e9fa694429cf7511db
Opcode Fuzzy Hash: B9D0C2568747D413C405200439407D90CF1AF8719F9967FA145303FAD76F09801B7527
Instruction Fuzzy Hash: 3cba8b520013dd4b177f9c32272ffd10ecf318a20762e1e9fa694429cf7511db

APIs

LoadLibraryA.KERNEL32(00000000), ref: 0048C431
GetProcAddress.KERNEL32(00000000,_DCEntryPoint,00000000,0048C473), ref: 0048C442
FreeLibrary.KERNEL32(00000000), ref: 0048C44A

Strings

_DCEntryPoint, xrefs: 0048C43C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E2E0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43 Total matches: 12

Similarity

Total matches: 12
API ID: GetSystemMetrics
String ID: B$MonitorFromRect
API String ID: 96882338-2754499530
Opcode ID: 1842a50c2a1cfa3c1025dca09d4f756f79199febb49279e4604648b2b7edb610
Instruction ID: 6b6d6292007391345a0dd43a7380953c143f03b3d0a4cb72f8cf2ff6a2a574f7
Opcode Fuzzy Hash: E0D0A791112CA408509A0917702924315EE35EBC1599C0BE6976B792E797CABD329E0D
Instruction Fuzzy Hash: 6b6d6292007391345a0dd43a7380953c143f03b3d0a4cb72f8cf2ff6a2a574f7

APIs

GetSystemMetrics.USER32(00000000), ref: 0042E331
GetSystemMetrics.USER32(00000001), ref: 0042E33D

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

MonitorFromRect, xrefs: 0042E2F5
B, xrefs: 0042E2FA, 0042E307, 0042E30E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046D36C, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36 Total matches: 62

Similarity

Total matches: 62
API ID: ShellExecute
String ID: /k $[FILE]$open
API String ID: 2101921698-3009165984
Opcode ID: 68a05d7cd04e1a973318a0f22a03b327e58ffdc8906febc8617c9713a9b295c3
Instruction ID: d64fb813625eb261c687c2654e5203d30067de4ace02db37851750b48dd66fbf
Opcode Fuzzy Hash: FED0C75427CD9157FA017F8439527E61057E747281D481BE285587A0838F8D40659312
Instruction Fuzzy Hash: d64fb813625eb261c687c2654e5203d30067de4ace02db37851750b48dd66fbf

APIs

ShellExecuteA.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0046D3B9

Strings

/k , xrefs: 0046D39A
cmd.exe, xrefs: 0046D3AD
open, xrefs: 0046D3B2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042F9E4, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36 Total matches: 35libraryloader

Similarity

Total matches: 35
API ID: GetProcAddressLoadLibrary
String ID: DWMAPI.DLL$DwmExtendFrameIntoClientArea
API String ID: 3291547091-2956373744
Opcode ID: cc41b93bac7ef77e5c5829331b5f2d91e10911707bc9e4b3bb75284856726923
Instruction ID: 611aa7263024d751f308fb3d57e5af9092bc5a71ac2d52dead79affe02cb0da7
Opcode Fuzzy Hash: D0D0A7E4C08511B0F0509405703078241DE1BC5EEE8860E90150E533621B9FB827F65C
Instruction Fuzzy Hash: 611aa7263024d751f308fb3d57e5af9092bc5a71ac2d52dead79affe02cb0da7

APIs

LoadLibraryA.KERNEL32(DWMAPI.DLL), ref: 0042FA0E
GetProcAddress.KERNEL32(00000000,DwmExtendFrameIntoClientArea,?,?,?,00447F98), ref: 0042FA31

Strings

DWMAPI.DLL, xrefs: 0042FA09
DwmExtendFrameIntoClientArea, xrefs: 0042FA26

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042FA80, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31 Total matches: 41libraryloader

Similarity

Total matches: 41
API ID: GetProcAddressLoadLibrary
String ID: DWMAPI.DLL$DwmIsCompositionEnabled
API String ID: 3291547091-2128843254
Opcode ID: 903d86e3198bc805c96c7b960047695f5ec88b3268c29fda1165ed3f3bc36d22
Instruction ID: 6cdb37f6684ca359e010f835ed4616ce0f7732468e0f2b98b5f1960530870703
Opcode Fuzzy Hash: E3D0C9A5C0865175F571D509713068081FA23D6E8A8824998091A123225FAFB866F55C
Instruction Fuzzy Hash: 6cdb37f6684ca359e010f835ed4616ce0f7732468e0f2b98b5f1960530870703

APIs

LoadLibraryA.KERNEL32(DWMAPI.DLL), ref: 0042FAA6
GetProcAddress.KERNEL32(00000000,DwmIsCompositionEnabled,?,?,0042FB22,?,00447EFB), ref: 0042FAC9

Strings

DwmIsCompositionEnabled, xrefs: 0042FABE
DWMAPI.DLL, xrefs: 0042FAA1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040F4AC, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16 Total matches: 3137libraryloader

Similarity

Total matches: 3137
API ID: GetModuleHandleGetProcAddress
String ID: GetDiskFreeSpaceExA$[FILE]
API String ID: 1063276154-3559590856
Opcode ID: c33e0a58fb58839ae40c410e06ae8006a4b80140bf923832b2d6dbd30699e00d
Instruction ID: 9d6a6771c1a736381c701344b3d7b8e37c98dfc5013332f68a512772380f22cc
Opcode Fuzzy Hash: D8B09224E0D54114C4B4560930610013C82738A10E5019A820A1B720AA7CCEEA29603A
Instruction Fuzzy Hash: 9d6a6771c1a736381c701344b3d7b8e37c98dfc5013332f68a512772380f22cc

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0048F10B,00000000,0048F11E), ref: 0040F4B2
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA,kernel32.dll,?,0048F10B,00000000,0048F11E), ref: 0040F4C3

Strings

GetDiskFreeSpaceExA, xrefs: 0040F4BD
kernel32.dll, xrefs: 0040F4AD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EC20, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15 Total matches: 48libraryloader

Similarity

Total matches: 48
API ID: GetModuleHandleGetProcAddress
String ID: CoWaitForMultipleHandles$[FILE]
API String ID: 1063276154-3065170753
Opcode ID: c6d715972c75e747e6d7ad7506eebf8b4c41a2b527cd9bc54a775635c050cd0f
Instruction ID: d81c7de5bd030b21af5c52a75e3162b073d887a4de1eb555b8966bd0fb9ec815
Opcode Fuzzy Hash: 4DB012F9A0C9210CE55F44043163004ACF031C1B5F002FD461637827803F86F437631D
Instruction Fuzzy Hash: d81c7de5bd030b21af5c52a75e3162b073d887a4de1eb555b8966bd0fb9ec815

APIs

GetModuleHandleA.KERNEL32(ole32.dll,?,0042EC9A), ref: 0042EC26
GetProcAddress.KERNEL32(00000000,CoWaitForMultipleHandles,ole32.dll,?,0042EC9A), ref: 0042EC37

Strings

CoWaitForMultipleHandles, xrefs: 0042EC31
ole32.dll, xrefs: 0042EC21

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428848, Relevance: 6.1, APIs: 4, Instructions: 83 Total matches: 2913window

Similarity

Total matches: 2913
API ID: CreateCompatibleDCRealizePaletteSelectObjectSelectPalette
String ID:
API String ID: 3833105616-0
Opcode ID: 7f49dee69bcd38fda082a6c54f39db5f53dba16227df2c2f18840f8cf7895046
Instruction ID: 29ada319a87402adac0eebea4d3b1ef9d21249ffa1523adf5174efdc3c3390a2
Opcode Fuzzy Hash: C0F0E5870BCED49BFCA7D484249722910C2F3C08DFC80A3324E55676DB9604B127A20B
Instruction Fuzzy Hash: 29ada319a87402adac0eebea4d3b1ef9d21249ffa1523adf5174efdc3c3390a2

APIs

Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE

Part of subcall function 00429D5C: GetDC.USER32(00000000), ref: 00429DB2
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429DC7
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00429DD1
Part of subcall function 00429D5C: CreateHalftonePalette.GDI32(00000000), ref: 00429DF5
Part of subcall function 00429D5C: ReleaseDC.USER32(00000000,00000000), ref: 00429E00

CreateCompatibleDC.GDI32(00000000), ref: 0042889D
SelectObject.GDI32(00000000,?), ref: 004288B6
SelectPalette.GDI32(00000000,?,000000FF), ref: 004288DF
RealizePalette.GDI32(00000000), ref: 004288EB

Part of subcall function 00425608: LeaveCriticalSection.KERNEL32(00000038,00000000,00423DD2,00423DE8), ref: 0042560F
Part of subcall function 00425608: EnterCriticalSection.KERNEL32(00499A30,00000038,00000000,00423DD2,00423DE8), ref: 00425619
Part of subcall function 00425608: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000038,00000000,00423DD2,00423DE8), ref: 00425626

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00438710, Relevance: 6.1, APIs: 4, Instructions: 72 Total matches: 3034window

Similarity

Total matches: 3034
API ID: GetMenuItemIDGetMenuStateGetMenuStringGetSubMenu
String ID:
API String ID: 4177512249-0
Opcode ID: ecc45265f1f2dfcabc36b66648e37788e83d83d46efca9de613be41cbe9cf08e
Instruction ID: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d
Opcode Fuzzy Hash: BEE020084B1FC552541F0A4A1573F019140E142CB69C3F3635127565B31A255213F776
Instruction Fuzzy Hash: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d

APIs

GetMenuState.USER32(?,?,?), ref: 00438733
GetSubMenu.USER32(?,?), ref: 0043873E
GetMenuItemID.USER32(?,?), ref: 00438757
GetMenuStringA.USER32(?,?,?,?,?), ref: 004387AA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00445518, Relevance: 6.1, APIs: 4, Instructions: 71 Total matches: 218threadwindow

Similarity

Total matches: 218
API ID: GetCurrentProcessIdGetWindowGetWindowThreadProcessIdIsWindowVisible
String ID:
API String ID: 3659984437-0
Opcode ID: 6a2b99e3a66d445235cbeb6ae27631a3038d73fb4110980a8511166327fee1f0
Instruction ID: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8
Opcode Fuzzy Hash: 82E0AB21B2AA28AAE0971541B01939130B3F74ED9ACC0A3626F8594BD92F253809E74F
Instruction Fuzzy Hash: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8

APIs

GetWindow.USER32(?,00000004), ref: 00445528
GetWindowThreadProcessId.USER32(?,?), ref: 00445542
GetCurrentProcessId.KERNEL32(?,00000004), ref: 0044554E
IsWindowVisible.USER32(?), ref: 0044559E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B29C, Relevance: 6.1, APIs: 4, Instructions: 58 Total matches: 214window

Similarity

Total matches: 214
API ID: DeleteObject$GetIconInfoGetObject
String ID:
API String ID: 3019347292-0
Opcode ID: d6af2631bec08fa1cf173fc10c555d988242e386d2638a025981433367bbd086
Instruction ID: 7fbc048e39f9dd6e6db5f40543e5f161b145f4c2f282fe4a446dbd8e1941d375
Opcode Fuzzy Hash: F7D0C283228DE2F7ED767D983A636154085F782297C6423B00444730860A1E700C6A03
Instruction Fuzzy Hash: 7fbc048e39f9dd6e6db5f40543e5f161b145f4c2f282fe4a446dbd8e1941d375

APIs

GetIconInfo.USER32(?,?), ref: 0042B2BD
GetObjectA.GDI32(?,00000018,?), ref: 0042B2DE
DeleteObject.GDI32(?), ref: 0042B30A
DeleteObject.GDI32(?), ref: 0042B313

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00445334, Relevance: 6.1, APIs: 4, Instructions: 56 Total matches: 2678

Similarity

Total matches: 2678
API ID: EnumWindowsGetWindowGetWindowLongSetWindowPos
String ID:
API String ID: 1660305372-0
Opcode ID: c3d012854d63b95cd89c42a77d529bdce0f7c5ea0abc138a70ce1ca7fb0ed027
Instruction ID: 7947c1ee61b3a945b06f79495752ea495d4a1fb36974d9d540e15b721e8a8e8a
Opcode Fuzzy Hash: 65E07D89179DA114F52124400911F043342F3D731BD1ADF814246283E39B8522BBFB8C
Instruction Fuzzy Hash: 7947c1ee61b3a945b06f79495752ea495d4a1fb36974d9d540e15b721e8a8e8a

APIs

EnumWindows.USER32(Function_000452BC), ref: 0044535E
GetWindow.USER32(?,00000003), ref: 00445376
GetWindowLongA.USER32(00000000,000000EC), ref: 00445383
SetWindowPos.USER32(00000000,000000EC,00000000,00000000,00000000,00000000,00000213), ref: 004453C2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040A404, Relevance: 6.1, APIs: 4, Instructions: 54 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: c8f11cb17e652d385e55d6399cfebc752614be738e382b5839b86fc73ea86396
Instruction ID: 2e292ce978d1af3d415e66e5b982e49a92b9d84a3d1479b7871fac408542b61b
Opcode Fuzzy Hash: 32D02B030B309613452F157D0441F8D7032488F01A96C2F8C37B77ABA68505605FFE4C
Instruction Fuzzy Hash: 2e292ce978d1af3d415e66e5b982e49a92b9d84a3d1479b7871fac408542b61b

APIs

FindNextFileA.KERNEL32(?,?), ref: 0040A415
GetLastError.KERNEL32(?,?), ref: 0040A41E
FileTimeToLocalFileTime.KERNEL32(?), ref: 0040A434
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 0040A443

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0041C2D4, Relevance: 6.1, APIs: 4, Instructions: 51 Total matches: 4966

Similarity

Total matches: 4966
API ID: FindResourceLoadResourceLockResourceSizeofResource
String ID:
API String ID: 3653323225-0
Opcode ID: 735dd83644160b8dcfdcb5d85422b4d269a070ba32dbf009b7750e227a354687
Instruction ID: 615d07274e164157e3e11310b2f920de543c2506028dc961f8b3aaf64374c2fd
Opcode Fuzzy Hash: 4BD0A90A2268C100582C2C80002BBC610830A5FE226CC27F902231BBC32C026024F8C4
Instruction Fuzzy Hash: 615d07274e164157e3e11310b2f920de543c2506028dc961f8b3aaf64374c2fd

APIs

FindResourceA.KERNEL32(?,?,?), ref: 0041C2EB
LoadResource.KERNEL32(?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C305
SizeofResource.KERNEL32(?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C31F
LockResource.KERNEL32(0041BDF4,00000000,?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000), ref: 0041C329

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040A3AC, Relevance: 6.0, APIs: 4, Instructions: 40 Total matches: 51time

Similarity

Total matches: 51
API ID: DosDateTimeToFileTimeGetLastErrorLocalFileTimeToFileTimeSetFileTime
String ID:
API String ID: 3095628216-0
Opcode ID: dc7fe683cb9960f76d0248ee31fd3249d04fe76d6d0b465a838fe0f3e66d3351
Instruction ID: c3399427300e97a0bf23ec08d7f996c3ab3c22a86554ee3675cd901d102723b3
Opcode Fuzzy Hash: F2C0803B165157D71F4F7D7C600375011F0D1778230955B614E019718D4E05F01EFD86
Instruction Fuzzy Hash: c3399427300e97a0bf23ec08d7f996c3ab3c22a86554ee3675cd901d102723b3

APIs

DosDateTimeToFileTime.KERNEL32(?,0048C37F,?), ref: 0040A3C9
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0040A3DA
SetFileTime.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3EC
GetLastError.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3F5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00484388, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 39

Similarity

Total matches: 39
API ID: CloseHandleGetExitCodeProcessOpenProcessTerminateProcess
String ID:
API String ID: 2790531620-0
Opcode ID: 2f64381cbc02908b23ac036d446d8aeed05bad4df5f4c3da9e72e60ace7043ae
Instruction ID: e830ae185e03603e72926048c7063e7464f7d8c572e36ef4319c937be7ad0c91
Opcode Fuzzy Hash: 5DC01285079EAB7B643571D825437E14084D5026CCB943B7185045F10B4B09B43DF053
Instruction Fuzzy Hash: e830ae185e03603e72926048c7063e7464f7d8c572e36ef4319c937be7ad0c91

APIs

OpenProcess.KERNEL32(00000001,00000000,00000000), ref: 00484393
GetExitCodeProcess.KERNEL32(00000000,?), ref: 004843B7
TerminateProcess.KERNEL32(00000000,?,00000000,004843E0,?,00000001,00000000,00000000), ref: 004843C4
CloseHandle.KERNEL32(00000000), ref: 004843DA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044E254, Relevance: 6.0, APIs: 4, Instructions: 37 Total matches: 5751thread

Similarity

Total matches: 5751
API ID: GetCurrentProcessIdGetPropGetWindowThreadProcessIdGlobalFindAtom
String ID:
API String ID: 142914623-0
Opcode ID: 055fee701d7a26f26194a738d8cffb303ddbdfec43439e02886190190dab2487
Instruction ID: e9689aead5eaf442059aa2d418bca5d111d08576717f72d926dd49825766799b
Opcode Fuzzy Hash: 0AC02203AD2E23870E4202F2E840907219583DF8720CA370201B0E38C023F0461DFF0C
Instruction Fuzzy Hash: e9689aead5eaf442059aa2d418bca5d111d08576717f72d926dd49825766799b

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 0044E261
GetCurrentProcessId.KERNEL32(00000000,?,?,-00000010,00000000,0044E2CC,-000000F7,?,00000000,0044DE86,?,-00000010,?), ref: 0044E26A
GlobalFindAtomA.KERNEL32(00000000), ref: 0044E27F
GetPropA.USER32(00000000,00000000), ref: 0044E296

Part of subcall function 0044D2C0: GetWindowThreadProcessId.USER32(?), ref: 0044D2C6
Part of subcall function 0044D2C0: GetCurrentProcessId.KERNEL32(?,?,?,?,0044D346,?,00000000,?,004387ED,?,004378A9), ref: 0044D2CF
Part of subcall function 0044D2C0: SendMessageA.USER32(?,0000C1C7,00000000,00000000), ref: 0044D2E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444B1C, Relevance: 6.0, APIs: 4, Instructions: 34 Total matches: 2966thread

Similarity

Total matches: 2966
API ID: CreateEventCreateThreadGetCurrentThreadIdSetWindowsHookEx
String ID:
API String ID: 2240124278-0
Opcode ID: 54442a1563c67a11f9aee4190ed64b51599c5b098d388fde65e2e60bb6332aef
Instruction ID: 25b62da08cecef26c395931cea73ffe9b62582a88be241cbb158b3c9ea13de32
Opcode Fuzzy Hash: 37D0C940B0DE75C4F860630138017A90633234BF1BCD1C316480F76041C6CFAEF07A28
Instruction Fuzzy Hash: 25b62da08cecef26c395931cea73ffe9b62582a88be241cbb158b3c9ea13de32

APIs

GetCurrentThreadId.KERNEL32(?,00447A69,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00444B34
SetWindowsHookExA.USER32(00000003,00444AD8,00000000,00000000), ref: 00444B44
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00447A69,?,?,?,?,?,?,?,?,?,?), ref: 00444B5F
CreateThread.KERNEL32(00000000,000003E8,00444A7C,00000000,00000000), ref: 00444B83

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B438, Relevance: 6.0, APIs: 4, Instructions: 29 Total matches: 789

Similarity

Total matches: 789
API ID: GetDCGetTextMetricsReleaseDCSelectObject
String ID:
API String ID: 1769665799-0
Opcode ID: db772d9cc67723a7a89e04e615052b16571c955da3e3b2639a45f22e65d23681
Instruction ID: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3
Opcode Fuzzy Hash: DCC02B935A2888C32DE51FC0940084317C8C0E3A248C62212E13D400727F0C007CBFC0
Instruction Fuzzy Hash: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3

APIs

GetDC.USER32(00000000), ref: 0042B441
SelectObject.GDI32(00000000,018A002E), ref: 0042B453
GetTextMetricsA.GDI32(00000000), ref: 0042B45E
ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042473C, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 172 Total matches: 108

Similarity

Total matches: 108
API ID: CompareStringCreateFontIndirect
String ID: Default
API String ID: 480662435-753088835
Opcode ID: 55710f22f10b58c86f866be5b7f1af69a0ec313069c5af8c9f5cd005ee0f43f8
Instruction ID: ad4a051fb67a15694052d05548e5e2a92b9daedfa5d673be67c756d1cf269a99
Opcode Fuzzy Hash: F6116A2104DDB067F8B3EC94B64A74A79D1BBC5E9EC00FB303AA57198A0B01500EEB0E
Instruction Fuzzy Hash: ad4a051fb67a15694052d05548e5e2a92b9daedfa5d673be67c756d1cf269a99

APIs

Part of subcall function 00423A1C: EnterCriticalSection.KERNEL32(?,00423A59), ref: 00423A20

CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,00424930,?,00000000,00424958), ref: 0042486B
CreateFontIndirectA.GDI32(?), ref: 0042490D

Part of subcall function 0042B438: GetDC.USER32(00000000), ref: 0042B441
Part of subcall function 0042B438: SelectObject.GDI32(00000000,018A002E), ref: 0042B453
Part of subcall function 0042B438: GetTextMetricsA.GDI32(00000000), ref: 0042B45E
Part of subcall function 0042B438: ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Part of subcall function 00423A28: LeaveCriticalSection.KERNEL32(-00000008,00423B07,00423B0F), ref: 00423A2C

Strings

Default, xrefs: 00424832, 00424840, 00424841

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E3F0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103 Total matches: 30

Similarity

Total matches: 30
API ID: SHGetPathFromIDListSHGetSpecialFolderLocation
String ID: .LNK
API String ID: 739551631-2547878182
Opcode ID: 6b91e9416f314731ca35917c4d41f2341f1eaddd7b94683245f35c4551080332
Instruction ID: e6ae6f63a256f5e8788dfe1c4fce17057cd352befa637d7beb5ae1c0f18a968e
Opcode Fuzzy Hash: 9701B543079EC2A3D9232E512D43BA60129AF11E22F4C77F35A3C3A7D11E500105FA4A
Instruction Fuzzy Hash: e6ae6f63a256f5e8788dfe1c4fce17057cd352befa637d7beb5ae1c0f18a968e

APIs

SHGetSpecialFolderLocation.SHELL32(00000000,00000010,?), ref: 0046E44B
SHGetPathFromIDListA.SHELL32(?,?,00000000,00000010,?,00000000,0046E55E), ref: 0046E463

Part of subcall function 0042BE44: CoCreateInstance.OLE32(?,00000000,00000005,0042BF34,00000000), ref: 0042BE8B

Strings

.LNK, xrefs: 0046E4DE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00472C70, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 98 Total matches: 26

Similarity

Total matches: 26
API ID: SetFileAttributes
String ID: I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!$drivers\etc\hosts
API String ID: 3201317690-57959411
Opcode ID: de1fcf5289fd0d37c0d7642ff538b0d3acf26fbf7f5b53187118226b7e9f9585
Instruction ID: 1f69c6cfd5524e6f1e55c33e322de11738733e7ba85079705839c212502733fc
Opcode Fuzzy Hash: C4012B430F74D723D5173D857800B8922764B4A179D4A77F34B3B796E14E45101BF26D
Instruction Fuzzy Hash: 1f69c6cfd5524e6f1e55c33e322de11738733e7ba85079705839c212502733fc

APIs

Part of subcall function 004719C8: GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 004719DF

SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00472DAB,?,00000000,00472DE7), ref: 00472D16

Strings

drivers\etc\hosts, xrefs: 00472CD3, 00472D00
I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!, xrefs: 00472D8D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004629C0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 91 Total matches: 35com

Similarity

Total matches: 35
API ID: CoCreateInstance
String ID: <*I$L*I
API String ID: 206711758-935359969
Opcode ID: 926ebed84de1c4f5a0cff4f8c2e2da7e6b2741b3f47b898da21fef629141a3d9
Instruction ID: fa8d7291222113e0245fa84df17397d490cbd8a09a55d837a8cb9fde22732a4b
Opcode Fuzzy Hash: 79F02EA00A6B5057F502728428413DB0157E74BF09F48EB715253335860F29E22A6903
Instruction Fuzzy Hash: fa8d7291222113e0245fa84df17397d490cbd8a09a55d837a8cb9fde22732a4b

APIs

CoCreateInstance.OLE32(00492A3C,00000000,00000001,0049299C,00000000), ref: 00462A3F

Strings

<*I, xrefs: 00462A39
L*I, xrefs: 00462A60

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004658F4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91 Total matches: 91memory

Similarity

Total matches: 91
API ID: VirtualFreeVirtualProtect
String ID: FinalizeSections: VirtualProtect failed
API String ID: 636303360-3584865983
Opcode ID: eacfc3cf263d000af2bbea4d1e95e0ccf08e91c00f24ffdf9b55ce997f25413f
Instruction ID: a25c5a888a9fda5817e5b780509016ca40cf7ffd1ade20052d4c48f0177e32df
Opcode Fuzzy Hash: 8CF0A7A2164FC596D9E4360D5003B96A44B6BC1369D4857412FFF106F35E46A06B7D4C
Instruction Fuzzy Hash: a25c5a888a9fda5817e5b780509016ca40cf7ffd1ade20052d4c48f0177e32df

APIs

VirtualFree.KERNEL32(?,?,00004000), ref: 00465939
VirtualProtect.KERNEL32(?,?,00000000,?), ref: 004659A5

Strings

FinalizeSections: VirtualProtect failed, xrefs: 004659B3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00404B2E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83 Total matches: 27

Similarity

Total matches: 27
API ID: UnhandledExceptionFilter
String ID: @
API String ID: 324268079-2726393805
Opcode ID: 404135c81fb2f5f5ca58f8e75217e0a603ea6e07d48b6f32e279dfa7f56b0152
Instruction ID: c84c814e983b35b1fb5dae0ae7b91a26e19a660e9c4fa24becd8f1ddc27af483
Opcode Fuzzy Hash: CDF0246287E8612AD0BB6641389337E1451EF8189DC88DB307C9A306FB1A4D22A4F34C
Instruction Fuzzy Hash: c84c814e983b35b1fb5dae0ae7b91a26e19a660e9c4fa24becd8f1ddc27af483

APIs

UnhandledExceptionFilter.KERNEL32(00000006), ref: 00404B9A
UnhandledExceptionFilter.KERNEL32(?), ref: 00404BD7

Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00000000,00403029), ref: 004076AD
Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00403029), ref: 004076BE

Strings

@, xrefs: 00404B55

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040C028, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79 Total matches: 3032thread

Similarity

Total matches: 3032
API ID: GetDateFormatGetThreadLocale
String ID: yyyy
API String ID: 358233383-3145165042
Opcode ID: a9ef5bbd8ef47e5bcae7fadb254d6b5dc10943448e4061dc92b10bb97dc7929c
Instruction ID: 3d7ab4add3e8180159f8482215856afc9a1a963464e366b4ca05c92ac214afea
Opcode Fuzzy Hash: 09F09E4A0397D3D76802C969D023BC10194EB5A8B2C88B3B1DBB43D7F74C10C40AAF21
Instruction Fuzzy Hash: 3d7ab4add3e8180159f8482215856afc9a1a963464e366b4ca05c92ac214afea

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,0040C116), ref: 0040C0AE
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100), ref: 0040C0B4

Strings

yyyy, xrefs: 0040C089

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004889F0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 72 Total matches: 20

Similarity

Total matches: 20
API ID: GetMonitorInfo
String ID: H$MONSIZE
API String ID: 2399315694-578782711
Opcode ID: fcbd22419a9fe211802b34775feeb9b9cd5c1eab3f2b681a58b96c928ed20dcd
Instruction ID: 58dff39716ab95f400833e95f8353658d64ab2bf0589c4ada55bb24297febcec
Opcode Fuzzy Hash: A0F0E957075E9D5BE7326D883C177C042D82342C5AE8EB75741B9329B20D59511DF3C9
Instruction Fuzzy Hash: 58dff39716ab95f400833e95f8353658d64ab2bf0589c4ada55bb24297febcec

APIs

GetMonitorInfoA.USER32(?,00000048), ref: 00488A28

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

H, xrefs: 00488A19
MONSIZE, xrefs: 00488A65

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004843EC, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52 Total matches: 15

Similarity

Total matches: 15
API ID: CloseHandleOpenProcess
String ID: ACCESS DENIED (x64)
API String ID: 39102293-185273294
Opcode ID: a572bc7c6731d9d91b92c5675ac9d9d4c0009ce4d4d6c6579680fd2629dc7de7
Instruction ID: 96dec37c68e2c881eb92ad81010518019459718a977f0d9739e81baf42475d3b
Opcode Fuzzy Hash: EBE072420B68F08FB4738298640028100C6AE862BCC486BB5523B391DB4E49A008B6A3
Instruction Fuzzy Hash: 96dec37c68e2c881eb92ad81010518019459718a977f0d9739e81baf42475d3b

APIs

OpenProcess.KERNEL32(001F0FFF,00000000), ref: 0048440F
CloseHandle.KERNEL32(00000000), ref: 00484475

Strings

ACCESS DENIED (x64), xrefs: 004843FD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E408, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44 Total matches: 2190

Similarity

Total matches: 2190
API ID: GetSystemMetrics
String ID: MonitorFromPoint
API String ID: 96882338-1072306578
Opcode ID: 666203dad349f535e62b1e5569e849ebaf95d902ba2aa8f549115cec9aadc9dc
Instruction ID: 9e90a3aeaa9df0e76633c437836624889fea8714b6c2508f44f8acb6986c90e8
Opcode Fuzzy Hash: 72D09540005C404E9427F505302314050862CD7C1444C0A96073728A4B4BC07837E70C
Instruction Fuzzy Hash: 9e90a3aeaa9df0e76633c437836624889fea8714b6c2508f44f8acb6986c90e8

APIs

GetSystemMetrics.USER32(00000000), ref: 0042E456
GetSystemMetrics.USER32(00000001), ref: 0042E468

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

MonitorFromPoint, xrefs: 0042E41A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00405026, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43 Total matches: 29

Similarity

Total matches: 29
API ID: UnhandledExceptionFilter
String ID: @$@
API String ID: 324268079-1993891284
Opcode ID: 08651bee2e51f7c203f2bcbc4971cbf38b3c12a2f284cd033f2f36121a1f9316
Instruction ID: 09869fe21a55f28103c5e2f74b220912f521d4c5ca74f0421fb5e508a020f7c0
Opcode Fuzzy Hash: 83E0CD9917D5514BE0755684259671E1051EF05825C4A8F316D173C1FB151A11E4F77C
Instruction Fuzzy Hash: 09869fe21a55f28103c5e2f74b220912f521d4c5ca74f0421fb5e508a020f7c0

APIs

UnhandledExceptionFilter.KERNEL32(00000006), ref: 00405047

Strings

@, xrefs: 00405080
@, xrefs: 004050A2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004319C4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43 Total matches: 10clipboard

Similarity

Total matches: 10
API ID: EnumClipboardFormats
String ID: 84B
API String ID: 3596886676-4139892337
Opcode ID: b1462d8625ddb51b2d31736c791a41412de0acc99cd040f5562c49b894f36a34
Instruction ID: 9fe3e5fa4cb89e8a0f94f97538fc14217740b2e6ec0d3bb9a3290716fcbe2ff9
Opcode Fuzzy Hash: 96D0A79223ECD863E9EC2359145BD47254F08D22554440B315E1B6DA13E520181FF58F
Instruction Fuzzy Hash: 9fe3e5fa4cb89e8a0f94f97538fc14217740b2e6ec0d3bb9a3290716fcbe2ff9

APIs

EnumClipboardFormats.USER32(00000000), ref: 004319E8
EnumClipboardFormats.USER32(00000000), ref: 00431A0E

Strings

84B, xrefs: 004319F6

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E258, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39 Total matches: 3131

Similarity

Total matches: 3131
API ID: GetSystemMetrics
String ID: GetSystemMetrics
API String ID: 96882338-96882338
Opcode ID: bbc54e4b5041dfa08de2230ef90e8f32e1264c6e24ec09b97715d86cc98d23e9
Instruction ID: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c
Opcode Fuzzy Hash: B4D0A941986AA908E0AF511971A336358D163D2EA0C8C8362308B329EB5741B520AB01
Instruction Fuzzy Hash: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c

APIs

GetSystemMetrics.USER32(?), ref: 0042E2BA

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

GetSystemMetrics.USER32(?), ref: 0042E280

Strings

GetSystemMetrics, xrefs: 0042E268

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Process Name: Microupdate.exe Analysis ID: 64772

General

Root Process Name:	regdrv.exe
Process MD5:	8C5984AB2114A0C70FB9209E89B2F9FC
Total matches:	145
Initial Analysis Report:	Open
Initial sample Analysis ID:	64772
Initial sample SHA 256:	09952A6793BFD546528BF234A1AD58A9426ACCD29A8E9DD6EF7162EC86AB3607
Initial sample name:	Microupdate.exe

Similar Executed Functions

Function 004818F8, Relevance: 49.2, APIs: 10, Strings: 18, Instructions: 236 Total matches: 18keyboard

Similarity

Total matches: 18
API ID: GetKeyState$CallNextHookEx$GetKeyboardStateMapVirtualKeyToAscii
String ID: [<-]$[DEL]$[DOWN]$[ESC]$[F1]$[F2]$[F3]$[F4]$[F5]$[F6]$[F7]$[F8]$[INS]$[LEFT]$[NUM_LOCK]$[RIGHT]$[SNAPSHOT]$[UP]
API String ID: 2409940449-52828794
Opcode ID: b9566e8c43a4051c07ac84d60916a303a7beb698efc358184a9cd4bc7b664fbd
Instruction ID: 41c13876561f3d94aafb9dcaf6d0e9d475a0720bb5103e60537e1bfe84b96b73
Opcode Fuzzy Hash: 0731B68AA7159623D437E2D97101B910227BF975D0CC1A3333EDA3CAE99E900114BF25
Instruction Fuzzy Hash: 41c13876561f3d94aafb9dcaf6d0e9d475a0720bb5103e60537e1bfe84b96b73

APIs

CallNextHookEx.USER32(000601F9,00000000,?,?), ref: 00481948

Part of subcall function 004818E0: MapVirtualKeyA.USER32(00000000,00000000), ref: 004818E6

CallNextHookEx.USER32(000601F9,00000000,00000100,?), ref: 0048198C
GetKeyState.USER32(00000014), ref: 00481C4E
GetKeyState.USER32(00000011), ref: 00481C60
GetKeyState.USER32(000000A0), ref: 00481C75
GetKeyState.USER32(000000A1), ref: 00481C8A
GetKeyboardState.USER32(?), ref: 00481CA5
MapVirtualKeyA.USER32(00000000,00000000), ref: 00481CD7
ToAscii.USER32(00000000,00000000,00000000,00000000,?), ref: 00481CDE

Part of subcall function 00481318: ExitThread.KERNEL32(00000000,00000000,00481687,?,00000000,004816C3,?,?,?,?,0000000C,00000000,00000000), ref: 0048135E
Part of subcall function 00481318: CreateThread.KERNEL32(00000000,00000000,Function_000810D4,00000000,00000000,00499F94), ref: 0048162D

CallNextHookEx.USER32(000601F9,00000000,?,?), ref: 00481D3C

Strings

[LEFT], xrefs: 00481C07
[F3], xrefs: 00481B65
[DOWN], xrefs: 00481C2B
[<-], xrefs: 00481B1D
[NUM_LOCK], xrefs: 00481B2F
[RIGHT], xrefs: 00481C19
[F7], xrefs: 00481BAD
[DEL], xrefs: 00481BD1
[UP], xrefs: 00481C3D
[F4], xrefs: 00481B77
[ESC], xrefs: 00481AE7
[F8], xrefs: 00481BBF
[F5], xrefs: 00481B89
[F1], xrefs: 00481B41
[INS], xrefs: 00481BE3
[F6], xrefs: 00481B9B
[SNAPSHOT], xrefs: 00481BF5
[F2], xrefs: 00481B53

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AEA8, Relevance: 9.1, APIs: 6, Instructions: 108 Total matches: 122

Similarity

Total matches: 122
API ID: AdjustTokenPrivilegesCloseHandleGetCurrentProcessGetLastErrorLookupPrivilegeValueOpenProcessToken
String ID:
API String ID: 1655903152-0
Opcode ID: c92d68a2c1c5faafb4a28c396f292a277a37f0b40326d7f586547878ef495775
Instruction ID: 5a044237aac15a3989e4021d08b96f5326c338692d3d0e66e444868dbe789150
Opcode Fuzzy Hash: 2CF0468513CAB2E7F879B18C3042FE73458B323244C8437219A903A18E0E59A12CEB13
Instruction Fuzzy Hash: 5a044237aac15a3989e4021d08b96f5326c338692d3d0e66e444868dbe789150

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AEFF
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF05
LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000), ref: 0048AF77
CloseHandle.KERNEL32(?), ref: 0048AF8D
GetLastError.KERNEL32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF9A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DDE0, Relevance: 7.6, APIs: 5, Instructions: 54 Total matches: 153

Similarity

Total matches: 153
API ID: FindResourceFreeResourceLoadResourceLockResourceSizeofResource
String ID:
API String ID: 3885362348-0
Opcode ID: ef8b8e58cde3d28224df1e0c57da641ab2d3d01fa82feb3a30011b4f31433ee9
Instruction ID: 9990bafbf40e834a260b48e1f62370990a3e04654371271e90c167a58edff6a8
Opcode Fuzzy Hash: 08D02B420B5FA197F51656482C813D722876B43386EC42BF2D31A3B2E39F058039F60B
Instruction Fuzzy Hash: 9990bafbf40e834a260b48e1f62370990a3e04654371271e90c167a58edff6a8

APIs

FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 0048DE1A
LoadResource.KERNEL32(00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE24
SizeofResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE2E
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE36
FreeResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047EAEC, Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 149 Total matches: 19windowthread

Similarity

Total matches: 19
API ID: CreateThreadDispatchMessageGetMessageTranslateMessage
String ID: at $,xI$AI$AI$MPI$OFFLINEK$PWD$Unknow
API String ID: 994098336-2744674293
Opcode ID: 9eba81f8e67a9dabaeb5076a6d0005a8d272465a03f2cd78ec5fdf0e8a578f9a
Instruction ID: 2241c7d72abfc068c3e0d2a9a226d44f5f768712d3663902469fbf0e50918cf5
Opcode Fuzzy Hash: E81159DA27FED40AF533B93074417C781661B2B62CE5C53A24E3B38580DE83406A7F06
Instruction Fuzzy Hash: 2241c7d72abfc068c3e0d2a9a226d44f5f768712d3663902469fbf0e50918cf5

APIs

CreateThread.KERNEL32(00000000,00000000,00482028,00000000,00000000,00499F94), ref: 0047EB8D
GetMessageA.USER32(00499F5C,00000000,00000000,00000000), ref: 0047ECBF

Part of subcall function 0040BC98: GetLocalTime.KERNEL32(?), ref: 0040BCA0

Part of subcall function 0040BCC4: GetLocalTime.KERNEL32(?), ref: 0040BCCC

Part of subcall function 0041FA34: GetLastError.KERNEL32(00486514,00000004,0048650C,00000000,0041FADE,?,00499F5C), ref: 0041FA94

Part of subcall function 0041FC40: SetThreadPriority.KERNEL32(?,015CDB28,00499F5C,?,0047EC9E,?,?,?,00000000,00000000,?,0049062B), ref: 0041FC55

Part of subcall function 0041FEF0: ResumeThread.KERNEL32(?,00499F5C,?,0047ECAA,?,?,?,00000000,00000000,?,0049062B), ref: 0041FEF8

TranslateMessage.USER32(00499F5C), ref: 0047ECAD
DispatchMessageA.USER32(00499F5C), ref: 0047ECB3

Strings

OFFLINEK, xrefs: 0047EB61
,xI, xrefs: 0047EC45
AI, xrefs: 0047EB11, 0047EB3E
at , xrefs: 0047EC58
Unknow, xrefs: 0047EC0B
AI, xrefs: 0047EBFA, 0047EC04, 0047EC60
MPI, xrefs: 0047EB9D
PWD, xrefs: 0047EB26

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004458CC, Relevance: 19.9, APIs: 13, Instructions: 386 Total matches: 159window

Similarity

Total matches: 159
API ID: SetFocus$GetFocusIsWindowEnabledPostMessage$GetLastActivePopupIsWindowVisibleSendMessage
String ID:
API String ID: 914620548-0
Opcode ID: 7a550bb8e8bdfffe0a3d884064dd1348bcd58c670023c5df15e5d4cbc78359b7
Instruction ID: ae7cdb1027d949e36366800a998b34cbf022b374fa511ef6be9943eb0d4292bd
Opcode Fuzzy Hash: 79518B4165DF6212E8BB908076A3BE6604BF7C6B9ECC8DF3411D53649B3F44620EE306
Instruction Fuzzy Hash: ae7cdb1027d949e36366800a998b34cbf022b374fa511ef6be9943eb0d4292bd

APIs

Part of subcall function 00445780: SetThreadLocale.KERNEL32(00000400,?,?,?,0044593F,00000000,00445F57), ref: 004457A3

Part of subcall function 00445F90: SetActiveWindow.USER32(?), ref: 00445FB5
Part of subcall function 00445F90: IsWindowEnabled.USER32(00000000), ref: 00445FE1
Part of subcall function 00445F90: SetWindowPos.USER32(?,00000000,00000000,00000000,?,00000000,00000040), ref: 0044602B
Part of subcall function 00445F90: DefWindowProcA.USER32(?,00000112,0000F020,00000000), ref: 00446040

Part of subcall function 00446070: SetActiveWindow.USER32(?), ref: 0044608F
Part of subcall function 00446070: ShowWindow.USER32(00000000,00000009), ref: 004460B4
Part of subcall function 00446070: IsWindowEnabled.USER32(00000000), ref: 004460D3
Part of subcall function 00446070: DefWindowProcA.USER32(?,00000112,0000F120,00000000), ref: 004460EC
Part of subcall function 00446070: SetWindowPos.USER32(?,00000000,00000000,?,?,00445ABE,00000000), ref: 00446132
Part of subcall function 00446070: SetFocus.USER32(00000000), ref: 00446180

Part of subcall function 00445F74: LoadIconA.USER32(00000000,00007F00), ref: 00445F8A

PostMessageA.USER32(?,0000B001,00000000,00000000), ref: 00445BCD

Part of subcall function 00445490: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000213), ref: 004454DE

PostMessageA.USER32(?,0000B000,00000000,00000000), ref: 00445BAB
SendMessageA.USER32(?,?,?,?), ref: 00445C73

Part of subcall function 00405388: FreeLibrary.KERNEL32(00400000,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405410
Part of subcall function 00405388: ExitProcess.KERNEL32(00000000,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405448

Part of subcall function 0044641C: IsWindowEnabled.USER32(00000000), ref: 00446458

IsWindowEnabled.USER32(00000000), ref: 00445D18
IsWindowVisible.USER32(00000000), ref: 00445D2D
GetFocus.USER32 ref: 00445D41
SetFocus.USER32(00000000), ref: 00445D50
SetFocus.USER32(00000000), ref: 00445D6F
IsWindowEnabled.USER32(00000000), ref: 00445DD0
SetFocus.USER32(00000000), ref: 00445DF2
GetLastActivePopup.USER32(?), ref: 00445E0A

Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773

GetFocus.USER32 ref: 00445E4F

Part of subcall function 0043BA80: GetCurrentThreadId.KERNEL32(Function_0003BA1C,00000000,0044283C,00000000,004428BF), ref: 0043BA9A
Part of subcall function 0043BA80: EnumThreadWindows.USER32(00000000,Function_0003BA1C,00000000), ref: 0043BAA0

SetFocus.USER32(00000000), ref: 00445E70

Part of subcall function 00446A88: PostMessageA.USER32(?,0000B01F,00000000,00000000), ref: 00446BA1

Part of subcall function 004466B8: SendMessageA.USER32(?,0000B020,00000001,?), ref: 004466DC

Part of subcall function 0044665C: SendMessageA.USER32(?,0000B020,00000000,?), ref: 0044667E

Part of subcall function 0045D684: SystemParametersInfoA.USER32(00000068,00000000,015E3408,00000000), ref: 0045D6C8
Part of subcall function 0045D684: SendMessageA.USER32(?,?,00000000,00000000), ref: 0045D6DB

Part of subcall function 00445844: DefWindowProcA.USER32(?,?,?,?), ref: 0044586E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004450B4, Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 131 Total matches: 14windowregistry

Similarity

Total matches: 14
API ID: DeleteMenu$GetClassInfoGetSystemMenuRegisterClassSendMessageSetClassLongSetWindowLong
String ID: LPI$PMD
API String ID: 387369179-807424164
Opcode ID: 32fce7ee3e6ac0926511ec3e4f7c98ab685e9b31e2d706daccbfdcda0f6d1d6b
Instruction ID: d56ce0e432135cd6d309e63aa69e29fd16821da0556a9908f65c39b580e9a6e9
Opcode Fuzzy Hash: 5601A6826E8982A2E2E03082381279F408E9F8B745C34A72E50863056EEF4A4178FF06
Instruction Fuzzy Hash: d56ce0e432135cd6d309e63aa69e29fd16821da0556a9908f65c39b580e9a6e9

APIs

Part of subcall function 00421084: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 004210A2

GetClassInfoA.USER32(00400000,00444D50,?), ref: 00445113
RegisterClassA.USER32(004925FC), ref: 0044512B

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

Part of subcall function 0040857C: CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004085BB

SetWindowLongA.USER32(?,000000FC,?), ref: 004451C2
DeleteMenu.USER32(00000000,0000F010,00000000), ref: 00445235

Part of subcall function 00445F74: LoadIconA.USER32(00000000,00007F00), ref: 00445F8A

SendMessageA.USER32(?,00000080,00000001,00000000), ref: 004451E4
SetClassLongA.USER32(?,000000F2,00000000), ref: 004451F7
GetSystemMenu.USER32(?,00000000), ref: 00445202
DeleteMenu.USER32(00000000,0000F030,00000000), ref: 00445211
DeleteMenu.USER32(00000000,0000F000,00000000), ref: 0044521E

Strings

PMD, xrefs: 00445107, 0044519E
LPI, xrefs: 004450DD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444D60, Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 135 Total matches: 14window

Similarity

Total matches: 14
API ID: CharLowerCharNextGetModuleFileNameLoadIconOemToChar
String ID: 08B$0PI$8PI$MAINICON$\tA
API String ID: 1282013903-4242882941
Opcode ID: ff2b085099440c5ca1f97a8a9a6e2422089f81c1f58cd04fd4e646ad6fccc634
Instruction ID: 1a7e1b5cc773515fc1e1ce3387cb9199d5a608ac43a7cc09dd1af1e5a3a2e712
Opcode Fuzzy Hash: 76112C42068596E4E03967743814BC96091FB95F3AEB8AB7156F570BE48F418125F31C
Instruction Fuzzy Hash: 1a7e1b5cc773515fc1e1ce3387cb9199d5a608ac43a7cc09dd1af1e5a3a2e712

APIs

LoadIconA.USER32(00400000,MAINICON), ref: 00444E57

Part of subcall function 0042B29C: GetIconInfo.USER32(?,?), ref: 0042B2BD
Part of subcall function 0042B29C: GetObjectA.GDI32(?,00000018,?), ref: 0042B2DE
Part of subcall function 0042B29C: DeleteObject.GDI32(?), ref: 0042B30A
Part of subcall function 0042B29C: DeleteObject.GDI32(?), ref: 0042B313

GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON), ref: 00444E89
OemToCharA.USER32(?,?), ref: 00444E9C
CharNextA.USER32(?), ref: 00444EDB
CharLowerA.USER32(00000000), ref: 00444EE1

Part of subcall function 00421140: GetClassInfoA.USER32(00400000,00421130,?), ref: 00421161
Part of subcall function 00421140: UnregisterClassA.USER32(00421130,00400000), ref: 0042118A
Part of subcall function 00421140: RegisterClassA.USER32(00491B50), ref: 00421194
Part of subcall function 00421140: SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 004211DF

Part of subcall function 004450B4: GetClassInfoA.USER32(00400000,00444D50,?), ref: 00445113
Part of subcall function 004450B4: RegisterClassA.USER32(004925FC), ref: 0044512B
Part of subcall function 004450B4: SetWindowLongA.USER32(?,000000FC,?), ref: 004451C2
Part of subcall function 004450B4: SendMessageA.USER32(?,00000080,00000001,00000000), ref: 004451E4
Part of subcall function 004450B4: SetClassLongA.USER32(?,000000F2,00000000), ref: 004451F7
Part of subcall function 004450B4: GetSystemMenu.USER32(?,00000000), ref: 00445202
Part of subcall function 004450B4: DeleteMenu.USER32(00000000,0000F030,00000000), ref: 00445211
Part of subcall function 004450B4: DeleteMenu.USER32(00000000,0000F000,00000000), ref: 0044521E
Part of subcall function 004450B4: DeleteMenu.USER32(00000000,0000F010,00000000), ref: 00445235

Strings

MAINICON, xrefs: 00444E4A
08B, xrefs: 00444E38
0PI, xrefs: 00444E4F, 00444E81
8PI, xrefs: 00444F14
\tA, xrefs: 00444DBF, 00444DD1, 00444DE3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048B908, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 138 Total matches: 28

Similarity

Total matches: 28
API ID: GetTokenInformation$CloseHandleGetCurrentProcessOpenProcessToken
String ID: Default$Full$Limited$unknow
API String ID: 3519712506-3005279702
Opcode ID: c9e83fe5ef618880897256b557ce500f1bf5ac68e7136ff2dc4328b35d11ffd0
Instruction ID: 0b4c06dab34d27ad9d68d80be0f4d698db9405c4a95def130c1ac261927f5781
Opcode Fuzzy Hash: 94012245479DA6FB6826709C78036E90090EEA3505DC827320F1A3EA430F49906DFE03
Instruction Fuzzy Hash: 0b4c06dab34d27ad9d68d80be0f4d698db9405c4a95def130c1ac261927f5781

APIs

GetCurrentProcess.KERNEL32(00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B93E
OpenProcessToken.ADVAPI32(00000000,00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B944
GetTokenInformation.ADVAPI32(?,00000012(TokenIntegrityLevel),?,00000004,?,00000000,0048BA30,?,00000000,00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B96F
GetTokenInformation.ADVAPI32(?,00000014(TokenIntegrityLevel),?,00000004,?,?,TokenIntegrityLevel,?,00000004,?,00000000,0048BA30,?,00000000,00000008,?), ref: 0048B9DF
CloseHandle.KERNEL32(?), ref: 0048BA2A

Strings

unknow, xrefs: 0048B9B6
Limited, xrefs: 0048B9A7
Default, xrefs: 0048B989
Full, xrefs: 0048B998

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040EBCC, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201 Total matches: 3634thread

Similarity

Total matches: 3634
API ID: GetThreadLocale
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 1366207816-2493093252
Opcode ID: 01a36ac411dc2f0c4b9eddfafa1dc6121dabec367388c2cb1b6e664117e908cf
Instruction ID: d03f869ccb848d3c28b0e9f5c57a02ed4726818649ba9b5e70cc30c7e7abe10a
Opcode Fuzzy Hash: 7E216E09A7888936D262494C3885B9414F75F1A161EC4CBF18BB2757ED6EC60422FBFB
Instruction Fuzzy Hash: d03f869ccb848d3c28b0e9f5c57a02ed4726818649ba9b5e70cc30c7e7abe10a

APIs

Part of subcall function 0040EB08: GetThreadLocale.KERNEL32 ref: 0040EB2A
Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000004A), ref: 0040EB7D
Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000002A), ref: 0040EB8C

Part of subcall function 0040D3E8: GetThreadLocale.KERNEL32(00000000,0040D4FB,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040D404

GetThreadLocale.KERNEL32(00000000,0040EE97,?,?,00000000,00000000), ref: 0040EC02

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Part of subcall function 0040D380: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040EC7E,00000000,0040EE97,?,?,00000000,00000000), ref: 0040D393

Part of subcall function 0040D670: GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(?,00000000,0040D657,?,?,00000000), ref: 0040D5D8
Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040D657,?,?,00000000), ref: 0040D608
Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D50C,00000000,00000000,00000004), ref: 0040D613
Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040D657,?,?,00000000), ref: 0040D631
Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D548,00000000,00000000,00000003), ref: 0040D63C

Strings

AMPM , xrefs: 0040EE25
mmmm d, yyyy, xrefs: 0040ECFE
m/d/yy, xrefs: 0040ECD1
:mm, xrefs: 0040EE35
:mm:ss, xrefs: 0040EE52
AMPM, xrefs: 0040EE16

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AFE8, Relevance: 10.6, APIs: 7, Instructions: 94 Total matches: 34sleep

Similarity

Total matches: 34
API ID: Sleep$GetCurrentProcessGetTokenInformationLookupPrivilegeDisplayNameLookupPrivilegeNameOpenProcessToken
String ID:
API String ID: 2949210484-0
Opcode ID: 1294ace95088db967643d611283e857756515b83d680ef470e886f47612abab4
Instruction ID: 080af5cb768fd98714a9d060fcd45c73de1816ca9ba7ffb4874f351f539571ee
Opcode Fuzzy Hash: F9F0F6524B5DE753F65D2A4C9893BE90250DB03424E806B22857877A8A5E195039FA2A
Instruction Fuzzy Hash: 080af5cb768fd98714a9d060fcd45c73de1816ca9ba7ffb4874f351f539571ee

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048B0F3), ref: 0048B016
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048B0F3), ref: 0048B01C
Sleep.KERNEL32(00000001,00000000,00000028,?,00000000,0048B0F3), ref: 0048B027
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B03C
Sleep.KERNEL32(00000001,?,TokenIntegrityLevel,00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B047
LookupPrivilegeNameA.ADVAPI32(00000000,00000004,00000000,000000FF), ref: 0048B094
LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,?,000000FF,?), ref: 0048B0A8

Part of subcall function 0048AEA8: GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AEFF
Part of subcall function 0048AEA8: OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF05
Part of subcall function 0048AEA8: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
Part of subcall function 0048AEA8: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000), ref: 0048AF77
Part of subcall function 0048AEA8: CloseHandle.KERNEL32(?), ref: 0048AF8D
Part of subcall function 0048AEA8: GetLastError.KERNEL32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF9A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048F888, Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 110 Total matches: 18

Similarity

Total matches: 18
API ID: CoInitialize
String ID: .dcp$DCDATA$GENCODE$MPI$NETDATA
API String ID: 2346599605-3060965071
Opcode ID: 5b2698c0d83cdaee763fcf6fdf8d4463e192853437356cece5346bd183c87f4d
Instruction ID: bf1364519f653df7cd18a9a38ec8bfca38719d83700d8c9dcdc44dde4d16a583
Opcode Fuzzy Hash: 990190478FEEC01AF2139D64387B7C100994F53F55E840B9B557D3E5A08947502BB705
Instruction Fuzzy Hash: bf1364519f653df7cd18a9a38ec8bfca38719d83700d8c9dcdc44dde4d16a583

APIs

Part of subcall function 004076D4: GetModuleHandleA.KERNEL32(00000000,?,0048F8A5,?,?,?,0000002F,00000000,00000000), ref: 004076E0

CoInitialize.OLE32(00000000), ref: 0048F8B5

Part of subcall function 0048AFE8: GetCurrentProcess.KERNEL32(00000028,?,00000000,0048B0F3), ref: 0048B016
Part of subcall function 0048AFE8: OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048B0F3), ref: 0048B01C
Part of subcall function 0048AFE8: Sleep.KERNEL32(00000001,00000000,00000028,?,00000000,0048B0F3), ref: 0048B027
Part of subcall function 0048AFE8: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B03C
Part of subcall function 0048AFE8: Sleep.KERNEL32(00000001,?,TokenIntegrityLevel,00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B047
Part of subcall function 0048AFE8: LookupPrivilegeNameA.ADVAPI32(00000000,00000004,00000000,000000FF), ref: 0048B094
Part of subcall function 0048AFE8: LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,?,000000FF,?), ref: 0048B0A8

Part of subcall function 0040F234: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0048F90F,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040F24B

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

Strings

.dcp, xrefs: 0048F92D, 0048F989
DCDATA, xrefs: 0048F8E9
NETDATA, xrefs: 0048F9B6
MPI, xrefs: 0048F8BA
GENCODE, xrefs: 0048F920, 0048F97C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B47C, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58 Total matches: 283

Similarity

Total matches: 283
API ID: MulDiv
String ID: MS Shell Dlg 2$SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes$Tahoma
API String ID: 940359406-1011973972
Opcode ID: 9f338f1e3de2c8e95426f3758bdd42744a67dcd51be80453ed6f2017c850a3af
Instruction ID: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a
Opcode Fuzzy Hash: EDE0680017C8F0ABFC32BC8A30A17CD20C9F341270C0063B1065D3D8CAAB4AC018E907
Instruction Fuzzy Hash: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a

APIs

MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0042B4A2

Part of subcall function 004217A0: RegCloseKey.ADVAPI32(10940000,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5,?,00000000,0048B2DD), ref: 004217B4

Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421A81
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421AF1
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?), ref: 00421B5C

Part of subcall function 00421770: RegFlushKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 00421781
Part of subcall function 00421770: RegCloseKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 0042178A

Part of subcall function 0042B438: GetDC.USER32(00000000), ref: 0042B441
Part of subcall function 0042B438: SelectObject.GDI32(00000000,018A002E), ref: 0042B453
Part of subcall function 0042B438: GetTextMetricsA.GDI32(00000000), ref: 0042B45E
Part of subcall function 0042B438: ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes, xrefs: 0042B4F8
MS Shell Dlg 2, xrefs: 0042B50C
Tahoma, xrefs: 0042B4C4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00421140, Relevance: 6.1, APIs: 4, Instructions: 59 Total matches: 2877registry

Similarity

Total matches: 2877
API ID: GetClassInfoRegisterClassSetWindowLongUnregisterClass
String ID:
API String ID: 1046148194-0
Opcode ID: c2411987b4f71cfd8dbf515c505d6b009a951c89100e7b51cc1a9ad4868d85a2
Instruction ID: ad09bb2cd35af243c34bf0a983bbfa5e937b059beb8f7eacfcf21e0321a204f6
Opcode Fuzzy Hash: 17E026123D08D3D6E68B3107302B30D00AC1B2F524D94E725428030310CB24B034D942
Instruction Fuzzy Hash: ad09bb2cd35af243c34bf0a983bbfa5e937b059beb8f7eacfcf21e0321a204f6

APIs

GetClassInfoA.USER32(00400000,00421130,?), ref: 00421161
UnregisterClassA.USER32(00421130,00400000), ref: 0042118A
RegisterClassA.USER32(00491B50), ref: 00421194

Part of subcall function 0040857C: CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004085BB

Part of subcall function 00421084: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 004210A2

SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 004211DF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486374, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66 Total matches: 15network

Similarity

Total matches: 15
API ID: send
String ID: #KEEPALIVE#$AI
API String ID: 2809346765-3407633610
Opcode ID: 7bd268bc54a74c8d262fb2d4f92eedc3231c4863c0e0b1ad2c3d318767d32110
Instruction ID: 49a0c3b4463e99ba8d4a2c6ba6a42864ce88c18c059a57f1afd8745127692009
Opcode Fuzzy Hash: 34E068800B79C40B586BB094394371320D2EE1171988473305F003F967CD40501E2E93
Instruction Fuzzy Hash: 49a0c3b4463e99ba8d4a2c6ba6a42864ce88c18c059a57f1afd8745127692009

APIs

send.WSOCK32(?,?,?,00000000,00000000,0048642A), ref: 004863F3

Strings

AI, xrefs: 004863A6
#KEEPALIVE#, xrefs: 00486399

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DD0C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51 Total matches: 15

Similarity

Total matches: 15
API ID: GlobalMemoryStatus
String ID: $%d%
API String ID: 1890195054-1553997471
Opcode ID: b93ee82e74eb3fdc7cf13e02b5efcaa0aef25b4b863b00f7ccdd0b9efdff76e6
Instruction ID: fe5533f6b2d125ff6ee6e2ff500c73019a28ed325643b914abb945f4eac8f20d
Opcode Fuzzy Hash: 64D05BD70F99F457A5A1718E3452FA400956F036D9CC83BB349946E99F071F80ACF612
Instruction Fuzzy Hash: fe5533f6b2d125ff6ee6e2ff500c73019a28ed325643b914abb945f4eac8f20d

APIs

GlobalMemoryStatus.KERNEL32(00000020), ref: 0048DD44

Strings

%d%, xrefs: 0048DD5C
, xrefs: 0048DD39

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C91C, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 75 Total matches: 20

Similarity

Total matches: 20
API ID: GetVolumeInformation
String ID: %.4x:%.4x
API String ID: 1114431059-3532927987
Opcode ID: 208ca3ebf28c5cea15b573a569a7b8c9d147c1ff64dfac4d15af7b461a718bc8
Instruction ID: 4ae5e3aba91ec141201c4859cc19818ff8a02ee484ece83311eb3b9305c11bcf
Opcode Fuzzy Hash: F8E0E5410AC961EBB4D3F0883543BA2319593A3289C807B73B7467FDD64F05505DD847
Instruction Fuzzy Hash: 4ae5e3aba91ec141201c4859cc19818ff8a02ee484ece83311eb3b9305c11bcf

APIs

GetVolumeInformationA.KERNEL32(00000000,00000000,00000104,?,?,?,00000000,00000104), ref: 0048C974

Strings

%.4x:%.4x, xrefs: 0048C9B9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004221F0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47 Total matches: 18registry

Similarity

Total matches: 18
API ID: RegQueryValueEx
String ID: ldA
API String ID: 3865029661-3200660723
Opcode ID: ec304090a766059ca8447c7e950ba422bbcd8eaba57a730efadba48c404323b5
Instruction ID: 1bfdbd06430122471a07604155f074e1564294130eb9d59a974828bfc3ff2ca5
Opcode Fuzzy Hash: 87D05E281E48858525DA74D93101B522241E7193938CC3F618A4C976EB6900F018EE0F
Instruction Fuzzy Hash: 1bfdbd06430122471a07604155f074e1564294130eb9d59a974828bfc3ff2ca5

APIs

RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000), ref: 0042221B

Strings

ldA, xrefs: 00422231

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Similar Non-Executed Functions

Function 0048B42C, Relevance: 70.2, APIs: 32, Strings: 8, Instructions: 219 Total matches: 29keyboard

Similarity

Total matches: 29
API ID: keybd_event
String ID: CTRLA$CTRLC$CTRLF$CTRLP$CTRLV$CTRLX$CTRLY$CTRLZ
API String ID: 2665452162-853614746
Opcode ID: 4def22f753c7f563c1d721fcc218f3f6eb664e5370ee48361dbc989d32d74133
Instruction ID: 963b610819eac8b52ef880b5a8b69d76f76adbdeafee6c47af906d1515d6b099
Opcode Fuzzy Hash: 532196951B0CA2B978DA64817C0E195F00B969B34DEDC13128990DAF788EF08DE03F35
Instruction Fuzzy Hash: 963b610819eac8b52ef880b5a8b69d76f76adbdeafee6c47af906d1515d6b099

APIs

keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B460
keybd_event.USER32(00000041,00000045,00000001,00000000), ref: 0048B46D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B47A
keybd_event.USER32(00000041,00000045,00000003,00000000), ref: 0048B487
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B4A8
keybd_event.USER32(00000056,00000045,00000001,00000000), ref: 0048B4B5
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B4C2
keybd_event.USER32(00000056,00000045,00000003,00000000), ref: 0048B4CF
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B4F0
keybd_event.USER32(00000043,00000045,00000001,00000000), ref: 0048B4FD
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B50A
keybd_event.USER32(00000043,00000045,00000003,00000000), ref: 0048B517
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B538
keybd_event.USER32(00000058,00000045,00000001,00000000), ref: 0048B545
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B552
keybd_event.USER32(00000058,00000045,00000003,00000000), ref: 0048B55F
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B580
keybd_event.USER32(00000050,00000045,00000001,00000000), ref: 0048B58D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B59A
keybd_event.USER32(00000050,00000045,00000003,00000000), ref: 0048B5A7
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B5C8
keybd_event.USER32(0000005A,00000045,00000001,00000000), ref: 0048B5D5
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B5E2
keybd_event.USER32(0000005A,00000045,00000003,00000000), ref: 0048B5EF
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B610
keybd_event.USER32(00000059,00000045,00000001,00000000), ref: 0048B61D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B62A
keybd_event.USER32(00000059,00000045,00000003,00000000), ref: 0048B637
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B655
keybd_event.USER32(00000046,00000045,00000001,00000000), ref: 0048B662
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B66F
keybd_event.USER32(00000046,00000045,00000003,00000000), ref: 0048B67C

Strings

CTRLP, xrefs: 0048B56C
CTRLC, xrefs: 0048B4DC
CTRLV, xrefs: 0048B494
CTRLY, xrefs: 0048B5FC
CTRLF, xrefs: 0048B641
CTRLZ, xrefs: 0048B5B4
CTRLX, xrefs: 0048B524
CTRLA, xrefs: 0048B44C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428B08, Relevance: 48.5, APIs: 32, Instructions: 500 Total matches: 1987window

Similarity

Total matches: 1987
API ID: SelectObject$SelectPalette$CreateCompatibleDCGetDIBitsGetDeviceCapsRealizePaletteSetBkColorSetTextColor$BitBltCreateBitmapCreateCompatibleBitmapCreateDIBSectionDeleteDCFillRectGetDCGetDIBColorTableGetObjectPatBltSetDIBColorTable
String ID:
API String ID: 3042800676-0
Opcode ID: b8b687cee1c9a2d9d2f26bc490dbdcc6ec68fc2f2ec1aa58312beb2e349b1411
Instruction ID: ff68489d249ea03a763d48795c58495ac11dd1cccf96ec934182865f2a9e2114
Opcode Fuzzy Hash: E051494D0D8CF5C7B4BF29880993F5211816F83A27D2AB7130975677FB8A05A05BF21D
Instruction Fuzzy Hash: ff68489d249ea03a763d48795c58495ac11dd1cccf96ec934182865f2a9e2114

APIs

GetObjectA.GDI32(00000000,00000054,?), ref: 00428B88
GetDC.USER32(00000000), ref: 00428B99
CreateCompatibleDC.GDI32(00000000), ref: 00428BAA
CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 00428BF6
CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 00428C1A
GetDeviceCaps.GDI32(00000028,0000000C), ref: 00428C6A
GetDeviceCaps.GDI32(00000028,0000000E), ref: 00428C77
SelectObject.GDI32(?,?), ref: 00428D7F

Part of subcall function 004262B4: GetObjectA.GDI32(?,00000004), ref: 004262CB
Part of subcall function 004262B4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 004262EE

SelectObject.GDI32(?,00000000), ref: 00428D21
GetDIBColorTable.GDI32(?,00000000,00000100,-00000027), ref: 00428D47
GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428D72
CreateDIBSection.GDI32(00000028,00000001,00000000,00000003,00000000,00000000), ref: 00428DD5
GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428E36

Part of subcall function 00425A70: GetLastError.KERNEL32(00000000,00425B0C), ref: 00425A90
Part of subcall function 00425A70: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00425B0C), ref: 00425AB6

SelectObject.GDI32(?,?), ref: 00428E77
SelectPalette.GDI32(?,00000000,00000000), ref: 00428EB7
RealizePalette.GDI32(?), ref: 00428EC3
SelectPalette.GDI32(?,?,000000FF), ref: 004290CE

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?,00000000), ref: 00428F14
SetTextColor.GDI32(?,00000000), ref: 00428F2C
SetBkColor.GDI32(?,00000000), ref: 00428F46
SetDIBColorTable.GDI32(?,00000000,00000002,?), ref: 00428F8E
PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 00428FB0
CreateCompatibleDC.GDI32(00000028), ref: 00428FC3
SelectObject.GDI32(?,00000000), ref: 00428FE6
SelectPalette.GDI32(?,00000000,00000000), ref: 00429002
RealizePalette.GDI32(?), ref: 0042900D
DeleteDC.GDI32(?), ref: 004290A4

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetTextColor.GDI32(?,00000000), ref: 0042902B
SetBkColor.GDI32(?,00000000), ref: 00429045
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042906D
SelectPalette.GDI32(?,00000000,000000FF), ref: 0042907F
SelectObject.GDI32(?,00000000), ref: 00429089

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00458910, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64 Total matches: 3020window

Similarity

Total matches: 3020
API ID: GetWindowLongScreenToClient$GetWindowPlacementGetWindowRectIsIconic
String ID: ,
API String ID: 816554555-3772416878
Opcode ID: 33713ad712eb987f005f3c933c072ce84ce87073303cb20338137d5b66c4d54f
Instruction ID: 99fb2dd3f2d8984d329dcc6a20dc6bc7800d43894b91fc45d581d88d3a180e50
Opcode Fuzzy Hash: 34E0929A777C2018C58145A80943F5DB3519B5B7FAC55DF8036902895B110018B1B86D
Instruction Fuzzy Hash: 99fb2dd3f2d8984d329dcc6a20dc6bc7800d43894b91fc45d581d88d3a180e50

APIs

IsIconic.USER32(?), ref: 0045891F
GetWindowPlacement.USER32(?,0000002C), ref: 0045893C
GetWindowRect.USER32(?), ref: 00458955
GetWindowLongA.USER32(?,000000F0), ref: 00458963
GetWindowLongA.USER32(?,000000F8), ref: 00458978
ScreenToClient.USER32(00000000), ref: 00458985
ScreenToClient.USER32(00000000,?), ref: 00458990

Strings

,, xrefs: 00458928

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043B7D8, Relevance: 12.1, APIs: 8, Instructions: 72 Total matches: 256window

Similarity

Total matches: 256
API ID: ShowWindow$SetWindowLong$GetWindowLongIsIconicIsWindowVisible
String ID:
API String ID: 1329766111-0
Opcode ID: 851ee31c2da1c7e890e66181f8fd9237c67ccb8fd941b2d55d1428457ca3ad95
Instruction ID: 2d601e2c9dde570a1438639cb57e59d23a7ac9434ebe8ec1c9926e4533b8e8e7
Opcode Fuzzy Hash: FEE0684A6E7C6CE4E26AE7048881B00514BE307A17DC00B00C722165A69E8830E4AC8E
Instruction Fuzzy Hash: 2d601e2c9dde570a1438639cb57e59d23a7ac9434ebe8ec1c9926e4533b8e8e7

APIs

GetWindowLongA.USER32(?,000000EC), ref: 0043B7E8
IsIconic.USER32(?), ref: 0043B800
IsWindowVisible.USER32(?), ref: 0043B80C
ShowWindow.USER32(?,00000000), ref: 0043B840
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B855
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B866
ShowWindow.USER32(?,00000006), ref: 0043B881
ShowWindow.USER32(?,00000005), ref: 0043B88B

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004389B4, Relevance: 10.9, APIs: 7, Instructions: 405 Total matches: 2150windowCrypto

Similarity

Total matches: 2150
API ID: RestoreDCSaveDC$DefWindowProcGetSubMenuGetWindowDC
String ID:
API String ID: 4165311318-0
Opcode ID: e3974ea3235f2bde98e421c273a503296059dbd60f3116d5136c6e7e7c4a4110
Instruction ID: 37498faecac08611daeb58a409bdd2e28f3aff22c71556953c3d6c7203dc42a1
Opcode Fuzzy Hash: E351598106AE105BFCB3A49435C3FA31002E75259BCC9F7725F65B69F70A426107FA0E
Instruction Fuzzy Hash: 37498faecac08611daeb58a409bdd2e28f3aff22c71556953c3d6c7203dc42a1

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 00438ECA

Part of subcall function 00437AE0: SendMessageA.USER32(?,00000234,00000000,00000000), ref: 00437B66
Part of subcall function 00437AE0: DrawMenuBar.USER32(00000000), ref: 00437B77

GetSubMenu.USER32(?,?), ref: 00438AB0

Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128

SaveDC.GDI32(?), ref: 00438C84
RestoreDC.GDI32(?,?), ref: 00438CF8
GetWindowDC.USER32(?), ref: 00438D72
SaveDC.GDI32(?), ref: 00438DA9
RestoreDC.GDI32(?,?), ref: 00438E16

Part of subcall function 00438594: GetMenuItemCount.USER32(?), ref: 004385C0
Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 004385E0
Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 00438678

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043E644, Relevance: 10.9, APIs: 7, Instructions: 356 Total matches: 105windowCrypto

Similarity

Total matches: 105
API ID: RestoreDCSaveDC$GetParentGetWindowDCSetFocus
String ID:
API String ID: 1433148327-0
Opcode ID: c7c51054c34f8cc51c1d37cc0cdfc3fb3cac56433bd5d750a0ee7df42f9800ec
Instruction ID: 9e67841575b56d9a11e2d3f15b67e7abce699d8469a9871b1b2609441fc85f19
Opcode Fuzzy Hash: 60514740199E7193F47720842BC3BEAB09AF79671DC40F3616BC6318877F15A21AB70B
Instruction Fuzzy Hash: 9e67841575b56d9a11e2d3f15b67e7abce699d8469a9871b1b2609441fc85f19

APIs

Part of subcall function 00448224: SetActiveWindow.USER32(?), ref: 0044823F
Part of subcall function 00448224: SetFocus.USER32(00000000), ref: 00448289

SetFocus.USER32(00000000), ref: 0043E76F

Part of subcall function 0043F4F4: SendMessageA.USER32(00000000,00000229,00000000,00000000), ref: 0043F51B

Part of subcall function 0044D2F4: GetWindowThreadProcessId.USER32(?), ref: 0044D301
Part of subcall function 0044D2F4: GetCurrentProcessId.KERNEL32(?,00000000,?,004387ED,?,004378A9), ref: 0044D30A
Part of subcall function 0044D2F4: GlobalFindAtomA.KERNEL32(00000000), ref: 0044D31F
Part of subcall function 0044D2F4: GetPropA.USER32(?,00000000), ref: 0044D336

GetParent.USER32(?), ref: 0043E78A

Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128

SaveDC.GDI32(?), ref: 0043E92D
RestoreDC.GDI32(?,?), ref: 0043E99E
GetWindowDC.USER32(00000000), ref: 0043EA0A
SaveDC.GDI32(?), ref: 0043EA41
RestoreDC.GDI32(?,?), ref: 0043EAA5

Part of subcall function 00447EF0: InvalidateRect.USER32(00000000,00000000,000000FF), ref: 00447F83
Part of subcall function 00447EF0: InvalidateRect.USER32(00000000,00000000,000000FF), ref: 00447FB6

Part of subcall function 004556F4: SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000077), ref: 004557E5
Part of subcall function 004556F4: _TrackMouseEvent.COMCTL32(00000010), ref: 00455A9D
Part of subcall function 004556F4: DefWindowProcA.USER32(00000000,?,?,?), ref: 00455AEF
Part of subcall function 004556F4: GetCapture.USER32 ref: 00455B5A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004714B8, Relevance: 10.6, APIs: 7, Instructions: 89 Total matches: 71service

Similarity

Total matches: 71
API ID: CloseServiceHandle$ControlServiceOpenSCManagerOpenServiceQueryServiceStatusStartService
String ID:
API String ID: 3657116338-0
Opcode ID: 1e9d444eec48d0e419340f6fec950ff588b94c8e7592a950f99d2ba7664d31f8
Instruction ID: f731b938185626ba78ad74946a73eac4c40bc8709c87a2b6d5c22da45b1e1850
Opcode Fuzzy Hash: EDF0270D12C6E85FF119A88C1181B67D992DF56795E4A37E04715744CB1AE21008FA1E
Instruction Fuzzy Hash: f731b938185626ba78ad74946a73eac4c40bc8709c87a2b6d5c22da45b1e1850

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047159E), ref: 004714FD
OpenServiceA.ADVAPI32(00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047152D
StartServiceA.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471555
ControlService.ADVAPI32(00000000,00000001,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471563
QueryServiceStatus.ADVAPI32(00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047156D
CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471573
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471579

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E370, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 46 Total matches: 14window

Similarity

Total matches: 14
API ID: GetWindowPlacementGetWindowRectIsIconic
String ID: MonitorFromWindow$pB
API String ID: 1187573753-2555291889
Opcode ID: b2662cef33c9ce970c581efdfdde34e0c8b40e940518fa378c404c4b73bde14f
Instruction ID: 5a6b2a18135ea14e651d4e6cb58f3d6b41c3321aed1c605d56f3d84144375520
Opcode Fuzzy Hash: E2D0977303280A045DC34844302880B2A322AD3C3188C3FE182332B3D34B8630BCCF1D
Instruction Fuzzy Hash: 5a6b2a18135ea14e651d4e6cb58f3d6b41c3321aed1c605d56f3d84144375520

APIs

IsIconic.USER32(?), ref: 0042E3B9
GetWindowPlacement.USER32(?,?), ref: 0042E3C7
GetWindowRect.USER32(?,?), ref: 0042E3D3

Part of subcall function 0042E2E0: GetSystemMetrics.USER32(00000000), ref: 0042E331
Part of subcall function 0042E2E0: GetSystemMetrics.USER32(00000001), ref: 0042E33D

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

pB, xrefs: 0042E38C, 0042E399, 0042E3A0
MonitorFromWindow, xrefs: 0042E387

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004715B0, Relevance: 7.5, APIs: 5, Instructions: 49 Total matches: 102service

Similarity

Total matches: 102
API ID: CloseServiceHandle$DeleteServiceOpenSCManagerOpenService
String ID:
API String ID: 3460840894-0
Opcode ID: edfa3289dfdb26ec1f91a4a945de349b204e0a604ed3354c303b362bde8b8223
Instruction ID: 514bcffe4070602af344c66095507f6a8d55ec3e3e7bb18c804bf3b7deea95f5
Opcode Fuzzy Hash: 01D02E841BA8F82FD4879988111239360C1AA23A90D8A37F08E08361D3ABE4004CF86A
Instruction Fuzzy Hash: 514bcffe4070602af344c66095507f6a8d55ec3e3e7bb18c804bf3b7deea95f5

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047162F), ref: 004715DB
OpenServiceA.ADVAPI32(00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 004715F5
DeleteService.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471601
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 0047160E
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471614

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00466038, Relevance: 6.1, APIs: 4, Instructions: 80 Total matches: 74memory

Similarity

Total matches: 74
API ID: FreeLibraryGetProcessHeapHeapFreeVirtualFree
String ID:
API String ID: 3842653680-0
Opcode ID: 18c634abe08efcbefc55c9db1d620b030a08f63fe7277eb6ecf1dfb863243027
Instruction ID: c74000fe1f08e302fb3e428a7eb38cba65dd626a731774cc3da5921c0d19fb8b
Opcode Fuzzy Hash: 05E06801058482C6E4EC38C40607F0867817F8B269D70AB2809F62E7F7C985A25D5E80
Instruction Fuzzy Hash: c74000fe1f08e302fb3e428a7eb38cba65dd626a731774cc3da5921c0d19fb8b

APIs

FreeLibrary.KERNEL32(00000000,?,?,00000000,?,00000000,00465C6C), ref: 004660A7
VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,?,00000000,00465C6C), ref: 004660D8
GetProcessHeap.KERNEL32(00000000,?,?,?,00000000,?,00000000,00465C6C), ref: 004660E0
HeapFree.KERNEL32(00000000,00000000,?), ref: 004660E6

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A218, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45 Total matches: 35

Similarity

Total matches: 35
API ID: ShellExecuteEx
String ID: <$runas
API String ID: 188261505-1187129395
Opcode ID: 78fd917f465efea932f782085a819b786d64ecbded851ad2becd4a9c2b295cba
Instruction ID: 699417cfffd9d2823bf050fc300394e0ca4864bf277244f982f3937778f2d3bc
Opcode Fuzzy Hash: 44D0C2651799A06BC4A3B2C03C41B2B25307B13B48C0EB722960034CD38F080009EF85
Instruction Fuzzy Hash: 699417cfffd9d2823bf050fc300394e0ca4864bf277244f982f3937778f2d3bc

APIs

ShellExecuteExA.SHELL32(0000003C,00000000,0048A2A4), ref: 0048A283

Strings

runas, xrefs: 0048A268
<, xrefs: 0048A24C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00471640, Relevance: 4.6, APIs: 3, Instructions: 140 Total matches: 47service

Similarity

Total matches: 47
API ID: CloseServiceHandleEnumServicesStatusOpenSCManager
String ID:
API String ID: 233299287-0
Opcode ID: 185c547a2e6a35dbb7ea54b3dd23c7efef250d35a63269c87f9c499be03b9b38
Instruction ID: 4325fe5331610a1e4ee3b19dd885bf5302e7ab4f054d8126da991c50fe425a8d
Opcode Fuzzy Hash: D3112647077BC223FB612D841803F8279D84B1AA24F8C4B458BB5BC6F61E490105F69D
Instruction Fuzzy Hash: 4325fe5331610a1e4ee3b19dd885bf5302e7ab4f054d8126da991c50fe425a8d

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000005,00000000,00471828), ref: 004716A2
EnumServicesStatusA.ADVAPI32(00000000,0000013F,00000003,?,00004800,?,?,?), ref: 004716DC

Part of subcall function 004714B8: OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047159E), ref: 004714FD
Part of subcall function 004714B8: OpenServiceA.ADVAPI32(00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047152D
Part of subcall function 004714B8: StartServiceA.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471555
Part of subcall function 004714B8: ControlService.ADVAPI32(00000000,00000001,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471563
Part of subcall function 004714B8: QueryServiceStatus.ADVAPI32(00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047156D
Part of subcall function 004714B8: CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471573
Part of subcall function 004714B8: CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471579

CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000005,00000000,00471828), ref: 00471805

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004104F0, Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141 Total matches: 3143

Similarity

Total matches: 3143
API ID: GetModuleHandle
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$[FILE]
API String ID: 2196120668-1102361026
Opcode ID: d04b3c176625d43589df9c4c1eaa1faa8af9b9c00307a8a09859a0e62e75f2dc
Instruction ID: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6
Opcode Fuzzy Hash: B8119E48E06A10BC356E3ED6B0292683F50A1A7CBF31D5388487AA46F067C083C0FF2D
Instruction Fuzzy Hash: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 004104F9

Part of subcall function 004104C4: GetProcAddress.KERNEL32(00000000), ref: 004104DD

Strings

VarMod, xrefs: 004105B7
VarBstrFromCy, xrefs: 004106A9
VarBstrFromBool, xrefs: 004106D5
VarAnd, xrefs: 004105CD
VarDateFromStr, xrefs: 00410667
oleaut32.dll, xrefs: 004104F4
VariantChangeTypeEx, xrefs: 00410507
VarCmp, xrefs: 0041060F
VarBstrFromDate, xrefs: 004106BF
VarBoolFromStr, xrefs: 00410693
VarR8FromStr, xrefs: 00410651
VarR4FromStr, xrefs: 0041063B
VarDiv, xrefs: 0041058B
VarSub, xrefs: 0041055F
VarNeg, xrefs: 0041051D
VarAdd, xrefs: 00410549
VarOr, xrefs: 004105E3
VarMul, xrefs: 00410575
VarI4FromStr, xrefs: 00410625
VarCyFromStr, xrefs: 0041067D
VarIdiv, xrefs: 004105A1
VarXor, xrefs: 004105F9
VarNot, xrefs: 00410533

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004291D0, Relevance: 31.7, APIs: 21, Instructions: 194 Total matches: 3060window

Similarity

Total matches: 3060
API ID: SelectObject$CreateCompatibleDCDeleteDCRealizePaletteSelectPaletteSetBkColor$BitBltCreateBitmapDeleteObjectGetDCGetObjectPatBltReleaseDC
String ID:
API String ID: 628774946-0
Opcode ID: fe3971f2977393a3c43567018b8bbe78de127415e632ac21538e816cc0dd5250
Instruction ID: 6115c1c3159ef7867d394253bd6a45f4e10092e6f2e7cc69ab30c5ac2c74a228
Opcode Fuzzy Hash: 2911294A05CCF32B64B579881983B261182FE43B52CABF7105979272CACF41740DE457
Instruction Fuzzy Hash: 6115c1c3159ef7867d394253bd6a45f4e10092e6f2e7cc69ab30c5ac2c74a228

APIs

GetObjectA.GDI32(?,00000054,?), ref: 004291F3
GetDC.USER32(00000000), ref: 00429221
CreateCompatibleDC.GDI32(?), ref: 00429232
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0042924D
SelectObject.GDI32(?,00000000), ref: 00429267
PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 00429289
CreateCompatibleDC.GDI32(?), ref: 00429297
DeleteDC.GDI32(?), ref: 0042937D

Part of subcall function 00428B08: GetObjectA.GDI32(00000000,00000054,?), ref: 00428B88
Part of subcall function 00428B08: GetDC.USER32(00000000), ref: 00428B99
Part of subcall function 00428B08: CreateCompatibleDC.GDI32(00000000), ref: 00428BAA
Part of subcall function 00428B08: CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 00428BF6
Part of subcall function 00428B08: CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 00428C1A
Part of subcall function 00428B08: GetDeviceCaps.GDI32(00000028,0000000C), ref: 00428C6A
Part of subcall function 00428B08: GetDeviceCaps.GDI32(00000028,0000000E), ref: 00428C77
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00428D21
Part of subcall function 00428B08: GetDIBColorTable.GDI32(?,00000000,00000100,-00000027), ref: 00428D47
Part of subcall function 00428B08: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428D72
Part of subcall function 00428B08: SelectObject.GDI32(?,?), ref: 00428D7F
Part of subcall function 00428B08: CreateDIBSection.GDI32(00000028,00000001,00000000,00000003,00000000,00000000), ref: 00428DD5
Part of subcall function 00428B08: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428E36
Part of subcall function 00428B08: SelectObject.GDI32(?,?), ref: 00428E77
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,00000000), ref: 00428EB7
Part of subcall function 00428B08: RealizePalette.GDI32(?), ref: 00428EC3
Part of subcall function 00428B08: FillRect.USER32(?,?,00000000), ref: 00428F14
Part of subcall function 00428B08: SetTextColor.GDI32(?,00000000), ref: 00428F2C
Part of subcall function 00428B08: SetBkColor.GDI32(?,00000000), ref: 00428F46
Part of subcall function 00428B08: SetDIBColorTable.GDI32(?,00000000,00000002,?), ref: 00428F8E
Part of subcall function 00428B08: PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 00428FB0
Part of subcall function 00428B08: CreateCompatibleDC.GDI32(00000028), ref: 00428FC3
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00428FE6
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,00000000), ref: 00429002
Part of subcall function 00428B08: RealizePalette.GDI32(?), ref: 0042900D
Part of subcall function 00428B08: SetTextColor.GDI32(?,00000000), ref: 0042902B
Part of subcall function 00428B08: SetBkColor.GDI32(?,00000000), ref: 00429045
Part of subcall function 00428B08: BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042906D
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,000000FF), ref: 0042907F
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00429089
Part of subcall function 00428B08: DeleteDC.GDI32(?), ref: 004290A4
Part of subcall function 00428B08: SelectPalette.GDI32(?,?,000000FF), ref: 004290CE

SelectObject.GDI32(?), ref: 004292DF
SelectPalette.GDI32(?,?,00000000), ref: 004292F2
RealizePalette.GDI32(?), ref: 004292FB
SelectPalette.GDI32(?,?,00000000), ref: 00429307
RealizePalette.GDI32(?), ref: 00429310
SetBkColor.GDI32(?), ref: 0042931A
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042933E
SetBkColor.GDI32(?,00000000), ref: 00429348
SelectObject.GDI32(?,00000000), ref: 0042935B
DeleteObject.GDI32 ref: 00429367
SelectObject.GDI32(?,00000000), ref: 00429398
DeleteDC.GDI32(00000000), ref: 004293B4
ReleaseDC.USER32(00000000,00000000), ref: 004293C5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004031FC, Relevance: 27.1, APIs: 9, Strings: 9, Instructions: 110 Total matches: 169

Similarity

Total matches: 169
API ID: CharNext
String ID: $ $ $"$"$"$"$"$"
API String ID: 3213498283-3597982963
Opcode ID: a78e52ca640c3a7d11d18e4cac849d6c7481ab065be4a6ef34a7c34927dd7892
Instruction ID: 5d6dbb870b020a65ba4fa9e31a5dda400ef744f15fc7bff5e21739e263984da5
Opcode Fuzzy Hash: D0F054139ED4432360976B416872B44E2D0DF9564D2C01F185B62BE2F31E696D62F9DC
Instruction Fuzzy Hash: 5d6dbb870b020a65ba4fa9e31a5dda400ef744f15fc7bff5e21739e263984da5

APIs

CharNextA.USER32(00000000), ref: 00403208
CharNextA.USER32(00000000), ref: 00403236
CharNextA.USER32(00000000), ref: 00403240
CharNextA.USER32(00000000), ref: 0040325F
CharNextA.USER32(00000000), ref: 00403269
CharNextA.USER32(00000000), ref: 00403295
CharNextA.USER32(00000000), ref: 0040329F
CharNextA.USER32(00000000), ref: 004032C7
CharNextA.USER32(00000000), ref: 004032D1

Strings

", xrefs: 00403230
, xrefs: 004032E9
", xrefs: 0040328F
", xrefs: 0040321E
, xrefs: 00403214
", xrefs: 00403254
, xrefs: 00403278
", xrefs: 00403219
", xrefs: 004032BC

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00472E88, Relevance: 26.4, APIs: 6, Strings: 9, Instructions: 199 Total matches: 19network

Similarity

Total matches: 19
API ID: inet_ntoa$WSAIoctlclosesocketsocket
String ID: Broadcast adress : $ Broadcasts : NO$ Broadcasts : YES$ IP : $ IP Mask : $ Loopback interface$ Network interface$ Status : DOWN$ Status : UP
API String ID: 2271367613-1810517698
Opcode ID: 3d4dbe25dc82bdd7fd028c6f91bddee7ad6dc1d8a686e5486e056cbc58026438
Instruction ID: 018b2a24353d4e3a07e7e79b390110fecb7011e72bd4e8fb6250bb24c4a02172
Opcode Fuzzy Hash: E22138C22338E1B2D42A39C6B500F80B651671FB7EF481F9652B6FFDC26E488005A749
Instruction Fuzzy Hash: 018b2a24353d4e3a07e7e79b390110fecb7011e72bd4e8fb6250bb24c4a02172

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00473108), ref: 00472EC7
WSAIoctl.WS2_32(000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000), ref: 00472F08
inet_ntoa.WSOCK32(?,00000000,004730D5,?,00000002,00000001,00000000,00000000,00473108), ref: 00472F40
inet_ntoa.WSOCK32(?,00473130,?, IP : ,?,?,00000000,004730D5,?,00000002,00000001,00000000,00000000,00473108), ref: 00472F81
inet_ntoa.WSOCK32(?,00473130,?, IP Mask : ,?,?,00473130,?, IP : ,?,?,00000000,004730D5,?,00000002,00000001), ref: 00472FC2
closesocket.WSOCK32(000000FF,00000002,00000001,00000000,00000000,00473108), ref: 004730E3

Strings

Broadcast adress : , xrefs: 00472FCB
Status : UP, xrefs: 00473001
IP Mask : , xrefs: 00472F8A
Broadcasts : NO, xrefs: 00473057
Status : DOWN, xrefs: 0047301B
IP : , xrefs: 00472F49
Broadcasts : YES, xrefs: 0047303D
Network interface, xrefs: 00473091
Loopback interface, xrefs: 00473077

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045944C, Relevance: 25.8, APIs: 17, Instructions: 258 Total matches: 99

Similarity

Total matches: 99
API ID: OffsetRect$MapWindowPoints$DrawEdgeExcludeClipRectFillRectGetClientRectGetRgnBoxGetWindowDCGetWindowLongGetWindowRectInflateRectIntersectClipRectIntersectRectReleaseDC
String ID:
API String ID: 549690890-0
Opcode ID: 4a5933c45267f4417683cc1ac528043082b1f46eca0dcd21c58a50742ec4aa88
Instruction ID: 2ecbe6093ff51080a4fa1a6c7503b414327ded251fe39163baabcde2d7402924
Opcode Fuzzy Hash: DE316B4D01AF1663F073A6401983F7A1516FF43A89CD837F27EE63235E27662066AA03
Instruction Fuzzy Hash: 2ecbe6093ff51080a4fa1a6c7503b414327ded251fe39163baabcde2d7402924

APIs

GetWindowDC.USER32(00000000), ref: 00459480
GetClientRect.USER32(00000000,?), ref: 004594A3
GetWindowRect.USER32(00000000,?), ref: 004594B5
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 004594CB
OffsetRect.USER32(?,?,?), ref: 004594E0
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 004594F9
InflateRect.USER32(?,00000000,00000000), ref: 00459517
GetWindowLongA.USER32(00000000,000000F0), ref: 00459531
DrawEdge.USER32(?,?,?,00000008), ref: 00459630
IntersectClipRect.GDI32(?,?,?,?,?), ref: 00459649
OffsetRect.USER32(?,?,?), ref: 00459673
GetRgnBox.GDI32(?,?), ref: 00459682
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 00459698
IntersectRect.USER32(?,?,?), ref: 004596A9
OffsetRect.USER32(?,?,?), ref: 004596BE

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?,00000000), ref: 004596DA
ReleaseDC.USER32(00000000,?), ref: 004596F9

Part of subcall function 004328FC: GetWindowLongA.USER32(00000000,000000EC), ref: 00432917
Part of subcall function 004328FC: GetWindowRect.USER32(00000000,?), ref: 00432932
Part of subcall function 004328FC: OffsetRect.USER32(?,?,?), ref: 00432947
Part of subcall function 004328FC: GetWindowDC.USER32(00000000), ref: 00432955
Part of subcall function 004328FC: GetWindowLongA.USER32(00000000,000000F0), ref: 00432986
Part of subcall function 004328FC: GetSystemMetrics.USER32(00000002), ref: 0043299B
Part of subcall function 004328FC: GetSystemMetrics.USER32(00000003), ref: 004329A4
Part of subcall function 004328FC: InflateRect.USER32(?,000000FE,000000FE), ref: 004329B3
Part of subcall function 004328FC: GetSysColorBrush.USER32(0000000F), ref: 004329E0
Part of subcall function 004328FC: FillRect.USER32(?,?,00000000), ref: 004329EE
Part of subcall function 004328FC: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00432A13
Part of subcall function 004328FC: ReleaseDC.USER32(00000000,?), ref: 00432A51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004296E0, Relevance: 21.2, APIs: 14, Instructions: 217 Total matches: 2962window

Similarity

Total matches: 2962
API ID: GetDeviceCapsSelectObjectSelectPaletteSetStretchBltMode$CreateCompatibleDCDeleteDCGetBrushOrgExRealizePaletteSetBrushOrgExStretchBlt
String ID:
API String ID: 3308931694-0
Opcode ID: c4f23efe5e20e7f72d9787206ae9d4d4484ef6a1768b369050ebc0ce3d21af64
Instruction ID: 6e80a75276815f297b150d1899ec2451361d21afa1efcd092d0d7bc48a04164e
Opcode Fuzzy Hash: 2C21980A409CEB6BF0BB78840183F4A2285BF9B34ACD1BB210E64673635F04E40BD65F
Instruction Fuzzy Hash: 6e80a75276815f297b150d1899ec2451361d21afa1efcd092d0d7bc48a04164e

APIs

Part of subcall function 00429D5C: GetDC.USER32(00000000), ref: 00429DB2
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429DC7
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00429DD1
Part of subcall function 00429D5C: CreateHalftonePalette.GDI32(00000000), ref: 00429DF5
Part of subcall function 00429D5C: ReleaseDC.USER32(00000000,00000000), ref: 00429E00

SelectPalette.GDI32(?,?,000000FF), ref: 00429723
RealizePalette.GDI32(?), ref: 00429732
GetDeviceCaps.GDI32(?,0000000C), ref: 00429744
GetDeviceCaps.GDI32(?,0000000E), ref: 00429753
GetBrushOrgEx.GDI32(?,?), ref: 00429786
SetStretchBltMode.GDI32(?,00000004), ref: 00429794
SetBrushOrgEx.GDI32(?,?,?,?), ref: 004297AC
SetStretchBltMode.GDI32(00000000,00000003), ref: 004297C9
SelectPalette.GDI32(?,?,000000FF), ref: 00429918

Part of subcall function 00429CFC: DeleteObject.GDI32(?), ref: 00429D1F

CreateCompatibleDC.GDI32(00000000), ref: 0042982A
SelectObject.GDI32(?,?), ref: 0042983F

Part of subcall function 00425CC8: CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 00425D0B
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425D20
Part of subcall function 00425CC8: MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,CCAA0029), ref: 00425D64
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425D7E
Part of subcall function 00425CC8: DeleteObject.GDI32(?), ref: 00425D8A
Part of subcall function 00425CC8: CreateCompatibleDC.GDI32(00000000), ref: 00425D9E
Part of subcall function 00425CC8: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00425DBF
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425DD4
Part of subcall function 00425CC8: SelectPalette.GDI32(?,48080787,00000000), ref: 00425DE8
Part of subcall function 00425CC8: SelectPalette.GDI32(?,?,00000000), ref: 00425DFA
Part of subcall function 00425CC8: SelectPalette.GDI32(?,00000000,000000FF), ref: 00425E0F
Part of subcall function 00425CC8: SelectPalette.GDI32(?,48080787,000000FF), ref: 00425E25
Part of subcall function 00425CC8: RealizePalette.GDI32(?), ref: 00425E31
Part of subcall function 00425CC8: StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 00425E53
Part of subcall function 00425CC8: StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 00425E75
Part of subcall function 00425CC8: SetTextColor.GDI32(?,00000000), ref: 00425E7D
Part of subcall function 00425CC8: SetBkColor.GDI32(?,00FFFFFF), ref: 00425E8B
Part of subcall function 00425CC8: StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 00425EB7
Part of subcall function 00425CC8: StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 00425EDC
Part of subcall function 00425CC8: SetTextColor.GDI32(?,?), ref: 00425EE6
Part of subcall function 00425CC8: SetBkColor.GDI32(?,?), ref: 00425EF0
Part of subcall function 00425CC8: SelectObject.GDI32(?,00000000), ref: 00425F03
Part of subcall function 00425CC8: DeleteObject.GDI32(?), ref: 00425F0C
Part of subcall function 00425CC8: SelectPalette.GDI32(?,00000000,00000000), ref: 00425F2E
Part of subcall function 00425CC8: DeleteDC.GDI32(?), ref: 00425F37

SelectObject.GDI32(?,00000000), ref: 0042989E
DeleteDC.GDI32(00000000), ref: 004298AD
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,?), ref: 004298F3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048D3C4, Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 132 Total matches: 32

Similarity

Total matches: 32
API ID: GetVersionEx
String ID: Unknow$Windows 2000$Windows 7$Windows 95$Windows 98$Windows Me$Windows NT 4.0$Windows Server 2003$Windows Vista$Windows XP
API String ID: 3908303307-3783844371
Opcode ID: 7b5a5832e5fd12129a8a2e2906a492b9449b8df28a17af9cc2e55bced20de565
Instruction ID: b844ed6b70e0e94de659292c354b68b9ed016400ab421bcb6baea74a0809c2ae
Opcode Fuzzy Hash: 0C11ACC1EB6CE422E7B219486410BD59E805F8B83AFCCC343D63EA83E46D491419F22D
Instruction Fuzzy Hash: b844ed6b70e0e94de659292c354b68b9ed016400ab421bcb6baea74a0809c2ae

APIs

GetVersionExA.KERNEL32(00000094), ref: 0048D410

Strings

Windows Me, xrefs: 0048D4F2
Windows NT 4.0, xrefs: 0048D441
Windows 2000, xrefs: 0048D467
Windows 95, xrefs: 0048D4D6
Windows 7, xrefs: 0048D4B1
Unknow, xrefs: 0048D3F5
Windows Vista, xrefs: 0048D4A3
Windows Server 2003, xrefs: 0048D486
Windows XP, xrefs: 0048D478
Windows 98, xrefs: 0048D4E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00442280, Relevance: 18.5, APIs: 12, Instructions: 471 Total matches: 76window

Similarity

Total matches: 76
API ID: ShowWindow$SendMessageSetWindowPos$CallWindowProcGetActiveWindowSetActiveWindow
String ID:
API String ID: 1078102291-0
Opcode ID: 5a6bc4dc446307c7628f18d730adac2faaaadfe5fec0ff2c8aaad915570e293a
Instruction ID: d2d7a330045c082ee8847ac264425c59ea8f05af409e416109ccbd6a8a647aa5
Opcode Fuzzy Hash: AA512601698E2453F8A360442A87BAB6077F74EB54CC4AB744BCF530AB3A51D837E74B
Instruction Fuzzy Hash: d2d7a330045c082ee8847ac264425c59ea8f05af409e416109ccbd6a8a647aa5

APIs

Part of subcall function 004471C4: IsChild.USER32(00000000,00000000), ref: 00447222

SendMessageA.USER32(?,00000223,00000000,00000000), ref: 004426BE
ShowWindow.USER32(00000000,00000003), ref: 004426CE
ShowWindow.USER32(00000000,00000002), ref: 004426F0
CallWindowProcA.USER32(00407FF8,00000000,00000005,00000000,?), ref: 00442719
SendMessageA.USER32(?,00000234,00000000,00000000), ref: 0044273E
ShowWindow.USER32(00000000,?), ref: 00442763
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000097), ref: 004427FF
GetActiveWindow.USER32 ref: 00442815
ShowWindow.USER32(00000000,00000000), ref: 00442872

Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773

Part of subcall function 0043BA80: GetCurrentThreadId.KERNEL32(Function_0003BA1C,00000000,0044283C,00000000,004428BF), ref: 0043BA9A
Part of subcall function 0043BA80: EnumThreadWindows.USER32(00000000,Function_0003BA1C,00000000), ref: 0043BAA0

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000097), ref: 0044285A
SetActiveWindow.USER32(00000000), ref: 00442860
ShowWindow.USER32(00000000,00000001), ref: 004428A2

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004328FC, Relevance: 18.1, APIs: 12, Instructions: 142 Total matches: 2670

Similarity

Total matches: 2670
API ID: GetSystemMetricsGetWindowLong$ExcludeClipRectFillRectGetSysColorBrushGetWindowDCGetWindowRectInflateRectOffsetRectReleaseDC
String ID:
API String ID: 3932036319-0
Opcode ID: 76064c448b287af48dc2af56ceef959adfeb7e49e56a31cb381aae6292753b0b
Instruction ID: f04c829c48dd0ecc4740a09c532db4e7ffce190e9eba6ce852bb2d0274806371
Opcode Fuzzy Hash: 03019760024F1233E0B31AC05DC7F127621ED45386CA4BBF28BF6A72C962AA7006F467
Instruction Fuzzy Hash: f04c829c48dd0ecc4740a09c532db4e7ffce190e9eba6ce852bb2d0274806371

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 00432917
GetWindowRect.USER32(00000000,?), ref: 00432932
OffsetRect.USER32(?,?,?), ref: 00432947
GetWindowDC.USER32(00000000), ref: 00432955
GetWindowLongA.USER32(00000000,000000F0), ref: 00432986
GetSystemMetrics.USER32(00000002), ref: 0043299B
GetSystemMetrics.USER32(00000003), ref: 004329A4
InflateRect.USER32(?,000000FE,000000FE), ref: 004329B3
GetSysColorBrush.USER32(0000000F), ref: 004329E0
FillRect.USER32(?,?,00000000), ref: 004329EE
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00432A13
ReleaseDC.USER32(00000000,?), ref: 00432A51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00402820, Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 254 Total matches: 200window

Similarity

Total matches: 200
API ID: MessageBox
String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
API String ID: 1250089747-1256731999
Opcode ID: 490897b8e9acac750f9d51d50a768472c0795dbdc6439b18441db86d626ce938
Instruction ID: 76dfa530adb1b8c2cc13e2667be7c25ba156ed0594aa9714788bfb3d1a0eda85
Opcode Fuzzy Hash: 0731F44BA7DDC3A2D3E91303684575550E2A7C5537C888F609772317F6EE04250BAAAD
Instruction Fuzzy Hash: 76dfa530adb1b8c2cc13e2667be7c25ba156ed0594aa9714788bfb3d1a0eda85

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 00402BBE

Strings

An unexpected memory leak has occurred. , xrefs: 00402980
String, xrefs: 00402A91
, xrefs: 00402B04
Unknown, xrefs: 00402A7C
The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402B39
The unexpected small block leaks are:, xrefs: 004029F7
Unexpected Memory Leak, xrefs: 00402BB0
7, xrefs: 00402991
bytes: , xrefs: 00402A4D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F17C, Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 116 Total matches: 33window

Similarity

Total matches: 33
API ID: GetWindowPlacementGetWindowTextIsWindowVisible
String ID: ,$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive$True
API String ID: 41250382-511446200
Opcode ID: 2a93bd2407602c988be198f02ecb64933adb9ffad78aee0f75abc9a1a22a1849
Instruction ID: 8f95e1a452f283c9d6a5f9db166b7f7b6e325fa1ebf04232aa01919826a7e185
Opcode Fuzzy Hash: F5012D8237CECA73DA0AAEC47C00B80D5A5AF63224CC867A14A9D3D1D41ED06009AB4A
Instruction Fuzzy Hash: 8f95e1a452f283c9d6a5f9db166b7f7b6e325fa1ebf04232aa01919826a7e185

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F1D2
GetWindowPlacement.USER32(?,0000002C), ref: 0046F1ED
IsWindowVisible.USER32(?), ref: 0046F258

Part of subcall function 0046F148: GetWindow.USER32(?,00000005), ref: 0046F156
Part of subcall function 0046F148: GetWindow.USER32(00000000,00000002), ref: 0046F164

Strings

,, xrefs: 0046F1E1
Minimized, xrefs: 0046F225
Show/Unactive, xrefs: 0046F239
True, xrefs: 0046F2AA
Maximized, xrefs: 0046F1FD
Normal, xrefs: 0046F211
Normal/Unactive, xrefs: 0046F24D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E71C, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 109 Total matches: 2989

Similarity

Total matches: 2989
API ID: IntersectRect$GetSystemMetrics$EnumDisplayMonitorsGetClipBoxGetDCOrgExOffsetRect
String ID: EnumDisplayMonitors
API String ID: 2403121106-2491903729
Opcode ID: 52db4d6629bbd73772140d7e04a91d47a072080cb3515019dbe85a8b86b11587
Instruction ID: b4557ab74b20c8893b9e8c5043286aecf6e43751f6ec849995a879e485a4fa77
Opcode Fuzzy Hash: 60F02B4B413C0863AD32BB953067E2601615BD3955C9F7BF34D077A2091B85B42EF643
Instruction Fuzzy Hash: b4557ab74b20c8893b9e8c5043286aecf6e43751f6ec849995a879e485a4fa77

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 0042E755
GetSystemMetrics.USER32(00000000), ref: 0042E77A
GetSystemMetrics.USER32(00000001), ref: 0042E785
GetClipBox.GDI32(?,?), ref: 0042E797
GetDCOrgEx.GDI32(?,?), ref: 0042E7A4
OffsetRect.USER32(?,?,?), ref: 0042E7BD
IntersectRect.USER32(?,?,?), ref: 0042E7CE
IntersectRect.USER32(?,?,?), ref: 0042E7E4
IntersectRect.USER32(?,?,?), ref: 0042E804

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

EnumDisplayMonitors, xrefs: 0042E734

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044D1B0, Relevance: 16.6, APIs: 11, Instructions: 91 Total matches: 309

Similarity

Total matches: 309
API ID: GetWindowLongSetWindowLong$SetProp$IsWindowUnicode
String ID:
API String ID: 2416549522-0
Opcode ID: cc33e88019e13a6bdd1cd1f337bb9aa08043e237bf24f75c2294c70aefb51ea5
Instruction ID: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692
Opcode Fuzzy Hash: 47F09048455D92E9CE316990181BFEB6098AF57F91CE86B0469C2713778E50F079BCC2
Instruction Fuzzy Hash: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692

APIs

IsWindowUnicode.USER32(?), ref: 0044D1CA
SetWindowLongW.USER32(?,000000FC,?), ref: 0044D1E5
GetWindowLongW.USER32(?,000000F0), ref: 0044D1F0
GetWindowLongW.USER32(?,000000F4), ref: 0044D202
SetWindowLongW.USER32(?,000000F4,?), ref: 0044D215
SetWindowLongA.USER32(?,000000FC,?), ref: 0044D22E
GetWindowLongA.USER32(?,000000F0), ref: 0044D239
GetWindowLongA.USER32(?,000000F4), ref: 0044D24B
SetWindowLongA.USER32(?,000000F4,?), ref: 0044D25E
SetPropA.USER32(?,00000000,00000000), ref: 0044D275
SetPropA.USER32(?,00000000,00000000), ref: 0044D28C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00462C84, Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 197 Total matches: 15com

Similarity

Total matches: 15
API ID: CoCreateInstance
String ID: )I$,*I$\)I$l)I$|*I
API String ID: 206711758-730570145
Opcode ID: 8999b16d8999ffb1a836ee872fd39b0ec17270f551e5dbcbb19cdec74f308aa7
Instruction ID: 5b7ba80d8099b44c35cabc3879083aa44c7049928a8bf14f2fd8312944c66e37
Opcode Fuzzy Hash: D1212B50148E6143E69475A53D92FAF11533BAB341E68BA6821DF30396CF01619BBF86
Instruction Fuzzy Hash: 5b7ba80d8099b44c35cabc3879083aa44c7049928a8bf14f2fd8312944c66e37

APIs

CoCreateInstance.OLE32(00492A2C,00000000,00000003,0049296C,00000000), ref: 00462CC9
CoCreateInstance.OLE32(00492A8C,00000000,00000001,00462EC8,00000000), ref: 00462CF4
CoCreateInstance.OLE32(00492A9C,00000000,00000001,0049295C,00000000), ref: 00462D20
CoCreateInstance.OLE32(00492A1C,00000000,00000003,004929AC,00000000), ref: 00462E12

Strings

,*I, xrefs: 00462CC3
l)I, xrefs: 00462CB9
)I, xrefs: 00462E4B
\)I, xrefs: 00462D10
|*I, xrefs: 00462D3C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048485C, Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 185 Total matches: 16networkfile

Similarity

Total matches: 16
API ID: HttpQueryInfoInternetCloseHandleInternetOpenInternetOpenUrlInternetReadFileShellExecute
String ID: 200$Mozilla$open
API String ID: 3970492845-1265730427
Opcode ID: 3dc36a46b375420b33b8be952117d0a4158fa58e722c19be8f44cfd6d7effa21
Instruction ID: c028a43d89851b06b6d8b312316828d3eee8359a726d0fa9a5f52c6647499b4f
Opcode Fuzzy Hash: B0213B401399C252F8372E512C83B9D101FDF82639F8857F197B9396D5EF48400DFA9A
Instruction Fuzzy Hash: c028a43d89851b06b6d8b312316828d3eee8359a726d0fa9a5f52c6647499b4f

APIs

InternetOpenA.WININET(Mozilla,00000001,00000000,00000000,00000000), ref: 0048490C
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,04000000,00000000), ref: 00484944
HttpQueryInfoA.WININET(00000000,00000013,?,00000200,?), ref: 0048497D
InternetReadFile.WININET(00000000,?,00000400,?), ref: 00484A04
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 00484A75
InternetCloseHandle.WININET(00000000), ref: 00484A95

Strings

200, xrefs: 004849BD
Mozilla, xrefs: 00484907
open, xrefs: 00484A6E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F3B8, Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 110 Total matches: 30

Similarity

Total matches: 30
API ID: GetWindowPlacementGetWindowText
String ID: ,$False$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive
API String ID: 3194812178-3661939895
Opcode ID: 6e67ebc189e59b109926b976878c05c5ff8e56a7c2fe83319816f47c7d386b2c
Instruction ID: 05c2a068ec8248d3d24fb73124f2ba0192b7bb261c799db9564259cde8fcc610
Opcode Fuzzy Hash: DC012BC22786CE23E606A9C47A00BD0CE65AFB261CCC867E14FEE3C5D57ED100089B96
Instruction Fuzzy Hash: 05c2a068ec8248d3d24fb73124f2ba0192b7bb261c799db9564259cde8fcc610

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F40E
GetWindowPlacement.USER32(?,0000002C), ref: 0046F429

Part of subcall function 0046F148: GetWindow.USER32(?,00000005), ref: 0046F156
Part of subcall function 0046F148: GetWindow.USER32(00000000,00000002), ref: 0046F164

Strings

Maximized, xrefs: 0046F439
,, xrefs: 0046F41D
False, xrefs: 0046F4D6
Show/Unactive, xrefs: 0046F475
Normal, xrefs: 0046F44D
Minimized, xrefs: 0046F461
Normal/Unactive, xrefs: 0046F489

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00456278, Relevance: 15.2, APIs: 10, Instructions: 197 Total matches: 3025

Similarity

Total matches: 3025
API ID: GetWindowLong$IntersectClipRectRestoreDCSaveDC
String ID:
API String ID: 3006731778-0
Opcode ID: 42e9e34b880910027b3e3a352b823e5a85719ef328f9c6ea61aaf2d3498d6580
Instruction ID: 4204c0258dd60c0c2688d7e8ce7edc9cd036ce1826430425374ca7ebdb7834a4
Opcode Fuzzy Hash: 4621F609168D5267EC7B75806993BAA7111FB82B88CD1F7321AA1171975B80204BFA07
Instruction Fuzzy Hash: 4204c0258dd60c0c2688d7e8ce7edc9cd036ce1826430425374ca7ebdb7834a4

APIs

SaveDC.GDI32(?), ref: 00456295

Part of subcall function 0044EEA0: GetWindowOrgEx.GDI32(?), ref: 0044EEAE
Part of subcall function 0044EEA0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044EEC4

IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 004562CE
GetWindowLongA.USER32(00000000,000000EC), ref: 004562E2
GetWindowLongA.USER32(00000000,000000F0), ref: 00456303

Part of subcall function 00456278: SetRect.USER32(00000010,00000000,00000000,?,?), ref: 00456363
Part of subcall function 00456278: IntersectClipRect.GDI32(?,00000000,00000000,00000010,?), ref: 004563D3
Part of subcall function 00456278: SetRect.USER32(?,00000000,00000000,?,?), ref: 004563F4
Part of subcall function 00456278: DrawEdge.USER32(?,?,00000000,00000000), ref: 00456403
Part of subcall function 00456278: IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0045642C

RestoreDC.GDI32(?,?), ref: 004564AB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043F2B8, Relevance: 15.1, APIs: 10, Instructions: 133 Total matches: 142window

Similarity

Total matches: 142
API ID: GetWindowLongSendMessageSetWindowLong$GetClassLongGetSystemMenuSetClassLongSetWindowPos
String ID:
API String ID: 864553395-0
Opcode ID: 9ab73d602731c043e05f06fe9a833ffc60d2bf7da5b0a21ed43778f35c9aa1f5
Instruction ID: 86e40c6f39a8dd384175e0123e2dc7e82ae64037638b8220b5ac0861a23d6a34
Opcode Fuzzy Hash: B101DBAA1A176361E0912DCCCAC3B2ED50DB743248EB0DBD922E11540E7F4590A7FE2D
Instruction Fuzzy Hash: 86e40c6f39a8dd384175e0123e2dc7e82ae64037638b8220b5ac0861a23d6a34

APIs

GetWindowLongA.USER32(00000000,000000F0), ref: 0043F329
GetWindowLongA.USER32(00000000,000000EC), ref: 0043F33B
GetClassLongA.USER32(00000000,000000E6), ref: 0043F34E
SetWindowLongA.USER32(00000000,000000F0,00000000), ref: 0043F38E
SetWindowLongA.USER32(00000000,000000EC,?), ref: 0043F3A2
SetClassLongA.USER32(00000000,000000E6,?), ref: 0043F3B6
SendMessageA.USER32(00000000,00000080,00000001,00000000), ref: 0043F3F0
SendMessageA.USER32(00000000,00000080,00000001,00000000), ref: 0043F408
GetSystemMenu.USER32(00000000,000000FF), ref: 0043F417
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043F440

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044155C, Relevance: 15.1, APIs: 10, Instructions: 74 Total matches: 3192window

Similarity

Total matches: 3192
API ID: DeleteMenu$EnableMenuItem$GetSystemMenu
String ID:
API String ID: 3542995237-0
Opcode ID: 6b257927fe0fdeada418aad578b82fbca612965c587f2749ccb5523ad42afade
Instruction ID: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578
Opcode Fuzzy Hash: 0AF0D09DD98F1151E6F500410C47B83C08AFF413C5C245B380583217EFA9D25A5BEB0E
Instruction Fuzzy Hash: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 004415A7
DeleteMenu.USER32(00000000,0000F130,00000000), ref: 004415C5
DeleteMenu.USER32(00000000,00000007,00000400), ref: 004415D2
DeleteMenu.USER32(00000000,00000005,00000400), ref: 004415DF
DeleteMenu.USER32(00000000,0000F030,00000000), ref: 004415EC
DeleteMenu.USER32(00000000,0000F020,00000000), ref: 004415F9
DeleteMenu.USER32(00000000,0000F000,00000000), ref: 00441606
DeleteMenu.USER32(00000000,0000F120,00000000), ref: 00441613
EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 00441631
EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 0044164D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040281E, Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 188 Total matches: 190window

Similarity

Total matches: 190
API ID: MessageBox
String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
API String ID: 1250089747-980038931
Opcode ID: 1669ecd234b97cdbd14c3df7a35b1e74c6856795be7635a3e0f5130a3d9bc831
Instruction ID: 2e60dbe28dcd1d3aa5670394eea0bc97309ab4bc9661f15f320bab8b5d4cd559
Opcode Fuzzy Hash: 8E21F44B67EED392D3EA1303384575540E3ABC5537D888F60977232BF6EE14140BAA9D
Instruction Fuzzy Hash: 2e60dbe28dcd1d3aa5670394eea0bc97309ab4bc9661f15f320bab8b5d4cd559

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 00402BBE

Strings

An unexpected memory leak has occurred. , xrefs: 00402980
, xrefs: 00402B04
The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402B39
The unexpected small block leaks are:, xrefs: 004029F7
Unexpected Memory Leak, xrefs: 00402BB0
7, xrefs: 00402991
bytes: , xrefs: 00402A4D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004710F0, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 66 Total matches: 37

Similarity

Total matches: 37
API ID: GetWindowShowWindow$FindWindowGetClassName
String ID: BUTTON$Shell_TrayWnd
API String ID: 2948047570-3627955571
Opcode ID: 9e064d9ead1b610c0c1481de5900685eb7d76be14ef2e83358ce558d27e67668
Instruction ID: d360bd029940f6fa4d12d7627fe3e8b46839e67e31e965d43504e39a11938d6c
Opcode Fuzzy Hash: 68E092CC17B5D469B71A2789284236241D5C763A35C18B752D332376DF8E58021EE60A
Instruction Fuzzy Hash: d360bd029940f6fa4d12d7627fe3e8b46839e67e31e965d43504e39a11938d6c

APIs

FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 0047111D
GetWindow.USER32(00000000,00000005), ref: 00471125
GetClassNameA.USER32(00000000,?,00000080), ref: 0047113D
ShowWindow.USER32(00000000,00000001), ref: 0047117C
ShowWindow.USER32(00000000,00000000), ref: 00471186
GetWindow.USER32(00000000,00000002), ref: 0047118E

Strings

BUTTON, xrefs: 00471168
Shell_TrayWnd, xrefs: 00471118

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040DA34, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 56 Total matches: 16filewindow

Similarity

Total matches: 16
API ID: GetStdHandleWriteFile$CharToOemLoadStringMessageBox
String ID: LPI
API String ID: 3807148645-863635926
Opcode ID: 539cd2763de28bf02588dbfeae931fa34031625c31423c558e1c96719d1f86e4
Instruction ID: 5b0ab8211e0f5c40d4b1780363d5c9b524eff0228eb78845b7b0cb7c9884c59c
Opcode Fuzzy Hash: B1E09A464E3CA62353002E1070C6B892287EF4302E93833828A11787D74E3104E9A21C
Instruction Fuzzy Hash: 5b0ab8211e0f5c40d4b1780363d5c9b524eff0228eb78845b7b0cb7c9884c59c

APIs

Part of subcall function 0040D8AC: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040D8C9
Part of subcall function 0040D8AC: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040D8ED
Part of subcall function 0040D8AC: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040D908
Part of subcall function 0040D8AC: LoadStringA.USER32(00000000,0000FFED,?,00000100), ref: 0040D99E

CharToOemA.USER32(?,?), ref: 0040DA6B
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,0040E1ED,0040E312,0040FDD4,00000000,0040FF18), ref: 0040DA88
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?), ref: 0040DA8E
GetStdHandle.KERNEL32(000000F4,0040DAF8,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,0040E1ED,0040E312,0040FDD4,00000000,0040FF18), ref: 0040DAA3
WriteFile.KERNEL32(00000000,000000F4,0040DAF8,00000002,?), ref: 0040DAA9
LoadStringA.USER32(00000000,0000FFEE,?,00000040), ref: 0040DACB
MessageBoxA.USER32(00000000,?,?,00002010), ref: 0040DAE1

Strings

LPI, xrefs: 0040DA48

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004564D0, Relevance: 13.7, APIs: 9, Instructions: 177 Total matches: 190window

Similarity

Total matches: 190
API ID: SelectObject$BeginPaintBitBltCreateCompatibleBitmapCreateCompatibleDCSetWindowOrgEx
String ID:
API String ID: 1616898104-0
Opcode ID: 00b711a092303d63a394b0039c66d91bff64c6bf82b839551a80748cfcb5bf1e
Instruction ID: 1affb125a654ca7596d0e4f6c4811def945eff925a29ebecd1c68cf0f38a7913
Opcode Fuzzy Hash: 14115B85024DA637E8739CC85E83F962294F307D48C91F7729BA31B2C72F15600DD293
Instruction Fuzzy Hash: 1affb125a654ca7596d0e4f6c4811def945eff925a29ebecd1c68cf0f38a7913

APIs

Part of subcall function 00455D50: BeginPaint.USER32(00000000,?), ref: 00455D7B
Part of subcall function 00455D50: SaveDC.GDI32(00000000), ref: 00455DB4
Part of subcall function 00455D50: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 00455E36
Part of subcall function 00455D50: RestoreDC.GDI32(00000000,00000000), ref: 00455E6C
Part of subcall function 00455D50: EndPaint.USER32(00000000,?), ref: 00455EA9

BeginPaint.USER32(00000000,?), ref: 004565EA
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00456600
CreateCompatibleDC.GDI32(00000000), ref: 00456617
SelectObject.GDI32(?,?), ref: 00456627
SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0045664B

Part of subcall function 004564D0: BeginPaint.USER32(00000000,?), ref: 0045653C
Part of subcall function 004564D0: EndPaint.USER32(00000000,?), ref: 004565D0

BitBlt.GDI32(00000000,?,?,?,?,?,?,?,00CC0020), ref: 00456699
SelectObject.GDI32(?,?), ref: 004566B3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004840D8, Relevance: 13.6, APIs: 9, Instructions: 150 Total matches: 30

Similarity

Total matches: 30
API ID: CloseHandleGetTokenInformationLookupAccountSid$GetLastErrorOpenProcessOpenProcessToken
String ID:
API String ID: 1387212650-0
Opcode ID: 55fc45e655e8bcad6bc41288bae252f5ee7be0b7cb976adfe173a6785b05be5f
Instruction ID: 4c6b5abeafcca947752a893948ed48d42e020b1fe5683f4a654fc51f6199c0a3
Opcode Fuzzy Hash: 3901484A17CA2293F53BB5C82483FEA1215E702B45D48B7A354F43A59A5F45A13BF702
Instruction Fuzzy Hash: 4c6b5abeafcca947752a893948ed48d42e020b1fe5683f4a654fc51f6199c0a3

APIs

OpenProcess.KERNEL32(00000400,00000000,?,00000000,00484275), ref: 00484108
OpenProcessToken.ADVAPI32(00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 0048411E
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,?,00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 00484139
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),?,?,?,?,TokenIntegrityLevel,00000000,00000000,?,00000000,00000008,?,00000400,00000000), ref: 00484168
GetLastError.KERNEL32(?,TokenIntegrityLevel,00000000,00000000,?,00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 00484177
CloseHandle.KERNEL32(?), ref: 00484185
LookupAccountSidA.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 004841B4
LookupAccountSidA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,?), ref: 00484205
CloseHandle.KERNEL32(00000000), ref: 00484255

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00451458, Relevance: 13.6, APIs: 9, Instructions: 122 Total matches: 3040window

Similarity

Total matches: 3040
API ID: PatBlt$SelectObject$GetDCExGetDesktopWindowReleaseDC
String ID:
API String ID: 2402848322-0
Opcode ID: 0b1cd19b0e82695ca21d43bacf455c9985e1afa33c1b29ce2f3a7090b744ccb2
Instruction ID: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593
Opcode Fuzzy Hash: C2F0B4482AADF707C8B6350915C7F79224AED736458F4BB694DB4172CBAF27B014D093
Instruction Fuzzy Hash: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593

APIs

GetDesktopWindow.USER32 ref: 0045148F
GetDCEx.USER32(?,00000000,00000402), ref: 004514A2

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

SelectObject.GDI32(?,00000000), ref: 004514C5
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 004514EB
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0045150D
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 0045152C
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 00451546
SelectObject.GDI32(?,?), ref: 00451553
ReleaseDC.USER32(?,?), ref: 0045156D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00454934, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 134 Total matches: 1764registry

Similarity

Total matches: 1764
API ID: GetWindowLong$GetClassInfoRegisterClassSetWindowLongUnregisterClass
String ID: @
API String ID: 2433521760-2766056989
Opcode ID: bb057d11bcffa2997f58ae607b8aec9f6d517787b85221cca69b6bc40098651c
Instruction ID: 4013627ed433dbc6b152acdb164a0da3d29e3622e0b68fd627badcaca3a3b516
Opcode Fuzzy Hash: 5A119C80560CD237E7D669A4B48378513749F97B7CDD0536B63F6242DA4E00402DF96E
Instruction Fuzzy Hash: 4013627ed433dbc6b152acdb164a0da3d29e3622e0b68fd627badcaca3a3b516

APIs

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetClassInfoA.USER32(?,?,?), ref: 004549F8
UnregisterClassA.USER32(?,?), ref: 00454A20
RegisterClassA.USER32(?), ref: 00454A36
GetWindowLongA.USER32(00000000,000000F0), ref: 00454A72
GetWindowLongA.USER32(00000000,000000F4), ref: 00454A87
SetWindowLongA.USER32(00000000,000000F4,00000000), ref: 00454A9A

Part of subcall function 00458910: IsIconic.USER32(?), ref: 0045891F
Part of subcall function 00458910: GetWindowPlacement.USER32(?,0000002C), ref: 0045893C
Part of subcall function 00458910: GetWindowRect.USER32(?), ref: 00458955
Part of subcall function 00458910: GetWindowLongA.USER32(?,000000F0), ref: 00458963
Part of subcall function 00458910: GetWindowLongA.USER32(?,000000F8), ref: 00458978
Part of subcall function 00458910: ScreenToClient.USER32(00000000), ref: 00458985
Part of subcall function 00458910: ScreenToClient.USER32(00000000,?), ref: 00458990

Part of subcall function 0042473C: CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,00424930,?,00000000,00424958), ref: 0042486B
Part of subcall function 0042473C: CreateFontIndirectA.GDI32(?), ref: 0042490D

Part of subcall function 0040F26C: GetLastError.KERNEL32(0040F31C,?,0041BBC3,?), ref: 0040F26C

Strings

@, xrefs: 0045496D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AC14, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 110 Total matches: 30

Similarity

Total matches: 30
API ID: GetCurrentProcessGetTokenInformationLookupPrivilegeDisplayNameLookupPrivilegeNameOpenProcessToken
String ID: GetTokenInformation error$OpenProcessToken error
API String ID: 34442935-1842041635
Opcode ID: 07715b92dc7caf9e715539a578f275bcd2bb60a34190f84cc6cf05c55eb8ea49
Instruction ID: 380ab001647c8b3903b6034fc21424389ae21c1771cfbd9cf9b74ae493e33b6b
Opcode Fuzzy Hash: 9101994303ACF753F62929086842BDA0550DF534A5EC4AB6281746BEC90F28203AFB57
Instruction Fuzzy Hash: 380ab001647c8b3903b6034fc21424389ae21c1771cfbd9cf9b74ae493e33b6b

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AD60), ref: 0048AC51
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AD60), ref: 0048AC57
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000320,?,00000000,00000028,?,00000000,0048AD60), ref: 0048AC7D
LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,00000000,000000FF,?), ref: 0048ACEE

Part of subcall function 00489B40: MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00489B84

LookupPrivilegeNameA.ADVAPI32(00000000,?,00000000,000000FF), ref: 0048ACDD

Strings

GetTokenInformation error, xrefs: 0048AC86
OpenProcessToken error, xrefs: 0048AC60

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E4A0, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68 Total matches: 2853string

Similarity

Total matches: 2853
API ID: GetSystemMetrics$GetMonitorInfoSystemParametersInfolstrcpy
String ID: DISPLAY$GetMonitorInfo
API String ID: 3432438702-1633989206
Opcode ID: eae47ffeee35c10db4cae29e8a4ab830895bcae59048fb7015cdc7d8cb0a928b
Instruction ID: 74142331967dee0409fd24cf408a58a7466f2520650418456c75ade1e3029da4
Opcode Fuzzy Hash: 28E068803A699081F86A71027110F4912B07AE7E47D883B92C4777051BD78265B91D01
Instruction Fuzzy Hash: 74142331967dee0409fd24cf408a58a7466f2520650418456c75ade1e3029da4

APIs

GetMonitorInfoA.USER32(?,?), ref: 0042E4D1
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042E4F8
GetSystemMetrics.USER32(00000000), ref: 0042E50D
GetSystemMetrics.USER32(00000001), ref: 0042E518
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0042E542

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

DISPLAY, xrefs: 0042E539
GetMonitorInfo, xrefs: 0042E4B8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E574, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 68 Total matches: 14string

Similarity

Total matches: 14
API ID: GetSystemMetrics$SystemParametersInfolstrcpy
String ID: DISPLAY$GetMonitorInfoA$tB
API String ID: 920390751-4256241499
Opcode ID: 9a94b6fb1edcb78a0c9a66795ebd84d1eeb67d07ab6805deb2fcd0b49b846e84
Instruction ID: eda70eb6c6723b3d8ed12733fddff3b40501d2063d2ec80ebb02aba850291404
Opcode Fuzzy Hash: 78E068C132298081B86A31013160F42129039E7E17E883BC1D4F77056B8B8275651D08
Instruction Fuzzy Hash: eda70eb6c6723b3d8ed12733fddff3b40501d2063d2ec80ebb02aba850291404

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042E5CC
GetSystemMetrics.USER32(00000000), ref: 0042E5E1
GetSystemMetrics.USER32(00000001), ref: 0042E5EC
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0042E616

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

GetMonitorInfoA, xrefs: 0042E58C
tB, xrefs: 0042E591, 0042E59E, 0042E5A5
DISPLAY, xrefs: 0042E60D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E648, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 68 Total matches: 10string

Similarity

Total matches: 10
API ID: GetSystemMetrics$SystemParametersInfolstrcpy
String ID: DISPLAY$GetMonitorInfoW$HB
API String ID: 920390751-4214253287
Opcode ID: 39694e9d9e018d210cdbb9f258b89a02c97d0963af088e59ad359ed5c593a5a2
Instruction ID: 715dbc0accc45c62a460a5bce163b1305142a94d166b4e77b7d7de915e09a29c
Opcode Fuzzy Hash: C6E0D8802269D0C5B86A71013254F4712E53EFBF57C8C3B51D5737156A5782A6B51D11
Instruction Fuzzy Hash: 715dbc0accc45c62a460a5bce163b1305142a94d166b4e77b7d7de915e09a29c

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042E6A0
GetSystemMetrics.USER32(00000000), ref: 0042E6B5
GetSystemMetrics.USER32(00000001), ref: 0042E6C0
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0042E6EA

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

GetMonitorInfoW, xrefs: 0042E660
HB, xrefs: 0042E665, 0042E672, 0042E679
DISPLAY, xrefs: 0042E6E1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004052FC, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38 Total matches: 3072filewindow

Similarity

Total matches: 3072
API ID: GetStdHandleWriteFile$MessageBox
String ID: Error$Runtime error at 00000000
API String ID: 877302783-2970929446
Opcode ID: a2f2a555d5de0ed3a3cdfe8a362fd9574088acc3a5edf2b323f2c4251b80d146
Instruction ID: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97
Opcode Fuzzy Hash: FED0A7C68438479FA141326030C4B2A00133F0762A9CC7396366CB51DFCF4954BCDD05
Instruction Fuzzy Hash: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405335
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 0040533B
GetStdHandle.KERNEL32(000000F5,00405384,00000002,?,00000000,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405350
WriteFile.KERNEL32(00000000,000000F5,00405384,00000002,?), ref: 00405356
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00405374

Strings

Error, xrefs: 00405368
Runtime error at 00000000, xrefs: 0040532E, 0040536D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00442C9C, Relevance: 12.2, APIs: 8, Instructions: 154 Total matches: 2310window

Similarity

Total matches: 2310
API ID: SendMessage$GetActiveWindowGetCapture$ReleaseCapture
String ID:
API String ID: 3360342259-0
Opcode ID: 2e7a3c9d637816ea08647afd4d8ce4a3829e05fa187c32cef18f4a4206af3d5d
Instruction ID: f313f7327938110f0d474da6a120560d1e1833014bacf3192a9076ddb3ef11f7
Opcode Fuzzy Hash: 8F1150111E8E7417F8A3A1C8349BB23A067F74FA59CC0BF71479A610D557588869D707
Instruction Fuzzy Hash: f313f7327938110f0d474da6a120560d1e1833014bacf3192a9076ddb3ef11f7

APIs

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetCapture.USER32 ref: 00442D0D
GetCapture.USER32 ref: 00442D1C
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00442D22
ReleaseCapture.USER32 ref: 00442D27
GetActiveWindow.USER32 ref: 00442D78

Part of subcall function 004442A8: GetCursorPos.USER32 ref: 004442C3
Part of subcall function 004442A8: WindowFromPoint.USER32(?,?), ref: 004442D0
Part of subcall function 004442A8: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004442DE
Part of subcall function 004442A8: GetCurrentThreadId.KERNEL32(00000000,00000000,?,?), ref: 004442E5
Part of subcall function 004442A8: SendMessageA.USER32(00000000,00000084,00000000,?), ref: 0044430E
Part of subcall function 004442A8: SendMessageA.USER32(00000000,00000020,00000000,?), ref: 00444320
Part of subcall function 004442A8: SetCursor.USER32(00000000), ref: 00444332

Part of subcall function 0043B920: GetCurrentThreadId.KERNEL32(0043B8D0,00000000,00000000,0043B993,?,00000000,0043B9D1), ref: 0043B976
Part of subcall function 0043B920: EnumThreadWindows.USER32(00000000,0043B8D0,00000000), ref: 0043B97C

SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00442E0E
SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00442E7B
GetActiveWindow.USER32 ref: 00442E8A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004462F4, Relevance: 12.1, APIs: 8, Instructions: 99 Total matches: 293windowthread

Similarity

Total matches: 293
API ID: SendMessage$GetWindowThreadProcessId$GetCaptureGetParentIsWindowUnicode
String ID:
API String ID: 2317708721-0
Opcode ID: 8f6741418f060f953fc426fb00df5905d81b57fcb2f7a38cdc97cb0aab6d7365
Instruction ID: 027f2b09132ef415e1641618d15c0fc03404835376b0cbd1c352fc703b58c8b5
Opcode Fuzzy Hash: D0F09E15071D1844F89FA7844CD3F1F0150E73726FC516A251861D07BB2640586DEC40
Instruction Fuzzy Hash: 027f2b09132ef415e1641618d15c0fc03404835376b0cbd1c352fc703b58c8b5

APIs

GetCapture.USER32 ref: 0044631A
GetParent.USER32(00000000), ref: 00446340
IsWindowUnicode.USER32(00000000), ref: 0044635D
SendMessageW.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446378
SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446397
GetWindowThreadProcessId.USER32(00000000), ref: 004463A6
GetWindowThreadProcessId.USER32(?,?), ref: 004463B4
SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 004463D4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426060, Relevance: 12.1, APIs: 8, Instructions: 79 Total matches: 3072window

Similarity

Total matches: 3072
API ID: GetSystemPaletteEntries$GetDCGetDeviceCapsReleaseDC
String ID:
API String ID: 3774187343-0
Opcode ID: c8a1f0028bda89d06ba34fecd970438ce26e4f5bd606e2da3d468695089984a8
Instruction ID: 0cfe958825060108f21fe327ec74807f3ea840bb8274bad68fd1d00675d59d02
Opcode Fuzzy Hash: 82F0E9420739F3B3B21723492453B548250FF006B8F195B7095A2A37D54B486A08D65A
Instruction Fuzzy Hash: 0cfe958825060108f21fe327ec74807f3ea840bb8274bad68fd1d00675d59d02

APIs

GetDC.USER32(00000000), ref: 0042608E
GetDeviceCaps.GDI32(?,00000068), ref: 004260AA
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 004260C9
GetSystemPaletteEntries.GDI32(?,-00000008,00000001,00C0C0C0), ref: 004260ED
GetSystemPaletteEntries.GDI32(?,00000000,00000007,?), ref: 0042610B
GetSystemPaletteEntries.GDI32(?,00000007,00000001,?), ref: 0042611F
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0042613F
ReleaseDC.USER32(00000000,?), ref: 00426157

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434550, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 177 Total matches: 2669window

Similarity

Total matches: 2669
API ID: InsertMenu$GetVersionInsertMenuItem
String ID: ,$?
API String ID: 1158528009-2308483597
Opcode ID: 3691d3eb49acf7fe282d18733ae3af9147e5be4a4a7370c263688d5644077239
Instruction ID: d88e58a9695d0ecde36b26a9ed5775f3b98e27f7dc2108173ae1ec2afbf22209
Opcode Fuzzy Hash: 7021C07202AE81DBD414788C7954F6221B16B5465FD49FF210329B5DD98F156003FF7A
Instruction Fuzzy Hash: d88e58a9695d0ecde36b26a9ed5775f3b98e27f7dc2108173ae1ec2afbf22209

APIs

GetVersion.KERNEL32(00000000,004347A1), ref: 004345EC
InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 004346F5
InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 0043477E

Part of subcall function 00434A54: CreatePopupMenu.USER32 ref: 00434A6F
Part of subcall function 00434A54: CreateMenu.USER32 ref: 00434A79

InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 00434765

Strings

?, xrefs: 00434607
,, xrefs: 00434600

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00488D70, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 139 Total matches: 17window

Similarity

Total matches: 17
API ID: BitBltCreateCompatibleBitmapCreateCompatibleDCCreateDCSelectObject
String ID: image/jpeg
API String ID: 3045076971-3785015651
Opcode ID: dbe4b5206c04ddfa7cec44dd0e3e3f3269a9d8eacf2ec53212285f1a385d973c
Instruction ID: b6a9b81207b66fd46b40be05ec884117bb921c7e8fb4f30b77988d552b54040a
Opcode Fuzzy Hash: 3001BD010F4EF103E475B5CC3853FF7698AEB17E8AD1A77A20CB8961839202A009F607
Instruction Fuzzy Hash: b6a9b81207b66fd46b40be05ec884117bb921c7e8fb4f30b77988d552b54040a

APIs

CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 00488DAA
CreateCompatibleDC.GDI32(?), ref: 00488DC4
CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 00488DDC
SelectObject.GDI32(?,?), ref: 00488DEC
BitBlt.GDI32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,00CC0020), ref: 00488E15

Part of subcall function 0045FB1C: GdipCreateBitmapFromHBITMAP.GDIPLUS(?,?,?), ref: 0045FB43

Part of subcall function 0045FA24: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,0045FA7A), ref: 0045FA54

Strings

image/jpeg, xrefs: 00488E70

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446834, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 138 Total matches: 241window

Similarity

Total matches: 241
API ID: SetWindowPos$GetWindowRectMessageBoxSetActiveWindow
String ID: (
API String ID: 3733400490-3887548279
Opcode ID: 057cc1c80f110adb1076bc5495aef73694a74091f1d008cb79dd59c6bbc78491
Instruction ID: b10abcdf8b99517cb61353ac0e0d7546e107988409174f4fad3563684715349e
Opcode Fuzzy Hash: 88014C110E8D5483B57334902893FAB110AFB8B789C4CF7F65ED25314A4B45612FA657
Instruction Fuzzy Hash: b10abcdf8b99517cb61353ac0e0d7546e107988409174f4fad3563684715349e

APIs

Part of subcall function 00447BE4: GetActiveWindow.USER32 ref: 00447C0B
Part of subcall function 00447BE4: GetLastActivePopup.USER32(?), ref: 00447C1D

GetWindowRect.USER32(?,?), ref: 004468B6
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 004468EE

Part of subcall function 0043B920: GetCurrentThreadId.KERNEL32(0043B8D0,00000000,00000000,0043B993,?,00000000,0043B9D1), ref: 0043B976
Part of subcall function 0043B920: EnumThreadWindows.USER32(00000000,0043B8D0,00000000), ref: 0043B97C

MessageBoxA.USER32(00000000,?,?,?), ref: 0044692D
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0044697D

Part of subcall function 0043B9E4: IsWindow.USER32(?), ref: 0043B9F2
Part of subcall function 0043B9E4: EnableWindow.USER32(?,000000FF), ref: 0043BA01

SetActiveWindow.USER32(00000000), ref: 0044698E

Strings

(, xrefs: 00446893

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446524, Relevance: 10.6, APIs: 7, Instructions: 105 Total matches: 329window

Similarity

Total matches: 329
API ID: PeekMessage$DispatchMessage$IsWindowUnicodeTranslateMessage
String ID:
API String ID: 94033680-0
Opcode ID: 72d0e2097018c2d171db36cd9dd5c7d628984fd68ad100676ade8b40d7967d7f
Instruction ID: b3581f7210794b57d406096c46509e1a6dcc6e0b3c60c7d01b5c3c410123a072
Opcode Fuzzy Hash: A2F0F642161A8221F90E364651E2FC06559E31F39CCD1D3871165A4192DF8573D6F95C
Instruction Fuzzy Hash: b3581f7210794b57d406096c46509e1a6dcc6e0b3c60c7d01b5c3c410123a072

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00446538
IsWindowUnicode.USER32 ref: 0044654C
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0044656D
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00446583

Part of subcall function 00447DD0: GetCapture.USER32 ref: 00447DDA
Part of subcall function 00447DD0: GetParent.USER32(00000000), ref: 00447E08

Part of subcall function 004462A4: TranslateMDISysAccel.USER32(?), ref: 004462E3

Part of subcall function 004462F4: GetCapture.USER32 ref: 0044631A
Part of subcall function 004462F4: GetParent.USER32(00000000), ref: 00446340
Part of subcall function 004462F4: IsWindowUnicode.USER32(00000000), ref: 0044635D
Part of subcall function 004462F4: SendMessageW.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446378
Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446397
Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(00000000), ref: 004463A6
Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(?,?), ref: 004463B4
Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 004463D4

Part of subcall function 0044625C: IsWindowUnicode.USER32(00000000), ref: 00446270
Part of subcall function 0044625C: IsDialogMessageW.USER32(?), ref: 00446281
Part of subcall function 0044625C: IsDialogMessageA.USER32(?,?,00000000,015B8130,00000001,00446607,?,00000000,00000000,00000000,00000001,?,00000000,00000000,00000000,00000000), ref: 00446296

TranslateMessage.USER32 ref: 0044660C
DispatchMessageW.USER32 ref: 00446618
DispatchMessageA.USER32 ref: 00446620

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004282D0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99 Total matches: 1938

Similarity

Total matches: 1938
API ID: GetWinMetaFileBitsMulDiv$GetDC
String ID: `
API String ID: 1171737091-2679148245
Opcode ID: 97e0afb71fd3017264d25721d611b96d1ac3823582e31f119ebb41a52f378edb
Instruction ID: fd1c75cb27f8ccc4a85bc281ca680933f7ff10ae91a160973978cac80d6b42b6
Opcode Fuzzy Hash: B6F0ACC4008CD2A7D87675DC1043F6311C897CA286E89BB739226A7307CB0AA019EC47
Instruction Fuzzy Hash: fd1c75cb27f8ccc4a85bc281ca680933f7ff10ae91a160973978cac80d6b42b6

APIs

MulDiv.KERNEL32(?,?,000009EC), ref: 00428322
MulDiv.KERNEL32(?,?,000009EC), ref: 00428339
GetDC.USER32(00000000), ref: 00428350
GetWinMetaFileBits.GDI32(?,00000000,00000000,00000008,?), ref: 00428374
GetWinMetaFileBits.GDI32(?,?,?,00000008,?), ref: 004283A7

Part of subcall function 00425A70: GetLastError.KERNEL32(00000000,00425B0C), ref: 00425A90
Part of subcall function 00425A70: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00425B0C), ref: 00425AB6

Strings

`, xrefs: 00428308

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444344, Relevance: 10.6, APIs: 7, Instructions: 89 Total matches: 2886

Similarity

Total matches: 2886
API ID: CreateFontIndirect$GetStockObjectSystemParametersInfo
String ID:
API String ID: 1286667049-0
Opcode ID: beeb678630a8d2ca0f721ed15124802961745e4c56d7c704ecddf8ebfa723626
Instruction ID: b9276e4cea0afd1028da4d528d34847b13dbaab52dc8e94e54053a20ac38a9fc
Opcode Fuzzy Hash: 00F0A4C36341F6F2D8993208742172161E6A74AE78C7CFF62422930ED2661A052EEB4F
Instruction Fuzzy Hash: b9276e4cea0afd1028da4d528d34847b13dbaab52dc8e94e54053a20ac38a9fc

APIs

SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 00444399
CreateFontIndirectA.GDI32(?), ref: 004443A6
GetStockObject.GDI32(0000000D), ref: 004443BC
SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 004443E5
CreateFontIndirectA.GDI32(?), ref: 004443F5
CreateFontIndirectA.GDI32(?), ref: 0044440E

Part of subcall function 00424A5C: MulDiv.KERNEL32(00000000,?,00000048), ref: 00424A69

GetStockObject.GDI32(0000000D), ref: 00444434

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428A00, Relevance: 10.6, APIs: 7, Instructions: 66 Total matches: 3056

Similarity

Total matches: 3056
API ID: SelectObject$CreateCompatibleDCDeleteDCGetDCReleaseDCSetDIBColorTable
String ID:
API String ID: 2399757882-0
Opcode ID: e05996493a4a7703f1d90fd319a439bf5e8e75d5a5d7afaf7582bfea387cb30d
Instruction ID: 90c847b5b2251fbb5b2f14fd0b24f537c214c92e226752d9278a3821f2f40b8f
Opcode Fuzzy Hash: 73E0DF8626D8F38BE435399C15C2BB202EAD763D20D1ABBA1CD712B5DB6B09701CE107
Instruction Fuzzy Hash: 90c847b5b2251fbb5b2f14fd0b24f537c214c92e226752d9278a3821f2f40b8f

APIs

Part of subcall function 004262B4: GetObjectA.GDI32(?,00000004), ref: 004262CB
Part of subcall function 004262B4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 004262EE

GetDC.USER32(00000000), ref: 00428A3E
CreateCompatibleDC.GDI32(?), ref: 00428A4A
SelectObject.GDI32(?), ref: 00428A57
SetDIBColorTable.GDI32(?,00000000,00000000,?), ref: 00428A7B
SelectObject.GDI32(?,?), ref: 00428A95
DeleteDC.GDI32(?), ref: 00428A9E
ReleaseDC.USER32(00000000,?), ref: 00428AA9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004442A8, Relevance: 10.6, APIs: 7, Instructions: 57 Total matches: 3149threadwindow

Similarity

Total matches: 3149
API ID: SendMessage$GetCurrentThreadIdGetCursorPosGetWindowThreadProcessIdSetCursorWindowFromPoint
String ID:
API String ID: 3843227220-0
Opcode ID: 636f8612f18a75fc2fe2d79306f1978e6c2d0ee500cce15a656835efa53532b4
Instruction ID: 91a0691e93be75cbd792bc1c5d11451005bcc187603754b99125f381020161aa
Opcode Fuzzy Hash: 6FE07D44093723D5C0644A295640705A6C6CB96630DC0DB86C339580FBAD0214F0BC92
Instruction Fuzzy Hash: 91a0691e93be75cbd792bc1c5d11451005bcc187603754b99125f381020161aa

APIs

GetCursorPos.USER32 ref: 004442C3
WindowFromPoint.USER32(?,?), ref: 004442D0
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004442DE
GetCurrentThreadId.KERNEL32(00000000,00000000,?,?), ref: 004442E5
SendMessageA.USER32(00000000,00000084,00000000,?), ref: 0044430E
SendMessageA.USER32(00000000,00000020,00000000,?), ref: 00444320
SetCursor.USER32(00000000), ref: 00444332

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00488B18, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 49 Total matches: 15

Similarity

Total matches: 15
API ID: GetDeviceCaps$CreateDCEnumDisplayMonitors
String ID: DISPLAY$MONSIZE0x0x0x0
API String ID: 764351534-707749442
Opcode ID: 4ad1b1e031ca4c6641bd4b991acf5b812f9c7536f9f0cc4eb1e7d2354d8ae31a
Instruction ID: 74f5256f7b05cb3d54b39a8883d8df7c51a1bc5999892e39300c9a7f2f74089f
Opcode Fuzzy Hash: 94E0C24F6B8BE4A7600672443C237C2878AA6536918523721CB3E36A93DD472205BA15
Instruction Fuzzy Hash: 74f5256f7b05cb3d54b39a8883d8df7c51a1bc5999892e39300c9a7f2f74089f

APIs

CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 00488B3D
GetDeviceCaps.GDI32(00000000,00000008), ref: 00488B47
GetDeviceCaps.GDI32(00000000,0000000A), ref: 00488B54
EnumDisplayMonitors.USER32(00000000,00000000,004889F0,00000000), ref: 00488B85

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

DISPLAY, xrefs: 00488B6E
MONSIZE0x0x0x0, xrefs: 00488B8C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040F3A4, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 46 Total matches: 17

Similarity

Total matches: 17
API ID: FindResourceLoadResource
String ID: 0PI$DVCLAL
API String ID: 2359726220-2981686760
Opcode ID: 800224e7684f9999f87d4ef9ea60951ae4fbd73f3e4075522447f15a278b71b4
Instruction ID: dff53e867301dc3e22b70d9e69622cb382f13005f1a49077cfe6c5f33cacb54d
Opcode Fuzzy Hash: 8FD0C9D501084285852017F8B253FC7A2AB69DEB19D544BB05EB12D2076F5A613B6A46
Instruction Fuzzy Hash: dff53e867301dc3e22b70d9e69622cb382f13005f1a49077cfe6c5f33cacb54d

APIs

FindResourceA.KERNEL32(00400000,DVCLAL,0000000A), ref: 0040F3C1
LoadResource.KERNEL32(00400000,00000000,00400000,DVCLAL,0000000A), ref: 0040F3CF
FindResourceA.KERNEL32(00400000,DVCLAL,0000000A), ref: 0040F3F3
LoadResource.KERNEL32(00400000,00000000,00400000,DVCLAL,0000000A), ref: 0040F3FA

Strings

0PI, xrefs: 0040F3A8, 0040F3B9, 0040F3C7
DVCLAL, xrefs: 0040F3B4, 0040F3EA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00484B30, Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 176 Total matches: 11sleep

Similarity

Total matches: 11
API ID: Sleep
String ID: BTERRORDownload File| Error on downloading file check if you type the correct url...|$BTRESULTDownload File|Mass Download : File Downloaded , Executing new one in temp dir...|$BTRESULTMass Download|Downloading File...|$DownloadFail$DownloadSuccess
API String ID: 3472027048-992323826
Opcode ID: b42a1814c42657d3903e752c8e34c8bac9066515283203de396ee156d6a45bcc
Instruction ID: deaf5eb2465c82228c6b2b1c1dca6568de82910c53d4747ae395a037cbca2448
Opcode Fuzzy Hash: EA2181291B8DE4A7F43B295C2447B5B11119FC2A9AE8D6BB1377A3F0161A42D019723A
Instruction Fuzzy Hash: deaf5eb2465c82228c6b2b1c1dca6568de82910c53d4747ae395a037cbca2448

APIs

Part of subcall function 0048485C: InternetOpenA.WININET(Mozilla,00000001,00000000,00000000,00000000), ref: 0048490C
Part of subcall function 0048485C: InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,04000000,00000000), ref: 00484944
Part of subcall function 0048485C: HttpQueryInfoA.WININET(00000000,00000013,?,00000200,?), ref: 0048497D
Part of subcall function 0048485C: InternetReadFile.WININET(00000000,?,00000400,?), ref: 00484A04
Part of subcall function 0048485C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 00484A75
Part of subcall function 0048485C: InternetCloseHandle.WININET(00000000), ref: 00484A95

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Sleep.KERNEL32(000007D0,?,?,?,?,?,?,?,00000000,00484D9A,?,?,?,?,00000006,00000000), ref: 00484D38

Part of subcall function 00475BD8: closesocket.WSOCK32(00000248,00000000,00475D47,?,00000000,00475D76,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00475D2E
Part of subcall function 00475BD8: GetCurrentProcessId.KERNEL32(00000248,00000000,00475D47,?,00000000,00475D76,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00475D33

Strings

DownloadFail, xrefs: 00484CBC
BTRESULTMass Download|Downloading File...|, xrefs: 00484C52
BTERRORDownload File| Error on downloading file check if you type the correct url...|, xrefs: 00484D0C
BTRESULTDownload File|Mass Download : File Downloaded , Executing new one in temp dir...|, xrefs: 00484CEA
DownloadSuccess, xrefs: 00484CA2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043EC18, Relevance: 9.2, APIs: 6, Instructions: 150 Total matches: 2896

Similarity

Total matches: 2896
API ID: FillRect$BeginPaintEndPaintGetClientRectGetWindowRect
String ID:
API String ID: 2931688664-0
Opcode ID: 677a90f33c4a0bae1c1c90245e54b31fe376033ebf9183cf3cf5f44c7b342276
Instruction ID: 65c0a0a89661e183b73f48e61e48bee5eb6d6399339ac08e0e21072a38132552
Opcode Fuzzy Hash: 9711994A819E5007F47B49C40887BEA1092FBC1FDBCC8FF7025A426BCB0B60564F860B
Instruction Fuzzy Hash: 65c0a0a89661e183b73f48e61e48bee5eb6d6399339ac08e0e21072a38132552

APIs

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?), ref: 0043EC91
GetClientRect.USER32(00000000,?), ref: 0043ECBC
FillRect.USER32(?,?,00000000), ref: 0043ECDB

Part of subcall function 0043EB8C: CallWindowProcA.USER32(?,?,?,?,?), ref: 0043EBC6

Part of subcall function 0043B78C: GetWindowLongA.USER32(?,000000EC), ref: 0043B799
Part of subcall function 0043B78C: SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B7BC
Part of subcall function 0043B78C: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043B7CE

BeginPaint.USER32(?,?), ref: 0043ED53
GetWindowRect.USER32(?,?), ref: 0043ED80

Part of subcall function 0044EEA0: GetWindowOrgEx.GDI32(?), ref: 0044EEAE
Part of subcall function 0044EEA0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044EEC4

Part of subcall function 00455D50: BeginPaint.USER32(00000000,?), ref: 00455D7B
Part of subcall function 00455D50: SaveDC.GDI32(00000000), ref: 00455DB4
Part of subcall function 00455D50: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 00455E36
Part of subcall function 00455D50: RestoreDC.GDI32(00000000,00000000), ref: 00455E6C
Part of subcall function 00455D50: EndPaint.USER32(00000000,?), ref: 00455EA9

EndPaint.USER32(?,?), ref: 0043EDE0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00441160, Relevance: 9.1, APIs: 6, Instructions: 125 Total matches: 196

Similarity

Total matches: 196
API ID: ExcludeClipRectFillRectGetStockObjectRestoreDCSaveDCSetBkColor
String ID:
API String ID: 3049133588-0
Opcode ID: d6019f6cee828ac7391376ab126a0af33bb7a71103bbd3b8d69450c96d22d854
Instruction ID: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c
Opcode Fuzzy Hash: 54012444004F6253F4AB098428E7FA56083F721791CE4FF310786616C34A74615BAA07
Instruction Fuzzy Hash: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c

APIs

Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE

SaveDC.GDI32(?), ref: 004411AD
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00441234
GetStockObject.GDI32(00000004), ref: 00441256
FillRect.USER32(00000000,?,00000000), ref: 0044126F

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(00000000,00000000), ref: 004412BA

Part of subcall function 0042535C: FillRect.USER32(?,00000000,00000000), ref: 00425385

RestoreDC.GDI32(00000000,?), ref: 004412E5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446070, Relevance: 9.1, APIs: 6, Instructions: 99 Total matches: 165window

Similarity

Total matches: 165
API ID: DefWindowProcIsWindowEnabledSetActiveWindowSetFocusSetWindowPosShowWindow
String ID:
API String ID: 81093956-0
Opcode ID: 91e5e05e051b3e2f023c100c42454c78ad979d8871dc5c9cc7008693af0beda7
Instruction ID: aa6e88dcafe1d9e979c662542ea857fd259aca5c8034ba7b6c524572af4b0f27
Opcode Fuzzy Hash: C2F0DD0025452320F892A8044167FBA60622B5F75ACDCD3282197002AEEFE7507ABF14
Instruction Fuzzy Hash: aa6e88dcafe1d9e979c662542ea857fd259aca5c8034ba7b6c524572af4b0f27

APIs

Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773

SetActiveWindow.USER32(?), ref: 0044608F
ShowWindow.USER32(00000000,00000009), ref: 004460B4
IsWindowEnabled.USER32(00000000), ref: 004460D3
DefWindowProcA.USER32(?,00000112,0000F120,00000000), ref: 004460EC

Part of subcall function 00444C44: ShowWindow.USER32(?,00000006), ref: 00444C5F

SetWindowPos.USER32(?,00000000,00000000,?,?,00445ABE,00000000), ref: 00446132
SetFocus.USER32(00000000), ref: 00446180

Part of subcall function 0043FDB4: ShowWindow.USER32(00000000,?), ref: 0043FDEA

Part of subcall function 00445490: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000213), ref: 004454DE

Part of subcall function 004455EC: EnumWindows.USER32(00445518,00000000), ref: 00445620
Part of subcall function 004455EC: ShowWindow.USER32(?,00000000), ref: 00445655
Part of subcall function 004455EC: ShowOwnedPopups.USER32(00000000,?), ref: 00445684
Part of subcall function 004455EC: ShowWindow.USER32(?,00000005), ref: 004456EA
Part of subcall function 004455EC: ShowOwnedPopups.USER32(00000000,?), ref: 00445719

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426564, Relevance: 9.1, APIs: 6, Instructions: 84 Total matches: 3298

Similarity

Total matches: 3298
API ID: GetDeviceCapsGetSystemMetrics$GetDCReleaseDC
String ID:
API String ID: 3173458388-0
Opcode ID: fd9f4716da230ae71bf1f4ec74ceb596be8590d72bfe1d7677825fa15454f496
Instruction ID: 76208f8db54bfa31a4e946745ab37a866a8afca9cd7e1400b1f436bf5add317d
Opcode Fuzzy Hash: 0CF09E4906CDE0A230E245C41213F6290C28E85DA1CCD2F728175646EB900A900BB68A
Instruction Fuzzy Hash: 76208f8db54bfa31a4e946745ab37a866a8afca9cd7e1400b1f436bf5add317d

APIs

GetSystemMetrics.USER32(0000000B), ref: 004265B2
GetSystemMetrics.USER32(0000000C), ref: 004265BE
GetDC.USER32(00000000), ref: 004265DA
GetDeviceCaps.GDI32(00000000,0000000E), ref: 00426601
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042660E
ReleaseDC.USER32(00000000,00000000), ref: 00426647

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004269DC, Relevance: 9.1, APIs: 6, Instructions: 65 Total matches: 3081window

Similarity

Total matches: 3081
API ID: SelectPalette$CreateCompatibleDCDeleteDCGetDIBitsRealizePalette
String ID:
API String ID: 940258532-0
Opcode ID: c5678bed85b02f593c88b8d4df2de58c18800a354d7fb4845608846d7bc0f30b
Instruction ID: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194
Opcode Fuzzy Hash: BCE0864D058EF36F1875B08C25D267100C0C9A25D0917BB6151282339B8F09B42FE553
Instruction Fuzzy Hash: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194

APIs

Part of subcall function 00426888: GetObjectA.GDI32(?,00000054), ref: 0042689C

CreateCompatibleDC.GDI32(00000000), ref: 004269FE
SelectPalette.GDI32(?,?,00000000), ref: 00426A1F
RealizePalette.GDI32(?), ref: 00426A2B
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 00426A42
SelectPalette.GDI32(?,00000000,00000000), ref: 00426A6A
DeleteDC.GDI32(?), ref: 00426A73

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426210, Relevance: 9.1, APIs: 6, Instructions: 56 Total matches: 3064window

Similarity

Total matches: 3064
API ID: SelectObject$CreateCompatibleDCCreatePaletteDeleteDCGetDIBColorTable
String ID:
API String ID: 2522673167-0
Opcode ID: 8f0861977a40d6dd0df59c1c8ae10ba78c97ad85d117a83679491ebdeecf1838
Instruction ID: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265
Opcode Fuzzy Hash: 23E0CD8BABB4E08A797B9EA40440641D28F874312DF4347525731780E7DE0972EBFD9D
Instruction Fuzzy Hash: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265

APIs

CreateCompatibleDC.GDI32(00000000), ref: 00426229
SelectObject.GDI32(00000000,00000000), ref: 00426232
GetDIBColorTable.GDI32(00000000,00000000,00000100,?), ref: 00426246
SelectObject.GDI32(00000000,00000000), ref: 00426252
DeleteDC.GDI32(00000000), ref: 00426258
CreatePalette.GDI32 ref: 0042629F

Part of subcall function 00426178: GetDC.USER32(00000000), ref: 00426190
Part of subcall function 00426178: GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
Part of subcall function 00426178: ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004258EC, Relevance: 9.0, APIs: 6, Instructions: 43 Total matches: 3205

Similarity

Total matches: 3205
API ID: SetBkColorSetBkMode$SelectObjectUnrealizeObject
String ID:
API String ID: 865388446-0
Opcode ID: ffaa839b37925f52af571f244b4bcc9ec6d09047a190f4aa6a6dd435522a71e3
Instruction ID: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d
Opcode Fuzzy Hash: 04D09E594221F71A98E8058442D7D520586497D532DAF3B51063B173F7F8089A05D9FC
Instruction Fuzzy Hash: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d

APIs

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

UnrealizeObject.GDI32(00000000), ref: 004258F8
SelectObject.GDI32(?,00000000), ref: 0042590A
SetBkColor.GDI32(?,00000000), ref: 0042592D
SetBkMode.GDI32(?,00000002), ref: 00425938

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(?,00000000), ref: 00425953
SetBkMode.GDI32(?,00000001), ref: 0042595E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042A930, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 112 Total matches: 272window

Similarity

Total matches: 272
API ID: CreateHalftonePaletteDeleteObjectGetDCReleaseDC
String ID: (
API String ID: 5888407-3887548279
Opcode ID: 4e22601666aff46a46581565b5bf303763a07c2fd17868808ec6dd327d665c82
Instruction ID: f57f3c124764741b0e8e00b5455ad9be4a6e3969f543885727e4b1f2e22c0620
Opcode Fuzzy Hash: 79019E5241CC6117F8D7A6547852F732644AB806A5C80FB707B69BA8CFAB85610EB90B
Instruction Fuzzy Hash: f57f3c124764741b0e8e00b5455ad9be4a6e3969f543885727e4b1f2e22c0620

APIs

GetDC.USER32(00000000), ref: 0042A9EC
CreateHalftonePalette.GDI32(00000000), ref: 0042A9F9
ReleaseDC.USER32(00000000,00000000), ref: 0042AA08
DeleteObject.GDI32(00000000), ref: 0042AA76

Strings

(, xrefs: 0042A9A3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DA48, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 102 Total matches: 32

Similarity

Total matches: 32
API ID: Netbios
String ID: %.2x-%.2x-%.2x-%.2x-%.2x-%.2x$3$memory allocation failed!
API String ID: 544444789-2654533857
Opcode ID: 22deb5ba4c8dd5858e69645675ac88c4b744798eed5cc2a6ae80ae5365d1f156
Instruction ID: 205d53b38d78d2d0723284a20418f6a6cc2e9f6e34ee92e133a3f4b1a01c78c5
Opcode Fuzzy Hash: FC0145449793E233D2635E086C60F6823228F41731FC96B56863A557DC1F09420EF26F
Instruction Fuzzy Hash: 205d53b38d78d2d0723284a20418f6a6cc2e9f6e34ee92e133a3f4b1a01c78c5

APIs

Netbios.NETAPI32(00000032), ref: 0048DA8A
Netbios.NETAPI32(00000033), ref: 0048DB01

Strings

3, xrefs: 0048DACB
memory allocation failed!, xrefs: 0048DAEB
%.2x-%.2x-%.2x-%.2x-%.2x-%.2x, xrefs: 0048DBA0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446EDC, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 98 Total matches: 12timethreadwindow

Similarity

Total matches: 12
API ID: GetCurrentThreadIdSetTimerWaitMessage
String ID: 4PI$TfD
API String ID: 3709936073-2665388893
Opcode ID: a96b87b76615ec2f6bd9a49929a256f28b564bdc467e68e118c3deca706b2d51
Instruction ID: b92290f9b4a80c848b093905c5717a31533565e16cff7f57329368dd8290fbf7
Opcode Fuzzy Hash: E2F0A28141CDF053D573A6183401FD120A6F3465D5CD097723768360EE1ADF603DE14B
Instruction Fuzzy Hash: b92290f9b4a80c848b093905c5717a31533565e16cff7f57329368dd8290fbf7

APIs

Part of subcall function 00446E50: GetCursorPos.USER32 ref: 00446E57

SetTimer.USER32(00000000,00000000,?,00446E74), ref: 00446FAB

Part of subcall function 00446DEC: IsWindowVisible.USER32(00000000), ref: 00446E24
Part of subcall function 00446DEC: IsWindowEnabled.USER32(00000000), ref: 00446E35

GetCurrentThreadId.KERNEL32(00000000,00447029,?,?,?,015B8130), ref: 00446FE5
WaitMessage.USER32 ref: 00447009

Part of subcall function 0041F7B4: GetCurrentThreadId.KERNEL32 ref: 0041F7BF
Part of subcall function 0041F7B4: GetCurrentThreadId.KERNEL32 ref: 0041F7CE
Part of subcall function 0041F7B4: EnterCriticalSection.KERNEL32(004999D0), ref: 0041F813
Part of subcall function 0041F7B4: InterlockedExchange.KERNEL32(00491B2C,?), ref: 0041F82F
Part of subcall function 0041F7B4: LeaveCriticalSection.KERNEL32(004999D0,00000000,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F888
Part of subcall function 0041F7B4: EnterCriticalSection.KERNEL32(004999D0,0041F904,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F8F7

Strings

TfD, xrefs: 00446EFE, 00446F08, 00446F59, 00446F81, 00446FBE, 00446F8E, 00446F69, 00446F6C, 00446F14, 00446F1D
4PI, xrefs: 00446FEA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00431630, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68 Total matches: 12clipboard

Similarity

Total matches: 12
API ID: EnumClipboardFormatsGetClipboardData
String ID: 84B
API String ID: 3474394156-4139892337
Opcode ID: cbdc4fb4fee60523561006c9190bf0aca0ea1a398c4033ec61a61d99ebad6b44
Instruction ID: f1c5519afed1b0c95f7f2342b940afc2bc63d918938f195d0c151ba0fb7a00cb
Opcode Fuzzy Hash: 42E0D8922359D127F8C2A2903882B52360966DA6488405B709B6D7D1575551512FF28B
Instruction Fuzzy Hash: f1c5519afed1b0c95f7f2342b940afc2bc63d918938f195d0c151ba0fb7a00cb

APIs

EnumClipboardFormats.USER32(00000000), ref: 00431657
GetClipboardData.USER32(00000000), ref: 00431677
GetClipboardData.USER32(00000009), ref: 00431680
EnumClipboardFormats.USER32(00000000), ref: 0043169F

Strings

84B, xrefs: 00431665

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EA7C, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50 Total matches: 198thread

Similarity

Total matches: 198
API ID: FindWindowExGetCurrentThreadIdGetWindowThreadProcessIdIsWindow
String ID: OleMainThreadWndClass
API String ID: 201132107-3883841218
Opcode ID: cdbacb71e4e8a6832b821703e69153792bbbb8731c9381be4d3b148a6057b293
Instruction ID: 62358f18f5a79d764869bf2b093b0b3ccaeb62bda00a46bd1094c38cdaeeb6b7
Opcode Fuzzy Hash: F8E08C9266CC1095C039EA1C7A2237A3548B7D24E9ED4DB747BEB2716CEF00022A7780
Instruction Fuzzy Hash: 62358f18f5a79d764869bf2b093b0b3ccaeb62bda00a46bd1094c38cdaeeb6b7

APIs

Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00000000,00403029), ref: 004076AD
Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00403029), ref: 004076BE

IsWindow.USER32(?), ref: 0042EA99
FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
GetCurrentThreadId.KERNEL32(?,00000000,00000000,00000000,OleMainThreadWndClass,00000000,?,?,00000000,0042EB52), ref: 0042EB0A

Strings

OleMainThreadWndClass, xrefs: 0042EAC3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043F914, Relevance: 7.7, APIs: 5, Instructions: 174 Total matches: 113window

Similarity

Total matches: 113
API ID: SetMenu$GetMenuSetWindowPos
String ID:
API String ID: 2285096500-0
Opcode ID: d0722823978f30f9d251a310f9061108e88e98677dd122370550f2cde24528f3
Instruction ID: e705ced47481df034b79e2c10a9e9c5239c9913cd23e0c77b7b1ec0a0db802ed
Opcode Fuzzy Hash: 5F118B40961E1266F846164C19EAF1171E6BB9D305CC4E72083E630396BE085027E773
Instruction Fuzzy Hash: e705ced47481df034b79e2c10a9e9c5239c9913cd23e0c77b7b1ec0a0db802ed

APIs

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetMenu.USER32(00000000), ref: 0043FA38
SetMenu.USER32(00000000,00000000), ref: 0043FA55
SetMenu.USER32(00000000,00000000), ref: 0043FA8A
SetMenu.USER32(00000000,00000000), ref: 0043FAA6

Part of subcall function 0043F84C: GetMenu.USER32(00000000), ref: 0043F892
Part of subcall function 0043F84C: SendMessageA.USER32(00000000,00000230,00000000,00000000), ref: 0043F8AA
Part of subcall function 0043F84C: DrawMenuBar.USER32(00000000), ref: 0043F8BB

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043FAED

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434AE4, Relevance: 7.7, APIs: 5, Instructions: 168 Total matches: 2874

Similarity

Total matches: 2874
API ID: DrawTextOffsetRect$DrawEdge
String ID:
API String ID: 1230182654-0
Opcode ID: 4033270dfa35f51a11e18255a4f5fd5a4a02456381e8fcea90fa62f052767fcc
Instruction ID: 6b9e5ef3b45a4a7d0cb501c9f56a29ead01efbe1e1581f942ef4c6a165ab8663
Opcode Fuzzy Hash: A511CB01114D5A93E431240815A7FEF1295FBC1A9BCD4BB71078636DBB2F481017EA7B
Instruction Fuzzy Hash: 6b9e5ef3b45a4a7d0cb501c9f56a29ead01efbe1e1581f942ef4c6a165ab8663

APIs

DrawEdge.USER32(00000000,?,00000006,00000002), ref: 00434BB3
OffsetRect.USER32(?,00000001,00000001), ref: 00434C04
DrawTextA.USER32(00000000,00000000,?,?,?), ref: 00434C3D
OffsetRect.USER32(?,000000FF,000000FF), ref: 00434C4A

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

DrawTextA.USER32(00000000,00000000,?,?,?), ref: 00434CB5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00473208, Relevance: 7.6, APIs: 5, Instructions: 114 Total matches: 15network

Similarity

Total matches: 15
API ID: inet_ntoa$WSAIoctlclosesocketsocket
String ID:
API String ID: 2271367613-0
Opcode ID: 03e2a706dc22aa37b7c7fcd13714bf4270951a4113eb29807a237e9173ed7bd6
Instruction ID: 676ba8df3318004e6f71ddf2b158507320f00f5068622334a9372202104f6e6f
Opcode Fuzzy Hash: A0F0AC403B69D14384153BC72A80F5971A2872F33ED4833999230986D7984CA018F529
Instruction Fuzzy Hash: 676ba8df3318004e6f71ddf2b158507320f00f5068622334a9372202104f6e6f

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00473339), ref: 0047323B
WSAIoctl.WS2_32(000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000), ref: 0047327C
inet_ntoa.WSOCK32(?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000), ref: 004732AC
inet_ntoa.WSOCK32(?,?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001), ref: 004732E8
closesocket.WSOCK32(000000FF,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000,00000000,00473339), ref: 00473319

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004455EC, Relevance: 7.6, APIs: 5, Instructions: 109 Total matches: 230

Similarity

Total matches: 230
API ID: ShowOwnedPopupsShowWindow$EnumWindows
String ID:
API String ID: 1268429734-0
Opcode ID: 27bb45b2951756069d4f131311b8216febb656800ffc3f7147a02f570a82fa35
Instruction ID: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc
Opcode Fuzzy Hash: 70012B5524E87325E2756D54B01C765A2239B0FF08CE6C6654AAE640F75E1E0132F78D
Instruction Fuzzy Hash: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc

APIs

EnumWindows.USER32(00445518,00000000), ref: 00445620
ShowWindow.USER32(?,00000000), ref: 00445655
ShowOwnedPopups.USER32(00000000,?), ref: 00445684
ShowWindow.USER32(?,00000005), ref: 004456EA
ShowOwnedPopups.USER32(00000000,?), ref: 00445719

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EB3C, Relevance: 7.6, APIs: 5, Instructions: 86 Total matches: 211window

Similarity

Total matches: 211
API ID: DispatchMessageMsgWaitForMultipleObjectsExPeekMessageTranslateMessageWaitForMultipleObjectsEx
String ID:
API String ID: 1615661765-0
Opcode ID: ed928f70f25773e24e868fbc7ee7d77a1156b106903410d7e84db0537b49759f
Instruction ID: 55a40452e6c929106030349fb2bc1598364ce2fc4e781c2a916e8f687fa462b2
Opcode Fuzzy Hash: DDF05C09614F1D16D8BB88644562B1B2144AB42397C26BFA5529EE3B2D6B18B00AF640
Instruction Fuzzy Hash: 55a40452e6c929106030349fb2bc1598364ce2fc4e781c2a916e8f687fa462b2

APIs

Part of subcall function 0042EA7C: IsWindow.USER32(?), ref: 0042EA99
Part of subcall function 0042EA7C: FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
Part of subcall function 0042EA7C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
Part of subcall function 0042EA7C: GetCurrentThreadId.KERNEL32(?,00000000,00000000,00000000,OleMainThreadWndClass,00000000,?,?,00000000,0042EB52), ref: 0042EB0A

MsgWaitForMultipleObjectsEx.USER32(?,?,?,000000BF,?), ref: 0042EB6A
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 0042EB85
TranslateMessage.USER32(?), ref: 0042EB92
DispatchMessageA.USER32(?), ref: 0042EB9B
WaitForMultipleObjectsEx.KERNEL32(?,?,?,?,00000000), ref: 0042EBC7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434924, Relevance: 7.6, APIs: 5, Instructions: 77 Total matches: 2509window

Similarity

Total matches: 2509
API ID: GetMenuItemCount$DestroyMenuGetMenuStateRemoveMenu
String ID:
API String ID: 4240291783-0
Opcode ID: 32de4ad86fdb0cc9fc982d04928276717e3a5babd97d9cb0bc7430a9ae97d0ca
Instruction ID: cf6877f9ad33401498591f2bf6e6844a5ca439f59e89e6fdb213c81f0c010526
Opcode Fuzzy Hash: 6BE02BD3455E4703F425AB0454E3FA913C4AF51716DA0DB1017359D07B1F26501FE9F4
Instruction Fuzzy Hash: cf6877f9ad33401498591f2bf6e6844a5ca439f59e89e6fdb213c81f0c010526

APIs

Part of subcall function 00434A54: CreatePopupMenu.USER32 ref: 00434A6F
Part of subcall function 00434A54: CreateMenu.USER32 ref: 00434A79

GetMenuItemCount.USER32(00000000), ref: 0043495C
GetMenuState.USER32(00000000,-00000001,00000400), ref: 0043497D
RemoveMenu.USER32(00000000,-00000001,00000400), ref: 00434994
GetMenuItemCount.USER32(00000000), ref: 004349C4
DestroyMenu.USER32(00000000), ref: 004349D1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00443430, Relevance: 7.6, APIs: 5, Instructions: 61 Total matches: 3003

Similarity

Total matches: 3003
API ID: SetWindowLong$GetWindowLongRedrawWindowSetLayeredWindowAttributes
String ID:
API String ID: 3761630487-0
Opcode ID: 9c9d49d1ef37d7cb503f07450c0d4a327eb9b2b4778ec50dcfdba666c10abcb3
Instruction ID: c6d9d2cd31c241e86b7d90949bf59b5cad1e27a78e0073c3828bbb8e9ec94880
Opcode Fuzzy Hash: 6AE06550D41703A1D48114945B63FBBE8817F8911DDE5C71001BA29145BA88A192FF7B
Instruction Fuzzy Hash: c6d9d2cd31c241e86b7d90949bf59b5cad1e27a78e0073c3828bbb8e9ec94880

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 00443464
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 00443496
SetLayeredWindowAttributes.USER32(00000000,?,?,00000000), ref: 004434CF
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 004434E8
RedrawWindow.USER32(00000000,00000000,00000000,00000485), ref: 004434FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426178, Relevance: 7.6, APIs: 5, Instructions: 55 Total matches: 3070window

Similarity

Total matches: 3070
API ID: GetPaletteEntries$GetDCGetDeviceCapsReleaseDC
String ID:
API String ID: 1267235336-0
Opcode ID: 49f91625e0dd571c489fa6fdad89a91e8dd79834746e98589081ca7a3a4fea17
Instruction ID: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836
Opcode Fuzzy Hash: 7CD0C2AA1389DBD6BD6A17842352A4553478983B09D126B32EB0822872850C5039FD1F
Instruction Fuzzy Hash: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836

APIs

GetDC.USER32(00000000), ref: 00426190
GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444B90, Relevance: 7.5, APIs: 5, Instructions: 25 Total matches: 2957synchronizationthread

Similarity

Total matches: 2957
API ID: CloseHandleGetCurrentThreadIdSetEventUnhookWindowsHookExWaitForSingleObject
String ID:
API String ID: 3442057731-0
Opcode ID: bc40a7f740796d43594237fc13166084f8c3b10e9e48d5138e47e82ca7129165
Instruction ID: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1
Opcode Fuzzy Hash: E9C01296B2C9B0C1EC809712340202800B20F8FC590E3DE0509D7363005315D73CD92C
Instruction Fuzzy Hash: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1

APIs

UnhookWindowsHookEx.USER32(00000000), ref: 00444B9F
SetEvent.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBA
GetCurrentThreadId.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBF
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00444BD4
CloseHandle.KERNEL32(00000000), ref: 00444BDF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040D670, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148 Total matches: 3566thread

Similarity

Total matches: 3566
API ID: GetThreadLocale
String ID: eeee$ggg$yyyy
API String ID: 1366207816-1253427255
Opcode ID: 86fa1fb3c1f239f42422769255d2b4db7643f856ec586a18d45da068e260c20e
Instruction ID: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436
Opcode Fuzzy Hash: 3911BD8712648363D5722818A0D2BE3199C5703CA4EA89742DDB6356EA7F09440BEE6D
Instruction Fuzzy Hash: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436

APIs

GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Strings

eeee, xrefs: 0040D7AE
yyyy, xrefs: 0040D795
ggg, xrefs: 0040D785

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486094, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 112 Total matches: 15window

Similarity

Total matches: 15
API ID: DispatchMessagePeekMessageTranslateMessage
String ID: @^H
API String ID: 185851025-3554995626
Opcode ID: 2132e19746abd73b79cebe2d4e6b891fdd392e5cfbbdda1538f9754c05474f80
Instruction ID: eb76ea1802a2b415b8915c5eabc8b18207f4e99a378ecd2f436d0820f5175207
Opcode Fuzzy Hash: FF019C4102C7C1D9EE46E4FD3030BC3A454A74A7A6D89A7A03EFD1116A5F8A7116BF2B
Instruction Fuzzy Hash: eb76ea1802a2b415b8915c5eabc8b18207f4e99a378ecd2f436d0820f5175207

APIs

Part of subcall function 00485EAC: shutdown.WSOCK32(00000000,00000002), ref: 00485F0E
Part of subcall function 00485EAC: closesocket.WSOCK32(00000000,00000000,00000002), ref: 00485F19

Part of subcall function 00485F40: socket.WSOCK32(00000002,00000001,00000000,00000000,00486072), ref: 00485F69
Part of subcall function 00485F40: ntohs.WSOCK32(00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485F8F
Part of subcall function 00485F40: inet_addr.WSOCK32(015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FA0
Part of subcall function 00485F40: gethostbyname.WSOCK32(015EAA88,015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FB5
Part of subcall function 00485F40: connect.WSOCK32(00000000,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FD8
Part of subcall function 00485F40: recv.WSOCK32(00000000,0049A3A0,00001FFF,00000000,00000000,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FEF
Part of subcall function 00485F40: recv.WSOCK32(00000000,0049A3A0,00001FFF,00000000,00000000,0049A3A0,00001FFF,00000000,00000000,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000), ref: 0048603F

Part of subcall function 00466AFC: waveInOpen.WINMM(00000094,00000000,?,?,00000000,00010004), ref: 00466B36
Part of subcall function 00466AFC: waveInStart.WINMM(?), ref: 00466B5B

TranslateMessage.USER32(?), ref: 004861CA
DispatchMessageA.USER32(?), ref: 004861D0
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004861DE

Strings

@^H, xrefs: 004860BE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F5E4, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72 Total matches: 26window

Similarity

Total matches: 26
API ID: GetWindowPlacementGetWindowTextIsWindowVisible
String ID: ,
API String ID: 41250382-3772416878
Opcode ID: d98ece8bad481757d152ad7594c705093dec75069e9b5f9ec314c4d81001c558
Instruction ID: 1b57460ef1e40e225087e69e669dd845b9a56fe4f5442601256b4cdd4d0865f6
Opcode Fuzzy Hash: DBE0ABC68782816BD907FDCCB0207E6E1E4779394CC8CBB32C606396E44D92000DCE69
Instruction Fuzzy Hash: 1b57460ef1e40e225087e69e669dd845b9a56fe4f5442601256b4cdd4d0865f6

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F634
GetWindowPlacement.USER32(?,0000002C), ref: 0046F64F
IsWindowVisible.USER32(?), ref: 0046F655

Strings

,, xrefs: 0046F643

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00473448, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 68 Total matches: 15network

Similarity

Total matches: 15
API ID: InternetConnectInternetOpen
String ID: 84G$DCSC
API String ID: 2368555255-1372800958
Opcode ID: 53ce43b2210f5c6ad3b551091bc6b8bee07640da22ed1286f4ed4d69da6ab12a
Instruction ID: e0797c740093838c5f4dac2a7ddd4939bcbe40ebc838de26f806c335dc33f113
Opcode Fuzzy Hash: 1AF0558C09DC81CBED14B5C83C827C7281AB357949E003B91161A372C3DF0A6174FA4F
Instruction Fuzzy Hash: e0797c740093838c5f4dac2a7ddd4939bcbe40ebc838de26f806c335dc33f113

APIs

InternetOpenA.WININET(DCSC,00000000,00000000,00000000,00000000), ref: 00473493
InternetConnectA.WININET(00000000,00000000,00000000,00000000,00000000,00000001,08000000,00000000), ref: 004734D9

Strings

DCSC, xrefs: 0047348E
84G, xrefs: 00473468, 0047350F, 004734AF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004606CC, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 59 Total matches: 75network

Similarity

Total matches: 75
API ID: gethostbynameinet_addr
String ID: %d.%d.%d.%d$0.0.0.0
API String ID: 1594361348-464342551
Opcode ID: 7e59b623bdbf8c44b8bb58eaa9a1d1e7bf08be48a025104469b389075155053e
Instruction ID: 136b4077bafd549567cd44b702fc781b2d0bdeab701521d256d746d30229b047
Opcode Fuzzy Hash: 62E0D84049F633C28038E685914DF713041C71A2DEF8F9352022171EF72B096986AE3F
Instruction Fuzzy Hash: 136b4077bafd549567cd44b702fc781b2d0bdeab701521d256d746d30229b047

APIs

inet_addr.WSOCK32(00000000), ref: 004606F6
gethostbyname.WSOCK32(00000000), ref: 00460711

Strings

%d.%d.%d.%d, xrefs: 0046075E
0.0.0.0, xrefs: 0046076C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043804C, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58 Total matches: 1778window

Similarity

Total matches: 1778
API ID: DrawMenuBarGetMenuItemInfoSetMenuItemInfo
String ID: P
API String ID: 41131186-3110715001
Opcode ID: ea0fd48338f9c30b58f928f856343979a74bbe7af1b6c53973efcbd39561a32d
Instruction ID: eec9c326b6739cd85be96541f469f9b321a478421ae7c7aca53e0c239bd8eefe
Opcode Fuzzy Hash: C8E0C0C1064C1301CCACB4938564F010221FB8B33CDD1D3C051602419A9D0080D4BFFA
Instruction Fuzzy Hash: eec9c326b6739cd85be96541f469f9b321a478421ae7c7aca53e0c239bd8eefe

APIs

GetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 0043809A
SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 004380EC
DrawMenuBar.USER32(00000000), ref: 004380F9

Strings

P, xrefs: 0043808C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E2E0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43 Total matches: 12

Similarity

Total matches: 12
API ID: GetSystemMetrics
String ID: B$MonitorFromRect
API String ID: 96882338-2754499530
Opcode ID: 1842a50c2a1cfa3c1025dca09d4f756f79199febb49279e4604648b2b7edb610
Instruction ID: 6b6d6292007391345a0dd43a7380953c143f03b3d0a4cb72f8cf2ff6a2a574f7
Opcode Fuzzy Hash: E0D0A791112CA408509A0917702924315EE35EBC1599C0BE6976B792E797CABD329E0D
Instruction Fuzzy Hash: 6b6d6292007391345a0dd43a7380953c143f03b3d0a4cb72f8cf2ff6a2a574f7

APIs

GetSystemMetrics.USER32(00000000), ref: 0042E331
GetSystemMetrics.USER32(00000001), ref: 0042E33D

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

MonitorFromRect, xrefs: 0042E2F5
B, xrefs: 0042E2FA, 0042E307, 0042E30E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046D36C, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36 Total matches: 62

Similarity

Total matches: 62
API ID: ShellExecute
String ID: /k $[FILE]$open
API String ID: 2101921698-3009165984
Opcode ID: 68a05d7cd04e1a973318a0f22a03b327e58ffdc8906febc8617c9713a9b295c3
Instruction ID: d64fb813625eb261c687c2654e5203d30067de4ace02db37851750b48dd66fbf
Opcode Fuzzy Hash: FED0C75427CD9157FA017F8439527E61057E747281D481BE285587A0838F8D40659312
Instruction Fuzzy Hash: d64fb813625eb261c687c2654e5203d30067de4ace02db37851750b48dd66fbf

APIs

ShellExecuteA.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0046D3B9

Strings

/k , xrefs: 0046D39A
cmd.exe, xrefs: 0046D3AD
open, xrefs: 0046D3B2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00411444, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: 954335058d5fe722e048a186d9110509c96c1379a47649d8646f5b9e1a2e0a0b
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: 9D014B0327CAAA867021BB004882FA0D2D4DE52A369CD8774DB71593F62780571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004114F3
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041150F
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411586
VariantClear.OLEAUT32(?), ref: 004115AF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040D8AA, Relevance: 6.1, APIs: 4, Instructions: 101 Total matches: 2563

Similarity

Total matches: 2563
API ID: GetModuleFileName$LoadStringVirtualQuery
String ID:
API String ID: 2941097594-0
Opcode ID: 9f707685a8ca2ccbfc71ad53c7f9b5a8f910bda01de382648e3a286d4dcbad8b
Instruction ID: 9b6f9daabaaed01363acd1bc6df000eeaee8c5b1ee04e659690c8b100997f9f3
Opcode Fuzzy Hash: 4C014C024365E386F4234B112882F5492E0DB65DB1E8C6751EFB9503F65F40115EF72D
Instruction Fuzzy Hash: 9b6f9daabaaed01363acd1bc6df000eeaee8c5b1ee04e659690c8b100997f9f3

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040D8C9
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040D8ED
GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040D908
LoadStringA.USER32(00000000,0000FFED,?,00000100), ref: 0040D99E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428848, Relevance: 6.1, APIs: 4, Instructions: 83 Total matches: 2913window

Similarity

Total matches: 2913
API ID: CreateCompatibleDCRealizePaletteSelectObjectSelectPalette
String ID:
API String ID: 3833105616-0
Opcode ID: 7f49dee69bcd38fda082a6c54f39db5f53dba16227df2c2f18840f8cf7895046
Instruction ID: 29ada319a87402adac0eebea4d3b1ef9d21249ffa1523adf5174efdc3c3390a2
Opcode Fuzzy Hash: C0F0E5870BCED49BFCA7D484249722910C2F3C08DFC80A3324E55676DB9604B127A20B
Instruction Fuzzy Hash: 29ada319a87402adac0eebea4d3b1ef9d21249ffa1523adf5174efdc3c3390a2

APIs

Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE

Part of subcall function 00429D5C: GetDC.USER32(00000000), ref: 00429DB2
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429DC7
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00429DD1
Part of subcall function 00429D5C: CreateHalftonePalette.GDI32(00000000), ref: 00429DF5
Part of subcall function 00429D5C: ReleaseDC.USER32(00000000,00000000), ref: 00429E00

CreateCompatibleDC.GDI32(00000000), ref: 0042889D
SelectObject.GDI32(00000000,?), ref: 004288B6
SelectPalette.GDI32(00000000,?,000000FF), ref: 004288DF
RealizePalette.GDI32(00000000), ref: 004288EB

Part of subcall function 00425608: LeaveCriticalSection.KERNEL32(00000038,00000000,00423DD2,00423DE8), ref: 0042560F
Part of subcall function 00425608: EnterCriticalSection.KERNEL32(00499A30,00000038,00000000,00423DD2,00423DE8), ref: 00425619
Part of subcall function 00425608: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000038,00000000,00423DD2,00423DE8), ref: 00425626

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00438710, Relevance: 6.1, APIs: 4, Instructions: 72 Total matches: 3034window

Similarity

Total matches: 3034
API ID: GetMenuItemIDGetMenuStateGetMenuStringGetSubMenu
String ID:
API String ID: 4177512249-0
Opcode ID: ecc45265f1f2dfcabc36b66648e37788e83d83d46efca9de613be41cbe9cf08e
Instruction ID: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d
Opcode Fuzzy Hash: BEE020084B1FC552541F0A4A1573F019140E142CB69C3F3635127565B31A255213F776
Instruction Fuzzy Hash: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d

APIs

GetMenuState.USER32(?,?,?), ref: 00438733
GetSubMenu.USER32(?,?), ref: 0043873E
GetMenuItemID.USER32(?,?), ref: 00438757
GetMenuStringA.USER32(?,?,?,?,?), ref: 004387AA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00445518, Relevance: 6.1, APIs: 4, Instructions: 71 Total matches: 218threadwindow

Similarity

Total matches: 218
API ID: GetCurrentProcessIdGetWindowGetWindowThreadProcessIdIsWindowVisible
String ID:
API String ID: 3659984437-0
Opcode ID: 6a2b99e3a66d445235cbeb6ae27631a3038d73fb4110980a8511166327fee1f0
Instruction ID: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8
Opcode Fuzzy Hash: 82E0AB21B2AA28AAE0971541B01939130B3F74ED9ACC0A3626F8594BD92F253809E74F
Instruction Fuzzy Hash: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8

APIs

GetWindow.USER32(?,00000004), ref: 00445528
GetWindowThreadProcessId.USER32(?,?), ref: 00445542
GetCurrentProcessId.KERNEL32(?,00000004), ref: 0044554E
IsWindowVisible.USER32(?), ref: 0044559E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B29C, Relevance: 6.1, APIs: 4, Instructions: 58 Total matches: 214window

Similarity

Total matches: 214
API ID: DeleteObject$GetIconInfoGetObject
String ID:
API String ID: 3019347292-0
Opcode ID: d6af2631bec08fa1cf173fc10c555d988242e386d2638a025981433367bbd086
Instruction ID: 7fbc048e39f9dd6e6db5f40543e5f161b145f4c2f282fe4a446dbd8e1941d375
Opcode Fuzzy Hash: F7D0C283228DE2F7ED767D983A636154085F782297C6423B00444730860A1E700C6A03
Instruction Fuzzy Hash: 7fbc048e39f9dd6e6db5f40543e5f161b145f4c2f282fe4a446dbd8e1941d375

APIs

GetIconInfo.USER32(?,?), ref: 0042B2BD
GetObjectA.GDI32(?,00000018,?), ref: 0042B2DE
DeleteObject.GDI32(?), ref: 0042B30A
DeleteObject.GDI32(?), ref: 0042B313

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00445334, Relevance: 6.1, APIs: 4, Instructions: 56 Total matches: 2678

Similarity

Total matches: 2678
API ID: EnumWindowsGetWindowGetWindowLongSetWindowPos
String ID:
API String ID: 1660305372-0
Opcode ID: c3d012854d63b95cd89c42a77d529bdce0f7c5ea0abc138a70ce1ca7fb0ed027
Instruction ID: 7947c1ee61b3a945b06f79495752ea495d4a1fb36974d9d540e15b721e8a8e8a
Opcode Fuzzy Hash: 65E07D89179DA114F52124400911F043342F3D731BD1ADF814246283E39B8522BBFB8C
Instruction Fuzzy Hash: 7947c1ee61b3a945b06f79495752ea495d4a1fb36974d9d540e15b721e8a8e8a

APIs

EnumWindows.USER32(Function_000452BC), ref: 0044535E
GetWindow.USER32(?,00000003), ref: 00445376
GetWindowLongA.USER32(00000000,000000EC), ref: 00445383
SetWindowPos.USER32(00000000,000000EC,00000000,00000000,00000000,00000000,00000213), ref: 004453C2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040A404, Relevance: 6.1, APIs: 4, Instructions: 54 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: c8f11cb17e652d385e55d6399cfebc752614be738e382b5839b86fc73ea86396
Instruction ID: 2e292ce978d1af3d415e66e5b982e49a92b9d84a3d1479b7871fac408542b61b
Opcode Fuzzy Hash: 32D02B030B309613452F157D0441F8D7032488F01A96C2F8C37B77ABA68505605FFE4C
Instruction Fuzzy Hash: 2e292ce978d1af3d415e66e5b982e49a92b9d84a3d1479b7871fac408542b61b

APIs

FindNextFileA.KERNEL32(?,?), ref: 0040A415
GetLastError.KERNEL32(?,?), ref: 0040A41E
FileTimeToLocalFileTime.KERNEL32(?), ref: 0040A434
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 0040A443

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0041C2D4, Relevance: 6.1, APIs: 4, Instructions: 51 Total matches: 4966

Similarity

Total matches: 4966
API ID: FindResourceLoadResourceLockResourceSizeofResource
String ID:
API String ID: 3653323225-0
Opcode ID: 735dd83644160b8dcfdcb5d85422b4d269a070ba32dbf009b7750e227a354687
Instruction ID: 615d07274e164157e3e11310b2f920de543c2506028dc961f8b3aaf64374c2fd
Opcode Fuzzy Hash: 4BD0A90A2268C100582C2C80002BBC610830A5FE226CC27F902231BBC32C026024F8C4
Instruction Fuzzy Hash: 615d07274e164157e3e11310b2f920de543c2506028dc961f8b3aaf64374c2fd

APIs

FindResourceA.KERNEL32(?,?,?), ref: 0041C2EB
LoadResource.KERNEL32(?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C305
SizeofResource.KERNEL32(?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C31F
LockResource.KERNEL32(0041BDF4,00000000,?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000), ref: 0041C329

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040A3AC, Relevance: 6.0, APIs: 4, Instructions: 40 Total matches: 51time

Similarity

Total matches: 51
API ID: DosDateTimeToFileTimeGetLastErrorLocalFileTimeToFileTimeSetFileTime
String ID:
API String ID: 3095628216-0
Opcode ID: dc7fe683cb9960f76d0248ee31fd3249d04fe76d6d0b465a838fe0f3e66d3351
Instruction ID: c3399427300e97a0bf23ec08d7f996c3ab3c22a86554ee3675cd901d102723b3
Opcode Fuzzy Hash: F2C0803B165157D71F4F7D7C600375011F0D1778230955B614E019718D4E05F01EFD86
Instruction Fuzzy Hash: c3399427300e97a0bf23ec08d7f996c3ab3c22a86554ee3675cd901d102723b3

APIs

DosDateTimeToFileTime.KERNEL32(?,0048C37F,?), ref: 0040A3C9
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0040A3DA
SetFileTime.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3EC
GetLastError.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3F5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00484388, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 39

Similarity

Total matches: 39
API ID: CloseHandleGetExitCodeProcessOpenProcessTerminateProcess
String ID:
API String ID: 2790531620-0
Opcode ID: 2f64381cbc02908b23ac036d446d8aeed05bad4df5f4c3da9e72e60ace7043ae
Instruction ID: e830ae185e03603e72926048c7063e7464f7d8c572e36ef4319c937be7ad0c91
Opcode Fuzzy Hash: 5DC01285079EAB7B643571D825437E14084D5026CCB943B7185045F10B4B09B43DF053
Instruction Fuzzy Hash: e830ae185e03603e72926048c7063e7464f7d8c572e36ef4319c937be7ad0c91

APIs

OpenProcess.KERNEL32(00000001,00000000,00000000), ref: 00484393
GetExitCodeProcess.KERNEL32(00000000,?), ref: 004843B7
TerminateProcess.KERNEL32(00000000,?,00000000,004843E0,?,00000001,00000000,00000000), ref: 004843C4
CloseHandle.KERNEL32(00000000), ref: 004843DA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044E254, Relevance: 6.0, APIs: 4, Instructions: 37 Total matches: 5751thread

Similarity

Total matches: 5751
API ID: GetCurrentProcessIdGetPropGetWindowThreadProcessIdGlobalFindAtom
String ID:
API String ID: 142914623-0
Opcode ID: 055fee701d7a26f26194a738d8cffb303ddbdfec43439e02886190190dab2487
Instruction ID: e9689aead5eaf442059aa2d418bca5d111d08576717f72d926dd49825766799b
Opcode Fuzzy Hash: 0AC02203AD2E23870E4202F2E840907219583DF8720CA370201B0E38C023F0461DFF0C
Instruction Fuzzy Hash: e9689aead5eaf442059aa2d418bca5d111d08576717f72d926dd49825766799b

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 0044E261
GetCurrentProcessId.KERNEL32(00000000,?,?,-00000010,00000000,0044E2CC,-000000F7,?,00000000,0044DE86,?,-00000010,?), ref: 0044E26A
GlobalFindAtomA.KERNEL32(00000000), ref: 0044E27F
GetPropA.USER32(00000000,00000000), ref: 0044E296

Part of subcall function 0044D2C0: GetWindowThreadProcessId.USER32(?), ref: 0044D2C6
Part of subcall function 0044D2C0: GetCurrentProcessId.KERNEL32(?,?,?,?,0044D346,?,00000000,?,004387ED,?,004378A9), ref: 0044D2CF
Part of subcall function 0044D2C0: SendMessageA.USER32(?,0000C1C7,00000000,00000000), ref: 0044D2E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444B1C, Relevance: 6.0, APIs: 4, Instructions: 34 Total matches: 2966thread

Similarity

Total matches: 2966
API ID: CreateEventCreateThreadGetCurrentThreadIdSetWindowsHookEx
String ID:
API String ID: 2240124278-0
Opcode ID: 54442a1563c67a11f9aee4190ed64b51599c5b098d388fde65e2e60bb6332aef
Instruction ID: 25b62da08cecef26c395931cea73ffe9b62582a88be241cbb158b3c9ea13de32
Opcode Fuzzy Hash: 37D0C940B0DE75C4F860630138017A90633234BF1BCD1C316480F76041C6CFAEF07A28
Instruction Fuzzy Hash: 25b62da08cecef26c395931cea73ffe9b62582a88be241cbb158b3c9ea13de32

APIs

GetCurrentThreadId.KERNEL32(?,00447A69,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00444B34
SetWindowsHookExA.USER32(00000003,00444AD8,00000000,00000000), ref: 00444B44
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00447A69,?,?,?,?,?,?,?,?,?,?), ref: 00444B5F
CreateThread.KERNEL32(00000000,000003E8,00444A7C,00000000,00000000), ref: 00444B83

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B438, Relevance: 6.0, APIs: 4, Instructions: 29 Total matches: 789

Similarity

Total matches: 789
API ID: GetDCGetTextMetricsReleaseDCSelectObject
String ID:
API String ID: 1769665799-0
Opcode ID: db772d9cc67723a7a89e04e615052b16571c955da3e3b2639a45f22e65d23681
Instruction ID: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3
Opcode Fuzzy Hash: DCC02B935A2888C32DE51FC0940084317C8C0E3A248C62212E13D400727F0C007CBFC0
Instruction Fuzzy Hash: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3

APIs

GetDC.USER32(00000000), ref: 0042B441
SelectObject.GDI32(00000000,018A002E), ref: 0042B453
GetTextMetricsA.GDI32(00000000), ref: 0042B45E
ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042473C, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 172 Total matches: 108

Similarity

Total matches: 108
API ID: CompareStringCreateFontIndirect
String ID: Default
API String ID: 480662435-753088835
Opcode ID: 55710f22f10b58c86f866be5b7f1af69a0ec313069c5af8c9f5cd005ee0f43f8
Instruction ID: ad4a051fb67a15694052d05548e5e2a92b9daedfa5d673be67c756d1cf269a99
Opcode Fuzzy Hash: F6116A2104DDB067F8B3EC94B64A74A79D1BBC5E9EC00FB303AA57198A0B01500EEB0E
Instruction Fuzzy Hash: ad4a051fb67a15694052d05548e5e2a92b9daedfa5d673be67c756d1cf269a99

APIs

Part of subcall function 00423A1C: EnterCriticalSection.KERNEL32(?,00423A59), ref: 00423A20

CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,00424930,?,00000000,00424958), ref: 0042486B
CreateFontIndirectA.GDI32(?), ref: 0042490D

Part of subcall function 0042B438: GetDC.USER32(00000000), ref: 0042B441
Part of subcall function 0042B438: SelectObject.GDI32(00000000,018A002E), ref: 0042B453
Part of subcall function 0042B438: GetTextMetricsA.GDI32(00000000), ref: 0042B45E
Part of subcall function 0042B438: ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Part of subcall function 00423A28: LeaveCriticalSection.KERNEL32(-00000008,00423B07,00423B0F), ref: 00423A2C

Strings

Default, xrefs: 00424832, 00424840, 00424841

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045E7B4, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108 Total matches: 16

Similarity

Total matches: 16
API ID: GetActiveObject
String ID: E
API String ID: 888827201-3568589458
Opcode ID: 40ff121eecf195b3d4325bc1369df9dba976ca9c7c575cd6fc43b4b0f55e6955
Instruction ID: ab5b10c220aec983b32735e40d91a884d9f08e665b5304ccd80c3bfe0421d5f3
Opcode Fuzzy Hash: 13019E441FFC9152E583688426C3F4932B26B4FB4AD88B7271A77636A99905000FEE66
Instruction Fuzzy Hash: ab5b10c220aec983b32735e40d91a884d9f08e665b5304ccd80c3bfe0421d5f3

APIs

GetActiveObject.OLEAUT32(?,00000000,00000000), ref: 0045E817

Part of subcall function 0042BE18: ProgIDFromCLSID.OLE32(?), ref: 0042BE21
Part of subcall function 0042BE18: CoTaskMemFree.OLE32(00000000), ref: 0042BE39

Part of subcall function 0042BD90: StringFromCLSID.OLE32(?), ref: 0042BD99
Part of subcall function 0042BD90: CoTaskMemFree.OLE32(00000000), ref: 0042BDB1

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetActiveObject.OLEAUT32(?,00000000,00000000), ref: 0045E89E

Part of subcall function 0042BF5C: GetComputerNameA.KERNEL32(?,00000010), ref: 0042C00D
Part of subcall function 0042BF5C: CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,?,00000000,0042C0FD), ref: 0042C07D
Part of subcall function 0042BF5C: CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 0042C0B6

Part of subcall function 00405D28: SysFreeString.OLEAUT32(7942540A), ref: 00405D36

Part of subcall function 0042BE44: CoCreateInstance.OLE32(?,00000000,00000005,0042BF34,00000000), ref: 0042BE8B

Strings

E, xrefs: 0045E85F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E3F0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103 Total matches: 30

Similarity

Total matches: 30
API ID: SHGetPathFromIDListSHGetSpecialFolderLocation
String ID: .LNK
API String ID: 739551631-2547878182
Opcode ID: 6b91e9416f314731ca35917c4d41f2341f1eaddd7b94683245f35c4551080332
Instruction ID: e6ae6f63a256f5e8788dfe1c4fce17057cd352befa637d7beb5ae1c0f18a968e
Opcode Fuzzy Hash: 9701B543079EC2A3D9232E512D43BA60129AF11E22F4C77F35A3C3A7D11E500105FA4A
Instruction Fuzzy Hash: e6ae6f63a256f5e8788dfe1c4fce17057cd352befa637d7beb5ae1c0f18a968e

APIs

SHGetSpecialFolderLocation.SHELL32(00000000,00000010,?), ref: 0046E44B
SHGetPathFromIDListA.SHELL32(?,?,00000000,00000010,?,00000000,0046E55E), ref: 0046E463

Part of subcall function 0042BE44: CoCreateInstance.OLE32(?,00000000,00000005,0042BF34,00000000), ref: 0042BE8B

Strings

.LNK, xrefs: 0046E4DE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004629C0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 91 Total matches: 35com

Similarity

Total matches: 35
API ID: CoCreateInstance
String ID: <*I$L*I
API String ID: 206711758-935359969
Opcode ID: 926ebed84de1c4f5a0cff4f8c2e2da7e6b2741b3f47b898da21fef629141a3d9
Instruction ID: fa8d7291222113e0245fa84df17397d490cbd8a09a55d837a8cb9fde22732a4b
Opcode Fuzzy Hash: 79F02EA00A6B5057F502728428413DB0157E74BF09F48EB715253335860F29E22A6903
Instruction Fuzzy Hash: fa8d7291222113e0245fa84df17397d490cbd8a09a55d837a8cb9fde22732a4b

APIs

CoCreateInstance.OLE32(00492A3C,00000000,00000001,0049299C,00000000), ref: 00462A3F

Strings

<*I, xrefs: 00462A39
L*I, xrefs: 00462A60

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004658F4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91 Total matches: 91memory

Similarity

Total matches: 91
API ID: VirtualFreeVirtualProtect
String ID: FinalizeSections: VirtualProtect failed
API String ID: 636303360-3584865983
Opcode ID: eacfc3cf263d000af2bbea4d1e95e0ccf08e91c00f24ffdf9b55ce997f25413f
Instruction ID: a25c5a888a9fda5817e5b780509016ca40cf7ffd1ade20052d4c48f0177e32df
Opcode Fuzzy Hash: 8CF0A7A2164FC596D9E4360D5003B96A44B6BC1369D4857412FFF106F35E46A06B7D4C
Instruction Fuzzy Hash: a25c5a888a9fda5817e5b780509016ca40cf7ffd1ade20052d4c48f0177e32df

APIs

VirtualFree.KERNEL32(?,?,00004000), ref: 00465939
VirtualProtect.KERNEL32(?,?,00000000,?), ref: 004659A5

Strings

FinalizeSections: VirtualProtect failed, xrefs: 004659B3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00404B2E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83 Total matches: 27

Similarity

Total matches: 27
API ID: UnhandledExceptionFilter
String ID: @
API String ID: 324268079-2726393805
Opcode ID: 404135c81fb2f5f5ca58f8e75217e0a603ea6e07d48b6f32e279dfa7f56b0152
Instruction ID: c84c814e983b35b1fb5dae0ae7b91a26e19a660e9c4fa24becd8f1ddc27af483
Opcode Fuzzy Hash: CDF0246287E8612AD0BB6641389337E1451EF8189DC88DB307C9A306FB1A4D22A4F34C
Instruction Fuzzy Hash: c84c814e983b35b1fb5dae0ae7b91a26e19a660e9c4fa24becd8f1ddc27af483

APIs

UnhandledExceptionFilter.KERNEL32(00000006), ref: 00404B9A
UnhandledExceptionFilter.KERNEL32(?), ref: 00404BD7

Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00000000,00403029), ref: 004076AD
Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00403029), ref: 004076BE

Strings

@, xrefs: 00404B55

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040C028, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79 Total matches: 3032thread

Similarity

Total matches: 3032
API ID: GetDateFormatGetThreadLocale
String ID: yyyy
API String ID: 358233383-3145165042
Opcode ID: a9ef5bbd8ef47e5bcae7fadb254d6b5dc10943448e4061dc92b10bb97dc7929c
Instruction ID: 3d7ab4add3e8180159f8482215856afc9a1a963464e366b4ca05c92ac214afea
Opcode Fuzzy Hash: 09F09E4A0397D3D76802C969D023BC10194EB5A8B2C88B3B1DBB43D7F74C10C40AAF21
Instruction Fuzzy Hash: 3d7ab4add3e8180159f8482215856afc9a1a963464e366b4ca05c92ac214afea

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,0040C116), ref: 0040C0AE
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100), ref: 0040C0B4

Strings

yyyy, xrefs: 0040C089

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004889F0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 72 Total matches: 20

Similarity

Total matches: 20
API ID: GetMonitorInfo
String ID: H$MONSIZE
API String ID: 2399315694-578782711
Opcode ID: fcbd22419a9fe211802b34775feeb9b9cd5c1eab3f2b681a58b96c928ed20dcd
Instruction ID: 58dff39716ab95f400833e95f8353658d64ab2bf0589c4ada55bb24297febcec
Opcode Fuzzy Hash: A0F0E957075E9D5BE7326D883C177C042D82342C5AE8EB75741B9329B20D59511DF3C9
Instruction Fuzzy Hash: 58dff39716ab95f400833e95f8353658d64ab2bf0589c4ada55bb24297febcec

APIs

GetMonitorInfoA.USER32(?,00000048), ref: 00488A28

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

H, xrefs: 00488A19
MONSIZE, xrefs: 00488A65

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004843EC, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52 Total matches: 15

Similarity

Total matches: 15
API ID: CloseHandleOpenProcess
String ID: ACCESS DENIED (x64)
API String ID: 39102293-185273294
Opcode ID: a572bc7c6731d9d91b92c5675ac9d9d4c0009ce4d4d6c6579680fd2629dc7de7
Instruction ID: 96dec37c68e2c881eb92ad81010518019459718a977f0d9739e81baf42475d3b
Opcode Fuzzy Hash: EBE072420B68F08FB4738298640028100C6AE862BCC486BB5523B391DB4E49A008B6A3
Instruction Fuzzy Hash: 96dec37c68e2c881eb92ad81010518019459718a977f0d9739e81baf42475d3b

APIs

OpenProcess.KERNEL32(001F0FFF,00000000), ref: 0048440F
CloseHandle.KERNEL32(00000000), ref: 00484475

Strings

ACCESS DENIED (x64), xrefs: 004843FD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E408, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44 Total matches: 2190

Similarity

Total matches: 2190
API ID: GetSystemMetrics
String ID: MonitorFromPoint
API String ID: 96882338-1072306578
Opcode ID: 666203dad349f535e62b1e5569e849ebaf95d902ba2aa8f549115cec9aadc9dc
Instruction ID: 9e90a3aeaa9df0e76633c437836624889fea8714b6c2508f44f8acb6986c90e8
Opcode Fuzzy Hash: 72D09540005C404E9427F505302314050862CD7C1444C0A96073728A4B4BC07837E70C
Instruction Fuzzy Hash: 9e90a3aeaa9df0e76633c437836624889fea8714b6c2508f44f8acb6986c90e8

APIs

GetSystemMetrics.USER32(00000000), ref: 0042E456
GetSystemMetrics.USER32(00000001), ref: 0042E468

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

MonitorFromPoint, xrefs: 0042E41A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00405026, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43 Total matches: 29

Similarity

Total matches: 29
API ID: UnhandledExceptionFilter
String ID: @$@
API String ID: 324268079-1993891284
Opcode ID: 08651bee2e51f7c203f2bcbc4971cbf38b3c12a2f284cd033f2f36121a1f9316
Instruction ID: 09869fe21a55f28103c5e2f74b220912f521d4c5ca74f0421fb5e508a020f7c0
Opcode Fuzzy Hash: 83E0CD9917D5514BE0755684259671E1051EF05825C4A8F316D173C1FB151A11E4F77C
Instruction Fuzzy Hash: 09869fe21a55f28103c5e2f74b220912f521d4c5ca74f0421fb5e508a020f7c0

APIs

UnhandledExceptionFilter.KERNEL32(00000006), ref: 00405047

Strings

@, xrefs: 00405080
@, xrefs: 004050A2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004319C4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43 Total matches: 10clipboard

Similarity

Total matches: 10
API ID: EnumClipboardFormats
String ID: 84B
API String ID: 3596886676-4139892337
Opcode ID: b1462d8625ddb51b2d31736c791a41412de0acc99cd040f5562c49b894f36a34
Instruction ID: 9fe3e5fa4cb89e8a0f94f97538fc14217740b2e6ec0d3bb9a3290716fcbe2ff9
Opcode Fuzzy Hash: 96D0A79223ECD863E9EC2359145BD47254F08D22554440B315E1B6DA13E520181FF58F
Instruction Fuzzy Hash: 9fe3e5fa4cb89e8a0f94f97538fc14217740b2e6ec0d3bb9a3290716fcbe2ff9

APIs

EnumClipboardFormats.USER32(00000000), ref: 004319E8
EnumClipboardFormats.USER32(00000000), ref: 00431A0E

Strings

84B, xrefs: 004319F6

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E258, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39 Total matches: 3131

Similarity

Total matches: 3131
API ID: GetSystemMetrics
String ID: GetSystemMetrics
API String ID: 96882338-96882338
Opcode ID: bbc54e4b5041dfa08de2230ef90e8f32e1264c6e24ec09b97715d86cc98d23e9
Instruction ID: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c
Opcode Fuzzy Hash: B4D0A941986AA908E0AF511971A336358D163D2EA0C8C8362308B329EB5741B520AB01
Instruction Fuzzy Hash: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c

APIs

GetSystemMetrics.USER32(?), ref: 0042E2BA

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

GetSystemMetrics.USER32(?), ref: 0042E280

Strings

GetSystemMetrics, xrefs: 0042E268

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Process Name: filename.exe Analysis ID: 313125

General

Root Process Name:	regdrv.exe
Process MD5:	71790AE818639A05CAE4A4C3118682CD
Total matches:	128
Initial Analysis Report:	Open
Initial sample Analysis ID:	313125
Initial sample SHA 256:	6C820C44BB9B11BAE3B4B7E27540045557F8C7B089EA11F0874165CB6968D097
Initial sample name:	73WIRE TRANSFER COPY.exe

Similar Executed Functions

Function 00406C2C, Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184 Total matches: 2899registrystringlibrary

Similarity

Total matches: 2899
API ID: lstrcpyn$LoadLibraryExRegOpenKeyEx$RegQueryValueEx$GetLocaleInfoGetModuleFileNameGetThreadLocaleRegCloseKeylstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 3567661987-2375825460
Opcode ID: a3b1251d448c01bd6f1cc1c42774547fa8a2e6c4aa6bafad0bbf1d0ca6416942
Instruction ID: a303aaa8438224c55303324eb01105260f59544aa3820bfcbc018d52edb30607
Opcode Fuzzy Hash: 7311914307969393E8871B6124157D513A5AF01F30E4A7BF275F0206EABE46110CFA06
Instruction Fuzzy Hash: a303aaa8438224c55303324eb01105260f59544aa3820bfcbc018d52edb30607

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,00400000,004917C0), ref: 00406C48
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,004917C0), ref: 00406C66
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,004917C0), ref: 00406C84
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00406CA2

Part of subcall function 00406A68: GetModuleHandleA.KERNEL32(kernel32.dll,?,00400000,004917C0), ref: 00406A85
Part of subcall function 00406A68: GetProcAddress.KERNEL32(?,GetLongPathNameA,kernel32.dll,?,00400000,004917C0), ref: 00406A9C
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,?,00400000,004917C0), ref: 00406ACC
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B30
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B66
Part of subcall function 00406A68: FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B79
Part of subcall function 00406A68: FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B8B
Part of subcall function 00406A68: lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B97
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000), ref: 00406BCB
Part of subcall function 00406A68: lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00406BD7
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 00406BF9

RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,00406D31,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00406CEB
RegQueryValueExA.ADVAPI32(?,00406E98,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00406D31,?,80000001), ref: 00406D09
RegCloseKey.ADVAPI32(?,00406D38,00000000,?,?,00000000,00406D31,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00406D2B
lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00406D48
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00406D55
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00406D5B
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00406D86
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406DCD
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406DDD
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406E05
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406E15
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00406E3B
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 00406E4B

Strings

Software\Borland\Locales, xrefs: 00406C5C, 00406C7A
Software\Borland\Delphi\Locales, xrefs: 00406C98

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00406D38, Relevance: 15.1, APIs: 10, Instructions: 98 Total matches: 2843stringlibrarythread

Similarity

Total matches: 2843
API ID: lstrcpyn$LoadLibraryEx$GetLocaleInfoGetThreadLocalelstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 2476548892-2375825460
Opcode ID: 37afa4b59127376f4a6833a35b99071d0dffa887068a3353cca0b5e1e5cd2bc3
Instruction ID: 0c520f96d45b86b238466289d2a994e593252e78d5c30d2048b7af96496f657b
Opcode Fuzzy Hash: 4CF0C883479793A7E04B1B422916AC853A4AF00F30F577BE1B970147FE7D1B240CA519
Instruction Fuzzy Hash: 0c520f96d45b86b238466289d2a994e593252e78d5c30d2048b7af96496f657b

APIs

lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00406D48
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00406D55
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00406D5B
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00406D86
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406DCD
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406DDD
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406E05
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406E15
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00406E3B
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 00406E4B

Strings

Software\Borland\Locales, xrefs: 00406C5C, 00406C7A
Software\Borland\Delphi\Locales, xrefs: 00406C98

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AEA8, Relevance: 9.1, APIs: 6, Instructions: 108 Total matches: 122

Similarity

Total matches: 122
API ID: AdjustTokenPrivilegesCloseHandleGetCurrentProcessGetLastErrorLookupPrivilegeValueOpenProcessToken
String ID:
API String ID: 1655903152-0
Opcode ID: c92d68a2c1c5faafb4a28c396f292a277a37f0b40326d7f586547878ef495775
Instruction ID: 5a044237aac15a3989e4021d08b96f5326c338692d3d0e66e444868dbe789150
Opcode Fuzzy Hash: 2CF0468513CAB2E7F879B18C3042FE73458B323244C8437219A903A18E0E59A12CEB13
Instruction Fuzzy Hash: 5a044237aac15a3989e4021d08b96f5326c338692d3d0e66e444868dbe789150

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AEFF
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF05
LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000), ref: 0048AF77
CloseHandle.KERNEL32(?), ref: 0048AF8D
GetLastError.KERNEL32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF9A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DDE0, Relevance: 7.6, APIs: 5, Instructions: 54 Total matches: 153

Similarity

Total matches: 153
API ID: FindResourceFreeResourceLoadResourceLockResourceSizeofResource
String ID:
API String ID: 3885362348-0
Opcode ID: ef8b8e58cde3d28224df1e0c57da641ab2d3d01fa82feb3a30011b4f31433ee9
Instruction ID: 9990bafbf40e834a260b48e1f62370990a3e04654371271e90c167a58edff6a8
Opcode Fuzzy Hash: 08D02B420B5FA197F51656482C813D722876B43386EC42BF2D31A3B2E39F058039F60B
Instruction Fuzzy Hash: 9990bafbf40e834a260b48e1f62370990a3e04654371271e90c167a58edff6a8

APIs

FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 0048DE1A
LoadResource.KERNEL32(00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE24
SizeofResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE2E
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE36
FreeResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048B908, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 138 Total matches: 28

Similarity

Total matches: 28
API ID: GetTokenInformation$CloseHandleGetCurrentProcessOpenProcessToken
String ID: Default$Full$Limited$unknow
API String ID: 3519712506-3005279702
Opcode ID: c9e83fe5ef618880897256b557ce500f1bf5ac68e7136ff2dc4328b35d11ffd0
Instruction ID: 0b4c06dab34d27ad9d68d80be0f4d698db9405c4a95def130c1ac261927f5781
Opcode Fuzzy Hash: 94012245479DA6FB6826709C78036E90090EEA3505DC827320F1A3EA430F49906DFE03
Instruction Fuzzy Hash: 0b4c06dab34d27ad9d68d80be0f4d698db9405c4a95def130c1ac261927f5781

APIs

GetCurrentProcess.KERNEL32(00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B93E
OpenProcessToken.ADVAPI32(00000000,00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B944
GetTokenInformation.ADVAPI32(?,00000012(TokenIntegrityLevel),?,00000004,?,00000000,0048BA30,?,00000000,00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B96F
GetTokenInformation.ADVAPI32(?,00000014(TokenIntegrityLevel),?,00000004,?,?,TokenIntegrityLevel,?,00000004,?,00000000,0048BA30,?,00000000,00000008,?), ref: 0048B9DF
CloseHandle.KERNEL32(?), ref: 0048BA2A

Strings

unknow, xrefs: 0048B9B6
Limited, xrefs: 0048B9A7
Default, xrefs: 0048B989
Full, xrefs: 0048B998

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004035C4, Relevance: 15.1, APIs: 10, Instructions: 129 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: d538ecb20819965be69077a828496b76d5af3486dd71f6717b9dc933de35fdbc
Instruction ID: c976212507a0127e09b4f1878ff8970bdbefa7b4a5e526d5fabf74a192684bc9
Opcode Fuzzy Hash: DD012BC0B7E89268E42FAB84AA00FD25444979FFC9E70C74433C9615EE6742616CBE09
Instruction Fuzzy Hash: c976212507a0127e09b4f1878ff8970bdbefa7b4a5e526d5fabf74a192684bc9

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040364C
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00403670
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040368C
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 004036AD
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 004036D6
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 004036E4
GetStdHandle.KERNEL32(000000F5), ref: 0040371F
GetFileType.KERNEL32 ref: 00403735
CloseHandle.KERNEL32 ref: 00403750
GetLastError.KERNEL32(000000F5), ref: 00403768

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040EBCC, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201 Total matches: 3634thread

Similarity

Total matches: 3634
API ID: GetThreadLocale
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 1366207816-2493093252
Opcode ID: 01a36ac411dc2f0c4b9eddfafa1dc6121dabec367388c2cb1b6e664117e908cf
Instruction ID: d03f869ccb848d3c28b0e9f5c57a02ed4726818649ba9b5e70cc30c7e7abe10a
Opcode Fuzzy Hash: 7E216E09A7888936D262494C3885B9414F75F1A161EC4CBF18BB2757ED6EC60422FBFB
Instruction Fuzzy Hash: d03f869ccb848d3c28b0e9f5c57a02ed4726818649ba9b5e70cc30c7e7abe10a

APIs

Part of subcall function 0040EB08: GetThreadLocale.KERNEL32 ref: 0040EB2A
Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000004A), ref: 0040EB7D
Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000002A), ref: 0040EB8C

Part of subcall function 0040D3E8: GetThreadLocale.KERNEL32(00000000,0040D4FB,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040D404

GetThreadLocale.KERNEL32(00000000,0040EE97,?,?,00000000,00000000), ref: 0040EC02

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Part of subcall function 0040D380: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040EC7E,00000000,0040EE97,?,?,00000000,00000000), ref: 0040D393

Part of subcall function 0040D670: GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(?,00000000,0040D657,?,?,00000000), ref: 0040D5D8
Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040D657,?,?,00000000), ref: 0040D608
Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D50C,00000000,00000000,00000004), ref: 0040D613
Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040D657,?,?,00000000), ref: 0040D631
Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D548,00000000,00000000,00000003), ref: 0040D63C

Strings

AMPM , xrefs: 0040EE25
mmmm d, yyyy, xrefs: 0040ECFE
m/d/yy, xrefs: 0040ECD1
:mm, xrefs: 0040EE35
:mm:ss, xrefs: 0040EE52
AMPM, xrefs: 0040EE16

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045F5F8, Relevance: 10.6, APIs: 7, Instructions: 117 Total matches: 462file

Similarity

Total matches: 462
API ID: CloseHandle$CreateFileCreateFileMappingGetFileSizeMapViewOfFileUnmapViewOfFile
String ID:
API String ID: 4232242029-0
Opcode ID: 30b260463d44c6b5450ee73c488d4c98762007a87f67d167b52aaf6bd441c3bf
Instruction ID: 5c790fdba87d6d3a28b45298bdc34f72c373fcd78425af207109af52e92f4d8f
Opcode Fuzzy Hash: 68F028440BCCF3A7F4B5B64820427A1004AAB46B58D54BFA25495374CB89C9B04DFB53
Instruction Fuzzy Hash: 5c790fdba87d6d3a28b45298bdc34f72c373fcd78425af207109af52e92f4d8f

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateFileA.KERNEL32(00000000,80000000,00000003,00000000,00000003,08000080,00000000), ref: 0045F637
CreateFileMappingA.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0045F665
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718,?,?,?,?), ref: 0045F691
GetFileSize.KERNEL32(000000FF,00000000,00000000,0045F6DC,?,00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718), ref: 0045F6B3
UnmapViewOfFile.KERNEL32(00000000,0045F6E3,0045F6DC,?,00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718), ref: 0045F6D6
CloseHandle.KERNEL32(00000000), ref: 0045F6F4
CloseHandle.KERNEL32(000000FF), ref: 0045F712

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AFE8, Relevance: 10.6, APIs: 7, Instructions: 94 Total matches: 34sleep

Similarity

Total matches: 34
API ID: Sleep$GetCurrentProcessGetTokenInformationLookupPrivilegeDisplayNameLookupPrivilegeNameOpenProcessToken
String ID:
API String ID: 2949210484-0
Opcode ID: 1294ace95088db967643d611283e857756515b83d680ef470e886f47612abab4
Instruction ID: 080af5cb768fd98714a9d060fcd45c73de1816ca9ba7ffb4874f351f539571ee
Opcode Fuzzy Hash: F9F0F6524B5DE753F65D2A4C9893BE90250DB03424E806B22857877A8A5E195039FA2A
Instruction Fuzzy Hash: 080af5cb768fd98714a9d060fcd45c73de1816ca9ba7ffb4874f351f539571ee

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048B0F3), ref: 0048B016
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048B0F3), ref: 0048B01C
Sleep.KERNEL32(00000001,00000000,00000028,?,00000000,0048B0F3), ref: 0048B027
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B03C
Sleep.KERNEL32(00000001,?,TokenIntegrityLevel,00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B047
LookupPrivilegeNameA.ADVAPI32(00000000,00000004,00000000,000000FF), ref: 0048B094
LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,?,000000FF,?), ref: 0048B0A8

Part of subcall function 0048AEA8: GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AEFF
Part of subcall function 0048AEA8: OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF05
Part of subcall function 0048AEA8: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
Part of subcall function 0048AEA8: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000), ref: 0048AF77
Part of subcall function 0048AEA8: CloseHandle.KERNEL32(?), ref: 0048AF8D
Part of subcall function 0048AEA8: GetLastError.KERNEL32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF9A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B47C, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58 Total matches: 283

Similarity

Total matches: 283
API ID: MulDiv
String ID: MS Shell Dlg 2$SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes$Tahoma
API String ID: 940359406-1011973972
Opcode ID: 9f338f1e3de2c8e95426f3758bdd42744a67dcd51be80453ed6f2017c850a3af
Instruction ID: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a
Opcode Fuzzy Hash: EDE0680017C8F0ABFC32BC8A30A17CD20C9F341270C0063B1065D3D8CAAB4AC018E907
Instruction Fuzzy Hash: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a

APIs

MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0042B4A2

Part of subcall function 004217A0: RegCloseKey.ADVAPI32(10940000,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5,?,00000000,0048B2DD), ref: 004217B4

Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421A81
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421AF1
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?), ref: 00421B5C

Part of subcall function 00421770: RegFlushKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 00421781
Part of subcall function 00421770: RegCloseKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 0042178A

Part of subcall function 0042B438: GetDC.USER32(00000000), ref: 0042B441
Part of subcall function 0042B438: SelectObject.GDI32(00000000,018A002E), ref: 0042B453
Part of subcall function 0042B438: GetTextMetricsA.GDI32(00000000), ref: 0042B45E
Part of subcall function 0042B438: ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes, xrefs: 0042B4F8
MS Shell Dlg 2, xrefs: 0042B50C
Tahoma, xrefs: 0042B4C4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00421140, Relevance: 6.1, APIs: 4, Instructions: 59 Total matches: 2877registry

Similarity

Total matches: 2877
API ID: GetClassInfoRegisterClassSetWindowLongUnregisterClass
String ID:
API String ID: 1046148194-0
Opcode ID: c2411987b4f71cfd8dbf515c505d6b009a951c89100e7b51cc1a9ad4868d85a2
Instruction ID: ad09bb2cd35af243c34bf0a983bbfa5e937b059beb8f7eacfcf21e0321a204f6
Opcode Fuzzy Hash: 17E026123D08D3D6E68B3107302B30D00AC1B2F524D94E725428030310CB24B034D942
Instruction Fuzzy Hash: ad09bb2cd35af243c34bf0a983bbfa5e937b059beb8f7eacfcf21e0321a204f6

APIs

GetClassInfoA.USER32(00400000,00421130,?), ref: 00421161
UnregisterClassA.USER32(00421130,00400000), ref: 0042118A
RegisterClassA.USER32(00491B50), ref: 00421194

Part of subcall function 0040857C: CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004085BB

Part of subcall function 00421084: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 004210A2

SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 004211DF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048CF38, Relevance: 4.5, APIs: 3, Instructions: 43 Total matches: 31

Similarity

Total matches: 31
API ID: GetForegroundWindowGetWindowTextGetWindowTextLength
String ID:
API String ID: 3098183346-0
Opcode ID: 209e0569b9b6198440fd91fa0607dca7769e34364d6ddda49eba559da13bc80b
Instruction ID: 91d0bfb2ef12b00d399625e8c88d0df52cd9c99a94677dcfff05ce23f9c63a23
Opcode Fuzzy Hash: 06D0A785074B861BA40A96CC64011E692906161142D8077318725BA5C9AD06001FA85B
Instruction Fuzzy Hash: 91d0bfb2ef12b00d399625e8c88d0df52cd9c99a94677dcfff05ce23f9c63a23

APIs

GetForegroundWindow.USER32 ref: 0048CF57
GetWindowTextLengthA.USER32(00000000), ref: 0048CF63
GetWindowTextA.USER32(00000000,00000000,00000001), ref: 0048CF80

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482028, Relevance: 4.5, APIs: 3, Instructions: 19 Total matches: 124window

Similarity

Total matches: 124
API ID: DispatchMessageGetMessageTranslateMessage
String ID:
API String ID: 238847732-0
Opcode ID: 2bc29e822e5a19ca43f9056ef731e5d255ca23f22894fa6ffe39914f176e67d0
Instruction ID: 3635f244085e73605198e4edd337f824154064b4cabe78c039b45d2f1f3269be
Opcode Fuzzy Hash: A9B0120F8141E01F254D19651413380B5D379C3120E515B604E2340284D19031C97C49
Instruction Fuzzy Hash: 3635f244085e73605198e4edd337f824154064b4cabe78c039b45d2f1f3269be

APIs

Part of subcall function 00481ED8: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00482007,?,?,00000003,00000000,00000000,?,00482033), ref: 00481EFB
Part of subcall function 00481ED8: SetWindowsHookExA.USER32(0000000D,004818F8,00000000,00000000), ref: 00481F09

TranslateMessage.USER32 ref: 00482036
DispatchMessageA.USER32 ref: 0048203C
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00482048

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048CFB4, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58 Total matches: 8

Similarity

Total matches: 8
API ID: capGetDriverDescription
String ID: -
API String ID: 908034968-3695764949
Opcode ID: 539b46e002ba2863d7d2c04a7b077dd225392ffb50804089dcc6361416e5df4e
Instruction ID: 038fcc9a5db2c7f42583a832665ba5c588812794c244530825cfc74b69c29f65
Opcode Fuzzy Hash: 2EE0228213B0DAF7E5A00FA03864F5C0B640F02AB8F8C9FA2A278651EE2C14404CE24F
Instruction Fuzzy Hash: 038fcc9a5db2c7f42583a832665ba5c588812794c244530825cfc74b69c29f65

APIs

capGetDriverDescriptionA.AVICAP32(00000000,?,00000105,?,00000105,00000000,0048D07B), ref: 0048CFF9

Strings

- , xrefs: 0048D026

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Similar Non-Executed Functions

Function 0048B42C, Relevance: 70.2, APIs: 32, Strings: 8, Instructions: 219 Total matches: 29keyboard

Similarity

Total matches: 29
API ID: keybd_event
String ID: CTRLA$CTRLC$CTRLF$CTRLP$CTRLV$CTRLX$CTRLY$CTRLZ
API String ID: 2665452162-853614746
Opcode ID: 4def22f753c7f563c1d721fcc218f3f6eb664e5370ee48361dbc989d32d74133
Instruction ID: 963b610819eac8b52ef880b5a8b69d76f76adbdeafee6c47af906d1515d6b099
Opcode Fuzzy Hash: 532196951B0CA2B978DA64817C0E195F00B969B34DEDC13128990DAF788EF08DE03F35
Instruction Fuzzy Hash: 963b610819eac8b52ef880b5a8b69d76f76adbdeafee6c47af906d1515d6b099

APIs

keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B460
keybd_event.USER32(00000041,00000045,00000001,00000000), ref: 0048B46D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B47A
keybd_event.USER32(00000041,00000045,00000003,00000000), ref: 0048B487
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B4A8
keybd_event.USER32(00000056,00000045,00000001,00000000), ref: 0048B4B5
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B4C2
keybd_event.USER32(00000056,00000045,00000003,00000000), ref: 0048B4CF
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B4F0
keybd_event.USER32(00000043,00000045,00000001,00000000), ref: 0048B4FD
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B50A
keybd_event.USER32(00000043,00000045,00000003,00000000), ref: 0048B517
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B538
keybd_event.USER32(00000058,00000045,00000001,00000000), ref: 0048B545
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B552
keybd_event.USER32(00000058,00000045,00000003,00000000), ref: 0048B55F
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B580
keybd_event.USER32(00000050,00000045,00000001,00000000), ref: 0048B58D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B59A
keybd_event.USER32(00000050,00000045,00000003,00000000), ref: 0048B5A7
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B5C8
keybd_event.USER32(0000005A,00000045,00000001,00000000), ref: 0048B5D5
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B5E2
keybd_event.USER32(0000005A,00000045,00000003,00000000), ref: 0048B5EF
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B610
keybd_event.USER32(00000059,00000045,00000001,00000000), ref: 0048B61D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B62A
keybd_event.USER32(00000059,00000045,00000003,00000000), ref: 0048B637
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B655
keybd_event.USER32(00000046,00000045,00000001,00000000), ref: 0048B662
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B66F
keybd_event.USER32(00000046,00000045,00000003,00000000), ref: 0048B67C

Strings

CTRLP, xrefs: 0048B56C
CTRLC, xrefs: 0048B4DC
CTRLV, xrefs: 0048B494
CTRLY, xrefs: 0048B5FC
CTRLF, xrefs: 0048B641
CTRLZ, xrefs: 0048B5B4
CTRLX, xrefs: 0048B524
CTRLA, xrefs: 0048B44C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00460AC0, Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99 Total matches: 300libraryloader

Similarity

Total matches: 300
API ID: GetProcAddress$GetModuleHandle
String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$[FILE]
API String ID: 1039376941-2682310058
Opcode ID: f09c306a48b0de2dd47c8210d3bd2ba449cfa3644c05cf78ba5a2ace6c780295
Instruction ID: bcfc9cd07546656776842482fc67dab96c7523a4dc8624f3bf5282ed84c56a54
Opcode Fuzzy Hash: 950151BF00AC158CCBB0CE8834EFB5324AB398984C4225F4495C6312393D9FF50A1AAA
Instruction Fuzzy Hash: bcfc9cd07546656776842482fc67dab96c7523a4dc8624f3bf5282ed84c56a54

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?,?,?), ref: 00460AD4
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?,?,?), ref: 00460AEC
GetProcAddress.KERNEL32(00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?), ref: 00460AFE
GetProcAddress.KERNEL32(00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E), ref: 00460B10
GetProcAddress.KERNEL32(00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5), ref: 00460B22
GetProcAddress.KERNEL32(00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5), ref: 00460B34
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000), ref: 00460B46
GetProcAddress.KERNEL32(00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002), ref: 00460B58
GetProcAddress.KERNEL32(00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot), ref: 00460B6A
GetProcAddress.KERNEL32(00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst), ref: 00460B7C
GetProcAddress.KERNEL32(00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext), ref: 00460B8E
GetProcAddress.KERNEL32(00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First), ref: 00460BA0
GetProcAddress.KERNEL32(00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next), ref: 00460BB2
GetProcAddress.KERNEL32(00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory), ref: 00460BC4
GetProcAddress.KERNEL32(00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First), ref: 00460BD6
GetProcAddress.KERNEL32(00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next), ref: 00460BE8
GetProcAddress.KERNEL32(00000000,Module32NextW,00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW), ref: 00460BFA

Strings

Toolhelp32ReadProcessMemory, xrefs: 00460B3E
CreateToolhelp32Snapshot, xrefs: 00460AE4
Heap32First, xrefs: 00460B1A
Thread32First, xrefs: 00460B98
Module32First, xrefs: 00460BBC
Process32FirstW, xrefs: 00460B74
Heap32Next, xrefs: 00460B2C
Process32First, xrefs: 00460B50
Module32Next, xrefs: 00460BCE
Module32NextW, xrefs: 00460BF2
Heap32ListFirst, xrefs: 00460AF6
Thread32Next, xrefs: 00460BAA
Module32FirstW, xrefs: 00460BE0
Heap32ListNext, xrefs: 00460B08
Process32NextW, xrefs: 00460B86
kernel32.dll, xrefs: 00460ACF
Process32Next, xrefs: 00460B62

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428B08, Relevance: 48.5, APIs: 32, Instructions: 500 Total matches: 1987window

Similarity

Total matches: 1987
API ID: SelectObject$SelectPalette$CreateCompatibleDCGetDIBitsGetDeviceCapsRealizePaletteSetBkColorSetTextColor$BitBltCreateBitmapCreateCompatibleBitmapCreateDIBSectionDeleteDCFillRectGetDCGetDIBColorTableGetObjectPatBltSetDIBColorTable
String ID:
API String ID: 3042800676-0
Opcode ID: b8b687cee1c9a2d9d2f26bc490dbdcc6ec68fc2f2ec1aa58312beb2e349b1411
Instruction ID: ff68489d249ea03a763d48795c58495ac11dd1cccf96ec934182865f2a9e2114
Opcode Fuzzy Hash: E051494D0D8CF5C7B4BF29880993F5211816F83A27D2AB7130975677FB8A05A05BF21D
Instruction Fuzzy Hash: ff68489d249ea03a763d48795c58495ac11dd1cccf96ec934182865f2a9e2114

APIs

GetObjectA.GDI32(00000000,00000054,?), ref: 00428B88
GetDC.USER32(00000000), ref: 00428B99
CreateCompatibleDC.GDI32(00000000), ref: 00428BAA
CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 00428BF6
CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 00428C1A
GetDeviceCaps.GDI32(00000028,0000000C), ref: 00428C6A
GetDeviceCaps.GDI32(00000028,0000000E), ref: 00428C77
SelectObject.GDI32(?,?), ref: 00428D7F

Part of subcall function 004262B4: GetObjectA.GDI32(?,00000004), ref: 004262CB
Part of subcall function 004262B4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 004262EE

SelectObject.GDI32(?,00000000), ref: 00428D21
GetDIBColorTable.GDI32(?,00000000,00000100,-00000027), ref: 00428D47
GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428D72
CreateDIBSection.GDI32(00000028,00000001,00000000,00000003,00000000,00000000), ref: 00428DD5
GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428E36

Part of subcall function 00425A70: GetLastError.KERNEL32(00000000,00425B0C), ref: 00425A90
Part of subcall function 00425A70: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00425B0C), ref: 00425AB6

SelectObject.GDI32(?,?), ref: 00428E77
SelectPalette.GDI32(?,00000000,00000000), ref: 00428EB7
RealizePalette.GDI32(?), ref: 00428EC3
SelectPalette.GDI32(?,?,000000FF), ref: 004290CE

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?,00000000), ref: 00428F14
SetTextColor.GDI32(?,00000000), ref: 00428F2C
SetBkColor.GDI32(?,00000000), ref: 00428F46
SetDIBColorTable.GDI32(?,00000000,00000002,?), ref: 00428F8E
PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 00428FB0
CreateCompatibleDC.GDI32(00000028), ref: 00428FC3
SelectObject.GDI32(?,00000000), ref: 00428FE6
SelectPalette.GDI32(?,00000000,00000000), ref: 00429002
RealizePalette.GDI32(?), ref: 0042900D
DeleteDC.GDI32(?), ref: 004290A4

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetTextColor.GDI32(?,00000000), ref: 0042902B
SetBkColor.GDI32(?,00000000), ref: 00429045
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042906D
SelectPalette.GDI32(?,00000000,000000FF), ref: 0042907F
SelectObject.GDI32(?,00000000), ref: 00429089

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00406A68, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 139 Total matches: 2934stringlibraryfile

Similarity

Total matches: 2934
API ID: lstrcpyn$lstrlen$FindCloseFindFirstFileGetModuleHandleGetProcAddress
String ID: GetLongPathNameA$\$[FILE]
API String ID: 3661757112-3025972186
Opcode ID: 09af6d4fb3ce890a591f7b23fb756db22e1cbc03564fc0e4437be3767da6793e
Instruction ID: b14d932b19fc4064518abdddbac2846d3fd2a245794c3c1ecc53a3c556f9407d
Opcode Fuzzy Hash: 5A0148030E08E387E1775B017586F4A12A1EF41C38E98A36025F15BAC94E00300CF12F
Instruction Fuzzy Hash: b14d932b19fc4064518abdddbac2846d3fd2a245794c3c1ecc53a3c556f9407d

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,00400000,004917C0), ref: 00406A85
GetProcAddress.KERNEL32(?,GetLongPathNameA,kernel32.dll,?,00400000,004917C0), ref: 00406A9C
lstrcpynA.KERNEL32(?,?,?,?,00400000,004917C0), ref: 00406ACC
lstrcpynA.KERNEL32(?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B30

Part of subcall function 00406A48: CharNextA.USER32(?), ref: 00406A4F

lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B66
FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B79
FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B8B
lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B97
lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000), ref: 00406BCB
lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00406BD7
lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 00406BF9

Strings

GetLongPathNameA, xrefs: 00406A93
\, xrefs: 00406BA9
kernel32.dll, xrefs: 00406A80

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00458910, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64 Total matches: 3020window

Similarity

Total matches: 3020
API ID: GetWindowLongScreenToClient$GetWindowPlacementGetWindowRectIsIconic
String ID: ,
API String ID: 816554555-3772416878
Opcode ID: 33713ad712eb987f005f3c933c072ce84ce87073303cb20338137d5b66c4d54f
Instruction ID: 99fb2dd3f2d8984d329dcc6a20dc6bc7800d43894b91fc45d581d88d3a180e50
Opcode Fuzzy Hash: 34E0929A777C2018C58145A80943F5DB3519B5B7FAC55DF8036902895B110018B1B86D
Instruction Fuzzy Hash: 99fb2dd3f2d8984d329dcc6a20dc6bc7800d43894b91fc45d581d88d3a180e50

APIs

IsIconic.USER32(?), ref: 0045891F
GetWindowPlacement.USER32(?,0000002C), ref: 0045893C
GetWindowRect.USER32(?), ref: 00458955
GetWindowLongA.USER32(?,000000F0), ref: 00458963
GetWindowLongA.USER32(?,000000F8), ref: 00458978
ScreenToClient.USER32(00000000), ref: 00458985
ScreenToClient.USER32(00000000,?), ref: 00458990

Strings

,, xrefs: 00458928

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043B7D8, Relevance: 12.1, APIs: 8, Instructions: 72 Total matches: 256window

Similarity

Total matches: 256
API ID: ShowWindow$SetWindowLong$GetWindowLongIsIconicIsWindowVisible
String ID:
API String ID: 1329766111-0
Opcode ID: 851ee31c2da1c7e890e66181f8fd9237c67ccb8fd941b2d55d1428457ca3ad95
Instruction ID: 2d601e2c9dde570a1438639cb57e59d23a7ac9434ebe8ec1c9926e4533b8e8e7
Opcode Fuzzy Hash: FEE0684A6E7C6CE4E26AE7048881B00514BE307A17DC00B00C722165A69E8830E4AC8E
Instruction Fuzzy Hash: 2d601e2c9dde570a1438639cb57e59d23a7ac9434ebe8ec1c9926e4533b8e8e7

APIs

GetWindowLongA.USER32(?,000000EC), ref: 0043B7E8
IsIconic.USER32(?), ref: 0043B800
IsWindowVisible.USER32(?), ref: 0043B80C
ShowWindow.USER32(?,00000000), ref: 0043B840
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B855
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B866
ShowWindow.USER32(?,00000006), ref: 0043B881
ShowWindow.USER32(?,00000005), ref: 0043B88B

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004389B4, Relevance: 10.9, APIs: 7, Instructions: 405 Total matches: 2150windowCrypto

Similarity

Total matches: 2150
API ID: RestoreDCSaveDC$DefWindowProcGetSubMenuGetWindowDC
String ID:
API String ID: 4165311318-0
Opcode ID: e3974ea3235f2bde98e421c273a503296059dbd60f3116d5136c6e7e7c4a4110
Instruction ID: 37498faecac08611daeb58a409bdd2e28f3aff22c71556953c3d6c7203dc42a1
Opcode Fuzzy Hash: E351598106AE105BFCB3A49435C3FA31002E75259BCC9F7725F65B69F70A426107FA0E
Instruction Fuzzy Hash: 37498faecac08611daeb58a409bdd2e28f3aff22c71556953c3d6c7203dc42a1

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 00438ECA

Part of subcall function 00437AE0: SendMessageA.USER32(?,00000234,00000000,00000000), ref: 00437B66
Part of subcall function 00437AE0: DrawMenuBar.USER32(00000000), ref: 00437B77

GetSubMenu.USER32(?,?), ref: 00438AB0

Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128

SaveDC.GDI32(?), ref: 00438C84
RestoreDC.GDI32(?,?), ref: 00438CF8
GetWindowDC.USER32(?), ref: 00438D72
SaveDC.GDI32(?), ref: 00438DA9
RestoreDC.GDI32(?,?), ref: 00438E16

Part of subcall function 00438594: GetMenuItemCount.USER32(?), ref: 004385C0
Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 004385E0
Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 00438678

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043E644, Relevance: 10.9, APIs: 7, Instructions: 356 Total matches: 105windowCrypto

Similarity

Total matches: 105
API ID: RestoreDCSaveDC$GetParentGetWindowDCSetFocus
String ID:
API String ID: 1433148327-0
Opcode ID: c7c51054c34f8cc51c1d37cc0cdfc3fb3cac56433bd5d750a0ee7df42f9800ec
Instruction ID: 9e67841575b56d9a11e2d3f15b67e7abce699d8469a9871b1b2609441fc85f19
Opcode Fuzzy Hash: 60514740199E7193F47720842BC3BEAB09AF79671DC40F3616BC6318877F15A21AB70B
Instruction Fuzzy Hash: 9e67841575b56d9a11e2d3f15b67e7abce699d8469a9871b1b2609441fc85f19

APIs

Part of subcall function 00448224: SetActiveWindow.USER32(?), ref: 0044823F
Part of subcall function 00448224: SetFocus.USER32(00000000), ref: 00448289

SetFocus.USER32(00000000), ref: 0043E76F

Part of subcall function 0043F4F4: SendMessageA.USER32(00000000,00000229,00000000,00000000), ref: 0043F51B

Part of subcall function 0044D2F4: GetWindowThreadProcessId.USER32(?), ref: 0044D301
Part of subcall function 0044D2F4: GetCurrentProcessId.KERNEL32(?,00000000,?,004387ED,?,004378A9), ref: 0044D30A
Part of subcall function 0044D2F4: GlobalFindAtomA.KERNEL32(00000000), ref: 0044D31F
Part of subcall function 0044D2F4: GetPropA.USER32(?,00000000), ref: 0044D336

GetParent.USER32(?), ref: 0043E78A

Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128

SaveDC.GDI32(?), ref: 0043E92D
RestoreDC.GDI32(?,?), ref: 0043E99E
GetWindowDC.USER32(00000000), ref: 0043EA0A
SaveDC.GDI32(?), ref: 0043EA41
RestoreDC.GDI32(?,?), ref: 0043EAA5

Part of subcall function 00447EF0: InvalidateRect.USER32(00000000,00000000,000000FF), ref: 00447F83
Part of subcall function 00447EF0: InvalidateRect.USER32(00000000,00000000,000000FF), ref: 00447FB6

Part of subcall function 004556F4: SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000077), ref: 004557E5
Part of subcall function 004556F4: _TrackMouseEvent.COMCTL32(00000010), ref: 00455A9D
Part of subcall function 004556F4: DefWindowProcA.USER32(00000000,?,?,?), ref: 00455AEF
Part of subcall function 004556F4: GetCapture.USER32 ref: 00455B5A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00471850, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 97 Total matches: 34service

Similarity

Total matches: 34
API ID: CloseServiceHandle$CreateServiceOpenSCManager
String ID: Description$System\CurrentControlSet\Services\
API String ID: 2405299899-3489731058
Opcode ID: 96e252074fe1f6aca618bd4c8be8348df4b99afc93868a54bf7090803d280f0a
Instruction ID: 14b9cf690ce9596509c6229b802a5a61d158de39c8e329de654368bbb4824ff8
Opcode Fuzzy Hash: 7EF09E441FA6E84FA45EB84828533D651465713A78D4C77F19778379C34E84802EF662
Instruction Fuzzy Hash: 14b9cf690ce9596509c6229b802a5a61d158de39c8e329de654368bbb4824ff8

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,00471976,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00471890
CreateServiceA.ADVAPI32(00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,0047193B), ref: 004718D1

Part of subcall function 004711E8: RegCreateKeyA.ADVAPI32(?,00000000,?), ref: 0047122E
Part of subcall function 004711E8: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000002,00000000,?,00000000,00471291), ref: 0047125A
Part of subcall function 004711E8: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000002,00000000,?,00000000,00471291), ref: 00471269

CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00471926
CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0047192C

Strings

Description, xrefs: 00471916
System\CurrentControlSet\Services\, xrefs: 004718F7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004714B8, Relevance: 10.6, APIs: 7, Instructions: 89 Total matches: 71service

Similarity

Total matches: 71
API ID: CloseServiceHandle$ControlServiceOpenSCManagerOpenServiceQueryServiceStatusStartService
String ID:
API String ID: 3657116338-0
Opcode ID: 1e9d444eec48d0e419340f6fec950ff588b94c8e7592a950f99d2ba7664d31f8
Instruction ID: f731b938185626ba78ad74946a73eac4c40bc8709c87a2b6d5c22da45b1e1850
Opcode Fuzzy Hash: EDF0270D12C6E85FF119A88C1181B67D992DF56795E4A37E04715744CB1AE21008FA1E
Instruction Fuzzy Hash: f731b938185626ba78ad74946a73eac4c40bc8709c87a2b6d5c22da45b1e1850

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047159E), ref: 004714FD
OpenServiceA.ADVAPI32(00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047152D
StartServiceA.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471555
ControlService.ADVAPI32(00000000,00000001,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471563
QueryServiceStatus.ADVAPI32(00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047156D
CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471573
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471579

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A070, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51 Total matches: 81shutdown

Similarity

Total matches: 81
API ID: AdjustTokenPrivilegesExitWindowsExGetCurrentProcessLookupPrivilegeValueOpenProcessToken
String ID: SeShutdownPrivilege
API String ID: 907618230-3733053543
Opcode ID: 6325c351eeb4cc5a7ec0039467aea46e8b54e3429b17674810d590d1af91e24f
Instruction ID: 66577e1e564058a64f67eda116e8e082f314cb3670dbe1b8773e92ba7f33d392
Opcode Fuzzy Hash: 84D0124D3B7976B1F31D5D4001C47A6711FDBA322AD61670069507725A8DA091F4BE88
Instruction Fuzzy Hash: 66577e1e564058a64f67eda116e8e082f314cb3670dbe1b8773e92ba7f33d392

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 0048A083
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0048A089
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000000), ref: 0048A0A4
AdjustTokenPrivileges.ADVAPI32(00000002,00000000,00000002,00000010,?,?,00000000), ref: 0048A0E5
ExitWindowsEx.USER32(00000012,00000000), ref: 0048A0ED

Strings

SeShutdownPrivilege, xrefs: 0048A09D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004715B0, Relevance: 7.5, APIs: 5, Instructions: 49 Total matches: 102service

Similarity

Total matches: 102
API ID: CloseServiceHandle$DeleteServiceOpenSCManagerOpenService
String ID:
API String ID: 3460840894-0
Opcode ID: edfa3289dfdb26ec1f91a4a945de349b204e0a604ed3354c303b362bde8b8223
Instruction ID: 514bcffe4070602af344c66095507f6a8d55ec3e3e7bb18c804bf3b7deea95f5
Opcode Fuzzy Hash: 01D02E841BA8F82FD4879988111239360C1AA23A90D8A37F08E08361D3ABE4004CF86A
Instruction Fuzzy Hash: 514bcffe4070602af344c66095507f6a8d55ec3e3e7bb18c804bf3b7deea95f5

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047162F), ref: 004715DB
OpenServiceA.ADVAPI32(00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 004715F5
DeleteService.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471601
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 0047160E
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471614

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A218, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45 Total matches: 35

Similarity

Total matches: 35
API ID: ShellExecuteEx
String ID: <$runas
API String ID: 188261505-1187129395
Opcode ID: 78fd917f465efea932f782085a819b786d64ecbded851ad2becd4a9c2b295cba
Instruction ID: 699417cfffd9d2823bf050fc300394e0ca4864bf277244f982f3937778f2d3bc
Opcode Fuzzy Hash: 44D0C2651799A06BC4A3B2C03C41B2B25307B13B48C0EB722960034CD38F080009EF85
Instruction Fuzzy Hash: 699417cfffd9d2823bf050fc300394e0ca4864bf277244f982f3937778f2d3bc

APIs

ShellExecuteExA.SHELL32(0000003C,00000000,0048A2A4), ref: 0048A283

Strings

runas, xrefs: 0048A268
<, xrefs: 0048A24C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042F204, Relevance: 166.5, APIs: 48, Strings: 47, Instructions: 266 Total matches: 2590libraryloader

Similarity

Total matches: 2590
API ID: GetProcAddress$LoadLibrary
String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$[FILE]
API String ID: 2209490600-790253602
Opcode ID: d5b316937265a1d63c550ac9e6780b23ae603b9b00a4eb52bbd2495b45327185
Instruction ID: cdd6db89471e363eb0c024dafd59dce8bdfa3de864d9ed8bc405e7c292d3cab1
Opcode Fuzzy Hash: 3A41197F44EC1149F6A0DA0830FF64324E669EAF2C0325F101587303717ADBF52A6AB9
Instruction Fuzzy Hash: cdd6db89471e363eb0c024dafd59dce8bdfa3de864d9ed8bc405e7c292d3cab1

APIs

LoadLibraryA.KERNEL32(uxtheme.dll), ref: 0042F23A
GetProcAddress.KERNEL32(00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F252
GetProcAddress.KERNEL32(00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F264
GetProcAddress.KERNEL32(00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F276
GetProcAddress.KERNEL32(00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F288
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F29A
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F2AC
GetProcAddress.KERNEL32(00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000), ref: 0042F2BE
GetProcAddress.KERNEL32(00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData), ref: 0042F2D0
GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData), ref: 0042F2E2
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground), ref: 0042F2F4
GetProcAddress.KERNEL32(00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText), ref: 0042F306
GetProcAddress.KERNEL32(00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect), ref: 0042F318
GetProcAddress.KERNEL32(00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect), ref: 0042F32A
GetProcAddress.KERNEL32(00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize), ref: 0042F33C
GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent), ref: 0042F34E
GetProcAddress.KERNEL32(00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics), ref: 0042F360
GetProcAddress.KERNEL32(00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion), ref: 0042F372
GetProcAddress.KERNEL32(00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground), ref: 0042F384
GetProcAddress.KERNEL32(00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge), ref: 0042F396
GetProcAddress.KERNEL32(00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon), ref: 0042F3A8
GetProcAddress.KERNEL32(00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined), ref: 0042F3BA
GetProcAddress.KERNEL32(00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent), ref: 0042F3CC
GetProcAddress.KERNEL32(00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor), ref: 0042F3DE
GetProcAddress.KERNEL32(00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric), ref: 0042F3F0
GetProcAddress.KERNEL32(00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString), ref: 0042F402
GetProcAddress.KERNEL32(00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool), ref: 0042F414
GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt), ref: 0042F426
GetProcAddress.KERNEL32(00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue), ref: 0042F438
GetProcAddress.KERNEL32(00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition), ref: 0042F44A
GetProcAddress.KERNEL32(00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont), ref: 0042F45C
GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect), ref: 0042F46E
GetProcAddress.KERNEL32(00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins), ref: 0042F480
GetProcAddress.KERNEL32(00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList), ref: 0042F492
GetProcAddress.KERNEL32(00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin), ref: 0042F4A4
GetProcAddress.KERNEL32(00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme), ref: 0042F4B6
GetProcAddress.KERNEL32(00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename), ref: 0042F4C8
GetProcAddress.KERNEL32(00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor), ref: 0042F4DA
GetProcAddress.KERNEL32(00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush), ref: 0042F4EC
GetProcAddress.KERNEL32(00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool), ref: 0042F4FE
GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize), ref: 0042F510
GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont), ref: 0042F522
GetProcAddress.KERNEL32(00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString), ref: 0042F534
GetProcAddress.KERNEL32(00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt), ref: 0042F546
GetProcAddress.KERNEL32(00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive), ref: 0042F558
GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed), ref: 0042F56A
GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground,00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme), ref: 0042F57C
GetProcAddress.KERNEL32(00000000,EnableTheming,00000000,DrawThemeParentBackground,00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture), ref: 0042F58E

Strings

EnableTheming, xrefs: 0042F586
CloseThemeData, xrefs: 0042F25C
DrawThemeText, xrefs: 0042F280
GetThemePosition, xrefs: 0042F3C4
IsThemeBackgroundPartiallyTransparent, xrefs: 0042F346
GetThemeBool, xrefs: 0042F38E
GetThemeTextMetrics, xrefs: 0042F2DA
IsThemeDialogTextureEnabled, xrefs: 0042F51A
GetThemeMetric, xrefs: 0042F36A
GetThemeSysInt, xrefs: 0042F4C0
GetThemeInt, xrefs: 0042F3A0
SetThemeAppProperties, xrefs: 0042F53E
IsAppThemed, xrefs: 0042F4E4
EnableThemeDialogTexture, xrefs: 0042F508
GetThemeEnumValue, xrefs: 0042F3B2
GetThemeSysSize, xrefs: 0042F48A
GetThemeTextExtent, xrefs: 0042F2C8
DrawThemeBackground, xrefs: 0042F26E
GetThemeBackgroundRegion, xrefs: 0042F2EC
IsThemeActive, xrefs: 0042F4D2
GetThemeBackgroundContentRect, xrefs: 0042F292, 0042F2A4
uxtheme.dll, xrefs: 0042F235
GetThemeSysString, xrefs: 0042F4AE
DrawThemeEdge, xrefs: 0042F310
GetThemeFilename, xrefs: 0042F442
GetThemeIntList, xrefs: 0042F40C
GetThemeSysBool, xrefs: 0042F478
GetThemeSysColor, xrefs: 0042F454
GetThemeFont, xrefs: 0042F3D6
GetWindowTheme, xrefs: 0042F4F6
GetThemeMargins, xrefs: 0042F3FA
GetThemeSysColorBrush, xrefs: 0042F466
GetCurrentThemeName, xrefs: 0042F550
GetThemeAppProperties, xrefs: 0042F52C
GetThemePropertyOrigin, xrefs: 0042F41E
OpenThemeData, xrefs: 0042F24A
GetThemeSysFont, xrefs: 0042F49C
GetThemeRect, xrefs: 0042F3E8
GetThemeDocumentationProperty, xrefs: 0042F562
IsThemePartDefined, xrefs: 0042F334
SetWindowTheme, xrefs: 0042F430
GetThemePartSize, xrefs: 0042F2B6
GetThemeColor, xrefs: 0042F358
DrawThemeParentBackground, xrefs: 0042F574
DrawThemeIcon, xrefs: 0042F322
GetThemeString, xrefs: 0042F37C
HitTestThemeBackground, xrefs: 0042F2FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00460DDC, Relevance: 75.4, APIs: 24, Strings: 19, Instructions: 132 Total matches: 77libraryloader

Similarity

Total matches: 77
API ID: GetProcAddress$LoadLibrary
String ID: EmptyWorkingSet$EnumDeviceDrivers$EnumProcessModules$EnumProcesses$GetDeviceDriverBaseNameA$GetDeviceDriverBaseNameW$GetDeviceDriverFileNameA$GetDeviceDriverFileNameW$GetMappedFileNameA$GetMappedFileNameW$GetModuleBaseNameA$GetModuleBaseNameW$GetModuleFileNameExA$GetModuleFileNameExW$GetModuleInformation$GetProcessMemoryInfo$InitializeProcessForWsWatch$[FILE]$QueryWorkingSet
API String ID: 2209490600-4166134900
Opcode ID: aaefed414f62a40513f9ac2234ba9091026a29d00b8defe743cdf411cc1f958a
Instruction ID: 585c55804eb58d57426aaf25b5bf4c27b161b10454f9e43d23d5139f544de849
Opcode Fuzzy Hash: CC1125BF55AD1149CBA48A6C34EF70324D3399A90D4228F10A492317397DDFE49A1FB5
Instruction Fuzzy Hash: 585c55804eb58d57426aaf25b5bf4c27b161b10454f9e43d23d5139f544de849

APIs

LoadLibraryA.KERNEL32(PSAPI.dll), ref: 00460DF0
GetProcAddress.KERNEL32(00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E0C
GetProcAddress.KERNEL32(00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E1E
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E30
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E42
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E54
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E66
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll), ref: 00460E78
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses), ref: 00460E8A
GetProcAddress.KERNEL32(00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules), ref: 00460E9C
GetProcAddress.KERNEL32(00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA), ref: 00460EAE
GetProcAddress.KERNEL32(00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA), ref: 00460EC0
GetProcAddress.KERNEL32(00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA), ref: 00460ED2
GetProcAddress.KERNEL32(00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA), ref: 00460EE4
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW), ref: 00460EF6
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW), ref: 00460F08
GetProcAddress.KERNEL32(00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation), ref: 00460F1A
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet), ref: 00460F2C
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet), ref: 00460F3E
GetProcAddress.KERNEL32(00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch), ref: 00460F50
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA), ref: 00460F62
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA), ref: 00460F74
GetProcAddress.KERNEL32(00000000,EnumDeviceDrivers,00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA), ref: 00460F86
GetProcAddress.KERNEL32(00000000,GetProcessMemoryInfo,00000000,EnumDeviceDrivers,00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA), ref: 00460F98

Strings

GetDeviceDriverFileNameA, xrefs: 00460F00, 00460F36
GetModuleInformation, xrefs: 00460E94
QueryWorkingSet, xrefs: 00460EB8
EnumProcessModules, xrefs: 00460E16
InitializeProcessForWsWatch, xrefs: 00460ECA
GetMappedFileNameA, xrefs: 00460EDC, 00460F12
GetDeviceDriverFileNameW, xrefs: 00460F6C
GetDeviceDriverBaseNameA, xrefs: 00460EEE, 00460F24
PSAPI.dll, xrefs: 00460DEB
EnumProcesses, xrefs: 00460E04
EnumDeviceDrivers, xrefs: 00460F7E
GetModuleBaseNameA, xrefs: 00460E28, 00460E4C
GetModuleFileNameExA, xrefs: 00460E3A, 00460E5E
GetDeviceDriverBaseNameW, xrefs: 00460F5A
EmptyWorkingSet, xrefs: 00460EA6
GetModuleFileNameExW, xrefs: 00460E82
GetModuleBaseNameW, xrefs: 00460E70
GetMappedFileNameW, xrefs: 00460F48
GetProcessMemoryInfo, xrefs: 00460F90

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045D6E8, Relevance: 49.1, APIs: 15, Strings: 13, Instructions: 95 Total matches: 1532libraryloader

Similarity

Total matches: 1532
API ID: GetProcAddress$SetErrorMode$GetModuleHandleLoadLibrary
String ID: ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME$[FILE]
API String ID: 4285671783-683095915
Opcode ID: 6332f91712b4189a2fbf9eac54066364acf4b46419cf90587b9f7381acad85db
Instruction ID: 372e34bc737a7edc69a1909bd40661afaf820c1de602df88552da6e630419b72
Opcode Fuzzy Hash: 0A01257F24D863CBD2D0CE4934DB39D20B65787C0C8D6DF404605318697F9BF9295A68
Instruction Fuzzy Hash: 372e34bc737a7edc69a1909bd40661afaf820c1de602df88552da6e630419b72

APIs

SetErrorMode.KERNEL32(00008000), ref: 0045D701
GetModuleHandleA.KERNEL32(USER32,00000000,0045D84E,?,00008000), ref: 0045D725
GetProcAddress.KERNEL32(00000000,WINNLSEnableIME,USER32,00000000,0045D84E,?,00008000), ref: 0045D732
LoadLibraryA.KERNEL32(imm32.dll), ref: 0045D74E
GetProcAddress.KERNEL32(00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D770
GetProcAddress.KERNEL32(00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D785
GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D79A
GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7AF
GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7C4
GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E), ref: 0045D7D9
GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000), ref: 0045D7EE
GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext), ref: 0045D803
GetProcAddress.KERNEL32(00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext), ref: 0045D818
GetProcAddress.KERNEL32(00000000,ImmNotifyIME,00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus), ref: 0045D82D
SetErrorMode.KERNEL32(?,0045D855,00008000), ref: 0045D848

Strings

USER32, xrefs: 0045D720
ImmReleaseContext, xrefs: 0045D77A
ImmNotifyIME, xrefs: 0045D822
ImmIsIME, xrefs: 0045D80D
ImmGetConversionStatus, xrefs: 0045D78F
ImmSetCompositionFontA, xrefs: 0045D7E3
ImmGetCompositionStringA, xrefs: 0045D7F8
ImmSetCompositionWindow, xrefs: 0045D7CE
ImmGetContext, xrefs: 0045D765
imm32.dll, xrefs: 0045D749
ImmSetOpenStatus, xrefs: 0045D7B9
WINNLSEnableIME, xrefs: 0045D72C
ImmSetConversionStatus, xrefs: 0045D7A4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004104F0, Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141 Total matches: 3143

Similarity

Total matches: 3143
API ID: GetModuleHandle
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$[FILE]
API String ID: 2196120668-1102361026
Opcode ID: d04b3c176625d43589df9c4c1eaa1faa8af9b9c00307a8a09859a0e62e75f2dc
Instruction ID: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6
Opcode Fuzzy Hash: B8119E48E06A10BC356E3ED6B0292683F50A1A7CBF31D5388487AA46F067C083C0FF2D
Instruction Fuzzy Hash: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 004104F9

Part of subcall function 004104C4: GetProcAddress.KERNEL32(00000000), ref: 004104DD

Strings

VarMod, xrefs: 004105B7
VarBstrFromCy, xrefs: 004106A9
VarBstrFromBool, xrefs: 004106D5
VarAnd, xrefs: 004105CD
VarDateFromStr, xrefs: 00410667
oleaut32.dll, xrefs: 004104F4
VariantChangeTypeEx, xrefs: 00410507
VarCmp, xrefs: 0041060F
VarBstrFromDate, xrefs: 004106BF
VarBoolFromStr, xrefs: 00410693
VarR8FromStr, xrefs: 00410651
VarR4FromStr, xrefs: 0041063B
VarDiv, xrefs: 0041058B
VarSub, xrefs: 0041055F
VarNeg, xrefs: 0041051D
VarAdd, xrefs: 00410549
VarOr, xrefs: 004105E3
VarMul, xrefs: 00410575
VarI4FromStr, xrefs: 00410625
VarCyFromStr, xrefs: 0041067D
VarIdiv, xrefs: 004105A1
VarXor, xrefs: 004105F9
VarNot, xrefs: 00410533

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004291D0, Relevance: 31.7, APIs: 21, Instructions: 194 Total matches: 3060window

Similarity

Total matches: 3060
API ID: SelectObject$CreateCompatibleDCDeleteDCRealizePaletteSelectPaletteSetBkColor$BitBltCreateBitmapDeleteObjectGetDCGetObjectPatBltReleaseDC
String ID:
API String ID: 628774946-0
Opcode ID: fe3971f2977393a3c43567018b8bbe78de127415e632ac21538e816cc0dd5250
Instruction ID: 6115c1c3159ef7867d394253bd6a45f4e10092e6f2e7cc69ab30c5ac2c74a228
Opcode Fuzzy Hash: 2911294A05CCF32B64B579881983B261182FE43B52CABF7105979272CACF41740DE457
Instruction Fuzzy Hash: 6115c1c3159ef7867d394253bd6a45f4e10092e6f2e7cc69ab30c5ac2c74a228

APIs

GetObjectA.GDI32(?,00000054,?), ref: 004291F3
GetDC.USER32(00000000), ref: 00429221
CreateCompatibleDC.GDI32(?), ref: 00429232
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0042924D
SelectObject.GDI32(?,00000000), ref: 00429267
PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 00429289
CreateCompatibleDC.GDI32(?), ref: 00429297
DeleteDC.GDI32(?), ref: 0042937D

Part of subcall function 00428B08: GetObjectA.GDI32(00000000,00000054,?), ref: 00428B88
Part of subcall function 00428B08: GetDC.USER32(00000000), ref: 00428B99
Part of subcall function 00428B08: CreateCompatibleDC.GDI32(00000000), ref: 00428BAA
Part of subcall function 00428B08: CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 00428BF6
Part of subcall function 00428B08: CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 00428C1A
Part of subcall function 00428B08: GetDeviceCaps.GDI32(00000028,0000000C), ref: 00428C6A
Part of subcall function 00428B08: GetDeviceCaps.GDI32(00000028,0000000E), ref: 00428C77
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00428D21
Part of subcall function 00428B08: GetDIBColorTable.GDI32(?,00000000,00000100,-00000027), ref: 00428D47
Part of subcall function 00428B08: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428D72
Part of subcall function 00428B08: SelectObject.GDI32(?,?), ref: 00428D7F
Part of subcall function 00428B08: CreateDIBSection.GDI32(00000028,00000001,00000000,00000003,00000000,00000000), ref: 00428DD5
Part of subcall function 00428B08: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428E36
Part of subcall function 00428B08: SelectObject.GDI32(?,?), ref: 00428E77
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,00000000), ref: 00428EB7
Part of subcall function 00428B08: RealizePalette.GDI32(?), ref: 00428EC3
Part of subcall function 00428B08: FillRect.USER32(?,?,00000000), ref: 00428F14
Part of subcall function 00428B08: SetTextColor.GDI32(?,00000000), ref: 00428F2C
Part of subcall function 00428B08: SetBkColor.GDI32(?,00000000), ref: 00428F46
Part of subcall function 00428B08: SetDIBColorTable.GDI32(?,00000000,00000002,?), ref: 00428F8E
Part of subcall function 00428B08: PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 00428FB0
Part of subcall function 00428B08: CreateCompatibleDC.GDI32(00000028), ref: 00428FC3
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00428FE6
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,00000000), ref: 00429002
Part of subcall function 00428B08: RealizePalette.GDI32(?), ref: 0042900D
Part of subcall function 00428B08: SetTextColor.GDI32(?,00000000), ref: 0042902B
Part of subcall function 00428B08: SetBkColor.GDI32(?,00000000), ref: 00429045
Part of subcall function 00428B08: BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042906D
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,000000FF), ref: 0042907F
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00429089
Part of subcall function 00428B08: DeleteDC.GDI32(?), ref: 004290A4
Part of subcall function 00428B08: SelectPalette.GDI32(?,?,000000FF), ref: 004290CE

SelectObject.GDI32(?), ref: 004292DF
SelectPalette.GDI32(?,?,00000000), ref: 004292F2
RealizePalette.GDI32(?), ref: 004292FB
SelectPalette.GDI32(?,?,00000000), ref: 00429307
RealizePalette.GDI32(?), ref: 00429310
SetBkColor.GDI32(?), ref: 0042931A
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042933E
SetBkColor.GDI32(?,00000000), ref: 00429348
SelectObject.GDI32(?,00000000), ref: 0042935B
DeleteObject.GDI32 ref: 00429367
SelectObject.GDI32(?,00000000), ref: 00429398
DeleteDC.GDI32(00000000), ref: 004293B4
ReleaseDC.USER32(00000000,00000000), ref: 004293C5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004031FC, Relevance: 27.1, APIs: 9, Strings: 9, Instructions: 110 Total matches: 169

Similarity

Total matches: 169
API ID: CharNext
String ID: $ $ $"$"$"$"$"$"
API String ID: 3213498283-3597982963
Opcode ID: a78e52ca640c3a7d11d18e4cac849d6c7481ab065be4a6ef34a7c34927dd7892
Instruction ID: 5d6dbb870b020a65ba4fa9e31a5dda400ef744f15fc7bff5e21739e263984da5
Opcode Fuzzy Hash: D0F054139ED4432360976B416872B44E2D0DF9564D2C01F185B62BE2F31E696D62F9DC
Instruction Fuzzy Hash: 5d6dbb870b020a65ba4fa9e31a5dda400ef744f15fc7bff5e21739e263984da5

APIs

CharNextA.USER32(00000000), ref: 00403208
CharNextA.USER32(00000000), ref: 00403236
CharNextA.USER32(00000000), ref: 00403240
CharNextA.USER32(00000000), ref: 0040325F
CharNextA.USER32(00000000), ref: 00403269
CharNextA.USER32(00000000), ref: 00403295
CharNextA.USER32(00000000), ref: 0040329F
CharNextA.USER32(00000000), ref: 004032C7
CharNextA.USER32(00000000), ref: 004032D1

Strings

", xrefs: 00403230
, xrefs: 004032E9
", xrefs: 0040328F
", xrefs: 0040321E
, xrefs: 00403214
", xrefs: 00403254
, xrefs: 00403278
", xrefs: 00403219
", xrefs: 004032BC

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004296E0, Relevance: 21.2, APIs: 14, Instructions: 217 Total matches: 2962window

Similarity

Total matches: 2962
API ID: GetDeviceCapsSelectObjectSelectPaletteSetStretchBltMode$CreateCompatibleDCDeleteDCGetBrushOrgExRealizePaletteSetBrushOrgExStretchBlt
String ID:
API String ID: 3308931694-0
Opcode ID: c4f23efe5e20e7f72d9787206ae9d4d4484ef6a1768b369050ebc0ce3d21af64
Instruction ID: 6e80a75276815f297b150d1899ec2451361d21afa1efcd092d0d7bc48a04164e
Opcode Fuzzy Hash: 2C21980A409CEB6BF0BB78840183F4A2285BF9B34ACD1BB210E64673635F04E40BD65F
Instruction Fuzzy Hash: 6e80a75276815f297b150d1899ec2451361d21afa1efcd092d0d7bc48a04164e

APIs

Part of subcall function 00429D5C: GetDC.USER32(00000000), ref: 00429DB2
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429DC7
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00429DD1
Part of subcall function 00429D5C: CreateHalftonePalette.GDI32(00000000), ref: 00429DF5
Part of subcall function 00429D5C: ReleaseDC.USER32(00000000,00000000), ref: 00429E00

SelectPalette.GDI32(?,?,000000FF), ref: 00429723
RealizePalette.GDI32(?), ref: 00429732
GetDeviceCaps.GDI32(?,0000000C), ref: 00429744
GetDeviceCaps.GDI32(?,0000000E), ref: 00429753
GetBrushOrgEx.GDI32(?,?), ref: 00429786
SetStretchBltMode.GDI32(?,00000004), ref: 00429794
SetBrushOrgEx.GDI32(?,?,?,?), ref: 004297AC
SetStretchBltMode.GDI32(00000000,00000003), ref: 004297C9
SelectPalette.GDI32(?,?,000000FF), ref: 00429918

Part of subcall function 00429CFC: DeleteObject.GDI32(?), ref: 00429D1F

CreateCompatibleDC.GDI32(00000000), ref: 0042982A
SelectObject.GDI32(?,?), ref: 0042983F

Part of subcall function 00425CC8: CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 00425D0B
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425D20
Part of subcall function 00425CC8: MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,CCAA0029), ref: 00425D64
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425D7E
Part of subcall function 00425CC8: DeleteObject.GDI32(?), ref: 00425D8A
Part of subcall function 00425CC8: CreateCompatibleDC.GDI32(00000000), ref: 00425D9E
Part of subcall function 00425CC8: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00425DBF
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425DD4
Part of subcall function 00425CC8: SelectPalette.GDI32(?,48080787,00000000), ref: 00425DE8
Part of subcall function 00425CC8: SelectPalette.GDI32(?,?,00000000), ref: 00425DFA
Part of subcall function 00425CC8: SelectPalette.GDI32(?,00000000,000000FF), ref: 00425E0F
Part of subcall function 00425CC8: SelectPalette.GDI32(?,48080787,000000FF), ref: 00425E25
Part of subcall function 00425CC8: RealizePalette.GDI32(?), ref: 00425E31
Part of subcall function 00425CC8: StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 00425E53
Part of subcall function 00425CC8: StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 00425E75
Part of subcall function 00425CC8: SetTextColor.GDI32(?,00000000), ref: 00425E7D
Part of subcall function 00425CC8: SetBkColor.GDI32(?,00FFFFFF), ref: 00425E8B
Part of subcall function 00425CC8: StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 00425EB7
Part of subcall function 00425CC8: StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 00425EDC
Part of subcall function 00425CC8: SetTextColor.GDI32(?,?), ref: 00425EE6
Part of subcall function 00425CC8: SetBkColor.GDI32(?,?), ref: 00425EF0
Part of subcall function 00425CC8: SelectObject.GDI32(?,00000000), ref: 00425F03
Part of subcall function 00425CC8: DeleteObject.GDI32(?), ref: 00425F0C
Part of subcall function 00425CC8: SelectPalette.GDI32(?,00000000,00000000), ref: 00425F2E
Part of subcall function 00425CC8: DeleteDC.GDI32(?), ref: 00425F37

SelectObject.GDI32(?,00000000), ref: 0042989E
DeleteDC.GDI32(00000000), ref: 004298AD
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,?), ref: 004298F3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048D3C4, Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 132 Total matches: 32

Similarity

Total matches: 32
API ID: GetVersionEx
String ID: Unknow$Windows 2000$Windows 7$Windows 95$Windows 98$Windows Me$Windows NT 4.0$Windows Server 2003$Windows Vista$Windows XP
API String ID: 3908303307-3783844371
Opcode ID: 7b5a5832e5fd12129a8a2e2906a492b9449b8df28a17af9cc2e55bced20de565
Instruction ID: b844ed6b70e0e94de659292c354b68b9ed016400ab421bcb6baea74a0809c2ae
Opcode Fuzzy Hash: 0C11ACC1EB6CE422E7B219486410BD59E805F8B83AFCCC343D63EA83E46D491419F22D
Instruction Fuzzy Hash: b844ed6b70e0e94de659292c354b68b9ed016400ab421bcb6baea74a0809c2ae

APIs

GetVersionExA.KERNEL32(00000094), ref: 0048D410

Strings

Windows Me, xrefs: 0048D4F2
Windows NT 4.0, xrefs: 0048D441
Windows 2000, xrefs: 0048D467
Windows 95, xrefs: 0048D4D6
Windows 7, xrefs: 0048D4B1
Unknow, xrefs: 0048D3F5
Windows Vista, xrefs: 0048D4A3
Windows Server 2003, xrefs: 0048D486
Windows XP, xrefs: 0048D478
Windows 98, xrefs: 0048D4E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C494, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 102 Total matches: 27filememorythread

Similarity

Total matches: 27
API ID: CloseHandle$CreateFileCreateThreadFindResourceLoadResourceLocalAllocLockResourceSizeofResourceWriteFile
String ID: [FILE]
API String ID: 67866216-124780900
Opcode ID: 96c988e38e59b89ff17cc2eaece477f828ad8744e4a6eccd5192cfbc043553d8
Instruction ID: 630cc112895e8414539e3ba5b7ba0394fd4404f3832c6fa9d37db38bf09270f9
Opcode Fuzzy Hash: D5F02B8A57A5E6A3F0003C841D423D286D55B13B20E582B62C57CB75C1FE24502AFB03
Instruction Fuzzy Hash: 630cc112895e8414539e3ba5b7ba0394fd4404f3832c6fa9d37db38bf09270f9

APIs

FindResourceA.KERNEL32(00000000,?,?), ref: 0048C4C3

Part of subcall function 00489BB0: GetTempPathA.KERNEL32(?,00000000), ref: 00489BEC

CreateFileA.KERNEL32(00000000,.dll,?,?,40000000,00000002,00000000), ref: 0048C50F
SizeofResource.KERNEL32(00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC,?,?,?,?,00000000,00000000,00000000), ref: 0048C51F
LoadResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C528
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C52E
WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0048C535
CloseHandle.KERNEL32(00000000), ref: 0048C53B
LocalAlloc.KERNEL32(00000040,00000004,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C544
CreateThread.KERNEL32(00000000,00000000,0048C3E4,00000000,00000000,?), ref: 0048C586
CloseHandle.KERNEL32(00000000), ref: 0048C58C

Strings

.dll, xrefs: 0048C4F4, 0048C565

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004085D4, Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 61 Total matches: 268windowregistry

Similarity

Total matches: 268
API ID: RegisterWindowMessage$SendMessage$FindWindow
String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
API String ID: 773075572-3736581797
Opcode ID: b8d29d158da692a3f30c7c46c0fd30bc084ed528be5294db655e4684b6c0c80f
Instruction ID: 4e75a9db2a85290b2bd165713cc3b8ab264a87c6022b985514cebb886d0c2653
Opcode Fuzzy Hash: E3E086048EC5E4C040877D156905746525A5B47E33E88971245FC69EEBDF12706CF60B
Instruction Fuzzy Hash: 4e75a9db2a85290b2bd165713cc3b8ab264a87c6022b985514cebb886d0c2653

APIs

FindWindowA.USER32(MouseZ,Magellan MSWHEEL), ref: 004085EC
RegisterWindowMessageA.USER32(MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 004085F8
RegisterWindowMessageA.USER32(MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 00408607
RegisterWindowMessageA.USER32(MSH_SCROLL_LINES_MSG,MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 00408613
SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 0040862B
SendMessageA.USER32(00000000,?,00000000,00000000), ref: 0040864F

Strings

MSH_SCROLL_LINES_MSG, xrefs: 0040860E
MSH_WHEELSUPPORT_MSG, xrefs: 00408602
MouseZ, xrefs: 004085E7
Magellan MSWHEEL, xrefs: 004085E2
MSWHEEL_ROLLMSG, xrefs: 004085F3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004328FC, Relevance: 18.1, APIs: 12, Instructions: 142 Total matches: 2670

Similarity

Total matches: 2670
API ID: GetSystemMetricsGetWindowLong$ExcludeClipRectFillRectGetSysColorBrushGetWindowDCGetWindowRectInflateRectOffsetRectReleaseDC
String ID:
API String ID: 3932036319-0
Opcode ID: 76064c448b287af48dc2af56ceef959adfeb7e49e56a31cb381aae6292753b0b
Instruction ID: f04c829c48dd0ecc4740a09c532db4e7ffce190e9eba6ce852bb2d0274806371
Opcode Fuzzy Hash: 03019760024F1233E0B31AC05DC7F127621ED45386CA4BBF28BF6A72C962AA7006F467
Instruction Fuzzy Hash: f04c829c48dd0ecc4740a09c532db4e7ffce190e9eba6ce852bb2d0274806371

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 00432917
GetWindowRect.USER32(00000000,?), ref: 00432932
OffsetRect.USER32(?,?,?), ref: 00432947
GetWindowDC.USER32(00000000), ref: 00432955
GetWindowLongA.USER32(00000000,000000F0), ref: 00432986
GetSystemMetrics.USER32(00000002), ref: 0043299B
GetSystemMetrics.USER32(00000003), ref: 004329A4
InflateRect.USER32(?,000000FE,000000FE), ref: 004329B3
GetSysColorBrush.USER32(0000000F), ref: 004329E0
FillRect.USER32(?,?,00000000), ref: 004329EE
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00432A13
ReleaseDC.USER32(00000000,?), ref: 00432A51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00402820, Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 254 Total matches: 200window

Similarity

Total matches: 200
API ID: MessageBox
String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
API String ID: 1250089747-1256731999
Opcode ID: 490897b8e9acac750f9d51d50a768472c0795dbdc6439b18441db86d626ce938
Instruction ID: 76dfa530adb1b8c2cc13e2667be7c25ba156ed0594aa9714788bfb3d1a0eda85
Opcode Fuzzy Hash: 0731F44BA7DDC3A2D3E91303684575550E2A7C5537C888F609772317F6EE04250BAAAD
Instruction Fuzzy Hash: 76dfa530adb1b8c2cc13e2667be7c25ba156ed0594aa9714788bfb3d1a0eda85

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 00402BBE

Strings

An unexpected memory leak has occurred. , xrefs: 00402980
String, xrefs: 00402A91
, xrefs: 00402B04
Unknown, xrefs: 00402A7C
The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402B39
The unexpected small block leaks are:, xrefs: 004029F7
Unexpected Memory Leak, xrefs: 00402BB0
7, xrefs: 00402991
bytes: , xrefs: 00402A4D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F17C, Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 116 Total matches: 33window

Similarity

Total matches: 33
API ID: GetWindowPlacementGetWindowTextIsWindowVisible
String ID: ,$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive$True
API String ID: 41250382-511446200
Opcode ID: 2a93bd2407602c988be198f02ecb64933adb9ffad78aee0f75abc9a1a22a1849
Instruction ID: 8f95e1a452f283c9d6a5f9db166b7f7b6e325fa1ebf04232aa01919826a7e185
Opcode Fuzzy Hash: F5012D8237CECA73DA0AAEC47C00B80D5A5AF63224CC867A14A9D3D1D41ED06009AB4A
Instruction Fuzzy Hash: 8f95e1a452f283c9d6a5f9db166b7f7b6e325fa1ebf04232aa01919826a7e185

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F1D2
GetWindowPlacement.USER32(?,0000002C), ref: 0046F1ED
IsWindowVisible.USER32(?), ref: 0046F258

Part of subcall function 0046F148: GetWindow.USER32(?,00000005), ref: 0046F156
Part of subcall function 0046F148: GetWindow.USER32(00000000,00000002), ref: 0046F164

Strings

,, xrefs: 0046F1E1
Minimized, xrefs: 0046F225
Show/Unactive, xrefs: 0046F239
True, xrefs: 0046F2AA
Maximized, xrefs: 0046F1FD
Normal, xrefs: 0046F211
Normal/Unactive, xrefs: 0046F24D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E71C, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 109 Total matches: 2989

Similarity

Total matches: 2989
API ID: IntersectRect$GetSystemMetrics$EnumDisplayMonitorsGetClipBoxGetDCOrgExOffsetRect
String ID: EnumDisplayMonitors
API String ID: 2403121106-2491903729
Opcode ID: 52db4d6629bbd73772140d7e04a91d47a072080cb3515019dbe85a8b86b11587
Instruction ID: b4557ab74b20c8893b9e8c5043286aecf6e43751f6ec849995a879e485a4fa77
Opcode Fuzzy Hash: 60F02B4B413C0863AD32BB953067E2601615BD3955C9F7BF34D077A2091B85B42EF643
Instruction Fuzzy Hash: b4557ab74b20c8893b9e8c5043286aecf6e43751f6ec849995a879e485a4fa77

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 0042E755
GetSystemMetrics.USER32(00000000), ref: 0042E77A
GetSystemMetrics.USER32(00000001), ref: 0042E785
GetClipBox.GDI32(?,?), ref: 0042E797
GetDCOrgEx.GDI32(?,?), ref: 0042E7A4
OffsetRect.USER32(?,?,?), ref: 0042E7BD
IntersectRect.USER32(?,?,?), ref: 0042E7CE
IntersectRect.USER32(?,?,?), ref: 0042E7E4
IntersectRect.USER32(?,?,?), ref: 0042E804

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

EnumDisplayMonitors, xrefs: 0042E734

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044D1B0, Relevance: 16.6, APIs: 11, Instructions: 91 Total matches: 309

Similarity

Total matches: 309
API ID: GetWindowLongSetWindowLong$SetProp$IsWindowUnicode
String ID:
API String ID: 2416549522-0
Opcode ID: cc33e88019e13a6bdd1cd1f337bb9aa08043e237bf24f75c2294c70aefb51ea5
Instruction ID: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692
Opcode Fuzzy Hash: 47F09048455D92E9CE316990181BFEB6098AF57F91CE86B0469C2713778E50F079BCC2
Instruction Fuzzy Hash: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692

APIs

IsWindowUnicode.USER32(?), ref: 0044D1CA
SetWindowLongW.USER32(?,000000FC,?), ref: 0044D1E5
GetWindowLongW.USER32(?,000000F0), ref: 0044D1F0
GetWindowLongW.USER32(?,000000F4), ref: 0044D202
SetWindowLongW.USER32(?,000000F4,?), ref: 0044D215
SetWindowLongA.USER32(?,000000FC,?), ref: 0044D22E
GetWindowLongA.USER32(?,000000F0), ref: 0044D239
GetWindowLongA.USER32(?,000000F4), ref: 0044D24B
SetWindowLongA.USER32(?,000000F4,?), ref: 0044D25E
SetPropA.USER32(?,00000000,00000000), ref: 0044D275
SetPropA.USER32(?,00000000,00000000), ref: 0044D28C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A8AC, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 146 Total matches: 45fileprocesssynchronization

Similarity

Total matches: 45
API ID: CloseHandle$CreateFile$CreateProcessWaitForSingleObject
String ID: D
API String ID: 1169714791-2746444292
Opcode ID: 9fb844b51f751657abfdf9935c21911306aa385a3997c9217fbe2ce6b668f812
Instruction ID: 79e473b7fda91be69f4d7f417df14a4c992ec25b9310636d694ca9e09f5cc5b6
Opcode Fuzzy Hash: 4D11E6431384F3F3F1A567002C8275185D6DB45A78E6D9752D6B6323EECB40A16CF94A
Instruction Fuzzy Hash: 79e473b7fda91be69f4d7f417df14a4c992ec25b9310636d694ca9e09f5cc5b6

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000004,00000100,00000000), ref: 0048A953
CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000002,00000100,00000000), ref: 0048A98D
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000110,00000000,00000000,00000044,?), ref: 0048AA10
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0048AA2D
CloseHandle.KERNEL32(00000000), ref: 0048AA68
CloseHandle.KERNEL32(00000000), ref: 0048AA77
CloseHandle.KERNEL32(00000000), ref: 0048AA86
CloseHandle.KERNEL32(00000000), ref: 0048AA95

Strings

D, xrefs: 0048A9BB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F3B8, Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 110 Total matches: 30

Similarity

Total matches: 30
API ID: GetWindowPlacementGetWindowText
String ID: ,$False$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive
API String ID: 3194812178-3661939895
Opcode ID: 6e67ebc189e59b109926b976878c05c5ff8e56a7c2fe83319816f47c7d386b2c
Instruction ID: 05c2a068ec8248d3d24fb73124f2ba0192b7bb261c799db9564259cde8fcc610
Opcode Fuzzy Hash: DC012BC22786CE23E606A9C47A00BD0CE65AFB261CCC867E14FEE3C5D57ED100089B96
Instruction Fuzzy Hash: 05c2a068ec8248d3d24fb73124f2ba0192b7bb261c799db9564259cde8fcc610

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F40E
GetWindowPlacement.USER32(?,0000002C), ref: 0046F429

Part of subcall function 0046F148: GetWindow.USER32(?,00000005), ref: 0046F156
Part of subcall function 0046F148: GetWindow.USER32(00000000,00000002), ref: 0046F164

Strings

Maximized, xrefs: 0046F439
,, xrefs: 0046F41D
False, xrefs: 0046F4D6
Show/Unactive, xrefs: 0046F475
Normal, xrefs: 0046F44D
Minimized, xrefs: 0046F461
Normal/Unactive, xrefs: 0046F489

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00456278, Relevance: 15.2, APIs: 10, Instructions: 197 Total matches: 3025

Similarity

Total matches: 3025
API ID: GetWindowLong$IntersectClipRectRestoreDCSaveDC
String ID:
API String ID: 3006731778-0
Opcode ID: 42e9e34b880910027b3e3a352b823e5a85719ef328f9c6ea61aaf2d3498d6580
Instruction ID: 4204c0258dd60c0c2688d7e8ce7edc9cd036ce1826430425374ca7ebdb7834a4
Opcode Fuzzy Hash: 4621F609168D5267EC7B75806993BAA7111FB82B88CD1F7321AA1171975B80204BFA07
Instruction Fuzzy Hash: 4204c0258dd60c0c2688d7e8ce7edc9cd036ce1826430425374ca7ebdb7834a4

APIs

SaveDC.GDI32(?), ref: 00456295

Part of subcall function 0044EEA0: GetWindowOrgEx.GDI32(?), ref: 0044EEAE
Part of subcall function 0044EEA0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044EEC4

IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 004562CE
GetWindowLongA.USER32(00000000,000000EC), ref: 004562E2
GetWindowLongA.USER32(00000000,000000F0), ref: 00456303

Part of subcall function 00456278: SetRect.USER32(00000010,00000000,00000000,?,?), ref: 00456363
Part of subcall function 00456278: IntersectClipRect.GDI32(?,00000000,00000000,00000010,?), ref: 004563D3
Part of subcall function 00456278: SetRect.USER32(?,00000000,00000000,?,?), ref: 004563F4
Part of subcall function 00456278: DrawEdge.USER32(?,?,00000000,00000000), ref: 00456403
Part of subcall function 00456278: IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0045642C

RestoreDC.GDI32(?,?), ref: 004564AB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044155C, Relevance: 15.1, APIs: 10, Instructions: 74 Total matches: 3192window

Similarity

Total matches: 3192
API ID: DeleteMenu$EnableMenuItem$GetSystemMenu
String ID:
API String ID: 3542995237-0
Opcode ID: 6b257927fe0fdeada418aad578b82fbca612965c587f2749ccb5523ad42afade
Instruction ID: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578
Opcode Fuzzy Hash: 0AF0D09DD98F1151E6F500410C47B83C08AFF413C5C245B380583217EFA9D25A5BEB0E
Instruction Fuzzy Hash: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 004415A7
DeleteMenu.USER32(00000000,0000F130,00000000), ref: 004415C5
DeleteMenu.USER32(00000000,00000007,00000400), ref: 004415D2
DeleteMenu.USER32(00000000,00000005,00000400), ref: 004415DF
DeleteMenu.USER32(00000000,0000F030,00000000), ref: 004415EC
DeleteMenu.USER32(00000000,0000F020,00000000), ref: 004415F9
DeleteMenu.USER32(00000000,0000F000,00000000), ref: 00441606
DeleteMenu.USER32(00000000,0000F120,00000000), ref: 00441613
EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 00441631
EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 0044164D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040281E, Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 188 Total matches: 190window

Similarity

Total matches: 190
API ID: MessageBox
String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
API String ID: 1250089747-980038931
Opcode ID: 1669ecd234b97cdbd14c3df7a35b1e74c6856795be7635a3e0f5130a3d9bc831
Instruction ID: 2e60dbe28dcd1d3aa5670394eea0bc97309ab4bc9661f15f320bab8b5d4cd559
Opcode Fuzzy Hash: 8E21F44B67EED392D3EA1303384575540E3ABC5537D888F60977232BF6EE14140BAA9D
Instruction Fuzzy Hash: 2e60dbe28dcd1d3aa5670394eea0bc97309ab4bc9661f15f320bab8b5d4cd559

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 00402BBE

Strings

An unexpected memory leak has occurred. , xrefs: 00402980
, xrefs: 00402B04
The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402B39
The unexpected small block leaks are:, xrefs: 004029F7
Unexpected Memory Leak, xrefs: 00402BB0
7, xrefs: 00402991
bytes: , xrefs: 00402A4D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004710F0, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 66 Total matches: 37

Similarity

Total matches: 37
API ID: GetWindowShowWindow$FindWindowGetClassName
String ID: BUTTON$Shell_TrayWnd
API String ID: 2948047570-3627955571
Opcode ID: 9e064d9ead1b610c0c1481de5900685eb7d76be14ef2e83358ce558d27e67668
Instruction ID: d360bd029940f6fa4d12d7627fe3e8b46839e67e31e965d43504e39a11938d6c
Opcode Fuzzy Hash: 68E092CC17B5D469B71A2789284236241D5C763A35C18B752D332376DF8E58021EE60A
Instruction Fuzzy Hash: d360bd029940f6fa4d12d7627fe3e8b46839e67e31e965d43504e39a11938d6c

APIs

FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 0047111D
GetWindow.USER32(00000000,00000005), ref: 00471125
GetClassNameA.USER32(00000000,?,00000080), ref: 0047113D
ShowWindow.USER32(00000000,00000001), ref: 0047117C
ShowWindow.USER32(00000000,00000000), ref: 00471186
GetWindow.USER32(00000000,00000002), ref: 0047118E

Strings

BUTTON, xrefs: 00471168
Shell_TrayWnd, xrefs: 00471118

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004564D0, Relevance: 13.7, APIs: 9, Instructions: 177 Total matches: 190window

Similarity

Total matches: 190
API ID: SelectObject$BeginPaintBitBltCreateCompatibleBitmapCreateCompatibleDCSetWindowOrgEx
String ID:
API String ID: 1616898104-0
Opcode ID: 00b711a092303d63a394b0039c66d91bff64c6bf82b839551a80748cfcb5bf1e
Instruction ID: 1affb125a654ca7596d0e4f6c4811def945eff925a29ebecd1c68cf0f38a7913
Opcode Fuzzy Hash: 14115B85024DA637E8739CC85E83F962294F307D48C91F7729BA31B2C72F15600DD293
Instruction Fuzzy Hash: 1affb125a654ca7596d0e4f6c4811def945eff925a29ebecd1c68cf0f38a7913

APIs

Part of subcall function 00455D50: BeginPaint.USER32(00000000,?), ref: 00455D7B
Part of subcall function 00455D50: SaveDC.GDI32(00000000), ref: 00455DB4
Part of subcall function 00455D50: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 00455E36
Part of subcall function 00455D50: RestoreDC.GDI32(00000000,00000000), ref: 00455E6C
Part of subcall function 00455D50: EndPaint.USER32(00000000,?), ref: 00455EA9

BeginPaint.USER32(00000000,?), ref: 004565EA
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00456600
CreateCompatibleDC.GDI32(00000000), ref: 00456617
SelectObject.GDI32(?,?), ref: 00456627
SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0045664B

Part of subcall function 004564D0: BeginPaint.USER32(00000000,?), ref: 0045653C
Part of subcall function 004564D0: EndPaint.USER32(00000000,?), ref: 004565D0

BitBlt.GDI32(00000000,?,?,?,?,?,?,?,00CC0020), ref: 00456699
SelectObject.GDI32(?,?), ref: 004566B3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004840D8, Relevance: 13.6, APIs: 9, Instructions: 150 Total matches: 30

Similarity

Total matches: 30
API ID: CloseHandleGetTokenInformationLookupAccountSid$GetLastErrorOpenProcessOpenProcessToken
String ID:
API String ID: 1387212650-0
Opcode ID: 55fc45e655e8bcad6bc41288bae252f5ee7be0b7cb976adfe173a6785b05be5f
Instruction ID: 4c6b5abeafcca947752a893948ed48d42e020b1fe5683f4a654fc51f6199c0a3
Opcode Fuzzy Hash: 3901484A17CA2293F53BB5C82483FEA1215E702B45D48B7A354F43A59A5F45A13BF702
Instruction Fuzzy Hash: 4c6b5abeafcca947752a893948ed48d42e020b1fe5683f4a654fc51f6199c0a3

APIs

OpenProcess.KERNEL32(00000400,00000000,?,00000000,00484275), ref: 00484108
OpenProcessToken.ADVAPI32(00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 0048411E
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,?,00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 00484139
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),?,?,?,?,TokenIntegrityLevel,00000000,00000000,?,00000000,00000008,?,00000400,00000000), ref: 00484168
GetLastError.KERNEL32(?,TokenIntegrityLevel,00000000,00000000,?,00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 00484177
CloseHandle.KERNEL32(?), ref: 00484185
LookupAccountSidA.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 004841B4
LookupAccountSidA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,?), ref: 00484205
CloseHandle.KERNEL32(00000000), ref: 00484255

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00451458, Relevance: 13.6, APIs: 9, Instructions: 122 Total matches: 3040window

Similarity

Total matches: 3040
API ID: PatBlt$SelectObject$GetDCExGetDesktopWindowReleaseDC
String ID:
API String ID: 2402848322-0
Opcode ID: 0b1cd19b0e82695ca21d43bacf455c9985e1afa33c1b29ce2f3a7090b744ccb2
Instruction ID: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593
Opcode Fuzzy Hash: C2F0B4482AADF707C8B6350915C7F79224AED736458F4BB694DB4172CBAF27B014D093
Instruction Fuzzy Hash: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593

APIs

GetDesktopWindow.USER32 ref: 0045148F
GetDCEx.USER32(?,00000000,00000402), ref: 004514A2

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

SelectObject.GDI32(?,00000000), ref: 004514C5
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 004514EB
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0045150D
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 0045152C
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 00451546
SelectObject.GDI32(?,?), ref: 00451553
ReleaseDC.USER32(?,?), ref: 0045156D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004117E8, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: f440f800a6dcfa6827f62dcd7c23166eba4d720ac19948e634cff8498f9e3f0b
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 4D113503239AAB83B0257B804C83F24D1D0DE42D36ACD97B8C672693F32601561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00411881
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041189D
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 004118D6
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411953
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0041196C
VariantCopy.OLEAUT32(?), ref: 004119A1

Strings

, xrefs: 00411802

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AC14, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 110 Total matches: 30

Similarity

Total matches: 30
API ID: GetCurrentProcessGetTokenInformationLookupPrivilegeDisplayNameLookupPrivilegeNameOpenProcessToken
String ID: GetTokenInformation error$OpenProcessToken error
API String ID: 34442935-1842041635
Opcode ID: 07715b92dc7caf9e715539a578f275bcd2bb60a34190f84cc6cf05c55eb8ea49
Instruction ID: 380ab001647c8b3903b6034fc21424389ae21c1771cfbd9cf9b74ae493e33b6b
Opcode Fuzzy Hash: 9101994303ACF753F62929086842BDA0550DF534A5EC4AB6281746BEC90F28203AFB57
Instruction Fuzzy Hash: 380ab001647c8b3903b6034fc21424389ae21c1771cfbd9cf9b74ae493e33b6b

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AD60), ref: 0048AC51
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AD60), ref: 0048AC57
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000320,?,00000000,00000028,?,00000000,0048AD60), ref: 0048AC7D
LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,00000000,000000FF,?), ref: 0048ACEE

Part of subcall function 00489B40: MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00489B84

LookupPrivilegeNameA.ADVAPI32(00000000,?,00000000,000000FF), ref: 0048ACDD

Strings

GetTokenInformation error, xrefs: 0048AC86
OpenProcessToken error, xrefs: 0048AC60

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E4A0, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68 Total matches: 2853string

Similarity

Total matches: 2853
API ID: GetSystemMetrics$GetMonitorInfoSystemParametersInfolstrcpy
String ID: DISPLAY$GetMonitorInfo
API String ID: 3432438702-1633989206
Opcode ID: eae47ffeee35c10db4cae29e8a4ab830895bcae59048fb7015cdc7d8cb0a928b
Instruction ID: 74142331967dee0409fd24cf408a58a7466f2520650418456c75ade1e3029da4
Opcode Fuzzy Hash: 28E068803A699081F86A71027110F4912B07AE7E47D883B92C4777051BD78265B91D01
Instruction Fuzzy Hash: 74142331967dee0409fd24cf408a58a7466f2520650418456c75ade1e3029da4

APIs

GetMonitorInfoA.USER32(?,?), ref: 0042E4D1
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042E4F8
GetSystemMetrics.USER32(00000000), ref: 0042E50D
GetSystemMetrics.USER32(00000001), ref: 0042E518
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0042E542

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

DISPLAY, xrefs: 0042E539
GetMonitorInfo, xrefs: 0042E4B8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004052FC, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38 Total matches: 3072filewindow

Similarity

Total matches: 3072
API ID: GetStdHandleWriteFile$MessageBox
String ID: Error$Runtime error at 00000000
API String ID: 877302783-2970929446
Opcode ID: a2f2a555d5de0ed3a3cdfe8a362fd9574088acc3a5edf2b323f2c4251b80d146
Instruction ID: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97
Opcode Fuzzy Hash: FED0A7C68438479FA141326030C4B2A00133F0762A9CC7396366CB51DFCF4954BCDD05
Instruction Fuzzy Hash: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405335
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 0040533B
GetStdHandle.KERNEL32(000000F5,00405384,00000002,?,00000000,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405350
WriteFile.KERNEL32(00000000,000000F5,00405384,00000002,?), ref: 00405356
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00405374

Strings

Error, xrefs: 00405368
Runtime error at 00000000, xrefs: 0040532E, 0040536D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E0DC, Relevance: 12.1, APIs: 8, Instructions: 100 Total matches: 31registry

Similarity

Total matches: 31
API ID: RegOpenKeyEx$RegCloseKeyRegDeleteValue
String ID:
API String ID: 2702562355-0
Opcode ID: ff1bffc0fc9da49c543c68ea8f8c068e074332158ed00d7e0855fec77d15ce10
Instruction ID: bb6f8a9e936068d281b70d3ea2ea02ff1a791729bc38357734c580253c916b5c
Opcode Fuzzy Hash: 00F0AD0155E9A353EBF654C41E127DB2082FF43A44D08FFB50392139D3DF581028E663
Instruction Fuzzy Hash: bb6f8a9e936068d281b70d3ea2ea02ff1a791729bc38357734c580253c916b5c

APIs

RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?,00000000,0046E238), ref: 0046E15A
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,000F003F,?,0046E23F,80000000,00000000,00000000,000F003F,?,00000000,0046E238), ref: 0046E17D
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,0046E23F,80000000,00000000,00000000,000F003F,?), ref: 0046E19D
RegOpenKeyExA.ADVAPI32(80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,0046E23F), ref: 0046E1BD
RegOpenKeyExA.ADVAPI32(80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001), ref: 0046E1DD
RegOpenKeyExA.ADVAPI32(80000006,00000000,00000000,000F003F,?,80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002), ref: 0046E1FD
RegDeleteValueA.ADVAPI32(?,00000000,00000000,0046E238), ref: 0046E20F
RegCloseKey.ADVAPI32(?,?,00000000,00000000,0046E238), ref: 0046E218

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004462F4, Relevance: 12.1, APIs: 8, Instructions: 99 Total matches: 293windowthread

Similarity

Total matches: 293
API ID: SendMessage$GetWindowThreadProcessId$GetCaptureGetParentIsWindowUnicode
String ID:
API String ID: 2317708721-0
Opcode ID: 8f6741418f060f953fc426fb00df5905d81b57fcb2f7a38cdc97cb0aab6d7365
Instruction ID: 027f2b09132ef415e1641618d15c0fc03404835376b0cbd1c352fc703b58c8b5
Opcode Fuzzy Hash: D0F09E15071D1844F89FA7844CD3F1F0150E73726FC516A251861D07BB2640586DEC40
Instruction Fuzzy Hash: 027f2b09132ef415e1641618d15c0fc03404835376b0cbd1c352fc703b58c8b5

APIs

GetCapture.USER32 ref: 0044631A
GetParent.USER32(00000000), ref: 00446340
IsWindowUnicode.USER32(00000000), ref: 0044635D
SendMessageW.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446378
SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446397
GetWindowThreadProcessId.USER32(00000000), ref: 004463A6
GetWindowThreadProcessId.USER32(?,?), ref: 004463B4
SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 004463D4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E244, Relevance: 12.1, APIs: 8, Instructions: 95 Total matches: 27registry

Similarity

Total matches: 27
API ID: RegOpenKeyEx$RegCloseKeyRegDeleteKey
String ID:
API String ID: 1588268847-0
Opcode ID: efa1fa3a126963e045954320cca245066a4b5764b694b03be027155e6cf74c33
Instruction ID: 786d86d630c0ce6decb55c8266b1f23f89dbfeab872e22862efc69a80fb541cf
Opcode Fuzzy Hash: 70F0810454D99393EFF268C81A627EB2492FF53141C00BFB603D222A93DF191428E663
Instruction Fuzzy Hash: 786d86d630c0ce6decb55c8266b1f23f89dbfeab872e22862efc69a80fb541cf

APIs

RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?,00000000,0046E391), ref: 0046E2B7
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,000F003F,?,80000000,00000000,00000000,000F003F,?,00000000,0046E391), ref: 0046E2DA
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,80000000,00000000,00000000,000F003F,?,00000000), ref: 0046E2FA
RegOpenKeyExA.ADVAPI32(80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,80000000), ref: 0046E31A
RegOpenKeyExA.ADVAPI32(80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001), ref: 0046E33A
RegOpenKeyExA.ADVAPI32(80000006,00000000,00000000,000F003F,?,80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002), ref: 0046E35A
RegDeleteKeyA.ADVAPI32(?,0046E39C), ref: 0046E368
RegCloseKey.ADVAPI32(?,?,0046E39C,00000000,0046E391), ref: 0046E371

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426060, Relevance: 12.1, APIs: 8, Instructions: 79 Total matches: 3072window

Similarity

Total matches: 3072
API ID: GetSystemPaletteEntries$GetDCGetDeviceCapsReleaseDC
String ID:
API String ID: 3774187343-0
Opcode ID: c8a1f0028bda89d06ba34fecd970438ce26e4f5bd606e2da3d468695089984a8
Instruction ID: 0cfe958825060108f21fe327ec74807f3ea840bb8274bad68fd1d00675d59d02
Opcode Fuzzy Hash: 82F0E9420739F3B3B21723492453B548250FF006B8F195B7095A2A37D54B486A08D65A
Instruction Fuzzy Hash: 0cfe958825060108f21fe327ec74807f3ea840bb8274bad68fd1d00675d59d02

APIs

GetDC.USER32(00000000), ref: 0042608E
GetDeviceCaps.GDI32(?,00000068), ref: 004260AA
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 004260C9
GetSystemPaletteEntries.GDI32(?,-00000008,00000001,00C0C0C0), ref: 004260ED
GetSystemPaletteEntries.GDI32(?,00000000,00000007,?), ref: 0042610B
GetSystemPaletteEntries.GDI32(?,00000007,00000001,?), ref: 0042611F
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0042613F
ReleaseDC.USER32(00000000,?), ref: 00426157

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434550, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 177 Total matches: 2669window

Similarity

Total matches: 2669
API ID: InsertMenu$GetVersionInsertMenuItem
String ID: ,$?
API String ID: 1158528009-2308483597
Opcode ID: 3691d3eb49acf7fe282d18733ae3af9147e5be4a4a7370c263688d5644077239
Instruction ID: d88e58a9695d0ecde36b26a9ed5775f3b98e27f7dc2108173ae1ec2afbf22209
Opcode Fuzzy Hash: 7021C07202AE81DBD414788C7954F6221B16B5465FD49FF210329B5DD98F156003FF7A
Instruction Fuzzy Hash: d88e58a9695d0ecde36b26a9ed5775f3b98e27f7dc2108173ae1ec2afbf22209

APIs

GetVersion.KERNEL32(00000000,004347A1), ref: 004345EC
InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 004346F5
InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 0043477E

Part of subcall function 00434A54: CreatePopupMenu.USER32 ref: 00434A6F
Part of subcall function 00434A54: CreateMenu.USER32 ref: 00434A79

InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 00434765

Strings

?, xrefs: 00434607
,, xrefs: 00434600

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446524, Relevance: 10.6, APIs: 7, Instructions: 105 Total matches: 329window

Similarity

Total matches: 329
API ID: PeekMessage$DispatchMessage$IsWindowUnicodeTranslateMessage
String ID:
API String ID: 94033680-0
Opcode ID: 72d0e2097018c2d171db36cd9dd5c7d628984fd68ad100676ade8b40d7967d7f
Instruction ID: b3581f7210794b57d406096c46509e1a6dcc6e0b3c60c7d01b5c3c410123a072
Opcode Fuzzy Hash: A2F0F642161A8221F90E364651E2FC06559E31F39CCD1D3871165A4192DF8573D6F95C
Instruction Fuzzy Hash: b3581f7210794b57d406096c46509e1a6dcc6e0b3c60c7d01b5c3c410123a072

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00446538
IsWindowUnicode.USER32 ref: 0044654C
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0044656D
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00446583

Part of subcall function 00447DD0: GetCapture.USER32 ref: 00447DDA
Part of subcall function 00447DD0: GetParent.USER32(00000000), ref: 00447E08

Part of subcall function 004462A4: TranslateMDISysAccel.USER32(?), ref: 004462E3

Part of subcall function 004462F4: GetCapture.USER32 ref: 0044631A
Part of subcall function 004462F4: GetParent.USER32(00000000), ref: 00446340
Part of subcall function 004462F4: IsWindowUnicode.USER32(00000000), ref: 0044635D
Part of subcall function 004462F4: SendMessageW.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446378
Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446397
Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(00000000), ref: 004463A6
Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(?,?), ref: 004463B4
Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 004463D4

Part of subcall function 0044625C: IsWindowUnicode.USER32(00000000), ref: 00446270
Part of subcall function 0044625C: IsDialogMessageW.USER32(?), ref: 00446281
Part of subcall function 0044625C: IsDialogMessageA.USER32(?,?,00000000,015B8130,00000001,00446607,?,00000000,00000000,00000000,00000001,?,00000000,00000000,00000000,00000000), ref: 00446296

TranslateMessage.USER32 ref: 0044660C
DispatchMessageW.USER32 ref: 00446618
DispatchMessageA.USER32 ref: 00446620

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004282D0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99 Total matches: 1938

Similarity

Total matches: 1938
API ID: GetWinMetaFileBitsMulDiv$GetDC
String ID: `
API String ID: 1171737091-2679148245
Opcode ID: 97e0afb71fd3017264d25721d611b96d1ac3823582e31f119ebb41a52f378edb
Instruction ID: fd1c75cb27f8ccc4a85bc281ca680933f7ff10ae91a160973978cac80d6b42b6
Opcode Fuzzy Hash: B6F0ACC4008CD2A7D87675DC1043F6311C897CA286E89BB739226A7307CB0AA019EC47
Instruction Fuzzy Hash: fd1c75cb27f8ccc4a85bc281ca680933f7ff10ae91a160973978cac80d6b42b6

APIs

MulDiv.KERNEL32(?,?,000009EC), ref: 00428322
MulDiv.KERNEL32(?,?,000009EC), ref: 00428339
GetDC.USER32(00000000), ref: 00428350
GetWinMetaFileBits.GDI32(?,00000000,00000000,00000008,?), ref: 00428374
GetWinMetaFileBits.GDI32(?,?,?,00000008,?), ref: 004283A7

Part of subcall function 00425A70: GetLastError.KERNEL32(00000000,00425B0C), ref: 00425A90
Part of subcall function 00425A70: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00425B0C), ref: 00425AB6

Strings

`, xrefs: 00428308

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444344, Relevance: 10.6, APIs: 7, Instructions: 89 Total matches: 2886

Similarity

Total matches: 2886
API ID: CreateFontIndirect$GetStockObjectSystemParametersInfo
String ID:
API String ID: 1286667049-0
Opcode ID: beeb678630a8d2ca0f721ed15124802961745e4c56d7c704ecddf8ebfa723626
Instruction ID: b9276e4cea0afd1028da4d528d34847b13dbaab52dc8e94e54053a20ac38a9fc
Opcode Fuzzy Hash: 00F0A4C36341F6F2D8993208742172161E6A74AE78C7CFF62422930ED2661A052EEB4F
Instruction Fuzzy Hash: b9276e4cea0afd1028da4d528d34847b13dbaab52dc8e94e54053a20ac38a9fc

APIs

SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 00444399
CreateFontIndirectA.GDI32(?), ref: 004443A6
GetStockObject.GDI32(0000000D), ref: 004443BC
SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 004443E5
CreateFontIndirectA.GDI32(?), ref: 004443F5
CreateFontIndirectA.GDI32(?), ref: 0044440E

Part of subcall function 00424A5C: MulDiv.KERNEL32(00000000,?,00000048), ref: 00424A69

GetStockObject.GDI32(0000000D), ref: 00444434

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428A00, Relevance: 10.6, APIs: 7, Instructions: 66 Total matches: 3056

Similarity

Total matches: 3056
API ID: SelectObject$CreateCompatibleDCDeleteDCGetDCReleaseDCSetDIBColorTable
String ID:
API String ID: 2399757882-0
Opcode ID: e05996493a4a7703f1d90fd319a439bf5e8e75d5a5d7afaf7582bfea387cb30d
Instruction ID: 90c847b5b2251fbb5b2f14fd0b24f537c214c92e226752d9278a3821f2f40b8f
Opcode Fuzzy Hash: 73E0DF8626D8F38BE435399C15C2BB202EAD763D20D1ABBA1CD712B5DB6B09701CE107
Instruction Fuzzy Hash: 90c847b5b2251fbb5b2f14fd0b24f537c214c92e226752d9278a3821f2f40b8f

APIs

Part of subcall function 004262B4: GetObjectA.GDI32(?,00000004), ref: 004262CB
Part of subcall function 004262B4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 004262EE

GetDC.USER32(00000000), ref: 00428A3E
CreateCompatibleDC.GDI32(?), ref: 00428A4A
SelectObject.GDI32(?), ref: 00428A57
SetDIBColorTable.GDI32(?,00000000,00000000,?), ref: 00428A7B
SelectObject.GDI32(?,?), ref: 00428A95
DeleteDC.GDI32(?), ref: 00428A9E
ReleaseDC.USER32(00000000,?), ref: 00428AA9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004442A8, Relevance: 10.6, APIs: 7, Instructions: 57 Total matches: 3149threadwindow

Similarity

Total matches: 3149
API ID: SendMessage$GetCurrentThreadIdGetCursorPosGetWindowThreadProcessIdSetCursorWindowFromPoint
String ID:
API String ID: 3843227220-0
Opcode ID: 636f8612f18a75fc2fe2d79306f1978e6c2d0ee500cce15a656835efa53532b4
Instruction ID: 91a0691e93be75cbd792bc1c5d11451005bcc187603754b99125f381020161aa
Opcode Fuzzy Hash: 6FE07D44093723D5C0644A295640705A6C6CB96630DC0DB86C339580FBAD0214F0BC92
Instruction Fuzzy Hash: 91a0691e93be75cbd792bc1c5d11451005bcc187603754b99125f381020161aa

APIs

GetCursorPos.USER32 ref: 004442C3
WindowFromPoint.USER32(?,?), ref: 004442D0
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004442DE
GetCurrentThreadId.KERNEL32(00000000,00000000,?,?), ref: 004442E5
SendMessageA.USER32(00000000,00000084,00000000,?), ref: 0044430E
SendMessageA.USER32(00000000,00000020,00000000,?), ref: 00444320
SetCursor.USER32(00000000), ref: 00444332

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00404448, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 49 Total matches: 63registry

Similarity

Total matches: 63
API ID: RegCloseKeyRegOpenKeyExRegQueryValueEx
String ID: &$FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 2249749755-409351
Opcode ID: ab90adbf7b939076b4d26ef1005f34fa32d43ca05e29cbeea890055cc8b783db
Instruction ID: ce62e3bb234767a160e82b0d7d36def6f0e4d1aa0fd43ed305e6d49589b0b3e0
Opcode Fuzzy Hash: 58D02BE10C9A675FB6B071543292B6310A3F72AA8CC0077326DD03A0D64FD26178CF03
Instruction Fuzzy Hash: ce62e3bb234767a160e82b0d7d36def6f0e4d1aa0fd43ed305e6d49589b0b3e0

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040446A
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,&,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040449D
RegCloseKey.ADVAPI32(?,004044C0,00000000,?,00000004,00000000,&,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004044B3

Strings

&, xrefs: 00404476
FPUMaskValue, xrefs: 00404494
SOFTWARE\Borland\Delphi\RTL, xrefs: 00404460

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043EC18, Relevance: 9.2, APIs: 6, Instructions: 150 Total matches: 2896

Similarity

Total matches: 2896
API ID: FillRect$BeginPaintEndPaintGetClientRectGetWindowRect
String ID:
API String ID: 2931688664-0
Opcode ID: 677a90f33c4a0bae1c1c90245e54b31fe376033ebf9183cf3cf5f44c7b342276
Instruction ID: 65c0a0a89661e183b73f48e61e48bee5eb6d6399339ac08e0e21072a38132552
Opcode Fuzzy Hash: 9711994A819E5007F47B49C40887BEA1092FBC1FDBCC8FF7025A426BCB0B60564F860B
Instruction Fuzzy Hash: 65c0a0a89661e183b73f48e61e48bee5eb6d6399339ac08e0e21072a38132552

APIs

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?), ref: 0043EC91
GetClientRect.USER32(00000000,?), ref: 0043ECBC
FillRect.USER32(?,?,00000000), ref: 0043ECDB

Part of subcall function 0043EB8C: CallWindowProcA.USER32(?,?,?,?,?), ref: 0043EBC6

Part of subcall function 0043B78C: GetWindowLongA.USER32(?,000000EC), ref: 0043B799
Part of subcall function 0043B78C: SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B7BC
Part of subcall function 0043B78C: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043B7CE

BeginPaint.USER32(?,?), ref: 0043ED53
GetWindowRect.USER32(?,?), ref: 0043ED80

Part of subcall function 0044EEA0: GetWindowOrgEx.GDI32(?), ref: 0044EEAE
Part of subcall function 0044EEA0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044EEC4

Part of subcall function 00455D50: BeginPaint.USER32(00000000,?), ref: 00455D7B
Part of subcall function 00455D50: SaveDC.GDI32(00000000), ref: 00455DB4
Part of subcall function 00455D50: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 00455E36
Part of subcall function 00455D50: RestoreDC.GDI32(00000000,00000000), ref: 00455E6C
Part of subcall function 00455D50: EndPaint.USER32(00000000,?), ref: 00455EA9

EndPaint.USER32(?,?), ref: 0043EDE0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00441160, Relevance: 9.1, APIs: 6, Instructions: 125 Total matches: 196

Similarity

Total matches: 196
API ID: ExcludeClipRectFillRectGetStockObjectRestoreDCSaveDCSetBkColor
String ID:
API String ID: 3049133588-0
Opcode ID: d6019f6cee828ac7391376ab126a0af33bb7a71103bbd3b8d69450c96d22d854
Instruction ID: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c
Opcode Fuzzy Hash: 54012444004F6253F4AB098428E7FA56083F721791CE4FF310786616C34A74615BAA07
Instruction Fuzzy Hash: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c

APIs

Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE

SaveDC.GDI32(?), ref: 004411AD
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00441234
GetStockObject.GDI32(00000004), ref: 00441256
FillRect.USER32(00000000,?,00000000), ref: 0044126F

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(00000000,00000000), ref: 004412BA

Part of subcall function 0042535C: FillRect.USER32(?,00000000,00000000), ref: 00425385

RestoreDC.GDI32(00000000,?), ref: 004412E5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426564, Relevance: 9.1, APIs: 6, Instructions: 84 Total matches: 3298

Similarity

Total matches: 3298
API ID: GetDeviceCapsGetSystemMetrics$GetDCReleaseDC
String ID:
API String ID: 3173458388-0
Opcode ID: fd9f4716da230ae71bf1f4ec74ceb596be8590d72bfe1d7677825fa15454f496
Instruction ID: 76208f8db54bfa31a4e946745ab37a866a8afca9cd7e1400b1f436bf5add317d
Opcode Fuzzy Hash: 0CF09E4906CDE0A230E245C41213F6290C28E85DA1CCD2F728175646EB900A900BB68A
Instruction Fuzzy Hash: 76208f8db54bfa31a4e946745ab37a866a8afca9cd7e1400b1f436bf5add317d

APIs

GetSystemMetrics.USER32(0000000B), ref: 004265B2
GetSystemMetrics.USER32(0000000C), ref: 004265BE
GetDC.USER32(00000000), ref: 004265DA
GetDeviceCaps.GDI32(00000000,0000000E), ref: 00426601
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042660E
ReleaseDC.USER32(00000000,00000000), ref: 00426647

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004269DC, Relevance: 9.1, APIs: 6, Instructions: 65 Total matches: 3081window

Similarity

Total matches: 3081
API ID: SelectPalette$CreateCompatibleDCDeleteDCGetDIBitsRealizePalette
String ID:
API String ID: 940258532-0
Opcode ID: c5678bed85b02f593c88b8d4df2de58c18800a354d7fb4845608846d7bc0f30b
Instruction ID: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194
Opcode Fuzzy Hash: BCE0864D058EF36F1875B08C25D267100C0C9A25D0917BB6151282339B8F09B42FE553
Instruction Fuzzy Hash: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194

APIs

Part of subcall function 00426888: GetObjectA.GDI32(?,00000054), ref: 0042689C

CreateCompatibleDC.GDI32(00000000), ref: 004269FE
SelectPalette.GDI32(?,?,00000000), ref: 00426A1F
RealizePalette.GDI32(?), ref: 00426A2B
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 00426A42
SelectPalette.GDI32(?,00000000,00000000), ref: 00426A6A
DeleteDC.GDI32(?), ref: 00426A73

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426210, Relevance: 9.1, APIs: 6, Instructions: 56 Total matches: 3064window

Similarity

Total matches: 3064
API ID: SelectObject$CreateCompatibleDCCreatePaletteDeleteDCGetDIBColorTable
String ID:
API String ID: 2522673167-0
Opcode ID: 8f0861977a40d6dd0df59c1c8ae10ba78c97ad85d117a83679491ebdeecf1838
Instruction ID: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265
Opcode Fuzzy Hash: 23E0CD8BABB4E08A797B9EA40440641D28F874312DF4347525731780E7DE0972EBFD9D
Instruction Fuzzy Hash: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265

APIs

CreateCompatibleDC.GDI32(00000000), ref: 00426229
SelectObject.GDI32(00000000,00000000), ref: 00426232
GetDIBColorTable.GDI32(00000000,00000000,00000100,?), ref: 00426246
SelectObject.GDI32(00000000,00000000), ref: 00426252
DeleteDC.GDI32(00000000), ref: 00426258
CreatePalette.GDI32 ref: 0042629F

Part of subcall function 00426178: GetDC.USER32(00000000), ref: 00426190
Part of subcall function 00426178: GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
Part of subcall function 00426178: ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004258EC, Relevance: 9.0, APIs: 6, Instructions: 43 Total matches: 3205

Similarity

Total matches: 3205
API ID: SetBkColorSetBkMode$SelectObjectUnrealizeObject
String ID:
API String ID: 865388446-0
Opcode ID: ffaa839b37925f52af571f244b4bcc9ec6d09047a190f4aa6a6dd435522a71e3
Instruction ID: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d
Opcode Fuzzy Hash: 04D09E594221F71A98E8058442D7D520586497D532DAF3B51063B173F7F8089A05D9FC
Instruction Fuzzy Hash: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d

APIs

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

UnrealizeObject.GDI32(00000000), ref: 004258F8
SelectObject.GDI32(?,00000000), ref: 0042590A
SetBkColor.GDI32(?,00000000), ref: 0042592D
SetBkMode.GDI32(?,00000002), ref: 00425938

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(?,00000000), ref: 00425953
SetBkMode.GDI32(?,00000001), ref: 0042595E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042A930, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 112 Total matches: 272window

Similarity

Total matches: 272
API ID: CreateHalftonePaletteDeleteObjectGetDCReleaseDC
String ID: (
API String ID: 5888407-3887548279
Opcode ID: 4e22601666aff46a46581565b5bf303763a07c2fd17868808ec6dd327d665c82
Instruction ID: f57f3c124764741b0e8e00b5455ad9be4a6e3969f543885727e4b1f2e22c0620
Opcode Fuzzy Hash: 79019E5241CC6117F8D7A6547852F732644AB806A5C80FB707B69BA8CFAB85610EB90B
Instruction Fuzzy Hash: f57f3c124764741b0e8e00b5455ad9be4a6e3969f543885727e4b1f2e22c0620

APIs

GetDC.USER32(00000000), ref: 0042A9EC
CreateHalftonePalette.GDI32(00000000), ref: 0042A9F9
ReleaseDC.USER32(00000000,00000000), ref: 0042AA08
DeleteObject.GDI32(00000000), ref: 0042AA76

Strings

(, xrefs: 0042A9A3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DA48, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 102 Total matches: 32

Similarity

Total matches: 32
API ID: Netbios
String ID: %.2x-%.2x-%.2x-%.2x-%.2x-%.2x$3$memory allocation failed!
API String ID: 544444789-2654533857
Opcode ID: 22deb5ba4c8dd5858e69645675ac88c4b744798eed5cc2a6ae80ae5365d1f156
Instruction ID: 205d53b38d78d2d0723284a20418f6a6cc2e9f6e34ee92e133a3f4b1a01c78c5
Opcode Fuzzy Hash: FC0145449793E233D2635E086C60F6823228F41731FC96B56863A557DC1F09420EF26F
Instruction Fuzzy Hash: 205d53b38d78d2d0723284a20418f6a6cc2e9f6e34ee92e133a3f4b1a01c78c5

APIs

Netbios.NETAPI32(00000032), ref: 0048DA8A
Netbios.NETAPI32(00000033), ref: 0048DB01

Strings

3, xrefs: 0048DACB
memory allocation failed!, xrefs: 0048DAEB
%.2x-%.2x-%.2x-%.2x-%.2x-%.2x, xrefs: 0048DBA0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482320, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85 Total matches: 19threadsleep

Similarity

Total matches: 19
API ID: CreateThreadExitThreadSleep
String ID: @$BTRESULTUDP Flood|UDP Flood task finished!|
API String ID: 2170526433-696998096
Opcode ID: 89b2bcb3a41e7f4c01433908cc75e320bbcd6b665df0f15f136d145bd92b223a
Instruction ID: ba785c08286949be7b8d16e5cc6bc2a647116c61844ba5f345475ef84eb05628
Opcode Fuzzy Hash: F0F02B696BCAA1DFE8075C446C42B9B2054DBC740EDCBA7B2261B235819A4A34073F13
Instruction Fuzzy Hash: ba785c08286949be7b8d16e5cc6bc2a647116c61844ba5f345475ef84eb05628

APIs

Sleep.KERNEL32(00000064,?,00000000,00482455), ref: 004823D3
CreateThread.KERNEL32(00000000,00000000,Function_000821A0,00000000,00000000,?), ref: 004823E8

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000,00000000,00000000,Function_000821A0,00000000,00000000,?,00000064,?,00000000,00482455), ref: 0048242B

Strings

@, xrefs: 004823BE
BTRESULTUDP Flood|UDP Flood task finished!|, xrefs: 00482417

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004827C4, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85 Total matches: 19threadsleep

Similarity

Total matches: 19
API ID: CreateThreadExitThreadSleep
String ID: @$BTRESULTSyn Flood|Syn task finished!|
API String ID: 2170526433-491318438
Opcode ID: 44470ceb4039b0deeebf49dfd608d8deeadfb9ebb9d7d747ae665e3d160d324e
Instruction ID: 0c48cfc9b202c7a9406c9b87cea66b669ffe7f04b2bdabee49179f6eebcccd33
Opcode Fuzzy Hash: 17F02B24A7D9B5DFEC075D402D42BDB6254EBC784EDCAA7B29257234819E1A30037713
Instruction Fuzzy Hash: 0c48cfc9b202c7a9406c9b87cea66b669ffe7f04b2bdabee49179f6eebcccd33

APIs

Sleep.KERNEL32(00000064,?,00000000,004828F9), ref: 00482877
CreateThread.KERNEL32(00000000,00000000,Function_00082630,00000000,00000000,?), ref: 0048288C

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000,00000000,00000000,Function_00082630,00000000,00000000,?,00000064,?,00000000,004828F9), ref: 004828CF

Strings

BTRESULTSyn Flood|Syn task finished!|, xrefs: 004828BB
@, xrefs: 00482862

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00483858, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85 Total matches: 19threadsleep

Similarity

Total matches: 19
API ID: CreateThreadExitThreadSleep
String ID: @$BTRESULTHTTP Flood|Http Flood task finished!|
API String ID: 2170526433-4253556105
Opcode ID: ce1973b24f73c03e98cc87b7d8b3c5c1d23a0e8b985775cb0889d2fdef58f970
Instruction ID: 21c0fad9eccbf28bfd57fbbbc49df069a42e3d2ebba60de991032031fecca495
Opcode Fuzzy Hash: 5DF0F61467DBA0AFEC476D403852FDB6254DBC344EDCAA7B2961B234919A0B50072752
Instruction Fuzzy Hash: 21c0fad9eccbf28bfd57fbbbc49df069a42e3d2ebba60de991032031fecca495

APIs

Sleep.KERNEL32(00000064,?,00000000,0048398D), ref: 0048390B
CreateThread.KERNEL32(00000000,00000000,Function_000836D8,00000000,00000000,?), ref: 00483920

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000,00000000,00000000,Function_000836D8,00000000,00000000,?,00000064,?,00000000,0048398D), ref: 00483963

Strings

@, xrefs: 004838F6
BTRESULTHTTP Flood|Http Flood task finished!|, xrefs: 0048394F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EA7C, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50 Total matches: 198thread

Similarity

Total matches: 198
API ID: FindWindowExGetCurrentThreadIdGetWindowThreadProcessIdIsWindow
String ID: OleMainThreadWndClass
API String ID: 201132107-3883841218
Opcode ID: cdbacb71e4e8a6832b821703e69153792bbbb8731c9381be4d3b148a6057b293
Instruction ID: 62358f18f5a79d764869bf2b093b0b3ccaeb62bda00a46bd1094c38cdaeeb6b7
Opcode Fuzzy Hash: F8E08C9266CC1095C039EA1C7A2237A3548B7D24E9ED4DB747BEB2716CEF00022A7780
Instruction Fuzzy Hash: 62358f18f5a79d764869bf2b093b0b3ccaeb62bda00a46bd1094c38cdaeeb6b7

APIs

Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00000000,00403029), ref: 004076AD
Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00403029), ref: 004076BE

IsWindow.USER32(?), ref: 0042EA99
FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
GetCurrentThreadId.KERNEL32(?,00000000,00000000,00000000,OleMainThreadWndClass,00000000,?,?,00000000,0042EB52), ref: 0042EB0A

Strings

OleMainThreadWndClass, xrefs: 0042EAC3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434AE4, Relevance: 7.7, APIs: 5, Instructions: 168 Total matches: 2874

Similarity

Total matches: 2874
API ID: DrawTextOffsetRect$DrawEdge
String ID:
API String ID: 1230182654-0
Opcode ID: 4033270dfa35f51a11e18255a4f5fd5a4a02456381e8fcea90fa62f052767fcc
Instruction ID: 6b9e5ef3b45a4a7d0cb501c9f56a29ead01efbe1e1581f942ef4c6a165ab8663
Opcode Fuzzy Hash: A511CB01114D5A93E431240815A7FEF1295FBC1A9BCD4BB71078636DBB2F481017EA7B
Instruction Fuzzy Hash: 6b9e5ef3b45a4a7d0cb501c9f56a29ead01efbe1e1581f942ef4c6a165ab8663

APIs

DrawEdge.USER32(00000000,?,00000006,00000002), ref: 00434BB3
OffsetRect.USER32(?,00000001,00000001), ref: 00434C04
DrawTextA.USER32(00000000,00000000,?,?,?), ref: 00434C3D
OffsetRect.USER32(?,000000FF,000000FF), ref: 00434C4A

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

DrawTextA.USER32(00000000,00000000,?,?,?), ref: 00434CB5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004455EC, Relevance: 7.6, APIs: 5, Instructions: 109 Total matches: 230

Similarity

Total matches: 230
API ID: ShowOwnedPopupsShowWindow$EnumWindows
String ID:
API String ID: 1268429734-0
Opcode ID: 27bb45b2951756069d4f131311b8216febb656800ffc3f7147a02f570a82fa35
Instruction ID: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc
Opcode Fuzzy Hash: 70012B5524E87325E2756D54B01C765A2239B0FF08CE6C6654AAE640F75E1E0132F78D
Instruction Fuzzy Hash: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc

APIs

EnumWindows.USER32(00445518,00000000), ref: 00445620
ShowWindow.USER32(?,00000000), ref: 00445655
ShowOwnedPopups.USER32(00000000,?), ref: 00445684
ShowWindow.USER32(?,00000005), ref: 004456EA
ShowOwnedPopups.USER32(00000000,?), ref: 00445719

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EB3C, Relevance: 7.6, APIs: 5, Instructions: 86 Total matches: 211window

Similarity

Total matches: 211
API ID: DispatchMessageMsgWaitForMultipleObjectsExPeekMessageTranslateMessageWaitForMultipleObjectsEx
String ID:
API String ID: 1615661765-0
Opcode ID: ed928f70f25773e24e868fbc7ee7d77a1156b106903410d7e84db0537b49759f
Instruction ID: 55a40452e6c929106030349fb2bc1598364ce2fc4e781c2a916e8f687fa462b2
Opcode Fuzzy Hash: DDF05C09614F1D16D8BB88644562B1B2144AB42397C26BFA5529EE3B2D6B18B00AF640
Instruction Fuzzy Hash: 55a40452e6c929106030349fb2bc1598364ce2fc4e781c2a916e8f687fa462b2

APIs

Part of subcall function 0042EA7C: IsWindow.USER32(?), ref: 0042EA99
Part of subcall function 0042EA7C: FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
Part of subcall function 0042EA7C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
Part of subcall function 0042EA7C: GetCurrentThreadId.KERNEL32(?,00000000,00000000,00000000,OleMainThreadWndClass,00000000,?,?,00000000,0042EB52), ref: 0042EB0A

MsgWaitForMultipleObjectsEx.USER32(?,?,?,000000BF,?), ref: 0042EB6A
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 0042EB85
TranslateMessage.USER32(?), ref: 0042EB92
DispatchMessageA.USER32(?), ref: 0042EB9B
WaitForMultipleObjectsEx.KERNEL32(?,?,?,?,00000000), ref: 0042EBC7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434924, Relevance: 7.6, APIs: 5, Instructions: 77 Total matches: 2509window

Similarity

Total matches: 2509
API ID: GetMenuItemCount$DestroyMenuGetMenuStateRemoveMenu
String ID:
API String ID: 4240291783-0
Opcode ID: 32de4ad86fdb0cc9fc982d04928276717e3a5babd97d9cb0bc7430a9ae97d0ca
Instruction ID: cf6877f9ad33401498591f2bf6e6844a5ca439f59e89e6fdb213c81f0c010526
Opcode Fuzzy Hash: 6BE02BD3455E4703F425AB0454E3FA913C4AF51716DA0DB1017359D07B1F26501FE9F4
Instruction Fuzzy Hash: cf6877f9ad33401498591f2bf6e6844a5ca439f59e89e6fdb213c81f0c010526

APIs

Part of subcall function 00434A54: CreatePopupMenu.USER32 ref: 00434A6F
Part of subcall function 00434A54: CreateMenu.USER32 ref: 00434A79

GetMenuItemCount.USER32(00000000), ref: 0043495C
GetMenuState.USER32(00000000,-00000001,00000400), ref: 0043497D
RemoveMenu.USER32(00000000,-00000001,00000400), ref: 00434994
GetMenuItemCount.USER32(00000000), ref: 004349C4
DestroyMenu.USER32(00000000), ref: 004349D1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00443430, Relevance: 7.6, APIs: 5, Instructions: 61 Total matches: 3003

Similarity

Total matches: 3003
API ID: SetWindowLong$GetWindowLongRedrawWindowSetLayeredWindowAttributes
String ID:
API String ID: 3761630487-0
Opcode ID: 9c9d49d1ef37d7cb503f07450c0d4a327eb9b2b4778ec50dcfdba666c10abcb3
Instruction ID: c6d9d2cd31c241e86b7d90949bf59b5cad1e27a78e0073c3828bbb8e9ec94880
Opcode Fuzzy Hash: 6AE06550D41703A1D48114945B63FBBE8817F8911DDE5C71001BA29145BA88A192FF7B
Instruction Fuzzy Hash: c6d9d2cd31c241e86b7d90949bf59b5cad1e27a78e0073c3828bbb8e9ec94880

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 00443464
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 00443496
SetLayeredWindowAttributes.USER32(00000000,?,?,00000000), ref: 004434CF
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 004434E8
RedrawWindow.USER32(00000000,00000000,00000000,00000485), ref: 004434FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426178, Relevance: 7.6, APIs: 5, Instructions: 55 Total matches: 3070window

Similarity

Total matches: 3070
API ID: GetPaletteEntries$GetDCGetDeviceCapsReleaseDC
String ID:
API String ID: 1267235336-0
Opcode ID: 49f91625e0dd571c489fa6fdad89a91e8dd79834746e98589081ca7a3a4fea17
Instruction ID: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836
Opcode Fuzzy Hash: 7CD0C2AA1389DBD6BD6A17842352A4553478983B09D126B32EB0822872850C5039FD1F
Instruction Fuzzy Hash: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836

APIs

GetDC.USER32(00000000), ref: 00426190
GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444B90, Relevance: 7.5, APIs: 5, Instructions: 25 Total matches: 2957synchronizationthread

Similarity

Total matches: 2957
API ID: CloseHandleGetCurrentThreadIdSetEventUnhookWindowsHookExWaitForSingleObject
String ID:
API String ID: 3442057731-0
Opcode ID: bc40a7f740796d43594237fc13166084f8c3b10e9e48d5138e47e82ca7129165
Instruction ID: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1
Opcode Fuzzy Hash: E9C01296B2C9B0C1EC809712340202800B20F8FC590E3DE0509D7363005315D73CD92C
Instruction Fuzzy Hash: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1

APIs

UnhookWindowsHookEx.USER32(00000000), ref: 00444B9F
SetEvent.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBA
GetCurrentThreadId.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBF
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00444BD4
CloseHandle.KERNEL32(00000000), ref: 00444BDF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040D670, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148 Total matches: 3566thread

Similarity

Total matches: 3566
API ID: GetThreadLocale
String ID: eeee$ggg$yyyy
API String ID: 1366207816-1253427255
Opcode ID: 86fa1fb3c1f239f42422769255d2b4db7643f856ec586a18d45da068e260c20e
Instruction ID: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436
Opcode Fuzzy Hash: 3911BD8712648363D5722818A0D2BE3199C5703CA4EA89742DDB6356EA7F09440BEE6D
Instruction Fuzzy Hash: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436

APIs

GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Strings

eeee, xrefs: 0040D7AE
yyyy, xrefs: 0040D795
ggg, xrefs: 0040D785

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F5E4, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72 Total matches: 26window

Similarity

Total matches: 26
API ID: GetWindowPlacementGetWindowTextIsWindowVisible
String ID: ,
API String ID: 41250382-3772416878
Opcode ID: d98ece8bad481757d152ad7594c705093dec75069e9b5f9ec314c4d81001c558
Instruction ID: 1b57460ef1e40e225087e69e669dd845b9a56fe4f5442601256b4cdd4d0865f6
Opcode Fuzzy Hash: DBE0ABC68782816BD907FDCCB0207E6E1E4779394CC8CBB32C606396E44D92000DCE69
Instruction Fuzzy Hash: 1b57460ef1e40e225087e69e669dd845b9a56fe4f5442601256b4cdd4d0865f6

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F634
GetWindowPlacement.USER32(?,0000002C), ref: 0046F64F
IsWindowVisible.USER32(?), ref: 0046F655

Strings

,, xrefs: 0046F643

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00485150, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64 Total matches: 24registry

Similarity

Total matches: 24
API ID: RegCloseKeyRegOpenKeyRegSetValueEx
String ID: Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 551737238-1428018034
Opcode ID: 03d06dea9a4ea131a8c95bd501c85e7d0b73df60e0a15cb9a2dd1ac9fe2d308f
Instruction ID: 259808f008cd29689f11a183a475b32bbb219f99a0f83129d86369365ce9f44d
Opcode Fuzzy Hash: 15E04F8517EAE2ABA996B5C838866F7609A9713790F443FB19B742F18B4F04601CE243
Instruction Fuzzy Hash: 259808f008cd29689f11a183a475b32bbb219f99a0f83129d86369365ce9f44d

APIs

RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 00485199
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,?,00000000,004851DE,?,00000000,0048520A), ref: 004851C6
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,?,00000000,004851DE,?,00000000,0048520A), ref: 004851CF

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 0048518F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004606CC, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 59 Total matches: 75network

Similarity

Total matches: 75
API ID: gethostbynameinet_addr
String ID: %d.%d.%d.%d$0.0.0.0
API String ID: 1594361348-464342551
Opcode ID: 7e59b623bdbf8c44b8bb58eaa9a1d1e7bf08be48a025104469b389075155053e
Instruction ID: 136b4077bafd549567cd44b702fc781b2d0bdeab701521d256d746d30229b047
Opcode Fuzzy Hash: 62E0D84049F633C28038E685914DF713041C71A2DEF8F9352022171EF72B096986AE3F
Instruction Fuzzy Hash: 136b4077bafd549567cd44b702fc781b2d0bdeab701521d256d746d30229b047

APIs

inet_addr.WSOCK32(00000000), ref: 004606F6
gethostbyname.WSOCK32(00000000), ref: 00460711

Strings

%d.%d.%d.%d, xrefs: 0046075E
0.0.0.0, xrefs: 0046076C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043804C, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58 Total matches: 1778window

Similarity

Total matches: 1778
API ID: DrawMenuBarGetMenuItemInfoSetMenuItemInfo
String ID: P
API String ID: 41131186-3110715001
Opcode ID: ea0fd48338f9c30b58f928f856343979a74bbe7af1b6c53973efcbd39561a32d
Instruction ID: eec9c326b6739cd85be96541f469f9b321a478421ae7c7aca53e0c239bd8eefe
Opcode Fuzzy Hash: C8E0C0C1064C1301CCACB4938564F010221FB8B33CDD1D3C051602419A9D0080D4BFFA
Instruction Fuzzy Hash: eec9c326b6739cd85be96541f469f9b321a478421ae7c7aca53e0c239bd8eefe

APIs

GetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 0043809A
SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 004380EC
DrawMenuBar.USER32(00000000), ref: 004380F9

Strings

P, xrefs: 0043808C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C3E4, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47 Total matches: 32libraryloader

Similarity

Total matches: 32
API ID: FreeLibraryGetProcAddressLoadLibrary
String ID: _DCEntryPoint
API String ID: 2438569322-2130044969
Opcode ID: ab6be07d423f29e2cef18b5ad5ff21cef58c0bd0bd6b8b884c8bb9d8d911d098
Instruction ID: 3cba8b520013dd4b177f9c32272ffd10ecf318a20762e1e9fa694429cf7511db
Opcode Fuzzy Hash: B9D0C2568747D413C405200439407D90CF1AF8719F9967FA145303FAD76F09801B7527
Instruction Fuzzy Hash: 3cba8b520013dd4b177f9c32272ffd10ecf318a20762e1e9fa694429cf7511db

APIs

LoadLibraryA.KERNEL32(00000000), ref: 0048C431
GetProcAddress.KERNEL32(00000000,_DCEntryPoint,00000000,0048C473), ref: 0048C442
FreeLibrary.KERNEL32(00000000), ref: 0048C44A

Strings

_DCEntryPoint, xrefs: 0048C43C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046D36C, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36 Total matches: 62

Similarity

Total matches: 62
API ID: ShellExecute
String ID: /k $[FILE]$open
API String ID: 2101921698-3009165984
Opcode ID: 68a05d7cd04e1a973318a0f22a03b327e58ffdc8906febc8617c9713a9b295c3
Instruction ID: d64fb813625eb261c687c2654e5203d30067de4ace02db37851750b48dd66fbf
Opcode Fuzzy Hash: FED0C75427CD9157FA017F8439527E61057E747281D481BE285587A0838F8D40659312
Instruction Fuzzy Hash: d64fb813625eb261c687c2654e5203d30067de4ace02db37851750b48dd66fbf

APIs

ShellExecuteA.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0046D3B9

Strings

/k , xrefs: 0046D39A
cmd.exe, xrefs: 0046D3AD
open, xrefs: 0046D3B2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042F9E4, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36 Total matches: 35libraryloader

Similarity

Total matches: 35
API ID: GetProcAddressLoadLibrary
String ID: DWMAPI.DLL$DwmExtendFrameIntoClientArea
API String ID: 3291547091-2956373744
Opcode ID: cc41b93bac7ef77e5c5829331b5f2d91e10911707bc9e4b3bb75284856726923
Instruction ID: 611aa7263024d751f308fb3d57e5af9092bc5a71ac2d52dead79affe02cb0da7
Opcode Fuzzy Hash: D0D0A7E4C08511B0F0509405703078241DE1BC5EEE8860E90150E533621B9FB827F65C
Instruction Fuzzy Hash: 611aa7263024d751f308fb3d57e5af9092bc5a71ac2d52dead79affe02cb0da7

APIs

LoadLibraryA.KERNEL32(DWMAPI.DLL), ref: 0042FA0E
GetProcAddress.KERNEL32(00000000,DwmExtendFrameIntoClientArea,?,?,?,00447F98), ref: 0042FA31

Strings

DWMAPI.DLL, xrefs: 0042FA09
DwmExtendFrameIntoClientArea, xrefs: 0042FA26

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042FA80, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31 Total matches: 41libraryloader

Similarity

Total matches: 41
API ID: GetProcAddressLoadLibrary
String ID: DWMAPI.DLL$DwmIsCompositionEnabled
API String ID: 3291547091-2128843254
Opcode ID: 903d86e3198bc805c96c7b960047695f5ec88b3268c29fda1165ed3f3bc36d22
Instruction ID: 6cdb37f6684ca359e010f835ed4616ce0f7732468e0f2b98b5f1960530870703
Opcode Fuzzy Hash: E3D0C9A5C0865175F571D509713068081FA23D6E8A8824998091A123225FAFB866F55C
Instruction Fuzzy Hash: 6cdb37f6684ca359e010f835ed4616ce0f7732468e0f2b98b5f1960530870703

APIs

LoadLibraryA.KERNEL32(DWMAPI.DLL), ref: 0042FAA6
GetProcAddress.KERNEL32(00000000,DwmIsCompositionEnabled,?,?,0042FB22,?,00447EFB), ref: 0042FAC9

Strings

DwmIsCompositionEnabled, xrefs: 0042FABE
DWMAPI.DLL, xrefs: 0042FAA1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040F4AC, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16 Total matches: 3137libraryloader

Similarity

Total matches: 3137
API ID: GetModuleHandleGetProcAddress
String ID: GetDiskFreeSpaceExA$[FILE]
API String ID: 1063276154-3559590856
Opcode ID: c33e0a58fb58839ae40c410e06ae8006a4b80140bf923832b2d6dbd30699e00d
Instruction ID: 9d6a6771c1a736381c701344b3d7b8e37c98dfc5013332f68a512772380f22cc
Opcode Fuzzy Hash: D8B09224E0D54114C4B4560930610013C82738A10E5019A820A1B720AA7CCEEA29603A
Instruction Fuzzy Hash: 9d6a6771c1a736381c701344b3d7b8e37c98dfc5013332f68a512772380f22cc

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0048F10B,00000000,0048F11E), ref: 0040F4B2
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA,kernel32.dll,?,0048F10B,00000000,0048F11E), ref: 0040F4C3

Strings

GetDiskFreeSpaceExA, xrefs: 0040F4BD
kernel32.dll, xrefs: 0040F4AD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EC20, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15 Total matches: 48libraryloader

Similarity

Total matches: 48
API ID: GetModuleHandleGetProcAddress
String ID: CoWaitForMultipleHandles$[FILE]
API String ID: 1063276154-3065170753
Opcode ID: c6d715972c75e747e6d7ad7506eebf8b4c41a2b527cd9bc54a775635c050cd0f
Instruction ID: d81c7de5bd030b21af5c52a75e3162b073d887a4de1eb555b8966bd0fb9ec815
Opcode Fuzzy Hash: 4DB012F9A0C9210CE55F44043163004ACF031C1B5F002FD461637827803F86F437631D
Instruction Fuzzy Hash: d81c7de5bd030b21af5c52a75e3162b073d887a4de1eb555b8966bd0fb9ec815

APIs

GetModuleHandleA.KERNEL32(ole32.dll,?,0042EC9A), ref: 0042EC26
GetProcAddress.KERNEL32(00000000,CoWaitForMultipleHandles,ole32.dll,?,0042EC9A), ref: 0042EC37

Strings

CoWaitForMultipleHandles, xrefs: 0042EC31
ole32.dll, xrefs: 0042EC21

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E724, Relevance: 6.2, APIs: 4, Instructions: 198 Total matches: 19

Similarity

Total matches: 19
API ID: NetApiBufferFree$NetShareEnumNetShareGetInfo
String ID:
API String ID: 1922012051-0
Opcode ID: 7e64b2910944434402afba410b58d9b92ec59018d54871fdfc00dd5faf96720b
Instruction ID: 14ccafa2cf6417a1fbed620c270814ec7f2ac7381c92f106b89344cab9500d3f
Opcode Fuzzy Hash: 522148C606BDA0ABF6A3B4C4B447FC182D07B0B96DE486B2290BABD5C20D9521079263
Instruction Fuzzy Hash: 14ccafa2cf6417a1fbed620c270814ec7f2ac7381c92f106b89344cab9500d3f

APIs

Part of subcall function 004032F8: GetCommandLineA.KERNEL32(00000000,00403349,?,?,?,00000000), ref: 0040330F

Part of subcall function 00403358: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,0046E763,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0040337C
Part of subcall function 00403358: GetCommandLineA.KERNEL32(?,?,?,0046E763,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0040338E

NetShareEnum.NETAPI32(?,00000000,?,000000FF,?,?,?,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0046E79C
NetShareGetInfo.NETAPI32(?,?,000001F6,?,00000000,0046E945,?,?,00000000,?,000000FF,?,?,?,00000000,0046E984), ref: 0046E7D5
NetApiBufferFree.NETAPI32(?,?,?,000001F6,?,00000000,0046E945,?,?,00000000,?,000000FF,?,?,?,00000000), ref: 0046E936
NetApiBufferFree.NETAPI32(?,?,00000000,?,000000FF,?,?,?,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0046E964

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00411444, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: 954335058d5fe722e048a186d9110509c96c1379a47649d8646f5b9e1a2e0a0b
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: 9D014B0327CAAA867021BB004882FA0D2D4DE52A369CD8774DB71593F62780571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004114F3
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041150F
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411586
VariantClear.OLEAUT32(?), ref: 004115AF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040D8AA, Relevance: 6.1, APIs: 4, Instructions: 101 Total matches: 2563

Similarity

Total matches: 2563
API ID: GetModuleFileName$LoadStringVirtualQuery
String ID:
API String ID: 2941097594-0
Opcode ID: 9f707685a8ca2ccbfc71ad53c7f9b5a8f910bda01de382648e3a286d4dcbad8b
Instruction ID: 9b6f9daabaaed01363acd1bc6df000eeaee8c5b1ee04e659690c8b100997f9f3
Opcode Fuzzy Hash: 4C014C024365E386F4234B112882F5492E0DB65DB1E8C6751EFB9503F65F40115EF72D
Instruction Fuzzy Hash: 9b6f9daabaaed01363acd1bc6df000eeaee8c5b1ee04e659690c8b100997f9f3

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040D8C9
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040D8ED
GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040D908
LoadStringA.USER32(00000000,0000FFED,?,00000100), ref: 0040D99E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428848, Relevance: 6.1, APIs: 4, Instructions: 83 Total matches: 2913window

Similarity

Total matches: 2913
API ID: CreateCompatibleDCRealizePaletteSelectObjectSelectPalette
String ID:
API String ID: 3833105616-0
Opcode ID: 7f49dee69bcd38fda082a6c54f39db5f53dba16227df2c2f18840f8cf7895046
Instruction ID: 29ada319a87402adac0eebea4d3b1ef9d21249ffa1523adf5174efdc3c3390a2
Opcode Fuzzy Hash: C0F0E5870BCED49BFCA7D484249722910C2F3C08DFC80A3324E55676DB9604B127A20B
Instruction Fuzzy Hash: 29ada319a87402adac0eebea4d3b1ef9d21249ffa1523adf5174efdc3c3390a2

APIs

Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE

Part of subcall function 00429D5C: GetDC.USER32(00000000), ref: 00429DB2
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429DC7
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00429DD1
Part of subcall function 00429D5C: CreateHalftonePalette.GDI32(00000000), ref: 00429DF5
Part of subcall function 00429D5C: ReleaseDC.USER32(00000000,00000000), ref: 00429E00

CreateCompatibleDC.GDI32(00000000), ref: 0042889D
SelectObject.GDI32(00000000,?), ref: 004288B6
SelectPalette.GDI32(00000000,?,000000FF), ref: 004288DF
RealizePalette.GDI32(00000000), ref: 004288EB

Part of subcall function 00425608: LeaveCriticalSection.KERNEL32(00000038,00000000,00423DD2,00423DE8), ref: 0042560F
Part of subcall function 00425608: EnterCriticalSection.KERNEL32(00499A30,00000038,00000000,00423DD2,00423DE8), ref: 00425619
Part of subcall function 00425608: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000038,00000000,00423DD2,00423DE8), ref: 00425626

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00470B94, Relevance: 6.1, APIs: 4, Instructions: 73 Total matches: 22file

Similarity

Total matches: 22
API ID: DragQueryFile$GlobalLockGlobalUnlock
String ID:
API String ID: 367920443-0
Opcode ID: 498cda1e803d17a6f5118466ea9165dd9226bd8025a920d397bde98fe09ca515
Instruction ID: b8ae27aaf29c7a970dfd4945759f76c89711bef1c6f8db22077be54f479f9734
Opcode Fuzzy Hash: F8F05C830F79E26BD5013A844E0179401A17B03DB8F147BB2D232729DC4E5D409DF60F
Instruction Fuzzy Hash: b8ae27aaf29c7a970dfd4945759f76c89711bef1c6f8db22077be54f479f9734

APIs

Part of subcall function 00431970: GetClipboardData.USER32(00000000), ref: 00431996

GlobalLock.KERNEL32(00000000,00000000,00470C74), ref: 00470BDE
DragQueryFileA.SHELL32(?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470BF0
DragQueryFileA.SHELL32(?,00000000,?,00000105,?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470C10
GlobalUnlock.KERNEL32(00000000,?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470C56

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00438710, Relevance: 6.1, APIs: 4, Instructions: 72 Total matches: 3034window

Similarity

Total matches: 3034
API ID: GetMenuItemIDGetMenuStateGetMenuStringGetSubMenu
String ID:
API String ID: 4177512249-0
Opcode ID: ecc45265f1f2dfcabc36b66648e37788e83d83d46efca9de613be41cbe9cf08e
Instruction ID: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d
Opcode Fuzzy Hash: BEE020084B1FC552541F0A4A1573F019140E142CB69C3F3635127565B31A255213F776
Instruction Fuzzy Hash: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d

APIs

GetMenuState.USER32(?,?,?), ref: 00438733
GetSubMenu.USER32(?,?), ref: 0043873E
GetMenuItemID.USER32(?,?), ref: 00438757
GetMenuStringA.USER32(?,?,?,?,?), ref: 004387AA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00445518, Relevance: 6.1, APIs: 4, Instructions: 71 Total matches: 218threadwindow

Similarity

Total matches: 218
API ID: GetCurrentProcessIdGetWindowGetWindowThreadProcessIdIsWindowVisible
String ID:
API String ID: 3659984437-0
Opcode ID: 6a2b99e3a66d445235cbeb6ae27631a3038d73fb4110980a8511166327fee1f0
Instruction ID: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8
Opcode Fuzzy Hash: 82E0AB21B2AA28AAE0971541B01939130B3F74ED9ACC0A3626F8594BD92F253809E74F
Instruction Fuzzy Hash: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8

APIs

GetWindow.USER32(?,00000004), ref: 00445528
GetWindowThreadProcessId.USER32(?,?), ref: 00445542
GetCurrentProcessId.KERNEL32(?,00000004), ref: 0044554E
IsWindowVisible.USER32(?), ref: 0044559E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B29C, Relevance: 6.1, APIs: 4, Instructions: 58 Total matches: 214window

Similarity

Total matches: 214
API ID: DeleteObject$GetIconInfoGetObject
String ID:
API String ID: 3019347292-0
Opcode ID: d6af2631bec08fa1cf173fc10c555d988242e386d2638a025981433367bbd086
Instruction ID: 7fbc048e39f9dd6e6db5f40543e5f161b145f4c2f282fe4a446dbd8e1941d375
Opcode Fuzzy Hash: F7D0C283228DE2F7ED767D983A636154085F782297C6423B00444730860A1E700C6A03
Instruction Fuzzy Hash: 7fbc048e39f9dd6e6db5f40543e5f161b145f4c2f282fe4a446dbd8e1941d375

APIs

GetIconInfo.USER32(?,?), ref: 0042B2BD
GetObjectA.GDI32(?,00000018,?), ref: 0042B2DE
DeleteObject.GDI32(?), ref: 0042B30A
DeleteObject.GDI32(?), ref: 0042B313

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00445334, Relevance: 6.1, APIs: 4, Instructions: 56 Total matches: 2678

Similarity

Total matches: 2678
API ID: EnumWindowsGetWindowGetWindowLongSetWindowPos
String ID:
API String ID: 1660305372-0
Opcode ID: c3d012854d63b95cd89c42a77d529bdce0f7c5ea0abc138a70ce1ca7fb0ed027
Instruction ID: 7947c1ee61b3a945b06f79495752ea495d4a1fb36974d9d540e15b721e8a8e8a
Opcode Fuzzy Hash: 65E07D89179DA114F52124400911F043342F3D731BD1ADF814246283E39B8522BBFB8C
Instruction Fuzzy Hash: 7947c1ee61b3a945b06f79495752ea495d4a1fb36974d9d540e15b721e8a8e8a

APIs

EnumWindows.USER32(Function_000452BC), ref: 0044535E
GetWindow.USER32(?,00000003), ref: 00445376
GetWindowLongA.USER32(00000000,000000EC), ref: 00445383
SetWindowPos.USER32(00000000,000000EC,00000000,00000000,00000000,00000000,00000213), ref: 004453C2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004314A0, Relevance: 6.1, APIs: 4, Instructions: 56 Total matches: 21memoryclipboard

Similarity

Total matches: 21
API ID: GlobalAllocGlobalLockGlobalUnlockSetClipboardData
String ID:
API String ID: 3535573752-0
Opcode ID: f0e50475fe096c382d27ee33e947bcf8d55d19edebb1ed8108c2663ee63934e9
Instruction ID: 2742e8ac83e55c90e50d408429e67af57535f67fab21309796ee5989aaacba5e
Opcode Fuzzy Hash: D7E0C250025CF01BF9CA69CD3C97E86D2D2DA402649D46FB58258A78B3222E6049E50B
Instruction Fuzzy Hash: 2742e8ac83e55c90e50d408429e67af57535f67fab21309796ee5989aaacba5e

APIs

GlobalAlloc.KERNEL32(00002002,?,00000000,00431572), ref: 004314CF
GlobalLock.KERNEL32(?,00000000,00431544,?,00002002,?,00000000,00431572), ref: 004314E9
SetClipboardData.USER32(?,?), ref: 00431517
GlobalUnlock.KERNEL32(?,0043153A,?,00000000,00431544,?,00002002,?,00000000,00431572), ref: 0043152D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040A404, Relevance: 6.1, APIs: 4, Instructions: 54 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: c8f11cb17e652d385e55d6399cfebc752614be738e382b5839b86fc73ea86396
Instruction ID: 2e292ce978d1af3d415e66e5b982e49a92b9d84a3d1479b7871fac408542b61b
Opcode Fuzzy Hash: 32D02B030B309613452F157D0441F8D7032488F01A96C2F8C37B77ABA68505605FFE4C
Instruction Fuzzy Hash: 2e292ce978d1af3d415e66e5b982e49a92b9d84a3d1479b7871fac408542b61b

APIs

FindNextFileA.KERNEL32(?,?), ref: 0040A415
GetLastError.KERNEL32(?,?), ref: 0040A41E
FileTimeToLocalFileTime.KERNEL32(?), ref: 0040A434
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 0040A443

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0041C2D4, Relevance: 6.1, APIs: 4, Instructions: 51 Total matches: 4966

Similarity

Total matches: 4966
API ID: FindResourceLoadResourceLockResourceSizeofResource
String ID:
API String ID: 3653323225-0
Opcode ID: 735dd83644160b8dcfdcb5d85422b4d269a070ba32dbf009b7750e227a354687
Instruction ID: 615d07274e164157e3e11310b2f920de543c2506028dc961f8b3aaf64374c2fd
Opcode Fuzzy Hash: 4BD0A90A2268C100582C2C80002BBC610830A5FE226CC27F902231BBC32C026024F8C4
Instruction Fuzzy Hash: 615d07274e164157e3e11310b2f920de543c2506028dc961f8b3aaf64374c2fd

APIs

FindResourceA.KERNEL32(?,?,?), ref: 0041C2EB
LoadResource.KERNEL32(?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C305
SizeofResource.KERNEL32(?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C31F
LockResource.KERNEL32(0041BDF4,00000000,?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000), ref: 0041C329

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040A3AC, Relevance: 6.0, APIs: 4, Instructions: 40 Total matches: 51time

Similarity

Total matches: 51
API ID: DosDateTimeToFileTimeGetLastErrorLocalFileTimeToFileTimeSetFileTime
String ID:
API String ID: 3095628216-0
Opcode ID: dc7fe683cb9960f76d0248ee31fd3249d04fe76d6d0b465a838fe0f3e66d3351
Instruction ID: c3399427300e97a0bf23ec08d7f996c3ab3c22a86554ee3675cd901d102723b3
Opcode Fuzzy Hash: F2C0803B165157D71F4F7D7C600375011F0D1778230955B614E019718D4E05F01EFD86
Instruction Fuzzy Hash: c3399427300e97a0bf23ec08d7f996c3ab3c22a86554ee3675cd901d102723b3

APIs

DosDateTimeToFileTime.KERNEL32(?,0048C37F,?), ref: 0040A3C9
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0040A3DA
SetFileTime.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3EC
GetLastError.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3F5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00484388, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 39

Similarity

Total matches: 39
API ID: CloseHandleGetExitCodeProcessOpenProcessTerminateProcess
String ID:
API String ID: 2790531620-0
Opcode ID: 2f64381cbc02908b23ac036d446d8aeed05bad4df5f4c3da9e72e60ace7043ae
Instruction ID: e830ae185e03603e72926048c7063e7464f7d8c572e36ef4319c937be7ad0c91
Opcode Fuzzy Hash: 5DC01285079EAB7B643571D825437E14084D5026CCB943B7185045F10B4B09B43DF053
Instruction Fuzzy Hash: e830ae185e03603e72926048c7063e7464f7d8c572e36ef4319c937be7ad0c91

APIs

OpenProcess.KERNEL32(00000001,00000000,00000000), ref: 00484393
GetExitCodeProcess.KERNEL32(00000000,?), ref: 004843B7
TerminateProcess.KERNEL32(00000000,?,00000000,004843E0,?,00000001,00000000,00000000), ref: 004843C4
CloseHandle.KERNEL32(00000000), ref: 004843DA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044E254, Relevance: 6.0, APIs: 4, Instructions: 37 Total matches: 5751thread

Similarity

Total matches: 5751
API ID: GetCurrentProcessIdGetPropGetWindowThreadProcessIdGlobalFindAtom
String ID:
API String ID: 142914623-0
Opcode ID: 055fee701d7a26f26194a738d8cffb303ddbdfec43439e02886190190dab2487
Instruction ID: e9689aead5eaf442059aa2d418bca5d111d08576717f72d926dd49825766799b
Opcode Fuzzy Hash: 0AC02203AD2E23870E4202F2E840907219583DF8720CA370201B0E38C023F0461DFF0C
Instruction Fuzzy Hash: e9689aead5eaf442059aa2d418bca5d111d08576717f72d926dd49825766799b

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 0044E261
GetCurrentProcessId.KERNEL32(00000000,?,?,-00000010,00000000,0044E2CC,-000000F7,?,00000000,0044DE86,?,-00000010,?), ref: 0044E26A
GlobalFindAtomA.KERNEL32(00000000), ref: 0044E27F
GetPropA.USER32(00000000,00000000), ref: 0044E296

Part of subcall function 0044D2C0: GetWindowThreadProcessId.USER32(?), ref: 0044D2C6
Part of subcall function 0044D2C0: GetCurrentProcessId.KERNEL32(?,?,?,?,0044D346,?,00000000,?,004387ED,?,004378A9), ref: 0044D2CF
Part of subcall function 0044D2C0: SendMessageA.USER32(?,0000C1C7,00000000,00000000), ref: 0044D2E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444B1C, Relevance: 6.0, APIs: 4, Instructions: 34 Total matches: 2966thread

Similarity

Total matches: 2966
API ID: CreateEventCreateThreadGetCurrentThreadIdSetWindowsHookEx
String ID:
API String ID: 2240124278-0
Opcode ID: 54442a1563c67a11f9aee4190ed64b51599c5b098d388fde65e2e60bb6332aef
Instruction ID: 25b62da08cecef26c395931cea73ffe9b62582a88be241cbb158b3c9ea13de32
Opcode Fuzzy Hash: 37D0C940B0DE75C4F860630138017A90633234BF1BCD1C316480F76041C6CFAEF07A28
Instruction Fuzzy Hash: 25b62da08cecef26c395931cea73ffe9b62582a88be241cbb158b3c9ea13de32

APIs

GetCurrentThreadId.KERNEL32(?,00447A69,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00444B34
SetWindowsHookExA.USER32(00000003,00444AD8,00000000,00000000), ref: 00444B44
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00447A69,?,?,?,?,?,?,?,?,?,?), ref: 00444B5F
CreateThread.KERNEL32(00000000,000003E8,00444A7C,00000000,00000000), ref: 00444B83

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B438, Relevance: 6.0, APIs: 4, Instructions: 29 Total matches: 789

Similarity

Total matches: 789
API ID: GetDCGetTextMetricsReleaseDCSelectObject
String ID:
API String ID: 1769665799-0
Opcode ID: db772d9cc67723a7a89e04e615052b16571c955da3e3b2639a45f22e65d23681
Instruction ID: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3
Opcode Fuzzy Hash: DCC02B935A2888C32DE51FC0940084317C8C0E3A248C62212E13D400727F0C007CBFC0
Instruction Fuzzy Hash: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3

APIs

GetDC.USER32(00000000), ref: 0042B441
SelectObject.GDI32(00000000,018A002E), ref: 0042B453
GetTextMetricsA.GDI32(00000000), ref: 0042B45E
ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042473C, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 172 Total matches: 108

Similarity

Total matches: 108
API ID: CompareStringCreateFontIndirect
String ID: Default
API String ID: 480662435-753088835
Opcode ID: 55710f22f10b58c86f866be5b7f1af69a0ec313069c5af8c9f5cd005ee0f43f8
Instruction ID: ad4a051fb67a15694052d05548e5e2a92b9daedfa5d673be67c756d1cf269a99
Opcode Fuzzy Hash: F6116A2104DDB067F8B3EC94B64A74A79D1BBC5E9EC00FB303AA57198A0B01500EEB0E
Instruction Fuzzy Hash: ad4a051fb67a15694052d05548e5e2a92b9daedfa5d673be67c756d1cf269a99

APIs

Part of subcall function 00423A1C: EnterCriticalSection.KERNEL32(?,00423A59), ref: 00423A20

CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,00424930,?,00000000,00424958), ref: 0042486B
CreateFontIndirectA.GDI32(?), ref: 0042490D

Part of subcall function 0042B438: GetDC.USER32(00000000), ref: 0042B441
Part of subcall function 0042B438: SelectObject.GDI32(00000000,018A002E), ref: 0042B453
Part of subcall function 0042B438: GetTextMetricsA.GDI32(00000000), ref: 0042B45E
Part of subcall function 0042B438: ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Part of subcall function 00423A28: LeaveCriticalSection.KERNEL32(-00000008,00423B07,00423B0F), ref: 00423A2C

Strings

Default, xrefs: 00424832, 00424840, 00424841

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E3F0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103 Total matches: 30

Similarity

Total matches: 30
API ID: SHGetPathFromIDListSHGetSpecialFolderLocation
String ID: .LNK
API String ID: 739551631-2547878182
Opcode ID: 6b91e9416f314731ca35917c4d41f2341f1eaddd7b94683245f35c4551080332
Instruction ID: e6ae6f63a256f5e8788dfe1c4fce17057cd352befa637d7beb5ae1c0f18a968e
Opcode Fuzzy Hash: 9701B543079EC2A3D9232E512D43BA60129AF11E22F4C77F35A3C3A7D11E500105FA4A
Instruction Fuzzy Hash: e6ae6f63a256f5e8788dfe1c4fce17057cd352befa637d7beb5ae1c0f18a968e

APIs

SHGetSpecialFolderLocation.SHELL32(00000000,00000010,?), ref: 0046E44B
SHGetPathFromIDListA.SHELL32(?,?,00000000,00000010,?,00000000,0046E55E), ref: 0046E463

Part of subcall function 0042BE44: CoCreateInstance.OLE32(?,00000000,00000005,0042BF34,00000000), ref: 0042BE8B

Strings

.LNK, xrefs: 0046E4DE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00472C70, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 98 Total matches: 26

Similarity

Total matches: 26
API ID: SetFileAttributes
String ID: I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!$drivers\etc\hosts
API String ID: 3201317690-57959411
Opcode ID: de1fcf5289fd0d37c0d7642ff538b0d3acf26fbf7f5b53187118226b7e9f9585
Instruction ID: 1f69c6cfd5524e6f1e55c33e322de11738733e7ba85079705839c212502733fc
Opcode Fuzzy Hash: C4012B430F74D723D5173D857800B8922764B4A179D4A77F34B3B796E14E45101BF26D
Instruction Fuzzy Hash: 1f69c6cfd5524e6f1e55c33e322de11738733e7ba85079705839c212502733fc

APIs

Part of subcall function 004719C8: GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 004719DF

SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00472DAB,?,00000000,00472DE7), ref: 00472D16

Strings

drivers\etc\hosts, xrefs: 00472CD3, 00472D00
I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!, xrefs: 00472D8D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040C028, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79 Total matches: 3032thread

Similarity

Total matches: 3032
API ID: GetDateFormatGetThreadLocale
String ID: yyyy
API String ID: 358233383-3145165042
Opcode ID: a9ef5bbd8ef47e5bcae7fadb254d6b5dc10943448e4061dc92b10bb97dc7929c
Instruction ID: 3d7ab4add3e8180159f8482215856afc9a1a963464e366b4ca05c92ac214afea
Opcode Fuzzy Hash: 09F09E4A0397D3D76802C969D023BC10194EB5A8B2C88B3B1DBB43D7F74C10C40AAF21
Instruction Fuzzy Hash: 3d7ab4add3e8180159f8482215856afc9a1a963464e366b4ca05c92ac214afea

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,0040C116), ref: 0040C0AE
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100), ref: 0040C0B4

Strings

yyyy, xrefs: 0040C089

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E408, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44 Total matches: 2190

Similarity

Total matches: 2190
API ID: GetSystemMetrics
String ID: MonitorFromPoint
API String ID: 96882338-1072306578
Opcode ID: 666203dad349f535e62b1e5569e849ebaf95d902ba2aa8f549115cec9aadc9dc
Instruction ID: 9e90a3aeaa9df0e76633c437836624889fea8714b6c2508f44f8acb6986c90e8
Opcode Fuzzy Hash: 72D09540005C404E9427F505302314050862CD7C1444C0A96073728A4B4BC07837E70C
Instruction Fuzzy Hash: 9e90a3aeaa9df0e76633c437836624889fea8714b6c2508f44f8acb6986c90e8

APIs

GetSystemMetrics.USER32(00000000), ref: 0042E456
GetSystemMetrics.USER32(00000001), ref: 0042E468

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

MonitorFromPoint, xrefs: 0042E41A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E258, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39 Total matches: 3131

Similarity

Total matches: 3131
API ID: GetSystemMetrics
String ID: GetSystemMetrics
API String ID: 96882338-96882338
Opcode ID: bbc54e4b5041dfa08de2230ef90e8f32e1264c6e24ec09b97715d86cc98d23e9
Instruction ID: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c
Opcode Fuzzy Hash: B4D0A941986AA908E0AF511971A336358D163D2EA0C8C8362308B329EB5741B520AB01
Instruction Fuzzy Hash: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c

APIs

GetSystemMetrics.USER32(?), ref: 0042E2BA

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

GetSystemMetrics.USER32(?), ref: 0042E280

Strings

GetSystemMetrics, xrefs: 0042E268

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Process Name: Filezilla.exe Analysis ID: 401368

General

Root Process Name:	regdrv.exe
Process MD5:	1B9793452B165AC33B7E01430F3079E0
Total matches:	124
Initial Analysis Report:	Open
Initial sample Analysis ID:	401368
Initial sample SHA 256:	7170E5645CA50B4B3AB4C85EA9C24E132C73AA2A20A39247380DB117543EAA31
Initial sample name:	43PAYMENT TRANSFER INSTRUCTIONS.exe

Similar Executed Functions

Function 00406C2C, Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184 Total matches: 2899registrystringlibrary

Similarity

Total matches: 2899
API ID: lstrcpyn$LoadLibraryExRegOpenKeyEx$RegQueryValueEx$GetLocaleInfoGetModuleFileNameGetThreadLocaleRegCloseKeylstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 3567661987-2375825460
Opcode ID: a3b1251d448c01bd6f1cc1c42774547fa8a2e6c4aa6bafad0bbf1d0ca6416942
Instruction ID: a303aaa8438224c55303324eb01105260f59544aa3820bfcbc018d52edb30607
Opcode Fuzzy Hash: 7311914307969393E8871B6124157D513A5AF01F30E4A7BF275F0206EABE46110CFA06
Instruction Fuzzy Hash: a303aaa8438224c55303324eb01105260f59544aa3820bfcbc018d52edb30607

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,00400000,004917C0), ref: 00406C48
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,004917C0), ref: 00406C66
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,004917C0), ref: 00406C84
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00406CA2

Part of subcall function 00406A68: GetModuleHandleA.KERNEL32(kernel32.dll,?,00400000,004917C0), ref: 00406A85
Part of subcall function 00406A68: GetProcAddress.KERNEL32(?,GetLongPathNameA,kernel32.dll,?,00400000,004917C0), ref: 00406A9C
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,?,00400000,004917C0), ref: 00406ACC
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B30
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B66
Part of subcall function 00406A68: FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B79
Part of subcall function 00406A68: FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B8B
Part of subcall function 00406A68: lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B97
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000), ref: 00406BCB
Part of subcall function 00406A68: lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00406BD7
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 00406BF9

RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,00406D31,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00406CEB
RegQueryValueExA.ADVAPI32(?,00406E98,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00406D31,?,80000001), ref: 00406D09
RegCloseKey.ADVAPI32(?,00406D38,00000000,?,?,00000000,00406D31,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00406D2B
lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00406D48
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00406D55
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00406D5B
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00406D86
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406DCD
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406DDD
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406E05
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406E15
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00406E3B
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 00406E4B

Strings

Software\Borland\Locales, xrefs: 00406C5C, 00406C7A
Software\Borland\Delphi\Locales, xrefs: 00406C98

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00406D38, Relevance: 15.1, APIs: 10, Instructions: 98 Total matches: 2843stringlibrarythread

Similarity

Total matches: 2843
API ID: lstrcpyn$LoadLibraryEx$GetLocaleInfoGetThreadLocalelstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 2476548892-2375825460
Opcode ID: 37afa4b59127376f4a6833a35b99071d0dffa887068a3353cca0b5e1e5cd2bc3
Instruction ID: 0c520f96d45b86b238466289d2a994e593252e78d5c30d2048b7af96496f657b
Opcode Fuzzy Hash: 4CF0C883479793A7E04B1B422916AC853A4AF00F30F577BE1B970147FE7D1B240CA519
Instruction Fuzzy Hash: 0c520f96d45b86b238466289d2a994e593252e78d5c30d2048b7af96496f657b

APIs

lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00406D48
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00406D55
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00406D5B
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00406D86
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406DCD
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406DDD
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406E05
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406E15
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00406E3B
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 00406E4B

Strings

Software\Borland\Locales, xrefs: 00406C5C, 00406C7A
Software\Borland\Delphi\Locales, xrefs: 00406C98

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AEA8, Relevance: 9.1, APIs: 6, Instructions: 108 Total matches: 122

Similarity

Total matches: 122
API ID: AdjustTokenPrivilegesCloseHandleGetCurrentProcessGetLastErrorLookupPrivilegeValueOpenProcessToken
String ID:
API String ID: 1655903152-0
Opcode ID: c92d68a2c1c5faafb4a28c396f292a277a37f0b40326d7f586547878ef495775
Instruction ID: 5a044237aac15a3989e4021d08b96f5326c338692d3d0e66e444868dbe789150
Opcode Fuzzy Hash: 2CF0468513CAB2E7F879B18C3042FE73458B323244C8437219A903A18E0E59A12CEB13
Instruction Fuzzy Hash: 5a044237aac15a3989e4021d08b96f5326c338692d3d0e66e444868dbe789150

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AEFF
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF05
LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000), ref: 0048AF77
CloseHandle.KERNEL32(?), ref: 0048AF8D
GetLastError.KERNEL32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF9A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DDE0, Relevance: 7.6, APIs: 5, Instructions: 54 Total matches: 153

Similarity

Total matches: 153
API ID: FindResourceFreeResourceLoadResourceLockResourceSizeofResource
String ID:
API String ID: 3885362348-0
Opcode ID: ef8b8e58cde3d28224df1e0c57da641ab2d3d01fa82feb3a30011b4f31433ee9
Instruction ID: 9990bafbf40e834a260b48e1f62370990a3e04654371271e90c167a58edff6a8
Opcode Fuzzy Hash: 08D02B420B5FA197F51656482C813D722876B43386EC42BF2D31A3B2E39F058039F60B
Instruction Fuzzy Hash: 9990bafbf40e834a260b48e1f62370990a3e04654371271e90c167a58edff6a8

APIs

FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 0048DE1A
LoadResource.KERNEL32(00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE24
SizeofResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE2E
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE36
FreeResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048B908, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 138 Total matches: 28

Similarity

Total matches: 28
API ID: GetTokenInformation$CloseHandleGetCurrentProcessOpenProcessToken
String ID: Default$Full$Limited$unknow
API String ID: 3519712506-3005279702
Opcode ID: c9e83fe5ef618880897256b557ce500f1bf5ac68e7136ff2dc4328b35d11ffd0
Instruction ID: 0b4c06dab34d27ad9d68d80be0f4d698db9405c4a95def130c1ac261927f5781
Opcode Fuzzy Hash: 94012245479DA6FB6826709C78036E90090EEA3505DC827320F1A3EA430F49906DFE03
Instruction Fuzzy Hash: 0b4c06dab34d27ad9d68d80be0f4d698db9405c4a95def130c1ac261927f5781

APIs

GetCurrentProcess.KERNEL32(00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B93E
OpenProcessToken.ADVAPI32(00000000,00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B944
GetTokenInformation.ADVAPI32(?,00000012(TokenIntegrityLevel),?,00000004,?,00000000,0048BA30,?,00000000,00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B96F
GetTokenInformation.ADVAPI32(?,00000014(TokenIntegrityLevel),?,00000004,?,?,TokenIntegrityLevel,?,00000004,?,00000000,0048BA30,?,00000000,00000008,?), ref: 0048B9DF
CloseHandle.KERNEL32(?), ref: 0048BA2A

Strings

unknow, xrefs: 0048B9B6
Limited, xrefs: 0048B9A7
Default, xrefs: 0048B989
Full, xrefs: 0048B998

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004035C4, Relevance: 15.1, APIs: 10, Instructions: 129 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: d538ecb20819965be69077a828496b76d5af3486dd71f6717b9dc933de35fdbc
Instruction ID: c976212507a0127e09b4f1878ff8970bdbefa7b4a5e526d5fabf74a192684bc9
Opcode Fuzzy Hash: DD012BC0B7E89268E42FAB84AA00FD25444979FFC9E70C74433C9615EE6742616CBE09
Instruction Fuzzy Hash: c976212507a0127e09b4f1878ff8970bdbefa7b4a5e526d5fabf74a192684bc9

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040364C
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00403670
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040368C
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 004036AD
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 004036D6
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 004036E4
GetStdHandle.KERNEL32(000000F5), ref: 0040371F
GetFileType.KERNEL32 ref: 00403735
CloseHandle.KERNEL32 ref: 00403750
GetLastError.KERNEL32(000000F5), ref: 00403768

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040EBCC, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201 Total matches: 3634thread

Similarity

Total matches: 3634
API ID: GetThreadLocale
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 1366207816-2493093252
Opcode ID: 01a36ac411dc2f0c4b9eddfafa1dc6121dabec367388c2cb1b6e664117e908cf
Instruction ID: d03f869ccb848d3c28b0e9f5c57a02ed4726818649ba9b5e70cc30c7e7abe10a
Opcode Fuzzy Hash: 7E216E09A7888936D262494C3885B9414F75F1A161EC4CBF18BB2757ED6EC60422FBFB
Instruction Fuzzy Hash: d03f869ccb848d3c28b0e9f5c57a02ed4726818649ba9b5e70cc30c7e7abe10a

APIs

Part of subcall function 0040EB08: GetThreadLocale.KERNEL32 ref: 0040EB2A
Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000004A), ref: 0040EB7D
Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000002A), ref: 0040EB8C

Part of subcall function 0040D3E8: GetThreadLocale.KERNEL32(00000000,0040D4FB,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040D404

GetThreadLocale.KERNEL32(00000000,0040EE97,?,?,00000000,00000000), ref: 0040EC02

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Part of subcall function 0040D380: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040EC7E,00000000,0040EE97,?,?,00000000,00000000), ref: 0040D393

Part of subcall function 0040D670: GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(?,00000000,0040D657,?,?,00000000), ref: 0040D5D8
Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040D657,?,?,00000000), ref: 0040D608
Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D50C,00000000,00000000,00000004), ref: 0040D613
Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040D657,?,?,00000000), ref: 0040D631
Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D548,00000000,00000000,00000003), ref: 0040D63C

Strings

AMPM , xrefs: 0040EE25
mmmm d, yyyy, xrefs: 0040ECFE
m/d/yy, xrefs: 0040ECD1
:mm, xrefs: 0040EE35
:mm:ss, xrefs: 0040EE52
AMPM, xrefs: 0040EE16

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045F5F8, Relevance: 10.6, APIs: 7, Instructions: 117 Total matches: 462file

Similarity

Total matches: 462
API ID: CloseHandle$CreateFileCreateFileMappingGetFileSizeMapViewOfFileUnmapViewOfFile
String ID:
API String ID: 4232242029-0
Opcode ID: 30b260463d44c6b5450ee73c488d4c98762007a87f67d167b52aaf6bd441c3bf
Instruction ID: 5c790fdba87d6d3a28b45298bdc34f72c373fcd78425af207109af52e92f4d8f
Opcode Fuzzy Hash: 68F028440BCCF3A7F4B5B64820427A1004AAB46B58D54BFA25495374CB89C9B04DFB53
Instruction Fuzzy Hash: 5c790fdba87d6d3a28b45298bdc34f72c373fcd78425af207109af52e92f4d8f

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateFileA.KERNEL32(00000000,80000000,00000003,00000000,00000003,08000080,00000000), ref: 0045F637
CreateFileMappingA.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0045F665
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718,?,?,?,?), ref: 0045F691
GetFileSize.KERNEL32(000000FF,00000000,00000000,0045F6DC,?,00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718), ref: 0045F6B3
UnmapViewOfFile.KERNEL32(00000000,0045F6E3,0045F6DC,?,00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718), ref: 0045F6D6
CloseHandle.KERNEL32(00000000), ref: 0045F6F4
CloseHandle.KERNEL32(000000FF), ref: 0045F712

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AFE8, Relevance: 10.6, APIs: 7, Instructions: 94 Total matches: 34sleep

Similarity

Total matches: 34
API ID: Sleep$GetCurrentProcessGetTokenInformationLookupPrivilegeDisplayNameLookupPrivilegeNameOpenProcessToken
String ID:
API String ID: 2949210484-0
Opcode ID: 1294ace95088db967643d611283e857756515b83d680ef470e886f47612abab4
Instruction ID: 080af5cb768fd98714a9d060fcd45c73de1816ca9ba7ffb4874f351f539571ee
Opcode Fuzzy Hash: F9F0F6524B5DE753F65D2A4C9893BE90250DB03424E806B22857877A8A5E195039FA2A
Instruction Fuzzy Hash: 080af5cb768fd98714a9d060fcd45c73de1816ca9ba7ffb4874f351f539571ee

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048B0F3), ref: 0048B016
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048B0F3), ref: 0048B01C
Sleep.KERNEL32(00000001,00000000,00000028,?,00000000,0048B0F3), ref: 0048B027
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B03C
Sleep.KERNEL32(00000001,?,TokenIntegrityLevel,00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B047
LookupPrivilegeNameA.ADVAPI32(00000000,00000004,00000000,000000FF), ref: 0048B094
LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,?,000000FF,?), ref: 0048B0A8

Part of subcall function 0048AEA8: GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AEFF
Part of subcall function 0048AEA8: OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF05
Part of subcall function 0048AEA8: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
Part of subcall function 0048AEA8: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000), ref: 0048AF77
Part of subcall function 0048AEA8: CloseHandle.KERNEL32(?), ref: 0048AF8D
Part of subcall function 0048AEA8: GetLastError.KERNEL32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF9A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B47C, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58 Total matches: 283

Similarity

Total matches: 283
API ID: MulDiv
String ID: MS Shell Dlg 2$SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes$Tahoma
API String ID: 940359406-1011973972
Opcode ID: 9f338f1e3de2c8e95426f3758bdd42744a67dcd51be80453ed6f2017c850a3af
Instruction ID: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a
Opcode Fuzzy Hash: EDE0680017C8F0ABFC32BC8A30A17CD20C9F341270C0063B1065D3D8CAAB4AC018E907
Instruction Fuzzy Hash: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a

APIs

MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0042B4A2

Part of subcall function 004217A0: RegCloseKey.ADVAPI32(10940000,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5,?,00000000,0048B2DD), ref: 004217B4

Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421A81
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421AF1
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?), ref: 00421B5C

Part of subcall function 00421770: RegFlushKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 00421781
Part of subcall function 00421770: RegCloseKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 0042178A

Part of subcall function 0042B438: GetDC.USER32(00000000), ref: 0042B441
Part of subcall function 0042B438: SelectObject.GDI32(00000000,018A002E), ref: 0042B453
Part of subcall function 0042B438: GetTextMetricsA.GDI32(00000000), ref: 0042B45E
Part of subcall function 0042B438: ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes, xrefs: 0042B4F8
MS Shell Dlg 2, xrefs: 0042B50C
Tahoma, xrefs: 0042B4C4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00421140, Relevance: 6.1, APIs: 4, Instructions: 59 Total matches: 2877registry

Similarity

Total matches: 2877
API ID: GetClassInfoRegisterClassSetWindowLongUnregisterClass
String ID:
API String ID: 1046148194-0
Opcode ID: c2411987b4f71cfd8dbf515c505d6b009a951c89100e7b51cc1a9ad4868d85a2
Instruction ID: ad09bb2cd35af243c34bf0a983bbfa5e937b059beb8f7eacfcf21e0321a204f6
Opcode Fuzzy Hash: 17E026123D08D3D6E68B3107302B30D00AC1B2F524D94E725428030310CB24B034D942
Instruction Fuzzy Hash: ad09bb2cd35af243c34bf0a983bbfa5e937b059beb8f7eacfcf21e0321a204f6

APIs

GetClassInfoA.USER32(00400000,00421130,?), ref: 00421161
UnregisterClassA.USER32(00421130,00400000), ref: 0042118A
RegisterClassA.USER32(00491B50), ref: 00421194

Part of subcall function 0040857C: CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004085BB

Part of subcall function 00421084: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 004210A2

SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 004211DF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Similar Non-Executed Functions

Function 0048B42C, Relevance: 70.2, APIs: 32, Strings: 8, Instructions: 219 Total matches: 29keyboard

Similarity

Total matches: 29
API ID: keybd_event
String ID: CTRLA$CTRLC$CTRLF$CTRLP$CTRLV$CTRLX$CTRLY$CTRLZ
API String ID: 2665452162-853614746
Opcode ID: 4def22f753c7f563c1d721fcc218f3f6eb664e5370ee48361dbc989d32d74133
Instruction ID: 963b610819eac8b52ef880b5a8b69d76f76adbdeafee6c47af906d1515d6b099
Opcode Fuzzy Hash: 532196951B0CA2B978DA64817C0E195F00B969B34DEDC13128990DAF788EF08DE03F35
Instruction Fuzzy Hash: 963b610819eac8b52ef880b5a8b69d76f76adbdeafee6c47af906d1515d6b099

APIs

keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B460
keybd_event.USER32(00000041,00000045,00000001,00000000), ref: 0048B46D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B47A
keybd_event.USER32(00000041,00000045,00000003,00000000), ref: 0048B487
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B4A8
keybd_event.USER32(00000056,00000045,00000001,00000000), ref: 0048B4B5
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B4C2
keybd_event.USER32(00000056,00000045,00000003,00000000), ref: 0048B4CF
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B4F0
keybd_event.USER32(00000043,00000045,00000001,00000000), ref: 0048B4FD
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B50A
keybd_event.USER32(00000043,00000045,00000003,00000000), ref: 0048B517
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B538
keybd_event.USER32(00000058,00000045,00000001,00000000), ref: 0048B545
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B552
keybd_event.USER32(00000058,00000045,00000003,00000000), ref: 0048B55F
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B580
keybd_event.USER32(00000050,00000045,00000001,00000000), ref: 0048B58D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B59A
keybd_event.USER32(00000050,00000045,00000003,00000000), ref: 0048B5A7
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B5C8
keybd_event.USER32(0000005A,00000045,00000001,00000000), ref: 0048B5D5
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B5E2
keybd_event.USER32(0000005A,00000045,00000003,00000000), ref: 0048B5EF
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B610
keybd_event.USER32(00000059,00000045,00000001,00000000), ref: 0048B61D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B62A
keybd_event.USER32(00000059,00000045,00000003,00000000), ref: 0048B637
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B655
keybd_event.USER32(00000046,00000045,00000001,00000000), ref: 0048B662
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B66F
keybd_event.USER32(00000046,00000045,00000003,00000000), ref: 0048B67C

Strings

CTRLP, xrefs: 0048B56C
CTRLC, xrefs: 0048B4DC
CTRLV, xrefs: 0048B494
CTRLY, xrefs: 0048B5FC
CTRLF, xrefs: 0048B641
CTRLZ, xrefs: 0048B5B4
CTRLX, xrefs: 0048B524
CTRLA, xrefs: 0048B44C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00460AC0, Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99 Total matches: 300libraryloader

Similarity

Total matches: 300
API ID: GetProcAddress$GetModuleHandle
String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$[FILE]
API String ID: 1039376941-2682310058
Opcode ID: f09c306a48b0de2dd47c8210d3bd2ba449cfa3644c05cf78ba5a2ace6c780295
Instruction ID: bcfc9cd07546656776842482fc67dab96c7523a4dc8624f3bf5282ed84c56a54
Opcode Fuzzy Hash: 950151BF00AC158CCBB0CE8834EFB5324AB398984C4225F4495C6312393D9FF50A1AAA
Instruction Fuzzy Hash: bcfc9cd07546656776842482fc67dab96c7523a4dc8624f3bf5282ed84c56a54

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?,?,?), ref: 00460AD4
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?,?,?), ref: 00460AEC
GetProcAddress.KERNEL32(00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?), ref: 00460AFE
GetProcAddress.KERNEL32(00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E), ref: 00460B10
GetProcAddress.KERNEL32(00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5), ref: 00460B22
GetProcAddress.KERNEL32(00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5), ref: 00460B34
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000), ref: 00460B46
GetProcAddress.KERNEL32(00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002), ref: 00460B58
GetProcAddress.KERNEL32(00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot), ref: 00460B6A
GetProcAddress.KERNEL32(00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst), ref: 00460B7C
GetProcAddress.KERNEL32(00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext), ref: 00460B8E
GetProcAddress.KERNEL32(00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First), ref: 00460BA0
GetProcAddress.KERNEL32(00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next), ref: 00460BB2
GetProcAddress.KERNEL32(00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory), ref: 00460BC4
GetProcAddress.KERNEL32(00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First), ref: 00460BD6
GetProcAddress.KERNEL32(00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next), ref: 00460BE8
GetProcAddress.KERNEL32(00000000,Module32NextW,00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW), ref: 00460BFA

Strings

Toolhelp32ReadProcessMemory, xrefs: 00460B3E
CreateToolhelp32Snapshot, xrefs: 00460AE4
Heap32First, xrefs: 00460B1A
Thread32First, xrefs: 00460B98
Module32First, xrefs: 00460BBC
Process32FirstW, xrefs: 00460B74
Heap32Next, xrefs: 00460B2C
Process32First, xrefs: 00460B50
Module32Next, xrefs: 00460BCE
Module32NextW, xrefs: 00460BF2
Heap32ListFirst, xrefs: 00460AF6
Thread32Next, xrefs: 00460BAA
Module32FirstW, xrefs: 00460BE0
Heap32ListNext, xrefs: 00460B08
Process32NextW, xrefs: 00460B86
kernel32.dll, xrefs: 00460ACF
Process32Next, xrefs: 00460B62

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00406A68, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 139 Total matches: 2934stringlibraryfile

Similarity

Total matches: 2934
API ID: lstrcpyn$lstrlen$FindCloseFindFirstFileGetModuleHandleGetProcAddress
String ID: GetLongPathNameA$\$[FILE]
API String ID: 3661757112-3025972186
Opcode ID: 09af6d4fb3ce890a591f7b23fb756db22e1cbc03564fc0e4437be3767da6793e
Instruction ID: b14d932b19fc4064518abdddbac2846d3fd2a245794c3c1ecc53a3c556f9407d
Opcode Fuzzy Hash: 5A0148030E08E387E1775B017586F4A12A1EF41C38E98A36025F15BAC94E00300CF12F
Instruction Fuzzy Hash: b14d932b19fc4064518abdddbac2846d3fd2a245794c3c1ecc53a3c556f9407d

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,00400000,004917C0), ref: 00406A85
GetProcAddress.KERNEL32(?,GetLongPathNameA,kernel32.dll,?,00400000,004917C0), ref: 00406A9C
lstrcpynA.KERNEL32(?,?,?,?,00400000,004917C0), ref: 00406ACC
lstrcpynA.KERNEL32(?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B30

Part of subcall function 00406A48: CharNextA.USER32(?), ref: 00406A4F

lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B66
FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B79
FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B8B
lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B97
lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000), ref: 00406BCB
lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00406BD7
lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 00406BF9

Strings

GetLongPathNameA, xrefs: 00406A93
\, xrefs: 00406BA9
kernel32.dll, xrefs: 00406A80

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00458910, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64 Total matches: 3020window

Similarity

Total matches: 3020
API ID: GetWindowLongScreenToClient$GetWindowPlacementGetWindowRectIsIconic
String ID: ,
API String ID: 816554555-3772416878
Opcode ID: 33713ad712eb987f005f3c933c072ce84ce87073303cb20338137d5b66c4d54f
Instruction ID: 99fb2dd3f2d8984d329dcc6a20dc6bc7800d43894b91fc45d581d88d3a180e50
Opcode Fuzzy Hash: 34E0929A777C2018C58145A80943F5DB3519B5B7FAC55DF8036902895B110018B1B86D
Instruction Fuzzy Hash: 99fb2dd3f2d8984d329dcc6a20dc6bc7800d43894b91fc45d581d88d3a180e50

APIs

IsIconic.USER32(?), ref: 0045891F
GetWindowPlacement.USER32(?,0000002C), ref: 0045893C
GetWindowRect.USER32(?), ref: 00458955
GetWindowLongA.USER32(?,000000F0), ref: 00458963
GetWindowLongA.USER32(?,000000F8), ref: 00458978
ScreenToClient.USER32(00000000), ref: 00458985
ScreenToClient.USER32(00000000,?), ref: 00458990

Strings

,, xrefs: 00458928

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043B7D8, Relevance: 12.1, APIs: 8, Instructions: 72 Total matches: 256window

Similarity

Total matches: 256
API ID: ShowWindow$SetWindowLong$GetWindowLongIsIconicIsWindowVisible
String ID:
API String ID: 1329766111-0
Opcode ID: 851ee31c2da1c7e890e66181f8fd9237c67ccb8fd941b2d55d1428457ca3ad95
Instruction ID: 2d601e2c9dde570a1438639cb57e59d23a7ac9434ebe8ec1c9926e4533b8e8e7
Opcode Fuzzy Hash: FEE0684A6E7C6CE4E26AE7048881B00514BE307A17DC00B00C722165A69E8830E4AC8E
Instruction Fuzzy Hash: 2d601e2c9dde570a1438639cb57e59d23a7ac9434ebe8ec1c9926e4533b8e8e7

APIs

GetWindowLongA.USER32(?,000000EC), ref: 0043B7E8
IsIconic.USER32(?), ref: 0043B800
IsWindowVisible.USER32(?), ref: 0043B80C
ShowWindow.USER32(?,00000000), ref: 0043B840
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B855
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B866
ShowWindow.USER32(?,00000006), ref: 0043B881
ShowWindow.USER32(?,00000005), ref: 0043B88B

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004389B4, Relevance: 10.9, APIs: 7, Instructions: 405 Total matches: 2150windowCrypto

Similarity

Total matches: 2150
API ID: RestoreDCSaveDC$DefWindowProcGetSubMenuGetWindowDC
String ID:
API String ID: 4165311318-0
Opcode ID: e3974ea3235f2bde98e421c273a503296059dbd60f3116d5136c6e7e7c4a4110
Instruction ID: 37498faecac08611daeb58a409bdd2e28f3aff22c71556953c3d6c7203dc42a1
Opcode Fuzzy Hash: E351598106AE105BFCB3A49435C3FA31002E75259BCC9F7725F65B69F70A426107FA0E
Instruction Fuzzy Hash: 37498faecac08611daeb58a409bdd2e28f3aff22c71556953c3d6c7203dc42a1

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 00438ECA

Part of subcall function 00437AE0: SendMessageA.USER32(?,00000234,00000000,00000000), ref: 00437B66
Part of subcall function 00437AE0: DrawMenuBar.USER32(00000000), ref: 00437B77

GetSubMenu.USER32(?,?), ref: 00438AB0

Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128

SaveDC.GDI32(?), ref: 00438C84
RestoreDC.GDI32(?,?), ref: 00438CF8
GetWindowDC.USER32(?), ref: 00438D72
SaveDC.GDI32(?), ref: 00438DA9
RestoreDC.GDI32(?,?), ref: 00438E16

Part of subcall function 00438594: GetMenuItemCount.USER32(?), ref: 004385C0
Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 004385E0
Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 00438678

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043E644, Relevance: 10.9, APIs: 7, Instructions: 356 Total matches: 105windowCrypto

Similarity

Total matches: 105
API ID: RestoreDCSaveDC$GetParentGetWindowDCSetFocus
String ID:
API String ID: 1433148327-0
Opcode ID: c7c51054c34f8cc51c1d37cc0cdfc3fb3cac56433bd5d750a0ee7df42f9800ec
Instruction ID: 9e67841575b56d9a11e2d3f15b67e7abce699d8469a9871b1b2609441fc85f19
Opcode Fuzzy Hash: 60514740199E7193F47720842BC3BEAB09AF79671DC40F3616BC6318877F15A21AB70B
Instruction Fuzzy Hash: 9e67841575b56d9a11e2d3f15b67e7abce699d8469a9871b1b2609441fc85f19

APIs

Part of subcall function 00448224: SetActiveWindow.USER32(?), ref: 0044823F
Part of subcall function 00448224: SetFocus.USER32(00000000), ref: 00448289

SetFocus.USER32(00000000), ref: 0043E76F

Part of subcall function 0043F4F4: SendMessageA.USER32(00000000,00000229,00000000,00000000), ref: 0043F51B

Part of subcall function 0044D2F4: GetWindowThreadProcessId.USER32(?), ref: 0044D301
Part of subcall function 0044D2F4: GetCurrentProcessId.KERNEL32(?,00000000,?,004387ED,?,004378A9), ref: 0044D30A
Part of subcall function 0044D2F4: GlobalFindAtomA.KERNEL32(00000000), ref: 0044D31F
Part of subcall function 0044D2F4: GetPropA.USER32(?,00000000), ref: 0044D336

GetParent.USER32(?), ref: 0043E78A

Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128

SaveDC.GDI32(?), ref: 0043E92D
RestoreDC.GDI32(?,?), ref: 0043E99E
GetWindowDC.USER32(00000000), ref: 0043EA0A
SaveDC.GDI32(?), ref: 0043EA41
RestoreDC.GDI32(?,?), ref: 0043EAA5

Part of subcall function 00447EF0: InvalidateRect.USER32(00000000,00000000,000000FF), ref: 00447F83
Part of subcall function 00447EF0: InvalidateRect.USER32(00000000,00000000,000000FF), ref: 00447FB6

Part of subcall function 004556F4: SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000077), ref: 004557E5
Part of subcall function 004556F4: _TrackMouseEvent.COMCTL32(00000010), ref: 00455A9D
Part of subcall function 004556F4: DefWindowProcA.USER32(00000000,?,?,?), ref: 00455AEF
Part of subcall function 004556F4: GetCapture.USER32 ref: 00455B5A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00471850, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 97 Total matches: 34service

Similarity

Total matches: 34
API ID: CloseServiceHandle$CreateServiceOpenSCManager
String ID: Description$System\CurrentControlSet\Services\
API String ID: 2405299899-3489731058
Opcode ID: 96e252074fe1f6aca618bd4c8be8348df4b99afc93868a54bf7090803d280f0a
Instruction ID: 14b9cf690ce9596509c6229b802a5a61d158de39c8e329de654368bbb4824ff8
Opcode Fuzzy Hash: 7EF09E441FA6E84FA45EB84828533D651465713A78D4C77F19778379C34E84802EF662
Instruction Fuzzy Hash: 14b9cf690ce9596509c6229b802a5a61d158de39c8e329de654368bbb4824ff8

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,00471976,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00471890
CreateServiceA.ADVAPI32(00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,0047193B), ref: 004718D1

Part of subcall function 004711E8: RegCreateKeyA.ADVAPI32(?,00000000,?), ref: 0047122E
Part of subcall function 004711E8: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000002,00000000,?,00000000,00471291), ref: 0047125A
Part of subcall function 004711E8: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000002,00000000,?,00000000,00471291), ref: 00471269

CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00471926
CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0047192C

Strings

Description, xrefs: 00471916
System\CurrentControlSet\Services\, xrefs: 004718F7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004714B8, Relevance: 10.6, APIs: 7, Instructions: 89 Total matches: 71service

Similarity

Total matches: 71
API ID: CloseServiceHandle$ControlServiceOpenSCManagerOpenServiceQueryServiceStatusStartService
String ID:
API String ID: 3657116338-0
Opcode ID: 1e9d444eec48d0e419340f6fec950ff588b94c8e7592a950f99d2ba7664d31f8
Instruction ID: f731b938185626ba78ad74946a73eac4c40bc8709c87a2b6d5c22da45b1e1850
Opcode Fuzzy Hash: EDF0270D12C6E85FF119A88C1181B67D992DF56795E4A37E04715744CB1AE21008FA1E
Instruction Fuzzy Hash: f731b938185626ba78ad74946a73eac4c40bc8709c87a2b6d5c22da45b1e1850

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047159E), ref: 004714FD
OpenServiceA.ADVAPI32(00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047152D
StartServiceA.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471555
ControlService.ADVAPI32(00000000,00000001,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471563
QueryServiceStatus.ADVAPI32(00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047156D
CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471573
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471579

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A070, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51 Total matches: 81shutdown

Similarity

Total matches: 81
API ID: AdjustTokenPrivilegesExitWindowsExGetCurrentProcessLookupPrivilegeValueOpenProcessToken
String ID: SeShutdownPrivilege
API String ID: 907618230-3733053543
Opcode ID: 6325c351eeb4cc5a7ec0039467aea46e8b54e3429b17674810d590d1af91e24f
Instruction ID: 66577e1e564058a64f67eda116e8e082f314cb3670dbe1b8773e92ba7f33d392
Opcode Fuzzy Hash: 84D0124D3B7976B1F31D5D4001C47A6711FDBA322AD61670069507725A8DA091F4BE88
Instruction Fuzzy Hash: 66577e1e564058a64f67eda116e8e082f314cb3670dbe1b8773e92ba7f33d392

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 0048A083
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0048A089
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000000), ref: 0048A0A4
AdjustTokenPrivileges.ADVAPI32(00000002,00000000,00000002,00000010,?,?,00000000), ref: 0048A0E5
ExitWindowsEx.USER32(00000012,00000000), ref: 0048A0ED

Strings

SeShutdownPrivilege, xrefs: 0048A09D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004715B0, Relevance: 7.5, APIs: 5, Instructions: 49 Total matches: 102service

Similarity

Total matches: 102
API ID: CloseServiceHandle$DeleteServiceOpenSCManagerOpenService
String ID:
API String ID: 3460840894-0
Opcode ID: edfa3289dfdb26ec1f91a4a945de349b204e0a604ed3354c303b362bde8b8223
Instruction ID: 514bcffe4070602af344c66095507f6a8d55ec3e3e7bb18c804bf3b7deea95f5
Opcode Fuzzy Hash: 01D02E841BA8F82FD4879988111239360C1AA23A90D8A37F08E08361D3ABE4004CF86A
Instruction Fuzzy Hash: 514bcffe4070602af344c66095507f6a8d55ec3e3e7bb18c804bf3b7deea95f5

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047162F), ref: 004715DB
OpenServiceA.ADVAPI32(00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 004715F5
DeleteService.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471601
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 0047160E
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471614

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A218, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45 Total matches: 35

Similarity

Total matches: 35
API ID: ShellExecuteEx
String ID: <$runas
API String ID: 188261505-1187129395
Opcode ID: 78fd917f465efea932f782085a819b786d64ecbded851ad2becd4a9c2b295cba
Instruction ID: 699417cfffd9d2823bf050fc300394e0ca4864bf277244f982f3937778f2d3bc
Opcode Fuzzy Hash: 44D0C2651799A06BC4A3B2C03C41B2B25307B13B48C0EB722960034CD38F080009EF85
Instruction Fuzzy Hash: 699417cfffd9d2823bf050fc300394e0ca4864bf277244f982f3937778f2d3bc

APIs

ShellExecuteExA.SHELL32(0000003C,00000000,0048A2A4), ref: 0048A283

Strings

runas, xrefs: 0048A268
<, xrefs: 0048A24C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042F204, Relevance: 166.5, APIs: 48, Strings: 47, Instructions: 266 Total matches: 2590libraryloader

Similarity

Total matches: 2590
API ID: GetProcAddress$LoadLibrary
String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$[FILE]
API String ID: 2209490600-790253602
Opcode ID: d5b316937265a1d63c550ac9e6780b23ae603b9b00a4eb52bbd2495b45327185
Instruction ID: cdd6db89471e363eb0c024dafd59dce8bdfa3de864d9ed8bc405e7c292d3cab1
Opcode Fuzzy Hash: 3A41197F44EC1149F6A0DA0830FF64324E669EAF2C0325F101587303717ADBF52A6AB9
Instruction Fuzzy Hash: cdd6db89471e363eb0c024dafd59dce8bdfa3de864d9ed8bc405e7c292d3cab1

APIs

LoadLibraryA.KERNEL32(uxtheme.dll), ref: 0042F23A
GetProcAddress.KERNEL32(00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F252
GetProcAddress.KERNEL32(00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F264
GetProcAddress.KERNEL32(00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F276
GetProcAddress.KERNEL32(00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F288
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F29A
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F2AC
GetProcAddress.KERNEL32(00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000), ref: 0042F2BE
GetProcAddress.KERNEL32(00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData), ref: 0042F2D0
GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData), ref: 0042F2E2
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground), ref: 0042F2F4
GetProcAddress.KERNEL32(00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText), ref: 0042F306
GetProcAddress.KERNEL32(00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect), ref: 0042F318
GetProcAddress.KERNEL32(00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect), ref: 0042F32A
GetProcAddress.KERNEL32(00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize), ref: 0042F33C
GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent), ref: 0042F34E
GetProcAddress.KERNEL32(00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics), ref: 0042F360
GetProcAddress.KERNEL32(00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion), ref: 0042F372
GetProcAddress.KERNEL32(00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground), ref: 0042F384
GetProcAddress.KERNEL32(00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge), ref: 0042F396
GetProcAddress.KERNEL32(00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon), ref: 0042F3A8
GetProcAddress.KERNEL32(00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined), ref: 0042F3BA
GetProcAddress.KERNEL32(00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent), ref: 0042F3CC
GetProcAddress.KERNEL32(00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor), ref: 0042F3DE
GetProcAddress.KERNEL32(00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric), ref: 0042F3F0
GetProcAddress.KERNEL32(00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString), ref: 0042F402
GetProcAddress.KERNEL32(00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool), ref: 0042F414
GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt), ref: 0042F426
GetProcAddress.KERNEL32(00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue), ref: 0042F438
GetProcAddress.KERNEL32(00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition), ref: 0042F44A
GetProcAddress.KERNEL32(00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont), ref: 0042F45C
GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect), ref: 0042F46E
GetProcAddress.KERNEL32(00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins), ref: 0042F480
GetProcAddress.KERNEL32(00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList), ref: 0042F492
GetProcAddress.KERNEL32(00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin), ref: 0042F4A4
GetProcAddress.KERNEL32(00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme), ref: 0042F4B6
GetProcAddress.KERNEL32(00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename), ref: 0042F4C8
GetProcAddress.KERNEL32(00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor), ref: 0042F4DA
GetProcAddress.KERNEL32(00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush), ref: 0042F4EC
GetProcAddress.KERNEL32(00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool), ref: 0042F4FE
GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize), ref: 0042F510
GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont), ref: 0042F522
GetProcAddress.KERNEL32(00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString), ref: 0042F534
GetProcAddress.KERNEL32(00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt), ref: 0042F546
GetProcAddress.KERNEL32(00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive), ref: 0042F558
GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed), ref: 0042F56A
GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground,00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme), ref: 0042F57C
GetProcAddress.KERNEL32(00000000,EnableTheming,00000000,DrawThemeParentBackground,00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture), ref: 0042F58E

Strings

EnableTheming, xrefs: 0042F586
CloseThemeData, xrefs: 0042F25C
DrawThemeText, xrefs: 0042F280
GetThemePosition, xrefs: 0042F3C4
IsThemeBackgroundPartiallyTransparent, xrefs: 0042F346
GetThemeBool, xrefs: 0042F38E
GetThemeTextMetrics, xrefs: 0042F2DA
IsThemeDialogTextureEnabled, xrefs: 0042F51A
GetThemeMetric, xrefs: 0042F36A
GetThemeSysInt, xrefs: 0042F4C0
GetThemeInt, xrefs: 0042F3A0
SetThemeAppProperties, xrefs: 0042F53E
IsAppThemed, xrefs: 0042F4E4
EnableThemeDialogTexture, xrefs: 0042F508
GetThemeEnumValue, xrefs: 0042F3B2
GetThemeSysSize, xrefs: 0042F48A
GetThemeTextExtent, xrefs: 0042F2C8
DrawThemeBackground, xrefs: 0042F26E
GetThemeBackgroundRegion, xrefs: 0042F2EC
IsThemeActive, xrefs: 0042F4D2
GetThemeBackgroundContentRect, xrefs: 0042F292, 0042F2A4
uxtheme.dll, xrefs: 0042F235
GetThemeSysString, xrefs: 0042F4AE
DrawThemeEdge, xrefs: 0042F310
GetThemeFilename, xrefs: 0042F442
GetThemeIntList, xrefs: 0042F40C
GetThemeSysBool, xrefs: 0042F478
GetThemeSysColor, xrefs: 0042F454
GetThemeFont, xrefs: 0042F3D6
GetWindowTheme, xrefs: 0042F4F6
GetThemeMargins, xrefs: 0042F3FA
GetThemeSysColorBrush, xrefs: 0042F466
GetCurrentThemeName, xrefs: 0042F550
GetThemeAppProperties, xrefs: 0042F52C
GetThemePropertyOrigin, xrefs: 0042F41E
OpenThemeData, xrefs: 0042F24A
GetThemeSysFont, xrefs: 0042F49C
GetThemeRect, xrefs: 0042F3E8
GetThemeDocumentationProperty, xrefs: 0042F562
IsThemePartDefined, xrefs: 0042F334
SetWindowTheme, xrefs: 0042F430
GetThemePartSize, xrefs: 0042F2B6
GetThemeColor, xrefs: 0042F358
DrawThemeParentBackground, xrefs: 0042F574
DrawThemeIcon, xrefs: 0042F322
GetThemeString, xrefs: 0042F37C
HitTestThemeBackground, xrefs: 0042F2FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00460DDC, Relevance: 75.4, APIs: 24, Strings: 19, Instructions: 132 Total matches: 77libraryloader

Similarity

Total matches: 77
API ID: GetProcAddress$LoadLibrary
String ID: EmptyWorkingSet$EnumDeviceDrivers$EnumProcessModules$EnumProcesses$GetDeviceDriverBaseNameA$GetDeviceDriverBaseNameW$GetDeviceDriverFileNameA$GetDeviceDriverFileNameW$GetMappedFileNameA$GetMappedFileNameW$GetModuleBaseNameA$GetModuleBaseNameW$GetModuleFileNameExA$GetModuleFileNameExW$GetModuleInformation$GetProcessMemoryInfo$InitializeProcessForWsWatch$[FILE]$QueryWorkingSet
API String ID: 2209490600-4166134900
Opcode ID: aaefed414f62a40513f9ac2234ba9091026a29d00b8defe743cdf411cc1f958a
Instruction ID: 585c55804eb58d57426aaf25b5bf4c27b161b10454f9e43d23d5139f544de849
Opcode Fuzzy Hash: CC1125BF55AD1149CBA48A6C34EF70324D3399A90D4228F10A492317397DDFE49A1FB5
Instruction Fuzzy Hash: 585c55804eb58d57426aaf25b5bf4c27b161b10454f9e43d23d5139f544de849

APIs

LoadLibraryA.KERNEL32(PSAPI.dll), ref: 00460DF0
GetProcAddress.KERNEL32(00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E0C
GetProcAddress.KERNEL32(00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E1E
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E30
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E42
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E54
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E66
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll), ref: 00460E78
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses), ref: 00460E8A
GetProcAddress.KERNEL32(00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules), ref: 00460E9C
GetProcAddress.KERNEL32(00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA), ref: 00460EAE
GetProcAddress.KERNEL32(00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA), ref: 00460EC0
GetProcAddress.KERNEL32(00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA), ref: 00460ED2
GetProcAddress.KERNEL32(00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA), ref: 00460EE4
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW), ref: 00460EF6
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW), ref: 00460F08
GetProcAddress.KERNEL32(00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation), ref: 00460F1A
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet), ref: 00460F2C
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet), ref: 00460F3E
GetProcAddress.KERNEL32(00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch), ref: 00460F50
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA), ref: 00460F62
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA), ref: 00460F74
GetProcAddress.KERNEL32(00000000,EnumDeviceDrivers,00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA), ref: 00460F86
GetProcAddress.KERNEL32(00000000,GetProcessMemoryInfo,00000000,EnumDeviceDrivers,00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA), ref: 00460F98

Strings

GetDeviceDriverFileNameA, xrefs: 00460F00, 00460F36
GetModuleInformation, xrefs: 00460E94
QueryWorkingSet, xrefs: 00460EB8
EnumProcessModules, xrefs: 00460E16
InitializeProcessForWsWatch, xrefs: 00460ECA
GetMappedFileNameA, xrefs: 00460EDC, 00460F12
GetDeviceDriverFileNameW, xrefs: 00460F6C
GetDeviceDriverBaseNameA, xrefs: 00460EEE, 00460F24
PSAPI.dll, xrefs: 00460DEB
EnumProcesses, xrefs: 00460E04
EnumDeviceDrivers, xrefs: 00460F7E
GetModuleBaseNameA, xrefs: 00460E28, 00460E4C
GetModuleFileNameExA, xrefs: 00460E3A, 00460E5E
GetDeviceDriverBaseNameW, xrefs: 00460F5A
EmptyWorkingSet, xrefs: 00460EA6
GetModuleFileNameExW, xrefs: 00460E82
GetModuleBaseNameW, xrefs: 00460E70
GetMappedFileNameW, xrefs: 00460F48
GetProcessMemoryInfo, xrefs: 00460F90

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045D6E8, Relevance: 49.1, APIs: 15, Strings: 13, Instructions: 95 Total matches: 1532libraryloader

Similarity

Total matches: 1532
API ID: GetProcAddress$SetErrorMode$GetModuleHandleLoadLibrary
String ID: ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME$[FILE]
API String ID: 4285671783-683095915
Opcode ID: 6332f91712b4189a2fbf9eac54066364acf4b46419cf90587b9f7381acad85db
Instruction ID: 372e34bc737a7edc69a1909bd40661afaf820c1de602df88552da6e630419b72
Opcode Fuzzy Hash: 0A01257F24D863CBD2D0CE4934DB39D20B65787C0C8D6DF404605318697F9BF9295A68
Instruction Fuzzy Hash: 372e34bc737a7edc69a1909bd40661afaf820c1de602df88552da6e630419b72

APIs

SetErrorMode.KERNEL32(00008000), ref: 0045D701
GetModuleHandleA.KERNEL32(USER32,00000000,0045D84E,?,00008000), ref: 0045D725
GetProcAddress.KERNEL32(00000000,WINNLSEnableIME,USER32,00000000,0045D84E,?,00008000), ref: 0045D732
LoadLibraryA.KERNEL32(imm32.dll), ref: 0045D74E
GetProcAddress.KERNEL32(00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D770
GetProcAddress.KERNEL32(00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D785
GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D79A
GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7AF
GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7C4
GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E), ref: 0045D7D9
GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000), ref: 0045D7EE
GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext), ref: 0045D803
GetProcAddress.KERNEL32(00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext), ref: 0045D818
GetProcAddress.KERNEL32(00000000,ImmNotifyIME,00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus), ref: 0045D82D
SetErrorMode.KERNEL32(?,0045D855,00008000), ref: 0045D848

Strings

USER32, xrefs: 0045D720
ImmReleaseContext, xrefs: 0045D77A
ImmNotifyIME, xrefs: 0045D822
ImmIsIME, xrefs: 0045D80D
ImmGetConversionStatus, xrefs: 0045D78F
ImmSetCompositionFontA, xrefs: 0045D7E3
ImmGetCompositionStringA, xrefs: 0045D7F8
ImmSetCompositionWindow, xrefs: 0045D7CE
ImmGetContext, xrefs: 0045D765
imm32.dll, xrefs: 0045D749
ImmSetOpenStatus, xrefs: 0045D7B9
WINNLSEnableIME, xrefs: 0045D72C
ImmSetConversionStatus, xrefs: 0045D7A4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004104F0, Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141 Total matches: 3143

Similarity

Total matches: 3143
API ID: GetModuleHandle
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$[FILE]
API String ID: 2196120668-1102361026
Opcode ID: d04b3c176625d43589df9c4c1eaa1faa8af9b9c00307a8a09859a0e62e75f2dc
Instruction ID: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6
Opcode Fuzzy Hash: B8119E48E06A10BC356E3ED6B0292683F50A1A7CBF31D5388487AA46F067C083C0FF2D
Instruction Fuzzy Hash: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 004104F9

Part of subcall function 004104C4: GetProcAddress.KERNEL32(00000000), ref: 004104DD

Strings

VarMod, xrefs: 004105B7
VarBstrFromCy, xrefs: 004106A9
VarBstrFromBool, xrefs: 004106D5
VarAnd, xrefs: 004105CD
VarDateFromStr, xrefs: 00410667
oleaut32.dll, xrefs: 004104F4
VariantChangeTypeEx, xrefs: 00410507
VarCmp, xrefs: 0041060F
VarBstrFromDate, xrefs: 004106BF
VarBoolFromStr, xrefs: 00410693
VarR8FromStr, xrefs: 00410651
VarR4FromStr, xrefs: 0041063B
VarDiv, xrefs: 0041058B
VarSub, xrefs: 0041055F
VarNeg, xrefs: 0041051D
VarAdd, xrefs: 00410549
VarOr, xrefs: 004105E3
VarMul, xrefs: 00410575
VarI4FromStr, xrefs: 00410625
VarCyFromStr, xrefs: 0041067D
VarIdiv, xrefs: 004105A1
VarXor, xrefs: 004105F9
VarNot, xrefs: 00410533

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004291D0, Relevance: 31.7, APIs: 21, Instructions: 194 Total matches: 3060window

Similarity

Total matches: 3060
API ID: SelectObject$CreateCompatibleDCDeleteDCRealizePaletteSelectPaletteSetBkColor$BitBltCreateBitmapDeleteObjectGetDCGetObjectPatBltReleaseDC
String ID:
API String ID: 628774946-0
Opcode ID: fe3971f2977393a3c43567018b8bbe78de127415e632ac21538e816cc0dd5250
Instruction ID: 6115c1c3159ef7867d394253bd6a45f4e10092e6f2e7cc69ab30c5ac2c74a228
Opcode Fuzzy Hash: 2911294A05CCF32B64B579881983B261182FE43B52CABF7105979272CACF41740DE457
Instruction Fuzzy Hash: 6115c1c3159ef7867d394253bd6a45f4e10092e6f2e7cc69ab30c5ac2c74a228

APIs

GetObjectA.GDI32(?,00000054,?), ref: 004291F3
GetDC.USER32(00000000), ref: 00429221
CreateCompatibleDC.GDI32(?), ref: 00429232
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0042924D
SelectObject.GDI32(?,00000000), ref: 00429267
PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 00429289
CreateCompatibleDC.GDI32(?), ref: 00429297
DeleteDC.GDI32(?), ref: 0042937D

Part of subcall function 00428B08: GetObjectA.GDI32(00000000,00000054,?), ref: 00428B88
Part of subcall function 00428B08: GetDC.USER32(00000000), ref: 00428B99
Part of subcall function 00428B08: CreateCompatibleDC.GDI32(00000000), ref: 00428BAA
Part of subcall function 00428B08: CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 00428BF6
Part of subcall function 00428B08: CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 00428C1A
Part of subcall function 00428B08: GetDeviceCaps.GDI32(00000028,0000000C), ref: 00428C6A
Part of subcall function 00428B08: GetDeviceCaps.GDI32(00000028,0000000E), ref: 00428C77
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00428D21
Part of subcall function 00428B08: GetDIBColorTable.GDI32(?,00000000,00000100,-00000027), ref: 00428D47
Part of subcall function 00428B08: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428D72
Part of subcall function 00428B08: SelectObject.GDI32(?,?), ref: 00428D7F
Part of subcall function 00428B08: CreateDIBSection.GDI32(00000028,00000001,00000000,00000003,00000000,00000000), ref: 00428DD5
Part of subcall function 00428B08: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428E36
Part of subcall function 00428B08: SelectObject.GDI32(?,?), ref: 00428E77
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,00000000), ref: 00428EB7
Part of subcall function 00428B08: RealizePalette.GDI32(?), ref: 00428EC3
Part of subcall function 00428B08: FillRect.USER32(?,?,00000000), ref: 00428F14
Part of subcall function 00428B08: SetTextColor.GDI32(?,00000000), ref: 00428F2C
Part of subcall function 00428B08: SetBkColor.GDI32(?,00000000), ref: 00428F46
Part of subcall function 00428B08: SetDIBColorTable.GDI32(?,00000000,00000002,?), ref: 00428F8E
Part of subcall function 00428B08: PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 00428FB0
Part of subcall function 00428B08: CreateCompatibleDC.GDI32(00000028), ref: 00428FC3
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00428FE6
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,00000000), ref: 00429002
Part of subcall function 00428B08: RealizePalette.GDI32(?), ref: 0042900D
Part of subcall function 00428B08: SetTextColor.GDI32(?,00000000), ref: 0042902B
Part of subcall function 00428B08: SetBkColor.GDI32(?,00000000), ref: 00429045
Part of subcall function 00428B08: BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042906D
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,000000FF), ref: 0042907F
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00429089
Part of subcall function 00428B08: DeleteDC.GDI32(?), ref: 004290A4
Part of subcall function 00428B08: SelectPalette.GDI32(?,?,000000FF), ref: 004290CE

SelectObject.GDI32(?), ref: 004292DF
SelectPalette.GDI32(?,?,00000000), ref: 004292F2
RealizePalette.GDI32(?), ref: 004292FB
SelectPalette.GDI32(?,?,00000000), ref: 00429307
RealizePalette.GDI32(?), ref: 00429310
SetBkColor.GDI32(?), ref: 0042931A
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042933E
SetBkColor.GDI32(?,00000000), ref: 00429348
SelectObject.GDI32(?,00000000), ref: 0042935B
DeleteObject.GDI32 ref: 00429367
SelectObject.GDI32(?,00000000), ref: 00429398
DeleteDC.GDI32(00000000), ref: 004293B4
ReleaseDC.USER32(00000000,00000000), ref: 004293C5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004031FC, Relevance: 27.1, APIs: 9, Strings: 9, Instructions: 110 Total matches: 169

Similarity

Total matches: 169
API ID: CharNext
String ID: $ $ $"$"$"$"$"$"
API String ID: 3213498283-3597982963
Opcode ID: a78e52ca640c3a7d11d18e4cac849d6c7481ab065be4a6ef34a7c34927dd7892
Instruction ID: 5d6dbb870b020a65ba4fa9e31a5dda400ef744f15fc7bff5e21739e263984da5
Opcode Fuzzy Hash: D0F054139ED4432360976B416872B44E2D0DF9564D2C01F185B62BE2F31E696D62F9DC
Instruction Fuzzy Hash: 5d6dbb870b020a65ba4fa9e31a5dda400ef744f15fc7bff5e21739e263984da5

APIs

CharNextA.USER32(00000000), ref: 00403208
CharNextA.USER32(00000000), ref: 00403236
CharNextA.USER32(00000000), ref: 00403240
CharNextA.USER32(00000000), ref: 0040325F
CharNextA.USER32(00000000), ref: 00403269
CharNextA.USER32(00000000), ref: 00403295
CharNextA.USER32(00000000), ref: 0040329F
CharNextA.USER32(00000000), ref: 004032C7
CharNextA.USER32(00000000), ref: 004032D1

Strings

", xrefs: 00403230
, xrefs: 004032E9
", xrefs: 0040328F
", xrefs: 0040321E
, xrefs: 00403214
", xrefs: 00403254
, xrefs: 00403278
", xrefs: 00403219
", xrefs: 004032BC

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004296E0, Relevance: 21.2, APIs: 14, Instructions: 217 Total matches: 2962window

Similarity

Total matches: 2962
API ID: GetDeviceCapsSelectObjectSelectPaletteSetStretchBltMode$CreateCompatibleDCDeleteDCGetBrushOrgExRealizePaletteSetBrushOrgExStretchBlt
String ID:
API String ID: 3308931694-0
Opcode ID: c4f23efe5e20e7f72d9787206ae9d4d4484ef6a1768b369050ebc0ce3d21af64
Instruction ID: 6e80a75276815f297b150d1899ec2451361d21afa1efcd092d0d7bc48a04164e
Opcode Fuzzy Hash: 2C21980A409CEB6BF0BB78840183F4A2285BF9B34ACD1BB210E64673635F04E40BD65F
Instruction Fuzzy Hash: 6e80a75276815f297b150d1899ec2451361d21afa1efcd092d0d7bc48a04164e

APIs

Part of subcall function 00429D5C: GetDC.USER32(00000000), ref: 00429DB2
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429DC7
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00429DD1
Part of subcall function 00429D5C: CreateHalftonePalette.GDI32(00000000), ref: 00429DF5
Part of subcall function 00429D5C: ReleaseDC.USER32(00000000,00000000), ref: 00429E00

SelectPalette.GDI32(?,?,000000FF), ref: 00429723
RealizePalette.GDI32(?), ref: 00429732
GetDeviceCaps.GDI32(?,0000000C), ref: 00429744
GetDeviceCaps.GDI32(?,0000000E), ref: 00429753
GetBrushOrgEx.GDI32(?,?), ref: 00429786
SetStretchBltMode.GDI32(?,00000004), ref: 00429794
SetBrushOrgEx.GDI32(?,?,?,?), ref: 004297AC
SetStretchBltMode.GDI32(00000000,00000003), ref: 004297C9
SelectPalette.GDI32(?,?,000000FF), ref: 00429918

Part of subcall function 00429CFC: DeleteObject.GDI32(?), ref: 00429D1F

CreateCompatibleDC.GDI32(00000000), ref: 0042982A
SelectObject.GDI32(?,?), ref: 0042983F

Part of subcall function 00425CC8: CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 00425D0B
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425D20
Part of subcall function 00425CC8: MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,CCAA0029), ref: 00425D64
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425D7E
Part of subcall function 00425CC8: DeleteObject.GDI32(?), ref: 00425D8A
Part of subcall function 00425CC8: CreateCompatibleDC.GDI32(00000000), ref: 00425D9E
Part of subcall function 00425CC8: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00425DBF
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425DD4
Part of subcall function 00425CC8: SelectPalette.GDI32(?,48080787,00000000), ref: 00425DE8
Part of subcall function 00425CC8: SelectPalette.GDI32(?,?,00000000), ref: 00425DFA
Part of subcall function 00425CC8: SelectPalette.GDI32(?,00000000,000000FF), ref: 00425E0F
Part of subcall function 00425CC8: SelectPalette.GDI32(?,48080787,000000FF), ref: 00425E25
Part of subcall function 00425CC8: RealizePalette.GDI32(?), ref: 00425E31
Part of subcall function 00425CC8: StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 00425E53
Part of subcall function 00425CC8: StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 00425E75
Part of subcall function 00425CC8: SetTextColor.GDI32(?,00000000), ref: 00425E7D
Part of subcall function 00425CC8: SetBkColor.GDI32(?,00FFFFFF), ref: 00425E8B
Part of subcall function 00425CC8: StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 00425EB7
Part of subcall function 00425CC8: StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 00425EDC
Part of subcall function 00425CC8: SetTextColor.GDI32(?,?), ref: 00425EE6
Part of subcall function 00425CC8: SetBkColor.GDI32(?,?), ref: 00425EF0
Part of subcall function 00425CC8: SelectObject.GDI32(?,00000000), ref: 00425F03
Part of subcall function 00425CC8: DeleteObject.GDI32(?), ref: 00425F0C
Part of subcall function 00425CC8: SelectPalette.GDI32(?,00000000,00000000), ref: 00425F2E
Part of subcall function 00425CC8: DeleteDC.GDI32(?), ref: 00425F37

SelectObject.GDI32(?,00000000), ref: 0042989E
DeleteDC.GDI32(00000000), ref: 004298AD
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,?), ref: 004298F3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048D3C4, Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 132 Total matches: 32

Similarity

Total matches: 32
API ID: GetVersionEx
String ID: Unknow$Windows 2000$Windows 7$Windows 95$Windows 98$Windows Me$Windows NT 4.0$Windows Server 2003$Windows Vista$Windows XP
API String ID: 3908303307-3783844371
Opcode ID: 7b5a5832e5fd12129a8a2e2906a492b9449b8df28a17af9cc2e55bced20de565
Instruction ID: b844ed6b70e0e94de659292c354b68b9ed016400ab421bcb6baea74a0809c2ae
Opcode Fuzzy Hash: 0C11ACC1EB6CE422E7B219486410BD59E805F8B83AFCCC343D63EA83E46D491419F22D
Instruction Fuzzy Hash: b844ed6b70e0e94de659292c354b68b9ed016400ab421bcb6baea74a0809c2ae

APIs

GetVersionExA.KERNEL32(00000094), ref: 0048D410

Strings

Windows Me, xrefs: 0048D4F2
Windows NT 4.0, xrefs: 0048D441
Windows 2000, xrefs: 0048D467
Windows 95, xrefs: 0048D4D6
Windows 7, xrefs: 0048D4B1
Unknow, xrefs: 0048D3F5
Windows Vista, xrefs: 0048D4A3
Windows Server 2003, xrefs: 0048D486
Windows XP, xrefs: 0048D478
Windows 98, xrefs: 0048D4E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C494, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 102 Total matches: 27filememorythread

Similarity

Total matches: 27
API ID: CloseHandle$CreateFileCreateThreadFindResourceLoadResourceLocalAllocLockResourceSizeofResourceWriteFile
String ID: [FILE]
API String ID: 67866216-124780900
Opcode ID: 96c988e38e59b89ff17cc2eaece477f828ad8744e4a6eccd5192cfbc043553d8
Instruction ID: 630cc112895e8414539e3ba5b7ba0394fd4404f3832c6fa9d37db38bf09270f9
Opcode Fuzzy Hash: D5F02B8A57A5E6A3F0003C841D423D286D55B13B20E582B62C57CB75C1FE24502AFB03
Instruction Fuzzy Hash: 630cc112895e8414539e3ba5b7ba0394fd4404f3832c6fa9d37db38bf09270f9

APIs

FindResourceA.KERNEL32(00000000,?,?), ref: 0048C4C3

Part of subcall function 00489BB0: GetTempPathA.KERNEL32(?,00000000), ref: 00489BEC

CreateFileA.KERNEL32(00000000,.dll,?,?,40000000,00000002,00000000), ref: 0048C50F
SizeofResource.KERNEL32(00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC,?,?,?,?,00000000,00000000,00000000), ref: 0048C51F
LoadResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C528
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C52E
WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0048C535
CloseHandle.KERNEL32(00000000), ref: 0048C53B
LocalAlloc.KERNEL32(00000040,00000004,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C544
CreateThread.KERNEL32(00000000,00000000,0048C3E4,00000000,00000000,?), ref: 0048C586
CloseHandle.KERNEL32(00000000), ref: 0048C58C

Strings

.dll, xrefs: 0048C4F4, 0048C565

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004085D4, Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 61 Total matches: 268windowregistry

Similarity

Total matches: 268
API ID: RegisterWindowMessage$SendMessage$FindWindow
String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
API String ID: 773075572-3736581797
Opcode ID: b8d29d158da692a3f30c7c46c0fd30bc084ed528be5294db655e4684b6c0c80f
Instruction ID: 4e75a9db2a85290b2bd165713cc3b8ab264a87c6022b985514cebb886d0c2653
Opcode Fuzzy Hash: E3E086048EC5E4C040877D156905746525A5B47E33E88971245FC69EEBDF12706CF60B
Instruction Fuzzy Hash: 4e75a9db2a85290b2bd165713cc3b8ab264a87c6022b985514cebb886d0c2653

APIs

FindWindowA.USER32(MouseZ,Magellan MSWHEEL), ref: 004085EC
RegisterWindowMessageA.USER32(MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 004085F8
RegisterWindowMessageA.USER32(MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 00408607
RegisterWindowMessageA.USER32(MSH_SCROLL_LINES_MSG,MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 00408613
SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 0040862B
SendMessageA.USER32(00000000,?,00000000,00000000), ref: 0040864F

Strings

MSH_SCROLL_LINES_MSG, xrefs: 0040860E
MSH_WHEELSUPPORT_MSG, xrefs: 00408602
MouseZ, xrefs: 004085E7
Magellan MSWHEEL, xrefs: 004085E2
MSWHEEL_ROLLMSG, xrefs: 004085F3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004328FC, Relevance: 18.1, APIs: 12, Instructions: 142 Total matches: 2670

Similarity

Total matches: 2670
API ID: GetSystemMetricsGetWindowLong$ExcludeClipRectFillRectGetSysColorBrushGetWindowDCGetWindowRectInflateRectOffsetRectReleaseDC
String ID:
API String ID: 3932036319-0
Opcode ID: 76064c448b287af48dc2af56ceef959adfeb7e49e56a31cb381aae6292753b0b
Instruction ID: f04c829c48dd0ecc4740a09c532db4e7ffce190e9eba6ce852bb2d0274806371
Opcode Fuzzy Hash: 03019760024F1233E0B31AC05DC7F127621ED45386CA4BBF28BF6A72C962AA7006F467
Instruction Fuzzy Hash: f04c829c48dd0ecc4740a09c532db4e7ffce190e9eba6ce852bb2d0274806371

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 00432917
GetWindowRect.USER32(00000000,?), ref: 00432932
OffsetRect.USER32(?,?,?), ref: 00432947
GetWindowDC.USER32(00000000), ref: 00432955
GetWindowLongA.USER32(00000000,000000F0), ref: 00432986
GetSystemMetrics.USER32(00000002), ref: 0043299B
GetSystemMetrics.USER32(00000003), ref: 004329A4
InflateRect.USER32(?,000000FE,000000FE), ref: 004329B3
GetSysColorBrush.USER32(0000000F), ref: 004329E0
FillRect.USER32(?,?,00000000), ref: 004329EE
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00432A13
ReleaseDC.USER32(00000000,?), ref: 00432A51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00402820, Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 254 Total matches: 200window

Similarity

Total matches: 200
API ID: MessageBox
String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
API String ID: 1250089747-1256731999
Opcode ID: 490897b8e9acac750f9d51d50a768472c0795dbdc6439b18441db86d626ce938
Instruction ID: 76dfa530adb1b8c2cc13e2667be7c25ba156ed0594aa9714788bfb3d1a0eda85
Opcode Fuzzy Hash: 0731F44BA7DDC3A2D3E91303684575550E2A7C5537C888F609772317F6EE04250BAAAD
Instruction Fuzzy Hash: 76dfa530adb1b8c2cc13e2667be7c25ba156ed0594aa9714788bfb3d1a0eda85

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 00402BBE

Strings

An unexpected memory leak has occurred. , xrefs: 00402980
String, xrefs: 00402A91
, xrefs: 00402B04
Unknown, xrefs: 00402A7C
The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402B39
The unexpected small block leaks are:, xrefs: 004029F7
Unexpected Memory Leak, xrefs: 00402BB0
7, xrefs: 00402991
bytes: , xrefs: 00402A4D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F17C, Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 116 Total matches: 33window

Similarity

Total matches: 33
API ID: GetWindowPlacementGetWindowTextIsWindowVisible
String ID: ,$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive$True
API String ID: 41250382-511446200
Opcode ID: 2a93bd2407602c988be198f02ecb64933adb9ffad78aee0f75abc9a1a22a1849
Instruction ID: 8f95e1a452f283c9d6a5f9db166b7f7b6e325fa1ebf04232aa01919826a7e185
Opcode Fuzzy Hash: F5012D8237CECA73DA0AAEC47C00B80D5A5AF63224CC867A14A9D3D1D41ED06009AB4A
Instruction Fuzzy Hash: 8f95e1a452f283c9d6a5f9db166b7f7b6e325fa1ebf04232aa01919826a7e185

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F1D2
GetWindowPlacement.USER32(?,0000002C), ref: 0046F1ED
IsWindowVisible.USER32(?), ref: 0046F258

Part of subcall function 0046F148: GetWindow.USER32(?,00000005), ref: 0046F156
Part of subcall function 0046F148: GetWindow.USER32(00000000,00000002), ref: 0046F164

Strings

,, xrefs: 0046F1E1
Minimized, xrefs: 0046F225
Show/Unactive, xrefs: 0046F239
True, xrefs: 0046F2AA
Maximized, xrefs: 0046F1FD
Normal, xrefs: 0046F211
Normal/Unactive, xrefs: 0046F24D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E71C, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 109 Total matches: 2989

Similarity

Total matches: 2989
API ID: IntersectRect$GetSystemMetrics$EnumDisplayMonitorsGetClipBoxGetDCOrgExOffsetRect
String ID: EnumDisplayMonitors
API String ID: 2403121106-2491903729
Opcode ID: 52db4d6629bbd73772140d7e04a91d47a072080cb3515019dbe85a8b86b11587
Instruction ID: b4557ab74b20c8893b9e8c5043286aecf6e43751f6ec849995a879e485a4fa77
Opcode Fuzzy Hash: 60F02B4B413C0863AD32BB953067E2601615BD3955C9F7BF34D077A2091B85B42EF643
Instruction Fuzzy Hash: b4557ab74b20c8893b9e8c5043286aecf6e43751f6ec849995a879e485a4fa77

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 0042E755
GetSystemMetrics.USER32(00000000), ref: 0042E77A
GetSystemMetrics.USER32(00000001), ref: 0042E785
GetClipBox.GDI32(?,?), ref: 0042E797
GetDCOrgEx.GDI32(?,?), ref: 0042E7A4
OffsetRect.USER32(?,?,?), ref: 0042E7BD
IntersectRect.USER32(?,?,?), ref: 0042E7CE
IntersectRect.USER32(?,?,?), ref: 0042E7E4
IntersectRect.USER32(?,?,?), ref: 0042E804

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

EnumDisplayMonitors, xrefs: 0042E734

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044D1B0, Relevance: 16.6, APIs: 11, Instructions: 91 Total matches: 309

Similarity

Total matches: 309
API ID: GetWindowLongSetWindowLong$SetProp$IsWindowUnicode
String ID:
API String ID: 2416549522-0
Opcode ID: cc33e88019e13a6bdd1cd1f337bb9aa08043e237bf24f75c2294c70aefb51ea5
Instruction ID: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692
Opcode Fuzzy Hash: 47F09048455D92E9CE316990181BFEB6098AF57F91CE86B0469C2713778E50F079BCC2
Instruction Fuzzy Hash: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692

APIs

IsWindowUnicode.USER32(?), ref: 0044D1CA
SetWindowLongW.USER32(?,000000FC,?), ref: 0044D1E5
GetWindowLongW.USER32(?,000000F0), ref: 0044D1F0
GetWindowLongW.USER32(?,000000F4), ref: 0044D202
SetWindowLongW.USER32(?,000000F4,?), ref: 0044D215
SetWindowLongA.USER32(?,000000FC,?), ref: 0044D22E
GetWindowLongA.USER32(?,000000F0), ref: 0044D239
GetWindowLongA.USER32(?,000000F4), ref: 0044D24B
SetWindowLongA.USER32(?,000000F4,?), ref: 0044D25E
SetPropA.USER32(?,00000000,00000000), ref: 0044D275
SetPropA.USER32(?,00000000,00000000), ref: 0044D28C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A8AC, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 146 Total matches: 45fileprocesssynchronization

Similarity

Total matches: 45
API ID: CloseHandle$CreateFile$CreateProcessWaitForSingleObject
String ID: D
API String ID: 1169714791-2746444292
Opcode ID: 9fb844b51f751657abfdf9935c21911306aa385a3997c9217fbe2ce6b668f812
Instruction ID: 79e473b7fda91be69f4d7f417df14a4c992ec25b9310636d694ca9e09f5cc5b6
Opcode Fuzzy Hash: 4D11E6431384F3F3F1A567002C8275185D6DB45A78E6D9752D6B6323EECB40A16CF94A
Instruction Fuzzy Hash: 79e473b7fda91be69f4d7f417df14a4c992ec25b9310636d694ca9e09f5cc5b6

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000004,00000100,00000000), ref: 0048A953
CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000002,00000100,00000000), ref: 0048A98D
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000110,00000000,00000000,00000044,?), ref: 0048AA10
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0048AA2D
CloseHandle.KERNEL32(00000000), ref: 0048AA68
CloseHandle.KERNEL32(00000000), ref: 0048AA77
CloseHandle.KERNEL32(00000000), ref: 0048AA86
CloseHandle.KERNEL32(00000000), ref: 0048AA95

Strings

D, xrefs: 0048A9BB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F3B8, Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 110 Total matches: 30

Similarity

Total matches: 30
API ID: GetWindowPlacementGetWindowText
String ID: ,$False$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive
API String ID: 3194812178-3661939895
Opcode ID: 6e67ebc189e59b109926b976878c05c5ff8e56a7c2fe83319816f47c7d386b2c
Instruction ID: 05c2a068ec8248d3d24fb73124f2ba0192b7bb261c799db9564259cde8fcc610
Opcode Fuzzy Hash: DC012BC22786CE23E606A9C47A00BD0CE65AFB261CCC867E14FEE3C5D57ED100089B96
Instruction Fuzzy Hash: 05c2a068ec8248d3d24fb73124f2ba0192b7bb261c799db9564259cde8fcc610

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F40E
GetWindowPlacement.USER32(?,0000002C), ref: 0046F429

Part of subcall function 0046F148: GetWindow.USER32(?,00000005), ref: 0046F156
Part of subcall function 0046F148: GetWindow.USER32(00000000,00000002), ref: 0046F164

Strings

Maximized, xrefs: 0046F439
,, xrefs: 0046F41D
False, xrefs: 0046F4D6
Show/Unactive, xrefs: 0046F475
Normal, xrefs: 0046F44D
Minimized, xrefs: 0046F461
Normal/Unactive, xrefs: 0046F489

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00456278, Relevance: 15.2, APIs: 10, Instructions: 197 Total matches: 3025

Similarity

Total matches: 3025
API ID: GetWindowLong$IntersectClipRectRestoreDCSaveDC
String ID:
API String ID: 3006731778-0
Opcode ID: 42e9e34b880910027b3e3a352b823e5a85719ef328f9c6ea61aaf2d3498d6580
Instruction ID: 4204c0258dd60c0c2688d7e8ce7edc9cd036ce1826430425374ca7ebdb7834a4
Opcode Fuzzy Hash: 4621F609168D5267EC7B75806993BAA7111FB82B88CD1F7321AA1171975B80204BFA07
Instruction Fuzzy Hash: 4204c0258dd60c0c2688d7e8ce7edc9cd036ce1826430425374ca7ebdb7834a4

APIs

SaveDC.GDI32(?), ref: 00456295

Part of subcall function 0044EEA0: GetWindowOrgEx.GDI32(?), ref: 0044EEAE
Part of subcall function 0044EEA0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044EEC4

IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 004562CE
GetWindowLongA.USER32(00000000,000000EC), ref: 004562E2
GetWindowLongA.USER32(00000000,000000F0), ref: 00456303

Part of subcall function 00456278: SetRect.USER32(00000010,00000000,00000000,?,?), ref: 00456363
Part of subcall function 00456278: IntersectClipRect.GDI32(?,00000000,00000000,00000010,?), ref: 004563D3
Part of subcall function 00456278: SetRect.USER32(?,00000000,00000000,?,?), ref: 004563F4
Part of subcall function 00456278: DrawEdge.USER32(?,?,00000000,00000000), ref: 00456403
Part of subcall function 00456278: IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0045642C

RestoreDC.GDI32(?,?), ref: 004564AB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044155C, Relevance: 15.1, APIs: 10, Instructions: 74 Total matches: 3192window

Similarity

Total matches: 3192
API ID: DeleteMenu$EnableMenuItem$GetSystemMenu
String ID:
API String ID: 3542995237-0
Opcode ID: 6b257927fe0fdeada418aad578b82fbca612965c587f2749ccb5523ad42afade
Instruction ID: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578
Opcode Fuzzy Hash: 0AF0D09DD98F1151E6F500410C47B83C08AFF413C5C245B380583217EFA9D25A5BEB0E
Instruction Fuzzy Hash: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 004415A7
DeleteMenu.USER32(00000000,0000F130,00000000), ref: 004415C5
DeleteMenu.USER32(00000000,00000007,00000400), ref: 004415D2
DeleteMenu.USER32(00000000,00000005,00000400), ref: 004415DF
DeleteMenu.USER32(00000000,0000F030,00000000), ref: 004415EC
DeleteMenu.USER32(00000000,0000F020,00000000), ref: 004415F9
DeleteMenu.USER32(00000000,0000F000,00000000), ref: 00441606
DeleteMenu.USER32(00000000,0000F120,00000000), ref: 00441613
EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 00441631
EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 0044164D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040281E, Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 188 Total matches: 190window

Similarity

Total matches: 190
API ID: MessageBox
String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
API String ID: 1250089747-980038931
Opcode ID: 1669ecd234b97cdbd14c3df7a35b1e74c6856795be7635a3e0f5130a3d9bc831
Instruction ID: 2e60dbe28dcd1d3aa5670394eea0bc97309ab4bc9661f15f320bab8b5d4cd559
Opcode Fuzzy Hash: 8E21F44B67EED392D3EA1303384575540E3ABC5537D888F60977232BF6EE14140BAA9D
Instruction Fuzzy Hash: 2e60dbe28dcd1d3aa5670394eea0bc97309ab4bc9661f15f320bab8b5d4cd559

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 00402BBE

Strings

An unexpected memory leak has occurred. , xrefs: 00402980
, xrefs: 00402B04
The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402B39
The unexpected small block leaks are:, xrefs: 004029F7
Unexpected Memory Leak, xrefs: 00402BB0
7, xrefs: 00402991
bytes: , xrefs: 00402A4D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004710F0, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 66 Total matches: 37

Similarity

Total matches: 37
API ID: GetWindowShowWindow$FindWindowGetClassName
String ID: BUTTON$Shell_TrayWnd
API String ID: 2948047570-3627955571
Opcode ID: 9e064d9ead1b610c0c1481de5900685eb7d76be14ef2e83358ce558d27e67668
Instruction ID: d360bd029940f6fa4d12d7627fe3e8b46839e67e31e965d43504e39a11938d6c
Opcode Fuzzy Hash: 68E092CC17B5D469B71A2789284236241D5C763A35C18B752D332376DF8E58021EE60A
Instruction Fuzzy Hash: d360bd029940f6fa4d12d7627fe3e8b46839e67e31e965d43504e39a11938d6c

APIs

FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 0047111D
GetWindow.USER32(00000000,00000005), ref: 00471125
GetClassNameA.USER32(00000000,?,00000080), ref: 0047113D
ShowWindow.USER32(00000000,00000001), ref: 0047117C
ShowWindow.USER32(00000000,00000000), ref: 00471186
GetWindow.USER32(00000000,00000002), ref: 0047118E

Strings

BUTTON, xrefs: 00471168
Shell_TrayWnd, xrefs: 00471118

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004564D0, Relevance: 13.7, APIs: 9, Instructions: 177 Total matches: 190window

Similarity

Total matches: 190
API ID: SelectObject$BeginPaintBitBltCreateCompatibleBitmapCreateCompatibleDCSetWindowOrgEx
String ID:
API String ID: 1616898104-0
Opcode ID: 00b711a092303d63a394b0039c66d91bff64c6bf82b839551a80748cfcb5bf1e
Instruction ID: 1affb125a654ca7596d0e4f6c4811def945eff925a29ebecd1c68cf0f38a7913
Opcode Fuzzy Hash: 14115B85024DA637E8739CC85E83F962294F307D48C91F7729BA31B2C72F15600DD293
Instruction Fuzzy Hash: 1affb125a654ca7596d0e4f6c4811def945eff925a29ebecd1c68cf0f38a7913

APIs

Part of subcall function 00455D50: BeginPaint.USER32(00000000,?), ref: 00455D7B
Part of subcall function 00455D50: SaveDC.GDI32(00000000), ref: 00455DB4
Part of subcall function 00455D50: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 00455E36
Part of subcall function 00455D50: RestoreDC.GDI32(00000000,00000000), ref: 00455E6C
Part of subcall function 00455D50: EndPaint.USER32(00000000,?), ref: 00455EA9

BeginPaint.USER32(00000000,?), ref: 004565EA
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00456600
CreateCompatibleDC.GDI32(00000000), ref: 00456617
SelectObject.GDI32(?,?), ref: 00456627
SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0045664B

Part of subcall function 004564D0: BeginPaint.USER32(00000000,?), ref: 0045653C
Part of subcall function 004564D0: EndPaint.USER32(00000000,?), ref: 004565D0

BitBlt.GDI32(00000000,?,?,?,?,?,?,?,00CC0020), ref: 00456699
SelectObject.GDI32(?,?), ref: 004566B3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004840D8, Relevance: 13.6, APIs: 9, Instructions: 150 Total matches: 30

Similarity

Total matches: 30
API ID: CloseHandleGetTokenInformationLookupAccountSid$GetLastErrorOpenProcessOpenProcessToken
String ID:
API String ID: 1387212650-0
Opcode ID: 55fc45e655e8bcad6bc41288bae252f5ee7be0b7cb976adfe173a6785b05be5f
Instruction ID: 4c6b5abeafcca947752a893948ed48d42e020b1fe5683f4a654fc51f6199c0a3
Opcode Fuzzy Hash: 3901484A17CA2293F53BB5C82483FEA1215E702B45D48B7A354F43A59A5F45A13BF702
Instruction Fuzzy Hash: 4c6b5abeafcca947752a893948ed48d42e020b1fe5683f4a654fc51f6199c0a3

APIs

OpenProcess.KERNEL32(00000400,00000000,?,00000000,00484275), ref: 00484108
OpenProcessToken.ADVAPI32(00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 0048411E
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,?,00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 00484139
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),?,?,?,?,TokenIntegrityLevel,00000000,00000000,?,00000000,00000008,?,00000400,00000000), ref: 00484168
GetLastError.KERNEL32(?,TokenIntegrityLevel,00000000,00000000,?,00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 00484177
CloseHandle.KERNEL32(?), ref: 00484185
LookupAccountSidA.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 004841B4
LookupAccountSidA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,?), ref: 00484205
CloseHandle.KERNEL32(00000000), ref: 00484255

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00451458, Relevance: 13.6, APIs: 9, Instructions: 122 Total matches: 3040window

Similarity

Total matches: 3040
API ID: PatBlt$SelectObject$GetDCExGetDesktopWindowReleaseDC
String ID:
API String ID: 2402848322-0
Opcode ID: 0b1cd19b0e82695ca21d43bacf455c9985e1afa33c1b29ce2f3a7090b744ccb2
Instruction ID: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593
Opcode Fuzzy Hash: C2F0B4482AADF707C8B6350915C7F79224AED736458F4BB694DB4172CBAF27B014D093
Instruction Fuzzy Hash: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593

APIs

GetDesktopWindow.USER32 ref: 0045148F
GetDCEx.USER32(?,00000000,00000402), ref: 004514A2

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

SelectObject.GDI32(?,00000000), ref: 004514C5
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 004514EB
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0045150D
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 0045152C
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 00451546
SelectObject.GDI32(?,?), ref: 00451553
ReleaseDC.USER32(?,?), ref: 0045156D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004117E8, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: f440f800a6dcfa6827f62dcd7c23166eba4d720ac19948e634cff8498f9e3f0b
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 4D113503239AAB83B0257B804C83F24D1D0DE42D36ACD97B8C672693F32601561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00411881
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041189D
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 004118D6
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411953
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0041196C
VariantCopy.OLEAUT32(?), ref: 004119A1

Strings

, xrefs: 00411802

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AC14, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 110 Total matches: 30

Similarity

Total matches: 30
API ID: GetCurrentProcessGetTokenInformationLookupPrivilegeDisplayNameLookupPrivilegeNameOpenProcessToken
String ID: GetTokenInformation error$OpenProcessToken error
API String ID: 34442935-1842041635
Opcode ID: 07715b92dc7caf9e715539a578f275bcd2bb60a34190f84cc6cf05c55eb8ea49
Instruction ID: 380ab001647c8b3903b6034fc21424389ae21c1771cfbd9cf9b74ae493e33b6b
Opcode Fuzzy Hash: 9101994303ACF753F62929086842BDA0550DF534A5EC4AB6281746BEC90F28203AFB57
Instruction Fuzzy Hash: 380ab001647c8b3903b6034fc21424389ae21c1771cfbd9cf9b74ae493e33b6b

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AD60), ref: 0048AC51
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AD60), ref: 0048AC57
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000320,?,00000000,00000028,?,00000000,0048AD60), ref: 0048AC7D
LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,00000000,000000FF,?), ref: 0048ACEE

Part of subcall function 00489B40: MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00489B84

LookupPrivilegeNameA.ADVAPI32(00000000,?,00000000,000000FF), ref: 0048ACDD

Strings

GetTokenInformation error, xrefs: 0048AC86
OpenProcessToken error, xrefs: 0048AC60

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E4A0, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68 Total matches: 2853string

Similarity

Total matches: 2853
API ID: GetSystemMetrics$GetMonitorInfoSystemParametersInfolstrcpy
String ID: DISPLAY$GetMonitorInfo
API String ID: 3432438702-1633989206
Opcode ID: eae47ffeee35c10db4cae29e8a4ab830895bcae59048fb7015cdc7d8cb0a928b
Instruction ID: 74142331967dee0409fd24cf408a58a7466f2520650418456c75ade1e3029da4
Opcode Fuzzy Hash: 28E068803A699081F86A71027110F4912B07AE7E47D883B92C4777051BD78265B91D01
Instruction Fuzzy Hash: 74142331967dee0409fd24cf408a58a7466f2520650418456c75ade1e3029da4

APIs

GetMonitorInfoA.USER32(?,?), ref: 0042E4D1
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042E4F8
GetSystemMetrics.USER32(00000000), ref: 0042E50D
GetSystemMetrics.USER32(00000001), ref: 0042E518
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0042E542

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

DISPLAY, xrefs: 0042E539
GetMonitorInfo, xrefs: 0042E4B8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004052FC, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38 Total matches: 3072filewindow

Similarity

Total matches: 3072
API ID: GetStdHandleWriteFile$MessageBox
String ID: Error$Runtime error at 00000000
API String ID: 877302783-2970929446
Opcode ID: a2f2a555d5de0ed3a3cdfe8a362fd9574088acc3a5edf2b323f2c4251b80d146
Instruction ID: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97
Opcode Fuzzy Hash: FED0A7C68438479FA141326030C4B2A00133F0762A9CC7396366CB51DFCF4954BCDD05
Instruction Fuzzy Hash: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405335
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 0040533B
GetStdHandle.KERNEL32(000000F5,00405384,00000002,?,00000000,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405350
WriteFile.KERNEL32(00000000,000000F5,00405384,00000002,?), ref: 00405356
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00405374

Strings

Error, xrefs: 00405368
Runtime error at 00000000, xrefs: 0040532E, 0040536D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E0DC, Relevance: 12.1, APIs: 8, Instructions: 100 Total matches: 31registry

Similarity

Total matches: 31
API ID: RegOpenKeyEx$RegCloseKeyRegDeleteValue
String ID:
API String ID: 2702562355-0
Opcode ID: ff1bffc0fc9da49c543c68ea8f8c068e074332158ed00d7e0855fec77d15ce10
Instruction ID: bb6f8a9e936068d281b70d3ea2ea02ff1a791729bc38357734c580253c916b5c
Opcode Fuzzy Hash: 00F0AD0155E9A353EBF654C41E127DB2082FF43A44D08FFB50392139D3DF581028E663
Instruction Fuzzy Hash: bb6f8a9e936068d281b70d3ea2ea02ff1a791729bc38357734c580253c916b5c

APIs

RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?,00000000,0046E238), ref: 0046E15A
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,000F003F,?,0046E23F,80000000,00000000,00000000,000F003F,?,00000000,0046E238), ref: 0046E17D
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,0046E23F,80000000,00000000,00000000,000F003F,?), ref: 0046E19D
RegOpenKeyExA.ADVAPI32(80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,0046E23F), ref: 0046E1BD
RegOpenKeyExA.ADVAPI32(80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001), ref: 0046E1DD
RegOpenKeyExA.ADVAPI32(80000006,00000000,00000000,000F003F,?,80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002), ref: 0046E1FD
RegDeleteValueA.ADVAPI32(?,00000000,00000000,0046E238), ref: 0046E20F
RegCloseKey.ADVAPI32(?,?,00000000,00000000,0046E238), ref: 0046E218

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004462F4, Relevance: 12.1, APIs: 8, Instructions: 99 Total matches: 293windowthread

Similarity

Total matches: 293
API ID: SendMessage$GetWindowThreadProcessId$GetCaptureGetParentIsWindowUnicode
String ID:
API String ID: 2317708721-0
Opcode ID: 8f6741418f060f953fc426fb00df5905d81b57fcb2f7a38cdc97cb0aab6d7365
Instruction ID: 027f2b09132ef415e1641618d15c0fc03404835376b0cbd1c352fc703b58c8b5
Opcode Fuzzy Hash: D0F09E15071D1844F89FA7844CD3F1F0150E73726FC516A251861D07BB2640586DEC40
Instruction Fuzzy Hash: 027f2b09132ef415e1641618d15c0fc03404835376b0cbd1c352fc703b58c8b5

APIs

GetCapture.USER32 ref: 0044631A
GetParent.USER32(00000000), ref: 00446340
IsWindowUnicode.USER32(00000000), ref: 0044635D
SendMessageW.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446378
SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446397
GetWindowThreadProcessId.USER32(00000000), ref: 004463A6
GetWindowThreadProcessId.USER32(?,?), ref: 004463B4
SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 004463D4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E244, Relevance: 12.1, APIs: 8, Instructions: 95 Total matches: 27registry

Similarity

Total matches: 27
API ID: RegOpenKeyEx$RegCloseKeyRegDeleteKey
String ID:
API String ID: 1588268847-0
Opcode ID: efa1fa3a126963e045954320cca245066a4b5764b694b03be027155e6cf74c33
Instruction ID: 786d86d630c0ce6decb55c8266b1f23f89dbfeab872e22862efc69a80fb541cf
Opcode Fuzzy Hash: 70F0810454D99393EFF268C81A627EB2492FF53141C00BFB603D222A93DF191428E663
Instruction Fuzzy Hash: 786d86d630c0ce6decb55c8266b1f23f89dbfeab872e22862efc69a80fb541cf

APIs

RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?,00000000,0046E391), ref: 0046E2B7
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,000F003F,?,80000000,00000000,00000000,000F003F,?,00000000,0046E391), ref: 0046E2DA
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,80000000,00000000,00000000,000F003F,?,00000000), ref: 0046E2FA
RegOpenKeyExA.ADVAPI32(80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,80000000), ref: 0046E31A
RegOpenKeyExA.ADVAPI32(80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001), ref: 0046E33A
RegOpenKeyExA.ADVAPI32(80000006,00000000,00000000,000F003F,?,80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002), ref: 0046E35A
RegDeleteKeyA.ADVAPI32(?,0046E39C), ref: 0046E368
RegCloseKey.ADVAPI32(?,?,0046E39C,00000000,0046E391), ref: 0046E371

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426060, Relevance: 12.1, APIs: 8, Instructions: 79 Total matches: 3072window

Similarity

Total matches: 3072
API ID: GetSystemPaletteEntries$GetDCGetDeviceCapsReleaseDC
String ID:
API String ID: 3774187343-0
Opcode ID: c8a1f0028bda89d06ba34fecd970438ce26e4f5bd606e2da3d468695089984a8
Instruction ID: 0cfe958825060108f21fe327ec74807f3ea840bb8274bad68fd1d00675d59d02
Opcode Fuzzy Hash: 82F0E9420739F3B3B21723492453B548250FF006B8F195B7095A2A37D54B486A08D65A
Instruction Fuzzy Hash: 0cfe958825060108f21fe327ec74807f3ea840bb8274bad68fd1d00675d59d02

APIs

GetDC.USER32(00000000), ref: 0042608E
GetDeviceCaps.GDI32(?,00000068), ref: 004260AA
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 004260C9
GetSystemPaletteEntries.GDI32(?,-00000008,00000001,00C0C0C0), ref: 004260ED
GetSystemPaletteEntries.GDI32(?,00000000,00000007,?), ref: 0042610B
GetSystemPaletteEntries.GDI32(?,00000007,00000001,?), ref: 0042611F
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0042613F
ReleaseDC.USER32(00000000,?), ref: 00426157

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434550, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 177 Total matches: 2669window

Similarity

Total matches: 2669
API ID: InsertMenu$GetVersionInsertMenuItem
String ID: ,$?
API String ID: 1158528009-2308483597
Opcode ID: 3691d3eb49acf7fe282d18733ae3af9147e5be4a4a7370c263688d5644077239
Instruction ID: d88e58a9695d0ecde36b26a9ed5775f3b98e27f7dc2108173ae1ec2afbf22209
Opcode Fuzzy Hash: 7021C07202AE81DBD414788C7954F6221B16B5465FD49FF210329B5DD98F156003FF7A
Instruction Fuzzy Hash: d88e58a9695d0ecde36b26a9ed5775f3b98e27f7dc2108173ae1ec2afbf22209

APIs

GetVersion.KERNEL32(00000000,004347A1), ref: 004345EC
InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 004346F5
InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 0043477E

Part of subcall function 00434A54: CreatePopupMenu.USER32 ref: 00434A6F
Part of subcall function 00434A54: CreateMenu.USER32 ref: 00434A79

InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 00434765

Strings

?, xrefs: 00434607
,, xrefs: 00434600

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446524, Relevance: 10.6, APIs: 7, Instructions: 105 Total matches: 329window

Similarity

Total matches: 329
API ID: PeekMessage$DispatchMessage$IsWindowUnicodeTranslateMessage
String ID:
API String ID: 94033680-0
Opcode ID: 72d0e2097018c2d171db36cd9dd5c7d628984fd68ad100676ade8b40d7967d7f
Instruction ID: b3581f7210794b57d406096c46509e1a6dcc6e0b3c60c7d01b5c3c410123a072
Opcode Fuzzy Hash: A2F0F642161A8221F90E364651E2FC06559E31F39CCD1D3871165A4192DF8573D6F95C
Instruction Fuzzy Hash: b3581f7210794b57d406096c46509e1a6dcc6e0b3c60c7d01b5c3c410123a072

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00446538
IsWindowUnicode.USER32 ref: 0044654C
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0044656D
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00446583

Part of subcall function 00447DD0: GetCapture.USER32 ref: 00447DDA
Part of subcall function 00447DD0: GetParent.USER32(00000000), ref: 00447E08

Part of subcall function 004462A4: TranslateMDISysAccel.USER32(?), ref: 004462E3

Part of subcall function 004462F4: GetCapture.USER32 ref: 0044631A
Part of subcall function 004462F4: GetParent.USER32(00000000), ref: 00446340
Part of subcall function 004462F4: IsWindowUnicode.USER32(00000000), ref: 0044635D
Part of subcall function 004462F4: SendMessageW.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446378
Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446397
Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(00000000), ref: 004463A6
Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(?,?), ref: 004463B4
Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 004463D4

Part of subcall function 0044625C: IsWindowUnicode.USER32(00000000), ref: 00446270
Part of subcall function 0044625C: IsDialogMessageW.USER32(?), ref: 00446281
Part of subcall function 0044625C: IsDialogMessageA.USER32(?,?,00000000,015B8130,00000001,00446607,?,00000000,00000000,00000000,00000001,?,00000000,00000000,00000000,00000000), ref: 00446296

TranslateMessage.USER32 ref: 0044660C
DispatchMessageW.USER32 ref: 00446618
DispatchMessageA.USER32 ref: 00446620

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004282D0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99 Total matches: 1938

Similarity

Total matches: 1938
API ID: GetWinMetaFileBitsMulDiv$GetDC
String ID: `
API String ID: 1171737091-2679148245
Opcode ID: 97e0afb71fd3017264d25721d611b96d1ac3823582e31f119ebb41a52f378edb
Instruction ID: fd1c75cb27f8ccc4a85bc281ca680933f7ff10ae91a160973978cac80d6b42b6
Opcode Fuzzy Hash: B6F0ACC4008CD2A7D87675DC1043F6311C897CA286E89BB739226A7307CB0AA019EC47
Instruction Fuzzy Hash: fd1c75cb27f8ccc4a85bc281ca680933f7ff10ae91a160973978cac80d6b42b6

APIs

MulDiv.KERNEL32(?,?,000009EC), ref: 00428322
MulDiv.KERNEL32(?,?,000009EC), ref: 00428339
GetDC.USER32(00000000), ref: 00428350
GetWinMetaFileBits.GDI32(?,00000000,00000000,00000008,?), ref: 00428374
GetWinMetaFileBits.GDI32(?,?,?,00000008,?), ref: 004283A7

Part of subcall function 00425A70: GetLastError.KERNEL32(00000000,00425B0C), ref: 00425A90
Part of subcall function 00425A70: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00425B0C), ref: 00425AB6

Strings

`, xrefs: 00428308

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444344, Relevance: 10.6, APIs: 7, Instructions: 89 Total matches: 2886

Similarity

Total matches: 2886
API ID: CreateFontIndirect$GetStockObjectSystemParametersInfo
String ID:
API String ID: 1286667049-0
Opcode ID: beeb678630a8d2ca0f721ed15124802961745e4c56d7c704ecddf8ebfa723626
Instruction ID: b9276e4cea0afd1028da4d528d34847b13dbaab52dc8e94e54053a20ac38a9fc
Opcode Fuzzy Hash: 00F0A4C36341F6F2D8993208742172161E6A74AE78C7CFF62422930ED2661A052EEB4F
Instruction Fuzzy Hash: b9276e4cea0afd1028da4d528d34847b13dbaab52dc8e94e54053a20ac38a9fc

APIs

SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 00444399
CreateFontIndirectA.GDI32(?), ref: 004443A6
GetStockObject.GDI32(0000000D), ref: 004443BC
SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 004443E5
CreateFontIndirectA.GDI32(?), ref: 004443F5
CreateFontIndirectA.GDI32(?), ref: 0044440E

Part of subcall function 00424A5C: MulDiv.KERNEL32(00000000,?,00000048), ref: 00424A69

GetStockObject.GDI32(0000000D), ref: 00444434

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428A00, Relevance: 10.6, APIs: 7, Instructions: 66 Total matches: 3056

Similarity

Total matches: 3056
API ID: SelectObject$CreateCompatibleDCDeleteDCGetDCReleaseDCSetDIBColorTable
String ID:
API String ID: 2399757882-0
Opcode ID: e05996493a4a7703f1d90fd319a439bf5e8e75d5a5d7afaf7582bfea387cb30d
Instruction ID: 90c847b5b2251fbb5b2f14fd0b24f537c214c92e226752d9278a3821f2f40b8f
Opcode Fuzzy Hash: 73E0DF8626D8F38BE435399C15C2BB202EAD763D20D1ABBA1CD712B5DB6B09701CE107
Instruction Fuzzy Hash: 90c847b5b2251fbb5b2f14fd0b24f537c214c92e226752d9278a3821f2f40b8f

APIs

Part of subcall function 004262B4: GetObjectA.GDI32(?,00000004), ref: 004262CB
Part of subcall function 004262B4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 004262EE

GetDC.USER32(00000000), ref: 00428A3E
CreateCompatibleDC.GDI32(?), ref: 00428A4A
SelectObject.GDI32(?), ref: 00428A57
SetDIBColorTable.GDI32(?,00000000,00000000,?), ref: 00428A7B
SelectObject.GDI32(?,?), ref: 00428A95
DeleteDC.GDI32(?), ref: 00428A9E
ReleaseDC.USER32(00000000,?), ref: 00428AA9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004442A8, Relevance: 10.6, APIs: 7, Instructions: 57 Total matches: 3149threadwindow

Similarity

Total matches: 3149
API ID: SendMessage$GetCurrentThreadIdGetCursorPosGetWindowThreadProcessIdSetCursorWindowFromPoint
String ID:
API String ID: 3843227220-0
Opcode ID: 636f8612f18a75fc2fe2d79306f1978e6c2d0ee500cce15a656835efa53532b4
Instruction ID: 91a0691e93be75cbd792bc1c5d11451005bcc187603754b99125f381020161aa
Opcode Fuzzy Hash: 6FE07D44093723D5C0644A295640705A6C6CB96630DC0DB86C339580FBAD0214F0BC92
Instruction Fuzzy Hash: 91a0691e93be75cbd792bc1c5d11451005bcc187603754b99125f381020161aa

APIs

GetCursorPos.USER32 ref: 004442C3
WindowFromPoint.USER32(?,?), ref: 004442D0
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004442DE
GetCurrentThreadId.KERNEL32(00000000,00000000,?,?), ref: 004442E5
SendMessageA.USER32(00000000,00000084,00000000,?), ref: 0044430E
SendMessageA.USER32(00000000,00000020,00000000,?), ref: 00444320
SetCursor.USER32(00000000), ref: 00444332

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00404448, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 49 Total matches: 63registry

Similarity

Total matches: 63
API ID: RegCloseKeyRegOpenKeyExRegQueryValueEx
String ID: &$FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 2249749755-409351
Opcode ID: ab90adbf7b939076b4d26ef1005f34fa32d43ca05e29cbeea890055cc8b783db
Instruction ID: ce62e3bb234767a160e82b0d7d36def6f0e4d1aa0fd43ed305e6d49589b0b3e0
Opcode Fuzzy Hash: 58D02BE10C9A675FB6B071543292B6310A3F72AA8CC0077326DD03A0D64FD26178CF03
Instruction Fuzzy Hash: ce62e3bb234767a160e82b0d7d36def6f0e4d1aa0fd43ed305e6d49589b0b3e0

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040446A
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,&,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040449D
RegCloseKey.ADVAPI32(?,004044C0,00000000,?,00000004,00000000,&,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004044B3

Strings

&, xrefs: 00404476
FPUMaskValue, xrefs: 00404494
SOFTWARE\Borland\Delphi\RTL, xrefs: 00404460

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043EC18, Relevance: 9.2, APIs: 6, Instructions: 150 Total matches: 2896

Similarity

Total matches: 2896
API ID: FillRect$BeginPaintEndPaintGetClientRectGetWindowRect
String ID:
API String ID: 2931688664-0
Opcode ID: 677a90f33c4a0bae1c1c90245e54b31fe376033ebf9183cf3cf5f44c7b342276
Instruction ID: 65c0a0a89661e183b73f48e61e48bee5eb6d6399339ac08e0e21072a38132552
Opcode Fuzzy Hash: 9711994A819E5007F47B49C40887BEA1092FBC1FDBCC8FF7025A426BCB0B60564F860B
Instruction Fuzzy Hash: 65c0a0a89661e183b73f48e61e48bee5eb6d6399339ac08e0e21072a38132552

APIs

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?), ref: 0043EC91
GetClientRect.USER32(00000000,?), ref: 0043ECBC
FillRect.USER32(?,?,00000000), ref: 0043ECDB

Part of subcall function 0043EB8C: CallWindowProcA.USER32(?,?,?,?,?), ref: 0043EBC6

Part of subcall function 0043B78C: GetWindowLongA.USER32(?,000000EC), ref: 0043B799
Part of subcall function 0043B78C: SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B7BC
Part of subcall function 0043B78C: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043B7CE

BeginPaint.USER32(?,?), ref: 0043ED53
GetWindowRect.USER32(?,?), ref: 0043ED80

Part of subcall function 0044EEA0: GetWindowOrgEx.GDI32(?), ref: 0044EEAE
Part of subcall function 0044EEA0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044EEC4

Part of subcall function 00455D50: BeginPaint.USER32(00000000,?), ref: 00455D7B
Part of subcall function 00455D50: SaveDC.GDI32(00000000), ref: 00455DB4
Part of subcall function 00455D50: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 00455E36
Part of subcall function 00455D50: RestoreDC.GDI32(00000000,00000000), ref: 00455E6C
Part of subcall function 00455D50: EndPaint.USER32(00000000,?), ref: 00455EA9

EndPaint.USER32(?,?), ref: 0043EDE0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00441160, Relevance: 9.1, APIs: 6, Instructions: 125 Total matches: 196

Similarity

Total matches: 196
API ID: ExcludeClipRectFillRectGetStockObjectRestoreDCSaveDCSetBkColor
String ID:
API String ID: 3049133588-0
Opcode ID: d6019f6cee828ac7391376ab126a0af33bb7a71103bbd3b8d69450c96d22d854
Instruction ID: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c
Opcode Fuzzy Hash: 54012444004F6253F4AB098428E7FA56083F721791CE4FF310786616C34A74615BAA07
Instruction Fuzzy Hash: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c

APIs

Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE

SaveDC.GDI32(?), ref: 004411AD
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00441234
GetStockObject.GDI32(00000004), ref: 00441256
FillRect.USER32(00000000,?,00000000), ref: 0044126F

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(00000000,00000000), ref: 004412BA

Part of subcall function 0042535C: FillRect.USER32(?,00000000,00000000), ref: 00425385

RestoreDC.GDI32(00000000,?), ref: 004412E5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426564, Relevance: 9.1, APIs: 6, Instructions: 84 Total matches: 3298

Similarity

Total matches: 3298
API ID: GetDeviceCapsGetSystemMetrics$GetDCReleaseDC
String ID:
API String ID: 3173458388-0
Opcode ID: fd9f4716da230ae71bf1f4ec74ceb596be8590d72bfe1d7677825fa15454f496
Instruction ID: 76208f8db54bfa31a4e946745ab37a866a8afca9cd7e1400b1f436bf5add317d
Opcode Fuzzy Hash: 0CF09E4906CDE0A230E245C41213F6290C28E85DA1CCD2F728175646EB900A900BB68A
Instruction Fuzzy Hash: 76208f8db54bfa31a4e946745ab37a866a8afca9cd7e1400b1f436bf5add317d

APIs

GetSystemMetrics.USER32(0000000B), ref: 004265B2
GetSystemMetrics.USER32(0000000C), ref: 004265BE
GetDC.USER32(00000000), ref: 004265DA
GetDeviceCaps.GDI32(00000000,0000000E), ref: 00426601
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042660E
ReleaseDC.USER32(00000000,00000000), ref: 00426647

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004269DC, Relevance: 9.1, APIs: 6, Instructions: 65 Total matches: 3081window

Similarity

Total matches: 3081
API ID: SelectPalette$CreateCompatibleDCDeleteDCGetDIBitsRealizePalette
String ID:
API String ID: 940258532-0
Opcode ID: c5678bed85b02f593c88b8d4df2de58c18800a354d7fb4845608846d7bc0f30b
Instruction ID: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194
Opcode Fuzzy Hash: BCE0864D058EF36F1875B08C25D267100C0C9A25D0917BB6151282339B8F09B42FE553
Instruction Fuzzy Hash: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194

APIs

Part of subcall function 00426888: GetObjectA.GDI32(?,00000054), ref: 0042689C

CreateCompatibleDC.GDI32(00000000), ref: 004269FE
SelectPalette.GDI32(?,?,00000000), ref: 00426A1F
RealizePalette.GDI32(?), ref: 00426A2B
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 00426A42
SelectPalette.GDI32(?,00000000,00000000), ref: 00426A6A
DeleteDC.GDI32(?), ref: 00426A73

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426210, Relevance: 9.1, APIs: 6, Instructions: 56 Total matches: 3064window

Similarity

Total matches: 3064
API ID: SelectObject$CreateCompatibleDCCreatePaletteDeleteDCGetDIBColorTable
String ID:
API String ID: 2522673167-0
Opcode ID: 8f0861977a40d6dd0df59c1c8ae10ba78c97ad85d117a83679491ebdeecf1838
Instruction ID: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265
Opcode Fuzzy Hash: 23E0CD8BABB4E08A797B9EA40440641D28F874312DF4347525731780E7DE0972EBFD9D
Instruction Fuzzy Hash: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265

APIs

CreateCompatibleDC.GDI32(00000000), ref: 00426229
SelectObject.GDI32(00000000,00000000), ref: 00426232
GetDIBColorTable.GDI32(00000000,00000000,00000100,?), ref: 00426246
SelectObject.GDI32(00000000,00000000), ref: 00426252
DeleteDC.GDI32(00000000), ref: 00426258
CreatePalette.GDI32 ref: 0042629F

Part of subcall function 00426178: GetDC.USER32(00000000), ref: 00426190
Part of subcall function 00426178: GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
Part of subcall function 00426178: ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004258EC, Relevance: 9.0, APIs: 6, Instructions: 43 Total matches: 3205

Similarity

Total matches: 3205
API ID: SetBkColorSetBkMode$SelectObjectUnrealizeObject
String ID:
API String ID: 865388446-0
Opcode ID: ffaa839b37925f52af571f244b4bcc9ec6d09047a190f4aa6a6dd435522a71e3
Instruction ID: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d
Opcode Fuzzy Hash: 04D09E594221F71A98E8058442D7D520586497D532DAF3B51063B173F7F8089A05D9FC
Instruction Fuzzy Hash: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d

APIs

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

UnrealizeObject.GDI32(00000000), ref: 004258F8
SelectObject.GDI32(?,00000000), ref: 0042590A
SetBkColor.GDI32(?,00000000), ref: 0042592D
SetBkMode.GDI32(?,00000002), ref: 00425938

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(?,00000000), ref: 00425953
SetBkMode.GDI32(?,00000001), ref: 0042595E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042A930, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 112 Total matches: 272window

Similarity

Total matches: 272
API ID: CreateHalftonePaletteDeleteObjectGetDCReleaseDC
String ID: (
API String ID: 5888407-3887548279
Opcode ID: 4e22601666aff46a46581565b5bf303763a07c2fd17868808ec6dd327d665c82
Instruction ID: f57f3c124764741b0e8e00b5455ad9be4a6e3969f543885727e4b1f2e22c0620
Opcode Fuzzy Hash: 79019E5241CC6117F8D7A6547852F732644AB806A5C80FB707B69BA8CFAB85610EB90B
Instruction Fuzzy Hash: f57f3c124764741b0e8e00b5455ad9be4a6e3969f543885727e4b1f2e22c0620

APIs

GetDC.USER32(00000000), ref: 0042A9EC
CreateHalftonePalette.GDI32(00000000), ref: 0042A9F9
ReleaseDC.USER32(00000000,00000000), ref: 0042AA08
DeleteObject.GDI32(00000000), ref: 0042AA76

Strings

(, xrefs: 0042A9A3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DA48, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 102 Total matches: 32

Similarity

Total matches: 32
API ID: Netbios
String ID: %.2x-%.2x-%.2x-%.2x-%.2x-%.2x$3$memory allocation failed!
API String ID: 544444789-2654533857
Opcode ID: 22deb5ba4c8dd5858e69645675ac88c4b744798eed5cc2a6ae80ae5365d1f156
Instruction ID: 205d53b38d78d2d0723284a20418f6a6cc2e9f6e34ee92e133a3f4b1a01c78c5
Opcode Fuzzy Hash: FC0145449793E233D2635E086C60F6823228F41731FC96B56863A557DC1F09420EF26F
Instruction Fuzzy Hash: 205d53b38d78d2d0723284a20418f6a6cc2e9f6e34ee92e133a3f4b1a01c78c5

APIs

Netbios.NETAPI32(00000032), ref: 0048DA8A
Netbios.NETAPI32(00000033), ref: 0048DB01

Strings

3, xrefs: 0048DACB
memory allocation failed!, xrefs: 0048DAEB
%.2x-%.2x-%.2x-%.2x-%.2x-%.2x, xrefs: 0048DBA0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482320, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85 Total matches: 19threadsleep

Similarity

Total matches: 19
API ID: CreateThreadExitThreadSleep
String ID: @$BTRESULTUDP Flood|UDP Flood task finished!|
API String ID: 2170526433-696998096
Opcode ID: 89b2bcb3a41e7f4c01433908cc75e320bbcd6b665df0f15f136d145bd92b223a
Instruction ID: ba785c08286949be7b8d16e5cc6bc2a647116c61844ba5f345475ef84eb05628
Opcode Fuzzy Hash: F0F02B696BCAA1DFE8075C446C42B9B2054DBC740EDCBA7B2261B235819A4A34073F13
Instruction Fuzzy Hash: ba785c08286949be7b8d16e5cc6bc2a647116c61844ba5f345475ef84eb05628

APIs

Sleep.KERNEL32(00000064,?,00000000,00482455), ref: 004823D3
CreateThread.KERNEL32(00000000,00000000,Function_000821A0,00000000,00000000,?), ref: 004823E8

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000,00000000,00000000,Function_000821A0,00000000,00000000,?,00000064,?,00000000,00482455), ref: 0048242B

Strings

@, xrefs: 004823BE
BTRESULTUDP Flood|UDP Flood task finished!|, xrefs: 00482417

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004827C4, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85 Total matches: 19threadsleep

Similarity

Total matches: 19
API ID: CreateThreadExitThreadSleep
String ID: @$BTRESULTSyn Flood|Syn task finished!|
API String ID: 2170526433-491318438
Opcode ID: 44470ceb4039b0deeebf49dfd608d8deeadfb9ebb9d7d747ae665e3d160d324e
Instruction ID: 0c48cfc9b202c7a9406c9b87cea66b669ffe7f04b2bdabee49179f6eebcccd33
Opcode Fuzzy Hash: 17F02B24A7D9B5DFEC075D402D42BDB6254EBC784EDCAA7B29257234819E1A30037713
Instruction Fuzzy Hash: 0c48cfc9b202c7a9406c9b87cea66b669ffe7f04b2bdabee49179f6eebcccd33

APIs

Sleep.KERNEL32(00000064,?,00000000,004828F9), ref: 00482877
CreateThread.KERNEL32(00000000,00000000,Function_00082630,00000000,00000000,?), ref: 0048288C

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000,00000000,00000000,Function_00082630,00000000,00000000,?,00000064,?,00000000,004828F9), ref: 004828CF

Strings

BTRESULTSyn Flood|Syn task finished!|, xrefs: 004828BB
@, xrefs: 00482862

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00483858, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85 Total matches: 19threadsleep

Similarity

Total matches: 19
API ID: CreateThreadExitThreadSleep
String ID: @$BTRESULTHTTP Flood|Http Flood task finished!|
API String ID: 2170526433-4253556105
Opcode ID: ce1973b24f73c03e98cc87b7d8b3c5c1d23a0e8b985775cb0889d2fdef58f970
Instruction ID: 21c0fad9eccbf28bfd57fbbbc49df069a42e3d2ebba60de991032031fecca495
Opcode Fuzzy Hash: 5DF0F61467DBA0AFEC476D403852FDB6254DBC344EDCAA7B2961B234919A0B50072752
Instruction Fuzzy Hash: 21c0fad9eccbf28bfd57fbbbc49df069a42e3d2ebba60de991032031fecca495

APIs

Sleep.KERNEL32(00000064,?,00000000,0048398D), ref: 0048390B
CreateThread.KERNEL32(00000000,00000000,Function_000836D8,00000000,00000000,?), ref: 00483920

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000,00000000,00000000,Function_000836D8,00000000,00000000,?,00000064,?,00000000,0048398D), ref: 00483963

Strings

@, xrefs: 004838F6
BTRESULTHTTP Flood|Http Flood task finished!|, xrefs: 0048394F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EA7C, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50 Total matches: 198thread

Similarity

Total matches: 198
API ID: FindWindowExGetCurrentThreadIdGetWindowThreadProcessIdIsWindow
String ID: OleMainThreadWndClass
API String ID: 201132107-3883841218
Opcode ID: cdbacb71e4e8a6832b821703e69153792bbbb8731c9381be4d3b148a6057b293
Instruction ID: 62358f18f5a79d764869bf2b093b0b3ccaeb62bda00a46bd1094c38cdaeeb6b7
Opcode Fuzzy Hash: F8E08C9266CC1095C039EA1C7A2237A3548B7D24E9ED4DB747BEB2716CEF00022A7780
Instruction Fuzzy Hash: 62358f18f5a79d764869bf2b093b0b3ccaeb62bda00a46bd1094c38cdaeeb6b7

APIs

Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00000000,00403029), ref: 004076AD
Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00403029), ref: 004076BE

IsWindow.USER32(?), ref: 0042EA99
FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
GetCurrentThreadId.KERNEL32(?,00000000,00000000,00000000,OleMainThreadWndClass,00000000,?,?,00000000,0042EB52), ref: 0042EB0A

Strings

OleMainThreadWndClass, xrefs: 0042EAC3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434AE4, Relevance: 7.7, APIs: 5, Instructions: 168 Total matches: 2874

Similarity

Total matches: 2874
API ID: DrawTextOffsetRect$DrawEdge
String ID:
API String ID: 1230182654-0
Opcode ID: 4033270dfa35f51a11e18255a4f5fd5a4a02456381e8fcea90fa62f052767fcc
Instruction ID: 6b9e5ef3b45a4a7d0cb501c9f56a29ead01efbe1e1581f942ef4c6a165ab8663
Opcode Fuzzy Hash: A511CB01114D5A93E431240815A7FEF1295FBC1A9BCD4BB71078636DBB2F481017EA7B
Instruction Fuzzy Hash: 6b9e5ef3b45a4a7d0cb501c9f56a29ead01efbe1e1581f942ef4c6a165ab8663

APIs

DrawEdge.USER32(00000000,?,00000006,00000002), ref: 00434BB3
OffsetRect.USER32(?,00000001,00000001), ref: 00434C04
DrawTextA.USER32(00000000,00000000,?,?,?), ref: 00434C3D
OffsetRect.USER32(?,000000FF,000000FF), ref: 00434C4A

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

DrawTextA.USER32(00000000,00000000,?,?,?), ref: 00434CB5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004455EC, Relevance: 7.6, APIs: 5, Instructions: 109 Total matches: 230

Similarity

Total matches: 230
API ID: ShowOwnedPopupsShowWindow$EnumWindows
String ID:
API String ID: 1268429734-0
Opcode ID: 27bb45b2951756069d4f131311b8216febb656800ffc3f7147a02f570a82fa35
Instruction ID: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc
Opcode Fuzzy Hash: 70012B5524E87325E2756D54B01C765A2239B0FF08CE6C6654AAE640F75E1E0132F78D
Instruction Fuzzy Hash: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc

APIs

EnumWindows.USER32(00445518,00000000), ref: 00445620
ShowWindow.USER32(?,00000000), ref: 00445655
ShowOwnedPopups.USER32(00000000,?), ref: 00445684
ShowWindow.USER32(?,00000005), ref: 004456EA
ShowOwnedPopups.USER32(00000000,?), ref: 00445719

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EB3C, Relevance: 7.6, APIs: 5, Instructions: 86 Total matches: 211window

Similarity

Total matches: 211
API ID: DispatchMessageMsgWaitForMultipleObjectsExPeekMessageTranslateMessageWaitForMultipleObjectsEx
String ID:
API String ID: 1615661765-0
Opcode ID: ed928f70f25773e24e868fbc7ee7d77a1156b106903410d7e84db0537b49759f
Instruction ID: 55a40452e6c929106030349fb2bc1598364ce2fc4e781c2a916e8f687fa462b2
Opcode Fuzzy Hash: DDF05C09614F1D16D8BB88644562B1B2144AB42397C26BFA5529EE3B2D6B18B00AF640
Instruction Fuzzy Hash: 55a40452e6c929106030349fb2bc1598364ce2fc4e781c2a916e8f687fa462b2

APIs

Part of subcall function 0042EA7C: IsWindow.USER32(?), ref: 0042EA99
Part of subcall function 0042EA7C: FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
Part of subcall function 0042EA7C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
Part of subcall function 0042EA7C: GetCurrentThreadId.KERNEL32(?,00000000,00000000,00000000,OleMainThreadWndClass,00000000,?,?,00000000,0042EB52), ref: 0042EB0A

MsgWaitForMultipleObjectsEx.USER32(?,?,?,000000BF,?), ref: 0042EB6A
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 0042EB85
TranslateMessage.USER32(?), ref: 0042EB92
DispatchMessageA.USER32(?), ref: 0042EB9B
WaitForMultipleObjectsEx.KERNEL32(?,?,?,?,00000000), ref: 0042EBC7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434924, Relevance: 7.6, APIs: 5, Instructions: 77 Total matches: 2509window

Similarity

Total matches: 2509
API ID: GetMenuItemCount$DestroyMenuGetMenuStateRemoveMenu
String ID:
API String ID: 4240291783-0
Opcode ID: 32de4ad86fdb0cc9fc982d04928276717e3a5babd97d9cb0bc7430a9ae97d0ca
Instruction ID: cf6877f9ad33401498591f2bf6e6844a5ca439f59e89e6fdb213c81f0c010526
Opcode Fuzzy Hash: 6BE02BD3455E4703F425AB0454E3FA913C4AF51716DA0DB1017359D07B1F26501FE9F4
Instruction Fuzzy Hash: cf6877f9ad33401498591f2bf6e6844a5ca439f59e89e6fdb213c81f0c010526

APIs

Part of subcall function 00434A54: CreatePopupMenu.USER32 ref: 00434A6F
Part of subcall function 00434A54: CreateMenu.USER32 ref: 00434A79

GetMenuItemCount.USER32(00000000), ref: 0043495C
GetMenuState.USER32(00000000,-00000001,00000400), ref: 0043497D
RemoveMenu.USER32(00000000,-00000001,00000400), ref: 00434994
GetMenuItemCount.USER32(00000000), ref: 004349C4
DestroyMenu.USER32(00000000), ref: 004349D1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00443430, Relevance: 7.6, APIs: 5, Instructions: 61 Total matches: 3003

Similarity

Total matches: 3003
API ID: SetWindowLong$GetWindowLongRedrawWindowSetLayeredWindowAttributes
String ID:
API String ID: 3761630487-0
Opcode ID: 9c9d49d1ef37d7cb503f07450c0d4a327eb9b2b4778ec50dcfdba666c10abcb3
Instruction ID: c6d9d2cd31c241e86b7d90949bf59b5cad1e27a78e0073c3828bbb8e9ec94880
Opcode Fuzzy Hash: 6AE06550D41703A1D48114945B63FBBE8817F8911DDE5C71001BA29145BA88A192FF7B
Instruction Fuzzy Hash: c6d9d2cd31c241e86b7d90949bf59b5cad1e27a78e0073c3828bbb8e9ec94880

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 00443464
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 00443496
SetLayeredWindowAttributes.USER32(00000000,?,?,00000000), ref: 004434CF
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 004434E8
RedrawWindow.USER32(00000000,00000000,00000000,00000485), ref: 004434FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426178, Relevance: 7.6, APIs: 5, Instructions: 55 Total matches: 3070window

Similarity

Total matches: 3070
API ID: GetPaletteEntries$GetDCGetDeviceCapsReleaseDC
String ID:
API String ID: 1267235336-0
Opcode ID: 49f91625e0dd571c489fa6fdad89a91e8dd79834746e98589081ca7a3a4fea17
Instruction ID: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836
Opcode Fuzzy Hash: 7CD0C2AA1389DBD6BD6A17842352A4553478983B09D126B32EB0822872850C5039FD1F
Instruction Fuzzy Hash: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836

APIs

GetDC.USER32(00000000), ref: 00426190
GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444B90, Relevance: 7.5, APIs: 5, Instructions: 25 Total matches: 2957synchronizationthread

Similarity

Total matches: 2957
API ID: CloseHandleGetCurrentThreadIdSetEventUnhookWindowsHookExWaitForSingleObject
String ID:
API String ID: 3442057731-0
Opcode ID: bc40a7f740796d43594237fc13166084f8c3b10e9e48d5138e47e82ca7129165
Instruction ID: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1
Opcode Fuzzy Hash: E9C01296B2C9B0C1EC809712340202800B20F8FC590E3DE0509D7363005315D73CD92C
Instruction Fuzzy Hash: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1

APIs

UnhookWindowsHookEx.USER32(00000000), ref: 00444B9F
SetEvent.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBA
GetCurrentThreadId.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBF
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00444BD4
CloseHandle.KERNEL32(00000000), ref: 00444BDF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040D670, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148 Total matches: 3566thread

Similarity

Total matches: 3566
API ID: GetThreadLocale
String ID: eeee$ggg$yyyy
API String ID: 1366207816-1253427255
Opcode ID: 86fa1fb3c1f239f42422769255d2b4db7643f856ec586a18d45da068e260c20e
Instruction ID: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436
Opcode Fuzzy Hash: 3911BD8712648363D5722818A0D2BE3199C5703CA4EA89742DDB6356EA7F09440BEE6D
Instruction Fuzzy Hash: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436

APIs

GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Strings

eeee, xrefs: 0040D7AE
yyyy, xrefs: 0040D795
ggg, xrefs: 0040D785

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F5E4, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72 Total matches: 26window

Similarity

Total matches: 26
API ID: GetWindowPlacementGetWindowTextIsWindowVisible
String ID: ,
API String ID: 41250382-3772416878
Opcode ID: d98ece8bad481757d152ad7594c705093dec75069e9b5f9ec314c4d81001c558
Instruction ID: 1b57460ef1e40e225087e69e669dd845b9a56fe4f5442601256b4cdd4d0865f6
Opcode Fuzzy Hash: DBE0ABC68782816BD907FDCCB0207E6E1E4779394CC8CBB32C606396E44D92000DCE69
Instruction Fuzzy Hash: 1b57460ef1e40e225087e69e669dd845b9a56fe4f5442601256b4cdd4d0865f6

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F634
GetWindowPlacement.USER32(?,0000002C), ref: 0046F64F
IsWindowVisible.USER32(?), ref: 0046F655

Strings

,, xrefs: 0046F643

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00485150, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64 Total matches: 24registry

Similarity

Total matches: 24
API ID: RegCloseKeyRegOpenKeyRegSetValueEx
String ID: Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 551737238-1428018034
Opcode ID: 03d06dea9a4ea131a8c95bd501c85e7d0b73df60e0a15cb9a2dd1ac9fe2d308f
Instruction ID: 259808f008cd29689f11a183a475b32bbb219f99a0f83129d86369365ce9f44d
Opcode Fuzzy Hash: 15E04F8517EAE2ABA996B5C838866F7609A9713790F443FB19B742F18B4F04601CE243
Instruction Fuzzy Hash: 259808f008cd29689f11a183a475b32bbb219f99a0f83129d86369365ce9f44d

APIs

RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 00485199
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,?,00000000,004851DE,?,00000000,0048520A), ref: 004851C6
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,?,00000000,004851DE,?,00000000,0048520A), ref: 004851CF

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 0048518F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004606CC, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 59 Total matches: 75network

Similarity

Total matches: 75
API ID: gethostbynameinet_addr
String ID: %d.%d.%d.%d$0.0.0.0
API String ID: 1594361348-464342551
Opcode ID: 7e59b623bdbf8c44b8bb58eaa9a1d1e7bf08be48a025104469b389075155053e
Instruction ID: 136b4077bafd549567cd44b702fc781b2d0bdeab701521d256d746d30229b047
Opcode Fuzzy Hash: 62E0D84049F633C28038E685914DF713041C71A2DEF8F9352022171EF72B096986AE3F
Instruction Fuzzy Hash: 136b4077bafd549567cd44b702fc781b2d0bdeab701521d256d746d30229b047

APIs

inet_addr.WSOCK32(00000000), ref: 004606F6
gethostbyname.WSOCK32(00000000), ref: 00460711

Strings

%d.%d.%d.%d, xrefs: 0046075E
0.0.0.0, xrefs: 0046076C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043804C, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58 Total matches: 1778window

Similarity

Total matches: 1778
API ID: DrawMenuBarGetMenuItemInfoSetMenuItemInfo
String ID: P
API String ID: 41131186-3110715001
Opcode ID: ea0fd48338f9c30b58f928f856343979a74bbe7af1b6c53973efcbd39561a32d
Instruction ID: eec9c326b6739cd85be96541f469f9b321a478421ae7c7aca53e0c239bd8eefe
Opcode Fuzzy Hash: C8E0C0C1064C1301CCACB4938564F010221FB8B33CDD1D3C051602419A9D0080D4BFFA
Instruction Fuzzy Hash: eec9c326b6739cd85be96541f469f9b321a478421ae7c7aca53e0c239bd8eefe

APIs

GetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 0043809A
SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 004380EC
DrawMenuBar.USER32(00000000), ref: 004380F9

Strings

P, xrefs: 0043808C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C3E4, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47 Total matches: 32libraryloader

Similarity

Total matches: 32
API ID: FreeLibraryGetProcAddressLoadLibrary
String ID: _DCEntryPoint
API String ID: 2438569322-2130044969
Opcode ID: ab6be07d423f29e2cef18b5ad5ff21cef58c0bd0bd6b8b884c8bb9d8d911d098
Instruction ID: 3cba8b520013dd4b177f9c32272ffd10ecf318a20762e1e9fa694429cf7511db
Opcode Fuzzy Hash: B9D0C2568747D413C405200439407D90CF1AF8719F9967FA145303FAD76F09801B7527
Instruction Fuzzy Hash: 3cba8b520013dd4b177f9c32272ffd10ecf318a20762e1e9fa694429cf7511db

APIs

LoadLibraryA.KERNEL32(00000000), ref: 0048C431
GetProcAddress.KERNEL32(00000000,_DCEntryPoint,00000000,0048C473), ref: 0048C442
FreeLibrary.KERNEL32(00000000), ref: 0048C44A

Strings

_DCEntryPoint, xrefs: 0048C43C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046D36C, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36 Total matches: 62

Similarity

Total matches: 62
API ID: ShellExecute
String ID: /k $[FILE]$open
API String ID: 2101921698-3009165984
Opcode ID: 68a05d7cd04e1a973318a0f22a03b327e58ffdc8906febc8617c9713a9b295c3
Instruction ID: d64fb813625eb261c687c2654e5203d30067de4ace02db37851750b48dd66fbf
Opcode Fuzzy Hash: FED0C75427CD9157FA017F8439527E61057E747281D481BE285587A0838F8D40659312
Instruction Fuzzy Hash: d64fb813625eb261c687c2654e5203d30067de4ace02db37851750b48dd66fbf

APIs

ShellExecuteA.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0046D3B9

Strings

/k , xrefs: 0046D39A
cmd.exe, xrefs: 0046D3AD
open, xrefs: 0046D3B2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042F9E4, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36 Total matches: 35libraryloader

Similarity

Total matches: 35
API ID: GetProcAddressLoadLibrary
String ID: DWMAPI.DLL$DwmExtendFrameIntoClientArea
API String ID: 3291547091-2956373744
Opcode ID: cc41b93bac7ef77e5c5829331b5f2d91e10911707bc9e4b3bb75284856726923
Instruction ID: 611aa7263024d751f308fb3d57e5af9092bc5a71ac2d52dead79affe02cb0da7
Opcode Fuzzy Hash: D0D0A7E4C08511B0F0509405703078241DE1BC5EEE8860E90150E533621B9FB827F65C
Instruction Fuzzy Hash: 611aa7263024d751f308fb3d57e5af9092bc5a71ac2d52dead79affe02cb0da7

APIs

LoadLibraryA.KERNEL32(DWMAPI.DLL), ref: 0042FA0E
GetProcAddress.KERNEL32(00000000,DwmExtendFrameIntoClientArea,?,?,?,00447F98), ref: 0042FA31

Strings

DWMAPI.DLL, xrefs: 0042FA09
DwmExtendFrameIntoClientArea, xrefs: 0042FA26

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042FA80, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31 Total matches: 41libraryloader

Similarity

Total matches: 41
API ID: GetProcAddressLoadLibrary
String ID: DWMAPI.DLL$DwmIsCompositionEnabled
API String ID: 3291547091-2128843254
Opcode ID: 903d86e3198bc805c96c7b960047695f5ec88b3268c29fda1165ed3f3bc36d22
Instruction ID: 6cdb37f6684ca359e010f835ed4616ce0f7732468e0f2b98b5f1960530870703
Opcode Fuzzy Hash: E3D0C9A5C0865175F571D509713068081FA23D6E8A8824998091A123225FAFB866F55C
Instruction Fuzzy Hash: 6cdb37f6684ca359e010f835ed4616ce0f7732468e0f2b98b5f1960530870703

APIs

LoadLibraryA.KERNEL32(DWMAPI.DLL), ref: 0042FAA6
GetProcAddress.KERNEL32(00000000,DwmIsCompositionEnabled,?,?,0042FB22,?,00447EFB), ref: 0042FAC9

Strings

DwmIsCompositionEnabled, xrefs: 0042FABE
DWMAPI.DLL, xrefs: 0042FAA1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040F4AC, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16 Total matches: 3137libraryloader

Similarity

Total matches: 3137
API ID: GetModuleHandleGetProcAddress
String ID: GetDiskFreeSpaceExA$[FILE]
API String ID: 1063276154-3559590856
Opcode ID: c33e0a58fb58839ae40c410e06ae8006a4b80140bf923832b2d6dbd30699e00d
Instruction ID: 9d6a6771c1a736381c701344b3d7b8e37c98dfc5013332f68a512772380f22cc
Opcode Fuzzy Hash: D8B09224E0D54114C4B4560930610013C82738A10E5019A820A1B720AA7CCEEA29603A
Instruction Fuzzy Hash: 9d6a6771c1a736381c701344b3d7b8e37c98dfc5013332f68a512772380f22cc

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0048F10B,00000000,0048F11E), ref: 0040F4B2
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA,kernel32.dll,?,0048F10B,00000000,0048F11E), ref: 0040F4C3

Strings

GetDiskFreeSpaceExA, xrefs: 0040F4BD
kernel32.dll, xrefs: 0040F4AD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EC20, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15 Total matches: 48libraryloader

Similarity

Total matches: 48
API ID: GetModuleHandleGetProcAddress
String ID: CoWaitForMultipleHandles$[FILE]
API String ID: 1063276154-3065170753
Opcode ID: c6d715972c75e747e6d7ad7506eebf8b4c41a2b527cd9bc54a775635c050cd0f
Instruction ID: d81c7de5bd030b21af5c52a75e3162b073d887a4de1eb555b8966bd0fb9ec815
Opcode Fuzzy Hash: 4DB012F9A0C9210CE55F44043163004ACF031C1B5F002FD461637827803F86F437631D
Instruction Fuzzy Hash: d81c7de5bd030b21af5c52a75e3162b073d887a4de1eb555b8966bd0fb9ec815

APIs

GetModuleHandleA.KERNEL32(ole32.dll,?,0042EC9A), ref: 0042EC26
GetProcAddress.KERNEL32(00000000,CoWaitForMultipleHandles,ole32.dll,?,0042EC9A), ref: 0042EC37

Strings

CoWaitForMultipleHandles, xrefs: 0042EC31
ole32.dll, xrefs: 0042EC21

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E724, Relevance: 6.2, APIs: 4, Instructions: 198 Total matches: 19

Similarity

Total matches: 19
API ID: NetApiBufferFree$NetShareEnumNetShareGetInfo
String ID:
API String ID: 1922012051-0
Opcode ID: 7e64b2910944434402afba410b58d9b92ec59018d54871fdfc00dd5faf96720b
Instruction ID: 14ccafa2cf6417a1fbed620c270814ec7f2ac7381c92f106b89344cab9500d3f
Opcode Fuzzy Hash: 522148C606BDA0ABF6A3B4C4B447FC182D07B0B96DE486B2290BABD5C20D9521079263
Instruction Fuzzy Hash: 14ccafa2cf6417a1fbed620c270814ec7f2ac7381c92f106b89344cab9500d3f

APIs

Part of subcall function 004032F8: GetCommandLineA.KERNEL32(00000000,00403349,?,?,?,00000000), ref: 0040330F

Part of subcall function 00403358: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,0046E763,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0040337C
Part of subcall function 00403358: GetCommandLineA.KERNEL32(?,?,?,0046E763,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0040338E

NetShareEnum.NETAPI32(?,00000000,?,000000FF,?,?,?,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0046E79C
NetShareGetInfo.NETAPI32(?,?,000001F6,?,00000000,0046E945,?,?,00000000,?,000000FF,?,?,?,00000000,0046E984), ref: 0046E7D5
NetApiBufferFree.NETAPI32(?,?,?,000001F6,?,00000000,0046E945,?,?,00000000,?,000000FF,?,?,?,00000000), ref: 0046E936
NetApiBufferFree.NETAPI32(?,?,00000000,?,000000FF,?,?,?,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0046E964

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00411444, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: 954335058d5fe722e048a186d9110509c96c1379a47649d8646f5b9e1a2e0a0b
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: 9D014B0327CAAA867021BB004882FA0D2D4DE52A369CD8774DB71593F62780571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004114F3
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041150F
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411586
VariantClear.OLEAUT32(?), ref: 004115AF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040D8AA, Relevance: 6.1, APIs: 4, Instructions: 101 Total matches: 2563

Similarity

Total matches: 2563
API ID: GetModuleFileName$LoadStringVirtualQuery
String ID:
API String ID: 2941097594-0
Opcode ID: 9f707685a8ca2ccbfc71ad53c7f9b5a8f910bda01de382648e3a286d4dcbad8b
Instruction ID: 9b6f9daabaaed01363acd1bc6df000eeaee8c5b1ee04e659690c8b100997f9f3
Opcode Fuzzy Hash: 4C014C024365E386F4234B112882F5492E0DB65DB1E8C6751EFB9503F65F40115EF72D
Instruction Fuzzy Hash: 9b6f9daabaaed01363acd1bc6df000eeaee8c5b1ee04e659690c8b100997f9f3

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040D8C9
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040D8ED
GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040D908
LoadStringA.USER32(00000000,0000FFED,?,00000100), ref: 0040D99E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428848, Relevance: 6.1, APIs: 4, Instructions: 83 Total matches: 2913window

Similarity

Total matches: 2913
API ID: CreateCompatibleDCRealizePaletteSelectObjectSelectPalette
String ID:
API String ID: 3833105616-0
Opcode ID: 7f49dee69bcd38fda082a6c54f39db5f53dba16227df2c2f18840f8cf7895046
Instruction ID: 29ada319a87402adac0eebea4d3b1ef9d21249ffa1523adf5174efdc3c3390a2
Opcode Fuzzy Hash: C0F0E5870BCED49BFCA7D484249722910C2F3C08DFC80A3324E55676DB9604B127A20B
Instruction Fuzzy Hash: 29ada319a87402adac0eebea4d3b1ef9d21249ffa1523adf5174efdc3c3390a2

APIs

Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE

Part of subcall function 00429D5C: GetDC.USER32(00000000), ref: 00429DB2
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429DC7
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00429DD1
Part of subcall function 00429D5C: CreateHalftonePalette.GDI32(00000000), ref: 00429DF5
Part of subcall function 00429D5C: ReleaseDC.USER32(00000000,00000000), ref: 00429E00

CreateCompatibleDC.GDI32(00000000), ref: 0042889D
SelectObject.GDI32(00000000,?), ref: 004288B6
SelectPalette.GDI32(00000000,?,000000FF), ref: 004288DF
RealizePalette.GDI32(00000000), ref: 004288EB

Part of subcall function 00425608: LeaveCriticalSection.KERNEL32(00000038,00000000,00423DD2,00423DE8), ref: 0042560F
Part of subcall function 00425608: EnterCriticalSection.KERNEL32(00499A30,00000038,00000000,00423DD2,00423DE8), ref: 00425619
Part of subcall function 00425608: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000038,00000000,00423DD2,00423DE8), ref: 00425626

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00470B94, Relevance: 6.1, APIs: 4, Instructions: 73 Total matches: 22file

Similarity

Total matches: 22
API ID: DragQueryFile$GlobalLockGlobalUnlock
String ID:
API String ID: 367920443-0
Opcode ID: 498cda1e803d17a6f5118466ea9165dd9226bd8025a920d397bde98fe09ca515
Instruction ID: b8ae27aaf29c7a970dfd4945759f76c89711bef1c6f8db22077be54f479f9734
Opcode Fuzzy Hash: F8F05C830F79E26BD5013A844E0179401A17B03DB8F147BB2D232729DC4E5D409DF60F
Instruction Fuzzy Hash: b8ae27aaf29c7a970dfd4945759f76c89711bef1c6f8db22077be54f479f9734

APIs

Part of subcall function 00431970: GetClipboardData.USER32(00000000), ref: 00431996

GlobalLock.KERNEL32(00000000,00000000,00470C74), ref: 00470BDE
DragQueryFileA.SHELL32(?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470BF0
DragQueryFileA.SHELL32(?,00000000,?,00000105,?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470C10
GlobalUnlock.KERNEL32(00000000,?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470C56

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00438710, Relevance: 6.1, APIs: 4, Instructions: 72 Total matches: 3034window

Similarity

Total matches: 3034
API ID: GetMenuItemIDGetMenuStateGetMenuStringGetSubMenu
String ID:
API String ID: 4177512249-0
Opcode ID: ecc45265f1f2dfcabc36b66648e37788e83d83d46efca9de613be41cbe9cf08e
Instruction ID: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d
Opcode Fuzzy Hash: BEE020084B1FC552541F0A4A1573F019140E142CB69C3F3635127565B31A255213F776
Instruction Fuzzy Hash: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d

APIs

GetMenuState.USER32(?,?,?), ref: 00438733
GetSubMenu.USER32(?,?), ref: 0043873E
GetMenuItemID.USER32(?,?), ref: 00438757
GetMenuStringA.USER32(?,?,?,?,?), ref: 004387AA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00445518, Relevance: 6.1, APIs: 4, Instructions: 71 Total matches: 218threadwindow

Similarity

Total matches: 218
API ID: GetCurrentProcessIdGetWindowGetWindowThreadProcessIdIsWindowVisible
String ID:
API String ID: 3659984437-0
Opcode ID: 6a2b99e3a66d445235cbeb6ae27631a3038d73fb4110980a8511166327fee1f0
Instruction ID: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8
Opcode Fuzzy Hash: 82E0AB21B2AA28AAE0971541B01939130B3F74ED9ACC0A3626F8594BD92F253809E74F
Instruction Fuzzy Hash: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8

APIs

GetWindow.USER32(?,00000004), ref: 00445528
GetWindowThreadProcessId.USER32(?,?), ref: 00445542
GetCurrentProcessId.KERNEL32(?,00000004), ref: 0044554E
IsWindowVisible.USER32(?), ref: 0044559E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B29C, Relevance: 6.1, APIs: 4, Instructions: 58 Total matches: 214window

Similarity

Total matches: 214
API ID: DeleteObject$GetIconInfoGetObject
String ID:
API String ID: 3019347292-0
Opcode ID: d6af2631bec08fa1cf173fc10c555d988242e386d2638a025981433367bbd086
Instruction ID: 7fbc048e39f9dd6e6db5f40543e5f161b145f4c2f282fe4a446dbd8e1941d375
Opcode Fuzzy Hash: F7D0C283228DE2F7ED767D983A636154085F782297C6423B00444730860A1E700C6A03
Instruction Fuzzy Hash: 7fbc048e39f9dd6e6db5f40543e5f161b145f4c2f282fe4a446dbd8e1941d375

APIs

GetIconInfo.USER32(?,?), ref: 0042B2BD
GetObjectA.GDI32(?,00000018,?), ref: 0042B2DE
DeleteObject.GDI32(?), ref: 0042B30A
DeleteObject.GDI32(?), ref: 0042B313

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00445334, Relevance: 6.1, APIs: 4, Instructions: 56 Total matches: 2678

Similarity

Total matches: 2678
API ID: EnumWindowsGetWindowGetWindowLongSetWindowPos
String ID:
API String ID: 1660305372-0
Opcode ID: c3d012854d63b95cd89c42a77d529bdce0f7c5ea0abc138a70ce1ca7fb0ed027
Instruction ID: 7947c1ee61b3a945b06f79495752ea495d4a1fb36974d9d540e15b721e8a8e8a
Opcode Fuzzy Hash: 65E07D89179DA114F52124400911F043342F3D731BD1ADF814246283E39B8522BBFB8C
Instruction Fuzzy Hash: 7947c1ee61b3a945b06f79495752ea495d4a1fb36974d9d540e15b721e8a8e8a

APIs

EnumWindows.USER32(Function_000452BC), ref: 0044535E
GetWindow.USER32(?,00000003), ref: 00445376
GetWindowLongA.USER32(00000000,000000EC), ref: 00445383
SetWindowPos.USER32(00000000,000000EC,00000000,00000000,00000000,00000000,00000213), ref: 004453C2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004314A0, Relevance: 6.1, APIs: 4, Instructions: 56 Total matches: 21memoryclipboard

Similarity

Total matches: 21
API ID: GlobalAllocGlobalLockGlobalUnlockSetClipboardData
String ID:
API String ID: 3535573752-0
Opcode ID: f0e50475fe096c382d27ee33e947bcf8d55d19edebb1ed8108c2663ee63934e9
Instruction ID: 2742e8ac83e55c90e50d408429e67af57535f67fab21309796ee5989aaacba5e
Opcode Fuzzy Hash: D7E0C250025CF01BF9CA69CD3C97E86D2D2DA402649D46FB58258A78B3222E6049E50B
Instruction Fuzzy Hash: 2742e8ac83e55c90e50d408429e67af57535f67fab21309796ee5989aaacba5e

APIs

GlobalAlloc.KERNEL32(00002002,?,00000000,00431572), ref: 004314CF
GlobalLock.KERNEL32(?,00000000,00431544,?,00002002,?,00000000,00431572), ref: 004314E9
SetClipboardData.USER32(?,?), ref: 00431517
GlobalUnlock.KERNEL32(?,0043153A,?,00000000,00431544,?,00002002,?,00000000,00431572), ref: 0043152D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040A404, Relevance: 6.1, APIs: 4, Instructions: 54 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: c8f11cb17e652d385e55d6399cfebc752614be738e382b5839b86fc73ea86396
Instruction ID: 2e292ce978d1af3d415e66e5b982e49a92b9d84a3d1479b7871fac408542b61b
Opcode Fuzzy Hash: 32D02B030B309613452F157D0441F8D7032488F01A96C2F8C37B77ABA68505605FFE4C
Instruction Fuzzy Hash: 2e292ce978d1af3d415e66e5b982e49a92b9d84a3d1479b7871fac408542b61b

APIs

FindNextFileA.KERNEL32(?,?), ref: 0040A415
GetLastError.KERNEL32(?,?), ref: 0040A41E
FileTimeToLocalFileTime.KERNEL32(?), ref: 0040A434
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 0040A443

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0041C2D4, Relevance: 6.1, APIs: 4, Instructions: 51 Total matches: 4966

Similarity

Total matches: 4966
API ID: FindResourceLoadResourceLockResourceSizeofResource
String ID:
API String ID: 3653323225-0
Opcode ID: 735dd83644160b8dcfdcb5d85422b4d269a070ba32dbf009b7750e227a354687
Instruction ID: 615d07274e164157e3e11310b2f920de543c2506028dc961f8b3aaf64374c2fd
Opcode Fuzzy Hash: 4BD0A90A2268C100582C2C80002BBC610830A5FE226CC27F902231BBC32C026024F8C4
Instruction Fuzzy Hash: 615d07274e164157e3e11310b2f920de543c2506028dc961f8b3aaf64374c2fd

APIs

FindResourceA.KERNEL32(?,?,?), ref: 0041C2EB
LoadResource.KERNEL32(?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C305
SizeofResource.KERNEL32(?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C31F
LockResource.KERNEL32(0041BDF4,00000000,?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000), ref: 0041C329

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040A3AC, Relevance: 6.0, APIs: 4, Instructions: 40 Total matches: 51time

Similarity

Total matches: 51
API ID: DosDateTimeToFileTimeGetLastErrorLocalFileTimeToFileTimeSetFileTime
String ID:
API String ID: 3095628216-0
Opcode ID: dc7fe683cb9960f76d0248ee31fd3249d04fe76d6d0b465a838fe0f3e66d3351
Instruction ID: c3399427300e97a0bf23ec08d7f996c3ab3c22a86554ee3675cd901d102723b3
Opcode Fuzzy Hash: F2C0803B165157D71F4F7D7C600375011F0D1778230955B614E019718D4E05F01EFD86
Instruction Fuzzy Hash: c3399427300e97a0bf23ec08d7f996c3ab3c22a86554ee3675cd901d102723b3

APIs

DosDateTimeToFileTime.KERNEL32(?,0048C37F,?), ref: 0040A3C9
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0040A3DA
SetFileTime.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3EC
GetLastError.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3F5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00484388, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 39

Similarity

Total matches: 39
API ID: CloseHandleGetExitCodeProcessOpenProcessTerminateProcess
String ID:
API String ID: 2790531620-0
Opcode ID: 2f64381cbc02908b23ac036d446d8aeed05bad4df5f4c3da9e72e60ace7043ae
Instruction ID: e830ae185e03603e72926048c7063e7464f7d8c572e36ef4319c937be7ad0c91
Opcode Fuzzy Hash: 5DC01285079EAB7B643571D825437E14084D5026CCB943B7185045F10B4B09B43DF053
Instruction Fuzzy Hash: e830ae185e03603e72926048c7063e7464f7d8c572e36ef4319c937be7ad0c91

APIs

OpenProcess.KERNEL32(00000001,00000000,00000000), ref: 00484393
GetExitCodeProcess.KERNEL32(00000000,?), ref: 004843B7
TerminateProcess.KERNEL32(00000000,?,00000000,004843E0,?,00000001,00000000,00000000), ref: 004843C4
CloseHandle.KERNEL32(00000000), ref: 004843DA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044E254, Relevance: 6.0, APIs: 4, Instructions: 37 Total matches: 5751thread

Similarity

Total matches: 5751
API ID: GetCurrentProcessIdGetPropGetWindowThreadProcessIdGlobalFindAtom
String ID:
API String ID: 142914623-0
Opcode ID: 055fee701d7a26f26194a738d8cffb303ddbdfec43439e02886190190dab2487
Instruction ID: e9689aead5eaf442059aa2d418bca5d111d08576717f72d926dd49825766799b
Opcode Fuzzy Hash: 0AC02203AD2E23870E4202F2E840907219583DF8720CA370201B0E38C023F0461DFF0C
Instruction Fuzzy Hash: e9689aead5eaf442059aa2d418bca5d111d08576717f72d926dd49825766799b

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 0044E261
GetCurrentProcessId.KERNEL32(00000000,?,?,-00000010,00000000,0044E2CC,-000000F7,?,00000000,0044DE86,?,-00000010,?), ref: 0044E26A
GlobalFindAtomA.KERNEL32(00000000), ref: 0044E27F
GetPropA.USER32(00000000,00000000), ref: 0044E296

Part of subcall function 0044D2C0: GetWindowThreadProcessId.USER32(?), ref: 0044D2C6
Part of subcall function 0044D2C0: GetCurrentProcessId.KERNEL32(?,?,?,?,0044D346,?,00000000,?,004387ED,?,004378A9), ref: 0044D2CF
Part of subcall function 0044D2C0: SendMessageA.USER32(?,0000C1C7,00000000,00000000), ref: 0044D2E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444B1C, Relevance: 6.0, APIs: 4, Instructions: 34 Total matches: 2966thread

Similarity

Total matches: 2966
API ID: CreateEventCreateThreadGetCurrentThreadIdSetWindowsHookEx
String ID:
API String ID: 2240124278-0
Opcode ID: 54442a1563c67a11f9aee4190ed64b51599c5b098d388fde65e2e60bb6332aef
Instruction ID: 25b62da08cecef26c395931cea73ffe9b62582a88be241cbb158b3c9ea13de32
Opcode Fuzzy Hash: 37D0C940B0DE75C4F860630138017A90633234BF1BCD1C316480F76041C6CFAEF07A28
Instruction Fuzzy Hash: 25b62da08cecef26c395931cea73ffe9b62582a88be241cbb158b3c9ea13de32

APIs

GetCurrentThreadId.KERNEL32(?,00447A69,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00444B34
SetWindowsHookExA.USER32(00000003,00444AD8,00000000,00000000), ref: 00444B44
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00447A69,?,?,?,?,?,?,?,?,?,?), ref: 00444B5F
CreateThread.KERNEL32(00000000,000003E8,00444A7C,00000000,00000000), ref: 00444B83

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B438, Relevance: 6.0, APIs: 4, Instructions: 29 Total matches: 789

Similarity

Total matches: 789
API ID: GetDCGetTextMetricsReleaseDCSelectObject
String ID:
API String ID: 1769665799-0
Opcode ID: db772d9cc67723a7a89e04e615052b16571c955da3e3b2639a45f22e65d23681
Instruction ID: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3
Opcode Fuzzy Hash: DCC02B935A2888C32DE51FC0940084317C8C0E3A248C62212E13D400727F0C007CBFC0
Instruction Fuzzy Hash: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3

APIs

GetDC.USER32(00000000), ref: 0042B441
SelectObject.GDI32(00000000,018A002E), ref: 0042B453
GetTextMetricsA.GDI32(00000000), ref: 0042B45E
ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042473C, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 172 Total matches: 108

Similarity

Total matches: 108
API ID: CompareStringCreateFontIndirect
String ID: Default
API String ID: 480662435-753088835
Opcode ID: 55710f22f10b58c86f866be5b7f1af69a0ec313069c5af8c9f5cd005ee0f43f8
Instruction ID: ad4a051fb67a15694052d05548e5e2a92b9daedfa5d673be67c756d1cf269a99
Opcode Fuzzy Hash: F6116A2104DDB067F8B3EC94B64A74A79D1BBC5E9EC00FB303AA57198A0B01500EEB0E
Instruction Fuzzy Hash: ad4a051fb67a15694052d05548e5e2a92b9daedfa5d673be67c756d1cf269a99

APIs

Part of subcall function 00423A1C: EnterCriticalSection.KERNEL32(?,00423A59), ref: 00423A20

CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,00424930,?,00000000,00424958), ref: 0042486B
CreateFontIndirectA.GDI32(?), ref: 0042490D

Part of subcall function 0042B438: GetDC.USER32(00000000), ref: 0042B441
Part of subcall function 0042B438: SelectObject.GDI32(00000000,018A002E), ref: 0042B453
Part of subcall function 0042B438: GetTextMetricsA.GDI32(00000000), ref: 0042B45E
Part of subcall function 0042B438: ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Part of subcall function 00423A28: LeaveCriticalSection.KERNEL32(-00000008,00423B07,00423B0F), ref: 00423A2C

Strings

Default, xrefs: 00424832, 00424840, 00424841

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E3F0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103 Total matches: 30

Similarity

Total matches: 30
API ID: SHGetPathFromIDListSHGetSpecialFolderLocation
String ID: .LNK
API String ID: 739551631-2547878182
Opcode ID: 6b91e9416f314731ca35917c4d41f2341f1eaddd7b94683245f35c4551080332
Instruction ID: e6ae6f63a256f5e8788dfe1c4fce17057cd352befa637d7beb5ae1c0f18a968e
Opcode Fuzzy Hash: 9701B543079EC2A3D9232E512D43BA60129AF11E22F4C77F35A3C3A7D11E500105FA4A
Instruction Fuzzy Hash: e6ae6f63a256f5e8788dfe1c4fce17057cd352befa637d7beb5ae1c0f18a968e

APIs

SHGetSpecialFolderLocation.SHELL32(00000000,00000010,?), ref: 0046E44B
SHGetPathFromIDListA.SHELL32(?,?,00000000,00000010,?,00000000,0046E55E), ref: 0046E463

Part of subcall function 0042BE44: CoCreateInstance.OLE32(?,00000000,00000005,0042BF34,00000000), ref: 0042BE8B

Strings

.LNK, xrefs: 0046E4DE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00472C70, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 98 Total matches: 26

Similarity

Total matches: 26
API ID: SetFileAttributes
String ID: I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!$drivers\etc\hosts
API String ID: 3201317690-57959411
Opcode ID: de1fcf5289fd0d37c0d7642ff538b0d3acf26fbf7f5b53187118226b7e9f9585
Instruction ID: 1f69c6cfd5524e6f1e55c33e322de11738733e7ba85079705839c212502733fc
Opcode Fuzzy Hash: C4012B430F74D723D5173D857800B8922764B4A179D4A77F34B3B796E14E45101BF26D
Instruction Fuzzy Hash: 1f69c6cfd5524e6f1e55c33e322de11738733e7ba85079705839c212502733fc

APIs

Part of subcall function 004719C8: GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 004719DF

SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00472DAB,?,00000000,00472DE7), ref: 00472D16

Strings

drivers\etc\hosts, xrefs: 00472CD3, 00472D00
I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!, xrefs: 00472D8D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040C028, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79 Total matches: 3032thread

Similarity

Total matches: 3032
API ID: GetDateFormatGetThreadLocale
String ID: yyyy
API String ID: 358233383-3145165042
Opcode ID: a9ef5bbd8ef47e5bcae7fadb254d6b5dc10943448e4061dc92b10bb97dc7929c
Instruction ID: 3d7ab4add3e8180159f8482215856afc9a1a963464e366b4ca05c92ac214afea
Opcode Fuzzy Hash: 09F09E4A0397D3D76802C969D023BC10194EB5A8B2C88B3B1DBB43D7F74C10C40AAF21
Instruction Fuzzy Hash: 3d7ab4add3e8180159f8482215856afc9a1a963464e366b4ca05c92ac214afea

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,0040C116), ref: 0040C0AE
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100), ref: 0040C0B4

Strings

yyyy, xrefs: 0040C089

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E408, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44 Total matches: 2190

Similarity

Total matches: 2190
API ID: GetSystemMetrics
String ID: MonitorFromPoint
API String ID: 96882338-1072306578
Opcode ID: 666203dad349f535e62b1e5569e849ebaf95d902ba2aa8f549115cec9aadc9dc
Instruction ID: 9e90a3aeaa9df0e76633c437836624889fea8714b6c2508f44f8acb6986c90e8
Opcode Fuzzy Hash: 72D09540005C404E9427F505302314050862CD7C1444C0A96073728A4B4BC07837E70C
Instruction Fuzzy Hash: 9e90a3aeaa9df0e76633c437836624889fea8714b6c2508f44f8acb6986c90e8

APIs

GetSystemMetrics.USER32(00000000), ref: 0042E456
GetSystemMetrics.USER32(00000001), ref: 0042E468

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

MonitorFromPoint, xrefs: 0042E41A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E258, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39 Total matches: 3131

Similarity

Total matches: 3131
API ID: GetSystemMetrics
String ID: GetSystemMetrics
API String ID: 96882338-96882338
Opcode ID: bbc54e4b5041dfa08de2230ef90e8f32e1264c6e24ec09b97715d86cc98d23e9
Instruction ID: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c
Opcode Fuzzy Hash: B4D0A941986AA908E0AF511971A336358D163D2EA0C8C8362308B329EB5741B520AB01
Instruction Fuzzy Hash: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c

APIs

GetSystemMetrics.USER32(?), ref: 0042E2BA

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

GetSystemMetrics.USER32(?), ref: 0042E280

Strings

GetSystemMetrics, xrefs: 0042E268

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Process Name: Filezilla.exe Analysis ID: 401368

General

Root Process Name:	regdrv.exe
Process MD5:	1B9793452B165AC33B7E01430F3079E0
Total matches:	124
Initial Analysis Report:	Open
Initial sample Analysis ID:	401368
Initial sample SHA 256:	7170E5645CA50B4B3AB4C85EA9C24E132C73AA2A20A39247380DB117543EAA31
Initial sample name:	43PAYMENT TRANSFER INSTRUCTIONS.exe

Similar Executed Functions

Function 00406C2C, Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184 Total matches: 2899registrystringlibrary

Similarity

Total matches: 2899
API ID: lstrcpyn$LoadLibraryExRegOpenKeyEx$RegQueryValueEx$GetLocaleInfoGetModuleFileNameGetThreadLocaleRegCloseKeylstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 3567661987-2375825460
Opcode ID: a3b1251d448c01bd6f1cc1c42774547fa8a2e6c4aa6bafad0bbf1d0ca6416942
Instruction ID: a303aaa8438224c55303324eb01105260f59544aa3820bfcbc018d52edb30607
Opcode Fuzzy Hash: 7311914307969393E8871B6124157D513A5AF01F30E4A7BF275F0206EABE46110CFA06
Instruction Fuzzy Hash: a303aaa8438224c55303324eb01105260f59544aa3820bfcbc018d52edb30607

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,00400000,004917C0), ref: 00406C48
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,004917C0), ref: 00406C66
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,004917C0), ref: 00406C84
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00406CA2

Part of subcall function 00406A68: GetModuleHandleA.KERNEL32(kernel32.dll,?,00400000,004917C0), ref: 00406A85
Part of subcall function 00406A68: GetProcAddress.KERNEL32(?,GetLongPathNameA,kernel32.dll,?,00400000,004917C0), ref: 00406A9C
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,?,00400000,004917C0), ref: 00406ACC
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B30
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B66
Part of subcall function 00406A68: FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B79
Part of subcall function 00406A68: FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B8B
Part of subcall function 00406A68: lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B97
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000), ref: 00406BCB
Part of subcall function 00406A68: lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00406BD7
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 00406BF9

RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,00406D31,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00406CEB
RegQueryValueExA.ADVAPI32(?,00406E98,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00406D31,?,80000001), ref: 00406D09
RegCloseKey.ADVAPI32(?,00406D38,00000000,?,?,00000000,00406D31,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00406D2B
lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00406D48
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00406D55
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00406D5B
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00406D86
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406DCD
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406DDD
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406E05
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406E15
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00406E3B
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 00406E4B

Strings

Software\Borland\Locales, xrefs: 00406C5C, 00406C7A
Software\Borland\Delphi\Locales, xrefs: 00406C98

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00406D38, Relevance: 15.1, APIs: 10, Instructions: 98 Total matches: 2843stringlibrarythread

Similarity

Total matches: 2843
API ID: lstrcpyn$LoadLibraryEx$GetLocaleInfoGetThreadLocalelstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 2476548892-2375825460
Opcode ID: 37afa4b59127376f4a6833a35b99071d0dffa887068a3353cca0b5e1e5cd2bc3
Instruction ID: 0c520f96d45b86b238466289d2a994e593252e78d5c30d2048b7af96496f657b
Opcode Fuzzy Hash: 4CF0C883479793A7E04B1B422916AC853A4AF00F30F577BE1B970147FE7D1B240CA519
Instruction Fuzzy Hash: 0c520f96d45b86b238466289d2a994e593252e78d5c30d2048b7af96496f657b

APIs

lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00406D48
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00406D55
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00406D5B
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00406D86
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406DCD
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406DDD
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406E05
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406E15
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00406E3B
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 00406E4B

Strings

Software\Borland\Locales, xrefs: 00406C5C, 00406C7A
Software\Borland\Delphi\Locales, xrefs: 00406C98

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AEA8, Relevance: 9.1, APIs: 6, Instructions: 108 Total matches: 122

Similarity

Total matches: 122
API ID: AdjustTokenPrivilegesCloseHandleGetCurrentProcessGetLastErrorLookupPrivilegeValueOpenProcessToken
String ID:
API String ID: 1655903152-0
Opcode ID: c92d68a2c1c5faafb4a28c396f292a277a37f0b40326d7f586547878ef495775
Instruction ID: 5a044237aac15a3989e4021d08b96f5326c338692d3d0e66e444868dbe789150
Opcode Fuzzy Hash: 2CF0468513CAB2E7F879B18C3042FE73458B323244C8437219A903A18E0E59A12CEB13
Instruction Fuzzy Hash: 5a044237aac15a3989e4021d08b96f5326c338692d3d0e66e444868dbe789150

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AEFF
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF05
LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000), ref: 0048AF77
CloseHandle.KERNEL32(?), ref: 0048AF8D
GetLastError.KERNEL32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF9A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DDE0, Relevance: 7.6, APIs: 5, Instructions: 54 Total matches: 153

Similarity

Total matches: 153
API ID: FindResourceFreeResourceLoadResourceLockResourceSizeofResource
String ID:
API String ID: 3885362348-0
Opcode ID: ef8b8e58cde3d28224df1e0c57da641ab2d3d01fa82feb3a30011b4f31433ee9
Instruction ID: 9990bafbf40e834a260b48e1f62370990a3e04654371271e90c167a58edff6a8
Opcode Fuzzy Hash: 08D02B420B5FA197F51656482C813D722876B43386EC42BF2D31A3B2E39F058039F60B
Instruction Fuzzy Hash: 9990bafbf40e834a260b48e1f62370990a3e04654371271e90c167a58edff6a8

APIs

FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 0048DE1A
LoadResource.KERNEL32(00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE24
SizeofResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE2E
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE36
FreeResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048B908, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 138 Total matches: 28

Similarity

Total matches: 28
API ID: GetTokenInformation$CloseHandleGetCurrentProcessOpenProcessToken
String ID: Default$Full$Limited$unknow
API String ID: 3519712506-3005279702
Opcode ID: c9e83fe5ef618880897256b557ce500f1bf5ac68e7136ff2dc4328b35d11ffd0
Instruction ID: 0b4c06dab34d27ad9d68d80be0f4d698db9405c4a95def130c1ac261927f5781
Opcode Fuzzy Hash: 94012245479DA6FB6826709C78036E90090EEA3505DC827320F1A3EA430F49906DFE03
Instruction Fuzzy Hash: 0b4c06dab34d27ad9d68d80be0f4d698db9405c4a95def130c1ac261927f5781

APIs

GetCurrentProcess.KERNEL32(00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B93E
OpenProcessToken.ADVAPI32(00000000,00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B944
GetTokenInformation.ADVAPI32(?,00000012(TokenIntegrityLevel),?,00000004,?,00000000,0048BA30,?,00000000,00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B96F
GetTokenInformation.ADVAPI32(?,00000014(TokenIntegrityLevel),?,00000004,?,?,TokenIntegrityLevel,?,00000004,?,00000000,0048BA30,?,00000000,00000008,?), ref: 0048B9DF
CloseHandle.KERNEL32(?), ref: 0048BA2A

Strings

unknow, xrefs: 0048B9B6
Limited, xrefs: 0048B9A7
Default, xrefs: 0048B989
Full, xrefs: 0048B998

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004035C4, Relevance: 15.1, APIs: 10, Instructions: 129 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: d538ecb20819965be69077a828496b76d5af3486dd71f6717b9dc933de35fdbc
Instruction ID: c976212507a0127e09b4f1878ff8970bdbefa7b4a5e526d5fabf74a192684bc9
Opcode Fuzzy Hash: DD012BC0B7E89268E42FAB84AA00FD25444979FFC9E70C74433C9615EE6742616CBE09
Instruction Fuzzy Hash: c976212507a0127e09b4f1878ff8970bdbefa7b4a5e526d5fabf74a192684bc9

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040364C
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00403670
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040368C
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 004036AD
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 004036D6
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 004036E4
GetStdHandle.KERNEL32(000000F5), ref: 0040371F
GetFileType.KERNEL32 ref: 00403735
CloseHandle.KERNEL32 ref: 00403750
GetLastError.KERNEL32(000000F5), ref: 00403768

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040EBCC, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201 Total matches: 3634thread

Similarity

Total matches: 3634
API ID: GetThreadLocale
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 1366207816-2493093252
Opcode ID: 01a36ac411dc2f0c4b9eddfafa1dc6121dabec367388c2cb1b6e664117e908cf
Instruction ID: d03f869ccb848d3c28b0e9f5c57a02ed4726818649ba9b5e70cc30c7e7abe10a
Opcode Fuzzy Hash: 7E216E09A7888936D262494C3885B9414F75F1A161EC4CBF18BB2757ED6EC60422FBFB
Instruction Fuzzy Hash: d03f869ccb848d3c28b0e9f5c57a02ed4726818649ba9b5e70cc30c7e7abe10a

APIs

Part of subcall function 0040EB08: GetThreadLocale.KERNEL32 ref: 0040EB2A
Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000004A), ref: 0040EB7D
Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000002A), ref: 0040EB8C

Part of subcall function 0040D3E8: GetThreadLocale.KERNEL32(00000000,0040D4FB,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040D404

GetThreadLocale.KERNEL32(00000000,0040EE97,?,?,00000000,00000000), ref: 0040EC02

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Part of subcall function 0040D380: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040EC7E,00000000,0040EE97,?,?,00000000,00000000), ref: 0040D393

Part of subcall function 0040D670: GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(?,00000000,0040D657,?,?,00000000), ref: 0040D5D8
Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040D657,?,?,00000000), ref: 0040D608
Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D50C,00000000,00000000,00000004), ref: 0040D613
Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040D657,?,?,00000000), ref: 0040D631
Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D548,00000000,00000000,00000003), ref: 0040D63C

Strings

AMPM , xrefs: 0040EE25
mmmm d, yyyy, xrefs: 0040ECFE
m/d/yy, xrefs: 0040ECD1
:mm, xrefs: 0040EE35
:mm:ss, xrefs: 0040EE52
AMPM, xrefs: 0040EE16

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045F5F8, Relevance: 10.6, APIs: 7, Instructions: 117 Total matches: 462file

Similarity

Total matches: 462
API ID: CloseHandle$CreateFileCreateFileMappingGetFileSizeMapViewOfFileUnmapViewOfFile
String ID:
API String ID: 4232242029-0
Opcode ID: 30b260463d44c6b5450ee73c488d4c98762007a87f67d167b52aaf6bd441c3bf
Instruction ID: 5c790fdba87d6d3a28b45298bdc34f72c373fcd78425af207109af52e92f4d8f
Opcode Fuzzy Hash: 68F028440BCCF3A7F4B5B64820427A1004AAB46B58D54BFA25495374CB89C9B04DFB53
Instruction Fuzzy Hash: 5c790fdba87d6d3a28b45298bdc34f72c373fcd78425af207109af52e92f4d8f

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateFileA.KERNEL32(00000000,80000000,00000003,00000000,00000003,08000080,00000000), ref: 0045F637
CreateFileMappingA.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0045F665
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718,?,?,?,?), ref: 0045F691
GetFileSize.KERNEL32(000000FF,00000000,00000000,0045F6DC,?,00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718), ref: 0045F6B3
UnmapViewOfFile.KERNEL32(00000000,0045F6E3,0045F6DC,?,00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718), ref: 0045F6D6
CloseHandle.KERNEL32(00000000), ref: 0045F6F4
CloseHandle.KERNEL32(000000FF), ref: 0045F712

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AFE8, Relevance: 10.6, APIs: 7, Instructions: 94 Total matches: 34sleep

Similarity

Total matches: 34
API ID: Sleep$GetCurrentProcessGetTokenInformationLookupPrivilegeDisplayNameLookupPrivilegeNameOpenProcessToken
String ID:
API String ID: 2949210484-0
Opcode ID: 1294ace95088db967643d611283e857756515b83d680ef470e886f47612abab4
Instruction ID: 080af5cb768fd98714a9d060fcd45c73de1816ca9ba7ffb4874f351f539571ee
Opcode Fuzzy Hash: F9F0F6524B5DE753F65D2A4C9893BE90250DB03424E806B22857877A8A5E195039FA2A
Instruction Fuzzy Hash: 080af5cb768fd98714a9d060fcd45c73de1816ca9ba7ffb4874f351f539571ee

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048B0F3), ref: 0048B016
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048B0F3), ref: 0048B01C
Sleep.KERNEL32(00000001,00000000,00000028,?,00000000,0048B0F3), ref: 0048B027
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B03C
Sleep.KERNEL32(00000001,?,TokenIntegrityLevel,00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B047
LookupPrivilegeNameA.ADVAPI32(00000000,00000004,00000000,000000FF), ref: 0048B094
LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,?,000000FF,?), ref: 0048B0A8

Part of subcall function 0048AEA8: GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AEFF
Part of subcall function 0048AEA8: OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF05
Part of subcall function 0048AEA8: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
Part of subcall function 0048AEA8: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000), ref: 0048AF77
Part of subcall function 0048AEA8: CloseHandle.KERNEL32(?), ref: 0048AF8D
Part of subcall function 0048AEA8: GetLastError.KERNEL32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF9A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B47C, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58 Total matches: 283

Similarity

Total matches: 283
API ID: MulDiv
String ID: MS Shell Dlg 2$SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes$Tahoma
API String ID: 940359406-1011973972
Opcode ID: 9f338f1e3de2c8e95426f3758bdd42744a67dcd51be80453ed6f2017c850a3af
Instruction ID: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a
Opcode Fuzzy Hash: EDE0680017C8F0ABFC32BC8A30A17CD20C9F341270C0063B1065D3D8CAAB4AC018E907
Instruction Fuzzy Hash: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a

APIs

MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0042B4A2

Part of subcall function 004217A0: RegCloseKey.ADVAPI32(10940000,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5,?,00000000,0048B2DD), ref: 004217B4

Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421A81
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421AF1
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?), ref: 00421B5C

Part of subcall function 00421770: RegFlushKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 00421781
Part of subcall function 00421770: RegCloseKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 0042178A

Part of subcall function 0042B438: GetDC.USER32(00000000), ref: 0042B441
Part of subcall function 0042B438: SelectObject.GDI32(00000000,018A002E), ref: 0042B453
Part of subcall function 0042B438: GetTextMetricsA.GDI32(00000000), ref: 0042B45E
Part of subcall function 0042B438: ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes, xrefs: 0042B4F8
MS Shell Dlg 2, xrefs: 0042B50C
Tahoma, xrefs: 0042B4C4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00421140, Relevance: 6.1, APIs: 4, Instructions: 59 Total matches: 2877registry

Similarity

Total matches: 2877
API ID: GetClassInfoRegisterClassSetWindowLongUnregisterClass
String ID:
API String ID: 1046148194-0
Opcode ID: c2411987b4f71cfd8dbf515c505d6b009a951c89100e7b51cc1a9ad4868d85a2
Instruction ID: ad09bb2cd35af243c34bf0a983bbfa5e937b059beb8f7eacfcf21e0321a204f6
Opcode Fuzzy Hash: 17E026123D08D3D6E68B3107302B30D00AC1B2F524D94E725428030310CB24B034D942
Instruction Fuzzy Hash: ad09bb2cd35af243c34bf0a983bbfa5e937b059beb8f7eacfcf21e0321a204f6

APIs

GetClassInfoA.USER32(00400000,00421130,?), ref: 00421161
UnregisterClassA.USER32(00421130,00400000), ref: 0042118A
RegisterClassA.USER32(00491B50), ref: 00421194

Part of subcall function 0040857C: CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004085BB

Part of subcall function 00421084: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 004210A2

SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 004211DF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Similar Non-Executed Functions

Function 0048B42C, Relevance: 70.2, APIs: 32, Strings: 8, Instructions: 219 Total matches: 29keyboard

Similarity

Total matches: 29
API ID: keybd_event
String ID: CTRLA$CTRLC$CTRLF$CTRLP$CTRLV$CTRLX$CTRLY$CTRLZ
API String ID: 2665452162-853614746
Opcode ID: 4def22f753c7f563c1d721fcc218f3f6eb664e5370ee48361dbc989d32d74133
Instruction ID: 963b610819eac8b52ef880b5a8b69d76f76adbdeafee6c47af906d1515d6b099
Opcode Fuzzy Hash: 532196951B0CA2B978DA64817C0E195F00B969B34DEDC13128990DAF788EF08DE03F35
Instruction Fuzzy Hash: 963b610819eac8b52ef880b5a8b69d76f76adbdeafee6c47af906d1515d6b099

APIs

keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B460
keybd_event.USER32(00000041,00000045,00000001,00000000), ref: 0048B46D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B47A
keybd_event.USER32(00000041,00000045,00000003,00000000), ref: 0048B487
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B4A8
keybd_event.USER32(00000056,00000045,00000001,00000000), ref: 0048B4B5
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B4C2
keybd_event.USER32(00000056,00000045,00000003,00000000), ref: 0048B4CF
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B4F0
keybd_event.USER32(00000043,00000045,00000001,00000000), ref: 0048B4FD
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B50A
keybd_event.USER32(00000043,00000045,00000003,00000000), ref: 0048B517
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B538
keybd_event.USER32(00000058,00000045,00000001,00000000), ref: 0048B545
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B552
keybd_event.USER32(00000058,00000045,00000003,00000000), ref: 0048B55F
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B580
keybd_event.USER32(00000050,00000045,00000001,00000000), ref: 0048B58D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B59A
keybd_event.USER32(00000050,00000045,00000003,00000000), ref: 0048B5A7
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B5C8
keybd_event.USER32(0000005A,00000045,00000001,00000000), ref: 0048B5D5
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B5E2
keybd_event.USER32(0000005A,00000045,00000003,00000000), ref: 0048B5EF
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B610
keybd_event.USER32(00000059,00000045,00000001,00000000), ref: 0048B61D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B62A
keybd_event.USER32(00000059,00000045,00000003,00000000), ref: 0048B637
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B655
keybd_event.USER32(00000046,00000045,00000001,00000000), ref: 0048B662
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B66F
keybd_event.USER32(00000046,00000045,00000003,00000000), ref: 0048B67C

Strings

CTRLP, xrefs: 0048B56C
CTRLC, xrefs: 0048B4DC
CTRLV, xrefs: 0048B494
CTRLY, xrefs: 0048B5FC
CTRLF, xrefs: 0048B641
CTRLZ, xrefs: 0048B5B4
CTRLX, xrefs: 0048B524
CTRLA, xrefs: 0048B44C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00460AC0, Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99 Total matches: 300libraryloader

Similarity

Total matches: 300
API ID: GetProcAddress$GetModuleHandle
String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$[FILE]
API String ID: 1039376941-2682310058
Opcode ID: f09c306a48b0de2dd47c8210d3bd2ba449cfa3644c05cf78ba5a2ace6c780295
Instruction ID: bcfc9cd07546656776842482fc67dab96c7523a4dc8624f3bf5282ed84c56a54
Opcode Fuzzy Hash: 950151BF00AC158CCBB0CE8834EFB5324AB398984C4225F4495C6312393D9FF50A1AAA
Instruction Fuzzy Hash: bcfc9cd07546656776842482fc67dab96c7523a4dc8624f3bf5282ed84c56a54

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?,?,?), ref: 00460AD4
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?,?,?), ref: 00460AEC
GetProcAddress.KERNEL32(00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?), ref: 00460AFE
GetProcAddress.KERNEL32(00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E), ref: 00460B10
GetProcAddress.KERNEL32(00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5), ref: 00460B22
GetProcAddress.KERNEL32(00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5), ref: 00460B34
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000), ref: 00460B46
GetProcAddress.KERNEL32(00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002), ref: 00460B58
GetProcAddress.KERNEL32(00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot), ref: 00460B6A
GetProcAddress.KERNEL32(00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst), ref: 00460B7C
GetProcAddress.KERNEL32(00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext), ref: 00460B8E
GetProcAddress.KERNEL32(00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First), ref: 00460BA0
GetProcAddress.KERNEL32(00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next), ref: 00460BB2
GetProcAddress.KERNEL32(00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory), ref: 00460BC4
GetProcAddress.KERNEL32(00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First), ref: 00460BD6
GetProcAddress.KERNEL32(00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next), ref: 00460BE8
GetProcAddress.KERNEL32(00000000,Module32NextW,00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW), ref: 00460BFA

Strings

Toolhelp32ReadProcessMemory, xrefs: 00460B3E
CreateToolhelp32Snapshot, xrefs: 00460AE4
Heap32First, xrefs: 00460B1A
Thread32First, xrefs: 00460B98
Module32First, xrefs: 00460BBC
Process32FirstW, xrefs: 00460B74
Heap32Next, xrefs: 00460B2C
Process32First, xrefs: 00460B50
Module32Next, xrefs: 00460BCE
Module32NextW, xrefs: 00460BF2
Heap32ListFirst, xrefs: 00460AF6
Thread32Next, xrefs: 00460BAA
Module32FirstW, xrefs: 00460BE0
Heap32ListNext, xrefs: 00460B08
Process32NextW, xrefs: 00460B86
kernel32.dll, xrefs: 00460ACF
Process32Next, xrefs: 00460B62

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00406A68, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 139 Total matches: 2934stringlibraryfile

Similarity

Total matches: 2934
API ID: lstrcpyn$lstrlen$FindCloseFindFirstFileGetModuleHandleGetProcAddress
String ID: GetLongPathNameA$\$[FILE]
API String ID: 3661757112-3025972186
Opcode ID: 09af6d4fb3ce890a591f7b23fb756db22e1cbc03564fc0e4437be3767da6793e
Instruction ID: b14d932b19fc4064518abdddbac2846d3fd2a245794c3c1ecc53a3c556f9407d
Opcode Fuzzy Hash: 5A0148030E08E387E1775B017586F4A12A1EF41C38E98A36025F15BAC94E00300CF12F
Instruction Fuzzy Hash: b14d932b19fc4064518abdddbac2846d3fd2a245794c3c1ecc53a3c556f9407d

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,00400000,004917C0), ref: 00406A85
GetProcAddress.KERNEL32(?,GetLongPathNameA,kernel32.dll,?,00400000,004917C0), ref: 00406A9C
lstrcpynA.KERNEL32(?,?,?,?,00400000,004917C0), ref: 00406ACC
lstrcpynA.KERNEL32(?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B30

Part of subcall function 00406A48: CharNextA.USER32(?), ref: 00406A4F

lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B66
FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B79
FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B8B
lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B97
lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000), ref: 00406BCB
lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00406BD7
lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 00406BF9

Strings

GetLongPathNameA, xrefs: 00406A93
\, xrefs: 00406BA9
kernel32.dll, xrefs: 00406A80

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00458910, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64 Total matches: 3020window

Similarity

Total matches: 3020
API ID: GetWindowLongScreenToClient$GetWindowPlacementGetWindowRectIsIconic
String ID: ,
API String ID: 816554555-3772416878
Opcode ID: 33713ad712eb987f005f3c933c072ce84ce87073303cb20338137d5b66c4d54f
Instruction ID: 99fb2dd3f2d8984d329dcc6a20dc6bc7800d43894b91fc45d581d88d3a180e50
Opcode Fuzzy Hash: 34E0929A777C2018C58145A80943F5DB3519B5B7FAC55DF8036902895B110018B1B86D
Instruction Fuzzy Hash: 99fb2dd3f2d8984d329dcc6a20dc6bc7800d43894b91fc45d581d88d3a180e50

APIs

IsIconic.USER32(?), ref: 0045891F
GetWindowPlacement.USER32(?,0000002C), ref: 0045893C
GetWindowRect.USER32(?), ref: 00458955
GetWindowLongA.USER32(?,000000F0), ref: 00458963
GetWindowLongA.USER32(?,000000F8), ref: 00458978
ScreenToClient.USER32(00000000), ref: 00458985
ScreenToClient.USER32(00000000,?), ref: 00458990

Strings

,, xrefs: 00458928

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043B7D8, Relevance: 12.1, APIs: 8, Instructions: 72 Total matches: 256window

Similarity

Total matches: 256
API ID: ShowWindow$SetWindowLong$GetWindowLongIsIconicIsWindowVisible
String ID:
API String ID: 1329766111-0
Opcode ID: 851ee31c2da1c7e890e66181f8fd9237c67ccb8fd941b2d55d1428457ca3ad95
Instruction ID: 2d601e2c9dde570a1438639cb57e59d23a7ac9434ebe8ec1c9926e4533b8e8e7
Opcode Fuzzy Hash: FEE0684A6E7C6CE4E26AE7048881B00514BE307A17DC00B00C722165A69E8830E4AC8E
Instruction Fuzzy Hash: 2d601e2c9dde570a1438639cb57e59d23a7ac9434ebe8ec1c9926e4533b8e8e7

APIs

GetWindowLongA.USER32(?,000000EC), ref: 0043B7E8
IsIconic.USER32(?), ref: 0043B800
IsWindowVisible.USER32(?), ref: 0043B80C
ShowWindow.USER32(?,00000000), ref: 0043B840
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B855
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B866
ShowWindow.USER32(?,00000006), ref: 0043B881
ShowWindow.USER32(?,00000005), ref: 0043B88B

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004389B4, Relevance: 10.9, APIs: 7, Instructions: 405 Total matches: 2150windowCrypto

Similarity

Total matches: 2150
API ID: RestoreDCSaveDC$DefWindowProcGetSubMenuGetWindowDC
String ID:
API String ID: 4165311318-0
Opcode ID: e3974ea3235f2bde98e421c273a503296059dbd60f3116d5136c6e7e7c4a4110
Instruction ID: 37498faecac08611daeb58a409bdd2e28f3aff22c71556953c3d6c7203dc42a1
Opcode Fuzzy Hash: E351598106AE105BFCB3A49435C3FA31002E75259BCC9F7725F65B69F70A426107FA0E
Instruction Fuzzy Hash: 37498faecac08611daeb58a409bdd2e28f3aff22c71556953c3d6c7203dc42a1

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 00438ECA

Part of subcall function 00437AE0: SendMessageA.USER32(?,00000234,00000000,00000000), ref: 00437B66
Part of subcall function 00437AE0: DrawMenuBar.USER32(00000000), ref: 00437B77

GetSubMenu.USER32(?,?), ref: 00438AB0

Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128

SaveDC.GDI32(?), ref: 00438C84
RestoreDC.GDI32(?,?), ref: 00438CF8
GetWindowDC.USER32(?), ref: 00438D72
SaveDC.GDI32(?), ref: 00438DA9
RestoreDC.GDI32(?,?), ref: 00438E16

Part of subcall function 00438594: GetMenuItemCount.USER32(?), ref: 004385C0
Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 004385E0
Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 00438678

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043E644, Relevance: 10.9, APIs: 7, Instructions: 356 Total matches: 105windowCrypto

Similarity

Total matches: 105
API ID: RestoreDCSaveDC$GetParentGetWindowDCSetFocus
String ID:
API String ID: 1433148327-0
Opcode ID: c7c51054c34f8cc51c1d37cc0cdfc3fb3cac56433bd5d750a0ee7df42f9800ec
Instruction ID: 9e67841575b56d9a11e2d3f15b67e7abce699d8469a9871b1b2609441fc85f19
Opcode Fuzzy Hash: 60514740199E7193F47720842BC3BEAB09AF79671DC40F3616BC6318877F15A21AB70B
Instruction Fuzzy Hash: 9e67841575b56d9a11e2d3f15b67e7abce699d8469a9871b1b2609441fc85f19

APIs

Part of subcall function 00448224: SetActiveWindow.USER32(?), ref: 0044823F
Part of subcall function 00448224: SetFocus.USER32(00000000), ref: 00448289

SetFocus.USER32(00000000), ref: 0043E76F

Part of subcall function 0043F4F4: SendMessageA.USER32(00000000,00000229,00000000,00000000), ref: 0043F51B

Part of subcall function 0044D2F4: GetWindowThreadProcessId.USER32(?), ref: 0044D301
Part of subcall function 0044D2F4: GetCurrentProcessId.KERNEL32(?,00000000,?,004387ED,?,004378A9), ref: 0044D30A
Part of subcall function 0044D2F4: GlobalFindAtomA.KERNEL32(00000000), ref: 0044D31F
Part of subcall function 0044D2F4: GetPropA.USER32(?,00000000), ref: 0044D336

GetParent.USER32(?), ref: 0043E78A

Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128

SaveDC.GDI32(?), ref: 0043E92D
RestoreDC.GDI32(?,?), ref: 0043E99E
GetWindowDC.USER32(00000000), ref: 0043EA0A
SaveDC.GDI32(?), ref: 0043EA41
RestoreDC.GDI32(?,?), ref: 0043EAA5

Part of subcall function 00447EF0: InvalidateRect.USER32(00000000,00000000,000000FF), ref: 00447F83
Part of subcall function 00447EF0: InvalidateRect.USER32(00000000,00000000,000000FF), ref: 00447FB6

Part of subcall function 004556F4: SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000077), ref: 004557E5
Part of subcall function 004556F4: _TrackMouseEvent.COMCTL32(00000010), ref: 00455A9D
Part of subcall function 004556F4: DefWindowProcA.USER32(00000000,?,?,?), ref: 00455AEF
Part of subcall function 004556F4: GetCapture.USER32 ref: 00455B5A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00471850, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 97 Total matches: 34service

Similarity

Total matches: 34
API ID: CloseServiceHandle$CreateServiceOpenSCManager
String ID: Description$System\CurrentControlSet\Services\
API String ID: 2405299899-3489731058
Opcode ID: 96e252074fe1f6aca618bd4c8be8348df4b99afc93868a54bf7090803d280f0a
Instruction ID: 14b9cf690ce9596509c6229b802a5a61d158de39c8e329de654368bbb4824ff8
Opcode Fuzzy Hash: 7EF09E441FA6E84FA45EB84828533D651465713A78D4C77F19778379C34E84802EF662
Instruction Fuzzy Hash: 14b9cf690ce9596509c6229b802a5a61d158de39c8e329de654368bbb4824ff8

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,00471976,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00471890
CreateServiceA.ADVAPI32(00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,0047193B), ref: 004718D1

Part of subcall function 004711E8: RegCreateKeyA.ADVAPI32(?,00000000,?), ref: 0047122E
Part of subcall function 004711E8: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000002,00000000,?,00000000,00471291), ref: 0047125A
Part of subcall function 004711E8: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000002,00000000,?,00000000,00471291), ref: 00471269

CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00471926
CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0047192C

Strings

Description, xrefs: 00471916
System\CurrentControlSet\Services\, xrefs: 004718F7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004714B8, Relevance: 10.6, APIs: 7, Instructions: 89 Total matches: 71service

Similarity

Total matches: 71
API ID: CloseServiceHandle$ControlServiceOpenSCManagerOpenServiceQueryServiceStatusStartService
String ID:
API String ID: 3657116338-0
Opcode ID: 1e9d444eec48d0e419340f6fec950ff588b94c8e7592a950f99d2ba7664d31f8
Instruction ID: f731b938185626ba78ad74946a73eac4c40bc8709c87a2b6d5c22da45b1e1850
Opcode Fuzzy Hash: EDF0270D12C6E85FF119A88C1181B67D992DF56795E4A37E04715744CB1AE21008FA1E
Instruction Fuzzy Hash: f731b938185626ba78ad74946a73eac4c40bc8709c87a2b6d5c22da45b1e1850

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047159E), ref: 004714FD
OpenServiceA.ADVAPI32(00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047152D
StartServiceA.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471555
ControlService.ADVAPI32(00000000,00000001,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471563
QueryServiceStatus.ADVAPI32(00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047156D
CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471573
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471579

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A070, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51 Total matches: 81shutdown

Similarity

Total matches: 81
API ID: AdjustTokenPrivilegesExitWindowsExGetCurrentProcessLookupPrivilegeValueOpenProcessToken
String ID: SeShutdownPrivilege
API String ID: 907618230-3733053543
Opcode ID: 6325c351eeb4cc5a7ec0039467aea46e8b54e3429b17674810d590d1af91e24f
Instruction ID: 66577e1e564058a64f67eda116e8e082f314cb3670dbe1b8773e92ba7f33d392
Opcode Fuzzy Hash: 84D0124D3B7976B1F31D5D4001C47A6711FDBA322AD61670069507725A8DA091F4BE88
Instruction Fuzzy Hash: 66577e1e564058a64f67eda116e8e082f314cb3670dbe1b8773e92ba7f33d392

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 0048A083
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0048A089
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000000), ref: 0048A0A4
AdjustTokenPrivileges.ADVAPI32(00000002,00000000,00000002,00000010,?,?,00000000), ref: 0048A0E5
ExitWindowsEx.USER32(00000012,00000000), ref: 0048A0ED

Strings

SeShutdownPrivilege, xrefs: 0048A09D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004715B0, Relevance: 7.5, APIs: 5, Instructions: 49 Total matches: 102service

Similarity

Total matches: 102
API ID: CloseServiceHandle$DeleteServiceOpenSCManagerOpenService
String ID:
API String ID: 3460840894-0
Opcode ID: edfa3289dfdb26ec1f91a4a945de349b204e0a604ed3354c303b362bde8b8223
Instruction ID: 514bcffe4070602af344c66095507f6a8d55ec3e3e7bb18c804bf3b7deea95f5
Opcode Fuzzy Hash: 01D02E841BA8F82FD4879988111239360C1AA23A90D8A37F08E08361D3ABE4004CF86A
Instruction Fuzzy Hash: 514bcffe4070602af344c66095507f6a8d55ec3e3e7bb18c804bf3b7deea95f5

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047162F), ref: 004715DB
OpenServiceA.ADVAPI32(00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 004715F5
DeleteService.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471601
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 0047160E
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471614

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A218, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45 Total matches: 35

Similarity

Total matches: 35
API ID: ShellExecuteEx
String ID: <$runas
API String ID: 188261505-1187129395
Opcode ID: 78fd917f465efea932f782085a819b786d64ecbded851ad2becd4a9c2b295cba
Instruction ID: 699417cfffd9d2823bf050fc300394e0ca4864bf277244f982f3937778f2d3bc
Opcode Fuzzy Hash: 44D0C2651799A06BC4A3B2C03C41B2B25307B13B48C0EB722960034CD38F080009EF85
Instruction Fuzzy Hash: 699417cfffd9d2823bf050fc300394e0ca4864bf277244f982f3937778f2d3bc

APIs

ShellExecuteExA.SHELL32(0000003C,00000000,0048A2A4), ref: 0048A283

Strings

runas, xrefs: 0048A268
<, xrefs: 0048A24C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042F204, Relevance: 166.5, APIs: 48, Strings: 47, Instructions: 266 Total matches: 2590libraryloader

Similarity

Total matches: 2590
API ID: GetProcAddress$LoadLibrary
String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$[FILE]
API String ID: 2209490600-790253602
Opcode ID: d5b316937265a1d63c550ac9e6780b23ae603b9b00a4eb52bbd2495b45327185
Instruction ID: cdd6db89471e363eb0c024dafd59dce8bdfa3de864d9ed8bc405e7c292d3cab1
Opcode Fuzzy Hash: 3A41197F44EC1149F6A0DA0830FF64324E669EAF2C0325F101587303717ADBF52A6AB9
Instruction Fuzzy Hash: cdd6db89471e363eb0c024dafd59dce8bdfa3de864d9ed8bc405e7c292d3cab1

APIs

LoadLibraryA.KERNEL32(uxtheme.dll), ref: 0042F23A
GetProcAddress.KERNEL32(00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F252
GetProcAddress.KERNEL32(00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F264
GetProcAddress.KERNEL32(00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F276
GetProcAddress.KERNEL32(00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F288
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F29A
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F2AC
GetProcAddress.KERNEL32(00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000), ref: 0042F2BE
GetProcAddress.KERNEL32(00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData), ref: 0042F2D0
GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData), ref: 0042F2E2
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground), ref: 0042F2F4
GetProcAddress.KERNEL32(00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText), ref: 0042F306
GetProcAddress.KERNEL32(00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect), ref: 0042F318
GetProcAddress.KERNEL32(00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect), ref: 0042F32A
GetProcAddress.KERNEL32(00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize), ref: 0042F33C
GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent), ref: 0042F34E
GetProcAddress.KERNEL32(00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics), ref: 0042F360
GetProcAddress.KERNEL32(00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion), ref: 0042F372
GetProcAddress.KERNEL32(00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground), ref: 0042F384
GetProcAddress.KERNEL32(00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge), ref: 0042F396
GetProcAddress.KERNEL32(00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon), ref: 0042F3A8
GetProcAddress.KERNEL32(00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined), ref: 0042F3BA
GetProcAddress.KERNEL32(00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent), ref: 0042F3CC
GetProcAddress.KERNEL32(00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor), ref: 0042F3DE
GetProcAddress.KERNEL32(00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric), ref: 0042F3F0
GetProcAddress.KERNEL32(00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString), ref: 0042F402
GetProcAddress.KERNEL32(00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool), ref: 0042F414
GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt), ref: 0042F426
GetProcAddress.KERNEL32(00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue), ref: 0042F438
GetProcAddress.KERNEL32(00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition), ref: 0042F44A
GetProcAddress.KERNEL32(00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont), ref: 0042F45C
GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect), ref: 0042F46E
GetProcAddress.KERNEL32(00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins), ref: 0042F480
GetProcAddress.KERNEL32(00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList), ref: 0042F492
GetProcAddress.KERNEL32(00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin), ref: 0042F4A4
GetProcAddress.KERNEL32(00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme), ref: 0042F4B6
GetProcAddress.KERNEL32(00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename), ref: 0042F4C8
GetProcAddress.KERNEL32(00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor), ref: 0042F4DA
GetProcAddress.KERNEL32(00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush), ref: 0042F4EC
GetProcAddress.KERNEL32(00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool), ref: 0042F4FE
GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize), ref: 0042F510
GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont), ref: 0042F522
GetProcAddress.KERNEL32(00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString), ref: 0042F534
GetProcAddress.KERNEL32(00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt), ref: 0042F546
GetProcAddress.KERNEL32(00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive), ref: 0042F558
GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed), ref: 0042F56A
GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground,00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme), ref: 0042F57C
GetProcAddress.KERNEL32(00000000,EnableTheming,00000000,DrawThemeParentBackground,00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture), ref: 0042F58E

Strings

EnableTheming, xrefs: 0042F586
CloseThemeData, xrefs: 0042F25C
DrawThemeText, xrefs: 0042F280
GetThemePosition, xrefs: 0042F3C4
IsThemeBackgroundPartiallyTransparent, xrefs: 0042F346
GetThemeBool, xrefs: 0042F38E
GetThemeTextMetrics, xrefs: 0042F2DA
IsThemeDialogTextureEnabled, xrefs: 0042F51A
GetThemeMetric, xrefs: 0042F36A
GetThemeSysInt, xrefs: 0042F4C0
GetThemeInt, xrefs: 0042F3A0
SetThemeAppProperties, xrefs: 0042F53E
IsAppThemed, xrefs: 0042F4E4
EnableThemeDialogTexture, xrefs: 0042F508
GetThemeEnumValue, xrefs: 0042F3B2
GetThemeSysSize, xrefs: 0042F48A
GetThemeTextExtent, xrefs: 0042F2C8
DrawThemeBackground, xrefs: 0042F26E
GetThemeBackgroundRegion, xrefs: 0042F2EC
IsThemeActive, xrefs: 0042F4D2
GetThemeBackgroundContentRect, xrefs: 0042F292, 0042F2A4
uxtheme.dll, xrefs: 0042F235
GetThemeSysString, xrefs: 0042F4AE
DrawThemeEdge, xrefs: 0042F310
GetThemeFilename, xrefs: 0042F442
GetThemeIntList, xrefs: 0042F40C
GetThemeSysBool, xrefs: 0042F478
GetThemeSysColor, xrefs: 0042F454
GetThemeFont, xrefs: 0042F3D6
GetWindowTheme, xrefs: 0042F4F6
GetThemeMargins, xrefs: 0042F3FA
GetThemeSysColorBrush, xrefs: 0042F466
GetCurrentThemeName, xrefs: 0042F550
GetThemeAppProperties, xrefs: 0042F52C
GetThemePropertyOrigin, xrefs: 0042F41E
OpenThemeData, xrefs: 0042F24A
GetThemeSysFont, xrefs: 0042F49C
GetThemeRect, xrefs: 0042F3E8
GetThemeDocumentationProperty, xrefs: 0042F562
IsThemePartDefined, xrefs: 0042F334
SetWindowTheme, xrefs: 0042F430
GetThemePartSize, xrefs: 0042F2B6
GetThemeColor, xrefs: 0042F358
DrawThemeParentBackground, xrefs: 0042F574
DrawThemeIcon, xrefs: 0042F322
GetThemeString, xrefs: 0042F37C
HitTestThemeBackground, xrefs: 0042F2FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00460DDC, Relevance: 75.4, APIs: 24, Strings: 19, Instructions: 132 Total matches: 77libraryloader

Similarity

Total matches: 77
API ID: GetProcAddress$LoadLibrary
String ID: EmptyWorkingSet$EnumDeviceDrivers$EnumProcessModules$EnumProcesses$GetDeviceDriverBaseNameA$GetDeviceDriverBaseNameW$GetDeviceDriverFileNameA$GetDeviceDriverFileNameW$GetMappedFileNameA$GetMappedFileNameW$GetModuleBaseNameA$GetModuleBaseNameW$GetModuleFileNameExA$GetModuleFileNameExW$GetModuleInformation$GetProcessMemoryInfo$InitializeProcessForWsWatch$[FILE]$QueryWorkingSet
API String ID: 2209490600-4166134900
Opcode ID: aaefed414f62a40513f9ac2234ba9091026a29d00b8defe743cdf411cc1f958a
Instruction ID: 585c55804eb58d57426aaf25b5bf4c27b161b10454f9e43d23d5139f544de849
Opcode Fuzzy Hash: CC1125BF55AD1149CBA48A6C34EF70324D3399A90D4228F10A492317397DDFE49A1FB5
Instruction Fuzzy Hash: 585c55804eb58d57426aaf25b5bf4c27b161b10454f9e43d23d5139f544de849

APIs

LoadLibraryA.KERNEL32(PSAPI.dll), ref: 00460DF0
GetProcAddress.KERNEL32(00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E0C
GetProcAddress.KERNEL32(00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E1E
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E30
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E42
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E54
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E66
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll), ref: 00460E78
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses), ref: 00460E8A
GetProcAddress.KERNEL32(00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules), ref: 00460E9C
GetProcAddress.KERNEL32(00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA), ref: 00460EAE
GetProcAddress.KERNEL32(00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA), ref: 00460EC0
GetProcAddress.KERNEL32(00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA), ref: 00460ED2
GetProcAddress.KERNEL32(00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA), ref: 00460EE4
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW), ref: 00460EF6
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW), ref: 00460F08
GetProcAddress.KERNEL32(00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation), ref: 00460F1A
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet), ref: 00460F2C
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet), ref: 00460F3E
GetProcAddress.KERNEL32(00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch), ref: 00460F50
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA), ref: 00460F62
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA), ref: 00460F74
GetProcAddress.KERNEL32(00000000,EnumDeviceDrivers,00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA), ref: 00460F86
GetProcAddress.KERNEL32(00000000,GetProcessMemoryInfo,00000000,EnumDeviceDrivers,00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA), ref: 00460F98

Strings

GetDeviceDriverFileNameA, xrefs: 00460F00, 00460F36
GetModuleInformation, xrefs: 00460E94
QueryWorkingSet, xrefs: 00460EB8
EnumProcessModules, xrefs: 00460E16
InitializeProcessForWsWatch, xrefs: 00460ECA
GetMappedFileNameA, xrefs: 00460EDC, 00460F12
GetDeviceDriverFileNameW, xrefs: 00460F6C
GetDeviceDriverBaseNameA, xrefs: 00460EEE, 00460F24
PSAPI.dll, xrefs: 00460DEB
EnumProcesses, xrefs: 00460E04
EnumDeviceDrivers, xrefs: 00460F7E
GetModuleBaseNameA, xrefs: 00460E28, 00460E4C
GetModuleFileNameExA, xrefs: 00460E3A, 00460E5E
GetDeviceDriverBaseNameW, xrefs: 00460F5A
EmptyWorkingSet, xrefs: 00460EA6
GetModuleFileNameExW, xrefs: 00460E82
GetModuleBaseNameW, xrefs: 00460E70
GetMappedFileNameW, xrefs: 00460F48
GetProcessMemoryInfo, xrefs: 00460F90

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045D6E8, Relevance: 49.1, APIs: 15, Strings: 13, Instructions: 95 Total matches: 1532libraryloader

Similarity

Total matches: 1532
API ID: GetProcAddress$SetErrorMode$GetModuleHandleLoadLibrary
String ID: ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME$[FILE]
API String ID: 4285671783-683095915
Opcode ID: 6332f91712b4189a2fbf9eac54066364acf4b46419cf90587b9f7381acad85db
Instruction ID: 372e34bc737a7edc69a1909bd40661afaf820c1de602df88552da6e630419b72
Opcode Fuzzy Hash: 0A01257F24D863CBD2D0CE4934DB39D20B65787C0C8D6DF404605318697F9BF9295A68
Instruction Fuzzy Hash: 372e34bc737a7edc69a1909bd40661afaf820c1de602df88552da6e630419b72

APIs

SetErrorMode.KERNEL32(00008000), ref: 0045D701
GetModuleHandleA.KERNEL32(USER32,00000000,0045D84E,?,00008000), ref: 0045D725
GetProcAddress.KERNEL32(00000000,WINNLSEnableIME,USER32,00000000,0045D84E,?,00008000), ref: 0045D732
LoadLibraryA.KERNEL32(imm32.dll), ref: 0045D74E
GetProcAddress.KERNEL32(00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D770
GetProcAddress.KERNEL32(00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D785
GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D79A
GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7AF
GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7C4
GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E), ref: 0045D7D9
GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000), ref: 0045D7EE
GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext), ref: 0045D803
GetProcAddress.KERNEL32(00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext), ref: 0045D818
GetProcAddress.KERNEL32(00000000,ImmNotifyIME,00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus), ref: 0045D82D
SetErrorMode.KERNEL32(?,0045D855,00008000), ref: 0045D848

Strings

USER32, xrefs: 0045D720
ImmReleaseContext, xrefs: 0045D77A
ImmNotifyIME, xrefs: 0045D822
ImmIsIME, xrefs: 0045D80D
ImmGetConversionStatus, xrefs: 0045D78F
ImmSetCompositionFontA, xrefs: 0045D7E3
ImmGetCompositionStringA, xrefs: 0045D7F8
ImmSetCompositionWindow, xrefs: 0045D7CE
ImmGetContext, xrefs: 0045D765
imm32.dll, xrefs: 0045D749
ImmSetOpenStatus, xrefs: 0045D7B9
WINNLSEnableIME, xrefs: 0045D72C
ImmSetConversionStatus, xrefs: 0045D7A4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004104F0, Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141 Total matches: 3143

Similarity

Total matches: 3143
API ID: GetModuleHandle
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$[FILE]
API String ID: 2196120668-1102361026
Opcode ID: d04b3c176625d43589df9c4c1eaa1faa8af9b9c00307a8a09859a0e62e75f2dc
Instruction ID: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6
Opcode Fuzzy Hash: B8119E48E06A10BC356E3ED6B0292683F50A1A7CBF31D5388487AA46F067C083C0FF2D
Instruction Fuzzy Hash: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 004104F9

Part of subcall function 004104C4: GetProcAddress.KERNEL32(00000000), ref: 004104DD

Strings

VarMod, xrefs: 004105B7
VarBstrFromCy, xrefs: 004106A9
VarBstrFromBool, xrefs: 004106D5
VarAnd, xrefs: 004105CD
VarDateFromStr, xrefs: 00410667
oleaut32.dll, xrefs: 004104F4
VariantChangeTypeEx, xrefs: 00410507
VarCmp, xrefs: 0041060F
VarBstrFromDate, xrefs: 004106BF
VarBoolFromStr, xrefs: 00410693
VarR8FromStr, xrefs: 00410651
VarR4FromStr, xrefs: 0041063B
VarDiv, xrefs: 0041058B
VarSub, xrefs: 0041055F
VarNeg, xrefs: 0041051D
VarAdd, xrefs: 00410549
VarOr, xrefs: 004105E3
VarMul, xrefs: 00410575
VarI4FromStr, xrefs: 00410625
VarCyFromStr, xrefs: 0041067D
VarIdiv, xrefs: 004105A1
VarXor, xrefs: 004105F9
VarNot, xrefs: 00410533

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004291D0, Relevance: 31.7, APIs: 21, Instructions: 194 Total matches: 3060window

Similarity

Total matches: 3060
API ID: SelectObject$CreateCompatibleDCDeleteDCRealizePaletteSelectPaletteSetBkColor$BitBltCreateBitmapDeleteObjectGetDCGetObjectPatBltReleaseDC
String ID:
API String ID: 628774946-0
Opcode ID: fe3971f2977393a3c43567018b8bbe78de127415e632ac21538e816cc0dd5250
Instruction ID: 6115c1c3159ef7867d394253bd6a45f4e10092e6f2e7cc69ab30c5ac2c74a228
Opcode Fuzzy Hash: 2911294A05CCF32B64B579881983B261182FE43B52CABF7105979272CACF41740DE457
Instruction Fuzzy Hash: 6115c1c3159ef7867d394253bd6a45f4e10092e6f2e7cc69ab30c5ac2c74a228

APIs

GetObjectA.GDI32(?,00000054,?), ref: 004291F3
GetDC.USER32(00000000), ref: 00429221
CreateCompatibleDC.GDI32(?), ref: 00429232
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0042924D
SelectObject.GDI32(?,00000000), ref: 00429267
PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 00429289
CreateCompatibleDC.GDI32(?), ref: 00429297
DeleteDC.GDI32(?), ref: 0042937D

Part of subcall function 00428B08: GetObjectA.GDI32(00000000,00000054,?), ref: 00428B88
Part of subcall function 00428B08: GetDC.USER32(00000000), ref: 00428B99
Part of subcall function 00428B08: CreateCompatibleDC.GDI32(00000000), ref: 00428BAA
Part of subcall function 00428B08: CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 00428BF6
Part of subcall function 00428B08: CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 00428C1A
Part of subcall function 00428B08: GetDeviceCaps.GDI32(00000028,0000000C), ref: 00428C6A
Part of subcall function 00428B08: GetDeviceCaps.GDI32(00000028,0000000E), ref: 00428C77
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00428D21
Part of subcall function 00428B08: GetDIBColorTable.GDI32(?,00000000,00000100,-00000027), ref: 00428D47
Part of subcall function 00428B08: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428D72
Part of subcall function 00428B08: SelectObject.GDI32(?,?), ref: 00428D7F
Part of subcall function 00428B08: CreateDIBSection.GDI32(00000028,00000001,00000000,00000003,00000000,00000000), ref: 00428DD5
Part of subcall function 00428B08: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428E36
Part of subcall function 00428B08: SelectObject.GDI32(?,?), ref: 00428E77
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,00000000), ref: 00428EB7
Part of subcall function 00428B08: RealizePalette.GDI32(?), ref: 00428EC3
Part of subcall function 00428B08: FillRect.USER32(?,?,00000000), ref: 00428F14
Part of subcall function 00428B08: SetTextColor.GDI32(?,00000000), ref: 00428F2C
Part of subcall function 00428B08: SetBkColor.GDI32(?,00000000), ref: 00428F46
Part of subcall function 00428B08: SetDIBColorTable.GDI32(?,00000000,00000002,?), ref: 00428F8E
Part of subcall function 00428B08: PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 00428FB0
Part of subcall function 00428B08: CreateCompatibleDC.GDI32(00000028), ref: 00428FC3
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00428FE6
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,00000000), ref: 00429002
Part of subcall function 00428B08: RealizePalette.GDI32(?), ref: 0042900D
Part of subcall function 00428B08: SetTextColor.GDI32(?,00000000), ref: 0042902B
Part of subcall function 00428B08: SetBkColor.GDI32(?,00000000), ref: 00429045
Part of subcall function 00428B08: BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042906D
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,000000FF), ref: 0042907F
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00429089
Part of subcall function 00428B08: DeleteDC.GDI32(?), ref: 004290A4
Part of subcall function 00428B08: SelectPalette.GDI32(?,?,000000FF), ref: 004290CE

SelectObject.GDI32(?), ref: 004292DF
SelectPalette.GDI32(?,?,00000000), ref: 004292F2
RealizePalette.GDI32(?), ref: 004292FB
SelectPalette.GDI32(?,?,00000000), ref: 00429307
RealizePalette.GDI32(?), ref: 00429310
SetBkColor.GDI32(?), ref: 0042931A
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042933E
SetBkColor.GDI32(?,00000000), ref: 00429348
SelectObject.GDI32(?,00000000), ref: 0042935B
DeleteObject.GDI32 ref: 00429367
SelectObject.GDI32(?,00000000), ref: 00429398
DeleteDC.GDI32(00000000), ref: 004293B4
ReleaseDC.USER32(00000000,00000000), ref: 004293C5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004031FC, Relevance: 27.1, APIs: 9, Strings: 9, Instructions: 110 Total matches: 169

Similarity

Total matches: 169
API ID: CharNext
String ID: $ $ $"$"$"$"$"$"
API String ID: 3213498283-3597982963
Opcode ID: a78e52ca640c3a7d11d18e4cac849d6c7481ab065be4a6ef34a7c34927dd7892
Instruction ID: 5d6dbb870b020a65ba4fa9e31a5dda400ef744f15fc7bff5e21739e263984da5
Opcode Fuzzy Hash: D0F054139ED4432360976B416872B44E2D0DF9564D2C01F185B62BE2F31E696D62F9DC
Instruction Fuzzy Hash: 5d6dbb870b020a65ba4fa9e31a5dda400ef744f15fc7bff5e21739e263984da5

APIs

CharNextA.USER32(00000000), ref: 00403208
CharNextA.USER32(00000000), ref: 00403236
CharNextA.USER32(00000000), ref: 00403240
CharNextA.USER32(00000000), ref: 0040325F
CharNextA.USER32(00000000), ref: 00403269
CharNextA.USER32(00000000), ref: 00403295
CharNextA.USER32(00000000), ref: 0040329F
CharNextA.USER32(00000000), ref: 004032C7
CharNextA.USER32(00000000), ref: 004032D1

Strings

", xrefs: 00403230
, xrefs: 004032E9
", xrefs: 0040328F
", xrefs: 0040321E
, xrefs: 00403214
", xrefs: 00403254
, xrefs: 00403278
", xrefs: 00403219
", xrefs: 004032BC

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004296E0, Relevance: 21.2, APIs: 14, Instructions: 217 Total matches: 2962window

Similarity

Total matches: 2962
API ID: GetDeviceCapsSelectObjectSelectPaletteSetStretchBltMode$CreateCompatibleDCDeleteDCGetBrushOrgExRealizePaletteSetBrushOrgExStretchBlt
String ID:
API String ID: 3308931694-0
Opcode ID: c4f23efe5e20e7f72d9787206ae9d4d4484ef6a1768b369050ebc0ce3d21af64
Instruction ID: 6e80a75276815f297b150d1899ec2451361d21afa1efcd092d0d7bc48a04164e
Opcode Fuzzy Hash: 2C21980A409CEB6BF0BB78840183F4A2285BF9B34ACD1BB210E64673635F04E40BD65F
Instruction Fuzzy Hash: 6e80a75276815f297b150d1899ec2451361d21afa1efcd092d0d7bc48a04164e

APIs

Part of subcall function 00429D5C: GetDC.USER32(00000000), ref: 00429DB2
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429DC7
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00429DD1
Part of subcall function 00429D5C: CreateHalftonePalette.GDI32(00000000), ref: 00429DF5
Part of subcall function 00429D5C: ReleaseDC.USER32(00000000,00000000), ref: 00429E00

SelectPalette.GDI32(?,?,000000FF), ref: 00429723
RealizePalette.GDI32(?), ref: 00429732
GetDeviceCaps.GDI32(?,0000000C), ref: 00429744
GetDeviceCaps.GDI32(?,0000000E), ref: 00429753
GetBrushOrgEx.GDI32(?,?), ref: 00429786
SetStretchBltMode.GDI32(?,00000004), ref: 00429794
SetBrushOrgEx.GDI32(?,?,?,?), ref: 004297AC
SetStretchBltMode.GDI32(00000000,00000003), ref: 004297C9
SelectPalette.GDI32(?,?,000000FF), ref: 00429918

Part of subcall function 00429CFC: DeleteObject.GDI32(?), ref: 00429D1F

CreateCompatibleDC.GDI32(00000000), ref: 0042982A
SelectObject.GDI32(?,?), ref: 0042983F

Part of subcall function 00425CC8: CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 00425D0B
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425D20
Part of subcall function 00425CC8: MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,CCAA0029), ref: 00425D64
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425D7E
Part of subcall function 00425CC8: DeleteObject.GDI32(?), ref: 00425D8A
Part of subcall function 00425CC8: CreateCompatibleDC.GDI32(00000000), ref: 00425D9E
Part of subcall function 00425CC8: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00425DBF
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425DD4
Part of subcall function 00425CC8: SelectPalette.GDI32(?,48080787,00000000), ref: 00425DE8
Part of subcall function 00425CC8: SelectPalette.GDI32(?,?,00000000), ref: 00425DFA
Part of subcall function 00425CC8: SelectPalette.GDI32(?,00000000,000000FF), ref: 00425E0F
Part of subcall function 00425CC8: SelectPalette.GDI32(?,48080787,000000FF), ref: 00425E25
Part of subcall function 00425CC8: RealizePalette.GDI32(?), ref: 00425E31
Part of subcall function 00425CC8: StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 00425E53
Part of subcall function 00425CC8: StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 00425E75
Part of subcall function 00425CC8: SetTextColor.GDI32(?,00000000), ref: 00425E7D
Part of subcall function 00425CC8: SetBkColor.GDI32(?,00FFFFFF), ref: 00425E8B
Part of subcall function 00425CC8: StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 00425EB7
Part of subcall function 00425CC8: StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 00425EDC
Part of subcall function 00425CC8: SetTextColor.GDI32(?,?), ref: 00425EE6
Part of subcall function 00425CC8: SetBkColor.GDI32(?,?), ref: 00425EF0
Part of subcall function 00425CC8: SelectObject.GDI32(?,00000000), ref: 00425F03
Part of subcall function 00425CC8: DeleteObject.GDI32(?), ref: 00425F0C
Part of subcall function 00425CC8: SelectPalette.GDI32(?,00000000,00000000), ref: 00425F2E
Part of subcall function 00425CC8: DeleteDC.GDI32(?), ref: 00425F37

SelectObject.GDI32(?,00000000), ref: 0042989E
DeleteDC.GDI32(00000000), ref: 004298AD
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,?), ref: 004298F3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048D3C4, Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 132 Total matches: 32

Similarity

Total matches: 32
API ID: GetVersionEx
String ID: Unknow$Windows 2000$Windows 7$Windows 95$Windows 98$Windows Me$Windows NT 4.0$Windows Server 2003$Windows Vista$Windows XP
API String ID: 3908303307-3783844371
Opcode ID: 7b5a5832e5fd12129a8a2e2906a492b9449b8df28a17af9cc2e55bced20de565
Instruction ID: b844ed6b70e0e94de659292c354b68b9ed016400ab421bcb6baea74a0809c2ae
Opcode Fuzzy Hash: 0C11ACC1EB6CE422E7B219486410BD59E805F8B83AFCCC343D63EA83E46D491419F22D
Instruction Fuzzy Hash: b844ed6b70e0e94de659292c354b68b9ed016400ab421bcb6baea74a0809c2ae

APIs

GetVersionExA.KERNEL32(00000094), ref: 0048D410

Strings

Windows Me, xrefs: 0048D4F2
Windows NT 4.0, xrefs: 0048D441
Windows 2000, xrefs: 0048D467
Windows 95, xrefs: 0048D4D6
Windows 7, xrefs: 0048D4B1
Unknow, xrefs: 0048D3F5
Windows Vista, xrefs: 0048D4A3
Windows Server 2003, xrefs: 0048D486
Windows XP, xrefs: 0048D478
Windows 98, xrefs: 0048D4E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C494, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 102 Total matches: 27filememorythread

Similarity

Total matches: 27
API ID: CloseHandle$CreateFileCreateThreadFindResourceLoadResourceLocalAllocLockResourceSizeofResourceWriteFile
String ID: [FILE]
API String ID: 67866216-124780900
Opcode ID: 96c988e38e59b89ff17cc2eaece477f828ad8744e4a6eccd5192cfbc043553d8
Instruction ID: 630cc112895e8414539e3ba5b7ba0394fd4404f3832c6fa9d37db38bf09270f9
Opcode Fuzzy Hash: D5F02B8A57A5E6A3F0003C841D423D286D55B13B20E582B62C57CB75C1FE24502AFB03
Instruction Fuzzy Hash: 630cc112895e8414539e3ba5b7ba0394fd4404f3832c6fa9d37db38bf09270f9

APIs

FindResourceA.KERNEL32(00000000,?,?), ref: 0048C4C3

Part of subcall function 00489BB0: GetTempPathA.KERNEL32(?,00000000), ref: 00489BEC

CreateFileA.KERNEL32(00000000,.dll,?,?,40000000,00000002,00000000), ref: 0048C50F
SizeofResource.KERNEL32(00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC,?,?,?,?,00000000,00000000,00000000), ref: 0048C51F
LoadResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C528
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C52E
WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0048C535
CloseHandle.KERNEL32(00000000), ref: 0048C53B
LocalAlloc.KERNEL32(00000040,00000004,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C544
CreateThread.KERNEL32(00000000,00000000,0048C3E4,00000000,00000000,?), ref: 0048C586
CloseHandle.KERNEL32(00000000), ref: 0048C58C

Strings

.dll, xrefs: 0048C4F4, 0048C565

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004085D4, Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 61 Total matches: 268windowregistry

Similarity

Total matches: 268
API ID: RegisterWindowMessage$SendMessage$FindWindow
String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
API String ID: 773075572-3736581797
Opcode ID: b8d29d158da692a3f30c7c46c0fd30bc084ed528be5294db655e4684b6c0c80f
Instruction ID: 4e75a9db2a85290b2bd165713cc3b8ab264a87c6022b985514cebb886d0c2653
Opcode Fuzzy Hash: E3E086048EC5E4C040877D156905746525A5B47E33E88971245FC69EEBDF12706CF60B
Instruction Fuzzy Hash: 4e75a9db2a85290b2bd165713cc3b8ab264a87c6022b985514cebb886d0c2653

APIs

FindWindowA.USER32(MouseZ,Magellan MSWHEEL), ref: 004085EC
RegisterWindowMessageA.USER32(MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 004085F8
RegisterWindowMessageA.USER32(MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 00408607
RegisterWindowMessageA.USER32(MSH_SCROLL_LINES_MSG,MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 00408613
SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 0040862B
SendMessageA.USER32(00000000,?,00000000,00000000), ref: 0040864F

Strings

MSH_SCROLL_LINES_MSG, xrefs: 0040860E
MSH_WHEELSUPPORT_MSG, xrefs: 00408602
MouseZ, xrefs: 004085E7
Magellan MSWHEEL, xrefs: 004085E2
MSWHEEL_ROLLMSG, xrefs: 004085F3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004328FC, Relevance: 18.1, APIs: 12, Instructions: 142 Total matches: 2670

Similarity

Total matches: 2670
API ID: GetSystemMetricsGetWindowLong$ExcludeClipRectFillRectGetSysColorBrushGetWindowDCGetWindowRectInflateRectOffsetRectReleaseDC
String ID:
API String ID: 3932036319-0
Opcode ID: 76064c448b287af48dc2af56ceef959adfeb7e49e56a31cb381aae6292753b0b
Instruction ID: f04c829c48dd0ecc4740a09c532db4e7ffce190e9eba6ce852bb2d0274806371
Opcode Fuzzy Hash: 03019760024F1233E0B31AC05DC7F127621ED45386CA4BBF28BF6A72C962AA7006F467
Instruction Fuzzy Hash: f04c829c48dd0ecc4740a09c532db4e7ffce190e9eba6ce852bb2d0274806371

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 00432917
GetWindowRect.USER32(00000000,?), ref: 00432932
OffsetRect.USER32(?,?,?), ref: 00432947
GetWindowDC.USER32(00000000), ref: 00432955
GetWindowLongA.USER32(00000000,000000F0), ref: 00432986
GetSystemMetrics.USER32(00000002), ref: 0043299B
GetSystemMetrics.USER32(00000003), ref: 004329A4
InflateRect.USER32(?,000000FE,000000FE), ref: 004329B3
GetSysColorBrush.USER32(0000000F), ref: 004329E0
FillRect.USER32(?,?,00000000), ref: 004329EE
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00432A13
ReleaseDC.USER32(00000000,?), ref: 00432A51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00402820, Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 254 Total matches: 200window

Similarity

Total matches: 200
API ID: MessageBox
String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
API String ID: 1250089747-1256731999
Opcode ID: 490897b8e9acac750f9d51d50a768472c0795dbdc6439b18441db86d626ce938
Instruction ID: 76dfa530adb1b8c2cc13e2667be7c25ba156ed0594aa9714788bfb3d1a0eda85
Opcode Fuzzy Hash: 0731F44BA7DDC3A2D3E91303684575550E2A7C5537C888F609772317F6EE04250BAAAD
Instruction Fuzzy Hash: 76dfa530adb1b8c2cc13e2667be7c25ba156ed0594aa9714788bfb3d1a0eda85

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 00402BBE

Strings

An unexpected memory leak has occurred. , xrefs: 00402980
String, xrefs: 00402A91
, xrefs: 00402B04
Unknown, xrefs: 00402A7C
The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402B39
The unexpected small block leaks are:, xrefs: 004029F7
Unexpected Memory Leak, xrefs: 00402BB0
7, xrefs: 00402991
bytes: , xrefs: 00402A4D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F17C, Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 116 Total matches: 33window

Similarity

Total matches: 33
API ID: GetWindowPlacementGetWindowTextIsWindowVisible
String ID: ,$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive$True
API String ID: 41250382-511446200
Opcode ID: 2a93bd2407602c988be198f02ecb64933adb9ffad78aee0f75abc9a1a22a1849
Instruction ID: 8f95e1a452f283c9d6a5f9db166b7f7b6e325fa1ebf04232aa01919826a7e185
Opcode Fuzzy Hash: F5012D8237CECA73DA0AAEC47C00B80D5A5AF63224CC867A14A9D3D1D41ED06009AB4A
Instruction Fuzzy Hash: 8f95e1a452f283c9d6a5f9db166b7f7b6e325fa1ebf04232aa01919826a7e185

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F1D2
GetWindowPlacement.USER32(?,0000002C), ref: 0046F1ED
IsWindowVisible.USER32(?), ref: 0046F258

Part of subcall function 0046F148: GetWindow.USER32(?,00000005), ref: 0046F156
Part of subcall function 0046F148: GetWindow.USER32(00000000,00000002), ref: 0046F164

Strings

,, xrefs: 0046F1E1
Minimized, xrefs: 0046F225
Show/Unactive, xrefs: 0046F239
True, xrefs: 0046F2AA
Maximized, xrefs: 0046F1FD
Normal, xrefs: 0046F211
Normal/Unactive, xrefs: 0046F24D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E71C, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 109 Total matches: 2989

Similarity

Total matches: 2989
API ID: IntersectRect$GetSystemMetrics$EnumDisplayMonitorsGetClipBoxGetDCOrgExOffsetRect
String ID: EnumDisplayMonitors
API String ID: 2403121106-2491903729
Opcode ID: 52db4d6629bbd73772140d7e04a91d47a072080cb3515019dbe85a8b86b11587
Instruction ID: b4557ab74b20c8893b9e8c5043286aecf6e43751f6ec849995a879e485a4fa77
Opcode Fuzzy Hash: 60F02B4B413C0863AD32BB953067E2601615BD3955C9F7BF34D077A2091B85B42EF643
Instruction Fuzzy Hash: b4557ab74b20c8893b9e8c5043286aecf6e43751f6ec849995a879e485a4fa77

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 0042E755
GetSystemMetrics.USER32(00000000), ref: 0042E77A
GetSystemMetrics.USER32(00000001), ref: 0042E785
GetClipBox.GDI32(?,?), ref: 0042E797
GetDCOrgEx.GDI32(?,?), ref: 0042E7A4
OffsetRect.USER32(?,?,?), ref: 0042E7BD
IntersectRect.USER32(?,?,?), ref: 0042E7CE
IntersectRect.USER32(?,?,?), ref: 0042E7E4
IntersectRect.USER32(?,?,?), ref: 0042E804

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

EnumDisplayMonitors, xrefs: 0042E734

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044D1B0, Relevance: 16.6, APIs: 11, Instructions: 91 Total matches: 309

Similarity

Total matches: 309
API ID: GetWindowLongSetWindowLong$SetProp$IsWindowUnicode
String ID:
API String ID: 2416549522-0
Opcode ID: cc33e88019e13a6bdd1cd1f337bb9aa08043e237bf24f75c2294c70aefb51ea5
Instruction ID: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692
Opcode Fuzzy Hash: 47F09048455D92E9CE316990181BFEB6098AF57F91CE86B0469C2713778E50F079BCC2
Instruction Fuzzy Hash: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692

APIs

IsWindowUnicode.USER32(?), ref: 0044D1CA
SetWindowLongW.USER32(?,000000FC,?), ref: 0044D1E5
GetWindowLongW.USER32(?,000000F0), ref: 0044D1F0
GetWindowLongW.USER32(?,000000F4), ref: 0044D202
SetWindowLongW.USER32(?,000000F4,?), ref: 0044D215
SetWindowLongA.USER32(?,000000FC,?), ref: 0044D22E
GetWindowLongA.USER32(?,000000F0), ref: 0044D239
GetWindowLongA.USER32(?,000000F4), ref: 0044D24B
SetWindowLongA.USER32(?,000000F4,?), ref: 0044D25E
SetPropA.USER32(?,00000000,00000000), ref: 0044D275
SetPropA.USER32(?,00000000,00000000), ref: 0044D28C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A8AC, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 146 Total matches: 45fileprocesssynchronization

Similarity

Total matches: 45
API ID: CloseHandle$CreateFile$CreateProcessWaitForSingleObject
String ID: D
API String ID: 1169714791-2746444292
Opcode ID: 9fb844b51f751657abfdf9935c21911306aa385a3997c9217fbe2ce6b668f812
Instruction ID: 79e473b7fda91be69f4d7f417df14a4c992ec25b9310636d694ca9e09f5cc5b6
Opcode Fuzzy Hash: 4D11E6431384F3F3F1A567002C8275185D6DB45A78E6D9752D6B6323EECB40A16CF94A
Instruction Fuzzy Hash: 79e473b7fda91be69f4d7f417df14a4c992ec25b9310636d694ca9e09f5cc5b6

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000004,00000100,00000000), ref: 0048A953
CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000002,00000100,00000000), ref: 0048A98D
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000110,00000000,00000000,00000044,?), ref: 0048AA10
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0048AA2D
CloseHandle.KERNEL32(00000000), ref: 0048AA68
CloseHandle.KERNEL32(00000000), ref: 0048AA77
CloseHandle.KERNEL32(00000000), ref: 0048AA86
CloseHandle.KERNEL32(00000000), ref: 0048AA95

Strings

D, xrefs: 0048A9BB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F3B8, Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 110 Total matches: 30

Similarity

Total matches: 30
API ID: GetWindowPlacementGetWindowText
String ID: ,$False$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive
API String ID: 3194812178-3661939895
Opcode ID: 6e67ebc189e59b109926b976878c05c5ff8e56a7c2fe83319816f47c7d386b2c
Instruction ID: 05c2a068ec8248d3d24fb73124f2ba0192b7bb261c799db9564259cde8fcc610
Opcode Fuzzy Hash: DC012BC22786CE23E606A9C47A00BD0CE65AFB261CCC867E14FEE3C5D57ED100089B96
Instruction Fuzzy Hash: 05c2a068ec8248d3d24fb73124f2ba0192b7bb261c799db9564259cde8fcc610

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F40E
GetWindowPlacement.USER32(?,0000002C), ref: 0046F429

Part of subcall function 0046F148: GetWindow.USER32(?,00000005), ref: 0046F156
Part of subcall function 0046F148: GetWindow.USER32(00000000,00000002), ref: 0046F164

Strings

Maximized, xrefs: 0046F439
,, xrefs: 0046F41D
False, xrefs: 0046F4D6
Show/Unactive, xrefs: 0046F475
Normal, xrefs: 0046F44D
Minimized, xrefs: 0046F461
Normal/Unactive, xrefs: 0046F489

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00456278, Relevance: 15.2, APIs: 10, Instructions: 197 Total matches: 3025

Similarity

Total matches: 3025
API ID: GetWindowLong$IntersectClipRectRestoreDCSaveDC
String ID:
API String ID: 3006731778-0
Opcode ID: 42e9e34b880910027b3e3a352b823e5a85719ef328f9c6ea61aaf2d3498d6580
Instruction ID: 4204c0258dd60c0c2688d7e8ce7edc9cd036ce1826430425374ca7ebdb7834a4
Opcode Fuzzy Hash: 4621F609168D5267EC7B75806993BAA7111FB82B88CD1F7321AA1171975B80204BFA07
Instruction Fuzzy Hash: 4204c0258dd60c0c2688d7e8ce7edc9cd036ce1826430425374ca7ebdb7834a4

APIs

SaveDC.GDI32(?), ref: 00456295

Part of subcall function 0044EEA0: GetWindowOrgEx.GDI32(?), ref: 0044EEAE
Part of subcall function 0044EEA0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044EEC4

IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 004562CE
GetWindowLongA.USER32(00000000,000000EC), ref: 004562E2
GetWindowLongA.USER32(00000000,000000F0), ref: 00456303

Part of subcall function 00456278: SetRect.USER32(00000010,00000000,00000000,?,?), ref: 00456363
Part of subcall function 00456278: IntersectClipRect.GDI32(?,00000000,00000000,00000010,?), ref: 004563D3
Part of subcall function 00456278: SetRect.USER32(?,00000000,00000000,?,?), ref: 004563F4
Part of subcall function 00456278: DrawEdge.USER32(?,?,00000000,00000000), ref: 00456403
Part of subcall function 00456278: IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0045642C

RestoreDC.GDI32(?,?), ref: 004564AB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044155C, Relevance: 15.1, APIs: 10, Instructions: 74 Total matches: 3192window

Similarity

Total matches: 3192
API ID: DeleteMenu$EnableMenuItem$GetSystemMenu
String ID:
API String ID: 3542995237-0
Opcode ID: 6b257927fe0fdeada418aad578b82fbca612965c587f2749ccb5523ad42afade
Instruction ID: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578
Opcode Fuzzy Hash: 0AF0D09DD98F1151E6F500410C47B83C08AFF413C5C245B380583217EFA9D25A5BEB0E
Instruction Fuzzy Hash: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 004415A7
DeleteMenu.USER32(00000000,0000F130,00000000), ref: 004415C5
DeleteMenu.USER32(00000000,00000007,00000400), ref: 004415D2
DeleteMenu.USER32(00000000,00000005,00000400), ref: 004415DF
DeleteMenu.USER32(00000000,0000F030,00000000), ref: 004415EC
DeleteMenu.USER32(00000000,0000F020,00000000), ref: 004415F9
DeleteMenu.USER32(00000000,0000F000,00000000), ref: 00441606
DeleteMenu.USER32(00000000,0000F120,00000000), ref: 00441613
EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 00441631
EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 0044164D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040281E, Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 188 Total matches: 190window

Similarity

Total matches: 190
API ID: MessageBox
String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
API String ID: 1250089747-980038931
Opcode ID: 1669ecd234b97cdbd14c3df7a35b1e74c6856795be7635a3e0f5130a3d9bc831
Instruction ID: 2e60dbe28dcd1d3aa5670394eea0bc97309ab4bc9661f15f320bab8b5d4cd559
Opcode Fuzzy Hash: 8E21F44B67EED392D3EA1303384575540E3ABC5537D888F60977232BF6EE14140BAA9D
Instruction Fuzzy Hash: 2e60dbe28dcd1d3aa5670394eea0bc97309ab4bc9661f15f320bab8b5d4cd559

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 00402BBE

Strings

An unexpected memory leak has occurred. , xrefs: 00402980
, xrefs: 00402B04
The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402B39
The unexpected small block leaks are:, xrefs: 004029F7
Unexpected Memory Leak, xrefs: 00402BB0
7, xrefs: 00402991
bytes: , xrefs: 00402A4D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004710F0, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 66 Total matches: 37

Similarity

Total matches: 37
API ID: GetWindowShowWindow$FindWindowGetClassName
String ID: BUTTON$Shell_TrayWnd
API String ID: 2948047570-3627955571
Opcode ID: 9e064d9ead1b610c0c1481de5900685eb7d76be14ef2e83358ce558d27e67668
Instruction ID: d360bd029940f6fa4d12d7627fe3e8b46839e67e31e965d43504e39a11938d6c
Opcode Fuzzy Hash: 68E092CC17B5D469B71A2789284236241D5C763A35C18B752D332376DF8E58021EE60A
Instruction Fuzzy Hash: d360bd029940f6fa4d12d7627fe3e8b46839e67e31e965d43504e39a11938d6c

APIs

FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 0047111D
GetWindow.USER32(00000000,00000005), ref: 00471125
GetClassNameA.USER32(00000000,?,00000080), ref: 0047113D
ShowWindow.USER32(00000000,00000001), ref: 0047117C
ShowWindow.USER32(00000000,00000000), ref: 00471186
GetWindow.USER32(00000000,00000002), ref: 0047118E

Strings

BUTTON, xrefs: 00471168
Shell_TrayWnd, xrefs: 00471118

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004564D0, Relevance: 13.7, APIs: 9, Instructions: 177 Total matches: 190window

Similarity

Total matches: 190
API ID: SelectObject$BeginPaintBitBltCreateCompatibleBitmapCreateCompatibleDCSetWindowOrgEx
String ID:
API String ID: 1616898104-0
Opcode ID: 00b711a092303d63a394b0039c66d91bff64c6bf82b839551a80748cfcb5bf1e
Instruction ID: 1affb125a654ca7596d0e4f6c4811def945eff925a29ebecd1c68cf0f38a7913
Opcode Fuzzy Hash: 14115B85024DA637E8739CC85E83F962294F307D48C91F7729BA31B2C72F15600DD293
Instruction Fuzzy Hash: 1affb125a654ca7596d0e4f6c4811def945eff925a29ebecd1c68cf0f38a7913

APIs

Part of subcall function 00455D50: BeginPaint.USER32(00000000,?), ref: 00455D7B
Part of subcall function 00455D50: SaveDC.GDI32(00000000), ref: 00455DB4
Part of subcall function 00455D50: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 00455E36
Part of subcall function 00455D50: RestoreDC.GDI32(00000000,00000000), ref: 00455E6C
Part of subcall function 00455D50: EndPaint.USER32(00000000,?), ref: 00455EA9

BeginPaint.USER32(00000000,?), ref: 004565EA
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00456600
CreateCompatibleDC.GDI32(00000000), ref: 00456617
SelectObject.GDI32(?,?), ref: 00456627
SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0045664B

Part of subcall function 004564D0: BeginPaint.USER32(00000000,?), ref: 0045653C
Part of subcall function 004564D0: EndPaint.USER32(00000000,?), ref: 004565D0

BitBlt.GDI32(00000000,?,?,?,?,?,?,?,00CC0020), ref: 00456699
SelectObject.GDI32(?,?), ref: 004566B3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004840D8, Relevance: 13.6, APIs: 9, Instructions: 150 Total matches: 30

Similarity

Total matches: 30
API ID: CloseHandleGetTokenInformationLookupAccountSid$GetLastErrorOpenProcessOpenProcessToken
String ID:
API String ID: 1387212650-0
Opcode ID: 55fc45e655e8bcad6bc41288bae252f5ee7be0b7cb976adfe173a6785b05be5f
Instruction ID: 4c6b5abeafcca947752a893948ed48d42e020b1fe5683f4a654fc51f6199c0a3
Opcode Fuzzy Hash: 3901484A17CA2293F53BB5C82483FEA1215E702B45D48B7A354F43A59A5F45A13BF702
Instruction Fuzzy Hash: 4c6b5abeafcca947752a893948ed48d42e020b1fe5683f4a654fc51f6199c0a3

APIs

OpenProcess.KERNEL32(00000400,00000000,?,00000000,00484275), ref: 00484108
OpenProcessToken.ADVAPI32(00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 0048411E
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,?,00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 00484139
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),?,?,?,?,TokenIntegrityLevel,00000000,00000000,?,00000000,00000008,?,00000400,00000000), ref: 00484168
GetLastError.KERNEL32(?,TokenIntegrityLevel,00000000,00000000,?,00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 00484177
CloseHandle.KERNEL32(?), ref: 00484185
LookupAccountSidA.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 004841B4
LookupAccountSidA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,?), ref: 00484205
CloseHandle.KERNEL32(00000000), ref: 00484255

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00451458, Relevance: 13.6, APIs: 9, Instructions: 122 Total matches: 3040window

Similarity

Total matches: 3040
API ID: PatBlt$SelectObject$GetDCExGetDesktopWindowReleaseDC
String ID:
API String ID: 2402848322-0
Opcode ID: 0b1cd19b0e82695ca21d43bacf455c9985e1afa33c1b29ce2f3a7090b744ccb2
Instruction ID: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593
Opcode Fuzzy Hash: C2F0B4482AADF707C8B6350915C7F79224AED736458F4BB694DB4172CBAF27B014D093
Instruction Fuzzy Hash: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593

APIs

GetDesktopWindow.USER32 ref: 0045148F
GetDCEx.USER32(?,00000000,00000402), ref: 004514A2

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

SelectObject.GDI32(?,00000000), ref: 004514C5
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 004514EB
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0045150D
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 0045152C
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 00451546
SelectObject.GDI32(?,?), ref: 00451553
ReleaseDC.USER32(?,?), ref: 0045156D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004117E8, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: f440f800a6dcfa6827f62dcd7c23166eba4d720ac19948e634cff8498f9e3f0b
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 4D113503239AAB83B0257B804C83F24D1D0DE42D36ACD97B8C672693F32601561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00411881
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041189D
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 004118D6
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411953
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0041196C
VariantCopy.OLEAUT32(?), ref: 004119A1

Strings

, xrefs: 00411802

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AC14, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 110 Total matches: 30

Similarity

Total matches: 30
API ID: GetCurrentProcessGetTokenInformationLookupPrivilegeDisplayNameLookupPrivilegeNameOpenProcessToken
String ID: GetTokenInformation error$OpenProcessToken error
API String ID: 34442935-1842041635
Opcode ID: 07715b92dc7caf9e715539a578f275bcd2bb60a34190f84cc6cf05c55eb8ea49
Instruction ID: 380ab001647c8b3903b6034fc21424389ae21c1771cfbd9cf9b74ae493e33b6b
Opcode Fuzzy Hash: 9101994303ACF753F62929086842BDA0550DF534A5EC4AB6281746BEC90F28203AFB57
Instruction Fuzzy Hash: 380ab001647c8b3903b6034fc21424389ae21c1771cfbd9cf9b74ae493e33b6b

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AD60), ref: 0048AC51
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AD60), ref: 0048AC57
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000320,?,00000000,00000028,?,00000000,0048AD60), ref: 0048AC7D
LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,00000000,000000FF,?), ref: 0048ACEE

Part of subcall function 00489B40: MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00489B84

LookupPrivilegeNameA.ADVAPI32(00000000,?,00000000,000000FF), ref: 0048ACDD

Strings

GetTokenInformation error, xrefs: 0048AC86
OpenProcessToken error, xrefs: 0048AC60

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E4A0, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68 Total matches: 2853string

Similarity

Total matches: 2853
API ID: GetSystemMetrics$GetMonitorInfoSystemParametersInfolstrcpy
String ID: DISPLAY$GetMonitorInfo
API String ID: 3432438702-1633989206
Opcode ID: eae47ffeee35c10db4cae29e8a4ab830895bcae59048fb7015cdc7d8cb0a928b
Instruction ID: 74142331967dee0409fd24cf408a58a7466f2520650418456c75ade1e3029da4
Opcode Fuzzy Hash: 28E068803A699081F86A71027110F4912B07AE7E47D883B92C4777051BD78265B91D01
Instruction Fuzzy Hash: 74142331967dee0409fd24cf408a58a7466f2520650418456c75ade1e3029da4

APIs

GetMonitorInfoA.USER32(?,?), ref: 0042E4D1
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042E4F8
GetSystemMetrics.USER32(00000000), ref: 0042E50D
GetSystemMetrics.USER32(00000001), ref: 0042E518
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0042E542

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

DISPLAY, xrefs: 0042E539
GetMonitorInfo, xrefs: 0042E4B8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004052FC, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38 Total matches: 3072filewindow

Similarity

Total matches: 3072
API ID: GetStdHandleWriteFile$MessageBox
String ID: Error$Runtime error at 00000000
API String ID: 877302783-2970929446
Opcode ID: a2f2a555d5de0ed3a3cdfe8a362fd9574088acc3a5edf2b323f2c4251b80d146
Instruction ID: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97
Opcode Fuzzy Hash: FED0A7C68438479FA141326030C4B2A00133F0762A9CC7396366CB51DFCF4954BCDD05
Instruction Fuzzy Hash: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405335
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 0040533B
GetStdHandle.KERNEL32(000000F5,00405384,00000002,?,00000000,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405350
WriteFile.KERNEL32(00000000,000000F5,00405384,00000002,?), ref: 00405356
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00405374

Strings

Error, xrefs: 00405368
Runtime error at 00000000, xrefs: 0040532E, 0040536D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E0DC, Relevance: 12.1, APIs: 8, Instructions: 100 Total matches: 31registry

Similarity

Total matches: 31
API ID: RegOpenKeyEx$RegCloseKeyRegDeleteValue
String ID:
API String ID: 2702562355-0
Opcode ID: ff1bffc0fc9da49c543c68ea8f8c068e074332158ed00d7e0855fec77d15ce10
Instruction ID: bb6f8a9e936068d281b70d3ea2ea02ff1a791729bc38357734c580253c916b5c
Opcode Fuzzy Hash: 00F0AD0155E9A353EBF654C41E127DB2082FF43A44D08FFB50392139D3DF581028E663
Instruction Fuzzy Hash: bb6f8a9e936068d281b70d3ea2ea02ff1a791729bc38357734c580253c916b5c

APIs

RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?,00000000,0046E238), ref: 0046E15A
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,000F003F,?,0046E23F,80000000,00000000,00000000,000F003F,?,00000000,0046E238), ref: 0046E17D
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,0046E23F,80000000,00000000,00000000,000F003F,?), ref: 0046E19D
RegOpenKeyExA.ADVAPI32(80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,0046E23F), ref: 0046E1BD
RegOpenKeyExA.ADVAPI32(80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001), ref: 0046E1DD
RegOpenKeyExA.ADVAPI32(80000006,00000000,00000000,000F003F,?,80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002), ref: 0046E1FD
RegDeleteValueA.ADVAPI32(?,00000000,00000000,0046E238), ref: 0046E20F
RegCloseKey.ADVAPI32(?,?,00000000,00000000,0046E238), ref: 0046E218

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004462F4, Relevance: 12.1, APIs: 8, Instructions: 99 Total matches: 293windowthread

Similarity

Total matches: 293
API ID: SendMessage$GetWindowThreadProcessId$GetCaptureGetParentIsWindowUnicode
String ID:
API String ID: 2317708721-0
Opcode ID: 8f6741418f060f953fc426fb00df5905d81b57fcb2f7a38cdc97cb0aab6d7365
Instruction ID: 027f2b09132ef415e1641618d15c0fc03404835376b0cbd1c352fc703b58c8b5
Opcode Fuzzy Hash: D0F09E15071D1844F89FA7844CD3F1F0150E73726FC516A251861D07BB2640586DEC40
Instruction Fuzzy Hash: 027f2b09132ef415e1641618d15c0fc03404835376b0cbd1c352fc703b58c8b5

APIs

GetCapture.USER32 ref: 0044631A
GetParent.USER32(00000000), ref: 00446340
IsWindowUnicode.USER32(00000000), ref: 0044635D
SendMessageW.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446378
SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446397
GetWindowThreadProcessId.USER32(00000000), ref: 004463A6
GetWindowThreadProcessId.USER32(?,?), ref: 004463B4
SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 004463D4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E244, Relevance: 12.1, APIs: 8, Instructions: 95 Total matches: 27registry

Similarity

Total matches: 27
API ID: RegOpenKeyEx$RegCloseKeyRegDeleteKey
String ID:
API String ID: 1588268847-0
Opcode ID: efa1fa3a126963e045954320cca245066a4b5764b694b03be027155e6cf74c33
Instruction ID: 786d86d630c0ce6decb55c8266b1f23f89dbfeab872e22862efc69a80fb541cf
Opcode Fuzzy Hash: 70F0810454D99393EFF268C81A627EB2492FF53141C00BFB603D222A93DF191428E663
Instruction Fuzzy Hash: 786d86d630c0ce6decb55c8266b1f23f89dbfeab872e22862efc69a80fb541cf

APIs

RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?,00000000,0046E391), ref: 0046E2B7
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,000F003F,?,80000000,00000000,00000000,000F003F,?,00000000,0046E391), ref: 0046E2DA
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,80000000,00000000,00000000,000F003F,?,00000000), ref: 0046E2FA
RegOpenKeyExA.ADVAPI32(80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,80000000), ref: 0046E31A
RegOpenKeyExA.ADVAPI32(80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001), ref: 0046E33A
RegOpenKeyExA.ADVAPI32(80000006,00000000,00000000,000F003F,?,80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002), ref: 0046E35A
RegDeleteKeyA.ADVAPI32(?,0046E39C), ref: 0046E368
RegCloseKey.ADVAPI32(?,?,0046E39C,00000000,0046E391), ref: 0046E371

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426060, Relevance: 12.1, APIs: 8, Instructions: 79 Total matches: 3072window

Similarity

Total matches: 3072
API ID: GetSystemPaletteEntries$GetDCGetDeviceCapsReleaseDC
String ID:
API String ID: 3774187343-0
Opcode ID: c8a1f0028bda89d06ba34fecd970438ce26e4f5bd606e2da3d468695089984a8
Instruction ID: 0cfe958825060108f21fe327ec74807f3ea840bb8274bad68fd1d00675d59d02
Opcode Fuzzy Hash: 82F0E9420739F3B3B21723492453B548250FF006B8F195B7095A2A37D54B486A08D65A
Instruction Fuzzy Hash: 0cfe958825060108f21fe327ec74807f3ea840bb8274bad68fd1d00675d59d02

APIs

GetDC.USER32(00000000), ref: 0042608E
GetDeviceCaps.GDI32(?,00000068), ref: 004260AA
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 004260C9
GetSystemPaletteEntries.GDI32(?,-00000008,00000001,00C0C0C0), ref: 004260ED
GetSystemPaletteEntries.GDI32(?,00000000,00000007,?), ref: 0042610B
GetSystemPaletteEntries.GDI32(?,00000007,00000001,?), ref: 0042611F
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0042613F
ReleaseDC.USER32(00000000,?), ref: 00426157

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434550, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 177 Total matches: 2669window

Similarity

Total matches: 2669
API ID: InsertMenu$GetVersionInsertMenuItem
String ID: ,$?
API String ID: 1158528009-2308483597
Opcode ID: 3691d3eb49acf7fe282d18733ae3af9147e5be4a4a7370c263688d5644077239
Instruction ID: d88e58a9695d0ecde36b26a9ed5775f3b98e27f7dc2108173ae1ec2afbf22209
Opcode Fuzzy Hash: 7021C07202AE81DBD414788C7954F6221B16B5465FD49FF210329B5DD98F156003FF7A
Instruction Fuzzy Hash: d88e58a9695d0ecde36b26a9ed5775f3b98e27f7dc2108173ae1ec2afbf22209

APIs

GetVersion.KERNEL32(00000000,004347A1), ref: 004345EC
InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 004346F5
InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 0043477E

Part of subcall function 00434A54: CreatePopupMenu.USER32 ref: 00434A6F
Part of subcall function 00434A54: CreateMenu.USER32 ref: 00434A79

InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 00434765

Strings

?, xrefs: 00434607
,, xrefs: 00434600

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446524, Relevance: 10.6, APIs: 7, Instructions: 105 Total matches: 329window

Similarity

Total matches: 329
API ID: PeekMessage$DispatchMessage$IsWindowUnicodeTranslateMessage
String ID:
API String ID: 94033680-0
Opcode ID: 72d0e2097018c2d171db36cd9dd5c7d628984fd68ad100676ade8b40d7967d7f
Instruction ID: b3581f7210794b57d406096c46509e1a6dcc6e0b3c60c7d01b5c3c410123a072
Opcode Fuzzy Hash: A2F0F642161A8221F90E364651E2FC06559E31F39CCD1D3871165A4192DF8573D6F95C
Instruction Fuzzy Hash: b3581f7210794b57d406096c46509e1a6dcc6e0b3c60c7d01b5c3c410123a072

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00446538
IsWindowUnicode.USER32 ref: 0044654C
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0044656D
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00446583

Part of subcall function 00447DD0: GetCapture.USER32 ref: 00447DDA
Part of subcall function 00447DD0: GetParent.USER32(00000000), ref: 00447E08

Part of subcall function 004462A4: TranslateMDISysAccel.USER32(?), ref: 004462E3

Part of subcall function 004462F4: GetCapture.USER32 ref: 0044631A
Part of subcall function 004462F4: GetParent.USER32(00000000), ref: 00446340
Part of subcall function 004462F4: IsWindowUnicode.USER32(00000000), ref: 0044635D
Part of subcall function 004462F4: SendMessageW.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446378
Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446397
Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(00000000), ref: 004463A6
Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(?,?), ref: 004463B4
Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 004463D4

Part of subcall function 0044625C: IsWindowUnicode.USER32(00000000), ref: 00446270
Part of subcall function 0044625C: IsDialogMessageW.USER32(?), ref: 00446281
Part of subcall function 0044625C: IsDialogMessageA.USER32(?,?,00000000,015B8130,00000001,00446607,?,00000000,00000000,00000000,00000001,?,00000000,00000000,00000000,00000000), ref: 00446296

TranslateMessage.USER32 ref: 0044660C
DispatchMessageW.USER32 ref: 00446618
DispatchMessageA.USER32 ref: 00446620

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004282D0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99 Total matches: 1938

Similarity

Total matches: 1938
API ID: GetWinMetaFileBitsMulDiv$GetDC
String ID: `
API String ID: 1171737091-2679148245
Opcode ID: 97e0afb71fd3017264d25721d611b96d1ac3823582e31f119ebb41a52f378edb
Instruction ID: fd1c75cb27f8ccc4a85bc281ca680933f7ff10ae91a160973978cac80d6b42b6
Opcode Fuzzy Hash: B6F0ACC4008CD2A7D87675DC1043F6311C897CA286E89BB739226A7307CB0AA019EC47
Instruction Fuzzy Hash: fd1c75cb27f8ccc4a85bc281ca680933f7ff10ae91a160973978cac80d6b42b6

APIs

MulDiv.KERNEL32(?,?,000009EC), ref: 00428322
MulDiv.KERNEL32(?,?,000009EC), ref: 00428339
GetDC.USER32(00000000), ref: 00428350
GetWinMetaFileBits.GDI32(?,00000000,00000000,00000008,?), ref: 00428374
GetWinMetaFileBits.GDI32(?,?,?,00000008,?), ref: 004283A7

Part of subcall function 00425A70: GetLastError.KERNEL32(00000000,00425B0C), ref: 00425A90
Part of subcall function 00425A70: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00425B0C), ref: 00425AB6

Strings

`, xrefs: 00428308

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444344, Relevance: 10.6, APIs: 7, Instructions: 89 Total matches: 2886

Similarity

Total matches: 2886
API ID: CreateFontIndirect$GetStockObjectSystemParametersInfo
String ID:
API String ID: 1286667049-0
Opcode ID: beeb678630a8d2ca0f721ed15124802961745e4c56d7c704ecddf8ebfa723626
Instruction ID: b9276e4cea0afd1028da4d528d34847b13dbaab52dc8e94e54053a20ac38a9fc
Opcode Fuzzy Hash: 00F0A4C36341F6F2D8993208742172161E6A74AE78C7CFF62422930ED2661A052EEB4F
Instruction Fuzzy Hash: b9276e4cea0afd1028da4d528d34847b13dbaab52dc8e94e54053a20ac38a9fc

APIs

SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 00444399
CreateFontIndirectA.GDI32(?), ref: 004443A6
GetStockObject.GDI32(0000000D), ref: 004443BC
SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 004443E5
CreateFontIndirectA.GDI32(?), ref: 004443F5
CreateFontIndirectA.GDI32(?), ref: 0044440E

Part of subcall function 00424A5C: MulDiv.KERNEL32(00000000,?,00000048), ref: 00424A69

GetStockObject.GDI32(0000000D), ref: 00444434

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428A00, Relevance: 10.6, APIs: 7, Instructions: 66 Total matches: 3056

Similarity

Total matches: 3056
API ID: SelectObject$CreateCompatibleDCDeleteDCGetDCReleaseDCSetDIBColorTable
String ID:
API String ID: 2399757882-0
Opcode ID: e05996493a4a7703f1d90fd319a439bf5e8e75d5a5d7afaf7582bfea387cb30d
Instruction ID: 90c847b5b2251fbb5b2f14fd0b24f537c214c92e226752d9278a3821f2f40b8f
Opcode Fuzzy Hash: 73E0DF8626D8F38BE435399C15C2BB202EAD763D20D1ABBA1CD712B5DB6B09701CE107
Instruction Fuzzy Hash: 90c847b5b2251fbb5b2f14fd0b24f537c214c92e226752d9278a3821f2f40b8f

APIs

Part of subcall function 004262B4: GetObjectA.GDI32(?,00000004), ref: 004262CB
Part of subcall function 004262B4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 004262EE

GetDC.USER32(00000000), ref: 00428A3E
CreateCompatibleDC.GDI32(?), ref: 00428A4A
SelectObject.GDI32(?), ref: 00428A57
SetDIBColorTable.GDI32(?,00000000,00000000,?), ref: 00428A7B
SelectObject.GDI32(?,?), ref: 00428A95
DeleteDC.GDI32(?), ref: 00428A9E
ReleaseDC.USER32(00000000,?), ref: 00428AA9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004442A8, Relevance: 10.6, APIs: 7, Instructions: 57 Total matches: 3149threadwindow

Similarity

Total matches: 3149
API ID: SendMessage$GetCurrentThreadIdGetCursorPosGetWindowThreadProcessIdSetCursorWindowFromPoint
String ID:
API String ID: 3843227220-0
Opcode ID: 636f8612f18a75fc2fe2d79306f1978e6c2d0ee500cce15a656835efa53532b4
Instruction ID: 91a0691e93be75cbd792bc1c5d11451005bcc187603754b99125f381020161aa
Opcode Fuzzy Hash: 6FE07D44093723D5C0644A295640705A6C6CB96630DC0DB86C339580FBAD0214F0BC92
Instruction Fuzzy Hash: 91a0691e93be75cbd792bc1c5d11451005bcc187603754b99125f381020161aa

APIs

GetCursorPos.USER32 ref: 004442C3
WindowFromPoint.USER32(?,?), ref: 004442D0
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004442DE
GetCurrentThreadId.KERNEL32(00000000,00000000,?,?), ref: 004442E5
SendMessageA.USER32(00000000,00000084,00000000,?), ref: 0044430E
SendMessageA.USER32(00000000,00000020,00000000,?), ref: 00444320
SetCursor.USER32(00000000), ref: 00444332

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00404448, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 49 Total matches: 63registry

Similarity

Total matches: 63
API ID: RegCloseKeyRegOpenKeyExRegQueryValueEx
String ID: &$FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 2249749755-409351
Opcode ID: ab90adbf7b939076b4d26ef1005f34fa32d43ca05e29cbeea890055cc8b783db
Instruction ID: ce62e3bb234767a160e82b0d7d36def6f0e4d1aa0fd43ed305e6d49589b0b3e0
Opcode Fuzzy Hash: 58D02BE10C9A675FB6B071543292B6310A3F72AA8CC0077326DD03A0D64FD26178CF03
Instruction Fuzzy Hash: ce62e3bb234767a160e82b0d7d36def6f0e4d1aa0fd43ed305e6d49589b0b3e0

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040446A
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,&,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040449D
RegCloseKey.ADVAPI32(?,004044C0,00000000,?,00000004,00000000,&,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004044B3

Strings

&, xrefs: 00404476
FPUMaskValue, xrefs: 00404494
SOFTWARE\Borland\Delphi\RTL, xrefs: 00404460

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043EC18, Relevance: 9.2, APIs: 6, Instructions: 150 Total matches: 2896

Similarity

Total matches: 2896
API ID: FillRect$BeginPaintEndPaintGetClientRectGetWindowRect
String ID:
API String ID: 2931688664-0
Opcode ID: 677a90f33c4a0bae1c1c90245e54b31fe376033ebf9183cf3cf5f44c7b342276
Instruction ID: 65c0a0a89661e183b73f48e61e48bee5eb6d6399339ac08e0e21072a38132552
Opcode Fuzzy Hash: 9711994A819E5007F47B49C40887BEA1092FBC1FDBCC8FF7025A426BCB0B60564F860B
Instruction Fuzzy Hash: 65c0a0a89661e183b73f48e61e48bee5eb6d6399339ac08e0e21072a38132552

APIs

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?), ref: 0043EC91
GetClientRect.USER32(00000000,?), ref: 0043ECBC
FillRect.USER32(?,?,00000000), ref: 0043ECDB

Part of subcall function 0043EB8C: CallWindowProcA.USER32(?,?,?,?,?), ref: 0043EBC6

Part of subcall function 0043B78C: GetWindowLongA.USER32(?,000000EC), ref: 0043B799
Part of subcall function 0043B78C: SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B7BC
Part of subcall function 0043B78C: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043B7CE

BeginPaint.USER32(?,?), ref: 0043ED53
GetWindowRect.USER32(?,?), ref: 0043ED80

Part of subcall function 0044EEA0: GetWindowOrgEx.GDI32(?), ref: 0044EEAE
Part of subcall function 0044EEA0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044EEC4

Part of subcall function 00455D50: BeginPaint.USER32(00000000,?), ref: 00455D7B
Part of subcall function 00455D50: SaveDC.GDI32(00000000), ref: 00455DB4
Part of subcall function 00455D50: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 00455E36
Part of subcall function 00455D50: RestoreDC.GDI32(00000000,00000000), ref: 00455E6C
Part of subcall function 00455D50: EndPaint.USER32(00000000,?), ref: 00455EA9

EndPaint.USER32(?,?), ref: 0043EDE0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00441160, Relevance: 9.1, APIs: 6, Instructions: 125 Total matches: 196

Similarity

Total matches: 196
API ID: ExcludeClipRectFillRectGetStockObjectRestoreDCSaveDCSetBkColor
String ID:
API String ID: 3049133588-0
Opcode ID: d6019f6cee828ac7391376ab126a0af33bb7a71103bbd3b8d69450c96d22d854
Instruction ID: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c
Opcode Fuzzy Hash: 54012444004F6253F4AB098428E7FA56083F721791CE4FF310786616C34A74615BAA07
Instruction Fuzzy Hash: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c

APIs

Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE

SaveDC.GDI32(?), ref: 004411AD
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00441234
GetStockObject.GDI32(00000004), ref: 00441256
FillRect.USER32(00000000,?,00000000), ref: 0044126F

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(00000000,00000000), ref: 004412BA

Part of subcall function 0042535C: FillRect.USER32(?,00000000,00000000), ref: 00425385

RestoreDC.GDI32(00000000,?), ref: 004412E5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426564, Relevance: 9.1, APIs: 6, Instructions: 84 Total matches: 3298

Similarity

Total matches: 3298
API ID: GetDeviceCapsGetSystemMetrics$GetDCReleaseDC
String ID:
API String ID: 3173458388-0
Opcode ID: fd9f4716da230ae71bf1f4ec74ceb596be8590d72bfe1d7677825fa15454f496
Instruction ID: 76208f8db54bfa31a4e946745ab37a866a8afca9cd7e1400b1f436bf5add317d
Opcode Fuzzy Hash: 0CF09E4906CDE0A230E245C41213F6290C28E85DA1CCD2F728175646EB900A900BB68A
Instruction Fuzzy Hash: 76208f8db54bfa31a4e946745ab37a866a8afca9cd7e1400b1f436bf5add317d

APIs

GetSystemMetrics.USER32(0000000B), ref: 004265B2
GetSystemMetrics.USER32(0000000C), ref: 004265BE
GetDC.USER32(00000000), ref: 004265DA
GetDeviceCaps.GDI32(00000000,0000000E), ref: 00426601
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042660E
ReleaseDC.USER32(00000000,00000000), ref: 00426647

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004269DC, Relevance: 9.1, APIs: 6, Instructions: 65 Total matches: 3081window

Similarity

Total matches: 3081
API ID: SelectPalette$CreateCompatibleDCDeleteDCGetDIBitsRealizePalette
String ID:
API String ID: 940258532-0
Opcode ID: c5678bed85b02f593c88b8d4df2de58c18800a354d7fb4845608846d7bc0f30b
Instruction ID: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194
Opcode Fuzzy Hash: BCE0864D058EF36F1875B08C25D267100C0C9A25D0917BB6151282339B8F09B42FE553
Instruction Fuzzy Hash: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194

APIs

Part of subcall function 00426888: GetObjectA.GDI32(?,00000054), ref: 0042689C

CreateCompatibleDC.GDI32(00000000), ref: 004269FE
SelectPalette.GDI32(?,?,00000000), ref: 00426A1F
RealizePalette.GDI32(?), ref: 00426A2B
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 00426A42
SelectPalette.GDI32(?,00000000,00000000), ref: 00426A6A
DeleteDC.GDI32(?), ref: 00426A73

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426210, Relevance: 9.1, APIs: 6, Instructions: 56 Total matches: 3064window

Similarity

Total matches: 3064
API ID: SelectObject$CreateCompatibleDCCreatePaletteDeleteDCGetDIBColorTable
String ID:
API String ID: 2522673167-0
Opcode ID: 8f0861977a40d6dd0df59c1c8ae10ba78c97ad85d117a83679491ebdeecf1838
Instruction ID: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265
Opcode Fuzzy Hash: 23E0CD8BABB4E08A797B9EA40440641D28F874312DF4347525731780E7DE0972EBFD9D
Instruction Fuzzy Hash: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265

APIs

CreateCompatibleDC.GDI32(00000000), ref: 00426229
SelectObject.GDI32(00000000,00000000), ref: 00426232
GetDIBColorTable.GDI32(00000000,00000000,00000100,?), ref: 00426246
SelectObject.GDI32(00000000,00000000), ref: 00426252
DeleteDC.GDI32(00000000), ref: 00426258
CreatePalette.GDI32 ref: 0042629F

Part of subcall function 00426178: GetDC.USER32(00000000), ref: 00426190
Part of subcall function 00426178: GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
Part of subcall function 00426178: ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004258EC, Relevance: 9.0, APIs: 6, Instructions: 43 Total matches: 3205

Similarity

Total matches: 3205
API ID: SetBkColorSetBkMode$SelectObjectUnrealizeObject
String ID:
API String ID: 865388446-0
Opcode ID: ffaa839b37925f52af571f244b4bcc9ec6d09047a190f4aa6a6dd435522a71e3
Instruction ID: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d
Opcode Fuzzy Hash: 04D09E594221F71A98E8058442D7D520586497D532DAF3B51063B173F7F8089A05D9FC
Instruction Fuzzy Hash: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d

APIs

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

UnrealizeObject.GDI32(00000000), ref: 004258F8
SelectObject.GDI32(?,00000000), ref: 0042590A
SetBkColor.GDI32(?,00000000), ref: 0042592D
SetBkMode.GDI32(?,00000002), ref: 00425938

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(?,00000000), ref: 00425953
SetBkMode.GDI32(?,00000001), ref: 0042595E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042A930, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 112 Total matches: 272window

Similarity

Total matches: 272
API ID: CreateHalftonePaletteDeleteObjectGetDCReleaseDC
String ID: (
API String ID: 5888407-3887548279
Opcode ID: 4e22601666aff46a46581565b5bf303763a07c2fd17868808ec6dd327d665c82
Instruction ID: f57f3c124764741b0e8e00b5455ad9be4a6e3969f543885727e4b1f2e22c0620
Opcode Fuzzy Hash: 79019E5241CC6117F8D7A6547852F732644AB806A5C80FB707B69BA8CFAB85610EB90B
Instruction Fuzzy Hash: f57f3c124764741b0e8e00b5455ad9be4a6e3969f543885727e4b1f2e22c0620

APIs

GetDC.USER32(00000000), ref: 0042A9EC
CreateHalftonePalette.GDI32(00000000), ref: 0042A9F9
ReleaseDC.USER32(00000000,00000000), ref: 0042AA08
DeleteObject.GDI32(00000000), ref: 0042AA76

Strings

(, xrefs: 0042A9A3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DA48, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 102 Total matches: 32

Similarity

Total matches: 32
API ID: Netbios
String ID: %.2x-%.2x-%.2x-%.2x-%.2x-%.2x$3$memory allocation failed!
API String ID: 544444789-2654533857
Opcode ID: 22deb5ba4c8dd5858e69645675ac88c4b744798eed5cc2a6ae80ae5365d1f156
Instruction ID: 205d53b38d78d2d0723284a20418f6a6cc2e9f6e34ee92e133a3f4b1a01c78c5
Opcode Fuzzy Hash: FC0145449793E233D2635E086C60F6823228F41731FC96B56863A557DC1F09420EF26F
Instruction Fuzzy Hash: 205d53b38d78d2d0723284a20418f6a6cc2e9f6e34ee92e133a3f4b1a01c78c5

APIs

Netbios.NETAPI32(00000032), ref: 0048DA8A
Netbios.NETAPI32(00000033), ref: 0048DB01

Strings

3, xrefs: 0048DACB
memory allocation failed!, xrefs: 0048DAEB
%.2x-%.2x-%.2x-%.2x-%.2x-%.2x, xrefs: 0048DBA0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482320, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85 Total matches: 19threadsleep

Similarity

Total matches: 19
API ID: CreateThreadExitThreadSleep
String ID: @$BTRESULTUDP Flood|UDP Flood task finished!|
API String ID: 2170526433-696998096
Opcode ID: 89b2bcb3a41e7f4c01433908cc75e320bbcd6b665df0f15f136d145bd92b223a
Instruction ID: ba785c08286949be7b8d16e5cc6bc2a647116c61844ba5f345475ef84eb05628
Opcode Fuzzy Hash: F0F02B696BCAA1DFE8075C446C42B9B2054DBC740EDCBA7B2261B235819A4A34073F13
Instruction Fuzzy Hash: ba785c08286949be7b8d16e5cc6bc2a647116c61844ba5f345475ef84eb05628

APIs

Sleep.KERNEL32(00000064,?,00000000,00482455), ref: 004823D3
CreateThread.KERNEL32(00000000,00000000,Function_000821A0,00000000,00000000,?), ref: 004823E8

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000,00000000,00000000,Function_000821A0,00000000,00000000,?,00000064,?,00000000,00482455), ref: 0048242B

Strings

@, xrefs: 004823BE
BTRESULTUDP Flood|UDP Flood task finished!|, xrefs: 00482417

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004827C4, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85 Total matches: 19threadsleep

Similarity

Total matches: 19
API ID: CreateThreadExitThreadSleep
String ID: @$BTRESULTSyn Flood|Syn task finished!|
API String ID: 2170526433-491318438
Opcode ID: 44470ceb4039b0deeebf49dfd608d8deeadfb9ebb9d7d747ae665e3d160d324e
Instruction ID: 0c48cfc9b202c7a9406c9b87cea66b669ffe7f04b2bdabee49179f6eebcccd33
Opcode Fuzzy Hash: 17F02B24A7D9B5DFEC075D402D42BDB6254EBC784EDCAA7B29257234819E1A30037713
Instruction Fuzzy Hash: 0c48cfc9b202c7a9406c9b87cea66b669ffe7f04b2bdabee49179f6eebcccd33

APIs

Sleep.KERNEL32(00000064,?,00000000,004828F9), ref: 00482877
CreateThread.KERNEL32(00000000,00000000,Function_00082630,00000000,00000000,?), ref: 0048288C

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000,00000000,00000000,Function_00082630,00000000,00000000,?,00000064,?,00000000,004828F9), ref: 004828CF

Strings

BTRESULTSyn Flood|Syn task finished!|, xrefs: 004828BB
@, xrefs: 00482862

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00483858, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85 Total matches: 19threadsleep

Similarity

Total matches: 19
API ID: CreateThreadExitThreadSleep
String ID: @$BTRESULTHTTP Flood|Http Flood task finished!|
API String ID: 2170526433-4253556105
Opcode ID: ce1973b24f73c03e98cc87b7d8b3c5c1d23a0e8b985775cb0889d2fdef58f970
Instruction ID: 21c0fad9eccbf28bfd57fbbbc49df069a42e3d2ebba60de991032031fecca495
Opcode Fuzzy Hash: 5DF0F61467DBA0AFEC476D403852FDB6254DBC344EDCAA7B2961B234919A0B50072752
Instruction Fuzzy Hash: 21c0fad9eccbf28bfd57fbbbc49df069a42e3d2ebba60de991032031fecca495

APIs

Sleep.KERNEL32(00000064,?,00000000,0048398D), ref: 0048390B
CreateThread.KERNEL32(00000000,00000000,Function_000836D8,00000000,00000000,?), ref: 00483920

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000,00000000,00000000,Function_000836D8,00000000,00000000,?,00000064,?,00000000,0048398D), ref: 00483963

Strings

@, xrefs: 004838F6
BTRESULTHTTP Flood|Http Flood task finished!|, xrefs: 0048394F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EA7C, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50 Total matches: 198thread

Similarity

Total matches: 198
API ID: FindWindowExGetCurrentThreadIdGetWindowThreadProcessIdIsWindow
String ID: OleMainThreadWndClass
API String ID: 201132107-3883841218
Opcode ID: cdbacb71e4e8a6832b821703e69153792bbbb8731c9381be4d3b148a6057b293
Instruction ID: 62358f18f5a79d764869bf2b093b0b3ccaeb62bda00a46bd1094c38cdaeeb6b7
Opcode Fuzzy Hash: F8E08C9266CC1095C039EA1C7A2237A3548B7D24E9ED4DB747BEB2716CEF00022A7780
Instruction Fuzzy Hash: 62358f18f5a79d764869bf2b093b0b3ccaeb62bda00a46bd1094c38cdaeeb6b7

APIs

Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00000000,00403029), ref: 004076AD
Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00403029), ref: 004076BE

IsWindow.USER32(?), ref: 0042EA99
FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
GetCurrentThreadId.KERNEL32(?,00000000,00000000,00000000,OleMainThreadWndClass,00000000,?,?,00000000,0042EB52), ref: 0042EB0A

Strings

OleMainThreadWndClass, xrefs: 0042EAC3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434AE4, Relevance: 7.7, APIs: 5, Instructions: 168 Total matches: 2874

Similarity

Total matches: 2874
API ID: DrawTextOffsetRect$DrawEdge
String ID:
API String ID: 1230182654-0
Opcode ID: 4033270dfa35f51a11e18255a4f5fd5a4a02456381e8fcea90fa62f052767fcc
Instruction ID: 6b9e5ef3b45a4a7d0cb501c9f56a29ead01efbe1e1581f942ef4c6a165ab8663
Opcode Fuzzy Hash: A511CB01114D5A93E431240815A7FEF1295FBC1A9BCD4BB71078636DBB2F481017EA7B
Instruction Fuzzy Hash: 6b9e5ef3b45a4a7d0cb501c9f56a29ead01efbe1e1581f942ef4c6a165ab8663

APIs

DrawEdge.USER32(00000000,?,00000006,00000002), ref: 00434BB3
OffsetRect.USER32(?,00000001,00000001), ref: 00434C04
DrawTextA.USER32(00000000,00000000,?,?,?), ref: 00434C3D
OffsetRect.USER32(?,000000FF,000000FF), ref: 00434C4A

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

DrawTextA.USER32(00000000,00000000,?,?,?), ref: 00434CB5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004455EC, Relevance: 7.6, APIs: 5, Instructions: 109 Total matches: 230

Similarity

Total matches: 230
API ID: ShowOwnedPopupsShowWindow$EnumWindows
String ID:
API String ID: 1268429734-0
Opcode ID: 27bb45b2951756069d4f131311b8216febb656800ffc3f7147a02f570a82fa35
Instruction ID: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc
Opcode Fuzzy Hash: 70012B5524E87325E2756D54B01C765A2239B0FF08CE6C6654AAE640F75E1E0132F78D
Instruction Fuzzy Hash: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc

APIs

EnumWindows.USER32(00445518,00000000), ref: 00445620
ShowWindow.USER32(?,00000000), ref: 00445655
ShowOwnedPopups.USER32(00000000,?), ref: 00445684
ShowWindow.USER32(?,00000005), ref: 004456EA
ShowOwnedPopups.USER32(00000000,?), ref: 00445719

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EB3C, Relevance: 7.6, APIs: 5, Instructions: 86 Total matches: 211window

Similarity

Total matches: 211
API ID: DispatchMessageMsgWaitForMultipleObjectsExPeekMessageTranslateMessageWaitForMultipleObjectsEx
String ID:
API String ID: 1615661765-0
Opcode ID: ed928f70f25773e24e868fbc7ee7d77a1156b106903410d7e84db0537b49759f
Instruction ID: 55a40452e6c929106030349fb2bc1598364ce2fc4e781c2a916e8f687fa462b2
Opcode Fuzzy Hash: DDF05C09614F1D16D8BB88644562B1B2144AB42397C26BFA5529EE3B2D6B18B00AF640
Instruction Fuzzy Hash: 55a40452e6c929106030349fb2bc1598364ce2fc4e781c2a916e8f687fa462b2

APIs

Part of subcall function 0042EA7C: IsWindow.USER32(?), ref: 0042EA99
Part of subcall function 0042EA7C: FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
Part of subcall function 0042EA7C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
Part of subcall function 0042EA7C: GetCurrentThreadId.KERNEL32(?,00000000,00000000,00000000,OleMainThreadWndClass,00000000,?,?,00000000,0042EB52), ref: 0042EB0A

MsgWaitForMultipleObjectsEx.USER32(?,?,?,000000BF,?), ref: 0042EB6A
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 0042EB85
TranslateMessage.USER32(?), ref: 0042EB92
DispatchMessageA.USER32(?), ref: 0042EB9B
WaitForMultipleObjectsEx.KERNEL32(?,?,?,?,00000000), ref: 0042EBC7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434924, Relevance: 7.6, APIs: 5, Instructions: 77 Total matches: 2509window

Similarity

Total matches: 2509
API ID: GetMenuItemCount$DestroyMenuGetMenuStateRemoveMenu
String ID:
API String ID: 4240291783-0
Opcode ID: 32de4ad86fdb0cc9fc982d04928276717e3a5babd97d9cb0bc7430a9ae97d0ca
Instruction ID: cf6877f9ad33401498591f2bf6e6844a5ca439f59e89e6fdb213c81f0c010526
Opcode Fuzzy Hash: 6BE02BD3455E4703F425AB0454E3FA913C4AF51716DA0DB1017359D07B1F26501FE9F4
Instruction Fuzzy Hash: cf6877f9ad33401498591f2bf6e6844a5ca439f59e89e6fdb213c81f0c010526

APIs

Part of subcall function 00434A54: CreatePopupMenu.USER32 ref: 00434A6F
Part of subcall function 00434A54: CreateMenu.USER32 ref: 00434A79

GetMenuItemCount.USER32(00000000), ref: 0043495C
GetMenuState.USER32(00000000,-00000001,00000400), ref: 0043497D
RemoveMenu.USER32(00000000,-00000001,00000400), ref: 00434994
GetMenuItemCount.USER32(00000000), ref: 004349C4
DestroyMenu.USER32(00000000), ref: 004349D1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00443430, Relevance: 7.6, APIs: 5, Instructions: 61 Total matches: 3003

Similarity

Total matches: 3003
API ID: SetWindowLong$GetWindowLongRedrawWindowSetLayeredWindowAttributes
String ID:
API String ID: 3761630487-0
Opcode ID: 9c9d49d1ef37d7cb503f07450c0d4a327eb9b2b4778ec50dcfdba666c10abcb3
Instruction ID: c6d9d2cd31c241e86b7d90949bf59b5cad1e27a78e0073c3828bbb8e9ec94880
Opcode Fuzzy Hash: 6AE06550D41703A1D48114945B63FBBE8817F8911DDE5C71001BA29145BA88A192FF7B
Instruction Fuzzy Hash: c6d9d2cd31c241e86b7d90949bf59b5cad1e27a78e0073c3828bbb8e9ec94880

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 00443464
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 00443496
SetLayeredWindowAttributes.USER32(00000000,?,?,00000000), ref: 004434CF
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 004434E8
RedrawWindow.USER32(00000000,00000000,00000000,00000485), ref: 004434FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426178, Relevance: 7.6, APIs: 5, Instructions: 55 Total matches: 3070window

Similarity

Total matches: 3070
API ID: GetPaletteEntries$GetDCGetDeviceCapsReleaseDC
String ID:
API String ID: 1267235336-0
Opcode ID: 49f91625e0dd571c489fa6fdad89a91e8dd79834746e98589081ca7a3a4fea17
Instruction ID: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836
Opcode Fuzzy Hash: 7CD0C2AA1389DBD6BD6A17842352A4553478983B09D126B32EB0822872850C5039FD1F
Instruction Fuzzy Hash: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836

APIs

GetDC.USER32(00000000), ref: 00426190
GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444B90, Relevance: 7.5, APIs: 5, Instructions: 25 Total matches: 2957synchronizationthread

Similarity

Total matches: 2957
API ID: CloseHandleGetCurrentThreadIdSetEventUnhookWindowsHookExWaitForSingleObject
String ID:
API String ID: 3442057731-0
Opcode ID: bc40a7f740796d43594237fc13166084f8c3b10e9e48d5138e47e82ca7129165
Instruction ID: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1
Opcode Fuzzy Hash: E9C01296B2C9B0C1EC809712340202800B20F8FC590E3DE0509D7363005315D73CD92C
Instruction Fuzzy Hash: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1

APIs

UnhookWindowsHookEx.USER32(00000000), ref: 00444B9F
SetEvent.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBA
GetCurrentThreadId.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBF
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00444BD4
CloseHandle.KERNEL32(00000000), ref: 00444BDF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040D670, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148 Total matches: 3566thread

Similarity

Total matches: 3566
API ID: GetThreadLocale
String ID: eeee$ggg$yyyy
API String ID: 1366207816-1253427255
Opcode ID: 86fa1fb3c1f239f42422769255d2b4db7643f856ec586a18d45da068e260c20e
Instruction ID: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436
Opcode Fuzzy Hash: 3911BD8712648363D5722818A0D2BE3199C5703CA4EA89742DDB6356EA7F09440BEE6D
Instruction Fuzzy Hash: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436

APIs

GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Strings

eeee, xrefs: 0040D7AE
yyyy, xrefs: 0040D795
ggg, xrefs: 0040D785

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F5E4, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72 Total matches: 26window

Similarity

Total matches: 26
API ID: GetWindowPlacementGetWindowTextIsWindowVisible
String ID: ,
API String ID: 41250382-3772416878
Opcode ID: d98ece8bad481757d152ad7594c705093dec75069e9b5f9ec314c4d81001c558
Instruction ID: 1b57460ef1e40e225087e69e669dd845b9a56fe4f5442601256b4cdd4d0865f6
Opcode Fuzzy Hash: DBE0ABC68782816BD907FDCCB0207E6E1E4779394CC8CBB32C606396E44D92000DCE69
Instruction Fuzzy Hash: 1b57460ef1e40e225087e69e669dd845b9a56fe4f5442601256b4cdd4d0865f6

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F634
GetWindowPlacement.USER32(?,0000002C), ref: 0046F64F
IsWindowVisible.USER32(?), ref: 0046F655

Strings

,, xrefs: 0046F643

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00485150, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64 Total matches: 24registry

Similarity

Total matches: 24
API ID: RegCloseKeyRegOpenKeyRegSetValueEx
String ID: Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 551737238-1428018034
Opcode ID: 03d06dea9a4ea131a8c95bd501c85e7d0b73df60e0a15cb9a2dd1ac9fe2d308f
Instruction ID: 259808f008cd29689f11a183a475b32bbb219f99a0f83129d86369365ce9f44d
Opcode Fuzzy Hash: 15E04F8517EAE2ABA996B5C838866F7609A9713790F443FB19B742F18B4F04601CE243
Instruction Fuzzy Hash: 259808f008cd29689f11a183a475b32bbb219f99a0f83129d86369365ce9f44d

APIs

RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 00485199
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,?,00000000,004851DE,?,00000000,0048520A), ref: 004851C6
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,?,00000000,004851DE,?,00000000,0048520A), ref: 004851CF

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 0048518F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004606CC, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 59 Total matches: 75network

Similarity

Total matches: 75
API ID: gethostbynameinet_addr
String ID: %d.%d.%d.%d$0.0.0.0
API String ID: 1594361348-464342551
Opcode ID: 7e59b623bdbf8c44b8bb58eaa9a1d1e7bf08be48a025104469b389075155053e
Instruction ID: 136b4077bafd549567cd44b702fc781b2d0bdeab701521d256d746d30229b047
Opcode Fuzzy Hash: 62E0D84049F633C28038E685914DF713041C71A2DEF8F9352022171EF72B096986AE3F
Instruction Fuzzy Hash: 136b4077bafd549567cd44b702fc781b2d0bdeab701521d256d746d30229b047

APIs

inet_addr.WSOCK32(00000000), ref: 004606F6
gethostbyname.WSOCK32(00000000), ref: 00460711

Strings

%d.%d.%d.%d, xrefs: 0046075E
0.0.0.0, xrefs: 0046076C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043804C, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58 Total matches: 1778window

Similarity

Total matches: 1778
API ID: DrawMenuBarGetMenuItemInfoSetMenuItemInfo
String ID: P
API String ID: 41131186-3110715001
Opcode ID: ea0fd48338f9c30b58f928f856343979a74bbe7af1b6c53973efcbd39561a32d
Instruction ID: eec9c326b6739cd85be96541f469f9b321a478421ae7c7aca53e0c239bd8eefe
Opcode Fuzzy Hash: C8E0C0C1064C1301CCACB4938564F010221FB8B33CDD1D3C051602419A9D0080D4BFFA
Instruction Fuzzy Hash: eec9c326b6739cd85be96541f469f9b321a478421ae7c7aca53e0c239bd8eefe

APIs

GetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 0043809A
SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 004380EC
DrawMenuBar.USER32(00000000), ref: 004380F9

Strings

P, xrefs: 0043808C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C3E4, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47 Total matches: 32libraryloader

Similarity

Total matches: 32
API ID: FreeLibraryGetProcAddressLoadLibrary
String ID: _DCEntryPoint
API String ID: 2438569322-2130044969
Opcode ID: ab6be07d423f29e2cef18b5ad5ff21cef58c0bd0bd6b8b884c8bb9d8d911d098
Instruction ID: 3cba8b520013dd4b177f9c32272ffd10ecf318a20762e1e9fa694429cf7511db
Opcode Fuzzy Hash: B9D0C2568747D413C405200439407D90CF1AF8719F9967FA145303FAD76F09801B7527
Instruction Fuzzy Hash: 3cba8b520013dd4b177f9c32272ffd10ecf318a20762e1e9fa694429cf7511db

APIs

LoadLibraryA.KERNEL32(00000000), ref: 0048C431
GetProcAddress.KERNEL32(00000000,_DCEntryPoint,00000000,0048C473), ref: 0048C442
FreeLibrary.KERNEL32(00000000), ref: 0048C44A

Strings

_DCEntryPoint, xrefs: 0048C43C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046D36C, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36 Total matches: 62

Similarity

Total matches: 62
API ID: ShellExecute
String ID: /k $[FILE]$open
API String ID: 2101921698-3009165984
Opcode ID: 68a05d7cd04e1a973318a0f22a03b327e58ffdc8906febc8617c9713a9b295c3
Instruction ID: d64fb813625eb261c687c2654e5203d30067de4ace02db37851750b48dd66fbf
Opcode Fuzzy Hash: FED0C75427CD9157FA017F8439527E61057E747281D481BE285587A0838F8D40659312
Instruction Fuzzy Hash: d64fb813625eb261c687c2654e5203d30067de4ace02db37851750b48dd66fbf

APIs

ShellExecuteA.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0046D3B9

Strings

/k , xrefs: 0046D39A
cmd.exe, xrefs: 0046D3AD
open, xrefs: 0046D3B2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042F9E4, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36 Total matches: 35libraryloader

Similarity

Total matches: 35
API ID: GetProcAddressLoadLibrary
String ID: DWMAPI.DLL$DwmExtendFrameIntoClientArea
API String ID: 3291547091-2956373744
Opcode ID: cc41b93bac7ef77e5c5829331b5f2d91e10911707bc9e4b3bb75284856726923
Instruction ID: 611aa7263024d751f308fb3d57e5af9092bc5a71ac2d52dead79affe02cb0da7
Opcode Fuzzy Hash: D0D0A7E4C08511B0F0509405703078241DE1BC5EEE8860E90150E533621B9FB827F65C
Instruction Fuzzy Hash: 611aa7263024d751f308fb3d57e5af9092bc5a71ac2d52dead79affe02cb0da7

APIs

LoadLibraryA.KERNEL32(DWMAPI.DLL), ref: 0042FA0E
GetProcAddress.KERNEL32(00000000,DwmExtendFrameIntoClientArea,?,?,?,00447F98), ref: 0042FA31

Strings

DWMAPI.DLL, xrefs: 0042FA09
DwmExtendFrameIntoClientArea, xrefs: 0042FA26

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042FA80, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31 Total matches: 41libraryloader

Similarity

Total matches: 41
API ID: GetProcAddressLoadLibrary
String ID: DWMAPI.DLL$DwmIsCompositionEnabled
API String ID: 3291547091-2128843254
Opcode ID: 903d86e3198bc805c96c7b960047695f5ec88b3268c29fda1165ed3f3bc36d22
Instruction ID: 6cdb37f6684ca359e010f835ed4616ce0f7732468e0f2b98b5f1960530870703
Opcode Fuzzy Hash: E3D0C9A5C0865175F571D509713068081FA23D6E8A8824998091A123225FAFB866F55C
Instruction Fuzzy Hash: 6cdb37f6684ca359e010f835ed4616ce0f7732468e0f2b98b5f1960530870703

APIs

LoadLibraryA.KERNEL32(DWMAPI.DLL), ref: 0042FAA6
GetProcAddress.KERNEL32(00000000,DwmIsCompositionEnabled,?,?,0042FB22,?,00447EFB), ref: 0042FAC9

Strings

DwmIsCompositionEnabled, xrefs: 0042FABE
DWMAPI.DLL, xrefs: 0042FAA1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040F4AC, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16 Total matches: 3137libraryloader

Similarity

Total matches: 3137
API ID: GetModuleHandleGetProcAddress
String ID: GetDiskFreeSpaceExA$[FILE]
API String ID: 1063276154-3559590856
Opcode ID: c33e0a58fb58839ae40c410e06ae8006a4b80140bf923832b2d6dbd30699e00d
Instruction ID: 9d6a6771c1a736381c701344b3d7b8e37c98dfc5013332f68a512772380f22cc
Opcode Fuzzy Hash: D8B09224E0D54114C4B4560930610013C82738A10E5019A820A1B720AA7CCEEA29603A
Instruction Fuzzy Hash: 9d6a6771c1a736381c701344b3d7b8e37c98dfc5013332f68a512772380f22cc

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0048F10B,00000000,0048F11E), ref: 0040F4B2
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA,kernel32.dll,?,0048F10B,00000000,0048F11E), ref: 0040F4C3

Strings

GetDiskFreeSpaceExA, xrefs: 0040F4BD
kernel32.dll, xrefs: 0040F4AD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EC20, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15 Total matches: 48libraryloader

Similarity

Total matches: 48
API ID: GetModuleHandleGetProcAddress
String ID: CoWaitForMultipleHandles$[FILE]
API String ID: 1063276154-3065170753
Opcode ID: c6d715972c75e747e6d7ad7506eebf8b4c41a2b527cd9bc54a775635c050cd0f
Instruction ID: d81c7de5bd030b21af5c52a75e3162b073d887a4de1eb555b8966bd0fb9ec815
Opcode Fuzzy Hash: 4DB012F9A0C9210CE55F44043163004ACF031C1B5F002FD461637827803F86F437631D
Instruction Fuzzy Hash: d81c7de5bd030b21af5c52a75e3162b073d887a4de1eb555b8966bd0fb9ec815

APIs

GetModuleHandleA.KERNEL32(ole32.dll,?,0042EC9A), ref: 0042EC26
GetProcAddress.KERNEL32(00000000,CoWaitForMultipleHandles,ole32.dll,?,0042EC9A), ref: 0042EC37

Strings

CoWaitForMultipleHandles, xrefs: 0042EC31
ole32.dll, xrefs: 0042EC21

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E724, Relevance: 6.2, APIs: 4, Instructions: 198 Total matches: 19

Similarity

Total matches: 19
API ID: NetApiBufferFree$NetShareEnumNetShareGetInfo
String ID:
API String ID: 1922012051-0
Opcode ID: 7e64b2910944434402afba410b58d9b92ec59018d54871fdfc00dd5faf96720b
Instruction ID: 14ccafa2cf6417a1fbed620c270814ec7f2ac7381c92f106b89344cab9500d3f
Opcode Fuzzy Hash: 522148C606BDA0ABF6A3B4C4B447FC182D07B0B96DE486B2290BABD5C20D9521079263
Instruction Fuzzy Hash: 14ccafa2cf6417a1fbed620c270814ec7f2ac7381c92f106b89344cab9500d3f

APIs

Part of subcall function 004032F8: GetCommandLineA.KERNEL32(00000000,00403349,?,?,?,00000000), ref: 0040330F

Part of subcall function 00403358: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,0046E763,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0040337C
Part of subcall function 00403358: GetCommandLineA.KERNEL32(?,?,?,0046E763,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0040338E

NetShareEnum.NETAPI32(?,00000000,?,000000FF,?,?,?,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0046E79C
NetShareGetInfo.NETAPI32(?,?,000001F6,?,00000000,0046E945,?,?,00000000,?,000000FF,?,?,?,00000000,0046E984), ref: 0046E7D5
NetApiBufferFree.NETAPI32(?,?,?,000001F6,?,00000000,0046E945,?,?,00000000,?,000000FF,?,?,?,00000000), ref: 0046E936
NetApiBufferFree.NETAPI32(?,?,00000000,?,000000FF,?,?,?,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0046E964

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00411444, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: 954335058d5fe722e048a186d9110509c96c1379a47649d8646f5b9e1a2e0a0b
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: 9D014B0327CAAA867021BB004882FA0D2D4DE52A369CD8774DB71593F62780571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004114F3
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041150F
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411586
VariantClear.OLEAUT32(?), ref: 004115AF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040D8AA, Relevance: 6.1, APIs: 4, Instructions: 101 Total matches: 2563

Similarity

Total matches: 2563
API ID: GetModuleFileName$LoadStringVirtualQuery
String ID:
API String ID: 2941097594-0
Opcode ID: 9f707685a8ca2ccbfc71ad53c7f9b5a8f910bda01de382648e3a286d4dcbad8b
Instruction ID: 9b6f9daabaaed01363acd1bc6df000eeaee8c5b1ee04e659690c8b100997f9f3
Opcode Fuzzy Hash: 4C014C024365E386F4234B112882F5492E0DB65DB1E8C6751EFB9503F65F40115EF72D
Instruction Fuzzy Hash: 9b6f9daabaaed01363acd1bc6df000eeaee8c5b1ee04e659690c8b100997f9f3

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040D8C9
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040D8ED
GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040D908
LoadStringA.USER32(00000000,0000FFED,?,00000100), ref: 0040D99E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428848, Relevance: 6.1, APIs: 4, Instructions: 83 Total matches: 2913window

Similarity

Total matches: 2913
API ID: CreateCompatibleDCRealizePaletteSelectObjectSelectPalette
String ID:
API String ID: 3833105616-0
Opcode ID: 7f49dee69bcd38fda082a6c54f39db5f53dba16227df2c2f18840f8cf7895046
Instruction ID: 29ada319a87402adac0eebea4d3b1ef9d21249ffa1523adf5174efdc3c3390a2
Opcode Fuzzy Hash: C0F0E5870BCED49BFCA7D484249722910C2F3C08DFC80A3324E55676DB9604B127A20B
Instruction Fuzzy Hash: 29ada319a87402adac0eebea4d3b1ef9d21249ffa1523adf5174efdc3c3390a2

APIs

Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE

Part of subcall function 00429D5C: GetDC.USER32(00000000), ref: 00429DB2
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429DC7
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00429DD1
Part of subcall function 00429D5C: CreateHalftonePalette.GDI32(00000000), ref: 00429DF5
Part of subcall function 00429D5C: ReleaseDC.USER32(00000000,00000000), ref: 00429E00

CreateCompatibleDC.GDI32(00000000), ref: 0042889D
SelectObject.GDI32(00000000,?), ref: 004288B6
SelectPalette.GDI32(00000000,?,000000FF), ref: 004288DF
RealizePalette.GDI32(00000000), ref: 004288EB

Part of subcall function 00425608: LeaveCriticalSection.KERNEL32(00000038,00000000,00423DD2,00423DE8), ref: 0042560F
Part of subcall function 00425608: EnterCriticalSection.KERNEL32(00499A30,00000038,00000000,00423DD2,00423DE8), ref: 00425619
Part of subcall function 00425608: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000038,00000000,00423DD2,00423DE8), ref: 00425626

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00470B94, Relevance: 6.1, APIs: 4, Instructions: 73 Total matches: 22file

Similarity

Total matches: 22
API ID: DragQueryFile$GlobalLockGlobalUnlock
String ID:
API String ID: 367920443-0
Opcode ID: 498cda1e803d17a6f5118466ea9165dd9226bd8025a920d397bde98fe09ca515
Instruction ID: b8ae27aaf29c7a970dfd4945759f76c89711bef1c6f8db22077be54f479f9734
Opcode Fuzzy Hash: F8F05C830F79E26BD5013A844E0179401A17B03DB8F147BB2D232729DC4E5D409DF60F
Instruction Fuzzy Hash: b8ae27aaf29c7a970dfd4945759f76c89711bef1c6f8db22077be54f479f9734

APIs

Part of subcall function 00431970: GetClipboardData.USER32(00000000), ref: 00431996

GlobalLock.KERNEL32(00000000,00000000,00470C74), ref: 00470BDE
DragQueryFileA.SHELL32(?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470BF0
DragQueryFileA.SHELL32(?,00000000,?,00000105,?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470C10
GlobalUnlock.KERNEL32(00000000,?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470C56

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00438710, Relevance: 6.1, APIs: 4, Instructions: 72 Total matches: 3034window

Similarity

Total matches: 3034
API ID: GetMenuItemIDGetMenuStateGetMenuStringGetSubMenu
String ID:
API String ID: 4177512249-0
Opcode ID: ecc45265f1f2dfcabc36b66648e37788e83d83d46efca9de613be41cbe9cf08e
Instruction ID: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d
Opcode Fuzzy Hash: BEE020084B1FC552541F0A4A1573F019140E142CB69C3F3635127565B31A255213F776
Instruction Fuzzy Hash: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d

APIs

GetMenuState.USER32(?,?,?), ref: 00438733
GetSubMenu.USER32(?,?), ref: 0043873E
GetMenuItemID.USER32(?,?), ref: 00438757
GetMenuStringA.USER32(?,?,?,?,?), ref: 004387AA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00445518, Relevance: 6.1, APIs: 4, Instructions: 71 Total matches: 218threadwindow

Similarity

Total matches: 218
API ID: GetCurrentProcessIdGetWindowGetWindowThreadProcessIdIsWindowVisible
String ID:
API String ID: 3659984437-0
Opcode ID: 6a2b99e3a66d445235cbeb6ae27631a3038d73fb4110980a8511166327fee1f0
Instruction ID: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8
Opcode Fuzzy Hash: 82E0AB21B2AA28AAE0971541B01939130B3F74ED9ACC0A3626F8594BD92F253809E74F
Instruction Fuzzy Hash: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8

APIs

GetWindow.USER32(?,00000004), ref: 00445528
GetWindowThreadProcessId.USER32(?,?), ref: 00445542
GetCurrentProcessId.KERNEL32(?,00000004), ref: 0044554E
IsWindowVisible.USER32(?), ref: 0044559E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B29C, Relevance: 6.1, APIs: 4, Instructions: 58 Total matches: 214window

Similarity

Total matches: 214
API ID: DeleteObject$GetIconInfoGetObject
String ID:
API String ID: 3019347292-0
Opcode ID: d6af2631bec08fa1cf173fc10c555d988242e386d2638a025981433367bbd086
Instruction ID: 7fbc048e39f9dd6e6db5f40543e5f161b145f4c2f282fe4a446dbd8e1941d375
Opcode Fuzzy Hash: F7D0C283228DE2F7ED767D983A636154085F782297C6423B00444730860A1E700C6A03
Instruction Fuzzy Hash: 7fbc048e39f9dd6e6db5f40543e5f161b145f4c2f282fe4a446dbd8e1941d375

APIs

GetIconInfo.USER32(?,?), ref: 0042B2BD
GetObjectA.GDI32(?,00000018,?), ref: 0042B2DE
DeleteObject.GDI32(?), ref: 0042B30A
DeleteObject.GDI32(?), ref: 0042B313

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00445334, Relevance: 6.1, APIs: 4, Instructions: 56 Total matches: 2678

Similarity

Total matches: 2678
API ID: EnumWindowsGetWindowGetWindowLongSetWindowPos
String ID:
API String ID: 1660305372-0
Opcode ID: c3d012854d63b95cd89c42a77d529bdce0f7c5ea0abc138a70ce1ca7fb0ed027
Instruction ID: 7947c1ee61b3a945b06f79495752ea495d4a1fb36974d9d540e15b721e8a8e8a
Opcode Fuzzy Hash: 65E07D89179DA114F52124400911F043342F3D731BD1ADF814246283E39B8522BBFB8C
Instruction Fuzzy Hash: 7947c1ee61b3a945b06f79495752ea495d4a1fb36974d9d540e15b721e8a8e8a

APIs

EnumWindows.USER32(Function_000452BC), ref: 0044535E
GetWindow.USER32(?,00000003), ref: 00445376
GetWindowLongA.USER32(00000000,000000EC), ref: 00445383
SetWindowPos.USER32(00000000,000000EC,00000000,00000000,00000000,00000000,00000213), ref: 004453C2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004314A0, Relevance: 6.1, APIs: 4, Instructions: 56 Total matches: 21memoryclipboard

Similarity

Total matches: 21
API ID: GlobalAllocGlobalLockGlobalUnlockSetClipboardData
String ID:
API String ID: 3535573752-0
Opcode ID: f0e50475fe096c382d27ee33e947bcf8d55d19edebb1ed8108c2663ee63934e9
Instruction ID: 2742e8ac83e55c90e50d408429e67af57535f67fab21309796ee5989aaacba5e
Opcode Fuzzy Hash: D7E0C250025CF01BF9CA69CD3C97E86D2D2DA402649D46FB58258A78B3222E6049E50B
Instruction Fuzzy Hash: 2742e8ac83e55c90e50d408429e67af57535f67fab21309796ee5989aaacba5e

APIs

GlobalAlloc.KERNEL32(00002002,?,00000000,00431572), ref: 004314CF
GlobalLock.KERNEL32(?,00000000,00431544,?,00002002,?,00000000,00431572), ref: 004314E9
SetClipboardData.USER32(?,?), ref: 00431517
GlobalUnlock.KERNEL32(?,0043153A,?,00000000,00431544,?,00002002,?,00000000,00431572), ref: 0043152D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040A404, Relevance: 6.1, APIs: 4, Instructions: 54 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: c8f11cb17e652d385e55d6399cfebc752614be738e382b5839b86fc73ea86396
Instruction ID: 2e292ce978d1af3d415e66e5b982e49a92b9d84a3d1479b7871fac408542b61b
Opcode Fuzzy Hash: 32D02B030B309613452F157D0441F8D7032488F01A96C2F8C37B77ABA68505605FFE4C
Instruction Fuzzy Hash: 2e292ce978d1af3d415e66e5b982e49a92b9d84a3d1479b7871fac408542b61b

APIs

FindNextFileA.KERNEL32(?,?), ref: 0040A415
GetLastError.KERNEL32(?,?), ref: 0040A41E
FileTimeToLocalFileTime.KERNEL32(?), ref: 0040A434
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 0040A443

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0041C2D4, Relevance: 6.1, APIs: 4, Instructions: 51 Total matches: 4966

Similarity

Total matches: 4966
API ID: FindResourceLoadResourceLockResourceSizeofResource
String ID:
API String ID: 3653323225-0
Opcode ID: 735dd83644160b8dcfdcb5d85422b4d269a070ba32dbf009b7750e227a354687
Instruction ID: 615d07274e164157e3e11310b2f920de543c2506028dc961f8b3aaf64374c2fd
Opcode Fuzzy Hash: 4BD0A90A2268C100582C2C80002BBC610830A5FE226CC27F902231BBC32C026024F8C4
Instruction Fuzzy Hash: 615d07274e164157e3e11310b2f920de543c2506028dc961f8b3aaf64374c2fd

APIs

FindResourceA.KERNEL32(?,?,?), ref: 0041C2EB
LoadResource.KERNEL32(?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C305
SizeofResource.KERNEL32(?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C31F
LockResource.KERNEL32(0041BDF4,00000000,?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000), ref: 0041C329

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040A3AC, Relevance: 6.0, APIs: 4, Instructions: 40 Total matches: 51time

Similarity

Total matches: 51
API ID: DosDateTimeToFileTimeGetLastErrorLocalFileTimeToFileTimeSetFileTime
String ID:
API String ID: 3095628216-0
Opcode ID: dc7fe683cb9960f76d0248ee31fd3249d04fe76d6d0b465a838fe0f3e66d3351
Instruction ID: c3399427300e97a0bf23ec08d7f996c3ab3c22a86554ee3675cd901d102723b3
Opcode Fuzzy Hash: F2C0803B165157D71F4F7D7C600375011F0D1778230955B614E019718D4E05F01EFD86
Instruction Fuzzy Hash: c3399427300e97a0bf23ec08d7f996c3ab3c22a86554ee3675cd901d102723b3

APIs

DosDateTimeToFileTime.KERNEL32(?,0048C37F,?), ref: 0040A3C9
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0040A3DA
SetFileTime.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3EC
GetLastError.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3F5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00484388, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 39

Similarity

Total matches: 39
API ID: CloseHandleGetExitCodeProcessOpenProcessTerminateProcess
String ID:
API String ID: 2790531620-0
Opcode ID: 2f64381cbc02908b23ac036d446d8aeed05bad4df5f4c3da9e72e60ace7043ae
Instruction ID: e830ae185e03603e72926048c7063e7464f7d8c572e36ef4319c937be7ad0c91
Opcode Fuzzy Hash: 5DC01285079EAB7B643571D825437E14084D5026CCB943B7185045F10B4B09B43DF053
Instruction Fuzzy Hash: e830ae185e03603e72926048c7063e7464f7d8c572e36ef4319c937be7ad0c91

APIs

OpenProcess.KERNEL32(00000001,00000000,00000000), ref: 00484393
GetExitCodeProcess.KERNEL32(00000000,?), ref: 004843B7
TerminateProcess.KERNEL32(00000000,?,00000000,004843E0,?,00000001,00000000,00000000), ref: 004843C4
CloseHandle.KERNEL32(00000000), ref: 004843DA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044E254, Relevance: 6.0, APIs: 4, Instructions: 37 Total matches: 5751thread

Similarity

Total matches: 5751
API ID: GetCurrentProcessIdGetPropGetWindowThreadProcessIdGlobalFindAtom
String ID:
API String ID: 142914623-0
Opcode ID: 055fee701d7a26f26194a738d8cffb303ddbdfec43439e02886190190dab2487
Instruction ID: e9689aead5eaf442059aa2d418bca5d111d08576717f72d926dd49825766799b
Opcode Fuzzy Hash: 0AC02203AD2E23870E4202F2E840907219583DF8720CA370201B0E38C023F0461DFF0C
Instruction Fuzzy Hash: e9689aead5eaf442059aa2d418bca5d111d08576717f72d926dd49825766799b

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 0044E261
GetCurrentProcessId.KERNEL32(00000000,?,?,-00000010,00000000,0044E2CC,-000000F7,?,00000000,0044DE86,?,-00000010,?), ref: 0044E26A
GlobalFindAtomA.KERNEL32(00000000), ref: 0044E27F
GetPropA.USER32(00000000,00000000), ref: 0044E296

Part of subcall function 0044D2C0: GetWindowThreadProcessId.USER32(?), ref: 0044D2C6
Part of subcall function 0044D2C0: GetCurrentProcessId.KERNEL32(?,?,?,?,0044D346,?,00000000,?,004387ED,?,004378A9), ref: 0044D2CF
Part of subcall function 0044D2C0: SendMessageA.USER32(?,0000C1C7,00000000,00000000), ref: 0044D2E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444B1C, Relevance: 6.0, APIs: 4, Instructions: 34 Total matches: 2966thread

Similarity

Total matches: 2966
API ID: CreateEventCreateThreadGetCurrentThreadIdSetWindowsHookEx
String ID:
API String ID: 2240124278-0
Opcode ID: 54442a1563c67a11f9aee4190ed64b51599c5b098d388fde65e2e60bb6332aef
Instruction ID: 25b62da08cecef26c395931cea73ffe9b62582a88be241cbb158b3c9ea13de32
Opcode Fuzzy Hash: 37D0C940B0DE75C4F860630138017A90633234BF1BCD1C316480F76041C6CFAEF07A28
Instruction Fuzzy Hash: 25b62da08cecef26c395931cea73ffe9b62582a88be241cbb158b3c9ea13de32

APIs

GetCurrentThreadId.KERNEL32(?,00447A69,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00444B34
SetWindowsHookExA.USER32(00000003,00444AD8,00000000,00000000), ref: 00444B44
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00447A69,?,?,?,?,?,?,?,?,?,?), ref: 00444B5F
CreateThread.KERNEL32(00000000,000003E8,00444A7C,00000000,00000000), ref: 00444B83

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B438, Relevance: 6.0, APIs: 4, Instructions: 29 Total matches: 789

Similarity

Total matches: 789
API ID: GetDCGetTextMetricsReleaseDCSelectObject
String ID:
API String ID: 1769665799-0
Opcode ID: db772d9cc67723a7a89e04e615052b16571c955da3e3b2639a45f22e65d23681
Instruction ID: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3
Opcode Fuzzy Hash: DCC02B935A2888C32DE51FC0940084317C8C0E3A248C62212E13D400727F0C007CBFC0
Instruction Fuzzy Hash: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3

APIs

GetDC.USER32(00000000), ref: 0042B441
SelectObject.GDI32(00000000,018A002E), ref: 0042B453
GetTextMetricsA.GDI32(00000000), ref: 0042B45E
ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042473C, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 172 Total matches: 108

Similarity

Total matches: 108
API ID: CompareStringCreateFontIndirect
String ID: Default
API String ID: 480662435-753088835
Opcode ID: 55710f22f10b58c86f866be5b7f1af69a0ec313069c5af8c9f5cd005ee0f43f8
Instruction ID: ad4a051fb67a15694052d05548e5e2a92b9daedfa5d673be67c756d1cf269a99
Opcode Fuzzy Hash: F6116A2104DDB067F8B3EC94B64A74A79D1BBC5E9EC00FB303AA57198A0B01500EEB0E
Instruction Fuzzy Hash: ad4a051fb67a15694052d05548e5e2a92b9daedfa5d673be67c756d1cf269a99

APIs

Part of subcall function 00423A1C: EnterCriticalSection.KERNEL32(?,00423A59), ref: 00423A20

CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,00424930,?,00000000,00424958), ref: 0042486B
CreateFontIndirectA.GDI32(?), ref: 0042490D

Part of subcall function 0042B438: GetDC.USER32(00000000), ref: 0042B441
Part of subcall function 0042B438: SelectObject.GDI32(00000000,018A002E), ref: 0042B453
Part of subcall function 0042B438: GetTextMetricsA.GDI32(00000000), ref: 0042B45E
Part of subcall function 0042B438: ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Part of subcall function 00423A28: LeaveCriticalSection.KERNEL32(-00000008,00423B07,00423B0F), ref: 00423A2C

Strings

Default, xrefs: 00424832, 00424840, 00424841

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E3F0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103 Total matches: 30

Similarity

Total matches: 30
API ID: SHGetPathFromIDListSHGetSpecialFolderLocation
String ID: .LNK
API String ID: 739551631-2547878182
Opcode ID: 6b91e9416f314731ca35917c4d41f2341f1eaddd7b94683245f35c4551080332
Instruction ID: e6ae6f63a256f5e8788dfe1c4fce17057cd352befa637d7beb5ae1c0f18a968e
Opcode Fuzzy Hash: 9701B543079EC2A3D9232E512D43BA60129AF11E22F4C77F35A3C3A7D11E500105FA4A
Instruction Fuzzy Hash: e6ae6f63a256f5e8788dfe1c4fce17057cd352befa637d7beb5ae1c0f18a968e

APIs

SHGetSpecialFolderLocation.SHELL32(00000000,00000010,?), ref: 0046E44B
SHGetPathFromIDListA.SHELL32(?,?,00000000,00000010,?,00000000,0046E55E), ref: 0046E463

Part of subcall function 0042BE44: CoCreateInstance.OLE32(?,00000000,00000005,0042BF34,00000000), ref: 0042BE8B

Strings

.LNK, xrefs: 0046E4DE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00472C70, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 98 Total matches: 26

Similarity

Total matches: 26
API ID: SetFileAttributes
String ID: I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!$drivers\etc\hosts
API String ID: 3201317690-57959411
Opcode ID: de1fcf5289fd0d37c0d7642ff538b0d3acf26fbf7f5b53187118226b7e9f9585
Instruction ID: 1f69c6cfd5524e6f1e55c33e322de11738733e7ba85079705839c212502733fc
Opcode Fuzzy Hash: C4012B430F74D723D5173D857800B8922764B4A179D4A77F34B3B796E14E45101BF26D
Instruction Fuzzy Hash: 1f69c6cfd5524e6f1e55c33e322de11738733e7ba85079705839c212502733fc

APIs

Part of subcall function 004719C8: GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 004719DF

SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00472DAB,?,00000000,00472DE7), ref: 00472D16

Strings

drivers\etc\hosts, xrefs: 00472CD3, 00472D00
I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!, xrefs: 00472D8D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040C028, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79 Total matches: 3032thread

Similarity

Total matches: 3032
API ID: GetDateFormatGetThreadLocale
String ID: yyyy
API String ID: 358233383-3145165042
Opcode ID: a9ef5bbd8ef47e5bcae7fadb254d6b5dc10943448e4061dc92b10bb97dc7929c
Instruction ID: 3d7ab4add3e8180159f8482215856afc9a1a963464e366b4ca05c92ac214afea
Opcode Fuzzy Hash: 09F09E4A0397D3D76802C969D023BC10194EB5A8B2C88B3B1DBB43D7F74C10C40AAF21
Instruction Fuzzy Hash: 3d7ab4add3e8180159f8482215856afc9a1a963464e366b4ca05c92ac214afea

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,0040C116), ref: 0040C0AE
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100), ref: 0040C0B4

Strings

yyyy, xrefs: 0040C089

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E408, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44 Total matches: 2190

Similarity

Total matches: 2190
API ID: GetSystemMetrics
String ID: MonitorFromPoint
API String ID: 96882338-1072306578
Opcode ID: 666203dad349f535e62b1e5569e849ebaf95d902ba2aa8f549115cec9aadc9dc
Instruction ID: 9e90a3aeaa9df0e76633c437836624889fea8714b6c2508f44f8acb6986c90e8
Opcode Fuzzy Hash: 72D09540005C404E9427F505302314050862CD7C1444C0A96073728A4B4BC07837E70C
Instruction Fuzzy Hash: 9e90a3aeaa9df0e76633c437836624889fea8714b6c2508f44f8acb6986c90e8

APIs

GetSystemMetrics.USER32(00000000), ref: 0042E456
GetSystemMetrics.USER32(00000001), ref: 0042E468

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

MonitorFromPoint, xrefs: 0042E41A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E258, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39 Total matches: 3131

Similarity

Total matches: 3131
API ID: GetSystemMetrics
String ID: GetSystemMetrics
API String ID: 96882338-96882338
Opcode ID: bbc54e4b5041dfa08de2230ef90e8f32e1264c6e24ec09b97715d86cc98d23e9
Instruction ID: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c
Opcode Fuzzy Hash: B4D0A941986AA908E0AF511971A336358D163D2EA0C8C8362308B329EB5741B520AB01
Instruction Fuzzy Hash: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c

APIs

GetSystemMetrics.USER32(?), ref: 0042E2BA

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

GetSystemMetrics.USER32(?), ref: 0042E280

Strings

GetSystemMetrics, xrefs: 0042E268

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Process Name: ABsound.exe Analysis ID: 48661

General

Root Process Name:	regdrv.exe
Process MD5:	F51025B7377A6E1195B92C43C02AE280
Total matches:	118
Initial Analysis Report:	Open
Initial sample Analysis ID:	48661
Initial sample SHA 256:	3BC676885FCB24D6743D5EC70E405FFB4A45DC1CA41F7FCEC4863E719DCE69B3
Initial sample name:	SCAN00GOG090.exe

Similar Executed Functions

Function 00406C2C, Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184 Total matches: 2899registrystringlibrary

Similarity

Total matches: 2899
API ID: lstrcpyn$LoadLibraryExRegOpenKeyEx$RegQueryValueEx$GetLocaleInfoGetModuleFileNameGetThreadLocaleRegCloseKeylstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 3567661987-2375825460
Opcode ID: a3b1251d448c01bd6f1cc1c42774547fa8a2e6c4aa6bafad0bbf1d0ca6416942
Instruction ID: a303aaa8438224c55303324eb01105260f59544aa3820bfcbc018d52edb30607
Opcode Fuzzy Hash: 7311914307969393E8871B6124157D513A5AF01F30E4A7BF275F0206EABE46110CFA06
Instruction Fuzzy Hash: a303aaa8438224c55303324eb01105260f59544aa3820bfcbc018d52edb30607

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,00400000,004917C0), ref: 00406C48
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,004917C0), ref: 00406C66
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,004917C0), ref: 00406C84
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00406CA2

Part of subcall function 00406A68: GetModuleHandleA.KERNEL32(kernel32.dll,?,00400000,004917C0), ref: 00406A85
Part of subcall function 00406A68: GetProcAddress.KERNEL32(?,GetLongPathNameA,kernel32.dll,?,00400000,004917C0), ref: 00406A9C
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,?,00400000,004917C0), ref: 00406ACC
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B30
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B66
Part of subcall function 00406A68: FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B79
Part of subcall function 00406A68: FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B8B
Part of subcall function 00406A68: lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B97
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000), ref: 00406BCB
Part of subcall function 00406A68: lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00406BD7
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 00406BF9

RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,00406D31,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00406CEB
RegQueryValueExA.ADVAPI32(?,00406E98,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00406D31,?,80000001), ref: 00406D09
RegCloseKey.ADVAPI32(?,00406D38,00000000,?,?,00000000,00406D31,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00406D2B
lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00406D48
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00406D55
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00406D5B
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00406D86
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406DCD
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406DDD
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406E05
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406E15
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00406E3B
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 00406E4B

Strings

Software\Borland\Locales, xrefs: 00406C5C, 00406C7A
Software\Borland\Delphi\Locales, xrefs: 00406C98

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004865E0, Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 218 Total matches: 6networkwindowsleep

Similarity

Total matches: 6
API ID: DispatchMessagePeekMessageSleepTranslateMessageclosesocketconnectgethostbynameinet_addrntohsrecvshutdownsocket
String ID: AI$`cH
API String ID: 3460500621-1903509725
Opcode ID: 160ec415bf9cde1d180925ab74ab35c458bf35a5a8942b744c9c50ea7885072b
Instruction ID: bff04fe52ff06702a52ed8e0aeaacb9a4f873de297662bc347fa8b812471f346
Opcode Fuzzy Hash: A1318B84078ED51EE4327F307841F4B1295BFD6634E4597D68772396D22F01541EF91E
Instruction Fuzzy Hash: bff04fe52ff06702a52ed8e0aeaacb9a4f873de297662bc347fa8b812471f346

APIs

Sleep.KERNEL32(000000C8), ref: 00486682
TranslateMessage.USER32(?), ref: 00486690
DispatchMessageA.USER32(?), ref: 0048669C
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004866B0
socket.WSOCK32(00000002,00000001,00000000,?,00000000,00000000,00000000,00000001,000000C8), ref: 004866CE
ntohs.WSOCK32(00000774,00000002,00000001,00000000,?,00000000,00000000,00000000,00000001,000000C8), ref: 004866F8
inet_addr.WSOCK32(015EAA88,00000774,00000002,00000001,00000000,?,00000000,00000000,00000000,00000001,000000C8), ref: 00486709
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774,00000002,00000001,00000000,?,00000000,00000000,00000000,00000001,000000C8), ref: 0048671F
connect.WSOCK32(00000248,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000,?,00000000,00000000,00000000,00000001,000000C8), ref: 00486744

Part of subcall function 0041FA34: GetLastError.KERNEL32(00486514,00000004,0048650C,00000000,0041FADE,?,00499F5C), ref: 0041FA94

Part of subcall function 0041FC40: SetThreadPriority.KERNEL32(?,015CDB28,00499F5C,?,0047EC9E,?,?,?,00000000,00000000,?,0049062B), ref: 0041FC55

Part of subcall function 0041FEF0: ResumeThread.KERNEL32(?,00499F5C,?,0047ECAA,?,?,?,00000000,00000000,?,0049062B), ref: 0041FEF8

recv.WSOCK32(00000248,?,00002000,00000000,00000248,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000,?,00000000,00000000,00000000), ref: 004867CD
shutdown.WSOCK32(00000248,00000001,00000248,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000,?,00000000,00000000,00000000,00000001,000000C8), ref: 00486881
closesocket.WSOCK32(00000248,00000248,00000001,00000248,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000,?,00000000,00000000,00000000,00000001), ref: 0048688E

Part of subcall function 00405D40: SysFreeString.OLEAUT32(?), ref: 00405D53

Part of subcall function 00486528: shutdown.WSOCK32(00000248,00000002,00000001,004867E2,00000248,?,00002000,00000000,00000248,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000), ref: 004865BC
Part of subcall function 00486528: closesocket.WSOCK32(00000248,00000248,00000002,00000001,004867E2,00000248,?,00002000,00000000,00000248,00000002,00000010,015EAA88,00000774,00000002,00000001), ref: 004865C9

Strings

AI, xrefs: 0048681D
`cH, xrefs: 00486760

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00406D38, Relevance: 15.1, APIs: 10, Instructions: 98 Total matches: 2843stringlibrarythread

Similarity

Total matches: 2843
API ID: lstrcpyn$LoadLibraryEx$GetLocaleInfoGetThreadLocalelstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 2476548892-2375825460
Opcode ID: 37afa4b59127376f4a6833a35b99071d0dffa887068a3353cca0b5e1e5cd2bc3
Instruction ID: 0c520f96d45b86b238466289d2a994e593252e78d5c30d2048b7af96496f657b
Opcode Fuzzy Hash: 4CF0C883479793A7E04B1B422916AC853A4AF00F30F577BE1B970147FE7D1B240CA519
Instruction Fuzzy Hash: 0c520f96d45b86b238466289d2a994e593252e78d5c30d2048b7af96496f657b

APIs

lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00406D48
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00406D55
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00406D5B
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00406D86
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406DCD
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406DDD
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406E05
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406E15
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00406E3B
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 00406E4B

Strings

Software\Borland\Locales, xrefs: 00406C5C, 00406C7A
Software\Borland\Delphi\Locales, xrefs: 00406C98

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AEA8, Relevance: 9.1, APIs: 6, Instructions: 108 Total matches: 122

Similarity

Total matches: 122
API ID: AdjustTokenPrivilegesCloseHandleGetCurrentProcessGetLastErrorLookupPrivilegeValueOpenProcessToken
String ID:
API String ID: 1655903152-0
Opcode ID: c92d68a2c1c5faafb4a28c396f292a277a37f0b40326d7f586547878ef495775
Instruction ID: 5a044237aac15a3989e4021d08b96f5326c338692d3d0e66e444868dbe789150
Opcode Fuzzy Hash: 2CF0468513CAB2E7F879B18C3042FE73458B323244C8437219A903A18E0E59A12CEB13
Instruction Fuzzy Hash: 5a044237aac15a3989e4021d08b96f5326c338692d3d0e66e444868dbe789150

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AEFF
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF05
LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000), ref: 0048AF77
CloseHandle.KERNEL32(?), ref: 0048AF8D
GetLastError.KERNEL32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF9A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DDE0, Relevance: 7.6, APIs: 5, Instructions: 54 Total matches: 153

Similarity

Total matches: 153
API ID: FindResourceFreeResourceLoadResourceLockResourceSizeofResource
String ID:
API String ID: 3885362348-0
Opcode ID: ef8b8e58cde3d28224df1e0c57da641ab2d3d01fa82feb3a30011b4f31433ee9
Instruction ID: 9990bafbf40e834a260b48e1f62370990a3e04654371271e90c167a58edff6a8
Opcode Fuzzy Hash: 08D02B420B5FA197F51656482C813D722876B43386EC42BF2D31A3B2E39F058039F60B
Instruction Fuzzy Hash: 9990bafbf40e834a260b48e1f62370990a3e04654371271e90c167a58edff6a8

APIs

FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 0048DE1A
LoadResource.KERNEL32(00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE24
SizeofResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE2E
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE36
FreeResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00481ED8, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 86 Total matches: 13

Similarity

Total matches: 13
API ID: GetModuleHandleSetWindowsHookEx
String ID: 3 H$dclogs\
API String ID: 987070476-1752027334
Opcode ID: 4b23d8581528a2a1bc1133d8afea0c2915dbad2a911779c2aade704c29555fce
Instruction ID: b2120ba2d2fe5220d185ceeadd256cdd376e4b814eb240eb03e080d2c545ca01
Opcode Fuzzy Hash: 00F0D1DB07A9C683E1A2A4847C42796007D5F07115E8C8BB3473F7A4F64F164026F70A
Instruction Fuzzy Hash: b2120ba2d2fe5220d185ceeadd256cdd376e4b814eb240eb03e080d2c545ca01

APIs

GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00482007,?,?,00000003,00000000,00000000,?,00482033), ref: 00481EFB
SetWindowsHookExA.USER32(0000000D,004818F8,00000000,00000000), ref: 00481F09

Part of subcall function 0048ADCC: SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0048ADF9
Part of subcall function 0048ADCC: SHGetPathFromIDListA.SHELL32(?,?,00000000,0048AE8C,?,?,00000005,?,004856FD,00000000,00485755,?,?,00000005,00000000,00000000), ref: 0048AE09

Part of subcall function 0040A290: GetFileAttributesA.KERNEL32(00000000,?,0048FD09,?,?,00490710,?), ref: 0040A29B

Part of subcall function 00480F70: GetForegroundWindow.USER32 ref: 00480F8F
Part of subcall function 00480F70: GetWindowTextLengthA.USER32(00000000), ref: 00480F9B
Part of subcall function 00480F70: GetWindowTextA.USER32(00000000,00000000,00000001), ref: 00480FB8

Strings

dclogs\, xrefs: 00481F26, 00481F4C, 00481F6E
3 H, xrefs: 00481F16, 00481F23, 00481F30

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047EAEC, Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 149 Total matches: 19windowthread

Similarity

Total matches: 19
API ID: CreateThreadDispatchMessageGetMessageTranslateMessage
String ID: at $,xI$AI$AI$MPI$OFFLINEK$PWD$Unknow
API String ID: 994098336-2744674293
Opcode ID: 9eba81f8e67a9dabaeb5076a6d0005a8d272465a03f2cd78ec5fdf0e8a578f9a
Instruction ID: 2241c7d72abfc068c3e0d2a9a226d44f5f768712d3663902469fbf0e50918cf5
Opcode Fuzzy Hash: E81159DA27FED40AF533B93074417C781661B2B62CE5C53A24E3B38580DE83406A7F06
Instruction Fuzzy Hash: 2241c7d72abfc068c3e0d2a9a226d44f5f768712d3663902469fbf0e50918cf5

APIs

CreateThread.KERNEL32(00000000,00000000,00482028,00000000,00000000,00499F94), ref: 0047EB8D
GetMessageA.USER32(00499F5C,00000000,00000000,00000000), ref: 0047ECBF

Part of subcall function 0040BC98: GetLocalTime.KERNEL32(?), ref: 0040BCA0

Part of subcall function 0040BCC4: GetLocalTime.KERNEL32(?), ref: 0040BCCC

Part of subcall function 0041FA34: GetLastError.KERNEL32(00486514,00000004,0048650C,00000000,0041FADE,?,00499F5C), ref: 0041FA94

Part of subcall function 0041FC40: SetThreadPriority.KERNEL32(?,015CDB28,00499F5C,?,0047EC9E,?,?,?,00000000,00000000,?,0049062B), ref: 0041FC55

Part of subcall function 0041FEF0: ResumeThread.KERNEL32(?,00499F5C,?,0047ECAA,?,?,?,00000000,00000000,?,0049062B), ref: 0041FEF8

TranslateMessage.USER32(00499F5C), ref: 0047ECAD
DispatchMessageA.USER32(00499F5C), ref: 0047ECB3

Strings

OFFLINEK, xrefs: 0047EB61
,xI, xrefs: 0047EC45
AI, xrefs: 0047EB11, 0047EB3E
at , xrefs: 0047EC58
Unknow, xrefs: 0047EC0B
AI, xrefs: 0047EBFA, 0047EC04, 0047EC60
MPI, xrefs: 0047EB9D
PWD, xrefs: 0047EB26

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004458CC, Relevance: 19.9, APIs: 13, Instructions: 386 Total matches: 159window

Similarity

Total matches: 159
API ID: SetFocus$GetFocusIsWindowEnabledPostMessage$GetLastActivePopupIsWindowVisibleSendMessage
String ID:
API String ID: 914620548-0
Opcode ID: 7a550bb8e8bdfffe0a3d884064dd1348bcd58c670023c5df15e5d4cbc78359b7
Instruction ID: ae7cdb1027d949e36366800a998b34cbf022b374fa511ef6be9943eb0d4292bd
Opcode Fuzzy Hash: 79518B4165DF6212E8BB908076A3BE6604BF7C6B9ECC8DF3411D53649B3F44620EE306
Instruction Fuzzy Hash: ae7cdb1027d949e36366800a998b34cbf022b374fa511ef6be9943eb0d4292bd

APIs

Part of subcall function 00445780: SetThreadLocale.KERNEL32(00000400,?,?,?,0044593F,00000000,00445F57), ref: 004457A3

Part of subcall function 00445F90: SetActiveWindow.USER32(?), ref: 00445FB5
Part of subcall function 00445F90: IsWindowEnabled.USER32(00000000), ref: 00445FE1
Part of subcall function 00445F90: SetWindowPos.USER32(?,00000000,00000000,00000000,?,00000000,00000040), ref: 0044602B
Part of subcall function 00445F90: DefWindowProcA.USER32(?,00000112,0000F020,00000000), ref: 00446040

Part of subcall function 00446070: SetActiveWindow.USER32(?), ref: 0044608F
Part of subcall function 00446070: ShowWindow.USER32(00000000,00000009), ref: 004460B4
Part of subcall function 00446070: IsWindowEnabled.USER32(00000000), ref: 004460D3
Part of subcall function 00446070: DefWindowProcA.USER32(?,00000112,0000F120,00000000), ref: 004460EC
Part of subcall function 00446070: SetWindowPos.USER32(?,00000000,00000000,?,?,00445ABE,00000000), ref: 00446132
Part of subcall function 00446070: SetFocus.USER32(00000000), ref: 00446180

Part of subcall function 00445F74: LoadIconA.USER32(00000000,00007F00), ref: 00445F8A

PostMessageA.USER32(?,0000B001,00000000,00000000), ref: 00445BCD

Part of subcall function 00445490: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000213), ref: 004454DE

PostMessageA.USER32(?,0000B000,00000000,00000000), ref: 00445BAB
SendMessageA.USER32(?,?,?,?), ref: 00445C73

Part of subcall function 00405388: FreeLibrary.KERNEL32(00400000,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405410
Part of subcall function 00405388: ExitProcess.KERNEL32(00000000,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405448

Part of subcall function 0044641C: IsWindowEnabled.USER32(00000000), ref: 00446458

IsWindowEnabled.USER32(00000000), ref: 00445D18
IsWindowVisible.USER32(00000000), ref: 00445D2D
GetFocus.USER32 ref: 00445D41
SetFocus.USER32(00000000), ref: 00445D50
SetFocus.USER32(00000000), ref: 00445D6F
IsWindowEnabled.USER32(00000000), ref: 00445DD0
SetFocus.USER32(00000000), ref: 00445DF2
GetLastActivePopup.USER32(?), ref: 00445E0A

Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773

GetFocus.USER32 ref: 00445E4F

Part of subcall function 0043BA80: GetCurrentThreadId.KERNEL32(Function_0003BA1C,00000000,0044283C,00000000,004428BF), ref: 0043BA9A
Part of subcall function 0043BA80: EnumThreadWindows.USER32(00000000,Function_0003BA1C,00000000), ref: 0043BAA0

SetFocus.USER32(00000000), ref: 00445E70

Part of subcall function 00446A88: PostMessageA.USER32(?,0000B01F,00000000,00000000), ref: 00446BA1

Part of subcall function 004466B8: SendMessageA.USER32(?,0000B020,00000001,?), ref: 004466DC

Part of subcall function 0044665C: SendMessageA.USER32(?,0000B020,00000000,?), ref: 0044667E

Part of subcall function 0045D684: SystemParametersInfoA.USER32(00000068,00000000,015E3408,00000000), ref: 0045D6C8
Part of subcall function 0045D684: SendMessageA.USER32(?,?,00000000,00000000), ref: 0045D6DB

Part of subcall function 00445844: DefWindowProcA.USER32(?,?,?,?), ref: 0044586E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004450B4, Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 131 Total matches: 14windowregistry

Similarity

Total matches: 14
API ID: DeleteMenu$GetClassInfoGetSystemMenuRegisterClassSendMessageSetClassLongSetWindowLong
String ID: LPI$PMD
API String ID: 387369179-807424164
Opcode ID: 32fce7ee3e6ac0926511ec3e4f7c98ab685e9b31e2d706daccbfdcda0f6d1d6b
Instruction ID: d56ce0e432135cd6d309e63aa69e29fd16821da0556a9908f65c39b580e9a6e9
Opcode Fuzzy Hash: 5601A6826E8982A2E2E03082381279F408E9F8B745C34A72E50863056EEF4A4178FF06
Instruction Fuzzy Hash: d56ce0e432135cd6d309e63aa69e29fd16821da0556a9908f65c39b580e9a6e9

APIs

Part of subcall function 00421084: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 004210A2

GetClassInfoA.USER32(00400000,00444D50,?), ref: 00445113
RegisterClassA.USER32(004925FC), ref: 0044512B

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

Part of subcall function 0040857C: CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004085BB

SetWindowLongA.USER32(?,000000FC,?), ref: 004451C2
DeleteMenu.USER32(00000000,0000F010,00000000), ref: 00445235

Part of subcall function 00445F74: LoadIconA.USER32(00000000,00007F00), ref: 00445F8A

SendMessageA.USER32(?,00000080,00000001,00000000), ref: 004451E4
SetClassLongA.USER32(?,000000F2,00000000), ref: 004451F7
GetSystemMenu.USER32(?,00000000), ref: 00445202
DeleteMenu.USER32(00000000,0000F030,00000000), ref: 00445211
DeleteMenu.USER32(00000000,0000F000,00000000), ref: 0044521E

Strings

PMD, xrefs: 00445107, 0044519E
LPI, xrefs: 004450DD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045DAE0, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 103 Total matches: 45registrylibraryloader

Similarity

Total matches: 45
API ID: GlobalAddAtom$GetCurrentProcessIdGetCurrentThreadIdGetModuleHandleGetProcAddressRegisterWindowMessage
String ID: AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$USER32
API String ID: 1182141063-1126952177
Opcode ID: f8c647dae10644b7e730f5649d963eb01b1b77fd7d0b633dfddc8baab0ae74fb
Instruction ID: 6dc9b78338348dc7afd8e3f20dad2926db9f0bd5be2625dc934bf3846c6fa984
Opcode Fuzzy Hash: ED0140552F89B147427255E03449BB534B6A707F4B4CA77531B0D3A1F9AE074025FB1E
Instruction Fuzzy Hash: 6dc9b78338348dc7afd8e3f20dad2926db9f0bd5be2625dc934bf3846c6fa984

APIs

GetCurrentProcessId.KERNEL32(?,00000000,0045DC58), ref: 0045DB01
GlobalAddAtomA.KERNEL32(00000000), ref: 0045DB34
GetCurrentThreadId.KERNEL32(?,?,00000000,0045DC58), ref: 0045DB4F
GlobalAddAtomA.KERNEL32(00000000), ref: 0045DB85
RegisterWindowMessageA.USER32(00000000,00000000,?,?,00000000,0045DC58), ref: 0045DB9B

Part of subcall function 00419AB0: InitializeCriticalSection.KERNEL32(004174C8,?,?,0045DBB1,00000000,00000000,?,?,00000000,0045DC58), ref: 00419ACF

Part of subcall function 0045D6E8: SetErrorMode.KERNEL32(00008000), ref: 0045D701
Part of subcall function 0045D6E8: GetModuleHandleA.KERNEL32(USER32,00000000,0045D84E,?,00008000), ref: 0045D725
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,WINNLSEnableIME,USER32,00000000,0045D84E,?,00008000), ref: 0045D732
Part of subcall function 0045D6E8: LoadLibraryA.KERNEL32(imm32.dll), ref: 0045D74E
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D770
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D785
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D79A
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7AF
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7C4
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E), ref: 0045D7D9
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000), ref: 0045D7EE
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext), ref: 0045D803
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext), ref: 0045D818
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmNotifyIME,00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus), ref: 0045D82D
Part of subcall function 0045D6E8: SetErrorMode.KERNEL32(?,0045D855,00008000), ref: 0045D848

Part of subcall function 00443B58: GetKeyboardLayout.USER32(00000000), ref: 00443B9D
Part of subcall function 00443B58: GetDC.USER32(00000000), ref: 00443BF2
Part of subcall function 00443B58: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00443BFC
Part of subcall function 00443B58: ReleaseDC.USER32(00000000,00000000), ref: 00443C07

Part of subcall function 00444D60: LoadIconA.USER32(00400000,MAINICON), ref: 00444E57
Part of subcall function 00444D60: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON), ref: 00444E89
Part of subcall function 00444D60: OemToCharA.USER32(?,?), ref: 00444E9C
Part of subcall function 00444D60: CharNextA.USER32(?), ref: 00444EDB
Part of subcall function 00444D60: CharLowerA.USER32(00000000), ref: 00444EE1

GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,?,00000000,0045DC58), ref: 0045DC1F
GetProcAddress.KERNEL32(00000000,AnimateWindow,USER32,00000000,00000000,?,?,00000000,0045DC58), ref: 0045DC30

Strings

Delphi%.8X, xrefs: 0045DB12
ControlOfs%.8X%.8X, xrefs: 0045DB63
AnimateWindow, xrefs: 0045DC2A
USER32, xrefs: 0045DC1A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444D60, Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 135 Total matches: 14window

Similarity

Total matches: 14
API ID: CharLowerCharNextGetModuleFileNameLoadIconOemToChar
String ID: 08B$0PI$8PI$MAINICON$\tA
API String ID: 1282013903-4242882941
Opcode ID: ff2b085099440c5ca1f97a8a9a6e2422089f81c1f58cd04fd4e646ad6fccc634
Instruction ID: 1a7e1b5cc773515fc1e1ce3387cb9199d5a608ac43a7cc09dd1af1e5a3a2e712
Opcode Fuzzy Hash: 76112C42068596E4E03967743814BC96091FB95F3AEB8AB7156F570BE48F418125F31C
Instruction Fuzzy Hash: 1a7e1b5cc773515fc1e1ce3387cb9199d5a608ac43a7cc09dd1af1e5a3a2e712

APIs

LoadIconA.USER32(00400000,MAINICON), ref: 00444E57

Part of subcall function 0042B29C: GetIconInfo.USER32(?,?), ref: 0042B2BD
Part of subcall function 0042B29C: GetObjectA.GDI32(?,00000018,?), ref: 0042B2DE
Part of subcall function 0042B29C: DeleteObject.GDI32(?), ref: 0042B30A
Part of subcall function 0042B29C: DeleteObject.GDI32(?), ref: 0042B313

GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON), ref: 00444E89
OemToCharA.USER32(?,?), ref: 00444E9C
CharNextA.USER32(?), ref: 00444EDB
CharLowerA.USER32(00000000), ref: 00444EE1

Part of subcall function 00421140: GetClassInfoA.USER32(00400000,00421130,?), ref: 00421161
Part of subcall function 00421140: UnregisterClassA.USER32(00421130,00400000), ref: 0042118A
Part of subcall function 00421140: RegisterClassA.USER32(00491B50), ref: 00421194
Part of subcall function 00421140: SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 004211DF

Part of subcall function 004450B4: GetClassInfoA.USER32(00400000,00444D50,?), ref: 00445113
Part of subcall function 004450B4: RegisterClassA.USER32(004925FC), ref: 0044512B
Part of subcall function 004450B4: SetWindowLongA.USER32(?,000000FC,?), ref: 004451C2
Part of subcall function 004450B4: SendMessageA.USER32(?,00000080,00000001,00000000), ref: 004451E4
Part of subcall function 004450B4: SetClassLongA.USER32(?,000000F2,00000000), ref: 004451F7
Part of subcall function 004450B4: GetSystemMenu.USER32(?,00000000), ref: 00445202
Part of subcall function 004450B4: DeleteMenu.USER32(00000000,0000F030,00000000), ref: 00445211
Part of subcall function 004450B4: DeleteMenu.USER32(00000000,0000F000,00000000), ref: 0044521E
Part of subcall function 004450B4: DeleteMenu.USER32(00000000,0000F010,00000000), ref: 00445235

Strings

MAINICON, xrefs: 00444E4A
08B, xrefs: 00444E38
0PI, xrefs: 00444E4F, 00444E81
8PI, xrefs: 00444F14
\tA, xrefs: 00444DBF, 00444DD1, 00444DE3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00481318, Relevance: 16.0, APIs: 2, Strings: 7, Instructions: 241 Total matches: 16thread

Similarity

Total matches: 16
API ID: CreateThreadExitThread
String ID: Bytes ($,xI$:: $:: Clipboard Change : size = $FTPSIZE$FTPUPLOADK$dclogs\
API String ID: 3550501405-4171340091
Opcode ID: 09ac825b311b0dae764bb850de313dcff2ce8638679eaf641d47129c8347c1b6
Instruction ID: 18a29a8180aa3c51a0af157095e3a2943ba53103427a66675ab0ae847ae08d92
Opcode Fuzzy Hash: A8315BC70B99DEDBE522BCD838413A6446E1B4364DD4C1B224B397D4F14F09203AF712
Instruction Fuzzy Hash: 18a29a8180aa3c51a0af157095e3a2943ba53103427a66675ab0ae847ae08d92

APIs

ExitThread.KERNEL32(00000000,00000000,00481687,?,00000000,004816C3,?,?,?,?,0000000C,00000000,00000000), ref: 0048135E

Part of subcall function 00480F70: GetForegroundWindow.USER32 ref: 00480F8F
Part of subcall function 00480F70: GetWindowTextLengthA.USER32(00000000), ref: 00480F9B
Part of subcall function 00480F70: GetWindowTextA.USER32(00000000,00000000,00000001), ref: 00480FB8

Part of subcall function 0048ADCC: SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0048ADF9
Part of subcall function 0048ADCC: SHGetPathFromIDListA.SHELL32(?,?,00000000,0048AE8C,?,?,00000005,?,004856FD,00000000,00485755,?,?,00000005,00000000,00000000), ref: 0048AE09

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

Part of subcall function 0040BCC4: GetLocalTime.KERNEL32(?), ref: 0040BCCC

Part of subcall function 00480FEC: FindFirstFileA.KERNEL32(00000000,?,00000000,0048109E), ref: 0048101E

CreateThread.KERNEL32(00000000,00000000,Function_000810D4,00000000,00000000,00499F94), ref: 0048162D

Strings

FTPUPLOADK, xrefs: 0048159E
,xI, xrefs: 00481482, 0048151D
dclogs\, xrefs: 004813DB, 0048142A, 004815C7
FTPSIZE, xrefs: 004815F1
:: , xrefs: 00481492
Bytes (, xrefs: 0048153F
:: Clipboard Change : size = , xrefs: 0048152D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040EBCC, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201 Total matches: 3634thread

Similarity

Total matches: 3634
API ID: GetThreadLocale
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 1366207816-2493093252
Opcode ID: 01a36ac411dc2f0c4b9eddfafa1dc6121dabec367388c2cb1b6e664117e908cf
Instruction ID: d03f869ccb848d3c28b0e9f5c57a02ed4726818649ba9b5e70cc30c7e7abe10a
Opcode Fuzzy Hash: 7E216E09A7888936D262494C3885B9414F75F1A161EC4CBF18BB2757ED6EC60422FBFB
Instruction Fuzzy Hash: d03f869ccb848d3c28b0e9f5c57a02ed4726818649ba9b5e70cc30c7e7abe10a

APIs

Part of subcall function 0040EB08: GetThreadLocale.KERNEL32 ref: 0040EB2A
Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000004A), ref: 0040EB7D
Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000002A), ref: 0040EB8C

Part of subcall function 0040D3E8: GetThreadLocale.KERNEL32(00000000,0040D4FB,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040D404

GetThreadLocale.KERNEL32(00000000,0040EE97,?,?,00000000,00000000), ref: 0040EC02

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Part of subcall function 0040D380: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040EC7E,00000000,0040EE97,?,?,00000000,00000000), ref: 0040D393

Part of subcall function 0040D670: GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(?,00000000,0040D657,?,?,00000000), ref: 0040D5D8
Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040D657,?,?,00000000), ref: 0040D608
Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D50C,00000000,00000000,00000004), ref: 0040D613
Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040D657,?,?,00000000), ref: 0040D631
Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D548,00000000,00000000,00000003), ref: 0040D63C

Strings

AMPM , xrefs: 0040EE25
mmmm d, yyyy, xrefs: 0040ECFE
m/d/yy, xrefs: 0040ECD1
:mm, xrefs: 0040EE35
:mm:ss, xrefs: 0040EE52
AMPM, xrefs: 0040EE16

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045F5F8, Relevance: 10.6, APIs: 7, Instructions: 117 Total matches: 462file

Similarity

Total matches: 462
API ID: CloseHandle$CreateFileCreateFileMappingGetFileSizeMapViewOfFileUnmapViewOfFile
String ID:
API String ID: 4232242029-0
Opcode ID: 30b260463d44c6b5450ee73c488d4c98762007a87f67d167b52aaf6bd441c3bf
Instruction ID: 5c790fdba87d6d3a28b45298bdc34f72c373fcd78425af207109af52e92f4d8f
Opcode Fuzzy Hash: 68F028440BCCF3A7F4B5B64820427A1004AAB46B58D54BFA25495374CB89C9B04DFB53
Instruction Fuzzy Hash: 5c790fdba87d6d3a28b45298bdc34f72c373fcd78425af207109af52e92f4d8f

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateFileA.KERNEL32(00000000,80000000,00000003,00000000,00000003,08000080,00000000), ref: 0045F637
CreateFileMappingA.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0045F665
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718,?,?,?,?), ref: 0045F691
GetFileSize.KERNEL32(000000FF,00000000,00000000,0045F6DC,?,00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718), ref: 0045F6B3
UnmapViewOfFile.KERNEL32(00000000,0045F6E3,0045F6DC,?,00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718), ref: 0045F6D6
CloseHandle.KERNEL32(00000000), ref: 0045F6F4
CloseHandle.KERNEL32(000000FF), ref: 0045F712

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AFE8, Relevance: 10.6, APIs: 7, Instructions: 94 Total matches: 34sleep

Similarity

Total matches: 34
API ID: Sleep$GetCurrentProcessGetTokenInformationLookupPrivilegeDisplayNameLookupPrivilegeNameOpenProcessToken
String ID:
API String ID: 2949210484-0
Opcode ID: 1294ace95088db967643d611283e857756515b83d680ef470e886f47612abab4
Instruction ID: 080af5cb768fd98714a9d060fcd45c73de1816ca9ba7ffb4874f351f539571ee
Opcode Fuzzy Hash: F9F0F6524B5DE753F65D2A4C9893BE90250DB03424E806B22857877A8A5E195039FA2A
Instruction Fuzzy Hash: 080af5cb768fd98714a9d060fcd45c73de1816ca9ba7ffb4874f351f539571ee

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048B0F3), ref: 0048B016
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048B0F3), ref: 0048B01C
Sleep.KERNEL32(00000001,00000000,00000028,?,00000000,0048B0F3), ref: 0048B027
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B03C
Sleep.KERNEL32(00000001,?,TokenIntegrityLevel,00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B047
LookupPrivilegeNameA.ADVAPI32(00000000,00000004,00000000,000000FF), ref: 0048B094
LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,?,000000FF,?), ref: 0048B0A8

Part of subcall function 0048AEA8: GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AEFF
Part of subcall function 0048AEA8: OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF05
Part of subcall function 0048AEA8: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
Part of subcall function 0048AEA8: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000), ref: 0048AF77
Part of subcall function 0048AEA8: CloseHandle.KERNEL32(?), ref: 0048AF8D
Part of subcall function 0048AEA8: GetLastError.KERNEL32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF9A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048F888, Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 110 Total matches: 18

Similarity

Total matches: 18
API ID: CoInitialize
String ID: .dcp$DCDATA$GENCODE$MPI$NETDATA
API String ID: 2346599605-3060965071
Opcode ID: 5b2698c0d83cdaee763fcf6fdf8d4463e192853437356cece5346bd183c87f4d
Instruction ID: bf1364519f653df7cd18a9a38ec8bfca38719d83700d8c9dcdc44dde4d16a583
Opcode Fuzzy Hash: 990190478FEEC01AF2139D64387B7C100994F53F55E840B9B557D3E5A08947502BB705
Instruction Fuzzy Hash: bf1364519f653df7cd18a9a38ec8bfca38719d83700d8c9dcdc44dde4d16a583

APIs

Part of subcall function 004076D4: GetModuleHandleA.KERNEL32(00000000,?,0048F8A5,?,?,?,0000002F,00000000,00000000), ref: 004076E0

CoInitialize.OLE32(00000000), ref: 0048F8B5

Part of subcall function 0048AFE8: GetCurrentProcess.KERNEL32(00000028,?,00000000,0048B0F3), ref: 0048B016
Part of subcall function 0048AFE8: OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048B0F3), ref: 0048B01C
Part of subcall function 0048AFE8: Sleep.KERNEL32(00000001,00000000,00000028,?,00000000,0048B0F3), ref: 0048B027
Part of subcall function 0048AFE8: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B03C
Part of subcall function 0048AFE8: Sleep.KERNEL32(00000001,?,TokenIntegrityLevel,00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B047
Part of subcall function 0048AFE8: LookupPrivilegeNameA.ADVAPI32(00000000,00000004,00000000,000000FF), ref: 0048B094
Part of subcall function 0048AFE8: LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,?,000000FF,?), ref: 0048B0A8

Part of subcall function 0040F234: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0048F90F,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040F24B

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

Strings

.dcp, xrefs: 0048F92D, 0048F989
DCDATA, xrefs: 0048F8E9
NETDATA, xrefs: 0048F9B6
MPI, xrefs: 0048F8BA
GENCODE, xrefs: 0048F920, 0048F97C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B47C, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58 Total matches: 283

Similarity

Total matches: 283
API ID: MulDiv
String ID: MS Shell Dlg 2$SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes$Tahoma
API String ID: 940359406-1011973972
Opcode ID: 9f338f1e3de2c8e95426f3758bdd42744a67dcd51be80453ed6f2017c850a3af
Instruction ID: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a
Opcode Fuzzy Hash: EDE0680017C8F0ABFC32BC8A30A17CD20C9F341270C0063B1065D3D8CAAB4AC018E907
Instruction Fuzzy Hash: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a

APIs

MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0042B4A2

Part of subcall function 004217A0: RegCloseKey.ADVAPI32(10940000,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5,?,00000000,0048B2DD), ref: 004217B4

Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421A81
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421AF1
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?), ref: 00421B5C

Part of subcall function 00421770: RegFlushKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 00421781
Part of subcall function 00421770: RegCloseKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 0042178A

Part of subcall function 0042B438: GetDC.USER32(00000000), ref: 0042B441
Part of subcall function 0042B438: SelectObject.GDI32(00000000,018A002E), ref: 0042B453
Part of subcall function 0042B438: GetTextMetricsA.GDI32(00000000), ref: 0042B45E
Part of subcall function 0042B438: ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes, xrefs: 0042B4F8
MS Shell Dlg 2, xrefs: 0042B50C
Tahoma, xrefs: 0042B4C4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00480F70, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43 Total matches: 13

Similarity

Total matches: 13
API ID: GetForegroundWindowGetWindowTextGetWindowTextLength
String ID: 3 H
API String ID: 3098183346-888106971
Opcode ID: 38df64794ac19d1a41c58ddb3103a8d6ab7d810f67298610b47d21a238081d5e
Instruction ID: fd1deb06fecc2756381cd848e34cdb6bc2d530e728f99936ce181bacb4a15fce
Opcode Fuzzy Hash: 41D0A785074A821B944A95CC64011E692D4A171281D803B31CB257A5C9ED06001FA82B
Instruction Fuzzy Hash: fd1deb06fecc2756381cd848e34cdb6bc2d530e728f99936ce181bacb4a15fce

APIs

GetForegroundWindow.USER32 ref: 00480F8F
GetWindowTextLengthA.USER32(00000000), ref: 00480F9B
GetWindowTextA.USER32(00000000,00000000,00000001), ref: 00480FB8

Strings

3 H, xrefs: 00480FD4, 00480FA3, 00480FAE, 00480FBF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00421140, Relevance: 6.1, APIs: 4, Instructions: 59 Total matches: 2877registry

Similarity

Total matches: 2877
API ID: GetClassInfoRegisterClassSetWindowLongUnregisterClass
String ID:
API String ID: 1046148194-0
Opcode ID: c2411987b4f71cfd8dbf515c505d6b009a951c89100e7b51cc1a9ad4868d85a2
Instruction ID: ad09bb2cd35af243c34bf0a983bbfa5e937b059beb8f7eacfcf21e0321a204f6
Opcode Fuzzy Hash: 17E026123D08D3D6E68B3107302B30D00AC1B2F524D94E725428030310CB24B034D942
Instruction Fuzzy Hash: ad09bb2cd35af243c34bf0a983bbfa5e937b059beb8f7eacfcf21e0321a204f6

APIs

GetClassInfoA.USER32(00400000,00421130,?), ref: 00421161
UnregisterClassA.USER32(00421130,00400000), ref: 0042118A
RegisterClassA.USER32(00491B50), ref: 00421194

Part of subcall function 0040857C: CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004085BB

Part of subcall function 00421084: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 004210A2

SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 004211DF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486374, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66 Total matches: 15network

Similarity

Total matches: 15
API ID: send
String ID: #KEEPALIVE#$AI
API String ID: 2809346765-3407633610
Opcode ID: 7bd268bc54a74c8d262fb2d4f92eedc3231c4863c0e0b1ad2c3d318767d32110
Instruction ID: 49a0c3b4463e99ba8d4a2c6ba6a42864ce88c18c059a57f1afd8745127692009
Opcode Fuzzy Hash: 34E068800B79C40B586BB094394371320D2EE1171988473305F003F967CD40501E2E93
Instruction Fuzzy Hash: 49a0c3b4463e99ba8d4a2c6ba6a42864ce88c18c059a57f1afd8745127692009

APIs

send.WSOCK32(?,?,?,00000000,00000000,0048642A), ref: 004863F3

Strings

AI, xrefs: 004863A6
#KEEPALIVE#, xrefs: 00486399

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C91C, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 75 Total matches: 20

Similarity

Total matches: 20
API ID: GetVolumeInformation
String ID: %.4x:%.4x
API String ID: 1114431059-3532927987
Opcode ID: 208ca3ebf28c5cea15b573a569a7b8c9d147c1ff64dfac4d15af7b461a718bc8
Instruction ID: 4ae5e3aba91ec141201c4859cc19818ff8a02ee484ece83311eb3b9305c11bcf
Opcode Fuzzy Hash: F8E0E5410AC961EBB4D3F0883543BA2319593A3289C807B73B7467FDD64F05505DD847
Instruction Fuzzy Hash: 4ae5e3aba91ec141201c4859cc19818ff8a02ee484ece83311eb3b9305c11bcf

APIs

GetVolumeInformationA.KERNEL32(00000000,00000000,00000104,?,?,?,00000000,00000104), ref: 0048C974

Strings

%.4x:%.4x, xrefs: 0048C9B9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004221F0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47 Total matches: 18registry

Similarity

Total matches: 18
API ID: RegQueryValueEx
String ID: ldA
API String ID: 3865029661-3200660723
Opcode ID: ec304090a766059ca8447c7e950ba422bbcd8eaba57a730efadba48c404323b5
Instruction ID: 1bfdbd06430122471a07604155f074e1564294130eb9d59a974828bfc3ff2ca5
Opcode Fuzzy Hash: 87D05E281E48858525DA74D93101B522241E7193938CC3F618A4C976EB6900F018EE0F
Instruction Fuzzy Hash: 1bfdbd06430122471a07604155f074e1564294130eb9d59a974828bfc3ff2ca5

APIs

RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000), ref: 0042221B

Strings

ldA, xrefs: 00422231

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00421F68, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36 Total matches: 12registry

Similarity

Total matches: 12
API ID: RegQueryValueEx
String ID: n"B
API String ID: 3865029661-2187876772
Opcode ID: 26fd4214dafc6fead50bf7e0389a84ae86561299910b3c40f1938d96c80dcc37
Instruction ID: ad829994a2409f232093606efc953ae9cd3a3a4e40ce86781ec441e637d7f613
Opcode Fuzzy Hash: A2C08C4DAA204AD6E1B42500D481F0827816B633B9D826F400162222E3BA009A9FE85C
Instruction Fuzzy Hash: ad829994a2409f232093606efc953ae9cd3a3a4e40ce86781ec441e637d7f613

APIs

RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,00000000,n"B,?,?,?,?,00000000,0042226E), ref: 00421F9A

Strings

n"B, xrefs: 00421F81, 00421F84

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Similar Non-Executed Functions

Function 0047FA8C, Relevance: 44.0, APIs: 24, Strings: 1, Instructions: 241 Total matches: 15networkwindow

Similarity

Total matches: 15
API ID: GetDeviceCaps$recv$DeleteObjectSelectObject$BitBltCreateCompatibleBitmapCreateCompatibleDCGetDCReleaseDCclosesocketconnectgethostbynameinet_addrntohssendshutdownsocket
String ID: THUMB
API String ID: 1930283203-3798143851
Opcode ID: 678904e15847db7bac48336b7cf5e320d4a41031a0bc1ba33978a791cdb2d37c
Instruction ID: a6e5d2826a1bfadec34d698d0b396fa74616cd31ac2933a690057ec4ea65ec21
Opcode Fuzzy Hash: A331F900078DE76BF6722B402983F571157FF42A21E6997A34BB4676C75FC0640EB60B
Instruction Fuzzy Hash: a6e5d2826a1bfadec34d698d0b396fa74616cd31ac2933a690057ec4ea65ec21

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,0047FD80), ref: 0047FACB
ntohs.WSOCK32(00000774), ref: 0047FAEF
inet_addr.WSOCK32(015EAA88,00000774), ref: 0047FB03
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 0047FB1B
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 0047FB42
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047FB59

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047FBA9
GetDC.USER32(00000000), ref: 0047FBE3
CreateCompatibleDC.GDI32(?), ref: 0047FBEF
GetDeviceCaps.GDI32(?,0000000A), ref: 0047FBFD
GetDeviceCaps.GDI32(?,00000008), ref: 0047FC09
CreateCompatibleBitmap.GDI32(?,00000000,?), ref: 0047FC13
SelectObject.GDI32(?,?), ref: 0047FC23
GetDeviceCaps.GDI32(?,0000000A), ref: 0047FC3E
GetDeviceCaps.GDI32(?,00000008), ref: 0047FC4A
BitBlt.GDI32(?,00000000,00000000,00000000,?,00000008,00000000,?,0000000A), ref: 0047FC58
send.WSOCK32(000000FF,?,00000000,00000000,?,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010), ref: 0047FCCD
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00000000,00000000,?,000000FF,?,00002000,00000000,000000FF,?,00002000), ref: 0047FCE4
SelectObject.GDI32(?,?), ref: 0047FD08
DeleteObject.GDI32(?), ref: 0047FD11
DeleteObject.GDI32(?), ref: 0047FD1A
ReleaseDC.USER32(00000000,?), ref: 0047FD25
shutdown.WSOCK32(000000FF,00000002,00000002,00000001,00000000,00000000,0047FD80), ref: 0047FD54
closesocket.WSOCK32(000000FF,000000FF,00000002,00000002,00000001,00000000,00000000,0047FD80), ref: 0047FD5D

Strings

THUMB, xrefs: 0047FB7F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004801FC, Relevance: 35.3, APIs: 15, Strings: 5, Instructions: 286 Total matches: 15network

Similarity

Total matches: 15
API ID: recv$closesocketconnectgethostbynameinet_addrntohssendshutdownsocket
String ID: [.dll]$[.dll]$[.dll]$[.dll]$[.dll]
API String ID: 2256622448-126193538
Opcode ID: edfb90c8b4475b2781d0696b1145c1d1b84b866ec8cac18c23b2313044de0fe7
Instruction ID: 2d95426e1e6ee9a744b3e863ef1b8a7e344b36da7f7d1abd741f771f4a8a1459
Opcode Fuzzy Hash: FB414B0217AAD36BE0726F413943B8B00A2AF03E15D9C97E247B5267D69FA0501DB21A
Instruction Fuzzy Hash: 2d95426e1e6ee9a744b3e863ef1b8a7e344b36da7f7d1abd741f771f4a8a1459

APIs

socket.WSOCK32(00000002,00000001,00000000), ref: 00480264
ntohs.WSOCK32(00000774), ref: 00480288
inet_addr.WSOCK32(015EAA88,00000774), ref: 0048029C
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 004802B4
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 004802DB
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004802F2
closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004805DE

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,?,0048064C,?,00000000,?,FILETRANSFER,000000FF,?,00002000,00000000,000000FF,00000002), ref: 0048036A
recv.WSOCK32(000000FF,?,00002000,00000000,?,00000000,?,0048064C,?,FILEBOF,?,FILETRANSFER,000000FF,?,00002000,00000000), ref: 00480401

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,00000000,?,0048064C,?,FILEBOF,?,FILETRANSFER), ref: 00480451
send.WSOCK32(000000FF,?,00000000,00000000,00000000,00480523,?,000000FF,?,00002000,00000000,?,00000000,?,0048064C,?), ref: 004804DB
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00000000,00000000,00000000,00480523,?,000000FF,?,00002000,00000000,?), ref: 004804F5
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,00000000,?,0048064C,?,FILEBOF,?,FILETRANSFER), ref: 00480583

Part of subcall function 00475F68: send.WSOCK32(?,00000000,?,00000000,00000000,00475FCA), ref: 00475FAF

recv.WSOCK32(000000FF,?,00002000,00000000,?,FILETRANSFER,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004805B6
shutdown.WSOCK32(000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004805D5

Strings

FILEERR, xrefs: 00480432
FILEEOF, xrefs: 00480564
FILEBOF, xrefs: 004803A6
FILEEND, xrefs: 00480597
FILETRANSFER, xrefs: 004802FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00480880, Relevance: 30.0, APIs: 12, Strings: 5, Instructions: 276 Total matches: 16network

Similarity

Total matches: 16
API ID: recv$closesocketshutdown$connectgethostbynameinet_addrntohssocket
String ID: [.dll]$[.dll]$[.dll]$[.dll]$[.dll]
API String ID: 2855376909-126193538
Opcode ID: ce8af9afc4fc20da17b49cda6627b8ca93217772cb051443fc0079949da9fcb3
Instruction ID: 6552a3c7cc817bd0bf0621291c8240d3f07fdfb759ea8c029e05bf9a4febe696
Opcode Fuzzy Hash: A5414C032767977AE1612F402881B952571BF03769DC8C7D257F6746EA5F60240EF31E
Instruction Fuzzy Hash: 6552a3c7cc817bd0bf0621291c8240d3f07fdfb759ea8c029e05bf9a4febe696

APIs

socket.WSOCK32(00000002,00000001,00000000,?,?,?,?,?,?,?,?,?,00000000,00480C86), ref: 004808B5
ntohs.WSOCK32(00000774), ref: 004808D9
inet_addr.WSOCK32(015EAA88,00000774), ref: 004808ED
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 00480905
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 0048092C
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480943
closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480C2F

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480993
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88), ref: 004809C8
shutdown.WSOCK32(000000FF,00000002,?,?,?,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000), ref: 00480B80
closesocket.WSOCK32(000000FF,000000FF,00000002,?,?,?,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?), ref: 00480B89

Part of subcall function 00480860: send.WSOCK32(?,00000000,00000001,00000000), ref: 00480879

shutdown.WSOCK32(000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480C26

Part of subcall function 00405D40: SysFreeString.OLEAUT32(?), ref: 00405D53

Strings

FILEERR, xrefs: 00480BB6
FILEBOF, xrefs: 00480A34
FILEEOF, xrefs: 00480B0B
UPLOADFILE, xrefs: 00480969
FILEEND, xrefs: 00480B6A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047F4E0, Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 295 Total matches: 16network

Similarity

Total matches: 16
API ID: recv$closesocketconnectgethostbynameinet_addrntohsshutdownsocket
String ID: [.dll]$PLUGIN$QUICKUP
API String ID: 3502134677-2029499634
Opcode ID: e0335874fa5fb0619f753044afc16a0783dc895853cb643f68a57d403a54b849
Instruction ID: e53faec40743fc20efac8ebff3967ea6891c829de5991c2041a7f36387638ce7
Opcode Fuzzy Hash: 8E4129031BAAEA76E1723F4029C2B851A62EF12635DC4C7E287F6652D65F60241DF60E
Instruction Fuzzy Hash: e53faec40743fc20efac8ebff3967ea6891c829de5991c2041a7f36387638ce7

APIs

socket.WSOCK32(00000002,00000001,00000000,?,00000000,0047F930,?,?,?,?,00000000,00000000), ref: 0047F543
ntohs.WSOCK32(00000774), ref: 0047F567
inet_addr.WSOCK32(015EAA88,00000774), ref: 0047F57B
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 0047F593
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F5BA
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F5D1
closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F8C2

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,?,0047F968,?,0047F968,?,QUICKUP,000000FF,?,00002000,00000000,000000FF,00000002), ref: 0047F63F
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,0047F968,?,0047F968,?,QUICKUP,000000FF,?), ref: 0047F66F

Part of subcall function 0047F4C0: send.WSOCK32(?,00000000,00000001,00000000), ref: 0047F4D9

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,0047F968,?,0047F968), ref: 0047F859

Part of subcall function 0048ADCC: SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0048ADF9
Part of subcall function 0048ADCC: SHGetPathFromIDListA.SHELL32(?,?,00000000,0048AE8C,?,?,00000005,?,004856FD,00000000,00485755,?,?,00000005,00000000,00000000), ref: 0048AE09

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,0047F968,?,0047F968), ref: 0047F786

Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EEA0
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF11
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EF31
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF60
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0047EF96
Part of subcall function 0047EE3C: SetFileAttributesA.KERNEL32(00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFD6
Part of subcall function 0047EE3C: DeleteFileA.KERNEL32(00000000,00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFFF
Part of subcall function 0047EE3C: CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0047F033
Part of subcall function 0047EE3C: PlaySoundA.WINMM(00000000,00000000,00000001,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047F059
Part of subcall function 0047EE3C: CopyFileA.KERNEL32(00000000,00000000,.dcp), ref: 0047F0D1

shutdown.WSOCK32(000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F8B9

Part of subcall function 00405D40: SysFreeString.OLEAUT32(?), ref: 00405D53

Strings

PLUGIN, xrefs: 0047F527
QUICKUP, xrefs: 0047F5DD
FILEEND, xrefs: 0047F7E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00489244, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 150 Total matches: 15networkthread

Similarity

Total matches: 15
API ID: recv$ExitThreadclosesocketconnectgethostbynameinet_addrntohssendshutdownsocket
String ID: AI$DATAFLUX
API String ID: 272284131-425132630
Opcode ID: 11f7e99e0a7c1cc561ab01f1b1abb0142bfc906553ec9d79ada03e9cf39adde9
Instruction ID: 4d7be339f0e68e68ccf0b59b667884dcbebc6bd1e5886c9405f519ae2503b2a6
Opcode Fuzzy Hash: DA115B4513B9A77BE0626F943842B6265236B02E3CF498B3153B83A3C6DF41146DFA4D
Instruction Fuzzy Hash: 4d7be339f0e68e68ccf0b59b667884dcbebc6bd1e5886c9405f519ae2503b2a6

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00489441), ref: 004892BA
ntohs.WSOCK32(00000774), ref: 004892DC
inet_addr.WSOCK32(015EAA88,00000774), ref: 004892F0
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 00489308
connect.WSOCK32(00000000,00000002,00000010,015EAA88,00000774), ref: 0048932C
recv.WSOCK32(00000000,?,00000400,00000000,00000000,00000002,00000010,015EAA88,00000774), ref: 00489340

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(00000000,?,00000400,00000000,?,0048946C,?,DATAFLUX,00000000,?,00000400,00000000,00000000,00000002,00000010,015EAA88), ref: 00489399
send.WSOCK32(00000000,?,00000000,00000000), ref: 004893E3
recv.WSOCK32(00000000,?,00000400,00000000,00000000,?,00000000,00000000), ref: 004893FA
shutdown.WSOCK32(00000000,00000002,00000002,00000001,00000000,00000000,00489441), ref: 00489409
closesocket.WSOCK32(00000000,00000000,00000002,00000002,00000001,00000000,00000000,00489441), ref: 0048940F
ExitThread.KERNEL32(00000000,00000000,00000000,00000002,00000002,00000001,00000000,00000000,00489441), ref: 0048941E

Strings

DATAFLUX, xrefs: 0048934C
AI, xrefs: 0048928B

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048298C, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 119 Total matches: 11threadnetwork

Similarity

Total matches: 11
API ID: ExitThread$closesocket$connectgethostbynameinet_addrntohssocket
String ID: PortScanAdd$T)H
API String ID: 2395914352-1310557750
Opcode ID: 6c3104e507475618e3898607272650a69bca6dc046555386402c23f344340102
Instruction ID: 72399fd579b68a6a0bb22d5de318f24183f317e071505d54d2110904ee01d501
Opcode Fuzzy Hash: 1101680197ABE83FA05261C43881B8224A9AF57288CC8AFB2433A3E7C35D04300EF785
Instruction Fuzzy Hash: 72399fd579b68a6a0bb22d5de318f24183f317e071505d54d2110904ee01d501

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 004829FE
ExitThread.KERNEL32(00000000,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A0C
ntohs.WSOCK32(?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A18
inet_addr.WSOCK32(00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A2A
gethostbyname.WSOCK32(00000000,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A40
ExitThread.KERNEL32(00000000,00000000,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A4D
connect.WSOCK32(00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A63
ExitThread.KERNEL32(00000000,00000000,00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482AB2

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

closesocket.WSOCK32(00000000,?,00482B30,?,PortScanAdd,00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1), ref: 00482A9C
ExitThread.KERNEL32(00000000,00000000,?,00482B30,?,PortScanAdd,00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1), ref: 00482AA3
closesocket.WSOCK32(00000000,00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482AAB

Strings

T)H, xrefs: 004829A6, 00482AEF
PortScanAdd, xrefs: 00482A6C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004836D8, Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 99 Total matches: 11threadnetworksleep

Similarity

Total matches: 11
API ID: ExitThread$Sleepclosesocketconnectgethostbynameinet_addrntohsrecvsocket
String ID: POST /index.php/1.0Host:
API String ID: 2628901859-3522423011
Opcode ID: b04dd301db87c41df85ba2753455f3376e44383b7eb4be01a122875681284b07
Instruction ID: dc3bae1cbba1b9e51a9e3778eeee895e0839b03ccea3d6e2fe0063a405e053e2
Opcode Fuzzy Hash: E6F044005B779ABFC4611EC43C51B8205AA9353A64F85ABE2867A3AED6AD25100FF641
Instruction Fuzzy Hash: dc3bae1cbba1b9e51a9e3778eeee895e0839b03ccea3d6e2fe0063a405e053e2

APIs

socket.WSOCK32(00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 0048373A
ExitThread.KERNEL32(00000000,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 00483747
inet_addr.WSOCK32(?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 00483762
ntohs.WSOCK32(00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 0048376B
gethostbyname.WSOCK32(?,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 0048377B
ExitThread.KERNEL32(00000000,?,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 00483788
connect.WSOCK32(00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 0048379E
ExitThread.KERNEL32(00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 004837A9

Part of subcall function 00475F68: send.WSOCK32(?,00000000,?,00000000,00000000,00475FCA), ref: 00475FAF

recv.WSOCK32(00000000,?,00000400,00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ), ref: 004837C7
Sleep.KERNEL32(000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000,?), ref: 004837DF
closesocket.WSOCK32(00000000,000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000), ref: 004837E5
ExitThread.KERNEL32(00000000,00000000,000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854), ref: 004837EC

Strings

POST /index.php/1.0Host: , xrefs: 00483708

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482630, Relevance: 18.1, APIs: 12, Instructions: 116 Total matches: 16threadnetworksleep

Similarity

Total matches: 16
API ID: ExitThread$Sleepclosesocketconnectgethostbynameinet_addrntohsrecvsocket
String ID:
API String ID: 2628901859-0
Opcode ID: a3aaf1e794ac1aa69d03c8f9e66797259df72f874d13839bb17dd00c6b42194d
Instruction ID: ff6d9d03150e41bc14cdbddfb540e41f41725cc753a621d047e760d4192c390a
Opcode Fuzzy Hash: 7801D0011B764DBFC4611E846C8239311A7A763899DC5EBB1433A395D34E00202DFE46
Instruction Fuzzy Hash: ff6d9d03150e41bc14cdbddfb540e41f41725cc753a621d047e760d4192c390a

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000000,004827A8), ref: 004826CB
ExitThread.KERNEL32(00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 004826D8
inet_addr.WSOCK32(00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 004826F3
ntohs.WSOCK32(00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 004826FC
gethostbyname.WSOCK32(00000000,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 0048270C
ExitThread.KERNEL32(00000000,00000000,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 00482719
connect.WSOCK32(00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 0048272F
ExitThread.KERNEL32(00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 0048273A

Part of subcall function 004824B0: send.WSOCK32(?,?,00000400,00000000,00000000,00482542), ref: 00482525

recv.WSOCK32(00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 00482758
Sleep.KERNEL32(000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 00482770
closesocket.WSOCK32(00000000,000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000), ref: 00482776
ExitThread.KERNEL32(00000000,00000000,000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?), ref: 0048277D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004821A0, Relevance: 15.1, APIs: 10, Instructions: 112 Total matches: 15threadnetworksleep

Similarity

Total matches: 15
API ID: ExitThread$Sleepclosesocketgethostbynameinet_addrntohssendtosocket
String ID:
API String ID: 1359030137-0
Opcode ID: 9f2e935b6ee09f04cbe2534d435647e5a9c7a25d7308ce71f3340d3606cd1e00
Instruction ID: ac1de70ce42b68397a6b2ea81eb33c5fd22f812bdd7d349b67f520e68fdd8bef
Opcode Fuzzy Hash: BC0197011B76997BD8612EC42C8335325A7E363498E85ABB2863A3A5C34E00303EFD4A
Instruction Fuzzy Hash: ac1de70ce42b68397a6b2ea81eb33c5fd22f812bdd7d349b67f520e68fdd8bef

APIs

socket.WSOCK32(00000002,00000002,00000000,?,00000000,00482302), ref: 0048223B
ExitThread.KERNEL32(00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 00482248
inet_addr.WSOCK32(00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 00482263
ntohs.WSOCK32(00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 0048226C
gethostbyname.WSOCK32(00000000,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 0048227C
ExitThread.KERNEL32(00000000,00000000,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 00482289
sendto.WSOCK32(00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 004822B2
Sleep.KERNEL32(000003E8,00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 004822CA
closesocket.WSOCK32(00000000,000003E8,00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 004822D0
ExitThread.KERNEL32(00000000,00000000,000003E8,00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000), ref: 004822D7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00458910, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64 Total matches: 3020window

Similarity

Total matches: 3020
API ID: GetWindowLongScreenToClient$GetWindowPlacementGetWindowRectIsIconic
String ID: ,
API String ID: 816554555-3772416878
Opcode ID: 33713ad712eb987f005f3c933c072ce84ce87073303cb20338137d5b66c4d54f
Instruction ID: 99fb2dd3f2d8984d329dcc6a20dc6bc7800d43894b91fc45d581d88d3a180e50
Opcode Fuzzy Hash: 34E0929A777C2018C58145A80943F5DB3519B5B7FAC55DF8036902895B110018B1B86D
Instruction Fuzzy Hash: 99fb2dd3f2d8984d329dcc6a20dc6bc7800d43894b91fc45d581d88d3a180e50

APIs

IsIconic.USER32(?), ref: 0045891F
GetWindowPlacement.USER32(?,0000002C), ref: 0045893C
GetWindowRect.USER32(?), ref: 00458955
GetWindowLongA.USER32(?,000000F0), ref: 00458963
GetWindowLongA.USER32(?,000000F8), ref: 00458978
ScreenToClient.USER32(00000000), ref: 00458985
ScreenToClient.USER32(00000000,?), ref: 00458990

Strings

,, xrefs: 00458928

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043B7D8, Relevance: 12.1, APIs: 8, Instructions: 72 Total matches: 256window

Similarity

Total matches: 256
API ID: ShowWindow$SetWindowLong$GetWindowLongIsIconicIsWindowVisible
String ID:
API String ID: 1329766111-0
Opcode ID: 851ee31c2da1c7e890e66181f8fd9237c67ccb8fd941b2d55d1428457ca3ad95
Instruction ID: 2d601e2c9dde570a1438639cb57e59d23a7ac9434ebe8ec1c9926e4533b8e8e7
Opcode Fuzzy Hash: FEE0684A6E7C6CE4E26AE7048881B00514BE307A17DC00B00C722165A69E8830E4AC8E
Instruction Fuzzy Hash: 2d601e2c9dde570a1438639cb57e59d23a7ac9434ebe8ec1c9926e4533b8e8e7

APIs

GetWindowLongA.USER32(?,000000EC), ref: 0043B7E8
IsIconic.USER32(?), ref: 0043B800
IsWindowVisible.USER32(?), ref: 0043B80C
ShowWindow.USER32(?,00000000), ref: 0043B840
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B855
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B866
ShowWindow.USER32(?,00000006), ref: 0043B881
ShowWindow.USER32(?,00000005), ref: 0043B88B

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004389B4, Relevance: 10.9, APIs: 7, Instructions: 405 Total matches: 2150windowCrypto

Similarity

Total matches: 2150
API ID: RestoreDCSaveDC$DefWindowProcGetSubMenuGetWindowDC
String ID:
API String ID: 4165311318-0
Opcode ID: e3974ea3235f2bde98e421c273a503296059dbd60f3116d5136c6e7e7c4a4110
Instruction ID: 37498faecac08611daeb58a409bdd2e28f3aff22c71556953c3d6c7203dc42a1
Opcode Fuzzy Hash: E351598106AE105BFCB3A49435C3FA31002E75259BCC9F7725F65B69F70A426107FA0E
Instruction Fuzzy Hash: 37498faecac08611daeb58a409bdd2e28f3aff22c71556953c3d6c7203dc42a1

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 00438ECA

Part of subcall function 00437AE0: SendMessageA.USER32(?,00000234,00000000,00000000), ref: 00437B66
Part of subcall function 00437AE0: DrawMenuBar.USER32(00000000), ref: 00437B77

GetSubMenu.USER32(?,?), ref: 00438AB0

Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128

SaveDC.GDI32(?), ref: 00438C84
RestoreDC.GDI32(?,?), ref: 00438CF8
GetWindowDC.USER32(?), ref: 00438D72
SaveDC.GDI32(?), ref: 00438DA9
RestoreDC.GDI32(?,?), ref: 00438E16

Part of subcall function 00438594: GetMenuItemCount.USER32(?), ref: 004385C0
Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 004385E0
Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 00438678

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043E644, Relevance: 10.9, APIs: 7, Instructions: 356 Total matches: 105windowCrypto

Similarity

Total matches: 105
API ID: RestoreDCSaveDC$GetParentGetWindowDCSetFocus
String ID:
API String ID: 1433148327-0
Opcode ID: c7c51054c34f8cc51c1d37cc0cdfc3fb3cac56433bd5d750a0ee7df42f9800ec
Instruction ID: 9e67841575b56d9a11e2d3f15b67e7abce699d8469a9871b1b2609441fc85f19
Opcode Fuzzy Hash: 60514740199E7193F47720842BC3BEAB09AF79671DC40F3616BC6318877F15A21AB70B
Instruction Fuzzy Hash: 9e67841575b56d9a11e2d3f15b67e7abce699d8469a9871b1b2609441fc85f19

APIs

Part of subcall function 00448224: SetActiveWindow.USER32(?), ref: 0044823F
Part of subcall function 00448224: SetFocus.USER32(00000000), ref: 00448289

SetFocus.USER32(00000000), ref: 0043E76F

Part of subcall function 0043F4F4: SendMessageA.USER32(00000000,00000229,00000000,00000000), ref: 0043F51B

Part of subcall function 0044D2F4: GetWindowThreadProcessId.USER32(?), ref: 0044D301
Part of subcall function 0044D2F4: GetCurrentProcessId.KERNEL32(?,00000000,?,004387ED,?,004378A9), ref: 0044D30A
Part of subcall function 0044D2F4: GlobalFindAtomA.KERNEL32(00000000), ref: 0044D31F
Part of subcall function 0044D2F4: GetPropA.USER32(?,00000000), ref: 0044D336

GetParent.USER32(?), ref: 0043E78A

Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128

SaveDC.GDI32(?), ref: 0043E92D
RestoreDC.GDI32(?,?), ref: 0043E99E
GetWindowDC.USER32(00000000), ref: 0043EA0A
SaveDC.GDI32(?), ref: 0043EA41
RestoreDC.GDI32(?,?), ref: 0043EAA5

Part of subcall function 00447EF0: InvalidateRect.USER32(00000000,00000000,000000FF), ref: 00447F83
Part of subcall function 00447EF0: InvalidateRect.USER32(00000000,00000000,000000FF), ref: 00447FB6

Part of subcall function 004556F4: SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000077), ref: 004557E5
Part of subcall function 004556F4: _TrackMouseEvent.COMCTL32(00000010), ref: 00455A9D
Part of subcall function 004556F4: DefWindowProcA.USER32(00000000,?,?,?), ref: 00455AEF
Part of subcall function 004556F4: GetCapture.USER32 ref: 00455B5A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A070, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51 Total matches: 81shutdown

Similarity

Total matches: 81
API ID: AdjustTokenPrivilegesExitWindowsExGetCurrentProcessLookupPrivilegeValueOpenProcessToken
String ID: SeShutdownPrivilege
API String ID: 907618230-3733053543
Opcode ID: 6325c351eeb4cc5a7ec0039467aea46e8b54e3429b17674810d590d1af91e24f
Instruction ID: 66577e1e564058a64f67eda116e8e082f314cb3670dbe1b8773e92ba7f33d392
Opcode Fuzzy Hash: 84D0124D3B7976B1F31D5D4001C47A6711FDBA322AD61670069507725A8DA091F4BE88
Instruction Fuzzy Hash: 66577e1e564058a64f67eda116e8e082f314cb3670dbe1b8773e92ba7f33d392

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 0048A083
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0048A089
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000000), ref: 0048A0A4
AdjustTokenPrivileges.ADVAPI32(00000002,00000000,00000002,00000010,?,?,00000000), ref: 0048A0E5
ExitWindowsEx.USER32(00000012,00000000), ref: 0048A0ED

Strings

SeShutdownPrivilege, xrefs: 0048A09D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E370, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 46 Total matches: 14window

Similarity

Total matches: 14
API ID: GetWindowPlacementGetWindowRectIsIconic
String ID: MonitorFromWindow$pB
API String ID: 1187573753-2555291889
Opcode ID: b2662cef33c9ce970c581efdfdde34e0c8b40e940518fa378c404c4b73bde14f
Instruction ID: 5a6b2a18135ea14e651d4e6cb58f3d6b41c3321aed1c605d56f3d84144375520
Opcode Fuzzy Hash: E2D0977303280A045DC34844302880B2A322AD3C3188C3FE182332B3D34B8630BCCF1D
Instruction Fuzzy Hash: 5a6b2a18135ea14e651d4e6cb58f3d6b41c3321aed1c605d56f3d84144375520

APIs

IsIconic.USER32(?), ref: 0042E3B9
GetWindowPlacement.USER32(?,?), ref: 0042E3C7
GetWindowRect.USER32(?,?), ref: 0042E3D3

Part of subcall function 0042E2E0: GetSystemMetrics.USER32(00000000), ref: 0042E331
Part of subcall function 0042E2E0: GetSystemMetrics.USER32(00000001), ref: 0042E33D

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

pB, xrefs: 0042E38C, 0042E399, 0042E3A0
MonitorFromWindow, xrefs: 0042E387

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004715B0, Relevance: 7.5, APIs: 5, Instructions: 49 Total matches: 102service

Similarity

Total matches: 102
API ID: CloseServiceHandle$DeleteServiceOpenSCManagerOpenService
String ID:
API String ID: 3460840894-0
Opcode ID: edfa3289dfdb26ec1f91a4a945de349b204e0a604ed3354c303b362bde8b8223
Instruction ID: 514bcffe4070602af344c66095507f6a8d55ec3e3e7bb18c804bf3b7deea95f5
Opcode Fuzzy Hash: 01D02E841BA8F82FD4879988111239360C1AA23A90D8A37F08E08361D3ABE4004CF86A
Instruction Fuzzy Hash: 514bcffe4070602af344c66095507f6a8d55ec3e3e7bb18c804bf3b7deea95f5

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047162F), ref: 004715DB
OpenServiceA.ADVAPI32(00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 004715F5
DeleteService.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471601
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 0047160E
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471614

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A218, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45 Total matches: 35

Similarity

Total matches: 35
API ID: ShellExecuteEx
String ID: <$runas
API String ID: 188261505-1187129395
Opcode ID: 78fd917f465efea932f782085a819b786d64ecbded851ad2becd4a9c2b295cba
Instruction ID: 699417cfffd9d2823bf050fc300394e0ca4864bf277244f982f3937778f2d3bc
Opcode Fuzzy Hash: 44D0C2651799A06BC4A3B2C03C41B2B25307B13B48C0EB722960034CD38F080009EF85
Instruction Fuzzy Hash: 699417cfffd9d2823bf050fc300394e0ca4864bf277244f982f3937778f2d3bc

APIs

ShellExecuteExA.SHELL32(0000003C,00000000,0048A2A4), ref: 0048A283

Strings

runas, xrefs: 0048A268
<, xrefs: 0048A24C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00471640, Relevance: 4.6, APIs: 3, Instructions: 140 Total matches: 47service

Similarity

Total matches: 47
API ID: CloseServiceHandleEnumServicesStatusOpenSCManager
String ID:
API String ID: 233299287-0
Opcode ID: 185c547a2e6a35dbb7ea54b3dd23c7efef250d35a63269c87f9c499be03b9b38
Instruction ID: 4325fe5331610a1e4ee3b19dd885bf5302e7ab4f054d8126da991c50fe425a8d
Opcode Fuzzy Hash: D3112647077BC223FB612D841803F8279D84B1AA24F8C4B458BB5BC6F61E490105F69D
Instruction Fuzzy Hash: 4325fe5331610a1e4ee3b19dd885bf5302e7ab4f054d8126da991c50fe425a8d

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000005,00000000,00471828), ref: 004716A2
EnumServicesStatusA.ADVAPI32(00000000,0000013F,00000003,?,00004800,?,?,?), ref: 004716DC

Part of subcall function 004714B8: OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047159E), ref: 004714FD
Part of subcall function 004714B8: OpenServiceA.ADVAPI32(00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047152D
Part of subcall function 004714B8: StartServiceA.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471555
Part of subcall function 004714B8: ControlService.ADVAPI32(00000000,00000001,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471563
Part of subcall function 004714B8: QueryServiceStatus.ADVAPI32(00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047156D
Part of subcall function 004714B8: CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471573
Part of subcall function 004714B8: CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471579

CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000005,00000000,00471828), ref: 00471805

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004754C4, Relevance: 87.7, APIs: 29, Strings: 21, Instructions: 233 Total matches: 21libraryloaderprocess

Similarity

Total matches: 21
API ID: GetModuleHandleGetProcAddress$CreateProcess
String ID: CloseHandle$CreateMutexA$CreateProcessA$D$DCPERSFWBP$ExitThread$GetExitCodeProcess$GetLastError$GetProcAddress$LoadLibraryA$MessageBoxA$OpenProcess$SetLastError$Sleep$TerminateProcess$WaitForSingleObject$kernel32$[FILE]$notepad$user32$[FILE]
API String ID: 3751337051-3523759359
Opcode ID: 948186da047cc935dcd349cc6fe59913c298c2f7fe37e158e253dfef2729ac1f
Instruction ID: 4cc698827aad1f96db961776656dbb42e561cfa105640199e72939f2d3a7da76
Opcode Fuzzy Hash: 0C31B4E666B8F349E6362E4830D46BC26C1A687F3DB52D7004A37B27C46E810407F776
Instruction Fuzzy Hash: 4cc698827aad1f96db961776656dbb42e561cfa105640199e72939f2d3a7da76

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 00475590

Part of subcall function 00474D58: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?,00000000,00000000,00000000,?,004755A7), ref: 00474D98
Part of subcall function 00474D58: WriteProcessMemory.KERNEL32(?,00000000,kernel32.dll,?,?,?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?), ref: 00474DBE

GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756B4
GetProcAddress.KERNEL32(00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756BA
GetModuleHandleA.KERNEL32(kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756CB
GetProcAddress.KERNEL32(00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756D1
GetModuleHandleA.KERNEL32(kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756E3
GetProcAddress.KERNEL32(00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 004756E9
GetModuleHandleA.KERNEL32(user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 004756FB
GetProcAddress.KERNEL32(00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 00475701
GetModuleHandleA.KERNEL32(kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 00475713
GetProcAddress.KERNEL32(00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000), ref: 00475719
GetModuleHandleA.KERNEL32(kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32), ref: 0047572B
GetProcAddress.KERNEL32(00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000), ref: 00475731
GetModuleHandleA.KERNEL32(kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32), ref: 00475743
GetProcAddress.KERNEL32(00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000), ref: 00475749
GetModuleHandleA.KERNEL32(kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32), ref: 0047575B
GetProcAddress.KERNEL32(00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000), ref: 00475761
GetModuleHandleA.KERNEL32(kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32), ref: 00475773
GetProcAddress.KERNEL32(00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000), ref: 00475779
GetModuleHandleA.KERNEL32(kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32), ref: 0047578B
GetProcAddress.KERNEL32(00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000), ref: 00475791
GetModuleHandleA.KERNEL32(kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32), ref: 004757A3
GetProcAddress.KERNEL32(00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000), ref: 004757A9
GetModuleHandleA.KERNEL32(kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32), ref: 004757BB
GetProcAddress.KERNEL32(00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000), ref: 004757C1
GetModuleHandleA.KERNEL32(kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32), ref: 004757D3
GetProcAddress.KERNEL32(00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000), ref: 004757D9
GetModuleHandleA.KERNEL32(kernel32,OpenProcess,00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32), ref: 004757EB
GetProcAddress.KERNEL32(00000000,kernel32,OpenProcess,00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000), ref: 004757F1

Part of subcall function 00474E20: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00474E5E
Part of subcall function 00474E20: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00474E6E
Part of subcall function 00474E20: ReadProcessMemory.KERNEL32(?,00000000,?,?,?,DCPERSFWBP,?,?), ref: 00474E81

Part of subcall function 0040F234: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0048F90F,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040F24B

Strings

ExitThread, xrefs: 00475622, 00475799
kernel32, xrefs: 004756AF, 004756C6, 004756DE, 0047570E, 00475726, 0047573E, 00475756, 0047576E, 00475786, 0047579E, 004757B6, 004757CE, 004757E6
GetProcAddress, xrefs: 004756C1
TerminateProcess, xrefs: 0047564C, 004757B1
notepad, xrefs: 00475543
CreateMutexA, xrefs: 00475604, 00475769
kernel32.dll, xrefs: 0047559B
user32.dll, xrefs: 004755AA
SetLastError, xrefs: 004755F5, 00475751
D, xrefs: 00475517
DCPERSFWBP, xrefs: 00475563
Sleep, xrefs: 004755B9, 004756D9
GetExitCodeProcess, xrefs: 0047565B, 00475781
user32, xrefs: 004756F6
WaitForSingleObject, xrefs: 0047567E, 004757C9
LoadLibraryA, xrefs: 004756AA
OpenProcess, xrefs: 00475631, 004757E1
MessageBoxA, xrefs: 004755C8, 004756F1
CreateProcessA, xrefs: 004755D7, 00475721
GetLastError, xrefs: 004755E6, 00475739
CloseHandle, xrefs: 00475613, 00475709

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045D6E8, Relevance: 49.1, APIs: 15, Strings: 13, Instructions: 95 Total matches: 1532libraryloader

Similarity

Total matches: 1532
API ID: GetProcAddress$SetErrorMode$GetModuleHandleLoadLibrary
String ID: ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME$[FILE]
API String ID: 4285671783-683095915
Opcode ID: 6332f91712b4189a2fbf9eac54066364acf4b46419cf90587b9f7381acad85db
Instruction ID: 372e34bc737a7edc69a1909bd40661afaf820c1de602df88552da6e630419b72
Opcode Fuzzy Hash: 0A01257F24D863CBD2D0CE4934DB39D20B65787C0C8D6DF404605318697F9BF9295A68
Instruction Fuzzy Hash: 372e34bc737a7edc69a1909bd40661afaf820c1de602df88552da6e630419b72

APIs

SetErrorMode.KERNEL32(00008000), ref: 0045D701
GetModuleHandleA.KERNEL32(USER32,00000000,0045D84E,?,00008000), ref: 0045D725
GetProcAddress.KERNEL32(00000000,WINNLSEnableIME,USER32,00000000,0045D84E,?,00008000), ref: 0045D732
LoadLibraryA.KERNEL32(imm32.dll), ref: 0045D74E
GetProcAddress.KERNEL32(00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D770
GetProcAddress.KERNEL32(00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D785
GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D79A
GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7AF
GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7C4
GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E), ref: 0045D7D9
GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000), ref: 0045D7EE
GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext), ref: 0045D803
GetProcAddress.KERNEL32(00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext), ref: 0045D818
GetProcAddress.KERNEL32(00000000,ImmNotifyIME,00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus), ref: 0045D82D
SetErrorMode.KERNEL32(?,0045D855,00008000), ref: 0045D848

Strings

USER32, xrefs: 0045D720
ImmReleaseContext, xrefs: 0045D77A
ImmNotifyIME, xrefs: 0045D822
ImmIsIME, xrefs: 0045D80D
ImmGetConversionStatus, xrefs: 0045D78F
ImmSetCompositionFontA, xrefs: 0045D7E3
ImmGetCompositionStringA, xrefs: 0045D7F8
ImmSetCompositionWindow, xrefs: 0045D7CE
ImmGetContext, xrefs: 0045D765
imm32.dll, xrefs: 0045D749
ImmSetOpenStatus, xrefs: 0045D7B9
WINNLSEnableIME, xrefs: 0045D72C
ImmSetConversionStatus, xrefs: 0045D7A4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004104F0, Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141 Total matches: 3143

Similarity

Total matches: 3143
API ID: GetModuleHandle
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$[FILE]
API String ID: 2196120668-1102361026
Opcode ID: d04b3c176625d43589df9c4c1eaa1faa8af9b9c00307a8a09859a0e62e75f2dc
Instruction ID: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6
Opcode Fuzzy Hash: B8119E48E06A10BC356E3ED6B0292683F50A1A7CBF31D5388487AA46F067C083C0FF2D
Instruction Fuzzy Hash: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 004104F9

Part of subcall function 004104C4: GetProcAddress.KERNEL32(00000000), ref: 004104DD

Strings

VarMod, xrefs: 004105B7
VarBstrFromCy, xrefs: 004106A9
VarBstrFromBool, xrefs: 004106D5
VarAnd, xrefs: 004105CD
VarDateFromStr, xrefs: 00410667
oleaut32.dll, xrefs: 004104F4
VariantChangeTypeEx, xrefs: 00410507
VarCmp, xrefs: 0041060F
VarBstrFromDate, xrefs: 004106BF
VarBoolFromStr, xrefs: 00410693
VarR8FromStr, xrefs: 00410651
VarR4FromStr, xrefs: 0041063B
VarDiv, xrefs: 0041058B
VarSub, xrefs: 0041055F
VarNeg, xrefs: 0041051D
VarAdd, xrefs: 00410549
VarOr, xrefs: 004105E3
VarMul, xrefs: 00410575
VarI4FromStr, xrefs: 00410625
VarCyFromStr, xrefs: 0041067D
VarIdiv, xrefs: 004105A1
VarXor, xrefs: 004105F9
VarNot, xrefs: 00410533

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00489580, Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 221 Total matches: 17pipewindowsleep

Similarity

Total matches: 17
API ID: CloseHandleCreatePipePeekNamedPipe$CreateProcessDispatchMessageGetEnvironmentVariableGetExitCodeProcessOemToCharPeekMessageReadFileSleepTerminateProcessTranslateMessage
String ID: COMSPEC$D
API String ID: 4101216710-942777791
Opcode ID: 98b6063c36b7c4f9ee270a2712a57a54142ac9cf893dea9da1c9317ddc3726ed
Instruction ID: f750be379b028122e82cf807415e9f3aafae13f02fb218c552ebf65ada2f023f
Opcode Fuzzy Hash: 6221AE4207BD57A3E5972A046403B841372FF43A68F6CA7A2A6FD367E9CE400099FE14
Instruction Fuzzy Hash: f750be379b028122e82cf807415e9f3aafae13f02fb218c552ebf65ada2f023f

APIs

CreatePipe.KERNEL32(FFFFFFFF,?,00000000,00000000), ref: 004895ED
CreatePipe.KERNEL32(?,?,00000000,00000000,FFFFFFFF,?,00000000,00000000), ref: 004895FD
GetEnvironmentVariableA.KERNEL32(COMSPEC,?,00000104,?,?,00000000,00000000,FFFFFFFF,?,00000000,00000000), ref: 00489613
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?), ref: 00489668
Sleep.KERNEL32(000007D0,00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,COMSPEC,?,00000104,?,?), ref: 00489685
TranslateMessage.USER32(?), ref: 00489693
DispatchMessageA.USER32(?), ref: 0048969F
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004896B3
GetExitCodeProcess.KERNEL32(?,?), ref: 004896C8
PeekNamedPipe.KERNEL32(FFFFFFFF,00000000,00000000,00000000,?,00000000,?,?,?,00000000,00000000,00000000,00000001,?,?,?), ref: 004896F2
ReadFile.KERNEL32(FFFFFFFF,?,00002400,00000000,00000000), ref: 00489717
OemToCharA.USER32(?,?), ref: 0048972E
PeekNamedPipe.KERNEL32(FFFFFFFF,00000000,00000000,00000000,00000000,00000000,?,FFFFFFFF,?,00002400,00000000,00000000,FFFFFFFF,00000000,00000000,00000000), ref: 00489781

Part of subcall function 0041FA34: GetLastError.KERNEL32(00486514,00000004,0048650C,00000000,0041FADE,?,00499F5C), ref: 0041FA94

Part of subcall function 0041FC40: SetThreadPriority.KERNEL32(?,015CDB28,00499F5C,?,0047EC9E,?,?,?,00000000,00000000,?,0049062B), ref: 0041FC55

Part of subcall function 0041FEF0: ResumeThread.KERNEL32(?,00499F5C,?,0047ECAA,?,?,?,00000000,00000000,?,0049062B), ref: 0041FEF8

Part of subcall function 0041FF20: GetCurrentThreadId.KERNEL32 ref: 0041FF2E
Part of subcall function 0041FF20: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0041FF5A
Part of subcall function 0041FF20: MsgWaitForMultipleObjects.USER32(00000002,?,00000000,000003E8,00000040), ref: 0041FF6F
Part of subcall function 0041FF20: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041FF9C
Part of subcall function 0041FF20: GetExitCodeThread.KERNEL32(?,?,?,000000FF), ref: 0041FFA7

TerminateProcess.KERNEL32(?,00000000,00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,COMSPEC,?,00000104,?), ref: 0048980A
CloseHandle.KERNEL32(?), ref: 00489813
CloseHandle.KERNEL32(?), ref: 0048981C

Strings

D, xrefs: 00489627
COMSPEC, xrefs: 0048960E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00472E88, Relevance: 26.4, APIs: 6, Strings: 9, Instructions: 199 Total matches: 19network

Similarity

Total matches: 19
API ID: inet_ntoa$WSAIoctlclosesocketsocket
String ID: Broadcast adress : $ Broadcasts : NO$ Broadcasts : YES$ IP : $ IP Mask : $ Loopback interface$ Network interface$ Status : DOWN$ Status : UP
API String ID: 2271367613-1810517698
Opcode ID: 3d4dbe25dc82bdd7fd028c6f91bddee7ad6dc1d8a686e5486e056cbc58026438
Instruction ID: 018b2a24353d4e3a07e7e79b390110fecb7011e72bd4e8fb6250bb24c4a02172
Opcode Fuzzy Hash: E22138C22338E1B2D42A39C6B500F80B651671FB7EF481F9652B6FFDC26E488005A749
Instruction Fuzzy Hash: 018b2a24353d4e3a07e7e79b390110fecb7011e72bd4e8fb6250bb24c4a02172

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00473108), ref: 00472EC7
WSAIoctl.WS2_32(000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000), ref: 00472F08
inet_ntoa.WSOCK32(?,00000000,004730D5,?,00000002,00000001,00000000,00000000,00473108), ref: 00472F40
inet_ntoa.WSOCK32(?,00473130,?, IP : ,?,?,00000000,004730D5,?,00000002,00000001,00000000,00000000,00473108), ref: 00472F81
inet_ntoa.WSOCK32(?,00473130,?, IP Mask : ,?,?,00473130,?, IP : ,?,?,00000000,004730D5,?,00000002,00000001), ref: 00472FC2
closesocket.WSOCK32(000000FF,00000002,00000001,00000000,00000000,00473108), ref: 004730E3

Strings

Broadcast adress : , xrefs: 00472FCB
Status : UP, xrefs: 00473001
IP Mask : , xrefs: 00472F8A
Broadcasts : NO, xrefs: 00473057
Status : DOWN, xrefs: 0047301B
IP : , xrefs: 00472F49
Broadcasts : YES, xrefs: 0047303D
Network interface, xrefs: 00473091
Loopback interface, xrefs: 00473077

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045944C, Relevance: 25.8, APIs: 17, Instructions: 258 Total matches: 99

Similarity

Total matches: 99
API ID: OffsetRect$MapWindowPoints$DrawEdgeExcludeClipRectFillRectGetClientRectGetRgnBoxGetWindowDCGetWindowLongGetWindowRectInflateRectIntersectClipRectIntersectRectReleaseDC
String ID:
API String ID: 549690890-0
Opcode ID: 4a5933c45267f4417683cc1ac528043082b1f46eca0dcd21c58a50742ec4aa88
Instruction ID: 2ecbe6093ff51080a4fa1a6c7503b414327ded251fe39163baabcde2d7402924
Opcode Fuzzy Hash: DE316B4D01AF1663F073A6401983F7A1516FF43A89CD837F27EE63235E27662066AA03
Instruction Fuzzy Hash: 2ecbe6093ff51080a4fa1a6c7503b414327ded251fe39163baabcde2d7402924

APIs

GetWindowDC.USER32(00000000), ref: 00459480
GetClientRect.USER32(00000000,?), ref: 004594A3
GetWindowRect.USER32(00000000,?), ref: 004594B5
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 004594CB
OffsetRect.USER32(?,?,?), ref: 004594E0
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 004594F9
InflateRect.USER32(?,00000000,00000000), ref: 00459517
GetWindowLongA.USER32(00000000,000000F0), ref: 00459531
DrawEdge.USER32(?,?,?,00000008), ref: 00459630
IntersectClipRect.GDI32(?,?,?,?,?), ref: 00459649
OffsetRect.USER32(?,?,?), ref: 00459673
GetRgnBox.GDI32(?,?), ref: 00459682
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 00459698
IntersectRect.USER32(?,?,?), ref: 004596A9
OffsetRect.USER32(?,?,?), ref: 004596BE

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?,00000000), ref: 004596DA
ReleaseDC.USER32(00000000,?), ref: 004596F9

Part of subcall function 004328FC: GetWindowLongA.USER32(00000000,000000EC), ref: 00432917
Part of subcall function 004328FC: GetWindowRect.USER32(00000000,?), ref: 00432932
Part of subcall function 004328FC: OffsetRect.USER32(?,?,?), ref: 00432947
Part of subcall function 004328FC: GetWindowDC.USER32(00000000), ref: 00432955
Part of subcall function 004328FC: GetWindowLongA.USER32(00000000,000000F0), ref: 00432986
Part of subcall function 004328FC: GetSystemMetrics.USER32(00000002), ref: 0043299B
Part of subcall function 004328FC: GetSystemMetrics.USER32(00000003), ref: 004329A4
Part of subcall function 004328FC: InflateRect.USER32(?,000000FE,000000FE), ref: 004329B3
Part of subcall function 004328FC: GetSysColorBrush.USER32(0000000F), ref: 004329E0
Part of subcall function 004328FC: FillRect.USER32(?,?,00000000), ref: 004329EE
Part of subcall function 004328FC: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00432A13
Part of subcall function 004328FC: ReleaseDC.USER32(00000000,?), ref: 00432A51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474208, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 49 Total matches: 17libraryloader

Similarity

Total matches: 17
API ID: GetProcAddress$LoadLibrary
String ID: WlanCloseHandle$WlanEnumInterfaces$WlanGetAvailableNetworkList$WlanOpenHandle$WlanQueryInterface$[FILE]
API String ID: 2209490600-3498334979
Opcode ID: 5146edb54a207047eae4574c9a27975307ac735bfb4468aea4e07443cdf6e803
Instruction ID: f89292433987c39bc7d9e273a1951c9a278ebb56a2de24d0a3e4590a01f53334
Opcode Fuzzy Hash: 50E0B6FD90BAA808D37089CC31962431D6E7BE332DA621E00086A230902B4FF2766935
Instruction Fuzzy Hash: f89292433987c39bc7d9e273a1951c9a278ebb56a2de24d0a3e4590a01f53334

APIs

LoadLibraryA.KERNEL32(wlanapi.dll), ref: 00474216
GetProcAddress.KERNEL32(00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 0047422E
GetProcAddress.KERNEL32(00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 00474249
GetProcAddress.KERNEL32(00000000,WlanEnumInterfaces,00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 00474264
GetProcAddress.KERNEL32(00000000,WlanQueryInterface,00000000,WlanEnumInterfaces,00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 0047427F
GetProcAddress.KERNEL32(00000000,WlanGetAvailableNetworkList,00000000,WlanQueryInterface,00000000,WlanEnumInterfaces,00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 0047429A

Strings

WlanOpenHandle, xrefs: 00474226
wlanapi.dll, xrefs: 00474211
WlanGetAvailableNetworkList, xrefs: 00474292
WlanQueryInterface, xrefs: 00474277
WlanEnumInterfaces, xrefs: 0047425C
WlanCloseHandle, xrefs: 00474241

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048D3C4, Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 132 Total matches: 32

Similarity

Total matches: 32
API ID: GetVersionEx
String ID: Unknow$Windows 2000$Windows 7$Windows 95$Windows 98$Windows Me$Windows NT 4.0$Windows Server 2003$Windows Vista$Windows XP
API String ID: 3908303307-3783844371
Opcode ID: 7b5a5832e5fd12129a8a2e2906a492b9449b8df28a17af9cc2e55bced20de565
Instruction ID: b844ed6b70e0e94de659292c354b68b9ed016400ab421bcb6baea74a0809c2ae
Opcode Fuzzy Hash: 0C11ACC1EB6CE422E7B219486410BD59E805F8B83AFCCC343D63EA83E46D491419F22D
Instruction Fuzzy Hash: b844ed6b70e0e94de659292c354b68b9ed016400ab421bcb6baea74a0809c2ae

APIs

GetVersionExA.KERNEL32(00000094), ref: 0048D410

Strings

Windows Me, xrefs: 0048D4F2
Windows NT 4.0, xrefs: 0048D441
Windows 2000, xrefs: 0048D467
Windows 95, xrefs: 0048D4D6
Windows 7, xrefs: 0048D4B1
Unknow, xrefs: 0048D3F5
Windows Vista, xrefs: 0048D4A3
Windows Server 2003, xrefs: 0048D486
Windows XP, xrefs: 0048D478
Windows 98, xrefs: 0048D4E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C494, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 102 Total matches: 27filememorythread

Similarity

Total matches: 27
API ID: CloseHandle$CreateFileCreateThreadFindResourceLoadResourceLocalAllocLockResourceSizeofResourceWriteFile
String ID: [FILE]
API String ID: 67866216-124780900
Opcode ID: 96c988e38e59b89ff17cc2eaece477f828ad8744e4a6eccd5192cfbc043553d8
Instruction ID: 630cc112895e8414539e3ba5b7ba0394fd4404f3832c6fa9d37db38bf09270f9
Opcode Fuzzy Hash: D5F02B8A57A5E6A3F0003C841D423D286D55B13B20E582B62C57CB75C1FE24502AFB03
Instruction Fuzzy Hash: 630cc112895e8414539e3ba5b7ba0394fd4404f3832c6fa9d37db38bf09270f9

APIs

FindResourceA.KERNEL32(00000000,?,?), ref: 0048C4C3

Part of subcall function 00489BB0: GetTempPathA.KERNEL32(?,00000000), ref: 00489BEC

CreateFileA.KERNEL32(00000000,.dll,?,?,40000000,00000002,00000000), ref: 0048C50F
SizeofResource.KERNEL32(00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC,?,?,?,?,00000000,00000000,00000000), ref: 0048C51F
LoadResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C528
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C52E
WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0048C535
CloseHandle.KERNEL32(00000000), ref: 0048C53B
LocalAlloc.KERNEL32(00000040,00000004,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C544
CreateThread.KERNEL32(00000000,00000000,0048C3E4,00000000,00000000,?), ref: 0048C586
CloseHandle.KERNEL32(00000000), ref: 0048C58C

Strings

.dll, xrefs: 0048C4F4, 0048C565

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00442280, Relevance: 18.5, APIs: 12, Instructions: 471 Total matches: 76window

Similarity

Total matches: 76
API ID: ShowWindow$SendMessageSetWindowPos$CallWindowProcGetActiveWindowSetActiveWindow
String ID:
API String ID: 1078102291-0
Opcode ID: 5a6bc4dc446307c7628f18d730adac2faaaadfe5fec0ff2c8aaad915570e293a
Instruction ID: d2d7a330045c082ee8847ac264425c59ea8f05af409e416109ccbd6a8a647aa5
Opcode Fuzzy Hash: AA512601698E2453F8A360442A87BAB6077F74EB54CC4AB744BCF530AB3A51D837E74B
Instruction Fuzzy Hash: d2d7a330045c082ee8847ac264425c59ea8f05af409e416109ccbd6a8a647aa5

APIs

Part of subcall function 004471C4: IsChild.USER32(00000000,00000000), ref: 00447222

SendMessageA.USER32(?,00000223,00000000,00000000), ref: 004426BE
ShowWindow.USER32(00000000,00000003), ref: 004426CE
ShowWindow.USER32(00000000,00000002), ref: 004426F0
CallWindowProcA.USER32(00407FF8,00000000,00000005,00000000,?), ref: 00442719
SendMessageA.USER32(?,00000234,00000000,00000000), ref: 0044273E
ShowWindow.USER32(00000000,?), ref: 00442763
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000097), ref: 004427FF
GetActiveWindow.USER32 ref: 00442815
ShowWindow.USER32(00000000,00000000), ref: 00442872

Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773

Part of subcall function 0043BA80: GetCurrentThreadId.KERNEL32(Function_0003BA1C,00000000,0044283C,00000000,004428BF), ref: 0043BA9A
Part of subcall function 0043BA80: EnumThreadWindows.USER32(00000000,Function_0003BA1C,00000000), ref: 0043BAA0

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000097), ref: 0044285A
SetActiveWindow.USER32(00000000), ref: 00442860
ShowWindow.USER32(00000000,00000001), ref: 004428A2

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F17C, Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 116 Total matches: 33window

Similarity

Total matches: 33
API ID: GetWindowPlacementGetWindowTextIsWindowVisible
String ID: ,$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive$True
API String ID: 41250382-511446200
Opcode ID: 2a93bd2407602c988be198f02ecb64933adb9ffad78aee0f75abc9a1a22a1849
Instruction ID: 8f95e1a452f283c9d6a5f9db166b7f7b6e325fa1ebf04232aa01919826a7e185
Opcode Fuzzy Hash: F5012D8237CECA73DA0AAEC47C00B80D5A5AF63224CC867A14A9D3D1D41ED06009AB4A
Instruction Fuzzy Hash: 8f95e1a452f283c9d6a5f9db166b7f7b6e325fa1ebf04232aa01919826a7e185

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F1D2
GetWindowPlacement.USER32(?,0000002C), ref: 0046F1ED
IsWindowVisible.USER32(?), ref: 0046F258

Part of subcall function 0046F148: GetWindow.USER32(?,00000005), ref: 0046F156
Part of subcall function 0046F148: GetWindow.USER32(00000000,00000002), ref: 0046F164

Strings

,, xrefs: 0046F1E1
Minimized, xrefs: 0046F225
Show/Unactive, xrefs: 0046F239
True, xrefs: 0046F2AA
Maximized, xrefs: 0046F1FD
Normal, xrefs: 0046F211
Normal/Unactive, xrefs: 0046F24D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044D1B0, Relevance: 16.6, APIs: 11, Instructions: 91 Total matches: 309

Similarity

Total matches: 309
API ID: GetWindowLongSetWindowLong$SetProp$IsWindowUnicode
String ID:
API String ID: 2416549522-0
Opcode ID: cc33e88019e13a6bdd1cd1f337bb9aa08043e237bf24f75c2294c70aefb51ea5
Instruction ID: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692
Opcode Fuzzy Hash: 47F09048455D92E9CE316990181BFEB6098AF57F91CE86B0469C2713778E50F079BCC2
Instruction Fuzzy Hash: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692

APIs

IsWindowUnicode.USER32(?), ref: 0044D1CA
SetWindowLongW.USER32(?,000000FC,?), ref: 0044D1E5
GetWindowLongW.USER32(?,000000F0), ref: 0044D1F0
GetWindowLongW.USER32(?,000000F4), ref: 0044D202
SetWindowLongW.USER32(?,000000F4,?), ref: 0044D215
SetWindowLongA.USER32(?,000000FC,?), ref: 0044D22E
GetWindowLongA.USER32(?,000000F0), ref: 0044D239
GetWindowLongA.USER32(?,000000F4), ref: 0044D24B
SetWindowLongA.USER32(?,000000F4,?), ref: 0044D25E
SetPropA.USER32(?,00000000,00000000), ref: 0044D275
SetPropA.USER32(?,00000000,00000000), ref: 0044D28C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00462C84, Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 197 Total matches: 15com

Similarity

Total matches: 15
API ID: CoCreateInstance
String ID: )I$,*I$\)I$l)I$|*I
API String ID: 206711758-730570145
Opcode ID: 8999b16d8999ffb1a836ee872fd39b0ec17270f551e5dbcbb19cdec74f308aa7
Instruction ID: 5b7ba80d8099b44c35cabc3879083aa44c7049928a8bf14f2fd8312944c66e37
Opcode Fuzzy Hash: D1212B50148E6143E69475A53D92FAF11533BAB341E68BA6821DF30396CF01619BBF86
Instruction Fuzzy Hash: 5b7ba80d8099b44c35cabc3879083aa44c7049928a8bf14f2fd8312944c66e37

APIs

CoCreateInstance.OLE32(00492A2C,00000000,00000003,0049296C,00000000), ref: 00462CC9
CoCreateInstance.OLE32(00492A8C,00000000,00000001,00462EC8,00000000), ref: 00462CF4
CoCreateInstance.OLE32(00492A9C,00000000,00000001,0049295C,00000000), ref: 00462D20
CoCreateInstance.OLE32(00492A1C,00000000,00000003,004929AC,00000000), ref: 00462E12

Strings

,*I, xrefs: 00462CC3
l)I, xrefs: 00462CB9
)I, xrefs: 00462E4B
\)I, xrefs: 00462D10
|*I, xrefs: 00462D3C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048485C, Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 185 Total matches: 16networkfile

Similarity

Total matches: 16
API ID: HttpQueryInfoInternetCloseHandleInternetOpenInternetOpenUrlInternetReadFileShellExecute
String ID: 200$Mozilla$open
API String ID: 3970492845-1265730427
Opcode ID: 3dc36a46b375420b33b8be952117d0a4158fa58e722c19be8f44cfd6d7effa21
Instruction ID: c028a43d89851b06b6d8b312316828d3eee8359a726d0fa9a5f52c6647499b4f
Opcode Fuzzy Hash: B0213B401399C252F8372E512C83B9D101FDF82639F8857F197B9396D5EF48400DFA9A
Instruction Fuzzy Hash: c028a43d89851b06b6d8b312316828d3eee8359a726d0fa9a5f52c6647499b4f

APIs

InternetOpenA.WININET(Mozilla,00000001,00000000,00000000,00000000), ref: 0048490C
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,04000000,00000000), ref: 00484944
HttpQueryInfoA.WININET(00000000,00000013,?,00000200,?), ref: 0048497D
InternetReadFile.WININET(00000000,?,00000400,?), ref: 00484A04
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 00484A75
InternetCloseHandle.WININET(00000000), ref: 00484A95

Strings

200, xrefs: 004849BD
Mozilla, xrefs: 00484907
open, xrefs: 00484A6E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A8AC, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 146 Total matches: 45fileprocesssynchronization

Similarity

Total matches: 45
API ID: CloseHandle$CreateFile$CreateProcessWaitForSingleObject
String ID: D
API String ID: 1169714791-2746444292
Opcode ID: 9fb844b51f751657abfdf9935c21911306aa385a3997c9217fbe2ce6b668f812
Instruction ID: 79e473b7fda91be69f4d7f417df14a4c992ec25b9310636d694ca9e09f5cc5b6
Opcode Fuzzy Hash: 4D11E6431384F3F3F1A567002C8275185D6DB45A78E6D9752D6B6323EECB40A16CF94A
Instruction Fuzzy Hash: 79e473b7fda91be69f4d7f417df14a4c992ec25b9310636d694ca9e09f5cc5b6

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000004,00000100,00000000), ref: 0048A953
CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000002,00000100,00000000), ref: 0048A98D
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000110,00000000,00000000,00000044,?), ref: 0048AA10
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0048AA2D
CloseHandle.KERNEL32(00000000), ref: 0048AA68
CloseHandle.KERNEL32(00000000), ref: 0048AA77
CloseHandle.KERNEL32(00000000), ref: 0048AA86
CloseHandle.KERNEL32(00000000), ref: 0048AA95

Strings

D, xrefs: 0048A9BB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F3B8, Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 110 Total matches: 30

Similarity

Total matches: 30
API ID: GetWindowPlacementGetWindowText
String ID: ,$False$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive
API String ID: 3194812178-3661939895
Opcode ID: 6e67ebc189e59b109926b976878c05c5ff8e56a7c2fe83319816f47c7d386b2c
Instruction ID: 05c2a068ec8248d3d24fb73124f2ba0192b7bb261c799db9564259cde8fcc610
Opcode Fuzzy Hash: DC012BC22786CE23E606A9C47A00BD0CE65AFB261CCC867E14FEE3C5D57ED100089B96
Instruction Fuzzy Hash: 05c2a068ec8248d3d24fb73124f2ba0192b7bb261c799db9564259cde8fcc610

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F40E
GetWindowPlacement.USER32(?,0000002C), ref: 0046F429

Part of subcall function 0046F148: GetWindow.USER32(?,00000005), ref: 0046F156
Part of subcall function 0046F148: GetWindow.USER32(00000000,00000002), ref: 0046F164

Strings

Maximized, xrefs: 0046F439
,, xrefs: 0046F41D
False, xrefs: 0046F4D6
Show/Unactive, xrefs: 0046F475
Normal, xrefs: 0046F44D
Minimized, xrefs: 0046F461
Normal/Unactive, xrefs: 0046F489

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043F2B8, Relevance: 15.1, APIs: 10, Instructions: 133 Total matches: 142window

Similarity

Total matches: 142
API ID: GetWindowLongSendMessageSetWindowLong$GetClassLongGetSystemMenuSetClassLongSetWindowPos
String ID:
API String ID: 864553395-0
Opcode ID: 9ab73d602731c043e05f06fe9a833ffc60d2bf7da5b0a21ed43778f35c9aa1f5
Instruction ID: 86e40c6f39a8dd384175e0123e2dc7e82ae64037638b8220b5ac0861a23d6a34
Opcode Fuzzy Hash: B101DBAA1A176361E0912DCCCAC3B2ED50DB743248EB0DBD922E11540E7F4590A7FE2D
Instruction Fuzzy Hash: 86e40c6f39a8dd384175e0123e2dc7e82ae64037638b8220b5ac0861a23d6a34

APIs

GetWindowLongA.USER32(00000000,000000F0), ref: 0043F329
GetWindowLongA.USER32(00000000,000000EC), ref: 0043F33B
GetClassLongA.USER32(00000000,000000E6), ref: 0043F34E
SetWindowLongA.USER32(00000000,000000F0,00000000), ref: 0043F38E
SetWindowLongA.USER32(00000000,000000EC,?), ref: 0043F3A2
SetClassLongA.USER32(00000000,000000E6,?), ref: 0043F3B6
SendMessageA.USER32(00000000,00000080,00000001,00000000), ref: 0043F3F0
SendMessageA.USER32(00000000,00000080,00000001,00000000), ref: 0043F408
GetSystemMenu.USER32(00000000,000000FF), ref: 0043F417
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043F440

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044155C, Relevance: 15.1, APIs: 10, Instructions: 74 Total matches: 3192window

Similarity

Total matches: 3192
API ID: DeleteMenu$EnableMenuItem$GetSystemMenu
String ID:
API String ID: 3542995237-0
Opcode ID: 6b257927fe0fdeada418aad578b82fbca612965c587f2749ccb5523ad42afade
Instruction ID: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578
Opcode Fuzzy Hash: 0AF0D09DD98F1151E6F500410C47B83C08AFF413C5C245B380583217EFA9D25A5BEB0E
Instruction Fuzzy Hash: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 004415A7
DeleteMenu.USER32(00000000,0000F130,00000000), ref: 004415C5
DeleteMenu.USER32(00000000,00000007,00000400), ref: 004415D2
DeleteMenu.USER32(00000000,00000005,00000400), ref: 004415DF
DeleteMenu.USER32(00000000,0000F030,00000000), ref: 004415EC
DeleteMenu.USER32(00000000,0000F020,00000000), ref: 004415F9
DeleteMenu.USER32(00000000,0000F000,00000000), ref: 00441606
DeleteMenu.USER32(00000000,0000F120,00000000), ref: 00441613
EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 00441631
EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 0044164D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00451458, Relevance: 13.6, APIs: 9, Instructions: 122 Total matches: 3040window

Similarity

Total matches: 3040
API ID: PatBlt$SelectObject$GetDCExGetDesktopWindowReleaseDC
String ID:
API String ID: 2402848322-0
Opcode ID: 0b1cd19b0e82695ca21d43bacf455c9985e1afa33c1b29ce2f3a7090b744ccb2
Instruction ID: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593
Opcode Fuzzy Hash: C2F0B4482AADF707C8B6350915C7F79224AED736458F4BB694DB4172CBAF27B014D093
Instruction Fuzzy Hash: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593

APIs

GetDesktopWindow.USER32 ref: 0045148F
GetDCEx.USER32(?,00000000,00000402), ref: 004514A2

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

SelectObject.GDI32(?,00000000), ref: 004514C5
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 004514EB
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0045150D
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 0045152C
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 00451546
SelectObject.GDI32(?,?), ref: 00451553
ReleaseDC.USER32(?,?), ref: 0045156D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00465598, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 194 Total matches: 72libraryloader

Similarity

Total matches: 72
API ID: GetProcAddress$IsBadReadPtrLoadLibrary
String ID: BuildImportTable: GetProcAddress failed$BuildImportTable: ReallocMemory failed$BuildImportTable: can't load library:
API String ID: 1616315271-1384308123
Opcode ID: eb45955122e677bac4d3e7b6686ec9cba9f45ae3ef48f3e0b242e9a0c3719a7c
Instruction ID: d25742ef4bc1d51b96969838743a3f95180d575e7d72d5f7fe617812cb4009d6
Opcode Fuzzy Hash: 0B214C420345E0D3ED39A2081CC7FB15345EF639B4D88AB671ABB667FA2985500AF50D
Instruction Fuzzy Hash: d25742ef4bc1d51b96969838743a3f95180d575e7d72d5f7fe617812cb4009d6

APIs

LoadLibraryA.KERNEL32(00000000), ref: 00465607
GetProcAddress.KERNEL32(?,?), ref: 00465737
GetProcAddress.KERNEL32(?,?), ref: 0046576B
IsBadReadPtr.KERNEL32(?,00000014,00000000,004657D8), ref: 004657A9

Strings

BuildImportTable: can't load library: , xrefs: 00465644
BuildImportTable: ReallocMemory failed, xrefs: 0046568D
BuildImportTable: GetProcAddress failed, xrefs: 0046577C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482E34, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 193 Total matches: 16sleepthread

Similarity

Total matches: 16
API ID: Sleep$CreateThreadExitThread
String ID: .255$127.0.0.1$LanList
API String ID: 1155887905-2919614961
Opcode ID: f9aceb7697053a60f8f2203743265727de6b3c16a25ac160ebf033b594fe70c2
Instruction ID: 67bc21a589158fc7afeef0b5d02271f7d18e2bfc14a4273c93325a5ef21c2c98
Opcode Fuzzy Hash: 62215C820F87955EED616C807C41FA701315FB7649D4FAB622A6B3A1A74E032016B743
Instruction Fuzzy Hash: 67bc21a589158fc7afeef0b5d02271f7d18e2bfc14a4273c93325a5ef21c2c98

APIs

ExitThread.KERNEL32(00000000,00000000,004830D3,?,?,?,?,00000000,00000000), ref: 004830A6

Part of subcall function 00473208: socket.WSOCK32(00000002,00000001,00000000,00000000,00473339), ref: 0047323B
Part of subcall function 00473208: WSAIoctl.WS2_32(000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000), ref: 0047327C
Part of subcall function 00473208: inet_ntoa.WSOCK32(?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000), ref: 004732AC
Part of subcall function 00473208: inet_ntoa.WSOCK32(?,?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001), ref: 004732E8
Part of subcall function 00473208: closesocket.WSOCK32(000000FF,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000,00000000,00473339), ref: 00473319

CreateThread.KERNEL32(00000000,00000000,Function_00082CDC,?,00000000,?), ref: 00483005
Sleep.KERNEL32(00000032,00000000,00000000,Function_00082CDC,?,00000000,?,?,00000000,00000000,00483104,?,00483104,?,00483104,?), ref: 0048300C
Sleep.KERNEL32(00000064,.255,?,00483104,?,00483104,?,?,00000000,004830D3,?,?,?,?,00000000,00000000), ref: 00483054

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

127.0.0.1, xrefs: 00482E9D
LanList, xrefs: 0048306B
.255, xrefs: 0048303C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004117E8, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: f440f800a6dcfa6827f62dcd7c23166eba4d720ac19948e634cff8498f9e3f0b
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 4D113503239AAB83B0257B804C83F24D1D0DE42D36ACD97B8C672693F32601561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00411881
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041189D
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 004118D6
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411953
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0041196C
VariantCopy.OLEAUT32(?), ref: 004119A1

Strings

, xrefs: 00411802

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00454934, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 134 Total matches: 1764registry

Similarity

Total matches: 1764
API ID: GetWindowLong$GetClassInfoRegisterClassSetWindowLongUnregisterClass
String ID: @
API String ID: 2433521760-2766056989
Opcode ID: bb057d11bcffa2997f58ae607b8aec9f6d517787b85221cca69b6bc40098651c
Instruction ID: 4013627ed433dbc6b152acdb164a0da3d29e3622e0b68fd627badcaca3a3b516
Opcode Fuzzy Hash: 5A119C80560CD237E7D669A4B48378513749F97B7CDD0536B63F6242DA4E00402DF96E
Instruction Fuzzy Hash: 4013627ed433dbc6b152acdb164a0da3d29e3622e0b68fd627badcaca3a3b516

APIs

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetClassInfoA.USER32(?,?,?), ref: 004549F8
UnregisterClassA.USER32(?,?), ref: 00454A20
RegisterClassA.USER32(?), ref: 00454A36
GetWindowLongA.USER32(00000000,000000F0), ref: 00454A72
GetWindowLongA.USER32(00000000,000000F4), ref: 00454A87
SetWindowLongA.USER32(00000000,000000F4,00000000), ref: 00454A9A

Part of subcall function 00458910: IsIconic.USER32(?), ref: 0045891F
Part of subcall function 00458910: GetWindowPlacement.USER32(?,0000002C), ref: 0045893C
Part of subcall function 00458910: GetWindowRect.USER32(?), ref: 00458955
Part of subcall function 00458910: GetWindowLongA.USER32(?,000000F0), ref: 00458963
Part of subcall function 00458910: GetWindowLongA.USER32(?,000000F8), ref: 00458978
Part of subcall function 00458910: ScreenToClient.USER32(00000000), ref: 00458985
Part of subcall function 00458910: ScreenToClient.USER32(00000000,?), ref: 00458990

Part of subcall function 0042473C: CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,00424930,?,00000000,00424958), ref: 0042486B
Part of subcall function 0042473C: CreateFontIndirectA.GDI32(?), ref: 0042490D

Part of subcall function 0040F26C: GetLastError.KERNEL32(0040F31C,?,0041BBC3,?), ref: 0040F26C

Strings

@, xrefs: 0045496D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AC14, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 110 Total matches: 30

Similarity

Total matches: 30
API ID: GetCurrentProcessGetTokenInformationLookupPrivilegeDisplayNameLookupPrivilegeNameOpenProcessToken
String ID: GetTokenInformation error$OpenProcessToken error
API String ID: 34442935-1842041635
Opcode ID: 07715b92dc7caf9e715539a578f275bcd2bb60a34190f84cc6cf05c55eb8ea49
Instruction ID: 380ab001647c8b3903b6034fc21424389ae21c1771cfbd9cf9b74ae493e33b6b
Opcode Fuzzy Hash: 9101994303ACF753F62929086842BDA0550DF534A5EC4AB6281746BEC90F28203AFB57
Instruction Fuzzy Hash: 380ab001647c8b3903b6034fc21424389ae21c1771cfbd9cf9b74ae493e33b6b

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AD60), ref: 0048AC51
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AD60), ref: 0048AC57
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000320,?,00000000,00000028,?,00000000,0048AD60), ref: 0048AC7D
LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,00000000,000000FF,?), ref: 0048ACEE

Part of subcall function 00489B40: MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00489B84

LookupPrivilegeNameA.ADVAPI32(00000000,?,00000000,000000FF), ref: 0048ACDD

Strings

GetTokenInformation error, xrefs: 0048AC86
OpenProcessToken error, xrefs: 0048AC60

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0041F7B4, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109 Total matches: 16thread

Similarity

Total matches: 16
API ID: EnterCriticalSectionGetCurrentThreadId$InterlockedExchangeLeaveCriticalSection
String ID: 4PI
API String ID: 853095497-1771581502
Opcode ID: e7ac2c5012fa839d146893c0705f22c4635eb548c5d0be0363ce03b581d14a20
Instruction ID: e450c16710015a04d827bdf36dba62923dd4328c0a0834b889eda6f9c026b195
Opcode Fuzzy Hash: 46F0268206D8F1379472678830D77370A8AC33154EC85EB52162C376EB1D05D05DE75B
Instruction Fuzzy Hash: e450c16710015a04d827bdf36dba62923dd4328c0a0834b889eda6f9c026b195

APIs

GetCurrentThreadId.KERNEL32 ref: 0041F7BF
GetCurrentThreadId.KERNEL32 ref: 0041F7CE
EnterCriticalSection.KERNEL32(004999D0,0041F904,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F8F7

Part of subcall function 0041F774: WaitForSingleObject.KERNEL32(000000EC), ref: 0041F77E

Part of subcall function 0041F768: ResetEvent.KERNEL32(000000EC,0041F809), ref: 0041F76E

EnterCriticalSection.KERNEL32(004999D0), ref: 0041F813
InterlockedExchange.KERNEL32(00491B2C,?), ref: 0041F82F
LeaveCriticalSection.KERNEL32(004999D0,00000000,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F888

Strings

4PI, xrefs: 0041F7C4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00449834, Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 80 Total matches: 16libraryloader

Similarity

Total matches: 16
API ID: GetModuleHandleGetProcAddressImageList_Write
String ID: $qA$ImageList_WriteEx$[FILE]$[FILE]
API String ID: 3028349119-1134023085
Opcode ID: 9b6b780f1487285524870f905d0420896c1378cf45dbecae2d97141bf0e14d48
Instruction ID: 043155abd17610354dead4f4dd3580dd0e6203469d1d2f069e389e4af6e4a666
Opcode Fuzzy Hash: 29F059C6A0CCF14AE7175584B0AB66107F0BB9DD5F8C87710081C710A90F95A13DFB56
Instruction Fuzzy Hash: 043155abd17610354dead4f4dd3580dd0e6203469d1d2f069e389e4af6e4a666

APIs

ImageList_Write.COMCTL32(00000000,?,00000000,0044992E), ref: 004498F8

Part of subcall function 0040E3A4: GetFileVersionInfoSizeA.VERSION(00000000,?,00000000,0040E47A), ref: 0040E3E6
Part of subcall function 0040E3A4: GetFileVersionInfoA.VERSION(00000000,?,00000000,?,00000000,0040E45D,?,00000000,?,00000000,0040E47A), ref: 0040E41B
Part of subcall function 0040E3A4: VerQueryValueA.VERSION(?,0040E48C,?,?,00000000,?,00000000,?,00000000,0040E45D,?,00000000,?,00000000,0040E47A), ref: 0040E435

GetModuleHandleA.KERNEL32(comctl32.dll), ref: 00449868
GetProcAddress.KERNEL32(00000000,ImageList_WriteEx,comctl32.dll), ref: 00449879

Strings

comctl32.dll, xrefs: 00449863
ImageList_WriteEx, xrefs: 00449873
$qA, xrefs: 004498D4, 00449909
comctl32.dll, xrefs: 00449848

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E574, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 68 Total matches: 14string

Similarity

Total matches: 14
API ID: GetSystemMetrics$SystemParametersInfolstrcpy
String ID: DISPLAY$GetMonitorInfoA$tB
API String ID: 920390751-4256241499
Opcode ID: 9a94b6fb1edcb78a0c9a66795ebd84d1eeb67d07ab6805deb2fcd0b49b846e84
Instruction ID: eda70eb6c6723b3d8ed12733fddff3b40501d2063d2ec80ebb02aba850291404
Opcode Fuzzy Hash: 78E068C132298081B86A31013160F42129039E7E17E883BC1D4F77056B8B8275651D08
Instruction Fuzzy Hash: eda70eb6c6723b3d8ed12733fddff3b40501d2063d2ec80ebb02aba850291404

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042E5CC
GetSystemMetrics.USER32(00000000), ref: 0042E5E1
GetSystemMetrics.USER32(00000001), ref: 0042E5EC
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0042E616

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

GetMonitorInfoA, xrefs: 0042E58C
tB, xrefs: 0042E591, 0042E59E, 0042E5A5
DISPLAY, xrefs: 0042E60D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004052FC, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38 Total matches: 3072filewindow

Similarity

Total matches: 3072
API ID: GetStdHandleWriteFile$MessageBox
String ID: Error$Runtime error at 00000000
API String ID: 877302783-2970929446
Opcode ID: a2f2a555d5de0ed3a3cdfe8a362fd9574088acc3a5edf2b323f2c4251b80d146
Instruction ID: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97
Opcode Fuzzy Hash: FED0A7C68438479FA141326030C4B2A00133F0762A9CC7396366CB51DFCF4954BCDD05
Instruction Fuzzy Hash: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405335
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 0040533B
GetStdHandle.KERNEL32(000000F5,00405384,00000002,?,00000000,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405350
WriteFile.KERNEL32(00000000,000000F5,00405384,00000002,?), ref: 00405356
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00405374

Strings

Error, xrefs: 00405368
Runtime error at 00000000, xrefs: 0040532E, 0040536D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00442C9C, Relevance: 12.2, APIs: 8, Instructions: 154 Total matches: 2310window

Similarity

Total matches: 2310
API ID: SendMessage$GetActiveWindowGetCapture$ReleaseCapture
String ID:
API String ID: 3360342259-0
Opcode ID: 2e7a3c9d637816ea08647afd4d8ce4a3829e05fa187c32cef18f4a4206af3d5d
Instruction ID: f313f7327938110f0d474da6a120560d1e1833014bacf3192a9076ddb3ef11f7
Opcode Fuzzy Hash: 8F1150111E8E7417F8A3A1C8349BB23A067F74FA59CC0BF71479A610D557588869D707
Instruction Fuzzy Hash: f313f7327938110f0d474da6a120560d1e1833014bacf3192a9076ddb3ef11f7

APIs

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetCapture.USER32 ref: 00442D0D
GetCapture.USER32 ref: 00442D1C
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00442D22
ReleaseCapture.USER32 ref: 00442D27
GetActiveWindow.USER32 ref: 00442D78

Part of subcall function 004442A8: GetCursorPos.USER32 ref: 004442C3
Part of subcall function 004442A8: WindowFromPoint.USER32(?,?), ref: 004442D0
Part of subcall function 004442A8: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004442DE
Part of subcall function 004442A8: GetCurrentThreadId.KERNEL32(00000000,00000000,?,?), ref: 004442E5
Part of subcall function 004442A8: SendMessageA.USER32(00000000,00000084,00000000,?), ref: 0044430E
Part of subcall function 004442A8: SendMessageA.USER32(00000000,00000020,00000000,?), ref: 00444320
Part of subcall function 004442A8: SetCursor.USER32(00000000), ref: 00444332

Part of subcall function 0043B920: GetCurrentThreadId.KERNEL32(0043B8D0,00000000,00000000,0043B993,?,00000000,0043B9D1), ref: 0043B976
Part of subcall function 0043B920: EnumThreadWindows.USER32(00000000,0043B8D0,00000000), ref: 0043B97C

SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00442E0E
SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00442E7B
GetActiveWindow.USER32 ref: 00442E8A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E0DC, Relevance: 12.1, APIs: 8, Instructions: 100 Total matches: 31registry

Similarity

Total matches: 31
API ID: RegOpenKeyEx$RegCloseKeyRegDeleteValue
String ID:
API String ID: 2702562355-0
Opcode ID: ff1bffc0fc9da49c543c68ea8f8c068e074332158ed00d7e0855fec77d15ce10
Instruction ID: bb6f8a9e936068d281b70d3ea2ea02ff1a791729bc38357734c580253c916b5c
Opcode Fuzzy Hash: 00F0AD0155E9A353EBF654C41E127DB2082FF43A44D08FFB50392139D3DF581028E663
Instruction Fuzzy Hash: bb6f8a9e936068d281b70d3ea2ea02ff1a791729bc38357734c580253c916b5c

APIs

RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?,00000000,0046E238), ref: 0046E15A
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,000F003F,?,0046E23F,80000000,00000000,00000000,000F003F,?,00000000,0046E238), ref: 0046E17D
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,0046E23F,80000000,00000000,00000000,000F003F,?), ref: 0046E19D
RegOpenKeyExA.ADVAPI32(80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,0046E23F), ref: 0046E1BD
RegOpenKeyExA.ADVAPI32(80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001), ref: 0046E1DD
RegOpenKeyExA.ADVAPI32(80000006,00000000,00000000,000F003F,?,80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002), ref: 0046E1FD
RegDeleteValueA.ADVAPI32(?,00000000,00000000,0046E238), ref: 0046E20F
RegCloseKey.ADVAPI32(?,?,00000000,00000000,0046E238), ref: 0046E218

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446524, Relevance: 10.6, APIs: 7, Instructions: 105 Total matches: 329window

Similarity

Total matches: 329
API ID: PeekMessage$DispatchMessage$IsWindowUnicodeTranslateMessage
String ID:
API String ID: 94033680-0
Opcode ID: 72d0e2097018c2d171db36cd9dd5c7d628984fd68ad100676ade8b40d7967d7f
Instruction ID: b3581f7210794b57d406096c46509e1a6dcc6e0b3c60c7d01b5c3c410123a072
Opcode Fuzzy Hash: A2F0F642161A8221F90E364651E2FC06559E31F39CCD1D3871165A4192DF8573D6F95C
Instruction Fuzzy Hash: b3581f7210794b57d406096c46509e1a6dcc6e0b3c60c7d01b5c3c410123a072

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00446538
IsWindowUnicode.USER32 ref: 0044654C
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0044656D
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00446583

Part of subcall function 00447DD0: GetCapture.USER32 ref: 00447DDA
Part of subcall function 00447DD0: GetParent.USER32(00000000), ref: 00447E08

Part of subcall function 004462A4: TranslateMDISysAccel.USER32(?), ref: 004462E3

Part of subcall function 004462F4: GetCapture.USER32 ref: 0044631A
Part of subcall function 004462F4: GetParent.USER32(00000000), ref: 00446340
Part of subcall function 004462F4: IsWindowUnicode.USER32(00000000), ref: 0044635D
Part of subcall function 004462F4: SendMessageW.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446378
Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446397
Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(00000000), ref: 004463A6
Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(?,?), ref: 004463B4
Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 004463D4

Part of subcall function 0044625C: IsWindowUnicode.USER32(00000000), ref: 00446270
Part of subcall function 0044625C: IsDialogMessageW.USER32(?), ref: 00446281
Part of subcall function 0044625C: IsDialogMessageA.USER32(?,?,00000000,015B8130,00000001,00446607,?,00000000,00000000,00000000,00000001,?,00000000,00000000,00000000,00000000), ref: 00446296

TranslateMessage.USER32 ref: 0044660C
DispatchMessageW.USER32 ref: 00446618
DispatchMessageA.USER32 ref: 00446620

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444344, Relevance: 10.6, APIs: 7, Instructions: 89 Total matches: 2886

Similarity

Total matches: 2886
API ID: CreateFontIndirect$GetStockObjectSystemParametersInfo
String ID:
API String ID: 1286667049-0
Opcode ID: beeb678630a8d2ca0f721ed15124802961745e4c56d7c704ecddf8ebfa723626
Instruction ID: b9276e4cea0afd1028da4d528d34847b13dbaab52dc8e94e54053a20ac38a9fc
Opcode Fuzzy Hash: 00F0A4C36341F6F2D8993208742172161E6A74AE78C7CFF62422930ED2661A052EEB4F
Instruction Fuzzy Hash: b9276e4cea0afd1028da4d528d34847b13dbaab52dc8e94e54053a20ac38a9fc

APIs

SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 00444399
CreateFontIndirectA.GDI32(?), ref: 004443A6
GetStockObject.GDI32(0000000D), ref: 004443BC
SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 004443E5
CreateFontIndirectA.GDI32(?), ref: 004443F5
CreateFontIndirectA.GDI32(?), ref: 0044440E

Part of subcall function 00424A5C: MulDiv.KERNEL32(00000000,?,00000048), ref: 00424A69

GetStockObject.GDI32(0000000D), ref: 00444434

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428A00, Relevance: 10.6, APIs: 7, Instructions: 66 Total matches: 3056

Similarity

Total matches: 3056
API ID: SelectObject$CreateCompatibleDCDeleteDCGetDCReleaseDCSetDIBColorTable
String ID:
API String ID: 2399757882-0
Opcode ID: e05996493a4a7703f1d90fd319a439bf5e8e75d5a5d7afaf7582bfea387cb30d
Instruction ID: 90c847b5b2251fbb5b2f14fd0b24f537c214c92e226752d9278a3821f2f40b8f
Opcode Fuzzy Hash: 73E0DF8626D8F38BE435399C15C2BB202EAD763D20D1ABBA1CD712B5DB6B09701CE107
Instruction Fuzzy Hash: 90c847b5b2251fbb5b2f14fd0b24f537c214c92e226752d9278a3821f2f40b8f

APIs

Part of subcall function 004262B4: GetObjectA.GDI32(?,00000004), ref: 004262CB
Part of subcall function 004262B4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 004262EE

GetDC.USER32(00000000), ref: 00428A3E
CreateCompatibleDC.GDI32(?), ref: 00428A4A
SelectObject.GDI32(?), ref: 00428A57
SetDIBColorTable.GDI32(?,00000000,00000000,?), ref: 00428A7B
SelectObject.GDI32(?,?), ref: 00428A95
DeleteDC.GDI32(?), ref: 00428A9E
ReleaseDC.USER32(00000000,?), ref: 00428AA9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00404448, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 49 Total matches: 63registry

Similarity

Total matches: 63
API ID: RegCloseKeyRegOpenKeyExRegQueryValueEx
String ID: &$FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 2249749755-409351
Opcode ID: ab90adbf7b939076b4d26ef1005f34fa32d43ca05e29cbeea890055cc8b783db
Instruction ID: ce62e3bb234767a160e82b0d7d36def6f0e4d1aa0fd43ed305e6d49589b0b3e0
Opcode Fuzzy Hash: 58D02BE10C9A675FB6B071543292B6310A3F72AA8CC0077326DD03A0D64FD26178CF03
Instruction Fuzzy Hash: ce62e3bb234767a160e82b0d7d36def6f0e4d1aa0fd43ed305e6d49589b0b3e0

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040446A
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,&,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040449D
RegCloseKey.ADVAPI32(?,004044C0,00000000,?,00000004,00000000,&,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004044B3

Strings

&, xrefs: 00404476
FPUMaskValue, xrefs: 00404494
SOFTWARE\Borland\Delphi\RTL, xrefs: 00404460

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040F3A4, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 46 Total matches: 17

Similarity

Total matches: 17
API ID: FindResourceLoadResource
String ID: 0PI$DVCLAL
API String ID: 2359726220-2981686760
Opcode ID: 800224e7684f9999f87d4ef9ea60951ae4fbd73f3e4075522447f15a278b71b4
Instruction ID: dff53e867301dc3e22b70d9e69622cb382f13005f1a49077cfe6c5f33cacb54d
Opcode Fuzzy Hash: 8FD0C9D501084285852017F8B253FC7A2AB69DEB19D544BB05EB12D2076F5A613B6A46
Instruction Fuzzy Hash: dff53e867301dc3e22b70d9e69622cb382f13005f1a49077cfe6c5f33cacb54d

APIs

FindResourceA.KERNEL32(00400000,DVCLAL,0000000A), ref: 0040F3C1
LoadResource.KERNEL32(00400000,00000000,00400000,DVCLAL,0000000A), ref: 0040F3CF
FindResourceA.KERNEL32(00400000,DVCLAL,0000000A), ref: 0040F3F3
LoadResource.KERNEL32(00400000,00000000,00400000,DVCLAL,0000000A), ref: 0040F3FA

Strings

0PI, xrefs: 0040F3A8, 0040F3B9, 0040F3C7
DVCLAL, xrefs: 0040F3B4, 0040F3EA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00441160, Relevance: 9.1, APIs: 6, Instructions: 125 Total matches: 196

Similarity

Total matches: 196
API ID: ExcludeClipRectFillRectGetStockObjectRestoreDCSaveDCSetBkColor
String ID:
API String ID: 3049133588-0
Opcode ID: d6019f6cee828ac7391376ab126a0af33bb7a71103bbd3b8d69450c96d22d854
Instruction ID: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c
Opcode Fuzzy Hash: 54012444004F6253F4AB098428E7FA56083F721791CE4FF310786616C34A74615BAA07
Instruction Fuzzy Hash: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c

APIs

Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE

SaveDC.GDI32(?), ref: 004411AD
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00441234
GetStockObject.GDI32(00000004), ref: 00441256
FillRect.USER32(00000000,?,00000000), ref: 0044126F

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(00000000,00000000), ref: 004412BA

Part of subcall function 0042535C: FillRect.USER32(?,00000000,00000000), ref: 00425385

RestoreDC.GDI32(00000000,?), ref: 004412E5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004269DC, Relevance: 9.1, APIs: 6, Instructions: 65 Total matches: 3081window

Similarity

Total matches: 3081
API ID: SelectPalette$CreateCompatibleDCDeleteDCGetDIBitsRealizePalette
String ID:
API String ID: 940258532-0
Opcode ID: c5678bed85b02f593c88b8d4df2de58c18800a354d7fb4845608846d7bc0f30b
Instruction ID: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194
Opcode Fuzzy Hash: BCE0864D058EF36F1875B08C25D267100C0C9A25D0917BB6151282339B8F09B42FE553
Instruction Fuzzy Hash: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194

APIs

Part of subcall function 00426888: GetObjectA.GDI32(?,00000054), ref: 0042689C

CreateCompatibleDC.GDI32(00000000), ref: 004269FE
SelectPalette.GDI32(?,?,00000000), ref: 00426A1F
RealizePalette.GDI32(?), ref: 00426A2B
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 00426A42
SelectPalette.GDI32(?,00000000,00000000), ref: 00426A6A
DeleteDC.GDI32(?), ref: 00426A73

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426210, Relevance: 9.1, APIs: 6, Instructions: 56 Total matches: 3064window

Similarity

Total matches: 3064
API ID: SelectObject$CreateCompatibleDCCreatePaletteDeleteDCGetDIBColorTable
String ID:
API String ID: 2522673167-0
Opcode ID: 8f0861977a40d6dd0df59c1c8ae10ba78c97ad85d117a83679491ebdeecf1838
Instruction ID: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265
Opcode Fuzzy Hash: 23E0CD8BABB4E08A797B9EA40440641D28F874312DF4347525731780E7DE0972EBFD9D
Instruction Fuzzy Hash: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265

APIs

CreateCompatibleDC.GDI32(00000000), ref: 00426229
SelectObject.GDI32(00000000,00000000), ref: 00426232
GetDIBColorTable.GDI32(00000000,00000000,00000100,?), ref: 00426246
SelectObject.GDI32(00000000,00000000), ref: 00426252
DeleteDC.GDI32(00000000), ref: 00426258
CreatePalette.GDI32 ref: 0042629F

Part of subcall function 00426178: GetDC.USER32(00000000), ref: 00426190
Part of subcall function 00426178: GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
Part of subcall function 00426178: ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004258EC, Relevance: 9.0, APIs: 6, Instructions: 43 Total matches: 3205

Similarity

Total matches: 3205
API ID: SetBkColorSetBkMode$SelectObjectUnrealizeObject
String ID:
API String ID: 865388446-0
Opcode ID: ffaa839b37925f52af571f244b4bcc9ec6d09047a190f4aa6a6dd435522a71e3
Instruction ID: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d
Opcode Fuzzy Hash: 04D09E594221F71A98E8058442D7D520586497D532DAF3B51063B173F7F8089A05D9FC
Instruction Fuzzy Hash: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d

APIs

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

UnrealizeObject.GDI32(00000000), ref: 004258F8
SelectObject.GDI32(?,00000000), ref: 0042590A
SetBkColor.GDI32(?,00000000), ref: 0042592D
SetBkMode.GDI32(?,00000002), ref: 00425938

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(?,00000000), ref: 00425953
SetBkMode.GDI32(?,00000001), ref: 0042595E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DA48, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 102 Total matches: 32

Similarity

Total matches: 32
API ID: Netbios
String ID: %.2x-%.2x-%.2x-%.2x-%.2x-%.2x$3$memory allocation failed!
API String ID: 544444789-2654533857
Opcode ID: 22deb5ba4c8dd5858e69645675ac88c4b744798eed5cc2a6ae80ae5365d1f156
Instruction ID: 205d53b38d78d2d0723284a20418f6a6cc2e9f6e34ee92e133a3f4b1a01c78c5
Opcode Fuzzy Hash: FC0145449793E233D2635E086C60F6823228F41731FC96B56863A557DC1F09420EF26F
Instruction Fuzzy Hash: 205d53b38d78d2d0723284a20418f6a6cc2e9f6e34ee92e133a3f4b1a01c78c5

APIs

Netbios.NETAPI32(00000032), ref: 0048DA8A
Netbios.NETAPI32(00000033), ref: 0048DB01

Strings

3, xrefs: 0048DACB
memory allocation failed!, xrefs: 0048DAEB
%.2x-%.2x-%.2x-%.2x-%.2x-%.2x, xrefs: 0048DBA0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043F914, Relevance: 7.7, APIs: 5, Instructions: 174 Total matches: 113window

Similarity

Total matches: 113
API ID: SetMenu$GetMenuSetWindowPos
String ID:
API String ID: 2285096500-0
Opcode ID: d0722823978f30f9d251a310f9061108e88e98677dd122370550f2cde24528f3
Instruction ID: e705ced47481df034b79e2c10a9e9c5239c9913cd23e0c77b7b1ec0a0db802ed
Opcode Fuzzy Hash: 5F118B40961E1266F846164C19EAF1171E6BB9D305CC4E72083E630396BE085027E773
Instruction Fuzzy Hash: e705ced47481df034b79e2c10a9e9c5239c9913cd23e0c77b7b1ec0a0db802ed

APIs

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetMenu.USER32(00000000), ref: 0043FA38
SetMenu.USER32(00000000,00000000), ref: 0043FA55
SetMenu.USER32(00000000,00000000), ref: 0043FA8A
SetMenu.USER32(00000000,00000000), ref: 0043FAA6

Part of subcall function 0043F84C: GetMenu.USER32(00000000), ref: 0043F892
Part of subcall function 0043F84C: SendMessageA.USER32(00000000,00000230,00000000,00000000), ref: 0043F8AA
Part of subcall function 0043F84C: DrawMenuBar.USER32(00000000), ref: 0043F8BB

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043FAED

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004455EC, Relevance: 7.6, APIs: 5, Instructions: 109 Total matches: 230

Similarity

Total matches: 230
API ID: ShowOwnedPopupsShowWindow$EnumWindows
String ID:
API String ID: 1268429734-0
Opcode ID: 27bb45b2951756069d4f131311b8216febb656800ffc3f7147a02f570a82fa35
Instruction ID: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc
Opcode Fuzzy Hash: 70012B5524E87325E2756D54B01C765A2239B0FF08CE6C6654AAE640F75E1E0132F78D
Instruction Fuzzy Hash: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc

APIs

EnumWindows.USER32(00445518,00000000), ref: 00445620
ShowWindow.USER32(?,00000000), ref: 00445655
ShowOwnedPopups.USER32(00000000,?), ref: 00445684
ShowWindow.USER32(?,00000005), ref: 004456EA
ShowOwnedPopups.USER32(00000000,?), ref: 00445719

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426178, Relevance: 7.6, APIs: 5, Instructions: 55 Total matches: 3070window

Similarity

Total matches: 3070
API ID: GetPaletteEntries$GetDCGetDeviceCapsReleaseDC
String ID:
API String ID: 1267235336-0
Opcode ID: 49f91625e0dd571c489fa6fdad89a91e8dd79834746e98589081ca7a3a4fea17
Instruction ID: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836
Opcode Fuzzy Hash: 7CD0C2AA1389DBD6BD6A17842352A4553478983B09D126B32EB0822872850C5039FD1F
Instruction Fuzzy Hash: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836

APIs

GetDC.USER32(00000000), ref: 00426190
GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444B90, Relevance: 7.5, APIs: 5, Instructions: 25 Total matches: 2957synchronizationthread

Similarity

Total matches: 2957
API ID: CloseHandleGetCurrentThreadIdSetEventUnhookWindowsHookExWaitForSingleObject
String ID:
API String ID: 3442057731-0
Opcode ID: bc40a7f740796d43594237fc13166084f8c3b10e9e48d5138e47e82ca7129165
Instruction ID: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1
Opcode Fuzzy Hash: E9C01296B2C9B0C1EC809712340202800B20F8FC590E3DE0509D7363005315D73CD92C
Instruction Fuzzy Hash: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1

APIs

UnhookWindowsHookEx.USER32(00000000), ref: 00444B9F
SetEvent.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBA
GetCurrentThreadId.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBF
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00444BD4
CloseHandle.KERNEL32(00000000), ref: 00444BDF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00487488, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 155 Total matches: 10

Similarity

Total matches: 10
API ID: EnterCriticalSectionLeaveCriticalSectionclosesocket
String ID: FpH
API String ID: 290008508-3698235444
Opcode ID: be6004bcf5111565a748ebf748fe8f94cb6dfae83d2399967abd75ac40b7e6c4
Instruction ID: 3d9c9e21102527a3ccf10666a7ac4716c4c3e43fa569496a7f805cea37bff582
Opcode Fuzzy Hash: 2C11B6219B4656ABDD15ED006C8F38532AE1BABCCAD9A83F2B27F3545E1A0331057292
Instruction Fuzzy Hash: 3d9c9e21102527a3ccf10666a7ac4716c4c3e43fa569496a7f805cea37bff582

APIs

EnterCriticalSection.KERNEL32(0049C3A8,00000000,00487671,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00487016), ref: 004874B5
closesocket.WSOCK32(00000000,FpH,?,?,?,?,0049C3A8,00000000,00487671,?,?,00000000,?,00000000,00000000,00000000), ref: 0048761C
LeaveCriticalSection.KERNEL32(0049C3A8,00487656,00487671,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00487016), ref: 00487649

Strings

FpH, xrefs: 004875BE, 004875C1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040D670, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148 Total matches: 3566thread

Similarity

Total matches: 3566
API ID: GetThreadLocale
String ID: eeee$ggg$yyyy
API String ID: 1366207816-1253427255
Opcode ID: 86fa1fb3c1f239f42422769255d2b4db7643f856ec586a18d45da068e260c20e
Instruction ID: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436
Opcode Fuzzy Hash: 3911BD8712648363D5722818A0D2BE3199C5703CA4EA89742DDB6356EA7F09440BEE6D
Instruction Fuzzy Hash: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436

APIs

GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Strings

eeee, xrefs: 0040D7AE
yyyy, xrefs: 0040D795
ggg, xrefs: 0040D785

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00448CDC, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 128 Total matches: 12

Similarity

Total matches: 12
API ID: ImageList_Draw$ImageList_GetImageCount
String ID: 6B
API String ID: 3589308897-1343726390
Opcode ID: 2690fd2ca55b1b65e67941613c6303a21faec12a0278fdf56c2d44981dc0a60c
Instruction ID: bb1a6af48a08526224ce615e4789a1aefef0bbae6c761038034d4d1812f59c35
Opcode Fuzzy Hash: D8017B814A5DA09FF93335842AE32BB204AE757E4ACCC3FF13684275C78420722BB613
Instruction Fuzzy Hash: bb1a6af48a08526224ce615e4789a1aefef0bbae6c761038034d4d1812f59c35

APIs

ImageList_GetImageCount.COMCTL32(?,?,?,00000000,00448E75), ref: 00448D9D

Part of subcall function 0042535C: FillRect.USER32(?,00000000,00000000), ref: 00425385

ImageList_Draw.COMCTL32(?,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000,00448E75), ref: 00448DDF
ImageList_Draw.COMCTL32(?,00000000,00000000,00000000,00000000,00000010,?,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 00448E0E

Part of subcall function 004488AC: ImageList_Add.COMCTL32(?,00000000,00000000,00000000,0044893E,?,00000000,0044895B), ref: 00448920

Strings

6B, xrefs: 00448D1F, 00448D58

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486094, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 112 Total matches: 15window

Similarity

Total matches: 15
API ID: DispatchMessagePeekMessageTranslateMessage
String ID: @^H
API String ID: 185851025-3554995626
Opcode ID: 2132e19746abd73b79cebe2d4e6b891fdd392e5cfbbdda1538f9754c05474f80
Instruction ID: eb76ea1802a2b415b8915c5eabc8b18207f4e99a378ecd2f436d0820f5175207
Opcode Fuzzy Hash: FF019C4102C7C1D9EE46E4FD3030BC3A454A74A7A6D89A7A03EFD1116A5F8A7116BF2B
Instruction Fuzzy Hash: eb76ea1802a2b415b8915c5eabc8b18207f4e99a378ecd2f436d0820f5175207

APIs

Part of subcall function 00485EAC: shutdown.WSOCK32(00000000,00000002), ref: 00485F0E
Part of subcall function 00485EAC: closesocket.WSOCK32(00000000,00000000,00000002), ref: 00485F19

Part of subcall function 00485F40: socket.WSOCK32(00000002,00000001,00000000,00000000,00486072), ref: 00485F69
Part of subcall function 00485F40: ntohs.WSOCK32(00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485F8F
Part of subcall function 00485F40: inet_addr.WSOCK32(015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FA0
Part of subcall function 00485F40: gethostbyname.WSOCK32(015EAA88,015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FB5
Part of subcall function 00485F40: connect.WSOCK32(00000000,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FD8
Part of subcall function 00485F40: recv.WSOCK32(00000000,0049A3A0,00001FFF,00000000,00000000,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FEF
Part of subcall function 00485F40: recv.WSOCK32(00000000,0049A3A0,00001FFF,00000000,00000000,0049A3A0,00001FFF,00000000,00000000,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000), ref: 0048603F

Part of subcall function 00466AFC: waveInOpen.WINMM(00000094,00000000,?,?,00000000,00010004), ref: 00466B36
Part of subcall function 00466AFC: waveInStart.WINMM(?), ref: 00466B5B

TranslateMessage.USER32(?), ref: 004861CA
DispatchMessageA.USER32(?), ref: 004861D0
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004861DE

Strings

@^H, xrefs: 004860BE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00473448, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 68 Total matches: 15network

Similarity

Total matches: 15
API ID: InternetConnectInternetOpen
String ID: 84G$DCSC
API String ID: 2368555255-1372800958
Opcode ID: 53ce43b2210f5c6ad3b551091bc6b8bee07640da22ed1286f4ed4d69da6ab12a
Instruction ID: e0797c740093838c5f4dac2a7ddd4939bcbe40ebc838de26f806c335dc33f113
Opcode Fuzzy Hash: 1AF0558C09DC81CBED14B5C83C827C7281AB357949E003B91161A372C3DF0A6174FA4F
Instruction Fuzzy Hash: e0797c740093838c5f4dac2a7ddd4939bcbe40ebc838de26f806c335dc33f113

APIs

InternetOpenA.WININET(DCSC,00000000,00000000,00000000,00000000), ref: 00473493
InternetConnectA.WININET(00000000,00000000,00000000,00000000,00000000,00000001,08000000,00000000), ref: 004734D9

Strings

DCSC, xrefs: 0047348E
84G, xrefs: 00473468, 0047350F, 004734AF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043804C, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58 Total matches: 1778window

Similarity

Total matches: 1778
API ID: DrawMenuBarGetMenuItemInfoSetMenuItemInfo
String ID: P
API String ID: 41131186-3110715001
Opcode ID: ea0fd48338f9c30b58f928f856343979a74bbe7af1b6c53973efcbd39561a32d
Instruction ID: eec9c326b6739cd85be96541f469f9b321a478421ae7c7aca53e0c239bd8eefe
Opcode Fuzzy Hash: C8E0C0C1064C1301CCACB4938564F010221FB8B33CDD1D3C051602419A9D0080D4BFFA
Instruction Fuzzy Hash: eec9c326b6739cd85be96541f469f9b321a478421ae7c7aca53e0c239bd8eefe

APIs

GetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 0043809A
SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 004380EC
DrawMenuBar.USER32(00000000), ref: 004380F9

Strings

P, xrefs: 0043808C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474E20, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51 Total matches: 17synchronizationthreadinjection

Similarity

Total matches: 17
API ID: CreateRemoteThreadReadProcessMemoryWaitForSingleObject
String ID: DCPERSFWBP
API String ID: 972516186-2425095734
Opcode ID: c4bd10bfc42c7bc3ca456a767018bd77f736aecaa9343146970cff40bb4593b6
Instruction ID: 075115d4d80338f80b59a5c3f9ea77aa0f3a1cab00edb24ce612801bf173fcc5
Opcode Fuzzy Hash: 63D0A70B97094A56102D348D54027154341A601775EC177E38E36873F719C17051F85E
Instruction Fuzzy Hash: 075115d4d80338f80b59a5c3f9ea77aa0f3a1cab00edb24ce612801bf173fcc5

APIs

Part of subcall function 00474DF0: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,00475328,?,?,00474E3D,DCPERSFWBP,?,?), ref: 00474E06
Part of subcall function 00474DF0: WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,00000000,?,00003000,00000040,?,?,00475328,?,?,00474E3D), ref: 00474E12

CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00474E5E
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00474E6E
ReadProcessMemory.KERNEL32(?,00000000,?,?,?,DCPERSFWBP,?,?), ref: 00474E81

Strings

DCPERSFWBP, xrefs: 00474E28

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C3E4, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47 Total matches: 32libraryloader

Similarity

Total matches: 32
API ID: FreeLibraryGetProcAddressLoadLibrary
String ID: _DCEntryPoint
API String ID: 2438569322-2130044969
Opcode ID: ab6be07d423f29e2cef18b5ad5ff21cef58c0bd0bd6b8b884c8bb9d8d911d098
Instruction ID: 3cba8b520013dd4b177f9c32272ffd10ecf318a20762e1e9fa694429cf7511db
Opcode Fuzzy Hash: B9D0C2568747D413C405200439407D90CF1AF8719F9967FA145303FAD76F09801B7527
Instruction Fuzzy Hash: 3cba8b520013dd4b177f9c32272ffd10ecf318a20762e1e9fa694429cf7511db

APIs

LoadLibraryA.KERNEL32(00000000), ref: 0048C431
GetProcAddress.KERNEL32(00000000,_DCEntryPoint,00000000,0048C473), ref: 0048C442
FreeLibrary.KERNEL32(00000000), ref: 0048C44A

Strings

_DCEntryPoint, xrefs: 0048C43C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00431584, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43 Total matches: 12clipboard

Similarity

Total matches: 12
API ID: GetClipboardDataGlobalLockGlobalUnlock
String ID: 3 H
API String ID: 1112492702-888106971
Opcode ID: 013a2f41e22a5f88135e53f1f30c1b54f125933eea5d15d528f5d163d4797a42
Instruction ID: db876d1a574ac817b8a3991f0ba770b49a36090bd3b886d1e57eba999d76a536
Opcode Fuzzy Hash: 53D0A7C3025DE267E991578C0053A92A6C0D8416087C063B0830C2E927031E50AB7063
Instruction Fuzzy Hash: db876d1a574ac817b8a3991f0ba770b49a36090bd3b886d1e57eba999d76a536

APIs

GetClipboardData.USER32(00000001), ref: 0043159A
GlobalLock.KERNEL32(00000000,00000000,004315F6), ref: 004315BA
GlobalUnlock.KERNEL32(00000000,004315FD), ref: 004315E8

Strings

3 H, xrefs: 00431590, 004315ED

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046D36C, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36 Total matches: 62

Similarity

Total matches: 62
API ID: ShellExecute
String ID: /k $[FILE]$open
API String ID: 2101921698-3009165984
Opcode ID: 68a05d7cd04e1a973318a0f22a03b327e58ffdc8906febc8617c9713a9b295c3
Instruction ID: d64fb813625eb261c687c2654e5203d30067de4ace02db37851750b48dd66fbf
Opcode Fuzzy Hash: FED0C75427CD9157FA017F8439527E61057E747281D481BE285587A0838F8D40659312
Instruction Fuzzy Hash: d64fb813625eb261c687c2654e5203d30067de4ace02db37851750b48dd66fbf

APIs

ShellExecuteA.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0046D3B9

Strings

/k , xrefs: 0046D39A
cmd.exe, xrefs: 0046D3AD
open, xrefs: 0046D3B2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042F9E4, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36 Total matches: 35libraryloader

Similarity

Total matches: 35
API ID: GetProcAddressLoadLibrary
String ID: DWMAPI.DLL$DwmExtendFrameIntoClientArea
API String ID: 3291547091-2956373744
Opcode ID: cc41b93bac7ef77e5c5829331b5f2d91e10911707bc9e4b3bb75284856726923
Instruction ID: 611aa7263024d751f308fb3d57e5af9092bc5a71ac2d52dead79affe02cb0da7
Opcode Fuzzy Hash: D0D0A7E4C08511B0F0509405703078241DE1BC5EEE8860E90150E533621B9FB827F65C
Instruction Fuzzy Hash: 611aa7263024d751f308fb3d57e5af9092bc5a71ac2d52dead79affe02cb0da7

APIs

LoadLibraryA.KERNEL32(DWMAPI.DLL), ref: 0042FA0E
GetProcAddress.KERNEL32(00000000,DwmExtendFrameIntoClientArea,?,?,?,00447F98), ref: 0042FA31

Strings

DWMAPI.DLL, xrefs: 0042FA09
DwmExtendFrameIntoClientArea, xrefs: 0042FA26

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042FA80, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31 Total matches: 41libraryloader

Similarity

Total matches: 41
API ID: GetProcAddressLoadLibrary
String ID: DWMAPI.DLL$DwmIsCompositionEnabled
API String ID: 3291547091-2128843254
Opcode ID: 903d86e3198bc805c96c7b960047695f5ec88b3268c29fda1165ed3f3bc36d22
Instruction ID: 6cdb37f6684ca359e010f835ed4616ce0f7732468e0f2b98b5f1960530870703
Opcode Fuzzy Hash: E3D0C9A5C0865175F571D509713068081FA23D6E8A8824998091A123225FAFB866F55C
Instruction Fuzzy Hash: 6cdb37f6684ca359e010f835ed4616ce0f7732468e0f2b98b5f1960530870703

APIs

LoadLibraryA.KERNEL32(DWMAPI.DLL), ref: 0042FAA6
GetProcAddress.KERNEL32(00000000,DwmIsCompositionEnabled,?,?,0042FB22,?,00447EFB), ref: 0042FAC9

Strings

DwmIsCompositionEnabled, xrefs: 0042FABE
DWMAPI.DLL, xrefs: 0042FAA1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00411444, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: 954335058d5fe722e048a186d9110509c96c1379a47649d8646f5b9e1a2e0a0b
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: 9D014B0327CAAA867021BB004882FA0D2D4DE52A369CD8774DB71593F62780571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004114F3
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041150F
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411586
VariantClear.OLEAUT32(?), ref: 004115AF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040D8AA, Relevance: 6.1, APIs: 4, Instructions: 101 Total matches: 2563

Similarity

Total matches: 2563
API ID: GetModuleFileName$LoadStringVirtualQuery
String ID:
API String ID: 2941097594-0
Opcode ID: 9f707685a8ca2ccbfc71ad53c7f9b5a8f910bda01de382648e3a286d4dcbad8b
Instruction ID: 9b6f9daabaaed01363acd1bc6df000eeaee8c5b1ee04e659690c8b100997f9f3
Opcode Fuzzy Hash: 4C014C024365E386F4234B112882F5492E0DB65DB1E8C6751EFB9503F65F40115EF72D
Instruction Fuzzy Hash: 9b6f9daabaaed01363acd1bc6df000eeaee8c5b1ee04e659690c8b100997f9f3

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040D8C9
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040D8ED
GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040D908
LoadStringA.USER32(00000000,0000FFED,?,00000100), ref: 0040D99E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00470B94, Relevance: 6.1, APIs: 4, Instructions: 73 Total matches: 22file

Similarity

Total matches: 22
API ID: DragQueryFile$GlobalLockGlobalUnlock
String ID:
API String ID: 367920443-0
Opcode ID: 498cda1e803d17a6f5118466ea9165dd9226bd8025a920d397bde98fe09ca515
Instruction ID: b8ae27aaf29c7a970dfd4945759f76c89711bef1c6f8db22077be54f479f9734
Opcode Fuzzy Hash: F8F05C830F79E26BD5013A844E0179401A17B03DB8F147BB2D232729DC4E5D409DF60F
Instruction Fuzzy Hash: b8ae27aaf29c7a970dfd4945759f76c89711bef1c6f8db22077be54f479f9734

APIs

Part of subcall function 00431970: GetClipboardData.USER32(00000000), ref: 00431996

GlobalLock.KERNEL32(00000000,00000000,00470C74), ref: 00470BDE
DragQueryFileA.SHELL32(?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470BF0
DragQueryFileA.SHELL32(?,00000000,?,00000105,?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470C10
GlobalUnlock.KERNEL32(00000000,?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470C56

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00438710, Relevance: 6.1, APIs: 4, Instructions: 72 Total matches: 3034window

Similarity

Total matches: 3034
API ID: GetMenuItemIDGetMenuStateGetMenuStringGetSubMenu
String ID:
API String ID: 4177512249-0
Opcode ID: ecc45265f1f2dfcabc36b66648e37788e83d83d46efca9de613be41cbe9cf08e
Instruction ID: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d
Opcode Fuzzy Hash: BEE020084B1FC552541F0A4A1573F019140E142CB69C3F3635127565B31A255213F776
Instruction Fuzzy Hash: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d

APIs

GetMenuState.USER32(?,?,?), ref: 00438733
GetSubMenu.USER32(?,?), ref: 0043873E
GetMenuItemID.USER32(?,?), ref: 00438757
GetMenuStringA.USER32(?,?,?,?,?), ref: 004387AA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00445518, Relevance: 6.1, APIs: 4, Instructions: 71 Total matches: 218threadwindow

Similarity

Total matches: 218
API ID: GetCurrentProcessIdGetWindowGetWindowThreadProcessIdIsWindowVisible
String ID:
API String ID: 3659984437-0
Opcode ID: 6a2b99e3a66d445235cbeb6ae27631a3038d73fb4110980a8511166327fee1f0
Instruction ID: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8
Opcode Fuzzy Hash: 82E0AB21B2AA28AAE0971541B01939130B3F74ED9ACC0A3626F8594BD92F253809E74F
Instruction Fuzzy Hash: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8

APIs

GetWindow.USER32(?,00000004), ref: 00445528
GetWindowThreadProcessId.USER32(?,?), ref: 00445542
GetCurrentProcessId.KERNEL32(?,00000004), ref: 0044554E
IsWindowVisible.USER32(?), ref: 0044559E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040A3AC, Relevance: 6.0, APIs: 4, Instructions: 40 Total matches: 51time

Similarity

Total matches: 51
API ID: DosDateTimeToFileTimeGetLastErrorLocalFileTimeToFileTimeSetFileTime
String ID:
API String ID: 3095628216-0
Opcode ID: dc7fe683cb9960f76d0248ee31fd3249d04fe76d6d0b465a838fe0f3e66d3351
Instruction ID: c3399427300e97a0bf23ec08d7f996c3ab3c22a86554ee3675cd901d102723b3
Opcode Fuzzy Hash: F2C0803B165157D71F4F7D7C600375011F0D1778230955B614E019718D4E05F01EFD86
Instruction Fuzzy Hash: c3399427300e97a0bf23ec08d7f996c3ab3c22a86554ee3675cd901d102723b3

APIs

DosDateTimeToFileTime.KERNEL32(?,0048C37F,?), ref: 0040A3C9
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0040A3DA
SetFileTime.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3EC
GetLastError.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3F5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B438, Relevance: 6.0, APIs: 4, Instructions: 29 Total matches: 789

Similarity

Total matches: 789
API ID: GetDCGetTextMetricsReleaseDCSelectObject
String ID:
API String ID: 1769665799-0
Opcode ID: db772d9cc67723a7a89e04e615052b16571c955da3e3b2639a45f22e65d23681
Instruction ID: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3
Opcode Fuzzy Hash: DCC02B935A2888C32DE51FC0940084317C8C0E3A248C62212E13D400727F0C007CBFC0
Instruction Fuzzy Hash: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3

APIs

GetDC.USER32(00000000), ref: 0042B441
SelectObject.GDI32(00000000,018A002E), ref: 0042B453
GetTextMetricsA.GDI32(00000000), ref: 0042B45E
ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004629C0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 91 Total matches: 35com

Similarity

Total matches: 35
API ID: CoCreateInstance
String ID: <*I$L*I
API String ID: 206711758-935359969
Opcode ID: 926ebed84de1c4f5a0cff4f8c2e2da7e6b2741b3f47b898da21fef629141a3d9
Instruction ID: fa8d7291222113e0245fa84df17397d490cbd8a09a55d837a8cb9fde22732a4b
Opcode Fuzzy Hash: 79F02EA00A6B5057F502728428413DB0157E74BF09F48EB715253335860F29E22A6903
Instruction Fuzzy Hash: fa8d7291222113e0245fa84df17397d490cbd8a09a55d837a8cb9fde22732a4b

APIs

CoCreateInstance.OLE32(00492A3C,00000000,00000001,0049299C,00000000), ref: 00462A3F

Strings

<*I, xrefs: 00462A39
L*I, xrefs: 00462A60

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004658F4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91 Total matches: 91memory

Similarity

Total matches: 91
API ID: VirtualFreeVirtualProtect
String ID: FinalizeSections: VirtualProtect failed
API String ID: 636303360-3584865983
Opcode ID: eacfc3cf263d000af2bbea4d1e95e0ccf08e91c00f24ffdf9b55ce997f25413f
Instruction ID: a25c5a888a9fda5817e5b780509016ca40cf7ffd1ade20052d4c48f0177e32df
Opcode Fuzzy Hash: 8CF0A7A2164FC596D9E4360D5003B96A44B6BC1369D4857412FFF106F35E46A06B7D4C
Instruction Fuzzy Hash: a25c5a888a9fda5817e5b780509016ca40cf7ffd1ade20052d4c48f0177e32df

APIs

VirtualFree.KERNEL32(?,?,00004000), ref: 00465939
VirtualProtect.KERNEL32(?,?,00000000,?), ref: 004659A5

Strings

FinalizeSections: VirtualProtect failed, xrefs: 004659B3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004889F0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 72 Total matches: 20

Similarity

Total matches: 20
API ID: GetMonitorInfo
String ID: H$MONSIZE
API String ID: 2399315694-578782711
Opcode ID: fcbd22419a9fe211802b34775feeb9b9cd5c1eab3f2b681a58b96c928ed20dcd
Instruction ID: 58dff39716ab95f400833e95f8353658d64ab2bf0589c4ada55bb24297febcec
Opcode Fuzzy Hash: A0F0E957075E9D5BE7326D883C177C042D82342C5AE8EB75741B9329B20D59511DF3C9
Instruction Fuzzy Hash: 58dff39716ab95f400833e95f8353658d64ab2bf0589c4ada55bb24297febcec

APIs

GetMonitorInfoA.USER32(?,00000048), ref: 00488A28

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

H, xrefs: 00488A19
MONSIZE, xrefs: 00488A65

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E408, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44 Total matches: 2190

Similarity

Total matches: 2190
API ID: GetSystemMetrics
String ID: MonitorFromPoint
API String ID: 96882338-1072306578
Opcode ID: 666203dad349f535e62b1e5569e849ebaf95d902ba2aa8f549115cec9aadc9dc
Instruction ID: 9e90a3aeaa9df0e76633c437836624889fea8714b6c2508f44f8acb6986c90e8
Opcode Fuzzy Hash: 72D09540005C404E9427F505302314050862CD7C1444C0A96073728A4B4BC07837E70C
Instruction Fuzzy Hash: 9e90a3aeaa9df0e76633c437836624889fea8714b6c2508f44f8acb6986c90e8

APIs

GetSystemMetrics.USER32(00000000), ref: 0042E456
GetSystemMetrics.USER32(00000001), ref: 0042E468

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

MonitorFromPoint, xrefs: 0042E41A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00422188, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42 Total matches: 16registry

Similarity

Total matches: 16
API ID: RegSetValueEx
String ID: NoControlPanel$tdA
API String ID: 3711155140-1355984343
Opcode ID: 5e8bf8497a5466fff8bc5eb4e146d5dc6a0602752481f5dd4d5504146fb4de3d
Instruction ID: cdf02c1bfc0658aace9b7e9a135c824c3cff313d703079df6a374eed0d2e646e
Opcode Fuzzy Hash: E2D0A75C074881C524D914CC3111E01228593157AA49C3F52875D627F70E00E038DD1E
Instruction Fuzzy Hash: cdf02c1bfc0658aace9b7e9a135c824c3cff313d703079df6a374eed0d2e646e

APIs

RegSetValueExA.ADVAPI32(?,00000000,00000000,00000000,?,?,004724E0,00000000,004724E0), ref: 004221BA

Strings

NoControlPanel, xrefs: 00422188
tdA, xrefs: 004221D0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E258, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39 Total matches: 3131

Similarity

Total matches: 3131
API ID: GetSystemMetrics
String ID: GetSystemMetrics
API String ID: 96882338-96882338
Opcode ID: bbc54e4b5041dfa08de2230ef90e8f32e1264c6e24ec09b97715d86cc98d23e9
Instruction ID: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c
Opcode Fuzzy Hash: B4D0A941986AA908E0AF511971A336358D163D2EA0C8C8362308B329EB5741B520AB01
Instruction Fuzzy Hash: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c

APIs

GetSystemMetrics.USER32(?), ref: 0042E2BA

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

GetSystemMetrics.USER32(?), ref: 0042E280

Strings

GetSystemMetrics, xrefs: 0042E268

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Process Name: 71Docscan0039.exe Analysis ID: 387104

General

Root Process Name:	regdrv.exe
Process MD5:	F6255387376BF9BEF2E38AA57BEA40CE
Total matches:	117
Initial Analysis Report:	Open
Initial sample Analysis ID:	387104
Initial sample SHA 256:	5368B10EF08AF63CACCFBD8A5E72E130514BFE7A08D20BDA053613190F0ED35E
Initial sample name:	71Docscan0039.exe

Similar Executed Functions

Function 004818F8, Relevance: 49.2, APIs: 10, Strings: 18, Instructions: 236 Total matches: 18keyboard

Similarity

Total matches: 18
API ID: GetKeyState$CallNextHookEx$GetKeyboardStateMapVirtualKeyToAscii
String ID: [<-]$[DEL]$[DOWN]$[ESC]$[F1]$[F2]$[F3]$[F4]$[F5]$[F6]$[F7]$[F8]$[INS]$[LEFT]$[NUM_LOCK]$[RIGHT]$[SNAPSHOT]$[UP]
API String ID: 2409940449-52828794
Opcode ID: b9566e8c43a4051c07ac84d60916a303a7beb698efc358184a9cd4bc7b664fbd
Instruction ID: 41c13876561f3d94aafb9dcaf6d0e9d475a0720bb5103e60537e1bfe84b96b73
Opcode Fuzzy Hash: 0731B68AA7159623D437E2D97101B910227BF975D0CC1A3333EDA3CAE99E900114BF25
Instruction Fuzzy Hash: 41c13876561f3d94aafb9dcaf6d0e9d475a0720bb5103e60537e1bfe84b96b73

APIs

CallNextHookEx.USER32(000601F9,00000000,?,?), ref: 00481948

Part of subcall function 004818E0: MapVirtualKeyA.USER32(00000000,00000000), ref: 004818E6

CallNextHookEx.USER32(000601F9,00000000,00000100,?), ref: 0048198C
GetKeyState.USER32(00000014), ref: 00481C4E
GetKeyState.USER32(00000011), ref: 00481C60
GetKeyState.USER32(000000A0), ref: 00481C75
GetKeyState.USER32(000000A1), ref: 00481C8A
GetKeyboardState.USER32(?), ref: 00481CA5
MapVirtualKeyA.USER32(00000000,00000000), ref: 00481CD7
ToAscii.USER32(00000000,00000000,00000000,00000000,?), ref: 00481CDE

Part of subcall function 00481318: ExitThread.KERNEL32(00000000,00000000,00481687,?,00000000,004816C3,?,?,?,?,0000000C,00000000,00000000), ref: 0048135E
Part of subcall function 00481318: CreateThread.KERNEL32(00000000,00000000,Function_000810D4,00000000,00000000,00499F94), ref: 0048162D

CallNextHookEx.USER32(000601F9,00000000,?,?), ref: 00481D3C

Strings

[LEFT], xrefs: 00481C07
[F3], xrefs: 00481B65
[DOWN], xrefs: 00481C2B
[<-], xrefs: 00481B1D
[NUM_LOCK], xrefs: 00481B2F
[RIGHT], xrefs: 00481C19
[F7], xrefs: 00481BAD
[DEL], xrefs: 00481BD1
[UP], xrefs: 00481C3D
[F4], xrefs: 00481B77
[ESC], xrefs: 00481AE7
[F8], xrefs: 00481BBF
[F5], xrefs: 00481B89
[F1], xrefs: 00481B41
[INS], xrefs: 00481BE3
[F6], xrefs: 00481B9B
[SNAPSHOT], xrefs: 00481BF5
[F2], xrefs: 00481B53

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00406C2C, Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184 Total matches: 2899registrystringlibrary

Similarity

Total matches: 2899
API ID: lstrcpyn$LoadLibraryExRegOpenKeyEx$RegQueryValueEx$GetLocaleInfoGetModuleFileNameGetThreadLocaleRegCloseKeylstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 3567661987-2375825460
Opcode ID: a3b1251d448c01bd6f1cc1c42774547fa8a2e6c4aa6bafad0bbf1d0ca6416942
Instruction ID: a303aaa8438224c55303324eb01105260f59544aa3820bfcbc018d52edb30607
Opcode Fuzzy Hash: 7311914307969393E8871B6124157D513A5AF01F30E4A7BF275F0206EABE46110CFA06
Instruction Fuzzy Hash: a303aaa8438224c55303324eb01105260f59544aa3820bfcbc018d52edb30607

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,00400000,004917C0), ref: 00406C48
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,004917C0), ref: 00406C66
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,004917C0), ref: 00406C84
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00406CA2

Part of subcall function 00406A68: GetModuleHandleA.KERNEL32(kernel32.dll,?,00400000,004917C0), ref: 00406A85
Part of subcall function 00406A68: GetProcAddress.KERNEL32(?,GetLongPathNameA,kernel32.dll,?,00400000,004917C0), ref: 00406A9C
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,?,00400000,004917C0), ref: 00406ACC
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B30
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B66
Part of subcall function 00406A68: FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B79
Part of subcall function 00406A68: FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B8B
Part of subcall function 00406A68: lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B97
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000), ref: 00406BCB
Part of subcall function 00406A68: lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00406BD7
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 00406BF9

RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,00406D31,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00406CEB
RegQueryValueExA.ADVAPI32(?,00406E98,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00406D31,?,80000001), ref: 00406D09
RegCloseKey.ADVAPI32(?,00406D38,00000000,?,?,00000000,00406D31,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00406D2B
lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00406D48
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00406D55
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00406D5B
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00406D86
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406DCD
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406DDD
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406E05
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406E15
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00406E3B
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 00406E4B

Strings

Software\Borland\Locales, xrefs: 00406C5C, 00406C7A
Software\Borland\Delphi\Locales, xrefs: 00406C98

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00406D38, Relevance: 15.1, APIs: 10, Instructions: 98 Total matches: 2843stringlibrarythread

Similarity

Total matches: 2843
API ID: lstrcpyn$LoadLibraryEx$GetLocaleInfoGetThreadLocalelstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 2476548892-2375825460
Opcode ID: 37afa4b59127376f4a6833a35b99071d0dffa887068a3353cca0b5e1e5cd2bc3
Instruction ID: 0c520f96d45b86b238466289d2a994e593252e78d5c30d2048b7af96496f657b
Opcode Fuzzy Hash: 4CF0C883479793A7E04B1B422916AC853A4AF00F30F577BE1B970147FE7D1B240CA519
Instruction Fuzzy Hash: 0c520f96d45b86b238466289d2a994e593252e78d5c30d2048b7af96496f657b

APIs

lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00406D48
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00406D55
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00406D5B
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00406D86
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406DCD
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406DDD
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406E05
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406E15
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00406E3B
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 00406E4B

Strings

Software\Borland\Locales, xrefs: 00406C5C, 00406C7A
Software\Borland\Delphi\Locales, xrefs: 00406C98

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AEA8, Relevance: 9.1, APIs: 6, Instructions: 108 Total matches: 122

Similarity

Total matches: 122
API ID: AdjustTokenPrivilegesCloseHandleGetCurrentProcessGetLastErrorLookupPrivilegeValueOpenProcessToken
String ID:
API String ID: 1655903152-0
Opcode ID: c92d68a2c1c5faafb4a28c396f292a277a37f0b40326d7f586547878ef495775
Instruction ID: 5a044237aac15a3989e4021d08b96f5326c338692d3d0e66e444868dbe789150
Opcode Fuzzy Hash: 2CF0468513CAB2E7F879B18C3042FE73458B323244C8437219A903A18E0E59A12CEB13
Instruction Fuzzy Hash: 5a044237aac15a3989e4021d08b96f5326c338692d3d0e66e444868dbe789150

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AEFF
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF05
LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000), ref: 0048AF77
CloseHandle.KERNEL32(?), ref: 0048AF8D
GetLastError.KERNEL32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF9A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DDE0, Relevance: 7.6, APIs: 5, Instructions: 54 Total matches: 153

Similarity

Total matches: 153
API ID: FindResourceFreeResourceLoadResourceLockResourceSizeofResource
String ID:
API String ID: 3885362348-0
Opcode ID: ef8b8e58cde3d28224df1e0c57da641ab2d3d01fa82feb3a30011b4f31433ee9
Instruction ID: 9990bafbf40e834a260b48e1f62370990a3e04654371271e90c167a58edff6a8
Opcode Fuzzy Hash: 08D02B420B5FA197F51656482C813D722876B43386EC42BF2D31A3B2E39F058039F60B
Instruction Fuzzy Hash: 9990bafbf40e834a260b48e1f62370990a3e04654371271e90c167a58edff6a8

APIs

FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 0048DE1A
LoadResource.KERNEL32(00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE24
SizeofResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE2E
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE36
FreeResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00481ED8, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 86 Total matches: 13

Similarity

Total matches: 13
API ID: GetModuleHandleSetWindowsHookEx
String ID: 3 H$dclogs\
API String ID: 987070476-1752027334
Opcode ID: 4b23d8581528a2a1bc1133d8afea0c2915dbad2a911779c2aade704c29555fce
Instruction ID: b2120ba2d2fe5220d185ceeadd256cdd376e4b814eb240eb03e080d2c545ca01
Opcode Fuzzy Hash: 00F0D1DB07A9C683E1A2A4847C42796007D5F07115E8C8BB3473F7A4F64F164026F70A
Instruction Fuzzy Hash: b2120ba2d2fe5220d185ceeadd256cdd376e4b814eb240eb03e080d2c545ca01

APIs

GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00482007,?,?,00000003,00000000,00000000,?,00482033), ref: 00481EFB
SetWindowsHookExA.USER32(0000000D,004818F8,00000000,00000000), ref: 00481F09

Part of subcall function 0048ADCC: SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0048ADF9
Part of subcall function 0048ADCC: SHGetPathFromIDListA.SHELL32(?,?,00000000,0048AE8C,?,?,00000005,?,004856FD,00000000,00485755,?,?,00000005,00000000,00000000), ref: 0048AE09

Part of subcall function 0040A290: GetFileAttributesA.KERNEL32(00000000,?,0048FD09,?,?,00490710,?), ref: 0040A29B

Part of subcall function 00480F70: GetForegroundWindow.USER32 ref: 00480F8F
Part of subcall function 00480F70: GetWindowTextLengthA.USER32(00000000), ref: 00480F9B
Part of subcall function 00480F70: GetWindowTextA.USER32(00000000,00000000,00000001), ref: 00480FB8

Strings

dclogs\, xrefs: 00481F26, 00481F4C, 00481F6E
3 H, xrefs: 00481F16, 00481F23, 00481F30

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047EAEC, Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 149 Total matches: 19windowthread

Similarity

Total matches: 19
API ID: CreateThreadDispatchMessageGetMessageTranslateMessage
String ID: at $,xI$AI$AI$MPI$OFFLINEK$PWD$Unknow
API String ID: 994098336-2744674293
Opcode ID: 9eba81f8e67a9dabaeb5076a6d0005a8d272465a03f2cd78ec5fdf0e8a578f9a
Instruction ID: 2241c7d72abfc068c3e0d2a9a226d44f5f768712d3663902469fbf0e50918cf5
Opcode Fuzzy Hash: E81159DA27FED40AF533B93074417C781661B2B62CE5C53A24E3B38580DE83406A7F06
Instruction Fuzzy Hash: 2241c7d72abfc068c3e0d2a9a226d44f5f768712d3663902469fbf0e50918cf5

APIs

CreateThread.KERNEL32(00000000,00000000,00482028,00000000,00000000,00499F94), ref: 0047EB8D
GetMessageA.USER32(00499F5C,00000000,00000000,00000000), ref: 0047ECBF

Part of subcall function 0040BC98: GetLocalTime.KERNEL32(?), ref: 0040BCA0

Part of subcall function 0040BCC4: GetLocalTime.KERNEL32(?), ref: 0040BCCC

Part of subcall function 0041FA34: GetLastError.KERNEL32(00486514,00000004,0048650C,00000000,0041FADE,?,00499F5C), ref: 0041FA94

Part of subcall function 0041FC40: SetThreadPriority.KERNEL32(?,015CDB28,00499F5C,?,0047EC9E,?,?,?,00000000,00000000,?,0049062B), ref: 0041FC55

Part of subcall function 0041FEF0: ResumeThread.KERNEL32(?,00499F5C,?,0047ECAA,?,?,?,00000000,00000000,?,0049062B), ref: 0041FEF8

TranslateMessage.USER32(00499F5C), ref: 0047ECAD
DispatchMessageA.USER32(00499F5C), ref: 0047ECB3

Strings

OFFLINEK, xrefs: 0047EB61
,xI, xrefs: 0047EC45
AI, xrefs: 0047EB11, 0047EB3E
at , xrefs: 0047EC58
Unknow, xrefs: 0047EC0B
AI, xrefs: 0047EBFA, 0047EC04, 0047EC60
MPI, xrefs: 0047EB9D
PWD, xrefs: 0047EB26

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004458CC, Relevance: 19.9, APIs: 13, Instructions: 386 Total matches: 159window

Similarity

Total matches: 159
API ID: SetFocus$GetFocusIsWindowEnabledPostMessage$GetLastActivePopupIsWindowVisibleSendMessage
String ID:
API String ID: 914620548-0
Opcode ID: 7a550bb8e8bdfffe0a3d884064dd1348bcd58c670023c5df15e5d4cbc78359b7
Instruction ID: ae7cdb1027d949e36366800a998b34cbf022b374fa511ef6be9943eb0d4292bd
Opcode Fuzzy Hash: 79518B4165DF6212E8BB908076A3BE6604BF7C6B9ECC8DF3411D53649B3F44620EE306
Instruction Fuzzy Hash: ae7cdb1027d949e36366800a998b34cbf022b374fa511ef6be9943eb0d4292bd

APIs

Part of subcall function 00445780: SetThreadLocale.KERNEL32(00000400,?,?,?,0044593F,00000000,00445F57), ref: 004457A3

Part of subcall function 00445F90: SetActiveWindow.USER32(?), ref: 00445FB5
Part of subcall function 00445F90: IsWindowEnabled.USER32(00000000), ref: 00445FE1
Part of subcall function 00445F90: SetWindowPos.USER32(?,00000000,00000000,00000000,?,00000000,00000040), ref: 0044602B
Part of subcall function 00445F90: DefWindowProcA.USER32(?,00000112,0000F020,00000000), ref: 00446040

Part of subcall function 00446070: SetActiveWindow.USER32(?), ref: 0044608F
Part of subcall function 00446070: ShowWindow.USER32(00000000,00000009), ref: 004460B4
Part of subcall function 00446070: IsWindowEnabled.USER32(00000000), ref: 004460D3
Part of subcall function 00446070: DefWindowProcA.USER32(?,00000112,0000F120,00000000), ref: 004460EC
Part of subcall function 00446070: SetWindowPos.USER32(?,00000000,00000000,?,?,00445ABE,00000000), ref: 00446132
Part of subcall function 00446070: SetFocus.USER32(00000000), ref: 00446180

Part of subcall function 00445F74: LoadIconA.USER32(00000000,00007F00), ref: 00445F8A

PostMessageA.USER32(?,0000B001,00000000,00000000), ref: 00445BCD

Part of subcall function 00445490: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000213), ref: 004454DE

PostMessageA.USER32(?,0000B000,00000000,00000000), ref: 00445BAB
SendMessageA.USER32(?,?,?,?), ref: 00445C73

Part of subcall function 00405388: FreeLibrary.KERNEL32(00400000,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405410
Part of subcall function 00405388: ExitProcess.KERNEL32(00000000,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405448

Part of subcall function 0044641C: IsWindowEnabled.USER32(00000000), ref: 00446458

IsWindowEnabled.USER32(00000000), ref: 00445D18
IsWindowVisible.USER32(00000000), ref: 00445D2D
GetFocus.USER32 ref: 00445D41
SetFocus.USER32(00000000), ref: 00445D50
SetFocus.USER32(00000000), ref: 00445D6F
IsWindowEnabled.USER32(00000000), ref: 00445DD0
SetFocus.USER32(00000000), ref: 00445DF2
GetLastActivePopup.USER32(?), ref: 00445E0A

Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773

GetFocus.USER32 ref: 00445E4F

Part of subcall function 0043BA80: GetCurrentThreadId.KERNEL32(Function_0003BA1C,00000000,0044283C,00000000,004428BF), ref: 0043BA9A
Part of subcall function 0043BA80: EnumThreadWindows.USER32(00000000,Function_0003BA1C,00000000), ref: 0043BAA0

SetFocus.USER32(00000000), ref: 00445E70

Part of subcall function 00446A88: PostMessageA.USER32(?,0000B01F,00000000,00000000), ref: 00446BA1

Part of subcall function 004466B8: SendMessageA.USER32(?,0000B020,00000001,?), ref: 004466DC

Part of subcall function 0044665C: SendMessageA.USER32(?,0000B020,00000000,?), ref: 0044667E

Part of subcall function 0045D684: SystemParametersInfoA.USER32(00000068,00000000,015E3408,00000000), ref: 0045D6C8
Part of subcall function 0045D684: SendMessageA.USER32(?,?,00000000,00000000), ref: 0045D6DB

Part of subcall function 00445844: DefWindowProcA.USER32(?,?,?,?), ref: 0044586E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004450B4, Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 131 Total matches: 14windowregistry

Similarity

Total matches: 14
API ID: DeleteMenu$GetClassInfoGetSystemMenuRegisterClassSendMessageSetClassLongSetWindowLong
String ID: LPI$PMD
API String ID: 387369179-807424164
Opcode ID: 32fce7ee3e6ac0926511ec3e4f7c98ab685e9b31e2d706daccbfdcda0f6d1d6b
Instruction ID: d56ce0e432135cd6d309e63aa69e29fd16821da0556a9908f65c39b580e9a6e9
Opcode Fuzzy Hash: 5601A6826E8982A2E2E03082381279F408E9F8B745C34A72E50863056EEF4A4178FF06
Instruction Fuzzy Hash: d56ce0e432135cd6d309e63aa69e29fd16821da0556a9908f65c39b580e9a6e9

APIs

Part of subcall function 00421084: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 004210A2

GetClassInfoA.USER32(00400000,00444D50,?), ref: 00445113
RegisterClassA.USER32(004925FC), ref: 0044512B

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

Part of subcall function 0040857C: CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004085BB

SetWindowLongA.USER32(?,000000FC,?), ref: 004451C2
DeleteMenu.USER32(00000000,0000F010,00000000), ref: 00445235

Part of subcall function 00445F74: LoadIconA.USER32(00000000,00007F00), ref: 00445F8A

SendMessageA.USER32(?,00000080,00000001,00000000), ref: 004451E4
SetClassLongA.USER32(?,000000F2,00000000), ref: 004451F7
GetSystemMenu.USER32(?,00000000), ref: 00445202
DeleteMenu.USER32(00000000,0000F030,00000000), ref: 00445211
DeleteMenu.USER32(00000000,0000F000,00000000), ref: 0044521E

Strings

PMD, xrefs: 00445107, 0044519E
LPI, xrefs: 004450DD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045DAE0, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 103 Total matches: 45registrylibraryloader

Similarity

Total matches: 45
API ID: GlobalAddAtom$GetCurrentProcessIdGetCurrentThreadIdGetModuleHandleGetProcAddressRegisterWindowMessage
String ID: AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$USER32
API String ID: 1182141063-1126952177
Opcode ID: f8c647dae10644b7e730f5649d963eb01b1b77fd7d0b633dfddc8baab0ae74fb
Instruction ID: 6dc9b78338348dc7afd8e3f20dad2926db9f0bd5be2625dc934bf3846c6fa984
Opcode Fuzzy Hash: ED0140552F89B147427255E03449BB534B6A707F4B4CA77531B0D3A1F9AE074025FB1E
Instruction Fuzzy Hash: 6dc9b78338348dc7afd8e3f20dad2926db9f0bd5be2625dc934bf3846c6fa984

APIs

GetCurrentProcessId.KERNEL32(?,00000000,0045DC58), ref: 0045DB01
GlobalAddAtomA.KERNEL32(00000000), ref: 0045DB34
GetCurrentThreadId.KERNEL32(?,?,00000000,0045DC58), ref: 0045DB4F
GlobalAddAtomA.KERNEL32(00000000), ref: 0045DB85
RegisterWindowMessageA.USER32(00000000,00000000,?,?,00000000,0045DC58), ref: 0045DB9B

Part of subcall function 00419AB0: InitializeCriticalSection.KERNEL32(004174C8,?,?,0045DBB1,00000000,00000000,?,?,00000000,0045DC58), ref: 00419ACF

Part of subcall function 0045D6E8: SetErrorMode.KERNEL32(00008000), ref: 0045D701
Part of subcall function 0045D6E8: GetModuleHandleA.KERNEL32(USER32,00000000,0045D84E,?,00008000), ref: 0045D725
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,WINNLSEnableIME,USER32,00000000,0045D84E,?,00008000), ref: 0045D732
Part of subcall function 0045D6E8: LoadLibraryA.KERNEL32(imm32.dll), ref: 0045D74E
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D770
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D785
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D79A
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7AF
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7C4
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E), ref: 0045D7D9
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000), ref: 0045D7EE
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext), ref: 0045D803
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext), ref: 0045D818
Part of subcall function 0045D6E8: GetProcAddress.KERNEL32(00000000,ImmNotifyIME,00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus), ref: 0045D82D
Part of subcall function 0045D6E8: SetErrorMode.KERNEL32(?,0045D855,00008000), ref: 0045D848

Part of subcall function 00443B58: GetKeyboardLayout.USER32(00000000), ref: 00443B9D
Part of subcall function 00443B58: GetDC.USER32(00000000), ref: 00443BF2
Part of subcall function 00443B58: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00443BFC
Part of subcall function 00443B58: ReleaseDC.USER32(00000000,00000000), ref: 00443C07

Part of subcall function 00444D60: LoadIconA.USER32(00400000,MAINICON), ref: 00444E57
Part of subcall function 00444D60: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON), ref: 00444E89
Part of subcall function 00444D60: OemToCharA.USER32(?,?), ref: 00444E9C
Part of subcall function 00444D60: CharNextA.USER32(?), ref: 00444EDB
Part of subcall function 00444D60: CharLowerA.USER32(00000000), ref: 00444EE1

GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,?,00000000,0045DC58), ref: 0045DC1F
GetProcAddress.KERNEL32(00000000,AnimateWindow,USER32,00000000,00000000,?,?,00000000,0045DC58), ref: 0045DC30

Strings

Delphi%.8X, xrefs: 0045DB12
ControlOfs%.8X%.8X, xrefs: 0045DB63
AnimateWindow, xrefs: 0045DC2A
USER32, xrefs: 0045DC1A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444D60, Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 135 Total matches: 14window

Similarity

Total matches: 14
API ID: CharLowerCharNextGetModuleFileNameLoadIconOemToChar
String ID: 08B$0PI$8PI$MAINICON$\tA
API String ID: 1282013903-4242882941
Opcode ID: ff2b085099440c5ca1f97a8a9a6e2422089f81c1f58cd04fd4e646ad6fccc634
Instruction ID: 1a7e1b5cc773515fc1e1ce3387cb9199d5a608ac43a7cc09dd1af1e5a3a2e712
Opcode Fuzzy Hash: 76112C42068596E4E03967743814BC96091FB95F3AEB8AB7156F570BE48F418125F31C
Instruction Fuzzy Hash: 1a7e1b5cc773515fc1e1ce3387cb9199d5a608ac43a7cc09dd1af1e5a3a2e712

APIs

LoadIconA.USER32(00400000,MAINICON), ref: 00444E57

Part of subcall function 0042B29C: GetIconInfo.USER32(?,?), ref: 0042B2BD
Part of subcall function 0042B29C: GetObjectA.GDI32(?,00000018,?), ref: 0042B2DE
Part of subcall function 0042B29C: DeleteObject.GDI32(?), ref: 0042B30A
Part of subcall function 0042B29C: DeleteObject.GDI32(?), ref: 0042B313

GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON), ref: 00444E89
OemToCharA.USER32(?,?), ref: 00444E9C
CharNextA.USER32(?), ref: 00444EDB
CharLowerA.USER32(00000000), ref: 00444EE1

Part of subcall function 00421140: GetClassInfoA.USER32(00400000,00421130,?), ref: 00421161
Part of subcall function 00421140: UnregisterClassA.USER32(00421130,00400000), ref: 0042118A
Part of subcall function 00421140: RegisterClassA.USER32(00491B50), ref: 00421194
Part of subcall function 00421140: SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 004211DF

Part of subcall function 004450B4: GetClassInfoA.USER32(00400000,00444D50,?), ref: 00445113
Part of subcall function 004450B4: RegisterClassA.USER32(004925FC), ref: 0044512B
Part of subcall function 004450B4: SetWindowLongA.USER32(?,000000FC,?), ref: 004451C2
Part of subcall function 004450B4: SendMessageA.USER32(?,00000080,00000001,00000000), ref: 004451E4
Part of subcall function 004450B4: SetClassLongA.USER32(?,000000F2,00000000), ref: 004451F7
Part of subcall function 004450B4: GetSystemMenu.USER32(?,00000000), ref: 00445202
Part of subcall function 004450B4: DeleteMenu.USER32(00000000,0000F030,00000000), ref: 00445211
Part of subcall function 004450B4: DeleteMenu.USER32(00000000,0000F000,00000000), ref: 0044521E
Part of subcall function 004450B4: DeleteMenu.USER32(00000000,0000F010,00000000), ref: 00445235

Strings

MAINICON, xrefs: 00444E4A
08B, xrefs: 00444E38
0PI, xrefs: 00444E4F, 00444E81
8PI, xrefs: 00444F14
\tA, xrefs: 00444DBF, 00444DD1, 00444DE3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00481318, Relevance: 16.0, APIs: 2, Strings: 7, Instructions: 241 Total matches: 16thread

Similarity

Total matches: 16
API ID: CreateThreadExitThread
String ID: Bytes ($,xI$:: $:: Clipboard Change : size = $FTPSIZE$FTPUPLOADK$dclogs\
API String ID: 3550501405-4171340091
Opcode ID: 09ac825b311b0dae764bb850de313dcff2ce8638679eaf641d47129c8347c1b6
Instruction ID: 18a29a8180aa3c51a0af157095e3a2943ba53103427a66675ab0ae847ae08d92
Opcode Fuzzy Hash: A8315BC70B99DEDBE522BCD838413A6446E1B4364DD4C1B224B397D4F14F09203AF712
Instruction Fuzzy Hash: 18a29a8180aa3c51a0af157095e3a2943ba53103427a66675ab0ae847ae08d92

APIs

ExitThread.KERNEL32(00000000,00000000,00481687,?,00000000,004816C3,?,?,?,?,0000000C,00000000,00000000), ref: 0048135E

Part of subcall function 00480F70: GetForegroundWindow.USER32 ref: 00480F8F
Part of subcall function 00480F70: GetWindowTextLengthA.USER32(00000000), ref: 00480F9B
Part of subcall function 00480F70: GetWindowTextA.USER32(00000000,00000000,00000001), ref: 00480FB8

Part of subcall function 0048ADCC: SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0048ADF9
Part of subcall function 0048ADCC: SHGetPathFromIDListA.SHELL32(?,?,00000000,0048AE8C,?,?,00000005,?,004856FD,00000000,00485755,?,?,00000005,00000000,00000000), ref: 0048AE09

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

Part of subcall function 0040BCC4: GetLocalTime.KERNEL32(?), ref: 0040BCCC

Part of subcall function 00480FEC: FindFirstFileA.KERNEL32(00000000,?,00000000,0048109E), ref: 0048101E

CreateThread.KERNEL32(00000000,00000000,Function_000810D4,00000000,00000000,00499F94), ref: 0048162D

Strings

FTPUPLOADK, xrefs: 0048159E
,xI, xrefs: 00481482, 0048151D
dclogs\, xrefs: 004813DB, 0048142A, 004815C7
FTPSIZE, xrefs: 004815F1
:: , xrefs: 00481492
Bytes (, xrefs: 0048153F
:: Clipboard Change : size = , xrefs: 0048152D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045F5F8, Relevance: 10.6, APIs: 7, Instructions: 117 Total matches: 462file

Similarity

Total matches: 462
API ID: CloseHandle$CreateFileCreateFileMappingGetFileSizeMapViewOfFileUnmapViewOfFile
String ID:
API String ID: 4232242029-0
Opcode ID: 30b260463d44c6b5450ee73c488d4c98762007a87f67d167b52aaf6bd441c3bf
Instruction ID: 5c790fdba87d6d3a28b45298bdc34f72c373fcd78425af207109af52e92f4d8f
Opcode Fuzzy Hash: 68F028440BCCF3A7F4B5B64820427A1004AAB46B58D54BFA25495374CB89C9B04DFB53
Instruction Fuzzy Hash: 5c790fdba87d6d3a28b45298bdc34f72c373fcd78425af207109af52e92f4d8f

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateFileA.KERNEL32(00000000,80000000,00000003,00000000,00000003,08000080,00000000), ref: 0045F637
CreateFileMappingA.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0045F665
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718,?,?,?,?), ref: 0045F691
GetFileSize.KERNEL32(000000FF,00000000,00000000,0045F6DC,?,00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718), ref: 0045F6B3
UnmapViewOfFile.KERNEL32(00000000,0045F6E3,0045F6DC,?,00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718), ref: 0045F6D6
CloseHandle.KERNEL32(00000000), ref: 0045F6F4
CloseHandle.KERNEL32(000000FF), ref: 0045F712

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AFE8, Relevance: 10.6, APIs: 7, Instructions: 94 Total matches: 34sleep

Similarity

Total matches: 34
API ID: Sleep$GetCurrentProcessGetTokenInformationLookupPrivilegeDisplayNameLookupPrivilegeNameOpenProcessToken
String ID:
API String ID: 2949210484-0
Opcode ID: 1294ace95088db967643d611283e857756515b83d680ef470e886f47612abab4
Instruction ID: 080af5cb768fd98714a9d060fcd45c73de1816ca9ba7ffb4874f351f539571ee
Opcode Fuzzy Hash: F9F0F6524B5DE753F65D2A4C9893BE90250DB03424E806B22857877A8A5E195039FA2A
Instruction Fuzzy Hash: 080af5cb768fd98714a9d060fcd45c73de1816ca9ba7ffb4874f351f539571ee

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048B0F3), ref: 0048B016
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048B0F3), ref: 0048B01C
Sleep.KERNEL32(00000001,00000000,00000028,?,00000000,0048B0F3), ref: 0048B027
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B03C
Sleep.KERNEL32(00000001,?,TokenIntegrityLevel,00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B047
LookupPrivilegeNameA.ADVAPI32(00000000,00000004,00000000,000000FF), ref: 0048B094
LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,?,000000FF,?), ref: 0048B0A8

Part of subcall function 0048AEA8: GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AEFF
Part of subcall function 0048AEA8: OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF05
Part of subcall function 0048AEA8: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
Part of subcall function 0048AEA8: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000), ref: 0048AF77
Part of subcall function 0048AEA8: CloseHandle.KERNEL32(?), ref: 0048AF8D
Part of subcall function 0048AEA8: GetLastError.KERNEL32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF9A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B47C, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58 Total matches: 283

Similarity

Total matches: 283
API ID: MulDiv
String ID: MS Shell Dlg 2$SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes$Tahoma
API String ID: 940359406-1011973972
Opcode ID: 9f338f1e3de2c8e95426f3758bdd42744a67dcd51be80453ed6f2017c850a3af
Instruction ID: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a
Opcode Fuzzy Hash: EDE0680017C8F0ABFC32BC8A30A17CD20C9F341270C0063B1065D3D8CAAB4AC018E907
Instruction Fuzzy Hash: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a

APIs

MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0042B4A2

Part of subcall function 004217A0: RegCloseKey.ADVAPI32(10940000,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5,?,00000000,0048B2DD), ref: 004217B4

Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421A81
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421AF1
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?), ref: 00421B5C

Part of subcall function 00421770: RegFlushKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 00421781
Part of subcall function 00421770: RegCloseKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 0042178A

Part of subcall function 0042B438: GetDC.USER32(00000000), ref: 0042B441
Part of subcall function 0042B438: SelectObject.GDI32(00000000,018A002E), ref: 0042B453
Part of subcall function 0042B438: GetTextMetricsA.GDI32(00000000), ref: 0042B45E
Part of subcall function 0042B438: ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes, xrefs: 0042B4F8
MS Shell Dlg 2, xrefs: 0042B50C
Tahoma, xrefs: 0042B4C4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00480F70, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43 Total matches: 13

Similarity

Total matches: 13
API ID: GetForegroundWindowGetWindowTextGetWindowTextLength
String ID: 3 H
API String ID: 3098183346-888106971
Opcode ID: 38df64794ac19d1a41c58ddb3103a8d6ab7d810f67298610b47d21a238081d5e
Instruction ID: fd1deb06fecc2756381cd848e34cdb6bc2d530e728f99936ce181bacb4a15fce
Opcode Fuzzy Hash: 41D0A785074A821B944A95CC64011E692D4A171281D803B31CB257A5C9ED06001FA82B
Instruction Fuzzy Hash: fd1deb06fecc2756381cd848e34cdb6bc2d530e728f99936ce181bacb4a15fce

APIs

GetForegroundWindow.USER32 ref: 00480F8F
GetWindowTextLengthA.USER32(00000000), ref: 00480F9B
GetWindowTextA.USER32(00000000,00000000,00000001), ref: 00480FB8

Strings

3 H, xrefs: 00480FD4, 00480FA3, 00480FAE, 00480FBF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00421140, Relevance: 6.1, APIs: 4, Instructions: 59 Total matches: 2877registry

Similarity

Total matches: 2877
API ID: GetClassInfoRegisterClassSetWindowLongUnregisterClass
String ID:
API String ID: 1046148194-0
Opcode ID: c2411987b4f71cfd8dbf515c505d6b009a951c89100e7b51cc1a9ad4868d85a2
Instruction ID: ad09bb2cd35af243c34bf0a983bbfa5e937b059beb8f7eacfcf21e0321a204f6
Opcode Fuzzy Hash: 17E026123D08D3D6E68B3107302B30D00AC1B2F524D94E725428030310CB24B034D942
Instruction Fuzzy Hash: ad09bb2cd35af243c34bf0a983bbfa5e937b059beb8f7eacfcf21e0321a204f6

APIs

GetClassInfoA.USER32(00400000,00421130,?), ref: 00421161
UnregisterClassA.USER32(00421130,00400000), ref: 0042118A
RegisterClassA.USER32(00491B50), ref: 00421194

Part of subcall function 0040857C: CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004085BB

Part of subcall function 00421084: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 004210A2

SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 004211DF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00421808, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74 Total matches: 14registry

Similarity

Total matches: 14
API ID: RegCloseKeyRegCreateKeyEx
String ID: ddA
API String ID: 4178925417-2966775115
Opcode ID: 48d059bb8e84bc3192dc11d099b9e0818b120cb04e32a6abfd9049538a466001
Instruction ID: bcac8fa413c5abe8057b39d2fbf4054ffa52545f664d92bf1e259ce37bb87d2b
Opcode Fuzzy Hash: 99E0E5461A86A377B41BB1583001B523267EB167A6C85AB72164D3EADBAA40802DAE53
Instruction Fuzzy Hash: bcac8fa413c5abe8057b39d2fbf4054ffa52545f664d92bf1e259ce37bb87d2b

APIs

RegCreateKeyExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,000F003F,00000000,?,?,00000000,004218D4,?,?,?,00000000), ref: 0042187F
RegCloseKey.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,000F003F,00000000,?,?,00000000,004218D4,?,?,?,00000000), ref: 00421893

Strings

ddA, xrefs: 004218A7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486374, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66 Total matches: 15network

Similarity

Total matches: 15
API ID: send
String ID: #KEEPALIVE#$AI
API String ID: 2809346765-3407633610
Opcode ID: 7bd268bc54a74c8d262fb2d4f92eedc3231c4863c0e0b1ad2c3d318767d32110
Instruction ID: 49a0c3b4463e99ba8d4a2c6ba6a42864ce88c18c059a57f1afd8745127692009
Opcode Fuzzy Hash: 34E068800B79C40B586BB094394371320D2EE1171988473305F003F967CD40501E2E93
Instruction Fuzzy Hash: 49a0c3b4463e99ba8d4a2c6ba6a42864ce88c18c059a57f1afd8745127692009

APIs

send.WSOCK32(?,?,?,00000000,00000000,0048642A), ref: 004863F3

Strings

AI, xrefs: 004863A6
#KEEPALIVE#, xrefs: 00486399

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482028, Relevance: 4.5, APIs: 3, Instructions: 19 Total matches: 124window

Similarity

Total matches: 124
API ID: DispatchMessageGetMessageTranslateMessage
String ID:
API String ID: 238847732-0
Opcode ID: 2bc29e822e5a19ca43f9056ef731e5d255ca23f22894fa6ffe39914f176e67d0
Instruction ID: 3635f244085e73605198e4edd337f824154064b4cabe78c039b45d2f1f3269be
Opcode Fuzzy Hash: A9B0120F8141E01F254D19651413380B5D379C3120E515B604E2340284D19031C97C49
Instruction Fuzzy Hash: 3635f244085e73605198e4edd337f824154064b4cabe78c039b45d2f1f3269be

APIs

Part of subcall function 00481ED8: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00482007,?,?,00000003,00000000,00000000,?,00482033), ref: 00481EFB
Part of subcall function 00481ED8: SetWindowsHookExA.USER32(0000000D,004818F8,00000000,00000000), ref: 00481F09

TranslateMessage.USER32 ref: 00482036
DispatchMessageA.USER32 ref: 0048203C
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00482048

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C91C, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 75 Total matches: 20

Similarity

Total matches: 20
API ID: GetVolumeInformation
String ID: %.4x:%.4x
API String ID: 1114431059-3532927987
Opcode ID: 208ca3ebf28c5cea15b573a569a7b8c9d147c1ff64dfac4d15af7b461a718bc8
Instruction ID: 4ae5e3aba91ec141201c4859cc19818ff8a02ee484ece83311eb3b9305c11bcf
Opcode Fuzzy Hash: F8E0E5410AC961EBB4D3F0883543BA2319593A3289C807B73B7467FDD64F05505DD847
Instruction Fuzzy Hash: 4ae5e3aba91ec141201c4859cc19818ff8a02ee484ece83311eb3b9305c11bcf

APIs

GetVolumeInformationA.KERNEL32(00000000,00000000,00000104,?,?,?,00000000,00000104), ref: 0048C974

Strings

%.4x:%.4x, xrefs: 0048C9B9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004221F0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47 Total matches: 18registry

Similarity

Total matches: 18
API ID: RegQueryValueEx
String ID: ldA
API String ID: 3865029661-3200660723
Opcode ID: ec304090a766059ca8447c7e950ba422bbcd8eaba57a730efadba48c404323b5
Instruction ID: 1bfdbd06430122471a07604155f074e1564294130eb9d59a974828bfc3ff2ca5
Opcode Fuzzy Hash: 87D05E281E48858525DA74D93101B522241E7193938CC3F618A4C976EB6900F018EE0F
Instruction Fuzzy Hash: 1bfdbd06430122471a07604155f074e1564294130eb9d59a974828bfc3ff2ca5

APIs

RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000), ref: 0042221B

Strings

ldA, xrefs: 00422231

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00421F68, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36 Total matches: 12registry

Similarity

Total matches: 12
API ID: RegQueryValueEx
String ID: n"B
API String ID: 3865029661-2187876772
Opcode ID: 26fd4214dafc6fead50bf7e0389a84ae86561299910b3c40f1938d96c80dcc37
Instruction ID: ad829994a2409f232093606efc953ae9cd3a3a4e40ce86781ec441e637d7f613
Opcode Fuzzy Hash: A2C08C4DAA204AD6E1B42500D481F0827816B633B9D826F400162222E3BA009A9FE85C
Instruction Fuzzy Hash: ad829994a2409f232093606efc953ae9cd3a3a4e40ce86781ec441e637d7f613

APIs

RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,00000000,n"B,?,?,?,?,00000000,0042226E), ref: 00421F9A

Strings

n"B, xrefs: 00421F81, 00421F84

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Similar Non-Executed Functions

Function 00428B08, Relevance: 48.5, APIs: 32, Instructions: 500 Total matches: 1987window

Similarity

Total matches: 1987
API ID: SelectObject$SelectPalette$CreateCompatibleDCGetDIBitsGetDeviceCapsRealizePaletteSetBkColorSetTextColor$BitBltCreateBitmapCreateCompatibleBitmapCreateDIBSectionDeleteDCFillRectGetDCGetDIBColorTableGetObjectPatBltSetDIBColorTable
String ID:
API String ID: 3042800676-0
Opcode ID: b8b687cee1c9a2d9d2f26bc490dbdcc6ec68fc2f2ec1aa58312beb2e349b1411
Instruction ID: ff68489d249ea03a763d48795c58495ac11dd1cccf96ec934182865f2a9e2114
Opcode Fuzzy Hash: E051494D0D8CF5C7B4BF29880993F5211816F83A27D2AB7130975677FB8A05A05BF21D
Instruction Fuzzy Hash: ff68489d249ea03a763d48795c58495ac11dd1cccf96ec934182865f2a9e2114

APIs

GetObjectA.GDI32(00000000,00000054,?), ref: 00428B88
GetDC.USER32(00000000), ref: 00428B99
CreateCompatibleDC.GDI32(00000000), ref: 00428BAA
CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 00428BF6
CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 00428C1A
GetDeviceCaps.GDI32(00000028,0000000C), ref: 00428C6A
GetDeviceCaps.GDI32(00000028,0000000E), ref: 00428C77
SelectObject.GDI32(?,?), ref: 00428D7F

Part of subcall function 004262B4: GetObjectA.GDI32(?,00000004), ref: 004262CB
Part of subcall function 004262B4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 004262EE

SelectObject.GDI32(?,00000000), ref: 00428D21
GetDIBColorTable.GDI32(?,00000000,00000100,-00000027), ref: 00428D47
GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428D72
CreateDIBSection.GDI32(00000028,00000001,00000000,00000003,00000000,00000000), ref: 00428DD5
GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428E36

Part of subcall function 00425A70: GetLastError.KERNEL32(00000000,00425B0C), ref: 00425A90
Part of subcall function 00425A70: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00425B0C), ref: 00425AB6

SelectObject.GDI32(?,?), ref: 00428E77
SelectPalette.GDI32(?,00000000,00000000), ref: 00428EB7
RealizePalette.GDI32(?), ref: 00428EC3
SelectPalette.GDI32(?,?,000000FF), ref: 004290CE

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?,00000000), ref: 00428F14
SetTextColor.GDI32(?,00000000), ref: 00428F2C
SetBkColor.GDI32(?,00000000), ref: 00428F46
SetDIBColorTable.GDI32(?,00000000,00000002,?), ref: 00428F8E
PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 00428FB0
CreateCompatibleDC.GDI32(00000028), ref: 00428FC3
SelectObject.GDI32(?,00000000), ref: 00428FE6
SelectPalette.GDI32(?,00000000,00000000), ref: 00429002
RealizePalette.GDI32(?), ref: 0042900D
DeleteDC.GDI32(?), ref: 004290A4

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetTextColor.GDI32(?,00000000), ref: 0042902B
SetBkColor.GDI32(?,00000000), ref: 00429045
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042906D
SelectPalette.GDI32(?,00000000,000000FF), ref: 0042907F
SelectObject.GDI32(?,00000000), ref: 00429089

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047FA8C, Relevance: 44.0, APIs: 24, Strings: 1, Instructions: 241 Total matches: 15networkwindow

Similarity

Total matches: 15
API ID: GetDeviceCaps$recv$DeleteObjectSelectObject$BitBltCreateCompatibleBitmapCreateCompatibleDCGetDCReleaseDCclosesocketconnectgethostbynameinet_addrntohssendshutdownsocket
String ID: THUMB
API String ID: 1930283203-3798143851
Opcode ID: 678904e15847db7bac48336b7cf5e320d4a41031a0bc1ba33978a791cdb2d37c
Instruction ID: a6e5d2826a1bfadec34d698d0b396fa74616cd31ac2933a690057ec4ea65ec21
Opcode Fuzzy Hash: A331F900078DE76BF6722B402983F571157FF42A21E6997A34BB4676C75FC0640EB60B
Instruction Fuzzy Hash: a6e5d2826a1bfadec34d698d0b396fa74616cd31ac2933a690057ec4ea65ec21

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,0047FD80), ref: 0047FACB
ntohs.WSOCK32(00000774), ref: 0047FAEF
inet_addr.WSOCK32(015EAA88,00000774), ref: 0047FB03
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 0047FB1B
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 0047FB42
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047FB59

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047FBA9
GetDC.USER32(00000000), ref: 0047FBE3
CreateCompatibleDC.GDI32(?), ref: 0047FBEF
GetDeviceCaps.GDI32(?,0000000A), ref: 0047FBFD
GetDeviceCaps.GDI32(?,00000008), ref: 0047FC09
CreateCompatibleBitmap.GDI32(?,00000000,?), ref: 0047FC13
SelectObject.GDI32(?,?), ref: 0047FC23
GetDeviceCaps.GDI32(?,0000000A), ref: 0047FC3E
GetDeviceCaps.GDI32(?,00000008), ref: 0047FC4A
BitBlt.GDI32(?,00000000,00000000,00000000,?,00000008,00000000,?,0000000A), ref: 0047FC58
send.WSOCK32(000000FF,?,00000000,00000000,?,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010), ref: 0047FCCD
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00000000,00000000,?,000000FF,?,00002000,00000000,000000FF,?,00002000), ref: 0047FCE4
SelectObject.GDI32(?,?), ref: 0047FD08
DeleteObject.GDI32(?), ref: 0047FD11
DeleteObject.GDI32(?), ref: 0047FD1A
ReleaseDC.USER32(00000000,?), ref: 0047FD25
shutdown.WSOCK32(000000FF,00000002,00000002,00000001,00000000,00000000,0047FD80), ref: 0047FD54
closesocket.WSOCK32(000000FF,000000FF,00000002,00000002,00000001,00000000,00000000,0047FD80), ref: 0047FD5D

Strings

THUMB, xrefs: 0047FB7F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004801FC, Relevance: 35.3, APIs: 15, Strings: 5, Instructions: 286 Total matches: 15network

Similarity

Total matches: 15
API ID: recv$closesocketconnectgethostbynameinet_addrntohssendshutdownsocket
String ID: [.dll]$[.dll]$[.dll]$[.dll]$[.dll]
API String ID: 2256622448-126193538
Opcode ID: edfb90c8b4475b2781d0696b1145c1d1b84b866ec8cac18c23b2313044de0fe7
Instruction ID: 2d95426e1e6ee9a744b3e863ef1b8a7e344b36da7f7d1abd741f771f4a8a1459
Opcode Fuzzy Hash: FB414B0217AAD36BE0726F413943B8B00A2AF03E15D9C97E247B5267D69FA0501DB21A
Instruction Fuzzy Hash: 2d95426e1e6ee9a744b3e863ef1b8a7e344b36da7f7d1abd741f771f4a8a1459

APIs

socket.WSOCK32(00000002,00000001,00000000), ref: 00480264
ntohs.WSOCK32(00000774), ref: 00480288
inet_addr.WSOCK32(015EAA88,00000774), ref: 0048029C
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 004802B4
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 004802DB
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004802F2
closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004805DE

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,?,0048064C,?,00000000,?,FILETRANSFER,000000FF,?,00002000,00000000,000000FF,00000002), ref: 0048036A
recv.WSOCK32(000000FF,?,00002000,00000000,?,00000000,?,0048064C,?,FILEBOF,?,FILETRANSFER,000000FF,?,00002000,00000000), ref: 00480401

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,00000000,?,0048064C,?,FILEBOF,?,FILETRANSFER), ref: 00480451
send.WSOCK32(000000FF,?,00000000,00000000,00000000,00480523,?,000000FF,?,00002000,00000000,?,00000000,?,0048064C,?), ref: 004804DB
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00000000,00000000,00000000,00480523,?,000000FF,?,00002000,00000000,?), ref: 004804F5
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,00000000,?,0048064C,?,FILEBOF,?,FILETRANSFER), ref: 00480583

Part of subcall function 00475F68: send.WSOCK32(?,00000000,?,00000000,00000000,00475FCA), ref: 00475FAF

recv.WSOCK32(000000FF,?,00002000,00000000,?,FILETRANSFER,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004805B6
shutdown.WSOCK32(000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 004805D5

Strings

FILEERR, xrefs: 00480432
FILEEOF, xrefs: 00480564
FILEBOF, xrefs: 004803A6
FILEEND, xrefs: 00480597
FILETRANSFER, xrefs: 004802FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00480880, Relevance: 30.0, APIs: 12, Strings: 5, Instructions: 276 Total matches: 16network

Similarity

Total matches: 16
API ID: recv$closesocketshutdown$connectgethostbynameinet_addrntohssocket
String ID: [.dll]$[.dll]$[.dll]$[.dll]$[.dll]
API String ID: 2855376909-126193538
Opcode ID: ce8af9afc4fc20da17b49cda6627b8ca93217772cb051443fc0079949da9fcb3
Instruction ID: 6552a3c7cc817bd0bf0621291c8240d3f07fdfb759ea8c029e05bf9a4febe696
Opcode Fuzzy Hash: A5414C032767977AE1612F402881B952571BF03769DC8C7D257F6746EA5F60240EF31E
Instruction Fuzzy Hash: 6552a3c7cc817bd0bf0621291c8240d3f07fdfb759ea8c029e05bf9a4febe696

APIs

socket.WSOCK32(00000002,00000001,00000000,?,?,?,?,?,?,?,?,?,00000000,00480C86), ref: 004808B5
ntohs.WSOCK32(00000774), ref: 004808D9
inet_addr.WSOCK32(015EAA88,00000774), ref: 004808ED
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 00480905
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 0048092C
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480943
closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480C2F

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480993
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88), ref: 004809C8
shutdown.WSOCK32(000000FF,00000002,?,?,?,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000), ref: 00480B80
closesocket.WSOCK32(000000FF,000000FF,00000002,?,?,?,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?), ref: 00480B89

Part of subcall function 00480860: send.WSOCK32(?,00000000,00000001,00000000), ref: 00480879

shutdown.WSOCK32(000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 00480C26

Part of subcall function 00405D40: SysFreeString.OLEAUT32(?), ref: 00405D53

Strings

FILEERR, xrefs: 00480BB6
FILEBOF, xrefs: 00480A34
FILEEOF, xrefs: 00480B0B
UPLOADFILE, xrefs: 00480969
FILEEND, xrefs: 00480B6A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0047F4E0, Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 295 Total matches: 16network

Similarity

Total matches: 16
API ID: recv$closesocketconnectgethostbynameinet_addrntohsshutdownsocket
String ID: [.dll]$PLUGIN$QUICKUP
API String ID: 3502134677-2029499634
Opcode ID: e0335874fa5fb0619f753044afc16a0783dc895853cb643f68a57d403a54b849
Instruction ID: e53faec40743fc20efac8ebff3967ea6891c829de5991c2041a7f36387638ce7
Opcode Fuzzy Hash: 8E4129031BAAEA76E1723F4029C2B851A62EF12635DC4C7E287F6652D65F60241DF60E
Instruction Fuzzy Hash: e53faec40743fc20efac8ebff3967ea6891c829de5991c2041a7f36387638ce7

APIs

socket.WSOCK32(00000002,00000001,00000000,?,00000000,0047F930,?,?,?,?,00000000,00000000), ref: 0047F543
ntohs.WSOCK32(00000774), ref: 0047F567
inet_addr.WSOCK32(015EAA88,00000774), ref: 0047F57B
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 0047F593
connect.WSOCK32(000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F5BA
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F5D1
closesocket.WSOCK32(000000FF,000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F8C2

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(000000FF,?,00002000,00000000,?,0047F968,?,0047F968,?,QUICKUP,000000FF,?,00002000,00000000,000000FF,00000002), ref: 0047F63F
recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,0047F968,?,0047F968,?,QUICKUP,000000FF,?), ref: 0047F66F

Part of subcall function 0047F4C0: send.WSOCK32(?,00000000,00000001,00000000), ref: 0047F4D9

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,0047F968,?,0047F968), ref: 0047F859

Part of subcall function 0048ADCC: SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0048ADF9
Part of subcall function 0048ADCC: SHGetPathFromIDListA.SHELL32(?,?,00000000,0048AE8C,?,?,00000005,?,004856FD,00000000,00485755,?,?,00000005,00000000,00000000), ref: 0048AE09

recv.WSOCK32(000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,000000FF,?,00002000,00000000,?,0047F968,?,0047F968), ref: 0047F786

Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EEA0
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF11
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0047EF31
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0047EF60
Part of subcall function 0047EE3C: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0047EF96
Part of subcall function 0047EE3C: SetFileAttributesA.KERNEL32(00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFD6
Part of subcall function 0047EE3C: DeleteFileA.KERNEL32(00000000,00000000,00000080,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047EFFF
Part of subcall function 0047EE3C: CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0047F033
Part of subcall function 0047EE3C: PlaySoundA.WINMM(00000000,00000000,00000001,?,00000000,0047F0FE,?,?,?,00000003,00000000,00000000), ref: 0047F059
Part of subcall function 0047EE3C: CopyFileA.KERNEL32(00000000,00000000,.dcp), ref: 0047F0D1

shutdown.WSOCK32(000000FF,00000002,000000FF,?,00002000,00000000,000000FF,00000002,00000010,015EAA88,00000774), ref: 0047F8B9

Part of subcall function 00405D40: SysFreeString.OLEAUT32(?), ref: 00405D53

Strings

PLUGIN, xrefs: 0047F527
QUICKUP, xrefs: 0047F5DD
FILEEND, xrefs: 0047F7E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00489244, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 150 Total matches: 15networkthread

Similarity

Total matches: 15
API ID: recv$ExitThreadclosesocketconnectgethostbynameinet_addrntohssendshutdownsocket
String ID: AI$DATAFLUX
API String ID: 272284131-425132630
Opcode ID: 11f7e99e0a7c1cc561ab01f1b1abb0142bfc906553ec9d79ada03e9cf39adde9
Instruction ID: 4d7be339f0e68e68ccf0b59b667884dcbebc6bd1e5886c9405f519ae2503b2a6
Opcode Fuzzy Hash: DA115B4513B9A77BE0626F943842B6265236B02E3CF498B3153B83A3C6DF41146DFA4D
Instruction Fuzzy Hash: 4d7be339f0e68e68ccf0b59b667884dcbebc6bd1e5886c9405f519ae2503b2a6

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00489441), ref: 004892BA
ntohs.WSOCK32(00000774), ref: 004892DC
inet_addr.WSOCK32(015EAA88,00000774), ref: 004892F0
gethostbyname.WSOCK32(015EAA88,015EAA88,00000774), ref: 00489308
connect.WSOCK32(00000000,00000002,00000010,015EAA88,00000774), ref: 0048932C
recv.WSOCK32(00000000,?,00000400,00000000,00000000,00000002,00000010,015EAA88,00000774), ref: 00489340

Part of subcall function 00475ECC: send.WSOCK32(?,00000000,?,00000000,00000000,00475F58), ref: 00475F38

recv.WSOCK32(00000000,?,00000400,00000000,?,0048946C,?,DATAFLUX,00000000,?,00000400,00000000,00000000,00000002,00000010,015EAA88), ref: 00489399
send.WSOCK32(00000000,?,00000000,00000000), ref: 004893E3
recv.WSOCK32(00000000,?,00000400,00000000,00000000,?,00000000,00000000), ref: 004893FA
shutdown.WSOCK32(00000000,00000002,00000002,00000001,00000000,00000000,00489441), ref: 00489409
closesocket.WSOCK32(00000000,00000000,00000002,00000002,00000001,00000000,00000000,00489441), ref: 0048940F
ExitThread.KERNEL32(00000000,00000000,00000000,00000002,00000002,00000001,00000000,00000000,00489441), ref: 0048941E

Strings

DATAFLUX, xrefs: 0048934C
AI, xrefs: 0048928B

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048298C, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 119 Total matches: 11threadnetwork

Similarity

Total matches: 11
API ID: ExitThread$closesocket$connectgethostbynameinet_addrntohssocket
String ID: PortScanAdd$T)H
API String ID: 2395914352-1310557750
Opcode ID: 6c3104e507475618e3898607272650a69bca6dc046555386402c23f344340102
Instruction ID: 72399fd579b68a6a0bb22d5de318f24183f317e071505d54d2110904ee01d501
Opcode Fuzzy Hash: 1101680197ABE83FA05261C43881B8224A9AF57288CC8AFB2433A3E7C35D04300EF785
Instruction Fuzzy Hash: 72399fd579b68a6a0bb22d5de318f24183f317e071505d54d2110904ee01d501

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 004829FE
ExitThread.KERNEL32(00000000,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A0C
ntohs.WSOCK32(?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A18
inet_addr.WSOCK32(00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A2A
gethostbyname.WSOCK32(00000000,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A40
ExitThread.KERNEL32(00000000,00000000,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A4D
connect.WSOCK32(00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482A63
ExitThread.KERNEL32(00000000,00000000,00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482AB2

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

closesocket.WSOCK32(00000000,?,00482B30,?,PortScanAdd,00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1), ref: 00482A9C
ExitThread.KERNEL32(00000000,00000000,?,00482B30,?,PortScanAdd,00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1), ref: 00482AA3
closesocket.WSOCK32(00000000,00000000,00000002,00000010,00000000,?,00000002,00000001,00000000,00000000,00482AC1,?,00000000,00482B03), ref: 00482AAB

Strings

T)H, xrefs: 004829A6, 00482AEF
PortScanAdd, xrefs: 00482A6C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004836D8, Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 99 Total matches: 11threadnetworksleep

Similarity

Total matches: 11
API ID: ExitThread$Sleepclosesocketconnectgethostbynameinet_addrntohsrecvsocket
String ID: POST /index.php/1.0Host:
API String ID: 2628901859-3522423011
Opcode ID: b04dd301db87c41df85ba2753455f3376e44383b7eb4be01a122875681284b07
Instruction ID: dc3bae1cbba1b9e51a9e3778eeee895e0839b03ccea3d6e2fe0063a405e053e2
Opcode Fuzzy Hash: E6F044005B779ABFC4611EC43C51B8205AA9353A64F85ABE2867A3AED6AD25100FF641
Instruction Fuzzy Hash: dc3bae1cbba1b9e51a9e3778eeee895e0839b03ccea3d6e2fe0063a405e053e2

APIs

socket.WSOCK32(00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 0048373A
ExitThread.KERNEL32(00000000,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 00483747
inet_addr.WSOCK32(?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 00483762
ntohs.WSOCK32(00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 0048376B
gethostbyname.WSOCK32(?,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 0048377B
ExitThread.KERNEL32(00000000,?,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 00483788
connect.WSOCK32(00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 0048379E
ExitThread.KERNEL32(00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ,00000000,00483817), ref: 004837A9

Part of subcall function 00475F68: send.WSOCK32(?,00000000,?,00000000,00000000,00475FCA), ref: 00475FAF

recv.WSOCK32(00000000,?,00000400,00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000,?,POST /index.php/1.0Host: ), ref: 004837C7
Sleep.KERNEL32(000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000,?), ref: 004837DF
closesocket.WSOCK32(00000000,000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854,00000000), ref: 004837E5
ExitThread.KERNEL32(00000000,00000000,000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000050,?,00000002,00000001,00000006,00483854), ref: 004837EC

Strings

POST /index.php/1.0Host: , xrefs: 00483708

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482630, Relevance: 18.1, APIs: 12, Instructions: 116 Total matches: 16threadnetworksleep

Similarity

Total matches: 16
API ID: ExitThread$Sleepclosesocketconnectgethostbynameinet_addrntohsrecvsocket
String ID:
API String ID: 2628901859-0
Opcode ID: a3aaf1e794ac1aa69d03c8f9e66797259df72f874d13839bb17dd00c6b42194d
Instruction ID: ff6d9d03150e41bc14cdbddfb540e41f41725cc753a621d047e760d4192c390a
Opcode Fuzzy Hash: 7801D0011B764DBFC4611E846C8239311A7A763899DC5EBB1433A395D34E00202DFE46
Instruction Fuzzy Hash: ff6d9d03150e41bc14cdbddfb540e41f41725cc753a621d047e760d4192c390a

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000000,004827A8), ref: 004826CB
ExitThread.KERNEL32(00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 004826D8
inet_addr.WSOCK32(00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 004826F3
ntohs.WSOCK32(00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 004826FC
gethostbyname.WSOCK32(00000000,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 0048270C
ExitThread.KERNEL32(00000000,00000000,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 00482719
connect.WSOCK32(00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 0048272F
ExitThread.KERNEL32(00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 0048273A

Part of subcall function 004824B0: send.WSOCK32(?,?,00000400,00000000,00000000,00482542), ref: 00482525

recv.WSOCK32(00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 00482758
Sleep.KERNEL32(000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000,004827A8), ref: 00482770
closesocket.WSOCK32(00000000,000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?,00000000), ref: 00482776
ExitThread.KERNEL32(00000000,00000000,000003E8,00000000,?,00000400,00000000,00000000,00000002,00000010,00000000,00000000,00000002,00000001,00000006,?), ref: 0048277D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004821A0, Relevance: 15.1, APIs: 10, Instructions: 112 Total matches: 15threadnetworksleep

Similarity

Total matches: 15
API ID: ExitThread$Sleepclosesocketgethostbynameinet_addrntohssendtosocket
String ID:
API String ID: 1359030137-0
Opcode ID: 9f2e935b6ee09f04cbe2534d435647e5a9c7a25d7308ce71f3340d3606cd1e00
Instruction ID: ac1de70ce42b68397a6b2ea81eb33c5fd22f812bdd7d349b67f520e68fdd8bef
Opcode Fuzzy Hash: BC0197011B76997BD8612EC42C8335325A7E363498E85ABB2863A3A5C34E00303EFD4A
Instruction Fuzzy Hash: ac1de70ce42b68397a6b2ea81eb33c5fd22f812bdd7d349b67f520e68fdd8bef

APIs

socket.WSOCK32(00000002,00000002,00000000,?,00000000,00482302), ref: 0048223B
ExitThread.KERNEL32(00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 00482248
inet_addr.WSOCK32(00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 00482263
ntohs.WSOCK32(00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 0048226C
gethostbyname.WSOCK32(00000000,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 0048227C
ExitThread.KERNEL32(00000000,00000000,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 00482289
sendto.WSOCK32(00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 004822B2
Sleep.KERNEL32(000003E8,00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 004822CA
closesocket.WSOCK32(00000000,000003E8,00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000,00482302), ref: 004822D0
ExitThread.KERNEL32(00000000,00000000,000003E8,00000000,?,?,00000000,00000002,00000010,00000000,00000000,00000002,00000002,00000000,?,00000000), ref: 004822D7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00458910, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64 Total matches: 3020window

Similarity

Total matches: 3020
API ID: GetWindowLongScreenToClient$GetWindowPlacementGetWindowRectIsIconic
String ID: ,
API String ID: 816554555-3772416878
Opcode ID: 33713ad712eb987f005f3c933c072ce84ce87073303cb20338137d5b66c4d54f
Instruction ID: 99fb2dd3f2d8984d329dcc6a20dc6bc7800d43894b91fc45d581d88d3a180e50
Opcode Fuzzy Hash: 34E0929A777C2018C58145A80943F5DB3519B5B7FAC55DF8036902895B110018B1B86D
Instruction Fuzzy Hash: 99fb2dd3f2d8984d329dcc6a20dc6bc7800d43894b91fc45d581d88d3a180e50

APIs

IsIconic.USER32(?), ref: 0045891F
GetWindowPlacement.USER32(?,0000002C), ref: 0045893C
GetWindowRect.USER32(?), ref: 00458955
GetWindowLongA.USER32(?,000000F0), ref: 00458963
GetWindowLongA.USER32(?,000000F8), ref: 00458978
ScreenToClient.USER32(00000000), ref: 00458985
ScreenToClient.USER32(00000000,?), ref: 00458990

Strings

,, xrefs: 00458928

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043B7D8, Relevance: 12.1, APIs: 8, Instructions: 72 Total matches: 256window

Similarity

Total matches: 256
API ID: ShowWindow$SetWindowLong$GetWindowLongIsIconicIsWindowVisible
String ID:
API String ID: 1329766111-0
Opcode ID: 851ee31c2da1c7e890e66181f8fd9237c67ccb8fd941b2d55d1428457ca3ad95
Instruction ID: 2d601e2c9dde570a1438639cb57e59d23a7ac9434ebe8ec1c9926e4533b8e8e7
Opcode Fuzzy Hash: FEE0684A6E7C6CE4E26AE7048881B00514BE307A17DC00B00C722165A69E8830E4AC8E
Instruction Fuzzy Hash: 2d601e2c9dde570a1438639cb57e59d23a7ac9434ebe8ec1c9926e4533b8e8e7

APIs

GetWindowLongA.USER32(?,000000EC), ref: 0043B7E8
IsIconic.USER32(?), ref: 0043B800
IsWindowVisible.USER32(?), ref: 0043B80C
ShowWindow.USER32(?,00000000), ref: 0043B840
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B855
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B866
ShowWindow.USER32(?,00000006), ref: 0043B881
ShowWindow.USER32(?,00000005), ref: 0043B88B

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004389B4, Relevance: 10.9, APIs: 7, Instructions: 405 Total matches: 2150windowCrypto

Similarity

Total matches: 2150
API ID: RestoreDCSaveDC$DefWindowProcGetSubMenuGetWindowDC
String ID:
API String ID: 4165311318-0
Opcode ID: e3974ea3235f2bde98e421c273a503296059dbd60f3116d5136c6e7e7c4a4110
Instruction ID: 37498faecac08611daeb58a409bdd2e28f3aff22c71556953c3d6c7203dc42a1
Opcode Fuzzy Hash: E351598106AE105BFCB3A49435C3FA31002E75259BCC9F7725F65B69F70A426107FA0E
Instruction Fuzzy Hash: 37498faecac08611daeb58a409bdd2e28f3aff22c71556953c3d6c7203dc42a1

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 00438ECA

Part of subcall function 00437AE0: SendMessageA.USER32(?,00000234,00000000,00000000), ref: 00437B66
Part of subcall function 00437AE0: DrawMenuBar.USER32(00000000), ref: 00437B77

GetSubMenu.USER32(?,?), ref: 00438AB0

Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128

SaveDC.GDI32(?), ref: 00438C84
RestoreDC.GDI32(?,?), ref: 00438CF8
GetWindowDC.USER32(?), ref: 00438D72
SaveDC.GDI32(?), ref: 00438DA9
RestoreDC.GDI32(?,?), ref: 00438E16

Part of subcall function 00438594: GetMenuItemCount.USER32(?), ref: 004385C0
Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 004385E0
Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 00438678

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043E644, Relevance: 10.9, APIs: 7, Instructions: 356 Total matches: 105windowCrypto

Similarity

Total matches: 105
API ID: RestoreDCSaveDC$GetParentGetWindowDCSetFocus
String ID:
API String ID: 1433148327-0
Opcode ID: c7c51054c34f8cc51c1d37cc0cdfc3fb3cac56433bd5d750a0ee7df42f9800ec
Instruction ID: 9e67841575b56d9a11e2d3f15b67e7abce699d8469a9871b1b2609441fc85f19
Opcode Fuzzy Hash: 60514740199E7193F47720842BC3BEAB09AF79671DC40F3616BC6318877F15A21AB70B
Instruction Fuzzy Hash: 9e67841575b56d9a11e2d3f15b67e7abce699d8469a9871b1b2609441fc85f19

APIs

Part of subcall function 00448224: SetActiveWindow.USER32(?), ref: 0044823F
Part of subcall function 00448224: SetFocus.USER32(00000000), ref: 00448289

SetFocus.USER32(00000000), ref: 0043E76F

Part of subcall function 0043F4F4: SendMessageA.USER32(00000000,00000229,00000000,00000000), ref: 0043F51B

Part of subcall function 0044D2F4: GetWindowThreadProcessId.USER32(?), ref: 0044D301
Part of subcall function 0044D2F4: GetCurrentProcessId.KERNEL32(?,00000000,?,004387ED,?,004378A9), ref: 0044D30A
Part of subcall function 0044D2F4: GlobalFindAtomA.KERNEL32(00000000), ref: 0044D31F
Part of subcall function 0044D2F4: GetPropA.USER32(?,00000000), ref: 0044D336

GetParent.USER32(?), ref: 0043E78A

Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128

SaveDC.GDI32(?), ref: 0043E92D
RestoreDC.GDI32(?,?), ref: 0043E99E
GetWindowDC.USER32(00000000), ref: 0043EA0A
SaveDC.GDI32(?), ref: 0043EA41
RestoreDC.GDI32(?,?), ref: 0043EAA5

Part of subcall function 00447EF0: InvalidateRect.USER32(00000000,00000000,000000FF), ref: 00447F83
Part of subcall function 00447EF0: InvalidateRect.USER32(00000000,00000000,000000FF), ref: 00447FB6

Part of subcall function 004556F4: SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000077), ref: 004557E5
Part of subcall function 004556F4: _TrackMouseEvent.COMCTL32(00000010), ref: 00455A9D
Part of subcall function 004556F4: DefWindowProcA.USER32(00000000,?,?,?), ref: 00455AEF
Part of subcall function 004556F4: GetCapture.USER32 ref: 00455B5A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A070, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51 Total matches: 81shutdown

Similarity

Total matches: 81
API ID: AdjustTokenPrivilegesExitWindowsExGetCurrentProcessLookupPrivilegeValueOpenProcessToken
String ID: SeShutdownPrivilege
API String ID: 907618230-3733053543
Opcode ID: 6325c351eeb4cc5a7ec0039467aea46e8b54e3429b17674810d590d1af91e24f
Instruction ID: 66577e1e564058a64f67eda116e8e082f314cb3670dbe1b8773e92ba7f33d392
Opcode Fuzzy Hash: 84D0124D3B7976B1F31D5D4001C47A6711FDBA322AD61670069507725A8DA091F4BE88
Instruction Fuzzy Hash: 66577e1e564058a64f67eda116e8e082f314cb3670dbe1b8773e92ba7f33d392

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 0048A083
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0048A089
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000000), ref: 0048A0A4
AdjustTokenPrivileges.ADVAPI32(00000002,00000000,00000002,00000010,?,?,00000000), ref: 0048A0E5
ExitWindowsEx.USER32(00000012,00000000), ref: 0048A0ED

Strings

SeShutdownPrivilege, xrefs: 0048A09D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E370, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 46 Total matches: 14window

Similarity

Total matches: 14
API ID: GetWindowPlacementGetWindowRectIsIconic
String ID: MonitorFromWindow$pB
API String ID: 1187573753-2555291889
Opcode ID: b2662cef33c9ce970c581efdfdde34e0c8b40e940518fa378c404c4b73bde14f
Instruction ID: 5a6b2a18135ea14e651d4e6cb58f3d6b41c3321aed1c605d56f3d84144375520
Opcode Fuzzy Hash: E2D0977303280A045DC34844302880B2A322AD3C3188C3FE182332B3D34B8630BCCF1D
Instruction Fuzzy Hash: 5a6b2a18135ea14e651d4e6cb58f3d6b41c3321aed1c605d56f3d84144375520

APIs

IsIconic.USER32(?), ref: 0042E3B9
GetWindowPlacement.USER32(?,?), ref: 0042E3C7
GetWindowRect.USER32(?,?), ref: 0042E3D3

Part of subcall function 0042E2E0: GetSystemMetrics.USER32(00000000), ref: 0042E331
Part of subcall function 0042E2E0: GetSystemMetrics.USER32(00000001), ref: 0042E33D

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

pB, xrefs: 0042E38C, 0042E399, 0042E3A0
MonitorFromWindow, xrefs: 0042E387

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004715B0, Relevance: 7.5, APIs: 5, Instructions: 49 Total matches: 102service

Similarity

Total matches: 102
API ID: CloseServiceHandle$DeleteServiceOpenSCManagerOpenService
String ID:
API String ID: 3460840894-0
Opcode ID: edfa3289dfdb26ec1f91a4a945de349b204e0a604ed3354c303b362bde8b8223
Instruction ID: 514bcffe4070602af344c66095507f6a8d55ec3e3e7bb18c804bf3b7deea95f5
Opcode Fuzzy Hash: 01D02E841BA8F82FD4879988111239360C1AA23A90D8A37F08E08361D3ABE4004CF86A
Instruction Fuzzy Hash: 514bcffe4070602af344c66095507f6a8d55ec3e3e7bb18c804bf3b7deea95f5

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047162F), ref: 004715DB
OpenServiceA.ADVAPI32(00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 004715F5
DeleteService.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471601
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 0047160E
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471614

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A218, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45 Total matches: 35

Similarity

Total matches: 35
API ID: ShellExecuteEx
String ID: <$runas
API String ID: 188261505-1187129395
Opcode ID: 78fd917f465efea932f782085a819b786d64ecbded851ad2becd4a9c2b295cba
Instruction ID: 699417cfffd9d2823bf050fc300394e0ca4864bf277244f982f3937778f2d3bc
Opcode Fuzzy Hash: 44D0C2651799A06BC4A3B2C03C41B2B25307B13B48C0EB722960034CD38F080009EF85
Instruction Fuzzy Hash: 699417cfffd9d2823bf050fc300394e0ca4864bf277244f982f3937778f2d3bc

APIs

ShellExecuteExA.SHELL32(0000003C,00000000,0048A2A4), ref: 0048A283

Strings

runas, xrefs: 0048A268
<, xrefs: 0048A24C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004754C4, Relevance: 87.7, APIs: 29, Strings: 21, Instructions: 233 Total matches: 21libraryloaderprocess

Similarity

Total matches: 21
API ID: GetModuleHandleGetProcAddress$CreateProcess
String ID: CloseHandle$CreateMutexA$CreateProcessA$D$DCPERSFWBP$ExitThread$GetExitCodeProcess$GetLastError$GetProcAddress$LoadLibraryA$MessageBoxA$OpenProcess$SetLastError$Sleep$TerminateProcess$WaitForSingleObject$kernel32$[FILE]$notepad$user32$[FILE]
API String ID: 3751337051-3523759359
Opcode ID: 948186da047cc935dcd349cc6fe59913c298c2f7fe37e158e253dfef2729ac1f
Instruction ID: 4cc698827aad1f96db961776656dbb42e561cfa105640199e72939f2d3a7da76
Opcode Fuzzy Hash: 0C31B4E666B8F349E6362E4830D46BC26C1A687F3DB52D7004A37B27C46E810407F776
Instruction Fuzzy Hash: 4cc698827aad1f96db961776656dbb42e561cfa105640199e72939f2d3a7da76

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 00475590

Part of subcall function 00474D58: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?,00000000,00000000,00000000,?,004755A7), ref: 00474D98
Part of subcall function 00474D58: WriteProcessMemory.KERNEL32(?,00000000,kernel32.dll,?,?,?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?), ref: 00474DBE

GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756B4
GetProcAddress.KERNEL32(00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756BA
GetModuleHandleA.KERNEL32(kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756CB
GetProcAddress.KERNEL32(00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756D1
GetModuleHandleA.KERNEL32(kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829,?,?,?,?,?,00490626), ref: 004756E3
GetProcAddress.KERNEL32(00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 004756E9
GetModuleHandleA.KERNEL32(user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 004756FB
GetProcAddress.KERNEL32(00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 00475701
GetModuleHandleA.KERNEL32(kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00475829), ref: 00475713
GetProcAddress.KERNEL32(00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000), ref: 00475719
GetModuleHandleA.KERNEL32(kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32), ref: 0047572B
GetProcAddress.KERNEL32(00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000), ref: 00475731
GetModuleHandleA.KERNEL32(kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32), ref: 00475743
GetProcAddress.KERNEL32(00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32,Sleep,00000000), ref: 00475749
GetModuleHandleA.KERNEL32(kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000,kernel32), ref: 0047575B
GetProcAddress.KERNEL32(00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32,MessageBoxA,00000000), ref: 00475761
GetModuleHandleA.KERNEL32(kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000,user32), ref: 00475773
GetProcAddress.KERNEL32(00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32,CloseHandle,00000000), ref: 00475779
GetModuleHandleA.KERNEL32(kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000,kernel32), ref: 0047578B
GetProcAddress.KERNEL32(00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32,CreateProcessA,00000000), ref: 00475791
GetModuleHandleA.KERNEL32(kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000,kernel32), ref: 004757A3
GetProcAddress.KERNEL32(00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32,GetLastError,00000000), ref: 004757A9
GetModuleHandleA.KERNEL32(kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000,kernel32), ref: 004757BB
GetProcAddress.KERNEL32(00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32,SetLastError,00000000), ref: 004757C1
GetModuleHandleA.KERNEL32(kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000,kernel32), ref: 004757D3
GetProcAddress.KERNEL32(00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32,CreateMutexA,00000000), ref: 004757D9
GetModuleHandleA.KERNEL32(kernel32,OpenProcess,00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000,kernel32), ref: 004757EB
GetProcAddress.KERNEL32(00000000,kernel32,OpenProcess,00000000,kernel32,WaitForSingleObject,00000000,kernel32,TerminateProcess,00000000,kernel32,ExitThread,00000000,kernel32,GetExitCodeProcess,00000000), ref: 004757F1

Part of subcall function 00474E20: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00474E5E
Part of subcall function 00474E20: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00474E6E
Part of subcall function 00474E20: ReadProcessMemory.KERNEL32(?,00000000,?,?,?,DCPERSFWBP,?,?), ref: 00474E81

Part of subcall function 0040F234: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0048F90F,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040F24B

Strings

ExitThread, xrefs: 00475622, 00475799
kernel32, xrefs: 004756AF, 004756C6, 004756DE, 0047570E, 00475726, 0047573E, 00475756, 0047576E, 00475786, 0047579E, 004757B6, 004757CE, 004757E6
GetProcAddress, xrefs: 004756C1
TerminateProcess, xrefs: 0047564C, 004757B1
notepad, xrefs: 00475543
CreateMutexA, xrefs: 00475604, 00475769
kernel32.dll, xrefs: 0047559B
user32.dll, xrefs: 004755AA
SetLastError, xrefs: 004755F5, 00475751
D, xrefs: 00475517
DCPERSFWBP, xrefs: 00475563
Sleep, xrefs: 004755B9, 004756D9
GetExitCodeProcess, xrefs: 0047565B, 00475781
user32, xrefs: 004756F6
WaitForSingleObject, xrefs: 0047567E, 004757C9
LoadLibraryA, xrefs: 004756AA
OpenProcess, xrefs: 00475631, 004757E1
MessageBoxA, xrefs: 004755C8, 004756F1
CreateProcessA, xrefs: 004755D7, 00475721
GetLastError, xrefs: 004755E6, 00475739
CloseHandle, xrefs: 00475613, 00475709

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474F80, Relevance: 68.4, APIs: 23, Strings: 16, Instructions: 193 Total matches: 16libraryloaderprocess

Similarity

Total matches: 16
API ID: GetModuleHandleGetProcAddress$CreateProcess
String ID: CloseHandle$D$DeleteFileA$ExitThread$GetExitCodeProcess$GetLastError$GetProcAddress$LoadLibraryA$MessageBoxA$OpenProcess$Sleep$TerminateProcess$kernel32$[FILE]$notepad$[FILE]
API String ID: 3751337051-1992750546
Opcode ID: f3e5bd14b9eca4547e1d82111e60eaf505a3b72a2acd12d9f4d60f775fac33f7
Instruction ID: 521cd1f5f1d68558a350981a4af58b67496248f6491df8a54ee4dd11dd84c66b
Opcode Fuzzy Hash: 6C21A7BE2678E349F6766E1834D567C2491BA46A38B4AEB010237376C44F91000BFF76
Instruction Fuzzy Hash: 521cd1f5f1d68558a350981a4af58b67496248f6491df8a54ee4dd11dd84c66b

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0047500B

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

Part of subcall function 00474D58: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?,00000000,00000000,00000000,?,004755A7), ref: 00474D98
Part of subcall function 00474D58: WriteProcessMemory.KERNEL32(?,00000000,kernel32.dll,?,?,?,00000000,?,00003000,00000040,00000000,00474DDE,?,DCPERSFWBP,?,?), ref: 00474DBE

GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000,00475246), ref: 0047511C
GetProcAddress.KERNEL32(00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000,00475246), ref: 00475122
GetModuleHandleA.KERNEL32(kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00000000), ref: 00475133
GetProcAddress.KERNEL32(00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 00475139
GetModuleHandleA.KERNEL32(kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000), ref: 0047514B
GetProcAddress.KERNEL32(00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000,08000000,00000000), ref: 00475151
GetModuleHandleA.KERNEL32(kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000,00000000), ref: 00475163
GetProcAddress.KERNEL32(00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000,00000000,00000000), ref: 00475169
GetModuleHandleA.KERNEL32(kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000,00000000), ref: 0047517B
GetProcAddress.KERNEL32(00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32,LoadLibraryA,00000000), ref: 00475181
GetModuleHandleA.KERNEL32(kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000,kernel32), ref: 00475193
GetProcAddress.KERNEL32(00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32,GetProcAddress,00000000), ref: 00475199
GetModuleHandleA.KERNEL32(kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000,kernel32), ref: 004751AB
GetProcAddress.KERNEL32(00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32,Sleep,00000000), ref: 004751B1
GetModuleHandleA.KERNEL32(kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000,kernel32), ref: 004751C3
GetProcAddress.KERNEL32(00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32,MessageBoxA,00000000), ref: 004751C9
GetModuleHandleA.KERNEL32(kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000,kernel32), ref: 004751DB
GetProcAddress.KERNEL32(00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32,ExitThread,00000000), ref: 004751E1
GetModuleHandleA.KERNEL32(kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000,kernel32), ref: 004751F3
GetProcAddress.KERNEL32(00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32,DeleteFileA,00000000), ref: 004751F9
GetModuleHandleA.KERNEL32(kernel32,GetExitCodeProcess,00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000,kernel32), ref: 0047520B
GetProcAddress.KERNEL32(00000000,kernel32,GetExitCodeProcess,00000000,kernel32,OpenProcess,00000000,kernel32,CloseHandle,00000000,kernel32,TerminateProcess,00000000,kernel32,GetLastError,00000000), ref: 00475211

Part of subcall function 00474E20: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00474E5E
Part of subcall function 00474E20: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00474E6E
Part of subcall function 00474E20: ReadProcessMemory.KERNEL32(?,00000000,?,?,?,DCPERSFWBP,?,?), ref: 00474E81

Part of subcall function 0040F234: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0048F90F,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040F24B

Strings

DeleteFileA, xrefs: 0047509B, 00475189
user32.dll, xrefs: 0047505F
LoadLibraryA, xrefs: 00475112
Sleep, xrefs: 0047506E, 00475141
notepad, xrefs: 00475025
OpenProcess, xrefs: 004750D7, 004751E9
kernel32.dll, xrefs: 00475050
GetProcAddress, xrefs: 00475129
ExitThread, xrefs: 0047508C, 00475171
TerminateProcess, xrefs: 004750B9, 004751B9
kernel32, xrefs: 00475117, 0047512E, 00475146, 0047515E, 00475176, 0047518E, 004751A6, 004751BE, 004751D6, 004751EE, 00475206
MessageBoxA, xrefs: 0047507D, 00475159
CloseHandle, xrefs: 004750C8, 004751D1
GetLastError, xrefs: 004750AA, 004751A1
GetExitCodeProcess, xrefs: 004750E6, 00475201
D, xrefs: 00474FC9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045D6E8, Relevance: 49.1, APIs: 15, Strings: 13, Instructions: 95 Total matches: 1532libraryloader

Similarity

Total matches: 1532
API ID: GetProcAddress$SetErrorMode$GetModuleHandleLoadLibrary
String ID: ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME$[FILE]
API String ID: 4285671783-683095915
Opcode ID: 6332f91712b4189a2fbf9eac54066364acf4b46419cf90587b9f7381acad85db
Instruction ID: 372e34bc737a7edc69a1909bd40661afaf820c1de602df88552da6e630419b72
Opcode Fuzzy Hash: 0A01257F24D863CBD2D0CE4934DB39D20B65787C0C8D6DF404605318697F9BF9295A68
Instruction Fuzzy Hash: 372e34bc737a7edc69a1909bd40661afaf820c1de602df88552da6e630419b72

APIs

SetErrorMode.KERNEL32(00008000), ref: 0045D701
GetModuleHandleA.KERNEL32(USER32,00000000,0045D84E,?,00008000), ref: 0045D725
GetProcAddress.KERNEL32(00000000,WINNLSEnableIME,USER32,00000000,0045D84E,?,00008000), ref: 0045D732
LoadLibraryA.KERNEL32(imm32.dll), ref: 0045D74E
GetProcAddress.KERNEL32(00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D770
GetProcAddress.KERNEL32(00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D785
GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D79A
GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7AF
GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7C4
GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E), ref: 0045D7D9
GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000), ref: 0045D7EE
GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext), ref: 0045D803
GetProcAddress.KERNEL32(00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext), ref: 0045D818
GetProcAddress.KERNEL32(00000000,ImmNotifyIME,00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus), ref: 0045D82D
SetErrorMode.KERNEL32(?,0045D855,00008000), ref: 0045D848

Strings

USER32, xrefs: 0045D720
ImmReleaseContext, xrefs: 0045D77A
ImmNotifyIME, xrefs: 0045D822
ImmIsIME, xrefs: 0045D80D
ImmGetConversionStatus, xrefs: 0045D78F
ImmSetCompositionFontA, xrefs: 0045D7E3
ImmGetCompositionStringA, xrefs: 0045D7F8
ImmSetCompositionWindow, xrefs: 0045D7CE
ImmGetContext, xrefs: 0045D765
imm32.dll, xrefs: 0045D749
ImmSetOpenStatus, xrefs: 0045D7B9
WINNLSEnableIME, xrefs: 0045D72C
ImmSetConversionStatus, xrefs: 0045D7A4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004104F0, Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141 Total matches: 3143

Similarity

Total matches: 3143
API ID: GetModuleHandle
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$[FILE]
API String ID: 2196120668-1102361026
Opcode ID: d04b3c176625d43589df9c4c1eaa1faa8af9b9c00307a8a09859a0e62e75f2dc
Instruction ID: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6
Opcode Fuzzy Hash: B8119E48E06A10BC356E3ED6B0292683F50A1A7CBF31D5388487AA46F067C083C0FF2D
Instruction Fuzzy Hash: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 004104F9

Part of subcall function 004104C4: GetProcAddress.KERNEL32(00000000), ref: 004104DD

Strings

VarMod, xrefs: 004105B7
VarBstrFromCy, xrefs: 004106A9
VarBstrFromBool, xrefs: 004106D5
VarAnd, xrefs: 004105CD
VarDateFromStr, xrefs: 00410667
oleaut32.dll, xrefs: 004104F4
VariantChangeTypeEx, xrefs: 00410507
VarCmp, xrefs: 0041060F
VarBstrFromDate, xrefs: 004106BF
VarBoolFromStr, xrefs: 00410693
VarR8FromStr, xrefs: 00410651
VarR4FromStr, xrefs: 0041063B
VarDiv, xrefs: 0041058B
VarSub, xrefs: 0041055F
VarNeg, xrefs: 0041051D
VarAdd, xrefs: 00410549
VarOr, xrefs: 004105E3
VarMul, xrefs: 00410575
VarI4FromStr, xrefs: 00410625
VarCyFromStr, xrefs: 0041067D
VarIdiv, xrefs: 004105A1
VarXor, xrefs: 004105F9
VarNot, xrefs: 00410533

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00489580, Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 221 Total matches: 17pipewindowsleep

Similarity

Total matches: 17
API ID: CloseHandleCreatePipePeekNamedPipe$CreateProcessDispatchMessageGetEnvironmentVariableGetExitCodeProcessOemToCharPeekMessageReadFileSleepTerminateProcessTranslateMessage
String ID: COMSPEC$D
API String ID: 4101216710-942777791
Opcode ID: 98b6063c36b7c4f9ee270a2712a57a54142ac9cf893dea9da1c9317ddc3726ed
Instruction ID: f750be379b028122e82cf807415e9f3aafae13f02fb218c552ebf65ada2f023f
Opcode Fuzzy Hash: 6221AE4207BD57A3E5972A046403B841372FF43A68F6CA7A2A6FD367E9CE400099FE14
Instruction Fuzzy Hash: f750be379b028122e82cf807415e9f3aafae13f02fb218c552ebf65ada2f023f

APIs

CreatePipe.KERNEL32(FFFFFFFF,?,00000000,00000000), ref: 004895ED
CreatePipe.KERNEL32(?,?,00000000,00000000,FFFFFFFF,?,00000000,00000000), ref: 004895FD
GetEnvironmentVariableA.KERNEL32(COMSPEC,?,00000104,?,?,00000000,00000000,FFFFFFFF,?,00000000,00000000), ref: 00489613
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?), ref: 00489668
Sleep.KERNEL32(000007D0,00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,COMSPEC,?,00000104,?,?), ref: 00489685
TranslateMessage.USER32(?), ref: 00489693
DispatchMessageA.USER32(?), ref: 0048969F
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004896B3
GetExitCodeProcess.KERNEL32(?,?), ref: 004896C8
PeekNamedPipe.KERNEL32(FFFFFFFF,00000000,00000000,00000000,?,00000000,?,?,?,00000000,00000000,00000000,00000001,?,?,?), ref: 004896F2
ReadFile.KERNEL32(FFFFFFFF,?,00002400,00000000,00000000), ref: 00489717
OemToCharA.USER32(?,?), ref: 0048972E
PeekNamedPipe.KERNEL32(FFFFFFFF,00000000,00000000,00000000,00000000,00000000,?,FFFFFFFF,?,00002400,00000000,00000000,FFFFFFFF,00000000,00000000,00000000), ref: 00489781

Part of subcall function 0041FA34: GetLastError.KERNEL32(00486514,00000004,0048650C,00000000,0041FADE,?,00499F5C), ref: 0041FA94

Part of subcall function 0041FC40: SetThreadPriority.KERNEL32(?,015CDB28,00499F5C,?,0047EC9E,?,?,?,00000000,00000000,?,0049062B), ref: 0041FC55

Part of subcall function 0041FEF0: ResumeThread.KERNEL32(?,00499F5C,?,0047ECAA,?,?,?,00000000,00000000,?,0049062B), ref: 0041FEF8

Part of subcall function 0041FF20: GetCurrentThreadId.KERNEL32 ref: 0041FF2E
Part of subcall function 0041FF20: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0041FF5A
Part of subcall function 0041FF20: MsgWaitForMultipleObjects.USER32(00000002,?,00000000,000003E8,00000040), ref: 0041FF6F
Part of subcall function 0041FF20: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041FF9C
Part of subcall function 0041FF20: GetExitCodeThread.KERNEL32(?,?,?,000000FF), ref: 0041FFA7

TerminateProcess.KERNEL32(?,00000000,00000000,?,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,COMSPEC,?,00000104,?), ref: 0048980A
CloseHandle.KERNEL32(?), ref: 00489813
CloseHandle.KERNEL32(?), ref: 0048981C

Strings

D, xrefs: 00489627
COMSPEC, xrefs: 0048960E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00472E88, Relevance: 26.4, APIs: 6, Strings: 9, Instructions: 199 Total matches: 19network

Similarity

Total matches: 19
API ID: inet_ntoa$WSAIoctlclosesocketsocket
String ID: Broadcast adress : $ Broadcasts : NO$ Broadcasts : YES$ IP : $ IP Mask : $ Loopback interface$ Network interface$ Status : DOWN$ Status : UP
API String ID: 2271367613-1810517698
Opcode ID: 3d4dbe25dc82bdd7fd028c6f91bddee7ad6dc1d8a686e5486e056cbc58026438
Instruction ID: 018b2a24353d4e3a07e7e79b390110fecb7011e72bd4e8fb6250bb24c4a02172
Opcode Fuzzy Hash: E22138C22338E1B2D42A39C6B500F80B651671FB7EF481F9652B6FFDC26E488005A749
Instruction Fuzzy Hash: 018b2a24353d4e3a07e7e79b390110fecb7011e72bd4e8fb6250bb24c4a02172

APIs

socket.WSOCK32(00000002,00000001,00000000,00000000,00473108), ref: 00472EC7
WSAIoctl.WS2_32(000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000), ref: 00472F08
inet_ntoa.WSOCK32(?,00000000,004730D5,?,00000002,00000001,00000000,00000000,00473108), ref: 00472F40
inet_ntoa.WSOCK32(?,00473130,?, IP : ,?,?,00000000,004730D5,?,00000002,00000001,00000000,00000000,00473108), ref: 00472F81
inet_ntoa.WSOCK32(?,00473130,?, IP Mask : ,?,?,00473130,?, IP : ,?,?,00000000,004730D5,?,00000002,00000001), ref: 00472FC2
closesocket.WSOCK32(000000FF,00000002,00000001,00000000,00000000,00473108), ref: 004730E3

Strings

Broadcast adress : , xrefs: 00472FCB
Status : UP, xrefs: 00473001
IP Mask : , xrefs: 00472F8A
Broadcasts : NO, xrefs: 00473057
Status : DOWN, xrefs: 0047301B
IP : , xrefs: 00472F49
Broadcasts : YES, xrefs: 0047303D
Network interface, xrefs: 00473091
Loopback interface, xrefs: 00473077

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045944C, Relevance: 25.8, APIs: 17, Instructions: 258 Total matches: 99

Similarity

Total matches: 99
API ID: OffsetRect$MapWindowPoints$DrawEdgeExcludeClipRectFillRectGetClientRectGetRgnBoxGetWindowDCGetWindowLongGetWindowRectInflateRectIntersectClipRectIntersectRectReleaseDC
String ID:
API String ID: 549690890-0
Opcode ID: 4a5933c45267f4417683cc1ac528043082b1f46eca0dcd21c58a50742ec4aa88
Instruction ID: 2ecbe6093ff51080a4fa1a6c7503b414327ded251fe39163baabcde2d7402924
Opcode Fuzzy Hash: DE316B4D01AF1663F073A6401983F7A1516FF43A89CD837F27EE63235E27662066AA03
Instruction Fuzzy Hash: 2ecbe6093ff51080a4fa1a6c7503b414327ded251fe39163baabcde2d7402924

APIs

GetWindowDC.USER32(00000000), ref: 00459480
GetClientRect.USER32(00000000,?), ref: 004594A3
GetWindowRect.USER32(00000000,?), ref: 004594B5
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 004594CB
OffsetRect.USER32(?,?,?), ref: 004594E0
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 004594F9
InflateRect.USER32(?,00000000,00000000), ref: 00459517
GetWindowLongA.USER32(00000000,000000F0), ref: 00459531
DrawEdge.USER32(?,?,?,00000008), ref: 00459630
IntersectClipRect.GDI32(?,?,?,?,?), ref: 00459649
OffsetRect.USER32(?,?,?), ref: 00459673
GetRgnBox.GDI32(?,?), ref: 00459682
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 00459698
IntersectRect.USER32(?,?,?), ref: 004596A9
OffsetRect.USER32(?,?,?), ref: 004596BE

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?,00000000), ref: 004596DA
ReleaseDC.USER32(00000000,?), ref: 004596F9

Part of subcall function 004328FC: GetWindowLongA.USER32(00000000,000000EC), ref: 00432917
Part of subcall function 004328FC: GetWindowRect.USER32(00000000,?), ref: 00432932
Part of subcall function 004328FC: OffsetRect.USER32(?,?,?), ref: 00432947
Part of subcall function 004328FC: GetWindowDC.USER32(00000000), ref: 00432955
Part of subcall function 004328FC: GetWindowLongA.USER32(00000000,000000F0), ref: 00432986
Part of subcall function 004328FC: GetSystemMetrics.USER32(00000002), ref: 0043299B
Part of subcall function 004328FC: GetSystemMetrics.USER32(00000003), ref: 004329A4
Part of subcall function 004328FC: InflateRect.USER32(?,000000FE,000000FE), ref: 004329B3
Part of subcall function 004328FC: GetSysColorBrush.USER32(0000000F), ref: 004329E0
Part of subcall function 004328FC: FillRect.USER32(?,?,00000000), ref: 004329EE
Part of subcall function 004328FC: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00432A13
Part of subcall function 004328FC: ReleaseDC.USER32(00000000,?), ref: 00432A51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474208, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 49 Total matches: 17libraryloader

Similarity

Total matches: 17
API ID: GetProcAddress$LoadLibrary
String ID: WlanCloseHandle$WlanEnumInterfaces$WlanGetAvailableNetworkList$WlanOpenHandle$WlanQueryInterface$[FILE]
API String ID: 2209490600-3498334979
Opcode ID: 5146edb54a207047eae4574c9a27975307ac735bfb4468aea4e07443cdf6e803
Instruction ID: f89292433987c39bc7d9e273a1951c9a278ebb56a2de24d0a3e4590a01f53334
Opcode Fuzzy Hash: 50E0B6FD90BAA808D37089CC31962431D6E7BE332DA621E00086A230902B4FF2766935
Instruction Fuzzy Hash: f89292433987c39bc7d9e273a1951c9a278ebb56a2de24d0a3e4590a01f53334

APIs

LoadLibraryA.KERNEL32(wlanapi.dll), ref: 00474216
GetProcAddress.KERNEL32(00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 0047422E
GetProcAddress.KERNEL32(00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 00474249
GetProcAddress.KERNEL32(00000000,WlanEnumInterfaces,00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 00474264
GetProcAddress.KERNEL32(00000000,WlanQueryInterface,00000000,WlanEnumInterfaces,00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 0047427F
GetProcAddress.KERNEL32(00000000,WlanGetAvailableNetworkList,00000000,WlanQueryInterface,00000000,WlanEnumInterfaces,00000000,WlanCloseHandle,00000000,WlanOpenHandle,wlanapi.dll,?,?,0047466E,00000000,00474A0A), ref: 0047429A

Strings

WlanOpenHandle, xrefs: 00474226
wlanapi.dll, xrefs: 00474211
WlanGetAvailableNetworkList, xrefs: 00474292
WlanQueryInterface, xrefs: 00474277
WlanEnumInterfaces, xrefs: 0047425C
WlanCloseHandle, xrefs: 00474241

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048D3C4, Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 132 Total matches: 32

Similarity

Total matches: 32
API ID: GetVersionEx
String ID: Unknow$Windows 2000$Windows 7$Windows 95$Windows 98$Windows Me$Windows NT 4.0$Windows Server 2003$Windows Vista$Windows XP
API String ID: 3908303307-3783844371
Opcode ID: 7b5a5832e5fd12129a8a2e2906a492b9449b8df28a17af9cc2e55bced20de565
Instruction ID: b844ed6b70e0e94de659292c354b68b9ed016400ab421bcb6baea74a0809c2ae
Opcode Fuzzy Hash: 0C11ACC1EB6CE422E7B219486410BD59E805F8B83AFCCC343D63EA83E46D491419F22D
Instruction Fuzzy Hash: b844ed6b70e0e94de659292c354b68b9ed016400ab421bcb6baea74a0809c2ae

APIs

GetVersionExA.KERNEL32(00000094), ref: 0048D410

Strings

Windows Me, xrefs: 0048D4F2
Windows NT 4.0, xrefs: 0048D441
Windows 2000, xrefs: 0048D467
Windows 95, xrefs: 0048D4D6
Windows 7, xrefs: 0048D4B1
Unknow, xrefs: 0048D3F5
Windows Vista, xrefs: 0048D4A3
Windows Server 2003, xrefs: 0048D486
Windows XP, xrefs: 0048D478
Windows 98, xrefs: 0048D4E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C494, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 102 Total matches: 27filememorythread

Similarity

Total matches: 27
API ID: CloseHandle$CreateFileCreateThreadFindResourceLoadResourceLocalAllocLockResourceSizeofResourceWriteFile
String ID: [FILE]
API String ID: 67866216-124780900
Opcode ID: 96c988e38e59b89ff17cc2eaece477f828ad8744e4a6eccd5192cfbc043553d8
Instruction ID: 630cc112895e8414539e3ba5b7ba0394fd4404f3832c6fa9d37db38bf09270f9
Opcode Fuzzy Hash: D5F02B8A57A5E6A3F0003C841D423D286D55B13B20E582B62C57CB75C1FE24502AFB03
Instruction Fuzzy Hash: 630cc112895e8414539e3ba5b7ba0394fd4404f3832c6fa9d37db38bf09270f9

APIs

FindResourceA.KERNEL32(00000000,?,?), ref: 0048C4C3

Part of subcall function 00489BB0: GetTempPathA.KERNEL32(?,00000000), ref: 00489BEC

CreateFileA.KERNEL32(00000000,.dll,?,?,40000000,00000002,00000000), ref: 0048C50F
SizeofResource.KERNEL32(00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC,?,?,?,?,00000000,00000000,00000000), ref: 0048C51F
LoadResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C528
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C52E
WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0048C535
CloseHandle.KERNEL32(00000000), ref: 0048C53B
LocalAlloc.KERNEL32(00000040,00000004,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C544
CreateThread.KERNEL32(00000000,00000000,0048C3E4,00000000,00000000,?), ref: 0048C586
CloseHandle.KERNEL32(00000000), ref: 0048C58C

Strings

.dll, xrefs: 0048C4F4, 0048C565

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00442280, Relevance: 18.5, APIs: 12, Instructions: 471 Total matches: 76window

Similarity

Total matches: 76
API ID: ShowWindow$SendMessageSetWindowPos$CallWindowProcGetActiveWindowSetActiveWindow
String ID:
API String ID: 1078102291-0
Opcode ID: 5a6bc4dc446307c7628f18d730adac2faaaadfe5fec0ff2c8aaad915570e293a
Instruction ID: d2d7a330045c082ee8847ac264425c59ea8f05af409e416109ccbd6a8a647aa5
Opcode Fuzzy Hash: AA512601698E2453F8A360442A87BAB6077F74EB54CC4AB744BCF530AB3A51D837E74B
Instruction Fuzzy Hash: d2d7a330045c082ee8847ac264425c59ea8f05af409e416109ccbd6a8a647aa5

APIs

Part of subcall function 004471C4: IsChild.USER32(00000000,00000000), ref: 00447222

SendMessageA.USER32(?,00000223,00000000,00000000), ref: 004426BE
ShowWindow.USER32(00000000,00000003), ref: 004426CE
ShowWindow.USER32(00000000,00000002), ref: 004426F0
CallWindowProcA.USER32(00407FF8,00000000,00000005,00000000,?), ref: 00442719
SendMessageA.USER32(?,00000234,00000000,00000000), ref: 0044273E
ShowWindow.USER32(00000000,?), ref: 00442763
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000097), ref: 004427FF
GetActiveWindow.USER32 ref: 00442815
ShowWindow.USER32(00000000,00000000), ref: 00442872

Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773

Part of subcall function 0043BA80: GetCurrentThreadId.KERNEL32(Function_0003BA1C,00000000,0044283C,00000000,004428BF), ref: 0043BA9A
Part of subcall function 0043BA80: EnumThreadWindows.USER32(00000000,Function_0003BA1C,00000000), ref: 0043BAA0

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000097), ref: 0044285A
SetActiveWindow.USER32(00000000), ref: 00442860
ShowWindow.USER32(00000000,00000001), ref: 004428A2

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F17C, Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 116 Total matches: 33window

Similarity

Total matches: 33
API ID: GetWindowPlacementGetWindowTextIsWindowVisible
String ID: ,$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive$True
API String ID: 41250382-511446200
Opcode ID: 2a93bd2407602c988be198f02ecb64933adb9ffad78aee0f75abc9a1a22a1849
Instruction ID: 8f95e1a452f283c9d6a5f9db166b7f7b6e325fa1ebf04232aa01919826a7e185
Opcode Fuzzy Hash: F5012D8237CECA73DA0AAEC47C00B80D5A5AF63224CC867A14A9D3D1D41ED06009AB4A
Instruction Fuzzy Hash: 8f95e1a452f283c9d6a5f9db166b7f7b6e325fa1ebf04232aa01919826a7e185

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F1D2
GetWindowPlacement.USER32(?,0000002C), ref: 0046F1ED
IsWindowVisible.USER32(?), ref: 0046F258

Part of subcall function 0046F148: GetWindow.USER32(?,00000005), ref: 0046F156
Part of subcall function 0046F148: GetWindow.USER32(00000000,00000002), ref: 0046F164

Strings

,, xrefs: 0046F1E1
Minimized, xrefs: 0046F225
Show/Unactive, xrefs: 0046F239
True, xrefs: 0046F2AA
Maximized, xrefs: 0046F1FD
Normal, xrefs: 0046F211
Normal/Unactive, xrefs: 0046F24D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044D1B0, Relevance: 16.6, APIs: 11, Instructions: 91 Total matches: 309

Similarity

Total matches: 309
API ID: GetWindowLongSetWindowLong$SetProp$IsWindowUnicode
String ID:
API String ID: 2416549522-0
Opcode ID: cc33e88019e13a6bdd1cd1f337bb9aa08043e237bf24f75c2294c70aefb51ea5
Instruction ID: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692
Opcode Fuzzy Hash: 47F09048455D92E9CE316990181BFEB6098AF57F91CE86B0469C2713778E50F079BCC2
Instruction Fuzzy Hash: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692

APIs

IsWindowUnicode.USER32(?), ref: 0044D1CA
SetWindowLongW.USER32(?,000000FC,?), ref: 0044D1E5
GetWindowLongW.USER32(?,000000F0), ref: 0044D1F0
GetWindowLongW.USER32(?,000000F4), ref: 0044D202
SetWindowLongW.USER32(?,000000F4,?), ref: 0044D215
SetWindowLongA.USER32(?,000000FC,?), ref: 0044D22E
GetWindowLongA.USER32(?,000000F0), ref: 0044D239
GetWindowLongA.USER32(?,000000F4), ref: 0044D24B
SetWindowLongA.USER32(?,000000F4,?), ref: 0044D25E
SetPropA.USER32(?,00000000,00000000), ref: 0044D275
SetPropA.USER32(?,00000000,00000000), ref: 0044D28C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00462C84, Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 197 Total matches: 15com

Similarity

Total matches: 15
API ID: CoCreateInstance
String ID: )I$,*I$\)I$l)I$|*I
API String ID: 206711758-730570145
Opcode ID: 8999b16d8999ffb1a836ee872fd39b0ec17270f551e5dbcbb19cdec74f308aa7
Instruction ID: 5b7ba80d8099b44c35cabc3879083aa44c7049928a8bf14f2fd8312944c66e37
Opcode Fuzzy Hash: D1212B50148E6143E69475A53D92FAF11533BAB341E68BA6821DF30396CF01619BBF86
Instruction Fuzzy Hash: 5b7ba80d8099b44c35cabc3879083aa44c7049928a8bf14f2fd8312944c66e37

APIs

CoCreateInstance.OLE32(00492A2C,00000000,00000003,0049296C,00000000), ref: 00462CC9
CoCreateInstance.OLE32(00492A8C,00000000,00000001,00462EC8,00000000), ref: 00462CF4
CoCreateInstance.OLE32(00492A9C,00000000,00000001,0049295C,00000000), ref: 00462D20
CoCreateInstance.OLE32(00492A1C,00000000,00000003,004929AC,00000000), ref: 00462E12

Strings

,*I, xrefs: 00462CC3
l)I, xrefs: 00462CB9
)I, xrefs: 00462E4B
\)I, xrefs: 00462D10
|*I, xrefs: 00462D3C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048485C, Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 185 Total matches: 16networkfile

Similarity

Total matches: 16
API ID: HttpQueryInfoInternetCloseHandleInternetOpenInternetOpenUrlInternetReadFileShellExecute
String ID: 200$Mozilla$open
API String ID: 3970492845-1265730427
Opcode ID: 3dc36a46b375420b33b8be952117d0a4158fa58e722c19be8f44cfd6d7effa21
Instruction ID: c028a43d89851b06b6d8b312316828d3eee8359a726d0fa9a5f52c6647499b4f
Opcode Fuzzy Hash: B0213B401399C252F8372E512C83B9D101FDF82639F8857F197B9396D5EF48400DFA9A
Instruction Fuzzy Hash: c028a43d89851b06b6d8b312316828d3eee8359a726d0fa9a5f52c6647499b4f

APIs

InternetOpenA.WININET(Mozilla,00000001,00000000,00000000,00000000), ref: 0048490C
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,04000000,00000000), ref: 00484944
HttpQueryInfoA.WININET(00000000,00000013,?,00000200,?), ref: 0048497D
InternetReadFile.WININET(00000000,?,00000400,?), ref: 00484A04
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 00484A75
InternetCloseHandle.WININET(00000000), ref: 00484A95

Strings

200, xrefs: 004849BD
Mozilla, xrefs: 00484907
open, xrefs: 00484A6E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A8AC, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 146 Total matches: 45fileprocesssynchronization

Similarity

Total matches: 45
API ID: CloseHandle$CreateFile$CreateProcessWaitForSingleObject
String ID: D
API String ID: 1169714791-2746444292
Opcode ID: 9fb844b51f751657abfdf9935c21911306aa385a3997c9217fbe2ce6b668f812
Instruction ID: 79e473b7fda91be69f4d7f417df14a4c992ec25b9310636d694ca9e09f5cc5b6
Opcode Fuzzy Hash: 4D11E6431384F3F3F1A567002C8275185D6DB45A78E6D9752D6B6323EECB40A16CF94A
Instruction Fuzzy Hash: 79e473b7fda91be69f4d7f417df14a4c992ec25b9310636d694ca9e09f5cc5b6

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000004,00000100,00000000), ref: 0048A953
CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000002,00000100,00000000), ref: 0048A98D
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000110,00000000,00000000,00000044,?), ref: 0048AA10
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0048AA2D
CloseHandle.KERNEL32(00000000), ref: 0048AA68
CloseHandle.KERNEL32(00000000), ref: 0048AA77
CloseHandle.KERNEL32(00000000), ref: 0048AA86
CloseHandle.KERNEL32(00000000), ref: 0048AA95

Strings

D, xrefs: 0048A9BB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F3B8, Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 110 Total matches: 30

Similarity

Total matches: 30
API ID: GetWindowPlacementGetWindowText
String ID: ,$False$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive
API String ID: 3194812178-3661939895
Opcode ID: 6e67ebc189e59b109926b976878c05c5ff8e56a7c2fe83319816f47c7d386b2c
Instruction ID: 05c2a068ec8248d3d24fb73124f2ba0192b7bb261c799db9564259cde8fcc610
Opcode Fuzzy Hash: DC012BC22786CE23E606A9C47A00BD0CE65AFB261CCC867E14FEE3C5D57ED100089B96
Instruction Fuzzy Hash: 05c2a068ec8248d3d24fb73124f2ba0192b7bb261c799db9564259cde8fcc610

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F40E
GetWindowPlacement.USER32(?,0000002C), ref: 0046F429

Part of subcall function 0046F148: GetWindow.USER32(?,00000005), ref: 0046F156
Part of subcall function 0046F148: GetWindow.USER32(00000000,00000002), ref: 0046F164

Strings

Maximized, xrefs: 0046F439
,, xrefs: 0046F41D
False, xrefs: 0046F4D6
Show/Unactive, xrefs: 0046F475
Normal, xrefs: 0046F44D
Minimized, xrefs: 0046F461
Normal/Unactive, xrefs: 0046F489

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043F2B8, Relevance: 15.1, APIs: 10, Instructions: 133 Total matches: 142window

Similarity

Total matches: 142
API ID: GetWindowLongSendMessageSetWindowLong$GetClassLongGetSystemMenuSetClassLongSetWindowPos
String ID:
API String ID: 864553395-0
Opcode ID: 9ab73d602731c043e05f06fe9a833ffc60d2bf7da5b0a21ed43778f35c9aa1f5
Instruction ID: 86e40c6f39a8dd384175e0123e2dc7e82ae64037638b8220b5ac0861a23d6a34
Opcode Fuzzy Hash: B101DBAA1A176361E0912DCCCAC3B2ED50DB743248EB0DBD922E11540E7F4590A7FE2D
Instruction Fuzzy Hash: 86e40c6f39a8dd384175e0123e2dc7e82ae64037638b8220b5ac0861a23d6a34

APIs

GetWindowLongA.USER32(00000000,000000F0), ref: 0043F329
GetWindowLongA.USER32(00000000,000000EC), ref: 0043F33B
GetClassLongA.USER32(00000000,000000E6), ref: 0043F34E
SetWindowLongA.USER32(00000000,000000F0,00000000), ref: 0043F38E
SetWindowLongA.USER32(00000000,000000EC,?), ref: 0043F3A2
SetClassLongA.USER32(00000000,000000E6,?), ref: 0043F3B6
SendMessageA.USER32(00000000,00000080,00000001,00000000), ref: 0043F3F0
SendMessageA.USER32(00000000,00000080,00000001,00000000), ref: 0043F408
GetSystemMenu.USER32(00000000,000000FF), ref: 0043F417
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043F440

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044155C, Relevance: 15.1, APIs: 10, Instructions: 74 Total matches: 3192window

Similarity

Total matches: 3192
API ID: DeleteMenu$EnableMenuItem$GetSystemMenu
String ID:
API String ID: 3542995237-0
Opcode ID: 6b257927fe0fdeada418aad578b82fbca612965c587f2749ccb5523ad42afade
Instruction ID: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578
Opcode Fuzzy Hash: 0AF0D09DD98F1151E6F500410C47B83C08AFF413C5C245B380583217EFA9D25A5BEB0E
Instruction Fuzzy Hash: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 004415A7
DeleteMenu.USER32(00000000,0000F130,00000000), ref: 004415C5
DeleteMenu.USER32(00000000,00000007,00000400), ref: 004415D2
DeleteMenu.USER32(00000000,00000005,00000400), ref: 004415DF
DeleteMenu.USER32(00000000,0000F030,00000000), ref: 004415EC
DeleteMenu.USER32(00000000,0000F020,00000000), ref: 004415F9
DeleteMenu.USER32(00000000,0000F000,00000000), ref: 00441606
DeleteMenu.USER32(00000000,0000F120,00000000), ref: 00441613
EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 00441631
EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 0044164D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00451458, Relevance: 13.6, APIs: 9, Instructions: 122 Total matches: 3040window

Similarity

Total matches: 3040
API ID: PatBlt$SelectObject$GetDCExGetDesktopWindowReleaseDC
String ID:
API String ID: 2402848322-0
Opcode ID: 0b1cd19b0e82695ca21d43bacf455c9985e1afa33c1b29ce2f3a7090b744ccb2
Instruction ID: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593
Opcode Fuzzy Hash: C2F0B4482AADF707C8B6350915C7F79224AED736458F4BB694DB4172CBAF27B014D093
Instruction Fuzzy Hash: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593

APIs

GetDesktopWindow.USER32 ref: 0045148F
GetDCEx.USER32(?,00000000,00000402), ref: 004514A2

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

SelectObject.GDI32(?,00000000), ref: 004514C5
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 004514EB
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0045150D
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 0045152C
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 00451546
SelectObject.GDI32(?,?), ref: 00451553
ReleaseDC.USER32(?,?), ref: 0045156D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00465598, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 194 Total matches: 72libraryloader

Similarity

Total matches: 72
API ID: GetProcAddress$IsBadReadPtrLoadLibrary
String ID: BuildImportTable: GetProcAddress failed$BuildImportTable: ReallocMemory failed$BuildImportTable: can't load library:
API String ID: 1616315271-1384308123
Opcode ID: eb45955122e677bac4d3e7b6686ec9cba9f45ae3ef48f3e0b242e9a0c3719a7c
Instruction ID: d25742ef4bc1d51b96969838743a3f95180d575e7d72d5f7fe617812cb4009d6
Opcode Fuzzy Hash: 0B214C420345E0D3ED39A2081CC7FB15345EF639B4D88AB671ABB667FA2985500AF50D
Instruction Fuzzy Hash: d25742ef4bc1d51b96969838743a3f95180d575e7d72d5f7fe617812cb4009d6

APIs

LoadLibraryA.KERNEL32(00000000), ref: 00465607
GetProcAddress.KERNEL32(?,?), ref: 00465737
GetProcAddress.KERNEL32(?,?), ref: 0046576B
IsBadReadPtr.KERNEL32(?,00000014,00000000,004657D8), ref: 004657A9

Strings

BuildImportTable: can't load library: , xrefs: 00465644
BuildImportTable: ReallocMemory failed, xrefs: 0046568D
BuildImportTable: GetProcAddress failed, xrefs: 0046577C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482E34, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 193 Total matches: 16sleepthread

Similarity

Total matches: 16
API ID: Sleep$CreateThreadExitThread
String ID: .255$127.0.0.1$LanList
API String ID: 1155887905-2919614961
Opcode ID: f9aceb7697053a60f8f2203743265727de6b3c16a25ac160ebf033b594fe70c2
Instruction ID: 67bc21a589158fc7afeef0b5d02271f7d18e2bfc14a4273c93325a5ef21c2c98
Opcode Fuzzy Hash: 62215C820F87955EED616C807C41FA701315FB7649D4FAB622A6B3A1A74E032016B743
Instruction Fuzzy Hash: 67bc21a589158fc7afeef0b5d02271f7d18e2bfc14a4273c93325a5ef21c2c98

APIs

ExitThread.KERNEL32(00000000,00000000,004830D3,?,?,?,?,00000000,00000000), ref: 004830A6

Part of subcall function 00473208: socket.WSOCK32(00000002,00000001,00000000,00000000,00473339), ref: 0047323B
Part of subcall function 00473208: WSAIoctl.WS2_32(000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000), ref: 0047327C
Part of subcall function 00473208: inet_ntoa.WSOCK32(?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000), ref: 004732AC
Part of subcall function 00473208: inet_ntoa.WSOCK32(?,?,000000FF,4004747F,00000000,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001), ref: 004732E8
Part of subcall function 00473208: closesocket.WSOCK32(000000FF,00000000,?,00000400,?,00000000,00000000,00000000,0047330B,?,00000002,00000001,00000000,00000000,00473339), ref: 00473319

CreateThread.KERNEL32(00000000,00000000,Function_00082CDC,?,00000000,?), ref: 00483005
Sleep.KERNEL32(00000032,00000000,00000000,Function_00082CDC,?,00000000,?,?,00000000,00000000,00483104,?,00483104,?,00483104,?), ref: 0048300C
Sleep.KERNEL32(00000064,.255,?,00483104,?,00483104,?,?,00000000,004830D3,?,?,?,?,00000000,00000000), ref: 00483054

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

127.0.0.1, xrefs: 00482E9D
LanList, xrefs: 0048306B
.255, xrefs: 0048303C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004117E8, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: f440f800a6dcfa6827f62dcd7c23166eba4d720ac19948e634cff8498f9e3f0b
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 4D113503239AAB83B0257B804C83F24D1D0DE42D36ACD97B8C672693F32601561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00411881
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041189D
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 004118D6
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411953
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0041196C
VariantCopy.OLEAUT32(?), ref: 004119A1

Strings

, xrefs: 00411802

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00454934, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 134 Total matches: 1764registry

Similarity

Total matches: 1764
API ID: GetWindowLong$GetClassInfoRegisterClassSetWindowLongUnregisterClass
String ID: @
API String ID: 2433521760-2766056989
Opcode ID: bb057d11bcffa2997f58ae607b8aec9f6d517787b85221cca69b6bc40098651c
Instruction ID: 4013627ed433dbc6b152acdb164a0da3d29e3622e0b68fd627badcaca3a3b516
Opcode Fuzzy Hash: 5A119C80560CD237E7D669A4B48378513749F97B7CDD0536B63F6242DA4E00402DF96E
Instruction Fuzzy Hash: 4013627ed433dbc6b152acdb164a0da3d29e3622e0b68fd627badcaca3a3b516

APIs

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetClassInfoA.USER32(?,?,?), ref: 004549F8
UnregisterClassA.USER32(?,?), ref: 00454A20
RegisterClassA.USER32(?), ref: 00454A36
GetWindowLongA.USER32(00000000,000000F0), ref: 00454A72
GetWindowLongA.USER32(00000000,000000F4), ref: 00454A87
SetWindowLongA.USER32(00000000,000000F4,00000000), ref: 00454A9A

Part of subcall function 00458910: IsIconic.USER32(?), ref: 0045891F
Part of subcall function 00458910: GetWindowPlacement.USER32(?,0000002C), ref: 0045893C
Part of subcall function 00458910: GetWindowRect.USER32(?), ref: 00458955
Part of subcall function 00458910: GetWindowLongA.USER32(?,000000F0), ref: 00458963
Part of subcall function 00458910: GetWindowLongA.USER32(?,000000F8), ref: 00458978
Part of subcall function 00458910: ScreenToClient.USER32(00000000), ref: 00458985
Part of subcall function 00458910: ScreenToClient.USER32(00000000,?), ref: 00458990

Part of subcall function 0042473C: CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,00424930,?,00000000,00424958), ref: 0042486B
Part of subcall function 0042473C: CreateFontIndirectA.GDI32(?), ref: 0042490D

Part of subcall function 0040F26C: GetLastError.KERNEL32(0040F31C,?,0041BBC3,?), ref: 0040F26C

Strings

@, xrefs: 0045496D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0041F7B4, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109 Total matches: 16thread

Similarity

Total matches: 16
API ID: EnterCriticalSectionGetCurrentThreadId$InterlockedExchangeLeaveCriticalSection
String ID: 4PI
API String ID: 853095497-1771581502
Opcode ID: e7ac2c5012fa839d146893c0705f22c4635eb548c5d0be0363ce03b581d14a20
Instruction ID: e450c16710015a04d827bdf36dba62923dd4328c0a0834b889eda6f9c026b195
Opcode Fuzzy Hash: 46F0268206D8F1379472678830D77370A8AC33154EC85EB52162C376EB1D05D05DE75B
Instruction Fuzzy Hash: e450c16710015a04d827bdf36dba62923dd4328c0a0834b889eda6f9c026b195

APIs

GetCurrentThreadId.KERNEL32 ref: 0041F7BF
GetCurrentThreadId.KERNEL32 ref: 0041F7CE
EnterCriticalSection.KERNEL32(004999D0,0041F904,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F8F7

Part of subcall function 0041F774: WaitForSingleObject.KERNEL32(000000EC), ref: 0041F77E

Part of subcall function 0041F768: ResetEvent.KERNEL32(000000EC,0041F809), ref: 0041F76E

EnterCriticalSection.KERNEL32(004999D0), ref: 0041F813
InterlockedExchange.KERNEL32(00491B2C,?), ref: 0041F82F
LeaveCriticalSection.KERNEL32(004999D0,00000000,0041F95A,?,00000000,0041F979,?,004999D0), ref: 0041F888

Strings

4PI, xrefs: 0041F7C4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00449834, Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 80 Total matches: 16libraryloader

Similarity

Total matches: 16
API ID: GetModuleHandleGetProcAddressImageList_Write
String ID: $qA$ImageList_WriteEx$[FILE]$[FILE]
API String ID: 3028349119-1134023085
Opcode ID: 9b6b780f1487285524870f905d0420896c1378cf45dbecae2d97141bf0e14d48
Instruction ID: 043155abd17610354dead4f4dd3580dd0e6203469d1d2f069e389e4af6e4a666
Opcode Fuzzy Hash: 29F059C6A0CCF14AE7175584B0AB66107F0BB9DD5F8C87710081C710A90F95A13DFB56
Instruction Fuzzy Hash: 043155abd17610354dead4f4dd3580dd0e6203469d1d2f069e389e4af6e4a666

APIs

ImageList_Write.COMCTL32(00000000,?,00000000,0044992E), ref: 004498F8

Part of subcall function 0040E3A4: GetFileVersionInfoSizeA.VERSION(00000000,?,00000000,0040E47A), ref: 0040E3E6
Part of subcall function 0040E3A4: GetFileVersionInfoA.VERSION(00000000,?,00000000,?,00000000,0040E45D,?,00000000,?,00000000,0040E47A), ref: 0040E41B
Part of subcall function 0040E3A4: VerQueryValueA.VERSION(?,0040E48C,?,?,00000000,?,00000000,?,00000000,0040E45D,?,00000000,?,00000000,0040E47A), ref: 0040E435

GetModuleHandleA.KERNEL32(comctl32.dll), ref: 00449868
GetProcAddress.KERNEL32(00000000,ImageList_WriteEx,comctl32.dll), ref: 00449879

Strings

comctl32.dll, xrefs: 00449863
ImageList_WriteEx, xrefs: 00449873
$qA, xrefs: 004498D4, 00449909
comctl32.dll, xrefs: 00449848

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E574, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 68 Total matches: 14string

Similarity

Total matches: 14
API ID: GetSystemMetrics$SystemParametersInfolstrcpy
String ID: DISPLAY$GetMonitorInfoA$tB
API String ID: 920390751-4256241499
Opcode ID: 9a94b6fb1edcb78a0c9a66795ebd84d1eeb67d07ab6805deb2fcd0b49b846e84
Instruction ID: eda70eb6c6723b3d8ed12733fddff3b40501d2063d2ec80ebb02aba850291404
Opcode Fuzzy Hash: 78E068C132298081B86A31013160F42129039E7E17E883BC1D4F77056B8B8275651D08
Instruction Fuzzy Hash: eda70eb6c6723b3d8ed12733fddff3b40501d2063d2ec80ebb02aba850291404

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042E5CC
GetSystemMetrics.USER32(00000000), ref: 0042E5E1
GetSystemMetrics.USER32(00000001), ref: 0042E5EC
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0042E616

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

GetMonitorInfoA, xrefs: 0042E58C
tB, xrefs: 0042E591, 0042E59E, 0042E5A5
DISPLAY, xrefs: 0042E60D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004052FC, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38 Total matches: 3072filewindow

Similarity

Total matches: 3072
API ID: GetStdHandleWriteFile$MessageBox
String ID: Error$Runtime error at 00000000
API String ID: 877302783-2970929446
Opcode ID: a2f2a555d5de0ed3a3cdfe8a362fd9574088acc3a5edf2b323f2c4251b80d146
Instruction ID: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97
Opcode Fuzzy Hash: FED0A7C68438479FA141326030C4B2A00133F0762A9CC7396366CB51DFCF4954BCDD05
Instruction Fuzzy Hash: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405335
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 0040533B
GetStdHandle.KERNEL32(000000F5,00405384,00000002,?,00000000,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405350
WriteFile.KERNEL32(00000000,000000F5,00405384,00000002,?), ref: 00405356
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00405374

Strings

Error, xrefs: 00405368
Runtime error at 00000000, xrefs: 0040532E, 0040536D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00442C9C, Relevance: 12.2, APIs: 8, Instructions: 154 Total matches: 2310window

Similarity

Total matches: 2310
API ID: SendMessage$GetActiveWindowGetCapture$ReleaseCapture
String ID:
API String ID: 3360342259-0
Opcode ID: 2e7a3c9d637816ea08647afd4d8ce4a3829e05fa187c32cef18f4a4206af3d5d
Instruction ID: f313f7327938110f0d474da6a120560d1e1833014bacf3192a9076ddb3ef11f7
Opcode Fuzzy Hash: 8F1150111E8E7417F8A3A1C8349BB23A067F74FA59CC0BF71479A610D557588869D707
Instruction Fuzzy Hash: f313f7327938110f0d474da6a120560d1e1833014bacf3192a9076ddb3ef11f7

APIs

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetCapture.USER32 ref: 00442D0D
GetCapture.USER32 ref: 00442D1C
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00442D22
ReleaseCapture.USER32 ref: 00442D27
GetActiveWindow.USER32 ref: 00442D78

Part of subcall function 004442A8: GetCursorPos.USER32 ref: 004442C3
Part of subcall function 004442A8: WindowFromPoint.USER32(?,?), ref: 004442D0
Part of subcall function 004442A8: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004442DE
Part of subcall function 004442A8: GetCurrentThreadId.KERNEL32(00000000,00000000,?,?), ref: 004442E5
Part of subcall function 004442A8: SendMessageA.USER32(00000000,00000084,00000000,?), ref: 0044430E
Part of subcall function 004442A8: SendMessageA.USER32(00000000,00000020,00000000,?), ref: 00444320
Part of subcall function 004442A8: SetCursor.USER32(00000000), ref: 00444332

Part of subcall function 0043B920: GetCurrentThreadId.KERNEL32(0043B8D0,00000000,00000000,0043B993,?,00000000,0043B9D1), ref: 0043B976
Part of subcall function 0043B920: EnumThreadWindows.USER32(00000000,0043B8D0,00000000), ref: 0043B97C

SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00442E0E
SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00442E7B
GetActiveWindow.USER32 ref: 00442E8A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E0DC, Relevance: 12.1, APIs: 8, Instructions: 100 Total matches: 31registry

Similarity

Total matches: 31
API ID: RegOpenKeyEx$RegCloseKeyRegDeleteValue
String ID:
API String ID: 2702562355-0
Opcode ID: ff1bffc0fc9da49c543c68ea8f8c068e074332158ed00d7e0855fec77d15ce10
Instruction ID: bb6f8a9e936068d281b70d3ea2ea02ff1a791729bc38357734c580253c916b5c
Opcode Fuzzy Hash: 00F0AD0155E9A353EBF654C41E127DB2082FF43A44D08FFB50392139D3DF581028E663
Instruction Fuzzy Hash: bb6f8a9e936068d281b70d3ea2ea02ff1a791729bc38357734c580253c916b5c

APIs

RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?,00000000,0046E238), ref: 0046E15A
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,000F003F,?,0046E23F,80000000,00000000,00000000,000F003F,?,00000000,0046E238), ref: 0046E17D
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,0046E23F,80000000,00000000,00000000,000F003F,?), ref: 0046E19D
RegOpenKeyExA.ADVAPI32(80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,0046E23F), ref: 0046E1BD
RegOpenKeyExA.ADVAPI32(80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001), ref: 0046E1DD
RegOpenKeyExA.ADVAPI32(80000006,00000000,00000000,000F003F,?,80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002), ref: 0046E1FD
RegDeleteValueA.ADVAPI32(?,00000000,00000000,0046E238), ref: 0046E20F
RegCloseKey.ADVAPI32(?,?,00000000,00000000,0046E238), ref: 0046E218

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446524, Relevance: 10.6, APIs: 7, Instructions: 105 Total matches: 329window

Similarity

Total matches: 329
API ID: PeekMessage$DispatchMessage$IsWindowUnicodeTranslateMessage
String ID:
API String ID: 94033680-0
Opcode ID: 72d0e2097018c2d171db36cd9dd5c7d628984fd68ad100676ade8b40d7967d7f
Instruction ID: b3581f7210794b57d406096c46509e1a6dcc6e0b3c60c7d01b5c3c410123a072
Opcode Fuzzy Hash: A2F0F642161A8221F90E364651E2FC06559E31F39CCD1D3871165A4192DF8573D6F95C
Instruction Fuzzy Hash: b3581f7210794b57d406096c46509e1a6dcc6e0b3c60c7d01b5c3c410123a072

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00446538
IsWindowUnicode.USER32 ref: 0044654C
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0044656D
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00446583

Part of subcall function 00447DD0: GetCapture.USER32 ref: 00447DDA
Part of subcall function 00447DD0: GetParent.USER32(00000000), ref: 00447E08

Part of subcall function 004462A4: TranslateMDISysAccel.USER32(?), ref: 004462E3

Part of subcall function 004462F4: GetCapture.USER32 ref: 0044631A
Part of subcall function 004462F4: GetParent.USER32(00000000), ref: 00446340
Part of subcall function 004462F4: IsWindowUnicode.USER32(00000000), ref: 0044635D
Part of subcall function 004462F4: SendMessageW.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446378
Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446397
Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(00000000), ref: 004463A6
Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(?,?), ref: 004463B4
Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 004463D4

Part of subcall function 0044625C: IsWindowUnicode.USER32(00000000), ref: 00446270
Part of subcall function 0044625C: IsDialogMessageW.USER32(?), ref: 00446281
Part of subcall function 0044625C: IsDialogMessageA.USER32(?,?,00000000,015B8130,00000001,00446607,?,00000000,00000000,00000000,00000001,?,00000000,00000000,00000000,00000000), ref: 00446296

TranslateMessage.USER32 ref: 0044660C
DispatchMessageW.USER32 ref: 00446618
DispatchMessageA.USER32 ref: 00446620

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444344, Relevance: 10.6, APIs: 7, Instructions: 89 Total matches: 2886

Similarity

Total matches: 2886
API ID: CreateFontIndirect$GetStockObjectSystemParametersInfo
String ID:
API String ID: 1286667049-0
Opcode ID: beeb678630a8d2ca0f721ed15124802961745e4c56d7c704ecddf8ebfa723626
Instruction ID: b9276e4cea0afd1028da4d528d34847b13dbaab52dc8e94e54053a20ac38a9fc
Opcode Fuzzy Hash: 00F0A4C36341F6F2D8993208742172161E6A74AE78C7CFF62422930ED2661A052EEB4F
Instruction Fuzzy Hash: b9276e4cea0afd1028da4d528d34847b13dbaab52dc8e94e54053a20ac38a9fc

APIs

SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 00444399
CreateFontIndirectA.GDI32(?), ref: 004443A6
GetStockObject.GDI32(0000000D), ref: 004443BC
SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 004443E5
CreateFontIndirectA.GDI32(?), ref: 004443F5
CreateFontIndirectA.GDI32(?), ref: 0044440E

Part of subcall function 00424A5C: MulDiv.KERNEL32(00000000,?,00000048), ref: 00424A69

GetStockObject.GDI32(0000000D), ref: 00444434

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428A00, Relevance: 10.6, APIs: 7, Instructions: 66 Total matches: 3056

Similarity

Total matches: 3056
API ID: SelectObject$CreateCompatibleDCDeleteDCGetDCReleaseDCSetDIBColorTable
String ID:
API String ID: 2399757882-0
Opcode ID: e05996493a4a7703f1d90fd319a439bf5e8e75d5a5d7afaf7582bfea387cb30d
Instruction ID: 90c847b5b2251fbb5b2f14fd0b24f537c214c92e226752d9278a3821f2f40b8f
Opcode Fuzzy Hash: 73E0DF8626D8F38BE435399C15C2BB202EAD763D20D1ABBA1CD712B5DB6B09701CE107
Instruction Fuzzy Hash: 90c847b5b2251fbb5b2f14fd0b24f537c214c92e226752d9278a3821f2f40b8f

APIs

Part of subcall function 004262B4: GetObjectA.GDI32(?,00000004), ref: 004262CB
Part of subcall function 004262B4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 004262EE

GetDC.USER32(00000000), ref: 00428A3E
CreateCompatibleDC.GDI32(?), ref: 00428A4A
SelectObject.GDI32(?), ref: 00428A57
SetDIBColorTable.GDI32(?,00000000,00000000,?), ref: 00428A7B
SelectObject.GDI32(?,?), ref: 00428A95
DeleteDC.GDI32(?), ref: 00428A9E
ReleaseDC.USER32(00000000,?), ref: 00428AA9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004442A8, Relevance: 10.6, APIs: 7, Instructions: 57 Total matches: 3149threadwindow

Similarity

Total matches: 3149
API ID: SendMessage$GetCurrentThreadIdGetCursorPosGetWindowThreadProcessIdSetCursorWindowFromPoint
String ID:
API String ID: 3843227220-0
Opcode ID: 636f8612f18a75fc2fe2d79306f1978e6c2d0ee500cce15a656835efa53532b4
Instruction ID: 91a0691e93be75cbd792bc1c5d11451005bcc187603754b99125f381020161aa
Opcode Fuzzy Hash: 6FE07D44093723D5C0644A295640705A6C6CB96630DC0DB86C339580FBAD0214F0BC92
Instruction Fuzzy Hash: 91a0691e93be75cbd792bc1c5d11451005bcc187603754b99125f381020161aa

APIs

GetCursorPos.USER32 ref: 004442C3
WindowFromPoint.USER32(?,?), ref: 004442D0
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004442DE
GetCurrentThreadId.KERNEL32(00000000,00000000,?,?), ref: 004442E5
SendMessageA.USER32(00000000,00000084,00000000,?), ref: 0044430E
SendMessageA.USER32(00000000,00000020,00000000,?), ref: 00444320
SetCursor.USER32(00000000), ref: 00444332

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00404448, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 49 Total matches: 63registry

Similarity

Total matches: 63
API ID: RegCloseKeyRegOpenKeyExRegQueryValueEx
String ID: &$FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 2249749755-409351
Opcode ID: ab90adbf7b939076b4d26ef1005f34fa32d43ca05e29cbeea890055cc8b783db
Instruction ID: ce62e3bb234767a160e82b0d7d36def6f0e4d1aa0fd43ed305e6d49589b0b3e0
Opcode Fuzzy Hash: 58D02BE10C9A675FB6B071543292B6310A3F72AA8CC0077326DD03A0D64FD26178CF03
Instruction Fuzzy Hash: ce62e3bb234767a160e82b0d7d36def6f0e4d1aa0fd43ed305e6d49589b0b3e0

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040446A
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,&,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040449D
RegCloseKey.ADVAPI32(?,004044C0,00000000,?,00000004,00000000,&,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004044B3

Strings

&, xrefs: 00404476
FPUMaskValue, xrefs: 00404494
SOFTWARE\Borland\Delphi\RTL, xrefs: 00404460

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00441160, Relevance: 9.1, APIs: 6, Instructions: 125 Total matches: 196

Similarity

Total matches: 196
API ID: ExcludeClipRectFillRectGetStockObjectRestoreDCSaveDCSetBkColor
String ID:
API String ID: 3049133588-0
Opcode ID: d6019f6cee828ac7391376ab126a0af33bb7a71103bbd3b8d69450c96d22d854
Instruction ID: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c
Opcode Fuzzy Hash: 54012444004F6253F4AB098428E7FA56083F721791CE4FF310786616C34A74615BAA07
Instruction Fuzzy Hash: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c

APIs

Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE

SaveDC.GDI32(?), ref: 004411AD
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00441234
GetStockObject.GDI32(00000004), ref: 00441256
FillRect.USER32(00000000,?,00000000), ref: 0044126F

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(00000000,00000000), ref: 004412BA

Part of subcall function 0042535C: FillRect.USER32(?,00000000,00000000), ref: 00425385

RestoreDC.GDI32(00000000,?), ref: 004412E5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004269DC, Relevance: 9.1, APIs: 6, Instructions: 65 Total matches: 3081window

Similarity

Total matches: 3081
API ID: SelectPalette$CreateCompatibleDCDeleteDCGetDIBitsRealizePalette
String ID:
API String ID: 940258532-0
Opcode ID: c5678bed85b02f593c88b8d4df2de58c18800a354d7fb4845608846d7bc0f30b
Instruction ID: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194
Opcode Fuzzy Hash: BCE0864D058EF36F1875B08C25D267100C0C9A25D0917BB6151282339B8F09B42FE553
Instruction Fuzzy Hash: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194

APIs

Part of subcall function 00426888: GetObjectA.GDI32(?,00000054), ref: 0042689C

CreateCompatibleDC.GDI32(00000000), ref: 004269FE
SelectPalette.GDI32(?,?,00000000), ref: 00426A1F
RealizePalette.GDI32(?), ref: 00426A2B
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 00426A42
SelectPalette.GDI32(?,00000000,00000000), ref: 00426A6A
DeleteDC.GDI32(?), ref: 00426A73

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426210, Relevance: 9.1, APIs: 6, Instructions: 56 Total matches: 3064window

Similarity

Total matches: 3064
API ID: SelectObject$CreateCompatibleDCCreatePaletteDeleteDCGetDIBColorTable
String ID:
API String ID: 2522673167-0
Opcode ID: 8f0861977a40d6dd0df59c1c8ae10ba78c97ad85d117a83679491ebdeecf1838
Instruction ID: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265
Opcode Fuzzy Hash: 23E0CD8BABB4E08A797B9EA40440641D28F874312DF4347525731780E7DE0972EBFD9D
Instruction Fuzzy Hash: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265

APIs

CreateCompatibleDC.GDI32(00000000), ref: 00426229
SelectObject.GDI32(00000000,00000000), ref: 00426232
GetDIBColorTable.GDI32(00000000,00000000,00000100,?), ref: 00426246
SelectObject.GDI32(00000000,00000000), ref: 00426252
DeleteDC.GDI32(00000000), ref: 00426258
CreatePalette.GDI32 ref: 0042629F

Part of subcall function 00426178: GetDC.USER32(00000000), ref: 00426190
Part of subcall function 00426178: GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
Part of subcall function 00426178: ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004258EC, Relevance: 9.0, APIs: 6, Instructions: 43 Total matches: 3205

Similarity

Total matches: 3205
API ID: SetBkColorSetBkMode$SelectObjectUnrealizeObject
String ID:
API String ID: 865388446-0
Opcode ID: ffaa839b37925f52af571f244b4bcc9ec6d09047a190f4aa6a6dd435522a71e3
Instruction ID: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d
Opcode Fuzzy Hash: 04D09E594221F71A98E8058442D7D520586497D532DAF3B51063B173F7F8089A05D9FC
Instruction Fuzzy Hash: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d

APIs

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

UnrealizeObject.GDI32(00000000), ref: 004258F8
SelectObject.GDI32(?,00000000), ref: 0042590A
SetBkColor.GDI32(?,00000000), ref: 0042592D
SetBkMode.GDI32(?,00000002), ref: 00425938

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(?,00000000), ref: 00425953
SetBkMode.GDI32(?,00000001), ref: 0042595E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DA48, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 102 Total matches: 32

Similarity

Total matches: 32
API ID: Netbios
String ID: %.2x-%.2x-%.2x-%.2x-%.2x-%.2x$3$memory allocation failed!
API String ID: 544444789-2654533857
Opcode ID: 22deb5ba4c8dd5858e69645675ac88c4b744798eed5cc2a6ae80ae5365d1f156
Instruction ID: 205d53b38d78d2d0723284a20418f6a6cc2e9f6e34ee92e133a3f4b1a01c78c5
Opcode Fuzzy Hash: FC0145449793E233D2635E086C60F6823228F41731FC96B56863A557DC1F09420EF26F
Instruction Fuzzy Hash: 205d53b38d78d2d0723284a20418f6a6cc2e9f6e34ee92e133a3f4b1a01c78c5

APIs

Netbios.NETAPI32(00000032), ref: 0048DA8A
Netbios.NETAPI32(00000033), ref: 0048DB01

Strings

3, xrefs: 0048DACB
memory allocation failed!, xrefs: 0048DAEB
%.2x-%.2x-%.2x-%.2x-%.2x-%.2x, xrefs: 0048DBA0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043F914, Relevance: 7.7, APIs: 5, Instructions: 174 Total matches: 113window

Similarity

Total matches: 113
API ID: SetMenu$GetMenuSetWindowPos
String ID:
API String ID: 2285096500-0
Opcode ID: d0722823978f30f9d251a310f9061108e88e98677dd122370550f2cde24528f3
Instruction ID: e705ced47481df034b79e2c10a9e9c5239c9913cd23e0c77b7b1ec0a0db802ed
Opcode Fuzzy Hash: 5F118B40961E1266F846164C19EAF1171E6BB9D305CC4E72083E630396BE085027E773
Instruction Fuzzy Hash: e705ced47481df034b79e2c10a9e9c5239c9913cd23e0c77b7b1ec0a0db802ed

APIs

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetMenu.USER32(00000000), ref: 0043FA38
SetMenu.USER32(00000000,00000000), ref: 0043FA55
SetMenu.USER32(00000000,00000000), ref: 0043FA8A
SetMenu.USER32(00000000,00000000), ref: 0043FAA6

Part of subcall function 0043F84C: GetMenu.USER32(00000000), ref: 0043F892
Part of subcall function 0043F84C: SendMessageA.USER32(00000000,00000230,00000000,00000000), ref: 0043F8AA
Part of subcall function 0043F84C: DrawMenuBar.USER32(00000000), ref: 0043F8BB

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043FAED

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004455EC, Relevance: 7.6, APIs: 5, Instructions: 109 Total matches: 230

Similarity

Total matches: 230
API ID: ShowOwnedPopupsShowWindow$EnumWindows
String ID:
API String ID: 1268429734-0
Opcode ID: 27bb45b2951756069d4f131311b8216febb656800ffc3f7147a02f570a82fa35
Instruction ID: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc
Opcode Fuzzy Hash: 70012B5524E87325E2756D54B01C765A2239B0FF08CE6C6654AAE640F75E1E0132F78D
Instruction Fuzzy Hash: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc

APIs

EnumWindows.USER32(00445518,00000000), ref: 00445620
ShowWindow.USER32(?,00000000), ref: 00445655
ShowOwnedPopups.USER32(00000000,?), ref: 00445684
ShowWindow.USER32(?,00000005), ref: 004456EA
ShowOwnedPopups.USER32(00000000,?), ref: 00445719

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426178, Relevance: 7.6, APIs: 5, Instructions: 55 Total matches: 3070window

Similarity

Total matches: 3070
API ID: GetPaletteEntries$GetDCGetDeviceCapsReleaseDC
String ID:
API String ID: 1267235336-0
Opcode ID: 49f91625e0dd571c489fa6fdad89a91e8dd79834746e98589081ca7a3a4fea17
Instruction ID: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836
Opcode Fuzzy Hash: 7CD0C2AA1389DBD6BD6A17842352A4553478983B09D126B32EB0822872850C5039FD1F
Instruction Fuzzy Hash: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836

APIs

GetDC.USER32(00000000), ref: 00426190
GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444B90, Relevance: 7.5, APIs: 5, Instructions: 25 Total matches: 2957synchronizationthread

Similarity

Total matches: 2957
API ID: CloseHandleGetCurrentThreadIdSetEventUnhookWindowsHookExWaitForSingleObject
String ID:
API String ID: 3442057731-0
Opcode ID: bc40a7f740796d43594237fc13166084f8c3b10e9e48d5138e47e82ca7129165
Instruction ID: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1
Opcode Fuzzy Hash: E9C01296B2C9B0C1EC809712340202800B20F8FC590E3DE0509D7363005315D73CD92C
Instruction Fuzzy Hash: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1

APIs

UnhookWindowsHookEx.USER32(00000000), ref: 00444B9F
SetEvent.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBA
GetCurrentThreadId.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBF
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00444BD4
CloseHandle.KERNEL32(00000000), ref: 00444BDF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00487488, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 155 Total matches: 10

Similarity

Total matches: 10
API ID: EnterCriticalSectionLeaveCriticalSectionclosesocket
String ID: FpH
API String ID: 290008508-3698235444
Opcode ID: be6004bcf5111565a748ebf748fe8f94cb6dfae83d2399967abd75ac40b7e6c4
Instruction ID: 3d9c9e21102527a3ccf10666a7ac4716c4c3e43fa569496a7f805cea37bff582
Opcode Fuzzy Hash: 2C11B6219B4656ABDD15ED006C8F38532AE1BABCCAD9A83F2B27F3545E1A0331057292
Instruction Fuzzy Hash: 3d9c9e21102527a3ccf10666a7ac4716c4c3e43fa569496a7f805cea37bff582

APIs

EnterCriticalSection.KERNEL32(0049C3A8,00000000,00487671,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00487016), ref: 004874B5
closesocket.WSOCK32(00000000,FpH,?,?,?,?,0049C3A8,00000000,00487671,?,?,00000000,?,00000000,00000000,00000000), ref: 0048761C
LeaveCriticalSection.KERNEL32(0049C3A8,00487656,00487671,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00487016), ref: 00487649

Strings

FpH, xrefs: 004875BE, 004875C1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040D670, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148 Total matches: 3566thread

Similarity

Total matches: 3566
API ID: GetThreadLocale
String ID: eeee$ggg$yyyy
API String ID: 1366207816-1253427255
Opcode ID: 86fa1fb3c1f239f42422769255d2b4db7643f856ec586a18d45da068e260c20e
Instruction ID: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436
Opcode Fuzzy Hash: 3911BD8712648363D5722818A0D2BE3199C5703CA4EA89742DDB6356EA7F09440BEE6D
Instruction Fuzzy Hash: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436

APIs

GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Strings

eeee, xrefs: 0040D7AE
yyyy, xrefs: 0040D795
ggg, xrefs: 0040D785

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00448CDC, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 128 Total matches: 12

Similarity

Total matches: 12
API ID: ImageList_Draw$ImageList_GetImageCount
String ID: 6B
API String ID: 3589308897-1343726390
Opcode ID: 2690fd2ca55b1b65e67941613c6303a21faec12a0278fdf56c2d44981dc0a60c
Instruction ID: bb1a6af48a08526224ce615e4789a1aefef0bbae6c761038034d4d1812f59c35
Opcode Fuzzy Hash: D8017B814A5DA09FF93335842AE32BB204AE757E4ACCC3FF13684275C78420722BB613
Instruction Fuzzy Hash: bb1a6af48a08526224ce615e4789a1aefef0bbae6c761038034d4d1812f59c35

APIs

ImageList_GetImageCount.COMCTL32(?,?,?,00000000,00448E75), ref: 00448D9D

Part of subcall function 0042535C: FillRect.USER32(?,00000000,00000000), ref: 00425385

ImageList_Draw.COMCTL32(?,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000,00448E75), ref: 00448DDF
ImageList_Draw.COMCTL32(?,00000000,00000000,00000000,00000000,00000010,?,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 00448E0E

Part of subcall function 004488AC: ImageList_Add.COMCTL32(?,00000000,00000000,00000000,0044893E,?,00000000,0044895B), ref: 00448920

Strings

6B, xrefs: 00448D1F, 00448D58

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00486094, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 112 Total matches: 15window

Similarity

Total matches: 15
API ID: DispatchMessagePeekMessageTranslateMessage
String ID: @^H
API String ID: 185851025-3554995626
Opcode ID: 2132e19746abd73b79cebe2d4e6b891fdd392e5cfbbdda1538f9754c05474f80
Instruction ID: eb76ea1802a2b415b8915c5eabc8b18207f4e99a378ecd2f436d0820f5175207
Opcode Fuzzy Hash: FF019C4102C7C1D9EE46E4FD3030BC3A454A74A7A6D89A7A03EFD1116A5F8A7116BF2B
Instruction Fuzzy Hash: eb76ea1802a2b415b8915c5eabc8b18207f4e99a378ecd2f436d0820f5175207

APIs

Part of subcall function 00485EAC: shutdown.WSOCK32(00000000,00000002), ref: 00485F0E
Part of subcall function 00485EAC: closesocket.WSOCK32(00000000,00000000,00000002), ref: 00485F19

Part of subcall function 00485F40: socket.WSOCK32(00000002,00000001,00000000,00000000,00486072), ref: 00485F69
Part of subcall function 00485F40: ntohs.WSOCK32(00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485F8F
Part of subcall function 00485F40: inet_addr.WSOCK32(015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FA0
Part of subcall function 00485F40: gethostbyname.WSOCK32(015EAA88,015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FB5
Part of subcall function 00485F40: connect.WSOCK32(00000000,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FD8
Part of subcall function 00485F40: recv.WSOCK32(00000000,0049A3A0,00001FFF,00000000,00000000,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000,00000000,00486072), ref: 00485FEF
Part of subcall function 00485F40: recv.WSOCK32(00000000,0049A3A0,00001FFF,00000000,00000000,0049A3A0,00001FFF,00000000,00000000,00000002,00000010,015EAA88,00000774,00000002,00000001,00000000), ref: 0048603F

Part of subcall function 00466AFC: waveInOpen.WINMM(00000094,00000000,?,?,00000000,00010004), ref: 00466B36
Part of subcall function 00466AFC: waveInStart.WINMM(?), ref: 00466B5B

TranslateMessage.USER32(?), ref: 004861CA
DispatchMessageA.USER32(?), ref: 004861D0
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004861DE

Strings

@^H, xrefs: 004860BE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00473448, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 68 Total matches: 15network

Similarity

Total matches: 15
API ID: InternetConnectInternetOpen
String ID: 84G$DCSC
API String ID: 2368555255-1372800958
Opcode ID: 53ce43b2210f5c6ad3b551091bc6b8bee07640da22ed1286f4ed4d69da6ab12a
Instruction ID: e0797c740093838c5f4dac2a7ddd4939bcbe40ebc838de26f806c335dc33f113
Opcode Fuzzy Hash: 1AF0558C09DC81CBED14B5C83C827C7281AB357949E003B91161A372C3DF0A6174FA4F
Instruction Fuzzy Hash: e0797c740093838c5f4dac2a7ddd4939bcbe40ebc838de26f806c335dc33f113

APIs

InternetOpenA.WININET(DCSC,00000000,00000000,00000000,00000000), ref: 00473493
InternetConnectA.WININET(00000000,00000000,00000000,00000000,00000000,00000001,08000000,00000000), ref: 004734D9

Strings

DCSC, xrefs: 0047348E
84G, xrefs: 00473468, 0047350F, 004734AF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043804C, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58 Total matches: 1778window

Similarity

Total matches: 1778
API ID: DrawMenuBarGetMenuItemInfoSetMenuItemInfo
String ID: P
API String ID: 41131186-3110715001
Opcode ID: ea0fd48338f9c30b58f928f856343979a74bbe7af1b6c53973efcbd39561a32d
Instruction ID: eec9c326b6739cd85be96541f469f9b321a478421ae7c7aca53e0c239bd8eefe
Opcode Fuzzy Hash: C8E0C0C1064C1301CCACB4938564F010221FB8B33CDD1D3C051602419A9D0080D4BFFA
Instruction Fuzzy Hash: eec9c326b6739cd85be96541f469f9b321a478421ae7c7aca53e0c239bd8eefe

APIs

GetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 0043809A
SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 004380EC
DrawMenuBar.USER32(00000000), ref: 004380F9

Strings

P, xrefs: 0043808C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00474E20, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51 Total matches: 17synchronizationthreadinjection

Similarity

Total matches: 17
API ID: CreateRemoteThreadReadProcessMemoryWaitForSingleObject
String ID: DCPERSFWBP
API String ID: 972516186-2425095734
Opcode ID: c4bd10bfc42c7bc3ca456a767018bd77f736aecaa9343146970cff40bb4593b6
Instruction ID: 075115d4d80338f80b59a5c3f9ea77aa0f3a1cab00edb24ce612801bf173fcc5
Opcode Fuzzy Hash: 63D0A70B97094A56102D348D54027154341A601775EC177E38E36873F719C17051F85E
Instruction Fuzzy Hash: 075115d4d80338f80b59a5c3f9ea77aa0f3a1cab00edb24ce612801bf173fcc5

APIs

Part of subcall function 00474DF0: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,00475328,?,?,00474E3D,DCPERSFWBP,?,?), ref: 00474E06
Part of subcall function 00474DF0: WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,00000000,?,00003000,00000040,?,?,00475328,?,?,00474E3D), ref: 00474E12

CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00474E5E
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00474E6E
ReadProcessMemory.KERNEL32(?,00000000,?,?,?,DCPERSFWBP,?,?), ref: 00474E81

Strings

DCPERSFWBP, xrefs: 00474E28

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C3E4, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47 Total matches: 32libraryloader

Similarity

Total matches: 32
API ID: FreeLibraryGetProcAddressLoadLibrary
String ID: _DCEntryPoint
API String ID: 2438569322-2130044969
Opcode ID: ab6be07d423f29e2cef18b5ad5ff21cef58c0bd0bd6b8b884c8bb9d8d911d098
Instruction ID: 3cba8b520013dd4b177f9c32272ffd10ecf318a20762e1e9fa694429cf7511db
Opcode Fuzzy Hash: B9D0C2568747D413C405200439407D90CF1AF8719F9967FA145303FAD76F09801B7527
Instruction Fuzzy Hash: 3cba8b520013dd4b177f9c32272ffd10ecf318a20762e1e9fa694429cf7511db

APIs

LoadLibraryA.KERNEL32(00000000), ref: 0048C431
GetProcAddress.KERNEL32(00000000,_DCEntryPoint,00000000,0048C473), ref: 0048C442
FreeLibrary.KERNEL32(00000000), ref: 0048C44A

Strings

_DCEntryPoint, xrefs: 0048C43C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00431584, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43 Total matches: 12clipboard

Similarity

Total matches: 12
API ID: GetClipboardDataGlobalLockGlobalUnlock
String ID: 3 H
API String ID: 1112492702-888106971
Opcode ID: 013a2f41e22a5f88135e53f1f30c1b54f125933eea5d15d528f5d163d4797a42
Instruction ID: db876d1a574ac817b8a3991f0ba770b49a36090bd3b886d1e57eba999d76a536
Opcode Fuzzy Hash: 53D0A7C3025DE267E991578C0053A92A6C0D8416087C063B0830C2E927031E50AB7063
Instruction Fuzzy Hash: db876d1a574ac817b8a3991f0ba770b49a36090bd3b886d1e57eba999d76a536

APIs

GetClipboardData.USER32(00000001), ref: 0043159A
GlobalLock.KERNEL32(00000000,00000000,004315F6), ref: 004315BA
GlobalUnlock.KERNEL32(00000000,004315FD), ref: 004315E8

Strings

3 H, xrefs: 00431590, 004315ED

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046D36C, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36 Total matches: 62

Similarity

Total matches: 62
API ID: ShellExecute
String ID: /k $[FILE]$open
API String ID: 2101921698-3009165984
Opcode ID: 68a05d7cd04e1a973318a0f22a03b327e58ffdc8906febc8617c9713a9b295c3
Instruction ID: d64fb813625eb261c687c2654e5203d30067de4ace02db37851750b48dd66fbf
Opcode Fuzzy Hash: FED0C75427CD9157FA017F8439527E61057E747281D481BE285587A0838F8D40659312
Instruction Fuzzy Hash: d64fb813625eb261c687c2654e5203d30067de4ace02db37851750b48dd66fbf

APIs

ShellExecuteA.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0046D3B9

Strings

/k , xrefs: 0046D39A
cmd.exe, xrefs: 0046D3AD
open, xrefs: 0046D3B2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042F9E4, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36 Total matches: 35libraryloader

Similarity

Total matches: 35
API ID: GetProcAddressLoadLibrary
String ID: DWMAPI.DLL$DwmExtendFrameIntoClientArea
API String ID: 3291547091-2956373744
Opcode ID: cc41b93bac7ef77e5c5829331b5f2d91e10911707bc9e4b3bb75284856726923
Instruction ID: 611aa7263024d751f308fb3d57e5af9092bc5a71ac2d52dead79affe02cb0da7
Opcode Fuzzy Hash: D0D0A7E4C08511B0F0509405703078241DE1BC5EEE8860E90150E533621B9FB827F65C
Instruction Fuzzy Hash: 611aa7263024d751f308fb3d57e5af9092bc5a71ac2d52dead79affe02cb0da7

APIs

LoadLibraryA.KERNEL32(DWMAPI.DLL), ref: 0042FA0E
GetProcAddress.KERNEL32(00000000,DwmExtendFrameIntoClientArea,?,?,?,00447F98), ref: 0042FA31

Strings

DWMAPI.DLL, xrefs: 0042FA09
DwmExtendFrameIntoClientArea, xrefs: 0042FA26

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042FA80, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31 Total matches: 41libraryloader

Similarity

Total matches: 41
API ID: GetProcAddressLoadLibrary
String ID: DWMAPI.DLL$DwmIsCompositionEnabled
API String ID: 3291547091-2128843254
Opcode ID: 903d86e3198bc805c96c7b960047695f5ec88b3268c29fda1165ed3f3bc36d22
Instruction ID: 6cdb37f6684ca359e010f835ed4616ce0f7732468e0f2b98b5f1960530870703
Opcode Fuzzy Hash: E3D0C9A5C0865175F571D509713068081FA23D6E8A8824998091A123225FAFB866F55C
Instruction Fuzzy Hash: 6cdb37f6684ca359e010f835ed4616ce0f7732468e0f2b98b5f1960530870703

APIs

LoadLibraryA.KERNEL32(DWMAPI.DLL), ref: 0042FAA6
GetProcAddress.KERNEL32(00000000,DwmIsCompositionEnabled,?,?,0042FB22,?,00447EFB), ref: 0042FAC9

Strings

DwmIsCompositionEnabled, xrefs: 0042FABE
DWMAPI.DLL, xrefs: 0042FAA1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00411444, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: 954335058d5fe722e048a186d9110509c96c1379a47649d8646f5b9e1a2e0a0b
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: 9D014B0327CAAA867021BB004882FA0D2D4DE52A369CD8774DB71593F62780571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004114F3
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041150F
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411586
VariantClear.OLEAUT32(?), ref: 004115AF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00470B94, Relevance: 6.1, APIs: 4, Instructions: 73 Total matches: 22file

Similarity

Total matches: 22
API ID: DragQueryFile$GlobalLockGlobalUnlock
String ID:
API String ID: 367920443-0
Opcode ID: 498cda1e803d17a6f5118466ea9165dd9226bd8025a920d397bde98fe09ca515
Instruction ID: b8ae27aaf29c7a970dfd4945759f76c89711bef1c6f8db22077be54f479f9734
Opcode Fuzzy Hash: F8F05C830F79E26BD5013A844E0179401A17B03DB8F147BB2D232729DC4E5D409DF60F
Instruction Fuzzy Hash: b8ae27aaf29c7a970dfd4945759f76c89711bef1c6f8db22077be54f479f9734

APIs

Part of subcall function 00431970: GetClipboardData.USER32(00000000), ref: 00431996

GlobalLock.KERNEL32(00000000,00000000,00470C74), ref: 00470BDE
DragQueryFileA.SHELL32(?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470BF0
DragQueryFileA.SHELL32(?,00000000,?,00000105,?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470C10
GlobalUnlock.KERNEL32(00000000,?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470C56

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00438710, Relevance: 6.1, APIs: 4, Instructions: 72 Total matches: 3034window

Similarity

Total matches: 3034
API ID: GetMenuItemIDGetMenuStateGetMenuStringGetSubMenu
String ID:
API String ID: 4177512249-0
Opcode ID: ecc45265f1f2dfcabc36b66648e37788e83d83d46efca9de613be41cbe9cf08e
Instruction ID: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d
Opcode Fuzzy Hash: BEE020084B1FC552541F0A4A1573F019140E142CB69C3F3635127565B31A255213F776
Instruction Fuzzy Hash: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d

APIs

GetMenuState.USER32(?,?,?), ref: 00438733
GetSubMenu.USER32(?,?), ref: 0043873E
GetMenuItemID.USER32(?,?), ref: 00438757
GetMenuStringA.USER32(?,?,?,?,?), ref: 004387AA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00445518, Relevance: 6.1, APIs: 4, Instructions: 71 Total matches: 218threadwindow

Similarity

Total matches: 218
API ID: GetCurrentProcessIdGetWindowGetWindowThreadProcessIdIsWindowVisible
String ID:
API String ID: 3659984437-0
Opcode ID: 6a2b99e3a66d445235cbeb6ae27631a3038d73fb4110980a8511166327fee1f0
Instruction ID: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8
Opcode Fuzzy Hash: 82E0AB21B2AA28AAE0971541B01939130B3F74ED9ACC0A3626F8594BD92F253809E74F
Instruction Fuzzy Hash: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8

APIs

GetWindow.USER32(?,00000004), ref: 00445528
GetWindowThreadProcessId.USER32(?,?), ref: 00445542
GetCurrentProcessId.KERNEL32(?,00000004), ref: 0044554E
IsWindowVisible.USER32(?), ref: 0044559E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040A3AC, Relevance: 6.0, APIs: 4, Instructions: 40 Total matches: 51time

Similarity

Total matches: 51
API ID: DosDateTimeToFileTimeGetLastErrorLocalFileTimeToFileTimeSetFileTime
String ID:
API String ID: 3095628216-0
Opcode ID: dc7fe683cb9960f76d0248ee31fd3249d04fe76d6d0b465a838fe0f3e66d3351
Instruction ID: c3399427300e97a0bf23ec08d7f996c3ab3c22a86554ee3675cd901d102723b3
Opcode Fuzzy Hash: F2C0803B165157D71F4F7D7C600375011F0D1778230955B614E019718D4E05F01EFD86
Instruction Fuzzy Hash: c3399427300e97a0bf23ec08d7f996c3ab3c22a86554ee3675cd901d102723b3

APIs

DosDateTimeToFileTime.KERNEL32(?,0048C37F,?), ref: 0040A3C9
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0040A3DA
SetFileTime.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3EC
GetLastError.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3F5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B438, Relevance: 6.0, APIs: 4, Instructions: 29 Total matches: 789

Similarity

Total matches: 789
API ID: GetDCGetTextMetricsReleaseDCSelectObject
String ID:
API String ID: 1769665799-0
Opcode ID: db772d9cc67723a7a89e04e615052b16571c955da3e3b2639a45f22e65d23681
Instruction ID: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3
Opcode Fuzzy Hash: DCC02B935A2888C32DE51FC0940084317C8C0E3A248C62212E13D400727F0C007CBFC0
Instruction Fuzzy Hash: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3

APIs

GetDC.USER32(00000000), ref: 0042B441
SelectObject.GDI32(00000000,018A002E), ref: 0042B453
GetTextMetricsA.GDI32(00000000), ref: 0042B45E
ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E3F0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103 Total matches: 30

Similarity

Total matches: 30
API ID: SHGetPathFromIDListSHGetSpecialFolderLocation
String ID: .LNK
API String ID: 739551631-2547878182
Opcode ID: 6b91e9416f314731ca35917c4d41f2341f1eaddd7b94683245f35c4551080332
Instruction ID: e6ae6f63a256f5e8788dfe1c4fce17057cd352befa637d7beb5ae1c0f18a968e
Opcode Fuzzy Hash: 9701B543079EC2A3D9232E512D43BA60129AF11E22F4C77F35A3C3A7D11E500105FA4A
Instruction Fuzzy Hash: e6ae6f63a256f5e8788dfe1c4fce17057cd352befa637d7beb5ae1c0f18a968e

APIs

SHGetSpecialFolderLocation.SHELL32(00000000,00000010,?), ref: 0046E44B
SHGetPathFromIDListA.SHELL32(?,?,00000000,00000010,?,00000000,0046E55E), ref: 0046E463

Part of subcall function 0042BE44: CoCreateInstance.OLE32(?,00000000,00000005,0042BF34,00000000), ref: 0042BE8B

Strings

.LNK, xrefs: 0046E4DE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004629C0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 91 Total matches: 35com

Similarity

Total matches: 35
API ID: CoCreateInstance
String ID: <*I$L*I
API String ID: 206711758-935359969
Opcode ID: 926ebed84de1c4f5a0cff4f8c2e2da7e6b2741b3f47b898da21fef629141a3d9
Instruction ID: fa8d7291222113e0245fa84df17397d490cbd8a09a55d837a8cb9fde22732a4b
Opcode Fuzzy Hash: 79F02EA00A6B5057F502728428413DB0157E74BF09F48EB715253335860F29E22A6903
Instruction Fuzzy Hash: fa8d7291222113e0245fa84df17397d490cbd8a09a55d837a8cb9fde22732a4b

APIs

CoCreateInstance.OLE32(00492A3C,00000000,00000001,0049299C,00000000), ref: 00462A3F

Strings

<*I, xrefs: 00462A39
L*I, xrefs: 00462A60

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004658F4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91 Total matches: 91memory

Similarity

Total matches: 91
API ID: VirtualFreeVirtualProtect
String ID: FinalizeSections: VirtualProtect failed
API String ID: 636303360-3584865983
Opcode ID: eacfc3cf263d000af2bbea4d1e95e0ccf08e91c00f24ffdf9b55ce997f25413f
Instruction ID: a25c5a888a9fda5817e5b780509016ca40cf7ffd1ade20052d4c48f0177e32df
Opcode Fuzzy Hash: 8CF0A7A2164FC596D9E4360D5003B96A44B6BC1369D4857412FFF106F35E46A06B7D4C
Instruction Fuzzy Hash: a25c5a888a9fda5817e5b780509016ca40cf7ffd1ade20052d4c48f0177e32df

APIs

VirtualFree.KERNEL32(?,?,00004000), ref: 00465939
VirtualProtect.KERNEL32(?,?,00000000,?), ref: 004659A5

Strings

FinalizeSections: VirtualProtect failed, xrefs: 004659B3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004889F0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 72 Total matches: 20

Similarity

Total matches: 20
API ID: GetMonitorInfo
String ID: H$MONSIZE
API String ID: 2399315694-578782711
Opcode ID: fcbd22419a9fe211802b34775feeb9b9cd5c1eab3f2b681a58b96c928ed20dcd
Instruction ID: 58dff39716ab95f400833e95f8353658d64ab2bf0589c4ada55bb24297febcec
Opcode Fuzzy Hash: A0F0E957075E9D5BE7326D883C177C042D82342C5AE8EB75741B9329B20D59511DF3C9
Instruction Fuzzy Hash: 58dff39716ab95f400833e95f8353658d64ab2bf0589c4ada55bb24297febcec

APIs

GetMonitorInfoA.USER32(?,00000048), ref: 00488A28

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

Strings

H, xrefs: 00488A19
MONSIZE, xrefs: 00488A65

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E408, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44 Total matches: 2190

Similarity

Total matches: 2190
API ID: GetSystemMetrics
String ID: MonitorFromPoint
API String ID: 96882338-1072306578
Opcode ID: 666203dad349f535e62b1e5569e849ebaf95d902ba2aa8f549115cec9aadc9dc
Instruction ID: 9e90a3aeaa9df0e76633c437836624889fea8714b6c2508f44f8acb6986c90e8
Opcode Fuzzy Hash: 72D09540005C404E9427F505302314050862CD7C1444C0A96073728A4B4BC07837E70C
Instruction Fuzzy Hash: 9e90a3aeaa9df0e76633c437836624889fea8714b6c2508f44f8acb6986c90e8

APIs

GetSystemMetrics.USER32(00000000), ref: 0042E456
GetSystemMetrics.USER32(00000001), ref: 0042E468

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

MonitorFromPoint, xrefs: 0042E41A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00422188, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42 Total matches: 16registry

Similarity

Total matches: 16
API ID: RegSetValueEx
String ID: NoControlPanel$tdA
API String ID: 3711155140-1355984343
Opcode ID: 5e8bf8497a5466fff8bc5eb4e146d5dc6a0602752481f5dd4d5504146fb4de3d
Instruction ID: cdf02c1bfc0658aace9b7e9a135c824c3cff313d703079df6a374eed0d2e646e
Opcode Fuzzy Hash: E2D0A75C074881C524D914CC3111E01228593157AA49C3F52875D627F70E00E038DD1E
Instruction Fuzzy Hash: cdf02c1bfc0658aace9b7e9a135c824c3cff313d703079df6a374eed0d2e646e

APIs

RegSetValueExA.ADVAPI32(?,00000000,00000000,00000000,?,?,004724E0,00000000,004724E0), ref: 004221BA

Strings

NoControlPanel, xrefs: 00422188
tdA, xrefs: 004221D0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E258, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39 Total matches: 3131

Similarity

Total matches: 3131
API ID: GetSystemMetrics
String ID: GetSystemMetrics
API String ID: 96882338-96882338
Opcode ID: bbc54e4b5041dfa08de2230ef90e8f32e1264c6e24ec09b97715d86cc98d23e9
Instruction ID: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c
Opcode Fuzzy Hash: B4D0A941986AA908E0AF511971A336358D163D2EA0C8C8362308B329EB5741B520AB01
Instruction Fuzzy Hash: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c

APIs

GetSystemMetrics.USER32(?), ref: 0042E2BA

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

GetSystemMetrics.USER32(?), ref: 0042E280

Strings

GetSystemMetrics, xrefs: 0042E268

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Process Name: 92jfaENDBG.tmp Analysis ID: 46535

General

Root Process Name:	regdrv.exe
Process MD5:	B0DC55919303896D21E61FB59FE2B92F
Total matches:	117
Initial Analysis Report:	Open
Initial sample Analysis ID:	46535
Initial sample SHA 256:	A4FB289B0FAB6532C63A44D0CDBA27DBE80F9120963039A8A5BBE961D2686FB3
Initial sample name:	92jfaENDBG.exe

Similar Executed Functions

Function 004458CC, Relevance: 19.9, APIs: 13, Instructions: 386 Total matches: 159window

Similarity

Total matches: 159
API ID: SetFocus$GetFocusIsWindowEnabledPostMessage$GetLastActivePopupIsWindowVisibleSendMessage
String ID:
API String ID: 914620548-0
Opcode ID: 7a550bb8e8bdfffe0a3d884064dd1348bcd58c670023c5df15e5d4cbc78359b7
Instruction ID: ae7cdb1027d949e36366800a998b34cbf022b374fa511ef6be9943eb0d4292bd
Opcode Fuzzy Hash: 79518B4165DF6212E8BB908076A3BE6604BF7C6B9ECC8DF3411D53649B3F44620EE306
Instruction Fuzzy Hash: ae7cdb1027d949e36366800a998b34cbf022b374fa511ef6be9943eb0d4292bd

APIs

Part of subcall function 00445780: SetThreadLocale.KERNEL32(00000400,?,?,?,0044593F,00000000,00445F57), ref: 004457A3

Part of subcall function 00445F90: SetActiveWindow.USER32(?), ref: 00445FB5
Part of subcall function 00445F90: IsWindowEnabled.USER32(00000000), ref: 00445FE1
Part of subcall function 00445F90: SetWindowPos.USER32(?,00000000,00000000,00000000,?,00000000,00000040), ref: 0044602B
Part of subcall function 00445F90: DefWindowProcA.USER32(?,00000112,0000F020,00000000), ref: 00446040

Part of subcall function 00446070: SetActiveWindow.USER32(?), ref: 0044608F
Part of subcall function 00446070: ShowWindow.USER32(00000000,00000009), ref: 004460B4
Part of subcall function 00446070: IsWindowEnabled.USER32(00000000), ref: 004460D3
Part of subcall function 00446070: DefWindowProcA.USER32(?,00000112,0000F120,00000000), ref: 004460EC
Part of subcall function 00446070: SetWindowPos.USER32(?,00000000,00000000,?,?,00445ABE,00000000), ref: 00446132
Part of subcall function 00446070: SetFocus.USER32(00000000), ref: 00446180

Part of subcall function 00445F74: LoadIconA.USER32(00000000,00007F00), ref: 00445F8A

PostMessageA.USER32(?,0000B001,00000000,00000000), ref: 00445BCD

Part of subcall function 00445490: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000213), ref: 004454DE

PostMessageA.USER32(?,0000B000,00000000,00000000), ref: 00445BAB
SendMessageA.USER32(?,?,?,?), ref: 00445C73

Part of subcall function 00405388: FreeLibrary.KERNEL32(00400000,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405410
Part of subcall function 00405388: ExitProcess.KERNEL32(00000000,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405448

Part of subcall function 0044641C: IsWindowEnabled.USER32(00000000), ref: 00446458

IsWindowEnabled.USER32(00000000), ref: 00445D18
IsWindowVisible.USER32(00000000), ref: 00445D2D
GetFocus.USER32 ref: 00445D41
SetFocus.USER32(00000000), ref: 00445D50
SetFocus.USER32(00000000), ref: 00445D6F
IsWindowEnabled.USER32(00000000), ref: 00445DD0
SetFocus.USER32(00000000), ref: 00445DF2
GetLastActivePopup.USER32(?), ref: 00445E0A

Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773

GetFocus.USER32 ref: 00445E4F

Part of subcall function 0043BA80: GetCurrentThreadId.KERNEL32(Function_0003BA1C,00000000,0044283C,00000000,004428BF), ref: 0043BA9A
Part of subcall function 0043BA80: EnumThreadWindows.USER32(00000000,Function_0003BA1C,00000000), ref: 0043BAA0

SetFocus.USER32(00000000), ref: 00445E70

Part of subcall function 00446A88: PostMessageA.USER32(?,0000B01F,00000000,00000000), ref: 00446BA1

Part of subcall function 004466B8: SendMessageA.USER32(?,0000B020,00000001,?), ref: 004466DC

Part of subcall function 0044665C: SendMessageA.USER32(?,0000B020,00000000,?), ref: 0044667E

Part of subcall function 0045D684: SystemParametersInfoA.USER32(00000068,00000000,015E3408,00000000), ref: 0045D6C8
Part of subcall function 0045D684: SendMessageA.USER32(?,?,00000000,00000000), ref: 0045D6DB

Part of subcall function 00445844: DefWindowProcA.USER32(?,?,?,?), ref: 0044586E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040EBCC, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201 Total matches: 3634thread

Similarity

Total matches: 3634
API ID: GetThreadLocale
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 1366207816-2493093252
Opcode ID: 01a36ac411dc2f0c4b9eddfafa1dc6121dabec367388c2cb1b6e664117e908cf
Instruction ID: d03f869ccb848d3c28b0e9f5c57a02ed4726818649ba9b5e70cc30c7e7abe10a
Opcode Fuzzy Hash: 7E216E09A7888936D262494C3885B9414F75F1A161EC4CBF18BB2757ED6EC60422FBFB
Instruction Fuzzy Hash: d03f869ccb848d3c28b0e9f5c57a02ed4726818649ba9b5e70cc30c7e7abe10a

APIs

Part of subcall function 0040EB08: GetThreadLocale.KERNEL32 ref: 0040EB2A
Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000004A), ref: 0040EB7D
Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000002A), ref: 0040EB8C

Part of subcall function 0040D3E8: GetThreadLocale.KERNEL32(00000000,0040D4FB,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040D404

GetThreadLocale.KERNEL32(00000000,0040EE97,?,?,00000000,00000000), ref: 0040EC02

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Part of subcall function 0040D380: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040EC7E,00000000,0040EE97,?,?,00000000,00000000), ref: 0040D393

Part of subcall function 0040D670: GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(?,00000000,0040D657,?,?,00000000), ref: 0040D5D8
Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040D657,?,?,00000000), ref: 0040D608
Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D50C,00000000,00000000,00000004), ref: 0040D613
Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040D657,?,?,00000000), ref: 0040D631
Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D548,00000000,00000000,00000003), ref: 0040D63C

Strings

AMPM , xrefs: 0040EE25
mmmm d, yyyy, xrefs: 0040ECFE
m/d/yy, xrefs: 0040ECD1
:mm, xrefs: 0040EE35
:mm:ss, xrefs: 0040EE52
AMPM, xrefs: 0040EE16

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B47C, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58 Total matches: 283

Similarity

Total matches: 283
API ID: MulDiv
String ID: MS Shell Dlg 2$SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes$Tahoma
API String ID: 940359406-1011973972
Opcode ID: 9f338f1e3de2c8e95426f3758bdd42744a67dcd51be80453ed6f2017c850a3af
Instruction ID: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a
Opcode Fuzzy Hash: EDE0680017C8F0ABFC32BC8A30A17CD20C9F341270C0063B1065D3D8CAAB4AC018E907
Instruction Fuzzy Hash: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a

APIs

MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0042B4A2

Part of subcall function 004217A0: RegCloseKey.ADVAPI32(10940000,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5,?,00000000,0048B2DD), ref: 004217B4

Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421A81
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421AF1
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?), ref: 00421B5C

Part of subcall function 00421770: RegFlushKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 00421781
Part of subcall function 00421770: RegCloseKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 0042178A

Part of subcall function 0042B438: GetDC.USER32(00000000), ref: 0042B441
Part of subcall function 0042B438: SelectObject.GDI32(00000000,018A002E), ref: 0042B453
Part of subcall function 0042B438: GetTextMetricsA.GDI32(00000000), ref: 0042B45E
Part of subcall function 0042B438: ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes, xrefs: 0042B4F8
MS Shell Dlg 2, xrefs: 0042B50C
Tahoma, xrefs: 0042B4C4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00421140, Relevance: 6.1, APIs: 4, Instructions: 59 Total matches: 2877registry

Similarity

Total matches: 2877
API ID: GetClassInfoRegisterClassSetWindowLongUnregisterClass
String ID:
API String ID: 1046148194-0
Opcode ID: c2411987b4f71cfd8dbf515c505d6b009a951c89100e7b51cc1a9ad4868d85a2
Instruction ID: ad09bb2cd35af243c34bf0a983bbfa5e937b059beb8f7eacfcf21e0321a204f6
Opcode Fuzzy Hash: 17E026123D08D3D6E68B3107302B30D00AC1B2F524D94E725428030310CB24B034D942
Instruction Fuzzy Hash: ad09bb2cd35af243c34bf0a983bbfa5e937b059beb8f7eacfcf21e0321a204f6

APIs

GetClassInfoA.USER32(00400000,00421130,?), ref: 00421161
UnregisterClassA.USER32(00421130,00400000), ref: 0042118A
RegisterClassA.USER32(00491B50), ref: 00421194

Part of subcall function 0040857C: CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004085BB

Part of subcall function 00421084: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 004210A2

SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 004211DF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Similar Non-Executed Functions

Function 0043B7D8, Relevance: 12.1, APIs: 8, Instructions: 72 Total matches: 256window

Similarity

Total matches: 256
API ID: ShowWindow$SetWindowLong$GetWindowLongIsIconicIsWindowVisible
String ID:
API String ID: 1329766111-0
Opcode ID: 851ee31c2da1c7e890e66181f8fd9237c67ccb8fd941b2d55d1428457ca3ad95
Instruction ID: 2d601e2c9dde570a1438639cb57e59d23a7ac9434ebe8ec1c9926e4533b8e8e7
Opcode Fuzzy Hash: FEE0684A6E7C6CE4E26AE7048881B00514BE307A17DC00B00C722165A69E8830E4AC8E
Instruction Fuzzy Hash: 2d601e2c9dde570a1438639cb57e59d23a7ac9434ebe8ec1c9926e4533b8e8e7

APIs

GetWindowLongA.USER32(?,000000EC), ref: 0043B7E8
IsIconic.USER32(?), ref: 0043B800
IsWindowVisible.USER32(?), ref: 0043B80C
ShowWindow.USER32(?,00000000), ref: 0043B840
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B855
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B866
ShowWindow.USER32(?,00000006), ref: 0043B881
ShowWindow.USER32(?,00000005), ref: 0043B88B

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004389B4, Relevance: 10.9, APIs: 7, Instructions: 405 Total matches: 2150windowCrypto

Similarity

Total matches: 2150
API ID: RestoreDCSaveDC$DefWindowProcGetSubMenuGetWindowDC
String ID:
API String ID: 4165311318-0
Opcode ID: e3974ea3235f2bde98e421c273a503296059dbd60f3116d5136c6e7e7c4a4110
Instruction ID: 37498faecac08611daeb58a409bdd2e28f3aff22c71556953c3d6c7203dc42a1
Opcode Fuzzy Hash: E351598106AE105BFCB3A49435C3FA31002E75259BCC9F7725F65B69F70A426107FA0E
Instruction Fuzzy Hash: 37498faecac08611daeb58a409bdd2e28f3aff22c71556953c3d6c7203dc42a1

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 00438ECA

Part of subcall function 00437AE0: SendMessageA.USER32(?,00000234,00000000,00000000), ref: 00437B66
Part of subcall function 00437AE0: DrawMenuBar.USER32(00000000), ref: 00437B77

GetSubMenu.USER32(?,?), ref: 00438AB0

Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128

SaveDC.GDI32(?), ref: 00438C84
RestoreDC.GDI32(?,?), ref: 00438CF8
GetWindowDC.USER32(?), ref: 00438D72
SaveDC.GDI32(?), ref: 00438DA9
RestoreDC.GDI32(?,?), ref: 00438E16

Part of subcall function 00438594: GetMenuItemCount.USER32(?), ref: 004385C0
Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 004385E0
Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 00438678

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428418, Relevance: 4.6, APIs: 3, Instructions: 51 Total matches: 804fileclipboard

Similarity

Total matches: 804
API ID: CopyEnhMetaFileGetClipboardDataGetEnhMetaFileHeader
String ID:
API String ID: 3637528194-0
Opcode ID: cf07a757480d2ce5d096a9326dc18de80b49a66677c52fe9c372584e3e65ad5a
Instruction ID: 5f0a7913bcd66d343327936f43ba3591bee84e554d41b59289a5ac97c4a989bd
Opcode Fuzzy Hash: 5ED02BC2634CD551A4564A518DC38443704010D9799C4EBA4E3BA602E39D04B208BFAE
Instruction Fuzzy Hash: 5f0a7913bcd66d343327936f43ba3591bee84e554d41b59289a5ac97c4a989bd

APIs

GetClipboardData.USER32(0000000E), ref: 00428425
CopyEnhMetaFileA.GDI32(00000000,00000000), ref: 00428447
GetEnhMetaFileHeader.GDI32(?,00000064,?), ref: 00428459

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004104F0, Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141 Total matches: 3143

Similarity

Total matches: 3143
API ID: GetModuleHandle
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$[FILE]
API String ID: 2196120668-1102361026
Opcode ID: d04b3c176625d43589df9c4c1eaa1faa8af9b9c00307a8a09859a0e62e75f2dc
Instruction ID: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6
Opcode Fuzzy Hash: B8119E48E06A10BC356E3ED6B0292683F50A1A7CBF31D5388487AA46F067C083C0FF2D
Instruction Fuzzy Hash: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 004104F9

Part of subcall function 004104C4: GetProcAddress.KERNEL32(00000000), ref: 004104DD

Strings

VarMod, xrefs: 004105B7
VarBstrFromCy, xrefs: 004106A9
VarBstrFromBool, xrefs: 004106D5
VarAnd, xrefs: 004105CD
VarDateFromStr, xrefs: 00410667
oleaut32.dll, xrefs: 004104F4
VariantChangeTypeEx, xrefs: 00410507
VarCmp, xrefs: 0041060F
VarBstrFromDate, xrefs: 004106BF
VarBoolFromStr, xrefs: 00410693
VarR8FromStr, xrefs: 00410651
VarR4FromStr, xrefs: 0041063B
VarDiv, xrefs: 0041058B
VarSub, xrefs: 0041055F
VarNeg, xrefs: 0041051D
VarAdd, xrefs: 00410549
VarOr, xrefs: 004105E3
VarMul, xrefs: 00410575
VarI4FromStr, xrefs: 00410625
VarCyFromStr, xrefs: 0041067D
VarIdiv, xrefs: 004105A1
VarXor, xrefs: 004105F9
VarNot, xrefs: 00410533

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004291D0, Relevance: 31.7, APIs: 21, Instructions: 194 Total matches: 3060window

Similarity

Total matches: 3060
API ID: SelectObject$CreateCompatibleDCDeleteDCRealizePaletteSelectPaletteSetBkColor$BitBltCreateBitmapDeleteObjectGetDCGetObjectPatBltReleaseDC
String ID:
API String ID: 628774946-0
Opcode ID: fe3971f2977393a3c43567018b8bbe78de127415e632ac21538e816cc0dd5250
Instruction ID: 6115c1c3159ef7867d394253bd6a45f4e10092e6f2e7cc69ab30c5ac2c74a228
Opcode Fuzzy Hash: 2911294A05CCF32B64B579881983B261182FE43B52CABF7105979272CACF41740DE457
Instruction Fuzzy Hash: 6115c1c3159ef7867d394253bd6a45f4e10092e6f2e7cc69ab30c5ac2c74a228

APIs

GetObjectA.GDI32(?,00000054,?), ref: 004291F3
GetDC.USER32(00000000), ref: 00429221
CreateCompatibleDC.GDI32(?), ref: 00429232
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0042924D
SelectObject.GDI32(?,00000000), ref: 00429267
PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 00429289
CreateCompatibleDC.GDI32(?), ref: 00429297
DeleteDC.GDI32(?), ref: 0042937D

Part of subcall function 00428B08: GetObjectA.GDI32(00000000,00000054,?), ref: 00428B88
Part of subcall function 00428B08: GetDC.USER32(00000000), ref: 00428B99
Part of subcall function 00428B08: CreateCompatibleDC.GDI32(00000000), ref: 00428BAA
Part of subcall function 00428B08: CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 00428BF6
Part of subcall function 00428B08: CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 00428C1A
Part of subcall function 00428B08: GetDeviceCaps.GDI32(00000028,0000000C), ref: 00428C6A
Part of subcall function 00428B08: GetDeviceCaps.GDI32(00000028,0000000E), ref: 00428C77
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00428D21
Part of subcall function 00428B08: GetDIBColorTable.GDI32(?,00000000,00000100,-00000027), ref: 00428D47
Part of subcall function 00428B08: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428D72
Part of subcall function 00428B08: SelectObject.GDI32(?,?), ref: 00428D7F
Part of subcall function 00428B08: CreateDIBSection.GDI32(00000028,00000001,00000000,00000003,00000000,00000000), ref: 00428DD5
Part of subcall function 00428B08: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428E36
Part of subcall function 00428B08: SelectObject.GDI32(?,?), ref: 00428E77
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,00000000), ref: 00428EB7
Part of subcall function 00428B08: RealizePalette.GDI32(?), ref: 00428EC3
Part of subcall function 00428B08: FillRect.USER32(?,?,00000000), ref: 00428F14
Part of subcall function 00428B08: SetTextColor.GDI32(?,00000000), ref: 00428F2C
Part of subcall function 00428B08: SetBkColor.GDI32(?,00000000), ref: 00428F46
Part of subcall function 00428B08: SetDIBColorTable.GDI32(?,00000000,00000002,?), ref: 00428F8E
Part of subcall function 00428B08: PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 00428FB0
Part of subcall function 00428B08: CreateCompatibleDC.GDI32(00000028), ref: 00428FC3
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00428FE6
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,00000000), ref: 00429002
Part of subcall function 00428B08: RealizePalette.GDI32(?), ref: 0042900D
Part of subcall function 00428B08: SetTextColor.GDI32(?,00000000), ref: 0042902B
Part of subcall function 00428B08: SetBkColor.GDI32(?,00000000), ref: 00429045
Part of subcall function 00428B08: BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042906D
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,000000FF), ref: 0042907F
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00429089
Part of subcall function 00428B08: DeleteDC.GDI32(?), ref: 004290A4
Part of subcall function 00428B08: SelectPalette.GDI32(?,?,000000FF), ref: 004290CE

SelectObject.GDI32(?), ref: 004292DF
SelectPalette.GDI32(?,?,00000000), ref: 004292F2
RealizePalette.GDI32(?), ref: 004292FB
SelectPalette.GDI32(?,?,00000000), ref: 00429307
RealizePalette.GDI32(?), ref: 00429310
SetBkColor.GDI32(?), ref: 0042931A
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042933E
SetBkColor.GDI32(?,00000000), ref: 00429348
SelectObject.GDI32(?,00000000), ref: 0042935B
DeleteObject.GDI32 ref: 00429367
SelectObject.GDI32(?,00000000), ref: 00429398
DeleteDC.GDI32(00000000), ref: 004293B4
ReleaseDC.USER32(00000000,00000000), ref: 004293C5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004085D4, Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 61 Total matches: 268windowregistry

Similarity

Total matches: 268
API ID: RegisterWindowMessage$SendMessage$FindWindow
String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
API String ID: 773075572-3736581797
Opcode ID: b8d29d158da692a3f30c7c46c0fd30bc084ed528be5294db655e4684b6c0c80f
Instruction ID: 4e75a9db2a85290b2bd165713cc3b8ab264a87c6022b985514cebb886d0c2653
Opcode Fuzzy Hash: E3E086048EC5E4C040877D156905746525A5B47E33E88971245FC69EEBDF12706CF60B
Instruction Fuzzy Hash: 4e75a9db2a85290b2bd165713cc3b8ab264a87c6022b985514cebb886d0c2653

APIs

FindWindowA.USER32(MouseZ,Magellan MSWHEEL), ref: 004085EC
RegisterWindowMessageA.USER32(MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 004085F8
RegisterWindowMessageA.USER32(MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 00408607
RegisterWindowMessageA.USER32(MSH_SCROLL_LINES_MSG,MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 00408613
SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 0040862B
SendMessageA.USER32(00000000,?,00000000,00000000), ref: 0040864F

Strings

MSH_SCROLL_LINES_MSG, xrefs: 0040860E
MSH_WHEELSUPPORT_MSG, xrefs: 00408602
MouseZ, xrefs: 004085E7
Magellan MSWHEEL, xrefs: 004085E2
MSWHEEL_ROLLMSG, xrefs: 004085F3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00442280, Relevance: 18.5, APIs: 12, Instructions: 471 Total matches: 76window

Similarity

Total matches: 76
API ID: ShowWindow$SendMessageSetWindowPos$CallWindowProcGetActiveWindowSetActiveWindow
String ID:
API String ID: 1078102291-0
Opcode ID: 5a6bc4dc446307c7628f18d730adac2faaaadfe5fec0ff2c8aaad915570e293a
Instruction ID: d2d7a330045c082ee8847ac264425c59ea8f05af409e416109ccbd6a8a647aa5
Opcode Fuzzy Hash: AA512601698E2453F8A360442A87BAB6077F74EB54CC4AB744BCF530AB3A51D837E74B
Instruction Fuzzy Hash: d2d7a330045c082ee8847ac264425c59ea8f05af409e416109ccbd6a8a647aa5

APIs

Part of subcall function 004471C4: IsChild.USER32(00000000,00000000), ref: 00447222

SendMessageA.USER32(?,00000223,00000000,00000000), ref: 004426BE
ShowWindow.USER32(00000000,00000003), ref: 004426CE
ShowWindow.USER32(00000000,00000002), ref: 004426F0
CallWindowProcA.USER32(00407FF8,00000000,00000005,00000000,?), ref: 00442719
SendMessageA.USER32(?,00000234,00000000,00000000), ref: 0044273E
ShowWindow.USER32(00000000,?), ref: 00442763
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000097), ref: 004427FF
GetActiveWindow.USER32 ref: 00442815
ShowWindow.USER32(00000000,00000000), ref: 00442872

Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773

Part of subcall function 0043BA80: GetCurrentThreadId.KERNEL32(Function_0003BA1C,00000000,0044283C,00000000,004428BF), ref: 0043BA9A
Part of subcall function 0043BA80: EnumThreadWindows.USER32(00000000,Function_0003BA1C,00000000), ref: 0043BAA0

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000097), ref: 0044285A
SetActiveWindow.USER32(00000000), ref: 00442860
ShowWindow.USER32(00000000,00000001), ref: 004428A2

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E71C, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 109 Total matches: 2989

Similarity

Total matches: 2989
API ID: IntersectRect$GetSystemMetrics$EnumDisplayMonitorsGetClipBoxGetDCOrgExOffsetRect
String ID: EnumDisplayMonitors
API String ID: 2403121106-2491903729
Opcode ID: 52db4d6629bbd73772140d7e04a91d47a072080cb3515019dbe85a8b86b11587
Instruction ID: b4557ab74b20c8893b9e8c5043286aecf6e43751f6ec849995a879e485a4fa77
Opcode Fuzzy Hash: 60F02B4B413C0863AD32BB953067E2601615BD3955C9F7BF34D077A2091B85B42EF643
Instruction Fuzzy Hash: b4557ab74b20c8893b9e8c5043286aecf6e43751f6ec849995a879e485a4fa77

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 0042E755
GetSystemMetrics.USER32(00000000), ref: 0042E77A
GetSystemMetrics.USER32(00000001), ref: 0042E785
GetClipBox.GDI32(?,?), ref: 0042E797
GetDCOrgEx.GDI32(?,?), ref: 0042E7A4
OffsetRect.USER32(?,?,?), ref: 0042E7BD
IntersectRect.USER32(?,?,?), ref: 0042E7CE
IntersectRect.USER32(?,?,?), ref: 0042E7E4
IntersectRect.USER32(?,?,?), ref: 0042E804

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

EnumDisplayMonitors, xrefs: 0042E734

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044D1B0, Relevance: 16.6, APIs: 11, Instructions: 91 Total matches: 309

Similarity

Total matches: 309
API ID: GetWindowLongSetWindowLong$SetProp$IsWindowUnicode
String ID:
API String ID: 2416549522-0
Opcode ID: cc33e88019e13a6bdd1cd1f337bb9aa08043e237bf24f75c2294c70aefb51ea5
Instruction ID: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692
Opcode Fuzzy Hash: 47F09048455D92E9CE316990181BFEB6098AF57F91CE86B0469C2713778E50F079BCC2
Instruction Fuzzy Hash: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692

APIs

IsWindowUnicode.USER32(?), ref: 0044D1CA
SetWindowLongW.USER32(?,000000FC,?), ref: 0044D1E5
GetWindowLongW.USER32(?,000000F0), ref: 0044D1F0
GetWindowLongW.USER32(?,000000F4), ref: 0044D202
SetWindowLongW.USER32(?,000000F4,?), ref: 0044D215
SetWindowLongA.USER32(?,000000FC,?), ref: 0044D22E
GetWindowLongA.USER32(?,000000F0), ref: 0044D239
GetWindowLongA.USER32(?,000000F4), ref: 0044D24B
SetWindowLongA.USER32(?,000000F4,?), ref: 0044D25E
SetPropA.USER32(?,00000000,00000000), ref: 0044D275
SetPropA.USER32(?,00000000,00000000), ref: 0044D28C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00456278, Relevance: 15.2, APIs: 10, Instructions: 197 Total matches: 3025

Similarity

Total matches: 3025
API ID: GetWindowLong$IntersectClipRectRestoreDCSaveDC
String ID:
API String ID: 3006731778-0
Opcode ID: 42e9e34b880910027b3e3a352b823e5a85719ef328f9c6ea61aaf2d3498d6580
Instruction ID: 4204c0258dd60c0c2688d7e8ce7edc9cd036ce1826430425374ca7ebdb7834a4
Opcode Fuzzy Hash: 4621F609168D5267EC7B75806993BAA7111FB82B88CD1F7321AA1171975B80204BFA07
Instruction Fuzzy Hash: 4204c0258dd60c0c2688d7e8ce7edc9cd036ce1826430425374ca7ebdb7834a4

APIs

SaveDC.GDI32(?), ref: 00456295

Part of subcall function 0044EEA0: GetWindowOrgEx.GDI32(?), ref: 0044EEAE
Part of subcall function 0044EEA0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044EEC4

IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 004562CE
GetWindowLongA.USER32(00000000,000000EC), ref: 004562E2
GetWindowLongA.USER32(00000000,000000F0), ref: 00456303

Part of subcall function 00456278: SetRect.USER32(00000010,00000000,00000000,?,?), ref: 00456363
Part of subcall function 00456278: IntersectClipRect.GDI32(?,00000000,00000000,00000010,?), ref: 004563D3
Part of subcall function 00456278: SetRect.USER32(?,00000000,00000000,?,?), ref: 004563F4
Part of subcall function 00456278: DrawEdge.USER32(?,?,00000000,00000000), ref: 00456403
Part of subcall function 00456278: IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0045642C

RestoreDC.GDI32(?,?), ref: 004564AB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043F2B8, Relevance: 15.1, APIs: 10, Instructions: 133 Total matches: 142window

Similarity

Total matches: 142
API ID: GetWindowLongSendMessageSetWindowLong$GetClassLongGetSystemMenuSetClassLongSetWindowPos
String ID:
API String ID: 864553395-0
Opcode ID: 9ab73d602731c043e05f06fe9a833ffc60d2bf7da5b0a21ed43778f35c9aa1f5
Instruction ID: 86e40c6f39a8dd384175e0123e2dc7e82ae64037638b8220b5ac0861a23d6a34
Opcode Fuzzy Hash: B101DBAA1A176361E0912DCCCAC3B2ED50DB743248EB0DBD922E11540E7F4590A7FE2D
Instruction Fuzzy Hash: 86e40c6f39a8dd384175e0123e2dc7e82ae64037638b8220b5ac0861a23d6a34

APIs

GetWindowLongA.USER32(00000000,000000F0), ref: 0043F329
GetWindowLongA.USER32(00000000,000000EC), ref: 0043F33B
GetClassLongA.USER32(00000000,000000E6), ref: 0043F34E
SetWindowLongA.USER32(00000000,000000F0,00000000), ref: 0043F38E
SetWindowLongA.USER32(00000000,000000EC,?), ref: 0043F3A2
SetClassLongA.USER32(00000000,000000E6,?), ref: 0043F3B6
SendMessageA.USER32(00000000,00000080,00000001,00000000), ref: 0043F3F0
SendMessageA.USER32(00000000,00000080,00000001,00000000), ref: 0043F408
GetSystemMenu.USER32(00000000,000000FF), ref: 0043F417
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043F440

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044155C, Relevance: 15.1, APIs: 10, Instructions: 74 Total matches: 3192window

Similarity

Total matches: 3192
API ID: DeleteMenu$EnableMenuItem$GetSystemMenu
String ID:
API String ID: 3542995237-0
Opcode ID: 6b257927fe0fdeada418aad578b82fbca612965c587f2749ccb5523ad42afade
Instruction ID: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578
Opcode Fuzzy Hash: 0AF0D09DD98F1151E6F500410C47B83C08AFF413C5C245B380583217EFA9D25A5BEB0E
Instruction Fuzzy Hash: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 004415A7
DeleteMenu.USER32(00000000,0000F130,00000000), ref: 004415C5
DeleteMenu.USER32(00000000,00000007,00000400), ref: 004415D2
DeleteMenu.USER32(00000000,00000005,00000400), ref: 004415DF
DeleteMenu.USER32(00000000,0000F030,00000000), ref: 004415EC
DeleteMenu.USER32(00000000,0000F020,00000000), ref: 004415F9
DeleteMenu.USER32(00000000,0000F000,00000000), ref: 00441606
DeleteMenu.USER32(00000000,0000F120,00000000), ref: 00441613
EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 00441631
EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 0044164D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004564D0, Relevance: 13.7, APIs: 9, Instructions: 177 Total matches: 190window

Similarity

Total matches: 190
API ID: SelectObject$BeginPaintBitBltCreateCompatibleBitmapCreateCompatibleDCSetWindowOrgEx
String ID:
API String ID: 1616898104-0
Opcode ID: 00b711a092303d63a394b0039c66d91bff64c6bf82b839551a80748cfcb5bf1e
Instruction ID: 1affb125a654ca7596d0e4f6c4811def945eff925a29ebecd1c68cf0f38a7913
Opcode Fuzzy Hash: 14115B85024DA637E8739CC85E83F962294F307D48C91F7729BA31B2C72F15600DD293
Instruction Fuzzy Hash: 1affb125a654ca7596d0e4f6c4811def945eff925a29ebecd1c68cf0f38a7913

APIs

Part of subcall function 00455D50: BeginPaint.USER32(00000000,?), ref: 00455D7B
Part of subcall function 00455D50: SaveDC.GDI32(00000000), ref: 00455DB4
Part of subcall function 00455D50: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 00455E36
Part of subcall function 00455D50: RestoreDC.GDI32(00000000,00000000), ref: 00455E6C
Part of subcall function 00455D50: EndPaint.USER32(00000000,?), ref: 00455EA9

BeginPaint.USER32(00000000,?), ref: 004565EA
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00456600
CreateCompatibleDC.GDI32(00000000), ref: 00456617
SelectObject.GDI32(?,?), ref: 00456627
SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0045664B

Part of subcall function 004564D0: BeginPaint.USER32(00000000,?), ref: 0045653C
Part of subcall function 004564D0: EndPaint.USER32(00000000,?), ref: 004565D0

BitBlt.GDI32(00000000,?,?,?,?,?,?,?,00CC0020), ref: 00456699
SelectObject.GDI32(?,?), ref: 004566B3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00451458, Relevance: 13.6, APIs: 9, Instructions: 122 Total matches: 3040window

Similarity

Total matches: 3040
API ID: PatBlt$SelectObject$GetDCExGetDesktopWindowReleaseDC
String ID:
API String ID: 2402848322-0
Opcode ID: 0b1cd19b0e82695ca21d43bacf455c9985e1afa33c1b29ce2f3a7090b744ccb2
Instruction ID: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593
Opcode Fuzzy Hash: C2F0B4482AADF707C8B6350915C7F79224AED736458F4BB694DB4172CBAF27B014D093
Instruction Fuzzy Hash: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593

APIs

GetDesktopWindow.USER32 ref: 0045148F
GetDCEx.USER32(?,00000000,00000402), ref: 004514A2

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

SelectObject.GDI32(?,00000000), ref: 004514C5
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 004514EB
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0045150D
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 0045152C
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 00451546
SelectObject.GDI32(?,?), ref: 00451553
ReleaseDC.USER32(?,?), ref: 0045156D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004117E8, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: f440f800a6dcfa6827f62dcd7c23166eba4d720ac19948e634cff8498f9e3f0b
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 4D113503239AAB83B0257B804C83F24D1D0DE42D36ACD97B8C672693F32601561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00411881
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041189D
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 004118D6
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411953
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0041196C
VariantCopy.OLEAUT32(?), ref: 004119A1

Strings

, xrefs: 00411802

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00454934, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 134 Total matches: 1764registry

Similarity

Total matches: 1764
API ID: GetWindowLong$GetClassInfoRegisterClassSetWindowLongUnregisterClass
String ID: @
API String ID: 2433521760-2766056989
Opcode ID: bb057d11bcffa2997f58ae607b8aec9f6d517787b85221cca69b6bc40098651c
Instruction ID: 4013627ed433dbc6b152acdb164a0da3d29e3622e0b68fd627badcaca3a3b516
Opcode Fuzzy Hash: 5A119C80560CD237E7D669A4B48378513749F97B7CDD0536B63F6242DA4E00402DF96E
Instruction Fuzzy Hash: 4013627ed433dbc6b152acdb164a0da3d29e3622e0b68fd627badcaca3a3b516

APIs

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetClassInfoA.USER32(?,?,?), ref: 004549F8
UnregisterClassA.USER32(?,?), ref: 00454A20
RegisterClassA.USER32(?), ref: 00454A36
GetWindowLongA.USER32(00000000,000000F0), ref: 00454A72
GetWindowLongA.USER32(00000000,000000F4), ref: 00454A87
SetWindowLongA.USER32(00000000,000000F4,00000000), ref: 00454A9A

Part of subcall function 00458910: IsIconic.USER32(?), ref: 0045891F
Part of subcall function 00458910: GetWindowPlacement.USER32(?,0000002C), ref: 0045893C
Part of subcall function 00458910: GetWindowRect.USER32(?), ref: 00458955
Part of subcall function 00458910: GetWindowLongA.USER32(?,000000F0), ref: 00458963
Part of subcall function 00458910: GetWindowLongA.USER32(?,000000F8), ref: 00458978
Part of subcall function 00458910: ScreenToClient.USER32(00000000), ref: 00458985
Part of subcall function 00458910: ScreenToClient.USER32(00000000,?), ref: 00458990

Part of subcall function 0042473C: CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,00424930,?,00000000,00424958), ref: 0042486B
Part of subcall function 0042473C: CreateFontIndirectA.GDI32(?), ref: 0042490D

Part of subcall function 0040F26C: GetLastError.KERNEL32(0040F31C,?,0041BBC3,?), ref: 0040F26C

Strings

@, xrefs: 0045496D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004052FC, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38 Total matches: 3072filewindow

Similarity

Total matches: 3072
API ID: GetStdHandleWriteFile$MessageBox
String ID: Error$Runtime error at 00000000
API String ID: 877302783-2970929446
Opcode ID: a2f2a555d5de0ed3a3cdfe8a362fd9574088acc3a5edf2b323f2c4251b80d146
Instruction ID: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97
Opcode Fuzzy Hash: FED0A7C68438479FA141326030C4B2A00133F0762A9CC7396366CB51DFCF4954BCDD05
Instruction Fuzzy Hash: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405335
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 0040533B
GetStdHandle.KERNEL32(000000F5,00405384,00000002,?,00000000,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405350
WriteFile.KERNEL32(00000000,000000F5,00405384,00000002,?), ref: 00405356
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00405374

Strings

Error, xrefs: 00405368
Runtime error at 00000000, xrefs: 0040532E, 0040536D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004462F4, Relevance: 12.1, APIs: 8, Instructions: 99 Total matches: 293windowthread

Similarity

Total matches: 293
API ID: SendMessage$GetWindowThreadProcessId$GetCaptureGetParentIsWindowUnicode
String ID:
API String ID: 2317708721-0
Opcode ID: 8f6741418f060f953fc426fb00df5905d81b57fcb2f7a38cdc97cb0aab6d7365
Instruction ID: 027f2b09132ef415e1641618d15c0fc03404835376b0cbd1c352fc703b58c8b5
Opcode Fuzzy Hash: D0F09E15071D1844F89FA7844CD3F1F0150E73726FC516A251861D07BB2640586DEC40
Instruction Fuzzy Hash: 027f2b09132ef415e1641618d15c0fc03404835376b0cbd1c352fc703b58c8b5

APIs

GetCapture.USER32 ref: 0044631A
GetParent.USER32(00000000), ref: 00446340
IsWindowUnicode.USER32(00000000), ref: 0044635D
SendMessageW.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446378
SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446397
GetWindowThreadProcessId.USER32(00000000), ref: 004463A6
GetWindowThreadProcessId.USER32(?,?), ref: 004463B4
SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 004463D4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426060, Relevance: 12.1, APIs: 8, Instructions: 79 Total matches: 3072window

Similarity

Total matches: 3072
API ID: GetSystemPaletteEntries$GetDCGetDeviceCapsReleaseDC
String ID:
API String ID: 3774187343-0
Opcode ID: c8a1f0028bda89d06ba34fecd970438ce26e4f5bd606e2da3d468695089984a8
Instruction ID: 0cfe958825060108f21fe327ec74807f3ea840bb8274bad68fd1d00675d59d02
Opcode Fuzzy Hash: 82F0E9420739F3B3B21723492453B548250FF006B8F195B7095A2A37D54B486A08D65A
Instruction Fuzzy Hash: 0cfe958825060108f21fe327ec74807f3ea840bb8274bad68fd1d00675d59d02

APIs

GetDC.USER32(00000000), ref: 0042608E
GetDeviceCaps.GDI32(?,00000068), ref: 004260AA
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 004260C9
GetSystemPaletteEntries.GDI32(?,-00000008,00000001,00C0C0C0), ref: 004260ED
GetSystemPaletteEntries.GDI32(?,00000000,00000007,?), ref: 0042610B
GetSystemPaletteEntries.GDI32(?,00000007,00000001,?), ref: 0042611F
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0042613F
ReleaseDC.USER32(00000000,?), ref: 00426157

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434550, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 177 Total matches: 2669window

Similarity

Total matches: 2669
API ID: InsertMenu$GetVersionInsertMenuItem
String ID: ,$?
API String ID: 1158528009-2308483597
Opcode ID: 3691d3eb49acf7fe282d18733ae3af9147e5be4a4a7370c263688d5644077239
Instruction ID: d88e58a9695d0ecde36b26a9ed5775f3b98e27f7dc2108173ae1ec2afbf22209
Opcode Fuzzy Hash: 7021C07202AE81DBD414788C7954F6221B16B5465FD49FF210329B5DD98F156003FF7A
Instruction Fuzzy Hash: d88e58a9695d0ecde36b26a9ed5775f3b98e27f7dc2108173ae1ec2afbf22209

APIs

GetVersion.KERNEL32(00000000,004347A1), ref: 004345EC
InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 004346F5
InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 0043477E

Part of subcall function 00434A54: CreatePopupMenu.USER32 ref: 00434A6F
Part of subcall function 00434A54: CreateMenu.USER32 ref: 00434A79

InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 00434765

Strings

?, xrefs: 00434607
,, xrefs: 00434600

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446834, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 138 Total matches: 241window

Similarity

Total matches: 241
API ID: SetWindowPos$GetWindowRectMessageBoxSetActiveWindow
String ID: (
API String ID: 3733400490-3887548279
Opcode ID: 057cc1c80f110adb1076bc5495aef73694a74091f1d008cb79dd59c6bbc78491
Instruction ID: b10abcdf8b99517cb61353ac0e0d7546e107988409174f4fad3563684715349e
Opcode Fuzzy Hash: 88014C110E8D5483B57334902893FAB110AFB8B789C4CF7F65ED25314A4B45612FA657
Instruction Fuzzy Hash: b10abcdf8b99517cb61353ac0e0d7546e107988409174f4fad3563684715349e

APIs

Part of subcall function 00447BE4: GetActiveWindow.USER32 ref: 00447C0B
Part of subcall function 00447BE4: GetLastActivePopup.USER32(?), ref: 00447C1D

GetWindowRect.USER32(?,?), ref: 004468B6
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 004468EE

Part of subcall function 0043B920: GetCurrentThreadId.KERNEL32(0043B8D0,00000000,00000000,0043B993,?,00000000,0043B9D1), ref: 0043B976
Part of subcall function 0043B920: EnumThreadWindows.USER32(00000000,0043B8D0,00000000), ref: 0043B97C

MessageBoxA.USER32(00000000,?,?,?), ref: 0044692D
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0044697D

Part of subcall function 0043B9E4: IsWindow.USER32(?), ref: 0043B9F2
Part of subcall function 0043B9E4: EnableWindow.USER32(?,000000FF), ref: 0043BA01

SetActiveWindow.USER32(00000000), ref: 0044698E

Strings

(, xrefs: 00446893

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446524, Relevance: 10.6, APIs: 7, Instructions: 105 Total matches: 329window

Similarity

Total matches: 329
API ID: PeekMessage$DispatchMessage$IsWindowUnicodeTranslateMessage
String ID:
API String ID: 94033680-0
Opcode ID: 72d0e2097018c2d171db36cd9dd5c7d628984fd68ad100676ade8b40d7967d7f
Instruction ID: b3581f7210794b57d406096c46509e1a6dcc6e0b3c60c7d01b5c3c410123a072
Opcode Fuzzy Hash: A2F0F642161A8221F90E364651E2FC06559E31F39CCD1D3871165A4192DF8573D6F95C
Instruction Fuzzy Hash: b3581f7210794b57d406096c46509e1a6dcc6e0b3c60c7d01b5c3c410123a072

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00446538
IsWindowUnicode.USER32 ref: 0044654C
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0044656D
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00446583

Part of subcall function 00447DD0: GetCapture.USER32 ref: 00447DDA
Part of subcall function 00447DD0: GetParent.USER32(00000000), ref: 00447E08

Part of subcall function 004462A4: TranslateMDISysAccel.USER32(?), ref: 004462E3

Part of subcall function 004462F4: GetCapture.USER32 ref: 0044631A
Part of subcall function 004462F4: GetParent.USER32(00000000), ref: 00446340
Part of subcall function 004462F4: IsWindowUnicode.USER32(00000000), ref: 0044635D
Part of subcall function 004462F4: SendMessageW.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446378
Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446397
Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(00000000), ref: 004463A6
Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(?,?), ref: 004463B4
Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 004463D4

Part of subcall function 0044625C: IsWindowUnicode.USER32(00000000), ref: 00446270
Part of subcall function 0044625C: IsDialogMessageW.USER32(?), ref: 00446281
Part of subcall function 0044625C: IsDialogMessageA.USER32(?,?,00000000,015B8130,00000001,00446607,?,00000000,00000000,00000000,00000001,?,00000000,00000000,00000000,00000000), ref: 00446296

TranslateMessage.USER32 ref: 0044660C
DispatchMessageW.USER32 ref: 00446618
DispatchMessageA.USER32 ref: 00446620

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004282D0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99 Total matches: 1938

Similarity

Total matches: 1938
API ID: GetWinMetaFileBitsMulDiv$GetDC
String ID: `
API String ID: 1171737091-2679148245
Opcode ID: 97e0afb71fd3017264d25721d611b96d1ac3823582e31f119ebb41a52f378edb
Instruction ID: fd1c75cb27f8ccc4a85bc281ca680933f7ff10ae91a160973978cac80d6b42b6
Opcode Fuzzy Hash: B6F0ACC4008CD2A7D87675DC1043F6311C897CA286E89BB739226A7307CB0AA019EC47
Instruction Fuzzy Hash: fd1c75cb27f8ccc4a85bc281ca680933f7ff10ae91a160973978cac80d6b42b6

APIs

MulDiv.KERNEL32(?,?,000009EC), ref: 00428322
MulDiv.KERNEL32(?,?,000009EC), ref: 00428339
GetDC.USER32(00000000), ref: 00428350
GetWinMetaFileBits.GDI32(?,00000000,00000000,00000008,?), ref: 00428374
GetWinMetaFileBits.GDI32(?,?,?,00000008,?), ref: 004283A7

Part of subcall function 00425A70: GetLastError.KERNEL32(00000000,00425B0C), ref: 00425A90
Part of subcall function 00425A70: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00425B0C), ref: 00425AB6

Strings

`, xrefs: 00428308

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428A00, Relevance: 10.6, APIs: 7, Instructions: 66 Total matches: 3056

Similarity

Total matches: 3056
API ID: SelectObject$CreateCompatibleDCDeleteDCGetDCReleaseDCSetDIBColorTable
String ID:
API String ID: 2399757882-0
Opcode ID: e05996493a4a7703f1d90fd319a439bf5e8e75d5a5d7afaf7582bfea387cb30d
Instruction ID: 90c847b5b2251fbb5b2f14fd0b24f537c214c92e226752d9278a3821f2f40b8f
Opcode Fuzzy Hash: 73E0DF8626D8F38BE435399C15C2BB202EAD763D20D1ABBA1CD712B5DB6B09701CE107
Instruction Fuzzy Hash: 90c847b5b2251fbb5b2f14fd0b24f537c214c92e226752d9278a3821f2f40b8f

APIs

Part of subcall function 004262B4: GetObjectA.GDI32(?,00000004), ref: 004262CB
Part of subcall function 004262B4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 004262EE

GetDC.USER32(00000000), ref: 00428A3E
CreateCompatibleDC.GDI32(?), ref: 00428A4A
SelectObject.GDI32(?), ref: 00428A57
SetDIBColorTable.GDI32(?,00000000,00000000,?), ref: 00428A7B
SelectObject.GDI32(?,?), ref: 00428A95
DeleteDC.GDI32(?), ref: 00428A9E
ReleaseDC.USER32(00000000,?), ref: 00428AA9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004442A8, Relevance: 10.6, APIs: 7, Instructions: 57 Total matches: 3149threadwindow

Similarity

Total matches: 3149
API ID: SendMessage$GetCurrentThreadIdGetCursorPosGetWindowThreadProcessIdSetCursorWindowFromPoint
String ID:
API String ID: 3843227220-0
Opcode ID: 636f8612f18a75fc2fe2d79306f1978e6c2d0ee500cce15a656835efa53532b4
Instruction ID: 91a0691e93be75cbd792bc1c5d11451005bcc187603754b99125f381020161aa
Opcode Fuzzy Hash: 6FE07D44093723D5C0644A295640705A6C6CB96630DC0DB86C339580FBAD0214F0BC92
Instruction Fuzzy Hash: 91a0691e93be75cbd792bc1c5d11451005bcc187603754b99125f381020161aa

APIs

GetCursorPos.USER32 ref: 004442C3
WindowFromPoint.USER32(?,?), ref: 004442D0
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004442DE
GetCurrentThreadId.KERNEL32(00000000,00000000,?,?), ref: 004442E5
SendMessageA.USER32(00000000,00000084,00000000,?), ref: 0044430E
SendMessageA.USER32(00000000,00000020,00000000,?), ref: 00444320
SetCursor.USER32(00000000), ref: 00444332

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043EC18, Relevance: 9.2, APIs: 6, Instructions: 150 Total matches: 2896

Similarity

Total matches: 2896
API ID: FillRect$BeginPaintEndPaintGetClientRectGetWindowRect
String ID:
API String ID: 2931688664-0
Opcode ID: 677a90f33c4a0bae1c1c90245e54b31fe376033ebf9183cf3cf5f44c7b342276
Instruction ID: 65c0a0a89661e183b73f48e61e48bee5eb6d6399339ac08e0e21072a38132552
Opcode Fuzzy Hash: 9711994A819E5007F47B49C40887BEA1092FBC1FDBCC8FF7025A426BCB0B60564F860B
Instruction Fuzzy Hash: 65c0a0a89661e183b73f48e61e48bee5eb6d6399339ac08e0e21072a38132552

APIs

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?), ref: 0043EC91
GetClientRect.USER32(00000000,?), ref: 0043ECBC
FillRect.USER32(?,?,00000000), ref: 0043ECDB

Part of subcall function 0043EB8C: CallWindowProcA.USER32(?,?,?,?,?), ref: 0043EBC6

Part of subcall function 0043B78C: GetWindowLongA.USER32(?,000000EC), ref: 0043B799
Part of subcall function 0043B78C: SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B7BC
Part of subcall function 0043B78C: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043B7CE

BeginPaint.USER32(?,?), ref: 0043ED53
GetWindowRect.USER32(?,?), ref: 0043ED80

Part of subcall function 0044EEA0: GetWindowOrgEx.GDI32(?), ref: 0044EEAE
Part of subcall function 0044EEA0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044EEC4

Part of subcall function 00455D50: BeginPaint.USER32(00000000,?), ref: 00455D7B
Part of subcall function 00455D50: SaveDC.GDI32(00000000), ref: 00455DB4
Part of subcall function 00455D50: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 00455E36
Part of subcall function 00455D50: RestoreDC.GDI32(00000000,00000000), ref: 00455E6C
Part of subcall function 00455D50: EndPaint.USER32(00000000,?), ref: 00455EA9

EndPaint.USER32(?,?), ref: 0043EDE0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00441160, Relevance: 9.1, APIs: 6, Instructions: 125 Total matches: 196

Similarity

Total matches: 196
API ID: ExcludeClipRectFillRectGetStockObjectRestoreDCSaveDCSetBkColor
String ID:
API String ID: 3049133588-0
Opcode ID: d6019f6cee828ac7391376ab126a0af33bb7a71103bbd3b8d69450c96d22d854
Instruction ID: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c
Opcode Fuzzy Hash: 54012444004F6253F4AB098428E7FA56083F721791CE4FF310786616C34A74615BAA07
Instruction Fuzzy Hash: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c

APIs

Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE

SaveDC.GDI32(?), ref: 004411AD
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00441234
GetStockObject.GDI32(00000004), ref: 00441256
FillRect.USER32(00000000,?,00000000), ref: 0044126F

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(00000000,00000000), ref: 004412BA

Part of subcall function 0042535C: FillRect.USER32(?,00000000,00000000), ref: 00425385

RestoreDC.GDI32(00000000,?), ref: 004412E5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446070, Relevance: 9.1, APIs: 6, Instructions: 99 Total matches: 165window

Similarity

Total matches: 165
API ID: DefWindowProcIsWindowEnabledSetActiveWindowSetFocusSetWindowPosShowWindow
String ID:
API String ID: 81093956-0
Opcode ID: 91e5e05e051b3e2f023c100c42454c78ad979d8871dc5c9cc7008693af0beda7
Instruction ID: aa6e88dcafe1d9e979c662542ea857fd259aca5c8034ba7b6c524572af4b0f27
Opcode Fuzzy Hash: C2F0DD0025452320F892A8044167FBA60622B5F75ACDCD3282197002AEEFE7507ABF14
Instruction Fuzzy Hash: aa6e88dcafe1d9e979c662542ea857fd259aca5c8034ba7b6c524572af4b0f27

APIs

Part of subcall function 0043B75C: IsIconic.USER32(?), ref: 0043B773

SetActiveWindow.USER32(?), ref: 0044608F
ShowWindow.USER32(00000000,00000009), ref: 004460B4
IsWindowEnabled.USER32(00000000), ref: 004460D3
DefWindowProcA.USER32(?,00000112,0000F120,00000000), ref: 004460EC

Part of subcall function 00444C44: ShowWindow.USER32(?,00000006), ref: 00444C5F

SetWindowPos.USER32(?,00000000,00000000,?,?,00445ABE,00000000), ref: 00446132
SetFocus.USER32(00000000), ref: 00446180

Part of subcall function 0043FDB4: ShowWindow.USER32(00000000,?), ref: 0043FDEA

Part of subcall function 00445490: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000213), ref: 004454DE

Part of subcall function 004455EC: EnumWindows.USER32(00445518,00000000), ref: 00445620
Part of subcall function 004455EC: ShowWindow.USER32(?,00000000), ref: 00445655
Part of subcall function 004455EC: ShowOwnedPopups.USER32(00000000,?), ref: 00445684
Part of subcall function 004455EC: ShowWindow.USER32(?,00000005), ref: 004456EA
Part of subcall function 004455EC: ShowOwnedPopups.USER32(00000000,?), ref: 00445719

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426564, Relevance: 9.1, APIs: 6, Instructions: 84 Total matches: 3298

Similarity

Total matches: 3298
API ID: GetDeviceCapsGetSystemMetrics$GetDCReleaseDC
String ID:
API String ID: 3173458388-0
Opcode ID: fd9f4716da230ae71bf1f4ec74ceb596be8590d72bfe1d7677825fa15454f496
Instruction ID: 76208f8db54bfa31a4e946745ab37a866a8afca9cd7e1400b1f436bf5add317d
Opcode Fuzzy Hash: 0CF09E4906CDE0A230E245C41213F6290C28E85DA1CCD2F728175646EB900A900BB68A
Instruction Fuzzy Hash: 76208f8db54bfa31a4e946745ab37a866a8afca9cd7e1400b1f436bf5add317d

APIs

GetSystemMetrics.USER32(0000000B), ref: 004265B2
GetSystemMetrics.USER32(0000000C), ref: 004265BE
GetDC.USER32(00000000), ref: 004265DA
GetDeviceCaps.GDI32(00000000,0000000E), ref: 00426601
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042660E
ReleaseDC.USER32(00000000,00000000), ref: 00426647

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004269DC, Relevance: 9.1, APIs: 6, Instructions: 65 Total matches: 3081window

Similarity

Total matches: 3081
API ID: SelectPalette$CreateCompatibleDCDeleteDCGetDIBitsRealizePalette
String ID:
API String ID: 940258532-0
Opcode ID: c5678bed85b02f593c88b8d4df2de58c18800a354d7fb4845608846d7bc0f30b
Instruction ID: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194
Opcode Fuzzy Hash: BCE0864D058EF36F1875B08C25D267100C0C9A25D0917BB6151282339B8F09B42FE553
Instruction Fuzzy Hash: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194

APIs

Part of subcall function 00426888: GetObjectA.GDI32(?,00000054), ref: 0042689C

CreateCompatibleDC.GDI32(00000000), ref: 004269FE
SelectPalette.GDI32(?,?,00000000), ref: 00426A1F
RealizePalette.GDI32(?), ref: 00426A2B
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 00426A42
SelectPalette.GDI32(?,00000000,00000000), ref: 00426A6A
DeleteDC.GDI32(?), ref: 00426A73

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426210, Relevance: 9.1, APIs: 6, Instructions: 56 Total matches: 3064window

Similarity

Total matches: 3064
API ID: SelectObject$CreateCompatibleDCCreatePaletteDeleteDCGetDIBColorTable
String ID:
API String ID: 2522673167-0
Opcode ID: 8f0861977a40d6dd0df59c1c8ae10ba78c97ad85d117a83679491ebdeecf1838
Instruction ID: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265
Opcode Fuzzy Hash: 23E0CD8BABB4E08A797B9EA40440641D28F874312DF4347525731780E7DE0972EBFD9D
Instruction Fuzzy Hash: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265

APIs

CreateCompatibleDC.GDI32(00000000), ref: 00426229
SelectObject.GDI32(00000000,00000000), ref: 00426232
GetDIBColorTable.GDI32(00000000,00000000,00000100,?), ref: 00426246
SelectObject.GDI32(00000000,00000000), ref: 00426252
DeleteDC.GDI32(00000000), ref: 00426258
CreatePalette.GDI32 ref: 0042629F

Part of subcall function 00426178: GetDC.USER32(00000000), ref: 00426190
Part of subcall function 00426178: GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
Part of subcall function 00426178: ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004258EC, Relevance: 9.0, APIs: 6, Instructions: 43 Total matches: 3205

Similarity

Total matches: 3205
API ID: SetBkColorSetBkMode$SelectObjectUnrealizeObject
String ID:
API String ID: 865388446-0
Opcode ID: ffaa839b37925f52af571f244b4bcc9ec6d09047a190f4aa6a6dd435522a71e3
Instruction ID: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d
Opcode Fuzzy Hash: 04D09E594221F71A98E8058442D7D520586497D532DAF3B51063B173F7F8089A05D9FC
Instruction Fuzzy Hash: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d

APIs

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

UnrealizeObject.GDI32(00000000), ref: 004258F8
SelectObject.GDI32(?,00000000), ref: 0042590A
SetBkColor.GDI32(?,00000000), ref: 0042592D
SetBkMode.GDI32(?,00000002), ref: 00425938

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(?,00000000), ref: 00425953
SetBkMode.GDI32(?,00000001), ref: 0042595E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042A930, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 112 Total matches: 272window

Similarity

Total matches: 272
API ID: CreateHalftonePaletteDeleteObjectGetDCReleaseDC
String ID: (
API String ID: 5888407-3887548279
Opcode ID: 4e22601666aff46a46581565b5bf303763a07c2fd17868808ec6dd327d665c82
Instruction ID: f57f3c124764741b0e8e00b5455ad9be4a6e3969f543885727e4b1f2e22c0620
Opcode Fuzzy Hash: 79019E5241CC6117F8D7A6547852F732644AB806A5C80FB707B69BA8CFAB85610EB90B
Instruction Fuzzy Hash: f57f3c124764741b0e8e00b5455ad9be4a6e3969f543885727e4b1f2e22c0620

APIs

GetDC.USER32(00000000), ref: 0042A9EC
CreateHalftonePalette.GDI32(00000000), ref: 0042A9F9
ReleaseDC.USER32(00000000,00000000), ref: 0042AA08
DeleteObject.GDI32(00000000), ref: 0042AA76

Strings

(, xrefs: 0042A9A3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EA7C, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50 Total matches: 198thread

Similarity

Total matches: 198
API ID: FindWindowExGetCurrentThreadIdGetWindowThreadProcessIdIsWindow
String ID: OleMainThreadWndClass
API String ID: 201132107-3883841218
Opcode ID: cdbacb71e4e8a6832b821703e69153792bbbb8731c9381be4d3b148a6057b293
Instruction ID: 62358f18f5a79d764869bf2b093b0b3ccaeb62bda00a46bd1094c38cdaeeb6b7
Opcode Fuzzy Hash: F8E08C9266CC1095C039EA1C7A2237A3548B7D24E9ED4DB747BEB2716CEF00022A7780
Instruction Fuzzy Hash: 62358f18f5a79d764869bf2b093b0b3ccaeb62bda00a46bd1094c38cdaeeb6b7

APIs

Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00000000,00403029), ref: 004076AD
Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00403029), ref: 004076BE

IsWindow.USER32(?), ref: 0042EA99
FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
GetCurrentThreadId.KERNEL32(?,00000000,00000000,00000000,OleMainThreadWndClass,00000000,?,?,00000000,0042EB52), ref: 0042EB0A

Strings

OleMainThreadWndClass, xrefs: 0042EAC3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043F914, Relevance: 7.7, APIs: 5, Instructions: 174 Total matches: 113window

Similarity

Total matches: 113
API ID: SetMenu$GetMenuSetWindowPos
String ID:
API String ID: 2285096500-0
Opcode ID: d0722823978f30f9d251a310f9061108e88e98677dd122370550f2cde24528f3
Instruction ID: e705ced47481df034b79e2c10a9e9c5239c9913cd23e0c77b7b1ec0a0db802ed
Opcode Fuzzy Hash: 5F118B40961E1266F846164C19EAF1171E6BB9D305CC4E72083E630396BE085027E773
Instruction Fuzzy Hash: e705ced47481df034b79e2c10a9e9c5239c9913cd23e0c77b7b1ec0a0db802ed

APIs

Part of subcall function 00407550: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 00407582

GetMenu.USER32(00000000), ref: 0043FA38
SetMenu.USER32(00000000,00000000), ref: 0043FA55
SetMenu.USER32(00000000,00000000), ref: 0043FA8A
SetMenu.USER32(00000000,00000000), ref: 0043FAA6

Part of subcall function 0043F84C: GetMenu.USER32(00000000), ref: 0043F892
Part of subcall function 0043F84C: SendMessageA.USER32(00000000,00000230,00000000,00000000), ref: 0043F8AA
Part of subcall function 0043F84C: DrawMenuBar.USER32(00000000), ref: 0043F8BB

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043FAED

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004455EC, Relevance: 7.6, APIs: 5, Instructions: 109 Total matches: 230

Similarity

Total matches: 230
API ID: ShowOwnedPopupsShowWindow$EnumWindows
String ID:
API String ID: 1268429734-0
Opcode ID: 27bb45b2951756069d4f131311b8216febb656800ffc3f7147a02f570a82fa35
Instruction ID: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc
Opcode Fuzzy Hash: 70012B5524E87325E2756D54B01C765A2239B0FF08CE6C6654AAE640F75E1E0132F78D
Instruction Fuzzy Hash: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc

APIs

EnumWindows.USER32(00445518,00000000), ref: 00445620
ShowWindow.USER32(?,00000000), ref: 00445655
ShowOwnedPopups.USER32(00000000,?), ref: 00445684
ShowWindow.USER32(?,00000005), ref: 004456EA
ShowOwnedPopups.USER32(00000000,?), ref: 00445719

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EB3C, Relevance: 7.6, APIs: 5, Instructions: 86 Total matches: 211window

Similarity

Total matches: 211
API ID: DispatchMessageMsgWaitForMultipleObjectsExPeekMessageTranslateMessageWaitForMultipleObjectsEx
String ID:
API String ID: 1615661765-0
Opcode ID: ed928f70f25773e24e868fbc7ee7d77a1156b106903410d7e84db0537b49759f
Instruction ID: 55a40452e6c929106030349fb2bc1598364ce2fc4e781c2a916e8f687fa462b2
Opcode Fuzzy Hash: DDF05C09614F1D16D8BB88644562B1B2144AB42397C26BFA5529EE3B2D6B18B00AF640
Instruction Fuzzy Hash: 55a40452e6c929106030349fb2bc1598364ce2fc4e781c2a916e8f687fa462b2

APIs

Part of subcall function 0042EA7C: IsWindow.USER32(?), ref: 0042EA99
Part of subcall function 0042EA7C: FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
Part of subcall function 0042EA7C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
Part of subcall function 0042EA7C: GetCurrentThreadId.KERNEL32(?,00000000,00000000,00000000,OleMainThreadWndClass,00000000,?,?,00000000,0042EB52), ref: 0042EB0A

MsgWaitForMultipleObjectsEx.USER32(?,?,?,000000BF,?), ref: 0042EB6A
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 0042EB85
TranslateMessage.USER32(?), ref: 0042EB92
DispatchMessageA.USER32(?), ref: 0042EB9B
WaitForMultipleObjectsEx.KERNEL32(?,?,?,?,00000000), ref: 0042EBC7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434924, Relevance: 7.6, APIs: 5, Instructions: 77 Total matches: 2509window

Similarity

Total matches: 2509
API ID: GetMenuItemCount$DestroyMenuGetMenuStateRemoveMenu
String ID:
API String ID: 4240291783-0
Opcode ID: 32de4ad86fdb0cc9fc982d04928276717e3a5babd97d9cb0bc7430a9ae97d0ca
Instruction ID: cf6877f9ad33401498591f2bf6e6844a5ca439f59e89e6fdb213c81f0c010526
Opcode Fuzzy Hash: 6BE02BD3455E4703F425AB0454E3FA913C4AF51716DA0DB1017359D07B1F26501FE9F4
Instruction Fuzzy Hash: cf6877f9ad33401498591f2bf6e6844a5ca439f59e89e6fdb213c81f0c010526

APIs

Part of subcall function 00434A54: CreatePopupMenu.USER32 ref: 00434A6F
Part of subcall function 00434A54: CreateMenu.USER32 ref: 00434A79

GetMenuItemCount.USER32(00000000), ref: 0043495C
GetMenuState.USER32(00000000,-00000001,00000400), ref: 0043497D
RemoveMenu.USER32(00000000,-00000001,00000400), ref: 00434994
GetMenuItemCount.USER32(00000000), ref: 004349C4
DestroyMenu.USER32(00000000), ref: 004349D1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00443430, Relevance: 7.6, APIs: 5, Instructions: 61 Total matches: 3003

Similarity

Total matches: 3003
API ID: SetWindowLong$GetWindowLongRedrawWindowSetLayeredWindowAttributes
String ID:
API String ID: 3761630487-0
Opcode ID: 9c9d49d1ef37d7cb503f07450c0d4a327eb9b2b4778ec50dcfdba666c10abcb3
Instruction ID: c6d9d2cd31c241e86b7d90949bf59b5cad1e27a78e0073c3828bbb8e9ec94880
Opcode Fuzzy Hash: 6AE06550D41703A1D48114945B63FBBE8817F8911DDE5C71001BA29145BA88A192FF7B
Instruction Fuzzy Hash: c6d9d2cd31c241e86b7d90949bf59b5cad1e27a78e0073c3828bbb8e9ec94880

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 00443464
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 00443496
SetLayeredWindowAttributes.USER32(00000000,?,?,00000000), ref: 004434CF
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 004434E8
RedrawWindow.USER32(00000000,00000000,00000000,00000485), ref: 004434FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426178, Relevance: 7.6, APIs: 5, Instructions: 55 Total matches: 3070window

Similarity

Total matches: 3070
API ID: GetPaletteEntries$GetDCGetDeviceCapsReleaseDC
String ID:
API String ID: 1267235336-0
Opcode ID: 49f91625e0dd571c489fa6fdad89a91e8dd79834746e98589081ca7a3a4fea17
Instruction ID: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836
Opcode Fuzzy Hash: 7CD0C2AA1389DBD6BD6A17842352A4553478983B09D126B32EB0822872850C5039FD1F
Instruction Fuzzy Hash: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836

APIs

GetDC.USER32(00000000), ref: 00426190
GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444B90, Relevance: 7.5, APIs: 5, Instructions: 25 Total matches: 2957synchronizationthread

Similarity

Total matches: 2957
API ID: CloseHandleGetCurrentThreadIdSetEventUnhookWindowsHookExWaitForSingleObject
String ID:
API String ID: 3442057731-0
Opcode ID: bc40a7f740796d43594237fc13166084f8c3b10e9e48d5138e47e82ca7129165
Instruction ID: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1
Opcode Fuzzy Hash: E9C01296B2C9B0C1EC809712340202800B20F8FC590E3DE0509D7363005315D73CD92C
Instruction Fuzzy Hash: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1

APIs

UnhookWindowsHookEx.USER32(00000000), ref: 00444B9F
SetEvent.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBA
GetCurrentThreadId.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBF
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00444BD4
CloseHandle.KERNEL32(00000000), ref: 00444BDF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040D670, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148 Total matches: 3566thread

Similarity

Total matches: 3566
API ID: GetThreadLocale
String ID: eeee$ggg$yyyy
API String ID: 1366207816-1253427255
Opcode ID: 86fa1fb3c1f239f42422769255d2b4db7643f856ec586a18d45da068e260c20e
Instruction ID: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436
Opcode Fuzzy Hash: 3911BD8712648363D5722818A0D2BE3199C5703CA4EA89742DDB6356EA7F09440BEE6D
Instruction Fuzzy Hash: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436

APIs

GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Strings

eeee, xrefs: 0040D7AE
yyyy, xrefs: 0040D795
ggg, xrefs: 0040D785

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00411444, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: 954335058d5fe722e048a186d9110509c96c1379a47649d8646f5b9e1a2e0a0b
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: 9D014B0327CAAA867021BB004882FA0D2D4DE52A369CD8774DB71593F62780571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004114F3
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041150F
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411586
VariantClear.OLEAUT32(?), ref: 004115AF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040D8AA, Relevance: 6.1, APIs: 4, Instructions: 101 Total matches: 2563

Similarity

Total matches: 2563
API ID: GetModuleFileName$LoadStringVirtualQuery
String ID:
API String ID: 2941097594-0
Opcode ID: 9f707685a8ca2ccbfc71ad53c7f9b5a8f910bda01de382648e3a286d4dcbad8b
Instruction ID: 9b6f9daabaaed01363acd1bc6df000eeaee8c5b1ee04e659690c8b100997f9f3
Opcode Fuzzy Hash: 4C014C024365E386F4234B112882F5492E0DB65DB1E8C6751EFB9503F65F40115EF72D
Instruction Fuzzy Hash: 9b6f9daabaaed01363acd1bc6df000eeaee8c5b1ee04e659690c8b100997f9f3

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040D8C9
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040D8ED
GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040D908
LoadStringA.USER32(00000000,0000FFED,?,00000100), ref: 0040D99E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428848, Relevance: 6.1, APIs: 4, Instructions: 83 Total matches: 2913window

Similarity

Total matches: 2913
API ID: CreateCompatibleDCRealizePaletteSelectObjectSelectPalette
String ID:
API String ID: 3833105616-0
Opcode ID: 7f49dee69bcd38fda082a6c54f39db5f53dba16227df2c2f18840f8cf7895046
Instruction ID: 29ada319a87402adac0eebea4d3b1ef9d21249ffa1523adf5174efdc3c3390a2
Opcode Fuzzy Hash: C0F0E5870BCED49BFCA7D484249722910C2F3C08DFC80A3324E55676DB9604B127A20B
Instruction Fuzzy Hash: 29ada319a87402adac0eebea4d3b1ef9d21249ffa1523adf5174efdc3c3390a2

APIs

Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE

Part of subcall function 00429D5C: GetDC.USER32(00000000), ref: 00429DB2
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429DC7
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00429DD1
Part of subcall function 00429D5C: CreateHalftonePalette.GDI32(00000000), ref: 00429DF5
Part of subcall function 00429D5C: ReleaseDC.USER32(00000000,00000000), ref: 00429E00

CreateCompatibleDC.GDI32(00000000), ref: 0042889D
SelectObject.GDI32(00000000,?), ref: 004288B6
SelectPalette.GDI32(00000000,?,000000FF), ref: 004288DF
RealizePalette.GDI32(00000000), ref: 004288EB

Part of subcall function 00425608: LeaveCriticalSection.KERNEL32(00000038,00000000,00423DD2,00423DE8), ref: 0042560F
Part of subcall function 00425608: EnterCriticalSection.KERNEL32(00499A30,00000038,00000000,00423DD2,00423DE8), ref: 00425619
Part of subcall function 00425608: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000038,00000000,00423DD2,00423DE8), ref: 00425626

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00438710, Relevance: 6.1, APIs: 4, Instructions: 72 Total matches: 3034window

Similarity

Total matches: 3034
API ID: GetMenuItemIDGetMenuStateGetMenuStringGetSubMenu
String ID:
API String ID: 4177512249-0
Opcode ID: ecc45265f1f2dfcabc36b66648e37788e83d83d46efca9de613be41cbe9cf08e
Instruction ID: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d
Opcode Fuzzy Hash: BEE020084B1FC552541F0A4A1573F019140E142CB69C3F3635127565B31A255213F776
Instruction Fuzzy Hash: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d

APIs

GetMenuState.USER32(?,?,?), ref: 00438733
GetSubMenu.USER32(?,?), ref: 0043873E
GetMenuItemID.USER32(?,?), ref: 00438757
GetMenuStringA.USER32(?,?,?,?,?), ref: 004387AA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00445518, Relevance: 6.1, APIs: 4, Instructions: 71 Total matches: 218threadwindow

Similarity

Total matches: 218
API ID: GetCurrentProcessIdGetWindowGetWindowThreadProcessIdIsWindowVisible
String ID:
API String ID: 3659984437-0
Opcode ID: 6a2b99e3a66d445235cbeb6ae27631a3038d73fb4110980a8511166327fee1f0
Instruction ID: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8
Opcode Fuzzy Hash: 82E0AB21B2AA28AAE0971541B01939130B3F74ED9ACC0A3626F8594BD92F253809E74F
Instruction Fuzzy Hash: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8

APIs

GetWindow.USER32(?,00000004), ref: 00445528
GetWindowThreadProcessId.USER32(?,?), ref: 00445542
GetCurrentProcessId.KERNEL32(?,00000004), ref: 0044554E
IsWindowVisible.USER32(?), ref: 0044559E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B29C, Relevance: 6.1, APIs: 4, Instructions: 58 Total matches: 214window

Similarity

Total matches: 214
API ID: DeleteObject$GetIconInfoGetObject
String ID:
API String ID: 3019347292-0
Opcode ID: d6af2631bec08fa1cf173fc10c555d988242e386d2638a025981433367bbd086
Instruction ID: 7fbc048e39f9dd6e6db5f40543e5f161b145f4c2f282fe4a446dbd8e1941d375
Opcode Fuzzy Hash: F7D0C283228DE2F7ED767D983A636154085F782297C6423B00444730860A1E700C6A03
Instruction Fuzzy Hash: 7fbc048e39f9dd6e6db5f40543e5f161b145f4c2f282fe4a446dbd8e1941d375

APIs

GetIconInfo.USER32(?,?), ref: 0042B2BD
GetObjectA.GDI32(?,00000018,?), ref: 0042B2DE
DeleteObject.GDI32(?), ref: 0042B30A
DeleteObject.GDI32(?), ref: 0042B313

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00445334, Relevance: 6.1, APIs: 4, Instructions: 56 Total matches: 2678

Similarity

Total matches: 2678
API ID: EnumWindowsGetWindowGetWindowLongSetWindowPos
String ID:
API String ID: 1660305372-0
Opcode ID: c3d012854d63b95cd89c42a77d529bdce0f7c5ea0abc138a70ce1ca7fb0ed027
Instruction ID: 7947c1ee61b3a945b06f79495752ea495d4a1fb36974d9d540e15b721e8a8e8a
Opcode Fuzzy Hash: 65E07D89179DA114F52124400911F043342F3D731BD1ADF814246283E39B8522BBFB8C
Instruction Fuzzy Hash: 7947c1ee61b3a945b06f79495752ea495d4a1fb36974d9d540e15b721e8a8e8a

APIs

EnumWindows.USER32(Function_000452BC), ref: 0044535E
GetWindow.USER32(?,00000003), ref: 00445376
GetWindowLongA.USER32(00000000,000000EC), ref: 00445383
SetWindowPos.USER32(00000000,000000EC,00000000,00000000,00000000,00000000,00000213), ref: 004453C2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0041C2D4, Relevance: 6.1, APIs: 4, Instructions: 51 Total matches: 4966

Similarity

Total matches: 4966
API ID: FindResourceLoadResourceLockResourceSizeofResource
String ID:
API String ID: 3653323225-0
Opcode ID: 735dd83644160b8dcfdcb5d85422b4d269a070ba32dbf009b7750e227a354687
Instruction ID: 615d07274e164157e3e11310b2f920de543c2506028dc961f8b3aaf64374c2fd
Opcode Fuzzy Hash: 4BD0A90A2268C100582C2C80002BBC610830A5FE226CC27F902231BBC32C026024F8C4
Instruction Fuzzy Hash: 615d07274e164157e3e11310b2f920de543c2506028dc961f8b3aaf64374c2fd

APIs

FindResourceA.KERNEL32(?,?,?), ref: 0041C2EB
LoadResource.KERNEL32(?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C305
SizeofResource.KERNEL32(?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C31F
LockResource.KERNEL32(0041BDF4,00000000,?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000), ref: 0041C329

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044E254, Relevance: 6.0, APIs: 4, Instructions: 37 Total matches: 5751thread

Similarity

Total matches: 5751
API ID: GetCurrentProcessIdGetPropGetWindowThreadProcessIdGlobalFindAtom
String ID:
API String ID: 142914623-0
Opcode ID: 055fee701d7a26f26194a738d8cffb303ddbdfec43439e02886190190dab2487
Instruction ID: e9689aead5eaf442059aa2d418bca5d111d08576717f72d926dd49825766799b
Opcode Fuzzy Hash: 0AC02203AD2E23870E4202F2E840907219583DF8720CA370201B0E38C023F0461DFF0C
Instruction Fuzzy Hash: e9689aead5eaf442059aa2d418bca5d111d08576717f72d926dd49825766799b

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 0044E261
GetCurrentProcessId.KERNEL32(00000000,?,?,-00000010,00000000,0044E2CC,-000000F7,?,00000000,0044DE86,?,-00000010,?), ref: 0044E26A
GlobalFindAtomA.KERNEL32(00000000), ref: 0044E27F
GetPropA.USER32(00000000,00000000), ref: 0044E296

Part of subcall function 0044D2C0: GetWindowThreadProcessId.USER32(?), ref: 0044D2C6
Part of subcall function 0044D2C0: GetCurrentProcessId.KERNEL32(?,?,?,?,0044D346,?,00000000,?,004387ED,?,004378A9), ref: 0044D2CF
Part of subcall function 0044D2C0: SendMessageA.USER32(?,0000C1C7,00000000,00000000), ref: 0044D2E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444B1C, Relevance: 6.0, APIs: 4, Instructions: 34 Total matches: 2966thread

Similarity

Total matches: 2966
API ID: CreateEventCreateThreadGetCurrentThreadIdSetWindowsHookEx
String ID:
API String ID: 2240124278-0
Opcode ID: 54442a1563c67a11f9aee4190ed64b51599c5b098d388fde65e2e60bb6332aef
Instruction ID: 25b62da08cecef26c395931cea73ffe9b62582a88be241cbb158b3c9ea13de32
Opcode Fuzzy Hash: 37D0C940B0DE75C4F860630138017A90633234BF1BCD1C316480F76041C6CFAEF07A28
Instruction Fuzzy Hash: 25b62da08cecef26c395931cea73ffe9b62582a88be241cbb158b3c9ea13de32

APIs

GetCurrentThreadId.KERNEL32(?,00447A69,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00444B34
SetWindowsHookExA.USER32(00000003,00444AD8,00000000,00000000), ref: 00444B44
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00447A69,?,?,?,?,?,?,?,?,?,?), ref: 00444B5F
CreateThread.KERNEL32(00000000,000003E8,00444A7C,00000000,00000000), ref: 00444B83

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B438, Relevance: 6.0, APIs: 4, Instructions: 29 Total matches: 789

Similarity

Total matches: 789
API ID: GetDCGetTextMetricsReleaseDCSelectObject
String ID:
API String ID: 1769665799-0
Opcode ID: db772d9cc67723a7a89e04e615052b16571c955da3e3b2639a45f22e65d23681
Instruction ID: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3
Opcode Fuzzy Hash: DCC02B935A2888C32DE51FC0940084317C8C0E3A248C62212E13D400727F0C007CBFC0
Instruction Fuzzy Hash: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3

APIs

GetDC.USER32(00000000), ref: 0042B441
SelectObject.GDI32(00000000,018A002E), ref: 0042B453
GetTextMetricsA.GDI32(00000000), ref: 0042B45E
ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E408, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44 Total matches: 2190

Similarity

Total matches: 2190
API ID: GetSystemMetrics
String ID: MonitorFromPoint
API String ID: 96882338-1072306578
Opcode ID: 666203dad349f535e62b1e5569e849ebaf95d902ba2aa8f549115cec9aadc9dc
Instruction ID: 9e90a3aeaa9df0e76633c437836624889fea8714b6c2508f44f8acb6986c90e8
Opcode Fuzzy Hash: 72D09540005C404E9427F505302314050862CD7C1444C0A96073728A4B4BC07837E70C
Instruction Fuzzy Hash: 9e90a3aeaa9df0e76633c437836624889fea8714b6c2508f44f8acb6986c90e8

APIs

GetSystemMetrics.USER32(00000000), ref: 0042E456
GetSystemMetrics.USER32(00000001), ref: 0042E468

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

MonitorFromPoint, xrefs: 0042E41A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E258, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39 Total matches: 3131

Similarity

Total matches: 3131
API ID: GetSystemMetrics
String ID: GetSystemMetrics
API String ID: 96882338-96882338
Opcode ID: bbc54e4b5041dfa08de2230ef90e8f32e1264c6e24ec09b97715d86cc98d23e9
Instruction ID: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c
Opcode Fuzzy Hash: B4D0A941986AA908E0AF511971A336358D163D2EA0C8C8362308B329EB5741B520AB01
Instruction Fuzzy Hash: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c

APIs

GetSystemMetrics.USER32(?), ref: 0042E2BA

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

GetSystemMetrics.USER32(?), ref: 0042E280

Strings

GetSystemMetrics, xrefs: 0042E268

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Process Name: Filezilla.exe Analysis ID: 401368

General

Root Process Name:	regdrv.exe
Process MD5:	1B9793452B165AC33B7E01430F3079E0
Total matches:	114
Initial Analysis Report:	Open
Initial sample Analysis ID:	401368
Initial sample SHA 256:	7170E5645CA50B4B3AB4C85EA9C24E132C73AA2A20A39247380DB117543EAA31
Initial sample name:	43PAYMENT TRANSFER INSTRUCTIONS.exe

Similar Executed Functions

Function 00406C2C, Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184 Total matches: 2899registrystringlibrary

Similarity

Total matches: 2899
API ID: lstrcpyn$LoadLibraryExRegOpenKeyEx$RegQueryValueEx$GetLocaleInfoGetModuleFileNameGetThreadLocaleRegCloseKeylstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 3567661987-2375825460
Opcode ID: a3b1251d448c01bd6f1cc1c42774547fa8a2e6c4aa6bafad0bbf1d0ca6416942
Instruction ID: a303aaa8438224c55303324eb01105260f59544aa3820bfcbc018d52edb30607
Opcode Fuzzy Hash: 7311914307969393E8871B6124157D513A5AF01F30E4A7BF275F0206EABE46110CFA06
Instruction Fuzzy Hash: a303aaa8438224c55303324eb01105260f59544aa3820bfcbc018d52edb30607

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,00400000,004917C0), ref: 00406C48
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,004917C0), ref: 00406C66
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,004917C0), ref: 00406C84
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00406CA2

Part of subcall function 00406A68: GetModuleHandleA.KERNEL32(kernel32.dll,?,00400000,004917C0), ref: 00406A85
Part of subcall function 00406A68: GetProcAddress.KERNEL32(?,GetLongPathNameA,kernel32.dll,?,00400000,004917C0), ref: 00406A9C
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,?,00400000,004917C0), ref: 00406ACC
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B30
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B66
Part of subcall function 00406A68: FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B79
Part of subcall function 00406A68: FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B8B
Part of subcall function 00406A68: lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B97
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000), ref: 00406BCB
Part of subcall function 00406A68: lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00406BD7
Part of subcall function 00406A68: lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 00406BF9

RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,00406D31,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00406CEB
RegQueryValueExA.ADVAPI32(?,00406E98,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00406D31,?,80000001), ref: 00406D09
RegCloseKey.ADVAPI32(?,00406D38,00000000,?,?,00000000,00406D31,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00406D2B
lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00406D48
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00406D55
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00406D5B
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00406D86
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406DCD
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406DDD
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406E05
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406E15
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00406E3B
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 00406E4B

Strings

Software\Borland\Locales, xrefs: 00406C5C, 00406C7A
Software\Borland\Delphi\Locales, xrefs: 00406C98

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00406D38, Relevance: 15.1, APIs: 10, Instructions: 98 Total matches: 2843stringlibrarythread

Similarity

Total matches: 2843
API ID: lstrcpyn$LoadLibraryEx$GetLocaleInfoGetThreadLocalelstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 2476548892-2375825460
Opcode ID: 37afa4b59127376f4a6833a35b99071d0dffa887068a3353cca0b5e1e5cd2bc3
Instruction ID: 0c520f96d45b86b238466289d2a994e593252e78d5c30d2048b7af96496f657b
Opcode Fuzzy Hash: 4CF0C883479793A7E04B1B422916AC853A4AF00F30F577BE1B970147FE7D1B240CA519
Instruction Fuzzy Hash: 0c520f96d45b86b238466289d2a994e593252e78d5c30d2048b7af96496f657b

APIs

lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00406D48
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00406D55
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00406D5B
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00406D86
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406DCD
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406DDD
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406E05
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406E15
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00406E3B
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 00406E4B

Strings

Software\Borland\Locales, xrefs: 00406C5C, 00406C7A
Software\Borland\Delphi\Locales, xrefs: 00406C98

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AEA8, Relevance: 9.1, APIs: 6, Instructions: 108 Total matches: 122

Similarity

Total matches: 122
API ID: AdjustTokenPrivilegesCloseHandleGetCurrentProcessGetLastErrorLookupPrivilegeValueOpenProcessToken
String ID:
API String ID: 1655903152-0
Opcode ID: c92d68a2c1c5faafb4a28c396f292a277a37f0b40326d7f586547878ef495775
Instruction ID: 5a044237aac15a3989e4021d08b96f5326c338692d3d0e66e444868dbe789150
Opcode Fuzzy Hash: 2CF0468513CAB2E7F879B18C3042FE73458B323244C8437219A903A18E0E59A12CEB13
Instruction Fuzzy Hash: 5a044237aac15a3989e4021d08b96f5326c338692d3d0e66e444868dbe789150

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AEFF
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF05
LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000), ref: 0048AF77
CloseHandle.KERNEL32(?), ref: 0048AF8D
GetLastError.KERNEL32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF9A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DDE0, Relevance: 7.6, APIs: 5, Instructions: 54 Total matches: 153

Similarity

Total matches: 153
API ID: FindResourceFreeResourceLoadResourceLockResourceSizeofResource
String ID:
API String ID: 3885362348-0
Opcode ID: ef8b8e58cde3d28224df1e0c57da641ab2d3d01fa82feb3a30011b4f31433ee9
Instruction ID: 9990bafbf40e834a260b48e1f62370990a3e04654371271e90c167a58edff6a8
Opcode Fuzzy Hash: 08D02B420B5FA197F51656482C813D722876B43386EC42BF2D31A3B2E39F058039F60B
Instruction Fuzzy Hash: 9990bafbf40e834a260b48e1f62370990a3e04654371271e90c167a58edff6a8

APIs

FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 0048DE1A
LoadResource.KERNEL32(00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE24
SizeofResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE2E
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE36
FreeResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048B908, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 138 Total matches: 28

Similarity

Total matches: 28
API ID: GetTokenInformation$CloseHandleGetCurrentProcessOpenProcessToken
String ID: Default$Full$Limited$unknow
API String ID: 3519712506-3005279702
Opcode ID: c9e83fe5ef618880897256b557ce500f1bf5ac68e7136ff2dc4328b35d11ffd0
Instruction ID: 0b4c06dab34d27ad9d68d80be0f4d698db9405c4a95def130c1ac261927f5781
Opcode Fuzzy Hash: 94012245479DA6FB6826709C78036E90090EEA3505DC827320F1A3EA430F49906DFE03
Instruction Fuzzy Hash: 0b4c06dab34d27ad9d68d80be0f4d698db9405c4a95def130c1ac261927f5781

APIs

GetCurrentProcess.KERNEL32(00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B93E
OpenProcessToken.ADVAPI32(00000000,00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B944
GetTokenInformation.ADVAPI32(?,00000012(TokenIntegrityLevel),?,00000004,?,00000000,0048BA30,?,00000000,00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B96F
GetTokenInformation.ADVAPI32(?,00000014(TokenIntegrityLevel),?,00000004,?,?,TokenIntegrityLevel,?,00000004,?,00000000,0048BA30,?,00000000,00000008,?), ref: 0048B9DF
CloseHandle.KERNEL32(?), ref: 0048BA2A

Strings

unknow, xrefs: 0048B9B6
Limited, xrefs: 0048B9A7
Default, xrefs: 0048B989
Full, xrefs: 0048B998

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004035C4, Relevance: 15.1, APIs: 10, Instructions: 129 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: d538ecb20819965be69077a828496b76d5af3486dd71f6717b9dc933de35fdbc
Instruction ID: c976212507a0127e09b4f1878ff8970bdbefa7b4a5e526d5fabf74a192684bc9
Opcode Fuzzy Hash: DD012BC0B7E89268E42FAB84AA00FD25444979FFC9E70C74433C9615EE6742616CBE09
Instruction Fuzzy Hash: c976212507a0127e09b4f1878ff8970bdbefa7b4a5e526d5fabf74a192684bc9

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040364C
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00403670
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040368C
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 004036AD
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 004036D6
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 004036E4
GetStdHandle.KERNEL32(000000F5), ref: 0040371F
GetFileType.KERNEL32 ref: 00403735
CloseHandle.KERNEL32 ref: 00403750
GetLastError.KERNEL32(000000F5), ref: 00403768

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040EBCC, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201 Total matches: 3634thread

Similarity

Total matches: 3634
API ID: GetThreadLocale
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 1366207816-2493093252
Opcode ID: 01a36ac411dc2f0c4b9eddfafa1dc6121dabec367388c2cb1b6e664117e908cf
Instruction ID: d03f869ccb848d3c28b0e9f5c57a02ed4726818649ba9b5e70cc30c7e7abe10a
Opcode Fuzzy Hash: 7E216E09A7888936D262494C3885B9414F75F1A161EC4CBF18BB2757ED6EC60422FBFB
Instruction Fuzzy Hash: d03f869ccb848d3c28b0e9f5c57a02ed4726818649ba9b5e70cc30c7e7abe10a

APIs

Part of subcall function 0040EB08: GetThreadLocale.KERNEL32 ref: 0040EB2A
Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000004A), ref: 0040EB7D
Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000002A), ref: 0040EB8C

Part of subcall function 0040D3E8: GetThreadLocale.KERNEL32(00000000,0040D4FB,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040D404

GetThreadLocale.KERNEL32(00000000,0040EE97,?,?,00000000,00000000), ref: 0040EC02

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Part of subcall function 0040D380: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040EC7E,00000000,0040EE97,?,?,00000000,00000000), ref: 0040D393

Part of subcall function 0040D670: GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(?,00000000,0040D657,?,?,00000000), ref: 0040D5D8
Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040D657,?,?,00000000), ref: 0040D608
Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D50C,00000000,00000000,00000004), ref: 0040D613
Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040D657,?,?,00000000), ref: 0040D631
Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D548,00000000,00000000,00000003), ref: 0040D63C

Strings

AMPM , xrefs: 0040EE25
mmmm d, yyyy, xrefs: 0040ECFE
m/d/yy, xrefs: 0040ECD1
:mm, xrefs: 0040EE35
:mm:ss, xrefs: 0040EE52
AMPM, xrefs: 0040EE16

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045F5F8, Relevance: 10.6, APIs: 7, Instructions: 117 Total matches: 462file

Similarity

Total matches: 462
API ID: CloseHandle$CreateFileCreateFileMappingGetFileSizeMapViewOfFileUnmapViewOfFile
String ID:
API String ID: 4232242029-0
Opcode ID: 30b260463d44c6b5450ee73c488d4c98762007a87f67d167b52aaf6bd441c3bf
Instruction ID: 5c790fdba87d6d3a28b45298bdc34f72c373fcd78425af207109af52e92f4d8f
Opcode Fuzzy Hash: 68F028440BCCF3A7F4B5B64820427A1004AAB46B58D54BFA25495374CB89C9B04DFB53
Instruction Fuzzy Hash: 5c790fdba87d6d3a28b45298bdc34f72c373fcd78425af207109af52e92f4d8f

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateFileA.KERNEL32(00000000,80000000,00000003,00000000,00000003,08000080,00000000), ref: 0045F637
CreateFileMappingA.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0045F665
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718,?,?,?,?), ref: 0045F691
GetFileSize.KERNEL32(000000FF,00000000,00000000,0045F6DC,?,00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718), ref: 0045F6B3
UnmapViewOfFile.KERNEL32(00000000,0045F6E3,0045F6DC,?,00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718), ref: 0045F6D6
CloseHandle.KERNEL32(00000000), ref: 0045F6F4
CloseHandle.KERNEL32(000000FF), ref: 0045F712

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AFE8, Relevance: 10.6, APIs: 7, Instructions: 94 Total matches: 34sleep

Similarity

Total matches: 34
API ID: Sleep$GetCurrentProcessGetTokenInformationLookupPrivilegeDisplayNameLookupPrivilegeNameOpenProcessToken
String ID:
API String ID: 2949210484-0
Opcode ID: 1294ace95088db967643d611283e857756515b83d680ef470e886f47612abab4
Instruction ID: 080af5cb768fd98714a9d060fcd45c73de1816ca9ba7ffb4874f351f539571ee
Opcode Fuzzy Hash: F9F0F6524B5DE753F65D2A4C9893BE90250DB03424E806B22857877A8A5E195039FA2A
Instruction Fuzzy Hash: 080af5cb768fd98714a9d060fcd45c73de1816ca9ba7ffb4874f351f539571ee

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048B0F3), ref: 0048B016
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048B0F3), ref: 0048B01C
Sleep.KERNEL32(00000001,00000000,00000028,?,00000000,0048B0F3), ref: 0048B027
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B03C
Sleep.KERNEL32(00000001,?,TokenIntegrityLevel,00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B047
LookupPrivilegeNameA.ADVAPI32(00000000,00000004,00000000,000000FF), ref: 0048B094
LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,?,000000FF,?), ref: 0048B0A8

Part of subcall function 0048AEA8: GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AEFF
Part of subcall function 0048AEA8: OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF05
Part of subcall function 0048AEA8: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
Part of subcall function 0048AEA8: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000), ref: 0048AF77
Part of subcall function 0048AEA8: CloseHandle.KERNEL32(?), ref: 0048AF8D
Part of subcall function 0048AEA8: GetLastError.KERNEL32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF9A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B47C, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58 Total matches: 283

Similarity

Total matches: 283
API ID: MulDiv
String ID: MS Shell Dlg 2$SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes$Tahoma
API String ID: 940359406-1011973972
Opcode ID: 9f338f1e3de2c8e95426f3758bdd42744a67dcd51be80453ed6f2017c850a3af
Instruction ID: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a
Opcode Fuzzy Hash: EDE0680017C8F0ABFC32BC8A30A17CD20C9F341270C0063B1065D3D8CAAB4AC018E907
Instruction Fuzzy Hash: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a

APIs

MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0042B4A2

Part of subcall function 004217A0: RegCloseKey.ADVAPI32(10940000,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5,?,00000000,0048B2DD), ref: 004217B4

Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421A81
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421AF1
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?), ref: 00421B5C

Part of subcall function 00421770: RegFlushKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 00421781
Part of subcall function 00421770: RegCloseKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 0042178A

Part of subcall function 0042B438: GetDC.USER32(00000000), ref: 0042B441
Part of subcall function 0042B438: SelectObject.GDI32(00000000,018A002E), ref: 0042B453
Part of subcall function 0042B438: GetTextMetricsA.GDI32(00000000), ref: 0042B45E
Part of subcall function 0042B438: ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes, xrefs: 0042B4F8
MS Shell Dlg 2, xrefs: 0042B50C
Tahoma, xrefs: 0042B4C4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00421140, Relevance: 6.1, APIs: 4, Instructions: 59 Total matches: 2877registry

Similarity

Total matches: 2877
API ID: GetClassInfoRegisterClassSetWindowLongUnregisterClass
String ID:
API String ID: 1046148194-0
Opcode ID: c2411987b4f71cfd8dbf515c505d6b009a951c89100e7b51cc1a9ad4868d85a2
Instruction ID: ad09bb2cd35af243c34bf0a983bbfa5e937b059beb8f7eacfcf21e0321a204f6
Opcode Fuzzy Hash: 17E026123D08D3D6E68B3107302B30D00AC1B2F524D94E725428030310CB24B034D942
Instruction Fuzzy Hash: ad09bb2cd35af243c34bf0a983bbfa5e937b059beb8f7eacfcf21e0321a204f6

APIs

GetClassInfoA.USER32(00400000,00421130,?), ref: 00421161
UnregisterClassA.USER32(00421130,00400000), ref: 0042118A
RegisterClassA.USER32(00491B50), ref: 00421194

Part of subcall function 0040857C: CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004085BB

Part of subcall function 00421084: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 004210A2

SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 004211DF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048CF38, Relevance: 4.5, APIs: 3, Instructions: 43 Total matches: 31

Similarity

Total matches: 31
API ID: GetForegroundWindowGetWindowTextGetWindowTextLength
String ID:
API String ID: 3098183346-0
Opcode ID: 209e0569b9b6198440fd91fa0607dca7769e34364d6ddda49eba559da13bc80b
Instruction ID: 91d0bfb2ef12b00d399625e8c88d0df52cd9c99a94677dcfff05ce23f9c63a23
Opcode Fuzzy Hash: 06D0A785074B861BA40A96CC64011E692906161142D8077318725BA5C9AD06001FA85B
Instruction Fuzzy Hash: 91d0bfb2ef12b00d399625e8c88d0df52cd9c99a94677dcfff05ce23f9c63a23

APIs

GetForegroundWindow.USER32 ref: 0048CF57
GetWindowTextLengthA.USER32(00000000), ref: 0048CF63
GetWindowTextA.USER32(00000000,00000000,00000001), ref: 0048CF80

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482028, Relevance: 4.5, APIs: 3, Instructions: 19 Total matches: 124window

Similarity

Total matches: 124
API ID: DispatchMessageGetMessageTranslateMessage
String ID:
API String ID: 238847732-0
Opcode ID: 2bc29e822e5a19ca43f9056ef731e5d255ca23f22894fa6ffe39914f176e67d0
Instruction ID: 3635f244085e73605198e4edd337f824154064b4cabe78c039b45d2f1f3269be
Opcode Fuzzy Hash: A9B0120F8141E01F254D19651413380B5D379C3120E515B604E2340284D19031C97C49
Instruction Fuzzy Hash: 3635f244085e73605198e4edd337f824154064b4cabe78c039b45d2f1f3269be

APIs

Part of subcall function 00481ED8: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00482007,?,?,00000003,00000000,00000000,?,00482033), ref: 00481EFB
Part of subcall function 00481ED8: SetWindowsHookExA.USER32(0000000D,004818F8,00000000,00000000), ref: 00481F09

TranslateMessage.USER32 ref: 00482036
DispatchMessageA.USER32 ref: 0048203C
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00482048

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Similar Non-Executed Functions

Function 0048B42C, Relevance: 70.2, APIs: 32, Strings: 8, Instructions: 219 Total matches: 29keyboard

Similarity

Total matches: 29
API ID: keybd_event
String ID: CTRLA$CTRLC$CTRLF$CTRLP$CTRLV$CTRLX$CTRLY$CTRLZ
API String ID: 2665452162-853614746
Opcode ID: 4def22f753c7f563c1d721fcc218f3f6eb664e5370ee48361dbc989d32d74133
Instruction ID: 963b610819eac8b52ef880b5a8b69d76f76adbdeafee6c47af906d1515d6b099
Opcode Fuzzy Hash: 532196951B0CA2B978DA64817C0E195F00B969B34DEDC13128990DAF788EF08DE03F35
Instruction Fuzzy Hash: 963b610819eac8b52ef880b5a8b69d76f76adbdeafee6c47af906d1515d6b099

APIs

keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B460
keybd_event.USER32(00000041,00000045,00000001,00000000), ref: 0048B46D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B47A
keybd_event.USER32(00000041,00000045,00000003,00000000), ref: 0048B487
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B4A8
keybd_event.USER32(00000056,00000045,00000001,00000000), ref: 0048B4B5
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B4C2
keybd_event.USER32(00000056,00000045,00000003,00000000), ref: 0048B4CF
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B4F0
keybd_event.USER32(00000043,00000045,00000001,00000000), ref: 0048B4FD
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B50A
keybd_event.USER32(00000043,00000045,00000003,00000000), ref: 0048B517
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B538
keybd_event.USER32(00000058,00000045,00000001,00000000), ref: 0048B545
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B552
keybd_event.USER32(00000058,00000045,00000003,00000000), ref: 0048B55F
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B580
keybd_event.USER32(00000050,00000045,00000001,00000000), ref: 0048B58D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B59A
keybd_event.USER32(00000050,00000045,00000003,00000000), ref: 0048B5A7
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B5C8
keybd_event.USER32(0000005A,00000045,00000001,00000000), ref: 0048B5D5
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B5E2
keybd_event.USER32(0000005A,00000045,00000003,00000000), ref: 0048B5EF
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B610
keybd_event.USER32(00000059,00000045,00000001,00000000), ref: 0048B61D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B62A
keybd_event.USER32(00000059,00000045,00000003,00000000), ref: 0048B637
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B655
keybd_event.USER32(00000046,00000045,00000001,00000000), ref: 0048B662
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B66F
keybd_event.USER32(00000046,00000045,00000003,00000000), ref: 0048B67C

Strings

CTRLP, xrefs: 0048B56C
CTRLC, xrefs: 0048B4DC
CTRLV, xrefs: 0048B494
CTRLY, xrefs: 0048B5FC
CTRLF, xrefs: 0048B641
CTRLZ, xrefs: 0048B5B4
CTRLX, xrefs: 0048B524
CTRLA, xrefs: 0048B44C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00460AC0, Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99 Total matches: 300libraryloader

Similarity

Total matches: 300
API ID: GetProcAddress$GetModuleHandle
String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$[FILE]
API String ID: 1039376941-2682310058
Opcode ID: f09c306a48b0de2dd47c8210d3bd2ba449cfa3644c05cf78ba5a2ace6c780295
Instruction ID: bcfc9cd07546656776842482fc67dab96c7523a4dc8624f3bf5282ed84c56a54
Opcode Fuzzy Hash: 950151BF00AC158CCBB0CE8834EFB5324AB398984C4225F4495C6312393D9FF50A1AAA
Instruction Fuzzy Hash: bcfc9cd07546656776842482fc67dab96c7523a4dc8624f3bf5282ed84c56a54

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?,?,?), ref: 00460AD4
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?,?,?), ref: 00460AEC
GetProcAddress.KERNEL32(00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?), ref: 00460AFE
GetProcAddress.KERNEL32(00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E), ref: 00460B10
GetProcAddress.KERNEL32(00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5), ref: 00460B22
GetProcAddress.KERNEL32(00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5), ref: 00460B34
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000), ref: 00460B46
GetProcAddress.KERNEL32(00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002), ref: 00460B58
GetProcAddress.KERNEL32(00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot), ref: 00460B6A
GetProcAddress.KERNEL32(00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst), ref: 00460B7C
GetProcAddress.KERNEL32(00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext), ref: 00460B8E
GetProcAddress.KERNEL32(00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First), ref: 00460BA0
GetProcAddress.KERNEL32(00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next), ref: 00460BB2
GetProcAddress.KERNEL32(00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory), ref: 00460BC4
GetProcAddress.KERNEL32(00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First), ref: 00460BD6
GetProcAddress.KERNEL32(00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next), ref: 00460BE8
GetProcAddress.KERNEL32(00000000,Module32NextW,00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW), ref: 00460BFA

Strings

Toolhelp32ReadProcessMemory, xrefs: 00460B3E
CreateToolhelp32Snapshot, xrefs: 00460AE4
Heap32First, xrefs: 00460B1A
Thread32First, xrefs: 00460B98
Module32First, xrefs: 00460BBC
Process32FirstW, xrefs: 00460B74
Heap32Next, xrefs: 00460B2C
Process32First, xrefs: 00460B50
Module32Next, xrefs: 00460BCE
Module32NextW, xrefs: 00460BF2
Heap32ListFirst, xrefs: 00460AF6
Thread32Next, xrefs: 00460BAA
Module32FirstW, xrefs: 00460BE0
Heap32ListNext, xrefs: 00460B08
Process32NextW, xrefs: 00460B86
kernel32.dll, xrefs: 00460ACF
Process32Next, xrefs: 00460B62

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428B08, Relevance: 48.5, APIs: 32, Instructions: 500 Total matches: 1987window

Similarity

Total matches: 1987
API ID: SelectObject$SelectPalette$CreateCompatibleDCGetDIBitsGetDeviceCapsRealizePaletteSetBkColorSetTextColor$BitBltCreateBitmapCreateCompatibleBitmapCreateDIBSectionDeleteDCFillRectGetDCGetDIBColorTableGetObjectPatBltSetDIBColorTable
String ID:
API String ID: 3042800676-0
Opcode ID: b8b687cee1c9a2d9d2f26bc490dbdcc6ec68fc2f2ec1aa58312beb2e349b1411
Instruction ID: ff68489d249ea03a763d48795c58495ac11dd1cccf96ec934182865f2a9e2114
Opcode Fuzzy Hash: E051494D0D8CF5C7B4BF29880993F5211816F83A27D2AB7130975677FB8A05A05BF21D
Instruction Fuzzy Hash: ff68489d249ea03a763d48795c58495ac11dd1cccf96ec934182865f2a9e2114

APIs

GetObjectA.GDI32(00000000,00000054,?), ref: 00428B88
GetDC.USER32(00000000), ref: 00428B99
CreateCompatibleDC.GDI32(00000000), ref: 00428BAA
CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 00428BF6
CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 00428C1A
GetDeviceCaps.GDI32(00000028,0000000C), ref: 00428C6A
GetDeviceCaps.GDI32(00000028,0000000E), ref: 00428C77
SelectObject.GDI32(?,?), ref: 00428D7F

Part of subcall function 004262B4: GetObjectA.GDI32(?,00000004), ref: 004262CB
Part of subcall function 004262B4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 004262EE

SelectObject.GDI32(?,00000000), ref: 00428D21
GetDIBColorTable.GDI32(?,00000000,00000100,-00000027), ref: 00428D47
GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428D72
CreateDIBSection.GDI32(00000028,00000001,00000000,00000003,00000000,00000000), ref: 00428DD5
GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428E36

Part of subcall function 00425A70: GetLastError.KERNEL32(00000000,00425B0C), ref: 00425A90
Part of subcall function 00425A70: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00425B0C), ref: 00425AB6

SelectObject.GDI32(?,?), ref: 00428E77
SelectPalette.GDI32(?,00000000,00000000), ref: 00428EB7
RealizePalette.GDI32(?), ref: 00428EC3
SelectPalette.GDI32(?,?,000000FF), ref: 004290CE

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?,00000000), ref: 00428F14
SetTextColor.GDI32(?,00000000), ref: 00428F2C
SetBkColor.GDI32(?,00000000), ref: 00428F46
SetDIBColorTable.GDI32(?,00000000,00000002,?), ref: 00428F8E
PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 00428FB0
CreateCompatibleDC.GDI32(00000028), ref: 00428FC3
SelectObject.GDI32(?,00000000), ref: 00428FE6
SelectPalette.GDI32(?,00000000,00000000), ref: 00429002
RealizePalette.GDI32(?), ref: 0042900D
DeleteDC.GDI32(?), ref: 004290A4

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetTextColor.GDI32(?,00000000), ref: 0042902B
SetBkColor.GDI32(?,00000000), ref: 00429045
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042906D
SelectPalette.GDI32(?,00000000,000000FF), ref: 0042907F
SelectObject.GDI32(?,00000000), ref: 00429089

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00406A68, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 139 Total matches: 2934stringlibraryfile

Similarity

Total matches: 2934
API ID: lstrcpyn$lstrlen$FindCloseFindFirstFileGetModuleHandleGetProcAddress
String ID: GetLongPathNameA$\$[FILE]
API String ID: 3661757112-3025972186
Opcode ID: 09af6d4fb3ce890a591f7b23fb756db22e1cbc03564fc0e4437be3767da6793e
Instruction ID: b14d932b19fc4064518abdddbac2846d3fd2a245794c3c1ecc53a3c556f9407d
Opcode Fuzzy Hash: 5A0148030E08E387E1775B017586F4A12A1EF41C38E98A36025F15BAC94E00300CF12F
Instruction Fuzzy Hash: b14d932b19fc4064518abdddbac2846d3fd2a245794c3c1ecc53a3c556f9407d

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,00400000,004917C0), ref: 00406A85
GetProcAddress.KERNEL32(?,GetLongPathNameA,kernel32.dll,?,00400000,004917C0), ref: 00406A9C
lstrcpynA.KERNEL32(?,?,?,?,00400000,004917C0), ref: 00406ACC
lstrcpynA.KERNEL32(?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B30

Part of subcall function 00406A48: CharNextA.USER32(?), ref: 00406A4F

lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B66
FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B79
FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B8B
lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,004917C0), ref: 00406B97
lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000), ref: 00406BCB
lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00406BD7
lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 00406BF9

Strings

GetLongPathNameA, xrefs: 00406A93
\, xrefs: 00406BA9
kernel32.dll, xrefs: 00406A80

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00458910, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64 Total matches: 3020window

Similarity

Total matches: 3020
API ID: GetWindowLongScreenToClient$GetWindowPlacementGetWindowRectIsIconic
String ID: ,
API String ID: 816554555-3772416878
Opcode ID: 33713ad712eb987f005f3c933c072ce84ce87073303cb20338137d5b66c4d54f
Instruction ID: 99fb2dd3f2d8984d329dcc6a20dc6bc7800d43894b91fc45d581d88d3a180e50
Opcode Fuzzy Hash: 34E0929A777C2018C58145A80943F5DB3519B5B7FAC55DF8036902895B110018B1B86D
Instruction Fuzzy Hash: 99fb2dd3f2d8984d329dcc6a20dc6bc7800d43894b91fc45d581d88d3a180e50

APIs

IsIconic.USER32(?), ref: 0045891F
GetWindowPlacement.USER32(?,0000002C), ref: 0045893C
GetWindowRect.USER32(?), ref: 00458955
GetWindowLongA.USER32(?,000000F0), ref: 00458963
GetWindowLongA.USER32(?,000000F8), ref: 00458978
ScreenToClient.USER32(00000000), ref: 00458985
ScreenToClient.USER32(00000000,?), ref: 00458990

Strings

,, xrefs: 00458928

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043B7D8, Relevance: 12.1, APIs: 8, Instructions: 72 Total matches: 256window

Similarity

Total matches: 256
API ID: ShowWindow$SetWindowLong$GetWindowLongIsIconicIsWindowVisible
String ID:
API String ID: 1329766111-0
Opcode ID: 851ee31c2da1c7e890e66181f8fd9237c67ccb8fd941b2d55d1428457ca3ad95
Instruction ID: 2d601e2c9dde570a1438639cb57e59d23a7ac9434ebe8ec1c9926e4533b8e8e7
Opcode Fuzzy Hash: FEE0684A6E7C6CE4E26AE7048881B00514BE307A17DC00B00C722165A69E8830E4AC8E
Instruction Fuzzy Hash: 2d601e2c9dde570a1438639cb57e59d23a7ac9434ebe8ec1c9926e4533b8e8e7

APIs

GetWindowLongA.USER32(?,000000EC), ref: 0043B7E8
IsIconic.USER32(?), ref: 0043B800
IsWindowVisible.USER32(?), ref: 0043B80C
ShowWindow.USER32(?,00000000), ref: 0043B840
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B855
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B866
ShowWindow.USER32(?,00000006), ref: 0043B881
ShowWindow.USER32(?,00000005), ref: 0043B88B

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004389B4, Relevance: 10.9, APIs: 7, Instructions: 405 Total matches: 2150windowCrypto

Similarity

Total matches: 2150
API ID: RestoreDCSaveDC$DefWindowProcGetSubMenuGetWindowDC
String ID:
API String ID: 4165311318-0
Opcode ID: e3974ea3235f2bde98e421c273a503296059dbd60f3116d5136c6e7e7c4a4110
Instruction ID: 37498faecac08611daeb58a409bdd2e28f3aff22c71556953c3d6c7203dc42a1
Opcode Fuzzy Hash: E351598106AE105BFCB3A49435C3FA31002E75259BCC9F7725F65B69F70A426107FA0E
Instruction Fuzzy Hash: 37498faecac08611daeb58a409bdd2e28f3aff22c71556953c3d6c7203dc42a1

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 00438ECA

Part of subcall function 00437AE0: SendMessageA.USER32(?,00000234,00000000,00000000), ref: 00437B66
Part of subcall function 00437AE0: DrawMenuBar.USER32(00000000), ref: 00437B77

GetSubMenu.USER32(?,?), ref: 00438AB0

Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128

SaveDC.GDI32(?), ref: 00438C84
RestoreDC.GDI32(?,?), ref: 00438CF8
GetWindowDC.USER32(?), ref: 00438D72
SaveDC.GDI32(?), ref: 00438DA9
RestoreDC.GDI32(?,?), ref: 00438E16

Part of subcall function 00438594: GetMenuItemCount.USER32(?), ref: 004385C0
Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 004385E0
Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 00438678

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043E644, Relevance: 10.9, APIs: 7, Instructions: 356 Total matches: 105windowCrypto

Similarity

Total matches: 105
API ID: RestoreDCSaveDC$GetParentGetWindowDCSetFocus
String ID:
API String ID: 1433148327-0
Opcode ID: c7c51054c34f8cc51c1d37cc0cdfc3fb3cac56433bd5d750a0ee7df42f9800ec
Instruction ID: 9e67841575b56d9a11e2d3f15b67e7abce699d8469a9871b1b2609441fc85f19
Opcode Fuzzy Hash: 60514740199E7193F47720842BC3BEAB09AF79671DC40F3616BC6318877F15A21AB70B
Instruction Fuzzy Hash: 9e67841575b56d9a11e2d3f15b67e7abce699d8469a9871b1b2609441fc85f19

APIs

Part of subcall function 00448224: SetActiveWindow.USER32(?), ref: 0044823F
Part of subcall function 00448224: SetFocus.USER32(00000000), ref: 00448289

SetFocus.USER32(00000000), ref: 0043E76F

Part of subcall function 0043F4F4: SendMessageA.USER32(00000000,00000229,00000000,00000000), ref: 0043F51B

Part of subcall function 0044D2F4: GetWindowThreadProcessId.USER32(?), ref: 0044D301
Part of subcall function 0044D2F4: GetCurrentProcessId.KERNEL32(?,00000000,?,004387ED,?,004378A9), ref: 0044D30A
Part of subcall function 0044D2F4: GlobalFindAtomA.KERNEL32(00000000), ref: 0044D31F
Part of subcall function 0044D2F4: GetPropA.USER32(?,00000000), ref: 0044D336

GetParent.USER32(?), ref: 0043E78A

Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128

SaveDC.GDI32(?), ref: 0043E92D
RestoreDC.GDI32(?,?), ref: 0043E99E
GetWindowDC.USER32(00000000), ref: 0043EA0A
SaveDC.GDI32(?), ref: 0043EA41
RestoreDC.GDI32(?,?), ref: 0043EAA5

Part of subcall function 00447EF0: InvalidateRect.USER32(00000000,00000000,000000FF), ref: 00447F83
Part of subcall function 00447EF0: InvalidateRect.USER32(00000000,00000000,000000FF), ref: 00447FB6

Part of subcall function 004556F4: SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000077), ref: 004557E5
Part of subcall function 004556F4: _TrackMouseEvent.COMCTL32(00000010), ref: 00455A9D
Part of subcall function 004556F4: DefWindowProcA.USER32(00000000,?,?,?), ref: 00455AEF
Part of subcall function 004556F4: GetCapture.USER32 ref: 00455B5A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00471850, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 97 Total matches: 34service

Similarity

Total matches: 34
API ID: CloseServiceHandle$CreateServiceOpenSCManager
String ID: Description$System\CurrentControlSet\Services\
API String ID: 2405299899-3489731058
Opcode ID: 96e252074fe1f6aca618bd4c8be8348df4b99afc93868a54bf7090803d280f0a
Instruction ID: 14b9cf690ce9596509c6229b802a5a61d158de39c8e329de654368bbb4824ff8
Opcode Fuzzy Hash: 7EF09E441FA6E84FA45EB84828533D651465713A78D4C77F19778379C34E84802EF662
Instruction Fuzzy Hash: 14b9cf690ce9596509c6229b802a5a61d158de39c8e329de654368bbb4824ff8

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,00471976,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00471890
CreateServiceA.ADVAPI32(00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,0047193B), ref: 004718D1

Part of subcall function 004711E8: RegCreateKeyA.ADVAPI32(?,00000000,?), ref: 0047122E
Part of subcall function 004711E8: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000002,00000000,?,00000000,00471291), ref: 0047125A
Part of subcall function 004711E8: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000002,00000000,?,00000000,00471291), ref: 00471269

CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00471926
CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0047192C

Strings

Description, xrefs: 00471916
System\CurrentControlSet\Services\, xrefs: 004718F7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004714B8, Relevance: 10.6, APIs: 7, Instructions: 89 Total matches: 71service

Similarity

Total matches: 71
API ID: CloseServiceHandle$ControlServiceOpenSCManagerOpenServiceQueryServiceStatusStartService
String ID:
API String ID: 3657116338-0
Opcode ID: 1e9d444eec48d0e419340f6fec950ff588b94c8e7592a950f99d2ba7664d31f8
Instruction ID: f731b938185626ba78ad74946a73eac4c40bc8709c87a2b6d5c22da45b1e1850
Opcode Fuzzy Hash: EDF0270D12C6E85FF119A88C1181B67D992DF56795E4A37E04715744CB1AE21008FA1E
Instruction Fuzzy Hash: f731b938185626ba78ad74946a73eac4c40bc8709c87a2b6d5c22da45b1e1850

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047159E), ref: 004714FD
OpenServiceA.ADVAPI32(00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047152D
StartServiceA.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471555
ControlService.ADVAPI32(00000000,00000001,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471563
QueryServiceStatus.ADVAPI32(00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047156D
CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471573
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471579

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004715B0, Relevance: 7.5, APIs: 5, Instructions: 49 Total matches: 102service

Similarity

Total matches: 102
API ID: CloseServiceHandle$DeleteServiceOpenSCManagerOpenService
String ID:
API String ID: 3460840894-0
Opcode ID: edfa3289dfdb26ec1f91a4a945de349b204e0a604ed3354c303b362bde8b8223
Instruction ID: 514bcffe4070602af344c66095507f6a8d55ec3e3e7bb18c804bf3b7deea95f5
Opcode Fuzzy Hash: 01D02E841BA8F82FD4879988111239360C1AA23A90D8A37F08E08361D3ABE4004CF86A
Instruction Fuzzy Hash: 514bcffe4070602af344c66095507f6a8d55ec3e3e7bb18c804bf3b7deea95f5

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047162F), ref: 004715DB
OpenServiceA.ADVAPI32(00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 004715F5
DeleteService.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471601
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 0047160E
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471614

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A218, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45 Total matches: 35

Similarity

Total matches: 35
API ID: ShellExecuteEx
String ID: <$runas
API String ID: 188261505-1187129395
Opcode ID: 78fd917f465efea932f782085a819b786d64ecbded851ad2becd4a9c2b295cba
Instruction ID: 699417cfffd9d2823bf050fc300394e0ca4864bf277244f982f3937778f2d3bc
Opcode Fuzzy Hash: 44D0C2651799A06BC4A3B2C03C41B2B25307B13B48C0EB722960034CD38F080009EF85
Instruction Fuzzy Hash: 699417cfffd9d2823bf050fc300394e0ca4864bf277244f982f3937778f2d3bc

APIs

ShellExecuteExA.SHELL32(0000003C,00000000,0048A2A4), ref: 0048A283

Strings

runas, xrefs: 0048A268
<, xrefs: 0048A24C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042F204, Relevance: 166.5, APIs: 48, Strings: 47, Instructions: 266 Total matches: 2590libraryloader

Similarity

Total matches: 2590
API ID: GetProcAddress$LoadLibrary
String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$[FILE]
API String ID: 2209490600-790253602
Opcode ID: d5b316937265a1d63c550ac9e6780b23ae603b9b00a4eb52bbd2495b45327185
Instruction ID: cdd6db89471e363eb0c024dafd59dce8bdfa3de864d9ed8bc405e7c292d3cab1
Opcode Fuzzy Hash: 3A41197F44EC1149F6A0DA0830FF64324E669EAF2C0325F101587303717ADBF52A6AB9
Instruction Fuzzy Hash: cdd6db89471e363eb0c024dafd59dce8bdfa3de864d9ed8bc405e7c292d3cab1

APIs

LoadLibraryA.KERNEL32(uxtheme.dll), ref: 0042F23A
GetProcAddress.KERNEL32(00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F252
GetProcAddress.KERNEL32(00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F264
GetProcAddress.KERNEL32(00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F276
GetProcAddress.KERNEL32(00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F288
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F29A
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F2AC
GetProcAddress.KERNEL32(00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000), ref: 0042F2BE
GetProcAddress.KERNEL32(00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData), ref: 0042F2D0
GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData), ref: 0042F2E2
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground), ref: 0042F2F4
GetProcAddress.KERNEL32(00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText), ref: 0042F306
GetProcAddress.KERNEL32(00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect), ref: 0042F318
GetProcAddress.KERNEL32(00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect), ref: 0042F32A
GetProcAddress.KERNEL32(00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize), ref: 0042F33C
GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent), ref: 0042F34E
GetProcAddress.KERNEL32(00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics), ref: 0042F360
GetProcAddress.KERNEL32(00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion), ref: 0042F372
GetProcAddress.KERNEL32(00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground), ref: 0042F384
GetProcAddress.KERNEL32(00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge), ref: 0042F396
GetProcAddress.KERNEL32(00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon), ref: 0042F3A8
GetProcAddress.KERNEL32(00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined), ref: 0042F3BA
GetProcAddress.KERNEL32(00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent), ref: 0042F3CC
GetProcAddress.KERNEL32(00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor), ref: 0042F3DE
GetProcAddress.KERNEL32(00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric), ref: 0042F3F0
GetProcAddress.KERNEL32(00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString), ref: 0042F402
GetProcAddress.KERNEL32(00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool), ref: 0042F414
GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt), ref: 0042F426
GetProcAddress.KERNEL32(00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue), ref: 0042F438
GetProcAddress.KERNEL32(00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition), ref: 0042F44A
GetProcAddress.KERNEL32(00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont), ref: 0042F45C
GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect), ref: 0042F46E
GetProcAddress.KERNEL32(00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins), ref: 0042F480
GetProcAddress.KERNEL32(00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList), ref: 0042F492
GetProcAddress.KERNEL32(00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin), ref: 0042F4A4
GetProcAddress.KERNEL32(00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme), ref: 0042F4B6
GetProcAddress.KERNEL32(00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename), ref: 0042F4C8
GetProcAddress.KERNEL32(00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor), ref: 0042F4DA
GetProcAddress.KERNEL32(00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush), ref: 0042F4EC
GetProcAddress.KERNEL32(00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool), ref: 0042F4FE
GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize), ref: 0042F510
GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont), ref: 0042F522
GetProcAddress.KERNEL32(00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString), ref: 0042F534
GetProcAddress.KERNEL32(00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt), ref: 0042F546
GetProcAddress.KERNEL32(00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive), ref: 0042F558
GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed), ref: 0042F56A
GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground,00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme), ref: 0042F57C
GetProcAddress.KERNEL32(00000000,EnableTheming,00000000,DrawThemeParentBackground,00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture), ref: 0042F58E

Strings

EnableTheming, xrefs: 0042F586
CloseThemeData, xrefs: 0042F25C
DrawThemeText, xrefs: 0042F280
GetThemePosition, xrefs: 0042F3C4
IsThemeBackgroundPartiallyTransparent, xrefs: 0042F346
GetThemeBool, xrefs: 0042F38E
GetThemeTextMetrics, xrefs: 0042F2DA
IsThemeDialogTextureEnabled, xrefs: 0042F51A
GetThemeMetric, xrefs: 0042F36A
GetThemeSysInt, xrefs: 0042F4C0
GetThemeInt, xrefs: 0042F3A0
SetThemeAppProperties, xrefs: 0042F53E
IsAppThemed, xrefs: 0042F4E4
EnableThemeDialogTexture, xrefs: 0042F508
GetThemeEnumValue, xrefs: 0042F3B2
GetThemeSysSize, xrefs: 0042F48A
GetThemeTextExtent, xrefs: 0042F2C8
DrawThemeBackground, xrefs: 0042F26E
GetThemeBackgroundRegion, xrefs: 0042F2EC
IsThemeActive, xrefs: 0042F4D2
GetThemeBackgroundContentRect, xrefs: 0042F292, 0042F2A4
uxtheme.dll, xrefs: 0042F235
GetThemeSysString, xrefs: 0042F4AE
DrawThemeEdge, xrefs: 0042F310
GetThemeFilename, xrefs: 0042F442
GetThemeIntList, xrefs: 0042F40C
GetThemeSysBool, xrefs: 0042F478
GetThemeSysColor, xrefs: 0042F454
GetThemeFont, xrefs: 0042F3D6
GetWindowTheme, xrefs: 0042F4F6
GetThemeMargins, xrefs: 0042F3FA
GetThemeSysColorBrush, xrefs: 0042F466
GetCurrentThemeName, xrefs: 0042F550
GetThemeAppProperties, xrefs: 0042F52C
GetThemePropertyOrigin, xrefs: 0042F41E
OpenThemeData, xrefs: 0042F24A
GetThemeSysFont, xrefs: 0042F49C
GetThemeRect, xrefs: 0042F3E8
GetThemeDocumentationProperty, xrefs: 0042F562
IsThemePartDefined, xrefs: 0042F334
SetWindowTheme, xrefs: 0042F430
GetThemePartSize, xrefs: 0042F2B6
GetThemeColor, xrefs: 0042F358
DrawThemeParentBackground, xrefs: 0042F574
DrawThemeIcon, xrefs: 0042F322
GetThemeString, xrefs: 0042F37C
HitTestThemeBackground, xrefs: 0042F2FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00460DDC, Relevance: 75.4, APIs: 24, Strings: 19, Instructions: 132 Total matches: 77libraryloader

Similarity

Total matches: 77
API ID: GetProcAddress$LoadLibrary
String ID: EmptyWorkingSet$EnumDeviceDrivers$EnumProcessModules$EnumProcesses$GetDeviceDriverBaseNameA$GetDeviceDriverBaseNameW$GetDeviceDriverFileNameA$GetDeviceDriverFileNameW$GetMappedFileNameA$GetMappedFileNameW$GetModuleBaseNameA$GetModuleBaseNameW$GetModuleFileNameExA$GetModuleFileNameExW$GetModuleInformation$GetProcessMemoryInfo$InitializeProcessForWsWatch$[FILE]$QueryWorkingSet
API String ID: 2209490600-4166134900
Opcode ID: aaefed414f62a40513f9ac2234ba9091026a29d00b8defe743cdf411cc1f958a
Instruction ID: 585c55804eb58d57426aaf25b5bf4c27b161b10454f9e43d23d5139f544de849
Opcode Fuzzy Hash: CC1125BF55AD1149CBA48A6C34EF70324D3399A90D4228F10A492317397DDFE49A1FB5
Instruction Fuzzy Hash: 585c55804eb58d57426aaf25b5bf4c27b161b10454f9e43d23d5139f544de849

APIs

LoadLibraryA.KERNEL32(PSAPI.dll), ref: 00460DF0
GetProcAddress.KERNEL32(00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E0C
GetProcAddress.KERNEL32(00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E1E
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E30
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E42
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E54
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E66
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll), ref: 00460E78
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses), ref: 00460E8A
GetProcAddress.KERNEL32(00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules), ref: 00460E9C
GetProcAddress.KERNEL32(00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA), ref: 00460EAE
GetProcAddress.KERNEL32(00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA), ref: 00460EC0
GetProcAddress.KERNEL32(00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA), ref: 00460ED2
GetProcAddress.KERNEL32(00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA), ref: 00460EE4
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW), ref: 00460EF6
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW), ref: 00460F08
GetProcAddress.KERNEL32(00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation), ref: 00460F1A
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet), ref: 00460F2C
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet), ref: 00460F3E
GetProcAddress.KERNEL32(00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch), ref: 00460F50
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA), ref: 00460F62
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA), ref: 00460F74
GetProcAddress.KERNEL32(00000000,EnumDeviceDrivers,00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA), ref: 00460F86
GetProcAddress.KERNEL32(00000000,GetProcessMemoryInfo,00000000,EnumDeviceDrivers,00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA), ref: 00460F98

Strings

GetDeviceDriverFileNameA, xrefs: 00460F00, 00460F36
GetModuleInformation, xrefs: 00460E94
QueryWorkingSet, xrefs: 00460EB8
EnumProcessModules, xrefs: 00460E16
InitializeProcessForWsWatch, xrefs: 00460ECA
GetMappedFileNameA, xrefs: 00460EDC, 00460F12
GetDeviceDriverFileNameW, xrefs: 00460F6C
GetDeviceDriverBaseNameA, xrefs: 00460EEE, 00460F24
PSAPI.dll, xrefs: 00460DEB
EnumProcesses, xrefs: 00460E04
EnumDeviceDrivers, xrefs: 00460F7E
GetModuleBaseNameA, xrefs: 00460E28, 00460E4C
GetModuleFileNameExA, xrefs: 00460E3A, 00460E5E
GetDeviceDriverBaseNameW, xrefs: 00460F5A
EmptyWorkingSet, xrefs: 00460EA6
GetModuleFileNameExW, xrefs: 00460E82
GetModuleBaseNameW, xrefs: 00460E70
GetMappedFileNameW, xrefs: 00460F48
GetProcessMemoryInfo, xrefs: 00460F90

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045D6E8, Relevance: 49.1, APIs: 15, Strings: 13, Instructions: 95 Total matches: 1532libraryloader

Similarity

Total matches: 1532
API ID: GetProcAddress$SetErrorMode$GetModuleHandleLoadLibrary
String ID: ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME$[FILE]
API String ID: 4285671783-683095915
Opcode ID: 6332f91712b4189a2fbf9eac54066364acf4b46419cf90587b9f7381acad85db
Instruction ID: 372e34bc737a7edc69a1909bd40661afaf820c1de602df88552da6e630419b72
Opcode Fuzzy Hash: 0A01257F24D863CBD2D0CE4934DB39D20B65787C0C8D6DF404605318697F9BF9295A68
Instruction Fuzzy Hash: 372e34bc737a7edc69a1909bd40661afaf820c1de602df88552da6e630419b72

APIs

SetErrorMode.KERNEL32(00008000), ref: 0045D701
GetModuleHandleA.KERNEL32(USER32,00000000,0045D84E,?,00008000), ref: 0045D725
GetProcAddress.KERNEL32(00000000,WINNLSEnableIME,USER32,00000000,0045D84E,?,00008000), ref: 0045D732
LoadLibraryA.KERNEL32(imm32.dll), ref: 0045D74E
GetProcAddress.KERNEL32(00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D770
GetProcAddress.KERNEL32(00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D785
GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D79A
GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7AF
GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7C4
GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E), ref: 0045D7D9
GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000), ref: 0045D7EE
GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext), ref: 0045D803
GetProcAddress.KERNEL32(00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext), ref: 0045D818
GetProcAddress.KERNEL32(00000000,ImmNotifyIME,00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus), ref: 0045D82D
SetErrorMode.KERNEL32(?,0045D855,00008000), ref: 0045D848

Strings

USER32, xrefs: 0045D720
ImmReleaseContext, xrefs: 0045D77A
ImmNotifyIME, xrefs: 0045D822
ImmIsIME, xrefs: 0045D80D
ImmGetConversionStatus, xrefs: 0045D78F
ImmSetCompositionFontA, xrefs: 0045D7E3
ImmGetCompositionStringA, xrefs: 0045D7F8
ImmSetCompositionWindow, xrefs: 0045D7CE
ImmGetContext, xrefs: 0045D765
imm32.dll, xrefs: 0045D749
ImmSetOpenStatus, xrefs: 0045D7B9
WINNLSEnableIME, xrefs: 0045D72C
ImmSetConversionStatus, xrefs: 0045D7A4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004104F0, Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141 Total matches: 3143

Similarity

Total matches: 3143
API ID: GetModuleHandle
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$[FILE]
API String ID: 2196120668-1102361026
Opcode ID: d04b3c176625d43589df9c4c1eaa1faa8af9b9c00307a8a09859a0e62e75f2dc
Instruction ID: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6
Opcode Fuzzy Hash: B8119E48E06A10BC356E3ED6B0292683F50A1A7CBF31D5388487AA46F067C083C0FF2D
Instruction Fuzzy Hash: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 004104F9

Part of subcall function 004104C4: GetProcAddress.KERNEL32(00000000), ref: 004104DD

Strings

VarMod, xrefs: 004105B7
VarBstrFromCy, xrefs: 004106A9
VarBstrFromBool, xrefs: 004106D5
VarAnd, xrefs: 004105CD
VarDateFromStr, xrefs: 00410667
oleaut32.dll, xrefs: 004104F4
VariantChangeTypeEx, xrefs: 00410507
VarCmp, xrefs: 0041060F
VarBstrFromDate, xrefs: 004106BF
VarBoolFromStr, xrefs: 00410693
VarR8FromStr, xrefs: 00410651
VarR4FromStr, xrefs: 0041063B
VarDiv, xrefs: 0041058B
VarSub, xrefs: 0041055F
VarNeg, xrefs: 0041051D
VarAdd, xrefs: 00410549
VarOr, xrefs: 004105E3
VarMul, xrefs: 00410575
VarI4FromStr, xrefs: 00410625
VarCyFromStr, xrefs: 0041067D
VarIdiv, xrefs: 004105A1
VarXor, xrefs: 004105F9
VarNot, xrefs: 00410533

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004291D0, Relevance: 31.7, APIs: 21, Instructions: 194 Total matches: 3060window

Similarity

Total matches: 3060
API ID: SelectObject$CreateCompatibleDCDeleteDCRealizePaletteSelectPaletteSetBkColor$BitBltCreateBitmapDeleteObjectGetDCGetObjectPatBltReleaseDC
String ID:
API String ID: 628774946-0
Opcode ID: fe3971f2977393a3c43567018b8bbe78de127415e632ac21538e816cc0dd5250
Instruction ID: 6115c1c3159ef7867d394253bd6a45f4e10092e6f2e7cc69ab30c5ac2c74a228
Opcode Fuzzy Hash: 2911294A05CCF32B64B579881983B261182FE43B52CABF7105979272CACF41740DE457
Instruction Fuzzy Hash: 6115c1c3159ef7867d394253bd6a45f4e10092e6f2e7cc69ab30c5ac2c74a228

APIs

GetObjectA.GDI32(?,00000054,?), ref: 004291F3
GetDC.USER32(00000000), ref: 00429221
CreateCompatibleDC.GDI32(?), ref: 00429232
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0042924D
SelectObject.GDI32(?,00000000), ref: 00429267
PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 00429289
CreateCompatibleDC.GDI32(?), ref: 00429297
DeleteDC.GDI32(?), ref: 0042937D

Part of subcall function 00428B08: GetObjectA.GDI32(00000000,00000054,?), ref: 00428B88
Part of subcall function 00428B08: GetDC.USER32(00000000), ref: 00428B99
Part of subcall function 00428B08: CreateCompatibleDC.GDI32(00000000), ref: 00428BAA
Part of subcall function 00428B08: CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 00428BF6
Part of subcall function 00428B08: CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 00428C1A
Part of subcall function 00428B08: GetDeviceCaps.GDI32(00000028,0000000C), ref: 00428C6A
Part of subcall function 00428B08: GetDeviceCaps.GDI32(00000028,0000000E), ref: 00428C77
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00428D21
Part of subcall function 00428B08: GetDIBColorTable.GDI32(?,00000000,00000100,-00000027), ref: 00428D47
Part of subcall function 00428B08: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428D72
Part of subcall function 00428B08: SelectObject.GDI32(?,?), ref: 00428D7F
Part of subcall function 00428B08: CreateDIBSection.GDI32(00000028,00000001,00000000,00000003,00000000,00000000), ref: 00428DD5
Part of subcall function 00428B08: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428E36
Part of subcall function 00428B08: SelectObject.GDI32(?,?), ref: 00428E77
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,00000000), ref: 00428EB7
Part of subcall function 00428B08: RealizePalette.GDI32(?), ref: 00428EC3
Part of subcall function 00428B08: FillRect.USER32(?,?,00000000), ref: 00428F14
Part of subcall function 00428B08: SetTextColor.GDI32(?,00000000), ref: 00428F2C
Part of subcall function 00428B08: SetBkColor.GDI32(?,00000000), ref: 00428F46
Part of subcall function 00428B08: SetDIBColorTable.GDI32(?,00000000,00000002,?), ref: 00428F8E
Part of subcall function 00428B08: PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 00428FB0
Part of subcall function 00428B08: CreateCompatibleDC.GDI32(00000028), ref: 00428FC3
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00428FE6
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,00000000), ref: 00429002
Part of subcall function 00428B08: RealizePalette.GDI32(?), ref: 0042900D
Part of subcall function 00428B08: SetTextColor.GDI32(?,00000000), ref: 0042902B
Part of subcall function 00428B08: SetBkColor.GDI32(?,00000000), ref: 00429045
Part of subcall function 00428B08: BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042906D
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,000000FF), ref: 0042907F
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00429089
Part of subcall function 00428B08: DeleteDC.GDI32(?), ref: 004290A4
Part of subcall function 00428B08: SelectPalette.GDI32(?,?,000000FF), ref: 004290CE

SelectObject.GDI32(?), ref: 004292DF
SelectPalette.GDI32(?,?,00000000), ref: 004292F2
RealizePalette.GDI32(?), ref: 004292FB
SelectPalette.GDI32(?,?,00000000), ref: 00429307
RealizePalette.GDI32(?), ref: 00429310
SetBkColor.GDI32(?), ref: 0042931A
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042933E
SetBkColor.GDI32(?,00000000), ref: 00429348
SelectObject.GDI32(?,00000000), ref: 0042935B
DeleteObject.GDI32 ref: 00429367
SelectObject.GDI32(?,00000000), ref: 00429398
DeleteDC.GDI32(00000000), ref: 004293B4
ReleaseDC.USER32(00000000,00000000), ref: 004293C5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004031FC, Relevance: 27.1, APIs: 9, Strings: 9, Instructions: 110 Total matches: 169

Similarity

Total matches: 169
API ID: CharNext
String ID: $ $ $"$"$"$"$"$"
API String ID: 3213498283-3597982963
Opcode ID: a78e52ca640c3a7d11d18e4cac849d6c7481ab065be4a6ef34a7c34927dd7892
Instruction ID: 5d6dbb870b020a65ba4fa9e31a5dda400ef744f15fc7bff5e21739e263984da5
Opcode Fuzzy Hash: D0F054139ED4432360976B416872B44E2D0DF9564D2C01F185B62BE2F31E696D62F9DC
Instruction Fuzzy Hash: 5d6dbb870b020a65ba4fa9e31a5dda400ef744f15fc7bff5e21739e263984da5

APIs

CharNextA.USER32(00000000), ref: 00403208
CharNextA.USER32(00000000), ref: 00403236
CharNextA.USER32(00000000), ref: 00403240
CharNextA.USER32(00000000), ref: 0040325F
CharNextA.USER32(00000000), ref: 00403269
CharNextA.USER32(00000000), ref: 00403295
CharNextA.USER32(00000000), ref: 0040329F
CharNextA.USER32(00000000), ref: 004032C7
CharNextA.USER32(00000000), ref: 004032D1

Strings

", xrefs: 00403230
, xrefs: 004032E9
", xrefs: 0040328F
", xrefs: 0040321E
, xrefs: 00403214
", xrefs: 00403254
, xrefs: 00403278
", xrefs: 00403219
", xrefs: 004032BC

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004296E0, Relevance: 21.2, APIs: 14, Instructions: 217 Total matches: 2962window

Similarity

Total matches: 2962
API ID: GetDeviceCapsSelectObjectSelectPaletteSetStretchBltMode$CreateCompatibleDCDeleteDCGetBrushOrgExRealizePaletteSetBrushOrgExStretchBlt
String ID:
API String ID: 3308931694-0
Opcode ID: c4f23efe5e20e7f72d9787206ae9d4d4484ef6a1768b369050ebc0ce3d21af64
Instruction ID: 6e80a75276815f297b150d1899ec2451361d21afa1efcd092d0d7bc48a04164e
Opcode Fuzzy Hash: 2C21980A409CEB6BF0BB78840183F4A2285BF9B34ACD1BB210E64673635F04E40BD65F
Instruction Fuzzy Hash: 6e80a75276815f297b150d1899ec2451361d21afa1efcd092d0d7bc48a04164e

APIs

Part of subcall function 00429D5C: GetDC.USER32(00000000), ref: 00429DB2
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429DC7
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00429DD1
Part of subcall function 00429D5C: CreateHalftonePalette.GDI32(00000000), ref: 00429DF5
Part of subcall function 00429D5C: ReleaseDC.USER32(00000000,00000000), ref: 00429E00

SelectPalette.GDI32(?,?,000000FF), ref: 00429723
RealizePalette.GDI32(?), ref: 00429732
GetDeviceCaps.GDI32(?,0000000C), ref: 00429744
GetDeviceCaps.GDI32(?,0000000E), ref: 00429753
GetBrushOrgEx.GDI32(?,?), ref: 00429786
SetStretchBltMode.GDI32(?,00000004), ref: 00429794
SetBrushOrgEx.GDI32(?,?,?,?), ref: 004297AC
SetStretchBltMode.GDI32(00000000,00000003), ref: 004297C9
SelectPalette.GDI32(?,?,000000FF), ref: 00429918

Part of subcall function 00429CFC: DeleteObject.GDI32(?), ref: 00429D1F

CreateCompatibleDC.GDI32(00000000), ref: 0042982A
SelectObject.GDI32(?,?), ref: 0042983F

Part of subcall function 00425CC8: CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 00425D0B
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425D20
Part of subcall function 00425CC8: MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,CCAA0029), ref: 00425D64
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425D7E
Part of subcall function 00425CC8: DeleteObject.GDI32(?), ref: 00425D8A
Part of subcall function 00425CC8: CreateCompatibleDC.GDI32(00000000), ref: 00425D9E
Part of subcall function 00425CC8: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00425DBF
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425DD4
Part of subcall function 00425CC8: SelectPalette.GDI32(?,48080787,00000000), ref: 00425DE8
Part of subcall function 00425CC8: SelectPalette.GDI32(?,?,00000000), ref: 00425DFA
Part of subcall function 00425CC8: SelectPalette.GDI32(?,00000000,000000FF), ref: 00425E0F
Part of subcall function 00425CC8: SelectPalette.GDI32(?,48080787,000000FF), ref: 00425E25
Part of subcall function 00425CC8: RealizePalette.GDI32(?), ref: 00425E31
Part of subcall function 00425CC8: StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 00425E53
Part of subcall function 00425CC8: StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 00425E75
Part of subcall function 00425CC8: SetTextColor.GDI32(?,00000000), ref: 00425E7D
Part of subcall function 00425CC8: SetBkColor.GDI32(?,00FFFFFF), ref: 00425E8B
Part of subcall function 00425CC8: StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 00425EB7
Part of subcall function 00425CC8: StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 00425EDC
Part of subcall function 00425CC8: SetTextColor.GDI32(?,?), ref: 00425EE6
Part of subcall function 00425CC8: SetBkColor.GDI32(?,?), ref: 00425EF0
Part of subcall function 00425CC8: SelectObject.GDI32(?,00000000), ref: 00425F03
Part of subcall function 00425CC8: DeleteObject.GDI32(?), ref: 00425F0C
Part of subcall function 00425CC8: SelectPalette.GDI32(?,00000000,00000000), ref: 00425F2E
Part of subcall function 00425CC8: DeleteDC.GDI32(?), ref: 00425F37

SelectObject.GDI32(?,00000000), ref: 0042989E
DeleteDC.GDI32(00000000), ref: 004298AD
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,?), ref: 004298F3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048D3C4, Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 132 Total matches: 32

Similarity

Total matches: 32
API ID: GetVersionEx
String ID: Unknow$Windows 2000$Windows 7$Windows 95$Windows 98$Windows Me$Windows NT 4.0$Windows Server 2003$Windows Vista$Windows XP
API String ID: 3908303307-3783844371
Opcode ID: 7b5a5832e5fd12129a8a2e2906a492b9449b8df28a17af9cc2e55bced20de565
Instruction ID: b844ed6b70e0e94de659292c354b68b9ed016400ab421bcb6baea74a0809c2ae
Opcode Fuzzy Hash: 0C11ACC1EB6CE422E7B219486410BD59E805F8B83AFCCC343D63EA83E46D491419F22D
Instruction Fuzzy Hash: b844ed6b70e0e94de659292c354b68b9ed016400ab421bcb6baea74a0809c2ae

APIs

GetVersionExA.KERNEL32(00000094), ref: 0048D410

Strings

Windows Me, xrefs: 0048D4F2
Windows NT 4.0, xrefs: 0048D441
Windows 2000, xrefs: 0048D467
Windows 95, xrefs: 0048D4D6
Windows 7, xrefs: 0048D4B1
Unknow, xrefs: 0048D3F5
Windows Vista, xrefs: 0048D4A3
Windows Server 2003, xrefs: 0048D486
Windows XP, xrefs: 0048D478
Windows 98, xrefs: 0048D4E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004085D4, Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 61 Total matches: 268windowregistry

Similarity

Total matches: 268
API ID: RegisterWindowMessage$SendMessage$FindWindow
String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
API String ID: 773075572-3736581797
Opcode ID: b8d29d158da692a3f30c7c46c0fd30bc084ed528be5294db655e4684b6c0c80f
Instruction ID: 4e75a9db2a85290b2bd165713cc3b8ab264a87c6022b985514cebb886d0c2653
Opcode Fuzzy Hash: E3E086048EC5E4C040877D156905746525A5B47E33E88971245FC69EEBDF12706CF60B
Instruction Fuzzy Hash: 4e75a9db2a85290b2bd165713cc3b8ab264a87c6022b985514cebb886d0c2653

APIs

FindWindowA.USER32(MouseZ,Magellan MSWHEEL), ref: 004085EC
RegisterWindowMessageA.USER32(MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 004085F8
RegisterWindowMessageA.USER32(MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 00408607
RegisterWindowMessageA.USER32(MSH_SCROLL_LINES_MSG,MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG,MouseZ,Magellan MSWHEEL), ref: 00408613
SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 0040862B
SendMessageA.USER32(00000000,?,00000000,00000000), ref: 0040864F

Strings

MSH_SCROLL_LINES_MSG, xrefs: 0040860E
MSH_WHEELSUPPORT_MSG, xrefs: 00408602
MouseZ, xrefs: 004085E7
Magellan MSWHEEL, xrefs: 004085E2
MSWHEEL_ROLLMSG, xrefs: 004085F3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00402820, Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 254 Total matches: 200window

Similarity

Total matches: 200
API ID: MessageBox
String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
API String ID: 1250089747-1256731999
Opcode ID: 490897b8e9acac750f9d51d50a768472c0795dbdc6439b18441db86d626ce938
Instruction ID: 76dfa530adb1b8c2cc13e2667be7c25ba156ed0594aa9714788bfb3d1a0eda85
Opcode Fuzzy Hash: 0731F44BA7DDC3A2D3E91303684575550E2A7C5537C888F609772317F6EE04250BAAAD
Instruction Fuzzy Hash: 76dfa530adb1b8c2cc13e2667be7c25ba156ed0594aa9714788bfb3d1a0eda85

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 00402BBE

Strings

An unexpected memory leak has occurred. , xrefs: 00402980
String, xrefs: 00402A91
, xrefs: 00402B04
Unknown, xrefs: 00402A7C
The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402B39
The unexpected small block leaks are:, xrefs: 004029F7
Unexpected Memory Leak, xrefs: 00402BB0
7, xrefs: 00402991
bytes: , xrefs: 00402A4D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F17C, Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 116 Total matches: 33window

Similarity

Total matches: 33
API ID: GetWindowPlacementGetWindowTextIsWindowVisible
String ID: ,$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive$True
API String ID: 41250382-511446200
Opcode ID: 2a93bd2407602c988be198f02ecb64933adb9ffad78aee0f75abc9a1a22a1849
Instruction ID: 8f95e1a452f283c9d6a5f9db166b7f7b6e325fa1ebf04232aa01919826a7e185
Opcode Fuzzy Hash: F5012D8237CECA73DA0AAEC47C00B80D5A5AF63224CC867A14A9D3D1D41ED06009AB4A
Instruction Fuzzy Hash: 8f95e1a452f283c9d6a5f9db166b7f7b6e325fa1ebf04232aa01919826a7e185

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F1D2
GetWindowPlacement.USER32(?,0000002C), ref: 0046F1ED
IsWindowVisible.USER32(?), ref: 0046F258

Part of subcall function 0046F148: GetWindow.USER32(?,00000005), ref: 0046F156
Part of subcall function 0046F148: GetWindow.USER32(00000000,00000002), ref: 0046F164

Strings

,, xrefs: 0046F1E1
Minimized, xrefs: 0046F225
Show/Unactive, xrefs: 0046F239
True, xrefs: 0046F2AA
Maximized, xrefs: 0046F1FD
Normal, xrefs: 0046F211
Normal/Unactive, xrefs: 0046F24D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E71C, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 109 Total matches: 2989

Similarity

Total matches: 2989
API ID: IntersectRect$GetSystemMetrics$EnumDisplayMonitorsGetClipBoxGetDCOrgExOffsetRect
String ID: EnumDisplayMonitors
API String ID: 2403121106-2491903729
Opcode ID: 52db4d6629bbd73772140d7e04a91d47a072080cb3515019dbe85a8b86b11587
Instruction ID: b4557ab74b20c8893b9e8c5043286aecf6e43751f6ec849995a879e485a4fa77
Opcode Fuzzy Hash: 60F02B4B413C0863AD32BB953067E2601615BD3955C9F7BF34D077A2091B85B42EF643
Instruction Fuzzy Hash: b4557ab74b20c8893b9e8c5043286aecf6e43751f6ec849995a879e485a4fa77

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 0042E755
GetSystemMetrics.USER32(00000000), ref: 0042E77A
GetSystemMetrics.USER32(00000001), ref: 0042E785
GetClipBox.GDI32(?,?), ref: 0042E797
GetDCOrgEx.GDI32(?,?), ref: 0042E7A4
OffsetRect.USER32(?,?,?), ref: 0042E7BD
IntersectRect.USER32(?,?,?), ref: 0042E7CE
IntersectRect.USER32(?,?,?), ref: 0042E7E4
IntersectRect.USER32(?,?,?), ref: 0042E804

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

EnumDisplayMonitors, xrefs: 0042E734

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044D1B0, Relevance: 16.6, APIs: 11, Instructions: 91 Total matches: 309

Similarity

Total matches: 309
API ID: GetWindowLongSetWindowLong$SetProp$IsWindowUnicode
String ID:
API String ID: 2416549522-0
Opcode ID: cc33e88019e13a6bdd1cd1f337bb9aa08043e237bf24f75c2294c70aefb51ea5
Instruction ID: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692
Opcode Fuzzy Hash: 47F09048455D92E9CE316990181BFEB6098AF57F91CE86B0469C2713778E50F079BCC2
Instruction Fuzzy Hash: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692

APIs

IsWindowUnicode.USER32(?), ref: 0044D1CA
SetWindowLongW.USER32(?,000000FC,?), ref: 0044D1E5
GetWindowLongW.USER32(?,000000F0), ref: 0044D1F0
GetWindowLongW.USER32(?,000000F4), ref: 0044D202
SetWindowLongW.USER32(?,000000F4,?), ref: 0044D215
SetWindowLongA.USER32(?,000000FC,?), ref: 0044D22E
GetWindowLongA.USER32(?,000000F0), ref: 0044D239
GetWindowLongA.USER32(?,000000F4), ref: 0044D24B
SetWindowLongA.USER32(?,000000F4,?), ref: 0044D25E
SetPropA.USER32(?,00000000,00000000), ref: 0044D275
SetPropA.USER32(?,00000000,00000000), ref: 0044D28C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A8AC, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 146 Total matches: 45fileprocesssynchronization

Similarity

Total matches: 45
API ID: CloseHandle$CreateFile$CreateProcessWaitForSingleObject
String ID: D
API String ID: 1169714791-2746444292
Opcode ID: 9fb844b51f751657abfdf9935c21911306aa385a3997c9217fbe2ce6b668f812
Instruction ID: 79e473b7fda91be69f4d7f417df14a4c992ec25b9310636d694ca9e09f5cc5b6
Opcode Fuzzy Hash: 4D11E6431384F3F3F1A567002C8275185D6DB45A78E6D9752D6B6323EECB40A16CF94A
Instruction Fuzzy Hash: 79e473b7fda91be69f4d7f417df14a4c992ec25b9310636d694ca9e09f5cc5b6

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000004,00000100,00000000), ref: 0048A953
CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000002,00000100,00000000), ref: 0048A98D
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000110,00000000,00000000,00000044,?), ref: 0048AA10
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0048AA2D
CloseHandle.KERNEL32(00000000), ref: 0048AA68
CloseHandle.KERNEL32(00000000), ref: 0048AA77
CloseHandle.KERNEL32(00000000), ref: 0048AA86
CloseHandle.KERNEL32(00000000), ref: 0048AA95

Strings

D, xrefs: 0048A9BB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00456278, Relevance: 15.2, APIs: 10, Instructions: 197 Total matches: 3025

Similarity

Total matches: 3025
API ID: GetWindowLong$IntersectClipRectRestoreDCSaveDC
String ID:
API String ID: 3006731778-0
Opcode ID: 42e9e34b880910027b3e3a352b823e5a85719ef328f9c6ea61aaf2d3498d6580
Instruction ID: 4204c0258dd60c0c2688d7e8ce7edc9cd036ce1826430425374ca7ebdb7834a4
Opcode Fuzzy Hash: 4621F609168D5267EC7B75806993BAA7111FB82B88CD1F7321AA1171975B80204BFA07
Instruction Fuzzy Hash: 4204c0258dd60c0c2688d7e8ce7edc9cd036ce1826430425374ca7ebdb7834a4

APIs

SaveDC.GDI32(?), ref: 00456295

Part of subcall function 0044EEA0: GetWindowOrgEx.GDI32(?), ref: 0044EEAE
Part of subcall function 0044EEA0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044EEC4

IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 004562CE
GetWindowLongA.USER32(00000000,000000EC), ref: 004562E2
GetWindowLongA.USER32(00000000,000000F0), ref: 00456303

Part of subcall function 00456278: SetRect.USER32(00000010,00000000,00000000,?,?), ref: 00456363
Part of subcall function 00456278: IntersectClipRect.GDI32(?,00000000,00000000,00000010,?), ref: 004563D3
Part of subcall function 00456278: SetRect.USER32(?,00000000,00000000,?,?), ref: 004563F4
Part of subcall function 00456278: DrawEdge.USER32(?,?,00000000,00000000), ref: 00456403
Part of subcall function 00456278: IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0045642C

RestoreDC.GDI32(?,?), ref: 004564AB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044155C, Relevance: 15.1, APIs: 10, Instructions: 74 Total matches: 3192window

Similarity

Total matches: 3192
API ID: DeleteMenu$EnableMenuItem$GetSystemMenu
String ID:
API String ID: 3542995237-0
Opcode ID: 6b257927fe0fdeada418aad578b82fbca612965c587f2749ccb5523ad42afade
Instruction ID: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578
Opcode Fuzzy Hash: 0AF0D09DD98F1151E6F500410C47B83C08AFF413C5C245B380583217EFA9D25A5BEB0E
Instruction Fuzzy Hash: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 004415A7
DeleteMenu.USER32(00000000,0000F130,00000000), ref: 004415C5
DeleteMenu.USER32(00000000,00000007,00000400), ref: 004415D2
DeleteMenu.USER32(00000000,00000005,00000400), ref: 004415DF
DeleteMenu.USER32(00000000,0000F030,00000000), ref: 004415EC
DeleteMenu.USER32(00000000,0000F020,00000000), ref: 004415F9
DeleteMenu.USER32(00000000,0000F000,00000000), ref: 00441606
DeleteMenu.USER32(00000000,0000F120,00000000), ref: 00441613
EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 00441631
EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 0044164D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040281E, Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 188 Total matches: 190window

Similarity

Total matches: 190
API ID: MessageBox
String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
API String ID: 1250089747-980038931
Opcode ID: 1669ecd234b97cdbd14c3df7a35b1e74c6856795be7635a3e0f5130a3d9bc831
Instruction ID: 2e60dbe28dcd1d3aa5670394eea0bc97309ab4bc9661f15f320bab8b5d4cd559
Opcode Fuzzy Hash: 8E21F44B67EED392D3EA1303384575540E3ABC5537D888F60977232BF6EE14140BAA9D
Instruction Fuzzy Hash: 2e60dbe28dcd1d3aa5670394eea0bc97309ab4bc9661f15f320bab8b5d4cd559

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 00402BBE

Strings

An unexpected memory leak has occurred. , xrefs: 00402980
, xrefs: 00402B04
The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402B39
The unexpected small block leaks are:, xrefs: 004029F7
Unexpected Memory Leak, xrefs: 00402BB0
7, xrefs: 00402991
bytes: , xrefs: 00402A4D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004710F0, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 66 Total matches: 37

Similarity

Total matches: 37
API ID: GetWindowShowWindow$FindWindowGetClassName
String ID: BUTTON$Shell_TrayWnd
API String ID: 2948047570-3627955571
Opcode ID: 9e064d9ead1b610c0c1481de5900685eb7d76be14ef2e83358ce558d27e67668
Instruction ID: d360bd029940f6fa4d12d7627fe3e8b46839e67e31e965d43504e39a11938d6c
Opcode Fuzzy Hash: 68E092CC17B5D469B71A2789284236241D5C763A35C18B752D332376DF8E58021EE60A
Instruction Fuzzy Hash: d360bd029940f6fa4d12d7627fe3e8b46839e67e31e965d43504e39a11938d6c

APIs

FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 0047111D
GetWindow.USER32(00000000,00000005), ref: 00471125
GetClassNameA.USER32(00000000,?,00000080), ref: 0047113D
ShowWindow.USER32(00000000,00000001), ref: 0047117C
ShowWindow.USER32(00000000,00000000), ref: 00471186
GetWindow.USER32(00000000,00000002), ref: 0047118E

Strings

BUTTON, xrefs: 00471168
Shell_TrayWnd, xrefs: 00471118

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004564D0, Relevance: 13.7, APIs: 9, Instructions: 177 Total matches: 190window

Similarity

Total matches: 190
API ID: SelectObject$BeginPaintBitBltCreateCompatibleBitmapCreateCompatibleDCSetWindowOrgEx
String ID:
API String ID: 1616898104-0
Opcode ID: 00b711a092303d63a394b0039c66d91bff64c6bf82b839551a80748cfcb5bf1e
Instruction ID: 1affb125a654ca7596d0e4f6c4811def945eff925a29ebecd1c68cf0f38a7913
Opcode Fuzzy Hash: 14115B85024DA637E8739CC85E83F962294F307D48C91F7729BA31B2C72F15600DD293
Instruction Fuzzy Hash: 1affb125a654ca7596d0e4f6c4811def945eff925a29ebecd1c68cf0f38a7913

APIs

Part of subcall function 00455D50: BeginPaint.USER32(00000000,?), ref: 00455D7B
Part of subcall function 00455D50: SaveDC.GDI32(00000000), ref: 00455DB4
Part of subcall function 00455D50: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 00455E36
Part of subcall function 00455D50: RestoreDC.GDI32(00000000,00000000), ref: 00455E6C
Part of subcall function 00455D50: EndPaint.USER32(00000000,?), ref: 00455EA9

BeginPaint.USER32(00000000,?), ref: 004565EA
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00456600
CreateCompatibleDC.GDI32(00000000), ref: 00456617
SelectObject.GDI32(?,?), ref: 00456627
SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0045664B

Part of subcall function 004564D0: BeginPaint.USER32(00000000,?), ref: 0045653C
Part of subcall function 004564D0: EndPaint.USER32(00000000,?), ref: 004565D0

BitBlt.GDI32(00000000,?,?,?,?,?,?,?,00CC0020), ref: 00456699
SelectObject.GDI32(?,?), ref: 004566B3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004840D8, Relevance: 13.6, APIs: 9, Instructions: 150 Total matches: 30

Similarity

Total matches: 30
API ID: CloseHandleGetTokenInformationLookupAccountSid$GetLastErrorOpenProcessOpenProcessToken
String ID:
API String ID: 1387212650-0
Opcode ID: 55fc45e655e8bcad6bc41288bae252f5ee7be0b7cb976adfe173a6785b05be5f
Instruction ID: 4c6b5abeafcca947752a893948ed48d42e020b1fe5683f4a654fc51f6199c0a3
Opcode Fuzzy Hash: 3901484A17CA2293F53BB5C82483FEA1215E702B45D48B7A354F43A59A5F45A13BF702
Instruction Fuzzy Hash: 4c6b5abeafcca947752a893948ed48d42e020b1fe5683f4a654fc51f6199c0a3

APIs

OpenProcess.KERNEL32(00000400,00000000,?,00000000,00484275), ref: 00484108
OpenProcessToken.ADVAPI32(00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 0048411E
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,?,00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 00484139
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),?,?,?,?,TokenIntegrityLevel,00000000,00000000,?,00000000,00000008,?,00000400,00000000), ref: 00484168
GetLastError.KERNEL32(?,TokenIntegrityLevel,00000000,00000000,?,00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 00484177
CloseHandle.KERNEL32(?), ref: 00484185
LookupAccountSidA.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 004841B4
LookupAccountSidA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,?), ref: 00484205
CloseHandle.KERNEL32(00000000), ref: 00484255

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00451458, Relevance: 13.6, APIs: 9, Instructions: 122 Total matches: 3040window

Similarity

Total matches: 3040
API ID: PatBlt$SelectObject$GetDCExGetDesktopWindowReleaseDC
String ID:
API String ID: 2402848322-0
Opcode ID: 0b1cd19b0e82695ca21d43bacf455c9985e1afa33c1b29ce2f3a7090b744ccb2
Instruction ID: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593
Opcode Fuzzy Hash: C2F0B4482AADF707C8B6350915C7F79224AED736458F4BB694DB4172CBAF27B014D093
Instruction Fuzzy Hash: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593

APIs

GetDesktopWindow.USER32 ref: 0045148F
GetDCEx.USER32(?,00000000,00000402), ref: 004514A2

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

SelectObject.GDI32(?,00000000), ref: 004514C5
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 004514EB
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0045150D
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 0045152C
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 00451546
SelectObject.GDI32(?,?), ref: 00451553
ReleaseDC.USER32(?,?), ref: 0045156D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004117E8, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: f440f800a6dcfa6827f62dcd7c23166eba4d720ac19948e634cff8498f9e3f0b
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 4D113503239AAB83B0257B804C83F24D1D0DE42D36ACD97B8C672693F32601561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00411881
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041189D
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 004118D6
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411953
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0041196C
VariantCopy.OLEAUT32(?), ref: 004119A1

Strings

, xrefs: 00411802

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AC14, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 110 Total matches: 30

Similarity

Total matches: 30
API ID: GetCurrentProcessGetTokenInformationLookupPrivilegeDisplayNameLookupPrivilegeNameOpenProcessToken
String ID: GetTokenInformation error$OpenProcessToken error
API String ID: 34442935-1842041635
Opcode ID: 07715b92dc7caf9e715539a578f275bcd2bb60a34190f84cc6cf05c55eb8ea49
Instruction ID: 380ab001647c8b3903b6034fc21424389ae21c1771cfbd9cf9b74ae493e33b6b
Opcode Fuzzy Hash: 9101994303ACF753F62929086842BDA0550DF534A5EC4AB6281746BEC90F28203AFB57
Instruction Fuzzy Hash: 380ab001647c8b3903b6034fc21424389ae21c1771cfbd9cf9b74ae493e33b6b

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AD60), ref: 0048AC51
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AD60), ref: 0048AC57
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000320,?,00000000,00000028,?,00000000,0048AD60), ref: 0048AC7D
LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,00000000,000000FF,?), ref: 0048ACEE

Part of subcall function 00489B40: MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00489B84

LookupPrivilegeNameA.ADVAPI32(00000000,?,00000000,000000FF), ref: 0048ACDD

Strings

GetTokenInformation error, xrefs: 0048AC86
OpenProcessToken error, xrefs: 0048AC60

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E4A0, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68 Total matches: 2853string

Similarity

Total matches: 2853
API ID: GetSystemMetrics$GetMonitorInfoSystemParametersInfolstrcpy
String ID: DISPLAY$GetMonitorInfo
API String ID: 3432438702-1633989206
Opcode ID: eae47ffeee35c10db4cae29e8a4ab830895bcae59048fb7015cdc7d8cb0a928b
Instruction ID: 74142331967dee0409fd24cf408a58a7466f2520650418456c75ade1e3029da4
Opcode Fuzzy Hash: 28E068803A699081F86A71027110F4912B07AE7E47D883B92C4777051BD78265B91D01
Instruction Fuzzy Hash: 74142331967dee0409fd24cf408a58a7466f2520650418456c75ade1e3029da4

APIs

GetMonitorInfoA.USER32(?,?), ref: 0042E4D1
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042E4F8
GetSystemMetrics.USER32(00000000), ref: 0042E50D
GetSystemMetrics.USER32(00000001), ref: 0042E518
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0042E542

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

DISPLAY, xrefs: 0042E539
GetMonitorInfo, xrefs: 0042E4B8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004052FC, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38 Total matches: 3072filewindow

Similarity

Total matches: 3072
API ID: GetStdHandleWriteFile$MessageBox
String ID: Error$Runtime error at 00000000
API String ID: 877302783-2970929446
Opcode ID: a2f2a555d5de0ed3a3cdfe8a362fd9574088acc3a5edf2b323f2c4251b80d146
Instruction ID: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97
Opcode Fuzzy Hash: FED0A7C68438479FA141326030C4B2A00133F0762A9CC7396366CB51DFCF4954BCDD05
Instruction Fuzzy Hash: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405335
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 0040533B
GetStdHandle.KERNEL32(000000F5,00405384,00000002,?,00000000,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405350
WriteFile.KERNEL32(00000000,000000F5,00405384,00000002,?), ref: 00405356
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00405374

Strings

Error, xrefs: 00405368
Runtime error at 00000000, xrefs: 0040532E, 0040536D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E0DC, Relevance: 12.1, APIs: 8, Instructions: 100 Total matches: 31registry

Similarity

Total matches: 31
API ID: RegOpenKeyEx$RegCloseKeyRegDeleteValue
String ID:
API String ID: 2702562355-0
Opcode ID: ff1bffc0fc9da49c543c68ea8f8c068e074332158ed00d7e0855fec77d15ce10
Instruction ID: bb6f8a9e936068d281b70d3ea2ea02ff1a791729bc38357734c580253c916b5c
Opcode Fuzzy Hash: 00F0AD0155E9A353EBF654C41E127DB2082FF43A44D08FFB50392139D3DF581028E663
Instruction Fuzzy Hash: bb6f8a9e936068d281b70d3ea2ea02ff1a791729bc38357734c580253c916b5c

APIs

RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?,00000000,0046E238), ref: 0046E15A
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,000F003F,?,0046E23F,80000000,00000000,00000000,000F003F,?,00000000,0046E238), ref: 0046E17D
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,0046E23F,80000000,00000000,00000000,000F003F,?), ref: 0046E19D
RegOpenKeyExA.ADVAPI32(80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,0046E23F), ref: 0046E1BD
RegOpenKeyExA.ADVAPI32(80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001), ref: 0046E1DD
RegOpenKeyExA.ADVAPI32(80000006,00000000,00000000,000F003F,?,80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002), ref: 0046E1FD
RegDeleteValueA.ADVAPI32(?,00000000,00000000,0046E238), ref: 0046E20F
RegCloseKey.ADVAPI32(?,?,00000000,00000000,0046E238), ref: 0046E218

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004462F4, Relevance: 12.1, APIs: 8, Instructions: 99 Total matches: 293windowthread

Similarity

Total matches: 293
API ID: SendMessage$GetWindowThreadProcessId$GetCaptureGetParentIsWindowUnicode
String ID:
API String ID: 2317708721-0
Opcode ID: 8f6741418f060f953fc426fb00df5905d81b57fcb2f7a38cdc97cb0aab6d7365
Instruction ID: 027f2b09132ef415e1641618d15c0fc03404835376b0cbd1c352fc703b58c8b5
Opcode Fuzzy Hash: D0F09E15071D1844F89FA7844CD3F1F0150E73726FC516A251861D07BB2640586DEC40
Instruction Fuzzy Hash: 027f2b09132ef415e1641618d15c0fc03404835376b0cbd1c352fc703b58c8b5

APIs

GetCapture.USER32 ref: 0044631A
GetParent.USER32(00000000), ref: 00446340
IsWindowUnicode.USER32(00000000), ref: 0044635D
SendMessageW.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446378
SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446397
GetWindowThreadProcessId.USER32(00000000), ref: 004463A6
GetWindowThreadProcessId.USER32(?,?), ref: 004463B4
SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 004463D4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E244, Relevance: 12.1, APIs: 8, Instructions: 95 Total matches: 27registry

Similarity

Total matches: 27
API ID: RegOpenKeyEx$RegCloseKeyRegDeleteKey
String ID:
API String ID: 1588268847-0
Opcode ID: efa1fa3a126963e045954320cca245066a4b5764b694b03be027155e6cf74c33
Instruction ID: 786d86d630c0ce6decb55c8266b1f23f89dbfeab872e22862efc69a80fb541cf
Opcode Fuzzy Hash: 70F0810454D99393EFF268C81A627EB2492FF53141C00BFB603D222A93DF191428E663
Instruction Fuzzy Hash: 786d86d630c0ce6decb55c8266b1f23f89dbfeab872e22862efc69a80fb541cf

APIs

RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?,00000000,0046E391), ref: 0046E2B7
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,000F003F,?,80000000,00000000,00000000,000F003F,?,00000000,0046E391), ref: 0046E2DA
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,80000000,00000000,00000000,000F003F,?,00000000), ref: 0046E2FA
RegOpenKeyExA.ADVAPI32(80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,80000000), ref: 0046E31A
RegOpenKeyExA.ADVAPI32(80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001), ref: 0046E33A
RegOpenKeyExA.ADVAPI32(80000006,00000000,00000000,000F003F,?,80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002), ref: 0046E35A
RegDeleteKeyA.ADVAPI32(?,0046E39C), ref: 0046E368
RegCloseKey.ADVAPI32(?,?,0046E39C,00000000,0046E391), ref: 0046E371

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434550, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 177 Total matches: 2669window

Similarity

Total matches: 2669
API ID: InsertMenu$GetVersionInsertMenuItem
String ID: ,$?
API String ID: 1158528009-2308483597
Opcode ID: 3691d3eb49acf7fe282d18733ae3af9147e5be4a4a7370c263688d5644077239
Instruction ID: d88e58a9695d0ecde36b26a9ed5775f3b98e27f7dc2108173ae1ec2afbf22209
Opcode Fuzzy Hash: 7021C07202AE81DBD414788C7954F6221B16B5465FD49FF210329B5DD98F156003FF7A
Instruction Fuzzy Hash: d88e58a9695d0ecde36b26a9ed5775f3b98e27f7dc2108173ae1ec2afbf22209

APIs

GetVersion.KERNEL32(00000000,004347A1), ref: 004345EC
InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 004346F5
InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 0043477E

Part of subcall function 00434A54: CreatePopupMenu.USER32 ref: 00434A6F
Part of subcall function 00434A54: CreateMenu.USER32 ref: 00434A79

InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 00434765

Strings

?, xrefs: 00434607
,, xrefs: 00434600

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004282D0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99 Total matches: 1938

Similarity

Total matches: 1938
API ID: GetWinMetaFileBitsMulDiv$GetDC
String ID: `
API String ID: 1171737091-2679148245
Opcode ID: 97e0afb71fd3017264d25721d611b96d1ac3823582e31f119ebb41a52f378edb
Instruction ID: fd1c75cb27f8ccc4a85bc281ca680933f7ff10ae91a160973978cac80d6b42b6
Opcode Fuzzy Hash: B6F0ACC4008CD2A7D87675DC1043F6311C897CA286E89BB739226A7307CB0AA019EC47
Instruction Fuzzy Hash: fd1c75cb27f8ccc4a85bc281ca680933f7ff10ae91a160973978cac80d6b42b6

APIs

MulDiv.KERNEL32(?,?,000009EC), ref: 00428322
MulDiv.KERNEL32(?,?,000009EC), ref: 00428339
GetDC.USER32(00000000), ref: 00428350
GetWinMetaFileBits.GDI32(?,00000000,00000000,00000008,?), ref: 00428374
GetWinMetaFileBits.GDI32(?,?,?,00000008,?), ref: 004283A7

Part of subcall function 00425A70: GetLastError.KERNEL32(00000000,00425B0C), ref: 00425A90
Part of subcall function 00425A70: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00425B0C), ref: 00425AB6

Strings

`, xrefs: 00428308

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004442A8, Relevance: 10.6, APIs: 7, Instructions: 57 Total matches: 3149threadwindow

Similarity

Total matches: 3149
API ID: SendMessage$GetCurrentThreadIdGetCursorPosGetWindowThreadProcessIdSetCursorWindowFromPoint
String ID:
API String ID: 3843227220-0
Opcode ID: 636f8612f18a75fc2fe2d79306f1978e6c2d0ee500cce15a656835efa53532b4
Instruction ID: 91a0691e93be75cbd792bc1c5d11451005bcc187603754b99125f381020161aa
Opcode Fuzzy Hash: 6FE07D44093723D5C0644A295640705A6C6CB96630DC0DB86C339580FBAD0214F0BC92
Instruction Fuzzy Hash: 91a0691e93be75cbd792bc1c5d11451005bcc187603754b99125f381020161aa

APIs

GetCursorPos.USER32 ref: 004442C3
WindowFromPoint.USER32(?,?), ref: 004442D0
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004442DE
GetCurrentThreadId.KERNEL32(00000000,00000000,?,?), ref: 004442E5
SendMessageA.USER32(00000000,00000084,00000000,?), ref: 0044430E
SendMessageA.USER32(00000000,00000020,00000000,?), ref: 00444320
SetCursor.USER32(00000000), ref: 00444332

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00404448, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 49 Total matches: 63registry

Similarity

Total matches: 63
API ID: RegCloseKeyRegOpenKeyExRegQueryValueEx
String ID: &$FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 2249749755-409351
Opcode ID: ab90adbf7b939076b4d26ef1005f34fa32d43ca05e29cbeea890055cc8b783db
Instruction ID: ce62e3bb234767a160e82b0d7d36def6f0e4d1aa0fd43ed305e6d49589b0b3e0
Opcode Fuzzy Hash: 58D02BE10C9A675FB6B071543292B6310A3F72AA8CC0077326DD03A0D64FD26178CF03
Instruction Fuzzy Hash: ce62e3bb234767a160e82b0d7d36def6f0e4d1aa0fd43ed305e6d49589b0b3e0

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040446A
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,&,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040449D
RegCloseKey.ADVAPI32(?,004044C0,00000000,?,00000004,00000000,&,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004044B3

Strings

&, xrefs: 00404476
FPUMaskValue, xrefs: 00404494
SOFTWARE\Borland\Delphi\RTL, xrefs: 00404460

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043EC18, Relevance: 9.2, APIs: 6, Instructions: 150 Total matches: 2896

Similarity

Total matches: 2896
API ID: FillRect$BeginPaintEndPaintGetClientRectGetWindowRect
String ID:
API String ID: 2931688664-0
Opcode ID: 677a90f33c4a0bae1c1c90245e54b31fe376033ebf9183cf3cf5f44c7b342276
Instruction ID: 65c0a0a89661e183b73f48e61e48bee5eb6d6399339ac08e0e21072a38132552
Opcode Fuzzy Hash: 9711994A819E5007F47B49C40887BEA1092FBC1FDBCC8FF7025A426BCB0B60564F860B
Instruction Fuzzy Hash: 65c0a0a89661e183b73f48e61e48bee5eb6d6399339ac08e0e21072a38132552

APIs

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?), ref: 0043EC91
GetClientRect.USER32(00000000,?), ref: 0043ECBC
FillRect.USER32(?,?,00000000), ref: 0043ECDB

Part of subcall function 0043EB8C: CallWindowProcA.USER32(?,?,?,?,?), ref: 0043EBC6

Part of subcall function 0043B78C: GetWindowLongA.USER32(?,000000EC), ref: 0043B799
Part of subcall function 0043B78C: SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B7BC
Part of subcall function 0043B78C: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043B7CE

BeginPaint.USER32(?,?), ref: 0043ED53
GetWindowRect.USER32(?,?), ref: 0043ED80

Part of subcall function 0044EEA0: GetWindowOrgEx.GDI32(?), ref: 0044EEAE
Part of subcall function 0044EEA0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044EEC4

Part of subcall function 00455D50: BeginPaint.USER32(00000000,?), ref: 00455D7B
Part of subcall function 00455D50: SaveDC.GDI32(00000000), ref: 00455DB4
Part of subcall function 00455D50: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 00455E36
Part of subcall function 00455D50: RestoreDC.GDI32(00000000,00000000), ref: 00455E6C
Part of subcall function 00455D50: EndPaint.USER32(00000000,?), ref: 00455EA9

EndPaint.USER32(?,?), ref: 0043EDE0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00441160, Relevance: 9.1, APIs: 6, Instructions: 125 Total matches: 196

Similarity

Total matches: 196
API ID: ExcludeClipRectFillRectGetStockObjectRestoreDCSaveDCSetBkColor
String ID:
API String ID: 3049133588-0
Opcode ID: d6019f6cee828ac7391376ab126a0af33bb7a71103bbd3b8d69450c96d22d854
Instruction ID: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c
Opcode Fuzzy Hash: 54012444004F6253F4AB098428E7FA56083F721791CE4FF310786616C34A74615BAA07
Instruction Fuzzy Hash: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c

APIs

Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE

SaveDC.GDI32(?), ref: 004411AD
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00441234
GetStockObject.GDI32(00000004), ref: 00441256
FillRect.USER32(00000000,?,00000000), ref: 0044126F

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(00000000,00000000), ref: 004412BA

Part of subcall function 0042535C: FillRect.USER32(?,00000000,00000000), ref: 00425385

RestoreDC.GDI32(00000000,?), ref: 004412E5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426564, Relevance: 9.1, APIs: 6, Instructions: 84 Total matches: 3298

Similarity

Total matches: 3298
API ID: GetDeviceCapsGetSystemMetrics$GetDCReleaseDC
String ID:
API String ID: 3173458388-0
Opcode ID: fd9f4716da230ae71bf1f4ec74ceb596be8590d72bfe1d7677825fa15454f496
Instruction ID: 76208f8db54bfa31a4e946745ab37a866a8afca9cd7e1400b1f436bf5add317d
Opcode Fuzzy Hash: 0CF09E4906CDE0A230E245C41213F6290C28E85DA1CCD2F728175646EB900A900BB68A
Instruction Fuzzy Hash: 76208f8db54bfa31a4e946745ab37a866a8afca9cd7e1400b1f436bf5add317d

APIs

GetSystemMetrics.USER32(0000000B), ref: 004265B2
GetSystemMetrics.USER32(0000000C), ref: 004265BE
GetDC.USER32(00000000), ref: 004265DA
GetDeviceCaps.GDI32(00000000,0000000E), ref: 00426601
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042660E
ReleaseDC.USER32(00000000,00000000), ref: 00426647

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004269DC, Relevance: 9.1, APIs: 6, Instructions: 65 Total matches: 3081window

Similarity

Total matches: 3081
API ID: SelectPalette$CreateCompatibleDCDeleteDCGetDIBitsRealizePalette
String ID:
API String ID: 940258532-0
Opcode ID: c5678bed85b02f593c88b8d4df2de58c18800a354d7fb4845608846d7bc0f30b
Instruction ID: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194
Opcode Fuzzy Hash: BCE0864D058EF36F1875B08C25D267100C0C9A25D0917BB6151282339B8F09B42FE553
Instruction Fuzzy Hash: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194

APIs

Part of subcall function 00426888: GetObjectA.GDI32(?,00000054), ref: 0042689C

CreateCompatibleDC.GDI32(00000000), ref: 004269FE
SelectPalette.GDI32(?,?,00000000), ref: 00426A1F
RealizePalette.GDI32(?), ref: 00426A2B
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 00426A42
SelectPalette.GDI32(?,00000000,00000000), ref: 00426A6A
DeleteDC.GDI32(?), ref: 00426A73

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426210, Relevance: 9.1, APIs: 6, Instructions: 56 Total matches: 3064window

Similarity

Total matches: 3064
API ID: SelectObject$CreateCompatibleDCCreatePaletteDeleteDCGetDIBColorTable
String ID:
API String ID: 2522673167-0
Opcode ID: 8f0861977a40d6dd0df59c1c8ae10ba78c97ad85d117a83679491ebdeecf1838
Instruction ID: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265
Opcode Fuzzy Hash: 23E0CD8BABB4E08A797B9EA40440641D28F874312DF4347525731780E7DE0972EBFD9D
Instruction Fuzzy Hash: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265

APIs

CreateCompatibleDC.GDI32(00000000), ref: 00426229
SelectObject.GDI32(00000000,00000000), ref: 00426232
GetDIBColorTable.GDI32(00000000,00000000,00000100,?), ref: 00426246
SelectObject.GDI32(00000000,00000000), ref: 00426252
DeleteDC.GDI32(00000000), ref: 00426258
CreatePalette.GDI32 ref: 0042629F

Part of subcall function 00426178: GetDC.USER32(00000000), ref: 00426190
Part of subcall function 00426178: GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
Part of subcall function 00426178: ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004258EC, Relevance: 9.0, APIs: 6, Instructions: 43 Total matches: 3205

Similarity

Total matches: 3205
API ID: SetBkColorSetBkMode$SelectObjectUnrealizeObject
String ID:
API String ID: 865388446-0
Opcode ID: ffaa839b37925f52af571f244b4bcc9ec6d09047a190f4aa6a6dd435522a71e3
Instruction ID: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d
Opcode Fuzzy Hash: 04D09E594221F71A98E8058442D7D520586497D532DAF3B51063B173F7F8089A05D9FC
Instruction Fuzzy Hash: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d

APIs

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

UnrealizeObject.GDI32(00000000), ref: 004258F8
SelectObject.GDI32(?,00000000), ref: 0042590A
SetBkColor.GDI32(?,00000000), ref: 0042592D
SetBkMode.GDI32(?,00000002), ref: 00425938

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(?,00000000), ref: 00425953
SetBkMode.GDI32(?,00000001), ref: 0042595E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042A930, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 112 Total matches: 272window

Similarity

Total matches: 272
API ID: CreateHalftonePaletteDeleteObjectGetDCReleaseDC
String ID: (
API String ID: 5888407-3887548279
Opcode ID: 4e22601666aff46a46581565b5bf303763a07c2fd17868808ec6dd327d665c82
Instruction ID: f57f3c124764741b0e8e00b5455ad9be4a6e3969f543885727e4b1f2e22c0620
Opcode Fuzzy Hash: 79019E5241CC6117F8D7A6547852F732644AB806A5C80FB707B69BA8CFAB85610EB90B
Instruction Fuzzy Hash: f57f3c124764741b0e8e00b5455ad9be4a6e3969f543885727e4b1f2e22c0620

APIs

GetDC.USER32(00000000), ref: 0042A9EC
CreateHalftonePalette.GDI32(00000000), ref: 0042A9F9
ReleaseDC.USER32(00000000,00000000), ref: 0042AA08
DeleteObject.GDI32(00000000), ref: 0042AA76

Strings

(, xrefs: 0042A9A3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DA48, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 102 Total matches: 32

Similarity

Total matches: 32
API ID: Netbios
String ID: %.2x-%.2x-%.2x-%.2x-%.2x-%.2x$3$memory allocation failed!
API String ID: 544444789-2654533857
Opcode ID: 22deb5ba4c8dd5858e69645675ac88c4b744798eed5cc2a6ae80ae5365d1f156
Instruction ID: 205d53b38d78d2d0723284a20418f6a6cc2e9f6e34ee92e133a3f4b1a01c78c5
Opcode Fuzzy Hash: FC0145449793E233D2635E086C60F6823228F41731FC96B56863A557DC1F09420EF26F
Instruction Fuzzy Hash: 205d53b38d78d2d0723284a20418f6a6cc2e9f6e34ee92e133a3f4b1a01c78c5

APIs

Netbios.NETAPI32(00000032), ref: 0048DA8A
Netbios.NETAPI32(00000033), ref: 0048DB01

Strings

3, xrefs: 0048DACB
memory allocation failed!, xrefs: 0048DAEB
%.2x-%.2x-%.2x-%.2x-%.2x-%.2x, xrefs: 0048DBA0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482320, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85 Total matches: 19threadsleep

Similarity

Total matches: 19
API ID: CreateThreadExitThreadSleep
String ID: @$BTRESULTUDP Flood|UDP Flood task finished!|
API String ID: 2170526433-696998096
Opcode ID: 89b2bcb3a41e7f4c01433908cc75e320bbcd6b665df0f15f136d145bd92b223a
Instruction ID: ba785c08286949be7b8d16e5cc6bc2a647116c61844ba5f345475ef84eb05628
Opcode Fuzzy Hash: F0F02B696BCAA1DFE8075C446C42B9B2054DBC740EDCBA7B2261B235819A4A34073F13
Instruction Fuzzy Hash: ba785c08286949be7b8d16e5cc6bc2a647116c61844ba5f345475ef84eb05628

APIs

Sleep.KERNEL32(00000064,?,00000000,00482455), ref: 004823D3
CreateThread.KERNEL32(00000000,00000000,Function_000821A0,00000000,00000000,?), ref: 004823E8

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000,00000000,00000000,Function_000821A0,00000000,00000000,?,00000064,?,00000000,00482455), ref: 0048242B

Strings

@, xrefs: 004823BE
BTRESULTUDP Flood|UDP Flood task finished!|, xrefs: 00482417

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004827C4, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85 Total matches: 19threadsleep

Similarity

Total matches: 19
API ID: CreateThreadExitThreadSleep
String ID: @$BTRESULTSyn Flood|Syn task finished!|
API String ID: 2170526433-491318438
Opcode ID: 44470ceb4039b0deeebf49dfd608d8deeadfb9ebb9d7d747ae665e3d160d324e
Instruction ID: 0c48cfc9b202c7a9406c9b87cea66b669ffe7f04b2bdabee49179f6eebcccd33
Opcode Fuzzy Hash: 17F02B24A7D9B5DFEC075D402D42BDB6254EBC784EDCAA7B29257234819E1A30037713
Instruction Fuzzy Hash: 0c48cfc9b202c7a9406c9b87cea66b669ffe7f04b2bdabee49179f6eebcccd33

APIs

Sleep.KERNEL32(00000064,?,00000000,004828F9), ref: 00482877
CreateThread.KERNEL32(00000000,00000000,Function_00082630,00000000,00000000,?), ref: 0048288C

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000,00000000,00000000,Function_00082630,00000000,00000000,?,00000064,?,00000000,004828F9), ref: 004828CF

Strings

BTRESULTSyn Flood|Syn task finished!|, xrefs: 004828BB
@, xrefs: 00482862

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00483858, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85 Total matches: 19threadsleep

Similarity

Total matches: 19
API ID: CreateThreadExitThreadSleep
String ID: @$BTRESULTHTTP Flood|Http Flood task finished!|
API String ID: 2170526433-4253556105
Opcode ID: ce1973b24f73c03e98cc87b7d8b3c5c1d23a0e8b985775cb0889d2fdef58f970
Instruction ID: 21c0fad9eccbf28bfd57fbbbc49df069a42e3d2ebba60de991032031fecca495
Opcode Fuzzy Hash: 5DF0F61467DBA0AFEC476D403852FDB6254DBC344EDCAA7B2961B234919A0B50072752
Instruction Fuzzy Hash: 21c0fad9eccbf28bfd57fbbbc49df069a42e3d2ebba60de991032031fecca495

APIs

Sleep.KERNEL32(00000064,?,00000000,0048398D), ref: 0048390B
CreateThread.KERNEL32(00000000,00000000,Function_000836D8,00000000,00000000,?), ref: 00483920

Part of subcall function 0048CE74: GetUserNameA.ADVAPI32(?), ref: 0048CE8A

Part of subcall function 00475E2C: send.WSOCK32(00000248,00000000,?,00000000,00000000,00475EBD), ref: 00475E9D

ExitThread.KERNEL32(00000000,00000000,00000000,Function_000836D8,00000000,00000000,?,00000064,?,00000000,0048398D), ref: 00483963

Strings

@, xrefs: 004838F6
BTRESULTHTTP Flood|Http Flood task finished!|, xrefs: 0048394F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EA7C, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50 Total matches: 198thread

Similarity

Total matches: 198
API ID: FindWindowExGetCurrentThreadIdGetWindowThreadProcessIdIsWindow
String ID: OleMainThreadWndClass
API String ID: 201132107-3883841218
Opcode ID: cdbacb71e4e8a6832b821703e69153792bbbb8731c9381be4d3b148a6057b293
Instruction ID: 62358f18f5a79d764869bf2b093b0b3ccaeb62bda00a46bd1094c38cdaeeb6b7
Opcode Fuzzy Hash: F8E08C9266CC1095C039EA1C7A2237A3548B7D24E9ED4DB747BEB2716CEF00022A7780
Instruction Fuzzy Hash: 62358f18f5a79d764869bf2b093b0b3ccaeb62bda00a46bd1094c38cdaeeb6b7

APIs

Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00000000,00403029), ref: 004076AD
Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00403029), ref: 004076BE

IsWindow.USER32(?), ref: 0042EA99
FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
GetCurrentThreadId.KERNEL32(?,00000000,00000000,00000000,OleMainThreadWndClass,00000000,?,?,00000000,0042EB52), ref: 0042EB0A

Strings

OleMainThreadWndClass, xrefs: 0042EAC3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434AE4, Relevance: 7.7, APIs: 5, Instructions: 168 Total matches: 2874

Similarity

Total matches: 2874
API ID: DrawTextOffsetRect$DrawEdge
String ID:
API String ID: 1230182654-0
Opcode ID: 4033270dfa35f51a11e18255a4f5fd5a4a02456381e8fcea90fa62f052767fcc
Instruction ID: 6b9e5ef3b45a4a7d0cb501c9f56a29ead01efbe1e1581f942ef4c6a165ab8663
Opcode Fuzzy Hash: A511CB01114D5A93E431240815A7FEF1295FBC1A9BCD4BB71078636DBB2F481017EA7B
Instruction Fuzzy Hash: 6b9e5ef3b45a4a7d0cb501c9f56a29ead01efbe1e1581f942ef4c6a165ab8663

APIs

DrawEdge.USER32(00000000,?,00000006,00000002), ref: 00434BB3
OffsetRect.USER32(?,00000001,00000001), ref: 00434C04
DrawTextA.USER32(00000000,00000000,?,?,?), ref: 00434C3D
OffsetRect.USER32(?,000000FF,000000FF), ref: 00434C4A

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

DrawTextA.USER32(00000000,00000000,?,?,?), ref: 00434CB5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004455EC, Relevance: 7.6, APIs: 5, Instructions: 109 Total matches: 230

Similarity

Total matches: 230
API ID: ShowOwnedPopupsShowWindow$EnumWindows
String ID:
API String ID: 1268429734-0
Opcode ID: 27bb45b2951756069d4f131311b8216febb656800ffc3f7147a02f570a82fa35
Instruction ID: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc
Opcode Fuzzy Hash: 70012B5524E87325E2756D54B01C765A2239B0FF08CE6C6654AAE640F75E1E0132F78D
Instruction Fuzzy Hash: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc

APIs

EnumWindows.USER32(00445518,00000000), ref: 00445620
ShowWindow.USER32(?,00000000), ref: 00445655
ShowOwnedPopups.USER32(00000000,?), ref: 00445684
ShowWindow.USER32(?,00000005), ref: 004456EA
ShowOwnedPopups.USER32(00000000,?), ref: 00445719

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EB3C, Relevance: 7.6, APIs: 5, Instructions: 86 Total matches: 211window

Similarity

Total matches: 211
API ID: DispatchMessageMsgWaitForMultipleObjectsExPeekMessageTranslateMessageWaitForMultipleObjectsEx
String ID:
API String ID: 1615661765-0
Opcode ID: ed928f70f25773e24e868fbc7ee7d77a1156b106903410d7e84db0537b49759f
Instruction ID: 55a40452e6c929106030349fb2bc1598364ce2fc4e781c2a916e8f687fa462b2
Opcode Fuzzy Hash: DDF05C09614F1D16D8BB88644562B1B2144AB42397C26BFA5529EE3B2D6B18B00AF640
Instruction Fuzzy Hash: 55a40452e6c929106030349fb2bc1598364ce2fc4e781c2a916e8f687fa462b2

APIs

Part of subcall function 0042EA7C: IsWindow.USER32(?), ref: 0042EA99
Part of subcall function 0042EA7C: FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
Part of subcall function 0042EA7C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
Part of subcall function 0042EA7C: GetCurrentThreadId.KERNEL32(?,00000000,00000000,00000000,OleMainThreadWndClass,00000000,?,?,00000000,0042EB52), ref: 0042EB0A

MsgWaitForMultipleObjectsEx.USER32(?,?,?,000000BF,?), ref: 0042EB6A
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 0042EB85
TranslateMessage.USER32(?), ref: 0042EB92
DispatchMessageA.USER32(?), ref: 0042EB9B
WaitForMultipleObjectsEx.KERNEL32(?,?,?,?,00000000), ref: 0042EBC7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434924, Relevance: 7.6, APIs: 5, Instructions: 77 Total matches: 2509window

Similarity

Total matches: 2509
API ID: GetMenuItemCount$DestroyMenuGetMenuStateRemoveMenu
String ID:
API String ID: 4240291783-0
Opcode ID: 32de4ad86fdb0cc9fc982d04928276717e3a5babd97d9cb0bc7430a9ae97d0ca
Instruction ID: cf6877f9ad33401498591f2bf6e6844a5ca439f59e89e6fdb213c81f0c010526
Opcode Fuzzy Hash: 6BE02BD3455E4703F425AB0454E3FA913C4AF51716DA0DB1017359D07B1F26501FE9F4
Instruction Fuzzy Hash: cf6877f9ad33401498591f2bf6e6844a5ca439f59e89e6fdb213c81f0c010526

APIs

Part of subcall function 00434A54: CreatePopupMenu.USER32 ref: 00434A6F
Part of subcall function 00434A54: CreateMenu.USER32 ref: 00434A79

GetMenuItemCount.USER32(00000000), ref: 0043495C
GetMenuState.USER32(00000000,-00000001,00000400), ref: 0043497D
RemoveMenu.USER32(00000000,-00000001,00000400), ref: 00434994
GetMenuItemCount.USER32(00000000), ref: 004349C4
DestroyMenu.USER32(00000000), ref: 004349D1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00443430, Relevance: 7.6, APIs: 5, Instructions: 61 Total matches: 3003

Similarity

Total matches: 3003
API ID: SetWindowLong$GetWindowLongRedrawWindowSetLayeredWindowAttributes
String ID:
API String ID: 3761630487-0
Opcode ID: 9c9d49d1ef37d7cb503f07450c0d4a327eb9b2b4778ec50dcfdba666c10abcb3
Instruction ID: c6d9d2cd31c241e86b7d90949bf59b5cad1e27a78e0073c3828bbb8e9ec94880
Opcode Fuzzy Hash: 6AE06550D41703A1D48114945B63FBBE8817F8911DDE5C71001BA29145BA88A192FF7B
Instruction Fuzzy Hash: c6d9d2cd31c241e86b7d90949bf59b5cad1e27a78e0073c3828bbb8e9ec94880

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 00443464
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 00443496
SetLayeredWindowAttributes.USER32(00000000,?,?,00000000), ref: 004434CF
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 004434E8
RedrawWindow.USER32(00000000,00000000,00000000,00000485), ref: 004434FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426178, Relevance: 7.6, APIs: 5, Instructions: 55 Total matches: 3070window

Similarity

Total matches: 3070
API ID: GetPaletteEntries$GetDCGetDeviceCapsReleaseDC
String ID:
API String ID: 1267235336-0
Opcode ID: 49f91625e0dd571c489fa6fdad89a91e8dd79834746e98589081ca7a3a4fea17
Instruction ID: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836
Opcode Fuzzy Hash: 7CD0C2AA1389DBD6BD6A17842352A4553478983B09D126B32EB0822872850C5039FD1F
Instruction Fuzzy Hash: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836

APIs

GetDC.USER32(00000000), ref: 00426190
GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444B90, Relevance: 7.5, APIs: 5, Instructions: 25 Total matches: 2957synchronizationthread

Similarity

Total matches: 2957
API ID: CloseHandleGetCurrentThreadIdSetEventUnhookWindowsHookExWaitForSingleObject
String ID:
API String ID: 3442057731-0
Opcode ID: bc40a7f740796d43594237fc13166084f8c3b10e9e48d5138e47e82ca7129165
Instruction ID: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1
Opcode Fuzzy Hash: E9C01296B2C9B0C1EC809712340202800B20F8FC590E3DE0509D7363005315D73CD92C
Instruction Fuzzy Hash: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1

APIs

UnhookWindowsHookEx.USER32(00000000), ref: 00444B9F
SetEvent.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBA
GetCurrentThreadId.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBF
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00444BD4
CloseHandle.KERNEL32(00000000), ref: 00444BDF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040D670, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148 Total matches: 3566thread

Similarity

Total matches: 3566
API ID: GetThreadLocale
String ID: eeee$ggg$yyyy
API String ID: 1366207816-1253427255
Opcode ID: 86fa1fb3c1f239f42422769255d2b4db7643f856ec586a18d45da068e260c20e
Instruction ID: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436
Opcode Fuzzy Hash: 3911BD8712648363D5722818A0D2BE3199C5703CA4EA89742DDB6356EA7F09440BEE6D
Instruction Fuzzy Hash: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436

APIs

GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Strings

eeee, xrefs: 0040D7AE
yyyy, xrefs: 0040D795
ggg, xrefs: 0040D785

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F5E4, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72 Total matches: 26window

Similarity

Total matches: 26
API ID: GetWindowPlacementGetWindowTextIsWindowVisible
String ID: ,
API String ID: 41250382-3772416878
Opcode ID: d98ece8bad481757d152ad7594c705093dec75069e9b5f9ec314c4d81001c558
Instruction ID: 1b57460ef1e40e225087e69e669dd845b9a56fe4f5442601256b4cdd4d0865f6
Opcode Fuzzy Hash: DBE0ABC68782816BD907FDCCB0207E6E1E4779394CC8CBB32C606396E44D92000DCE69
Instruction Fuzzy Hash: 1b57460ef1e40e225087e69e669dd845b9a56fe4f5442601256b4cdd4d0865f6

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F634
GetWindowPlacement.USER32(?,0000002C), ref: 0046F64F
IsWindowVisible.USER32(?), ref: 0046F655

Strings

,, xrefs: 0046F643

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004606CC, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 59 Total matches: 75network

Similarity

Total matches: 75
API ID: gethostbynameinet_addr
String ID: %d.%d.%d.%d$0.0.0.0
API String ID: 1594361348-464342551
Opcode ID: 7e59b623bdbf8c44b8bb58eaa9a1d1e7bf08be48a025104469b389075155053e
Instruction ID: 136b4077bafd549567cd44b702fc781b2d0bdeab701521d256d746d30229b047
Opcode Fuzzy Hash: 62E0D84049F633C28038E685914DF713041C71A2DEF8F9352022171EF72B096986AE3F
Instruction Fuzzy Hash: 136b4077bafd549567cd44b702fc781b2d0bdeab701521d256d746d30229b047

APIs

inet_addr.WSOCK32(00000000), ref: 004606F6
gethostbyname.WSOCK32(00000000), ref: 00460711

Strings

%d.%d.%d.%d, xrefs: 0046075E
0.0.0.0, xrefs: 0046076C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043804C, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58 Total matches: 1778window

Similarity

Total matches: 1778
API ID: DrawMenuBarGetMenuItemInfoSetMenuItemInfo
String ID: P
API String ID: 41131186-3110715001
Opcode ID: ea0fd48338f9c30b58f928f856343979a74bbe7af1b6c53973efcbd39561a32d
Instruction ID: eec9c326b6739cd85be96541f469f9b321a478421ae7c7aca53e0c239bd8eefe
Opcode Fuzzy Hash: C8E0C0C1064C1301CCACB4938564F010221FB8B33CDD1D3C051602419A9D0080D4BFFA
Instruction Fuzzy Hash: eec9c326b6739cd85be96541f469f9b321a478421ae7c7aca53e0c239bd8eefe

APIs

GetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 0043809A
SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 004380EC
DrawMenuBar.USER32(00000000), ref: 004380F9

Strings

P, xrefs: 0043808C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C3E4, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47 Total matches: 32libraryloader

Similarity

Total matches: 32
API ID: FreeLibraryGetProcAddressLoadLibrary
String ID: _DCEntryPoint
API String ID: 2438569322-2130044969
Opcode ID: ab6be07d423f29e2cef18b5ad5ff21cef58c0bd0bd6b8b884c8bb9d8d911d098
Instruction ID: 3cba8b520013dd4b177f9c32272ffd10ecf318a20762e1e9fa694429cf7511db
Opcode Fuzzy Hash: B9D0C2568747D413C405200439407D90CF1AF8719F9967FA145303FAD76F09801B7527
Instruction Fuzzy Hash: 3cba8b520013dd4b177f9c32272ffd10ecf318a20762e1e9fa694429cf7511db

APIs

LoadLibraryA.KERNEL32(00000000), ref: 0048C431
GetProcAddress.KERNEL32(00000000,_DCEntryPoint,00000000,0048C473), ref: 0048C442
FreeLibrary.KERNEL32(00000000), ref: 0048C44A

Strings

_DCEntryPoint, xrefs: 0048C43C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046D36C, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36 Total matches: 62

Similarity

Total matches: 62
API ID: ShellExecute
String ID: /k $[FILE]$open
API String ID: 2101921698-3009165984
Opcode ID: 68a05d7cd04e1a973318a0f22a03b327e58ffdc8906febc8617c9713a9b295c3
Instruction ID: d64fb813625eb261c687c2654e5203d30067de4ace02db37851750b48dd66fbf
Opcode Fuzzy Hash: FED0C75427CD9157FA017F8439527E61057E747281D481BE285587A0838F8D40659312
Instruction Fuzzy Hash: d64fb813625eb261c687c2654e5203d30067de4ace02db37851750b48dd66fbf

APIs

ShellExecuteA.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0046D3B9

Strings

/k , xrefs: 0046D39A
cmd.exe, xrefs: 0046D3AD
open, xrefs: 0046D3B2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042FA80, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31 Total matches: 41libraryloader

Similarity

Total matches: 41
API ID: GetProcAddressLoadLibrary
String ID: DWMAPI.DLL$DwmIsCompositionEnabled
API String ID: 3291547091-2128843254
Opcode ID: 903d86e3198bc805c96c7b960047695f5ec88b3268c29fda1165ed3f3bc36d22
Instruction ID: 6cdb37f6684ca359e010f835ed4616ce0f7732468e0f2b98b5f1960530870703
Opcode Fuzzy Hash: E3D0C9A5C0865175F571D509713068081FA23D6E8A8824998091A123225FAFB866F55C
Instruction Fuzzy Hash: 6cdb37f6684ca359e010f835ed4616ce0f7732468e0f2b98b5f1960530870703

APIs

LoadLibraryA.KERNEL32(DWMAPI.DLL), ref: 0042FAA6
GetProcAddress.KERNEL32(00000000,DwmIsCompositionEnabled,?,?,0042FB22,?,00447EFB), ref: 0042FAC9

Strings

DwmIsCompositionEnabled, xrefs: 0042FABE
DWMAPI.DLL, xrefs: 0042FAA1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040F4AC, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16 Total matches: 3137libraryloader

Similarity

Total matches: 3137
API ID: GetModuleHandleGetProcAddress
String ID: GetDiskFreeSpaceExA$[FILE]
API String ID: 1063276154-3559590856
Opcode ID: c33e0a58fb58839ae40c410e06ae8006a4b80140bf923832b2d6dbd30699e00d
Instruction ID: 9d6a6771c1a736381c701344b3d7b8e37c98dfc5013332f68a512772380f22cc
Opcode Fuzzy Hash: D8B09224E0D54114C4B4560930610013C82738A10E5019A820A1B720AA7CCEEA29603A
Instruction Fuzzy Hash: 9d6a6771c1a736381c701344b3d7b8e37c98dfc5013332f68a512772380f22cc

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0048F10B,00000000,0048F11E), ref: 0040F4B2
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA,kernel32.dll,?,0048F10B,00000000,0048F11E), ref: 0040F4C3

Strings

GetDiskFreeSpaceExA, xrefs: 0040F4BD
kernel32.dll, xrefs: 0040F4AD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EC20, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15 Total matches: 48libraryloader

Similarity

Total matches: 48
API ID: GetModuleHandleGetProcAddress
String ID: CoWaitForMultipleHandles$[FILE]
API String ID: 1063276154-3065170753
Opcode ID: c6d715972c75e747e6d7ad7506eebf8b4c41a2b527cd9bc54a775635c050cd0f
Instruction ID: d81c7de5bd030b21af5c52a75e3162b073d887a4de1eb555b8966bd0fb9ec815
Opcode Fuzzy Hash: 4DB012F9A0C9210CE55F44043163004ACF031C1B5F002FD461637827803F86F437631D
Instruction Fuzzy Hash: d81c7de5bd030b21af5c52a75e3162b073d887a4de1eb555b8966bd0fb9ec815

APIs

GetModuleHandleA.KERNEL32(ole32.dll,?,0042EC9A), ref: 0042EC26
GetProcAddress.KERNEL32(00000000,CoWaitForMultipleHandles,ole32.dll,?,0042EC9A), ref: 0042EC37

Strings

CoWaitForMultipleHandles, xrefs: 0042EC31
ole32.dll, xrefs: 0042EC21

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E724, Relevance: 6.2, APIs: 4, Instructions: 198 Total matches: 19

Similarity

Total matches: 19
API ID: NetApiBufferFree$NetShareEnumNetShareGetInfo
String ID:
API String ID: 1922012051-0
Opcode ID: 7e64b2910944434402afba410b58d9b92ec59018d54871fdfc00dd5faf96720b
Instruction ID: 14ccafa2cf6417a1fbed620c270814ec7f2ac7381c92f106b89344cab9500d3f
Opcode Fuzzy Hash: 522148C606BDA0ABF6A3B4C4B447FC182D07B0B96DE486B2290BABD5C20D9521079263
Instruction Fuzzy Hash: 14ccafa2cf6417a1fbed620c270814ec7f2ac7381c92f106b89344cab9500d3f

APIs

Part of subcall function 004032F8: GetCommandLineA.KERNEL32(00000000,00403349,?,?,?,00000000), ref: 0040330F

Part of subcall function 00403358: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,0046E763,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0040337C
Part of subcall function 00403358: GetCommandLineA.KERNEL32(?,?,?,0046E763,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0040338E

NetShareEnum.NETAPI32(?,00000000,?,000000FF,?,?,?,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0046E79C
NetShareGetInfo.NETAPI32(?,?,000001F6,?,00000000,0046E945,?,?,00000000,?,000000FF,?,?,?,00000000,0046E984), ref: 0046E7D5
NetApiBufferFree.NETAPI32(?,?,?,000001F6,?,00000000,0046E945,?,?,00000000,?,000000FF,?,?,?,00000000), ref: 0046E936
NetApiBufferFree.NETAPI32(?,?,00000000,?,000000FF,?,?,?,00000000,0046E984,?,?,?,?,00000000,00000000), ref: 0046E964

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00411444, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: 954335058d5fe722e048a186d9110509c96c1379a47649d8646f5b9e1a2e0a0b
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: 9D014B0327CAAA867021BB004882FA0D2D4DE52A369CD8774DB71593F62780571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004114F3
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041150F
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411586
VariantClear.OLEAUT32(?), ref: 004115AF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040D8AA, Relevance: 6.1, APIs: 4, Instructions: 101 Total matches: 2563

Similarity

Total matches: 2563
API ID: GetModuleFileName$LoadStringVirtualQuery
String ID:
API String ID: 2941097594-0
Opcode ID: 9f707685a8ca2ccbfc71ad53c7f9b5a8f910bda01de382648e3a286d4dcbad8b
Instruction ID: 9b6f9daabaaed01363acd1bc6df000eeaee8c5b1ee04e659690c8b100997f9f3
Opcode Fuzzy Hash: 4C014C024365E386F4234B112882F5492E0DB65DB1E8C6751EFB9503F65F40115EF72D
Instruction Fuzzy Hash: 9b6f9daabaaed01363acd1bc6df000eeaee8c5b1ee04e659690c8b100997f9f3

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040D8C9
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040D8ED
GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040D908
LoadStringA.USER32(00000000,0000FFED,?,00000100), ref: 0040D99E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428848, Relevance: 6.1, APIs: 4, Instructions: 83 Total matches: 2913window

Similarity

Total matches: 2913
API ID: CreateCompatibleDCRealizePaletteSelectObjectSelectPalette
String ID:
API String ID: 3833105616-0
Opcode ID: 7f49dee69bcd38fda082a6c54f39db5f53dba16227df2c2f18840f8cf7895046
Instruction ID: 29ada319a87402adac0eebea4d3b1ef9d21249ffa1523adf5174efdc3c3390a2
Opcode Fuzzy Hash: C0F0E5870BCED49BFCA7D484249722910C2F3C08DFC80A3324E55676DB9604B127A20B
Instruction Fuzzy Hash: 29ada319a87402adac0eebea4d3b1ef9d21249ffa1523adf5174efdc3c3390a2

APIs

Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE

Part of subcall function 00429D5C: GetDC.USER32(00000000), ref: 00429DB2
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429DC7
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00429DD1
Part of subcall function 00429D5C: CreateHalftonePalette.GDI32(00000000), ref: 00429DF5
Part of subcall function 00429D5C: ReleaseDC.USER32(00000000,00000000), ref: 00429E00

CreateCompatibleDC.GDI32(00000000), ref: 0042889D
SelectObject.GDI32(00000000,?), ref: 004288B6
SelectPalette.GDI32(00000000,?,000000FF), ref: 004288DF
RealizePalette.GDI32(00000000), ref: 004288EB

Part of subcall function 00425608: LeaveCriticalSection.KERNEL32(00000038,00000000,00423DD2,00423DE8), ref: 0042560F
Part of subcall function 00425608: EnterCriticalSection.KERNEL32(00499A30,00000038,00000000,00423DD2,00423DE8), ref: 00425619
Part of subcall function 00425608: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000038,00000000,00423DD2,00423DE8), ref: 00425626

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00470B94, Relevance: 6.1, APIs: 4, Instructions: 73 Total matches: 22file

Similarity

Total matches: 22
API ID: DragQueryFile$GlobalLockGlobalUnlock
String ID:
API String ID: 367920443-0
Opcode ID: 498cda1e803d17a6f5118466ea9165dd9226bd8025a920d397bde98fe09ca515
Instruction ID: b8ae27aaf29c7a970dfd4945759f76c89711bef1c6f8db22077be54f479f9734
Opcode Fuzzy Hash: F8F05C830F79E26BD5013A844E0179401A17B03DB8F147BB2D232729DC4E5D409DF60F
Instruction Fuzzy Hash: b8ae27aaf29c7a970dfd4945759f76c89711bef1c6f8db22077be54f479f9734

APIs

Part of subcall function 00431970: GetClipboardData.USER32(00000000), ref: 00431996

GlobalLock.KERNEL32(00000000,00000000,00470C74), ref: 00470BDE
DragQueryFileA.SHELL32(?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470BF0
DragQueryFileA.SHELL32(?,00000000,?,00000105,?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470C10
GlobalUnlock.KERNEL32(00000000,?,000000FF,00000000,00000000,00000000,00000000,00470C74), ref: 00470C56

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00438710, Relevance: 6.1, APIs: 4, Instructions: 72 Total matches: 3034window

Similarity

Total matches: 3034
API ID: GetMenuItemIDGetMenuStateGetMenuStringGetSubMenu
String ID:
API String ID: 4177512249-0
Opcode ID: ecc45265f1f2dfcabc36b66648e37788e83d83d46efca9de613be41cbe9cf08e
Instruction ID: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d
Opcode Fuzzy Hash: BEE020084B1FC552541F0A4A1573F019140E142CB69C3F3635127565B31A255213F776
Instruction Fuzzy Hash: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d

APIs

GetMenuState.USER32(?,?,?), ref: 00438733
GetSubMenu.USER32(?,?), ref: 0043873E
GetMenuItemID.USER32(?,?), ref: 00438757
GetMenuStringA.USER32(?,?,?,?,?), ref: 004387AA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00445518, Relevance: 6.1, APIs: 4, Instructions: 71 Total matches: 218threadwindow

Similarity

Total matches: 218
API ID: GetCurrentProcessIdGetWindowGetWindowThreadProcessIdIsWindowVisible
String ID:
API String ID: 3659984437-0
Opcode ID: 6a2b99e3a66d445235cbeb6ae27631a3038d73fb4110980a8511166327fee1f0
Instruction ID: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8
Opcode Fuzzy Hash: 82E0AB21B2AA28AAE0971541B01939130B3F74ED9ACC0A3626F8594BD92F253809E74F
Instruction Fuzzy Hash: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8

APIs

GetWindow.USER32(?,00000004), ref: 00445528
GetWindowThreadProcessId.USER32(?,?), ref: 00445542
GetCurrentProcessId.KERNEL32(?,00000004), ref: 0044554E
IsWindowVisible.USER32(?), ref: 0044559E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B29C, Relevance: 6.1, APIs: 4, Instructions: 58 Total matches: 214window

Similarity

Total matches: 214
API ID: DeleteObject$GetIconInfoGetObject
String ID:
API String ID: 3019347292-0
Opcode ID: d6af2631bec08fa1cf173fc10c555d988242e386d2638a025981433367bbd086
Instruction ID: 7fbc048e39f9dd6e6db5f40543e5f161b145f4c2f282fe4a446dbd8e1941d375
Opcode Fuzzy Hash: F7D0C283228DE2F7ED767D983A636154085F782297C6423B00444730860A1E700C6A03
Instruction Fuzzy Hash: 7fbc048e39f9dd6e6db5f40543e5f161b145f4c2f282fe4a446dbd8e1941d375

APIs

GetIconInfo.USER32(?,?), ref: 0042B2BD
GetObjectA.GDI32(?,00000018,?), ref: 0042B2DE
DeleteObject.GDI32(?), ref: 0042B30A
DeleteObject.GDI32(?), ref: 0042B313

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00445334, Relevance: 6.1, APIs: 4, Instructions: 56 Total matches: 2678

Similarity

Total matches: 2678
API ID: EnumWindowsGetWindowGetWindowLongSetWindowPos
String ID:
API String ID: 1660305372-0
Opcode ID: c3d012854d63b95cd89c42a77d529bdce0f7c5ea0abc138a70ce1ca7fb0ed027
Instruction ID: 7947c1ee61b3a945b06f79495752ea495d4a1fb36974d9d540e15b721e8a8e8a
Opcode Fuzzy Hash: 65E07D89179DA114F52124400911F043342F3D731BD1ADF814246283E39B8522BBFB8C
Instruction Fuzzy Hash: 7947c1ee61b3a945b06f79495752ea495d4a1fb36974d9d540e15b721e8a8e8a

APIs

EnumWindows.USER32(Function_000452BC), ref: 0044535E
GetWindow.USER32(?,00000003), ref: 00445376
GetWindowLongA.USER32(00000000,000000EC), ref: 00445383
SetWindowPos.USER32(00000000,000000EC,00000000,00000000,00000000,00000000,00000213), ref: 004453C2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004314A0, Relevance: 6.1, APIs: 4, Instructions: 56 Total matches: 21memoryclipboard

Similarity

Total matches: 21
API ID: GlobalAllocGlobalLockGlobalUnlockSetClipboardData
String ID:
API String ID: 3535573752-0
Opcode ID: f0e50475fe096c382d27ee33e947bcf8d55d19edebb1ed8108c2663ee63934e9
Instruction ID: 2742e8ac83e55c90e50d408429e67af57535f67fab21309796ee5989aaacba5e
Opcode Fuzzy Hash: D7E0C250025CF01BF9CA69CD3C97E86D2D2DA402649D46FB58258A78B3222E6049E50B
Instruction Fuzzy Hash: 2742e8ac83e55c90e50d408429e67af57535f67fab21309796ee5989aaacba5e

APIs

GlobalAlloc.KERNEL32(00002002,?,00000000,00431572), ref: 004314CF
GlobalLock.KERNEL32(?,00000000,00431544,?,00002002,?,00000000,00431572), ref: 004314E9
SetClipboardData.USER32(?,?), ref: 00431517
GlobalUnlock.KERNEL32(?,0043153A,?,00000000,00431544,?,00002002,?,00000000,00431572), ref: 0043152D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040A404, Relevance: 6.1, APIs: 4, Instructions: 54 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: c8f11cb17e652d385e55d6399cfebc752614be738e382b5839b86fc73ea86396
Instruction ID: 2e292ce978d1af3d415e66e5b982e49a92b9d84a3d1479b7871fac408542b61b
Opcode Fuzzy Hash: 32D02B030B309613452F157D0441F8D7032488F01A96C2F8C37B77ABA68505605FFE4C
Instruction Fuzzy Hash: 2e292ce978d1af3d415e66e5b982e49a92b9d84a3d1479b7871fac408542b61b

APIs

FindNextFileA.KERNEL32(?,?), ref: 0040A415
GetLastError.KERNEL32(?,?), ref: 0040A41E
FileTimeToLocalFileTime.KERNEL32(?), ref: 0040A434
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 0040A443

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0041C2D4, Relevance: 6.1, APIs: 4, Instructions: 51 Total matches: 4966

Similarity

Total matches: 4966
API ID: FindResourceLoadResourceLockResourceSizeofResource
String ID:
API String ID: 3653323225-0
Opcode ID: 735dd83644160b8dcfdcb5d85422b4d269a070ba32dbf009b7750e227a354687
Instruction ID: 615d07274e164157e3e11310b2f920de543c2506028dc961f8b3aaf64374c2fd
Opcode Fuzzy Hash: 4BD0A90A2268C100582C2C80002BBC610830A5FE226CC27F902231BBC32C026024F8C4
Instruction Fuzzy Hash: 615d07274e164157e3e11310b2f920de543c2506028dc961f8b3aaf64374c2fd

APIs

FindResourceA.KERNEL32(?,?,?), ref: 0041C2EB
LoadResource.KERNEL32(?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C305
SizeofResource.KERNEL32(?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C31F
LockResource.KERNEL32(0041BDF4,00000000,?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000), ref: 0041C329

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040A3AC, Relevance: 6.0, APIs: 4, Instructions: 40 Total matches: 51time

Similarity

Total matches: 51
API ID: DosDateTimeToFileTimeGetLastErrorLocalFileTimeToFileTimeSetFileTime
String ID:
API String ID: 3095628216-0
Opcode ID: dc7fe683cb9960f76d0248ee31fd3249d04fe76d6d0b465a838fe0f3e66d3351
Instruction ID: c3399427300e97a0bf23ec08d7f996c3ab3c22a86554ee3675cd901d102723b3
Opcode Fuzzy Hash: F2C0803B165157D71F4F7D7C600375011F0D1778230955B614E019718D4E05F01EFD86
Instruction Fuzzy Hash: c3399427300e97a0bf23ec08d7f996c3ab3c22a86554ee3675cd901d102723b3

APIs

DosDateTimeToFileTime.KERNEL32(?,0048C37F,?), ref: 0040A3C9
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0040A3DA
SetFileTime.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3EC
GetLastError.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3F5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00484388, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 39

Similarity

Total matches: 39
API ID: CloseHandleGetExitCodeProcessOpenProcessTerminateProcess
String ID:
API String ID: 2790531620-0
Opcode ID: 2f64381cbc02908b23ac036d446d8aeed05bad4df5f4c3da9e72e60ace7043ae
Instruction ID: e830ae185e03603e72926048c7063e7464f7d8c572e36ef4319c937be7ad0c91
Opcode Fuzzy Hash: 5DC01285079EAB7B643571D825437E14084D5026CCB943B7185045F10B4B09B43DF053
Instruction Fuzzy Hash: e830ae185e03603e72926048c7063e7464f7d8c572e36ef4319c937be7ad0c91

APIs

OpenProcess.KERNEL32(00000001,00000000,00000000), ref: 00484393
GetExitCodeProcess.KERNEL32(00000000,?), ref: 004843B7
TerminateProcess.KERNEL32(00000000,?,00000000,004843E0,?,00000001,00000000,00000000), ref: 004843C4
CloseHandle.KERNEL32(00000000), ref: 004843DA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044E254, Relevance: 6.0, APIs: 4, Instructions: 37 Total matches: 5751thread

Similarity

Total matches: 5751
API ID: GetCurrentProcessIdGetPropGetWindowThreadProcessIdGlobalFindAtom
String ID:
API String ID: 142914623-0
Opcode ID: 055fee701d7a26f26194a738d8cffb303ddbdfec43439e02886190190dab2487
Instruction ID: e9689aead5eaf442059aa2d418bca5d111d08576717f72d926dd49825766799b
Opcode Fuzzy Hash: 0AC02203AD2E23870E4202F2E840907219583DF8720CA370201B0E38C023F0461DFF0C
Instruction Fuzzy Hash: e9689aead5eaf442059aa2d418bca5d111d08576717f72d926dd49825766799b

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 0044E261
GetCurrentProcessId.KERNEL32(00000000,?,?,-00000010,00000000,0044E2CC,-000000F7,?,00000000,0044DE86,?,-00000010,?), ref: 0044E26A
GlobalFindAtomA.KERNEL32(00000000), ref: 0044E27F
GetPropA.USER32(00000000,00000000), ref: 0044E296

Part of subcall function 0044D2C0: GetWindowThreadProcessId.USER32(?), ref: 0044D2C6
Part of subcall function 0044D2C0: GetCurrentProcessId.KERNEL32(?,?,?,?,0044D346,?,00000000,?,004387ED,?,004378A9), ref: 0044D2CF
Part of subcall function 0044D2C0: SendMessageA.USER32(?,0000C1C7,00000000,00000000), ref: 0044D2E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444B1C, Relevance: 6.0, APIs: 4, Instructions: 34 Total matches: 2966thread

Similarity

Total matches: 2966
API ID: CreateEventCreateThreadGetCurrentThreadIdSetWindowsHookEx
String ID:
API String ID: 2240124278-0
Opcode ID: 54442a1563c67a11f9aee4190ed64b51599c5b098d388fde65e2e60bb6332aef
Instruction ID: 25b62da08cecef26c395931cea73ffe9b62582a88be241cbb158b3c9ea13de32
Opcode Fuzzy Hash: 37D0C940B0DE75C4F860630138017A90633234BF1BCD1C316480F76041C6CFAEF07A28
Instruction Fuzzy Hash: 25b62da08cecef26c395931cea73ffe9b62582a88be241cbb158b3c9ea13de32

APIs

GetCurrentThreadId.KERNEL32(?,00447A69,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00444B34
SetWindowsHookExA.USER32(00000003,00444AD8,00000000,00000000), ref: 00444B44
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00447A69,?,?,?,?,?,?,?,?,?,?), ref: 00444B5F
CreateThread.KERNEL32(00000000,000003E8,00444A7C,00000000,00000000), ref: 00444B83

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B438, Relevance: 6.0, APIs: 4, Instructions: 29 Total matches: 789

Similarity

Total matches: 789
API ID: GetDCGetTextMetricsReleaseDCSelectObject
String ID:
API String ID: 1769665799-0
Opcode ID: db772d9cc67723a7a89e04e615052b16571c955da3e3b2639a45f22e65d23681
Instruction ID: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3
Opcode Fuzzy Hash: DCC02B935A2888C32DE51FC0940084317C8C0E3A248C62212E13D400727F0C007CBFC0
Instruction Fuzzy Hash: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3

APIs

GetDC.USER32(00000000), ref: 0042B441
SelectObject.GDI32(00000000,018A002E), ref: 0042B453
GetTextMetricsA.GDI32(00000000), ref: 0042B45E
ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042473C, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 172 Total matches: 108

Similarity

Total matches: 108
API ID: CompareStringCreateFontIndirect
String ID: Default
API String ID: 480662435-753088835
Opcode ID: 55710f22f10b58c86f866be5b7f1af69a0ec313069c5af8c9f5cd005ee0f43f8
Instruction ID: ad4a051fb67a15694052d05548e5e2a92b9daedfa5d673be67c756d1cf269a99
Opcode Fuzzy Hash: F6116A2104DDB067F8B3EC94B64A74A79D1BBC5E9EC00FB303AA57198A0B01500EEB0E
Instruction Fuzzy Hash: ad4a051fb67a15694052d05548e5e2a92b9daedfa5d673be67c756d1cf269a99

APIs

Part of subcall function 00423A1C: EnterCriticalSection.KERNEL32(?,00423A59), ref: 00423A20

CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,00424930,?,00000000,00424958), ref: 0042486B
CreateFontIndirectA.GDI32(?), ref: 0042490D

Part of subcall function 0042B438: GetDC.USER32(00000000), ref: 0042B441
Part of subcall function 0042B438: SelectObject.GDI32(00000000,018A002E), ref: 0042B453
Part of subcall function 0042B438: GetTextMetricsA.GDI32(00000000), ref: 0042B45E
Part of subcall function 0042B438: ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Part of subcall function 00423A28: LeaveCriticalSection.KERNEL32(-00000008,00423B07,00423B0F), ref: 00423A2C

Strings

Default, xrefs: 00424832, 00424840, 00424841

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E3F0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103 Total matches: 30

Similarity

Total matches: 30
API ID: SHGetPathFromIDListSHGetSpecialFolderLocation
String ID: .LNK
API String ID: 739551631-2547878182
Opcode ID: 6b91e9416f314731ca35917c4d41f2341f1eaddd7b94683245f35c4551080332
Instruction ID: e6ae6f63a256f5e8788dfe1c4fce17057cd352befa637d7beb5ae1c0f18a968e
Opcode Fuzzy Hash: 9701B543079EC2A3D9232E512D43BA60129AF11E22F4C77F35A3C3A7D11E500105FA4A
Instruction Fuzzy Hash: e6ae6f63a256f5e8788dfe1c4fce17057cd352befa637d7beb5ae1c0f18a968e

APIs

SHGetSpecialFolderLocation.SHELL32(00000000,00000010,?), ref: 0046E44B
SHGetPathFromIDListA.SHELL32(?,?,00000000,00000010,?,00000000,0046E55E), ref: 0046E463

Part of subcall function 0042BE44: CoCreateInstance.OLE32(?,00000000,00000005,0042BF34,00000000), ref: 0042BE8B

Strings

.LNK, xrefs: 0046E4DE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00472C70, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 98 Total matches: 26

Similarity

Total matches: 26
API ID: SetFileAttributes
String ID: I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!$drivers\etc\hosts
API String ID: 3201317690-57959411
Opcode ID: de1fcf5289fd0d37c0d7642ff538b0d3acf26fbf7f5b53187118226b7e9f9585
Instruction ID: 1f69c6cfd5524e6f1e55c33e322de11738733e7ba85079705839c212502733fc
Opcode Fuzzy Hash: C4012B430F74D723D5173D857800B8922764B4A179D4A77F34B3B796E14E45101BF26D
Instruction Fuzzy Hash: 1f69c6cfd5524e6f1e55c33e322de11738733e7ba85079705839c212502733fc

APIs

Part of subcall function 004719C8: GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 004719DF

SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00472DAB,?,00000000,00472DE7), ref: 00472D16

Strings

drivers\etc\hosts, xrefs: 00472CD3, 00472D00
I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!, xrefs: 00472D8D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040C028, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79 Total matches: 3032thread

Similarity

Total matches: 3032
API ID: GetDateFormatGetThreadLocale
String ID: yyyy
API String ID: 358233383-3145165042
Opcode ID: a9ef5bbd8ef47e5bcae7fadb254d6b5dc10943448e4061dc92b10bb97dc7929c
Instruction ID: 3d7ab4add3e8180159f8482215856afc9a1a963464e366b4ca05c92ac214afea
Opcode Fuzzy Hash: 09F09E4A0397D3D76802C969D023BC10194EB5A8B2C88B3B1DBB43D7F74C10C40AAF21
Instruction Fuzzy Hash: 3d7ab4add3e8180159f8482215856afc9a1a963464e366b4ca05c92ac214afea

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,0040C116), ref: 0040C0AE
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100), ref: 0040C0B4

Strings

yyyy, xrefs: 0040C089

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E258, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39 Total matches: 3131

Similarity

Total matches: 3131
API ID: GetSystemMetrics
String ID: GetSystemMetrics
API String ID: 96882338-96882338
Opcode ID: bbc54e4b5041dfa08de2230ef90e8f32e1264c6e24ec09b97715d86cc98d23e9
Instruction ID: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c
Opcode Fuzzy Hash: B4D0A941986AA908E0AF511971A336358D163D2EA0C8C8362308B329EB5741B520AB01
Instruction Fuzzy Hash: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c

APIs

GetSystemMetrics.USER32(?), ref: 0042E2BA

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

GetSystemMetrics.USER32(?), ref: 0042E280

Strings

GetSystemMetrics, xrefs: 0042E268

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Process Name: Filezilla.exe Analysis ID: 39749

General

Root Process Name:	regdrv.exe
Process MD5:	FCE1F1C1BCFD0A5A0C5138D93F919A21
Total matches:	113
Initial Analysis Report:	Open
Initial sample Analysis ID:	39749
Initial sample SHA 256:	CDA1BCBF223CBF292611689EFCBE34943619F24D267118B0DE25F34B15E7F5B0
Initial sample name:	65Transfer Copy.exe

Similar Executed Functions

Function 0048AEA8, Relevance: 9.1, APIs: 6, Instructions: 108 Total matches: 122

Similarity

Total matches: 122
API ID: AdjustTokenPrivilegesCloseHandleGetCurrentProcessGetLastErrorLookupPrivilegeValueOpenProcessToken
String ID:
API String ID: 1655903152-0
Opcode ID: c92d68a2c1c5faafb4a28c396f292a277a37f0b40326d7f586547878ef495775
Instruction ID: 5a044237aac15a3989e4021d08b96f5326c338692d3d0e66e444868dbe789150
Opcode Fuzzy Hash: 2CF0468513CAB2E7F879B18C3042FE73458B323244C8437219A903A18E0E59A12CEB13
Instruction Fuzzy Hash: 5a044237aac15a3989e4021d08b96f5326c338692d3d0e66e444868dbe789150

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AEFF
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF05
LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000), ref: 0048AF77
CloseHandle.KERNEL32(?), ref: 0048AF8D
GetLastError.KERNEL32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF9A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DDE0, Relevance: 7.6, APIs: 5, Instructions: 54 Total matches: 153

Similarity

Total matches: 153
API ID: FindResourceFreeResourceLoadResourceLockResourceSizeofResource
String ID:
API String ID: 3885362348-0
Opcode ID: ef8b8e58cde3d28224df1e0c57da641ab2d3d01fa82feb3a30011b4f31433ee9
Instruction ID: 9990bafbf40e834a260b48e1f62370990a3e04654371271e90c167a58edff6a8
Opcode Fuzzy Hash: 08D02B420B5FA197F51656482C813D722876B43386EC42BF2D31A3B2E39F058039F60B
Instruction Fuzzy Hash: 9990bafbf40e834a260b48e1f62370990a3e04654371271e90c167a58edff6a8

APIs

FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 0048DE1A
LoadResource.KERNEL32(00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE24
SizeofResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE2E
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE36
FreeResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048B908, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 138 Total matches: 28

Similarity

Total matches: 28
API ID: GetTokenInformation$CloseHandleGetCurrentProcessOpenProcessToken
String ID: Default$Full$Limited$unknow
API String ID: 3519712506-3005279702
Opcode ID: c9e83fe5ef618880897256b557ce500f1bf5ac68e7136ff2dc4328b35d11ffd0
Instruction ID: 0b4c06dab34d27ad9d68d80be0f4d698db9405c4a95def130c1ac261927f5781
Opcode Fuzzy Hash: 94012245479DA6FB6826709C78036E90090EEA3505DC827320F1A3EA430F49906DFE03
Instruction Fuzzy Hash: 0b4c06dab34d27ad9d68d80be0f4d698db9405c4a95def130c1ac261927f5781

APIs

GetCurrentProcess.KERNEL32(00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B93E
OpenProcessToken.ADVAPI32(00000000,00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B944
GetTokenInformation.ADVAPI32(?,00000012(TokenIntegrityLevel),?,00000004,?,00000000,0048BA30,?,00000000,00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B96F
GetTokenInformation.ADVAPI32(?,00000014(TokenIntegrityLevel),?,00000004,?,?,TokenIntegrityLevel,?,00000004,?,00000000,0048BA30,?,00000000,00000008,?), ref: 0048B9DF
CloseHandle.KERNEL32(?), ref: 0048BA2A

Strings

unknow, xrefs: 0048B9B6
Limited, xrefs: 0048B9A7
Default, xrefs: 0048B989
Full, xrefs: 0048B998

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004035C4, Relevance: 15.1, APIs: 10, Instructions: 129 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: d538ecb20819965be69077a828496b76d5af3486dd71f6717b9dc933de35fdbc
Instruction ID: c976212507a0127e09b4f1878ff8970bdbefa7b4a5e526d5fabf74a192684bc9
Opcode Fuzzy Hash: DD012BC0B7E89268E42FAB84AA00FD25444979FFC9E70C74433C9615EE6742616CBE09
Instruction Fuzzy Hash: c976212507a0127e09b4f1878ff8970bdbefa7b4a5e526d5fabf74a192684bc9

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040364C
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00403670
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040368C
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 004036AD
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 004036D6
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 004036E4
GetStdHandle.KERNEL32(000000F5), ref: 0040371F
GetFileType.KERNEL32 ref: 00403735
CloseHandle.KERNEL32 ref: 00403750
GetLastError.KERNEL32(000000F5), ref: 00403768

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040EBCC, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201 Total matches: 3634thread

Similarity

Total matches: 3634
API ID: GetThreadLocale
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 1366207816-2493093252
Opcode ID: 01a36ac411dc2f0c4b9eddfafa1dc6121dabec367388c2cb1b6e664117e908cf
Instruction ID: d03f869ccb848d3c28b0e9f5c57a02ed4726818649ba9b5e70cc30c7e7abe10a
Opcode Fuzzy Hash: 7E216E09A7888936D262494C3885B9414F75F1A161EC4CBF18BB2757ED6EC60422FBFB
Instruction Fuzzy Hash: d03f869ccb848d3c28b0e9f5c57a02ed4726818649ba9b5e70cc30c7e7abe10a

APIs

Part of subcall function 0040EB08: GetThreadLocale.KERNEL32 ref: 0040EB2A
Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000004A), ref: 0040EB7D
Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000002A), ref: 0040EB8C

Part of subcall function 0040D3E8: GetThreadLocale.KERNEL32(00000000,0040D4FB,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040D404

GetThreadLocale.KERNEL32(00000000,0040EE97,?,?,00000000,00000000), ref: 0040EC02

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Part of subcall function 0040D380: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040EC7E,00000000,0040EE97,?,?,00000000,00000000), ref: 0040D393

Part of subcall function 0040D670: GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(?,00000000,0040D657,?,?,00000000), ref: 0040D5D8
Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040D657,?,?,00000000), ref: 0040D608
Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D50C,00000000,00000000,00000004), ref: 0040D613
Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040D657,?,?,00000000), ref: 0040D631
Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D548,00000000,00000000,00000003), ref: 0040D63C

Strings

AMPM , xrefs: 0040EE25
mmmm d, yyyy, xrefs: 0040ECFE
m/d/yy, xrefs: 0040ECD1
:mm, xrefs: 0040EE35
:mm:ss, xrefs: 0040EE52
AMPM, xrefs: 0040EE16

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045F5F8, Relevance: 10.6, APIs: 7, Instructions: 117 Total matches: 462file

Similarity

Total matches: 462
API ID: CloseHandle$CreateFileCreateFileMappingGetFileSizeMapViewOfFileUnmapViewOfFile
String ID:
API String ID: 4232242029-0
Opcode ID: 30b260463d44c6b5450ee73c488d4c98762007a87f67d167b52aaf6bd441c3bf
Instruction ID: 5c790fdba87d6d3a28b45298bdc34f72c373fcd78425af207109af52e92f4d8f
Opcode Fuzzy Hash: 68F028440BCCF3A7F4B5B64820427A1004AAB46B58D54BFA25495374CB89C9B04DFB53
Instruction Fuzzy Hash: 5c790fdba87d6d3a28b45298bdc34f72c373fcd78425af207109af52e92f4d8f

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateFileA.KERNEL32(00000000,80000000,00000003,00000000,00000003,08000080,00000000), ref: 0045F637
CreateFileMappingA.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0045F665
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718,?,?,?,?), ref: 0045F691
GetFileSize.KERNEL32(000000FF,00000000,00000000,0045F6DC,?,00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718), ref: 0045F6B3
UnmapViewOfFile.KERNEL32(00000000,0045F6E3,0045F6DC,?,00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718), ref: 0045F6D6
CloseHandle.KERNEL32(00000000), ref: 0045F6F4
CloseHandle.KERNEL32(000000FF), ref: 0045F712

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AFE8, Relevance: 10.6, APIs: 7, Instructions: 94 Total matches: 34sleep

Similarity

Total matches: 34
API ID: Sleep$GetCurrentProcessGetTokenInformationLookupPrivilegeDisplayNameLookupPrivilegeNameOpenProcessToken
String ID:
API String ID: 2949210484-0
Opcode ID: 1294ace95088db967643d611283e857756515b83d680ef470e886f47612abab4
Instruction ID: 080af5cb768fd98714a9d060fcd45c73de1816ca9ba7ffb4874f351f539571ee
Opcode Fuzzy Hash: F9F0F6524B5DE753F65D2A4C9893BE90250DB03424E806B22857877A8A5E195039FA2A
Instruction Fuzzy Hash: 080af5cb768fd98714a9d060fcd45c73de1816ca9ba7ffb4874f351f539571ee

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048B0F3), ref: 0048B016
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048B0F3), ref: 0048B01C
Sleep.KERNEL32(00000001,00000000,00000028,?,00000000,0048B0F3), ref: 0048B027
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B03C
Sleep.KERNEL32(00000001,?,TokenIntegrityLevel,00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B047
LookupPrivilegeNameA.ADVAPI32(00000000,00000004,00000000,000000FF), ref: 0048B094
LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,?,000000FF,?), ref: 0048B0A8

Part of subcall function 0048AEA8: GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AEFF
Part of subcall function 0048AEA8: OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF05
Part of subcall function 0048AEA8: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
Part of subcall function 0048AEA8: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000), ref: 0048AF77
Part of subcall function 0048AEA8: CloseHandle.KERNEL32(?), ref: 0048AF8D
Part of subcall function 0048AEA8: GetLastError.KERNEL32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF9A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B47C, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58 Total matches: 283

Similarity

Total matches: 283
API ID: MulDiv
String ID: MS Shell Dlg 2$SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes$Tahoma
API String ID: 940359406-1011973972
Opcode ID: 9f338f1e3de2c8e95426f3758bdd42744a67dcd51be80453ed6f2017c850a3af
Instruction ID: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a
Opcode Fuzzy Hash: EDE0680017C8F0ABFC32BC8A30A17CD20C9F341270C0063B1065D3D8CAAB4AC018E907
Instruction Fuzzy Hash: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a

APIs

MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0042B4A2

Part of subcall function 004217A0: RegCloseKey.ADVAPI32(10940000,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5,?,00000000,0048B2DD), ref: 004217B4

Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421A81
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421AF1
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?), ref: 00421B5C

Part of subcall function 00421770: RegFlushKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 00421781
Part of subcall function 00421770: RegCloseKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 0042178A

Part of subcall function 0042B438: GetDC.USER32(00000000), ref: 0042B441
Part of subcall function 0042B438: SelectObject.GDI32(00000000,018A002E), ref: 0042B453
Part of subcall function 0042B438: GetTextMetricsA.GDI32(00000000), ref: 0042B45E
Part of subcall function 0042B438: ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes, xrefs: 0042B4F8
MS Shell Dlg 2, xrefs: 0042B50C
Tahoma, xrefs: 0042B4C4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048CF38, Relevance: 4.5, APIs: 3, Instructions: 43 Total matches: 31

Similarity

Total matches: 31
API ID: GetForegroundWindowGetWindowTextGetWindowTextLength
String ID:
API String ID: 3098183346-0
Opcode ID: 209e0569b9b6198440fd91fa0607dca7769e34364d6ddda49eba559da13bc80b
Instruction ID: 91d0bfb2ef12b00d399625e8c88d0df52cd9c99a94677dcfff05ce23f9c63a23
Opcode Fuzzy Hash: 06D0A785074B861BA40A96CC64011E692906161142D8077318725BA5C9AD06001FA85B
Instruction Fuzzy Hash: 91d0bfb2ef12b00d399625e8c88d0df52cd9c99a94677dcfff05ce23f9c63a23

APIs

GetForegroundWindow.USER32 ref: 0048CF57
GetWindowTextLengthA.USER32(00000000), ref: 0048CF63
GetWindowTextA.USER32(00000000,00000000,00000001), ref: 0048CF80

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482028, Relevance: 4.5, APIs: 3, Instructions: 19 Total matches: 124window

Similarity

Total matches: 124
API ID: DispatchMessageGetMessageTranslateMessage
String ID:
API String ID: 238847732-0
Opcode ID: 2bc29e822e5a19ca43f9056ef731e5d255ca23f22894fa6ffe39914f176e67d0
Instruction ID: 3635f244085e73605198e4edd337f824154064b4cabe78c039b45d2f1f3269be
Opcode Fuzzy Hash: A9B0120F8141E01F254D19651413380B5D379C3120E515B604E2340284D19031C97C49
Instruction Fuzzy Hash: 3635f244085e73605198e4edd337f824154064b4cabe78c039b45d2f1f3269be

APIs

Part of subcall function 00481ED8: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00482007,?,?,00000003,00000000,00000000,?,00482033), ref: 00481EFB
Part of subcall function 00481ED8: SetWindowsHookExA.USER32(0000000D,004818F8,00000000,00000000), ref: 00481F09

TranslateMessage.USER32 ref: 00482036
DispatchMessageA.USER32 ref: 0048203C
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00482048

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Similar Non-Executed Functions

Function 0048B42C, Relevance: 70.2, APIs: 32, Strings: 8, Instructions: 219 Total matches: 29keyboard

Similarity

Total matches: 29
API ID: keybd_event
String ID: CTRLA$CTRLC$CTRLF$CTRLP$CTRLV$CTRLX$CTRLY$CTRLZ
API String ID: 2665452162-853614746
Opcode ID: 4def22f753c7f563c1d721fcc218f3f6eb664e5370ee48361dbc989d32d74133
Instruction ID: 963b610819eac8b52ef880b5a8b69d76f76adbdeafee6c47af906d1515d6b099
Opcode Fuzzy Hash: 532196951B0CA2B978DA64817C0E195F00B969B34DEDC13128990DAF788EF08DE03F35
Instruction Fuzzy Hash: 963b610819eac8b52ef880b5a8b69d76f76adbdeafee6c47af906d1515d6b099

APIs

keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B460
keybd_event.USER32(00000041,00000045,00000001,00000000), ref: 0048B46D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B47A
keybd_event.USER32(00000041,00000045,00000003,00000000), ref: 0048B487
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B4A8
keybd_event.USER32(00000056,00000045,00000001,00000000), ref: 0048B4B5
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B4C2
keybd_event.USER32(00000056,00000045,00000003,00000000), ref: 0048B4CF
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B4F0
keybd_event.USER32(00000043,00000045,00000001,00000000), ref: 0048B4FD
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B50A
keybd_event.USER32(00000043,00000045,00000003,00000000), ref: 0048B517
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B538
keybd_event.USER32(00000058,00000045,00000001,00000000), ref: 0048B545
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B552
keybd_event.USER32(00000058,00000045,00000003,00000000), ref: 0048B55F
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B580
keybd_event.USER32(00000050,00000045,00000001,00000000), ref: 0048B58D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B59A
keybd_event.USER32(00000050,00000045,00000003,00000000), ref: 0048B5A7
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B5C8
keybd_event.USER32(0000005A,00000045,00000001,00000000), ref: 0048B5D5
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B5E2
keybd_event.USER32(0000005A,00000045,00000003,00000000), ref: 0048B5EF
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B610
keybd_event.USER32(00000059,00000045,00000001,00000000), ref: 0048B61D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B62A
keybd_event.USER32(00000059,00000045,00000003,00000000), ref: 0048B637
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B655
keybd_event.USER32(00000046,00000045,00000001,00000000), ref: 0048B662
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B66F
keybd_event.USER32(00000046,00000045,00000003,00000000), ref: 0048B67C

Strings

CTRLP, xrefs: 0048B56C
CTRLC, xrefs: 0048B4DC
CTRLV, xrefs: 0048B494
CTRLY, xrefs: 0048B5FC
CTRLF, xrefs: 0048B641
CTRLZ, xrefs: 0048B5B4
CTRLX, xrefs: 0048B524
CTRLA, xrefs: 0048B44C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00460AC0, Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99 Total matches: 300libraryloader

Similarity

Total matches: 300
API ID: GetProcAddress$GetModuleHandle
String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$[FILE]
API String ID: 1039376941-2682310058
Opcode ID: f09c306a48b0de2dd47c8210d3bd2ba449cfa3644c05cf78ba5a2ace6c780295
Instruction ID: bcfc9cd07546656776842482fc67dab96c7523a4dc8624f3bf5282ed84c56a54
Opcode Fuzzy Hash: 950151BF00AC158CCBB0CE8834EFB5324AB398984C4225F4495C6312393D9FF50A1AAA
Instruction Fuzzy Hash: bcfc9cd07546656776842482fc67dab96c7523a4dc8624f3bf5282ed84c56a54

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?,?,?), ref: 00460AD4
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?,?,?), ref: 00460AEC
GetProcAddress.KERNEL32(00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?), ref: 00460AFE
GetProcAddress.KERNEL32(00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E), ref: 00460B10
GetProcAddress.KERNEL32(00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5), ref: 00460B22
GetProcAddress.KERNEL32(00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5), ref: 00460B34
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000), ref: 00460B46
GetProcAddress.KERNEL32(00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002), ref: 00460B58
GetProcAddress.KERNEL32(00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot), ref: 00460B6A
GetProcAddress.KERNEL32(00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst), ref: 00460B7C
GetProcAddress.KERNEL32(00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext), ref: 00460B8E
GetProcAddress.KERNEL32(00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First), ref: 00460BA0
GetProcAddress.KERNEL32(00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next), ref: 00460BB2
GetProcAddress.KERNEL32(00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory), ref: 00460BC4
GetProcAddress.KERNEL32(00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First), ref: 00460BD6
GetProcAddress.KERNEL32(00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next), ref: 00460BE8
GetProcAddress.KERNEL32(00000000,Module32NextW,00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW), ref: 00460BFA

Strings

Toolhelp32ReadProcessMemory, xrefs: 00460B3E
CreateToolhelp32Snapshot, xrefs: 00460AE4
Heap32First, xrefs: 00460B1A
Thread32First, xrefs: 00460B98
Module32First, xrefs: 00460BBC
Process32FirstW, xrefs: 00460B74
Heap32Next, xrefs: 00460B2C
Process32First, xrefs: 00460B50
Module32Next, xrefs: 00460BCE
Module32NextW, xrefs: 00460BF2
Heap32ListFirst, xrefs: 00460AF6
Thread32Next, xrefs: 00460BAA
Module32FirstW, xrefs: 00460BE0
Heap32ListNext, xrefs: 00460B08
Process32NextW, xrefs: 00460B86
kernel32.dll, xrefs: 00460ACF
Process32Next, xrefs: 00460B62

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428B08, Relevance: 48.5, APIs: 32, Instructions: 500 Total matches: 1987window

Similarity

Total matches: 1987
API ID: SelectObject$SelectPalette$CreateCompatibleDCGetDIBitsGetDeviceCapsRealizePaletteSetBkColorSetTextColor$BitBltCreateBitmapCreateCompatibleBitmapCreateDIBSectionDeleteDCFillRectGetDCGetDIBColorTableGetObjectPatBltSetDIBColorTable
String ID:
API String ID: 3042800676-0
Opcode ID: b8b687cee1c9a2d9d2f26bc490dbdcc6ec68fc2f2ec1aa58312beb2e349b1411
Instruction ID: ff68489d249ea03a763d48795c58495ac11dd1cccf96ec934182865f2a9e2114
Opcode Fuzzy Hash: E051494D0D8CF5C7B4BF29880993F5211816F83A27D2AB7130975677FB8A05A05BF21D
Instruction Fuzzy Hash: ff68489d249ea03a763d48795c58495ac11dd1cccf96ec934182865f2a9e2114

APIs

GetObjectA.GDI32(00000000,00000054,?), ref: 00428B88
GetDC.USER32(00000000), ref: 00428B99
CreateCompatibleDC.GDI32(00000000), ref: 00428BAA
CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 00428BF6
CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 00428C1A
GetDeviceCaps.GDI32(00000028,0000000C), ref: 00428C6A
GetDeviceCaps.GDI32(00000028,0000000E), ref: 00428C77
SelectObject.GDI32(?,?), ref: 00428D7F

Part of subcall function 004262B4: GetObjectA.GDI32(?,00000004), ref: 004262CB
Part of subcall function 004262B4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 004262EE

SelectObject.GDI32(?,00000000), ref: 00428D21
GetDIBColorTable.GDI32(?,00000000,00000100,-00000027), ref: 00428D47
GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428D72
CreateDIBSection.GDI32(00000028,00000001,00000000,00000003,00000000,00000000), ref: 00428DD5
GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428E36

Part of subcall function 00425A70: GetLastError.KERNEL32(00000000,00425B0C), ref: 00425A90
Part of subcall function 00425A70: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00425B0C), ref: 00425AB6

SelectObject.GDI32(?,?), ref: 00428E77
SelectPalette.GDI32(?,00000000,00000000), ref: 00428EB7
RealizePalette.GDI32(?), ref: 00428EC3
SelectPalette.GDI32(?,?,000000FF), ref: 004290CE

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?,00000000), ref: 00428F14
SetTextColor.GDI32(?,00000000), ref: 00428F2C
SetBkColor.GDI32(?,00000000), ref: 00428F46
SetDIBColorTable.GDI32(?,00000000,00000002,?), ref: 00428F8E
PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 00428FB0
CreateCompatibleDC.GDI32(00000028), ref: 00428FC3
SelectObject.GDI32(?,00000000), ref: 00428FE6
SelectPalette.GDI32(?,00000000,00000000), ref: 00429002
RealizePalette.GDI32(?), ref: 0042900D
DeleteDC.GDI32(?), ref: 004290A4

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetTextColor.GDI32(?,00000000), ref: 0042902B
SetBkColor.GDI32(?,00000000), ref: 00429045
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042906D
SelectPalette.GDI32(?,00000000,000000FF), ref: 0042907F
SelectObject.GDI32(?,00000000), ref: 00429089

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00458910, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64 Total matches: 3020window

Similarity

Total matches: 3020
API ID: GetWindowLongScreenToClient$GetWindowPlacementGetWindowRectIsIconic
String ID: ,
API String ID: 816554555-3772416878
Opcode ID: 33713ad712eb987f005f3c933c072ce84ce87073303cb20338137d5b66c4d54f
Instruction ID: 99fb2dd3f2d8984d329dcc6a20dc6bc7800d43894b91fc45d581d88d3a180e50
Opcode Fuzzy Hash: 34E0929A777C2018C58145A80943F5DB3519B5B7FAC55DF8036902895B110018B1B86D
Instruction Fuzzy Hash: 99fb2dd3f2d8984d329dcc6a20dc6bc7800d43894b91fc45d581d88d3a180e50

APIs

IsIconic.USER32(?), ref: 0045891F
GetWindowPlacement.USER32(?,0000002C), ref: 0045893C
GetWindowRect.USER32(?), ref: 00458955
GetWindowLongA.USER32(?,000000F0), ref: 00458963
GetWindowLongA.USER32(?,000000F8), ref: 00458978
ScreenToClient.USER32(00000000), ref: 00458985
ScreenToClient.USER32(00000000,?), ref: 00458990

Strings

,, xrefs: 00458928

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043B7D8, Relevance: 12.1, APIs: 8, Instructions: 72 Total matches: 256window

Similarity

Total matches: 256
API ID: ShowWindow$SetWindowLong$GetWindowLongIsIconicIsWindowVisible
String ID:
API String ID: 1329766111-0
Opcode ID: 851ee31c2da1c7e890e66181f8fd9237c67ccb8fd941b2d55d1428457ca3ad95
Instruction ID: 2d601e2c9dde570a1438639cb57e59d23a7ac9434ebe8ec1c9926e4533b8e8e7
Opcode Fuzzy Hash: FEE0684A6E7C6CE4E26AE7048881B00514BE307A17DC00B00C722165A69E8830E4AC8E
Instruction Fuzzy Hash: 2d601e2c9dde570a1438639cb57e59d23a7ac9434ebe8ec1c9926e4533b8e8e7

APIs

GetWindowLongA.USER32(?,000000EC), ref: 0043B7E8
IsIconic.USER32(?), ref: 0043B800
IsWindowVisible.USER32(?), ref: 0043B80C
ShowWindow.USER32(?,00000000), ref: 0043B840
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B855
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B866
ShowWindow.USER32(?,00000006), ref: 0043B881
ShowWindow.USER32(?,00000005), ref: 0043B88B

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004389B4, Relevance: 10.9, APIs: 7, Instructions: 405 Total matches: 2150windowCrypto

Similarity

Total matches: 2150
API ID: RestoreDCSaveDC$DefWindowProcGetSubMenuGetWindowDC
String ID:
API String ID: 4165311318-0
Opcode ID: e3974ea3235f2bde98e421c273a503296059dbd60f3116d5136c6e7e7c4a4110
Instruction ID: 37498faecac08611daeb58a409bdd2e28f3aff22c71556953c3d6c7203dc42a1
Opcode Fuzzy Hash: E351598106AE105BFCB3A49435C3FA31002E75259BCC9F7725F65B69F70A426107FA0E
Instruction Fuzzy Hash: 37498faecac08611daeb58a409bdd2e28f3aff22c71556953c3d6c7203dc42a1

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 00438ECA

Part of subcall function 00437AE0: SendMessageA.USER32(?,00000234,00000000,00000000), ref: 00437B66
Part of subcall function 00437AE0: DrawMenuBar.USER32(00000000), ref: 00437B77

GetSubMenu.USER32(?,?), ref: 00438AB0

Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128

SaveDC.GDI32(?), ref: 00438C84
RestoreDC.GDI32(?,?), ref: 00438CF8
GetWindowDC.USER32(?), ref: 00438D72
SaveDC.GDI32(?), ref: 00438DA9
RestoreDC.GDI32(?,?), ref: 00438E16

Part of subcall function 00438594: GetMenuItemCount.USER32(?), ref: 004385C0
Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 004385E0
Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 00438678

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043E644, Relevance: 10.9, APIs: 7, Instructions: 356 Total matches: 105windowCrypto

Similarity

Total matches: 105
API ID: RestoreDCSaveDC$GetParentGetWindowDCSetFocus
String ID:
API String ID: 1433148327-0
Opcode ID: c7c51054c34f8cc51c1d37cc0cdfc3fb3cac56433bd5d750a0ee7df42f9800ec
Instruction ID: 9e67841575b56d9a11e2d3f15b67e7abce699d8469a9871b1b2609441fc85f19
Opcode Fuzzy Hash: 60514740199E7193F47720842BC3BEAB09AF79671DC40F3616BC6318877F15A21AB70B
Instruction Fuzzy Hash: 9e67841575b56d9a11e2d3f15b67e7abce699d8469a9871b1b2609441fc85f19

APIs

Part of subcall function 00448224: SetActiveWindow.USER32(?), ref: 0044823F
Part of subcall function 00448224: SetFocus.USER32(00000000), ref: 00448289

SetFocus.USER32(00000000), ref: 0043E76F

Part of subcall function 0043F4F4: SendMessageA.USER32(00000000,00000229,00000000,00000000), ref: 0043F51B

Part of subcall function 0044D2F4: GetWindowThreadProcessId.USER32(?), ref: 0044D301
Part of subcall function 0044D2F4: GetCurrentProcessId.KERNEL32(?,00000000,?,004387ED,?,004378A9), ref: 0044D30A
Part of subcall function 0044D2F4: GlobalFindAtomA.KERNEL32(00000000), ref: 0044D31F
Part of subcall function 0044D2F4: GetPropA.USER32(?,00000000), ref: 0044D336

GetParent.USER32(?), ref: 0043E78A

Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128

SaveDC.GDI32(?), ref: 0043E92D
RestoreDC.GDI32(?,?), ref: 0043E99E
GetWindowDC.USER32(00000000), ref: 0043EA0A
SaveDC.GDI32(?), ref: 0043EA41
RestoreDC.GDI32(?,?), ref: 0043EAA5

Part of subcall function 00447EF0: InvalidateRect.USER32(00000000,00000000,000000FF), ref: 00447F83
Part of subcall function 00447EF0: InvalidateRect.USER32(00000000,00000000,000000FF), ref: 00447FB6

Part of subcall function 004556F4: SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000077), ref: 004557E5
Part of subcall function 004556F4: _TrackMouseEvent.COMCTL32(00000010), ref: 00455A9D
Part of subcall function 004556F4: DefWindowProcA.USER32(00000000,?,?,?), ref: 00455AEF
Part of subcall function 004556F4: GetCapture.USER32 ref: 00455B5A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00471850, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 97 Total matches: 34service

Similarity

Total matches: 34
API ID: CloseServiceHandle$CreateServiceOpenSCManager
String ID: Description$System\CurrentControlSet\Services\
API String ID: 2405299899-3489731058
Opcode ID: 96e252074fe1f6aca618bd4c8be8348df4b99afc93868a54bf7090803d280f0a
Instruction ID: 14b9cf690ce9596509c6229b802a5a61d158de39c8e329de654368bbb4824ff8
Opcode Fuzzy Hash: 7EF09E441FA6E84FA45EB84828533D651465713A78D4C77F19778379C34E84802EF662
Instruction Fuzzy Hash: 14b9cf690ce9596509c6229b802a5a61d158de39c8e329de654368bbb4824ff8

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,00471976,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00471890
CreateServiceA.ADVAPI32(00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,0047193B), ref: 004718D1

Part of subcall function 004711E8: RegCreateKeyA.ADVAPI32(?,00000000,?), ref: 0047122E
Part of subcall function 004711E8: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000002,00000000,?,00000000,00471291), ref: 0047125A
Part of subcall function 004711E8: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000002,00000000,?,00000000,00471291), ref: 00471269

CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00471926
CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0047192C

Strings

Description, xrefs: 00471916
System\CurrentControlSet\Services\, xrefs: 004718F7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004714B8, Relevance: 10.6, APIs: 7, Instructions: 89 Total matches: 71service

Similarity

Total matches: 71
API ID: CloseServiceHandle$ControlServiceOpenSCManagerOpenServiceQueryServiceStatusStartService
String ID:
API String ID: 3657116338-0
Opcode ID: 1e9d444eec48d0e419340f6fec950ff588b94c8e7592a950f99d2ba7664d31f8
Instruction ID: f731b938185626ba78ad74946a73eac4c40bc8709c87a2b6d5c22da45b1e1850
Opcode Fuzzy Hash: EDF0270D12C6E85FF119A88C1181B67D992DF56795E4A37E04715744CB1AE21008FA1E
Instruction Fuzzy Hash: f731b938185626ba78ad74946a73eac4c40bc8709c87a2b6d5c22da45b1e1850

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047159E), ref: 004714FD
OpenServiceA.ADVAPI32(00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047152D
StartServiceA.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471555
ControlService.ADVAPI32(00000000,00000001,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471563
QueryServiceStatus.ADVAPI32(00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047156D
CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471573
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471579

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A070, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51 Total matches: 81shutdown

Similarity

Total matches: 81
API ID: AdjustTokenPrivilegesExitWindowsExGetCurrentProcessLookupPrivilegeValueOpenProcessToken
String ID: SeShutdownPrivilege
API String ID: 907618230-3733053543
Opcode ID: 6325c351eeb4cc5a7ec0039467aea46e8b54e3429b17674810d590d1af91e24f
Instruction ID: 66577e1e564058a64f67eda116e8e082f314cb3670dbe1b8773e92ba7f33d392
Opcode Fuzzy Hash: 84D0124D3B7976B1F31D5D4001C47A6711FDBA322AD61670069507725A8DA091F4BE88
Instruction Fuzzy Hash: 66577e1e564058a64f67eda116e8e082f314cb3670dbe1b8773e92ba7f33d392

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 0048A083
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0048A089
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000000), ref: 0048A0A4
AdjustTokenPrivileges.ADVAPI32(00000002,00000000,00000002,00000010,?,?,00000000), ref: 0048A0E5
ExitWindowsEx.USER32(00000012,00000000), ref: 0048A0ED

Strings

SeShutdownPrivilege, xrefs: 0048A09D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004715B0, Relevance: 7.5, APIs: 5, Instructions: 49 Total matches: 102service

Similarity

Total matches: 102
API ID: CloseServiceHandle$DeleteServiceOpenSCManagerOpenService
String ID:
API String ID: 3460840894-0
Opcode ID: edfa3289dfdb26ec1f91a4a945de349b204e0a604ed3354c303b362bde8b8223
Instruction ID: 514bcffe4070602af344c66095507f6a8d55ec3e3e7bb18c804bf3b7deea95f5
Opcode Fuzzy Hash: 01D02E841BA8F82FD4879988111239360C1AA23A90D8A37F08E08361D3ABE4004CF86A
Instruction Fuzzy Hash: 514bcffe4070602af344c66095507f6a8d55ec3e3e7bb18c804bf3b7deea95f5

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047162F), ref: 004715DB
OpenServiceA.ADVAPI32(00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 004715F5
DeleteService.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471601
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 0047160E
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471614

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A218, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45 Total matches: 35

Similarity

Total matches: 35
API ID: ShellExecuteEx
String ID: <$runas
API String ID: 188261505-1187129395
Opcode ID: 78fd917f465efea932f782085a819b786d64ecbded851ad2becd4a9c2b295cba
Instruction ID: 699417cfffd9d2823bf050fc300394e0ca4864bf277244f982f3937778f2d3bc
Opcode Fuzzy Hash: 44D0C2651799A06BC4A3B2C03C41B2B25307B13B48C0EB722960034CD38F080009EF85
Instruction Fuzzy Hash: 699417cfffd9d2823bf050fc300394e0ca4864bf277244f982f3937778f2d3bc

APIs

ShellExecuteExA.SHELL32(0000003C,00000000,0048A2A4), ref: 0048A283

Strings

runas, xrefs: 0048A268
<, xrefs: 0048A24C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00471640, Relevance: 4.6, APIs: 3, Instructions: 140 Total matches: 47service

Similarity

Total matches: 47
API ID: CloseServiceHandleEnumServicesStatusOpenSCManager
String ID:
API String ID: 233299287-0
Opcode ID: 185c547a2e6a35dbb7ea54b3dd23c7efef250d35a63269c87f9c499be03b9b38
Instruction ID: 4325fe5331610a1e4ee3b19dd885bf5302e7ab4f054d8126da991c50fe425a8d
Opcode Fuzzy Hash: D3112647077BC223FB612D841803F8279D84B1AA24F8C4B458BB5BC6F61E490105F69D
Instruction Fuzzy Hash: 4325fe5331610a1e4ee3b19dd885bf5302e7ab4f054d8126da991c50fe425a8d

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000005,00000000,00471828), ref: 004716A2
EnumServicesStatusA.ADVAPI32(00000000,0000013F,00000003,?,00004800,?,?,?), ref: 004716DC

Part of subcall function 004714B8: OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047159E), ref: 004714FD
Part of subcall function 004714B8: OpenServiceA.ADVAPI32(00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047152D
Part of subcall function 004714B8: StartServiceA.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471555
Part of subcall function 004714B8: ControlService.ADVAPI32(00000000,00000001,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471563
Part of subcall function 004714B8: QueryServiceStatus.ADVAPI32(00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047156D
Part of subcall function 004714B8: CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471573
Part of subcall function 004714B8: CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471579

CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000005,00000000,00471828), ref: 00471805

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042F204, Relevance: 166.5, APIs: 48, Strings: 47, Instructions: 266 Total matches: 2590libraryloader

Similarity

Total matches: 2590
API ID: GetProcAddress$LoadLibrary
String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$[FILE]
API String ID: 2209490600-790253602
Opcode ID: d5b316937265a1d63c550ac9e6780b23ae603b9b00a4eb52bbd2495b45327185
Instruction ID: cdd6db89471e363eb0c024dafd59dce8bdfa3de864d9ed8bc405e7c292d3cab1
Opcode Fuzzy Hash: 3A41197F44EC1149F6A0DA0830FF64324E669EAF2C0325F101587303717ADBF52A6AB9
Instruction Fuzzy Hash: cdd6db89471e363eb0c024dafd59dce8bdfa3de864d9ed8bc405e7c292d3cab1

APIs

LoadLibraryA.KERNEL32(uxtheme.dll), ref: 0042F23A
GetProcAddress.KERNEL32(00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F252
GetProcAddress.KERNEL32(00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F264
GetProcAddress.KERNEL32(00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F276
GetProcAddress.KERNEL32(00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F288
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F29A
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F2AC
GetProcAddress.KERNEL32(00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000), ref: 0042F2BE
GetProcAddress.KERNEL32(00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData), ref: 0042F2D0
GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData), ref: 0042F2E2
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground), ref: 0042F2F4
GetProcAddress.KERNEL32(00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText), ref: 0042F306
GetProcAddress.KERNEL32(00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect), ref: 0042F318
GetProcAddress.KERNEL32(00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect), ref: 0042F32A
GetProcAddress.KERNEL32(00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize), ref: 0042F33C
GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent), ref: 0042F34E
GetProcAddress.KERNEL32(00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics), ref: 0042F360
GetProcAddress.KERNEL32(00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion), ref: 0042F372
GetProcAddress.KERNEL32(00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground), ref: 0042F384
GetProcAddress.KERNEL32(00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge), ref: 0042F396
GetProcAddress.KERNEL32(00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon), ref: 0042F3A8
GetProcAddress.KERNEL32(00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined), ref: 0042F3BA
GetProcAddress.KERNEL32(00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent), ref: 0042F3CC
GetProcAddress.KERNEL32(00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor), ref: 0042F3DE
GetProcAddress.KERNEL32(00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric), ref: 0042F3F0
GetProcAddress.KERNEL32(00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString), ref: 0042F402
GetProcAddress.KERNEL32(00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool), ref: 0042F414
GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt), ref: 0042F426
GetProcAddress.KERNEL32(00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue), ref: 0042F438
GetProcAddress.KERNEL32(00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition), ref: 0042F44A
GetProcAddress.KERNEL32(00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont), ref: 0042F45C
GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect), ref: 0042F46E
GetProcAddress.KERNEL32(00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins), ref: 0042F480
GetProcAddress.KERNEL32(00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList), ref: 0042F492
GetProcAddress.KERNEL32(00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin), ref: 0042F4A4
GetProcAddress.KERNEL32(00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme), ref: 0042F4B6
GetProcAddress.KERNEL32(00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename), ref: 0042F4C8
GetProcAddress.KERNEL32(00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor), ref: 0042F4DA
GetProcAddress.KERNEL32(00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush), ref: 0042F4EC
GetProcAddress.KERNEL32(00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool), ref: 0042F4FE
GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize), ref: 0042F510
GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont), ref: 0042F522
GetProcAddress.KERNEL32(00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString), ref: 0042F534
GetProcAddress.KERNEL32(00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt), ref: 0042F546
GetProcAddress.KERNEL32(00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive), ref: 0042F558
GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed), ref: 0042F56A
GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground,00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme), ref: 0042F57C
GetProcAddress.KERNEL32(00000000,EnableTheming,00000000,DrawThemeParentBackground,00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture), ref: 0042F58E

Strings

EnableTheming, xrefs: 0042F586
CloseThemeData, xrefs: 0042F25C
DrawThemeText, xrefs: 0042F280
GetThemePosition, xrefs: 0042F3C4
IsThemeBackgroundPartiallyTransparent, xrefs: 0042F346
GetThemeBool, xrefs: 0042F38E
GetThemeTextMetrics, xrefs: 0042F2DA
IsThemeDialogTextureEnabled, xrefs: 0042F51A
GetThemeMetric, xrefs: 0042F36A
GetThemeSysInt, xrefs: 0042F4C0
GetThemeInt, xrefs: 0042F3A0
SetThemeAppProperties, xrefs: 0042F53E
IsAppThemed, xrefs: 0042F4E4
EnableThemeDialogTexture, xrefs: 0042F508
GetThemeEnumValue, xrefs: 0042F3B2
GetThemeSysSize, xrefs: 0042F48A
GetThemeTextExtent, xrefs: 0042F2C8
DrawThemeBackground, xrefs: 0042F26E
GetThemeBackgroundRegion, xrefs: 0042F2EC
IsThemeActive, xrefs: 0042F4D2
GetThemeBackgroundContentRect, xrefs: 0042F292, 0042F2A4
uxtheme.dll, xrefs: 0042F235
GetThemeSysString, xrefs: 0042F4AE
DrawThemeEdge, xrefs: 0042F310
GetThemeFilename, xrefs: 0042F442
GetThemeIntList, xrefs: 0042F40C
GetThemeSysBool, xrefs: 0042F478
GetThemeSysColor, xrefs: 0042F454
GetThemeFont, xrefs: 0042F3D6
GetWindowTheme, xrefs: 0042F4F6
GetThemeMargins, xrefs: 0042F3FA
GetThemeSysColorBrush, xrefs: 0042F466
GetCurrentThemeName, xrefs: 0042F550
GetThemeAppProperties, xrefs: 0042F52C
GetThemePropertyOrigin, xrefs: 0042F41E
OpenThemeData, xrefs: 0042F24A
GetThemeSysFont, xrefs: 0042F49C
GetThemeRect, xrefs: 0042F3E8
GetThemeDocumentationProperty, xrefs: 0042F562
IsThemePartDefined, xrefs: 0042F334
SetWindowTheme, xrefs: 0042F430
GetThemePartSize, xrefs: 0042F2B6
GetThemeColor, xrefs: 0042F358
DrawThemeParentBackground, xrefs: 0042F574
DrawThemeIcon, xrefs: 0042F322
GetThemeString, xrefs: 0042F37C
HitTestThemeBackground, xrefs: 0042F2FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00460DDC, Relevance: 75.4, APIs: 24, Strings: 19, Instructions: 132 Total matches: 77libraryloader

Similarity

Total matches: 77
API ID: GetProcAddress$LoadLibrary
String ID: EmptyWorkingSet$EnumDeviceDrivers$EnumProcessModules$EnumProcesses$GetDeviceDriverBaseNameA$GetDeviceDriverBaseNameW$GetDeviceDriverFileNameA$GetDeviceDriverFileNameW$GetMappedFileNameA$GetMappedFileNameW$GetModuleBaseNameA$GetModuleBaseNameW$GetModuleFileNameExA$GetModuleFileNameExW$GetModuleInformation$GetProcessMemoryInfo$InitializeProcessForWsWatch$[FILE]$QueryWorkingSet
API String ID: 2209490600-4166134900
Opcode ID: aaefed414f62a40513f9ac2234ba9091026a29d00b8defe743cdf411cc1f958a
Instruction ID: 585c55804eb58d57426aaf25b5bf4c27b161b10454f9e43d23d5139f544de849
Opcode Fuzzy Hash: CC1125BF55AD1149CBA48A6C34EF70324D3399A90D4228F10A492317397DDFE49A1FB5
Instruction Fuzzy Hash: 585c55804eb58d57426aaf25b5bf4c27b161b10454f9e43d23d5139f544de849

APIs

LoadLibraryA.KERNEL32(PSAPI.dll), ref: 00460DF0
GetProcAddress.KERNEL32(00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E0C
GetProcAddress.KERNEL32(00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E1E
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E30
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E42
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E54
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E66
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll), ref: 00460E78
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses), ref: 00460E8A
GetProcAddress.KERNEL32(00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules), ref: 00460E9C
GetProcAddress.KERNEL32(00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA), ref: 00460EAE
GetProcAddress.KERNEL32(00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA), ref: 00460EC0
GetProcAddress.KERNEL32(00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA), ref: 00460ED2
GetProcAddress.KERNEL32(00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA), ref: 00460EE4
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW), ref: 00460EF6
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW), ref: 00460F08
GetProcAddress.KERNEL32(00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation), ref: 00460F1A
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet), ref: 00460F2C
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet), ref: 00460F3E
GetProcAddress.KERNEL32(00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch), ref: 00460F50
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA), ref: 00460F62
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA), ref: 00460F74
GetProcAddress.KERNEL32(00000000,EnumDeviceDrivers,00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA), ref: 00460F86
GetProcAddress.KERNEL32(00000000,GetProcessMemoryInfo,00000000,EnumDeviceDrivers,00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA), ref: 00460F98

Strings

GetDeviceDriverFileNameA, xrefs: 00460F00, 00460F36
GetModuleInformation, xrefs: 00460E94
QueryWorkingSet, xrefs: 00460EB8
EnumProcessModules, xrefs: 00460E16
InitializeProcessForWsWatch, xrefs: 00460ECA
GetMappedFileNameA, xrefs: 00460EDC, 00460F12
GetDeviceDriverFileNameW, xrefs: 00460F6C
GetDeviceDriverBaseNameA, xrefs: 00460EEE, 00460F24
PSAPI.dll, xrefs: 00460DEB
EnumProcesses, xrefs: 00460E04
EnumDeviceDrivers, xrefs: 00460F7E
GetModuleBaseNameA, xrefs: 00460E28, 00460E4C
GetModuleFileNameExA, xrefs: 00460E3A, 00460E5E
GetDeviceDriverBaseNameW, xrefs: 00460F5A
EmptyWorkingSet, xrefs: 00460EA6
GetModuleFileNameExW, xrefs: 00460E82
GetModuleBaseNameW, xrefs: 00460E70
GetMappedFileNameW, xrefs: 00460F48
GetProcessMemoryInfo, xrefs: 00460F90

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045D6E8, Relevance: 49.1, APIs: 15, Strings: 13, Instructions: 95 Total matches: 1532libraryloader

Similarity

Total matches: 1532
API ID: GetProcAddress$SetErrorMode$GetModuleHandleLoadLibrary
String ID: ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME$[FILE]
API String ID: 4285671783-683095915
Opcode ID: 6332f91712b4189a2fbf9eac54066364acf4b46419cf90587b9f7381acad85db
Instruction ID: 372e34bc737a7edc69a1909bd40661afaf820c1de602df88552da6e630419b72
Opcode Fuzzy Hash: 0A01257F24D863CBD2D0CE4934DB39D20B65787C0C8D6DF404605318697F9BF9295A68
Instruction Fuzzy Hash: 372e34bc737a7edc69a1909bd40661afaf820c1de602df88552da6e630419b72

APIs

SetErrorMode.KERNEL32(00008000), ref: 0045D701
GetModuleHandleA.KERNEL32(USER32,00000000,0045D84E,?,00008000), ref: 0045D725
GetProcAddress.KERNEL32(00000000,WINNLSEnableIME,USER32,00000000,0045D84E,?,00008000), ref: 0045D732
LoadLibraryA.KERNEL32(imm32.dll), ref: 0045D74E
GetProcAddress.KERNEL32(00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D770
GetProcAddress.KERNEL32(00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D785
GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D79A
GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7AF
GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7C4
GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E), ref: 0045D7D9
GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000), ref: 0045D7EE
GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext), ref: 0045D803
GetProcAddress.KERNEL32(00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext), ref: 0045D818
GetProcAddress.KERNEL32(00000000,ImmNotifyIME,00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus), ref: 0045D82D
SetErrorMode.KERNEL32(?,0045D855,00008000), ref: 0045D848

Strings

USER32, xrefs: 0045D720
ImmReleaseContext, xrefs: 0045D77A
ImmNotifyIME, xrefs: 0045D822
ImmIsIME, xrefs: 0045D80D
ImmGetConversionStatus, xrefs: 0045D78F
ImmSetCompositionFontA, xrefs: 0045D7E3
ImmGetCompositionStringA, xrefs: 0045D7F8
ImmSetCompositionWindow, xrefs: 0045D7CE
ImmGetContext, xrefs: 0045D765
imm32.dll, xrefs: 0045D749
ImmSetOpenStatus, xrefs: 0045D7B9
WINNLSEnableIME, xrefs: 0045D72C
ImmSetConversionStatus, xrefs: 0045D7A4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004104F0, Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141 Total matches: 3143

Similarity

Total matches: 3143
API ID: GetModuleHandle
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$[FILE]
API String ID: 2196120668-1102361026
Opcode ID: d04b3c176625d43589df9c4c1eaa1faa8af9b9c00307a8a09859a0e62e75f2dc
Instruction ID: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6
Opcode Fuzzy Hash: B8119E48E06A10BC356E3ED6B0292683F50A1A7CBF31D5388487AA46F067C083C0FF2D
Instruction Fuzzy Hash: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 004104F9

Part of subcall function 004104C4: GetProcAddress.KERNEL32(00000000), ref: 004104DD

Strings

VarMod, xrefs: 004105B7
VarBstrFromCy, xrefs: 004106A9
VarBstrFromBool, xrefs: 004106D5
VarAnd, xrefs: 004105CD
VarDateFromStr, xrefs: 00410667
oleaut32.dll, xrefs: 004104F4
VariantChangeTypeEx, xrefs: 00410507
VarCmp, xrefs: 0041060F
VarBstrFromDate, xrefs: 004106BF
VarBoolFromStr, xrefs: 00410693
VarR8FromStr, xrefs: 00410651
VarR4FromStr, xrefs: 0041063B
VarDiv, xrefs: 0041058B
VarSub, xrefs: 0041055F
VarNeg, xrefs: 0041051D
VarAdd, xrefs: 00410549
VarOr, xrefs: 004105E3
VarMul, xrefs: 00410575
VarI4FromStr, xrefs: 00410625
VarCyFromStr, xrefs: 0041067D
VarIdiv, xrefs: 004105A1
VarXor, xrefs: 004105F9
VarNot, xrefs: 00410533

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004291D0, Relevance: 31.7, APIs: 21, Instructions: 194 Total matches: 3060window

Similarity

Total matches: 3060
API ID: SelectObject$CreateCompatibleDCDeleteDCRealizePaletteSelectPaletteSetBkColor$BitBltCreateBitmapDeleteObjectGetDCGetObjectPatBltReleaseDC
String ID:
API String ID: 628774946-0
Opcode ID: fe3971f2977393a3c43567018b8bbe78de127415e632ac21538e816cc0dd5250
Instruction ID: 6115c1c3159ef7867d394253bd6a45f4e10092e6f2e7cc69ab30c5ac2c74a228
Opcode Fuzzy Hash: 2911294A05CCF32B64B579881983B261182FE43B52CABF7105979272CACF41740DE457
Instruction Fuzzy Hash: 6115c1c3159ef7867d394253bd6a45f4e10092e6f2e7cc69ab30c5ac2c74a228

APIs

GetObjectA.GDI32(?,00000054,?), ref: 004291F3
GetDC.USER32(00000000), ref: 00429221
CreateCompatibleDC.GDI32(?), ref: 00429232
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0042924D
SelectObject.GDI32(?,00000000), ref: 00429267
PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 00429289
CreateCompatibleDC.GDI32(?), ref: 00429297
DeleteDC.GDI32(?), ref: 0042937D

Part of subcall function 00428B08: GetObjectA.GDI32(00000000,00000054,?), ref: 00428B88
Part of subcall function 00428B08: GetDC.USER32(00000000), ref: 00428B99
Part of subcall function 00428B08: CreateCompatibleDC.GDI32(00000000), ref: 00428BAA
Part of subcall function 00428B08: CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 00428BF6
Part of subcall function 00428B08: CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 00428C1A
Part of subcall function 00428B08: GetDeviceCaps.GDI32(00000028,0000000C), ref: 00428C6A
Part of subcall function 00428B08: GetDeviceCaps.GDI32(00000028,0000000E), ref: 00428C77
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00428D21
Part of subcall function 00428B08: GetDIBColorTable.GDI32(?,00000000,00000100,-00000027), ref: 00428D47
Part of subcall function 00428B08: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428D72
Part of subcall function 00428B08: SelectObject.GDI32(?,?), ref: 00428D7F
Part of subcall function 00428B08: CreateDIBSection.GDI32(00000028,00000001,00000000,00000003,00000000,00000000), ref: 00428DD5
Part of subcall function 00428B08: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428E36
Part of subcall function 00428B08: SelectObject.GDI32(?,?), ref: 00428E77
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,00000000), ref: 00428EB7
Part of subcall function 00428B08: RealizePalette.GDI32(?), ref: 00428EC3
Part of subcall function 00428B08: FillRect.USER32(?,?,00000000), ref: 00428F14
Part of subcall function 00428B08: SetTextColor.GDI32(?,00000000), ref: 00428F2C
Part of subcall function 00428B08: SetBkColor.GDI32(?,00000000), ref: 00428F46
Part of subcall function 00428B08: SetDIBColorTable.GDI32(?,00000000,00000002,?), ref: 00428F8E
Part of subcall function 00428B08: PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 00428FB0
Part of subcall function 00428B08: CreateCompatibleDC.GDI32(00000028), ref: 00428FC3
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00428FE6
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,00000000), ref: 00429002
Part of subcall function 00428B08: RealizePalette.GDI32(?), ref: 0042900D
Part of subcall function 00428B08: SetTextColor.GDI32(?,00000000), ref: 0042902B
Part of subcall function 00428B08: SetBkColor.GDI32(?,00000000), ref: 00429045
Part of subcall function 00428B08: BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042906D
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,000000FF), ref: 0042907F
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00429089
Part of subcall function 00428B08: DeleteDC.GDI32(?), ref: 004290A4
Part of subcall function 00428B08: SelectPalette.GDI32(?,?,000000FF), ref: 004290CE

SelectObject.GDI32(?), ref: 004292DF
SelectPalette.GDI32(?,?,00000000), ref: 004292F2
RealizePalette.GDI32(?), ref: 004292FB
SelectPalette.GDI32(?,?,00000000), ref: 00429307
RealizePalette.GDI32(?), ref: 00429310
SetBkColor.GDI32(?), ref: 0042931A
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042933E
SetBkColor.GDI32(?,00000000), ref: 00429348
SelectObject.GDI32(?,00000000), ref: 0042935B
DeleteObject.GDI32 ref: 00429367
SelectObject.GDI32(?,00000000), ref: 00429398
DeleteDC.GDI32(00000000), ref: 004293B4
ReleaseDC.USER32(00000000,00000000), ref: 004293C5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004031FC, Relevance: 27.1, APIs: 9, Strings: 9, Instructions: 110 Total matches: 169

Similarity

Total matches: 169
API ID: CharNext
String ID: $ $ $"$"$"$"$"$"
API String ID: 3213498283-3597982963
Opcode ID: a78e52ca640c3a7d11d18e4cac849d6c7481ab065be4a6ef34a7c34927dd7892
Instruction ID: 5d6dbb870b020a65ba4fa9e31a5dda400ef744f15fc7bff5e21739e263984da5
Opcode Fuzzy Hash: D0F054139ED4432360976B416872B44E2D0DF9564D2C01F185B62BE2F31E696D62F9DC
Instruction Fuzzy Hash: 5d6dbb870b020a65ba4fa9e31a5dda400ef744f15fc7bff5e21739e263984da5

APIs

CharNextA.USER32(00000000), ref: 00403208
CharNextA.USER32(00000000), ref: 00403236
CharNextA.USER32(00000000), ref: 00403240
CharNextA.USER32(00000000), ref: 0040325F
CharNextA.USER32(00000000), ref: 00403269
CharNextA.USER32(00000000), ref: 00403295
CharNextA.USER32(00000000), ref: 0040329F
CharNextA.USER32(00000000), ref: 004032C7
CharNextA.USER32(00000000), ref: 004032D1

Strings

", xrefs: 00403230
, xrefs: 004032E9
", xrefs: 0040328F
", xrefs: 0040321E
, xrefs: 00403214
", xrefs: 00403254
, xrefs: 00403278
", xrefs: 00403219
", xrefs: 004032BC

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004296E0, Relevance: 21.2, APIs: 14, Instructions: 217 Total matches: 2962window

Similarity

Total matches: 2962
API ID: GetDeviceCapsSelectObjectSelectPaletteSetStretchBltMode$CreateCompatibleDCDeleteDCGetBrushOrgExRealizePaletteSetBrushOrgExStretchBlt
String ID:
API String ID: 3308931694-0
Opcode ID: c4f23efe5e20e7f72d9787206ae9d4d4484ef6a1768b369050ebc0ce3d21af64
Instruction ID: 6e80a75276815f297b150d1899ec2451361d21afa1efcd092d0d7bc48a04164e
Opcode Fuzzy Hash: 2C21980A409CEB6BF0BB78840183F4A2285BF9B34ACD1BB210E64673635F04E40BD65F
Instruction Fuzzy Hash: 6e80a75276815f297b150d1899ec2451361d21afa1efcd092d0d7bc48a04164e

APIs

Part of subcall function 00429D5C: GetDC.USER32(00000000), ref: 00429DB2
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429DC7
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00429DD1
Part of subcall function 00429D5C: CreateHalftonePalette.GDI32(00000000), ref: 00429DF5
Part of subcall function 00429D5C: ReleaseDC.USER32(00000000,00000000), ref: 00429E00

SelectPalette.GDI32(?,?,000000FF), ref: 00429723
RealizePalette.GDI32(?), ref: 00429732
GetDeviceCaps.GDI32(?,0000000C), ref: 00429744
GetDeviceCaps.GDI32(?,0000000E), ref: 00429753
GetBrushOrgEx.GDI32(?,?), ref: 00429786
SetStretchBltMode.GDI32(?,00000004), ref: 00429794
SetBrushOrgEx.GDI32(?,?,?,?), ref: 004297AC
SetStretchBltMode.GDI32(00000000,00000003), ref: 004297C9
SelectPalette.GDI32(?,?,000000FF), ref: 00429918

Part of subcall function 00429CFC: DeleteObject.GDI32(?), ref: 00429D1F

CreateCompatibleDC.GDI32(00000000), ref: 0042982A
SelectObject.GDI32(?,?), ref: 0042983F

Part of subcall function 00425CC8: CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 00425D0B
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425D20
Part of subcall function 00425CC8: MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,CCAA0029), ref: 00425D64
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425D7E
Part of subcall function 00425CC8: DeleteObject.GDI32(?), ref: 00425D8A
Part of subcall function 00425CC8: CreateCompatibleDC.GDI32(00000000), ref: 00425D9E
Part of subcall function 00425CC8: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00425DBF
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425DD4
Part of subcall function 00425CC8: SelectPalette.GDI32(?,48080787,00000000), ref: 00425DE8
Part of subcall function 00425CC8: SelectPalette.GDI32(?,?,00000000), ref: 00425DFA
Part of subcall function 00425CC8: SelectPalette.GDI32(?,00000000,000000FF), ref: 00425E0F
Part of subcall function 00425CC8: SelectPalette.GDI32(?,48080787,000000FF), ref: 00425E25
Part of subcall function 00425CC8: RealizePalette.GDI32(?), ref: 00425E31
Part of subcall function 00425CC8: StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 00425E53
Part of subcall function 00425CC8: StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 00425E75
Part of subcall function 00425CC8: SetTextColor.GDI32(?,00000000), ref: 00425E7D
Part of subcall function 00425CC8: SetBkColor.GDI32(?,00FFFFFF), ref: 00425E8B
Part of subcall function 00425CC8: StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 00425EB7
Part of subcall function 00425CC8: StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 00425EDC
Part of subcall function 00425CC8: SetTextColor.GDI32(?,?), ref: 00425EE6
Part of subcall function 00425CC8: SetBkColor.GDI32(?,?), ref: 00425EF0
Part of subcall function 00425CC8: SelectObject.GDI32(?,00000000), ref: 00425F03
Part of subcall function 00425CC8: DeleteObject.GDI32(?), ref: 00425F0C
Part of subcall function 00425CC8: SelectPalette.GDI32(?,00000000,00000000), ref: 00425F2E
Part of subcall function 00425CC8: DeleteDC.GDI32(?), ref: 00425F37

SelectObject.GDI32(?,00000000), ref: 0042989E
DeleteDC.GDI32(00000000), ref: 004298AD
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,?), ref: 004298F3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048D3C4, Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 132 Total matches: 32

Similarity

Total matches: 32
API ID: GetVersionEx
String ID: Unknow$Windows 2000$Windows 7$Windows 95$Windows 98$Windows Me$Windows NT 4.0$Windows Server 2003$Windows Vista$Windows XP
API String ID: 3908303307-3783844371
Opcode ID: 7b5a5832e5fd12129a8a2e2906a492b9449b8df28a17af9cc2e55bced20de565
Instruction ID: b844ed6b70e0e94de659292c354b68b9ed016400ab421bcb6baea74a0809c2ae
Opcode Fuzzy Hash: 0C11ACC1EB6CE422E7B219486410BD59E805F8B83AFCCC343D63EA83E46D491419F22D
Instruction Fuzzy Hash: b844ed6b70e0e94de659292c354b68b9ed016400ab421bcb6baea74a0809c2ae

APIs

GetVersionExA.KERNEL32(00000094), ref: 0048D410

Strings

Windows Me, xrefs: 0048D4F2
Windows NT 4.0, xrefs: 0048D441
Windows 2000, xrefs: 0048D467
Windows 95, xrefs: 0048D4D6
Windows 7, xrefs: 0048D4B1
Unknow, xrefs: 0048D3F5
Windows Vista, xrefs: 0048D4A3
Windows Server 2003, xrefs: 0048D486
Windows XP, xrefs: 0048D478
Windows 98, xrefs: 0048D4E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C494, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 102 Total matches: 27filememorythread

Similarity

Total matches: 27
API ID: CloseHandle$CreateFileCreateThreadFindResourceLoadResourceLocalAllocLockResourceSizeofResourceWriteFile
String ID: [FILE]
API String ID: 67866216-124780900
Opcode ID: 96c988e38e59b89ff17cc2eaece477f828ad8744e4a6eccd5192cfbc043553d8
Instruction ID: 630cc112895e8414539e3ba5b7ba0394fd4404f3832c6fa9d37db38bf09270f9
Opcode Fuzzy Hash: D5F02B8A57A5E6A3F0003C841D423D286D55B13B20E582B62C57CB75C1FE24502AFB03
Instruction Fuzzy Hash: 630cc112895e8414539e3ba5b7ba0394fd4404f3832c6fa9d37db38bf09270f9

APIs

FindResourceA.KERNEL32(00000000,?,?), ref: 0048C4C3

Part of subcall function 00489BB0: GetTempPathA.KERNEL32(?,00000000), ref: 00489BEC

CreateFileA.KERNEL32(00000000,.dll,?,?,40000000,00000002,00000000), ref: 0048C50F
SizeofResource.KERNEL32(00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC,?,?,?,?,00000000,00000000,00000000), ref: 0048C51F
LoadResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C528
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C52E
WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0048C535
CloseHandle.KERNEL32(00000000), ref: 0048C53B
LocalAlloc.KERNEL32(00000040,00000004,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C544
CreateThread.KERNEL32(00000000,00000000,0048C3E4,00000000,00000000,?), ref: 0048C586
CloseHandle.KERNEL32(00000000), ref: 0048C58C

Strings

.dll, xrefs: 0048C4F4, 0048C565

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004328FC, Relevance: 18.1, APIs: 12, Instructions: 142 Total matches: 2670

Similarity

Total matches: 2670
API ID: GetSystemMetricsGetWindowLong$ExcludeClipRectFillRectGetSysColorBrushGetWindowDCGetWindowRectInflateRectOffsetRectReleaseDC
String ID:
API String ID: 3932036319-0
Opcode ID: 76064c448b287af48dc2af56ceef959adfeb7e49e56a31cb381aae6292753b0b
Instruction ID: f04c829c48dd0ecc4740a09c532db4e7ffce190e9eba6ce852bb2d0274806371
Opcode Fuzzy Hash: 03019760024F1233E0B31AC05DC7F127621ED45386CA4BBF28BF6A72C962AA7006F467
Instruction Fuzzy Hash: f04c829c48dd0ecc4740a09c532db4e7ffce190e9eba6ce852bb2d0274806371

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 00432917
GetWindowRect.USER32(00000000,?), ref: 00432932
OffsetRect.USER32(?,?,?), ref: 00432947
GetWindowDC.USER32(00000000), ref: 00432955
GetWindowLongA.USER32(00000000,000000F0), ref: 00432986
GetSystemMetrics.USER32(00000002), ref: 0043299B
GetSystemMetrics.USER32(00000003), ref: 004329A4
InflateRect.USER32(?,000000FE,000000FE), ref: 004329B3
GetSysColorBrush.USER32(0000000F), ref: 004329E0
FillRect.USER32(?,?,00000000), ref: 004329EE
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00432A13
ReleaseDC.USER32(00000000,?), ref: 00432A51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00402820, Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 254 Total matches: 200window

Similarity

Total matches: 200
API ID: MessageBox
String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
API String ID: 1250089747-1256731999
Opcode ID: 490897b8e9acac750f9d51d50a768472c0795dbdc6439b18441db86d626ce938
Instruction ID: 76dfa530adb1b8c2cc13e2667be7c25ba156ed0594aa9714788bfb3d1a0eda85
Opcode Fuzzy Hash: 0731F44BA7DDC3A2D3E91303684575550E2A7C5537C888F609772317F6EE04250BAAAD
Instruction Fuzzy Hash: 76dfa530adb1b8c2cc13e2667be7c25ba156ed0594aa9714788bfb3d1a0eda85

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 00402BBE

Strings

An unexpected memory leak has occurred. , xrefs: 00402980
String, xrefs: 00402A91
, xrefs: 00402B04
Unknown, xrefs: 00402A7C
The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402B39
The unexpected small block leaks are:, xrefs: 004029F7
Unexpected Memory Leak, xrefs: 00402BB0
7, xrefs: 00402991
bytes: , xrefs: 00402A4D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F17C, Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 116 Total matches: 33window

Similarity

Total matches: 33
API ID: GetWindowPlacementGetWindowTextIsWindowVisible
String ID: ,$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive$True
API String ID: 41250382-511446200
Opcode ID: 2a93bd2407602c988be198f02ecb64933adb9ffad78aee0f75abc9a1a22a1849
Instruction ID: 8f95e1a452f283c9d6a5f9db166b7f7b6e325fa1ebf04232aa01919826a7e185
Opcode Fuzzy Hash: F5012D8237CECA73DA0AAEC47C00B80D5A5AF63224CC867A14A9D3D1D41ED06009AB4A
Instruction Fuzzy Hash: 8f95e1a452f283c9d6a5f9db166b7f7b6e325fa1ebf04232aa01919826a7e185

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F1D2
GetWindowPlacement.USER32(?,0000002C), ref: 0046F1ED
IsWindowVisible.USER32(?), ref: 0046F258

Part of subcall function 0046F148: GetWindow.USER32(?,00000005), ref: 0046F156
Part of subcall function 0046F148: GetWindow.USER32(00000000,00000002), ref: 0046F164

Strings

,, xrefs: 0046F1E1
Minimized, xrefs: 0046F225
Show/Unactive, xrefs: 0046F239
True, xrefs: 0046F2AA
Maximized, xrefs: 0046F1FD
Normal, xrefs: 0046F211
Normal/Unactive, xrefs: 0046F24D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E71C, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 109 Total matches: 2989

Similarity

Total matches: 2989
API ID: IntersectRect$GetSystemMetrics$EnumDisplayMonitorsGetClipBoxGetDCOrgExOffsetRect
String ID: EnumDisplayMonitors
API String ID: 2403121106-2491903729
Opcode ID: 52db4d6629bbd73772140d7e04a91d47a072080cb3515019dbe85a8b86b11587
Instruction ID: b4557ab74b20c8893b9e8c5043286aecf6e43751f6ec849995a879e485a4fa77
Opcode Fuzzy Hash: 60F02B4B413C0863AD32BB953067E2601615BD3955C9F7BF34D077A2091B85B42EF643
Instruction Fuzzy Hash: b4557ab74b20c8893b9e8c5043286aecf6e43751f6ec849995a879e485a4fa77

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 0042E755
GetSystemMetrics.USER32(00000000), ref: 0042E77A
GetSystemMetrics.USER32(00000001), ref: 0042E785
GetClipBox.GDI32(?,?), ref: 0042E797
GetDCOrgEx.GDI32(?,?), ref: 0042E7A4
OffsetRect.USER32(?,?,?), ref: 0042E7BD
IntersectRect.USER32(?,?,?), ref: 0042E7CE
IntersectRect.USER32(?,?,?), ref: 0042E7E4
IntersectRect.USER32(?,?,?), ref: 0042E804

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

EnumDisplayMonitors, xrefs: 0042E734

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044D1B0, Relevance: 16.6, APIs: 11, Instructions: 91 Total matches: 309

Similarity

Total matches: 309
API ID: GetWindowLongSetWindowLong$SetProp$IsWindowUnicode
String ID:
API String ID: 2416549522-0
Opcode ID: cc33e88019e13a6bdd1cd1f337bb9aa08043e237bf24f75c2294c70aefb51ea5
Instruction ID: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692
Opcode Fuzzy Hash: 47F09048455D92E9CE316990181BFEB6098AF57F91CE86B0469C2713778E50F079BCC2
Instruction Fuzzy Hash: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692

APIs

IsWindowUnicode.USER32(?), ref: 0044D1CA
SetWindowLongW.USER32(?,000000FC,?), ref: 0044D1E5
GetWindowLongW.USER32(?,000000F0), ref: 0044D1F0
GetWindowLongW.USER32(?,000000F4), ref: 0044D202
SetWindowLongW.USER32(?,000000F4,?), ref: 0044D215
SetWindowLongA.USER32(?,000000FC,?), ref: 0044D22E
GetWindowLongA.USER32(?,000000F0), ref: 0044D239
GetWindowLongA.USER32(?,000000F4), ref: 0044D24B
SetWindowLongA.USER32(?,000000F4,?), ref: 0044D25E
SetPropA.USER32(?,00000000,00000000), ref: 0044D275
SetPropA.USER32(?,00000000,00000000), ref: 0044D28C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A8AC, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 146 Total matches: 45fileprocesssynchronization

Similarity

Total matches: 45
API ID: CloseHandle$CreateFile$CreateProcessWaitForSingleObject
String ID: D
API String ID: 1169714791-2746444292
Opcode ID: 9fb844b51f751657abfdf9935c21911306aa385a3997c9217fbe2ce6b668f812
Instruction ID: 79e473b7fda91be69f4d7f417df14a4c992ec25b9310636d694ca9e09f5cc5b6
Opcode Fuzzy Hash: 4D11E6431384F3F3F1A567002C8275185D6DB45A78E6D9752D6B6323EECB40A16CF94A
Instruction Fuzzy Hash: 79e473b7fda91be69f4d7f417df14a4c992ec25b9310636d694ca9e09f5cc5b6

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000004,00000100,00000000), ref: 0048A953
CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000002,00000100,00000000), ref: 0048A98D
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000110,00000000,00000000,00000044,?), ref: 0048AA10
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0048AA2D
CloseHandle.KERNEL32(00000000), ref: 0048AA68
CloseHandle.KERNEL32(00000000), ref: 0048AA77
CloseHandle.KERNEL32(00000000), ref: 0048AA86
CloseHandle.KERNEL32(00000000), ref: 0048AA95

Strings

D, xrefs: 0048A9BB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F3B8, Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 110 Total matches: 30

Similarity

Total matches: 30
API ID: GetWindowPlacementGetWindowText
String ID: ,$False$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive
API String ID: 3194812178-3661939895
Opcode ID: 6e67ebc189e59b109926b976878c05c5ff8e56a7c2fe83319816f47c7d386b2c
Instruction ID: 05c2a068ec8248d3d24fb73124f2ba0192b7bb261c799db9564259cde8fcc610
Opcode Fuzzy Hash: DC012BC22786CE23E606A9C47A00BD0CE65AFB261CCC867E14FEE3C5D57ED100089B96
Instruction Fuzzy Hash: 05c2a068ec8248d3d24fb73124f2ba0192b7bb261c799db9564259cde8fcc610

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F40E
GetWindowPlacement.USER32(?,0000002C), ref: 0046F429

Part of subcall function 0046F148: GetWindow.USER32(?,00000005), ref: 0046F156
Part of subcall function 0046F148: GetWindow.USER32(00000000,00000002), ref: 0046F164

Strings

Maximized, xrefs: 0046F439
,, xrefs: 0046F41D
False, xrefs: 0046F4D6
Show/Unactive, xrefs: 0046F475
Normal, xrefs: 0046F44D
Minimized, xrefs: 0046F461
Normal/Unactive, xrefs: 0046F489

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00456278, Relevance: 15.2, APIs: 10, Instructions: 197 Total matches: 3025

Similarity

Total matches: 3025
API ID: GetWindowLong$IntersectClipRectRestoreDCSaveDC
String ID:
API String ID: 3006731778-0
Opcode ID: 42e9e34b880910027b3e3a352b823e5a85719ef328f9c6ea61aaf2d3498d6580
Instruction ID: 4204c0258dd60c0c2688d7e8ce7edc9cd036ce1826430425374ca7ebdb7834a4
Opcode Fuzzy Hash: 4621F609168D5267EC7B75806993BAA7111FB82B88CD1F7321AA1171975B80204BFA07
Instruction Fuzzy Hash: 4204c0258dd60c0c2688d7e8ce7edc9cd036ce1826430425374ca7ebdb7834a4

APIs

SaveDC.GDI32(?), ref: 00456295

Part of subcall function 0044EEA0: GetWindowOrgEx.GDI32(?), ref: 0044EEAE
Part of subcall function 0044EEA0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044EEC4

IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 004562CE
GetWindowLongA.USER32(00000000,000000EC), ref: 004562E2
GetWindowLongA.USER32(00000000,000000F0), ref: 00456303

Part of subcall function 00456278: SetRect.USER32(00000010,00000000,00000000,?,?), ref: 00456363
Part of subcall function 00456278: IntersectClipRect.GDI32(?,00000000,00000000,00000010,?), ref: 004563D3
Part of subcall function 00456278: SetRect.USER32(?,00000000,00000000,?,?), ref: 004563F4
Part of subcall function 00456278: DrawEdge.USER32(?,?,00000000,00000000), ref: 00456403
Part of subcall function 00456278: IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0045642C

RestoreDC.GDI32(?,?), ref: 004564AB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044155C, Relevance: 15.1, APIs: 10, Instructions: 74 Total matches: 3192window

Similarity

Total matches: 3192
API ID: DeleteMenu$EnableMenuItem$GetSystemMenu
String ID:
API String ID: 3542995237-0
Opcode ID: 6b257927fe0fdeada418aad578b82fbca612965c587f2749ccb5523ad42afade
Instruction ID: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578
Opcode Fuzzy Hash: 0AF0D09DD98F1151E6F500410C47B83C08AFF413C5C245B380583217EFA9D25A5BEB0E
Instruction Fuzzy Hash: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 004415A7
DeleteMenu.USER32(00000000,0000F130,00000000), ref: 004415C5
DeleteMenu.USER32(00000000,00000007,00000400), ref: 004415D2
DeleteMenu.USER32(00000000,00000005,00000400), ref: 004415DF
DeleteMenu.USER32(00000000,0000F030,00000000), ref: 004415EC
DeleteMenu.USER32(00000000,0000F020,00000000), ref: 004415F9
DeleteMenu.USER32(00000000,0000F000,00000000), ref: 00441606
DeleteMenu.USER32(00000000,0000F120,00000000), ref: 00441613
EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 00441631
EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 0044164D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040281E, Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 188 Total matches: 190window

Similarity

Total matches: 190
API ID: MessageBox
String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
API String ID: 1250089747-980038931
Opcode ID: 1669ecd234b97cdbd14c3df7a35b1e74c6856795be7635a3e0f5130a3d9bc831
Instruction ID: 2e60dbe28dcd1d3aa5670394eea0bc97309ab4bc9661f15f320bab8b5d4cd559
Opcode Fuzzy Hash: 8E21F44B67EED392D3EA1303384575540E3ABC5537D888F60977232BF6EE14140BAA9D
Instruction Fuzzy Hash: 2e60dbe28dcd1d3aa5670394eea0bc97309ab4bc9661f15f320bab8b5d4cd559

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 00402BBE

Strings

An unexpected memory leak has occurred. , xrefs: 00402980
, xrefs: 00402B04
The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402B39
The unexpected small block leaks are:, xrefs: 004029F7
Unexpected Memory Leak, xrefs: 00402BB0
7, xrefs: 00402991
bytes: , xrefs: 00402A4D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004710F0, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 66 Total matches: 37

Similarity

Total matches: 37
API ID: GetWindowShowWindow$FindWindowGetClassName
String ID: BUTTON$Shell_TrayWnd
API String ID: 2948047570-3627955571
Opcode ID: 9e064d9ead1b610c0c1481de5900685eb7d76be14ef2e83358ce558d27e67668
Instruction ID: d360bd029940f6fa4d12d7627fe3e8b46839e67e31e965d43504e39a11938d6c
Opcode Fuzzy Hash: 68E092CC17B5D469B71A2789284236241D5C763A35C18B752D332376DF8E58021EE60A
Instruction Fuzzy Hash: d360bd029940f6fa4d12d7627fe3e8b46839e67e31e965d43504e39a11938d6c

APIs

FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 0047111D
GetWindow.USER32(00000000,00000005), ref: 00471125
GetClassNameA.USER32(00000000,?,00000080), ref: 0047113D
ShowWindow.USER32(00000000,00000001), ref: 0047117C
ShowWindow.USER32(00000000,00000000), ref: 00471186
GetWindow.USER32(00000000,00000002), ref: 0047118E

Strings

BUTTON, xrefs: 00471168
Shell_TrayWnd, xrefs: 00471118

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004564D0, Relevance: 13.7, APIs: 9, Instructions: 177 Total matches: 190window

Similarity

Total matches: 190
API ID: SelectObject$BeginPaintBitBltCreateCompatibleBitmapCreateCompatibleDCSetWindowOrgEx
String ID:
API String ID: 1616898104-0
Opcode ID: 00b711a092303d63a394b0039c66d91bff64c6bf82b839551a80748cfcb5bf1e
Instruction ID: 1affb125a654ca7596d0e4f6c4811def945eff925a29ebecd1c68cf0f38a7913
Opcode Fuzzy Hash: 14115B85024DA637E8739CC85E83F962294F307D48C91F7729BA31B2C72F15600DD293
Instruction Fuzzy Hash: 1affb125a654ca7596d0e4f6c4811def945eff925a29ebecd1c68cf0f38a7913

APIs

Part of subcall function 00455D50: BeginPaint.USER32(00000000,?), ref: 00455D7B
Part of subcall function 00455D50: SaveDC.GDI32(00000000), ref: 00455DB4
Part of subcall function 00455D50: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 00455E36
Part of subcall function 00455D50: RestoreDC.GDI32(00000000,00000000), ref: 00455E6C
Part of subcall function 00455D50: EndPaint.USER32(00000000,?), ref: 00455EA9

BeginPaint.USER32(00000000,?), ref: 004565EA
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00456600
CreateCompatibleDC.GDI32(00000000), ref: 00456617
SelectObject.GDI32(?,?), ref: 00456627
SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0045664B

Part of subcall function 004564D0: BeginPaint.USER32(00000000,?), ref: 0045653C
Part of subcall function 004564D0: EndPaint.USER32(00000000,?), ref: 004565D0

BitBlt.GDI32(00000000,?,?,?,?,?,?,?,00CC0020), ref: 00456699
SelectObject.GDI32(?,?), ref: 004566B3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004840D8, Relevance: 13.6, APIs: 9, Instructions: 150 Total matches: 30

Similarity

Total matches: 30
API ID: CloseHandleGetTokenInformationLookupAccountSid$GetLastErrorOpenProcessOpenProcessToken
String ID:
API String ID: 1387212650-0
Opcode ID: 55fc45e655e8bcad6bc41288bae252f5ee7be0b7cb976adfe173a6785b05be5f
Instruction ID: 4c6b5abeafcca947752a893948ed48d42e020b1fe5683f4a654fc51f6199c0a3
Opcode Fuzzy Hash: 3901484A17CA2293F53BB5C82483FEA1215E702B45D48B7A354F43A59A5F45A13BF702
Instruction Fuzzy Hash: 4c6b5abeafcca947752a893948ed48d42e020b1fe5683f4a654fc51f6199c0a3

APIs

OpenProcess.KERNEL32(00000400,00000000,?,00000000,00484275), ref: 00484108
OpenProcessToken.ADVAPI32(00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 0048411E
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,?,00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 00484139
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),?,?,?,?,TokenIntegrityLevel,00000000,00000000,?,00000000,00000008,?,00000400,00000000), ref: 00484168
GetLastError.KERNEL32(?,TokenIntegrityLevel,00000000,00000000,?,00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 00484177
CloseHandle.KERNEL32(?), ref: 00484185
LookupAccountSidA.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 004841B4
LookupAccountSidA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,?), ref: 00484205
CloseHandle.KERNEL32(00000000), ref: 00484255

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00451458, Relevance: 13.6, APIs: 9, Instructions: 122 Total matches: 3040window

Similarity

Total matches: 3040
API ID: PatBlt$SelectObject$GetDCExGetDesktopWindowReleaseDC
String ID:
API String ID: 2402848322-0
Opcode ID: 0b1cd19b0e82695ca21d43bacf455c9985e1afa33c1b29ce2f3a7090b744ccb2
Instruction ID: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593
Opcode Fuzzy Hash: C2F0B4482AADF707C8B6350915C7F79224AED736458F4BB694DB4172CBAF27B014D093
Instruction Fuzzy Hash: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593

APIs

GetDesktopWindow.USER32 ref: 0045148F
GetDCEx.USER32(?,00000000,00000402), ref: 004514A2

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

SelectObject.GDI32(?,00000000), ref: 004514C5
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 004514EB
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0045150D
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 0045152C
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 00451546
SelectObject.GDI32(?,?), ref: 00451553
ReleaseDC.USER32(?,?), ref: 0045156D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004117E8, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: f440f800a6dcfa6827f62dcd7c23166eba4d720ac19948e634cff8498f9e3f0b
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 4D113503239AAB83B0257B804C83F24D1D0DE42D36ACD97B8C672693F32601561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00411881
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041189D
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 004118D6
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411953
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0041196C
VariantCopy.OLEAUT32(?), ref: 004119A1

Strings

, xrefs: 00411802

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AC14, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 110 Total matches: 30

Similarity

Total matches: 30
API ID: GetCurrentProcessGetTokenInformationLookupPrivilegeDisplayNameLookupPrivilegeNameOpenProcessToken
String ID: GetTokenInformation error$OpenProcessToken error
API String ID: 34442935-1842041635
Opcode ID: 07715b92dc7caf9e715539a578f275bcd2bb60a34190f84cc6cf05c55eb8ea49
Instruction ID: 380ab001647c8b3903b6034fc21424389ae21c1771cfbd9cf9b74ae493e33b6b
Opcode Fuzzy Hash: 9101994303ACF753F62929086842BDA0550DF534A5EC4AB6281746BEC90F28203AFB57
Instruction Fuzzy Hash: 380ab001647c8b3903b6034fc21424389ae21c1771cfbd9cf9b74ae493e33b6b

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AD60), ref: 0048AC51
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AD60), ref: 0048AC57
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000320,?,00000000,00000028,?,00000000,0048AD60), ref: 0048AC7D
LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,00000000,000000FF,?), ref: 0048ACEE

Part of subcall function 00489B40: MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00489B84

LookupPrivilegeNameA.ADVAPI32(00000000,?,00000000,000000FF), ref: 0048ACDD

Strings

GetTokenInformation error, xrefs: 0048AC86
OpenProcessToken error, xrefs: 0048AC60

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E4A0, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68 Total matches: 2853string

Similarity

Total matches: 2853
API ID: GetSystemMetrics$GetMonitorInfoSystemParametersInfolstrcpy
String ID: DISPLAY$GetMonitorInfo
API String ID: 3432438702-1633989206
Opcode ID: eae47ffeee35c10db4cae29e8a4ab830895bcae59048fb7015cdc7d8cb0a928b
Instruction ID: 74142331967dee0409fd24cf408a58a7466f2520650418456c75ade1e3029da4
Opcode Fuzzy Hash: 28E068803A699081F86A71027110F4912B07AE7E47D883B92C4777051BD78265B91D01
Instruction Fuzzy Hash: 74142331967dee0409fd24cf408a58a7466f2520650418456c75ade1e3029da4

APIs

GetMonitorInfoA.USER32(?,?), ref: 0042E4D1
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042E4F8
GetSystemMetrics.USER32(00000000), ref: 0042E50D
GetSystemMetrics.USER32(00000001), ref: 0042E518
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0042E542

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

DISPLAY, xrefs: 0042E539
GetMonitorInfo, xrefs: 0042E4B8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004052FC, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38 Total matches: 3072filewindow

Similarity

Total matches: 3072
API ID: GetStdHandleWriteFile$MessageBox
String ID: Error$Runtime error at 00000000
API String ID: 877302783-2970929446
Opcode ID: a2f2a555d5de0ed3a3cdfe8a362fd9574088acc3a5edf2b323f2c4251b80d146
Instruction ID: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97
Opcode Fuzzy Hash: FED0A7C68438479FA141326030C4B2A00133F0762A9CC7396366CB51DFCF4954BCDD05
Instruction Fuzzy Hash: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405335
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 0040533B
GetStdHandle.KERNEL32(000000F5,00405384,00000002,?,00000000,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405350
WriteFile.KERNEL32(00000000,000000F5,00405384,00000002,?), ref: 00405356
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00405374

Strings

Error, xrefs: 00405368
Runtime error at 00000000, xrefs: 0040532E, 0040536D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E0DC, Relevance: 12.1, APIs: 8, Instructions: 100 Total matches: 31registry

Similarity

Total matches: 31
API ID: RegOpenKeyEx$RegCloseKeyRegDeleteValue
String ID:
API String ID: 2702562355-0
Opcode ID: ff1bffc0fc9da49c543c68ea8f8c068e074332158ed00d7e0855fec77d15ce10
Instruction ID: bb6f8a9e936068d281b70d3ea2ea02ff1a791729bc38357734c580253c916b5c
Opcode Fuzzy Hash: 00F0AD0155E9A353EBF654C41E127DB2082FF43A44D08FFB50392139D3DF581028E663
Instruction Fuzzy Hash: bb6f8a9e936068d281b70d3ea2ea02ff1a791729bc38357734c580253c916b5c

APIs

RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?,00000000,0046E238), ref: 0046E15A
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,000F003F,?,0046E23F,80000000,00000000,00000000,000F003F,?,00000000,0046E238), ref: 0046E17D
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,0046E23F,80000000,00000000,00000000,000F003F,?), ref: 0046E19D
RegOpenKeyExA.ADVAPI32(80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,0046E23F), ref: 0046E1BD
RegOpenKeyExA.ADVAPI32(80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001), ref: 0046E1DD
RegOpenKeyExA.ADVAPI32(80000006,00000000,00000000,000F003F,?,80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002), ref: 0046E1FD
RegDeleteValueA.ADVAPI32(?,00000000,00000000,0046E238), ref: 0046E20F
RegCloseKey.ADVAPI32(?,?,00000000,00000000,0046E238), ref: 0046E218

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004462F4, Relevance: 12.1, APIs: 8, Instructions: 99 Total matches: 293windowthread

Similarity

Total matches: 293
API ID: SendMessage$GetWindowThreadProcessId$GetCaptureGetParentIsWindowUnicode
String ID:
API String ID: 2317708721-0
Opcode ID: 8f6741418f060f953fc426fb00df5905d81b57fcb2f7a38cdc97cb0aab6d7365
Instruction ID: 027f2b09132ef415e1641618d15c0fc03404835376b0cbd1c352fc703b58c8b5
Opcode Fuzzy Hash: D0F09E15071D1844F89FA7844CD3F1F0150E73726FC516A251861D07BB2640586DEC40
Instruction Fuzzy Hash: 027f2b09132ef415e1641618d15c0fc03404835376b0cbd1c352fc703b58c8b5

APIs

GetCapture.USER32 ref: 0044631A
GetParent.USER32(00000000), ref: 00446340
IsWindowUnicode.USER32(00000000), ref: 0044635D
SendMessageW.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446378
SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446397
GetWindowThreadProcessId.USER32(00000000), ref: 004463A6
GetWindowThreadProcessId.USER32(?,?), ref: 004463B4
SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 004463D4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E244, Relevance: 12.1, APIs: 8, Instructions: 95 Total matches: 27registry

Similarity

Total matches: 27
API ID: RegOpenKeyEx$RegCloseKeyRegDeleteKey
String ID:
API String ID: 1588268847-0
Opcode ID: efa1fa3a126963e045954320cca245066a4b5764b694b03be027155e6cf74c33
Instruction ID: 786d86d630c0ce6decb55c8266b1f23f89dbfeab872e22862efc69a80fb541cf
Opcode Fuzzy Hash: 70F0810454D99393EFF268C81A627EB2492FF53141C00BFB603D222A93DF191428E663
Instruction Fuzzy Hash: 786d86d630c0ce6decb55c8266b1f23f89dbfeab872e22862efc69a80fb541cf

APIs

RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?,00000000,0046E391), ref: 0046E2B7
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,000F003F,?,80000000,00000000,00000000,000F003F,?,00000000,0046E391), ref: 0046E2DA
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,80000000,00000000,00000000,000F003F,?,00000000), ref: 0046E2FA
RegOpenKeyExA.ADVAPI32(80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,80000000), ref: 0046E31A
RegOpenKeyExA.ADVAPI32(80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001), ref: 0046E33A
RegOpenKeyExA.ADVAPI32(80000006,00000000,00000000,000F003F,?,80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002), ref: 0046E35A
RegDeleteKeyA.ADVAPI32(?,0046E39C), ref: 0046E368
RegCloseKey.ADVAPI32(?,?,0046E39C,00000000,0046E391), ref: 0046E371

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426060, Relevance: 12.1, APIs: 8, Instructions: 79 Total matches: 3072window

Similarity

Total matches: 3072
API ID: GetSystemPaletteEntries$GetDCGetDeviceCapsReleaseDC
String ID:
API String ID: 3774187343-0
Opcode ID: c8a1f0028bda89d06ba34fecd970438ce26e4f5bd606e2da3d468695089984a8
Instruction ID: 0cfe958825060108f21fe327ec74807f3ea840bb8274bad68fd1d00675d59d02
Opcode Fuzzy Hash: 82F0E9420739F3B3B21723492453B548250FF006B8F195B7095A2A37D54B486A08D65A
Instruction Fuzzy Hash: 0cfe958825060108f21fe327ec74807f3ea840bb8274bad68fd1d00675d59d02

APIs

GetDC.USER32(00000000), ref: 0042608E
GetDeviceCaps.GDI32(?,00000068), ref: 004260AA
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 004260C9
GetSystemPaletteEntries.GDI32(?,-00000008,00000001,00C0C0C0), ref: 004260ED
GetSystemPaletteEntries.GDI32(?,00000000,00000007,?), ref: 0042610B
GetSystemPaletteEntries.GDI32(?,00000007,00000001,?), ref: 0042611F
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0042613F
ReleaseDC.USER32(00000000,?), ref: 00426157

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434550, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 177 Total matches: 2669window

Similarity

Total matches: 2669
API ID: InsertMenu$GetVersionInsertMenuItem
String ID: ,$?
API String ID: 1158528009-2308483597
Opcode ID: 3691d3eb49acf7fe282d18733ae3af9147e5be4a4a7370c263688d5644077239
Instruction ID: d88e58a9695d0ecde36b26a9ed5775f3b98e27f7dc2108173ae1ec2afbf22209
Opcode Fuzzy Hash: 7021C07202AE81DBD414788C7954F6221B16B5465FD49FF210329B5DD98F156003FF7A
Instruction Fuzzy Hash: d88e58a9695d0ecde36b26a9ed5775f3b98e27f7dc2108173ae1ec2afbf22209

APIs

GetVersion.KERNEL32(00000000,004347A1), ref: 004345EC
InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 004346F5
InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 0043477E

Part of subcall function 00434A54: CreatePopupMenu.USER32 ref: 00434A6F
Part of subcall function 00434A54: CreateMenu.USER32 ref: 00434A79

InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 00434765

Strings

?, xrefs: 00434607
,, xrefs: 00434600

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446524, Relevance: 10.6, APIs: 7, Instructions: 105 Total matches: 329window

Similarity

Total matches: 329
API ID: PeekMessage$DispatchMessage$IsWindowUnicodeTranslateMessage
String ID:
API String ID: 94033680-0
Opcode ID: 72d0e2097018c2d171db36cd9dd5c7d628984fd68ad100676ade8b40d7967d7f
Instruction ID: b3581f7210794b57d406096c46509e1a6dcc6e0b3c60c7d01b5c3c410123a072
Opcode Fuzzy Hash: A2F0F642161A8221F90E364651E2FC06559E31F39CCD1D3871165A4192DF8573D6F95C
Instruction Fuzzy Hash: b3581f7210794b57d406096c46509e1a6dcc6e0b3c60c7d01b5c3c410123a072

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00446538
IsWindowUnicode.USER32 ref: 0044654C
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0044656D
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00446583

Part of subcall function 00447DD0: GetCapture.USER32 ref: 00447DDA
Part of subcall function 00447DD0: GetParent.USER32(00000000), ref: 00447E08

Part of subcall function 004462A4: TranslateMDISysAccel.USER32(?), ref: 004462E3

Part of subcall function 004462F4: GetCapture.USER32 ref: 0044631A
Part of subcall function 004462F4: GetParent.USER32(00000000), ref: 00446340
Part of subcall function 004462F4: IsWindowUnicode.USER32(00000000), ref: 0044635D
Part of subcall function 004462F4: SendMessageW.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446378
Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446397
Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(00000000), ref: 004463A6
Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(?,?), ref: 004463B4
Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 004463D4

Part of subcall function 0044625C: IsWindowUnicode.USER32(00000000), ref: 00446270
Part of subcall function 0044625C: IsDialogMessageW.USER32(?), ref: 00446281
Part of subcall function 0044625C: IsDialogMessageA.USER32(?,?,00000000,015B8130,00000001,00446607,?,00000000,00000000,00000000,00000001,?,00000000,00000000,00000000,00000000), ref: 00446296

TranslateMessage.USER32 ref: 0044660C
DispatchMessageW.USER32 ref: 00446618
DispatchMessageA.USER32 ref: 00446620

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004282D0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99 Total matches: 1938

Similarity

Total matches: 1938
API ID: GetWinMetaFileBitsMulDiv$GetDC
String ID: `
API String ID: 1171737091-2679148245
Opcode ID: 97e0afb71fd3017264d25721d611b96d1ac3823582e31f119ebb41a52f378edb
Instruction ID: fd1c75cb27f8ccc4a85bc281ca680933f7ff10ae91a160973978cac80d6b42b6
Opcode Fuzzy Hash: B6F0ACC4008CD2A7D87675DC1043F6311C897CA286E89BB739226A7307CB0AA019EC47
Instruction Fuzzy Hash: fd1c75cb27f8ccc4a85bc281ca680933f7ff10ae91a160973978cac80d6b42b6

APIs

MulDiv.KERNEL32(?,?,000009EC), ref: 00428322
MulDiv.KERNEL32(?,?,000009EC), ref: 00428339
GetDC.USER32(00000000), ref: 00428350
GetWinMetaFileBits.GDI32(?,00000000,00000000,00000008,?), ref: 00428374
GetWinMetaFileBits.GDI32(?,?,?,00000008,?), ref: 004283A7

Part of subcall function 00425A70: GetLastError.KERNEL32(00000000,00425B0C), ref: 00425A90
Part of subcall function 00425A70: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00425B0C), ref: 00425AB6

Strings

`, xrefs: 00428308

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444344, Relevance: 10.6, APIs: 7, Instructions: 89 Total matches: 2886

Similarity

Total matches: 2886
API ID: CreateFontIndirect$GetStockObjectSystemParametersInfo
String ID:
API String ID: 1286667049-0
Opcode ID: beeb678630a8d2ca0f721ed15124802961745e4c56d7c704ecddf8ebfa723626
Instruction ID: b9276e4cea0afd1028da4d528d34847b13dbaab52dc8e94e54053a20ac38a9fc
Opcode Fuzzy Hash: 00F0A4C36341F6F2D8993208742172161E6A74AE78C7CFF62422930ED2661A052EEB4F
Instruction Fuzzy Hash: b9276e4cea0afd1028da4d528d34847b13dbaab52dc8e94e54053a20ac38a9fc

APIs

SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 00444399
CreateFontIndirectA.GDI32(?), ref: 004443A6
GetStockObject.GDI32(0000000D), ref: 004443BC
SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 004443E5
CreateFontIndirectA.GDI32(?), ref: 004443F5
CreateFontIndirectA.GDI32(?), ref: 0044440E

Part of subcall function 00424A5C: MulDiv.KERNEL32(00000000,?,00000048), ref: 00424A69

GetStockObject.GDI32(0000000D), ref: 00444434

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428A00, Relevance: 10.6, APIs: 7, Instructions: 66 Total matches: 3056

Similarity

Total matches: 3056
API ID: SelectObject$CreateCompatibleDCDeleteDCGetDCReleaseDCSetDIBColorTable
String ID:
API String ID: 2399757882-0
Opcode ID: e05996493a4a7703f1d90fd319a439bf5e8e75d5a5d7afaf7582bfea387cb30d
Instruction ID: 90c847b5b2251fbb5b2f14fd0b24f537c214c92e226752d9278a3821f2f40b8f
Opcode Fuzzy Hash: 73E0DF8626D8F38BE435399C15C2BB202EAD763D20D1ABBA1CD712B5DB6B09701CE107
Instruction Fuzzy Hash: 90c847b5b2251fbb5b2f14fd0b24f537c214c92e226752d9278a3821f2f40b8f

APIs

Part of subcall function 004262B4: GetObjectA.GDI32(?,00000004), ref: 004262CB
Part of subcall function 004262B4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 004262EE

GetDC.USER32(00000000), ref: 00428A3E
CreateCompatibleDC.GDI32(?), ref: 00428A4A
SelectObject.GDI32(?), ref: 00428A57
SetDIBColorTable.GDI32(?,00000000,00000000,?), ref: 00428A7B
SelectObject.GDI32(?,?), ref: 00428A95
DeleteDC.GDI32(?), ref: 00428A9E
ReleaseDC.USER32(00000000,?), ref: 00428AA9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004442A8, Relevance: 10.6, APIs: 7, Instructions: 57 Total matches: 3149threadwindow

Similarity

Total matches: 3149
API ID: SendMessage$GetCurrentThreadIdGetCursorPosGetWindowThreadProcessIdSetCursorWindowFromPoint
String ID:
API String ID: 3843227220-0
Opcode ID: 636f8612f18a75fc2fe2d79306f1978e6c2d0ee500cce15a656835efa53532b4
Instruction ID: 91a0691e93be75cbd792bc1c5d11451005bcc187603754b99125f381020161aa
Opcode Fuzzy Hash: 6FE07D44093723D5C0644A295640705A6C6CB96630DC0DB86C339580FBAD0214F0BC92
Instruction Fuzzy Hash: 91a0691e93be75cbd792bc1c5d11451005bcc187603754b99125f381020161aa

APIs

GetCursorPos.USER32 ref: 004442C3
WindowFromPoint.USER32(?,?), ref: 004442D0
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004442DE
GetCurrentThreadId.KERNEL32(00000000,00000000,?,?), ref: 004442E5
SendMessageA.USER32(00000000,00000084,00000000,?), ref: 0044430E
SendMessageA.USER32(00000000,00000020,00000000,?), ref: 00444320
SetCursor.USER32(00000000), ref: 00444332

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00404448, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 49 Total matches: 63registry

Similarity

Total matches: 63
API ID: RegCloseKeyRegOpenKeyExRegQueryValueEx
String ID: &$FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 2249749755-409351
Opcode ID: ab90adbf7b939076b4d26ef1005f34fa32d43ca05e29cbeea890055cc8b783db
Instruction ID: ce62e3bb234767a160e82b0d7d36def6f0e4d1aa0fd43ed305e6d49589b0b3e0
Opcode Fuzzy Hash: 58D02BE10C9A675FB6B071543292B6310A3F72AA8CC0077326DD03A0D64FD26178CF03
Instruction Fuzzy Hash: ce62e3bb234767a160e82b0d7d36def6f0e4d1aa0fd43ed305e6d49589b0b3e0

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040446A
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,&,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040449D
RegCloseKey.ADVAPI32(?,004044C0,00000000,?,00000004,00000000,&,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004044B3

Strings

&, xrefs: 00404476
FPUMaskValue, xrefs: 00404494
SOFTWARE\Borland\Delphi\RTL, xrefs: 00404460

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043EC18, Relevance: 9.2, APIs: 6, Instructions: 150 Total matches: 2896

Similarity

Total matches: 2896
API ID: FillRect$BeginPaintEndPaintGetClientRectGetWindowRect
String ID:
API String ID: 2931688664-0
Opcode ID: 677a90f33c4a0bae1c1c90245e54b31fe376033ebf9183cf3cf5f44c7b342276
Instruction ID: 65c0a0a89661e183b73f48e61e48bee5eb6d6399339ac08e0e21072a38132552
Opcode Fuzzy Hash: 9711994A819E5007F47B49C40887BEA1092FBC1FDBCC8FF7025A426BCB0B60564F860B
Instruction Fuzzy Hash: 65c0a0a89661e183b73f48e61e48bee5eb6d6399339ac08e0e21072a38132552

APIs

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?), ref: 0043EC91
GetClientRect.USER32(00000000,?), ref: 0043ECBC
FillRect.USER32(?,?,00000000), ref: 0043ECDB

Part of subcall function 0043EB8C: CallWindowProcA.USER32(?,?,?,?,?), ref: 0043EBC6

Part of subcall function 0043B78C: GetWindowLongA.USER32(?,000000EC), ref: 0043B799
Part of subcall function 0043B78C: SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B7BC
Part of subcall function 0043B78C: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043B7CE

BeginPaint.USER32(?,?), ref: 0043ED53
GetWindowRect.USER32(?,?), ref: 0043ED80

Part of subcall function 0044EEA0: GetWindowOrgEx.GDI32(?), ref: 0044EEAE
Part of subcall function 0044EEA0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044EEC4

Part of subcall function 00455D50: BeginPaint.USER32(00000000,?), ref: 00455D7B
Part of subcall function 00455D50: SaveDC.GDI32(00000000), ref: 00455DB4
Part of subcall function 00455D50: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 00455E36
Part of subcall function 00455D50: RestoreDC.GDI32(00000000,00000000), ref: 00455E6C
Part of subcall function 00455D50: EndPaint.USER32(00000000,?), ref: 00455EA9

EndPaint.USER32(?,?), ref: 0043EDE0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00441160, Relevance: 9.1, APIs: 6, Instructions: 125 Total matches: 196

Similarity

Total matches: 196
API ID: ExcludeClipRectFillRectGetStockObjectRestoreDCSaveDCSetBkColor
String ID:
API String ID: 3049133588-0
Opcode ID: d6019f6cee828ac7391376ab126a0af33bb7a71103bbd3b8d69450c96d22d854
Instruction ID: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c
Opcode Fuzzy Hash: 54012444004F6253F4AB098428E7FA56083F721791CE4FF310786616C34A74615BAA07
Instruction Fuzzy Hash: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c

APIs

Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE

SaveDC.GDI32(?), ref: 004411AD
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00441234
GetStockObject.GDI32(00000004), ref: 00441256
FillRect.USER32(00000000,?,00000000), ref: 0044126F

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(00000000,00000000), ref: 004412BA

Part of subcall function 0042535C: FillRect.USER32(?,00000000,00000000), ref: 00425385

RestoreDC.GDI32(00000000,?), ref: 004412E5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426564, Relevance: 9.1, APIs: 6, Instructions: 84 Total matches: 3298

Similarity

Total matches: 3298
API ID: GetDeviceCapsGetSystemMetrics$GetDCReleaseDC
String ID:
API String ID: 3173458388-0
Opcode ID: fd9f4716da230ae71bf1f4ec74ceb596be8590d72bfe1d7677825fa15454f496
Instruction ID: 76208f8db54bfa31a4e946745ab37a866a8afca9cd7e1400b1f436bf5add317d
Opcode Fuzzy Hash: 0CF09E4906CDE0A230E245C41213F6290C28E85DA1CCD2F728175646EB900A900BB68A
Instruction Fuzzy Hash: 76208f8db54bfa31a4e946745ab37a866a8afca9cd7e1400b1f436bf5add317d

APIs

GetSystemMetrics.USER32(0000000B), ref: 004265B2
GetSystemMetrics.USER32(0000000C), ref: 004265BE
GetDC.USER32(00000000), ref: 004265DA
GetDeviceCaps.GDI32(00000000,0000000E), ref: 00426601
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042660E
ReleaseDC.USER32(00000000,00000000), ref: 00426647

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004269DC, Relevance: 9.1, APIs: 6, Instructions: 65 Total matches: 3081window

Similarity

Total matches: 3081
API ID: SelectPalette$CreateCompatibleDCDeleteDCGetDIBitsRealizePalette
String ID:
API String ID: 940258532-0
Opcode ID: c5678bed85b02f593c88b8d4df2de58c18800a354d7fb4845608846d7bc0f30b
Instruction ID: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194
Opcode Fuzzy Hash: BCE0864D058EF36F1875B08C25D267100C0C9A25D0917BB6151282339B8F09B42FE553
Instruction Fuzzy Hash: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194

APIs

Part of subcall function 00426888: GetObjectA.GDI32(?,00000054), ref: 0042689C

CreateCompatibleDC.GDI32(00000000), ref: 004269FE
SelectPalette.GDI32(?,?,00000000), ref: 00426A1F
RealizePalette.GDI32(?), ref: 00426A2B
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 00426A42
SelectPalette.GDI32(?,00000000,00000000), ref: 00426A6A
DeleteDC.GDI32(?), ref: 00426A73

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426210, Relevance: 9.1, APIs: 6, Instructions: 56 Total matches: 3064window

Similarity

Total matches: 3064
API ID: SelectObject$CreateCompatibleDCCreatePaletteDeleteDCGetDIBColorTable
String ID:
API String ID: 2522673167-0
Opcode ID: 8f0861977a40d6dd0df59c1c8ae10ba78c97ad85d117a83679491ebdeecf1838
Instruction ID: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265
Opcode Fuzzy Hash: 23E0CD8BABB4E08A797B9EA40440641D28F874312DF4347525731780E7DE0972EBFD9D
Instruction Fuzzy Hash: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265

APIs

CreateCompatibleDC.GDI32(00000000), ref: 00426229
SelectObject.GDI32(00000000,00000000), ref: 00426232
GetDIBColorTable.GDI32(00000000,00000000,00000100,?), ref: 00426246
SelectObject.GDI32(00000000,00000000), ref: 00426252
DeleteDC.GDI32(00000000), ref: 00426258
CreatePalette.GDI32 ref: 0042629F

Part of subcall function 00426178: GetDC.USER32(00000000), ref: 00426190
Part of subcall function 00426178: GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
Part of subcall function 00426178: ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004258EC, Relevance: 9.0, APIs: 6, Instructions: 43 Total matches: 3205

Similarity

Total matches: 3205
API ID: SetBkColorSetBkMode$SelectObjectUnrealizeObject
String ID:
API String ID: 865388446-0
Opcode ID: ffaa839b37925f52af571f244b4bcc9ec6d09047a190f4aa6a6dd435522a71e3
Instruction ID: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d
Opcode Fuzzy Hash: 04D09E594221F71A98E8058442D7D520586497D532DAF3B51063B173F7F8089A05D9FC
Instruction Fuzzy Hash: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d

APIs

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

UnrealizeObject.GDI32(00000000), ref: 004258F8
SelectObject.GDI32(?,00000000), ref: 0042590A
SetBkColor.GDI32(?,00000000), ref: 0042592D
SetBkMode.GDI32(?,00000002), ref: 00425938

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(?,00000000), ref: 00425953
SetBkMode.GDI32(?,00000001), ref: 0042595E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042A930, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 112 Total matches: 272window

Similarity

Total matches: 272
API ID: CreateHalftonePaletteDeleteObjectGetDCReleaseDC
String ID: (
API String ID: 5888407-3887548279
Opcode ID: 4e22601666aff46a46581565b5bf303763a07c2fd17868808ec6dd327d665c82
Instruction ID: f57f3c124764741b0e8e00b5455ad9be4a6e3969f543885727e4b1f2e22c0620
Opcode Fuzzy Hash: 79019E5241CC6117F8D7A6547852F732644AB806A5C80FB707B69BA8CFAB85610EB90B
Instruction Fuzzy Hash: f57f3c124764741b0e8e00b5455ad9be4a6e3969f543885727e4b1f2e22c0620

APIs

GetDC.USER32(00000000), ref: 0042A9EC
CreateHalftonePalette.GDI32(00000000), ref: 0042A9F9
ReleaseDC.USER32(00000000,00000000), ref: 0042AA08
DeleteObject.GDI32(00000000), ref: 0042AA76

Strings

(, xrefs: 0042A9A3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DA48, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 102 Total matches: 32

Similarity

Total matches: 32
API ID: Netbios
String ID: %.2x-%.2x-%.2x-%.2x-%.2x-%.2x$3$memory allocation failed!
API String ID: 544444789-2654533857
Opcode ID: 22deb5ba4c8dd5858e69645675ac88c4b744798eed5cc2a6ae80ae5365d1f156
Instruction ID: 205d53b38d78d2d0723284a20418f6a6cc2e9f6e34ee92e133a3f4b1a01c78c5
Opcode Fuzzy Hash: FC0145449793E233D2635E086C60F6823228F41731FC96B56863A557DC1F09420EF26F
Instruction Fuzzy Hash: 205d53b38d78d2d0723284a20418f6a6cc2e9f6e34ee92e133a3f4b1a01c78c5

APIs

Netbios.NETAPI32(00000032), ref: 0048DA8A
Netbios.NETAPI32(00000033), ref: 0048DB01

Strings

3, xrefs: 0048DACB
memory allocation failed!, xrefs: 0048DAEB
%.2x-%.2x-%.2x-%.2x-%.2x-%.2x, xrefs: 0048DBA0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EA7C, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50 Total matches: 198thread

Similarity

Total matches: 198
API ID: FindWindowExGetCurrentThreadIdGetWindowThreadProcessIdIsWindow
String ID: OleMainThreadWndClass
API String ID: 201132107-3883841218
Opcode ID: cdbacb71e4e8a6832b821703e69153792bbbb8731c9381be4d3b148a6057b293
Instruction ID: 62358f18f5a79d764869bf2b093b0b3ccaeb62bda00a46bd1094c38cdaeeb6b7
Opcode Fuzzy Hash: F8E08C9266CC1095C039EA1C7A2237A3548B7D24E9ED4DB747BEB2716CEF00022A7780
Instruction Fuzzy Hash: 62358f18f5a79d764869bf2b093b0b3ccaeb62bda00a46bd1094c38cdaeeb6b7

APIs

Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00000000,00403029), ref: 004076AD
Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00403029), ref: 004076BE

IsWindow.USER32(?), ref: 0042EA99
FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
GetCurrentThreadId.KERNEL32(?,00000000,00000000,00000000,OleMainThreadWndClass,00000000,?,?,00000000,0042EB52), ref: 0042EB0A

Strings

OleMainThreadWndClass, xrefs: 0042EAC3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434AE4, Relevance: 7.7, APIs: 5, Instructions: 168 Total matches: 2874

Similarity

Total matches: 2874
API ID: DrawTextOffsetRect$DrawEdge
String ID:
API String ID: 1230182654-0
Opcode ID: 4033270dfa35f51a11e18255a4f5fd5a4a02456381e8fcea90fa62f052767fcc
Instruction ID: 6b9e5ef3b45a4a7d0cb501c9f56a29ead01efbe1e1581f942ef4c6a165ab8663
Opcode Fuzzy Hash: A511CB01114D5A93E431240815A7FEF1295FBC1A9BCD4BB71078636DBB2F481017EA7B
Instruction Fuzzy Hash: 6b9e5ef3b45a4a7d0cb501c9f56a29ead01efbe1e1581f942ef4c6a165ab8663

APIs

DrawEdge.USER32(00000000,?,00000006,00000002), ref: 00434BB3
OffsetRect.USER32(?,00000001,00000001), ref: 00434C04
DrawTextA.USER32(00000000,00000000,?,?,?), ref: 00434C3D
OffsetRect.USER32(?,000000FF,000000FF), ref: 00434C4A

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

DrawTextA.USER32(00000000,00000000,?,?,?), ref: 00434CB5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004455EC, Relevance: 7.6, APIs: 5, Instructions: 109 Total matches: 230

Similarity

Total matches: 230
API ID: ShowOwnedPopupsShowWindow$EnumWindows
String ID:
API String ID: 1268429734-0
Opcode ID: 27bb45b2951756069d4f131311b8216febb656800ffc3f7147a02f570a82fa35
Instruction ID: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc
Opcode Fuzzy Hash: 70012B5524E87325E2756D54B01C765A2239B0FF08CE6C6654AAE640F75E1E0132F78D
Instruction Fuzzy Hash: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc

APIs

EnumWindows.USER32(00445518,00000000), ref: 00445620
ShowWindow.USER32(?,00000000), ref: 00445655
ShowOwnedPopups.USER32(00000000,?), ref: 00445684
ShowWindow.USER32(?,00000005), ref: 004456EA
ShowOwnedPopups.USER32(00000000,?), ref: 00445719

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EB3C, Relevance: 7.6, APIs: 5, Instructions: 86 Total matches: 211window

Similarity

Total matches: 211
API ID: DispatchMessageMsgWaitForMultipleObjectsExPeekMessageTranslateMessageWaitForMultipleObjectsEx
String ID:
API String ID: 1615661765-0
Opcode ID: ed928f70f25773e24e868fbc7ee7d77a1156b106903410d7e84db0537b49759f
Instruction ID: 55a40452e6c929106030349fb2bc1598364ce2fc4e781c2a916e8f687fa462b2
Opcode Fuzzy Hash: DDF05C09614F1D16D8BB88644562B1B2144AB42397C26BFA5529EE3B2D6B18B00AF640
Instruction Fuzzy Hash: 55a40452e6c929106030349fb2bc1598364ce2fc4e781c2a916e8f687fa462b2

APIs

Part of subcall function 0042EA7C: IsWindow.USER32(?), ref: 0042EA99
Part of subcall function 0042EA7C: FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
Part of subcall function 0042EA7C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
Part of subcall function 0042EA7C: GetCurrentThreadId.KERNEL32(?,00000000,00000000,00000000,OleMainThreadWndClass,00000000,?,?,00000000,0042EB52), ref: 0042EB0A

MsgWaitForMultipleObjectsEx.USER32(?,?,?,000000BF,?), ref: 0042EB6A
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 0042EB85
TranslateMessage.USER32(?), ref: 0042EB92
DispatchMessageA.USER32(?), ref: 0042EB9B
WaitForMultipleObjectsEx.KERNEL32(?,?,?,?,00000000), ref: 0042EBC7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434924, Relevance: 7.6, APIs: 5, Instructions: 77 Total matches: 2509window

Similarity

Total matches: 2509
API ID: GetMenuItemCount$DestroyMenuGetMenuStateRemoveMenu
String ID:
API String ID: 4240291783-0
Opcode ID: 32de4ad86fdb0cc9fc982d04928276717e3a5babd97d9cb0bc7430a9ae97d0ca
Instruction ID: cf6877f9ad33401498591f2bf6e6844a5ca439f59e89e6fdb213c81f0c010526
Opcode Fuzzy Hash: 6BE02BD3455E4703F425AB0454E3FA913C4AF51716DA0DB1017359D07B1F26501FE9F4
Instruction Fuzzy Hash: cf6877f9ad33401498591f2bf6e6844a5ca439f59e89e6fdb213c81f0c010526

APIs

Part of subcall function 00434A54: CreatePopupMenu.USER32 ref: 00434A6F
Part of subcall function 00434A54: CreateMenu.USER32 ref: 00434A79

GetMenuItemCount.USER32(00000000), ref: 0043495C
GetMenuState.USER32(00000000,-00000001,00000400), ref: 0043497D
RemoveMenu.USER32(00000000,-00000001,00000400), ref: 00434994
GetMenuItemCount.USER32(00000000), ref: 004349C4
DestroyMenu.USER32(00000000), ref: 004349D1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00443430, Relevance: 7.6, APIs: 5, Instructions: 61 Total matches: 3003

Similarity

Total matches: 3003
API ID: SetWindowLong$GetWindowLongRedrawWindowSetLayeredWindowAttributes
String ID:
API String ID: 3761630487-0
Opcode ID: 9c9d49d1ef37d7cb503f07450c0d4a327eb9b2b4778ec50dcfdba666c10abcb3
Instruction ID: c6d9d2cd31c241e86b7d90949bf59b5cad1e27a78e0073c3828bbb8e9ec94880
Opcode Fuzzy Hash: 6AE06550D41703A1D48114945B63FBBE8817F8911DDE5C71001BA29145BA88A192FF7B
Instruction Fuzzy Hash: c6d9d2cd31c241e86b7d90949bf59b5cad1e27a78e0073c3828bbb8e9ec94880

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 00443464
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 00443496
SetLayeredWindowAttributes.USER32(00000000,?,?,00000000), ref: 004434CF
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 004434E8
RedrawWindow.USER32(00000000,00000000,00000000,00000485), ref: 004434FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426178, Relevance: 7.6, APIs: 5, Instructions: 55 Total matches: 3070window

Similarity

Total matches: 3070
API ID: GetPaletteEntries$GetDCGetDeviceCapsReleaseDC
String ID:
API String ID: 1267235336-0
Opcode ID: 49f91625e0dd571c489fa6fdad89a91e8dd79834746e98589081ca7a3a4fea17
Instruction ID: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836
Opcode Fuzzy Hash: 7CD0C2AA1389DBD6BD6A17842352A4553478983B09D126B32EB0822872850C5039FD1F
Instruction Fuzzy Hash: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836

APIs

GetDC.USER32(00000000), ref: 00426190
GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444B90, Relevance: 7.5, APIs: 5, Instructions: 25 Total matches: 2957synchronizationthread

Similarity

Total matches: 2957
API ID: CloseHandleGetCurrentThreadIdSetEventUnhookWindowsHookExWaitForSingleObject
String ID:
API String ID: 3442057731-0
Opcode ID: bc40a7f740796d43594237fc13166084f8c3b10e9e48d5138e47e82ca7129165
Instruction ID: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1
Opcode Fuzzy Hash: E9C01296B2C9B0C1EC809712340202800B20F8FC590E3DE0509D7363005315D73CD92C
Instruction Fuzzy Hash: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1

APIs

UnhookWindowsHookEx.USER32(00000000), ref: 00444B9F
SetEvent.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBA
GetCurrentThreadId.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBF
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00444BD4
CloseHandle.KERNEL32(00000000), ref: 00444BDF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040D670, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148 Total matches: 3566thread

Similarity

Total matches: 3566
API ID: GetThreadLocale
String ID: eeee$ggg$yyyy
API String ID: 1366207816-1253427255
Opcode ID: 86fa1fb3c1f239f42422769255d2b4db7643f856ec586a18d45da068e260c20e
Instruction ID: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436
Opcode Fuzzy Hash: 3911BD8712648363D5722818A0D2BE3199C5703CA4EA89742DDB6356EA7F09440BEE6D
Instruction Fuzzy Hash: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436

APIs

GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Strings

eeee, xrefs: 0040D7AE
yyyy, xrefs: 0040D795
ggg, xrefs: 0040D785

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F5E4, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72 Total matches: 26window

Similarity

Total matches: 26
API ID: GetWindowPlacementGetWindowTextIsWindowVisible
String ID: ,
API String ID: 41250382-3772416878
Opcode ID: d98ece8bad481757d152ad7594c705093dec75069e9b5f9ec314c4d81001c558
Instruction ID: 1b57460ef1e40e225087e69e669dd845b9a56fe4f5442601256b4cdd4d0865f6
Opcode Fuzzy Hash: DBE0ABC68782816BD907FDCCB0207E6E1E4779394CC8CBB32C606396E44D92000DCE69
Instruction Fuzzy Hash: 1b57460ef1e40e225087e69e669dd845b9a56fe4f5442601256b4cdd4d0865f6

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F634
GetWindowPlacement.USER32(?,0000002C), ref: 0046F64F
IsWindowVisible.USER32(?), ref: 0046F655

Strings

,, xrefs: 0046F643

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00485150, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64 Total matches: 24registry

Similarity

Total matches: 24
API ID: RegCloseKeyRegOpenKeyRegSetValueEx
String ID: Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 551737238-1428018034
Opcode ID: 03d06dea9a4ea131a8c95bd501c85e7d0b73df60e0a15cb9a2dd1ac9fe2d308f
Instruction ID: 259808f008cd29689f11a183a475b32bbb219f99a0f83129d86369365ce9f44d
Opcode Fuzzy Hash: 15E04F8517EAE2ABA996B5C838866F7609A9713790F443FB19B742F18B4F04601CE243
Instruction Fuzzy Hash: 259808f008cd29689f11a183a475b32bbb219f99a0f83129d86369365ce9f44d

APIs

RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 00485199
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,?,00000000,004851DE,?,00000000,0048520A), ref: 004851C6
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,?,00000000,004851DE,?,00000000,0048520A), ref: 004851CF

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 0048518F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004606CC, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 59 Total matches: 75network

Similarity

Total matches: 75
API ID: gethostbynameinet_addr
String ID: %d.%d.%d.%d$0.0.0.0
API String ID: 1594361348-464342551
Opcode ID: 7e59b623bdbf8c44b8bb58eaa9a1d1e7bf08be48a025104469b389075155053e
Instruction ID: 136b4077bafd549567cd44b702fc781b2d0bdeab701521d256d746d30229b047
Opcode Fuzzy Hash: 62E0D84049F633C28038E685914DF713041C71A2DEF8F9352022171EF72B096986AE3F
Instruction Fuzzy Hash: 136b4077bafd549567cd44b702fc781b2d0bdeab701521d256d746d30229b047

APIs

inet_addr.WSOCK32(00000000), ref: 004606F6
gethostbyname.WSOCK32(00000000), ref: 00460711

Strings

%d.%d.%d.%d, xrefs: 0046075E
0.0.0.0, xrefs: 0046076C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043804C, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58 Total matches: 1778window

Similarity

Total matches: 1778
API ID: DrawMenuBarGetMenuItemInfoSetMenuItemInfo
String ID: P
API String ID: 41131186-3110715001
Opcode ID: ea0fd48338f9c30b58f928f856343979a74bbe7af1b6c53973efcbd39561a32d
Instruction ID: eec9c326b6739cd85be96541f469f9b321a478421ae7c7aca53e0c239bd8eefe
Opcode Fuzzy Hash: C8E0C0C1064C1301CCACB4938564F010221FB8B33CDD1D3C051602419A9D0080D4BFFA
Instruction Fuzzy Hash: eec9c326b6739cd85be96541f469f9b321a478421ae7c7aca53e0c239bd8eefe

APIs

GetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 0043809A
SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 004380EC
DrawMenuBar.USER32(00000000), ref: 004380F9

Strings

P, xrefs: 0043808C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C3E4, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47 Total matches: 32libraryloader

Similarity

Total matches: 32
API ID: FreeLibraryGetProcAddressLoadLibrary
String ID: _DCEntryPoint
API String ID: 2438569322-2130044969
Opcode ID: ab6be07d423f29e2cef18b5ad5ff21cef58c0bd0bd6b8b884c8bb9d8d911d098
Instruction ID: 3cba8b520013dd4b177f9c32272ffd10ecf318a20762e1e9fa694429cf7511db
Opcode Fuzzy Hash: B9D0C2568747D413C405200439407D90CF1AF8719F9967FA145303FAD76F09801B7527
Instruction Fuzzy Hash: 3cba8b520013dd4b177f9c32272ffd10ecf318a20762e1e9fa694429cf7511db

APIs

LoadLibraryA.KERNEL32(00000000), ref: 0048C431
GetProcAddress.KERNEL32(00000000,_DCEntryPoint,00000000,0048C473), ref: 0048C442
FreeLibrary.KERNEL32(00000000), ref: 0048C44A

Strings

_DCEntryPoint, xrefs: 0048C43C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046D36C, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36 Total matches: 62

Similarity

Total matches: 62
API ID: ShellExecute
String ID: /k $[FILE]$open
API String ID: 2101921698-3009165984
Opcode ID: 68a05d7cd04e1a973318a0f22a03b327e58ffdc8906febc8617c9713a9b295c3
Instruction ID: d64fb813625eb261c687c2654e5203d30067de4ace02db37851750b48dd66fbf
Opcode Fuzzy Hash: FED0C75427CD9157FA017F8439527E61057E747281D481BE285587A0838F8D40659312
Instruction Fuzzy Hash: d64fb813625eb261c687c2654e5203d30067de4ace02db37851750b48dd66fbf

APIs

ShellExecuteA.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0046D3B9

Strings

/k , xrefs: 0046D39A
cmd.exe, xrefs: 0046D3AD
open, xrefs: 0046D3B2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042F9E4, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36 Total matches: 35libraryloader

Similarity

Total matches: 35
API ID: GetProcAddressLoadLibrary
String ID: DWMAPI.DLL$DwmExtendFrameIntoClientArea
API String ID: 3291547091-2956373744
Opcode ID: cc41b93bac7ef77e5c5829331b5f2d91e10911707bc9e4b3bb75284856726923
Instruction ID: 611aa7263024d751f308fb3d57e5af9092bc5a71ac2d52dead79affe02cb0da7
Opcode Fuzzy Hash: D0D0A7E4C08511B0F0509405703078241DE1BC5EEE8860E90150E533621B9FB827F65C
Instruction Fuzzy Hash: 611aa7263024d751f308fb3d57e5af9092bc5a71ac2d52dead79affe02cb0da7

APIs

LoadLibraryA.KERNEL32(DWMAPI.DLL), ref: 0042FA0E
GetProcAddress.KERNEL32(00000000,DwmExtendFrameIntoClientArea,?,?,?,00447F98), ref: 0042FA31

Strings

DWMAPI.DLL, xrefs: 0042FA09
DwmExtendFrameIntoClientArea, xrefs: 0042FA26

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042FA80, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31 Total matches: 41libraryloader

Similarity

Total matches: 41
API ID: GetProcAddressLoadLibrary
String ID: DWMAPI.DLL$DwmIsCompositionEnabled
API String ID: 3291547091-2128843254
Opcode ID: 903d86e3198bc805c96c7b960047695f5ec88b3268c29fda1165ed3f3bc36d22
Instruction ID: 6cdb37f6684ca359e010f835ed4616ce0f7732468e0f2b98b5f1960530870703
Opcode Fuzzy Hash: E3D0C9A5C0865175F571D509713068081FA23D6E8A8824998091A123225FAFB866F55C
Instruction Fuzzy Hash: 6cdb37f6684ca359e010f835ed4616ce0f7732468e0f2b98b5f1960530870703

APIs

LoadLibraryA.KERNEL32(DWMAPI.DLL), ref: 0042FAA6
GetProcAddress.KERNEL32(00000000,DwmIsCompositionEnabled,?,?,0042FB22,?,00447EFB), ref: 0042FAC9

Strings

DwmIsCompositionEnabled, xrefs: 0042FABE
DWMAPI.DLL, xrefs: 0042FAA1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040F4AC, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16 Total matches: 3137libraryloader

Similarity

Total matches: 3137
API ID: GetModuleHandleGetProcAddress
String ID: GetDiskFreeSpaceExA$[FILE]
API String ID: 1063276154-3559590856
Opcode ID: c33e0a58fb58839ae40c410e06ae8006a4b80140bf923832b2d6dbd30699e00d
Instruction ID: 9d6a6771c1a736381c701344b3d7b8e37c98dfc5013332f68a512772380f22cc
Opcode Fuzzy Hash: D8B09224E0D54114C4B4560930610013C82738A10E5019A820A1B720AA7CCEEA29603A
Instruction Fuzzy Hash: 9d6a6771c1a736381c701344b3d7b8e37c98dfc5013332f68a512772380f22cc

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0048F10B,00000000,0048F11E), ref: 0040F4B2
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA,kernel32.dll,?,0048F10B,00000000,0048F11E), ref: 0040F4C3

Strings

GetDiskFreeSpaceExA, xrefs: 0040F4BD
kernel32.dll, xrefs: 0040F4AD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EC20, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15 Total matches: 48libraryloader

Similarity

Total matches: 48
API ID: GetModuleHandleGetProcAddress
String ID: CoWaitForMultipleHandles$[FILE]
API String ID: 1063276154-3065170753
Opcode ID: c6d715972c75e747e6d7ad7506eebf8b4c41a2b527cd9bc54a775635c050cd0f
Instruction ID: d81c7de5bd030b21af5c52a75e3162b073d887a4de1eb555b8966bd0fb9ec815
Opcode Fuzzy Hash: 4DB012F9A0C9210CE55F44043163004ACF031C1B5F002FD461637827803F86F437631D
Instruction Fuzzy Hash: d81c7de5bd030b21af5c52a75e3162b073d887a4de1eb555b8966bd0fb9ec815

APIs

GetModuleHandleA.KERNEL32(ole32.dll,?,0042EC9A), ref: 0042EC26
GetProcAddress.KERNEL32(00000000,CoWaitForMultipleHandles,ole32.dll,?,0042EC9A), ref: 0042EC37

Strings

CoWaitForMultipleHandles, xrefs: 0042EC31
ole32.dll, xrefs: 0042EC21

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00411444, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: 954335058d5fe722e048a186d9110509c96c1379a47649d8646f5b9e1a2e0a0b
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: 9D014B0327CAAA867021BB004882FA0D2D4DE52A369CD8774DB71593F62780571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004114F3
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041150F
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411586
VariantClear.OLEAUT32(?), ref: 004115AF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428848, Relevance: 6.1, APIs: 4, Instructions: 83 Total matches: 2913window

Similarity

Total matches: 2913
API ID: CreateCompatibleDCRealizePaletteSelectObjectSelectPalette
String ID:
API String ID: 3833105616-0
Opcode ID: 7f49dee69bcd38fda082a6c54f39db5f53dba16227df2c2f18840f8cf7895046
Instruction ID: 29ada319a87402adac0eebea4d3b1ef9d21249ffa1523adf5174efdc3c3390a2
Opcode Fuzzy Hash: C0F0E5870BCED49BFCA7D484249722910C2F3C08DFC80A3324E55676DB9604B127A20B
Instruction Fuzzy Hash: 29ada319a87402adac0eebea4d3b1ef9d21249ffa1523adf5174efdc3c3390a2

APIs

Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE

Part of subcall function 00429D5C: GetDC.USER32(00000000), ref: 00429DB2
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429DC7
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00429DD1
Part of subcall function 00429D5C: CreateHalftonePalette.GDI32(00000000), ref: 00429DF5
Part of subcall function 00429D5C: ReleaseDC.USER32(00000000,00000000), ref: 00429E00

CreateCompatibleDC.GDI32(00000000), ref: 0042889D
SelectObject.GDI32(00000000,?), ref: 004288B6
SelectPalette.GDI32(00000000,?,000000FF), ref: 004288DF
RealizePalette.GDI32(00000000), ref: 004288EB

Part of subcall function 00425608: LeaveCriticalSection.KERNEL32(00000038,00000000,00423DD2,00423DE8), ref: 0042560F
Part of subcall function 00425608: EnterCriticalSection.KERNEL32(00499A30,00000038,00000000,00423DD2,00423DE8), ref: 00425619
Part of subcall function 00425608: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000038,00000000,00423DD2,00423DE8), ref: 00425626

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00438710, Relevance: 6.1, APIs: 4, Instructions: 72 Total matches: 3034window

Similarity

Total matches: 3034
API ID: GetMenuItemIDGetMenuStateGetMenuStringGetSubMenu
String ID:
API String ID: 4177512249-0
Opcode ID: ecc45265f1f2dfcabc36b66648e37788e83d83d46efca9de613be41cbe9cf08e
Instruction ID: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d
Opcode Fuzzy Hash: BEE020084B1FC552541F0A4A1573F019140E142CB69C3F3635127565B31A255213F776
Instruction Fuzzy Hash: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d

APIs

GetMenuState.USER32(?,?,?), ref: 00438733
GetSubMenu.USER32(?,?), ref: 0043873E
GetMenuItemID.USER32(?,?), ref: 00438757
GetMenuStringA.USER32(?,?,?,?,?), ref: 004387AA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00445518, Relevance: 6.1, APIs: 4, Instructions: 71 Total matches: 218threadwindow

Similarity

Total matches: 218
API ID: GetCurrentProcessIdGetWindowGetWindowThreadProcessIdIsWindowVisible
String ID:
API String ID: 3659984437-0
Opcode ID: 6a2b99e3a66d445235cbeb6ae27631a3038d73fb4110980a8511166327fee1f0
Instruction ID: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8
Opcode Fuzzy Hash: 82E0AB21B2AA28AAE0971541B01939130B3F74ED9ACC0A3626F8594BD92F253809E74F
Instruction Fuzzy Hash: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8

APIs

GetWindow.USER32(?,00000004), ref: 00445528
GetWindowThreadProcessId.USER32(?,?), ref: 00445542
GetCurrentProcessId.KERNEL32(?,00000004), ref: 0044554E
IsWindowVisible.USER32(?), ref: 0044559E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B29C, Relevance: 6.1, APIs: 4, Instructions: 58 Total matches: 214window

Similarity

Total matches: 214
API ID: DeleteObject$GetIconInfoGetObject
String ID:
API String ID: 3019347292-0
Opcode ID: d6af2631bec08fa1cf173fc10c555d988242e386d2638a025981433367bbd086
Instruction ID: 7fbc048e39f9dd6e6db5f40543e5f161b145f4c2f282fe4a446dbd8e1941d375
Opcode Fuzzy Hash: F7D0C283228DE2F7ED767D983A636154085F782297C6423B00444730860A1E700C6A03
Instruction Fuzzy Hash: 7fbc048e39f9dd6e6db5f40543e5f161b145f4c2f282fe4a446dbd8e1941d375

APIs

GetIconInfo.USER32(?,?), ref: 0042B2BD
GetObjectA.GDI32(?,00000018,?), ref: 0042B2DE
DeleteObject.GDI32(?), ref: 0042B30A
DeleteObject.GDI32(?), ref: 0042B313

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00445334, Relevance: 6.1, APIs: 4, Instructions: 56 Total matches: 2678

Similarity

Total matches: 2678
API ID: EnumWindowsGetWindowGetWindowLongSetWindowPos
String ID:
API String ID: 1660305372-0
Opcode ID: c3d012854d63b95cd89c42a77d529bdce0f7c5ea0abc138a70ce1ca7fb0ed027
Instruction ID: 7947c1ee61b3a945b06f79495752ea495d4a1fb36974d9d540e15b721e8a8e8a
Opcode Fuzzy Hash: 65E07D89179DA114F52124400911F043342F3D731BD1ADF814246283E39B8522BBFB8C
Instruction Fuzzy Hash: 7947c1ee61b3a945b06f79495752ea495d4a1fb36974d9d540e15b721e8a8e8a

APIs

EnumWindows.USER32(Function_000452BC), ref: 0044535E
GetWindow.USER32(?,00000003), ref: 00445376
GetWindowLongA.USER32(00000000,000000EC), ref: 00445383
SetWindowPos.USER32(00000000,000000EC,00000000,00000000,00000000,00000000,00000213), ref: 004453C2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040A404, Relevance: 6.1, APIs: 4, Instructions: 54 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: c8f11cb17e652d385e55d6399cfebc752614be738e382b5839b86fc73ea86396
Instruction ID: 2e292ce978d1af3d415e66e5b982e49a92b9d84a3d1479b7871fac408542b61b
Opcode Fuzzy Hash: 32D02B030B309613452F157D0441F8D7032488F01A96C2F8C37B77ABA68505605FFE4C
Instruction Fuzzy Hash: 2e292ce978d1af3d415e66e5b982e49a92b9d84a3d1479b7871fac408542b61b

APIs

FindNextFileA.KERNEL32(?,?), ref: 0040A415
GetLastError.KERNEL32(?,?), ref: 0040A41E
FileTimeToLocalFileTime.KERNEL32(?), ref: 0040A434
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 0040A443

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0041C2D4, Relevance: 6.1, APIs: 4, Instructions: 51 Total matches: 4966

Similarity

Total matches: 4966
API ID: FindResourceLoadResourceLockResourceSizeofResource
String ID:
API String ID: 3653323225-0
Opcode ID: 735dd83644160b8dcfdcb5d85422b4d269a070ba32dbf009b7750e227a354687
Instruction ID: 615d07274e164157e3e11310b2f920de543c2506028dc961f8b3aaf64374c2fd
Opcode Fuzzy Hash: 4BD0A90A2268C100582C2C80002BBC610830A5FE226CC27F902231BBC32C026024F8C4
Instruction Fuzzy Hash: 615d07274e164157e3e11310b2f920de543c2506028dc961f8b3aaf64374c2fd

APIs

FindResourceA.KERNEL32(?,?,?), ref: 0041C2EB
LoadResource.KERNEL32(?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C305
SizeofResource.KERNEL32(?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C31F
LockResource.KERNEL32(0041BDF4,00000000,?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000), ref: 0041C329

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040A3AC, Relevance: 6.0, APIs: 4, Instructions: 40 Total matches: 51time

Similarity

Total matches: 51
API ID: DosDateTimeToFileTimeGetLastErrorLocalFileTimeToFileTimeSetFileTime
String ID:
API String ID: 3095628216-0
Opcode ID: dc7fe683cb9960f76d0248ee31fd3249d04fe76d6d0b465a838fe0f3e66d3351
Instruction ID: c3399427300e97a0bf23ec08d7f996c3ab3c22a86554ee3675cd901d102723b3
Opcode Fuzzy Hash: F2C0803B165157D71F4F7D7C600375011F0D1778230955B614E019718D4E05F01EFD86
Instruction Fuzzy Hash: c3399427300e97a0bf23ec08d7f996c3ab3c22a86554ee3675cd901d102723b3

APIs

DosDateTimeToFileTime.KERNEL32(?,0048C37F,?), ref: 0040A3C9
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0040A3DA
SetFileTime.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3EC
GetLastError.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3F5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00484388, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 39

Similarity

Total matches: 39
API ID: CloseHandleGetExitCodeProcessOpenProcessTerminateProcess
String ID:
API String ID: 2790531620-0
Opcode ID: 2f64381cbc02908b23ac036d446d8aeed05bad4df5f4c3da9e72e60ace7043ae
Instruction ID: e830ae185e03603e72926048c7063e7464f7d8c572e36ef4319c937be7ad0c91
Opcode Fuzzy Hash: 5DC01285079EAB7B643571D825437E14084D5026CCB943B7185045F10B4B09B43DF053
Instruction Fuzzy Hash: e830ae185e03603e72926048c7063e7464f7d8c572e36ef4319c937be7ad0c91

APIs

OpenProcess.KERNEL32(00000001,00000000,00000000), ref: 00484393
GetExitCodeProcess.KERNEL32(00000000,?), ref: 004843B7
TerminateProcess.KERNEL32(00000000,?,00000000,004843E0,?,00000001,00000000,00000000), ref: 004843C4
CloseHandle.KERNEL32(00000000), ref: 004843DA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044E254, Relevance: 6.0, APIs: 4, Instructions: 37 Total matches: 5751thread

Similarity

Total matches: 5751
API ID: GetCurrentProcessIdGetPropGetWindowThreadProcessIdGlobalFindAtom
String ID:
API String ID: 142914623-0
Opcode ID: 055fee701d7a26f26194a738d8cffb303ddbdfec43439e02886190190dab2487
Instruction ID: e9689aead5eaf442059aa2d418bca5d111d08576717f72d926dd49825766799b
Opcode Fuzzy Hash: 0AC02203AD2E23870E4202F2E840907219583DF8720CA370201B0E38C023F0461DFF0C
Instruction Fuzzy Hash: e9689aead5eaf442059aa2d418bca5d111d08576717f72d926dd49825766799b

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 0044E261
GetCurrentProcessId.KERNEL32(00000000,?,?,-00000010,00000000,0044E2CC,-000000F7,?,00000000,0044DE86,?,-00000010,?), ref: 0044E26A
GlobalFindAtomA.KERNEL32(00000000), ref: 0044E27F
GetPropA.USER32(00000000,00000000), ref: 0044E296

Part of subcall function 0044D2C0: GetWindowThreadProcessId.USER32(?), ref: 0044D2C6
Part of subcall function 0044D2C0: GetCurrentProcessId.KERNEL32(?,?,?,?,0044D346,?,00000000,?,004387ED,?,004378A9), ref: 0044D2CF
Part of subcall function 0044D2C0: SendMessageA.USER32(?,0000C1C7,00000000,00000000), ref: 0044D2E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444B1C, Relevance: 6.0, APIs: 4, Instructions: 34 Total matches: 2966thread

Similarity

Total matches: 2966
API ID: CreateEventCreateThreadGetCurrentThreadIdSetWindowsHookEx
String ID:
API String ID: 2240124278-0
Opcode ID: 54442a1563c67a11f9aee4190ed64b51599c5b098d388fde65e2e60bb6332aef
Instruction ID: 25b62da08cecef26c395931cea73ffe9b62582a88be241cbb158b3c9ea13de32
Opcode Fuzzy Hash: 37D0C940B0DE75C4F860630138017A90633234BF1BCD1C316480F76041C6CFAEF07A28
Instruction Fuzzy Hash: 25b62da08cecef26c395931cea73ffe9b62582a88be241cbb158b3c9ea13de32

APIs

GetCurrentThreadId.KERNEL32(?,00447A69,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00444B34
SetWindowsHookExA.USER32(00000003,00444AD8,00000000,00000000), ref: 00444B44
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00447A69,?,?,?,?,?,?,?,?,?,?), ref: 00444B5F
CreateThread.KERNEL32(00000000,000003E8,00444A7C,00000000,00000000), ref: 00444B83

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B438, Relevance: 6.0, APIs: 4, Instructions: 29 Total matches: 789

Similarity

Total matches: 789
API ID: GetDCGetTextMetricsReleaseDCSelectObject
String ID:
API String ID: 1769665799-0
Opcode ID: db772d9cc67723a7a89e04e615052b16571c955da3e3b2639a45f22e65d23681
Instruction ID: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3
Opcode Fuzzy Hash: DCC02B935A2888C32DE51FC0940084317C8C0E3A248C62212E13D400727F0C007CBFC0
Instruction Fuzzy Hash: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3

APIs

GetDC.USER32(00000000), ref: 0042B441
SelectObject.GDI32(00000000,018A002E), ref: 0042B453
GetTextMetricsA.GDI32(00000000), ref: 0042B45E
ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042473C, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 172 Total matches: 108

Similarity

Total matches: 108
API ID: CompareStringCreateFontIndirect
String ID: Default
API String ID: 480662435-753088835
Opcode ID: 55710f22f10b58c86f866be5b7f1af69a0ec313069c5af8c9f5cd005ee0f43f8
Instruction ID: ad4a051fb67a15694052d05548e5e2a92b9daedfa5d673be67c756d1cf269a99
Opcode Fuzzy Hash: F6116A2104DDB067F8B3EC94B64A74A79D1BBC5E9EC00FB303AA57198A0B01500EEB0E
Instruction Fuzzy Hash: ad4a051fb67a15694052d05548e5e2a92b9daedfa5d673be67c756d1cf269a99

APIs

Part of subcall function 00423A1C: EnterCriticalSection.KERNEL32(?,00423A59), ref: 00423A20

CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,00424930,?,00000000,00424958), ref: 0042486B
CreateFontIndirectA.GDI32(?), ref: 0042490D

Part of subcall function 0042B438: GetDC.USER32(00000000), ref: 0042B441
Part of subcall function 0042B438: SelectObject.GDI32(00000000,018A002E), ref: 0042B453
Part of subcall function 0042B438: GetTextMetricsA.GDI32(00000000), ref: 0042B45E
Part of subcall function 0042B438: ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Part of subcall function 00423A28: LeaveCriticalSection.KERNEL32(-00000008,00423B07,00423B0F), ref: 00423A2C

Strings

Default, xrefs: 00424832, 00424840, 00424841

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E3F0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103 Total matches: 30

Similarity

Total matches: 30
API ID: SHGetPathFromIDListSHGetSpecialFolderLocation
String ID: .LNK
API String ID: 739551631-2547878182
Opcode ID: 6b91e9416f314731ca35917c4d41f2341f1eaddd7b94683245f35c4551080332
Instruction ID: e6ae6f63a256f5e8788dfe1c4fce17057cd352befa637d7beb5ae1c0f18a968e
Opcode Fuzzy Hash: 9701B543079EC2A3D9232E512D43BA60129AF11E22F4C77F35A3C3A7D11E500105FA4A
Instruction Fuzzy Hash: e6ae6f63a256f5e8788dfe1c4fce17057cd352befa637d7beb5ae1c0f18a968e

APIs

SHGetSpecialFolderLocation.SHELL32(00000000,00000010,?), ref: 0046E44B
SHGetPathFromIDListA.SHELL32(?,?,00000000,00000010,?,00000000,0046E55E), ref: 0046E463

Part of subcall function 0042BE44: CoCreateInstance.OLE32(?,00000000,00000005,0042BF34,00000000), ref: 0042BE8B

Strings

.LNK, xrefs: 0046E4DE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00472C70, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 98 Total matches: 26

Similarity

Total matches: 26
API ID: SetFileAttributes
String ID: I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!$drivers\etc\hosts
API String ID: 3201317690-57959411
Opcode ID: de1fcf5289fd0d37c0d7642ff538b0d3acf26fbf7f5b53187118226b7e9f9585
Instruction ID: 1f69c6cfd5524e6f1e55c33e322de11738733e7ba85079705839c212502733fc
Opcode Fuzzy Hash: C4012B430F74D723D5173D857800B8922764B4A179D4A77F34B3B796E14E45101BF26D
Instruction Fuzzy Hash: 1f69c6cfd5524e6f1e55c33e322de11738733e7ba85079705839c212502733fc

APIs

Part of subcall function 004719C8: GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 004719DF

SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00472DAB,?,00000000,00472DE7), ref: 00472D16

Strings

drivers\etc\hosts, xrefs: 00472CD3, 00472D00
I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!, xrefs: 00472D8D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040C028, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79 Total matches: 3032thread

Similarity

Total matches: 3032
API ID: GetDateFormatGetThreadLocale
String ID: yyyy
API String ID: 358233383-3145165042
Opcode ID: a9ef5bbd8ef47e5bcae7fadb254d6b5dc10943448e4061dc92b10bb97dc7929c
Instruction ID: 3d7ab4add3e8180159f8482215856afc9a1a963464e366b4ca05c92ac214afea
Opcode Fuzzy Hash: 09F09E4A0397D3D76802C969D023BC10194EB5A8B2C88B3B1DBB43D7F74C10C40AAF21
Instruction Fuzzy Hash: 3d7ab4add3e8180159f8482215856afc9a1a963464e366b4ca05c92ac214afea

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,0040C116), ref: 0040C0AE
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100), ref: 0040C0B4

Strings

yyyy, xrefs: 0040C089

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E408, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44 Total matches: 2190

Similarity

Total matches: 2190
API ID: GetSystemMetrics
String ID: MonitorFromPoint
API String ID: 96882338-1072306578
Opcode ID: 666203dad349f535e62b1e5569e849ebaf95d902ba2aa8f549115cec9aadc9dc
Instruction ID: 9e90a3aeaa9df0e76633c437836624889fea8714b6c2508f44f8acb6986c90e8
Opcode Fuzzy Hash: 72D09540005C404E9427F505302314050862CD7C1444C0A96073728A4B4BC07837E70C
Instruction Fuzzy Hash: 9e90a3aeaa9df0e76633c437836624889fea8714b6c2508f44f8acb6986c90e8

APIs

GetSystemMetrics.USER32(00000000), ref: 0042E456
GetSystemMetrics.USER32(00000001), ref: 0042E468

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

MonitorFromPoint, xrefs: 0042E41A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E258, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39 Total matches: 3131

Similarity

Total matches: 3131
API ID: GetSystemMetrics
String ID: GetSystemMetrics
API String ID: 96882338-96882338
Opcode ID: bbc54e4b5041dfa08de2230ef90e8f32e1264c6e24ec09b97715d86cc98d23e9
Instruction ID: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c
Opcode Fuzzy Hash: B4D0A941986AA908E0AF511971A336358D163D2EA0C8C8362308B329EB5741B520AB01
Instruction Fuzzy Hash: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c

APIs

GetSystemMetrics.USER32(?), ref: 0042E2BA

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

GetSystemMetrics.USER32(?), ref: 0042E280

Strings

GetSystemMetrics, xrefs: 0042E268

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Process Name: filename.exe Analysis ID: 36765

General

Root Process Name:	regdrv.exe
Process MD5:	2691D4452E303259FE5D1444FE7036BB
Total matches:	112
Initial Analysis Report:	Open
Initial sample Analysis ID:	36765
Initial sample SHA 256:	AF73D7203634778BEAF4945F0B89ADC0C8619A0F7A200D87FE625AD8DAE1D399
Initial sample name:	51transfer copy.exe

Similar Executed Functions

Function 0048AEA8, Relevance: 9.1, APIs: 6, Instructions: 108 Total matches: 122

Similarity

Total matches: 122
API ID: AdjustTokenPrivilegesCloseHandleGetCurrentProcessGetLastErrorLookupPrivilegeValueOpenProcessToken
String ID:
API String ID: 1655903152-0
Opcode ID: c92d68a2c1c5faafb4a28c396f292a277a37f0b40326d7f586547878ef495775
Instruction ID: 5a044237aac15a3989e4021d08b96f5326c338692d3d0e66e444868dbe789150
Opcode Fuzzy Hash: 2CF0468513CAB2E7F879B18C3042FE73458B323244C8437219A903A18E0E59A12CEB13
Instruction Fuzzy Hash: 5a044237aac15a3989e4021d08b96f5326c338692d3d0e66e444868dbe789150

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AEFF
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF05
LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000), ref: 0048AF77
CloseHandle.KERNEL32(?), ref: 0048AF8D
GetLastError.KERNEL32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF9A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DDE0, Relevance: 7.6, APIs: 5, Instructions: 54 Total matches: 153

Similarity

Total matches: 153
API ID: FindResourceFreeResourceLoadResourceLockResourceSizeofResource
String ID:
API String ID: 3885362348-0
Opcode ID: ef8b8e58cde3d28224df1e0c57da641ab2d3d01fa82feb3a30011b4f31433ee9
Instruction ID: 9990bafbf40e834a260b48e1f62370990a3e04654371271e90c167a58edff6a8
Opcode Fuzzy Hash: 08D02B420B5FA197F51656482C813D722876B43386EC42BF2D31A3B2E39F058039F60B
Instruction Fuzzy Hash: 9990bafbf40e834a260b48e1f62370990a3e04654371271e90c167a58edff6a8

APIs

FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 0048DE1A
LoadResource.KERNEL32(00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE24
SizeofResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE2E
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE36
FreeResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048B908, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 138 Total matches: 28

Similarity

Total matches: 28
API ID: GetTokenInformation$CloseHandleGetCurrentProcessOpenProcessToken
String ID: Default$Full$Limited$unknow
API String ID: 3519712506-3005279702
Opcode ID: c9e83fe5ef618880897256b557ce500f1bf5ac68e7136ff2dc4328b35d11ffd0
Instruction ID: 0b4c06dab34d27ad9d68d80be0f4d698db9405c4a95def130c1ac261927f5781
Opcode Fuzzy Hash: 94012245479DA6FB6826709C78036E90090EEA3505DC827320F1A3EA430F49906DFE03
Instruction Fuzzy Hash: 0b4c06dab34d27ad9d68d80be0f4d698db9405c4a95def130c1ac261927f5781

APIs

GetCurrentProcess.KERNEL32(00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B93E
OpenProcessToken.ADVAPI32(00000000,00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B944
GetTokenInformation.ADVAPI32(?,00000012(TokenIntegrityLevel),?,00000004,?,00000000,0048BA30,?,00000000,00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B96F
GetTokenInformation.ADVAPI32(?,00000014(TokenIntegrityLevel),?,00000004,?,?,TokenIntegrityLevel,?,00000004,?,00000000,0048BA30,?,00000000,00000008,?), ref: 0048B9DF
CloseHandle.KERNEL32(?), ref: 0048BA2A

Strings

unknow, xrefs: 0048B9B6
Limited, xrefs: 0048B9A7
Default, xrefs: 0048B989
Full, xrefs: 0048B998

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004035C4, Relevance: 15.1, APIs: 10, Instructions: 129 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: d538ecb20819965be69077a828496b76d5af3486dd71f6717b9dc933de35fdbc
Instruction ID: c976212507a0127e09b4f1878ff8970bdbefa7b4a5e526d5fabf74a192684bc9
Opcode Fuzzy Hash: DD012BC0B7E89268E42FAB84AA00FD25444979FFC9E70C74433C9615EE6742616CBE09
Instruction Fuzzy Hash: c976212507a0127e09b4f1878ff8970bdbefa7b4a5e526d5fabf74a192684bc9

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040364C
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00403670
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040368C
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 004036AD
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 004036D6
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 004036E4
GetStdHandle.KERNEL32(000000F5), ref: 0040371F
GetFileType.KERNEL32 ref: 00403735
CloseHandle.KERNEL32 ref: 00403750
GetLastError.KERNEL32(000000F5), ref: 00403768

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040EBCC, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201 Total matches: 3634thread

Similarity

Total matches: 3634
API ID: GetThreadLocale
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 1366207816-2493093252
Opcode ID: 01a36ac411dc2f0c4b9eddfafa1dc6121dabec367388c2cb1b6e664117e908cf
Instruction ID: d03f869ccb848d3c28b0e9f5c57a02ed4726818649ba9b5e70cc30c7e7abe10a
Opcode Fuzzy Hash: 7E216E09A7888936D262494C3885B9414F75F1A161EC4CBF18BB2757ED6EC60422FBFB
Instruction Fuzzy Hash: d03f869ccb848d3c28b0e9f5c57a02ed4726818649ba9b5e70cc30c7e7abe10a

APIs

Part of subcall function 0040EB08: GetThreadLocale.KERNEL32 ref: 0040EB2A
Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000004A), ref: 0040EB7D
Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000002A), ref: 0040EB8C

Part of subcall function 0040D3E8: GetThreadLocale.KERNEL32(00000000,0040D4FB,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040D404

GetThreadLocale.KERNEL32(00000000,0040EE97,?,?,00000000,00000000), ref: 0040EC02

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Part of subcall function 0040D380: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040EC7E,00000000,0040EE97,?,?,00000000,00000000), ref: 0040D393

Part of subcall function 0040D670: GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(?,00000000,0040D657,?,?,00000000), ref: 0040D5D8
Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040D657,?,?,00000000), ref: 0040D608
Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D50C,00000000,00000000,00000004), ref: 0040D613
Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040D657,?,?,00000000), ref: 0040D631
Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D548,00000000,00000000,00000003), ref: 0040D63C

Strings

AMPM , xrefs: 0040EE25
mmmm d, yyyy, xrefs: 0040ECFE
m/d/yy, xrefs: 0040ECD1
:mm, xrefs: 0040EE35
:mm:ss, xrefs: 0040EE52
AMPM, xrefs: 0040EE16

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045F5F8, Relevance: 10.6, APIs: 7, Instructions: 117 Total matches: 462file

Similarity

Total matches: 462
API ID: CloseHandle$CreateFileCreateFileMappingGetFileSizeMapViewOfFileUnmapViewOfFile
String ID:
API String ID: 4232242029-0
Opcode ID: 30b260463d44c6b5450ee73c488d4c98762007a87f67d167b52aaf6bd441c3bf
Instruction ID: 5c790fdba87d6d3a28b45298bdc34f72c373fcd78425af207109af52e92f4d8f
Opcode Fuzzy Hash: 68F028440BCCF3A7F4B5B64820427A1004AAB46B58D54BFA25495374CB89C9B04DFB53
Instruction Fuzzy Hash: 5c790fdba87d6d3a28b45298bdc34f72c373fcd78425af207109af52e92f4d8f

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateFileA.KERNEL32(00000000,80000000,00000003,00000000,00000003,08000080,00000000), ref: 0045F637
CreateFileMappingA.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0045F665
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718,?,?,?,?), ref: 0045F691
GetFileSize.KERNEL32(000000FF,00000000,00000000,0045F6DC,?,00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718), ref: 0045F6B3
UnmapViewOfFile.KERNEL32(00000000,0045F6E3,0045F6DC,?,00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718), ref: 0045F6D6
CloseHandle.KERNEL32(00000000), ref: 0045F6F4
CloseHandle.KERNEL32(000000FF), ref: 0045F712

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AFE8, Relevance: 10.6, APIs: 7, Instructions: 94 Total matches: 34sleep

Similarity

Total matches: 34
API ID: Sleep$GetCurrentProcessGetTokenInformationLookupPrivilegeDisplayNameLookupPrivilegeNameOpenProcessToken
String ID:
API String ID: 2949210484-0
Opcode ID: 1294ace95088db967643d611283e857756515b83d680ef470e886f47612abab4
Instruction ID: 080af5cb768fd98714a9d060fcd45c73de1816ca9ba7ffb4874f351f539571ee
Opcode Fuzzy Hash: F9F0F6524B5DE753F65D2A4C9893BE90250DB03424E806B22857877A8A5E195039FA2A
Instruction Fuzzy Hash: 080af5cb768fd98714a9d060fcd45c73de1816ca9ba7ffb4874f351f539571ee

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048B0F3), ref: 0048B016
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048B0F3), ref: 0048B01C
Sleep.KERNEL32(00000001,00000000,00000028,?,00000000,0048B0F3), ref: 0048B027
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B03C
Sleep.KERNEL32(00000001,?,TokenIntegrityLevel,00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B047
LookupPrivilegeNameA.ADVAPI32(00000000,00000004,00000000,000000FF), ref: 0048B094
LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,?,000000FF,?), ref: 0048B0A8

Part of subcall function 0048AEA8: GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AEFF
Part of subcall function 0048AEA8: OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF05
Part of subcall function 0048AEA8: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
Part of subcall function 0048AEA8: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000), ref: 0048AF77
Part of subcall function 0048AEA8: CloseHandle.KERNEL32(?), ref: 0048AF8D
Part of subcall function 0048AEA8: GetLastError.KERNEL32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF9A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B47C, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58 Total matches: 283

Similarity

Total matches: 283
API ID: MulDiv
String ID: MS Shell Dlg 2$SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes$Tahoma
API String ID: 940359406-1011973972
Opcode ID: 9f338f1e3de2c8e95426f3758bdd42744a67dcd51be80453ed6f2017c850a3af
Instruction ID: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a
Opcode Fuzzy Hash: EDE0680017C8F0ABFC32BC8A30A17CD20C9F341270C0063B1065D3D8CAAB4AC018E907
Instruction Fuzzy Hash: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a

APIs

MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0042B4A2

Part of subcall function 004217A0: RegCloseKey.ADVAPI32(10940000,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5,?,00000000,0048B2DD), ref: 004217B4

Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421A81
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421AF1
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?), ref: 00421B5C

Part of subcall function 00421770: RegFlushKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 00421781
Part of subcall function 00421770: RegCloseKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 0042178A

Part of subcall function 0042B438: GetDC.USER32(00000000), ref: 0042B441
Part of subcall function 0042B438: SelectObject.GDI32(00000000,018A002E), ref: 0042B453
Part of subcall function 0042B438: GetTextMetricsA.GDI32(00000000), ref: 0042B45E
Part of subcall function 0042B438: ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes, xrefs: 0042B4F8
MS Shell Dlg 2, xrefs: 0042B50C
Tahoma, xrefs: 0042B4C4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048CF38, Relevance: 4.5, APIs: 3, Instructions: 43 Total matches: 31

Similarity

Total matches: 31
API ID: GetForegroundWindowGetWindowTextGetWindowTextLength
String ID:
API String ID: 3098183346-0
Opcode ID: 209e0569b9b6198440fd91fa0607dca7769e34364d6ddda49eba559da13bc80b
Instruction ID: 91d0bfb2ef12b00d399625e8c88d0df52cd9c99a94677dcfff05ce23f9c63a23
Opcode Fuzzy Hash: 06D0A785074B861BA40A96CC64011E692906161142D8077318725BA5C9AD06001FA85B
Instruction Fuzzy Hash: 91d0bfb2ef12b00d399625e8c88d0df52cd9c99a94677dcfff05ce23f9c63a23

APIs

GetForegroundWindow.USER32 ref: 0048CF57
GetWindowTextLengthA.USER32(00000000), ref: 0048CF63
GetWindowTextA.USER32(00000000,00000000,00000001), ref: 0048CF80

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482028, Relevance: 4.5, APIs: 3, Instructions: 19 Total matches: 124window

Similarity

Total matches: 124
API ID: DispatchMessageGetMessageTranslateMessage
String ID:
API String ID: 238847732-0
Opcode ID: 2bc29e822e5a19ca43f9056ef731e5d255ca23f22894fa6ffe39914f176e67d0
Instruction ID: 3635f244085e73605198e4edd337f824154064b4cabe78c039b45d2f1f3269be
Opcode Fuzzy Hash: A9B0120F8141E01F254D19651413380B5D379C3120E515B604E2340284D19031C97C49
Instruction Fuzzy Hash: 3635f244085e73605198e4edd337f824154064b4cabe78c039b45d2f1f3269be

APIs

Part of subcall function 00481ED8: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00482007,?,?,00000003,00000000,00000000,?,00482033), ref: 00481EFB
Part of subcall function 00481ED8: SetWindowsHookExA.USER32(0000000D,004818F8,00000000,00000000), ref: 00481F09

TranslateMessage.USER32 ref: 00482036
DispatchMessageA.USER32 ref: 0048203C
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00482048

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Similar Non-Executed Functions

Function 0048B42C, Relevance: 70.2, APIs: 32, Strings: 8, Instructions: 219 Total matches: 29keyboard

Similarity

Total matches: 29
API ID: keybd_event
String ID: CTRLA$CTRLC$CTRLF$CTRLP$CTRLV$CTRLX$CTRLY$CTRLZ
API String ID: 2665452162-853614746
Opcode ID: 4def22f753c7f563c1d721fcc218f3f6eb664e5370ee48361dbc989d32d74133
Instruction ID: 963b610819eac8b52ef880b5a8b69d76f76adbdeafee6c47af906d1515d6b099
Opcode Fuzzy Hash: 532196951B0CA2B978DA64817C0E195F00B969B34DEDC13128990DAF788EF08DE03F35
Instruction Fuzzy Hash: 963b610819eac8b52ef880b5a8b69d76f76adbdeafee6c47af906d1515d6b099

APIs

keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B460
keybd_event.USER32(00000041,00000045,00000001,00000000), ref: 0048B46D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B47A
keybd_event.USER32(00000041,00000045,00000003,00000000), ref: 0048B487
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B4A8
keybd_event.USER32(00000056,00000045,00000001,00000000), ref: 0048B4B5
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B4C2
keybd_event.USER32(00000056,00000045,00000003,00000000), ref: 0048B4CF
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B4F0
keybd_event.USER32(00000043,00000045,00000001,00000000), ref: 0048B4FD
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B50A
keybd_event.USER32(00000043,00000045,00000003,00000000), ref: 0048B517
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B538
keybd_event.USER32(00000058,00000045,00000001,00000000), ref: 0048B545
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B552
keybd_event.USER32(00000058,00000045,00000003,00000000), ref: 0048B55F
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B580
keybd_event.USER32(00000050,00000045,00000001,00000000), ref: 0048B58D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B59A
keybd_event.USER32(00000050,00000045,00000003,00000000), ref: 0048B5A7
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B5C8
keybd_event.USER32(0000005A,00000045,00000001,00000000), ref: 0048B5D5
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B5E2
keybd_event.USER32(0000005A,00000045,00000003,00000000), ref: 0048B5EF
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B610
keybd_event.USER32(00000059,00000045,00000001,00000000), ref: 0048B61D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B62A
keybd_event.USER32(00000059,00000045,00000003,00000000), ref: 0048B637
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B655
keybd_event.USER32(00000046,00000045,00000001,00000000), ref: 0048B662
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B66F
keybd_event.USER32(00000046,00000045,00000003,00000000), ref: 0048B67C

Strings

CTRLP, xrefs: 0048B56C
CTRLC, xrefs: 0048B4DC
CTRLV, xrefs: 0048B494
CTRLY, xrefs: 0048B5FC
CTRLF, xrefs: 0048B641
CTRLZ, xrefs: 0048B5B4
CTRLX, xrefs: 0048B524
CTRLA, xrefs: 0048B44C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00460AC0, Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99 Total matches: 300libraryloader

Similarity

Total matches: 300
API ID: GetProcAddress$GetModuleHandle
String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$[FILE]
API String ID: 1039376941-2682310058
Opcode ID: f09c306a48b0de2dd47c8210d3bd2ba449cfa3644c05cf78ba5a2ace6c780295
Instruction ID: bcfc9cd07546656776842482fc67dab96c7523a4dc8624f3bf5282ed84c56a54
Opcode Fuzzy Hash: 950151BF00AC158CCBB0CE8834EFB5324AB398984C4225F4495C6312393D9FF50A1AAA
Instruction Fuzzy Hash: bcfc9cd07546656776842482fc67dab96c7523a4dc8624f3bf5282ed84c56a54

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?,?,?), ref: 00460AD4
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?,?,?), ref: 00460AEC
GetProcAddress.KERNEL32(00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?), ref: 00460AFE
GetProcAddress.KERNEL32(00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E), ref: 00460B10
GetProcAddress.KERNEL32(00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5), ref: 00460B22
GetProcAddress.KERNEL32(00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5), ref: 00460B34
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000), ref: 00460B46
GetProcAddress.KERNEL32(00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002), ref: 00460B58
GetProcAddress.KERNEL32(00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot), ref: 00460B6A
GetProcAddress.KERNEL32(00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst), ref: 00460B7C
GetProcAddress.KERNEL32(00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext), ref: 00460B8E
GetProcAddress.KERNEL32(00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First), ref: 00460BA0
GetProcAddress.KERNEL32(00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next), ref: 00460BB2
GetProcAddress.KERNEL32(00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory), ref: 00460BC4
GetProcAddress.KERNEL32(00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First), ref: 00460BD6
GetProcAddress.KERNEL32(00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next), ref: 00460BE8
GetProcAddress.KERNEL32(00000000,Module32NextW,00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW), ref: 00460BFA

Strings

Toolhelp32ReadProcessMemory, xrefs: 00460B3E
CreateToolhelp32Snapshot, xrefs: 00460AE4
Heap32First, xrefs: 00460B1A
Thread32First, xrefs: 00460B98
Module32First, xrefs: 00460BBC
Process32FirstW, xrefs: 00460B74
Heap32Next, xrefs: 00460B2C
Process32First, xrefs: 00460B50
Module32Next, xrefs: 00460BCE
Module32NextW, xrefs: 00460BF2
Heap32ListFirst, xrefs: 00460AF6
Thread32Next, xrefs: 00460BAA
Module32FirstW, xrefs: 00460BE0
Heap32ListNext, xrefs: 00460B08
Process32NextW, xrefs: 00460B86
kernel32.dll, xrefs: 00460ACF
Process32Next, xrefs: 00460B62

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428B08, Relevance: 48.5, APIs: 32, Instructions: 500 Total matches: 1987window

Similarity

Total matches: 1987
API ID: SelectObject$SelectPalette$CreateCompatibleDCGetDIBitsGetDeviceCapsRealizePaletteSetBkColorSetTextColor$BitBltCreateBitmapCreateCompatibleBitmapCreateDIBSectionDeleteDCFillRectGetDCGetDIBColorTableGetObjectPatBltSetDIBColorTable
String ID:
API String ID: 3042800676-0
Opcode ID: b8b687cee1c9a2d9d2f26bc490dbdcc6ec68fc2f2ec1aa58312beb2e349b1411
Instruction ID: ff68489d249ea03a763d48795c58495ac11dd1cccf96ec934182865f2a9e2114
Opcode Fuzzy Hash: E051494D0D8CF5C7B4BF29880993F5211816F83A27D2AB7130975677FB8A05A05BF21D
Instruction Fuzzy Hash: ff68489d249ea03a763d48795c58495ac11dd1cccf96ec934182865f2a9e2114

APIs

GetObjectA.GDI32(00000000,00000054,?), ref: 00428B88
GetDC.USER32(00000000), ref: 00428B99
CreateCompatibleDC.GDI32(00000000), ref: 00428BAA
CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 00428BF6
CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 00428C1A
GetDeviceCaps.GDI32(00000028,0000000C), ref: 00428C6A
GetDeviceCaps.GDI32(00000028,0000000E), ref: 00428C77
SelectObject.GDI32(?,?), ref: 00428D7F

Part of subcall function 004262B4: GetObjectA.GDI32(?,00000004), ref: 004262CB
Part of subcall function 004262B4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 004262EE

SelectObject.GDI32(?,00000000), ref: 00428D21
GetDIBColorTable.GDI32(?,00000000,00000100,-00000027), ref: 00428D47
GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428D72
CreateDIBSection.GDI32(00000028,00000001,00000000,00000003,00000000,00000000), ref: 00428DD5
GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428E36

Part of subcall function 00425A70: GetLastError.KERNEL32(00000000,00425B0C), ref: 00425A90
Part of subcall function 00425A70: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00425B0C), ref: 00425AB6

SelectObject.GDI32(?,?), ref: 00428E77
SelectPalette.GDI32(?,00000000,00000000), ref: 00428EB7
RealizePalette.GDI32(?), ref: 00428EC3
SelectPalette.GDI32(?,?,000000FF), ref: 004290CE

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?,00000000), ref: 00428F14
SetTextColor.GDI32(?,00000000), ref: 00428F2C
SetBkColor.GDI32(?,00000000), ref: 00428F46
SetDIBColorTable.GDI32(?,00000000,00000002,?), ref: 00428F8E
PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 00428FB0
CreateCompatibleDC.GDI32(00000028), ref: 00428FC3
SelectObject.GDI32(?,00000000), ref: 00428FE6
SelectPalette.GDI32(?,00000000,00000000), ref: 00429002
RealizePalette.GDI32(?), ref: 0042900D
DeleteDC.GDI32(?), ref: 004290A4

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetTextColor.GDI32(?,00000000), ref: 0042902B
SetBkColor.GDI32(?,00000000), ref: 00429045
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042906D
SelectPalette.GDI32(?,00000000,000000FF), ref: 0042907F
SelectObject.GDI32(?,00000000), ref: 00429089

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00458910, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64 Total matches: 3020window

Similarity

Total matches: 3020
API ID: GetWindowLongScreenToClient$GetWindowPlacementGetWindowRectIsIconic
String ID: ,
API String ID: 816554555-3772416878
Opcode ID: 33713ad712eb987f005f3c933c072ce84ce87073303cb20338137d5b66c4d54f
Instruction ID: 99fb2dd3f2d8984d329dcc6a20dc6bc7800d43894b91fc45d581d88d3a180e50
Opcode Fuzzy Hash: 34E0929A777C2018C58145A80943F5DB3519B5B7FAC55DF8036902895B110018B1B86D
Instruction Fuzzy Hash: 99fb2dd3f2d8984d329dcc6a20dc6bc7800d43894b91fc45d581d88d3a180e50

APIs

IsIconic.USER32(?), ref: 0045891F
GetWindowPlacement.USER32(?,0000002C), ref: 0045893C
GetWindowRect.USER32(?), ref: 00458955
GetWindowLongA.USER32(?,000000F0), ref: 00458963
GetWindowLongA.USER32(?,000000F8), ref: 00458978
ScreenToClient.USER32(00000000), ref: 00458985
ScreenToClient.USER32(00000000,?), ref: 00458990

Strings

,, xrefs: 00458928

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043B7D8, Relevance: 12.1, APIs: 8, Instructions: 72 Total matches: 256window

Similarity

Total matches: 256
API ID: ShowWindow$SetWindowLong$GetWindowLongIsIconicIsWindowVisible
String ID:
API String ID: 1329766111-0
Opcode ID: 851ee31c2da1c7e890e66181f8fd9237c67ccb8fd941b2d55d1428457ca3ad95
Instruction ID: 2d601e2c9dde570a1438639cb57e59d23a7ac9434ebe8ec1c9926e4533b8e8e7
Opcode Fuzzy Hash: FEE0684A6E7C6CE4E26AE7048881B00514BE307A17DC00B00C722165A69E8830E4AC8E
Instruction Fuzzy Hash: 2d601e2c9dde570a1438639cb57e59d23a7ac9434ebe8ec1c9926e4533b8e8e7

APIs

GetWindowLongA.USER32(?,000000EC), ref: 0043B7E8
IsIconic.USER32(?), ref: 0043B800
IsWindowVisible.USER32(?), ref: 0043B80C
ShowWindow.USER32(?,00000000), ref: 0043B840
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B855
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B866
ShowWindow.USER32(?,00000006), ref: 0043B881
ShowWindow.USER32(?,00000005), ref: 0043B88B

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004389B4, Relevance: 10.9, APIs: 7, Instructions: 405 Total matches: 2150windowCrypto

Similarity

Total matches: 2150
API ID: RestoreDCSaveDC$DefWindowProcGetSubMenuGetWindowDC
String ID:
API String ID: 4165311318-0
Opcode ID: e3974ea3235f2bde98e421c273a503296059dbd60f3116d5136c6e7e7c4a4110
Instruction ID: 37498faecac08611daeb58a409bdd2e28f3aff22c71556953c3d6c7203dc42a1
Opcode Fuzzy Hash: E351598106AE105BFCB3A49435C3FA31002E75259BCC9F7725F65B69F70A426107FA0E
Instruction Fuzzy Hash: 37498faecac08611daeb58a409bdd2e28f3aff22c71556953c3d6c7203dc42a1

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 00438ECA

Part of subcall function 00437AE0: SendMessageA.USER32(?,00000234,00000000,00000000), ref: 00437B66
Part of subcall function 00437AE0: DrawMenuBar.USER32(00000000), ref: 00437B77

GetSubMenu.USER32(?,?), ref: 00438AB0

Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128

SaveDC.GDI32(?), ref: 00438C84
RestoreDC.GDI32(?,?), ref: 00438CF8
GetWindowDC.USER32(?), ref: 00438D72
SaveDC.GDI32(?), ref: 00438DA9
RestoreDC.GDI32(?,?), ref: 00438E16

Part of subcall function 00438594: GetMenuItemCount.USER32(?), ref: 004385C0
Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 004385E0
Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 00438678

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043E644, Relevance: 10.9, APIs: 7, Instructions: 356 Total matches: 105windowCrypto

Similarity

Total matches: 105
API ID: RestoreDCSaveDC$GetParentGetWindowDCSetFocus
String ID:
API String ID: 1433148327-0
Opcode ID: c7c51054c34f8cc51c1d37cc0cdfc3fb3cac56433bd5d750a0ee7df42f9800ec
Instruction ID: 9e67841575b56d9a11e2d3f15b67e7abce699d8469a9871b1b2609441fc85f19
Opcode Fuzzy Hash: 60514740199E7193F47720842BC3BEAB09AF79671DC40F3616BC6318877F15A21AB70B
Instruction Fuzzy Hash: 9e67841575b56d9a11e2d3f15b67e7abce699d8469a9871b1b2609441fc85f19

APIs

Part of subcall function 00448224: SetActiveWindow.USER32(?), ref: 0044823F
Part of subcall function 00448224: SetFocus.USER32(00000000), ref: 00448289

SetFocus.USER32(00000000), ref: 0043E76F

Part of subcall function 0043F4F4: SendMessageA.USER32(00000000,00000229,00000000,00000000), ref: 0043F51B

Part of subcall function 0044D2F4: GetWindowThreadProcessId.USER32(?), ref: 0044D301
Part of subcall function 0044D2F4: GetCurrentProcessId.KERNEL32(?,00000000,?,004387ED,?,004378A9), ref: 0044D30A
Part of subcall function 0044D2F4: GlobalFindAtomA.KERNEL32(00000000), ref: 0044D31F
Part of subcall function 0044D2F4: GetPropA.USER32(?,00000000), ref: 0044D336

GetParent.USER32(?), ref: 0043E78A

Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128

SaveDC.GDI32(?), ref: 0043E92D
RestoreDC.GDI32(?,?), ref: 0043E99E
GetWindowDC.USER32(00000000), ref: 0043EA0A
SaveDC.GDI32(?), ref: 0043EA41
RestoreDC.GDI32(?,?), ref: 0043EAA5

Part of subcall function 00447EF0: InvalidateRect.USER32(00000000,00000000,000000FF), ref: 00447F83
Part of subcall function 00447EF0: InvalidateRect.USER32(00000000,00000000,000000FF), ref: 00447FB6

Part of subcall function 004556F4: SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000077), ref: 004557E5
Part of subcall function 004556F4: _TrackMouseEvent.COMCTL32(00000010), ref: 00455A9D
Part of subcall function 004556F4: DefWindowProcA.USER32(00000000,?,?,?), ref: 00455AEF
Part of subcall function 004556F4: GetCapture.USER32 ref: 00455B5A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00471850, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 97 Total matches: 34service

Similarity

Total matches: 34
API ID: CloseServiceHandle$CreateServiceOpenSCManager
String ID: Description$System\CurrentControlSet\Services\
API String ID: 2405299899-3489731058
Opcode ID: 96e252074fe1f6aca618bd4c8be8348df4b99afc93868a54bf7090803d280f0a
Instruction ID: 14b9cf690ce9596509c6229b802a5a61d158de39c8e329de654368bbb4824ff8
Opcode Fuzzy Hash: 7EF09E441FA6E84FA45EB84828533D651465713A78D4C77F19778379C34E84802EF662
Instruction Fuzzy Hash: 14b9cf690ce9596509c6229b802a5a61d158de39c8e329de654368bbb4824ff8

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,00471976,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00471890
CreateServiceA.ADVAPI32(00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,0047193B), ref: 004718D1

Part of subcall function 004711E8: RegCreateKeyA.ADVAPI32(?,00000000,?), ref: 0047122E
Part of subcall function 004711E8: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000002,00000000,?,00000000,00471291), ref: 0047125A
Part of subcall function 004711E8: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000002,00000000,?,00000000,00471291), ref: 00471269

CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00471926
CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0047192C

Strings

Description, xrefs: 00471916
System\CurrentControlSet\Services\, xrefs: 004718F7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004714B8, Relevance: 10.6, APIs: 7, Instructions: 89 Total matches: 71service

Similarity

Total matches: 71
API ID: CloseServiceHandle$ControlServiceOpenSCManagerOpenServiceQueryServiceStatusStartService
String ID:
API String ID: 3657116338-0
Opcode ID: 1e9d444eec48d0e419340f6fec950ff588b94c8e7592a950f99d2ba7664d31f8
Instruction ID: f731b938185626ba78ad74946a73eac4c40bc8709c87a2b6d5c22da45b1e1850
Opcode Fuzzy Hash: EDF0270D12C6E85FF119A88C1181B67D992DF56795E4A37E04715744CB1AE21008FA1E
Instruction Fuzzy Hash: f731b938185626ba78ad74946a73eac4c40bc8709c87a2b6d5c22da45b1e1850

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047159E), ref: 004714FD
OpenServiceA.ADVAPI32(00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047152D
StartServiceA.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471555
ControlService.ADVAPI32(00000000,00000001,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471563
QueryServiceStatus.ADVAPI32(00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047156D
CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471573
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471579

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A070, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51 Total matches: 81shutdown

Similarity

Total matches: 81
API ID: AdjustTokenPrivilegesExitWindowsExGetCurrentProcessLookupPrivilegeValueOpenProcessToken
String ID: SeShutdownPrivilege
API String ID: 907618230-3733053543
Opcode ID: 6325c351eeb4cc5a7ec0039467aea46e8b54e3429b17674810d590d1af91e24f
Instruction ID: 66577e1e564058a64f67eda116e8e082f314cb3670dbe1b8773e92ba7f33d392
Opcode Fuzzy Hash: 84D0124D3B7976B1F31D5D4001C47A6711FDBA322AD61670069507725A8DA091F4BE88
Instruction Fuzzy Hash: 66577e1e564058a64f67eda116e8e082f314cb3670dbe1b8773e92ba7f33d392

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 0048A083
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0048A089
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000000), ref: 0048A0A4
AdjustTokenPrivileges.ADVAPI32(00000002,00000000,00000002,00000010,?,?,00000000), ref: 0048A0E5
ExitWindowsEx.USER32(00000012,00000000), ref: 0048A0ED

Strings

SeShutdownPrivilege, xrefs: 0048A09D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004715B0, Relevance: 7.5, APIs: 5, Instructions: 49 Total matches: 102service

Similarity

Total matches: 102
API ID: CloseServiceHandle$DeleteServiceOpenSCManagerOpenService
String ID:
API String ID: 3460840894-0
Opcode ID: edfa3289dfdb26ec1f91a4a945de349b204e0a604ed3354c303b362bde8b8223
Instruction ID: 514bcffe4070602af344c66095507f6a8d55ec3e3e7bb18c804bf3b7deea95f5
Opcode Fuzzy Hash: 01D02E841BA8F82FD4879988111239360C1AA23A90D8A37F08E08361D3ABE4004CF86A
Instruction Fuzzy Hash: 514bcffe4070602af344c66095507f6a8d55ec3e3e7bb18c804bf3b7deea95f5

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047162F), ref: 004715DB
OpenServiceA.ADVAPI32(00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 004715F5
DeleteService.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471601
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 0047160E
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471614

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A218, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45 Total matches: 35

Similarity

Total matches: 35
API ID: ShellExecuteEx
String ID: <$runas
API String ID: 188261505-1187129395
Opcode ID: 78fd917f465efea932f782085a819b786d64ecbded851ad2becd4a9c2b295cba
Instruction ID: 699417cfffd9d2823bf050fc300394e0ca4864bf277244f982f3937778f2d3bc
Opcode Fuzzy Hash: 44D0C2651799A06BC4A3B2C03C41B2B25307B13B48C0EB722960034CD38F080009EF85
Instruction Fuzzy Hash: 699417cfffd9d2823bf050fc300394e0ca4864bf277244f982f3937778f2d3bc

APIs

ShellExecuteExA.SHELL32(0000003C,00000000,0048A2A4), ref: 0048A283

Strings

runas, xrefs: 0048A268
<, xrefs: 0048A24C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00471640, Relevance: 4.6, APIs: 3, Instructions: 140 Total matches: 47service

Similarity

Total matches: 47
API ID: CloseServiceHandleEnumServicesStatusOpenSCManager
String ID:
API String ID: 233299287-0
Opcode ID: 185c547a2e6a35dbb7ea54b3dd23c7efef250d35a63269c87f9c499be03b9b38
Instruction ID: 4325fe5331610a1e4ee3b19dd885bf5302e7ab4f054d8126da991c50fe425a8d
Opcode Fuzzy Hash: D3112647077BC223FB612D841803F8279D84B1AA24F8C4B458BB5BC6F61E490105F69D
Instruction Fuzzy Hash: 4325fe5331610a1e4ee3b19dd885bf5302e7ab4f054d8126da991c50fe425a8d

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000005,00000000,00471828), ref: 004716A2
EnumServicesStatusA.ADVAPI32(00000000,0000013F,00000003,?,00004800,?,?,?), ref: 004716DC

Part of subcall function 004714B8: OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047159E), ref: 004714FD
Part of subcall function 004714B8: OpenServiceA.ADVAPI32(00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047152D
Part of subcall function 004714B8: StartServiceA.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471555
Part of subcall function 004714B8: ControlService.ADVAPI32(00000000,00000001,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471563
Part of subcall function 004714B8: QueryServiceStatus.ADVAPI32(00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047156D
Part of subcall function 004714B8: CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471573
Part of subcall function 004714B8: CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471579

CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000005,00000000,00471828), ref: 00471805

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042F204, Relevance: 166.5, APIs: 48, Strings: 47, Instructions: 266 Total matches: 2590libraryloader

Similarity

Total matches: 2590
API ID: GetProcAddress$LoadLibrary
String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$[FILE]
API String ID: 2209490600-790253602
Opcode ID: d5b316937265a1d63c550ac9e6780b23ae603b9b00a4eb52bbd2495b45327185
Instruction ID: cdd6db89471e363eb0c024dafd59dce8bdfa3de864d9ed8bc405e7c292d3cab1
Opcode Fuzzy Hash: 3A41197F44EC1149F6A0DA0830FF64324E669EAF2C0325F101587303717ADBF52A6AB9
Instruction Fuzzy Hash: cdd6db89471e363eb0c024dafd59dce8bdfa3de864d9ed8bc405e7c292d3cab1

APIs

LoadLibraryA.KERNEL32(uxtheme.dll), ref: 0042F23A
GetProcAddress.KERNEL32(00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F252
GetProcAddress.KERNEL32(00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F264
GetProcAddress.KERNEL32(00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F276
GetProcAddress.KERNEL32(00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F288
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F29A
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F2AC
GetProcAddress.KERNEL32(00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000), ref: 0042F2BE
GetProcAddress.KERNEL32(00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData), ref: 0042F2D0
GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData), ref: 0042F2E2
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground), ref: 0042F2F4
GetProcAddress.KERNEL32(00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText), ref: 0042F306
GetProcAddress.KERNEL32(00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect), ref: 0042F318
GetProcAddress.KERNEL32(00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect), ref: 0042F32A
GetProcAddress.KERNEL32(00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize), ref: 0042F33C
GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent), ref: 0042F34E
GetProcAddress.KERNEL32(00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics), ref: 0042F360
GetProcAddress.KERNEL32(00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion), ref: 0042F372
GetProcAddress.KERNEL32(00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground), ref: 0042F384
GetProcAddress.KERNEL32(00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge), ref: 0042F396
GetProcAddress.KERNEL32(00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon), ref: 0042F3A8
GetProcAddress.KERNEL32(00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined), ref: 0042F3BA
GetProcAddress.KERNEL32(00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent), ref: 0042F3CC
GetProcAddress.KERNEL32(00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor), ref: 0042F3DE
GetProcAddress.KERNEL32(00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric), ref: 0042F3F0
GetProcAddress.KERNEL32(00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString), ref: 0042F402
GetProcAddress.KERNEL32(00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool), ref: 0042F414
GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt), ref: 0042F426
GetProcAddress.KERNEL32(00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue), ref: 0042F438
GetProcAddress.KERNEL32(00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition), ref: 0042F44A
GetProcAddress.KERNEL32(00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont), ref: 0042F45C
GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect), ref: 0042F46E
GetProcAddress.KERNEL32(00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins), ref: 0042F480
GetProcAddress.KERNEL32(00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList), ref: 0042F492
GetProcAddress.KERNEL32(00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin), ref: 0042F4A4
GetProcAddress.KERNEL32(00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme), ref: 0042F4B6
GetProcAddress.KERNEL32(00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename), ref: 0042F4C8
GetProcAddress.KERNEL32(00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor), ref: 0042F4DA
GetProcAddress.KERNEL32(00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush), ref: 0042F4EC
GetProcAddress.KERNEL32(00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool), ref: 0042F4FE
GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize), ref: 0042F510
GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont), ref: 0042F522
GetProcAddress.KERNEL32(00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString), ref: 0042F534
GetProcAddress.KERNEL32(00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt), ref: 0042F546
GetProcAddress.KERNEL32(00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive), ref: 0042F558
GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed), ref: 0042F56A
GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground,00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme), ref: 0042F57C
GetProcAddress.KERNEL32(00000000,EnableTheming,00000000,DrawThemeParentBackground,00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture), ref: 0042F58E

Strings

EnableTheming, xrefs: 0042F586
CloseThemeData, xrefs: 0042F25C
DrawThemeText, xrefs: 0042F280
GetThemePosition, xrefs: 0042F3C4
IsThemeBackgroundPartiallyTransparent, xrefs: 0042F346
GetThemeBool, xrefs: 0042F38E
GetThemeTextMetrics, xrefs: 0042F2DA
IsThemeDialogTextureEnabled, xrefs: 0042F51A
GetThemeMetric, xrefs: 0042F36A
GetThemeSysInt, xrefs: 0042F4C0
GetThemeInt, xrefs: 0042F3A0
SetThemeAppProperties, xrefs: 0042F53E
IsAppThemed, xrefs: 0042F4E4
EnableThemeDialogTexture, xrefs: 0042F508
GetThemeEnumValue, xrefs: 0042F3B2
GetThemeSysSize, xrefs: 0042F48A
GetThemeTextExtent, xrefs: 0042F2C8
DrawThemeBackground, xrefs: 0042F26E
GetThemeBackgroundRegion, xrefs: 0042F2EC
IsThemeActive, xrefs: 0042F4D2
GetThemeBackgroundContentRect, xrefs: 0042F292, 0042F2A4
uxtheme.dll, xrefs: 0042F235
GetThemeSysString, xrefs: 0042F4AE
DrawThemeEdge, xrefs: 0042F310
GetThemeFilename, xrefs: 0042F442
GetThemeIntList, xrefs: 0042F40C
GetThemeSysBool, xrefs: 0042F478
GetThemeSysColor, xrefs: 0042F454
GetThemeFont, xrefs: 0042F3D6
GetWindowTheme, xrefs: 0042F4F6
GetThemeMargins, xrefs: 0042F3FA
GetThemeSysColorBrush, xrefs: 0042F466
GetCurrentThemeName, xrefs: 0042F550
GetThemeAppProperties, xrefs: 0042F52C
GetThemePropertyOrigin, xrefs: 0042F41E
OpenThemeData, xrefs: 0042F24A
GetThemeSysFont, xrefs: 0042F49C
GetThemeRect, xrefs: 0042F3E8
GetThemeDocumentationProperty, xrefs: 0042F562
IsThemePartDefined, xrefs: 0042F334
SetWindowTheme, xrefs: 0042F430
GetThemePartSize, xrefs: 0042F2B6
GetThemeColor, xrefs: 0042F358
DrawThemeParentBackground, xrefs: 0042F574
DrawThemeIcon, xrefs: 0042F322
GetThemeString, xrefs: 0042F37C
HitTestThemeBackground, xrefs: 0042F2FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00460DDC, Relevance: 75.4, APIs: 24, Strings: 19, Instructions: 132 Total matches: 77libraryloader

Similarity

Total matches: 77
API ID: GetProcAddress$LoadLibrary
String ID: EmptyWorkingSet$EnumDeviceDrivers$EnumProcessModules$EnumProcesses$GetDeviceDriverBaseNameA$GetDeviceDriverBaseNameW$GetDeviceDriverFileNameA$GetDeviceDriverFileNameW$GetMappedFileNameA$GetMappedFileNameW$GetModuleBaseNameA$GetModuleBaseNameW$GetModuleFileNameExA$GetModuleFileNameExW$GetModuleInformation$GetProcessMemoryInfo$InitializeProcessForWsWatch$[FILE]$QueryWorkingSet
API String ID: 2209490600-4166134900
Opcode ID: aaefed414f62a40513f9ac2234ba9091026a29d00b8defe743cdf411cc1f958a
Instruction ID: 585c55804eb58d57426aaf25b5bf4c27b161b10454f9e43d23d5139f544de849
Opcode Fuzzy Hash: CC1125BF55AD1149CBA48A6C34EF70324D3399A90D4228F10A492317397DDFE49A1FB5
Instruction Fuzzy Hash: 585c55804eb58d57426aaf25b5bf4c27b161b10454f9e43d23d5139f544de849

APIs

LoadLibraryA.KERNEL32(PSAPI.dll), ref: 00460DF0
GetProcAddress.KERNEL32(00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E0C
GetProcAddress.KERNEL32(00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E1E
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E30
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E42
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E54
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E66
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll), ref: 00460E78
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses), ref: 00460E8A
GetProcAddress.KERNEL32(00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules), ref: 00460E9C
GetProcAddress.KERNEL32(00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA), ref: 00460EAE
GetProcAddress.KERNEL32(00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA), ref: 00460EC0
GetProcAddress.KERNEL32(00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA), ref: 00460ED2
GetProcAddress.KERNEL32(00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA), ref: 00460EE4
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW), ref: 00460EF6
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW), ref: 00460F08
GetProcAddress.KERNEL32(00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation), ref: 00460F1A
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet), ref: 00460F2C
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet), ref: 00460F3E
GetProcAddress.KERNEL32(00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch), ref: 00460F50
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA), ref: 00460F62
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA), ref: 00460F74
GetProcAddress.KERNEL32(00000000,EnumDeviceDrivers,00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA), ref: 00460F86
GetProcAddress.KERNEL32(00000000,GetProcessMemoryInfo,00000000,EnumDeviceDrivers,00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA), ref: 00460F98

Strings

GetDeviceDriverFileNameA, xrefs: 00460F00, 00460F36
GetModuleInformation, xrefs: 00460E94
QueryWorkingSet, xrefs: 00460EB8
EnumProcessModules, xrefs: 00460E16
InitializeProcessForWsWatch, xrefs: 00460ECA
GetMappedFileNameA, xrefs: 00460EDC, 00460F12
GetDeviceDriverFileNameW, xrefs: 00460F6C
GetDeviceDriverBaseNameA, xrefs: 00460EEE, 00460F24
PSAPI.dll, xrefs: 00460DEB
EnumProcesses, xrefs: 00460E04
EnumDeviceDrivers, xrefs: 00460F7E
GetModuleBaseNameA, xrefs: 00460E28, 00460E4C
GetModuleFileNameExA, xrefs: 00460E3A, 00460E5E
GetDeviceDriverBaseNameW, xrefs: 00460F5A
EmptyWorkingSet, xrefs: 00460EA6
GetModuleFileNameExW, xrefs: 00460E82
GetModuleBaseNameW, xrefs: 00460E70
GetMappedFileNameW, xrefs: 00460F48
GetProcessMemoryInfo, xrefs: 00460F90

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045D6E8, Relevance: 49.1, APIs: 15, Strings: 13, Instructions: 95 Total matches: 1532libraryloader

Similarity

Total matches: 1532
API ID: GetProcAddress$SetErrorMode$GetModuleHandleLoadLibrary
String ID: ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME$[FILE]
API String ID: 4285671783-683095915
Opcode ID: 6332f91712b4189a2fbf9eac54066364acf4b46419cf90587b9f7381acad85db
Instruction ID: 372e34bc737a7edc69a1909bd40661afaf820c1de602df88552da6e630419b72
Opcode Fuzzy Hash: 0A01257F24D863CBD2D0CE4934DB39D20B65787C0C8D6DF404605318697F9BF9295A68
Instruction Fuzzy Hash: 372e34bc737a7edc69a1909bd40661afaf820c1de602df88552da6e630419b72

APIs

SetErrorMode.KERNEL32(00008000), ref: 0045D701
GetModuleHandleA.KERNEL32(USER32,00000000,0045D84E,?,00008000), ref: 0045D725
GetProcAddress.KERNEL32(00000000,WINNLSEnableIME,USER32,00000000,0045D84E,?,00008000), ref: 0045D732
LoadLibraryA.KERNEL32(imm32.dll), ref: 0045D74E
GetProcAddress.KERNEL32(00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D770
GetProcAddress.KERNEL32(00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D785
GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D79A
GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7AF
GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7C4
GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E), ref: 0045D7D9
GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000), ref: 0045D7EE
GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext), ref: 0045D803
GetProcAddress.KERNEL32(00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext), ref: 0045D818
GetProcAddress.KERNEL32(00000000,ImmNotifyIME,00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus), ref: 0045D82D
SetErrorMode.KERNEL32(?,0045D855,00008000), ref: 0045D848

Strings

USER32, xrefs: 0045D720
ImmReleaseContext, xrefs: 0045D77A
ImmNotifyIME, xrefs: 0045D822
ImmIsIME, xrefs: 0045D80D
ImmGetConversionStatus, xrefs: 0045D78F
ImmSetCompositionFontA, xrefs: 0045D7E3
ImmGetCompositionStringA, xrefs: 0045D7F8
ImmSetCompositionWindow, xrefs: 0045D7CE
ImmGetContext, xrefs: 0045D765
imm32.dll, xrefs: 0045D749
ImmSetOpenStatus, xrefs: 0045D7B9
WINNLSEnableIME, xrefs: 0045D72C
ImmSetConversionStatus, xrefs: 0045D7A4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004104F0, Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141 Total matches: 3143

Similarity

Total matches: 3143
API ID: GetModuleHandle
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$[FILE]
API String ID: 2196120668-1102361026
Opcode ID: d04b3c176625d43589df9c4c1eaa1faa8af9b9c00307a8a09859a0e62e75f2dc
Instruction ID: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6
Opcode Fuzzy Hash: B8119E48E06A10BC356E3ED6B0292683F50A1A7CBF31D5388487AA46F067C083C0FF2D
Instruction Fuzzy Hash: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 004104F9

Part of subcall function 004104C4: GetProcAddress.KERNEL32(00000000), ref: 004104DD

Strings

VarMod, xrefs: 004105B7
VarBstrFromCy, xrefs: 004106A9
VarBstrFromBool, xrefs: 004106D5
VarAnd, xrefs: 004105CD
VarDateFromStr, xrefs: 00410667
oleaut32.dll, xrefs: 004104F4
VariantChangeTypeEx, xrefs: 00410507
VarCmp, xrefs: 0041060F
VarBstrFromDate, xrefs: 004106BF
VarBoolFromStr, xrefs: 00410693
VarR8FromStr, xrefs: 00410651
VarR4FromStr, xrefs: 0041063B
VarDiv, xrefs: 0041058B
VarSub, xrefs: 0041055F
VarNeg, xrefs: 0041051D
VarAdd, xrefs: 00410549
VarOr, xrefs: 004105E3
VarMul, xrefs: 00410575
VarI4FromStr, xrefs: 00410625
VarCyFromStr, xrefs: 0041067D
VarIdiv, xrefs: 004105A1
VarXor, xrefs: 004105F9
VarNot, xrefs: 00410533

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004291D0, Relevance: 31.7, APIs: 21, Instructions: 194 Total matches: 3060window

Similarity

Total matches: 3060
API ID: SelectObject$CreateCompatibleDCDeleteDCRealizePaletteSelectPaletteSetBkColor$BitBltCreateBitmapDeleteObjectGetDCGetObjectPatBltReleaseDC
String ID:
API String ID: 628774946-0
Opcode ID: fe3971f2977393a3c43567018b8bbe78de127415e632ac21538e816cc0dd5250
Instruction ID: 6115c1c3159ef7867d394253bd6a45f4e10092e6f2e7cc69ab30c5ac2c74a228
Opcode Fuzzy Hash: 2911294A05CCF32B64B579881983B261182FE43B52CABF7105979272CACF41740DE457
Instruction Fuzzy Hash: 6115c1c3159ef7867d394253bd6a45f4e10092e6f2e7cc69ab30c5ac2c74a228

APIs

GetObjectA.GDI32(?,00000054,?), ref: 004291F3
GetDC.USER32(00000000), ref: 00429221
CreateCompatibleDC.GDI32(?), ref: 00429232
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0042924D
SelectObject.GDI32(?,00000000), ref: 00429267
PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 00429289
CreateCompatibleDC.GDI32(?), ref: 00429297
DeleteDC.GDI32(?), ref: 0042937D

Part of subcall function 00428B08: GetObjectA.GDI32(00000000,00000054,?), ref: 00428B88
Part of subcall function 00428B08: GetDC.USER32(00000000), ref: 00428B99
Part of subcall function 00428B08: CreateCompatibleDC.GDI32(00000000), ref: 00428BAA
Part of subcall function 00428B08: CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 00428BF6
Part of subcall function 00428B08: CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 00428C1A
Part of subcall function 00428B08: GetDeviceCaps.GDI32(00000028,0000000C), ref: 00428C6A
Part of subcall function 00428B08: GetDeviceCaps.GDI32(00000028,0000000E), ref: 00428C77
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00428D21
Part of subcall function 00428B08: GetDIBColorTable.GDI32(?,00000000,00000100,-00000027), ref: 00428D47
Part of subcall function 00428B08: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428D72
Part of subcall function 00428B08: SelectObject.GDI32(?,?), ref: 00428D7F
Part of subcall function 00428B08: CreateDIBSection.GDI32(00000028,00000001,00000000,00000003,00000000,00000000), ref: 00428DD5
Part of subcall function 00428B08: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428E36
Part of subcall function 00428B08: SelectObject.GDI32(?,?), ref: 00428E77
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,00000000), ref: 00428EB7
Part of subcall function 00428B08: RealizePalette.GDI32(?), ref: 00428EC3
Part of subcall function 00428B08: FillRect.USER32(?,?,00000000), ref: 00428F14
Part of subcall function 00428B08: SetTextColor.GDI32(?,00000000), ref: 00428F2C
Part of subcall function 00428B08: SetBkColor.GDI32(?,00000000), ref: 00428F46
Part of subcall function 00428B08: SetDIBColorTable.GDI32(?,00000000,00000002,?), ref: 00428F8E
Part of subcall function 00428B08: PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 00428FB0
Part of subcall function 00428B08: CreateCompatibleDC.GDI32(00000028), ref: 00428FC3
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00428FE6
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,00000000), ref: 00429002
Part of subcall function 00428B08: RealizePalette.GDI32(?), ref: 0042900D
Part of subcall function 00428B08: SetTextColor.GDI32(?,00000000), ref: 0042902B
Part of subcall function 00428B08: SetBkColor.GDI32(?,00000000), ref: 00429045
Part of subcall function 00428B08: BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042906D
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,000000FF), ref: 0042907F
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00429089
Part of subcall function 00428B08: DeleteDC.GDI32(?), ref: 004290A4
Part of subcall function 00428B08: SelectPalette.GDI32(?,?,000000FF), ref: 004290CE

SelectObject.GDI32(?), ref: 004292DF
SelectPalette.GDI32(?,?,00000000), ref: 004292F2
RealizePalette.GDI32(?), ref: 004292FB
SelectPalette.GDI32(?,?,00000000), ref: 00429307
RealizePalette.GDI32(?), ref: 00429310
SetBkColor.GDI32(?), ref: 0042931A
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042933E
SetBkColor.GDI32(?,00000000), ref: 00429348
SelectObject.GDI32(?,00000000), ref: 0042935B
DeleteObject.GDI32 ref: 00429367
SelectObject.GDI32(?,00000000), ref: 00429398
DeleteDC.GDI32(00000000), ref: 004293B4
ReleaseDC.USER32(00000000,00000000), ref: 004293C5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004031FC, Relevance: 27.1, APIs: 9, Strings: 9, Instructions: 110 Total matches: 169

Similarity

Total matches: 169
API ID: CharNext
String ID: $ $ $"$"$"$"$"$"
API String ID: 3213498283-3597982963
Opcode ID: a78e52ca640c3a7d11d18e4cac849d6c7481ab065be4a6ef34a7c34927dd7892
Instruction ID: 5d6dbb870b020a65ba4fa9e31a5dda400ef744f15fc7bff5e21739e263984da5
Opcode Fuzzy Hash: D0F054139ED4432360976B416872B44E2D0DF9564D2C01F185B62BE2F31E696D62F9DC
Instruction Fuzzy Hash: 5d6dbb870b020a65ba4fa9e31a5dda400ef744f15fc7bff5e21739e263984da5

APIs

CharNextA.USER32(00000000), ref: 00403208
CharNextA.USER32(00000000), ref: 00403236
CharNextA.USER32(00000000), ref: 00403240
CharNextA.USER32(00000000), ref: 0040325F
CharNextA.USER32(00000000), ref: 00403269
CharNextA.USER32(00000000), ref: 00403295
CharNextA.USER32(00000000), ref: 0040329F
CharNextA.USER32(00000000), ref: 004032C7
CharNextA.USER32(00000000), ref: 004032D1

Strings

", xrefs: 00403230
, xrefs: 004032E9
", xrefs: 0040328F
", xrefs: 0040321E
, xrefs: 00403214
", xrefs: 00403254
, xrefs: 00403278
", xrefs: 00403219
", xrefs: 004032BC

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004296E0, Relevance: 21.2, APIs: 14, Instructions: 217 Total matches: 2962window

Similarity

Total matches: 2962
API ID: GetDeviceCapsSelectObjectSelectPaletteSetStretchBltMode$CreateCompatibleDCDeleteDCGetBrushOrgExRealizePaletteSetBrushOrgExStretchBlt
String ID:
API String ID: 3308931694-0
Opcode ID: c4f23efe5e20e7f72d9787206ae9d4d4484ef6a1768b369050ebc0ce3d21af64
Instruction ID: 6e80a75276815f297b150d1899ec2451361d21afa1efcd092d0d7bc48a04164e
Opcode Fuzzy Hash: 2C21980A409CEB6BF0BB78840183F4A2285BF9B34ACD1BB210E64673635F04E40BD65F
Instruction Fuzzy Hash: 6e80a75276815f297b150d1899ec2451361d21afa1efcd092d0d7bc48a04164e

APIs

Part of subcall function 00429D5C: GetDC.USER32(00000000), ref: 00429DB2
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429DC7
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00429DD1
Part of subcall function 00429D5C: CreateHalftonePalette.GDI32(00000000), ref: 00429DF5
Part of subcall function 00429D5C: ReleaseDC.USER32(00000000,00000000), ref: 00429E00

SelectPalette.GDI32(?,?,000000FF), ref: 00429723
RealizePalette.GDI32(?), ref: 00429732
GetDeviceCaps.GDI32(?,0000000C), ref: 00429744
GetDeviceCaps.GDI32(?,0000000E), ref: 00429753
GetBrushOrgEx.GDI32(?,?), ref: 00429786
SetStretchBltMode.GDI32(?,00000004), ref: 00429794
SetBrushOrgEx.GDI32(?,?,?,?), ref: 004297AC
SetStretchBltMode.GDI32(00000000,00000003), ref: 004297C9
SelectPalette.GDI32(?,?,000000FF), ref: 00429918

Part of subcall function 00429CFC: DeleteObject.GDI32(?), ref: 00429D1F

CreateCompatibleDC.GDI32(00000000), ref: 0042982A
SelectObject.GDI32(?,?), ref: 0042983F

Part of subcall function 00425CC8: CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 00425D0B
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425D20
Part of subcall function 00425CC8: MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,CCAA0029), ref: 00425D64
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425D7E
Part of subcall function 00425CC8: DeleteObject.GDI32(?), ref: 00425D8A
Part of subcall function 00425CC8: CreateCompatibleDC.GDI32(00000000), ref: 00425D9E
Part of subcall function 00425CC8: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00425DBF
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425DD4
Part of subcall function 00425CC8: SelectPalette.GDI32(?,48080787,00000000), ref: 00425DE8
Part of subcall function 00425CC8: SelectPalette.GDI32(?,?,00000000), ref: 00425DFA
Part of subcall function 00425CC8: SelectPalette.GDI32(?,00000000,000000FF), ref: 00425E0F
Part of subcall function 00425CC8: SelectPalette.GDI32(?,48080787,000000FF), ref: 00425E25
Part of subcall function 00425CC8: RealizePalette.GDI32(?), ref: 00425E31
Part of subcall function 00425CC8: StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 00425E53
Part of subcall function 00425CC8: StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 00425E75
Part of subcall function 00425CC8: SetTextColor.GDI32(?,00000000), ref: 00425E7D
Part of subcall function 00425CC8: SetBkColor.GDI32(?,00FFFFFF), ref: 00425E8B
Part of subcall function 00425CC8: StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 00425EB7
Part of subcall function 00425CC8: StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 00425EDC
Part of subcall function 00425CC8: SetTextColor.GDI32(?,?), ref: 00425EE6
Part of subcall function 00425CC8: SetBkColor.GDI32(?,?), ref: 00425EF0
Part of subcall function 00425CC8: SelectObject.GDI32(?,00000000), ref: 00425F03
Part of subcall function 00425CC8: DeleteObject.GDI32(?), ref: 00425F0C
Part of subcall function 00425CC8: SelectPalette.GDI32(?,00000000,00000000), ref: 00425F2E
Part of subcall function 00425CC8: DeleteDC.GDI32(?), ref: 00425F37

SelectObject.GDI32(?,00000000), ref: 0042989E
DeleteDC.GDI32(00000000), ref: 004298AD
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,?), ref: 004298F3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048D3C4, Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 132 Total matches: 32

Similarity

Total matches: 32
API ID: GetVersionEx
String ID: Unknow$Windows 2000$Windows 7$Windows 95$Windows 98$Windows Me$Windows NT 4.0$Windows Server 2003$Windows Vista$Windows XP
API String ID: 3908303307-3783844371
Opcode ID: 7b5a5832e5fd12129a8a2e2906a492b9449b8df28a17af9cc2e55bced20de565
Instruction ID: b844ed6b70e0e94de659292c354b68b9ed016400ab421bcb6baea74a0809c2ae
Opcode Fuzzy Hash: 0C11ACC1EB6CE422E7B219486410BD59E805F8B83AFCCC343D63EA83E46D491419F22D
Instruction Fuzzy Hash: b844ed6b70e0e94de659292c354b68b9ed016400ab421bcb6baea74a0809c2ae

APIs

GetVersionExA.KERNEL32(00000094), ref: 0048D410

Strings

Windows Me, xrefs: 0048D4F2
Windows NT 4.0, xrefs: 0048D441
Windows 2000, xrefs: 0048D467
Windows 95, xrefs: 0048D4D6
Windows 7, xrefs: 0048D4B1
Unknow, xrefs: 0048D3F5
Windows Vista, xrefs: 0048D4A3
Windows Server 2003, xrefs: 0048D486
Windows XP, xrefs: 0048D478
Windows 98, xrefs: 0048D4E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C494, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 102 Total matches: 27filememorythread

Similarity

Total matches: 27
API ID: CloseHandle$CreateFileCreateThreadFindResourceLoadResourceLocalAllocLockResourceSizeofResourceWriteFile
String ID: [FILE]
API String ID: 67866216-124780900
Opcode ID: 96c988e38e59b89ff17cc2eaece477f828ad8744e4a6eccd5192cfbc043553d8
Instruction ID: 630cc112895e8414539e3ba5b7ba0394fd4404f3832c6fa9d37db38bf09270f9
Opcode Fuzzy Hash: D5F02B8A57A5E6A3F0003C841D423D286D55B13B20E582B62C57CB75C1FE24502AFB03
Instruction Fuzzy Hash: 630cc112895e8414539e3ba5b7ba0394fd4404f3832c6fa9d37db38bf09270f9

APIs

FindResourceA.KERNEL32(00000000,?,?), ref: 0048C4C3

Part of subcall function 00489BB0: GetTempPathA.KERNEL32(?,00000000), ref: 00489BEC

CreateFileA.KERNEL32(00000000,.dll,?,?,40000000,00000002,00000000), ref: 0048C50F
SizeofResource.KERNEL32(00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC,?,?,?,?,00000000,00000000,00000000), ref: 0048C51F
LoadResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C528
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C52E
WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0048C535
CloseHandle.KERNEL32(00000000), ref: 0048C53B
LocalAlloc.KERNEL32(00000040,00000004,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C544
CreateThread.KERNEL32(00000000,00000000,0048C3E4,00000000,00000000,?), ref: 0048C586
CloseHandle.KERNEL32(00000000), ref: 0048C58C

Strings

.dll, xrefs: 0048C4F4, 0048C565

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004328FC, Relevance: 18.1, APIs: 12, Instructions: 142 Total matches: 2670

Similarity

Total matches: 2670
API ID: GetSystemMetricsGetWindowLong$ExcludeClipRectFillRectGetSysColorBrushGetWindowDCGetWindowRectInflateRectOffsetRectReleaseDC
String ID:
API String ID: 3932036319-0
Opcode ID: 76064c448b287af48dc2af56ceef959adfeb7e49e56a31cb381aae6292753b0b
Instruction ID: f04c829c48dd0ecc4740a09c532db4e7ffce190e9eba6ce852bb2d0274806371
Opcode Fuzzy Hash: 03019760024F1233E0B31AC05DC7F127621ED45386CA4BBF28BF6A72C962AA7006F467
Instruction Fuzzy Hash: f04c829c48dd0ecc4740a09c532db4e7ffce190e9eba6ce852bb2d0274806371

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 00432917
GetWindowRect.USER32(00000000,?), ref: 00432932
OffsetRect.USER32(?,?,?), ref: 00432947
GetWindowDC.USER32(00000000), ref: 00432955
GetWindowLongA.USER32(00000000,000000F0), ref: 00432986
GetSystemMetrics.USER32(00000002), ref: 0043299B
GetSystemMetrics.USER32(00000003), ref: 004329A4
InflateRect.USER32(?,000000FE,000000FE), ref: 004329B3
GetSysColorBrush.USER32(0000000F), ref: 004329E0
FillRect.USER32(?,?,00000000), ref: 004329EE
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00432A13
ReleaseDC.USER32(00000000,?), ref: 00432A51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00402820, Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 254 Total matches: 200window

Similarity

Total matches: 200
API ID: MessageBox
String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
API String ID: 1250089747-1256731999
Opcode ID: 490897b8e9acac750f9d51d50a768472c0795dbdc6439b18441db86d626ce938
Instruction ID: 76dfa530adb1b8c2cc13e2667be7c25ba156ed0594aa9714788bfb3d1a0eda85
Opcode Fuzzy Hash: 0731F44BA7DDC3A2D3E91303684575550E2A7C5537C888F609772317F6EE04250BAAAD
Instruction Fuzzy Hash: 76dfa530adb1b8c2cc13e2667be7c25ba156ed0594aa9714788bfb3d1a0eda85

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 00402BBE

Strings

An unexpected memory leak has occurred. , xrefs: 00402980
String, xrefs: 00402A91
, xrefs: 00402B04
Unknown, xrefs: 00402A7C
The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402B39
The unexpected small block leaks are:, xrefs: 004029F7
Unexpected Memory Leak, xrefs: 00402BB0
7, xrefs: 00402991
bytes: , xrefs: 00402A4D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F17C, Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 116 Total matches: 33window

Similarity

Total matches: 33
API ID: GetWindowPlacementGetWindowTextIsWindowVisible
String ID: ,$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive$True
API String ID: 41250382-511446200
Opcode ID: 2a93bd2407602c988be198f02ecb64933adb9ffad78aee0f75abc9a1a22a1849
Instruction ID: 8f95e1a452f283c9d6a5f9db166b7f7b6e325fa1ebf04232aa01919826a7e185
Opcode Fuzzy Hash: F5012D8237CECA73DA0AAEC47C00B80D5A5AF63224CC867A14A9D3D1D41ED06009AB4A
Instruction Fuzzy Hash: 8f95e1a452f283c9d6a5f9db166b7f7b6e325fa1ebf04232aa01919826a7e185

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F1D2
GetWindowPlacement.USER32(?,0000002C), ref: 0046F1ED
IsWindowVisible.USER32(?), ref: 0046F258

Part of subcall function 0046F148: GetWindow.USER32(?,00000005), ref: 0046F156
Part of subcall function 0046F148: GetWindow.USER32(00000000,00000002), ref: 0046F164

Strings

,, xrefs: 0046F1E1
Minimized, xrefs: 0046F225
Show/Unactive, xrefs: 0046F239
True, xrefs: 0046F2AA
Maximized, xrefs: 0046F1FD
Normal, xrefs: 0046F211
Normal/Unactive, xrefs: 0046F24D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E71C, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 109 Total matches: 2989

Similarity

Total matches: 2989
API ID: IntersectRect$GetSystemMetrics$EnumDisplayMonitorsGetClipBoxGetDCOrgExOffsetRect
String ID: EnumDisplayMonitors
API String ID: 2403121106-2491903729
Opcode ID: 52db4d6629bbd73772140d7e04a91d47a072080cb3515019dbe85a8b86b11587
Instruction ID: b4557ab74b20c8893b9e8c5043286aecf6e43751f6ec849995a879e485a4fa77
Opcode Fuzzy Hash: 60F02B4B413C0863AD32BB953067E2601615BD3955C9F7BF34D077A2091B85B42EF643
Instruction Fuzzy Hash: b4557ab74b20c8893b9e8c5043286aecf6e43751f6ec849995a879e485a4fa77

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 0042E755
GetSystemMetrics.USER32(00000000), ref: 0042E77A
GetSystemMetrics.USER32(00000001), ref: 0042E785
GetClipBox.GDI32(?,?), ref: 0042E797
GetDCOrgEx.GDI32(?,?), ref: 0042E7A4
OffsetRect.USER32(?,?,?), ref: 0042E7BD
IntersectRect.USER32(?,?,?), ref: 0042E7CE
IntersectRect.USER32(?,?,?), ref: 0042E7E4
IntersectRect.USER32(?,?,?), ref: 0042E804

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

EnumDisplayMonitors, xrefs: 0042E734

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044D1B0, Relevance: 16.6, APIs: 11, Instructions: 91 Total matches: 309

Similarity

Total matches: 309
API ID: GetWindowLongSetWindowLong$SetProp$IsWindowUnicode
String ID:
API String ID: 2416549522-0
Opcode ID: cc33e88019e13a6bdd1cd1f337bb9aa08043e237bf24f75c2294c70aefb51ea5
Instruction ID: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692
Opcode Fuzzy Hash: 47F09048455D92E9CE316990181BFEB6098AF57F91CE86B0469C2713778E50F079BCC2
Instruction Fuzzy Hash: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692

APIs

IsWindowUnicode.USER32(?), ref: 0044D1CA
SetWindowLongW.USER32(?,000000FC,?), ref: 0044D1E5
GetWindowLongW.USER32(?,000000F0), ref: 0044D1F0
GetWindowLongW.USER32(?,000000F4), ref: 0044D202
SetWindowLongW.USER32(?,000000F4,?), ref: 0044D215
SetWindowLongA.USER32(?,000000FC,?), ref: 0044D22E
GetWindowLongA.USER32(?,000000F0), ref: 0044D239
GetWindowLongA.USER32(?,000000F4), ref: 0044D24B
SetWindowLongA.USER32(?,000000F4,?), ref: 0044D25E
SetPropA.USER32(?,00000000,00000000), ref: 0044D275
SetPropA.USER32(?,00000000,00000000), ref: 0044D28C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A8AC, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 146 Total matches: 45fileprocesssynchronization

Similarity

Total matches: 45
API ID: CloseHandle$CreateFile$CreateProcessWaitForSingleObject
String ID: D
API String ID: 1169714791-2746444292
Opcode ID: 9fb844b51f751657abfdf9935c21911306aa385a3997c9217fbe2ce6b668f812
Instruction ID: 79e473b7fda91be69f4d7f417df14a4c992ec25b9310636d694ca9e09f5cc5b6
Opcode Fuzzy Hash: 4D11E6431384F3F3F1A567002C8275185D6DB45A78E6D9752D6B6323EECB40A16CF94A
Instruction Fuzzy Hash: 79e473b7fda91be69f4d7f417df14a4c992ec25b9310636d694ca9e09f5cc5b6

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000004,00000100,00000000), ref: 0048A953
CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000002,00000100,00000000), ref: 0048A98D
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000110,00000000,00000000,00000044,?), ref: 0048AA10
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0048AA2D
CloseHandle.KERNEL32(00000000), ref: 0048AA68
CloseHandle.KERNEL32(00000000), ref: 0048AA77
CloseHandle.KERNEL32(00000000), ref: 0048AA86
CloseHandle.KERNEL32(00000000), ref: 0048AA95

Strings

D, xrefs: 0048A9BB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F3B8, Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 110 Total matches: 30

Similarity

Total matches: 30
API ID: GetWindowPlacementGetWindowText
String ID: ,$False$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive
API String ID: 3194812178-3661939895
Opcode ID: 6e67ebc189e59b109926b976878c05c5ff8e56a7c2fe83319816f47c7d386b2c
Instruction ID: 05c2a068ec8248d3d24fb73124f2ba0192b7bb261c799db9564259cde8fcc610
Opcode Fuzzy Hash: DC012BC22786CE23E606A9C47A00BD0CE65AFB261CCC867E14FEE3C5D57ED100089B96
Instruction Fuzzy Hash: 05c2a068ec8248d3d24fb73124f2ba0192b7bb261c799db9564259cde8fcc610

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F40E
GetWindowPlacement.USER32(?,0000002C), ref: 0046F429

Part of subcall function 0046F148: GetWindow.USER32(?,00000005), ref: 0046F156
Part of subcall function 0046F148: GetWindow.USER32(00000000,00000002), ref: 0046F164

Strings

Maximized, xrefs: 0046F439
,, xrefs: 0046F41D
False, xrefs: 0046F4D6
Show/Unactive, xrefs: 0046F475
Normal, xrefs: 0046F44D
Minimized, xrefs: 0046F461
Normal/Unactive, xrefs: 0046F489

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00456278, Relevance: 15.2, APIs: 10, Instructions: 197 Total matches: 3025

Similarity

Total matches: 3025
API ID: GetWindowLong$IntersectClipRectRestoreDCSaveDC
String ID:
API String ID: 3006731778-0
Opcode ID: 42e9e34b880910027b3e3a352b823e5a85719ef328f9c6ea61aaf2d3498d6580
Instruction ID: 4204c0258dd60c0c2688d7e8ce7edc9cd036ce1826430425374ca7ebdb7834a4
Opcode Fuzzy Hash: 4621F609168D5267EC7B75806993BAA7111FB82B88CD1F7321AA1171975B80204BFA07
Instruction Fuzzy Hash: 4204c0258dd60c0c2688d7e8ce7edc9cd036ce1826430425374ca7ebdb7834a4

APIs

SaveDC.GDI32(?), ref: 00456295

Part of subcall function 0044EEA0: GetWindowOrgEx.GDI32(?), ref: 0044EEAE
Part of subcall function 0044EEA0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044EEC4

IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 004562CE
GetWindowLongA.USER32(00000000,000000EC), ref: 004562E2
GetWindowLongA.USER32(00000000,000000F0), ref: 00456303

Part of subcall function 00456278: SetRect.USER32(00000010,00000000,00000000,?,?), ref: 00456363
Part of subcall function 00456278: IntersectClipRect.GDI32(?,00000000,00000000,00000010,?), ref: 004563D3
Part of subcall function 00456278: SetRect.USER32(?,00000000,00000000,?,?), ref: 004563F4
Part of subcall function 00456278: DrawEdge.USER32(?,?,00000000,00000000), ref: 00456403
Part of subcall function 00456278: IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0045642C

RestoreDC.GDI32(?,?), ref: 004564AB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044155C, Relevance: 15.1, APIs: 10, Instructions: 74 Total matches: 3192window

Similarity

Total matches: 3192
API ID: DeleteMenu$EnableMenuItem$GetSystemMenu
String ID:
API String ID: 3542995237-0
Opcode ID: 6b257927fe0fdeada418aad578b82fbca612965c587f2749ccb5523ad42afade
Instruction ID: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578
Opcode Fuzzy Hash: 0AF0D09DD98F1151E6F500410C47B83C08AFF413C5C245B380583217EFA9D25A5BEB0E
Instruction Fuzzy Hash: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 004415A7
DeleteMenu.USER32(00000000,0000F130,00000000), ref: 004415C5
DeleteMenu.USER32(00000000,00000007,00000400), ref: 004415D2
DeleteMenu.USER32(00000000,00000005,00000400), ref: 004415DF
DeleteMenu.USER32(00000000,0000F030,00000000), ref: 004415EC
DeleteMenu.USER32(00000000,0000F020,00000000), ref: 004415F9
DeleteMenu.USER32(00000000,0000F000,00000000), ref: 00441606
DeleteMenu.USER32(00000000,0000F120,00000000), ref: 00441613
EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 00441631
EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 0044164D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040281E, Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 188 Total matches: 190window

Similarity

Total matches: 190
API ID: MessageBox
String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
API String ID: 1250089747-980038931
Opcode ID: 1669ecd234b97cdbd14c3df7a35b1e74c6856795be7635a3e0f5130a3d9bc831
Instruction ID: 2e60dbe28dcd1d3aa5670394eea0bc97309ab4bc9661f15f320bab8b5d4cd559
Opcode Fuzzy Hash: 8E21F44B67EED392D3EA1303384575540E3ABC5537D888F60977232BF6EE14140BAA9D
Instruction Fuzzy Hash: 2e60dbe28dcd1d3aa5670394eea0bc97309ab4bc9661f15f320bab8b5d4cd559

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 00402BBE

Strings

An unexpected memory leak has occurred. , xrefs: 00402980
, xrefs: 00402B04
The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402B39
The unexpected small block leaks are:, xrefs: 004029F7
Unexpected Memory Leak, xrefs: 00402BB0
7, xrefs: 00402991
bytes: , xrefs: 00402A4D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004710F0, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 66 Total matches: 37

Similarity

Total matches: 37
API ID: GetWindowShowWindow$FindWindowGetClassName
String ID: BUTTON$Shell_TrayWnd
API String ID: 2948047570-3627955571
Opcode ID: 9e064d9ead1b610c0c1481de5900685eb7d76be14ef2e83358ce558d27e67668
Instruction ID: d360bd029940f6fa4d12d7627fe3e8b46839e67e31e965d43504e39a11938d6c
Opcode Fuzzy Hash: 68E092CC17B5D469B71A2789284236241D5C763A35C18B752D332376DF8E58021EE60A
Instruction Fuzzy Hash: d360bd029940f6fa4d12d7627fe3e8b46839e67e31e965d43504e39a11938d6c

APIs

FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 0047111D
GetWindow.USER32(00000000,00000005), ref: 00471125
GetClassNameA.USER32(00000000,?,00000080), ref: 0047113D
ShowWindow.USER32(00000000,00000001), ref: 0047117C
ShowWindow.USER32(00000000,00000000), ref: 00471186
GetWindow.USER32(00000000,00000002), ref: 0047118E

Strings

BUTTON, xrefs: 00471168
Shell_TrayWnd, xrefs: 00471118

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004564D0, Relevance: 13.7, APIs: 9, Instructions: 177 Total matches: 190window

Similarity

Total matches: 190
API ID: SelectObject$BeginPaintBitBltCreateCompatibleBitmapCreateCompatibleDCSetWindowOrgEx
String ID:
API String ID: 1616898104-0
Opcode ID: 00b711a092303d63a394b0039c66d91bff64c6bf82b839551a80748cfcb5bf1e
Instruction ID: 1affb125a654ca7596d0e4f6c4811def945eff925a29ebecd1c68cf0f38a7913
Opcode Fuzzy Hash: 14115B85024DA637E8739CC85E83F962294F307D48C91F7729BA31B2C72F15600DD293
Instruction Fuzzy Hash: 1affb125a654ca7596d0e4f6c4811def945eff925a29ebecd1c68cf0f38a7913

APIs

Part of subcall function 00455D50: BeginPaint.USER32(00000000,?), ref: 00455D7B
Part of subcall function 00455D50: SaveDC.GDI32(00000000), ref: 00455DB4
Part of subcall function 00455D50: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 00455E36
Part of subcall function 00455D50: RestoreDC.GDI32(00000000,00000000), ref: 00455E6C
Part of subcall function 00455D50: EndPaint.USER32(00000000,?), ref: 00455EA9

BeginPaint.USER32(00000000,?), ref: 004565EA
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00456600
CreateCompatibleDC.GDI32(00000000), ref: 00456617
SelectObject.GDI32(?,?), ref: 00456627
SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0045664B

Part of subcall function 004564D0: BeginPaint.USER32(00000000,?), ref: 0045653C
Part of subcall function 004564D0: EndPaint.USER32(00000000,?), ref: 004565D0

BitBlt.GDI32(00000000,?,?,?,?,?,?,?,00CC0020), ref: 00456699
SelectObject.GDI32(?,?), ref: 004566B3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004840D8, Relevance: 13.6, APIs: 9, Instructions: 150 Total matches: 30

Similarity

Total matches: 30
API ID: CloseHandleGetTokenInformationLookupAccountSid$GetLastErrorOpenProcessOpenProcessToken
String ID:
API String ID: 1387212650-0
Opcode ID: 55fc45e655e8bcad6bc41288bae252f5ee7be0b7cb976adfe173a6785b05be5f
Instruction ID: 4c6b5abeafcca947752a893948ed48d42e020b1fe5683f4a654fc51f6199c0a3
Opcode Fuzzy Hash: 3901484A17CA2293F53BB5C82483FEA1215E702B45D48B7A354F43A59A5F45A13BF702
Instruction Fuzzy Hash: 4c6b5abeafcca947752a893948ed48d42e020b1fe5683f4a654fc51f6199c0a3

APIs

OpenProcess.KERNEL32(00000400,00000000,?,00000000,00484275), ref: 00484108
OpenProcessToken.ADVAPI32(00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 0048411E
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,?,00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 00484139
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),?,?,?,?,TokenIntegrityLevel,00000000,00000000,?,00000000,00000008,?,00000400,00000000), ref: 00484168
GetLastError.KERNEL32(?,TokenIntegrityLevel,00000000,00000000,?,00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 00484177
CloseHandle.KERNEL32(?), ref: 00484185
LookupAccountSidA.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 004841B4
LookupAccountSidA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,?), ref: 00484205
CloseHandle.KERNEL32(00000000), ref: 00484255

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00451458, Relevance: 13.6, APIs: 9, Instructions: 122 Total matches: 3040window

Similarity

Total matches: 3040
API ID: PatBlt$SelectObject$GetDCExGetDesktopWindowReleaseDC
String ID:
API String ID: 2402848322-0
Opcode ID: 0b1cd19b0e82695ca21d43bacf455c9985e1afa33c1b29ce2f3a7090b744ccb2
Instruction ID: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593
Opcode Fuzzy Hash: C2F0B4482AADF707C8B6350915C7F79224AED736458F4BB694DB4172CBAF27B014D093
Instruction Fuzzy Hash: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593

APIs

GetDesktopWindow.USER32 ref: 0045148F
GetDCEx.USER32(?,00000000,00000402), ref: 004514A2

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

SelectObject.GDI32(?,00000000), ref: 004514C5
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 004514EB
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0045150D
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 0045152C
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 00451546
SelectObject.GDI32(?,?), ref: 00451553
ReleaseDC.USER32(?,?), ref: 0045156D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004117E8, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: f440f800a6dcfa6827f62dcd7c23166eba4d720ac19948e634cff8498f9e3f0b
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 4D113503239AAB83B0257B804C83F24D1D0DE42D36ACD97B8C672693F32601561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00411881
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041189D
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 004118D6
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411953
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0041196C
VariantCopy.OLEAUT32(?), ref: 004119A1

Strings

, xrefs: 00411802

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AC14, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 110 Total matches: 30

Similarity

Total matches: 30
API ID: GetCurrentProcessGetTokenInformationLookupPrivilegeDisplayNameLookupPrivilegeNameOpenProcessToken
String ID: GetTokenInformation error$OpenProcessToken error
API String ID: 34442935-1842041635
Opcode ID: 07715b92dc7caf9e715539a578f275bcd2bb60a34190f84cc6cf05c55eb8ea49
Instruction ID: 380ab001647c8b3903b6034fc21424389ae21c1771cfbd9cf9b74ae493e33b6b
Opcode Fuzzy Hash: 9101994303ACF753F62929086842BDA0550DF534A5EC4AB6281746BEC90F28203AFB57
Instruction Fuzzy Hash: 380ab001647c8b3903b6034fc21424389ae21c1771cfbd9cf9b74ae493e33b6b

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AD60), ref: 0048AC51
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AD60), ref: 0048AC57
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000320,?,00000000,00000028,?,00000000,0048AD60), ref: 0048AC7D
LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,00000000,000000FF,?), ref: 0048ACEE

Part of subcall function 00489B40: MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00489B84

LookupPrivilegeNameA.ADVAPI32(00000000,?,00000000,000000FF), ref: 0048ACDD

Strings

GetTokenInformation error, xrefs: 0048AC86
OpenProcessToken error, xrefs: 0048AC60

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E4A0, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68 Total matches: 2853string

Similarity

Total matches: 2853
API ID: GetSystemMetrics$GetMonitorInfoSystemParametersInfolstrcpy
String ID: DISPLAY$GetMonitorInfo
API String ID: 3432438702-1633989206
Opcode ID: eae47ffeee35c10db4cae29e8a4ab830895bcae59048fb7015cdc7d8cb0a928b
Instruction ID: 74142331967dee0409fd24cf408a58a7466f2520650418456c75ade1e3029da4
Opcode Fuzzy Hash: 28E068803A699081F86A71027110F4912B07AE7E47D883B92C4777051BD78265B91D01
Instruction Fuzzy Hash: 74142331967dee0409fd24cf408a58a7466f2520650418456c75ade1e3029da4

APIs

GetMonitorInfoA.USER32(?,?), ref: 0042E4D1
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042E4F8
GetSystemMetrics.USER32(00000000), ref: 0042E50D
GetSystemMetrics.USER32(00000001), ref: 0042E518
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0042E542

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

DISPLAY, xrefs: 0042E539
GetMonitorInfo, xrefs: 0042E4B8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004052FC, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38 Total matches: 3072filewindow

Similarity

Total matches: 3072
API ID: GetStdHandleWriteFile$MessageBox
String ID: Error$Runtime error at 00000000
API String ID: 877302783-2970929446
Opcode ID: a2f2a555d5de0ed3a3cdfe8a362fd9574088acc3a5edf2b323f2c4251b80d146
Instruction ID: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97
Opcode Fuzzy Hash: FED0A7C68438479FA141326030C4B2A00133F0762A9CC7396366CB51DFCF4954BCDD05
Instruction Fuzzy Hash: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405335
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 0040533B
GetStdHandle.KERNEL32(000000F5,00405384,00000002,?,00000000,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405350
WriteFile.KERNEL32(00000000,000000F5,00405384,00000002,?), ref: 00405356
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00405374

Strings

Error, xrefs: 00405368
Runtime error at 00000000, xrefs: 0040532E, 0040536D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E0DC, Relevance: 12.1, APIs: 8, Instructions: 100 Total matches: 31registry

Similarity

Total matches: 31
API ID: RegOpenKeyEx$RegCloseKeyRegDeleteValue
String ID:
API String ID: 2702562355-0
Opcode ID: ff1bffc0fc9da49c543c68ea8f8c068e074332158ed00d7e0855fec77d15ce10
Instruction ID: bb6f8a9e936068d281b70d3ea2ea02ff1a791729bc38357734c580253c916b5c
Opcode Fuzzy Hash: 00F0AD0155E9A353EBF654C41E127DB2082FF43A44D08FFB50392139D3DF581028E663
Instruction Fuzzy Hash: bb6f8a9e936068d281b70d3ea2ea02ff1a791729bc38357734c580253c916b5c

APIs

RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?,00000000,0046E238), ref: 0046E15A
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,000F003F,?,0046E23F,80000000,00000000,00000000,000F003F,?,00000000,0046E238), ref: 0046E17D
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,0046E23F,80000000,00000000,00000000,000F003F,?), ref: 0046E19D
RegOpenKeyExA.ADVAPI32(80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,0046E23F), ref: 0046E1BD
RegOpenKeyExA.ADVAPI32(80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001), ref: 0046E1DD
RegOpenKeyExA.ADVAPI32(80000006,00000000,00000000,000F003F,?,80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002), ref: 0046E1FD
RegDeleteValueA.ADVAPI32(?,00000000,00000000,0046E238), ref: 0046E20F
RegCloseKey.ADVAPI32(?,?,00000000,00000000,0046E238), ref: 0046E218

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004462F4, Relevance: 12.1, APIs: 8, Instructions: 99 Total matches: 293windowthread

Similarity

Total matches: 293
API ID: SendMessage$GetWindowThreadProcessId$GetCaptureGetParentIsWindowUnicode
String ID:
API String ID: 2317708721-0
Opcode ID: 8f6741418f060f953fc426fb00df5905d81b57fcb2f7a38cdc97cb0aab6d7365
Instruction ID: 027f2b09132ef415e1641618d15c0fc03404835376b0cbd1c352fc703b58c8b5
Opcode Fuzzy Hash: D0F09E15071D1844F89FA7844CD3F1F0150E73726FC516A251861D07BB2640586DEC40
Instruction Fuzzy Hash: 027f2b09132ef415e1641618d15c0fc03404835376b0cbd1c352fc703b58c8b5

APIs

GetCapture.USER32 ref: 0044631A
GetParent.USER32(00000000), ref: 00446340
IsWindowUnicode.USER32(00000000), ref: 0044635D
SendMessageW.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446378
SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446397
GetWindowThreadProcessId.USER32(00000000), ref: 004463A6
GetWindowThreadProcessId.USER32(?,?), ref: 004463B4
SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 004463D4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E244, Relevance: 12.1, APIs: 8, Instructions: 95 Total matches: 27registry

Similarity

Total matches: 27
API ID: RegOpenKeyEx$RegCloseKeyRegDeleteKey
String ID:
API String ID: 1588268847-0
Opcode ID: efa1fa3a126963e045954320cca245066a4b5764b694b03be027155e6cf74c33
Instruction ID: 786d86d630c0ce6decb55c8266b1f23f89dbfeab872e22862efc69a80fb541cf
Opcode Fuzzy Hash: 70F0810454D99393EFF268C81A627EB2492FF53141C00BFB603D222A93DF191428E663
Instruction Fuzzy Hash: 786d86d630c0ce6decb55c8266b1f23f89dbfeab872e22862efc69a80fb541cf

APIs

RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?,00000000,0046E391), ref: 0046E2B7
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,000F003F,?,80000000,00000000,00000000,000F003F,?,00000000,0046E391), ref: 0046E2DA
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,80000000,00000000,00000000,000F003F,?,00000000), ref: 0046E2FA
RegOpenKeyExA.ADVAPI32(80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,80000000), ref: 0046E31A
RegOpenKeyExA.ADVAPI32(80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001), ref: 0046E33A
RegOpenKeyExA.ADVAPI32(80000006,00000000,00000000,000F003F,?,80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002), ref: 0046E35A
RegDeleteKeyA.ADVAPI32(?,0046E39C), ref: 0046E368
RegCloseKey.ADVAPI32(?,?,0046E39C,00000000,0046E391), ref: 0046E371

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426060, Relevance: 12.1, APIs: 8, Instructions: 79 Total matches: 3072window

Similarity

Total matches: 3072
API ID: GetSystemPaletteEntries$GetDCGetDeviceCapsReleaseDC
String ID:
API String ID: 3774187343-0
Opcode ID: c8a1f0028bda89d06ba34fecd970438ce26e4f5bd606e2da3d468695089984a8
Instruction ID: 0cfe958825060108f21fe327ec74807f3ea840bb8274bad68fd1d00675d59d02
Opcode Fuzzy Hash: 82F0E9420739F3B3B21723492453B548250FF006B8F195B7095A2A37D54B486A08D65A
Instruction Fuzzy Hash: 0cfe958825060108f21fe327ec74807f3ea840bb8274bad68fd1d00675d59d02

APIs

GetDC.USER32(00000000), ref: 0042608E
GetDeviceCaps.GDI32(?,00000068), ref: 004260AA
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 004260C9
GetSystemPaletteEntries.GDI32(?,-00000008,00000001,00C0C0C0), ref: 004260ED
GetSystemPaletteEntries.GDI32(?,00000000,00000007,?), ref: 0042610B
GetSystemPaletteEntries.GDI32(?,00000007,00000001,?), ref: 0042611F
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0042613F
ReleaseDC.USER32(00000000,?), ref: 00426157

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434550, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 177 Total matches: 2669window

Similarity

Total matches: 2669
API ID: InsertMenu$GetVersionInsertMenuItem
String ID: ,$?
API String ID: 1158528009-2308483597
Opcode ID: 3691d3eb49acf7fe282d18733ae3af9147e5be4a4a7370c263688d5644077239
Instruction ID: d88e58a9695d0ecde36b26a9ed5775f3b98e27f7dc2108173ae1ec2afbf22209
Opcode Fuzzy Hash: 7021C07202AE81DBD414788C7954F6221B16B5465FD49FF210329B5DD98F156003FF7A
Instruction Fuzzy Hash: d88e58a9695d0ecde36b26a9ed5775f3b98e27f7dc2108173ae1ec2afbf22209

APIs

GetVersion.KERNEL32(00000000,004347A1), ref: 004345EC
InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 004346F5
InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 0043477E

Part of subcall function 00434A54: CreatePopupMenu.USER32 ref: 00434A6F
Part of subcall function 00434A54: CreateMenu.USER32 ref: 00434A79

InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 00434765

Strings

?, xrefs: 00434607
,, xrefs: 00434600

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446524, Relevance: 10.6, APIs: 7, Instructions: 105 Total matches: 329window

Similarity

Total matches: 329
API ID: PeekMessage$DispatchMessage$IsWindowUnicodeTranslateMessage
String ID:
API String ID: 94033680-0
Opcode ID: 72d0e2097018c2d171db36cd9dd5c7d628984fd68ad100676ade8b40d7967d7f
Instruction ID: b3581f7210794b57d406096c46509e1a6dcc6e0b3c60c7d01b5c3c410123a072
Opcode Fuzzy Hash: A2F0F642161A8221F90E364651E2FC06559E31F39CCD1D3871165A4192DF8573D6F95C
Instruction Fuzzy Hash: b3581f7210794b57d406096c46509e1a6dcc6e0b3c60c7d01b5c3c410123a072

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00446538
IsWindowUnicode.USER32 ref: 0044654C
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0044656D
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00446583

Part of subcall function 00447DD0: GetCapture.USER32 ref: 00447DDA
Part of subcall function 00447DD0: GetParent.USER32(00000000), ref: 00447E08

Part of subcall function 004462A4: TranslateMDISysAccel.USER32(?), ref: 004462E3

Part of subcall function 004462F4: GetCapture.USER32 ref: 0044631A
Part of subcall function 004462F4: GetParent.USER32(00000000), ref: 00446340
Part of subcall function 004462F4: IsWindowUnicode.USER32(00000000), ref: 0044635D
Part of subcall function 004462F4: SendMessageW.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446378
Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446397
Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(00000000), ref: 004463A6
Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(?,?), ref: 004463B4
Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 004463D4

Part of subcall function 0044625C: IsWindowUnicode.USER32(00000000), ref: 00446270
Part of subcall function 0044625C: IsDialogMessageW.USER32(?), ref: 00446281
Part of subcall function 0044625C: IsDialogMessageA.USER32(?,?,00000000,015B8130,00000001,00446607,?,00000000,00000000,00000000,00000001,?,00000000,00000000,00000000,00000000), ref: 00446296

TranslateMessage.USER32 ref: 0044660C
DispatchMessageW.USER32 ref: 00446618
DispatchMessageA.USER32 ref: 00446620

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004282D0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99 Total matches: 1938

Similarity

Total matches: 1938
API ID: GetWinMetaFileBitsMulDiv$GetDC
String ID: `
API String ID: 1171737091-2679148245
Opcode ID: 97e0afb71fd3017264d25721d611b96d1ac3823582e31f119ebb41a52f378edb
Instruction ID: fd1c75cb27f8ccc4a85bc281ca680933f7ff10ae91a160973978cac80d6b42b6
Opcode Fuzzy Hash: B6F0ACC4008CD2A7D87675DC1043F6311C897CA286E89BB739226A7307CB0AA019EC47
Instruction Fuzzy Hash: fd1c75cb27f8ccc4a85bc281ca680933f7ff10ae91a160973978cac80d6b42b6

APIs

MulDiv.KERNEL32(?,?,000009EC), ref: 00428322
MulDiv.KERNEL32(?,?,000009EC), ref: 00428339
GetDC.USER32(00000000), ref: 00428350
GetWinMetaFileBits.GDI32(?,00000000,00000000,00000008,?), ref: 00428374
GetWinMetaFileBits.GDI32(?,?,?,00000008,?), ref: 004283A7

Part of subcall function 00425A70: GetLastError.KERNEL32(00000000,00425B0C), ref: 00425A90
Part of subcall function 00425A70: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00425B0C), ref: 00425AB6

Strings

`, xrefs: 00428308

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444344, Relevance: 10.6, APIs: 7, Instructions: 89 Total matches: 2886

Similarity

Total matches: 2886
API ID: CreateFontIndirect$GetStockObjectSystemParametersInfo
String ID:
API String ID: 1286667049-0
Opcode ID: beeb678630a8d2ca0f721ed15124802961745e4c56d7c704ecddf8ebfa723626
Instruction ID: b9276e4cea0afd1028da4d528d34847b13dbaab52dc8e94e54053a20ac38a9fc
Opcode Fuzzy Hash: 00F0A4C36341F6F2D8993208742172161E6A74AE78C7CFF62422930ED2661A052EEB4F
Instruction Fuzzy Hash: b9276e4cea0afd1028da4d528d34847b13dbaab52dc8e94e54053a20ac38a9fc

APIs

SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 00444399
CreateFontIndirectA.GDI32(?), ref: 004443A6
GetStockObject.GDI32(0000000D), ref: 004443BC
SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 004443E5
CreateFontIndirectA.GDI32(?), ref: 004443F5
CreateFontIndirectA.GDI32(?), ref: 0044440E

Part of subcall function 00424A5C: MulDiv.KERNEL32(00000000,?,00000048), ref: 00424A69

GetStockObject.GDI32(0000000D), ref: 00444434

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428A00, Relevance: 10.6, APIs: 7, Instructions: 66 Total matches: 3056

Similarity

Total matches: 3056
API ID: SelectObject$CreateCompatibleDCDeleteDCGetDCReleaseDCSetDIBColorTable
String ID:
API String ID: 2399757882-0
Opcode ID: e05996493a4a7703f1d90fd319a439bf5e8e75d5a5d7afaf7582bfea387cb30d
Instruction ID: 90c847b5b2251fbb5b2f14fd0b24f537c214c92e226752d9278a3821f2f40b8f
Opcode Fuzzy Hash: 73E0DF8626D8F38BE435399C15C2BB202EAD763D20D1ABBA1CD712B5DB6B09701CE107
Instruction Fuzzy Hash: 90c847b5b2251fbb5b2f14fd0b24f537c214c92e226752d9278a3821f2f40b8f

APIs

Part of subcall function 004262B4: GetObjectA.GDI32(?,00000004), ref: 004262CB
Part of subcall function 004262B4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 004262EE

GetDC.USER32(00000000), ref: 00428A3E
CreateCompatibleDC.GDI32(?), ref: 00428A4A
SelectObject.GDI32(?), ref: 00428A57
SetDIBColorTable.GDI32(?,00000000,00000000,?), ref: 00428A7B
SelectObject.GDI32(?,?), ref: 00428A95
DeleteDC.GDI32(?), ref: 00428A9E
ReleaseDC.USER32(00000000,?), ref: 00428AA9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004442A8, Relevance: 10.6, APIs: 7, Instructions: 57 Total matches: 3149threadwindow

Similarity

Total matches: 3149
API ID: SendMessage$GetCurrentThreadIdGetCursorPosGetWindowThreadProcessIdSetCursorWindowFromPoint
String ID:
API String ID: 3843227220-0
Opcode ID: 636f8612f18a75fc2fe2d79306f1978e6c2d0ee500cce15a656835efa53532b4
Instruction ID: 91a0691e93be75cbd792bc1c5d11451005bcc187603754b99125f381020161aa
Opcode Fuzzy Hash: 6FE07D44093723D5C0644A295640705A6C6CB96630DC0DB86C339580FBAD0214F0BC92
Instruction Fuzzy Hash: 91a0691e93be75cbd792bc1c5d11451005bcc187603754b99125f381020161aa

APIs

GetCursorPos.USER32 ref: 004442C3
WindowFromPoint.USER32(?,?), ref: 004442D0
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004442DE
GetCurrentThreadId.KERNEL32(00000000,00000000,?,?), ref: 004442E5
SendMessageA.USER32(00000000,00000084,00000000,?), ref: 0044430E
SendMessageA.USER32(00000000,00000020,00000000,?), ref: 00444320
SetCursor.USER32(00000000), ref: 00444332

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00404448, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 49 Total matches: 63registry

Similarity

Total matches: 63
API ID: RegCloseKeyRegOpenKeyExRegQueryValueEx
String ID: &$FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 2249749755-409351
Opcode ID: ab90adbf7b939076b4d26ef1005f34fa32d43ca05e29cbeea890055cc8b783db
Instruction ID: ce62e3bb234767a160e82b0d7d36def6f0e4d1aa0fd43ed305e6d49589b0b3e0
Opcode Fuzzy Hash: 58D02BE10C9A675FB6B071543292B6310A3F72AA8CC0077326DD03A0D64FD26178CF03
Instruction Fuzzy Hash: ce62e3bb234767a160e82b0d7d36def6f0e4d1aa0fd43ed305e6d49589b0b3e0

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040446A
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,&,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040449D
RegCloseKey.ADVAPI32(?,004044C0,00000000,?,00000004,00000000,&,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004044B3

Strings

&, xrefs: 00404476
FPUMaskValue, xrefs: 00404494
SOFTWARE\Borland\Delphi\RTL, xrefs: 00404460

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043EC18, Relevance: 9.2, APIs: 6, Instructions: 150 Total matches: 2896

Similarity

Total matches: 2896
API ID: FillRect$BeginPaintEndPaintGetClientRectGetWindowRect
String ID:
API String ID: 2931688664-0
Opcode ID: 677a90f33c4a0bae1c1c90245e54b31fe376033ebf9183cf3cf5f44c7b342276
Instruction ID: 65c0a0a89661e183b73f48e61e48bee5eb6d6399339ac08e0e21072a38132552
Opcode Fuzzy Hash: 9711994A819E5007F47B49C40887BEA1092FBC1FDBCC8FF7025A426BCB0B60564F860B
Instruction Fuzzy Hash: 65c0a0a89661e183b73f48e61e48bee5eb6d6399339ac08e0e21072a38132552

APIs

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?), ref: 0043EC91
GetClientRect.USER32(00000000,?), ref: 0043ECBC
FillRect.USER32(?,?,00000000), ref: 0043ECDB

Part of subcall function 0043EB8C: CallWindowProcA.USER32(?,?,?,?,?), ref: 0043EBC6

Part of subcall function 0043B78C: GetWindowLongA.USER32(?,000000EC), ref: 0043B799
Part of subcall function 0043B78C: SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B7BC
Part of subcall function 0043B78C: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043B7CE

BeginPaint.USER32(?,?), ref: 0043ED53
GetWindowRect.USER32(?,?), ref: 0043ED80

Part of subcall function 0044EEA0: GetWindowOrgEx.GDI32(?), ref: 0044EEAE
Part of subcall function 0044EEA0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044EEC4

Part of subcall function 00455D50: BeginPaint.USER32(00000000,?), ref: 00455D7B
Part of subcall function 00455D50: SaveDC.GDI32(00000000), ref: 00455DB4
Part of subcall function 00455D50: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 00455E36
Part of subcall function 00455D50: RestoreDC.GDI32(00000000,00000000), ref: 00455E6C
Part of subcall function 00455D50: EndPaint.USER32(00000000,?), ref: 00455EA9

EndPaint.USER32(?,?), ref: 0043EDE0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00441160, Relevance: 9.1, APIs: 6, Instructions: 125 Total matches: 196

Similarity

Total matches: 196
API ID: ExcludeClipRectFillRectGetStockObjectRestoreDCSaveDCSetBkColor
String ID:
API String ID: 3049133588-0
Opcode ID: d6019f6cee828ac7391376ab126a0af33bb7a71103bbd3b8d69450c96d22d854
Instruction ID: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c
Opcode Fuzzy Hash: 54012444004F6253F4AB098428E7FA56083F721791CE4FF310786616C34A74615BAA07
Instruction Fuzzy Hash: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c

APIs

Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE

SaveDC.GDI32(?), ref: 004411AD
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00441234
GetStockObject.GDI32(00000004), ref: 00441256
FillRect.USER32(00000000,?,00000000), ref: 0044126F

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(00000000,00000000), ref: 004412BA

Part of subcall function 0042535C: FillRect.USER32(?,00000000,00000000), ref: 00425385

RestoreDC.GDI32(00000000,?), ref: 004412E5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426564, Relevance: 9.1, APIs: 6, Instructions: 84 Total matches: 3298

Similarity

Total matches: 3298
API ID: GetDeviceCapsGetSystemMetrics$GetDCReleaseDC
String ID:
API String ID: 3173458388-0
Opcode ID: fd9f4716da230ae71bf1f4ec74ceb596be8590d72bfe1d7677825fa15454f496
Instruction ID: 76208f8db54bfa31a4e946745ab37a866a8afca9cd7e1400b1f436bf5add317d
Opcode Fuzzy Hash: 0CF09E4906CDE0A230E245C41213F6290C28E85DA1CCD2F728175646EB900A900BB68A
Instruction Fuzzy Hash: 76208f8db54bfa31a4e946745ab37a866a8afca9cd7e1400b1f436bf5add317d

APIs

GetSystemMetrics.USER32(0000000B), ref: 004265B2
GetSystemMetrics.USER32(0000000C), ref: 004265BE
GetDC.USER32(00000000), ref: 004265DA
GetDeviceCaps.GDI32(00000000,0000000E), ref: 00426601
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042660E
ReleaseDC.USER32(00000000,00000000), ref: 00426647

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004269DC, Relevance: 9.1, APIs: 6, Instructions: 65 Total matches: 3081window

Similarity

Total matches: 3081
API ID: SelectPalette$CreateCompatibleDCDeleteDCGetDIBitsRealizePalette
String ID:
API String ID: 940258532-0
Opcode ID: c5678bed85b02f593c88b8d4df2de58c18800a354d7fb4845608846d7bc0f30b
Instruction ID: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194
Opcode Fuzzy Hash: BCE0864D058EF36F1875B08C25D267100C0C9A25D0917BB6151282339B8F09B42FE553
Instruction Fuzzy Hash: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194

APIs

Part of subcall function 00426888: GetObjectA.GDI32(?,00000054), ref: 0042689C

CreateCompatibleDC.GDI32(00000000), ref: 004269FE
SelectPalette.GDI32(?,?,00000000), ref: 00426A1F
RealizePalette.GDI32(?), ref: 00426A2B
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 00426A42
SelectPalette.GDI32(?,00000000,00000000), ref: 00426A6A
DeleteDC.GDI32(?), ref: 00426A73

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426210, Relevance: 9.1, APIs: 6, Instructions: 56 Total matches: 3064window

Similarity

Total matches: 3064
API ID: SelectObject$CreateCompatibleDCCreatePaletteDeleteDCGetDIBColorTable
String ID:
API String ID: 2522673167-0
Opcode ID: 8f0861977a40d6dd0df59c1c8ae10ba78c97ad85d117a83679491ebdeecf1838
Instruction ID: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265
Opcode Fuzzy Hash: 23E0CD8BABB4E08A797B9EA40440641D28F874312DF4347525731780E7DE0972EBFD9D
Instruction Fuzzy Hash: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265

APIs

CreateCompatibleDC.GDI32(00000000), ref: 00426229
SelectObject.GDI32(00000000,00000000), ref: 00426232
GetDIBColorTable.GDI32(00000000,00000000,00000100,?), ref: 00426246
SelectObject.GDI32(00000000,00000000), ref: 00426252
DeleteDC.GDI32(00000000), ref: 00426258
CreatePalette.GDI32 ref: 0042629F

Part of subcall function 00426178: GetDC.USER32(00000000), ref: 00426190
Part of subcall function 00426178: GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
Part of subcall function 00426178: ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004258EC, Relevance: 9.0, APIs: 6, Instructions: 43 Total matches: 3205

Similarity

Total matches: 3205
API ID: SetBkColorSetBkMode$SelectObjectUnrealizeObject
String ID:
API String ID: 865388446-0
Opcode ID: ffaa839b37925f52af571f244b4bcc9ec6d09047a190f4aa6a6dd435522a71e3
Instruction ID: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d
Opcode Fuzzy Hash: 04D09E594221F71A98E8058442D7D520586497D532DAF3B51063B173F7F8089A05D9FC
Instruction Fuzzy Hash: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d

APIs

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

UnrealizeObject.GDI32(00000000), ref: 004258F8
SelectObject.GDI32(?,00000000), ref: 0042590A
SetBkColor.GDI32(?,00000000), ref: 0042592D
SetBkMode.GDI32(?,00000002), ref: 00425938

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(?,00000000), ref: 00425953
SetBkMode.GDI32(?,00000001), ref: 0042595E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042A930, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 112 Total matches: 272window

Similarity

Total matches: 272
API ID: CreateHalftonePaletteDeleteObjectGetDCReleaseDC
String ID: (
API String ID: 5888407-3887548279
Opcode ID: 4e22601666aff46a46581565b5bf303763a07c2fd17868808ec6dd327d665c82
Instruction ID: f57f3c124764741b0e8e00b5455ad9be4a6e3969f543885727e4b1f2e22c0620
Opcode Fuzzy Hash: 79019E5241CC6117F8D7A6547852F732644AB806A5C80FB707B69BA8CFAB85610EB90B
Instruction Fuzzy Hash: f57f3c124764741b0e8e00b5455ad9be4a6e3969f543885727e4b1f2e22c0620

APIs

GetDC.USER32(00000000), ref: 0042A9EC
CreateHalftonePalette.GDI32(00000000), ref: 0042A9F9
ReleaseDC.USER32(00000000,00000000), ref: 0042AA08
DeleteObject.GDI32(00000000), ref: 0042AA76

Strings

(, xrefs: 0042A9A3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DA48, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 102 Total matches: 32

Similarity

Total matches: 32
API ID: Netbios
String ID: %.2x-%.2x-%.2x-%.2x-%.2x-%.2x$3$memory allocation failed!
API String ID: 544444789-2654533857
Opcode ID: 22deb5ba4c8dd5858e69645675ac88c4b744798eed5cc2a6ae80ae5365d1f156
Instruction ID: 205d53b38d78d2d0723284a20418f6a6cc2e9f6e34ee92e133a3f4b1a01c78c5
Opcode Fuzzy Hash: FC0145449793E233D2635E086C60F6823228F41731FC96B56863A557DC1F09420EF26F
Instruction Fuzzy Hash: 205d53b38d78d2d0723284a20418f6a6cc2e9f6e34ee92e133a3f4b1a01c78c5

APIs

Netbios.NETAPI32(00000032), ref: 0048DA8A
Netbios.NETAPI32(00000033), ref: 0048DB01

Strings

3, xrefs: 0048DACB
memory allocation failed!, xrefs: 0048DAEB
%.2x-%.2x-%.2x-%.2x-%.2x-%.2x, xrefs: 0048DBA0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EA7C, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50 Total matches: 198thread

Similarity

Total matches: 198
API ID: FindWindowExGetCurrentThreadIdGetWindowThreadProcessIdIsWindow
String ID: OleMainThreadWndClass
API String ID: 201132107-3883841218
Opcode ID: cdbacb71e4e8a6832b821703e69153792bbbb8731c9381be4d3b148a6057b293
Instruction ID: 62358f18f5a79d764869bf2b093b0b3ccaeb62bda00a46bd1094c38cdaeeb6b7
Opcode Fuzzy Hash: F8E08C9266CC1095C039EA1C7A2237A3548B7D24E9ED4DB747BEB2716CEF00022A7780
Instruction Fuzzy Hash: 62358f18f5a79d764869bf2b093b0b3ccaeb62bda00a46bd1094c38cdaeeb6b7

APIs

Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00000000,00403029), ref: 004076AD
Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00403029), ref: 004076BE

IsWindow.USER32(?), ref: 0042EA99
FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
GetCurrentThreadId.KERNEL32(?,00000000,00000000,00000000,OleMainThreadWndClass,00000000,?,?,00000000,0042EB52), ref: 0042EB0A

Strings

OleMainThreadWndClass, xrefs: 0042EAC3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434AE4, Relevance: 7.7, APIs: 5, Instructions: 168 Total matches: 2874

Similarity

Total matches: 2874
API ID: DrawTextOffsetRect$DrawEdge
String ID:
API String ID: 1230182654-0
Opcode ID: 4033270dfa35f51a11e18255a4f5fd5a4a02456381e8fcea90fa62f052767fcc
Instruction ID: 6b9e5ef3b45a4a7d0cb501c9f56a29ead01efbe1e1581f942ef4c6a165ab8663
Opcode Fuzzy Hash: A511CB01114D5A93E431240815A7FEF1295FBC1A9BCD4BB71078636DBB2F481017EA7B
Instruction Fuzzy Hash: 6b9e5ef3b45a4a7d0cb501c9f56a29ead01efbe1e1581f942ef4c6a165ab8663

APIs

DrawEdge.USER32(00000000,?,00000006,00000002), ref: 00434BB3
OffsetRect.USER32(?,00000001,00000001), ref: 00434C04
DrawTextA.USER32(00000000,00000000,?,?,?), ref: 00434C3D
OffsetRect.USER32(?,000000FF,000000FF), ref: 00434C4A

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

DrawTextA.USER32(00000000,00000000,?,?,?), ref: 00434CB5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004455EC, Relevance: 7.6, APIs: 5, Instructions: 109 Total matches: 230

Similarity

Total matches: 230
API ID: ShowOwnedPopupsShowWindow$EnumWindows
String ID:
API String ID: 1268429734-0
Opcode ID: 27bb45b2951756069d4f131311b8216febb656800ffc3f7147a02f570a82fa35
Instruction ID: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc
Opcode Fuzzy Hash: 70012B5524E87325E2756D54B01C765A2239B0FF08CE6C6654AAE640F75E1E0132F78D
Instruction Fuzzy Hash: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc

APIs

EnumWindows.USER32(00445518,00000000), ref: 00445620
ShowWindow.USER32(?,00000000), ref: 00445655
ShowOwnedPopups.USER32(00000000,?), ref: 00445684
ShowWindow.USER32(?,00000005), ref: 004456EA
ShowOwnedPopups.USER32(00000000,?), ref: 00445719

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EB3C, Relevance: 7.6, APIs: 5, Instructions: 86 Total matches: 211window

Similarity

Total matches: 211
API ID: DispatchMessageMsgWaitForMultipleObjectsExPeekMessageTranslateMessageWaitForMultipleObjectsEx
String ID:
API String ID: 1615661765-0
Opcode ID: ed928f70f25773e24e868fbc7ee7d77a1156b106903410d7e84db0537b49759f
Instruction ID: 55a40452e6c929106030349fb2bc1598364ce2fc4e781c2a916e8f687fa462b2
Opcode Fuzzy Hash: DDF05C09614F1D16D8BB88644562B1B2144AB42397C26BFA5529EE3B2D6B18B00AF640
Instruction Fuzzy Hash: 55a40452e6c929106030349fb2bc1598364ce2fc4e781c2a916e8f687fa462b2

APIs

Part of subcall function 0042EA7C: IsWindow.USER32(?), ref: 0042EA99
Part of subcall function 0042EA7C: FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
Part of subcall function 0042EA7C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
Part of subcall function 0042EA7C: GetCurrentThreadId.KERNEL32(?,00000000,00000000,00000000,OleMainThreadWndClass,00000000,?,?,00000000,0042EB52), ref: 0042EB0A

MsgWaitForMultipleObjectsEx.USER32(?,?,?,000000BF,?), ref: 0042EB6A
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 0042EB85
TranslateMessage.USER32(?), ref: 0042EB92
DispatchMessageA.USER32(?), ref: 0042EB9B
WaitForMultipleObjectsEx.KERNEL32(?,?,?,?,00000000), ref: 0042EBC7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434924, Relevance: 7.6, APIs: 5, Instructions: 77 Total matches: 2509window

Similarity

Total matches: 2509
API ID: GetMenuItemCount$DestroyMenuGetMenuStateRemoveMenu
String ID:
API String ID: 4240291783-0
Opcode ID: 32de4ad86fdb0cc9fc982d04928276717e3a5babd97d9cb0bc7430a9ae97d0ca
Instruction ID: cf6877f9ad33401498591f2bf6e6844a5ca439f59e89e6fdb213c81f0c010526
Opcode Fuzzy Hash: 6BE02BD3455E4703F425AB0454E3FA913C4AF51716DA0DB1017359D07B1F26501FE9F4
Instruction Fuzzy Hash: cf6877f9ad33401498591f2bf6e6844a5ca439f59e89e6fdb213c81f0c010526

APIs

Part of subcall function 00434A54: CreatePopupMenu.USER32 ref: 00434A6F
Part of subcall function 00434A54: CreateMenu.USER32 ref: 00434A79

GetMenuItemCount.USER32(00000000), ref: 0043495C
GetMenuState.USER32(00000000,-00000001,00000400), ref: 0043497D
RemoveMenu.USER32(00000000,-00000001,00000400), ref: 00434994
GetMenuItemCount.USER32(00000000), ref: 004349C4
DestroyMenu.USER32(00000000), ref: 004349D1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00443430, Relevance: 7.6, APIs: 5, Instructions: 61 Total matches: 3003

Similarity

Total matches: 3003
API ID: SetWindowLong$GetWindowLongRedrawWindowSetLayeredWindowAttributes
String ID:
API String ID: 3761630487-0
Opcode ID: 9c9d49d1ef37d7cb503f07450c0d4a327eb9b2b4778ec50dcfdba666c10abcb3
Instruction ID: c6d9d2cd31c241e86b7d90949bf59b5cad1e27a78e0073c3828bbb8e9ec94880
Opcode Fuzzy Hash: 6AE06550D41703A1D48114945B63FBBE8817F8911DDE5C71001BA29145BA88A192FF7B
Instruction Fuzzy Hash: c6d9d2cd31c241e86b7d90949bf59b5cad1e27a78e0073c3828bbb8e9ec94880

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 00443464
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 00443496
SetLayeredWindowAttributes.USER32(00000000,?,?,00000000), ref: 004434CF
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 004434E8
RedrawWindow.USER32(00000000,00000000,00000000,00000485), ref: 004434FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426178, Relevance: 7.6, APIs: 5, Instructions: 55 Total matches: 3070window

Similarity

Total matches: 3070
API ID: GetPaletteEntries$GetDCGetDeviceCapsReleaseDC
String ID:
API String ID: 1267235336-0
Opcode ID: 49f91625e0dd571c489fa6fdad89a91e8dd79834746e98589081ca7a3a4fea17
Instruction ID: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836
Opcode Fuzzy Hash: 7CD0C2AA1389DBD6BD6A17842352A4553478983B09D126B32EB0822872850C5039FD1F
Instruction Fuzzy Hash: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836

APIs

GetDC.USER32(00000000), ref: 00426190
GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444B90, Relevance: 7.5, APIs: 5, Instructions: 25 Total matches: 2957synchronizationthread

Similarity

Total matches: 2957
API ID: CloseHandleGetCurrentThreadIdSetEventUnhookWindowsHookExWaitForSingleObject
String ID:
API String ID: 3442057731-0
Opcode ID: bc40a7f740796d43594237fc13166084f8c3b10e9e48d5138e47e82ca7129165
Instruction ID: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1
Opcode Fuzzy Hash: E9C01296B2C9B0C1EC809712340202800B20F8FC590E3DE0509D7363005315D73CD92C
Instruction Fuzzy Hash: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1

APIs

UnhookWindowsHookEx.USER32(00000000), ref: 00444B9F
SetEvent.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBA
GetCurrentThreadId.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBF
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00444BD4
CloseHandle.KERNEL32(00000000), ref: 00444BDF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040D670, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148 Total matches: 3566thread

Similarity

Total matches: 3566
API ID: GetThreadLocale
String ID: eeee$ggg$yyyy
API String ID: 1366207816-1253427255
Opcode ID: 86fa1fb3c1f239f42422769255d2b4db7643f856ec586a18d45da068e260c20e
Instruction ID: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436
Opcode Fuzzy Hash: 3911BD8712648363D5722818A0D2BE3199C5703CA4EA89742DDB6356EA7F09440BEE6D
Instruction Fuzzy Hash: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436

APIs

GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Strings

eeee, xrefs: 0040D7AE
yyyy, xrefs: 0040D795
ggg, xrefs: 0040D785

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F5E4, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72 Total matches: 26window

Similarity

Total matches: 26
API ID: GetWindowPlacementGetWindowTextIsWindowVisible
String ID: ,
API String ID: 41250382-3772416878
Opcode ID: d98ece8bad481757d152ad7594c705093dec75069e9b5f9ec314c4d81001c558
Instruction ID: 1b57460ef1e40e225087e69e669dd845b9a56fe4f5442601256b4cdd4d0865f6
Opcode Fuzzy Hash: DBE0ABC68782816BD907FDCCB0207E6E1E4779394CC8CBB32C606396E44D92000DCE69
Instruction Fuzzy Hash: 1b57460ef1e40e225087e69e669dd845b9a56fe4f5442601256b4cdd4d0865f6

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F634
GetWindowPlacement.USER32(?,0000002C), ref: 0046F64F
IsWindowVisible.USER32(?), ref: 0046F655

Strings

,, xrefs: 0046F643

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00485150, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64 Total matches: 24registry

Similarity

Total matches: 24
API ID: RegCloseKeyRegOpenKeyRegSetValueEx
String ID: Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 551737238-1428018034
Opcode ID: 03d06dea9a4ea131a8c95bd501c85e7d0b73df60e0a15cb9a2dd1ac9fe2d308f
Instruction ID: 259808f008cd29689f11a183a475b32bbb219f99a0f83129d86369365ce9f44d
Opcode Fuzzy Hash: 15E04F8517EAE2ABA996B5C838866F7609A9713790F443FB19B742F18B4F04601CE243
Instruction Fuzzy Hash: 259808f008cd29689f11a183a475b32bbb219f99a0f83129d86369365ce9f44d

APIs

RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 00485199
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,?,00000000,004851DE,?,00000000,0048520A), ref: 004851C6
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,?,00000000,004851DE,?,00000000,0048520A), ref: 004851CF

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 0048518F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004606CC, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 59 Total matches: 75network

Similarity

Total matches: 75
API ID: gethostbynameinet_addr
String ID: %d.%d.%d.%d$0.0.0.0
API String ID: 1594361348-464342551
Opcode ID: 7e59b623bdbf8c44b8bb58eaa9a1d1e7bf08be48a025104469b389075155053e
Instruction ID: 136b4077bafd549567cd44b702fc781b2d0bdeab701521d256d746d30229b047
Opcode Fuzzy Hash: 62E0D84049F633C28038E685914DF713041C71A2DEF8F9352022171EF72B096986AE3F
Instruction Fuzzy Hash: 136b4077bafd549567cd44b702fc781b2d0bdeab701521d256d746d30229b047

APIs

inet_addr.WSOCK32(00000000), ref: 004606F6
gethostbyname.WSOCK32(00000000), ref: 00460711

Strings

%d.%d.%d.%d, xrefs: 0046075E
0.0.0.0, xrefs: 0046076C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043804C, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58 Total matches: 1778window

Similarity

Total matches: 1778
API ID: DrawMenuBarGetMenuItemInfoSetMenuItemInfo
String ID: P
API String ID: 41131186-3110715001
Opcode ID: ea0fd48338f9c30b58f928f856343979a74bbe7af1b6c53973efcbd39561a32d
Instruction ID: eec9c326b6739cd85be96541f469f9b321a478421ae7c7aca53e0c239bd8eefe
Opcode Fuzzy Hash: C8E0C0C1064C1301CCACB4938564F010221FB8B33CDD1D3C051602419A9D0080D4BFFA
Instruction Fuzzy Hash: eec9c326b6739cd85be96541f469f9b321a478421ae7c7aca53e0c239bd8eefe

APIs

GetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 0043809A
SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 004380EC
DrawMenuBar.USER32(00000000), ref: 004380F9

Strings

P, xrefs: 0043808C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C3E4, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47 Total matches: 32libraryloader

Similarity

Total matches: 32
API ID: FreeLibraryGetProcAddressLoadLibrary
String ID: _DCEntryPoint
API String ID: 2438569322-2130044969
Opcode ID: ab6be07d423f29e2cef18b5ad5ff21cef58c0bd0bd6b8b884c8bb9d8d911d098
Instruction ID: 3cba8b520013dd4b177f9c32272ffd10ecf318a20762e1e9fa694429cf7511db
Opcode Fuzzy Hash: B9D0C2568747D413C405200439407D90CF1AF8719F9967FA145303FAD76F09801B7527
Instruction Fuzzy Hash: 3cba8b520013dd4b177f9c32272ffd10ecf318a20762e1e9fa694429cf7511db

APIs

LoadLibraryA.KERNEL32(00000000), ref: 0048C431
GetProcAddress.KERNEL32(00000000,_DCEntryPoint,00000000,0048C473), ref: 0048C442
FreeLibrary.KERNEL32(00000000), ref: 0048C44A

Strings

_DCEntryPoint, xrefs: 0048C43C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046D36C, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36 Total matches: 62

Similarity

Total matches: 62
API ID: ShellExecute
String ID: /k $[FILE]$open
API String ID: 2101921698-3009165984
Opcode ID: 68a05d7cd04e1a973318a0f22a03b327e58ffdc8906febc8617c9713a9b295c3
Instruction ID: d64fb813625eb261c687c2654e5203d30067de4ace02db37851750b48dd66fbf
Opcode Fuzzy Hash: FED0C75427CD9157FA017F8439527E61057E747281D481BE285587A0838F8D40659312
Instruction Fuzzy Hash: d64fb813625eb261c687c2654e5203d30067de4ace02db37851750b48dd66fbf

APIs

ShellExecuteA.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0046D3B9

Strings

/k , xrefs: 0046D39A
cmd.exe, xrefs: 0046D3AD
open, xrefs: 0046D3B2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042F9E4, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36 Total matches: 35libraryloader

Similarity

Total matches: 35
API ID: GetProcAddressLoadLibrary
String ID: DWMAPI.DLL$DwmExtendFrameIntoClientArea
API String ID: 3291547091-2956373744
Opcode ID: cc41b93bac7ef77e5c5829331b5f2d91e10911707bc9e4b3bb75284856726923
Instruction ID: 611aa7263024d751f308fb3d57e5af9092bc5a71ac2d52dead79affe02cb0da7
Opcode Fuzzy Hash: D0D0A7E4C08511B0F0509405703078241DE1BC5EEE8860E90150E533621B9FB827F65C
Instruction Fuzzy Hash: 611aa7263024d751f308fb3d57e5af9092bc5a71ac2d52dead79affe02cb0da7

APIs

LoadLibraryA.KERNEL32(DWMAPI.DLL), ref: 0042FA0E
GetProcAddress.KERNEL32(00000000,DwmExtendFrameIntoClientArea,?,?,?,00447F98), ref: 0042FA31

Strings

DWMAPI.DLL, xrefs: 0042FA09
DwmExtendFrameIntoClientArea, xrefs: 0042FA26

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042FA80, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31 Total matches: 41libraryloader

Similarity

Total matches: 41
API ID: GetProcAddressLoadLibrary
String ID: DWMAPI.DLL$DwmIsCompositionEnabled
API String ID: 3291547091-2128843254
Opcode ID: 903d86e3198bc805c96c7b960047695f5ec88b3268c29fda1165ed3f3bc36d22
Instruction ID: 6cdb37f6684ca359e010f835ed4616ce0f7732468e0f2b98b5f1960530870703
Opcode Fuzzy Hash: E3D0C9A5C0865175F571D509713068081FA23D6E8A8824998091A123225FAFB866F55C
Instruction Fuzzy Hash: 6cdb37f6684ca359e010f835ed4616ce0f7732468e0f2b98b5f1960530870703

APIs

LoadLibraryA.KERNEL32(DWMAPI.DLL), ref: 0042FAA6
GetProcAddress.KERNEL32(00000000,DwmIsCompositionEnabled,?,?,0042FB22,?,00447EFB), ref: 0042FAC9

Strings

DwmIsCompositionEnabled, xrefs: 0042FABE
DWMAPI.DLL, xrefs: 0042FAA1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040F4AC, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16 Total matches: 3137libraryloader

Similarity

Total matches: 3137
API ID: GetModuleHandleGetProcAddress
String ID: GetDiskFreeSpaceExA$[FILE]
API String ID: 1063276154-3559590856
Opcode ID: c33e0a58fb58839ae40c410e06ae8006a4b80140bf923832b2d6dbd30699e00d
Instruction ID: 9d6a6771c1a736381c701344b3d7b8e37c98dfc5013332f68a512772380f22cc
Opcode Fuzzy Hash: D8B09224E0D54114C4B4560930610013C82738A10E5019A820A1B720AA7CCEEA29603A
Instruction Fuzzy Hash: 9d6a6771c1a736381c701344b3d7b8e37c98dfc5013332f68a512772380f22cc

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0048F10B,00000000,0048F11E), ref: 0040F4B2
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA,kernel32.dll,?,0048F10B,00000000,0048F11E), ref: 0040F4C3

Strings

GetDiskFreeSpaceExA, xrefs: 0040F4BD
kernel32.dll, xrefs: 0040F4AD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EC20, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15 Total matches: 48libraryloader

Similarity

Total matches: 48
API ID: GetModuleHandleGetProcAddress
String ID: CoWaitForMultipleHandles$[FILE]
API String ID: 1063276154-3065170753
Opcode ID: c6d715972c75e747e6d7ad7506eebf8b4c41a2b527cd9bc54a775635c050cd0f
Instruction ID: d81c7de5bd030b21af5c52a75e3162b073d887a4de1eb555b8966bd0fb9ec815
Opcode Fuzzy Hash: 4DB012F9A0C9210CE55F44043163004ACF031C1B5F002FD461637827803F86F437631D
Instruction Fuzzy Hash: d81c7de5bd030b21af5c52a75e3162b073d887a4de1eb555b8966bd0fb9ec815

APIs

GetModuleHandleA.KERNEL32(ole32.dll,?,0042EC9A), ref: 0042EC26
GetProcAddress.KERNEL32(00000000,CoWaitForMultipleHandles,ole32.dll,?,0042EC9A), ref: 0042EC37

Strings

CoWaitForMultipleHandles, xrefs: 0042EC31
ole32.dll, xrefs: 0042EC21

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00411444, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: 954335058d5fe722e048a186d9110509c96c1379a47649d8646f5b9e1a2e0a0b
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: 9D014B0327CAAA867021BB004882FA0D2D4DE52A369CD8774DB71593F62780571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004114F3
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041150F
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411586
VariantClear.OLEAUT32(?), ref: 004115AF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428848, Relevance: 6.1, APIs: 4, Instructions: 83 Total matches: 2913window

Similarity

Total matches: 2913
API ID: CreateCompatibleDCRealizePaletteSelectObjectSelectPalette
String ID:
API String ID: 3833105616-0
Opcode ID: 7f49dee69bcd38fda082a6c54f39db5f53dba16227df2c2f18840f8cf7895046
Instruction ID: 29ada319a87402adac0eebea4d3b1ef9d21249ffa1523adf5174efdc3c3390a2
Opcode Fuzzy Hash: C0F0E5870BCED49BFCA7D484249722910C2F3C08DFC80A3324E55676DB9604B127A20B
Instruction Fuzzy Hash: 29ada319a87402adac0eebea4d3b1ef9d21249ffa1523adf5174efdc3c3390a2

APIs

Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE

Part of subcall function 00429D5C: GetDC.USER32(00000000), ref: 00429DB2
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429DC7
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00429DD1
Part of subcall function 00429D5C: CreateHalftonePalette.GDI32(00000000), ref: 00429DF5
Part of subcall function 00429D5C: ReleaseDC.USER32(00000000,00000000), ref: 00429E00

CreateCompatibleDC.GDI32(00000000), ref: 0042889D
SelectObject.GDI32(00000000,?), ref: 004288B6
SelectPalette.GDI32(00000000,?,000000FF), ref: 004288DF
RealizePalette.GDI32(00000000), ref: 004288EB

Part of subcall function 00425608: LeaveCriticalSection.KERNEL32(00000038,00000000,00423DD2,00423DE8), ref: 0042560F
Part of subcall function 00425608: EnterCriticalSection.KERNEL32(00499A30,00000038,00000000,00423DD2,00423DE8), ref: 00425619
Part of subcall function 00425608: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000038,00000000,00423DD2,00423DE8), ref: 00425626

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00438710, Relevance: 6.1, APIs: 4, Instructions: 72 Total matches: 3034window

Similarity

Total matches: 3034
API ID: GetMenuItemIDGetMenuStateGetMenuStringGetSubMenu
String ID:
API String ID: 4177512249-0
Opcode ID: ecc45265f1f2dfcabc36b66648e37788e83d83d46efca9de613be41cbe9cf08e
Instruction ID: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d
Opcode Fuzzy Hash: BEE020084B1FC552541F0A4A1573F019140E142CB69C3F3635127565B31A255213F776
Instruction Fuzzy Hash: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d

APIs

GetMenuState.USER32(?,?,?), ref: 00438733
GetSubMenu.USER32(?,?), ref: 0043873E
GetMenuItemID.USER32(?,?), ref: 00438757
GetMenuStringA.USER32(?,?,?,?,?), ref: 004387AA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00445518, Relevance: 6.1, APIs: 4, Instructions: 71 Total matches: 218threadwindow

Similarity

Total matches: 218
API ID: GetCurrentProcessIdGetWindowGetWindowThreadProcessIdIsWindowVisible
String ID:
API String ID: 3659984437-0
Opcode ID: 6a2b99e3a66d445235cbeb6ae27631a3038d73fb4110980a8511166327fee1f0
Instruction ID: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8
Opcode Fuzzy Hash: 82E0AB21B2AA28AAE0971541B01939130B3F74ED9ACC0A3626F8594BD92F253809E74F
Instruction Fuzzy Hash: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8

APIs

GetWindow.USER32(?,00000004), ref: 00445528
GetWindowThreadProcessId.USER32(?,?), ref: 00445542
GetCurrentProcessId.KERNEL32(?,00000004), ref: 0044554E
IsWindowVisible.USER32(?), ref: 0044559E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B29C, Relevance: 6.1, APIs: 4, Instructions: 58 Total matches: 214window

Similarity

Total matches: 214
API ID: DeleteObject$GetIconInfoGetObject
String ID:
API String ID: 3019347292-0
Opcode ID: d6af2631bec08fa1cf173fc10c555d988242e386d2638a025981433367bbd086
Instruction ID: 7fbc048e39f9dd6e6db5f40543e5f161b145f4c2f282fe4a446dbd8e1941d375
Opcode Fuzzy Hash: F7D0C283228DE2F7ED767D983A636154085F782297C6423B00444730860A1E700C6A03
Instruction Fuzzy Hash: 7fbc048e39f9dd6e6db5f40543e5f161b145f4c2f282fe4a446dbd8e1941d375

APIs

GetIconInfo.USER32(?,?), ref: 0042B2BD
GetObjectA.GDI32(?,00000018,?), ref: 0042B2DE
DeleteObject.GDI32(?), ref: 0042B30A
DeleteObject.GDI32(?), ref: 0042B313

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00445334, Relevance: 6.1, APIs: 4, Instructions: 56 Total matches: 2678

Similarity

Total matches: 2678
API ID: EnumWindowsGetWindowGetWindowLongSetWindowPos
String ID:
API String ID: 1660305372-0
Opcode ID: c3d012854d63b95cd89c42a77d529bdce0f7c5ea0abc138a70ce1ca7fb0ed027
Instruction ID: 7947c1ee61b3a945b06f79495752ea495d4a1fb36974d9d540e15b721e8a8e8a
Opcode Fuzzy Hash: 65E07D89179DA114F52124400911F043342F3D731BD1ADF814246283E39B8522BBFB8C
Instruction Fuzzy Hash: 7947c1ee61b3a945b06f79495752ea495d4a1fb36974d9d540e15b721e8a8e8a

APIs

EnumWindows.USER32(Function_000452BC), ref: 0044535E
GetWindow.USER32(?,00000003), ref: 00445376
GetWindowLongA.USER32(00000000,000000EC), ref: 00445383
SetWindowPos.USER32(00000000,000000EC,00000000,00000000,00000000,00000000,00000213), ref: 004453C2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040A404, Relevance: 6.1, APIs: 4, Instructions: 54 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: c8f11cb17e652d385e55d6399cfebc752614be738e382b5839b86fc73ea86396
Instruction ID: 2e292ce978d1af3d415e66e5b982e49a92b9d84a3d1479b7871fac408542b61b
Opcode Fuzzy Hash: 32D02B030B309613452F157D0441F8D7032488F01A96C2F8C37B77ABA68505605FFE4C
Instruction Fuzzy Hash: 2e292ce978d1af3d415e66e5b982e49a92b9d84a3d1479b7871fac408542b61b

APIs

FindNextFileA.KERNEL32(?,?), ref: 0040A415
GetLastError.KERNEL32(?,?), ref: 0040A41E
FileTimeToLocalFileTime.KERNEL32(?), ref: 0040A434
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 0040A443

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0041C2D4, Relevance: 6.1, APIs: 4, Instructions: 51 Total matches: 4966

Similarity

Total matches: 4966
API ID: FindResourceLoadResourceLockResourceSizeofResource
String ID:
API String ID: 3653323225-0
Opcode ID: 735dd83644160b8dcfdcb5d85422b4d269a070ba32dbf009b7750e227a354687
Instruction ID: 615d07274e164157e3e11310b2f920de543c2506028dc961f8b3aaf64374c2fd
Opcode Fuzzy Hash: 4BD0A90A2268C100582C2C80002BBC610830A5FE226CC27F902231BBC32C026024F8C4
Instruction Fuzzy Hash: 615d07274e164157e3e11310b2f920de543c2506028dc961f8b3aaf64374c2fd

APIs

FindResourceA.KERNEL32(?,?,?), ref: 0041C2EB
LoadResource.KERNEL32(?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C305
SizeofResource.KERNEL32(?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C31F
LockResource.KERNEL32(0041BDF4,00000000,?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000), ref: 0041C329

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040A3AC, Relevance: 6.0, APIs: 4, Instructions: 40 Total matches: 51time

Similarity

Total matches: 51
API ID: DosDateTimeToFileTimeGetLastErrorLocalFileTimeToFileTimeSetFileTime
String ID:
API String ID: 3095628216-0
Opcode ID: dc7fe683cb9960f76d0248ee31fd3249d04fe76d6d0b465a838fe0f3e66d3351
Instruction ID: c3399427300e97a0bf23ec08d7f996c3ab3c22a86554ee3675cd901d102723b3
Opcode Fuzzy Hash: F2C0803B165157D71F4F7D7C600375011F0D1778230955B614E019718D4E05F01EFD86
Instruction Fuzzy Hash: c3399427300e97a0bf23ec08d7f996c3ab3c22a86554ee3675cd901d102723b3

APIs

DosDateTimeToFileTime.KERNEL32(?,0048C37F,?), ref: 0040A3C9
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0040A3DA
SetFileTime.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3EC
GetLastError.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3F5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00484388, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 39

Similarity

Total matches: 39
API ID: CloseHandleGetExitCodeProcessOpenProcessTerminateProcess
String ID:
API String ID: 2790531620-0
Opcode ID: 2f64381cbc02908b23ac036d446d8aeed05bad4df5f4c3da9e72e60ace7043ae
Instruction ID: e830ae185e03603e72926048c7063e7464f7d8c572e36ef4319c937be7ad0c91
Opcode Fuzzy Hash: 5DC01285079EAB7B643571D825437E14084D5026CCB943B7185045F10B4B09B43DF053
Instruction Fuzzy Hash: e830ae185e03603e72926048c7063e7464f7d8c572e36ef4319c937be7ad0c91

APIs

OpenProcess.KERNEL32(00000001,00000000,00000000), ref: 00484393
GetExitCodeProcess.KERNEL32(00000000,?), ref: 004843B7
TerminateProcess.KERNEL32(00000000,?,00000000,004843E0,?,00000001,00000000,00000000), ref: 004843C4
CloseHandle.KERNEL32(00000000), ref: 004843DA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044E254, Relevance: 6.0, APIs: 4, Instructions: 37 Total matches: 5751thread

Similarity

Total matches: 5751
API ID: GetCurrentProcessIdGetPropGetWindowThreadProcessIdGlobalFindAtom
String ID:
API String ID: 142914623-0
Opcode ID: 055fee701d7a26f26194a738d8cffb303ddbdfec43439e02886190190dab2487
Instruction ID: e9689aead5eaf442059aa2d418bca5d111d08576717f72d926dd49825766799b
Opcode Fuzzy Hash: 0AC02203AD2E23870E4202F2E840907219583DF8720CA370201B0E38C023F0461DFF0C
Instruction Fuzzy Hash: e9689aead5eaf442059aa2d418bca5d111d08576717f72d926dd49825766799b

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 0044E261
GetCurrentProcessId.KERNEL32(00000000,?,?,-00000010,00000000,0044E2CC,-000000F7,?,00000000,0044DE86,?,-00000010,?), ref: 0044E26A
GlobalFindAtomA.KERNEL32(00000000), ref: 0044E27F
GetPropA.USER32(00000000,00000000), ref: 0044E296

Part of subcall function 0044D2C0: GetWindowThreadProcessId.USER32(?), ref: 0044D2C6
Part of subcall function 0044D2C0: GetCurrentProcessId.KERNEL32(?,?,?,?,0044D346,?,00000000,?,004387ED,?,004378A9), ref: 0044D2CF
Part of subcall function 0044D2C0: SendMessageA.USER32(?,0000C1C7,00000000,00000000), ref: 0044D2E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444B1C, Relevance: 6.0, APIs: 4, Instructions: 34 Total matches: 2966thread

Similarity

Total matches: 2966
API ID: CreateEventCreateThreadGetCurrentThreadIdSetWindowsHookEx
String ID:
API String ID: 2240124278-0
Opcode ID: 54442a1563c67a11f9aee4190ed64b51599c5b098d388fde65e2e60bb6332aef
Instruction ID: 25b62da08cecef26c395931cea73ffe9b62582a88be241cbb158b3c9ea13de32
Opcode Fuzzy Hash: 37D0C940B0DE75C4F860630138017A90633234BF1BCD1C316480F76041C6CFAEF07A28
Instruction Fuzzy Hash: 25b62da08cecef26c395931cea73ffe9b62582a88be241cbb158b3c9ea13de32

APIs

GetCurrentThreadId.KERNEL32(?,00447A69,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00444B34
SetWindowsHookExA.USER32(00000003,00444AD8,00000000,00000000), ref: 00444B44
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00447A69,?,?,?,?,?,?,?,?,?,?), ref: 00444B5F
CreateThread.KERNEL32(00000000,000003E8,00444A7C,00000000,00000000), ref: 00444B83

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B438, Relevance: 6.0, APIs: 4, Instructions: 29 Total matches: 789

Similarity

Total matches: 789
API ID: GetDCGetTextMetricsReleaseDCSelectObject
String ID:
API String ID: 1769665799-0
Opcode ID: db772d9cc67723a7a89e04e615052b16571c955da3e3b2639a45f22e65d23681
Instruction ID: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3
Opcode Fuzzy Hash: DCC02B935A2888C32DE51FC0940084317C8C0E3A248C62212E13D400727F0C007CBFC0
Instruction Fuzzy Hash: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3

APIs

GetDC.USER32(00000000), ref: 0042B441
SelectObject.GDI32(00000000,018A002E), ref: 0042B453
GetTextMetricsA.GDI32(00000000), ref: 0042B45E
ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042473C, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 172 Total matches: 108

Similarity

Total matches: 108
API ID: CompareStringCreateFontIndirect
String ID: Default
API String ID: 480662435-753088835
Opcode ID: 55710f22f10b58c86f866be5b7f1af69a0ec313069c5af8c9f5cd005ee0f43f8
Instruction ID: ad4a051fb67a15694052d05548e5e2a92b9daedfa5d673be67c756d1cf269a99
Opcode Fuzzy Hash: F6116A2104DDB067F8B3EC94B64A74A79D1BBC5E9EC00FB303AA57198A0B01500EEB0E
Instruction Fuzzy Hash: ad4a051fb67a15694052d05548e5e2a92b9daedfa5d673be67c756d1cf269a99

APIs

Part of subcall function 00423A1C: EnterCriticalSection.KERNEL32(?,00423A59), ref: 00423A20

CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,00424930,?,00000000,00424958), ref: 0042486B
CreateFontIndirectA.GDI32(?), ref: 0042490D

Part of subcall function 0042B438: GetDC.USER32(00000000), ref: 0042B441
Part of subcall function 0042B438: SelectObject.GDI32(00000000,018A002E), ref: 0042B453
Part of subcall function 0042B438: GetTextMetricsA.GDI32(00000000), ref: 0042B45E
Part of subcall function 0042B438: ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Part of subcall function 00423A28: LeaveCriticalSection.KERNEL32(-00000008,00423B07,00423B0F), ref: 00423A2C

Strings

Default, xrefs: 00424832, 00424840, 00424841

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E3F0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103 Total matches: 30

Similarity

Total matches: 30
API ID: SHGetPathFromIDListSHGetSpecialFolderLocation
String ID: .LNK
API String ID: 739551631-2547878182
Opcode ID: 6b91e9416f314731ca35917c4d41f2341f1eaddd7b94683245f35c4551080332
Instruction ID: e6ae6f63a256f5e8788dfe1c4fce17057cd352befa637d7beb5ae1c0f18a968e
Opcode Fuzzy Hash: 9701B543079EC2A3D9232E512D43BA60129AF11E22F4C77F35A3C3A7D11E500105FA4A
Instruction Fuzzy Hash: e6ae6f63a256f5e8788dfe1c4fce17057cd352befa637d7beb5ae1c0f18a968e

APIs

SHGetSpecialFolderLocation.SHELL32(00000000,00000010,?), ref: 0046E44B
SHGetPathFromIDListA.SHELL32(?,?,00000000,00000010,?,00000000,0046E55E), ref: 0046E463

Part of subcall function 0042BE44: CoCreateInstance.OLE32(?,00000000,00000005,0042BF34,00000000), ref: 0042BE8B

Strings

.LNK, xrefs: 0046E4DE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00472C70, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 98 Total matches: 26

Similarity

Total matches: 26
API ID: SetFileAttributes
String ID: I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!$drivers\etc\hosts
API String ID: 3201317690-57959411
Opcode ID: de1fcf5289fd0d37c0d7642ff538b0d3acf26fbf7f5b53187118226b7e9f9585
Instruction ID: 1f69c6cfd5524e6f1e55c33e322de11738733e7ba85079705839c212502733fc
Opcode Fuzzy Hash: C4012B430F74D723D5173D857800B8922764B4A179D4A77F34B3B796E14E45101BF26D
Instruction Fuzzy Hash: 1f69c6cfd5524e6f1e55c33e322de11738733e7ba85079705839c212502733fc

APIs

Part of subcall function 004719C8: GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 004719DF

SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00472DAB,?,00000000,00472DE7), ref: 00472D16

Strings

drivers\etc\hosts, xrefs: 00472CD3, 00472D00
I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!, xrefs: 00472D8D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040C028, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79 Total matches: 3032thread

Similarity

Total matches: 3032
API ID: GetDateFormatGetThreadLocale
String ID: yyyy
API String ID: 358233383-3145165042
Opcode ID: a9ef5bbd8ef47e5bcae7fadb254d6b5dc10943448e4061dc92b10bb97dc7929c
Instruction ID: 3d7ab4add3e8180159f8482215856afc9a1a963464e366b4ca05c92ac214afea
Opcode Fuzzy Hash: 09F09E4A0397D3D76802C969D023BC10194EB5A8B2C88B3B1DBB43D7F74C10C40AAF21
Instruction Fuzzy Hash: 3d7ab4add3e8180159f8482215856afc9a1a963464e366b4ca05c92ac214afea

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,0040C116), ref: 0040C0AE
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100), ref: 0040C0B4

Strings

yyyy, xrefs: 0040C089

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E408, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44 Total matches: 2190

Similarity

Total matches: 2190
API ID: GetSystemMetrics
String ID: MonitorFromPoint
API String ID: 96882338-1072306578
Opcode ID: 666203dad349f535e62b1e5569e849ebaf95d902ba2aa8f549115cec9aadc9dc
Instruction ID: 9e90a3aeaa9df0e76633c437836624889fea8714b6c2508f44f8acb6986c90e8
Opcode Fuzzy Hash: 72D09540005C404E9427F505302314050862CD7C1444C0A96073728A4B4BC07837E70C
Instruction Fuzzy Hash: 9e90a3aeaa9df0e76633c437836624889fea8714b6c2508f44f8acb6986c90e8

APIs

GetSystemMetrics.USER32(00000000), ref: 0042E456
GetSystemMetrics.USER32(00000001), ref: 0042E468

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

MonitorFromPoint, xrefs: 0042E41A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E258, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39 Total matches: 3131

Similarity

Total matches: 3131
API ID: GetSystemMetrics
String ID: GetSystemMetrics
API String ID: 96882338-96882338
Opcode ID: bbc54e4b5041dfa08de2230ef90e8f32e1264c6e24ec09b97715d86cc98d23e9
Instruction ID: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c
Opcode Fuzzy Hash: B4D0A941986AA908E0AF511971A336358D163D2EA0C8C8362308B329EB5741B520AB01
Instruction Fuzzy Hash: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c

APIs

GetSystemMetrics.USER32(?), ref: 0042E2BA

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

GetSystemMetrics.USER32(?), ref: 0042E280

Strings

GetSystemMetrics, xrefs: 0042E268

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Process Name: 1transfer slip.exe Analysis ID: 42767

General

Root Process Name:	regdrv.exe
Process MD5:	E919BD0AECE34CD73FBF198F87531C53
Total matches:	112
Initial Analysis Report:	Open
Initial sample Analysis ID:	42767
Initial sample SHA 256:	9AD3883F2E411530BEE629DA1585A2E15854F0C777F610563A29F25C7EC029EE
Initial sample name:	1transfer slip.exe

Similar Executed Functions

Function 0048AEA8, Relevance: 9.1, APIs: 6, Instructions: 108 Total matches: 122

Similarity

Total matches: 122
API ID: AdjustTokenPrivilegesCloseHandleGetCurrentProcessGetLastErrorLookupPrivilegeValueOpenProcessToken
String ID:
API String ID: 1655903152-0
Opcode ID: c92d68a2c1c5faafb4a28c396f292a277a37f0b40326d7f586547878ef495775
Instruction ID: 5a044237aac15a3989e4021d08b96f5326c338692d3d0e66e444868dbe789150
Opcode Fuzzy Hash: 2CF0468513CAB2E7F879B18C3042FE73458B323244C8437219A903A18E0E59A12CEB13
Instruction Fuzzy Hash: 5a044237aac15a3989e4021d08b96f5326c338692d3d0e66e444868dbe789150

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AEFF
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF05
LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000), ref: 0048AF77
CloseHandle.KERNEL32(?), ref: 0048AF8D
GetLastError.KERNEL32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF9A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DDE0, Relevance: 7.6, APIs: 5, Instructions: 54 Total matches: 153

Similarity

Total matches: 153
API ID: FindResourceFreeResourceLoadResourceLockResourceSizeofResource
String ID:
API String ID: 3885362348-0
Opcode ID: ef8b8e58cde3d28224df1e0c57da641ab2d3d01fa82feb3a30011b4f31433ee9
Instruction ID: 9990bafbf40e834a260b48e1f62370990a3e04654371271e90c167a58edff6a8
Opcode Fuzzy Hash: 08D02B420B5FA197F51656482C813D722876B43386EC42BF2D31A3B2E39F058039F60B
Instruction Fuzzy Hash: 9990bafbf40e834a260b48e1f62370990a3e04654371271e90c167a58edff6a8

APIs

FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 0048DE1A
LoadResource.KERNEL32(00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE24
SizeofResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE2E
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE36
FreeResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048B908, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 138 Total matches: 28

Similarity

Total matches: 28
API ID: GetTokenInformation$CloseHandleGetCurrentProcessOpenProcessToken
String ID: Default$Full$Limited$unknow
API String ID: 3519712506-3005279702
Opcode ID: c9e83fe5ef618880897256b557ce500f1bf5ac68e7136ff2dc4328b35d11ffd0
Instruction ID: 0b4c06dab34d27ad9d68d80be0f4d698db9405c4a95def130c1ac261927f5781
Opcode Fuzzy Hash: 94012245479DA6FB6826709C78036E90090EEA3505DC827320F1A3EA430F49906DFE03
Instruction Fuzzy Hash: 0b4c06dab34d27ad9d68d80be0f4d698db9405c4a95def130c1ac261927f5781

APIs

GetCurrentProcess.KERNEL32(00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B93E
OpenProcessToken.ADVAPI32(00000000,00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B944
GetTokenInformation.ADVAPI32(?,00000012(TokenIntegrityLevel),?,00000004,?,00000000,0048BA30,?,00000000,00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B96F
GetTokenInformation.ADVAPI32(?,00000014(TokenIntegrityLevel),?,00000004,?,?,TokenIntegrityLevel,?,00000004,?,00000000,0048BA30,?,00000000,00000008,?), ref: 0048B9DF
CloseHandle.KERNEL32(?), ref: 0048BA2A

Strings

unknow, xrefs: 0048B9B6
Limited, xrefs: 0048B9A7
Default, xrefs: 0048B989
Full, xrefs: 0048B998

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004035C4, Relevance: 15.1, APIs: 10, Instructions: 129 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: d538ecb20819965be69077a828496b76d5af3486dd71f6717b9dc933de35fdbc
Instruction ID: c976212507a0127e09b4f1878ff8970bdbefa7b4a5e526d5fabf74a192684bc9
Opcode Fuzzy Hash: DD012BC0B7E89268E42FAB84AA00FD25444979FFC9E70C74433C9615EE6742616CBE09
Instruction Fuzzy Hash: c976212507a0127e09b4f1878ff8970bdbefa7b4a5e526d5fabf74a192684bc9

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040364C
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00403670
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040368C
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 004036AD
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 004036D6
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 004036E4
GetStdHandle.KERNEL32(000000F5), ref: 0040371F
GetFileType.KERNEL32 ref: 00403735
CloseHandle.KERNEL32 ref: 00403750
GetLastError.KERNEL32(000000F5), ref: 00403768

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040EBCC, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201 Total matches: 3634thread

Similarity

Total matches: 3634
API ID: GetThreadLocale
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 1366207816-2493093252
Opcode ID: 01a36ac411dc2f0c4b9eddfafa1dc6121dabec367388c2cb1b6e664117e908cf
Instruction ID: d03f869ccb848d3c28b0e9f5c57a02ed4726818649ba9b5e70cc30c7e7abe10a
Opcode Fuzzy Hash: 7E216E09A7888936D262494C3885B9414F75F1A161EC4CBF18BB2757ED6EC60422FBFB
Instruction Fuzzy Hash: d03f869ccb848d3c28b0e9f5c57a02ed4726818649ba9b5e70cc30c7e7abe10a

APIs

Part of subcall function 0040EB08: GetThreadLocale.KERNEL32 ref: 0040EB2A
Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000004A), ref: 0040EB7D
Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000002A), ref: 0040EB8C

Part of subcall function 0040D3E8: GetThreadLocale.KERNEL32(00000000,0040D4FB,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040D404

GetThreadLocale.KERNEL32(00000000,0040EE97,?,?,00000000,00000000), ref: 0040EC02

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Part of subcall function 0040D380: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040EC7E,00000000,0040EE97,?,?,00000000,00000000), ref: 0040D393

Part of subcall function 0040D670: GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(?,00000000,0040D657,?,?,00000000), ref: 0040D5D8
Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040D657,?,?,00000000), ref: 0040D608
Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D50C,00000000,00000000,00000004), ref: 0040D613
Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040D657,?,?,00000000), ref: 0040D631
Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D548,00000000,00000000,00000003), ref: 0040D63C

Strings

AMPM , xrefs: 0040EE25
mmmm d, yyyy, xrefs: 0040ECFE
m/d/yy, xrefs: 0040ECD1
:mm, xrefs: 0040EE35
:mm:ss, xrefs: 0040EE52
AMPM, xrefs: 0040EE16

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045F5F8, Relevance: 10.6, APIs: 7, Instructions: 117 Total matches: 462file

Similarity

Total matches: 462
API ID: CloseHandle$CreateFileCreateFileMappingGetFileSizeMapViewOfFileUnmapViewOfFile
String ID:
API String ID: 4232242029-0
Opcode ID: 30b260463d44c6b5450ee73c488d4c98762007a87f67d167b52aaf6bd441c3bf
Instruction ID: 5c790fdba87d6d3a28b45298bdc34f72c373fcd78425af207109af52e92f4d8f
Opcode Fuzzy Hash: 68F028440BCCF3A7F4B5B64820427A1004AAB46B58D54BFA25495374CB89C9B04DFB53
Instruction Fuzzy Hash: 5c790fdba87d6d3a28b45298bdc34f72c373fcd78425af207109af52e92f4d8f

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateFileA.KERNEL32(00000000,80000000,00000003,00000000,00000003,08000080,00000000), ref: 0045F637
CreateFileMappingA.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0045F665
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718,?,?,?,?), ref: 0045F691
GetFileSize.KERNEL32(000000FF,00000000,00000000,0045F6DC,?,00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718), ref: 0045F6B3
UnmapViewOfFile.KERNEL32(00000000,0045F6E3,0045F6DC,?,00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718), ref: 0045F6D6
CloseHandle.KERNEL32(00000000), ref: 0045F6F4
CloseHandle.KERNEL32(000000FF), ref: 0045F712

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AFE8, Relevance: 10.6, APIs: 7, Instructions: 94 Total matches: 34sleep

Similarity

Total matches: 34
API ID: Sleep$GetCurrentProcessGetTokenInformationLookupPrivilegeDisplayNameLookupPrivilegeNameOpenProcessToken
String ID:
API String ID: 2949210484-0
Opcode ID: 1294ace95088db967643d611283e857756515b83d680ef470e886f47612abab4
Instruction ID: 080af5cb768fd98714a9d060fcd45c73de1816ca9ba7ffb4874f351f539571ee
Opcode Fuzzy Hash: F9F0F6524B5DE753F65D2A4C9893BE90250DB03424E806B22857877A8A5E195039FA2A
Instruction Fuzzy Hash: 080af5cb768fd98714a9d060fcd45c73de1816ca9ba7ffb4874f351f539571ee

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048B0F3), ref: 0048B016
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048B0F3), ref: 0048B01C
Sleep.KERNEL32(00000001,00000000,00000028,?,00000000,0048B0F3), ref: 0048B027
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B03C
Sleep.KERNEL32(00000001,?,TokenIntegrityLevel,00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B047
LookupPrivilegeNameA.ADVAPI32(00000000,00000004,00000000,000000FF), ref: 0048B094
LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,?,000000FF,?), ref: 0048B0A8

Part of subcall function 0048AEA8: GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AEFF
Part of subcall function 0048AEA8: OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF05
Part of subcall function 0048AEA8: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
Part of subcall function 0048AEA8: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000), ref: 0048AF77
Part of subcall function 0048AEA8: CloseHandle.KERNEL32(?), ref: 0048AF8D
Part of subcall function 0048AEA8: GetLastError.KERNEL32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF9A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B47C, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58 Total matches: 283

Similarity

Total matches: 283
API ID: MulDiv
String ID: MS Shell Dlg 2$SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes$Tahoma
API String ID: 940359406-1011973972
Opcode ID: 9f338f1e3de2c8e95426f3758bdd42744a67dcd51be80453ed6f2017c850a3af
Instruction ID: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a
Opcode Fuzzy Hash: EDE0680017C8F0ABFC32BC8A30A17CD20C9F341270C0063B1065D3D8CAAB4AC018E907
Instruction Fuzzy Hash: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a

APIs

MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0042B4A2

Part of subcall function 004217A0: RegCloseKey.ADVAPI32(10940000,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5,?,00000000,0048B2DD), ref: 004217B4

Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421A81
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421AF1
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?), ref: 00421B5C

Part of subcall function 00421770: RegFlushKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 00421781
Part of subcall function 00421770: RegCloseKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 0042178A

Part of subcall function 0042B438: GetDC.USER32(00000000), ref: 0042B441
Part of subcall function 0042B438: SelectObject.GDI32(00000000,018A002E), ref: 0042B453
Part of subcall function 0042B438: GetTextMetricsA.GDI32(00000000), ref: 0042B45E
Part of subcall function 0042B438: ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes, xrefs: 0042B4F8
MS Shell Dlg 2, xrefs: 0042B50C
Tahoma, xrefs: 0042B4C4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048CF38, Relevance: 4.5, APIs: 3, Instructions: 43 Total matches: 31

Similarity

Total matches: 31
API ID: GetForegroundWindowGetWindowTextGetWindowTextLength
String ID:
API String ID: 3098183346-0
Opcode ID: 209e0569b9b6198440fd91fa0607dca7769e34364d6ddda49eba559da13bc80b
Instruction ID: 91d0bfb2ef12b00d399625e8c88d0df52cd9c99a94677dcfff05ce23f9c63a23
Opcode Fuzzy Hash: 06D0A785074B861BA40A96CC64011E692906161142D8077318725BA5C9AD06001FA85B
Instruction Fuzzy Hash: 91d0bfb2ef12b00d399625e8c88d0df52cd9c99a94677dcfff05ce23f9c63a23

APIs

GetForegroundWindow.USER32 ref: 0048CF57
GetWindowTextLengthA.USER32(00000000), ref: 0048CF63
GetWindowTextA.USER32(00000000,00000000,00000001), ref: 0048CF80

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482028, Relevance: 4.5, APIs: 3, Instructions: 19 Total matches: 124window

Similarity

Total matches: 124
API ID: DispatchMessageGetMessageTranslateMessage
String ID:
API String ID: 238847732-0
Opcode ID: 2bc29e822e5a19ca43f9056ef731e5d255ca23f22894fa6ffe39914f176e67d0
Instruction ID: 3635f244085e73605198e4edd337f824154064b4cabe78c039b45d2f1f3269be
Opcode Fuzzy Hash: A9B0120F8141E01F254D19651413380B5D379C3120E515B604E2340284D19031C97C49
Instruction Fuzzy Hash: 3635f244085e73605198e4edd337f824154064b4cabe78c039b45d2f1f3269be

APIs

Part of subcall function 00481ED8: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00482007,?,?,00000003,00000000,00000000,?,00482033), ref: 00481EFB
Part of subcall function 00481ED8: SetWindowsHookExA.USER32(0000000D,004818F8,00000000,00000000), ref: 00481F09

TranslateMessage.USER32 ref: 00482036
DispatchMessageA.USER32 ref: 0048203C
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00482048

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Similar Non-Executed Functions

Function 0048B42C, Relevance: 70.2, APIs: 32, Strings: 8, Instructions: 219 Total matches: 29keyboard

Similarity

Total matches: 29
API ID: keybd_event
String ID: CTRLA$CTRLC$CTRLF$CTRLP$CTRLV$CTRLX$CTRLY$CTRLZ
API String ID: 2665452162-853614746
Opcode ID: 4def22f753c7f563c1d721fcc218f3f6eb664e5370ee48361dbc989d32d74133
Instruction ID: 963b610819eac8b52ef880b5a8b69d76f76adbdeafee6c47af906d1515d6b099
Opcode Fuzzy Hash: 532196951B0CA2B978DA64817C0E195F00B969B34DEDC13128990DAF788EF08DE03F35
Instruction Fuzzy Hash: 963b610819eac8b52ef880b5a8b69d76f76adbdeafee6c47af906d1515d6b099

APIs

keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B460
keybd_event.USER32(00000041,00000045,00000001,00000000), ref: 0048B46D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B47A
keybd_event.USER32(00000041,00000045,00000003,00000000), ref: 0048B487
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B4A8
keybd_event.USER32(00000056,00000045,00000001,00000000), ref: 0048B4B5
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B4C2
keybd_event.USER32(00000056,00000045,00000003,00000000), ref: 0048B4CF
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B4F0
keybd_event.USER32(00000043,00000045,00000001,00000000), ref: 0048B4FD
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B50A
keybd_event.USER32(00000043,00000045,00000003,00000000), ref: 0048B517
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B538
keybd_event.USER32(00000058,00000045,00000001,00000000), ref: 0048B545
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B552
keybd_event.USER32(00000058,00000045,00000003,00000000), ref: 0048B55F
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B580
keybd_event.USER32(00000050,00000045,00000001,00000000), ref: 0048B58D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B59A
keybd_event.USER32(00000050,00000045,00000003,00000000), ref: 0048B5A7
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B5C8
keybd_event.USER32(0000005A,00000045,00000001,00000000), ref: 0048B5D5
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B5E2
keybd_event.USER32(0000005A,00000045,00000003,00000000), ref: 0048B5EF
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B610
keybd_event.USER32(00000059,00000045,00000001,00000000), ref: 0048B61D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B62A
keybd_event.USER32(00000059,00000045,00000003,00000000), ref: 0048B637
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B655
keybd_event.USER32(00000046,00000045,00000001,00000000), ref: 0048B662
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B66F
keybd_event.USER32(00000046,00000045,00000003,00000000), ref: 0048B67C

Strings

CTRLP, xrefs: 0048B56C
CTRLC, xrefs: 0048B4DC
CTRLV, xrefs: 0048B494
CTRLY, xrefs: 0048B5FC
CTRLF, xrefs: 0048B641
CTRLZ, xrefs: 0048B5B4
CTRLX, xrefs: 0048B524
CTRLA, xrefs: 0048B44C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00460AC0, Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99 Total matches: 300libraryloader

Similarity

Total matches: 300
API ID: GetProcAddress$GetModuleHandle
String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$[FILE]
API String ID: 1039376941-2682310058
Opcode ID: f09c306a48b0de2dd47c8210d3bd2ba449cfa3644c05cf78ba5a2ace6c780295
Instruction ID: bcfc9cd07546656776842482fc67dab96c7523a4dc8624f3bf5282ed84c56a54
Opcode Fuzzy Hash: 950151BF00AC158CCBB0CE8834EFB5324AB398984C4225F4495C6312393D9FF50A1AAA
Instruction Fuzzy Hash: bcfc9cd07546656776842482fc67dab96c7523a4dc8624f3bf5282ed84c56a54

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?,?,?), ref: 00460AD4
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?,?,?), ref: 00460AEC
GetProcAddress.KERNEL32(00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?), ref: 00460AFE
GetProcAddress.KERNEL32(00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E), ref: 00460B10
GetProcAddress.KERNEL32(00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5), ref: 00460B22
GetProcAddress.KERNEL32(00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5), ref: 00460B34
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000), ref: 00460B46
GetProcAddress.KERNEL32(00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002), ref: 00460B58
GetProcAddress.KERNEL32(00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot), ref: 00460B6A
GetProcAddress.KERNEL32(00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst), ref: 00460B7C
GetProcAddress.KERNEL32(00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext), ref: 00460B8E
GetProcAddress.KERNEL32(00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First), ref: 00460BA0
GetProcAddress.KERNEL32(00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next), ref: 00460BB2
GetProcAddress.KERNEL32(00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory), ref: 00460BC4
GetProcAddress.KERNEL32(00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First), ref: 00460BD6
GetProcAddress.KERNEL32(00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next), ref: 00460BE8
GetProcAddress.KERNEL32(00000000,Module32NextW,00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW), ref: 00460BFA

Strings

Toolhelp32ReadProcessMemory, xrefs: 00460B3E
CreateToolhelp32Snapshot, xrefs: 00460AE4
Heap32First, xrefs: 00460B1A
Thread32First, xrefs: 00460B98
Module32First, xrefs: 00460BBC
Process32FirstW, xrefs: 00460B74
Heap32Next, xrefs: 00460B2C
Process32First, xrefs: 00460B50
Module32Next, xrefs: 00460BCE
Module32NextW, xrefs: 00460BF2
Heap32ListFirst, xrefs: 00460AF6
Thread32Next, xrefs: 00460BAA
Module32FirstW, xrefs: 00460BE0
Heap32ListNext, xrefs: 00460B08
Process32NextW, xrefs: 00460B86
kernel32.dll, xrefs: 00460ACF
Process32Next, xrefs: 00460B62

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428B08, Relevance: 48.5, APIs: 32, Instructions: 500 Total matches: 1987window

Similarity

Total matches: 1987
API ID: SelectObject$SelectPalette$CreateCompatibleDCGetDIBitsGetDeviceCapsRealizePaletteSetBkColorSetTextColor$BitBltCreateBitmapCreateCompatibleBitmapCreateDIBSectionDeleteDCFillRectGetDCGetDIBColorTableGetObjectPatBltSetDIBColorTable
String ID:
API String ID: 3042800676-0
Opcode ID: b8b687cee1c9a2d9d2f26bc490dbdcc6ec68fc2f2ec1aa58312beb2e349b1411
Instruction ID: ff68489d249ea03a763d48795c58495ac11dd1cccf96ec934182865f2a9e2114
Opcode Fuzzy Hash: E051494D0D8CF5C7B4BF29880993F5211816F83A27D2AB7130975677FB8A05A05BF21D
Instruction Fuzzy Hash: ff68489d249ea03a763d48795c58495ac11dd1cccf96ec934182865f2a9e2114

APIs

GetObjectA.GDI32(00000000,00000054,?), ref: 00428B88
GetDC.USER32(00000000), ref: 00428B99
CreateCompatibleDC.GDI32(00000000), ref: 00428BAA
CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 00428BF6
CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 00428C1A
GetDeviceCaps.GDI32(00000028,0000000C), ref: 00428C6A
GetDeviceCaps.GDI32(00000028,0000000E), ref: 00428C77
SelectObject.GDI32(?,?), ref: 00428D7F

Part of subcall function 004262B4: GetObjectA.GDI32(?,00000004), ref: 004262CB
Part of subcall function 004262B4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 004262EE

SelectObject.GDI32(?,00000000), ref: 00428D21
GetDIBColorTable.GDI32(?,00000000,00000100,-00000027), ref: 00428D47
GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428D72
CreateDIBSection.GDI32(00000028,00000001,00000000,00000003,00000000,00000000), ref: 00428DD5
GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428E36

Part of subcall function 00425A70: GetLastError.KERNEL32(00000000,00425B0C), ref: 00425A90
Part of subcall function 00425A70: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00425B0C), ref: 00425AB6

SelectObject.GDI32(?,?), ref: 00428E77
SelectPalette.GDI32(?,00000000,00000000), ref: 00428EB7
RealizePalette.GDI32(?), ref: 00428EC3
SelectPalette.GDI32(?,?,000000FF), ref: 004290CE

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?,00000000), ref: 00428F14
SetTextColor.GDI32(?,00000000), ref: 00428F2C
SetBkColor.GDI32(?,00000000), ref: 00428F46
SetDIBColorTable.GDI32(?,00000000,00000002,?), ref: 00428F8E
PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 00428FB0
CreateCompatibleDC.GDI32(00000028), ref: 00428FC3
SelectObject.GDI32(?,00000000), ref: 00428FE6
SelectPalette.GDI32(?,00000000,00000000), ref: 00429002
RealizePalette.GDI32(?), ref: 0042900D
DeleteDC.GDI32(?), ref: 004290A4

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetTextColor.GDI32(?,00000000), ref: 0042902B
SetBkColor.GDI32(?,00000000), ref: 00429045
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042906D
SelectPalette.GDI32(?,00000000,000000FF), ref: 0042907F
SelectObject.GDI32(?,00000000), ref: 00429089

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00458910, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64 Total matches: 3020window

Similarity

Total matches: 3020
API ID: GetWindowLongScreenToClient$GetWindowPlacementGetWindowRectIsIconic
String ID: ,
API String ID: 816554555-3772416878
Opcode ID: 33713ad712eb987f005f3c933c072ce84ce87073303cb20338137d5b66c4d54f
Instruction ID: 99fb2dd3f2d8984d329dcc6a20dc6bc7800d43894b91fc45d581d88d3a180e50
Opcode Fuzzy Hash: 34E0929A777C2018C58145A80943F5DB3519B5B7FAC55DF8036902895B110018B1B86D
Instruction Fuzzy Hash: 99fb2dd3f2d8984d329dcc6a20dc6bc7800d43894b91fc45d581d88d3a180e50

APIs

IsIconic.USER32(?), ref: 0045891F
GetWindowPlacement.USER32(?,0000002C), ref: 0045893C
GetWindowRect.USER32(?), ref: 00458955
GetWindowLongA.USER32(?,000000F0), ref: 00458963
GetWindowLongA.USER32(?,000000F8), ref: 00458978
ScreenToClient.USER32(00000000), ref: 00458985
ScreenToClient.USER32(00000000,?), ref: 00458990

Strings

,, xrefs: 00458928

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043B7D8, Relevance: 12.1, APIs: 8, Instructions: 72 Total matches: 256window

Similarity

Total matches: 256
API ID: ShowWindow$SetWindowLong$GetWindowLongIsIconicIsWindowVisible
String ID:
API String ID: 1329766111-0
Opcode ID: 851ee31c2da1c7e890e66181f8fd9237c67ccb8fd941b2d55d1428457ca3ad95
Instruction ID: 2d601e2c9dde570a1438639cb57e59d23a7ac9434ebe8ec1c9926e4533b8e8e7
Opcode Fuzzy Hash: FEE0684A6E7C6CE4E26AE7048881B00514BE307A17DC00B00C722165A69E8830E4AC8E
Instruction Fuzzy Hash: 2d601e2c9dde570a1438639cb57e59d23a7ac9434ebe8ec1c9926e4533b8e8e7

APIs

GetWindowLongA.USER32(?,000000EC), ref: 0043B7E8
IsIconic.USER32(?), ref: 0043B800
IsWindowVisible.USER32(?), ref: 0043B80C
ShowWindow.USER32(?,00000000), ref: 0043B840
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B855
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B866
ShowWindow.USER32(?,00000006), ref: 0043B881
ShowWindow.USER32(?,00000005), ref: 0043B88B

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004389B4, Relevance: 10.9, APIs: 7, Instructions: 405 Total matches: 2150windowCrypto

Similarity

Total matches: 2150
API ID: RestoreDCSaveDC$DefWindowProcGetSubMenuGetWindowDC
String ID:
API String ID: 4165311318-0
Opcode ID: e3974ea3235f2bde98e421c273a503296059dbd60f3116d5136c6e7e7c4a4110
Instruction ID: 37498faecac08611daeb58a409bdd2e28f3aff22c71556953c3d6c7203dc42a1
Opcode Fuzzy Hash: E351598106AE105BFCB3A49435C3FA31002E75259BCC9F7725F65B69F70A426107FA0E
Instruction Fuzzy Hash: 37498faecac08611daeb58a409bdd2e28f3aff22c71556953c3d6c7203dc42a1

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 00438ECA

Part of subcall function 00437AE0: SendMessageA.USER32(?,00000234,00000000,00000000), ref: 00437B66
Part of subcall function 00437AE0: DrawMenuBar.USER32(00000000), ref: 00437B77

GetSubMenu.USER32(?,?), ref: 00438AB0

Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128

SaveDC.GDI32(?), ref: 00438C84
RestoreDC.GDI32(?,?), ref: 00438CF8
GetWindowDC.USER32(?), ref: 00438D72
SaveDC.GDI32(?), ref: 00438DA9
RestoreDC.GDI32(?,?), ref: 00438E16

Part of subcall function 00438594: GetMenuItemCount.USER32(?), ref: 004385C0
Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 004385E0
Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 00438678

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043E644, Relevance: 10.9, APIs: 7, Instructions: 356 Total matches: 105windowCrypto

Similarity

Total matches: 105
API ID: RestoreDCSaveDC$GetParentGetWindowDCSetFocus
String ID:
API String ID: 1433148327-0
Opcode ID: c7c51054c34f8cc51c1d37cc0cdfc3fb3cac56433bd5d750a0ee7df42f9800ec
Instruction ID: 9e67841575b56d9a11e2d3f15b67e7abce699d8469a9871b1b2609441fc85f19
Opcode Fuzzy Hash: 60514740199E7193F47720842BC3BEAB09AF79671DC40F3616BC6318877F15A21AB70B
Instruction Fuzzy Hash: 9e67841575b56d9a11e2d3f15b67e7abce699d8469a9871b1b2609441fc85f19

APIs

Part of subcall function 00448224: SetActiveWindow.USER32(?), ref: 0044823F
Part of subcall function 00448224: SetFocus.USER32(00000000), ref: 00448289

SetFocus.USER32(00000000), ref: 0043E76F

Part of subcall function 0043F4F4: SendMessageA.USER32(00000000,00000229,00000000,00000000), ref: 0043F51B

Part of subcall function 0044D2F4: GetWindowThreadProcessId.USER32(?), ref: 0044D301
Part of subcall function 0044D2F4: GetCurrentProcessId.KERNEL32(?,00000000,?,004387ED,?,004378A9), ref: 0044D30A
Part of subcall function 0044D2F4: GlobalFindAtomA.KERNEL32(00000000), ref: 0044D31F
Part of subcall function 0044D2F4: GetPropA.USER32(?,00000000), ref: 0044D336

GetParent.USER32(?), ref: 0043E78A

Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128

SaveDC.GDI32(?), ref: 0043E92D
RestoreDC.GDI32(?,?), ref: 0043E99E
GetWindowDC.USER32(00000000), ref: 0043EA0A
SaveDC.GDI32(?), ref: 0043EA41
RestoreDC.GDI32(?,?), ref: 0043EAA5

Part of subcall function 00447EF0: InvalidateRect.USER32(00000000,00000000,000000FF), ref: 00447F83
Part of subcall function 00447EF0: InvalidateRect.USER32(00000000,00000000,000000FF), ref: 00447FB6

Part of subcall function 004556F4: SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000077), ref: 004557E5
Part of subcall function 004556F4: _TrackMouseEvent.COMCTL32(00000010), ref: 00455A9D
Part of subcall function 004556F4: DefWindowProcA.USER32(00000000,?,?,?), ref: 00455AEF
Part of subcall function 004556F4: GetCapture.USER32 ref: 00455B5A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00471850, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 97 Total matches: 34service

Similarity

Total matches: 34
API ID: CloseServiceHandle$CreateServiceOpenSCManager
String ID: Description$System\CurrentControlSet\Services\
API String ID: 2405299899-3489731058
Opcode ID: 96e252074fe1f6aca618bd4c8be8348df4b99afc93868a54bf7090803d280f0a
Instruction ID: 14b9cf690ce9596509c6229b802a5a61d158de39c8e329de654368bbb4824ff8
Opcode Fuzzy Hash: 7EF09E441FA6E84FA45EB84828533D651465713A78D4C77F19778379C34E84802EF662
Instruction Fuzzy Hash: 14b9cf690ce9596509c6229b802a5a61d158de39c8e329de654368bbb4824ff8

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,00471976,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00471890
CreateServiceA.ADVAPI32(00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,0047193B), ref: 004718D1

Part of subcall function 004711E8: RegCreateKeyA.ADVAPI32(?,00000000,?), ref: 0047122E
Part of subcall function 004711E8: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000002,00000000,?,00000000,00471291), ref: 0047125A
Part of subcall function 004711E8: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000002,00000000,?,00000000,00471291), ref: 00471269

CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00471926
CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0047192C

Strings

Description, xrefs: 00471916
System\CurrentControlSet\Services\, xrefs: 004718F7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004714B8, Relevance: 10.6, APIs: 7, Instructions: 89 Total matches: 71service

Similarity

Total matches: 71
API ID: CloseServiceHandle$ControlServiceOpenSCManagerOpenServiceQueryServiceStatusStartService
String ID:
API String ID: 3657116338-0
Opcode ID: 1e9d444eec48d0e419340f6fec950ff588b94c8e7592a950f99d2ba7664d31f8
Instruction ID: f731b938185626ba78ad74946a73eac4c40bc8709c87a2b6d5c22da45b1e1850
Opcode Fuzzy Hash: EDF0270D12C6E85FF119A88C1181B67D992DF56795E4A37E04715744CB1AE21008FA1E
Instruction Fuzzy Hash: f731b938185626ba78ad74946a73eac4c40bc8709c87a2b6d5c22da45b1e1850

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047159E), ref: 004714FD
OpenServiceA.ADVAPI32(00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047152D
StartServiceA.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471555
ControlService.ADVAPI32(00000000,00000001,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471563
QueryServiceStatus.ADVAPI32(00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047156D
CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471573
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471579

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A070, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51 Total matches: 81shutdown

Similarity

Total matches: 81
API ID: AdjustTokenPrivilegesExitWindowsExGetCurrentProcessLookupPrivilegeValueOpenProcessToken
String ID: SeShutdownPrivilege
API String ID: 907618230-3733053543
Opcode ID: 6325c351eeb4cc5a7ec0039467aea46e8b54e3429b17674810d590d1af91e24f
Instruction ID: 66577e1e564058a64f67eda116e8e082f314cb3670dbe1b8773e92ba7f33d392
Opcode Fuzzy Hash: 84D0124D3B7976B1F31D5D4001C47A6711FDBA322AD61670069507725A8DA091F4BE88
Instruction Fuzzy Hash: 66577e1e564058a64f67eda116e8e082f314cb3670dbe1b8773e92ba7f33d392

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 0048A083
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0048A089
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000000), ref: 0048A0A4
AdjustTokenPrivileges.ADVAPI32(00000002,00000000,00000002,00000010,?,?,00000000), ref: 0048A0E5
ExitWindowsEx.USER32(00000012,00000000), ref: 0048A0ED

Strings

SeShutdownPrivilege, xrefs: 0048A09D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004715B0, Relevance: 7.5, APIs: 5, Instructions: 49 Total matches: 102service

Similarity

Total matches: 102
API ID: CloseServiceHandle$DeleteServiceOpenSCManagerOpenService
String ID:
API String ID: 3460840894-0
Opcode ID: edfa3289dfdb26ec1f91a4a945de349b204e0a604ed3354c303b362bde8b8223
Instruction ID: 514bcffe4070602af344c66095507f6a8d55ec3e3e7bb18c804bf3b7deea95f5
Opcode Fuzzy Hash: 01D02E841BA8F82FD4879988111239360C1AA23A90D8A37F08E08361D3ABE4004CF86A
Instruction Fuzzy Hash: 514bcffe4070602af344c66095507f6a8d55ec3e3e7bb18c804bf3b7deea95f5

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047162F), ref: 004715DB
OpenServiceA.ADVAPI32(00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 004715F5
DeleteService.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471601
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 0047160E
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471614

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A218, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45 Total matches: 35

Similarity

Total matches: 35
API ID: ShellExecuteEx
String ID: <$runas
API String ID: 188261505-1187129395
Opcode ID: 78fd917f465efea932f782085a819b786d64ecbded851ad2becd4a9c2b295cba
Instruction ID: 699417cfffd9d2823bf050fc300394e0ca4864bf277244f982f3937778f2d3bc
Opcode Fuzzy Hash: 44D0C2651799A06BC4A3B2C03C41B2B25307B13B48C0EB722960034CD38F080009EF85
Instruction Fuzzy Hash: 699417cfffd9d2823bf050fc300394e0ca4864bf277244f982f3937778f2d3bc

APIs

ShellExecuteExA.SHELL32(0000003C,00000000,0048A2A4), ref: 0048A283

Strings

runas, xrefs: 0048A268
<, xrefs: 0048A24C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00471640, Relevance: 4.6, APIs: 3, Instructions: 140 Total matches: 47service

Similarity

Total matches: 47
API ID: CloseServiceHandleEnumServicesStatusOpenSCManager
String ID:
API String ID: 233299287-0
Opcode ID: 185c547a2e6a35dbb7ea54b3dd23c7efef250d35a63269c87f9c499be03b9b38
Instruction ID: 4325fe5331610a1e4ee3b19dd885bf5302e7ab4f054d8126da991c50fe425a8d
Opcode Fuzzy Hash: D3112647077BC223FB612D841803F8279D84B1AA24F8C4B458BB5BC6F61E490105F69D
Instruction Fuzzy Hash: 4325fe5331610a1e4ee3b19dd885bf5302e7ab4f054d8126da991c50fe425a8d

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000005,00000000,00471828), ref: 004716A2
EnumServicesStatusA.ADVAPI32(00000000,0000013F,00000003,?,00004800,?,?,?), ref: 004716DC

Part of subcall function 004714B8: OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047159E), ref: 004714FD
Part of subcall function 004714B8: OpenServiceA.ADVAPI32(00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047152D
Part of subcall function 004714B8: StartServiceA.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471555
Part of subcall function 004714B8: ControlService.ADVAPI32(00000000,00000001,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471563
Part of subcall function 004714B8: QueryServiceStatus.ADVAPI32(00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047156D
Part of subcall function 004714B8: CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471573
Part of subcall function 004714B8: CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471579

CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000005,00000000,00471828), ref: 00471805

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042F204, Relevance: 166.5, APIs: 48, Strings: 47, Instructions: 266 Total matches: 2590libraryloader

Similarity

Total matches: 2590
API ID: GetProcAddress$LoadLibrary
String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$[FILE]
API String ID: 2209490600-790253602
Opcode ID: d5b316937265a1d63c550ac9e6780b23ae603b9b00a4eb52bbd2495b45327185
Instruction ID: cdd6db89471e363eb0c024dafd59dce8bdfa3de864d9ed8bc405e7c292d3cab1
Opcode Fuzzy Hash: 3A41197F44EC1149F6A0DA0830FF64324E669EAF2C0325F101587303717ADBF52A6AB9
Instruction Fuzzy Hash: cdd6db89471e363eb0c024dafd59dce8bdfa3de864d9ed8bc405e7c292d3cab1

APIs

LoadLibraryA.KERNEL32(uxtheme.dll), ref: 0042F23A
GetProcAddress.KERNEL32(00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F252
GetProcAddress.KERNEL32(00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F264
GetProcAddress.KERNEL32(00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F276
GetProcAddress.KERNEL32(00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F288
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F29A
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F2AC
GetProcAddress.KERNEL32(00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000), ref: 0042F2BE
GetProcAddress.KERNEL32(00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData), ref: 0042F2D0
GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData), ref: 0042F2E2
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground), ref: 0042F2F4
GetProcAddress.KERNEL32(00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText), ref: 0042F306
GetProcAddress.KERNEL32(00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect), ref: 0042F318
GetProcAddress.KERNEL32(00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect), ref: 0042F32A
GetProcAddress.KERNEL32(00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize), ref: 0042F33C
GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent), ref: 0042F34E
GetProcAddress.KERNEL32(00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics), ref: 0042F360
GetProcAddress.KERNEL32(00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion), ref: 0042F372
GetProcAddress.KERNEL32(00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground), ref: 0042F384
GetProcAddress.KERNEL32(00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge), ref: 0042F396
GetProcAddress.KERNEL32(00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon), ref: 0042F3A8
GetProcAddress.KERNEL32(00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined), ref: 0042F3BA
GetProcAddress.KERNEL32(00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent), ref: 0042F3CC
GetProcAddress.KERNEL32(00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor), ref: 0042F3DE
GetProcAddress.KERNEL32(00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric), ref: 0042F3F0
GetProcAddress.KERNEL32(00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString), ref: 0042F402
GetProcAddress.KERNEL32(00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool), ref: 0042F414
GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt), ref: 0042F426
GetProcAddress.KERNEL32(00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue), ref: 0042F438
GetProcAddress.KERNEL32(00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition), ref: 0042F44A
GetProcAddress.KERNEL32(00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont), ref: 0042F45C
GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect), ref: 0042F46E
GetProcAddress.KERNEL32(00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins), ref: 0042F480
GetProcAddress.KERNEL32(00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList), ref: 0042F492
GetProcAddress.KERNEL32(00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin), ref: 0042F4A4
GetProcAddress.KERNEL32(00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme), ref: 0042F4B6
GetProcAddress.KERNEL32(00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename), ref: 0042F4C8
GetProcAddress.KERNEL32(00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor), ref: 0042F4DA
GetProcAddress.KERNEL32(00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush), ref: 0042F4EC
GetProcAddress.KERNEL32(00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool), ref: 0042F4FE
GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize), ref: 0042F510
GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont), ref: 0042F522
GetProcAddress.KERNEL32(00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString), ref: 0042F534
GetProcAddress.KERNEL32(00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt), ref: 0042F546
GetProcAddress.KERNEL32(00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive), ref: 0042F558
GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed), ref: 0042F56A
GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground,00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme), ref: 0042F57C
GetProcAddress.KERNEL32(00000000,EnableTheming,00000000,DrawThemeParentBackground,00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture), ref: 0042F58E

Strings

EnableTheming, xrefs: 0042F586
CloseThemeData, xrefs: 0042F25C
DrawThemeText, xrefs: 0042F280
GetThemePosition, xrefs: 0042F3C4
IsThemeBackgroundPartiallyTransparent, xrefs: 0042F346
GetThemeBool, xrefs: 0042F38E
GetThemeTextMetrics, xrefs: 0042F2DA
IsThemeDialogTextureEnabled, xrefs: 0042F51A
GetThemeMetric, xrefs: 0042F36A
GetThemeSysInt, xrefs: 0042F4C0
GetThemeInt, xrefs: 0042F3A0
SetThemeAppProperties, xrefs: 0042F53E
IsAppThemed, xrefs: 0042F4E4
EnableThemeDialogTexture, xrefs: 0042F508
GetThemeEnumValue, xrefs: 0042F3B2
GetThemeSysSize, xrefs: 0042F48A
GetThemeTextExtent, xrefs: 0042F2C8
DrawThemeBackground, xrefs: 0042F26E
GetThemeBackgroundRegion, xrefs: 0042F2EC
IsThemeActive, xrefs: 0042F4D2
GetThemeBackgroundContentRect, xrefs: 0042F292, 0042F2A4
uxtheme.dll, xrefs: 0042F235
GetThemeSysString, xrefs: 0042F4AE
DrawThemeEdge, xrefs: 0042F310
GetThemeFilename, xrefs: 0042F442
GetThemeIntList, xrefs: 0042F40C
GetThemeSysBool, xrefs: 0042F478
GetThemeSysColor, xrefs: 0042F454
GetThemeFont, xrefs: 0042F3D6
GetWindowTheme, xrefs: 0042F4F6
GetThemeMargins, xrefs: 0042F3FA
GetThemeSysColorBrush, xrefs: 0042F466
GetCurrentThemeName, xrefs: 0042F550
GetThemeAppProperties, xrefs: 0042F52C
GetThemePropertyOrigin, xrefs: 0042F41E
OpenThemeData, xrefs: 0042F24A
GetThemeSysFont, xrefs: 0042F49C
GetThemeRect, xrefs: 0042F3E8
GetThemeDocumentationProperty, xrefs: 0042F562
IsThemePartDefined, xrefs: 0042F334
SetWindowTheme, xrefs: 0042F430
GetThemePartSize, xrefs: 0042F2B6
GetThemeColor, xrefs: 0042F358
DrawThemeParentBackground, xrefs: 0042F574
DrawThemeIcon, xrefs: 0042F322
GetThemeString, xrefs: 0042F37C
HitTestThemeBackground, xrefs: 0042F2FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00460DDC, Relevance: 75.4, APIs: 24, Strings: 19, Instructions: 132 Total matches: 77libraryloader

Similarity

Total matches: 77
API ID: GetProcAddress$LoadLibrary
String ID: EmptyWorkingSet$EnumDeviceDrivers$EnumProcessModules$EnumProcesses$GetDeviceDriverBaseNameA$GetDeviceDriverBaseNameW$GetDeviceDriverFileNameA$GetDeviceDriverFileNameW$GetMappedFileNameA$GetMappedFileNameW$GetModuleBaseNameA$GetModuleBaseNameW$GetModuleFileNameExA$GetModuleFileNameExW$GetModuleInformation$GetProcessMemoryInfo$InitializeProcessForWsWatch$[FILE]$QueryWorkingSet
API String ID: 2209490600-4166134900
Opcode ID: aaefed414f62a40513f9ac2234ba9091026a29d00b8defe743cdf411cc1f958a
Instruction ID: 585c55804eb58d57426aaf25b5bf4c27b161b10454f9e43d23d5139f544de849
Opcode Fuzzy Hash: CC1125BF55AD1149CBA48A6C34EF70324D3399A90D4228F10A492317397DDFE49A1FB5
Instruction Fuzzy Hash: 585c55804eb58d57426aaf25b5bf4c27b161b10454f9e43d23d5139f544de849

APIs

LoadLibraryA.KERNEL32(PSAPI.dll), ref: 00460DF0
GetProcAddress.KERNEL32(00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E0C
GetProcAddress.KERNEL32(00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E1E
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E30
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E42
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E54
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E66
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll), ref: 00460E78
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses), ref: 00460E8A
GetProcAddress.KERNEL32(00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules), ref: 00460E9C
GetProcAddress.KERNEL32(00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA), ref: 00460EAE
GetProcAddress.KERNEL32(00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA), ref: 00460EC0
GetProcAddress.KERNEL32(00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA), ref: 00460ED2
GetProcAddress.KERNEL32(00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA), ref: 00460EE4
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW), ref: 00460EF6
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW), ref: 00460F08
GetProcAddress.KERNEL32(00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation), ref: 00460F1A
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet), ref: 00460F2C
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet), ref: 00460F3E
GetProcAddress.KERNEL32(00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch), ref: 00460F50
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA), ref: 00460F62
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA), ref: 00460F74
GetProcAddress.KERNEL32(00000000,EnumDeviceDrivers,00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA), ref: 00460F86
GetProcAddress.KERNEL32(00000000,GetProcessMemoryInfo,00000000,EnumDeviceDrivers,00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA), ref: 00460F98

Strings

GetDeviceDriverFileNameA, xrefs: 00460F00, 00460F36
GetModuleInformation, xrefs: 00460E94
QueryWorkingSet, xrefs: 00460EB8
EnumProcessModules, xrefs: 00460E16
InitializeProcessForWsWatch, xrefs: 00460ECA
GetMappedFileNameA, xrefs: 00460EDC, 00460F12
GetDeviceDriverFileNameW, xrefs: 00460F6C
GetDeviceDriverBaseNameA, xrefs: 00460EEE, 00460F24
PSAPI.dll, xrefs: 00460DEB
EnumProcesses, xrefs: 00460E04
EnumDeviceDrivers, xrefs: 00460F7E
GetModuleBaseNameA, xrefs: 00460E28, 00460E4C
GetModuleFileNameExA, xrefs: 00460E3A, 00460E5E
GetDeviceDriverBaseNameW, xrefs: 00460F5A
EmptyWorkingSet, xrefs: 00460EA6
GetModuleFileNameExW, xrefs: 00460E82
GetModuleBaseNameW, xrefs: 00460E70
GetMappedFileNameW, xrefs: 00460F48
GetProcessMemoryInfo, xrefs: 00460F90

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045D6E8, Relevance: 49.1, APIs: 15, Strings: 13, Instructions: 95 Total matches: 1532libraryloader

Similarity

Total matches: 1532
API ID: GetProcAddress$SetErrorMode$GetModuleHandleLoadLibrary
String ID: ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME$[FILE]
API String ID: 4285671783-683095915
Opcode ID: 6332f91712b4189a2fbf9eac54066364acf4b46419cf90587b9f7381acad85db
Instruction ID: 372e34bc737a7edc69a1909bd40661afaf820c1de602df88552da6e630419b72
Opcode Fuzzy Hash: 0A01257F24D863CBD2D0CE4934DB39D20B65787C0C8D6DF404605318697F9BF9295A68
Instruction Fuzzy Hash: 372e34bc737a7edc69a1909bd40661afaf820c1de602df88552da6e630419b72

APIs

SetErrorMode.KERNEL32(00008000), ref: 0045D701
GetModuleHandleA.KERNEL32(USER32,00000000,0045D84E,?,00008000), ref: 0045D725
GetProcAddress.KERNEL32(00000000,WINNLSEnableIME,USER32,00000000,0045D84E,?,00008000), ref: 0045D732
LoadLibraryA.KERNEL32(imm32.dll), ref: 0045D74E
GetProcAddress.KERNEL32(00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D770
GetProcAddress.KERNEL32(00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D785
GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D79A
GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7AF
GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7C4
GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E), ref: 0045D7D9
GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000), ref: 0045D7EE
GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext), ref: 0045D803
GetProcAddress.KERNEL32(00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext), ref: 0045D818
GetProcAddress.KERNEL32(00000000,ImmNotifyIME,00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus), ref: 0045D82D
SetErrorMode.KERNEL32(?,0045D855,00008000), ref: 0045D848

Strings

USER32, xrefs: 0045D720
ImmReleaseContext, xrefs: 0045D77A
ImmNotifyIME, xrefs: 0045D822
ImmIsIME, xrefs: 0045D80D
ImmGetConversionStatus, xrefs: 0045D78F
ImmSetCompositionFontA, xrefs: 0045D7E3
ImmGetCompositionStringA, xrefs: 0045D7F8
ImmSetCompositionWindow, xrefs: 0045D7CE
ImmGetContext, xrefs: 0045D765
imm32.dll, xrefs: 0045D749
ImmSetOpenStatus, xrefs: 0045D7B9
WINNLSEnableIME, xrefs: 0045D72C
ImmSetConversionStatus, xrefs: 0045D7A4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004104F0, Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141 Total matches: 3143

Similarity

Total matches: 3143
API ID: GetModuleHandle
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$[FILE]
API String ID: 2196120668-1102361026
Opcode ID: d04b3c176625d43589df9c4c1eaa1faa8af9b9c00307a8a09859a0e62e75f2dc
Instruction ID: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6
Opcode Fuzzy Hash: B8119E48E06A10BC356E3ED6B0292683F50A1A7CBF31D5388487AA46F067C083C0FF2D
Instruction Fuzzy Hash: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 004104F9

Part of subcall function 004104C4: GetProcAddress.KERNEL32(00000000), ref: 004104DD

Strings

VarMod, xrefs: 004105B7
VarBstrFromCy, xrefs: 004106A9
VarBstrFromBool, xrefs: 004106D5
VarAnd, xrefs: 004105CD
VarDateFromStr, xrefs: 00410667
oleaut32.dll, xrefs: 004104F4
VariantChangeTypeEx, xrefs: 00410507
VarCmp, xrefs: 0041060F
VarBstrFromDate, xrefs: 004106BF
VarBoolFromStr, xrefs: 00410693
VarR8FromStr, xrefs: 00410651
VarR4FromStr, xrefs: 0041063B
VarDiv, xrefs: 0041058B
VarSub, xrefs: 0041055F
VarNeg, xrefs: 0041051D
VarAdd, xrefs: 00410549
VarOr, xrefs: 004105E3
VarMul, xrefs: 00410575
VarI4FromStr, xrefs: 00410625
VarCyFromStr, xrefs: 0041067D
VarIdiv, xrefs: 004105A1
VarXor, xrefs: 004105F9
VarNot, xrefs: 00410533

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004291D0, Relevance: 31.7, APIs: 21, Instructions: 194 Total matches: 3060window

Similarity

Total matches: 3060
API ID: SelectObject$CreateCompatibleDCDeleteDCRealizePaletteSelectPaletteSetBkColor$BitBltCreateBitmapDeleteObjectGetDCGetObjectPatBltReleaseDC
String ID:
API String ID: 628774946-0
Opcode ID: fe3971f2977393a3c43567018b8bbe78de127415e632ac21538e816cc0dd5250
Instruction ID: 6115c1c3159ef7867d394253bd6a45f4e10092e6f2e7cc69ab30c5ac2c74a228
Opcode Fuzzy Hash: 2911294A05CCF32B64B579881983B261182FE43B52CABF7105979272CACF41740DE457
Instruction Fuzzy Hash: 6115c1c3159ef7867d394253bd6a45f4e10092e6f2e7cc69ab30c5ac2c74a228

APIs

GetObjectA.GDI32(?,00000054,?), ref: 004291F3
GetDC.USER32(00000000), ref: 00429221
CreateCompatibleDC.GDI32(?), ref: 00429232
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0042924D
SelectObject.GDI32(?,00000000), ref: 00429267
PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 00429289
CreateCompatibleDC.GDI32(?), ref: 00429297
DeleteDC.GDI32(?), ref: 0042937D

Part of subcall function 00428B08: GetObjectA.GDI32(00000000,00000054,?), ref: 00428B88
Part of subcall function 00428B08: GetDC.USER32(00000000), ref: 00428B99
Part of subcall function 00428B08: CreateCompatibleDC.GDI32(00000000), ref: 00428BAA
Part of subcall function 00428B08: CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 00428BF6
Part of subcall function 00428B08: CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 00428C1A
Part of subcall function 00428B08: GetDeviceCaps.GDI32(00000028,0000000C), ref: 00428C6A
Part of subcall function 00428B08: GetDeviceCaps.GDI32(00000028,0000000E), ref: 00428C77
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00428D21
Part of subcall function 00428B08: GetDIBColorTable.GDI32(?,00000000,00000100,-00000027), ref: 00428D47
Part of subcall function 00428B08: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428D72
Part of subcall function 00428B08: SelectObject.GDI32(?,?), ref: 00428D7F
Part of subcall function 00428B08: CreateDIBSection.GDI32(00000028,00000001,00000000,00000003,00000000,00000000), ref: 00428DD5
Part of subcall function 00428B08: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428E36
Part of subcall function 00428B08: SelectObject.GDI32(?,?), ref: 00428E77
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,00000000), ref: 00428EB7
Part of subcall function 00428B08: RealizePalette.GDI32(?), ref: 00428EC3
Part of subcall function 00428B08: FillRect.USER32(?,?,00000000), ref: 00428F14
Part of subcall function 00428B08: SetTextColor.GDI32(?,00000000), ref: 00428F2C
Part of subcall function 00428B08: SetBkColor.GDI32(?,00000000), ref: 00428F46
Part of subcall function 00428B08: SetDIBColorTable.GDI32(?,00000000,00000002,?), ref: 00428F8E
Part of subcall function 00428B08: PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 00428FB0
Part of subcall function 00428B08: CreateCompatibleDC.GDI32(00000028), ref: 00428FC3
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00428FE6
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,00000000), ref: 00429002
Part of subcall function 00428B08: RealizePalette.GDI32(?), ref: 0042900D
Part of subcall function 00428B08: SetTextColor.GDI32(?,00000000), ref: 0042902B
Part of subcall function 00428B08: SetBkColor.GDI32(?,00000000), ref: 00429045
Part of subcall function 00428B08: BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042906D
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,000000FF), ref: 0042907F
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00429089
Part of subcall function 00428B08: DeleteDC.GDI32(?), ref: 004290A4
Part of subcall function 00428B08: SelectPalette.GDI32(?,?,000000FF), ref: 004290CE

SelectObject.GDI32(?), ref: 004292DF
SelectPalette.GDI32(?,?,00000000), ref: 004292F2
RealizePalette.GDI32(?), ref: 004292FB
SelectPalette.GDI32(?,?,00000000), ref: 00429307
RealizePalette.GDI32(?), ref: 00429310
SetBkColor.GDI32(?), ref: 0042931A
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042933E
SetBkColor.GDI32(?,00000000), ref: 00429348
SelectObject.GDI32(?,00000000), ref: 0042935B
DeleteObject.GDI32 ref: 00429367
SelectObject.GDI32(?,00000000), ref: 00429398
DeleteDC.GDI32(00000000), ref: 004293B4
ReleaseDC.USER32(00000000,00000000), ref: 004293C5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004031FC, Relevance: 27.1, APIs: 9, Strings: 9, Instructions: 110 Total matches: 169

Similarity

Total matches: 169
API ID: CharNext
String ID: $ $ $"$"$"$"$"$"
API String ID: 3213498283-3597982963
Opcode ID: a78e52ca640c3a7d11d18e4cac849d6c7481ab065be4a6ef34a7c34927dd7892
Instruction ID: 5d6dbb870b020a65ba4fa9e31a5dda400ef744f15fc7bff5e21739e263984da5
Opcode Fuzzy Hash: D0F054139ED4432360976B416872B44E2D0DF9564D2C01F185B62BE2F31E696D62F9DC
Instruction Fuzzy Hash: 5d6dbb870b020a65ba4fa9e31a5dda400ef744f15fc7bff5e21739e263984da5

APIs

CharNextA.USER32(00000000), ref: 00403208
CharNextA.USER32(00000000), ref: 00403236
CharNextA.USER32(00000000), ref: 00403240
CharNextA.USER32(00000000), ref: 0040325F
CharNextA.USER32(00000000), ref: 00403269
CharNextA.USER32(00000000), ref: 00403295
CharNextA.USER32(00000000), ref: 0040329F
CharNextA.USER32(00000000), ref: 004032C7
CharNextA.USER32(00000000), ref: 004032D1

Strings

", xrefs: 00403230
, xrefs: 004032E9
", xrefs: 0040328F
", xrefs: 0040321E
, xrefs: 00403214
", xrefs: 00403254
, xrefs: 00403278
", xrefs: 00403219
", xrefs: 004032BC

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004296E0, Relevance: 21.2, APIs: 14, Instructions: 217 Total matches: 2962window

Similarity

Total matches: 2962
API ID: GetDeviceCapsSelectObjectSelectPaletteSetStretchBltMode$CreateCompatibleDCDeleteDCGetBrushOrgExRealizePaletteSetBrushOrgExStretchBlt
String ID:
API String ID: 3308931694-0
Opcode ID: c4f23efe5e20e7f72d9787206ae9d4d4484ef6a1768b369050ebc0ce3d21af64
Instruction ID: 6e80a75276815f297b150d1899ec2451361d21afa1efcd092d0d7bc48a04164e
Opcode Fuzzy Hash: 2C21980A409CEB6BF0BB78840183F4A2285BF9B34ACD1BB210E64673635F04E40BD65F
Instruction Fuzzy Hash: 6e80a75276815f297b150d1899ec2451361d21afa1efcd092d0d7bc48a04164e

APIs

Part of subcall function 00429D5C: GetDC.USER32(00000000), ref: 00429DB2
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429DC7
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00429DD1
Part of subcall function 00429D5C: CreateHalftonePalette.GDI32(00000000), ref: 00429DF5
Part of subcall function 00429D5C: ReleaseDC.USER32(00000000,00000000), ref: 00429E00

SelectPalette.GDI32(?,?,000000FF), ref: 00429723
RealizePalette.GDI32(?), ref: 00429732
GetDeviceCaps.GDI32(?,0000000C), ref: 00429744
GetDeviceCaps.GDI32(?,0000000E), ref: 00429753
GetBrushOrgEx.GDI32(?,?), ref: 00429786
SetStretchBltMode.GDI32(?,00000004), ref: 00429794
SetBrushOrgEx.GDI32(?,?,?,?), ref: 004297AC
SetStretchBltMode.GDI32(00000000,00000003), ref: 004297C9
SelectPalette.GDI32(?,?,000000FF), ref: 00429918

Part of subcall function 00429CFC: DeleteObject.GDI32(?), ref: 00429D1F

CreateCompatibleDC.GDI32(00000000), ref: 0042982A
SelectObject.GDI32(?,?), ref: 0042983F

Part of subcall function 00425CC8: CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 00425D0B
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425D20
Part of subcall function 00425CC8: MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,CCAA0029), ref: 00425D64
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425D7E
Part of subcall function 00425CC8: DeleteObject.GDI32(?), ref: 00425D8A
Part of subcall function 00425CC8: CreateCompatibleDC.GDI32(00000000), ref: 00425D9E
Part of subcall function 00425CC8: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00425DBF
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425DD4
Part of subcall function 00425CC8: SelectPalette.GDI32(?,48080787,00000000), ref: 00425DE8
Part of subcall function 00425CC8: SelectPalette.GDI32(?,?,00000000), ref: 00425DFA
Part of subcall function 00425CC8: SelectPalette.GDI32(?,00000000,000000FF), ref: 00425E0F
Part of subcall function 00425CC8: SelectPalette.GDI32(?,48080787,000000FF), ref: 00425E25
Part of subcall function 00425CC8: RealizePalette.GDI32(?), ref: 00425E31
Part of subcall function 00425CC8: StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 00425E53
Part of subcall function 00425CC8: StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 00425E75
Part of subcall function 00425CC8: SetTextColor.GDI32(?,00000000), ref: 00425E7D
Part of subcall function 00425CC8: SetBkColor.GDI32(?,00FFFFFF), ref: 00425E8B
Part of subcall function 00425CC8: StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 00425EB7
Part of subcall function 00425CC8: StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 00425EDC
Part of subcall function 00425CC8: SetTextColor.GDI32(?,?), ref: 00425EE6
Part of subcall function 00425CC8: SetBkColor.GDI32(?,?), ref: 00425EF0
Part of subcall function 00425CC8: SelectObject.GDI32(?,00000000), ref: 00425F03
Part of subcall function 00425CC8: DeleteObject.GDI32(?), ref: 00425F0C
Part of subcall function 00425CC8: SelectPalette.GDI32(?,00000000,00000000), ref: 00425F2E
Part of subcall function 00425CC8: DeleteDC.GDI32(?), ref: 00425F37

SelectObject.GDI32(?,00000000), ref: 0042989E
DeleteDC.GDI32(00000000), ref: 004298AD
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,?), ref: 004298F3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048D3C4, Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 132 Total matches: 32

Similarity

Total matches: 32
API ID: GetVersionEx
String ID: Unknow$Windows 2000$Windows 7$Windows 95$Windows 98$Windows Me$Windows NT 4.0$Windows Server 2003$Windows Vista$Windows XP
API String ID: 3908303307-3783844371
Opcode ID: 7b5a5832e5fd12129a8a2e2906a492b9449b8df28a17af9cc2e55bced20de565
Instruction ID: b844ed6b70e0e94de659292c354b68b9ed016400ab421bcb6baea74a0809c2ae
Opcode Fuzzy Hash: 0C11ACC1EB6CE422E7B219486410BD59E805F8B83AFCCC343D63EA83E46D491419F22D
Instruction Fuzzy Hash: b844ed6b70e0e94de659292c354b68b9ed016400ab421bcb6baea74a0809c2ae

APIs

GetVersionExA.KERNEL32(00000094), ref: 0048D410

Strings

Windows Me, xrefs: 0048D4F2
Windows NT 4.0, xrefs: 0048D441
Windows 2000, xrefs: 0048D467
Windows 95, xrefs: 0048D4D6
Windows 7, xrefs: 0048D4B1
Unknow, xrefs: 0048D3F5
Windows Vista, xrefs: 0048D4A3
Windows Server 2003, xrefs: 0048D486
Windows XP, xrefs: 0048D478
Windows 98, xrefs: 0048D4E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C494, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 102 Total matches: 27filememorythread

Similarity

Total matches: 27
API ID: CloseHandle$CreateFileCreateThreadFindResourceLoadResourceLocalAllocLockResourceSizeofResourceWriteFile
String ID: [FILE]
API String ID: 67866216-124780900
Opcode ID: 96c988e38e59b89ff17cc2eaece477f828ad8744e4a6eccd5192cfbc043553d8
Instruction ID: 630cc112895e8414539e3ba5b7ba0394fd4404f3832c6fa9d37db38bf09270f9
Opcode Fuzzy Hash: D5F02B8A57A5E6A3F0003C841D423D286D55B13B20E582B62C57CB75C1FE24502AFB03
Instruction Fuzzy Hash: 630cc112895e8414539e3ba5b7ba0394fd4404f3832c6fa9d37db38bf09270f9

APIs

FindResourceA.KERNEL32(00000000,?,?), ref: 0048C4C3

Part of subcall function 00489BB0: GetTempPathA.KERNEL32(?,00000000), ref: 00489BEC

CreateFileA.KERNEL32(00000000,.dll,?,?,40000000,00000002,00000000), ref: 0048C50F
SizeofResource.KERNEL32(00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC,?,?,?,?,00000000,00000000,00000000), ref: 0048C51F
LoadResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C528
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C52E
WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0048C535
CloseHandle.KERNEL32(00000000), ref: 0048C53B
LocalAlloc.KERNEL32(00000040,00000004,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C544
CreateThread.KERNEL32(00000000,00000000,0048C3E4,00000000,00000000,?), ref: 0048C586
CloseHandle.KERNEL32(00000000), ref: 0048C58C

Strings

.dll, xrefs: 0048C4F4, 0048C565

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004328FC, Relevance: 18.1, APIs: 12, Instructions: 142 Total matches: 2670

Similarity

Total matches: 2670
API ID: GetSystemMetricsGetWindowLong$ExcludeClipRectFillRectGetSysColorBrushGetWindowDCGetWindowRectInflateRectOffsetRectReleaseDC
String ID:
API String ID: 3932036319-0
Opcode ID: 76064c448b287af48dc2af56ceef959adfeb7e49e56a31cb381aae6292753b0b
Instruction ID: f04c829c48dd0ecc4740a09c532db4e7ffce190e9eba6ce852bb2d0274806371
Opcode Fuzzy Hash: 03019760024F1233E0B31AC05DC7F127621ED45386CA4BBF28BF6A72C962AA7006F467
Instruction Fuzzy Hash: f04c829c48dd0ecc4740a09c532db4e7ffce190e9eba6ce852bb2d0274806371

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 00432917
GetWindowRect.USER32(00000000,?), ref: 00432932
OffsetRect.USER32(?,?,?), ref: 00432947
GetWindowDC.USER32(00000000), ref: 00432955
GetWindowLongA.USER32(00000000,000000F0), ref: 00432986
GetSystemMetrics.USER32(00000002), ref: 0043299B
GetSystemMetrics.USER32(00000003), ref: 004329A4
InflateRect.USER32(?,000000FE,000000FE), ref: 004329B3
GetSysColorBrush.USER32(0000000F), ref: 004329E0
FillRect.USER32(?,?,00000000), ref: 004329EE
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00432A13
ReleaseDC.USER32(00000000,?), ref: 00432A51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00402820, Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 254 Total matches: 200window

Similarity

Total matches: 200
API ID: MessageBox
String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
API String ID: 1250089747-1256731999
Opcode ID: 490897b8e9acac750f9d51d50a768472c0795dbdc6439b18441db86d626ce938
Instruction ID: 76dfa530adb1b8c2cc13e2667be7c25ba156ed0594aa9714788bfb3d1a0eda85
Opcode Fuzzy Hash: 0731F44BA7DDC3A2D3E91303684575550E2A7C5537C888F609772317F6EE04250BAAAD
Instruction Fuzzy Hash: 76dfa530adb1b8c2cc13e2667be7c25ba156ed0594aa9714788bfb3d1a0eda85

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 00402BBE

Strings

An unexpected memory leak has occurred. , xrefs: 00402980
String, xrefs: 00402A91
, xrefs: 00402B04
Unknown, xrefs: 00402A7C
The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402B39
The unexpected small block leaks are:, xrefs: 004029F7
Unexpected Memory Leak, xrefs: 00402BB0
7, xrefs: 00402991
bytes: , xrefs: 00402A4D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F17C, Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 116 Total matches: 33window

Similarity

Total matches: 33
API ID: GetWindowPlacementGetWindowTextIsWindowVisible
String ID: ,$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive$True
API String ID: 41250382-511446200
Opcode ID: 2a93bd2407602c988be198f02ecb64933adb9ffad78aee0f75abc9a1a22a1849
Instruction ID: 8f95e1a452f283c9d6a5f9db166b7f7b6e325fa1ebf04232aa01919826a7e185
Opcode Fuzzy Hash: F5012D8237CECA73DA0AAEC47C00B80D5A5AF63224CC867A14A9D3D1D41ED06009AB4A
Instruction Fuzzy Hash: 8f95e1a452f283c9d6a5f9db166b7f7b6e325fa1ebf04232aa01919826a7e185

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F1D2
GetWindowPlacement.USER32(?,0000002C), ref: 0046F1ED
IsWindowVisible.USER32(?), ref: 0046F258

Part of subcall function 0046F148: GetWindow.USER32(?,00000005), ref: 0046F156
Part of subcall function 0046F148: GetWindow.USER32(00000000,00000002), ref: 0046F164

Strings

,, xrefs: 0046F1E1
Minimized, xrefs: 0046F225
Show/Unactive, xrefs: 0046F239
True, xrefs: 0046F2AA
Maximized, xrefs: 0046F1FD
Normal, xrefs: 0046F211
Normal/Unactive, xrefs: 0046F24D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E71C, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 109 Total matches: 2989

Similarity

Total matches: 2989
API ID: IntersectRect$GetSystemMetrics$EnumDisplayMonitorsGetClipBoxGetDCOrgExOffsetRect
String ID: EnumDisplayMonitors
API String ID: 2403121106-2491903729
Opcode ID: 52db4d6629bbd73772140d7e04a91d47a072080cb3515019dbe85a8b86b11587
Instruction ID: b4557ab74b20c8893b9e8c5043286aecf6e43751f6ec849995a879e485a4fa77
Opcode Fuzzy Hash: 60F02B4B413C0863AD32BB953067E2601615BD3955C9F7BF34D077A2091B85B42EF643
Instruction Fuzzy Hash: b4557ab74b20c8893b9e8c5043286aecf6e43751f6ec849995a879e485a4fa77

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 0042E755
GetSystemMetrics.USER32(00000000), ref: 0042E77A
GetSystemMetrics.USER32(00000001), ref: 0042E785
GetClipBox.GDI32(?,?), ref: 0042E797
GetDCOrgEx.GDI32(?,?), ref: 0042E7A4
OffsetRect.USER32(?,?,?), ref: 0042E7BD
IntersectRect.USER32(?,?,?), ref: 0042E7CE
IntersectRect.USER32(?,?,?), ref: 0042E7E4
IntersectRect.USER32(?,?,?), ref: 0042E804

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

EnumDisplayMonitors, xrefs: 0042E734

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044D1B0, Relevance: 16.6, APIs: 11, Instructions: 91 Total matches: 309

Similarity

Total matches: 309
API ID: GetWindowLongSetWindowLong$SetProp$IsWindowUnicode
String ID:
API String ID: 2416549522-0
Opcode ID: cc33e88019e13a6bdd1cd1f337bb9aa08043e237bf24f75c2294c70aefb51ea5
Instruction ID: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692
Opcode Fuzzy Hash: 47F09048455D92E9CE316990181BFEB6098AF57F91CE86B0469C2713778E50F079BCC2
Instruction Fuzzy Hash: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692

APIs

IsWindowUnicode.USER32(?), ref: 0044D1CA
SetWindowLongW.USER32(?,000000FC,?), ref: 0044D1E5
GetWindowLongW.USER32(?,000000F0), ref: 0044D1F0
GetWindowLongW.USER32(?,000000F4), ref: 0044D202
SetWindowLongW.USER32(?,000000F4,?), ref: 0044D215
SetWindowLongA.USER32(?,000000FC,?), ref: 0044D22E
GetWindowLongA.USER32(?,000000F0), ref: 0044D239
GetWindowLongA.USER32(?,000000F4), ref: 0044D24B
SetWindowLongA.USER32(?,000000F4,?), ref: 0044D25E
SetPropA.USER32(?,00000000,00000000), ref: 0044D275
SetPropA.USER32(?,00000000,00000000), ref: 0044D28C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A8AC, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 146 Total matches: 45fileprocesssynchronization

Similarity

Total matches: 45
API ID: CloseHandle$CreateFile$CreateProcessWaitForSingleObject
String ID: D
API String ID: 1169714791-2746444292
Opcode ID: 9fb844b51f751657abfdf9935c21911306aa385a3997c9217fbe2ce6b668f812
Instruction ID: 79e473b7fda91be69f4d7f417df14a4c992ec25b9310636d694ca9e09f5cc5b6
Opcode Fuzzy Hash: 4D11E6431384F3F3F1A567002C8275185D6DB45A78E6D9752D6B6323EECB40A16CF94A
Instruction Fuzzy Hash: 79e473b7fda91be69f4d7f417df14a4c992ec25b9310636d694ca9e09f5cc5b6

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000004,00000100,00000000), ref: 0048A953
CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000002,00000100,00000000), ref: 0048A98D
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000110,00000000,00000000,00000044,?), ref: 0048AA10
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0048AA2D
CloseHandle.KERNEL32(00000000), ref: 0048AA68
CloseHandle.KERNEL32(00000000), ref: 0048AA77
CloseHandle.KERNEL32(00000000), ref: 0048AA86
CloseHandle.KERNEL32(00000000), ref: 0048AA95

Strings

D, xrefs: 0048A9BB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F3B8, Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 110 Total matches: 30

Similarity

Total matches: 30
API ID: GetWindowPlacementGetWindowText
String ID: ,$False$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive
API String ID: 3194812178-3661939895
Opcode ID: 6e67ebc189e59b109926b976878c05c5ff8e56a7c2fe83319816f47c7d386b2c
Instruction ID: 05c2a068ec8248d3d24fb73124f2ba0192b7bb261c799db9564259cde8fcc610
Opcode Fuzzy Hash: DC012BC22786CE23E606A9C47A00BD0CE65AFB261CCC867E14FEE3C5D57ED100089B96
Instruction Fuzzy Hash: 05c2a068ec8248d3d24fb73124f2ba0192b7bb261c799db9564259cde8fcc610

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F40E
GetWindowPlacement.USER32(?,0000002C), ref: 0046F429

Part of subcall function 0046F148: GetWindow.USER32(?,00000005), ref: 0046F156
Part of subcall function 0046F148: GetWindow.USER32(00000000,00000002), ref: 0046F164

Strings

Maximized, xrefs: 0046F439
,, xrefs: 0046F41D
False, xrefs: 0046F4D6
Show/Unactive, xrefs: 0046F475
Normal, xrefs: 0046F44D
Minimized, xrefs: 0046F461
Normal/Unactive, xrefs: 0046F489

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00456278, Relevance: 15.2, APIs: 10, Instructions: 197 Total matches: 3025

Similarity

Total matches: 3025
API ID: GetWindowLong$IntersectClipRectRestoreDCSaveDC
String ID:
API String ID: 3006731778-0
Opcode ID: 42e9e34b880910027b3e3a352b823e5a85719ef328f9c6ea61aaf2d3498d6580
Instruction ID: 4204c0258dd60c0c2688d7e8ce7edc9cd036ce1826430425374ca7ebdb7834a4
Opcode Fuzzy Hash: 4621F609168D5267EC7B75806993BAA7111FB82B88CD1F7321AA1171975B80204BFA07
Instruction Fuzzy Hash: 4204c0258dd60c0c2688d7e8ce7edc9cd036ce1826430425374ca7ebdb7834a4

APIs

SaveDC.GDI32(?), ref: 00456295

Part of subcall function 0044EEA0: GetWindowOrgEx.GDI32(?), ref: 0044EEAE
Part of subcall function 0044EEA0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044EEC4

IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 004562CE
GetWindowLongA.USER32(00000000,000000EC), ref: 004562E2
GetWindowLongA.USER32(00000000,000000F0), ref: 00456303

Part of subcall function 00456278: SetRect.USER32(00000010,00000000,00000000,?,?), ref: 00456363
Part of subcall function 00456278: IntersectClipRect.GDI32(?,00000000,00000000,00000010,?), ref: 004563D3
Part of subcall function 00456278: SetRect.USER32(?,00000000,00000000,?,?), ref: 004563F4
Part of subcall function 00456278: DrawEdge.USER32(?,?,00000000,00000000), ref: 00456403
Part of subcall function 00456278: IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0045642C

RestoreDC.GDI32(?,?), ref: 004564AB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044155C, Relevance: 15.1, APIs: 10, Instructions: 74 Total matches: 3192window

Similarity

Total matches: 3192
API ID: DeleteMenu$EnableMenuItem$GetSystemMenu
String ID:
API String ID: 3542995237-0
Opcode ID: 6b257927fe0fdeada418aad578b82fbca612965c587f2749ccb5523ad42afade
Instruction ID: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578
Opcode Fuzzy Hash: 0AF0D09DD98F1151E6F500410C47B83C08AFF413C5C245B380583217EFA9D25A5BEB0E
Instruction Fuzzy Hash: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 004415A7
DeleteMenu.USER32(00000000,0000F130,00000000), ref: 004415C5
DeleteMenu.USER32(00000000,00000007,00000400), ref: 004415D2
DeleteMenu.USER32(00000000,00000005,00000400), ref: 004415DF
DeleteMenu.USER32(00000000,0000F030,00000000), ref: 004415EC
DeleteMenu.USER32(00000000,0000F020,00000000), ref: 004415F9
DeleteMenu.USER32(00000000,0000F000,00000000), ref: 00441606
DeleteMenu.USER32(00000000,0000F120,00000000), ref: 00441613
EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 00441631
EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 0044164D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040281E, Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 188 Total matches: 190window

Similarity

Total matches: 190
API ID: MessageBox
String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
API String ID: 1250089747-980038931
Opcode ID: 1669ecd234b97cdbd14c3df7a35b1e74c6856795be7635a3e0f5130a3d9bc831
Instruction ID: 2e60dbe28dcd1d3aa5670394eea0bc97309ab4bc9661f15f320bab8b5d4cd559
Opcode Fuzzy Hash: 8E21F44B67EED392D3EA1303384575540E3ABC5537D888F60977232BF6EE14140BAA9D
Instruction Fuzzy Hash: 2e60dbe28dcd1d3aa5670394eea0bc97309ab4bc9661f15f320bab8b5d4cd559

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 00402BBE

Strings

An unexpected memory leak has occurred. , xrefs: 00402980
, xrefs: 00402B04
The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402B39
The unexpected small block leaks are:, xrefs: 004029F7
Unexpected Memory Leak, xrefs: 00402BB0
7, xrefs: 00402991
bytes: , xrefs: 00402A4D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004710F0, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 66 Total matches: 37

Similarity

Total matches: 37
API ID: GetWindowShowWindow$FindWindowGetClassName
String ID: BUTTON$Shell_TrayWnd
API String ID: 2948047570-3627955571
Opcode ID: 9e064d9ead1b610c0c1481de5900685eb7d76be14ef2e83358ce558d27e67668
Instruction ID: d360bd029940f6fa4d12d7627fe3e8b46839e67e31e965d43504e39a11938d6c
Opcode Fuzzy Hash: 68E092CC17B5D469B71A2789284236241D5C763A35C18B752D332376DF8E58021EE60A
Instruction Fuzzy Hash: d360bd029940f6fa4d12d7627fe3e8b46839e67e31e965d43504e39a11938d6c

APIs

FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 0047111D
GetWindow.USER32(00000000,00000005), ref: 00471125
GetClassNameA.USER32(00000000,?,00000080), ref: 0047113D
ShowWindow.USER32(00000000,00000001), ref: 0047117C
ShowWindow.USER32(00000000,00000000), ref: 00471186
GetWindow.USER32(00000000,00000002), ref: 0047118E

Strings

BUTTON, xrefs: 00471168
Shell_TrayWnd, xrefs: 00471118

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004564D0, Relevance: 13.7, APIs: 9, Instructions: 177 Total matches: 190window

Similarity

Total matches: 190
API ID: SelectObject$BeginPaintBitBltCreateCompatibleBitmapCreateCompatibleDCSetWindowOrgEx
String ID:
API String ID: 1616898104-0
Opcode ID: 00b711a092303d63a394b0039c66d91bff64c6bf82b839551a80748cfcb5bf1e
Instruction ID: 1affb125a654ca7596d0e4f6c4811def945eff925a29ebecd1c68cf0f38a7913
Opcode Fuzzy Hash: 14115B85024DA637E8739CC85E83F962294F307D48C91F7729BA31B2C72F15600DD293
Instruction Fuzzy Hash: 1affb125a654ca7596d0e4f6c4811def945eff925a29ebecd1c68cf0f38a7913

APIs

Part of subcall function 00455D50: BeginPaint.USER32(00000000,?), ref: 00455D7B
Part of subcall function 00455D50: SaveDC.GDI32(00000000), ref: 00455DB4
Part of subcall function 00455D50: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 00455E36
Part of subcall function 00455D50: RestoreDC.GDI32(00000000,00000000), ref: 00455E6C
Part of subcall function 00455D50: EndPaint.USER32(00000000,?), ref: 00455EA9

BeginPaint.USER32(00000000,?), ref: 004565EA
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00456600
CreateCompatibleDC.GDI32(00000000), ref: 00456617
SelectObject.GDI32(?,?), ref: 00456627
SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0045664B

Part of subcall function 004564D0: BeginPaint.USER32(00000000,?), ref: 0045653C
Part of subcall function 004564D0: EndPaint.USER32(00000000,?), ref: 004565D0

BitBlt.GDI32(00000000,?,?,?,?,?,?,?,00CC0020), ref: 00456699
SelectObject.GDI32(?,?), ref: 004566B3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004840D8, Relevance: 13.6, APIs: 9, Instructions: 150 Total matches: 30

Similarity

Total matches: 30
API ID: CloseHandleGetTokenInformationLookupAccountSid$GetLastErrorOpenProcessOpenProcessToken
String ID:
API String ID: 1387212650-0
Opcode ID: 55fc45e655e8bcad6bc41288bae252f5ee7be0b7cb976adfe173a6785b05be5f
Instruction ID: 4c6b5abeafcca947752a893948ed48d42e020b1fe5683f4a654fc51f6199c0a3
Opcode Fuzzy Hash: 3901484A17CA2293F53BB5C82483FEA1215E702B45D48B7A354F43A59A5F45A13BF702
Instruction Fuzzy Hash: 4c6b5abeafcca947752a893948ed48d42e020b1fe5683f4a654fc51f6199c0a3

APIs

OpenProcess.KERNEL32(00000400,00000000,?,00000000,00484275), ref: 00484108
OpenProcessToken.ADVAPI32(00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 0048411E
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,?,00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 00484139
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),?,?,?,?,TokenIntegrityLevel,00000000,00000000,?,00000000,00000008,?,00000400,00000000), ref: 00484168
GetLastError.KERNEL32(?,TokenIntegrityLevel,00000000,00000000,?,00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 00484177
CloseHandle.KERNEL32(?), ref: 00484185
LookupAccountSidA.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 004841B4
LookupAccountSidA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,?), ref: 00484205
CloseHandle.KERNEL32(00000000), ref: 00484255

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00451458, Relevance: 13.6, APIs: 9, Instructions: 122 Total matches: 3040window

Similarity

Total matches: 3040
API ID: PatBlt$SelectObject$GetDCExGetDesktopWindowReleaseDC
String ID:
API String ID: 2402848322-0
Opcode ID: 0b1cd19b0e82695ca21d43bacf455c9985e1afa33c1b29ce2f3a7090b744ccb2
Instruction ID: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593
Opcode Fuzzy Hash: C2F0B4482AADF707C8B6350915C7F79224AED736458F4BB694DB4172CBAF27B014D093
Instruction Fuzzy Hash: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593

APIs

GetDesktopWindow.USER32 ref: 0045148F
GetDCEx.USER32(?,00000000,00000402), ref: 004514A2

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

SelectObject.GDI32(?,00000000), ref: 004514C5
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 004514EB
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0045150D
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 0045152C
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 00451546
SelectObject.GDI32(?,?), ref: 00451553
ReleaseDC.USER32(?,?), ref: 0045156D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004117E8, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: f440f800a6dcfa6827f62dcd7c23166eba4d720ac19948e634cff8498f9e3f0b
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 4D113503239AAB83B0257B804C83F24D1D0DE42D36ACD97B8C672693F32601561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00411881
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041189D
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 004118D6
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411953
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0041196C
VariantCopy.OLEAUT32(?), ref: 004119A1

Strings

, xrefs: 00411802

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AC14, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 110 Total matches: 30

Similarity

Total matches: 30
API ID: GetCurrentProcessGetTokenInformationLookupPrivilegeDisplayNameLookupPrivilegeNameOpenProcessToken
String ID: GetTokenInformation error$OpenProcessToken error
API String ID: 34442935-1842041635
Opcode ID: 07715b92dc7caf9e715539a578f275bcd2bb60a34190f84cc6cf05c55eb8ea49
Instruction ID: 380ab001647c8b3903b6034fc21424389ae21c1771cfbd9cf9b74ae493e33b6b
Opcode Fuzzy Hash: 9101994303ACF753F62929086842BDA0550DF534A5EC4AB6281746BEC90F28203AFB57
Instruction Fuzzy Hash: 380ab001647c8b3903b6034fc21424389ae21c1771cfbd9cf9b74ae493e33b6b

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AD60), ref: 0048AC51
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AD60), ref: 0048AC57
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000320,?,00000000,00000028,?,00000000,0048AD60), ref: 0048AC7D
LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,00000000,000000FF,?), ref: 0048ACEE

Part of subcall function 00489B40: MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00489B84

LookupPrivilegeNameA.ADVAPI32(00000000,?,00000000,000000FF), ref: 0048ACDD

Strings

GetTokenInformation error, xrefs: 0048AC86
OpenProcessToken error, xrefs: 0048AC60

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E4A0, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68 Total matches: 2853string

Similarity

Total matches: 2853
API ID: GetSystemMetrics$GetMonitorInfoSystemParametersInfolstrcpy
String ID: DISPLAY$GetMonitorInfo
API String ID: 3432438702-1633989206
Opcode ID: eae47ffeee35c10db4cae29e8a4ab830895bcae59048fb7015cdc7d8cb0a928b
Instruction ID: 74142331967dee0409fd24cf408a58a7466f2520650418456c75ade1e3029da4
Opcode Fuzzy Hash: 28E068803A699081F86A71027110F4912B07AE7E47D883B92C4777051BD78265B91D01
Instruction Fuzzy Hash: 74142331967dee0409fd24cf408a58a7466f2520650418456c75ade1e3029da4

APIs

GetMonitorInfoA.USER32(?,?), ref: 0042E4D1
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042E4F8
GetSystemMetrics.USER32(00000000), ref: 0042E50D
GetSystemMetrics.USER32(00000001), ref: 0042E518
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0042E542

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

DISPLAY, xrefs: 0042E539
GetMonitorInfo, xrefs: 0042E4B8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004052FC, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38 Total matches: 3072filewindow

Similarity

Total matches: 3072
API ID: GetStdHandleWriteFile$MessageBox
String ID: Error$Runtime error at 00000000
API String ID: 877302783-2970929446
Opcode ID: a2f2a555d5de0ed3a3cdfe8a362fd9574088acc3a5edf2b323f2c4251b80d146
Instruction ID: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97
Opcode Fuzzy Hash: FED0A7C68438479FA141326030C4B2A00133F0762A9CC7396366CB51DFCF4954BCDD05
Instruction Fuzzy Hash: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405335
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 0040533B
GetStdHandle.KERNEL32(000000F5,00405384,00000002,?,00000000,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405350
WriteFile.KERNEL32(00000000,000000F5,00405384,00000002,?), ref: 00405356
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00405374

Strings

Error, xrefs: 00405368
Runtime error at 00000000, xrefs: 0040532E, 0040536D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E0DC, Relevance: 12.1, APIs: 8, Instructions: 100 Total matches: 31registry

Similarity

Total matches: 31
API ID: RegOpenKeyEx$RegCloseKeyRegDeleteValue
String ID:
API String ID: 2702562355-0
Opcode ID: ff1bffc0fc9da49c543c68ea8f8c068e074332158ed00d7e0855fec77d15ce10
Instruction ID: bb6f8a9e936068d281b70d3ea2ea02ff1a791729bc38357734c580253c916b5c
Opcode Fuzzy Hash: 00F0AD0155E9A353EBF654C41E127DB2082FF43A44D08FFB50392139D3DF581028E663
Instruction Fuzzy Hash: bb6f8a9e936068d281b70d3ea2ea02ff1a791729bc38357734c580253c916b5c

APIs

RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?,00000000,0046E238), ref: 0046E15A
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,000F003F,?,0046E23F,80000000,00000000,00000000,000F003F,?,00000000,0046E238), ref: 0046E17D
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,0046E23F,80000000,00000000,00000000,000F003F,?), ref: 0046E19D
RegOpenKeyExA.ADVAPI32(80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,0046E23F), ref: 0046E1BD
RegOpenKeyExA.ADVAPI32(80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001), ref: 0046E1DD
RegOpenKeyExA.ADVAPI32(80000006,00000000,00000000,000F003F,?,80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002), ref: 0046E1FD
RegDeleteValueA.ADVAPI32(?,00000000,00000000,0046E238), ref: 0046E20F
RegCloseKey.ADVAPI32(?,?,00000000,00000000,0046E238), ref: 0046E218

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004462F4, Relevance: 12.1, APIs: 8, Instructions: 99 Total matches: 293windowthread

Similarity

Total matches: 293
API ID: SendMessage$GetWindowThreadProcessId$GetCaptureGetParentIsWindowUnicode
String ID:
API String ID: 2317708721-0
Opcode ID: 8f6741418f060f953fc426fb00df5905d81b57fcb2f7a38cdc97cb0aab6d7365
Instruction ID: 027f2b09132ef415e1641618d15c0fc03404835376b0cbd1c352fc703b58c8b5
Opcode Fuzzy Hash: D0F09E15071D1844F89FA7844CD3F1F0150E73726FC516A251861D07BB2640586DEC40
Instruction Fuzzy Hash: 027f2b09132ef415e1641618d15c0fc03404835376b0cbd1c352fc703b58c8b5

APIs

GetCapture.USER32 ref: 0044631A
GetParent.USER32(00000000), ref: 00446340
IsWindowUnicode.USER32(00000000), ref: 0044635D
SendMessageW.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446378
SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446397
GetWindowThreadProcessId.USER32(00000000), ref: 004463A6
GetWindowThreadProcessId.USER32(?,?), ref: 004463B4
SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 004463D4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E244, Relevance: 12.1, APIs: 8, Instructions: 95 Total matches: 27registry

Similarity

Total matches: 27
API ID: RegOpenKeyEx$RegCloseKeyRegDeleteKey
String ID:
API String ID: 1588268847-0
Opcode ID: efa1fa3a126963e045954320cca245066a4b5764b694b03be027155e6cf74c33
Instruction ID: 786d86d630c0ce6decb55c8266b1f23f89dbfeab872e22862efc69a80fb541cf
Opcode Fuzzy Hash: 70F0810454D99393EFF268C81A627EB2492FF53141C00BFB603D222A93DF191428E663
Instruction Fuzzy Hash: 786d86d630c0ce6decb55c8266b1f23f89dbfeab872e22862efc69a80fb541cf

APIs

RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?,00000000,0046E391), ref: 0046E2B7
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,000F003F,?,80000000,00000000,00000000,000F003F,?,00000000,0046E391), ref: 0046E2DA
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,80000000,00000000,00000000,000F003F,?,00000000), ref: 0046E2FA
RegOpenKeyExA.ADVAPI32(80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,80000000), ref: 0046E31A
RegOpenKeyExA.ADVAPI32(80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001), ref: 0046E33A
RegOpenKeyExA.ADVAPI32(80000006,00000000,00000000,000F003F,?,80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002), ref: 0046E35A
RegDeleteKeyA.ADVAPI32(?,0046E39C), ref: 0046E368
RegCloseKey.ADVAPI32(?,?,0046E39C,00000000,0046E391), ref: 0046E371

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426060, Relevance: 12.1, APIs: 8, Instructions: 79 Total matches: 3072window

Similarity

Total matches: 3072
API ID: GetSystemPaletteEntries$GetDCGetDeviceCapsReleaseDC
String ID:
API String ID: 3774187343-0
Opcode ID: c8a1f0028bda89d06ba34fecd970438ce26e4f5bd606e2da3d468695089984a8
Instruction ID: 0cfe958825060108f21fe327ec74807f3ea840bb8274bad68fd1d00675d59d02
Opcode Fuzzy Hash: 82F0E9420739F3B3B21723492453B548250FF006B8F195B7095A2A37D54B486A08D65A
Instruction Fuzzy Hash: 0cfe958825060108f21fe327ec74807f3ea840bb8274bad68fd1d00675d59d02

APIs

GetDC.USER32(00000000), ref: 0042608E
GetDeviceCaps.GDI32(?,00000068), ref: 004260AA
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 004260C9
GetSystemPaletteEntries.GDI32(?,-00000008,00000001,00C0C0C0), ref: 004260ED
GetSystemPaletteEntries.GDI32(?,00000000,00000007,?), ref: 0042610B
GetSystemPaletteEntries.GDI32(?,00000007,00000001,?), ref: 0042611F
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0042613F
ReleaseDC.USER32(00000000,?), ref: 00426157

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434550, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 177 Total matches: 2669window

Similarity

Total matches: 2669
API ID: InsertMenu$GetVersionInsertMenuItem
String ID: ,$?
API String ID: 1158528009-2308483597
Opcode ID: 3691d3eb49acf7fe282d18733ae3af9147e5be4a4a7370c263688d5644077239
Instruction ID: d88e58a9695d0ecde36b26a9ed5775f3b98e27f7dc2108173ae1ec2afbf22209
Opcode Fuzzy Hash: 7021C07202AE81DBD414788C7954F6221B16B5465FD49FF210329B5DD98F156003FF7A
Instruction Fuzzy Hash: d88e58a9695d0ecde36b26a9ed5775f3b98e27f7dc2108173ae1ec2afbf22209

APIs

GetVersion.KERNEL32(00000000,004347A1), ref: 004345EC
InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 004346F5
InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 0043477E

Part of subcall function 00434A54: CreatePopupMenu.USER32 ref: 00434A6F
Part of subcall function 00434A54: CreateMenu.USER32 ref: 00434A79

InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 00434765

Strings

?, xrefs: 00434607
,, xrefs: 00434600

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446524, Relevance: 10.6, APIs: 7, Instructions: 105 Total matches: 329window

Similarity

Total matches: 329
API ID: PeekMessage$DispatchMessage$IsWindowUnicodeTranslateMessage
String ID:
API String ID: 94033680-0
Opcode ID: 72d0e2097018c2d171db36cd9dd5c7d628984fd68ad100676ade8b40d7967d7f
Instruction ID: b3581f7210794b57d406096c46509e1a6dcc6e0b3c60c7d01b5c3c410123a072
Opcode Fuzzy Hash: A2F0F642161A8221F90E364651E2FC06559E31F39CCD1D3871165A4192DF8573D6F95C
Instruction Fuzzy Hash: b3581f7210794b57d406096c46509e1a6dcc6e0b3c60c7d01b5c3c410123a072

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00446538
IsWindowUnicode.USER32 ref: 0044654C
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0044656D
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00446583

Part of subcall function 00447DD0: GetCapture.USER32 ref: 00447DDA
Part of subcall function 00447DD0: GetParent.USER32(00000000), ref: 00447E08

Part of subcall function 004462A4: TranslateMDISysAccel.USER32(?), ref: 004462E3

Part of subcall function 004462F4: GetCapture.USER32 ref: 0044631A
Part of subcall function 004462F4: GetParent.USER32(00000000), ref: 00446340
Part of subcall function 004462F4: IsWindowUnicode.USER32(00000000), ref: 0044635D
Part of subcall function 004462F4: SendMessageW.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446378
Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446397
Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(00000000), ref: 004463A6
Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(?,?), ref: 004463B4
Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 004463D4

Part of subcall function 0044625C: IsWindowUnicode.USER32(00000000), ref: 00446270
Part of subcall function 0044625C: IsDialogMessageW.USER32(?), ref: 00446281
Part of subcall function 0044625C: IsDialogMessageA.USER32(?,?,00000000,015B8130,00000001,00446607,?,00000000,00000000,00000000,00000001,?,00000000,00000000,00000000,00000000), ref: 00446296

TranslateMessage.USER32 ref: 0044660C
DispatchMessageW.USER32 ref: 00446618
DispatchMessageA.USER32 ref: 00446620

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004282D0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99 Total matches: 1938

Similarity

Total matches: 1938
API ID: GetWinMetaFileBitsMulDiv$GetDC
String ID: `
API String ID: 1171737091-2679148245
Opcode ID: 97e0afb71fd3017264d25721d611b96d1ac3823582e31f119ebb41a52f378edb
Instruction ID: fd1c75cb27f8ccc4a85bc281ca680933f7ff10ae91a160973978cac80d6b42b6
Opcode Fuzzy Hash: B6F0ACC4008CD2A7D87675DC1043F6311C897CA286E89BB739226A7307CB0AA019EC47
Instruction Fuzzy Hash: fd1c75cb27f8ccc4a85bc281ca680933f7ff10ae91a160973978cac80d6b42b6

APIs

MulDiv.KERNEL32(?,?,000009EC), ref: 00428322
MulDiv.KERNEL32(?,?,000009EC), ref: 00428339
GetDC.USER32(00000000), ref: 00428350
GetWinMetaFileBits.GDI32(?,00000000,00000000,00000008,?), ref: 00428374
GetWinMetaFileBits.GDI32(?,?,?,00000008,?), ref: 004283A7

Part of subcall function 00425A70: GetLastError.KERNEL32(00000000,00425B0C), ref: 00425A90
Part of subcall function 00425A70: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00425B0C), ref: 00425AB6

Strings

`, xrefs: 00428308

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444344, Relevance: 10.6, APIs: 7, Instructions: 89 Total matches: 2886

Similarity

Total matches: 2886
API ID: CreateFontIndirect$GetStockObjectSystemParametersInfo
String ID:
API String ID: 1286667049-0
Opcode ID: beeb678630a8d2ca0f721ed15124802961745e4c56d7c704ecddf8ebfa723626
Instruction ID: b9276e4cea0afd1028da4d528d34847b13dbaab52dc8e94e54053a20ac38a9fc
Opcode Fuzzy Hash: 00F0A4C36341F6F2D8993208742172161E6A74AE78C7CFF62422930ED2661A052EEB4F
Instruction Fuzzy Hash: b9276e4cea0afd1028da4d528d34847b13dbaab52dc8e94e54053a20ac38a9fc

APIs

SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 00444399
CreateFontIndirectA.GDI32(?), ref: 004443A6
GetStockObject.GDI32(0000000D), ref: 004443BC
SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 004443E5
CreateFontIndirectA.GDI32(?), ref: 004443F5
CreateFontIndirectA.GDI32(?), ref: 0044440E

Part of subcall function 00424A5C: MulDiv.KERNEL32(00000000,?,00000048), ref: 00424A69

GetStockObject.GDI32(0000000D), ref: 00444434

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428A00, Relevance: 10.6, APIs: 7, Instructions: 66 Total matches: 3056

Similarity

Total matches: 3056
API ID: SelectObject$CreateCompatibleDCDeleteDCGetDCReleaseDCSetDIBColorTable
String ID:
API String ID: 2399757882-0
Opcode ID: e05996493a4a7703f1d90fd319a439bf5e8e75d5a5d7afaf7582bfea387cb30d
Instruction ID: 90c847b5b2251fbb5b2f14fd0b24f537c214c92e226752d9278a3821f2f40b8f
Opcode Fuzzy Hash: 73E0DF8626D8F38BE435399C15C2BB202EAD763D20D1ABBA1CD712B5DB6B09701CE107
Instruction Fuzzy Hash: 90c847b5b2251fbb5b2f14fd0b24f537c214c92e226752d9278a3821f2f40b8f

APIs

Part of subcall function 004262B4: GetObjectA.GDI32(?,00000004), ref: 004262CB
Part of subcall function 004262B4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 004262EE

GetDC.USER32(00000000), ref: 00428A3E
CreateCompatibleDC.GDI32(?), ref: 00428A4A
SelectObject.GDI32(?), ref: 00428A57
SetDIBColorTable.GDI32(?,00000000,00000000,?), ref: 00428A7B
SelectObject.GDI32(?,?), ref: 00428A95
DeleteDC.GDI32(?), ref: 00428A9E
ReleaseDC.USER32(00000000,?), ref: 00428AA9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004442A8, Relevance: 10.6, APIs: 7, Instructions: 57 Total matches: 3149threadwindow

Similarity

Total matches: 3149
API ID: SendMessage$GetCurrentThreadIdGetCursorPosGetWindowThreadProcessIdSetCursorWindowFromPoint
String ID:
API String ID: 3843227220-0
Opcode ID: 636f8612f18a75fc2fe2d79306f1978e6c2d0ee500cce15a656835efa53532b4
Instruction ID: 91a0691e93be75cbd792bc1c5d11451005bcc187603754b99125f381020161aa
Opcode Fuzzy Hash: 6FE07D44093723D5C0644A295640705A6C6CB96630DC0DB86C339580FBAD0214F0BC92
Instruction Fuzzy Hash: 91a0691e93be75cbd792bc1c5d11451005bcc187603754b99125f381020161aa

APIs

GetCursorPos.USER32 ref: 004442C3
WindowFromPoint.USER32(?,?), ref: 004442D0
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004442DE
GetCurrentThreadId.KERNEL32(00000000,00000000,?,?), ref: 004442E5
SendMessageA.USER32(00000000,00000084,00000000,?), ref: 0044430E
SendMessageA.USER32(00000000,00000020,00000000,?), ref: 00444320
SetCursor.USER32(00000000), ref: 00444332

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00404448, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 49 Total matches: 63registry

Similarity

Total matches: 63
API ID: RegCloseKeyRegOpenKeyExRegQueryValueEx
String ID: &$FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 2249749755-409351
Opcode ID: ab90adbf7b939076b4d26ef1005f34fa32d43ca05e29cbeea890055cc8b783db
Instruction ID: ce62e3bb234767a160e82b0d7d36def6f0e4d1aa0fd43ed305e6d49589b0b3e0
Opcode Fuzzy Hash: 58D02BE10C9A675FB6B071543292B6310A3F72AA8CC0077326DD03A0D64FD26178CF03
Instruction Fuzzy Hash: ce62e3bb234767a160e82b0d7d36def6f0e4d1aa0fd43ed305e6d49589b0b3e0

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040446A
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,&,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040449D
RegCloseKey.ADVAPI32(?,004044C0,00000000,?,00000004,00000000,&,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004044B3

Strings

&, xrefs: 00404476
FPUMaskValue, xrefs: 00404494
SOFTWARE\Borland\Delphi\RTL, xrefs: 00404460

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043EC18, Relevance: 9.2, APIs: 6, Instructions: 150 Total matches: 2896

Similarity

Total matches: 2896
API ID: FillRect$BeginPaintEndPaintGetClientRectGetWindowRect
String ID:
API String ID: 2931688664-0
Opcode ID: 677a90f33c4a0bae1c1c90245e54b31fe376033ebf9183cf3cf5f44c7b342276
Instruction ID: 65c0a0a89661e183b73f48e61e48bee5eb6d6399339ac08e0e21072a38132552
Opcode Fuzzy Hash: 9711994A819E5007F47B49C40887BEA1092FBC1FDBCC8FF7025A426BCB0B60564F860B
Instruction Fuzzy Hash: 65c0a0a89661e183b73f48e61e48bee5eb6d6399339ac08e0e21072a38132552

APIs

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?), ref: 0043EC91
GetClientRect.USER32(00000000,?), ref: 0043ECBC
FillRect.USER32(?,?,00000000), ref: 0043ECDB

Part of subcall function 0043EB8C: CallWindowProcA.USER32(?,?,?,?,?), ref: 0043EBC6

Part of subcall function 0043B78C: GetWindowLongA.USER32(?,000000EC), ref: 0043B799
Part of subcall function 0043B78C: SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B7BC
Part of subcall function 0043B78C: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043B7CE

BeginPaint.USER32(?,?), ref: 0043ED53
GetWindowRect.USER32(?,?), ref: 0043ED80

Part of subcall function 0044EEA0: GetWindowOrgEx.GDI32(?), ref: 0044EEAE
Part of subcall function 0044EEA0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044EEC4

Part of subcall function 00455D50: BeginPaint.USER32(00000000,?), ref: 00455D7B
Part of subcall function 00455D50: SaveDC.GDI32(00000000), ref: 00455DB4
Part of subcall function 00455D50: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 00455E36
Part of subcall function 00455D50: RestoreDC.GDI32(00000000,00000000), ref: 00455E6C
Part of subcall function 00455D50: EndPaint.USER32(00000000,?), ref: 00455EA9

EndPaint.USER32(?,?), ref: 0043EDE0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00441160, Relevance: 9.1, APIs: 6, Instructions: 125 Total matches: 196

Similarity

Total matches: 196
API ID: ExcludeClipRectFillRectGetStockObjectRestoreDCSaveDCSetBkColor
String ID:
API String ID: 3049133588-0
Opcode ID: d6019f6cee828ac7391376ab126a0af33bb7a71103bbd3b8d69450c96d22d854
Instruction ID: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c
Opcode Fuzzy Hash: 54012444004F6253F4AB098428E7FA56083F721791CE4FF310786616C34A74615BAA07
Instruction Fuzzy Hash: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c

APIs

Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE

SaveDC.GDI32(?), ref: 004411AD
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00441234
GetStockObject.GDI32(00000004), ref: 00441256
FillRect.USER32(00000000,?,00000000), ref: 0044126F

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(00000000,00000000), ref: 004412BA

Part of subcall function 0042535C: FillRect.USER32(?,00000000,00000000), ref: 00425385

RestoreDC.GDI32(00000000,?), ref: 004412E5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426564, Relevance: 9.1, APIs: 6, Instructions: 84 Total matches: 3298

Similarity

Total matches: 3298
API ID: GetDeviceCapsGetSystemMetrics$GetDCReleaseDC
String ID:
API String ID: 3173458388-0
Opcode ID: fd9f4716da230ae71bf1f4ec74ceb596be8590d72bfe1d7677825fa15454f496
Instruction ID: 76208f8db54bfa31a4e946745ab37a866a8afca9cd7e1400b1f436bf5add317d
Opcode Fuzzy Hash: 0CF09E4906CDE0A230E245C41213F6290C28E85DA1CCD2F728175646EB900A900BB68A
Instruction Fuzzy Hash: 76208f8db54bfa31a4e946745ab37a866a8afca9cd7e1400b1f436bf5add317d

APIs

GetSystemMetrics.USER32(0000000B), ref: 004265B2
GetSystemMetrics.USER32(0000000C), ref: 004265BE
GetDC.USER32(00000000), ref: 004265DA
GetDeviceCaps.GDI32(00000000,0000000E), ref: 00426601
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042660E
ReleaseDC.USER32(00000000,00000000), ref: 00426647

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004269DC, Relevance: 9.1, APIs: 6, Instructions: 65 Total matches: 3081window

Similarity

Total matches: 3081
API ID: SelectPalette$CreateCompatibleDCDeleteDCGetDIBitsRealizePalette
String ID:
API String ID: 940258532-0
Opcode ID: c5678bed85b02f593c88b8d4df2de58c18800a354d7fb4845608846d7bc0f30b
Instruction ID: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194
Opcode Fuzzy Hash: BCE0864D058EF36F1875B08C25D267100C0C9A25D0917BB6151282339B8F09B42FE553
Instruction Fuzzy Hash: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194

APIs

Part of subcall function 00426888: GetObjectA.GDI32(?,00000054), ref: 0042689C

CreateCompatibleDC.GDI32(00000000), ref: 004269FE
SelectPalette.GDI32(?,?,00000000), ref: 00426A1F
RealizePalette.GDI32(?), ref: 00426A2B
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 00426A42
SelectPalette.GDI32(?,00000000,00000000), ref: 00426A6A
DeleteDC.GDI32(?), ref: 00426A73

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426210, Relevance: 9.1, APIs: 6, Instructions: 56 Total matches: 3064window

Similarity

Total matches: 3064
API ID: SelectObject$CreateCompatibleDCCreatePaletteDeleteDCGetDIBColorTable
String ID:
API String ID: 2522673167-0
Opcode ID: 8f0861977a40d6dd0df59c1c8ae10ba78c97ad85d117a83679491ebdeecf1838
Instruction ID: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265
Opcode Fuzzy Hash: 23E0CD8BABB4E08A797B9EA40440641D28F874312DF4347525731780E7DE0972EBFD9D
Instruction Fuzzy Hash: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265

APIs

CreateCompatibleDC.GDI32(00000000), ref: 00426229
SelectObject.GDI32(00000000,00000000), ref: 00426232
GetDIBColorTable.GDI32(00000000,00000000,00000100,?), ref: 00426246
SelectObject.GDI32(00000000,00000000), ref: 00426252
DeleteDC.GDI32(00000000), ref: 00426258
CreatePalette.GDI32 ref: 0042629F

Part of subcall function 00426178: GetDC.USER32(00000000), ref: 00426190
Part of subcall function 00426178: GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
Part of subcall function 00426178: ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004258EC, Relevance: 9.0, APIs: 6, Instructions: 43 Total matches: 3205

Similarity

Total matches: 3205
API ID: SetBkColorSetBkMode$SelectObjectUnrealizeObject
String ID:
API String ID: 865388446-0
Opcode ID: ffaa839b37925f52af571f244b4bcc9ec6d09047a190f4aa6a6dd435522a71e3
Instruction ID: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d
Opcode Fuzzy Hash: 04D09E594221F71A98E8058442D7D520586497D532DAF3B51063B173F7F8089A05D9FC
Instruction Fuzzy Hash: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d

APIs

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

UnrealizeObject.GDI32(00000000), ref: 004258F8
SelectObject.GDI32(?,00000000), ref: 0042590A
SetBkColor.GDI32(?,00000000), ref: 0042592D
SetBkMode.GDI32(?,00000002), ref: 00425938

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(?,00000000), ref: 00425953
SetBkMode.GDI32(?,00000001), ref: 0042595E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042A930, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 112 Total matches: 272window

Similarity

Total matches: 272
API ID: CreateHalftonePaletteDeleteObjectGetDCReleaseDC
String ID: (
API String ID: 5888407-3887548279
Opcode ID: 4e22601666aff46a46581565b5bf303763a07c2fd17868808ec6dd327d665c82
Instruction ID: f57f3c124764741b0e8e00b5455ad9be4a6e3969f543885727e4b1f2e22c0620
Opcode Fuzzy Hash: 79019E5241CC6117F8D7A6547852F732644AB806A5C80FB707B69BA8CFAB85610EB90B
Instruction Fuzzy Hash: f57f3c124764741b0e8e00b5455ad9be4a6e3969f543885727e4b1f2e22c0620

APIs

GetDC.USER32(00000000), ref: 0042A9EC
CreateHalftonePalette.GDI32(00000000), ref: 0042A9F9
ReleaseDC.USER32(00000000,00000000), ref: 0042AA08
DeleteObject.GDI32(00000000), ref: 0042AA76

Strings

(, xrefs: 0042A9A3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DA48, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 102 Total matches: 32

Similarity

Total matches: 32
API ID: Netbios
String ID: %.2x-%.2x-%.2x-%.2x-%.2x-%.2x$3$memory allocation failed!
API String ID: 544444789-2654533857
Opcode ID: 22deb5ba4c8dd5858e69645675ac88c4b744798eed5cc2a6ae80ae5365d1f156
Instruction ID: 205d53b38d78d2d0723284a20418f6a6cc2e9f6e34ee92e133a3f4b1a01c78c5
Opcode Fuzzy Hash: FC0145449793E233D2635E086C60F6823228F41731FC96B56863A557DC1F09420EF26F
Instruction Fuzzy Hash: 205d53b38d78d2d0723284a20418f6a6cc2e9f6e34ee92e133a3f4b1a01c78c5

APIs

Netbios.NETAPI32(00000032), ref: 0048DA8A
Netbios.NETAPI32(00000033), ref: 0048DB01

Strings

3, xrefs: 0048DACB
memory allocation failed!, xrefs: 0048DAEB
%.2x-%.2x-%.2x-%.2x-%.2x-%.2x, xrefs: 0048DBA0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EA7C, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50 Total matches: 198thread

Similarity

Total matches: 198
API ID: FindWindowExGetCurrentThreadIdGetWindowThreadProcessIdIsWindow
String ID: OleMainThreadWndClass
API String ID: 201132107-3883841218
Opcode ID: cdbacb71e4e8a6832b821703e69153792bbbb8731c9381be4d3b148a6057b293
Instruction ID: 62358f18f5a79d764869bf2b093b0b3ccaeb62bda00a46bd1094c38cdaeeb6b7
Opcode Fuzzy Hash: F8E08C9266CC1095C039EA1C7A2237A3548B7D24E9ED4DB747BEB2716CEF00022A7780
Instruction Fuzzy Hash: 62358f18f5a79d764869bf2b093b0b3ccaeb62bda00a46bd1094c38cdaeeb6b7

APIs

Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00000000,00403029), ref: 004076AD
Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00403029), ref: 004076BE

IsWindow.USER32(?), ref: 0042EA99
FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
GetCurrentThreadId.KERNEL32(?,00000000,00000000,00000000,OleMainThreadWndClass,00000000,?,?,00000000,0042EB52), ref: 0042EB0A

Strings

OleMainThreadWndClass, xrefs: 0042EAC3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434AE4, Relevance: 7.7, APIs: 5, Instructions: 168 Total matches: 2874

Similarity

Total matches: 2874
API ID: DrawTextOffsetRect$DrawEdge
String ID:
API String ID: 1230182654-0
Opcode ID: 4033270dfa35f51a11e18255a4f5fd5a4a02456381e8fcea90fa62f052767fcc
Instruction ID: 6b9e5ef3b45a4a7d0cb501c9f56a29ead01efbe1e1581f942ef4c6a165ab8663
Opcode Fuzzy Hash: A511CB01114D5A93E431240815A7FEF1295FBC1A9BCD4BB71078636DBB2F481017EA7B
Instruction Fuzzy Hash: 6b9e5ef3b45a4a7d0cb501c9f56a29ead01efbe1e1581f942ef4c6a165ab8663

APIs

DrawEdge.USER32(00000000,?,00000006,00000002), ref: 00434BB3
OffsetRect.USER32(?,00000001,00000001), ref: 00434C04
DrawTextA.USER32(00000000,00000000,?,?,?), ref: 00434C3D
OffsetRect.USER32(?,000000FF,000000FF), ref: 00434C4A

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

DrawTextA.USER32(00000000,00000000,?,?,?), ref: 00434CB5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004455EC, Relevance: 7.6, APIs: 5, Instructions: 109 Total matches: 230

Similarity

Total matches: 230
API ID: ShowOwnedPopupsShowWindow$EnumWindows
String ID:
API String ID: 1268429734-0
Opcode ID: 27bb45b2951756069d4f131311b8216febb656800ffc3f7147a02f570a82fa35
Instruction ID: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc
Opcode Fuzzy Hash: 70012B5524E87325E2756D54B01C765A2239B0FF08CE6C6654AAE640F75E1E0132F78D
Instruction Fuzzy Hash: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc

APIs

EnumWindows.USER32(00445518,00000000), ref: 00445620
ShowWindow.USER32(?,00000000), ref: 00445655
ShowOwnedPopups.USER32(00000000,?), ref: 00445684
ShowWindow.USER32(?,00000005), ref: 004456EA
ShowOwnedPopups.USER32(00000000,?), ref: 00445719

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EB3C, Relevance: 7.6, APIs: 5, Instructions: 86 Total matches: 211window

Similarity

Total matches: 211
API ID: DispatchMessageMsgWaitForMultipleObjectsExPeekMessageTranslateMessageWaitForMultipleObjectsEx
String ID:
API String ID: 1615661765-0
Opcode ID: ed928f70f25773e24e868fbc7ee7d77a1156b106903410d7e84db0537b49759f
Instruction ID: 55a40452e6c929106030349fb2bc1598364ce2fc4e781c2a916e8f687fa462b2
Opcode Fuzzy Hash: DDF05C09614F1D16D8BB88644562B1B2144AB42397C26BFA5529EE3B2D6B18B00AF640
Instruction Fuzzy Hash: 55a40452e6c929106030349fb2bc1598364ce2fc4e781c2a916e8f687fa462b2

APIs

Part of subcall function 0042EA7C: IsWindow.USER32(?), ref: 0042EA99
Part of subcall function 0042EA7C: FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
Part of subcall function 0042EA7C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
Part of subcall function 0042EA7C: GetCurrentThreadId.KERNEL32(?,00000000,00000000,00000000,OleMainThreadWndClass,00000000,?,?,00000000,0042EB52), ref: 0042EB0A

MsgWaitForMultipleObjectsEx.USER32(?,?,?,000000BF,?), ref: 0042EB6A
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 0042EB85
TranslateMessage.USER32(?), ref: 0042EB92
DispatchMessageA.USER32(?), ref: 0042EB9B
WaitForMultipleObjectsEx.KERNEL32(?,?,?,?,00000000), ref: 0042EBC7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434924, Relevance: 7.6, APIs: 5, Instructions: 77 Total matches: 2509window

Similarity

Total matches: 2509
API ID: GetMenuItemCount$DestroyMenuGetMenuStateRemoveMenu
String ID:
API String ID: 4240291783-0
Opcode ID: 32de4ad86fdb0cc9fc982d04928276717e3a5babd97d9cb0bc7430a9ae97d0ca
Instruction ID: cf6877f9ad33401498591f2bf6e6844a5ca439f59e89e6fdb213c81f0c010526
Opcode Fuzzy Hash: 6BE02BD3455E4703F425AB0454E3FA913C4AF51716DA0DB1017359D07B1F26501FE9F4
Instruction Fuzzy Hash: cf6877f9ad33401498591f2bf6e6844a5ca439f59e89e6fdb213c81f0c010526

APIs

Part of subcall function 00434A54: CreatePopupMenu.USER32 ref: 00434A6F
Part of subcall function 00434A54: CreateMenu.USER32 ref: 00434A79

GetMenuItemCount.USER32(00000000), ref: 0043495C
GetMenuState.USER32(00000000,-00000001,00000400), ref: 0043497D
RemoveMenu.USER32(00000000,-00000001,00000400), ref: 00434994
GetMenuItemCount.USER32(00000000), ref: 004349C4
DestroyMenu.USER32(00000000), ref: 004349D1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00443430, Relevance: 7.6, APIs: 5, Instructions: 61 Total matches: 3003

Similarity

Total matches: 3003
API ID: SetWindowLong$GetWindowLongRedrawWindowSetLayeredWindowAttributes
String ID:
API String ID: 3761630487-0
Opcode ID: 9c9d49d1ef37d7cb503f07450c0d4a327eb9b2b4778ec50dcfdba666c10abcb3
Instruction ID: c6d9d2cd31c241e86b7d90949bf59b5cad1e27a78e0073c3828bbb8e9ec94880
Opcode Fuzzy Hash: 6AE06550D41703A1D48114945B63FBBE8817F8911DDE5C71001BA29145BA88A192FF7B
Instruction Fuzzy Hash: c6d9d2cd31c241e86b7d90949bf59b5cad1e27a78e0073c3828bbb8e9ec94880

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 00443464
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 00443496
SetLayeredWindowAttributes.USER32(00000000,?,?,00000000), ref: 004434CF
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 004434E8
RedrawWindow.USER32(00000000,00000000,00000000,00000485), ref: 004434FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426178, Relevance: 7.6, APIs: 5, Instructions: 55 Total matches: 3070window

Similarity

Total matches: 3070
API ID: GetPaletteEntries$GetDCGetDeviceCapsReleaseDC
String ID:
API String ID: 1267235336-0
Opcode ID: 49f91625e0dd571c489fa6fdad89a91e8dd79834746e98589081ca7a3a4fea17
Instruction ID: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836
Opcode Fuzzy Hash: 7CD0C2AA1389DBD6BD6A17842352A4553478983B09D126B32EB0822872850C5039FD1F
Instruction Fuzzy Hash: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836

APIs

GetDC.USER32(00000000), ref: 00426190
GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444B90, Relevance: 7.5, APIs: 5, Instructions: 25 Total matches: 2957synchronizationthread

Similarity

Total matches: 2957
API ID: CloseHandleGetCurrentThreadIdSetEventUnhookWindowsHookExWaitForSingleObject
String ID:
API String ID: 3442057731-0
Opcode ID: bc40a7f740796d43594237fc13166084f8c3b10e9e48d5138e47e82ca7129165
Instruction ID: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1
Opcode Fuzzy Hash: E9C01296B2C9B0C1EC809712340202800B20F8FC590E3DE0509D7363005315D73CD92C
Instruction Fuzzy Hash: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1

APIs

UnhookWindowsHookEx.USER32(00000000), ref: 00444B9F
SetEvent.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBA
GetCurrentThreadId.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBF
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00444BD4
CloseHandle.KERNEL32(00000000), ref: 00444BDF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040D670, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148 Total matches: 3566thread

Similarity

Total matches: 3566
API ID: GetThreadLocale
String ID: eeee$ggg$yyyy
API String ID: 1366207816-1253427255
Opcode ID: 86fa1fb3c1f239f42422769255d2b4db7643f856ec586a18d45da068e260c20e
Instruction ID: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436
Opcode Fuzzy Hash: 3911BD8712648363D5722818A0D2BE3199C5703CA4EA89742DDB6356EA7F09440BEE6D
Instruction Fuzzy Hash: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436

APIs

GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Strings

eeee, xrefs: 0040D7AE
yyyy, xrefs: 0040D795
ggg, xrefs: 0040D785

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F5E4, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72 Total matches: 26window

Similarity

Total matches: 26
API ID: GetWindowPlacementGetWindowTextIsWindowVisible
String ID: ,
API String ID: 41250382-3772416878
Opcode ID: d98ece8bad481757d152ad7594c705093dec75069e9b5f9ec314c4d81001c558
Instruction ID: 1b57460ef1e40e225087e69e669dd845b9a56fe4f5442601256b4cdd4d0865f6
Opcode Fuzzy Hash: DBE0ABC68782816BD907FDCCB0207E6E1E4779394CC8CBB32C606396E44D92000DCE69
Instruction Fuzzy Hash: 1b57460ef1e40e225087e69e669dd845b9a56fe4f5442601256b4cdd4d0865f6

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F634
GetWindowPlacement.USER32(?,0000002C), ref: 0046F64F
IsWindowVisible.USER32(?), ref: 0046F655

Strings

,, xrefs: 0046F643

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00485150, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64 Total matches: 24registry

Similarity

Total matches: 24
API ID: RegCloseKeyRegOpenKeyRegSetValueEx
String ID: Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 551737238-1428018034
Opcode ID: 03d06dea9a4ea131a8c95bd501c85e7d0b73df60e0a15cb9a2dd1ac9fe2d308f
Instruction ID: 259808f008cd29689f11a183a475b32bbb219f99a0f83129d86369365ce9f44d
Opcode Fuzzy Hash: 15E04F8517EAE2ABA996B5C838866F7609A9713790F443FB19B742F18B4F04601CE243
Instruction Fuzzy Hash: 259808f008cd29689f11a183a475b32bbb219f99a0f83129d86369365ce9f44d

APIs

RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 00485199
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,?,00000000,004851DE,?,00000000,0048520A), ref: 004851C6
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,?,00000000,004851DE,?,00000000,0048520A), ref: 004851CF

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 0048518F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004606CC, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 59 Total matches: 75network

Similarity

Total matches: 75
API ID: gethostbynameinet_addr
String ID: %d.%d.%d.%d$0.0.0.0
API String ID: 1594361348-464342551
Opcode ID: 7e59b623bdbf8c44b8bb58eaa9a1d1e7bf08be48a025104469b389075155053e
Instruction ID: 136b4077bafd549567cd44b702fc781b2d0bdeab701521d256d746d30229b047
Opcode Fuzzy Hash: 62E0D84049F633C28038E685914DF713041C71A2DEF8F9352022171EF72B096986AE3F
Instruction Fuzzy Hash: 136b4077bafd549567cd44b702fc781b2d0bdeab701521d256d746d30229b047

APIs

inet_addr.WSOCK32(00000000), ref: 004606F6
gethostbyname.WSOCK32(00000000), ref: 00460711

Strings

%d.%d.%d.%d, xrefs: 0046075E
0.0.0.0, xrefs: 0046076C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043804C, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58 Total matches: 1778window

Similarity

Total matches: 1778
API ID: DrawMenuBarGetMenuItemInfoSetMenuItemInfo
String ID: P
API String ID: 41131186-3110715001
Opcode ID: ea0fd48338f9c30b58f928f856343979a74bbe7af1b6c53973efcbd39561a32d
Instruction ID: eec9c326b6739cd85be96541f469f9b321a478421ae7c7aca53e0c239bd8eefe
Opcode Fuzzy Hash: C8E0C0C1064C1301CCACB4938564F010221FB8B33CDD1D3C051602419A9D0080D4BFFA
Instruction Fuzzy Hash: eec9c326b6739cd85be96541f469f9b321a478421ae7c7aca53e0c239bd8eefe

APIs

GetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 0043809A
SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 004380EC
DrawMenuBar.USER32(00000000), ref: 004380F9

Strings

P, xrefs: 0043808C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C3E4, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47 Total matches: 32libraryloader

Similarity

Total matches: 32
API ID: FreeLibraryGetProcAddressLoadLibrary
String ID: _DCEntryPoint
API String ID: 2438569322-2130044969
Opcode ID: ab6be07d423f29e2cef18b5ad5ff21cef58c0bd0bd6b8b884c8bb9d8d911d098
Instruction ID: 3cba8b520013dd4b177f9c32272ffd10ecf318a20762e1e9fa694429cf7511db
Opcode Fuzzy Hash: B9D0C2568747D413C405200439407D90CF1AF8719F9967FA145303FAD76F09801B7527
Instruction Fuzzy Hash: 3cba8b520013dd4b177f9c32272ffd10ecf318a20762e1e9fa694429cf7511db

APIs

LoadLibraryA.KERNEL32(00000000), ref: 0048C431
GetProcAddress.KERNEL32(00000000,_DCEntryPoint,00000000,0048C473), ref: 0048C442
FreeLibrary.KERNEL32(00000000), ref: 0048C44A

Strings

_DCEntryPoint, xrefs: 0048C43C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046D36C, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36 Total matches: 62

Similarity

Total matches: 62
API ID: ShellExecute
String ID: /k $[FILE]$open
API String ID: 2101921698-3009165984
Opcode ID: 68a05d7cd04e1a973318a0f22a03b327e58ffdc8906febc8617c9713a9b295c3
Instruction ID: d64fb813625eb261c687c2654e5203d30067de4ace02db37851750b48dd66fbf
Opcode Fuzzy Hash: FED0C75427CD9157FA017F8439527E61057E747281D481BE285587A0838F8D40659312
Instruction Fuzzy Hash: d64fb813625eb261c687c2654e5203d30067de4ace02db37851750b48dd66fbf

APIs

ShellExecuteA.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0046D3B9

Strings

/k , xrefs: 0046D39A
cmd.exe, xrefs: 0046D3AD
open, xrefs: 0046D3B2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042F9E4, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36 Total matches: 35libraryloader

Similarity

Total matches: 35
API ID: GetProcAddressLoadLibrary
String ID: DWMAPI.DLL$DwmExtendFrameIntoClientArea
API String ID: 3291547091-2956373744
Opcode ID: cc41b93bac7ef77e5c5829331b5f2d91e10911707bc9e4b3bb75284856726923
Instruction ID: 611aa7263024d751f308fb3d57e5af9092bc5a71ac2d52dead79affe02cb0da7
Opcode Fuzzy Hash: D0D0A7E4C08511B0F0509405703078241DE1BC5EEE8860E90150E533621B9FB827F65C
Instruction Fuzzy Hash: 611aa7263024d751f308fb3d57e5af9092bc5a71ac2d52dead79affe02cb0da7

APIs

LoadLibraryA.KERNEL32(DWMAPI.DLL), ref: 0042FA0E
GetProcAddress.KERNEL32(00000000,DwmExtendFrameIntoClientArea,?,?,?,00447F98), ref: 0042FA31

Strings

DWMAPI.DLL, xrefs: 0042FA09
DwmExtendFrameIntoClientArea, xrefs: 0042FA26

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042FA80, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31 Total matches: 41libraryloader

Similarity

Total matches: 41
API ID: GetProcAddressLoadLibrary
String ID: DWMAPI.DLL$DwmIsCompositionEnabled
API String ID: 3291547091-2128843254
Opcode ID: 903d86e3198bc805c96c7b960047695f5ec88b3268c29fda1165ed3f3bc36d22
Instruction ID: 6cdb37f6684ca359e010f835ed4616ce0f7732468e0f2b98b5f1960530870703
Opcode Fuzzy Hash: E3D0C9A5C0865175F571D509713068081FA23D6E8A8824998091A123225FAFB866F55C
Instruction Fuzzy Hash: 6cdb37f6684ca359e010f835ed4616ce0f7732468e0f2b98b5f1960530870703

APIs

LoadLibraryA.KERNEL32(DWMAPI.DLL), ref: 0042FAA6
GetProcAddress.KERNEL32(00000000,DwmIsCompositionEnabled,?,?,0042FB22,?,00447EFB), ref: 0042FAC9

Strings

DwmIsCompositionEnabled, xrefs: 0042FABE
DWMAPI.DLL, xrefs: 0042FAA1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040F4AC, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16 Total matches: 3137libraryloader

Similarity

Total matches: 3137
API ID: GetModuleHandleGetProcAddress
String ID: GetDiskFreeSpaceExA$[FILE]
API String ID: 1063276154-3559590856
Opcode ID: c33e0a58fb58839ae40c410e06ae8006a4b80140bf923832b2d6dbd30699e00d
Instruction ID: 9d6a6771c1a736381c701344b3d7b8e37c98dfc5013332f68a512772380f22cc
Opcode Fuzzy Hash: D8B09224E0D54114C4B4560930610013C82738A10E5019A820A1B720AA7CCEEA29603A
Instruction Fuzzy Hash: 9d6a6771c1a736381c701344b3d7b8e37c98dfc5013332f68a512772380f22cc

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0048F10B,00000000,0048F11E), ref: 0040F4B2
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA,kernel32.dll,?,0048F10B,00000000,0048F11E), ref: 0040F4C3

Strings

GetDiskFreeSpaceExA, xrefs: 0040F4BD
kernel32.dll, xrefs: 0040F4AD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EC20, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15 Total matches: 48libraryloader

Similarity

Total matches: 48
API ID: GetModuleHandleGetProcAddress
String ID: CoWaitForMultipleHandles$[FILE]
API String ID: 1063276154-3065170753
Opcode ID: c6d715972c75e747e6d7ad7506eebf8b4c41a2b527cd9bc54a775635c050cd0f
Instruction ID: d81c7de5bd030b21af5c52a75e3162b073d887a4de1eb555b8966bd0fb9ec815
Opcode Fuzzy Hash: 4DB012F9A0C9210CE55F44043163004ACF031C1B5F002FD461637827803F86F437631D
Instruction Fuzzy Hash: d81c7de5bd030b21af5c52a75e3162b073d887a4de1eb555b8966bd0fb9ec815

APIs

GetModuleHandleA.KERNEL32(ole32.dll,?,0042EC9A), ref: 0042EC26
GetProcAddress.KERNEL32(00000000,CoWaitForMultipleHandles,ole32.dll,?,0042EC9A), ref: 0042EC37

Strings

CoWaitForMultipleHandles, xrefs: 0042EC31
ole32.dll, xrefs: 0042EC21

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00411444, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: 954335058d5fe722e048a186d9110509c96c1379a47649d8646f5b9e1a2e0a0b
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: 9D014B0327CAAA867021BB004882FA0D2D4DE52A369CD8774DB71593F62780571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004114F3
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041150F
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411586
VariantClear.OLEAUT32(?), ref: 004115AF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428848, Relevance: 6.1, APIs: 4, Instructions: 83 Total matches: 2913window

Similarity

Total matches: 2913
API ID: CreateCompatibleDCRealizePaletteSelectObjectSelectPalette
String ID:
API String ID: 3833105616-0
Opcode ID: 7f49dee69bcd38fda082a6c54f39db5f53dba16227df2c2f18840f8cf7895046
Instruction ID: 29ada319a87402adac0eebea4d3b1ef9d21249ffa1523adf5174efdc3c3390a2
Opcode Fuzzy Hash: C0F0E5870BCED49BFCA7D484249722910C2F3C08DFC80A3324E55676DB9604B127A20B
Instruction Fuzzy Hash: 29ada319a87402adac0eebea4d3b1ef9d21249ffa1523adf5174efdc3c3390a2

APIs

Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE

Part of subcall function 00429D5C: GetDC.USER32(00000000), ref: 00429DB2
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429DC7
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00429DD1
Part of subcall function 00429D5C: CreateHalftonePalette.GDI32(00000000), ref: 00429DF5
Part of subcall function 00429D5C: ReleaseDC.USER32(00000000,00000000), ref: 00429E00

CreateCompatibleDC.GDI32(00000000), ref: 0042889D
SelectObject.GDI32(00000000,?), ref: 004288B6
SelectPalette.GDI32(00000000,?,000000FF), ref: 004288DF
RealizePalette.GDI32(00000000), ref: 004288EB

Part of subcall function 00425608: LeaveCriticalSection.KERNEL32(00000038,00000000,00423DD2,00423DE8), ref: 0042560F
Part of subcall function 00425608: EnterCriticalSection.KERNEL32(00499A30,00000038,00000000,00423DD2,00423DE8), ref: 00425619
Part of subcall function 00425608: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000038,00000000,00423DD2,00423DE8), ref: 00425626

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00438710, Relevance: 6.1, APIs: 4, Instructions: 72 Total matches: 3034window

Similarity

Total matches: 3034
API ID: GetMenuItemIDGetMenuStateGetMenuStringGetSubMenu
String ID:
API String ID: 4177512249-0
Opcode ID: ecc45265f1f2dfcabc36b66648e37788e83d83d46efca9de613be41cbe9cf08e
Instruction ID: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d
Opcode Fuzzy Hash: BEE020084B1FC552541F0A4A1573F019140E142CB69C3F3635127565B31A255213F776
Instruction Fuzzy Hash: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d

APIs

GetMenuState.USER32(?,?,?), ref: 00438733
GetSubMenu.USER32(?,?), ref: 0043873E
GetMenuItemID.USER32(?,?), ref: 00438757
GetMenuStringA.USER32(?,?,?,?,?), ref: 004387AA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00445518, Relevance: 6.1, APIs: 4, Instructions: 71 Total matches: 218threadwindow

Similarity

Total matches: 218
API ID: GetCurrentProcessIdGetWindowGetWindowThreadProcessIdIsWindowVisible
String ID:
API String ID: 3659984437-0
Opcode ID: 6a2b99e3a66d445235cbeb6ae27631a3038d73fb4110980a8511166327fee1f0
Instruction ID: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8
Opcode Fuzzy Hash: 82E0AB21B2AA28AAE0971541B01939130B3F74ED9ACC0A3626F8594BD92F253809E74F
Instruction Fuzzy Hash: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8

APIs

GetWindow.USER32(?,00000004), ref: 00445528
GetWindowThreadProcessId.USER32(?,?), ref: 00445542
GetCurrentProcessId.KERNEL32(?,00000004), ref: 0044554E
IsWindowVisible.USER32(?), ref: 0044559E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B29C, Relevance: 6.1, APIs: 4, Instructions: 58 Total matches: 214window

Similarity

Total matches: 214
API ID: DeleteObject$GetIconInfoGetObject
String ID:
API String ID: 3019347292-0
Opcode ID: d6af2631bec08fa1cf173fc10c555d988242e386d2638a025981433367bbd086
Instruction ID: 7fbc048e39f9dd6e6db5f40543e5f161b145f4c2f282fe4a446dbd8e1941d375
Opcode Fuzzy Hash: F7D0C283228DE2F7ED767D983A636154085F782297C6423B00444730860A1E700C6A03
Instruction Fuzzy Hash: 7fbc048e39f9dd6e6db5f40543e5f161b145f4c2f282fe4a446dbd8e1941d375

APIs

GetIconInfo.USER32(?,?), ref: 0042B2BD
GetObjectA.GDI32(?,00000018,?), ref: 0042B2DE
DeleteObject.GDI32(?), ref: 0042B30A
DeleteObject.GDI32(?), ref: 0042B313

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00445334, Relevance: 6.1, APIs: 4, Instructions: 56 Total matches: 2678

Similarity

Total matches: 2678
API ID: EnumWindowsGetWindowGetWindowLongSetWindowPos
String ID:
API String ID: 1660305372-0
Opcode ID: c3d012854d63b95cd89c42a77d529bdce0f7c5ea0abc138a70ce1ca7fb0ed027
Instruction ID: 7947c1ee61b3a945b06f79495752ea495d4a1fb36974d9d540e15b721e8a8e8a
Opcode Fuzzy Hash: 65E07D89179DA114F52124400911F043342F3D731BD1ADF814246283E39B8522BBFB8C
Instruction Fuzzy Hash: 7947c1ee61b3a945b06f79495752ea495d4a1fb36974d9d540e15b721e8a8e8a

APIs

EnumWindows.USER32(Function_000452BC), ref: 0044535E
GetWindow.USER32(?,00000003), ref: 00445376
GetWindowLongA.USER32(00000000,000000EC), ref: 00445383
SetWindowPos.USER32(00000000,000000EC,00000000,00000000,00000000,00000000,00000213), ref: 004453C2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040A404, Relevance: 6.1, APIs: 4, Instructions: 54 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: c8f11cb17e652d385e55d6399cfebc752614be738e382b5839b86fc73ea86396
Instruction ID: 2e292ce978d1af3d415e66e5b982e49a92b9d84a3d1479b7871fac408542b61b
Opcode Fuzzy Hash: 32D02B030B309613452F157D0441F8D7032488F01A96C2F8C37B77ABA68505605FFE4C
Instruction Fuzzy Hash: 2e292ce978d1af3d415e66e5b982e49a92b9d84a3d1479b7871fac408542b61b

APIs

FindNextFileA.KERNEL32(?,?), ref: 0040A415
GetLastError.KERNEL32(?,?), ref: 0040A41E
FileTimeToLocalFileTime.KERNEL32(?), ref: 0040A434
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 0040A443

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0041C2D4, Relevance: 6.1, APIs: 4, Instructions: 51 Total matches: 4966

Similarity

Total matches: 4966
API ID: FindResourceLoadResourceLockResourceSizeofResource
String ID:
API String ID: 3653323225-0
Opcode ID: 735dd83644160b8dcfdcb5d85422b4d269a070ba32dbf009b7750e227a354687
Instruction ID: 615d07274e164157e3e11310b2f920de543c2506028dc961f8b3aaf64374c2fd
Opcode Fuzzy Hash: 4BD0A90A2268C100582C2C80002BBC610830A5FE226CC27F902231BBC32C026024F8C4
Instruction Fuzzy Hash: 615d07274e164157e3e11310b2f920de543c2506028dc961f8b3aaf64374c2fd

APIs

FindResourceA.KERNEL32(?,?,?), ref: 0041C2EB
LoadResource.KERNEL32(?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C305
SizeofResource.KERNEL32(?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C31F
LockResource.KERNEL32(0041BDF4,00000000,?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000), ref: 0041C329

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040A3AC, Relevance: 6.0, APIs: 4, Instructions: 40 Total matches: 51time

Similarity

Total matches: 51
API ID: DosDateTimeToFileTimeGetLastErrorLocalFileTimeToFileTimeSetFileTime
String ID:
API String ID: 3095628216-0
Opcode ID: dc7fe683cb9960f76d0248ee31fd3249d04fe76d6d0b465a838fe0f3e66d3351
Instruction ID: c3399427300e97a0bf23ec08d7f996c3ab3c22a86554ee3675cd901d102723b3
Opcode Fuzzy Hash: F2C0803B165157D71F4F7D7C600375011F0D1778230955B614E019718D4E05F01EFD86
Instruction Fuzzy Hash: c3399427300e97a0bf23ec08d7f996c3ab3c22a86554ee3675cd901d102723b3

APIs

DosDateTimeToFileTime.KERNEL32(?,0048C37F,?), ref: 0040A3C9
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0040A3DA
SetFileTime.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3EC
GetLastError.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3F5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00484388, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 39

Similarity

Total matches: 39
API ID: CloseHandleGetExitCodeProcessOpenProcessTerminateProcess
String ID:
API String ID: 2790531620-0
Opcode ID: 2f64381cbc02908b23ac036d446d8aeed05bad4df5f4c3da9e72e60ace7043ae
Instruction ID: e830ae185e03603e72926048c7063e7464f7d8c572e36ef4319c937be7ad0c91
Opcode Fuzzy Hash: 5DC01285079EAB7B643571D825437E14084D5026CCB943B7185045F10B4B09B43DF053
Instruction Fuzzy Hash: e830ae185e03603e72926048c7063e7464f7d8c572e36ef4319c937be7ad0c91

APIs

OpenProcess.KERNEL32(00000001,00000000,00000000), ref: 00484393
GetExitCodeProcess.KERNEL32(00000000,?), ref: 004843B7
TerminateProcess.KERNEL32(00000000,?,00000000,004843E0,?,00000001,00000000,00000000), ref: 004843C4
CloseHandle.KERNEL32(00000000), ref: 004843DA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044E254, Relevance: 6.0, APIs: 4, Instructions: 37 Total matches: 5751thread

Similarity

Total matches: 5751
API ID: GetCurrentProcessIdGetPropGetWindowThreadProcessIdGlobalFindAtom
String ID:
API String ID: 142914623-0
Opcode ID: 055fee701d7a26f26194a738d8cffb303ddbdfec43439e02886190190dab2487
Instruction ID: e9689aead5eaf442059aa2d418bca5d111d08576717f72d926dd49825766799b
Opcode Fuzzy Hash: 0AC02203AD2E23870E4202F2E840907219583DF8720CA370201B0E38C023F0461DFF0C
Instruction Fuzzy Hash: e9689aead5eaf442059aa2d418bca5d111d08576717f72d926dd49825766799b

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 0044E261
GetCurrentProcessId.KERNEL32(00000000,?,?,-00000010,00000000,0044E2CC,-000000F7,?,00000000,0044DE86,?,-00000010,?), ref: 0044E26A
GlobalFindAtomA.KERNEL32(00000000), ref: 0044E27F
GetPropA.USER32(00000000,00000000), ref: 0044E296

Part of subcall function 0044D2C0: GetWindowThreadProcessId.USER32(?), ref: 0044D2C6
Part of subcall function 0044D2C0: GetCurrentProcessId.KERNEL32(?,?,?,?,0044D346,?,00000000,?,004387ED,?,004378A9), ref: 0044D2CF
Part of subcall function 0044D2C0: SendMessageA.USER32(?,0000C1C7,00000000,00000000), ref: 0044D2E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444B1C, Relevance: 6.0, APIs: 4, Instructions: 34 Total matches: 2966thread

Similarity

Total matches: 2966
API ID: CreateEventCreateThreadGetCurrentThreadIdSetWindowsHookEx
String ID:
API String ID: 2240124278-0
Opcode ID: 54442a1563c67a11f9aee4190ed64b51599c5b098d388fde65e2e60bb6332aef
Instruction ID: 25b62da08cecef26c395931cea73ffe9b62582a88be241cbb158b3c9ea13de32
Opcode Fuzzy Hash: 37D0C940B0DE75C4F860630138017A90633234BF1BCD1C316480F76041C6CFAEF07A28
Instruction Fuzzy Hash: 25b62da08cecef26c395931cea73ffe9b62582a88be241cbb158b3c9ea13de32

APIs

GetCurrentThreadId.KERNEL32(?,00447A69,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00444B34
SetWindowsHookExA.USER32(00000003,00444AD8,00000000,00000000), ref: 00444B44
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00447A69,?,?,?,?,?,?,?,?,?,?), ref: 00444B5F
CreateThread.KERNEL32(00000000,000003E8,00444A7C,00000000,00000000), ref: 00444B83

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B438, Relevance: 6.0, APIs: 4, Instructions: 29 Total matches: 789

Similarity

Total matches: 789
API ID: GetDCGetTextMetricsReleaseDCSelectObject
String ID:
API String ID: 1769665799-0
Opcode ID: db772d9cc67723a7a89e04e615052b16571c955da3e3b2639a45f22e65d23681
Instruction ID: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3
Opcode Fuzzy Hash: DCC02B935A2888C32DE51FC0940084317C8C0E3A248C62212E13D400727F0C007CBFC0
Instruction Fuzzy Hash: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3

APIs

GetDC.USER32(00000000), ref: 0042B441
SelectObject.GDI32(00000000,018A002E), ref: 0042B453
GetTextMetricsA.GDI32(00000000), ref: 0042B45E
ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042473C, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 172 Total matches: 108

Similarity

Total matches: 108
API ID: CompareStringCreateFontIndirect
String ID: Default
API String ID: 480662435-753088835
Opcode ID: 55710f22f10b58c86f866be5b7f1af69a0ec313069c5af8c9f5cd005ee0f43f8
Instruction ID: ad4a051fb67a15694052d05548e5e2a92b9daedfa5d673be67c756d1cf269a99
Opcode Fuzzy Hash: F6116A2104DDB067F8B3EC94B64A74A79D1BBC5E9EC00FB303AA57198A0B01500EEB0E
Instruction Fuzzy Hash: ad4a051fb67a15694052d05548e5e2a92b9daedfa5d673be67c756d1cf269a99

APIs

Part of subcall function 00423A1C: EnterCriticalSection.KERNEL32(?,00423A59), ref: 00423A20

CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,00424930,?,00000000,00424958), ref: 0042486B
CreateFontIndirectA.GDI32(?), ref: 0042490D

Part of subcall function 0042B438: GetDC.USER32(00000000), ref: 0042B441
Part of subcall function 0042B438: SelectObject.GDI32(00000000,018A002E), ref: 0042B453
Part of subcall function 0042B438: GetTextMetricsA.GDI32(00000000), ref: 0042B45E
Part of subcall function 0042B438: ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Part of subcall function 00423A28: LeaveCriticalSection.KERNEL32(-00000008,00423B07,00423B0F), ref: 00423A2C

Strings

Default, xrefs: 00424832, 00424840, 00424841

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E3F0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103 Total matches: 30

Similarity

Total matches: 30
API ID: SHGetPathFromIDListSHGetSpecialFolderLocation
String ID: .LNK
API String ID: 739551631-2547878182
Opcode ID: 6b91e9416f314731ca35917c4d41f2341f1eaddd7b94683245f35c4551080332
Instruction ID: e6ae6f63a256f5e8788dfe1c4fce17057cd352befa637d7beb5ae1c0f18a968e
Opcode Fuzzy Hash: 9701B543079EC2A3D9232E512D43BA60129AF11E22F4C77F35A3C3A7D11E500105FA4A
Instruction Fuzzy Hash: e6ae6f63a256f5e8788dfe1c4fce17057cd352befa637d7beb5ae1c0f18a968e

APIs

SHGetSpecialFolderLocation.SHELL32(00000000,00000010,?), ref: 0046E44B
SHGetPathFromIDListA.SHELL32(?,?,00000000,00000010,?,00000000,0046E55E), ref: 0046E463

Part of subcall function 0042BE44: CoCreateInstance.OLE32(?,00000000,00000005,0042BF34,00000000), ref: 0042BE8B

Strings

.LNK, xrefs: 0046E4DE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00472C70, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 98 Total matches: 26

Similarity

Total matches: 26
API ID: SetFileAttributes
String ID: I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!$drivers\etc\hosts
API String ID: 3201317690-57959411
Opcode ID: de1fcf5289fd0d37c0d7642ff538b0d3acf26fbf7f5b53187118226b7e9f9585
Instruction ID: 1f69c6cfd5524e6f1e55c33e322de11738733e7ba85079705839c212502733fc
Opcode Fuzzy Hash: C4012B430F74D723D5173D857800B8922764B4A179D4A77F34B3B796E14E45101BF26D
Instruction Fuzzy Hash: 1f69c6cfd5524e6f1e55c33e322de11738733e7ba85079705839c212502733fc

APIs

Part of subcall function 004719C8: GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 004719DF

SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00472DAB,?,00000000,00472DE7), ref: 00472D16

Strings

drivers\etc\hosts, xrefs: 00472CD3, 00472D00
I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!, xrefs: 00472D8D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040C028, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79 Total matches: 3032thread

Similarity

Total matches: 3032
API ID: GetDateFormatGetThreadLocale
String ID: yyyy
API String ID: 358233383-3145165042
Opcode ID: a9ef5bbd8ef47e5bcae7fadb254d6b5dc10943448e4061dc92b10bb97dc7929c
Instruction ID: 3d7ab4add3e8180159f8482215856afc9a1a963464e366b4ca05c92ac214afea
Opcode Fuzzy Hash: 09F09E4A0397D3D76802C969D023BC10194EB5A8B2C88B3B1DBB43D7F74C10C40AAF21
Instruction Fuzzy Hash: 3d7ab4add3e8180159f8482215856afc9a1a963464e366b4ca05c92ac214afea

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,0040C116), ref: 0040C0AE
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100), ref: 0040C0B4

Strings

yyyy, xrefs: 0040C089

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E408, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44 Total matches: 2190

Similarity

Total matches: 2190
API ID: GetSystemMetrics
String ID: MonitorFromPoint
API String ID: 96882338-1072306578
Opcode ID: 666203dad349f535e62b1e5569e849ebaf95d902ba2aa8f549115cec9aadc9dc
Instruction ID: 9e90a3aeaa9df0e76633c437836624889fea8714b6c2508f44f8acb6986c90e8
Opcode Fuzzy Hash: 72D09540005C404E9427F505302314050862CD7C1444C0A96073728A4B4BC07837E70C
Instruction Fuzzy Hash: 9e90a3aeaa9df0e76633c437836624889fea8714b6c2508f44f8acb6986c90e8

APIs

GetSystemMetrics.USER32(00000000), ref: 0042E456
GetSystemMetrics.USER32(00000001), ref: 0042E468

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

MonitorFromPoint, xrefs: 0042E41A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E258, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39 Total matches: 3131

Similarity

Total matches: 3131
API ID: GetSystemMetrics
String ID: GetSystemMetrics
API String ID: 96882338-96882338
Opcode ID: bbc54e4b5041dfa08de2230ef90e8f32e1264c6e24ec09b97715d86cc98d23e9
Instruction ID: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c
Opcode Fuzzy Hash: B4D0A941986AA908E0AF511971A336358D163D2EA0C8C8362308B329EB5741B520AB01
Instruction Fuzzy Hash: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c

APIs

GetSystemMetrics.USER32(?), ref: 0042E2BA

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

GetSystemMetrics.USER32(?), ref: 0042E280

Strings

GetSystemMetrics, xrefs: 0042E268

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Process Name: filename.exe Analysis ID: 36662

General

Root Process Name:	regdrv.exe
Process MD5:	A70C54007E0A0936339D0641198A6FF5
Total matches:	112
Initial Analysis Report:	Open
Initial sample Analysis ID:	36662
Initial sample SHA 256:	CB5AF2A065152DA30C0F262FB7735C07EBB100E79549E347081DB719748E58A9
Initial sample name:	31transfer copy.exe

Similar Executed Functions

Function 0048AEA8, Relevance: 9.1, APIs: 6, Instructions: 108 Total matches: 122

Similarity

Total matches: 122
API ID: AdjustTokenPrivilegesCloseHandleGetCurrentProcessGetLastErrorLookupPrivilegeValueOpenProcessToken
String ID:
API String ID: 1655903152-0
Opcode ID: c92d68a2c1c5faafb4a28c396f292a277a37f0b40326d7f586547878ef495775
Instruction ID: 5a044237aac15a3989e4021d08b96f5326c338692d3d0e66e444868dbe789150
Opcode Fuzzy Hash: 2CF0468513CAB2E7F879B18C3042FE73458B323244C8437219A903A18E0E59A12CEB13
Instruction Fuzzy Hash: 5a044237aac15a3989e4021d08b96f5326c338692d3d0e66e444868dbe789150

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AEFF
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF05
LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000), ref: 0048AF77
CloseHandle.KERNEL32(?), ref: 0048AF8D
GetLastError.KERNEL32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF9A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DDE0, Relevance: 7.6, APIs: 5, Instructions: 54 Total matches: 153

Similarity

Total matches: 153
API ID: FindResourceFreeResourceLoadResourceLockResourceSizeofResource
String ID:
API String ID: 3885362348-0
Opcode ID: ef8b8e58cde3d28224df1e0c57da641ab2d3d01fa82feb3a30011b4f31433ee9
Instruction ID: 9990bafbf40e834a260b48e1f62370990a3e04654371271e90c167a58edff6a8
Opcode Fuzzy Hash: 08D02B420B5FA197F51656482C813D722876B43386EC42BF2D31A3B2E39F058039F60B
Instruction Fuzzy Hash: 9990bafbf40e834a260b48e1f62370990a3e04654371271e90c167a58edff6a8

APIs

FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 0048DE1A
LoadResource.KERNEL32(00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE24
SizeofResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE2E
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE36
FreeResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048B908, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 138 Total matches: 28

Similarity

Total matches: 28
API ID: GetTokenInformation$CloseHandleGetCurrentProcessOpenProcessToken
String ID: Default$Full$Limited$unknow
API String ID: 3519712506-3005279702
Opcode ID: c9e83fe5ef618880897256b557ce500f1bf5ac68e7136ff2dc4328b35d11ffd0
Instruction ID: 0b4c06dab34d27ad9d68d80be0f4d698db9405c4a95def130c1ac261927f5781
Opcode Fuzzy Hash: 94012245479DA6FB6826709C78036E90090EEA3505DC827320F1A3EA430F49906DFE03
Instruction Fuzzy Hash: 0b4c06dab34d27ad9d68d80be0f4d698db9405c4a95def130c1ac261927f5781

APIs

GetCurrentProcess.KERNEL32(00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B93E
OpenProcessToken.ADVAPI32(00000000,00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B944
GetTokenInformation.ADVAPI32(?,00000012(TokenIntegrityLevel),?,00000004,?,00000000,0048BA30,?,00000000,00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B96F
GetTokenInformation.ADVAPI32(?,00000014(TokenIntegrityLevel),?,00000004,?,?,TokenIntegrityLevel,?,00000004,?,00000000,0048BA30,?,00000000,00000008,?), ref: 0048B9DF
CloseHandle.KERNEL32(?), ref: 0048BA2A

Strings

unknow, xrefs: 0048B9B6
Limited, xrefs: 0048B9A7
Default, xrefs: 0048B989
Full, xrefs: 0048B998

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004035C4, Relevance: 15.1, APIs: 10, Instructions: 129 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: d538ecb20819965be69077a828496b76d5af3486dd71f6717b9dc933de35fdbc
Instruction ID: c976212507a0127e09b4f1878ff8970bdbefa7b4a5e526d5fabf74a192684bc9
Opcode Fuzzy Hash: DD012BC0B7E89268E42FAB84AA00FD25444979FFC9E70C74433C9615EE6742616CBE09
Instruction Fuzzy Hash: c976212507a0127e09b4f1878ff8970bdbefa7b4a5e526d5fabf74a192684bc9

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040364C
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00403670
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040368C
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 004036AD
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 004036D6
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 004036E4
GetStdHandle.KERNEL32(000000F5), ref: 0040371F
GetFileType.KERNEL32 ref: 00403735
CloseHandle.KERNEL32 ref: 00403750
GetLastError.KERNEL32(000000F5), ref: 00403768

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040EBCC, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201 Total matches: 3634thread

Similarity

Total matches: 3634
API ID: GetThreadLocale
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 1366207816-2493093252
Opcode ID: 01a36ac411dc2f0c4b9eddfafa1dc6121dabec367388c2cb1b6e664117e908cf
Instruction ID: d03f869ccb848d3c28b0e9f5c57a02ed4726818649ba9b5e70cc30c7e7abe10a
Opcode Fuzzy Hash: 7E216E09A7888936D262494C3885B9414F75F1A161EC4CBF18BB2757ED6EC60422FBFB
Instruction Fuzzy Hash: d03f869ccb848d3c28b0e9f5c57a02ed4726818649ba9b5e70cc30c7e7abe10a

APIs

Part of subcall function 0040EB08: GetThreadLocale.KERNEL32 ref: 0040EB2A
Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000004A), ref: 0040EB7D
Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000002A), ref: 0040EB8C

Part of subcall function 0040D3E8: GetThreadLocale.KERNEL32(00000000,0040D4FB,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040D404

GetThreadLocale.KERNEL32(00000000,0040EE97,?,?,00000000,00000000), ref: 0040EC02

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Part of subcall function 0040D380: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040EC7E,00000000,0040EE97,?,?,00000000,00000000), ref: 0040D393

Part of subcall function 0040D670: GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(?,00000000,0040D657,?,?,00000000), ref: 0040D5D8
Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040D657,?,?,00000000), ref: 0040D608
Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D50C,00000000,00000000,00000004), ref: 0040D613
Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040D657,?,?,00000000), ref: 0040D631
Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D548,00000000,00000000,00000003), ref: 0040D63C

Strings

AMPM , xrefs: 0040EE25
mmmm d, yyyy, xrefs: 0040ECFE
m/d/yy, xrefs: 0040ECD1
:mm, xrefs: 0040EE35
:mm:ss, xrefs: 0040EE52
AMPM, xrefs: 0040EE16

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045F5F8, Relevance: 10.6, APIs: 7, Instructions: 117 Total matches: 462file

Similarity

Total matches: 462
API ID: CloseHandle$CreateFileCreateFileMappingGetFileSizeMapViewOfFileUnmapViewOfFile
String ID:
API String ID: 4232242029-0
Opcode ID: 30b260463d44c6b5450ee73c488d4c98762007a87f67d167b52aaf6bd441c3bf
Instruction ID: 5c790fdba87d6d3a28b45298bdc34f72c373fcd78425af207109af52e92f4d8f
Opcode Fuzzy Hash: 68F028440BCCF3A7F4B5B64820427A1004AAB46B58D54BFA25495374CB89C9B04DFB53
Instruction Fuzzy Hash: 5c790fdba87d6d3a28b45298bdc34f72c373fcd78425af207109af52e92f4d8f

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateFileA.KERNEL32(00000000,80000000,00000003,00000000,00000003,08000080,00000000), ref: 0045F637
CreateFileMappingA.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0045F665
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718,?,?,?,?), ref: 0045F691
GetFileSize.KERNEL32(000000FF,00000000,00000000,0045F6DC,?,00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718), ref: 0045F6B3
UnmapViewOfFile.KERNEL32(00000000,0045F6E3,0045F6DC,?,00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718), ref: 0045F6D6
CloseHandle.KERNEL32(00000000), ref: 0045F6F4
CloseHandle.KERNEL32(000000FF), ref: 0045F712

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AFE8, Relevance: 10.6, APIs: 7, Instructions: 94 Total matches: 34sleep

Similarity

Total matches: 34
API ID: Sleep$GetCurrentProcessGetTokenInformationLookupPrivilegeDisplayNameLookupPrivilegeNameOpenProcessToken
String ID:
API String ID: 2949210484-0
Opcode ID: 1294ace95088db967643d611283e857756515b83d680ef470e886f47612abab4
Instruction ID: 080af5cb768fd98714a9d060fcd45c73de1816ca9ba7ffb4874f351f539571ee
Opcode Fuzzy Hash: F9F0F6524B5DE753F65D2A4C9893BE90250DB03424E806B22857877A8A5E195039FA2A
Instruction Fuzzy Hash: 080af5cb768fd98714a9d060fcd45c73de1816ca9ba7ffb4874f351f539571ee

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048B0F3), ref: 0048B016
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048B0F3), ref: 0048B01C
Sleep.KERNEL32(00000001,00000000,00000028,?,00000000,0048B0F3), ref: 0048B027
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B03C
Sleep.KERNEL32(00000001,?,TokenIntegrityLevel,00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B047
LookupPrivilegeNameA.ADVAPI32(00000000,00000004,00000000,000000FF), ref: 0048B094
LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,?,000000FF,?), ref: 0048B0A8

Part of subcall function 0048AEA8: GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AEFF
Part of subcall function 0048AEA8: OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF05
Part of subcall function 0048AEA8: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
Part of subcall function 0048AEA8: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000), ref: 0048AF77
Part of subcall function 0048AEA8: CloseHandle.KERNEL32(?), ref: 0048AF8D
Part of subcall function 0048AEA8: GetLastError.KERNEL32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF9A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B47C, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58 Total matches: 283

Similarity

Total matches: 283
API ID: MulDiv
String ID: MS Shell Dlg 2$SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes$Tahoma
API String ID: 940359406-1011973972
Opcode ID: 9f338f1e3de2c8e95426f3758bdd42744a67dcd51be80453ed6f2017c850a3af
Instruction ID: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a
Opcode Fuzzy Hash: EDE0680017C8F0ABFC32BC8A30A17CD20C9F341270C0063B1065D3D8CAAB4AC018E907
Instruction Fuzzy Hash: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a

APIs

MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0042B4A2

Part of subcall function 004217A0: RegCloseKey.ADVAPI32(10940000,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5,?,00000000,0048B2DD), ref: 004217B4

Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421A81
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421AF1
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?), ref: 00421B5C

Part of subcall function 00421770: RegFlushKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 00421781
Part of subcall function 00421770: RegCloseKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 0042178A

Part of subcall function 0042B438: GetDC.USER32(00000000), ref: 0042B441
Part of subcall function 0042B438: SelectObject.GDI32(00000000,018A002E), ref: 0042B453
Part of subcall function 0042B438: GetTextMetricsA.GDI32(00000000), ref: 0042B45E
Part of subcall function 0042B438: ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes, xrefs: 0042B4F8
MS Shell Dlg 2, xrefs: 0042B50C
Tahoma, xrefs: 0042B4C4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048CF38, Relevance: 4.5, APIs: 3, Instructions: 43 Total matches: 31

Similarity

Total matches: 31
API ID: GetForegroundWindowGetWindowTextGetWindowTextLength
String ID:
API String ID: 3098183346-0
Opcode ID: 209e0569b9b6198440fd91fa0607dca7769e34364d6ddda49eba559da13bc80b
Instruction ID: 91d0bfb2ef12b00d399625e8c88d0df52cd9c99a94677dcfff05ce23f9c63a23
Opcode Fuzzy Hash: 06D0A785074B861BA40A96CC64011E692906161142D8077318725BA5C9AD06001FA85B
Instruction Fuzzy Hash: 91d0bfb2ef12b00d399625e8c88d0df52cd9c99a94677dcfff05ce23f9c63a23

APIs

GetForegroundWindow.USER32 ref: 0048CF57
GetWindowTextLengthA.USER32(00000000), ref: 0048CF63
GetWindowTextA.USER32(00000000,00000000,00000001), ref: 0048CF80

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482028, Relevance: 4.5, APIs: 3, Instructions: 19 Total matches: 124window

Similarity

Total matches: 124
API ID: DispatchMessageGetMessageTranslateMessage
String ID:
API String ID: 238847732-0
Opcode ID: 2bc29e822e5a19ca43f9056ef731e5d255ca23f22894fa6ffe39914f176e67d0
Instruction ID: 3635f244085e73605198e4edd337f824154064b4cabe78c039b45d2f1f3269be
Opcode Fuzzy Hash: A9B0120F8141E01F254D19651413380B5D379C3120E515B604E2340284D19031C97C49
Instruction Fuzzy Hash: 3635f244085e73605198e4edd337f824154064b4cabe78c039b45d2f1f3269be

APIs

Part of subcall function 00481ED8: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00482007,?,?,00000003,00000000,00000000,?,00482033), ref: 00481EFB
Part of subcall function 00481ED8: SetWindowsHookExA.USER32(0000000D,004818F8,00000000,00000000), ref: 00481F09

TranslateMessage.USER32 ref: 00482036
DispatchMessageA.USER32 ref: 0048203C
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00482048

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Similar Non-Executed Functions

Function 0048B42C, Relevance: 70.2, APIs: 32, Strings: 8, Instructions: 219 Total matches: 29keyboard

Similarity

Total matches: 29
API ID: keybd_event
String ID: CTRLA$CTRLC$CTRLF$CTRLP$CTRLV$CTRLX$CTRLY$CTRLZ
API String ID: 2665452162-853614746
Opcode ID: 4def22f753c7f563c1d721fcc218f3f6eb664e5370ee48361dbc989d32d74133
Instruction ID: 963b610819eac8b52ef880b5a8b69d76f76adbdeafee6c47af906d1515d6b099
Opcode Fuzzy Hash: 532196951B0CA2B978DA64817C0E195F00B969B34DEDC13128990DAF788EF08DE03F35
Instruction Fuzzy Hash: 963b610819eac8b52ef880b5a8b69d76f76adbdeafee6c47af906d1515d6b099

APIs

keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B460
keybd_event.USER32(00000041,00000045,00000001,00000000), ref: 0048B46D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B47A
keybd_event.USER32(00000041,00000045,00000003,00000000), ref: 0048B487
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B4A8
keybd_event.USER32(00000056,00000045,00000001,00000000), ref: 0048B4B5
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B4C2
keybd_event.USER32(00000056,00000045,00000003,00000000), ref: 0048B4CF
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B4F0
keybd_event.USER32(00000043,00000045,00000001,00000000), ref: 0048B4FD
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B50A
keybd_event.USER32(00000043,00000045,00000003,00000000), ref: 0048B517
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B538
keybd_event.USER32(00000058,00000045,00000001,00000000), ref: 0048B545
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B552
keybd_event.USER32(00000058,00000045,00000003,00000000), ref: 0048B55F
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B580
keybd_event.USER32(00000050,00000045,00000001,00000000), ref: 0048B58D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B59A
keybd_event.USER32(00000050,00000045,00000003,00000000), ref: 0048B5A7
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B5C8
keybd_event.USER32(0000005A,00000045,00000001,00000000), ref: 0048B5D5
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B5E2
keybd_event.USER32(0000005A,00000045,00000003,00000000), ref: 0048B5EF
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B610
keybd_event.USER32(00000059,00000045,00000001,00000000), ref: 0048B61D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B62A
keybd_event.USER32(00000059,00000045,00000003,00000000), ref: 0048B637
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B655
keybd_event.USER32(00000046,00000045,00000001,00000000), ref: 0048B662
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B66F
keybd_event.USER32(00000046,00000045,00000003,00000000), ref: 0048B67C

Strings

CTRLP, xrefs: 0048B56C
CTRLC, xrefs: 0048B4DC
CTRLV, xrefs: 0048B494
CTRLY, xrefs: 0048B5FC
CTRLF, xrefs: 0048B641
CTRLZ, xrefs: 0048B5B4
CTRLX, xrefs: 0048B524
CTRLA, xrefs: 0048B44C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00460AC0, Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99 Total matches: 300libraryloader

Similarity

Total matches: 300
API ID: GetProcAddress$GetModuleHandle
String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$[FILE]
API String ID: 1039376941-2682310058
Opcode ID: f09c306a48b0de2dd47c8210d3bd2ba449cfa3644c05cf78ba5a2ace6c780295
Instruction ID: bcfc9cd07546656776842482fc67dab96c7523a4dc8624f3bf5282ed84c56a54
Opcode Fuzzy Hash: 950151BF00AC158CCBB0CE8834EFB5324AB398984C4225F4495C6312393D9FF50A1AAA
Instruction Fuzzy Hash: bcfc9cd07546656776842482fc67dab96c7523a4dc8624f3bf5282ed84c56a54

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?,?,?), ref: 00460AD4
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?,?,?), ref: 00460AEC
GetProcAddress.KERNEL32(00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?), ref: 00460AFE
GetProcAddress.KERNEL32(00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E), ref: 00460B10
GetProcAddress.KERNEL32(00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5), ref: 00460B22
GetProcAddress.KERNEL32(00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5), ref: 00460B34
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000), ref: 00460B46
GetProcAddress.KERNEL32(00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002), ref: 00460B58
GetProcAddress.KERNEL32(00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot), ref: 00460B6A
GetProcAddress.KERNEL32(00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst), ref: 00460B7C
GetProcAddress.KERNEL32(00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext), ref: 00460B8E
GetProcAddress.KERNEL32(00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First), ref: 00460BA0
GetProcAddress.KERNEL32(00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next), ref: 00460BB2
GetProcAddress.KERNEL32(00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory), ref: 00460BC4
GetProcAddress.KERNEL32(00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First), ref: 00460BD6
GetProcAddress.KERNEL32(00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next), ref: 00460BE8
GetProcAddress.KERNEL32(00000000,Module32NextW,00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW), ref: 00460BFA

Strings

Toolhelp32ReadProcessMemory, xrefs: 00460B3E
CreateToolhelp32Snapshot, xrefs: 00460AE4
Heap32First, xrefs: 00460B1A
Thread32First, xrefs: 00460B98
Module32First, xrefs: 00460BBC
Process32FirstW, xrefs: 00460B74
Heap32Next, xrefs: 00460B2C
Process32First, xrefs: 00460B50
Module32Next, xrefs: 00460BCE
Module32NextW, xrefs: 00460BF2
Heap32ListFirst, xrefs: 00460AF6
Thread32Next, xrefs: 00460BAA
Module32FirstW, xrefs: 00460BE0
Heap32ListNext, xrefs: 00460B08
Process32NextW, xrefs: 00460B86
kernel32.dll, xrefs: 00460ACF
Process32Next, xrefs: 00460B62

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428B08, Relevance: 48.5, APIs: 32, Instructions: 500 Total matches: 1987window

Similarity

Total matches: 1987
API ID: SelectObject$SelectPalette$CreateCompatibleDCGetDIBitsGetDeviceCapsRealizePaletteSetBkColorSetTextColor$BitBltCreateBitmapCreateCompatibleBitmapCreateDIBSectionDeleteDCFillRectGetDCGetDIBColorTableGetObjectPatBltSetDIBColorTable
String ID:
API String ID: 3042800676-0
Opcode ID: b8b687cee1c9a2d9d2f26bc490dbdcc6ec68fc2f2ec1aa58312beb2e349b1411
Instruction ID: ff68489d249ea03a763d48795c58495ac11dd1cccf96ec934182865f2a9e2114
Opcode Fuzzy Hash: E051494D0D8CF5C7B4BF29880993F5211816F83A27D2AB7130975677FB8A05A05BF21D
Instruction Fuzzy Hash: ff68489d249ea03a763d48795c58495ac11dd1cccf96ec934182865f2a9e2114

APIs

GetObjectA.GDI32(00000000,00000054,?), ref: 00428B88
GetDC.USER32(00000000), ref: 00428B99
CreateCompatibleDC.GDI32(00000000), ref: 00428BAA
CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 00428BF6
CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 00428C1A
GetDeviceCaps.GDI32(00000028,0000000C), ref: 00428C6A
GetDeviceCaps.GDI32(00000028,0000000E), ref: 00428C77
SelectObject.GDI32(?,?), ref: 00428D7F

Part of subcall function 004262B4: GetObjectA.GDI32(?,00000004), ref: 004262CB
Part of subcall function 004262B4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 004262EE

SelectObject.GDI32(?,00000000), ref: 00428D21
GetDIBColorTable.GDI32(?,00000000,00000100,-00000027), ref: 00428D47
GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428D72
CreateDIBSection.GDI32(00000028,00000001,00000000,00000003,00000000,00000000), ref: 00428DD5
GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428E36

Part of subcall function 00425A70: GetLastError.KERNEL32(00000000,00425B0C), ref: 00425A90
Part of subcall function 00425A70: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00425B0C), ref: 00425AB6

SelectObject.GDI32(?,?), ref: 00428E77
SelectPalette.GDI32(?,00000000,00000000), ref: 00428EB7
RealizePalette.GDI32(?), ref: 00428EC3
SelectPalette.GDI32(?,?,000000FF), ref: 004290CE

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?,00000000), ref: 00428F14
SetTextColor.GDI32(?,00000000), ref: 00428F2C
SetBkColor.GDI32(?,00000000), ref: 00428F46
SetDIBColorTable.GDI32(?,00000000,00000002,?), ref: 00428F8E
PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 00428FB0
CreateCompatibleDC.GDI32(00000028), ref: 00428FC3
SelectObject.GDI32(?,00000000), ref: 00428FE6
SelectPalette.GDI32(?,00000000,00000000), ref: 00429002
RealizePalette.GDI32(?), ref: 0042900D
DeleteDC.GDI32(?), ref: 004290A4

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetTextColor.GDI32(?,00000000), ref: 0042902B
SetBkColor.GDI32(?,00000000), ref: 00429045
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042906D
SelectPalette.GDI32(?,00000000,000000FF), ref: 0042907F
SelectObject.GDI32(?,00000000), ref: 00429089

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00458910, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64 Total matches: 3020window

Similarity

Total matches: 3020
API ID: GetWindowLongScreenToClient$GetWindowPlacementGetWindowRectIsIconic
String ID: ,
API String ID: 816554555-3772416878
Opcode ID: 33713ad712eb987f005f3c933c072ce84ce87073303cb20338137d5b66c4d54f
Instruction ID: 99fb2dd3f2d8984d329dcc6a20dc6bc7800d43894b91fc45d581d88d3a180e50
Opcode Fuzzy Hash: 34E0929A777C2018C58145A80943F5DB3519B5B7FAC55DF8036902895B110018B1B86D
Instruction Fuzzy Hash: 99fb2dd3f2d8984d329dcc6a20dc6bc7800d43894b91fc45d581d88d3a180e50

APIs

IsIconic.USER32(?), ref: 0045891F
GetWindowPlacement.USER32(?,0000002C), ref: 0045893C
GetWindowRect.USER32(?), ref: 00458955
GetWindowLongA.USER32(?,000000F0), ref: 00458963
GetWindowLongA.USER32(?,000000F8), ref: 00458978
ScreenToClient.USER32(00000000), ref: 00458985
ScreenToClient.USER32(00000000,?), ref: 00458990

Strings

,, xrefs: 00458928

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043B7D8, Relevance: 12.1, APIs: 8, Instructions: 72 Total matches: 256window

Similarity

Total matches: 256
API ID: ShowWindow$SetWindowLong$GetWindowLongIsIconicIsWindowVisible
String ID:
API String ID: 1329766111-0
Opcode ID: 851ee31c2da1c7e890e66181f8fd9237c67ccb8fd941b2d55d1428457ca3ad95
Instruction ID: 2d601e2c9dde570a1438639cb57e59d23a7ac9434ebe8ec1c9926e4533b8e8e7
Opcode Fuzzy Hash: FEE0684A6E7C6CE4E26AE7048881B00514BE307A17DC00B00C722165A69E8830E4AC8E
Instruction Fuzzy Hash: 2d601e2c9dde570a1438639cb57e59d23a7ac9434ebe8ec1c9926e4533b8e8e7

APIs

GetWindowLongA.USER32(?,000000EC), ref: 0043B7E8
IsIconic.USER32(?), ref: 0043B800
IsWindowVisible.USER32(?), ref: 0043B80C
ShowWindow.USER32(?,00000000), ref: 0043B840
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B855
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B866
ShowWindow.USER32(?,00000006), ref: 0043B881
ShowWindow.USER32(?,00000005), ref: 0043B88B

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004389B4, Relevance: 10.9, APIs: 7, Instructions: 405 Total matches: 2150windowCrypto

Similarity

Total matches: 2150
API ID: RestoreDCSaveDC$DefWindowProcGetSubMenuGetWindowDC
String ID:
API String ID: 4165311318-0
Opcode ID: e3974ea3235f2bde98e421c273a503296059dbd60f3116d5136c6e7e7c4a4110
Instruction ID: 37498faecac08611daeb58a409bdd2e28f3aff22c71556953c3d6c7203dc42a1
Opcode Fuzzy Hash: E351598106AE105BFCB3A49435C3FA31002E75259BCC9F7725F65B69F70A426107FA0E
Instruction Fuzzy Hash: 37498faecac08611daeb58a409bdd2e28f3aff22c71556953c3d6c7203dc42a1

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 00438ECA

Part of subcall function 00437AE0: SendMessageA.USER32(?,00000234,00000000,00000000), ref: 00437B66
Part of subcall function 00437AE0: DrawMenuBar.USER32(00000000), ref: 00437B77

GetSubMenu.USER32(?,?), ref: 00438AB0

Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128

SaveDC.GDI32(?), ref: 00438C84
RestoreDC.GDI32(?,?), ref: 00438CF8
GetWindowDC.USER32(?), ref: 00438D72
SaveDC.GDI32(?), ref: 00438DA9
RestoreDC.GDI32(?,?), ref: 00438E16

Part of subcall function 00438594: GetMenuItemCount.USER32(?), ref: 004385C0
Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 004385E0
Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 00438678

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043E644, Relevance: 10.9, APIs: 7, Instructions: 356 Total matches: 105windowCrypto

Similarity

Total matches: 105
API ID: RestoreDCSaveDC$GetParentGetWindowDCSetFocus
String ID:
API String ID: 1433148327-0
Opcode ID: c7c51054c34f8cc51c1d37cc0cdfc3fb3cac56433bd5d750a0ee7df42f9800ec
Instruction ID: 9e67841575b56d9a11e2d3f15b67e7abce699d8469a9871b1b2609441fc85f19
Opcode Fuzzy Hash: 60514740199E7193F47720842BC3BEAB09AF79671DC40F3616BC6318877F15A21AB70B
Instruction Fuzzy Hash: 9e67841575b56d9a11e2d3f15b67e7abce699d8469a9871b1b2609441fc85f19

APIs

Part of subcall function 00448224: SetActiveWindow.USER32(?), ref: 0044823F
Part of subcall function 00448224: SetFocus.USER32(00000000), ref: 00448289

SetFocus.USER32(00000000), ref: 0043E76F

Part of subcall function 0043F4F4: SendMessageA.USER32(00000000,00000229,00000000,00000000), ref: 0043F51B

Part of subcall function 0044D2F4: GetWindowThreadProcessId.USER32(?), ref: 0044D301
Part of subcall function 0044D2F4: GetCurrentProcessId.KERNEL32(?,00000000,?,004387ED,?,004378A9), ref: 0044D30A
Part of subcall function 0044D2F4: GlobalFindAtomA.KERNEL32(00000000), ref: 0044D31F
Part of subcall function 0044D2F4: GetPropA.USER32(?,00000000), ref: 0044D336

GetParent.USER32(?), ref: 0043E78A

Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128

SaveDC.GDI32(?), ref: 0043E92D
RestoreDC.GDI32(?,?), ref: 0043E99E
GetWindowDC.USER32(00000000), ref: 0043EA0A
SaveDC.GDI32(?), ref: 0043EA41
RestoreDC.GDI32(?,?), ref: 0043EAA5

Part of subcall function 00447EF0: InvalidateRect.USER32(00000000,00000000,000000FF), ref: 00447F83
Part of subcall function 00447EF0: InvalidateRect.USER32(00000000,00000000,000000FF), ref: 00447FB6

Part of subcall function 004556F4: SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000077), ref: 004557E5
Part of subcall function 004556F4: _TrackMouseEvent.COMCTL32(00000010), ref: 00455A9D
Part of subcall function 004556F4: DefWindowProcA.USER32(00000000,?,?,?), ref: 00455AEF
Part of subcall function 004556F4: GetCapture.USER32 ref: 00455B5A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00471850, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 97 Total matches: 34service

Similarity

Total matches: 34
API ID: CloseServiceHandle$CreateServiceOpenSCManager
String ID: Description$System\CurrentControlSet\Services\
API String ID: 2405299899-3489731058
Opcode ID: 96e252074fe1f6aca618bd4c8be8348df4b99afc93868a54bf7090803d280f0a
Instruction ID: 14b9cf690ce9596509c6229b802a5a61d158de39c8e329de654368bbb4824ff8
Opcode Fuzzy Hash: 7EF09E441FA6E84FA45EB84828533D651465713A78D4C77F19778379C34E84802EF662
Instruction Fuzzy Hash: 14b9cf690ce9596509c6229b802a5a61d158de39c8e329de654368bbb4824ff8

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,00471976,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00471890
CreateServiceA.ADVAPI32(00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,0047193B), ref: 004718D1

Part of subcall function 004711E8: RegCreateKeyA.ADVAPI32(?,00000000,?), ref: 0047122E
Part of subcall function 004711E8: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000002,00000000,?,00000000,00471291), ref: 0047125A
Part of subcall function 004711E8: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000002,00000000,?,00000000,00471291), ref: 00471269

CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00471926
CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0047192C

Strings

Description, xrefs: 00471916
System\CurrentControlSet\Services\, xrefs: 004718F7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004714B8, Relevance: 10.6, APIs: 7, Instructions: 89 Total matches: 71service

Similarity

Total matches: 71
API ID: CloseServiceHandle$ControlServiceOpenSCManagerOpenServiceQueryServiceStatusStartService
String ID:
API String ID: 3657116338-0
Opcode ID: 1e9d444eec48d0e419340f6fec950ff588b94c8e7592a950f99d2ba7664d31f8
Instruction ID: f731b938185626ba78ad74946a73eac4c40bc8709c87a2b6d5c22da45b1e1850
Opcode Fuzzy Hash: EDF0270D12C6E85FF119A88C1181B67D992DF56795E4A37E04715744CB1AE21008FA1E
Instruction Fuzzy Hash: f731b938185626ba78ad74946a73eac4c40bc8709c87a2b6d5c22da45b1e1850

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047159E), ref: 004714FD
OpenServiceA.ADVAPI32(00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047152D
StartServiceA.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471555
ControlService.ADVAPI32(00000000,00000001,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471563
QueryServiceStatus.ADVAPI32(00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047156D
CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471573
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471579

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A070, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51 Total matches: 81shutdown

Similarity

Total matches: 81
API ID: AdjustTokenPrivilegesExitWindowsExGetCurrentProcessLookupPrivilegeValueOpenProcessToken
String ID: SeShutdownPrivilege
API String ID: 907618230-3733053543
Opcode ID: 6325c351eeb4cc5a7ec0039467aea46e8b54e3429b17674810d590d1af91e24f
Instruction ID: 66577e1e564058a64f67eda116e8e082f314cb3670dbe1b8773e92ba7f33d392
Opcode Fuzzy Hash: 84D0124D3B7976B1F31D5D4001C47A6711FDBA322AD61670069507725A8DA091F4BE88
Instruction Fuzzy Hash: 66577e1e564058a64f67eda116e8e082f314cb3670dbe1b8773e92ba7f33d392

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 0048A083
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0048A089
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000000), ref: 0048A0A4
AdjustTokenPrivileges.ADVAPI32(00000002,00000000,00000002,00000010,?,?,00000000), ref: 0048A0E5
ExitWindowsEx.USER32(00000012,00000000), ref: 0048A0ED

Strings

SeShutdownPrivilege, xrefs: 0048A09D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004715B0, Relevance: 7.5, APIs: 5, Instructions: 49 Total matches: 102service

Similarity

Total matches: 102
API ID: CloseServiceHandle$DeleteServiceOpenSCManagerOpenService
String ID:
API String ID: 3460840894-0
Opcode ID: edfa3289dfdb26ec1f91a4a945de349b204e0a604ed3354c303b362bde8b8223
Instruction ID: 514bcffe4070602af344c66095507f6a8d55ec3e3e7bb18c804bf3b7deea95f5
Opcode Fuzzy Hash: 01D02E841BA8F82FD4879988111239360C1AA23A90D8A37F08E08361D3ABE4004CF86A
Instruction Fuzzy Hash: 514bcffe4070602af344c66095507f6a8d55ec3e3e7bb18c804bf3b7deea95f5

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047162F), ref: 004715DB
OpenServiceA.ADVAPI32(00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 004715F5
DeleteService.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471601
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 0047160E
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471614

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A218, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45 Total matches: 35

Similarity

Total matches: 35
API ID: ShellExecuteEx
String ID: <$runas
API String ID: 188261505-1187129395
Opcode ID: 78fd917f465efea932f782085a819b786d64ecbded851ad2becd4a9c2b295cba
Instruction ID: 699417cfffd9d2823bf050fc300394e0ca4864bf277244f982f3937778f2d3bc
Opcode Fuzzy Hash: 44D0C2651799A06BC4A3B2C03C41B2B25307B13B48C0EB722960034CD38F080009EF85
Instruction Fuzzy Hash: 699417cfffd9d2823bf050fc300394e0ca4864bf277244f982f3937778f2d3bc

APIs

ShellExecuteExA.SHELL32(0000003C,00000000,0048A2A4), ref: 0048A283

Strings

runas, xrefs: 0048A268
<, xrefs: 0048A24C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00471640, Relevance: 4.6, APIs: 3, Instructions: 140 Total matches: 47service

Similarity

Total matches: 47
API ID: CloseServiceHandleEnumServicesStatusOpenSCManager
String ID:
API String ID: 233299287-0
Opcode ID: 185c547a2e6a35dbb7ea54b3dd23c7efef250d35a63269c87f9c499be03b9b38
Instruction ID: 4325fe5331610a1e4ee3b19dd885bf5302e7ab4f054d8126da991c50fe425a8d
Opcode Fuzzy Hash: D3112647077BC223FB612D841803F8279D84B1AA24F8C4B458BB5BC6F61E490105F69D
Instruction Fuzzy Hash: 4325fe5331610a1e4ee3b19dd885bf5302e7ab4f054d8126da991c50fe425a8d

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000005,00000000,00471828), ref: 004716A2
EnumServicesStatusA.ADVAPI32(00000000,0000013F,00000003,?,00004800,?,?,?), ref: 004716DC

Part of subcall function 004714B8: OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047159E), ref: 004714FD
Part of subcall function 004714B8: OpenServiceA.ADVAPI32(00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047152D
Part of subcall function 004714B8: StartServiceA.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471555
Part of subcall function 004714B8: ControlService.ADVAPI32(00000000,00000001,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471563
Part of subcall function 004714B8: QueryServiceStatus.ADVAPI32(00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047156D
Part of subcall function 004714B8: CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471573
Part of subcall function 004714B8: CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471579

CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000005,00000000,00471828), ref: 00471805

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042F204, Relevance: 166.5, APIs: 48, Strings: 47, Instructions: 266 Total matches: 2590libraryloader

Similarity

Total matches: 2590
API ID: GetProcAddress$LoadLibrary
String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$[FILE]
API String ID: 2209490600-790253602
Opcode ID: d5b316937265a1d63c550ac9e6780b23ae603b9b00a4eb52bbd2495b45327185
Instruction ID: cdd6db89471e363eb0c024dafd59dce8bdfa3de864d9ed8bc405e7c292d3cab1
Opcode Fuzzy Hash: 3A41197F44EC1149F6A0DA0830FF64324E669EAF2C0325F101587303717ADBF52A6AB9
Instruction Fuzzy Hash: cdd6db89471e363eb0c024dafd59dce8bdfa3de864d9ed8bc405e7c292d3cab1

APIs

LoadLibraryA.KERNEL32(uxtheme.dll), ref: 0042F23A
GetProcAddress.KERNEL32(00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F252
GetProcAddress.KERNEL32(00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F264
GetProcAddress.KERNEL32(00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F276
GetProcAddress.KERNEL32(00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F288
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F29A
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F2AC
GetProcAddress.KERNEL32(00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000), ref: 0042F2BE
GetProcAddress.KERNEL32(00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData), ref: 0042F2D0
GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData), ref: 0042F2E2
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground), ref: 0042F2F4
GetProcAddress.KERNEL32(00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText), ref: 0042F306
GetProcAddress.KERNEL32(00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect), ref: 0042F318
GetProcAddress.KERNEL32(00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect), ref: 0042F32A
GetProcAddress.KERNEL32(00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize), ref: 0042F33C
GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent), ref: 0042F34E
GetProcAddress.KERNEL32(00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics), ref: 0042F360
GetProcAddress.KERNEL32(00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion), ref: 0042F372
GetProcAddress.KERNEL32(00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground), ref: 0042F384
GetProcAddress.KERNEL32(00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge), ref: 0042F396
GetProcAddress.KERNEL32(00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon), ref: 0042F3A8
GetProcAddress.KERNEL32(00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined), ref: 0042F3BA
GetProcAddress.KERNEL32(00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent), ref: 0042F3CC
GetProcAddress.KERNEL32(00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor), ref: 0042F3DE
GetProcAddress.KERNEL32(00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric), ref: 0042F3F0
GetProcAddress.KERNEL32(00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString), ref: 0042F402
GetProcAddress.KERNEL32(00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool), ref: 0042F414
GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt), ref: 0042F426
GetProcAddress.KERNEL32(00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue), ref: 0042F438
GetProcAddress.KERNEL32(00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition), ref: 0042F44A
GetProcAddress.KERNEL32(00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont), ref: 0042F45C
GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect), ref: 0042F46E
GetProcAddress.KERNEL32(00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins), ref: 0042F480
GetProcAddress.KERNEL32(00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList), ref: 0042F492
GetProcAddress.KERNEL32(00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin), ref: 0042F4A4
GetProcAddress.KERNEL32(00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme), ref: 0042F4B6
GetProcAddress.KERNEL32(00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename), ref: 0042F4C8
GetProcAddress.KERNEL32(00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor), ref: 0042F4DA
GetProcAddress.KERNEL32(00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush), ref: 0042F4EC
GetProcAddress.KERNEL32(00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool), ref: 0042F4FE
GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize), ref: 0042F510
GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont), ref: 0042F522
GetProcAddress.KERNEL32(00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString), ref: 0042F534
GetProcAddress.KERNEL32(00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt), ref: 0042F546
GetProcAddress.KERNEL32(00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive), ref: 0042F558
GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed), ref: 0042F56A
GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground,00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme), ref: 0042F57C
GetProcAddress.KERNEL32(00000000,EnableTheming,00000000,DrawThemeParentBackground,00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture), ref: 0042F58E

Strings

EnableTheming, xrefs: 0042F586
CloseThemeData, xrefs: 0042F25C
DrawThemeText, xrefs: 0042F280
GetThemePosition, xrefs: 0042F3C4
IsThemeBackgroundPartiallyTransparent, xrefs: 0042F346
GetThemeBool, xrefs: 0042F38E
GetThemeTextMetrics, xrefs: 0042F2DA
IsThemeDialogTextureEnabled, xrefs: 0042F51A
GetThemeMetric, xrefs: 0042F36A
GetThemeSysInt, xrefs: 0042F4C0
GetThemeInt, xrefs: 0042F3A0
SetThemeAppProperties, xrefs: 0042F53E
IsAppThemed, xrefs: 0042F4E4
EnableThemeDialogTexture, xrefs: 0042F508
GetThemeEnumValue, xrefs: 0042F3B2
GetThemeSysSize, xrefs: 0042F48A
GetThemeTextExtent, xrefs: 0042F2C8
DrawThemeBackground, xrefs: 0042F26E
GetThemeBackgroundRegion, xrefs: 0042F2EC
IsThemeActive, xrefs: 0042F4D2
GetThemeBackgroundContentRect, xrefs: 0042F292, 0042F2A4
uxtheme.dll, xrefs: 0042F235
GetThemeSysString, xrefs: 0042F4AE
DrawThemeEdge, xrefs: 0042F310
GetThemeFilename, xrefs: 0042F442
GetThemeIntList, xrefs: 0042F40C
GetThemeSysBool, xrefs: 0042F478
GetThemeSysColor, xrefs: 0042F454
GetThemeFont, xrefs: 0042F3D6
GetWindowTheme, xrefs: 0042F4F6
GetThemeMargins, xrefs: 0042F3FA
GetThemeSysColorBrush, xrefs: 0042F466
GetCurrentThemeName, xrefs: 0042F550
GetThemeAppProperties, xrefs: 0042F52C
GetThemePropertyOrigin, xrefs: 0042F41E
OpenThemeData, xrefs: 0042F24A
GetThemeSysFont, xrefs: 0042F49C
GetThemeRect, xrefs: 0042F3E8
GetThemeDocumentationProperty, xrefs: 0042F562
IsThemePartDefined, xrefs: 0042F334
SetWindowTheme, xrefs: 0042F430
GetThemePartSize, xrefs: 0042F2B6
GetThemeColor, xrefs: 0042F358
DrawThemeParentBackground, xrefs: 0042F574
DrawThemeIcon, xrefs: 0042F322
GetThemeString, xrefs: 0042F37C
HitTestThemeBackground, xrefs: 0042F2FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00460DDC, Relevance: 75.4, APIs: 24, Strings: 19, Instructions: 132 Total matches: 77libraryloader

Similarity

Total matches: 77
API ID: GetProcAddress$LoadLibrary
String ID: EmptyWorkingSet$EnumDeviceDrivers$EnumProcessModules$EnumProcesses$GetDeviceDriverBaseNameA$GetDeviceDriverBaseNameW$GetDeviceDriverFileNameA$GetDeviceDriverFileNameW$GetMappedFileNameA$GetMappedFileNameW$GetModuleBaseNameA$GetModuleBaseNameW$GetModuleFileNameExA$GetModuleFileNameExW$GetModuleInformation$GetProcessMemoryInfo$InitializeProcessForWsWatch$[FILE]$QueryWorkingSet
API String ID: 2209490600-4166134900
Opcode ID: aaefed414f62a40513f9ac2234ba9091026a29d00b8defe743cdf411cc1f958a
Instruction ID: 585c55804eb58d57426aaf25b5bf4c27b161b10454f9e43d23d5139f544de849
Opcode Fuzzy Hash: CC1125BF55AD1149CBA48A6C34EF70324D3399A90D4228F10A492317397DDFE49A1FB5
Instruction Fuzzy Hash: 585c55804eb58d57426aaf25b5bf4c27b161b10454f9e43d23d5139f544de849

APIs

LoadLibraryA.KERNEL32(PSAPI.dll), ref: 00460DF0
GetProcAddress.KERNEL32(00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E0C
GetProcAddress.KERNEL32(00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E1E
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E30
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E42
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E54
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E66
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll), ref: 00460E78
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses), ref: 00460E8A
GetProcAddress.KERNEL32(00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules), ref: 00460E9C
GetProcAddress.KERNEL32(00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA), ref: 00460EAE
GetProcAddress.KERNEL32(00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA), ref: 00460EC0
GetProcAddress.KERNEL32(00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA), ref: 00460ED2
GetProcAddress.KERNEL32(00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA), ref: 00460EE4
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW), ref: 00460EF6
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW), ref: 00460F08
GetProcAddress.KERNEL32(00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation), ref: 00460F1A
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet), ref: 00460F2C
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet), ref: 00460F3E
GetProcAddress.KERNEL32(00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch), ref: 00460F50
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA), ref: 00460F62
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA), ref: 00460F74
GetProcAddress.KERNEL32(00000000,EnumDeviceDrivers,00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA), ref: 00460F86
GetProcAddress.KERNEL32(00000000,GetProcessMemoryInfo,00000000,EnumDeviceDrivers,00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA), ref: 00460F98

Strings

GetDeviceDriverFileNameA, xrefs: 00460F00, 00460F36
GetModuleInformation, xrefs: 00460E94
QueryWorkingSet, xrefs: 00460EB8
EnumProcessModules, xrefs: 00460E16
InitializeProcessForWsWatch, xrefs: 00460ECA
GetMappedFileNameA, xrefs: 00460EDC, 00460F12
GetDeviceDriverFileNameW, xrefs: 00460F6C
GetDeviceDriverBaseNameA, xrefs: 00460EEE, 00460F24
PSAPI.dll, xrefs: 00460DEB
EnumProcesses, xrefs: 00460E04
EnumDeviceDrivers, xrefs: 00460F7E
GetModuleBaseNameA, xrefs: 00460E28, 00460E4C
GetModuleFileNameExA, xrefs: 00460E3A, 00460E5E
GetDeviceDriverBaseNameW, xrefs: 00460F5A
EmptyWorkingSet, xrefs: 00460EA6
GetModuleFileNameExW, xrefs: 00460E82
GetModuleBaseNameW, xrefs: 00460E70
GetMappedFileNameW, xrefs: 00460F48
GetProcessMemoryInfo, xrefs: 00460F90

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045D6E8, Relevance: 49.1, APIs: 15, Strings: 13, Instructions: 95 Total matches: 1532libraryloader

Similarity

Total matches: 1532
API ID: GetProcAddress$SetErrorMode$GetModuleHandleLoadLibrary
String ID: ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME$[FILE]
API String ID: 4285671783-683095915
Opcode ID: 6332f91712b4189a2fbf9eac54066364acf4b46419cf90587b9f7381acad85db
Instruction ID: 372e34bc737a7edc69a1909bd40661afaf820c1de602df88552da6e630419b72
Opcode Fuzzy Hash: 0A01257F24D863CBD2D0CE4934DB39D20B65787C0C8D6DF404605318697F9BF9295A68
Instruction Fuzzy Hash: 372e34bc737a7edc69a1909bd40661afaf820c1de602df88552da6e630419b72

APIs

SetErrorMode.KERNEL32(00008000), ref: 0045D701
GetModuleHandleA.KERNEL32(USER32,00000000,0045D84E,?,00008000), ref: 0045D725
GetProcAddress.KERNEL32(00000000,WINNLSEnableIME,USER32,00000000,0045D84E,?,00008000), ref: 0045D732
LoadLibraryA.KERNEL32(imm32.dll), ref: 0045D74E
GetProcAddress.KERNEL32(00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D770
GetProcAddress.KERNEL32(00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D785
GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D79A
GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7AF
GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7C4
GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E), ref: 0045D7D9
GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000), ref: 0045D7EE
GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext), ref: 0045D803
GetProcAddress.KERNEL32(00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext), ref: 0045D818
GetProcAddress.KERNEL32(00000000,ImmNotifyIME,00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus), ref: 0045D82D
SetErrorMode.KERNEL32(?,0045D855,00008000), ref: 0045D848

Strings

USER32, xrefs: 0045D720
ImmReleaseContext, xrefs: 0045D77A
ImmNotifyIME, xrefs: 0045D822
ImmIsIME, xrefs: 0045D80D
ImmGetConversionStatus, xrefs: 0045D78F
ImmSetCompositionFontA, xrefs: 0045D7E3
ImmGetCompositionStringA, xrefs: 0045D7F8
ImmSetCompositionWindow, xrefs: 0045D7CE
ImmGetContext, xrefs: 0045D765
imm32.dll, xrefs: 0045D749
ImmSetOpenStatus, xrefs: 0045D7B9
WINNLSEnableIME, xrefs: 0045D72C
ImmSetConversionStatus, xrefs: 0045D7A4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004104F0, Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141 Total matches: 3143

Similarity

Total matches: 3143
API ID: GetModuleHandle
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$[FILE]
API String ID: 2196120668-1102361026
Opcode ID: d04b3c176625d43589df9c4c1eaa1faa8af9b9c00307a8a09859a0e62e75f2dc
Instruction ID: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6
Opcode Fuzzy Hash: B8119E48E06A10BC356E3ED6B0292683F50A1A7CBF31D5388487AA46F067C083C0FF2D
Instruction Fuzzy Hash: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 004104F9

Part of subcall function 004104C4: GetProcAddress.KERNEL32(00000000), ref: 004104DD

Strings

VarMod, xrefs: 004105B7
VarBstrFromCy, xrefs: 004106A9
VarBstrFromBool, xrefs: 004106D5
VarAnd, xrefs: 004105CD
VarDateFromStr, xrefs: 00410667
oleaut32.dll, xrefs: 004104F4
VariantChangeTypeEx, xrefs: 00410507
VarCmp, xrefs: 0041060F
VarBstrFromDate, xrefs: 004106BF
VarBoolFromStr, xrefs: 00410693
VarR8FromStr, xrefs: 00410651
VarR4FromStr, xrefs: 0041063B
VarDiv, xrefs: 0041058B
VarSub, xrefs: 0041055F
VarNeg, xrefs: 0041051D
VarAdd, xrefs: 00410549
VarOr, xrefs: 004105E3
VarMul, xrefs: 00410575
VarI4FromStr, xrefs: 00410625
VarCyFromStr, xrefs: 0041067D
VarIdiv, xrefs: 004105A1
VarXor, xrefs: 004105F9
VarNot, xrefs: 00410533

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004291D0, Relevance: 31.7, APIs: 21, Instructions: 194 Total matches: 3060window

Similarity

Total matches: 3060
API ID: SelectObject$CreateCompatibleDCDeleteDCRealizePaletteSelectPaletteSetBkColor$BitBltCreateBitmapDeleteObjectGetDCGetObjectPatBltReleaseDC
String ID:
API String ID: 628774946-0
Opcode ID: fe3971f2977393a3c43567018b8bbe78de127415e632ac21538e816cc0dd5250
Instruction ID: 6115c1c3159ef7867d394253bd6a45f4e10092e6f2e7cc69ab30c5ac2c74a228
Opcode Fuzzy Hash: 2911294A05CCF32B64B579881983B261182FE43B52CABF7105979272CACF41740DE457
Instruction Fuzzy Hash: 6115c1c3159ef7867d394253bd6a45f4e10092e6f2e7cc69ab30c5ac2c74a228

APIs

GetObjectA.GDI32(?,00000054,?), ref: 004291F3
GetDC.USER32(00000000), ref: 00429221
CreateCompatibleDC.GDI32(?), ref: 00429232
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0042924D
SelectObject.GDI32(?,00000000), ref: 00429267
PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 00429289
CreateCompatibleDC.GDI32(?), ref: 00429297
DeleteDC.GDI32(?), ref: 0042937D

Part of subcall function 00428B08: GetObjectA.GDI32(00000000,00000054,?), ref: 00428B88
Part of subcall function 00428B08: GetDC.USER32(00000000), ref: 00428B99
Part of subcall function 00428B08: CreateCompatibleDC.GDI32(00000000), ref: 00428BAA
Part of subcall function 00428B08: CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 00428BF6
Part of subcall function 00428B08: CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 00428C1A
Part of subcall function 00428B08: GetDeviceCaps.GDI32(00000028,0000000C), ref: 00428C6A
Part of subcall function 00428B08: GetDeviceCaps.GDI32(00000028,0000000E), ref: 00428C77
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00428D21
Part of subcall function 00428B08: GetDIBColorTable.GDI32(?,00000000,00000100,-00000027), ref: 00428D47
Part of subcall function 00428B08: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428D72
Part of subcall function 00428B08: SelectObject.GDI32(?,?), ref: 00428D7F
Part of subcall function 00428B08: CreateDIBSection.GDI32(00000028,00000001,00000000,00000003,00000000,00000000), ref: 00428DD5
Part of subcall function 00428B08: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428E36
Part of subcall function 00428B08: SelectObject.GDI32(?,?), ref: 00428E77
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,00000000), ref: 00428EB7
Part of subcall function 00428B08: RealizePalette.GDI32(?), ref: 00428EC3
Part of subcall function 00428B08: FillRect.USER32(?,?,00000000), ref: 00428F14
Part of subcall function 00428B08: SetTextColor.GDI32(?,00000000), ref: 00428F2C
Part of subcall function 00428B08: SetBkColor.GDI32(?,00000000), ref: 00428F46
Part of subcall function 00428B08: SetDIBColorTable.GDI32(?,00000000,00000002,?), ref: 00428F8E
Part of subcall function 00428B08: PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 00428FB0
Part of subcall function 00428B08: CreateCompatibleDC.GDI32(00000028), ref: 00428FC3
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00428FE6
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,00000000), ref: 00429002
Part of subcall function 00428B08: RealizePalette.GDI32(?), ref: 0042900D
Part of subcall function 00428B08: SetTextColor.GDI32(?,00000000), ref: 0042902B
Part of subcall function 00428B08: SetBkColor.GDI32(?,00000000), ref: 00429045
Part of subcall function 00428B08: BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042906D
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,000000FF), ref: 0042907F
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00429089
Part of subcall function 00428B08: DeleteDC.GDI32(?), ref: 004290A4
Part of subcall function 00428B08: SelectPalette.GDI32(?,?,000000FF), ref: 004290CE

SelectObject.GDI32(?), ref: 004292DF
SelectPalette.GDI32(?,?,00000000), ref: 004292F2
RealizePalette.GDI32(?), ref: 004292FB
SelectPalette.GDI32(?,?,00000000), ref: 00429307
RealizePalette.GDI32(?), ref: 00429310
SetBkColor.GDI32(?), ref: 0042931A
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042933E
SetBkColor.GDI32(?,00000000), ref: 00429348
SelectObject.GDI32(?,00000000), ref: 0042935B
DeleteObject.GDI32 ref: 00429367
SelectObject.GDI32(?,00000000), ref: 00429398
DeleteDC.GDI32(00000000), ref: 004293B4
ReleaseDC.USER32(00000000,00000000), ref: 004293C5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004031FC, Relevance: 27.1, APIs: 9, Strings: 9, Instructions: 110 Total matches: 169

Similarity

Total matches: 169
API ID: CharNext
String ID: $ $ $"$"$"$"$"$"
API String ID: 3213498283-3597982963
Opcode ID: a78e52ca640c3a7d11d18e4cac849d6c7481ab065be4a6ef34a7c34927dd7892
Instruction ID: 5d6dbb870b020a65ba4fa9e31a5dda400ef744f15fc7bff5e21739e263984da5
Opcode Fuzzy Hash: D0F054139ED4432360976B416872B44E2D0DF9564D2C01F185B62BE2F31E696D62F9DC
Instruction Fuzzy Hash: 5d6dbb870b020a65ba4fa9e31a5dda400ef744f15fc7bff5e21739e263984da5

APIs

CharNextA.USER32(00000000), ref: 00403208
CharNextA.USER32(00000000), ref: 00403236
CharNextA.USER32(00000000), ref: 00403240
CharNextA.USER32(00000000), ref: 0040325F
CharNextA.USER32(00000000), ref: 00403269
CharNextA.USER32(00000000), ref: 00403295
CharNextA.USER32(00000000), ref: 0040329F
CharNextA.USER32(00000000), ref: 004032C7
CharNextA.USER32(00000000), ref: 004032D1

Strings

", xrefs: 00403230
, xrefs: 004032E9
", xrefs: 0040328F
", xrefs: 0040321E
, xrefs: 00403214
", xrefs: 00403254
, xrefs: 00403278
", xrefs: 00403219
", xrefs: 004032BC

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004296E0, Relevance: 21.2, APIs: 14, Instructions: 217 Total matches: 2962window

Similarity

Total matches: 2962
API ID: GetDeviceCapsSelectObjectSelectPaletteSetStretchBltMode$CreateCompatibleDCDeleteDCGetBrushOrgExRealizePaletteSetBrushOrgExStretchBlt
String ID:
API String ID: 3308931694-0
Opcode ID: c4f23efe5e20e7f72d9787206ae9d4d4484ef6a1768b369050ebc0ce3d21af64
Instruction ID: 6e80a75276815f297b150d1899ec2451361d21afa1efcd092d0d7bc48a04164e
Opcode Fuzzy Hash: 2C21980A409CEB6BF0BB78840183F4A2285BF9B34ACD1BB210E64673635F04E40BD65F
Instruction Fuzzy Hash: 6e80a75276815f297b150d1899ec2451361d21afa1efcd092d0d7bc48a04164e

APIs

Part of subcall function 00429D5C: GetDC.USER32(00000000), ref: 00429DB2
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429DC7
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00429DD1
Part of subcall function 00429D5C: CreateHalftonePalette.GDI32(00000000), ref: 00429DF5
Part of subcall function 00429D5C: ReleaseDC.USER32(00000000,00000000), ref: 00429E00

SelectPalette.GDI32(?,?,000000FF), ref: 00429723
RealizePalette.GDI32(?), ref: 00429732
GetDeviceCaps.GDI32(?,0000000C), ref: 00429744
GetDeviceCaps.GDI32(?,0000000E), ref: 00429753
GetBrushOrgEx.GDI32(?,?), ref: 00429786
SetStretchBltMode.GDI32(?,00000004), ref: 00429794
SetBrushOrgEx.GDI32(?,?,?,?), ref: 004297AC
SetStretchBltMode.GDI32(00000000,00000003), ref: 004297C9
SelectPalette.GDI32(?,?,000000FF), ref: 00429918

Part of subcall function 00429CFC: DeleteObject.GDI32(?), ref: 00429D1F

CreateCompatibleDC.GDI32(00000000), ref: 0042982A
SelectObject.GDI32(?,?), ref: 0042983F

Part of subcall function 00425CC8: CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 00425D0B
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425D20
Part of subcall function 00425CC8: MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,CCAA0029), ref: 00425D64
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425D7E
Part of subcall function 00425CC8: DeleteObject.GDI32(?), ref: 00425D8A
Part of subcall function 00425CC8: CreateCompatibleDC.GDI32(00000000), ref: 00425D9E
Part of subcall function 00425CC8: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00425DBF
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425DD4
Part of subcall function 00425CC8: SelectPalette.GDI32(?,48080787,00000000), ref: 00425DE8
Part of subcall function 00425CC8: SelectPalette.GDI32(?,?,00000000), ref: 00425DFA
Part of subcall function 00425CC8: SelectPalette.GDI32(?,00000000,000000FF), ref: 00425E0F
Part of subcall function 00425CC8: SelectPalette.GDI32(?,48080787,000000FF), ref: 00425E25
Part of subcall function 00425CC8: RealizePalette.GDI32(?), ref: 00425E31
Part of subcall function 00425CC8: StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 00425E53
Part of subcall function 00425CC8: StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 00425E75
Part of subcall function 00425CC8: SetTextColor.GDI32(?,00000000), ref: 00425E7D
Part of subcall function 00425CC8: SetBkColor.GDI32(?,00FFFFFF), ref: 00425E8B
Part of subcall function 00425CC8: StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 00425EB7
Part of subcall function 00425CC8: StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 00425EDC
Part of subcall function 00425CC8: SetTextColor.GDI32(?,?), ref: 00425EE6
Part of subcall function 00425CC8: SetBkColor.GDI32(?,?), ref: 00425EF0
Part of subcall function 00425CC8: SelectObject.GDI32(?,00000000), ref: 00425F03
Part of subcall function 00425CC8: DeleteObject.GDI32(?), ref: 00425F0C
Part of subcall function 00425CC8: SelectPalette.GDI32(?,00000000,00000000), ref: 00425F2E
Part of subcall function 00425CC8: DeleteDC.GDI32(?), ref: 00425F37

SelectObject.GDI32(?,00000000), ref: 0042989E
DeleteDC.GDI32(00000000), ref: 004298AD
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,?), ref: 004298F3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048D3C4, Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 132 Total matches: 32

Similarity

Total matches: 32
API ID: GetVersionEx
String ID: Unknow$Windows 2000$Windows 7$Windows 95$Windows 98$Windows Me$Windows NT 4.0$Windows Server 2003$Windows Vista$Windows XP
API String ID: 3908303307-3783844371
Opcode ID: 7b5a5832e5fd12129a8a2e2906a492b9449b8df28a17af9cc2e55bced20de565
Instruction ID: b844ed6b70e0e94de659292c354b68b9ed016400ab421bcb6baea74a0809c2ae
Opcode Fuzzy Hash: 0C11ACC1EB6CE422E7B219486410BD59E805F8B83AFCCC343D63EA83E46D491419F22D
Instruction Fuzzy Hash: b844ed6b70e0e94de659292c354b68b9ed016400ab421bcb6baea74a0809c2ae

APIs

GetVersionExA.KERNEL32(00000094), ref: 0048D410

Strings

Windows Me, xrefs: 0048D4F2
Windows NT 4.0, xrefs: 0048D441
Windows 2000, xrefs: 0048D467
Windows 95, xrefs: 0048D4D6
Windows 7, xrefs: 0048D4B1
Unknow, xrefs: 0048D3F5
Windows Vista, xrefs: 0048D4A3
Windows Server 2003, xrefs: 0048D486
Windows XP, xrefs: 0048D478
Windows 98, xrefs: 0048D4E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C494, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 102 Total matches: 27filememorythread

Similarity

Total matches: 27
API ID: CloseHandle$CreateFileCreateThreadFindResourceLoadResourceLocalAllocLockResourceSizeofResourceWriteFile
String ID: [FILE]
API String ID: 67866216-124780900
Opcode ID: 96c988e38e59b89ff17cc2eaece477f828ad8744e4a6eccd5192cfbc043553d8
Instruction ID: 630cc112895e8414539e3ba5b7ba0394fd4404f3832c6fa9d37db38bf09270f9
Opcode Fuzzy Hash: D5F02B8A57A5E6A3F0003C841D423D286D55B13B20E582B62C57CB75C1FE24502AFB03
Instruction Fuzzy Hash: 630cc112895e8414539e3ba5b7ba0394fd4404f3832c6fa9d37db38bf09270f9

APIs

FindResourceA.KERNEL32(00000000,?,?), ref: 0048C4C3

Part of subcall function 00489BB0: GetTempPathA.KERNEL32(?,00000000), ref: 00489BEC

CreateFileA.KERNEL32(00000000,.dll,?,?,40000000,00000002,00000000), ref: 0048C50F
SizeofResource.KERNEL32(00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC,?,?,?,?,00000000,00000000,00000000), ref: 0048C51F
LoadResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C528
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C52E
WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0048C535
CloseHandle.KERNEL32(00000000), ref: 0048C53B
LocalAlloc.KERNEL32(00000040,00000004,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C544
CreateThread.KERNEL32(00000000,00000000,0048C3E4,00000000,00000000,?), ref: 0048C586
CloseHandle.KERNEL32(00000000), ref: 0048C58C

Strings

.dll, xrefs: 0048C4F4, 0048C565

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004328FC, Relevance: 18.1, APIs: 12, Instructions: 142 Total matches: 2670

Similarity

Total matches: 2670
API ID: GetSystemMetricsGetWindowLong$ExcludeClipRectFillRectGetSysColorBrushGetWindowDCGetWindowRectInflateRectOffsetRectReleaseDC
String ID:
API String ID: 3932036319-0
Opcode ID: 76064c448b287af48dc2af56ceef959adfeb7e49e56a31cb381aae6292753b0b
Instruction ID: f04c829c48dd0ecc4740a09c532db4e7ffce190e9eba6ce852bb2d0274806371
Opcode Fuzzy Hash: 03019760024F1233E0B31AC05DC7F127621ED45386CA4BBF28BF6A72C962AA7006F467
Instruction Fuzzy Hash: f04c829c48dd0ecc4740a09c532db4e7ffce190e9eba6ce852bb2d0274806371

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 00432917
GetWindowRect.USER32(00000000,?), ref: 00432932
OffsetRect.USER32(?,?,?), ref: 00432947
GetWindowDC.USER32(00000000), ref: 00432955
GetWindowLongA.USER32(00000000,000000F0), ref: 00432986
GetSystemMetrics.USER32(00000002), ref: 0043299B
GetSystemMetrics.USER32(00000003), ref: 004329A4
InflateRect.USER32(?,000000FE,000000FE), ref: 004329B3
GetSysColorBrush.USER32(0000000F), ref: 004329E0
FillRect.USER32(?,?,00000000), ref: 004329EE
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00432A13
ReleaseDC.USER32(00000000,?), ref: 00432A51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00402820, Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 254 Total matches: 200window

Similarity

Total matches: 200
API ID: MessageBox
String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
API String ID: 1250089747-1256731999
Opcode ID: 490897b8e9acac750f9d51d50a768472c0795dbdc6439b18441db86d626ce938
Instruction ID: 76dfa530adb1b8c2cc13e2667be7c25ba156ed0594aa9714788bfb3d1a0eda85
Opcode Fuzzy Hash: 0731F44BA7DDC3A2D3E91303684575550E2A7C5537C888F609772317F6EE04250BAAAD
Instruction Fuzzy Hash: 76dfa530adb1b8c2cc13e2667be7c25ba156ed0594aa9714788bfb3d1a0eda85

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 00402BBE

Strings

An unexpected memory leak has occurred. , xrefs: 00402980
String, xrefs: 00402A91
, xrefs: 00402B04
Unknown, xrefs: 00402A7C
The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402B39
The unexpected small block leaks are:, xrefs: 004029F7
Unexpected Memory Leak, xrefs: 00402BB0
7, xrefs: 00402991
bytes: , xrefs: 00402A4D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F17C, Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 116 Total matches: 33window

Similarity

Total matches: 33
API ID: GetWindowPlacementGetWindowTextIsWindowVisible
String ID: ,$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive$True
API String ID: 41250382-511446200
Opcode ID: 2a93bd2407602c988be198f02ecb64933adb9ffad78aee0f75abc9a1a22a1849
Instruction ID: 8f95e1a452f283c9d6a5f9db166b7f7b6e325fa1ebf04232aa01919826a7e185
Opcode Fuzzy Hash: F5012D8237CECA73DA0AAEC47C00B80D5A5AF63224CC867A14A9D3D1D41ED06009AB4A
Instruction Fuzzy Hash: 8f95e1a452f283c9d6a5f9db166b7f7b6e325fa1ebf04232aa01919826a7e185

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F1D2
GetWindowPlacement.USER32(?,0000002C), ref: 0046F1ED
IsWindowVisible.USER32(?), ref: 0046F258

Part of subcall function 0046F148: GetWindow.USER32(?,00000005), ref: 0046F156
Part of subcall function 0046F148: GetWindow.USER32(00000000,00000002), ref: 0046F164

Strings

,, xrefs: 0046F1E1
Minimized, xrefs: 0046F225
Show/Unactive, xrefs: 0046F239
True, xrefs: 0046F2AA
Maximized, xrefs: 0046F1FD
Normal, xrefs: 0046F211
Normal/Unactive, xrefs: 0046F24D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E71C, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 109 Total matches: 2989

Similarity

Total matches: 2989
API ID: IntersectRect$GetSystemMetrics$EnumDisplayMonitorsGetClipBoxGetDCOrgExOffsetRect
String ID: EnumDisplayMonitors
API String ID: 2403121106-2491903729
Opcode ID: 52db4d6629bbd73772140d7e04a91d47a072080cb3515019dbe85a8b86b11587
Instruction ID: b4557ab74b20c8893b9e8c5043286aecf6e43751f6ec849995a879e485a4fa77
Opcode Fuzzy Hash: 60F02B4B413C0863AD32BB953067E2601615BD3955C9F7BF34D077A2091B85B42EF643
Instruction Fuzzy Hash: b4557ab74b20c8893b9e8c5043286aecf6e43751f6ec849995a879e485a4fa77

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 0042E755
GetSystemMetrics.USER32(00000000), ref: 0042E77A
GetSystemMetrics.USER32(00000001), ref: 0042E785
GetClipBox.GDI32(?,?), ref: 0042E797
GetDCOrgEx.GDI32(?,?), ref: 0042E7A4
OffsetRect.USER32(?,?,?), ref: 0042E7BD
IntersectRect.USER32(?,?,?), ref: 0042E7CE
IntersectRect.USER32(?,?,?), ref: 0042E7E4
IntersectRect.USER32(?,?,?), ref: 0042E804

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

EnumDisplayMonitors, xrefs: 0042E734

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044D1B0, Relevance: 16.6, APIs: 11, Instructions: 91 Total matches: 309

Similarity

Total matches: 309
API ID: GetWindowLongSetWindowLong$SetProp$IsWindowUnicode
String ID:
API String ID: 2416549522-0
Opcode ID: cc33e88019e13a6bdd1cd1f337bb9aa08043e237bf24f75c2294c70aefb51ea5
Instruction ID: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692
Opcode Fuzzy Hash: 47F09048455D92E9CE316990181BFEB6098AF57F91CE86B0469C2713778E50F079BCC2
Instruction Fuzzy Hash: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692

APIs

IsWindowUnicode.USER32(?), ref: 0044D1CA
SetWindowLongW.USER32(?,000000FC,?), ref: 0044D1E5
GetWindowLongW.USER32(?,000000F0), ref: 0044D1F0
GetWindowLongW.USER32(?,000000F4), ref: 0044D202
SetWindowLongW.USER32(?,000000F4,?), ref: 0044D215
SetWindowLongA.USER32(?,000000FC,?), ref: 0044D22E
GetWindowLongA.USER32(?,000000F0), ref: 0044D239
GetWindowLongA.USER32(?,000000F4), ref: 0044D24B
SetWindowLongA.USER32(?,000000F4,?), ref: 0044D25E
SetPropA.USER32(?,00000000,00000000), ref: 0044D275
SetPropA.USER32(?,00000000,00000000), ref: 0044D28C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A8AC, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 146 Total matches: 45fileprocesssynchronization

Similarity

Total matches: 45
API ID: CloseHandle$CreateFile$CreateProcessWaitForSingleObject
String ID: D
API String ID: 1169714791-2746444292
Opcode ID: 9fb844b51f751657abfdf9935c21911306aa385a3997c9217fbe2ce6b668f812
Instruction ID: 79e473b7fda91be69f4d7f417df14a4c992ec25b9310636d694ca9e09f5cc5b6
Opcode Fuzzy Hash: 4D11E6431384F3F3F1A567002C8275185D6DB45A78E6D9752D6B6323EECB40A16CF94A
Instruction Fuzzy Hash: 79e473b7fda91be69f4d7f417df14a4c992ec25b9310636d694ca9e09f5cc5b6

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000004,00000100,00000000), ref: 0048A953
CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000002,00000100,00000000), ref: 0048A98D
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000110,00000000,00000000,00000044,?), ref: 0048AA10
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0048AA2D
CloseHandle.KERNEL32(00000000), ref: 0048AA68
CloseHandle.KERNEL32(00000000), ref: 0048AA77
CloseHandle.KERNEL32(00000000), ref: 0048AA86
CloseHandle.KERNEL32(00000000), ref: 0048AA95

Strings

D, xrefs: 0048A9BB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F3B8, Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 110 Total matches: 30

Similarity

Total matches: 30
API ID: GetWindowPlacementGetWindowText
String ID: ,$False$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive
API String ID: 3194812178-3661939895
Opcode ID: 6e67ebc189e59b109926b976878c05c5ff8e56a7c2fe83319816f47c7d386b2c
Instruction ID: 05c2a068ec8248d3d24fb73124f2ba0192b7bb261c799db9564259cde8fcc610
Opcode Fuzzy Hash: DC012BC22786CE23E606A9C47A00BD0CE65AFB261CCC867E14FEE3C5D57ED100089B96
Instruction Fuzzy Hash: 05c2a068ec8248d3d24fb73124f2ba0192b7bb261c799db9564259cde8fcc610

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F40E
GetWindowPlacement.USER32(?,0000002C), ref: 0046F429

Part of subcall function 0046F148: GetWindow.USER32(?,00000005), ref: 0046F156
Part of subcall function 0046F148: GetWindow.USER32(00000000,00000002), ref: 0046F164

Strings

Maximized, xrefs: 0046F439
,, xrefs: 0046F41D
False, xrefs: 0046F4D6
Show/Unactive, xrefs: 0046F475
Normal, xrefs: 0046F44D
Minimized, xrefs: 0046F461
Normal/Unactive, xrefs: 0046F489

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00456278, Relevance: 15.2, APIs: 10, Instructions: 197 Total matches: 3025

Similarity

Total matches: 3025
API ID: GetWindowLong$IntersectClipRectRestoreDCSaveDC
String ID:
API String ID: 3006731778-0
Opcode ID: 42e9e34b880910027b3e3a352b823e5a85719ef328f9c6ea61aaf2d3498d6580
Instruction ID: 4204c0258dd60c0c2688d7e8ce7edc9cd036ce1826430425374ca7ebdb7834a4
Opcode Fuzzy Hash: 4621F609168D5267EC7B75806993BAA7111FB82B88CD1F7321AA1171975B80204BFA07
Instruction Fuzzy Hash: 4204c0258dd60c0c2688d7e8ce7edc9cd036ce1826430425374ca7ebdb7834a4

APIs

SaveDC.GDI32(?), ref: 00456295

Part of subcall function 0044EEA0: GetWindowOrgEx.GDI32(?), ref: 0044EEAE
Part of subcall function 0044EEA0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044EEC4

IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 004562CE
GetWindowLongA.USER32(00000000,000000EC), ref: 004562E2
GetWindowLongA.USER32(00000000,000000F0), ref: 00456303

Part of subcall function 00456278: SetRect.USER32(00000010,00000000,00000000,?,?), ref: 00456363
Part of subcall function 00456278: IntersectClipRect.GDI32(?,00000000,00000000,00000010,?), ref: 004563D3
Part of subcall function 00456278: SetRect.USER32(?,00000000,00000000,?,?), ref: 004563F4
Part of subcall function 00456278: DrawEdge.USER32(?,?,00000000,00000000), ref: 00456403
Part of subcall function 00456278: IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0045642C

RestoreDC.GDI32(?,?), ref: 004564AB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044155C, Relevance: 15.1, APIs: 10, Instructions: 74 Total matches: 3192window

Similarity

Total matches: 3192
API ID: DeleteMenu$EnableMenuItem$GetSystemMenu
String ID:
API String ID: 3542995237-0
Opcode ID: 6b257927fe0fdeada418aad578b82fbca612965c587f2749ccb5523ad42afade
Instruction ID: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578
Opcode Fuzzy Hash: 0AF0D09DD98F1151E6F500410C47B83C08AFF413C5C245B380583217EFA9D25A5BEB0E
Instruction Fuzzy Hash: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 004415A7
DeleteMenu.USER32(00000000,0000F130,00000000), ref: 004415C5
DeleteMenu.USER32(00000000,00000007,00000400), ref: 004415D2
DeleteMenu.USER32(00000000,00000005,00000400), ref: 004415DF
DeleteMenu.USER32(00000000,0000F030,00000000), ref: 004415EC
DeleteMenu.USER32(00000000,0000F020,00000000), ref: 004415F9
DeleteMenu.USER32(00000000,0000F000,00000000), ref: 00441606
DeleteMenu.USER32(00000000,0000F120,00000000), ref: 00441613
EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 00441631
EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 0044164D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040281E, Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 188 Total matches: 190window

Similarity

Total matches: 190
API ID: MessageBox
String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
API String ID: 1250089747-980038931
Opcode ID: 1669ecd234b97cdbd14c3df7a35b1e74c6856795be7635a3e0f5130a3d9bc831
Instruction ID: 2e60dbe28dcd1d3aa5670394eea0bc97309ab4bc9661f15f320bab8b5d4cd559
Opcode Fuzzy Hash: 8E21F44B67EED392D3EA1303384575540E3ABC5537D888F60977232BF6EE14140BAA9D
Instruction Fuzzy Hash: 2e60dbe28dcd1d3aa5670394eea0bc97309ab4bc9661f15f320bab8b5d4cd559

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 00402BBE

Strings

An unexpected memory leak has occurred. , xrefs: 00402980
, xrefs: 00402B04
The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402B39
The unexpected small block leaks are:, xrefs: 004029F7
Unexpected Memory Leak, xrefs: 00402BB0
7, xrefs: 00402991
bytes: , xrefs: 00402A4D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004710F0, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 66 Total matches: 37

Similarity

Total matches: 37
API ID: GetWindowShowWindow$FindWindowGetClassName
String ID: BUTTON$Shell_TrayWnd
API String ID: 2948047570-3627955571
Opcode ID: 9e064d9ead1b610c0c1481de5900685eb7d76be14ef2e83358ce558d27e67668
Instruction ID: d360bd029940f6fa4d12d7627fe3e8b46839e67e31e965d43504e39a11938d6c
Opcode Fuzzy Hash: 68E092CC17B5D469B71A2789284236241D5C763A35C18B752D332376DF8E58021EE60A
Instruction Fuzzy Hash: d360bd029940f6fa4d12d7627fe3e8b46839e67e31e965d43504e39a11938d6c

APIs

FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 0047111D
GetWindow.USER32(00000000,00000005), ref: 00471125
GetClassNameA.USER32(00000000,?,00000080), ref: 0047113D
ShowWindow.USER32(00000000,00000001), ref: 0047117C
ShowWindow.USER32(00000000,00000000), ref: 00471186
GetWindow.USER32(00000000,00000002), ref: 0047118E

Strings

BUTTON, xrefs: 00471168
Shell_TrayWnd, xrefs: 00471118

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004564D0, Relevance: 13.7, APIs: 9, Instructions: 177 Total matches: 190window

Similarity

Total matches: 190
API ID: SelectObject$BeginPaintBitBltCreateCompatibleBitmapCreateCompatibleDCSetWindowOrgEx
String ID:
API String ID: 1616898104-0
Opcode ID: 00b711a092303d63a394b0039c66d91bff64c6bf82b839551a80748cfcb5bf1e
Instruction ID: 1affb125a654ca7596d0e4f6c4811def945eff925a29ebecd1c68cf0f38a7913
Opcode Fuzzy Hash: 14115B85024DA637E8739CC85E83F962294F307D48C91F7729BA31B2C72F15600DD293
Instruction Fuzzy Hash: 1affb125a654ca7596d0e4f6c4811def945eff925a29ebecd1c68cf0f38a7913

APIs

Part of subcall function 00455D50: BeginPaint.USER32(00000000,?), ref: 00455D7B
Part of subcall function 00455D50: SaveDC.GDI32(00000000), ref: 00455DB4
Part of subcall function 00455D50: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 00455E36
Part of subcall function 00455D50: RestoreDC.GDI32(00000000,00000000), ref: 00455E6C
Part of subcall function 00455D50: EndPaint.USER32(00000000,?), ref: 00455EA9

BeginPaint.USER32(00000000,?), ref: 004565EA
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00456600
CreateCompatibleDC.GDI32(00000000), ref: 00456617
SelectObject.GDI32(?,?), ref: 00456627
SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0045664B

Part of subcall function 004564D0: BeginPaint.USER32(00000000,?), ref: 0045653C
Part of subcall function 004564D0: EndPaint.USER32(00000000,?), ref: 004565D0

BitBlt.GDI32(00000000,?,?,?,?,?,?,?,00CC0020), ref: 00456699
SelectObject.GDI32(?,?), ref: 004566B3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004840D8, Relevance: 13.6, APIs: 9, Instructions: 150 Total matches: 30

Similarity

Total matches: 30
API ID: CloseHandleGetTokenInformationLookupAccountSid$GetLastErrorOpenProcessOpenProcessToken
String ID:
API String ID: 1387212650-0
Opcode ID: 55fc45e655e8bcad6bc41288bae252f5ee7be0b7cb976adfe173a6785b05be5f
Instruction ID: 4c6b5abeafcca947752a893948ed48d42e020b1fe5683f4a654fc51f6199c0a3
Opcode Fuzzy Hash: 3901484A17CA2293F53BB5C82483FEA1215E702B45D48B7A354F43A59A5F45A13BF702
Instruction Fuzzy Hash: 4c6b5abeafcca947752a893948ed48d42e020b1fe5683f4a654fc51f6199c0a3

APIs

OpenProcess.KERNEL32(00000400,00000000,?,00000000,00484275), ref: 00484108
OpenProcessToken.ADVAPI32(00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 0048411E
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,?,00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 00484139
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),?,?,?,?,TokenIntegrityLevel,00000000,00000000,?,00000000,00000008,?,00000400,00000000), ref: 00484168
GetLastError.KERNEL32(?,TokenIntegrityLevel,00000000,00000000,?,00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 00484177
CloseHandle.KERNEL32(?), ref: 00484185
LookupAccountSidA.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 004841B4
LookupAccountSidA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,?), ref: 00484205
CloseHandle.KERNEL32(00000000), ref: 00484255

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00451458, Relevance: 13.6, APIs: 9, Instructions: 122 Total matches: 3040window

Similarity

Total matches: 3040
API ID: PatBlt$SelectObject$GetDCExGetDesktopWindowReleaseDC
String ID:
API String ID: 2402848322-0
Opcode ID: 0b1cd19b0e82695ca21d43bacf455c9985e1afa33c1b29ce2f3a7090b744ccb2
Instruction ID: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593
Opcode Fuzzy Hash: C2F0B4482AADF707C8B6350915C7F79224AED736458F4BB694DB4172CBAF27B014D093
Instruction Fuzzy Hash: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593

APIs

GetDesktopWindow.USER32 ref: 0045148F
GetDCEx.USER32(?,00000000,00000402), ref: 004514A2

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

SelectObject.GDI32(?,00000000), ref: 004514C5
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 004514EB
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0045150D
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 0045152C
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 00451546
SelectObject.GDI32(?,?), ref: 00451553
ReleaseDC.USER32(?,?), ref: 0045156D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004117E8, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: f440f800a6dcfa6827f62dcd7c23166eba4d720ac19948e634cff8498f9e3f0b
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 4D113503239AAB83B0257B804C83F24D1D0DE42D36ACD97B8C672693F32601561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00411881
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041189D
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 004118D6
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411953
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0041196C
VariantCopy.OLEAUT32(?), ref: 004119A1

Strings

, xrefs: 00411802

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AC14, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 110 Total matches: 30

Similarity

Total matches: 30
API ID: GetCurrentProcessGetTokenInformationLookupPrivilegeDisplayNameLookupPrivilegeNameOpenProcessToken
String ID: GetTokenInformation error$OpenProcessToken error
API String ID: 34442935-1842041635
Opcode ID: 07715b92dc7caf9e715539a578f275bcd2bb60a34190f84cc6cf05c55eb8ea49
Instruction ID: 380ab001647c8b3903b6034fc21424389ae21c1771cfbd9cf9b74ae493e33b6b
Opcode Fuzzy Hash: 9101994303ACF753F62929086842BDA0550DF534A5EC4AB6281746BEC90F28203AFB57
Instruction Fuzzy Hash: 380ab001647c8b3903b6034fc21424389ae21c1771cfbd9cf9b74ae493e33b6b

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AD60), ref: 0048AC51
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AD60), ref: 0048AC57
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000320,?,00000000,00000028,?,00000000,0048AD60), ref: 0048AC7D
LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,00000000,000000FF,?), ref: 0048ACEE

Part of subcall function 00489B40: MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00489B84

LookupPrivilegeNameA.ADVAPI32(00000000,?,00000000,000000FF), ref: 0048ACDD

Strings

GetTokenInformation error, xrefs: 0048AC86
OpenProcessToken error, xrefs: 0048AC60

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E4A0, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68 Total matches: 2853string

Similarity

Total matches: 2853
API ID: GetSystemMetrics$GetMonitorInfoSystemParametersInfolstrcpy
String ID: DISPLAY$GetMonitorInfo
API String ID: 3432438702-1633989206
Opcode ID: eae47ffeee35c10db4cae29e8a4ab830895bcae59048fb7015cdc7d8cb0a928b
Instruction ID: 74142331967dee0409fd24cf408a58a7466f2520650418456c75ade1e3029da4
Opcode Fuzzy Hash: 28E068803A699081F86A71027110F4912B07AE7E47D883B92C4777051BD78265B91D01
Instruction Fuzzy Hash: 74142331967dee0409fd24cf408a58a7466f2520650418456c75ade1e3029da4

APIs

GetMonitorInfoA.USER32(?,?), ref: 0042E4D1
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042E4F8
GetSystemMetrics.USER32(00000000), ref: 0042E50D
GetSystemMetrics.USER32(00000001), ref: 0042E518
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0042E542

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

DISPLAY, xrefs: 0042E539
GetMonitorInfo, xrefs: 0042E4B8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004052FC, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38 Total matches: 3072filewindow

Similarity

Total matches: 3072
API ID: GetStdHandleWriteFile$MessageBox
String ID: Error$Runtime error at 00000000
API String ID: 877302783-2970929446
Opcode ID: a2f2a555d5de0ed3a3cdfe8a362fd9574088acc3a5edf2b323f2c4251b80d146
Instruction ID: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97
Opcode Fuzzy Hash: FED0A7C68438479FA141326030C4B2A00133F0762A9CC7396366CB51DFCF4954BCDD05
Instruction Fuzzy Hash: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405335
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 0040533B
GetStdHandle.KERNEL32(000000F5,00405384,00000002,?,00000000,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405350
WriteFile.KERNEL32(00000000,000000F5,00405384,00000002,?), ref: 00405356
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00405374

Strings

Error, xrefs: 00405368
Runtime error at 00000000, xrefs: 0040532E, 0040536D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E0DC, Relevance: 12.1, APIs: 8, Instructions: 100 Total matches: 31registry

Similarity

Total matches: 31
API ID: RegOpenKeyEx$RegCloseKeyRegDeleteValue
String ID:
API String ID: 2702562355-0
Opcode ID: ff1bffc0fc9da49c543c68ea8f8c068e074332158ed00d7e0855fec77d15ce10
Instruction ID: bb6f8a9e936068d281b70d3ea2ea02ff1a791729bc38357734c580253c916b5c
Opcode Fuzzy Hash: 00F0AD0155E9A353EBF654C41E127DB2082FF43A44D08FFB50392139D3DF581028E663
Instruction Fuzzy Hash: bb6f8a9e936068d281b70d3ea2ea02ff1a791729bc38357734c580253c916b5c

APIs

RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?,00000000,0046E238), ref: 0046E15A
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,000F003F,?,0046E23F,80000000,00000000,00000000,000F003F,?,00000000,0046E238), ref: 0046E17D
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,0046E23F,80000000,00000000,00000000,000F003F,?), ref: 0046E19D
RegOpenKeyExA.ADVAPI32(80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,0046E23F), ref: 0046E1BD
RegOpenKeyExA.ADVAPI32(80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001), ref: 0046E1DD
RegOpenKeyExA.ADVAPI32(80000006,00000000,00000000,000F003F,?,80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002), ref: 0046E1FD
RegDeleteValueA.ADVAPI32(?,00000000,00000000,0046E238), ref: 0046E20F
RegCloseKey.ADVAPI32(?,?,00000000,00000000,0046E238), ref: 0046E218

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004462F4, Relevance: 12.1, APIs: 8, Instructions: 99 Total matches: 293windowthread

Similarity

Total matches: 293
API ID: SendMessage$GetWindowThreadProcessId$GetCaptureGetParentIsWindowUnicode
String ID:
API String ID: 2317708721-0
Opcode ID: 8f6741418f060f953fc426fb00df5905d81b57fcb2f7a38cdc97cb0aab6d7365
Instruction ID: 027f2b09132ef415e1641618d15c0fc03404835376b0cbd1c352fc703b58c8b5
Opcode Fuzzy Hash: D0F09E15071D1844F89FA7844CD3F1F0150E73726FC516A251861D07BB2640586DEC40
Instruction Fuzzy Hash: 027f2b09132ef415e1641618d15c0fc03404835376b0cbd1c352fc703b58c8b5

APIs

GetCapture.USER32 ref: 0044631A
GetParent.USER32(00000000), ref: 00446340
IsWindowUnicode.USER32(00000000), ref: 0044635D
SendMessageW.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446378
SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446397
GetWindowThreadProcessId.USER32(00000000), ref: 004463A6
GetWindowThreadProcessId.USER32(?,?), ref: 004463B4
SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 004463D4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E244, Relevance: 12.1, APIs: 8, Instructions: 95 Total matches: 27registry

Similarity

Total matches: 27
API ID: RegOpenKeyEx$RegCloseKeyRegDeleteKey
String ID:
API String ID: 1588268847-0
Opcode ID: efa1fa3a126963e045954320cca245066a4b5764b694b03be027155e6cf74c33
Instruction ID: 786d86d630c0ce6decb55c8266b1f23f89dbfeab872e22862efc69a80fb541cf
Opcode Fuzzy Hash: 70F0810454D99393EFF268C81A627EB2492FF53141C00BFB603D222A93DF191428E663
Instruction Fuzzy Hash: 786d86d630c0ce6decb55c8266b1f23f89dbfeab872e22862efc69a80fb541cf

APIs

RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?,00000000,0046E391), ref: 0046E2B7
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,000F003F,?,80000000,00000000,00000000,000F003F,?,00000000,0046E391), ref: 0046E2DA
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,80000000,00000000,00000000,000F003F,?,00000000), ref: 0046E2FA
RegOpenKeyExA.ADVAPI32(80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,80000000), ref: 0046E31A
RegOpenKeyExA.ADVAPI32(80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001), ref: 0046E33A
RegOpenKeyExA.ADVAPI32(80000006,00000000,00000000,000F003F,?,80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002), ref: 0046E35A
RegDeleteKeyA.ADVAPI32(?,0046E39C), ref: 0046E368
RegCloseKey.ADVAPI32(?,?,0046E39C,00000000,0046E391), ref: 0046E371

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426060, Relevance: 12.1, APIs: 8, Instructions: 79 Total matches: 3072window

Similarity

Total matches: 3072
API ID: GetSystemPaletteEntries$GetDCGetDeviceCapsReleaseDC
String ID:
API String ID: 3774187343-0
Opcode ID: c8a1f0028bda89d06ba34fecd970438ce26e4f5bd606e2da3d468695089984a8
Instruction ID: 0cfe958825060108f21fe327ec74807f3ea840bb8274bad68fd1d00675d59d02
Opcode Fuzzy Hash: 82F0E9420739F3B3B21723492453B548250FF006B8F195B7095A2A37D54B486A08D65A
Instruction Fuzzy Hash: 0cfe958825060108f21fe327ec74807f3ea840bb8274bad68fd1d00675d59d02

APIs

GetDC.USER32(00000000), ref: 0042608E
GetDeviceCaps.GDI32(?,00000068), ref: 004260AA
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 004260C9
GetSystemPaletteEntries.GDI32(?,-00000008,00000001,00C0C0C0), ref: 004260ED
GetSystemPaletteEntries.GDI32(?,00000000,00000007,?), ref: 0042610B
GetSystemPaletteEntries.GDI32(?,00000007,00000001,?), ref: 0042611F
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0042613F
ReleaseDC.USER32(00000000,?), ref: 00426157

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434550, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 177 Total matches: 2669window

Similarity

Total matches: 2669
API ID: InsertMenu$GetVersionInsertMenuItem
String ID: ,$?
API String ID: 1158528009-2308483597
Opcode ID: 3691d3eb49acf7fe282d18733ae3af9147e5be4a4a7370c263688d5644077239
Instruction ID: d88e58a9695d0ecde36b26a9ed5775f3b98e27f7dc2108173ae1ec2afbf22209
Opcode Fuzzy Hash: 7021C07202AE81DBD414788C7954F6221B16B5465FD49FF210329B5DD98F156003FF7A
Instruction Fuzzy Hash: d88e58a9695d0ecde36b26a9ed5775f3b98e27f7dc2108173ae1ec2afbf22209

APIs

GetVersion.KERNEL32(00000000,004347A1), ref: 004345EC
InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 004346F5
InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 0043477E

Part of subcall function 00434A54: CreatePopupMenu.USER32 ref: 00434A6F
Part of subcall function 00434A54: CreateMenu.USER32 ref: 00434A79

InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 00434765

Strings

?, xrefs: 00434607
,, xrefs: 00434600

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446524, Relevance: 10.6, APIs: 7, Instructions: 105 Total matches: 329window

Similarity

Total matches: 329
API ID: PeekMessage$DispatchMessage$IsWindowUnicodeTranslateMessage
String ID:
API String ID: 94033680-0
Opcode ID: 72d0e2097018c2d171db36cd9dd5c7d628984fd68ad100676ade8b40d7967d7f
Instruction ID: b3581f7210794b57d406096c46509e1a6dcc6e0b3c60c7d01b5c3c410123a072
Opcode Fuzzy Hash: A2F0F642161A8221F90E364651E2FC06559E31F39CCD1D3871165A4192DF8573D6F95C
Instruction Fuzzy Hash: b3581f7210794b57d406096c46509e1a6dcc6e0b3c60c7d01b5c3c410123a072

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00446538
IsWindowUnicode.USER32 ref: 0044654C
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0044656D
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00446583

Part of subcall function 00447DD0: GetCapture.USER32 ref: 00447DDA
Part of subcall function 00447DD0: GetParent.USER32(00000000), ref: 00447E08

Part of subcall function 004462A4: TranslateMDISysAccel.USER32(?), ref: 004462E3

Part of subcall function 004462F4: GetCapture.USER32 ref: 0044631A
Part of subcall function 004462F4: GetParent.USER32(00000000), ref: 00446340
Part of subcall function 004462F4: IsWindowUnicode.USER32(00000000), ref: 0044635D
Part of subcall function 004462F4: SendMessageW.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446378
Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446397
Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(00000000), ref: 004463A6
Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(?,?), ref: 004463B4
Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 004463D4

Part of subcall function 0044625C: IsWindowUnicode.USER32(00000000), ref: 00446270
Part of subcall function 0044625C: IsDialogMessageW.USER32(?), ref: 00446281
Part of subcall function 0044625C: IsDialogMessageA.USER32(?,?,00000000,015B8130,00000001,00446607,?,00000000,00000000,00000000,00000001,?,00000000,00000000,00000000,00000000), ref: 00446296

TranslateMessage.USER32 ref: 0044660C
DispatchMessageW.USER32 ref: 00446618
DispatchMessageA.USER32 ref: 00446620

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004282D0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99 Total matches: 1938

Similarity

Total matches: 1938
API ID: GetWinMetaFileBitsMulDiv$GetDC
String ID: `
API String ID: 1171737091-2679148245
Opcode ID: 97e0afb71fd3017264d25721d611b96d1ac3823582e31f119ebb41a52f378edb
Instruction ID: fd1c75cb27f8ccc4a85bc281ca680933f7ff10ae91a160973978cac80d6b42b6
Opcode Fuzzy Hash: B6F0ACC4008CD2A7D87675DC1043F6311C897CA286E89BB739226A7307CB0AA019EC47
Instruction Fuzzy Hash: fd1c75cb27f8ccc4a85bc281ca680933f7ff10ae91a160973978cac80d6b42b6

APIs

MulDiv.KERNEL32(?,?,000009EC), ref: 00428322
MulDiv.KERNEL32(?,?,000009EC), ref: 00428339
GetDC.USER32(00000000), ref: 00428350
GetWinMetaFileBits.GDI32(?,00000000,00000000,00000008,?), ref: 00428374
GetWinMetaFileBits.GDI32(?,?,?,00000008,?), ref: 004283A7

Part of subcall function 00425A70: GetLastError.KERNEL32(00000000,00425B0C), ref: 00425A90
Part of subcall function 00425A70: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00425B0C), ref: 00425AB6

Strings

`, xrefs: 00428308

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444344, Relevance: 10.6, APIs: 7, Instructions: 89 Total matches: 2886

Similarity

Total matches: 2886
API ID: CreateFontIndirect$GetStockObjectSystemParametersInfo
String ID:
API String ID: 1286667049-0
Opcode ID: beeb678630a8d2ca0f721ed15124802961745e4c56d7c704ecddf8ebfa723626
Instruction ID: b9276e4cea0afd1028da4d528d34847b13dbaab52dc8e94e54053a20ac38a9fc
Opcode Fuzzy Hash: 00F0A4C36341F6F2D8993208742172161E6A74AE78C7CFF62422930ED2661A052EEB4F
Instruction Fuzzy Hash: b9276e4cea0afd1028da4d528d34847b13dbaab52dc8e94e54053a20ac38a9fc

APIs

SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 00444399
CreateFontIndirectA.GDI32(?), ref: 004443A6
GetStockObject.GDI32(0000000D), ref: 004443BC
SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 004443E5
CreateFontIndirectA.GDI32(?), ref: 004443F5
CreateFontIndirectA.GDI32(?), ref: 0044440E

Part of subcall function 00424A5C: MulDiv.KERNEL32(00000000,?,00000048), ref: 00424A69

GetStockObject.GDI32(0000000D), ref: 00444434

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428A00, Relevance: 10.6, APIs: 7, Instructions: 66 Total matches: 3056

Similarity

Total matches: 3056
API ID: SelectObject$CreateCompatibleDCDeleteDCGetDCReleaseDCSetDIBColorTable
String ID:
API String ID: 2399757882-0
Opcode ID: e05996493a4a7703f1d90fd319a439bf5e8e75d5a5d7afaf7582bfea387cb30d
Instruction ID: 90c847b5b2251fbb5b2f14fd0b24f537c214c92e226752d9278a3821f2f40b8f
Opcode Fuzzy Hash: 73E0DF8626D8F38BE435399C15C2BB202EAD763D20D1ABBA1CD712B5DB6B09701CE107
Instruction Fuzzy Hash: 90c847b5b2251fbb5b2f14fd0b24f537c214c92e226752d9278a3821f2f40b8f

APIs

Part of subcall function 004262B4: GetObjectA.GDI32(?,00000004), ref: 004262CB
Part of subcall function 004262B4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 004262EE

GetDC.USER32(00000000), ref: 00428A3E
CreateCompatibleDC.GDI32(?), ref: 00428A4A
SelectObject.GDI32(?), ref: 00428A57
SetDIBColorTable.GDI32(?,00000000,00000000,?), ref: 00428A7B
SelectObject.GDI32(?,?), ref: 00428A95
DeleteDC.GDI32(?), ref: 00428A9E
ReleaseDC.USER32(00000000,?), ref: 00428AA9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004442A8, Relevance: 10.6, APIs: 7, Instructions: 57 Total matches: 3149threadwindow

Similarity

Total matches: 3149
API ID: SendMessage$GetCurrentThreadIdGetCursorPosGetWindowThreadProcessIdSetCursorWindowFromPoint
String ID:
API String ID: 3843227220-0
Opcode ID: 636f8612f18a75fc2fe2d79306f1978e6c2d0ee500cce15a656835efa53532b4
Instruction ID: 91a0691e93be75cbd792bc1c5d11451005bcc187603754b99125f381020161aa
Opcode Fuzzy Hash: 6FE07D44093723D5C0644A295640705A6C6CB96630DC0DB86C339580FBAD0214F0BC92
Instruction Fuzzy Hash: 91a0691e93be75cbd792bc1c5d11451005bcc187603754b99125f381020161aa

APIs

GetCursorPos.USER32 ref: 004442C3
WindowFromPoint.USER32(?,?), ref: 004442D0
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004442DE
GetCurrentThreadId.KERNEL32(00000000,00000000,?,?), ref: 004442E5
SendMessageA.USER32(00000000,00000084,00000000,?), ref: 0044430E
SendMessageA.USER32(00000000,00000020,00000000,?), ref: 00444320
SetCursor.USER32(00000000), ref: 00444332

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00404448, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 49 Total matches: 63registry

Similarity

Total matches: 63
API ID: RegCloseKeyRegOpenKeyExRegQueryValueEx
String ID: &$FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 2249749755-409351
Opcode ID: ab90adbf7b939076b4d26ef1005f34fa32d43ca05e29cbeea890055cc8b783db
Instruction ID: ce62e3bb234767a160e82b0d7d36def6f0e4d1aa0fd43ed305e6d49589b0b3e0
Opcode Fuzzy Hash: 58D02BE10C9A675FB6B071543292B6310A3F72AA8CC0077326DD03A0D64FD26178CF03
Instruction Fuzzy Hash: ce62e3bb234767a160e82b0d7d36def6f0e4d1aa0fd43ed305e6d49589b0b3e0

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040446A
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,&,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040449D
RegCloseKey.ADVAPI32(?,004044C0,00000000,?,00000004,00000000,&,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004044B3

Strings

&, xrefs: 00404476
FPUMaskValue, xrefs: 00404494
SOFTWARE\Borland\Delphi\RTL, xrefs: 00404460

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043EC18, Relevance: 9.2, APIs: 6, Instructions: 150 Total matches: 2896

Similarity

Total matches: 2896
API ID: FillRect$BeginPaintEndPaintGetClientRectGetWindowRect
String ID:
API String ID: 2931688664-0
Opcode ID: 677a90f33c4a0bae1c1c90245e54b31fe376033ebf9183cf3cf5f44c7b342276
Instruction ID: 65c0a0a89661e183b73f48e61e48bee5eb6d6399339ac08e0e21072a38132552
Opcode Fuzzy Hash: 9711994A819E5007F47B49C40887BEA1092FBC1FDBCC8FF7025A426BCB0B60564F860B
Instruction Fuzzy Hash: 65c0a0a89661e183b73f48e61e48bee5eb6d6399339ac08e0e21072a38132552

APIs

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?), ref: 0043EC91
GetClientRect.USER32(00000000,?), ref: 0043ECBC
FillRect.USER32(?,?,00000000), ref: 0043ECDB

Part of subcall function 0043EB8C: CallWindowProcA.USER32(?,?,?,?,?), ref: 0043EBC6

Part of subcall function 0043B78C: GetWindowLongA.USER32(?,000000EC), ref: 0043B799
Part of subcall function 0043B78C: SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B7BC
Part of subcall function 0043B78C: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043B7CE

BeginPaint.USER32(?,?), ref: 0043ED53
GetWindowRect.USER32(?,?), ref: 0043ED80

Part of subcall function 0044EEA0: GetWindowOrgEx.GDI32(?), ref: 0044EEAE
Part of subcall function 0044EEA0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044EEC4

Part of subcall function 00455D50: BeginPaint.USER32(00000000,?), ref: 00455D7B
Part of subcall function 00455D50: SaveDC.GDI32(00000000), ref: 00455DB4
Part of subcall function 00455D50: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 00455E36
Part of subcall function 00455D50: RestoreDC.GDI32(00000000,00000000), ref: 00455E6C
Part of subcall function 00455D50: EndPaint.USER32(00000000,?), ref: 00455EA9

EndPaint.USER32(?,?), ref: 0043EDE0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00441160, Relevance: 9.1, APIs: 6, Instructions: 125 Total matches: 196

Similarity

Total matches: 196
API ID: ExcludeClipRectFillRectGetStockObjectRestoreDCSaveDCSetBkColor
String ID:
API String ID: 3049133588-0
Opcode ID: d6019f6cee828ac7391376ab126a0af33bb7a71103bbd3b8d69450c96d22d854
Instruction ID: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c
Opcode Fuzzy Hash: 54012444004F6253F4AB098428E7FA56083F721791CE4FF310786616C34A74615BAA07
Instruction Fuzzy Hash: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c

APIs

Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE

SaveDC.GDI32(?), ref: 004411AD
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00441234
GetStockObject.GDI32(00000004), ref: 00441256
FillRect.USER32(00000000,?,00000000), ref: 0044126F

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(00000000,00000000), ref: 004412BA

Part of subcall function 0042535C: FillRect.USER32(?,00000000,00000000), ref: 00425385

RestoreDC.GDI32(00000000,?), ref: 004412E5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426564, Relevance: 9.1, APIs: 6, Instructions: 84 Total matches: 3298

Similarity

Total matches: 3298
API ID: GetDeviceCapsGetSystemMetrics$GetDCReleaseDC
String ID:
API String ID: 3173458388-0
Opcode ID: fd9f4716da230ae71bf1f4ec74ceb596be8590d72bfe1d7677825fa15454f496
Instruction ID: 76208f8db54bfa31a4e946745ab37a866a8afca9cd7e1400b1f436bf5add317d
Opcode Fuzzy Hash: 0CF09E4906CDE0A230E245C41213F6290C28E85DA1CCD2F728175646EB900A900BB68A
Instruction Fuzzy Hash: 76208f8db54bfa31a4e946745ab37a866a8afca9cd7e1400b1f436bf5add317d

APIs

GetSystemMetrics.USER32(0000000B), ref: 004265B2
GetSystemMetrics.USER32(0000000C), ref: 004265BE
GetDC.USER32(00000000), ref: 004265DA
GetDeviceCaps.GDI32(00000000,0000000E), ref: 00426601
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042660E
ReleaseDC.USER32(00000000,00000000), ref: 00426647

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004269DC, Relevance: 9.1, APIs: 6, Instructions: 65 Total matches: 3081window

Similarity

Total matches: 3081
API ID: SelectPalette$CreateCompatibleDCDeleteDCGetDIBitsRealizePalette
String ID:
API String ID: 940258532-0
Opcode ID: c5678bed85b02f593c88b8d4df2de58c18800a354d7fb4845608846d7bc0f30b
Instruction ID: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194
Opcode Fuzzy Hash: BCE0864D058EF36F1875B08C25D267100C0C9A25D0917BB6151282339B8F09B42FE553
Instruction Fuzzy Hash: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194

APIs

Part of subcall function 00426888: GetObjectA.GDI32(?,00000054), ref: 0042689C

CreateCompatibleDC.GDI32(00000000), ref: 004269FE
SelectPalette.GDI32(?,?,00000000), ref: 00426A1F
RealizePalette.GDI32(?), ref: 00426A2B
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 00426A42
SelectPalette.GDI32(?,00000000,00000000), ref: 00426A6A
DeleteDC.GDI32(?), ref: 00426A73

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426210, Relevance: 9.1, APIs: 6, Instructions: 56 Total matches: 3064window

Similarity

Total matches: 3064
API ID: SelectObject$CreateCompatibleDCCreatePaletteDeleteDCGetDIBColorTable
String ID:
API String ID: 2522673167-0
Opcode ID: 8f0861977a40d6dd0df59c1c8ae10ba78c97ad85d117a83679491ebdeecf1838
Instruction ID: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265
Opcode Fuzzy Hash: 23E0CD8BABB4E08A797B9EA40440641D28F874312DF4347525731780E7DE0972EBFD9D
Instruction Fuzzy Hash: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265

APIs

CreateCompatibleDC.GDI32(00000000), ref: 00426229
SelectObject.GDI32(00000000,00000000), ref: 00426232
GetDIBColorTable.GDI32(00000000,00000000,00000100,?), ref: 00426246
SelectObject.GDI32(00000000,00000000), ref: 00426252
DeleteDC.GDI32(00000000), ref: 00426258
CreatePalette.GDI32 ref: 0042629F

Part of subcall function 00426178: GetDC.USER32(00000000), ref: 00426190
Part of subcall function 00426178: GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
Part of subcall function 00426178: ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004258EC, Relevance: 9.0, APIs: 6, Instructions: 43 Total matches: 3205

Similarity

Total matches: 3205
API ID: SetBkColorSetBkMode$SelectObjectUnrealizeObject
String ID:
API String ID: 865388446-0
Opcode ID: ffaa839b37925f52af571f244b4bcc9ec6d09047a190f4aa6a6dd435522a71e3
Instruction ID: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d
Opcode Fuzzy Hash: 04D09E594221F71A98E8058442D7D520586497D532DAF3B51063B173F7F8089A05D9FC
Instruction Fuzzy Hash: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d

APIs

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

UnrealizeObject.GDI32(00000000), ref: 004258F8
SelectObject.GDI32(?,00000000), ref: 0042590A
SetBkColor.GDI32(?,00000000), ref: 0042592D
SetBkMode.GDI32(?,00000002), ref: 00425938

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(?,00000000), ref: 00425953
SetBkMode.GDI32(?,00000001), ref: 0042595E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042A930, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 112 Total matches: 272window

Similarity

Total matches: 272
API ID: CreateHalftonePaletteDeleteObjectGetDCReleaseDC
String ID: (
API String ID: 5888407-3887548279
Opcode ID: 4e22601666aff46a46581565b5bf303763a07c2fd17868808ec6dd327d665c82
Instruction ID: f57f3c124764741b0e8e00b5455ad9be4a6e3969f543885727e4b1f2e22c0620
Opcode Fuzzy Hash: 79019E5241CC6117F8D7A6547852F732644AB806A5C80FB707B69BA8CFAB85610EB90B
Instruction Fuzzy Hash: f57f3c124764741b0e8e00b5455ad9be4a6e3969f543885727e4b1f2e22c0620

APIs

GetDC.USER32(00000000), ref: 0042A9EC
CreateHalftonePalette.GDI32(00000000), ref: 0042A9F9
ReleaseDC.USER32(00000000,00000000), ref: 0042AA08
DeleteObject.GDI32(00000000), ref: 0042AA76

Strings

(, xrefs: 0042A9A3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DA48, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 102 Total matches: 32

Similarity

Total matches: 32
API ID: Netbios
String ID: %.2x-%.2x-%.2x-%.2x-%.2x-%.2x$3$memory allocation failed!
API String ID: 544444789-2654533857
Opcode ID: 22deb5ba4c8dd5858e69645675ac88c4b744798eed5cc2a6ae80ae5365d1f156
Instruction ID: 205d53b38d78d2d0723284a20418f6a6cc2e9f6e34ee92e133a3f4b1a01c78c5
Opcode Fuzzy Hash: FC0145449793E233D2635E086C60F6823228F41731FC96B56863A557DC1F09420EF26F
Instruction Fuzzy Hash: 205d53b38d78d2d0723284a20418f6a6cc2e9f6e34ee92e133a3f4b1a01c78c5

APIs

Netbios.NETAPI32(00000032), ref: 0048DA8A
Netbios.NETAPI32(00000033), ref: 0048DB01

Strings

3, xrefs: 0048DACB
memory allocation failed!, xrefs: 0048DAEB
%.2x-%.2x-%.2x-%.2x-%.2x-%.2x, xrefs: 0048DBA0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EA7C, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50 Total matches: 198thread

Similarity

Total matches: 198
API ID: FindWindowExGetCurrentThreadIdGetWindowThreadProcessIdIsWindow
String ID: OleMainThreadWndClass
API String ID: 201132107-3883841218
Opcode ID: cdbacb71e4e8a6832b821703e69153792bbbb8731c9381be4d3b148a6057b293
Instruction ID: 62358f18f5a79d764869bf2b093b0b3ccaeb62bda00a46bd1094c38cdaeeb6b7
Opcode Fuzzy Hash: F8E08C9266CC1095C039EA1C7A2237A3548B7D24E9ED4DB747BEB2716CEF00022A7780
Instruction Fuzzy Hash: 62358f18f5a79d764869bf2b093b0b3ccaeb62bda00a46bd1094c38cdaeeb6b7

APIs

Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00000000,00403029), ref: 004076AD
Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00403029), ref: 004076BE

IsWindow.USER32(?), ref: 0042EA99
FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
GetCurrentThreadId.KERNEL32(?,00000000,00000000,00000000,OleMainThreadWndClass,00000000,?,?,00000000,0042EB52), ref: 0042EB0A

Strings

OleMainThreadWndClass, xrefs: 0042EAC3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434AE4, Relevance: 7.7, APIs: 5, Instructions: 168 Total matches: 2874

Similarity

Total matches: 2874
API ID: DrawTextOffsetRect$DrawEdge
String ID:
API String ID: 1230182654-0
Opcode ID: 4033270dfa35f51a11e18255a4f5fd5a4a02456381e8fcea90fa62f052767fcc
Instruction ID: 6b9e5ef3b45a4a7d0cb501c9f56a29ead01efbe1e1581f942ef4c6a165ab8663
Opcode Fuzzy Hash: A511CB01114D5A93E431240815A7FEF1295FBC1A9BCD4BB71078636DBB2F481017EA7B
Instruction Fuzzy Hash: 6b9e5ef3b45a4a7d0cb501c9f56a29ead01efbe1e1581f942ef4c6a165ab8663

APIs

DrawEdge.USER32(00000000,?,00000006,00000002), ref: 00434BB3
OffsetRect.USER32(?,00000001,00000001), ref: 00434C04
DrawTextA.USER32(00000000,00000000,?,?,?), ref: 00434C3D
OffsetRect.USER32(?,000000FF,000000FF), ref: 00434C4A

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

DrawTextA.USER32(00000000,00000000,?,?,?), ref: 00434CB5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004455EC, Relevance: 7.6, APIs: 5, Instructions: 109 Total matches: 230

Similarity

Total matches: 230
API ID: ShowOwnedPopupsShowWindow$EnumWindows
String ID:
API String ID: 1268429734-0
Opcode ID: 27bb45b2951756069d4f131311b8216febb656800ffc3f7147a02f570a82fa35
Instruction ID: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc
Opcode Fuzzy Hash: 70012B5524E87325E2756D54B01C765A2239B0FF08CE6C6654AAE640F75E1E0132F78D
Instruction Fuzzy Hash: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc

APIs

EnumWindows.USER32(00445518,00000000), ref: 00445620
ShowWindow.USER32(?,00000000), ref: 00445655
ShowOwnedPopups.USER32(00000000,?), ref: 00445684
ShowWindow.USER32(?,00000005), ref: 004456EA
ShowOwnedPopups.USER32(00000000,?), ref: 00445719

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EB3C, Relevance: 7.6, APIs: 5, Instructions: 86 Total matches: 211window

Similarity

Total matches: 211
API ID: DispatchMessageMsgWaitForMultipleObjectsExPeekMessageTranslateMessageWaitForMultipleObjectsEx
String ID:
API String ID: 1615661765-0
Opcode ID: ed928f70f25773e24e868fbc7ee7d77a1156b106903410d7e84db0537b49759f
Instruction ID: 55a40452e6c929106030349fb2bc1598364ce2fc4e781c2a916e8f687fa462b2
Opcode Fuzzy Hash: DDF05C09614F1D16D8BB88644562B1B2144AB42397C26BFA5529EE3B2D6B18B00AF640
Instruction Fuzzy Hash: 55a40452e6c929106030349fb2bc1598364ce2fc4e781c2a916e8f687fa462b2

APIs

Part of subcall function 0042EA7C: IsWindow.USER32(?), ref: 0042EA99
Part of subcall function 0042EA7C: FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
Part of subcall function 0042EA7C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
Part of subcall function 0042EA7C: GetCurrentThreadId.KERNEL32(?,00000000,00000000,00000000,OleMainThreadWndClass,00000000,?,?,00000000,0042EB52), ref: 0042EB0A

MsgWaitForMultipleObjectsEx.USER32(?,?,?,000000BF,?), ref: 0042EB6A
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 0042EB85
TranslateMessage.USER32(?), ref: 0042EB92
DispatchMessageA.USER32(?), ref: 0042EB9B
WaitForMultipleObjectsEx.KERNEL32(?,?,?,?,00000000), ref: 0042EBC7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434924, Relevance: 7.6, APIs: 5, Instructions: 77 Total matches: 2509window

Similarity

Total matches: 2509
API ID: GetMenuItemCount$DestroyMenuGetMenuStateRemoveMenu
String ID:
API String ID: 4240291783-0
Opcode ID: 32de4ad86fdb0cc9fc982d04928276717e3a5babd97d9cb0bc7430a9ae97d0ca
Instruction ID: cf6877f9ad33401498591f2bf6e6844a5ca439f59e89e6fdb213c81f0c010526
Opcode Fuzzy Hash: 6BE02BD3455E4703F425AB0454E3FA913C4AF51716DA0DB1017359D07B1F26501FE9F4
Instruction Fuzzy Hash: cf6877f9ad33401498591f2bf6e6844a5ca439f59e89e6fdb213c81f0c010526

APIs

Part of subcall function 00434A54: CreatePopupMenu.USER32 ref: 00434A6F
Part of subcall function 00434A54: CreateMenu.USER32 ref: 00434A79

GetMenuItemCount.USER32(00000000), ref: 0043495C
GetMenuState.USER32(00000000,-00000001,00000400), ref: 0043497D
RemoveMenu.USER32(00000000,-00000001,00000400), ref: 00434994
GetMenuItemCount.USER32(00000000), ref: 004349C4
DestroyMenu.USER32(00000000), ref: 004349D1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00443430, Relevance: 7.6, APIs: 5, Instructions: 61 Total matches: 3003

Similarity

Total matches: 3003
API ID: SetWindowLong$GetWindowLongRedrawWindowSetLayeredWindowAttributes
String ID:
API String ID: 3761630487-0
Opcode ID: 9c9d49d1ef37d7cb503f07450c0d4a327eb9b2b4778ec50dcfdba666c10abcb3
Instruction ID: c6d9d2cd31c241e86b7d90949bf59b5cad1e27a78e0073c3828bbb8e9ec94880
Opcode Fuzzy Hash: 6AE06550D41703A1D48114945B63FBBE8817F8911DDE5C71001BA29145BA88A192FF7B
Instruction Fuzzy Hash: c6d9d2cd31c241e86b7d90949bf59b5cad1e27a78e0073c3828bbb8e9ec94880

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 00443464
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 00443496
SetLayeredWindowAttributes.USER32(00000000,?,?,00000000), ref: 004434CF
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 004434E8
RedrawWindow.USER32(00000000,00000000,00000000,00000485), ref: 004434FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426178, Relevance: 7.6, APIs: 5, Instructions: 55 Total matches: 3070window

Similarity

Total matches: 3070
API ID: GetPaletteEntries$GetDCGetDeviceCapsReleaseDC
String ID:
API String ID: 1267235336-0
Opcode ID: 49f91625e0dd571c489fa6fdad89a91e8dd79834746e98589081ca7a3a4fea17
Instruction ID: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836
Opcode Fuzzy Hash: 7CD0C2AA1389DBD6BD6A17842352A4553478983B09D126B32EB0822872850C5039FD1F
Instruction Fuzzy Hash: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836

APIs

GetDC.USER32(00000000), ref: 00426190
GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444B90, Relevance: 7.5, APIs: 5, Instructions: 25 Total matches: 2957synchronizationthread

Similarity

Total matches: 2957
API ID: CloseHandleGetCurrentThreadIdSetEventUnhookWindowsHookExWaitForSingleObject
String ID:
API String ID: 3442057731-0
Opcode ID: bc40a7f740796d43594237fc13166084f8c3b10e9e48d5138e47e82ca7129165
Instruction ID: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1
Opcode Fuzzy Hash: E9C01296B2C9B0C1EC809712340202800B20F8FC590E3DE0509D7363005315D73CD92C
Instruction Fuzzy Hash: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1

APIs

UnhookWindowsHookEx.USER32(00000000), ref: 00444B9F
SetEvent.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBA
GetCurrentThreadId.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBF
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00444BD4
CloseHandle.KERNEL32(00000000), ref: 00444BDF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040D670, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148 Total matches: 3566thread

Similarity

Total matches: 3566
API ID: GetThreadLocale
String ID: eeee$ggg$yyyy
API String ID: 1366207816-1253427255
Opcode ID: 86fa1fb3c1f239f42422769255d2b4db7643f856ec586a18d45da068e260c20e
Instruction ID: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436
Opcode Fuzzy Hash: 3911BD8712648363D5722818A0D2BE3199C5703CA4EA89742DDB6356EA7F09440BEE6D
Instruction Fuzzy Hash: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436

APIs

GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Strings

eeee, xrefs: 0040D7AE
yyyy, xrefs: 0040D795
ggg, xrefs: 0040D785

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F5E4, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72 Total matches: 26window

Similarity

Total matches: 26
API ID: GetWindowPlacementGetWindowTextIsWindowVisible
String ID: ,
API String ID: 41250382-3772416878
Opcode ID: d98ece8bad481757d152ad7594c705093dec75069e9b5f9ec314c4d81001c558
Instruction ID: 1b57460ef1e40e225087e69e669dd845b9a56fe4f5442601256b4cdd4d0865f6
Opcode Fuzzy Hash: DBE0ABC68782816BD907FDCCB0207E6E1E4779394CC8CBB32C606396E44D92000DCE69
Instruction Fuzzy Hash: 1b57460ef1e40e225087e69e669dd845b9a56fe4f5442601256b4cdd4d0865f6

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F634
GetWindowPlacement.USER32(?,0000002C), ref: 0046F64F
IsWindowVisible.USER32(?), ref: 0046F655

Strings

,, xrefs: 0046F643

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00485150, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64 Total matches: 24registry

Similarity

Total matches: 24
API ID: RegCloseKeyRegOpenKeyRegSetValueEx
String ID: Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 551737238-1428018034
Opcode ID: 03d06dea9a4ea131a8c95bd501c85e7d0b73df60e0a15cb9a2dd1ac9fe2d308f
Instruction ID: 259808f008cd29689f11a183a475b32bbb219f99a0f83129d86369365ce9f44d
Opcode Fuzzy Hash: 15E04F8517EAE2ABA996B5C838866F7609A9713790F443FB19B742F18B4F04601CE243
Instruction Fuzzy Hash: 259808f008cd29689f11a183a475b32bbb219f99a0f83129d86369365ce9f44d

APIs

RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 00485199
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,?,00000000,004851DE,?,00000000,0048520A), ref: 004851C6
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,?,00000000,004851DE,?,00000000,0048520A), ref: 004851CF

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 0048518F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004606CC, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 59 Total matches: 75network

Similarity

Total matches: 75
API ID: gethostbynameinet_addr
String ID: %d.%d.%d.%d$0.0.0.0
API String ID: 1594361348-464342551
Opcode ID: 7e59b623bdbf8c44b8bb58eaa9a1d1e7bf08be48a025104469b389075155053e
Instruction ID: 136b4077bafd549567cd44b702fc781b2d0bdeab701521d256d746d30229b047
Opcode Fuzzy Hash: 62E0D84049F633C28038E685914DF713041C71A2DEF8F9352022171EF72B096986AE3F
Instruction Fuzzy Hash: 136b4077bafd549567cd44b702fc781b2d0bdeab701521d256d746d30229b047

APIs

inet_addr.WSOCK32(00000000), ref: 004606F6
gethostbyname.WSOCK32(00000000), ref: 00460711

Strings

%d.%d.%d.%d, xrefs: 0046075E
0.0.0.0, xrefs: 0046076C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043804C, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58 Total matches: 1778window

Similarity

Total matches: 1778
API ID: DrawMenuBarGetMenuItemInfoSetMenuItemInfo
String ID: P
API String ID: 41131186-3110715001
Opcode ID: ea0fd48338f9c30b58f928f856343979a74bbe7af1b6c53973efcbd39561a32d
Instruction ID: eec9c326b6739cd85be96541f469f9b321a478421ae7c7aca53e0c239bd8eefe
Opcode Fuzzy Hash: C8E0C0C1064C1301CCACB4938564F010221FB8B33CDD1D3C051602419A9D0080D4BFFA
Instruction Fuzzy Hash: eec9c326b6739cd85be96541f469f9b321a478421ae7c7aca53e0c239bd8eefe

APIs

GetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 0043809A
SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 004380EC
DrawMenuBar.USER32(00000000), ref: 004380F9

Strings

P, xrefs: 0043808C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C3E4, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47 Total matches: 32libraryloader

Similarity

Total matches: 32
API ID: FreeLibraryGetProcAddressLoadLibrary
String ID: _DCEntryPoint
API String ID: 2438569322-2130044969
Opcode ID: ab6be07d423f29e2cef18b5ad5ff21cef58c0bd0bd6b8b884c8bb9d8d911d098
Instruction ID: 3cba8b520013dd4b177f9c32272ffd10ecf318a20762e1e9fa694429cf7511db
Opcode Fuzzy Hash: B9D0C2568747D413C405200439407D90CF1AF8719F9967FA145303FAD76F09801B7527
Instruction Fuzzy Hash: 3cba8b520013dd4b177f9c32272ffd10ecf318a20762e1e9fa694429cf7511db

APIs

LoadLibraryA.KERNEL32(00000000), ref: 0048C431
GetProcAddress.KERNEL32(00000000,_DCEntryPoint,00000000,0048C473), ref: 0048C442
FreeLibrary.KERNEL32(00000000), ref: 0048C44A

Strings

_DCEntryPoint, xrefs: 0048C43C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046D36C, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36 Total matches: 62

Similarity

Total matches: 62
API ID: ShellExecute
String ID: /k $[FILE]$open
API String ID: 2101921698-3009165984
Opcode ID: 68a05d7cd04e1a973318a0f22a03b327e58ffdc8906febc8617c9713a9b295c3
Instruction ID: d64fb813625eb261c687c2654e5203d30067de4ace02db37851750b48dd66fbf
Opcode Fuzzy Hash: FED0C75427CD9157FA017F8439527E61057E747281D481BE285587A0838F8D40659312
Instruction Fuzzy Hash: d64fb813625eb261c687c2654e5203d30067de4ace02db37851750b48dd66fbf

APIs

ShellExecuteA.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0046D3B9

Strings

/k , xrefs: 0046D39A
cmd.exe, xrefs: 0046D3AD
open, xrefs: 0046D3B2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042F9E4, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36 Total matches: 35libraryloader

Similarity

Total matches: 35
API ID: GetProcAddressLoadLibrary
String ID: DWMAPI.DLL$DwmExtendFrameIntoClientArea
API String ID: 3291547091-2956373744
Opcode ID: cc41b93bac7ef77e5c5829331b5f2d91e10911707bc9e4b3bb75284856726923
Instruction ID: 611aa7263024d751f308fb3d57e5af9092bc5a71ac2d52dead79affe02cb0da7
Opcode Fuzzy Hash: D0D0A7E4C08511B0F0509405703078241DE1BC5EEE8860E90150E533621B9FB827F65C
Instruction Fuzzy Hash: 611aa7263024d751f308fb3d57e5af9092bc5a71ac2d52dead79affe02cb0da7

APIs

LoadLibraryA.KERNEL32(DWMAPI.DLL), ref: 0042FA0E
GetProcAddress.KERNEL32(00000000,DwmExtendFrameIntoClientArea,?,?,?,00447F98), ref: 0042FA31

Strings

DWMAPI.DLL, xrefs: 0042FA09
DwmExtendFrameIntoClientArea, xrefs: 0042FA26

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042FA80, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31 Total matches: 41libraryloader

Similarity

Total matches: 41
API ID: GetProcAddressLoadLibrary
String ID: DWMAPI.DLL$DwmIsCompositionEnabled
API String ID: 3291547091-2128843254
Opcode ID: 903d86e3198bc805c96c7b960047695f5ec88b3268c29fda1165ed3f3bc36d22
Instruction ID: 6cdb37f6684ca359e010f835ed4616ce0f7732468e0f2b98b5f1960530870703
Opcode Fuzzy Hash: E3D0C9A5C0865175F571D509713068081FA23D6E8A8824998091A123225FAFB866F55C
Instruction Fuzzy Hash: 6cdb37f6684ca359e010f835ed4616ce0f7732468e0f2b98b5f1960530870703

APIs

LoadLibraryA.KERNEL32(DWMAPI.DLL), ref: 0042FAA6
GetProcAddress.KERNEL32(00000000,DwmIsCompositionEnabled,?,?,0042FB22,?,00447EFB), ref: 0042FAC9

Strings

DwmIsCompositionEnabled, xrefs: 0042FABE
DWMAPI.DLL, xrefs: 0042FAA1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040F4AC, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16 Total matches: 3137libraryloader

Similarity

Total matches: 3137
API ID: GetModuleHandleGetProcAddress
String ID: GetDiskFreeSpaceExA$[FILE]
API String ID: 1063276154-3559590856
Opcode ID: c33e0a58fb58839ae40c410e06ae8006a4b80140bf923832b2d6dbd30699e00d
Instruction ID: 9d6a6771c1a736381c701344b3d7b8e37c98dfc5013332f68a512772380f22cc
Opcode Fuzzy Hash: D8B09224E0D54114C4B4560930610013C82738A10E5019A820A1B720AA7CCEEA29603A
Instruction Fuzzy Hash: 9d6a6771c1a736381c701344b3d7b8e37c98dfc5013332f68a512772380f22cc

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0048F10B,00000000,0048F11E), ref: 0040F4B2
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA,kernel32.dll,?,0048F10B,00000000,0048F11E), ref: 0040F4C3

Strings

GetDiskFreeSpaceExA, xrefs: 0040F4BD
kernel32.dll, xrefs: 0040F4AD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EC20, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15 Total matches: 48libraryloader

Similarity

Total matches: 48
API ID: GetModuleHandleGetProcAddress
String ID: CoWaitForMultipleHandles$[FILE]
API String ID: 1063276154-3065170753
Opcode ID: c6d715972c75e747e6d7ad7506eebf8b4c41a2b527cd9bc54a775635c050cd0f
Instruction ID: d81c7de5bd030b21af5c52a75e3162b073d887a4de1eb555b8966bd0fb9ec815
Opcode Fuzzy Hash: 4DB012F9A0C9210CE55F44043163004ACF031C1B5F002FD461637827803F86F437631D
Instruction Fuzzy Hash: d81c7de5bd030b21af5c52a75e3162b073d887a4de1eb555b8966bd0fb9ec815

APIs

GetModuleHandleA.KERNEL32(ole32.dll,?,0042EC9A), ref: 0042EC26
GetProcAddress.KERNEL32(00000000,CoWaitForMultipleHandles,ole32.dll,?,0042EC9A), ref: 0042EC37

Strings

CoWaitForMultipleHandles, xrefs: 0042EC31
ole32.dll, xrefs: 0042EC21

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00411444, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: 954335058d5fe722e048a186d9110509c96c1379a47649d8646f5b9e1a2e0a0b
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: 9D014B0327CAAA867021BB004882FA0D2D4DE52A369CD8774DB71593F62780571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004114F3
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041150F
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411586
VariantClear.OLEAUT32(?), ref: 004115AF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428848, Relevance: 6.1, APIs: 4, Instructions: 83 Total matches: 2913window

Similarity

Total matches: 2913
API ID: CreateCompatibleDCRealizePaletteSelectObjectSelectPalette
String ID:
API String ID: 3833105616-0
Opcode ID: 7f49dee69bcd38fda082a6c54f39db5f53dba16227df2c2f18840f8cf7895046
Instruction ID: 29ada319a87402adac0eebea4d3b1ef9d21249ffa1523adf5174efdc3c3390a2
Opcode Fuzzy Hash: C0F0E5870BCED49BFCA7D484249722910C2F3C08DFC80A3324E55676DB9604B127A20B
Instruction Fuzzy Hash: 29ada319a87402adac0eebea4d3b1ef9d21249ffa1523adf5174efdc3c3390a2

APIs

Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE

Part of subcall function 00429D5C: GetDC.USER32(00000000), ref: 00429DB2
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429DC7
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00429DD1
Part of subcall function 00429D5C: CreateHalftonePalette.GDI32(00000000), ref: 00429DF5
Part of subcall function 00429D5C: ReleaseDC.USER32(00000000,00000000), ref: 00429E00

CreateCompatibleDC.GDI32(00000000), ref: 0042889D
SelectObject.GDI32(00000000,?), ref: 004288B6
SelectPalette.GDI32(00000000,?,000000FF), ref: 004288DF
RealizePalette.GDI32(00000000), ref: 004288EB

Part of subcall function 00425608: LeaveCriticalSection.KERNEL32(00000038,00000000,00423DD2,00423DE8), ref: 0042560F
Part of subcall function 00425608: EnterCriticalSection.KERNEL32(00499A30,00000038,00000000,00423DD2,00423DE8), ref: 00425619
Part of subcall function 00425608: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000038,00000000,00423DD2,00423DE8), ref: 00425626

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00438710, Relevance: 6.1, APIs: 4, Instructions: 72 Total matches: 3034window

Similarity

Total matches: 3034
API ID: GetMenuItemIDGetMenuStateGetMenuStringGetSubMenu
String ID:
API String ID: 4177512249-0
Opcode ID: ecc45265f1f2dfcabc36b66648e37788e83d83d46efca9de613be41cbe9cf08e
Instruction ID: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d
Opcode Fuzzy Hash: BEE020084B1FC552541F0A4A1573F019140E142CB69C3F3635127565B31A255213F776
Instruction Fuzzy Hash: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d

APIs

GetMenuState.USER32(?,?,?), ref: 00438733
GetSubMenu.USER32(?,?), ref: 0043873E
GetMenuItemID.USER32(?,?), ref: 00438757
GetMenuStringA.USER32(?,?,?,?,?), ref: 004387AA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00445518, Relevance: 6.1, APIs: 4, Instructions: 71 Total matches: 218threadwindow

Similarity

Total matches: 218
API ID: GetCurrentProcessIdGetWindowGetWindowThreadProcessIdIsWindowVisible
String ID:
API String ID: 3659984437-0
Opcode ID: 6a2b99e3a66d445235cbeb6ae27631a3038d73fb4110980a8511166327fee1f0
Instruction ID: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8
Opcode Fuzzy Hash: 82E0AB21B2AA28AAE0971541B01939130B3F74ED9ACC0A3626F8594BD92F253809E74F
Instruction Fuzzy Hash: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8

APIs

GetWindow.USER32(?,00000004), ref: 00445528
GetWindowThreadProcessId.USER32(?,?), ref: 00445542
GetCurrentProcessId.KERNEL32(?,00000004), ref: 0044554E
IsWindowVisible.USER32(?), ref: 0044559E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B29C, Relevance: 6.1, APIs: 4, Instructions: 58 Total matches: 214window

Similarity

Total matches: 214
API ID: DeleteObject$GetIconInfoGetObject
String ID:
API String ID: 3019347292-0
Opcode ID: d6af2631bec08fa1cf173fc10c555d988242e386d2638a025981433367bbd086
Instruction ID: 7fbc048e39f9dd6e6db5f40543e5f161b145f4c2f282fe4a446dbd8e1941d375
Opcode Fuzzy Hash: F7D0C283228DE2F7ED767D983A636154085F782297C6423B00444730860A1E700C6A03
Instruction Fuzzy Hash: 7fbc048e39f9dd6e6db5f40543e5f161b145f4c2f282fe4a446dbd8e1941d375

APIs

GetIconInfo.USER32(?,?), ref: 0042B2BD
GetObjectA.GDI32(?,00000018,?), ref: 0042B2DE
DeleteObject.GDI32(?), ref: 0042B30A
DeleteObject.GDI32(?), ref: 0042B313

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00445334, Relevance: 6.1, APIs: 4, Instructions: 56 Total matches: 2678

Similarity

Total matches: 2678
API ID: EnumWindowsGetWindowGetWindowLongSetWindowPos
String ID:
API String ID: 1660305372-0
Opcode ID: c3d012854d63b95cd89c42a77d529bdce0f7c5ea0abc138a70ce1ca7fb0ed027
Instruction ID: 7947c1ee61b3a945b06f79495752ea495d4a1fb36974d9d540e15b721e8a8e8a
Opcode Fuzzy Hash: 65E07D89179DA114F52124400911F043342F3D731BD1ADF814246283E39B8522BBFB8C
Instruction Fuzzy Hash: 7947c1ee61b3a945b06f79495752ea495d4a1fb36974d9d540e15b721e8a8e8a

APIs

EnumWindows.USER32(Function_000452BC), ref: 0044535E
GetWindow.USER32(?,00000003), ref: 00445376
GetWindowLongA.USER32(00000000,000000EC), ref: 00445383
SetWindowPos.USER32(00000000,000000EC,00000000,00000000,00000000,00000000,00000213), ref: 004453C2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040A404, Relevance: 6.1, APIs: 4, Instructions: 54 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: c8f11cb17e652d385e55d6399cfebc752614be738e382b5839b86fc73ea86396
Instruction ID: 2e292ce978d1af3d415e66e5b982e49a92b9d84a3d1479b7871fac408542b61b
Opcode Fuzzy Hash: 32D02B030B309613452F157D0441F8D7032488F01A96C2F8C37B77ABA68505605FFE4C
Instruction Fuzzy Hash: 2e292ce978d1af3d415e66e5b982e49a92b9d84a3d1479b7871fac408542b61b

APIs

FindNextFileA.KERNEL32(?,?), ref: 0040A415
GetLastError.KERNEL32(?,?), ref: 0040A41E
FileTimeToLocalFileTime.KERNEL32(?), ref: 0040A434
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 0040A443

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0041C2D4, Relevance: 6.1, APIs: 4, Instructions: 51 Total matches: 4966

Similarity

Total matches: 4966
API ID: FindResourceLoadResourceLockResourceSizeofResource
String ID:
API String ID: 3653323225-0
Opcode ID: 735dd83644160b8dcfdcb5d85422b4d269a070ba32dbf009b7750e227a354687
Instruction ID: 615d07274e164157e3e11310b2f920de543c2506028dc961f8b3aaf64374c2fd
Opcode Fuzzy Hash: 4BD0A90A2268C100582C2C80002BBC610830A5FE226CC27F902231BBC32C026024F8C4
Instruction Fuzzy Hash: 615d07274e164157e3e11310b2f920de543c2506028dc961f8b3aaf64374c2fd

APIs

FindResourceA.KERNEL32(?,?,?), ref: 0041C2EB
LoadResource.KERNEL32(?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C305
SizeofResource.KERNEL32(?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C31F
LockResource.KERNEL32(0041BDF4,00000000,?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000), ref: 0041C329

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040A3AC, Relevance: 6.0, APIs: 4, Instructions: 40 Total matches: 51time

Similarity

Total matches: 51
API ID: DosDateTimeToFileTimeGetLastErrorLocalFileTimeToFileTimeSetFileTime
String ID:
API String ID: 3095628216-0
Opcode ID: dc7fe683cb9960f76d0248ee31fd3249d04fe76d6d0b465a838fe0f3e66d3351
Instruction ID: c3399427300e97a0bf23ec08d7f996c3ab3c22a86554ee3675cd901d102723b3
Opcode Fuzzy Hash: F2C0803B165157D71F4F7D7C600375011F0D1778230955B614E019718D4E05F01EFD86
Instruction Fuzzy Hash: c3399427300e97a0bf23ec08d7f996c3ab3c22a86554ee3675cd901d102723b3

APIs

DosDateTimeToFileTime.KERNEL32(?,0048C37F,?), ref: 0040A3C9
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0040A3DA
SetFileTime.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3EC
GetLastError.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3F5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00484388, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 39

Similarity

Total matches: 39
API ID: CloseHandleGetExitCodeProcessOpenProcessTerminateProcess
String ID:
API String ID: 2790531620-0
Opcode ID: 2f64381cbc02908b23ac036d446d8aeed05bad4df5f4c3da9e72e60ace7043ae
Instruction ID: e830ae185e03603e72926048c7063e7464f7d8c572e36ef4319c937be7ad0c91
Opcode Fuzzy Hash: 5DC01285079EAB7B643571D825437E14084D5026CCB943B7185045F10B4B09B43DF053
Instruction Fuzzy Hash: e830ae185e03603e72926048c7063e7464f7d8c572e36ef4319c937be7ad0c91

APIs

OpenProcess.KERNEL32(00000001,00000000,00000000), ref: 00484393
GetExitCodeProcess.KERNEL32(00000000,?), ref: 004843B7
TerminateProcess.KERNEL32(00000000,?,00000000,004843E0,?,00000001,00000000,00000000), ref: 004843C4
CloseHandle.KERNEL32(00000000), ref: 004843DA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044E254, Relevance: 6.0, APIs: 4, Instructions: 37 Total matches: 5751thread

Similarity

Total matches: 5751
API ID: GetCurrentProcessIdGetPropGetWindowThreadProcessIdGlobalFindAtom
String ID:
API String ID: 142914623-0
Opcode ID: 055fee701d7a26f26194a738d8cffb303ddbdfec43439e02886190190dab2487
Instruction ID: e9689aead5eaf442059aa2d418bca5d111d08576717f72d926dd49825766799b
Opcode Fuzzy Hash: 0AC02203AD2E23870E4202F2E840907219583DF8720CA370201B0E38C023F0461DFF0C
Instruction Fuzzy Hash: e9689aead5eaf442059aa2d418bca5d111d08576717f72d926dd49825766799b

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 0044E261
GetCurrentProcessId.KERNEL32(00000000,?,?,-00000010,00000000,0044E2CC,-000000F7,?,00000000,0044DE86,?,-00000010,?), ref: 0044E26A
GlobalFindAtomA.KERNEL32(00000000), ref: 0044E27F
GetPropA.USER32(00000000,00000000), ref: 0044E296

Part of subcall function 0044D2C0: GetWindowThreadProcessId.USER32(?), ref: 0044D2C6
Part of subcall function 0044D2C0: GetCurrentProcessId.KERNEL32(?,?,?,?,0044D346,?,00000000,?,004387ED,?,004378A9), ref: 0044D2CF
Part of subcall function 0044D2C0: SendMessageA.USER32(?,0000C1C7,00000000,00000000), ref: 0044D2E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444B1C, Relevance: 6.0, APIs: 4, Instructions: 34 Total matches: 2966thread

Similarity

Total matches: 2966
API ID: CreateEventCreateThreadGetCurrentThreadIdSetWindowsHookEx
String ID:
API String ID: 2240124278-0
Opcode ID: 54442a1563c67a11f9aee4190ed64b51599c5b098d388fde65e2e60bb6332aef
Instruction ID: 25b62da08cecef26c395931cea73ffe9b62582a88be241cbb158b3c9ea13de32
Opcode Fuzzy Hash: 37D0C940B0DE75C4F860630138017A90633234BF1BCD1C316480F76041C6CFAEF07A28
Instruction Fuzzy Hash: 25b62da08cecef26c395931cea73ffe9b62582a88be241cbb158b3c9ea13de32

APIs

GetCurrentThreadId.KERNEL32(?,00447A69,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00444B34
SetWindowsHookExA.USER32(00000003,00444AD8,00000000,00000000), ref: 00444B44
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00447A69,?,?,?,?,?,?,?,?,?,?), ref: 00444B5F
CreateThread.KERNEL32(00000000,000003E8,00444A7C,00000000,00000000), ref: 00444B83

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B438, Relevance: 6.0, APIs: 4, Instructions: 29 Total matches: 789

Similarity

Total matches: 789
API ID: GetDCGetTextMetricsReleaseDCSelectObject
String ID:
API String ID: 1769665799-0
Opcode ID: db772d9cc67723a7a89e04e615052b16571c955da3e3b2639a45f22e65d23681
Instruction ID: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3
Opcode Fuzzy Hash: DCC02B935A2888C32DE51FC0940084317C8C0E3A248C62212E13D400727F0C007CBFC0
Instruction Fuzzy Hash: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3

APIs

GetDC.USER32(00000000), ref: 0042B441
SelectObject.GDI32(00000000,018A002E), ref: 0042B453
GetTextMetricsA.GDI32(00000000), ref: 0042B45E
ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042473C, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 172 Total matches: 108

Similarity

Total matches: 108
API ID: CompareStringCreateFontIndirect
String ID: Default
API String ID: 480662435-753088835
Opcode ID: 55710f22f10b58c86f866be5b7f1af69a0ec313069c5af8c9f5cd005ee0f43f8
Instruction ID: ad4a051fb67a15694052d05548e5e2a92b9daedfa5d673be67c756d1cf269a99
Opcode Fuzzy Hash: F6116A2104DDB067F8B3EC94B64A74A79D1BBC5E9EC00FB303AA57198A0B01500EEB0E
Instruction Fuzzy Hash: ad4a051fb67a15694052d05548e5e2a92b9daedfa5d673be67c756d1cf269a99

APIs

Part of subcall function 00423A1C: EnterCriticalSection.KERNEL32(?,00423A59), ref: 00423A20

CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,00424930,?,00000000,00424958), ref: 0042486B
CreateFontIndirectA.GDI32(?), ref: 0042490D

Part of subcall function 0042B438: GetDC.USER32(00000000), ref: 0042B441
Part of subcall function 0042B438: SelectObject.GDI32(00000000,018A002E), ref: 0042B453
Part of subcall function 0042B438: GetTextMetricsA.GDI32(00000000), ref: 0042B45E
Part of subcall function 0042B438: ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Part of subcall function 00423A28: LeaveCriticalSection.KERNEL32(-00000008,00423B07,00423B0F), ref: 00423A2C

Strings

Default, xrefs: 00424832, 00424840, 00424841

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E3F0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103 Total matches: 30

Similarity

Total matches: 30
API ID: SHGetPathFromIDListSHGetSpecialFolderLocation
String ID: .LNK
API String ID: 739551631-2547878182
Opcode ID: 6b91e9416f314731ca35917c4d41f2341f1eaddd7b94683245f35c4551080332
Instruction ID: e6ae6f63a256f5e8788dfe1c4fce17057cd352befa637d7beb5ae1c0f18a968e
Opcode Fuzzy Hash: 9701B543079EC2A3D9232E512D43BA60129AF11E22F4C77F35A3C3A7D11E500105FA4A
Instruction Fuzzy Hash: e6ae6f63a256f5e8788dfe1c4fce17057cd352befa637d7beb5ae1c0f18a968e

APIs

SHGetSpecialFolderLocation.SHELL32(00000000,00000010,?), ref: 0046E44B
SHGetPathFromIDListA.SHELL32(?,?,00000000,00000010,?,00000000,0046E55E), ref: 0046E463

Part of subcall function 0042BE44: CoCreateInstance.OLE32(?,00000000,00000005,0042BF34,00000000), ref: 0042BE8B

Strings

.LNK, xrefs: 0046E4DE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00472C70, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 98 Total matches: 26

Similarity

Total matches: 26
API ID: SetFileAttributes
String ID: I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!$drivers\etc\hosts
API String ID: 3201317690-57959411
Opcode ID: de1fcf5289fd0d37c0d7642ff538b0d3acf26fbf7f5b53187118226b7e9f9585
Instruction ID: 1f69c6cfd5524e6f1e55c33e322de11738733e7ba85079705839c212502733fc
Opcode Fuzzy Hash: C4012B430F74D723D5173D857800B8922764B4A179D4A77F34B3B796E14E45101BF26D
Instruction Fuzzy Hash: 1f69c6cfd5524e6f1e55c33e322de11738733e7ba85079705839c212502733fc

APIs

Part of subcall function 004719C8: GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 004719DF

SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00472DAB,?,00000000,00472DE7), ref: 00472D16

Strings

drivers\etc\hosts, xrefs: 00472CD3, 00472D00
I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!, xrefs: 00472D8D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040C028, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79 Total matches: 3032thread

Similarity

Total matches: 3032
API ID: GetDateFormatGetThreadLocale
String ID: yyyy
API String ID: 358233383-3145165042
Opcode ID: a9ef5bbd8ef47e5bcae7fadb254d6b5dc10943448e4061dc92b10bb97dc7929c
Instruction ID: 3d7ab4add3e8180159f8482215856afc9a1a963464e366b4ca05c92ac214afea
Opcode Fuzzy Hash: 09F09E4A0397D3D76802C969D023BC10194EB5A8B2C88B3B1DBB43D7F74C10C40AAF21
Instruction Fuzzy Hash: 3d7ab4add3e8180159f8482215856afc9a1a963464e366b4ca05c92ac214afea

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,0040C116), ref: 0040C0AE
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100), ref: 0040C0B4

Strings

yyyy, xrefs: 0040C089

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E408, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44 Total matches: 2190

Similarity

Total matches: 2190
API ID: GetSystemMetrics
String ID: MonitorFromPoint
API String ID: 96882338-1072306578
Opcode ID: 666203dad349f535e62b1e5569e849ebaf95d902ba2aa8f549115cec9aadc9dc
Instruction ID: 9e90a3aeaa9df0e76633c437836624889fea8714b6c2508f44f8acb6986c90e8
Opcode Fuzzy Hash: 72D09540005C404E9427F505302314050862CD7C1444C0A96073728A4B4BC07837E70C
Instruction Fuzzy Hash: 9e90a3aeaa9df0e76633c437836624889fea8714b6c2508f44f8acb6986c90e8

APIs

GetSystemMetrics.USER32(00000000), ref: 0042E456
GetSystemMetrics.USER32(00000001), ref: 0042E468

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

MonitorFromPoint, xrefs: 0042E41A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E258, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39 Total matches: 3131

Similarity

Total matches: 3131
API ID: GetSystemMetrics
String ID: GetSystemMetrics
API String ID: 96882338-96882338
Opcode ID: bbc54e4b5041dfa08de2230ef90e8f32e1264c6e24ec09b97715d86cc98d23e9
Instruction ID: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c
Opcode Fuzzy Hash: B4D0A941986AA908E0AF511971A336358D163D2EA0C8C8362308B329EB5741B520AB01
Instruction Fuzzy Hash: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c

APIs

GetSystemMetrics.USER32(?), ref: 0042E2BA

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

GetSystemMetrics.USER32(?), ref: 0042E280

Strings

GetSystemMetrics, xrefs: 0042E268

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Process Name: 17WIRE TRANSFER SLIP.exe Analysis ID: 331351

General

Root Process Name:	regdrv.exe
Process MD5:	3BB691A8B6840769716C7FE316E7C01C
Total matches:	111
Initial Analysis Report:	Open
Initial sample Analysis ID:	331351
Initial sample SHA 256:	DC7A68C5ABE8B41850D8C9A66C35034B9938E5106E1E0AD09AE16EC809B08AE8
Initial sample name:	17WIRE TRANSFER SLIP.exe

Similar Executed Functions

Function 0048AEA8, Relevance: 9.1, APIs: 6, Instructions: 108 Total matches: 122

Similarity

Total matches: 122
API ID: AdjustTokenPrivilegesCloseHandleGetCurrentProcessGetLastErrorLookupPrivilegeValueOpenProcessToken
String ID:
API String ID: 1655903152-0
Opcode ID: c92d68a2c1c5faafb4a28c396f292a277a37f0b40326d7f586547878ef495775
Instruction ID: 5a044237aac15a3989e4021d08b96f5326c338692d3d0e66e444868dbe789150
Opcode Fuzzy Hash: 2CF0468513CAB2E7F879B18C3042FE73458B323244C8437219A903A18E0E59A12CEB13
Instruction Fuzzy Hash: 5a044237aac15a3989e4021d08b96f5326c338692d3d0e66e444868dbe789150

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AEFF
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF05
LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000), ref: 0048AF77
CloseHandle.KERNEL32(?), ref: 0048AF8D
GetLastError.KERNEL32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF9A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DDE0, Relevance: 7.6, APIs: 5, Instructions: 54 Total matches: 153

Similarity

Total matches: 153
API ID: FindResourceFreeResourceLoadResourceLockResourceSizeofResource
String ID:
API String ID: 3885362348-0
Opcode ID: ef8b8e58cde3d28224df1e0c57da641ab2d3d01fa82feb3a30011b4f31433ee9
Instruction ID: 9990bafbf40e834a260b48e1f62370990a3e04654371271e90c167a58edff6a8
Opcode Fuzzy Hash: 08D02B420B5FA197F51656482C813D722876B43386EC42BF2D31A3B2E39F058039F60B
Instruction Fuzzy Hash: 9990bafbf40e834a260b48e1f62370990a3e04654371271e90c167a58edff6a8

APIs

FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 0048DE1A
LoadResource.KERNEL32(00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE24
SizeofResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE2E
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE36
FreeResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048B908, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 138 Total matches: 28

Similarity

Total matches: 28
API ID: GetTokenInformation$CloseHandleGetCurrentProcessOpenProcessToken
String ID: Default$Full$Limited$unknow
API String ID: 3519712506-3005279702
Opcode ID: c9e83fe5ef618880897256b557ce500f1bf5ac68e7136ff2dc4328b35d11ffd0
Instruction ID: 0b4c06dab34d27ad9d68d80be0f4d698db9405c4a95def130c1ac261927f5781
Opcode Fuzzy Hash: 94012245479DA6FB6826709C78036E90090EEA3505DC827320F1A3EA430F49906DFE03
Instruction Fuzzy Hash: 0b4c06dab34d27ad9d68d80be0f4d698db9405c4a95def130c1ac261927f5781

APIs

GetCurrentProcess.KERNEL32(00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B93E
OpenProcessToken.ADVAPI32(00000000,00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B944
GetTokenInformation.ADVAPI32(?,00000012(TokenIntegrityLevel),?,00000004,?,00000000,0048BA30,?,00000000,00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B96F
GetTokenInformation.ADVAPI32(?,00000014(TokenIntegrityLevel),?,00000004,?,?,TokenIntegrityLevel,?,00000004,?,00000000,0048BA30,?,00000000,00000008,?), ref: 0048B9DF
CloseHandle.KERNEL32(?), ref: 0048BA2A

Strings

unknow, xrefs: 0048B9B6
Limited, xrefs: 0048B9A7
Default, xrefs: 0048B989
Full, xrefs: 0048B998

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004035C4, Relevance: 15.1, APIs: 10, Instructions: 129 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: d538ecb20819965be69077a828496b76d5af3486dd71f6717b9dc933de35fdbc
Instruction ID: c976212507a0127e09b4f1878ff8970bdbefa7b4a5e526d5fabf74a192684bc9
Opcode Fuzzy Hash: DD012BC0B7E89268E42FAB84AA00FD25444979FFC9E70C74433C9615EE6742616CBE09
Instruction Fuzzy Hash: c976212507a0127e09b4f1878ff8970bdbefa7b4a5e526d5fabf74a192684bc9

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040364C
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00403670
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040368C
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 004036AD
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 004036D6
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 004036E4
GetStdHandle.KERNEL32(000000F5), ref: 0040371F
GetFileType.KERNEL32 ref: 00403735
CloseHandle.KERNEL32 ref: 00403750
GetLastError.KERNEL32(000000F5), ref: 00403768

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040EBCC, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201 Total matches: 3634thread

Similarity

Total matches: 3634
API ID: GetThreadLocale
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 1366207816-2493093252
Opcode ID: 01a36ac411dc2f0c4b9eddfafa1dc6121dabec367388c2cb1b6e664117e908cf
Instruction ID: d03f869ccb848d3c28b0e9f5c57a02ed4726818649ba9b5e70cc30c7e7abe10a
Opcode Fuzzy Hash: 7E216E09A7888936D262494C3885B9414F75F1A161EC4CBF18BB2757ED6EC60422FBFB
Instruction Fuzzy Hash: d03f869ccb848d3c28b0e9f5c57a02ed4726818649ba9b5e70cc30c7e7abe10a

APIs

Part of subcall function 0040EB08: GetThreadLocale.KERNEL32 ref: 0040EB2A
Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000004A), ref: 0040EB7D
Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000002A), ref: 0040EB8C

Part of subcall function 0040D3E8: GetThreadLocale.KERNEL32(00000000,0040D4FB,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040D404

GetThreadLocale.KERNEL32(00000000,0040EE97,?,?,00000000,00000000), ref: 0040EC02

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Part of subcall function 0040D380: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040EC7E,00000000,0040EE97,?,?,00000000,00000000), ref: 0040D393

Part of subcall function 0040D670: GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(?,00000000,0040D657,?,?,00000000), ref: 0040D5D8
Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040D657,?,?,00000000), ref: 0040D608
Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D50C,00000000,00000000,00000004), ref: 0040D613
Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040D657,?,?,00000000), ref: 0040D631
Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D548,00000000,00000000,00000003), ref: 0040D63C

Strings

AMPM , xrefs: 0040EE25
mmmm d, yyyy, xrefs: 0040ECFE
m/d/yy, xrefs: 0040ECD1
:mm, xrefs: 0040EE35
:mm:ss, xrefs: 0040EE52
AMPM, xrefs: 0040EE16

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045F5F8, Relevance: 10.6, APIs: 7, Instructions: 117 Total matches: 462file

Similarity

Total matches: 462
API ID: CloseHandle$CreateFileCreateFileMappingGetFileSizeMapViewOfFileUnmapViewOfFile
String ID:
API String ID: 4232242029-0
Opcode ID: 30b260463d44c6b5450ee73c488d4c98762007a87f67d167b52aaf6bd441c3bf
Instruction ID: 5c790fdba87d6d3a28b45298bdc34f72c373fcd78425af207109af52e92f4d8f
Opcode Fuzzy Hash: 68F028440BCCF3A7F4B5B64820427A1004AAB46B58D54BFA25495374CB89C9B04DFB53
Instruction Fuzzy Hash: 5c790fdba87d6d3a28b45298bdc34f72c373fcd78425af207109af52e92f4d8f

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateFileA.KERNEL32(00000000,80000000,00000003,00000000,00000003,08000080,00000000), ref: 0045F637
CreateFileMappingA.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0045F665
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718,?,?,?,?), ref: 0045F691
GetFileSize.KERNEL32(000000FF,00000000,00000000,0045F6DC,?,00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718), ref: 0045F6B3
UnmapViewOfFile.KERNEL32(00000000,0045F6E3,0045F6DC,?,00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718), ref: 0045F6D6
CloseHandle.KERNEL32(00000000), ref: 0045F6F4
CloseHandle.KERNEL32(000000FF), ref: 0045F712

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AFE8, Relevance: 10.6, APIs: 7, Instructions: 94 Total matches: 34sleep

Similarity

Total matches: 34
API ID: Sleep$GetCurrentProcessGetTokenInformationLookupPrivilegeDisplayNameLookupPrivilegeNameOpenProcessToken
String ID:
API String ID: 2949210484-0
Opcode ID: 1294ace95088db967643d611283e857756515b83d680ef470e886f47612abab4
Instruction ID: 080af5cb768fd98714a9d060fcd45c73de1816ca9ba7ffb4874f351f539571ee
Opcode Fuzzy Hash: F9F0F6524B5DE753F65D2A4C9893BE90250DB03424E806B22857877A8A5E195039FA2A
Instruction Fuzzy Hash: 080af5cb768fd98714a9d060fcd45c73de1816ca9ba7ffb4874f351f539571ee

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048B0F3), ref: 0048B016
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048B0F3), ref: 0048B01C
Sleep.KERNEL32(00000001,00000000,00000028,?,00000000,0048B0F3), ref: 0048B027
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B03C
Sleep.KERNEL32(00000001,?,TokenIntegrityLevel,00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B047
LookupPrivilegeNameA.ADVAPI32(00000000,00000004,00000000,000000FF), ref: 0048B094
LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,?,000000FF,?), ref: 0048B0A8

Part of subcall function 0048AEA8: GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AEFF
Part of subcall function 0048AEA8: OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF05
Part of subcall function 0048AEA8: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
Part of subcall function 0048AEA8: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000), ref: 0048AF77
Part of subcall function 0048AEA8: CloseHandle.KERNEL32(?), ref: 0048AF8D
Part of subcall function 0048AEA8: GetLastError.KERNEL32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF9A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B47C, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58 Total matches: 283

Similarity

Total matches: 283
API ID: MulDiv
String ID: MS Shell Dlg 2$SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes$Tahoma
API String ID: 940359406-1011973972
Opcode ID: 9f338f1e3de2c8e95426f3758bdd42744a67dcd51be80453ed6f2017c850a3af
Instruction ID: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a
Opcode Fuzzy Hash: EDE0680017C8F0ABFC32BC8A30A17CD20C9F341270C0063B1065D3D8CAAB4AC018E907
Instruction Fuzzy Hash: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a

APIs

MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0042B4A2

Part of subcall function 004217A0: RegCloseKey.ADVAPI32(10940000,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5,?,00000000,0048B2DD), ref: 004217B4

Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421A81
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421AF1
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?), ref: 00421B5C

Part of subcall function 00421770: RegFlushKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 00421781
Part of subcall function 00421770: RegCloseKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 0042178A

Part of subcall function 0042B438: GetDC.USER32(00000000), ref: 0042B441
Part of subcall function 0042B438: SelectObject.GDI32(00000000,018A002E), ref: 0042B453
Part of subcall function 0042B438: GetTextMetricsA.GDI32(00000000), ref: 0042B45E
Part of subcall function 0042B438: ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes, xrefs: 0042B4F8
MS Shell Dlg 2, xrefs: 0042B50C
Tahoma, xrefs: 0042B4C4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048CF38, Relevance: 4.5, APIs: 3, Instructions: 43 Total matches: 31

Similarity

Total matches: 31
API ID: GetForegroundWindowGetWindowTextGetWindowTextLength
String ID:
API String ID: 3098183346-0
Opcode ID: 209e0569b9b6198440fd91fa0607dca7769e34364d6ddda49eba559da13bc80b
Instruction ID: 91d0bfb2ef12b00d399625e8c88d0df52cd9c99a94677dcfff05ce23f9c63a23
Opcode Fuzzy Hash: 06D0A785074B861BA40A96CC64011E692906161142D8077318725BA5C9AD06001FA85B
Instruction Fuzzy Hash: 91d0bfb2ef12b00d399625e8c88d0df52cd9c99a94677dcfff05ce23f9c63a23

APIs

GetForegroundWindow.USER32 ref: 0048CF57
GetWindowTextLengthA.USER32(00000000), ref: 0048CF63
GetWindowTextA.USER32(00000000,00000000,00000001), ref: 0048CF80

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482028, Relevance: 4.5, APIs: 3, Instructions: 19 Total matches: 124window

Similarity

Total matches: 124
API ID: DispatchMessageGetMessageTranslateMessage
String ID:
API String ID: 238847732-0
Opcode ID: 2bc29e822e5a19ca43f9056ef731e5d255ca23f22894fa6ffe39914f176e67d0
Instruction ID: 3635f244085e73605198e4edd337f824154064b4cabe78c039b45d2f1f3269be
Opcode Fuzzy Hash: A9B0120F8141E01F254D19651413380B5D379C3120E515B604E2340284D19031C97C49
Instruction Fuzzy Hash: 3635f244085e73605198e4edd337f824154064b4cabe78c039b45d2f1f3269be

APIs

Part of subcall function 00481ED8: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00482007,?,?,00000003,00000000,00000000,?,00482033), ref: 00481EFB
Part of subcall function 00481ED8: SetWindowsHookExA.USER32(0000000D,004818F8,00000000,00000000), ref: 00481F09

TranslateMessage.USER32 ref: 00482036
DispatchMessageA.USER32 ref: 0048203C
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00482048

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Similar Non-Executed Functions

Function 0048B42C, Relevance: 70.2, APIs: 32, Strings: 8, Instructions: 219 Total matches: 29keyboard

Similarity

Total matches: 29
API ID: keybd_event
String ID: CTRLA$CTRLC$CTRLF$CTRLP$CTRLV$CTRLX$CTRLY$CTRLZ
API String ID: 2665452162-853614746
Opcode ID: 4def22f753c7f563c1d721fcc218f3f6eb664e5370ee48361dbc989d32d74133
Instruction ID: 963b610819eac8b52ef880b5a8b69d76f76adbdeafee6c47af906d1515d6b099
Opcode Fuzzy Hash: 532196951B0CA2B978DA64817C0E195F00B969B34DEDC13128990DAF788EF08DE03F35
Instruction Fuzzy Hash: 963b610819eac8b52ef880b5a8b69d76f76adbdeafee6c47af906d1515d6b099

APIs

keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B460
keybd_event.USER32(00000041,00000045,00000001,00000000), ref: 0048B46D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B47A
keybd_event.USER32(00000041,00000045,00000003,00000000), ref: 0048B487
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B4A8
keybd_event.USER32(00000056,00000045,00000001,00000000), ref: 0048B4B5
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B4C2
keybd_event.USER32(00000056,00000045,00000003,00000000), ref: 0048B4CF
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B4F0
keybd_event.USER32(00000043,00000045,00000001,00000000), ref: 0048B4FD
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B50A
keybd_event.USER32(00000043,00000045,00000003,00000000), ref: 0048B517
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B538
keybd_event.USER32(00000058,00000045,00000001,00000000), ref: 0048B545
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B552
keybd_event.USER32(00000058,00000045,00000003,00000000), ref: 0048B55F
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B580
keybd_event.USER32(00000050,00000045,00000001,00000000), ref: 0048B58D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B59A
keybd_event.USER32(00000050,00000045,00000003,00000000), ref: 0048B5A7
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B5C8
keybd_event.USER32(0000005A,00000045,00000001,00000000), ref: 0048B5D5
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B5E2
keybd_event.USER32(0000005A,00000045,00000003,00000000), ref: 0048B5EF
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B610
keybd_event.USER32(00000059,00000045,00000001,00000000), ref: 0048B61D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B62A
keybd_event.USER32(00000059,00000045,00000003,00000000), ref: 0048B637
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B655
keybd_event.USER32(00000046,00000045,00000001,00000000), ref: 0048B662
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B66F
keybd_event.USER32(00000046,00000045,00000003,00000000), ref: 0048B67C

Strings

CTRLP, xrefs: 0048B56C
CTRLC, xrefs: 0048B4DC
CTRLV, xrefs: 0048B494
CTRLY, xrefs: 0048B5FC
CTRLF, xrefs: 0048B641
CTRLZ, xrefs: 0048B5B4
CTRLX, xrefs: 0048B524
CTRLA, xrefs: 0048B44C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00460AC0, Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99 Total matches: 300libraryloader

Similarity

Total matches: 300
API ID: GetProcAddress$GetModuleHandle
String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$[FILE]
API String ID: 1039376941-2682310058
Opcode ID: f09c306a48b0de2dd47c8210d3bd2ba449cfa3644c05cf78ba5a2ace6c780295
Instruction ID: bcfc9cd07546656776842482fc67dab96c7523a4dc8624f3bf5282ed84c56a54
Opcode Fuzzy Hash: 950151BF00AC158CCBB0CE8834EFB5324AB398984C4225F4495C6312393D9FF50A1AAA
Instruction Fuzzy Hash: bcfc9cd07546656776842482fc67dab96c7523a4dc8624f3bf5282ed84c56a54

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?,?,?), ref: 00460AD4
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?,?,?), ref: 00460AEC
GetProcAddress.KERNEL32(00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?), ref: 00460AFE
GetProcAddress.KERNEL32(00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E), ref: 00460B10
GetProcAddress.KERNEL32(00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5), ref: 00460B22
GetProcAddress.KERNEL32(00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5), ref: 00460B34
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000), ref: 00460B46
GetProcAddress.KERNEL32(00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002), ref: 00460B58
GetProcAddress.KERNEL32(00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot), ref: 00460B6A
GetProcAddress.KERNEL32(00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst), ref: 00460B7C
GetProcAddress.KERNEL32(00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext), ref: 00460B8E
GetProcAddress.KERNEL32(00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First), ref: 00460BA0
GetProcAddress.KERNEL32(00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next), ref: 00460BB2
GetProcAddress.KERNEL32(00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory), ref: 00460BC4
GetProcAddress.KERNEL32(00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First), ref: 00460BD6
GetProcAddress.KERNEL32(00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next), ref: 00460BE8
GetProcAddress.KERNEL32(00000000,Module32NextW,00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW), ref: 00460BFA

Strings

Toolhelp32ReadProcessMemory, xrefs: 00460B3E
CreateToolhelp32Snapshot, xrefs: 00460AE4
Heap32First, xrefs: 00460B1A
Thread32First, xrefs: 00460B98
Module32First, xrefs: 00460BBC
Process32FirstW, xrefs: 00460B74
Heap32Next, xrefs: 00460B2C
Process32First, xrefs: 00460B50
Module32Next, xrefs: 00460BCE
Module32NextW, xrefs: 00460BF2
Heap32ListFirst, xrefs: 00460AF6
Thread32Next, xrefs: 00460BAA
Module32FirstW, xrefs: 00460BE0
Heap32ListNext, xrefs: 00460B08
Process32NextW, xrefs: 00460B86
kernel32.dll, xrefs: 00460ACF
Process32Next, xrefs: 00460B62

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428B08, Relevance: 48.5, APIs: 32, Instructions: 500 Total matches: 1987window

Similarity

Total matches: 1987
API ID: SelectObject$SelectPalette$CreateCompatibleDCGetDIBitsGetDeviceCapsRealizePaletteSetBkColorSetTextColor$BitBltCreateBitmapCreateCompatibleBitmapCreateDIBSectionDeleteDCFillRectGetDCGetDIBColorTableGetObjectPatBltSetDIBColorTable
String ID:
API String ID: 3042800676-0
Opcode ID: b8b687cee1c9a2d9d2f26bc490dbdcc6ec68fc2f2ec1aa58312beb2e349b1411
Instruction ID: ff68489d249ea03a763d48795c58495ac11dd1cccf96ec934182865f2a9e2114
Opcode Fuzzy Hash: E051494D0D8CF5C7B4BF29880993F5211816F83A27D2AB7130975677FB8A05A05BF21D
Instruction Fuzzy Hash: ff68489d249ea03a763d48795c58495ac11dd1cccf96ec934182865f2a9e2114

APIs

GetObjectA.GDI32(00000000,00000054,?), ref: 00428B88
GetDC.USER32(00000000), ref: 00428B99
CreateCompatibleDC.GDI32(00000000), ref: 00428BAA
CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 00428BF6
CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 00428C1A
GetDeviceCaps.GDI32(00000028,0000000C), ref: 00428C6A
GetDeviceCaps.GDI32(00000028,0000000E), ref: 00428C77
SelectObject.GDI32(?,?), ref: 00428D7F

Part of subcall function 004262B4: GetObjectA.GDI32(?,00000004), ref: 004262CB
Part of subcall function 004262B4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 004262EE

SelectObject.GDI32(?,00000000), ref: 00428D21
GetDIBColorTable.GDI32(?,00000000,00000100,-00000027), ref: 00428D47
GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428D72
CreateDIBSection.GDI32(00000028,00000001,00000000,00000003,00000000,00000000), ref: 00428DD5
GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428E36

Part of subcall function 00425A70: GetLastError.KERNEL32(00000000,00425B0C), ref: 00425A90
Part of subcall function 00425A70: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00425B0C), ref: 00425AB6

SelectObject.GDI32(?,?), ref: 00428E77
SelectPalette.GDI32(?,00000000,00000000), ref: 00428EB7
RealizePalette.GDI32(?), ref: 00428EC3
SelectPalette.GDI32(?,?,000000FF), ref: 004290CE

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?,00000000), ref: 00428F14
SetTextColor.GDI32(?,00000000), ref: 00428F2C
SetBkColor.GDI32(?,00000000), ref: 00428F46
SetDIBColorTable.GDI32(?,00000000,00000002,?), ref: 00428F8E
PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 00428FB0
CreateCompatibleDC.GDI32(00000028), ref: 00428FC3
SelectObject.GDI32(?,00000000), ref: 00428FE6
SelectPalette.GDI32(?,00000000,00000000), ref: 00429002
RealizePalette.GDI32(?), ref: 0042900D
DeleteDC.GDI32(?), ref: 004290A4

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetTextColor.GDI32(?,00000000), ref: 0042902B
SetBkColor.GDI32(?,00000000), ref: 00429045
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042906D
SelectPalette.GDI32(?,00000000,000000FF), ref: 0042907F
SelectObject.GDI32(?,00000000), ref: 00429089

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00458910, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64 Total matches: 3020window

Similarity

Total matches: 3020
API ID: GetWindowLongScreenToClient$GetWindowPlacementGetWindowRectIsIconic
String ID: ,
API String ID: 816554555-3772416878
Opcode ID: 33713ad712eb987f005f3c933c072ce84ce87073303cb20338137d5b66c4d54f
Instruction ID: 99fb2dd3f2d8984d329dcc6a20dc6bc7800d43894b91fc45d581d88d3a180e50
Opcode Fuzzy Hash: 34E0929A777C2018C58145A80943F5DB3519B5B7FAC55DF8036902895B110018B1B86D
Instruction Fuzzy Hash: 99fb2dd3f2d8984d329dcc6a20dc6bc7800d43894b91fc45d581d88d3a180e50

APIs

IsIconic.USER32(?), ref: 0045891F
GetWindowPlacement.USER32(?,0000002C), ref: 0045893C
GetWindowRect.USER32(?), ref: 00458955
GetWindowLongA.USER32(?,000000F0), ref: 00458963
GetWindowLongA.USER32(?,000000F8), ref: 00458978
ScreenToClient.USER32(00000000), ref: 00458985
ScreenToClient.USER32(00000000,?), ref: 00458990

Strings

,, xrefs: 00458928

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043B7D8, Relevance: 12.1, APIs: 8, Instructions: 72 Total matches: 256window

Similarity

Total matches: 256
API ID: ShowWindow$SetWindowLong$GetWindowLongIsIconicIsWindowVisible
String ID:
API String ID: 1329766111-0
Opcode ID: 851ee31c2da1c7e890e66181f8fd9237c67ccb8fd941b2d55d1428457ca3ad95
Instruction ID: 2d601e2c9dde570a1438639cb57e59d23a7ac9434ebe8ec1c9926e4533b8e8e7
Opcode Fuzzy Hash: FEE0684A6E7C6CE4E26AE7048881B00514BE307A17DC00B00C722165A69E8830E4AC8E
Instruction Fuzzy Hash: 2d601e2c9dde570a1438639cb57e59d23a7ac9434ebe8ec1c9926e4533b8e8e7

APIs

GetWindowLongA.USER32(?,000000EC), ref: 0043B7E8
IsIconic.USER32(?), ref: 0043B800
IsWindowVisible.USER32(?), ref: 0043B80C
ShowWindow.USER32(?,00000000), ref: 0043B840
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B855
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B866
ShowWindow.USER32(?,00000006), ref: 0043B881
ShowWindow.USER32(?,00000005), ref: 0043B88B

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004389B4, Relevance: 10.9, APIs: 7, Instructions: 405 Total matches: 2150windowCrypto

Similarity

Total matches: 2150
API ID: RestoreDCSaveDC$DefWindowProcGetSubMenuGetWindowDC
String ID:
API String ID: 4165311318-0
Opcode ID: e3974ea3235f2bde98e421c273a503296059dbd60f3116d5136c6e7e7c4a4110
Instruction ID: 37498faecac08611daeb58a409bdd2e28f3aff22c71556953c3d6c7203dc42a1
Opcode Fuzzy Hash: E351598106AE105BFCB3A49435C3FA31002E75259BCC9F7725F65B69F70A426107FA0E
Instruction Fuzzy Hash: 37498faecac08611daeb58a409bdd2e28f3aff22c71556953c3d6c7203dc42a1

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 00438ECA

Part of subcall function 00437AE0: SendMessageA.USER32(?,00000234,00000000,00000000), ref: 00437B66
Part of subcall function 00437AE0: DrawMenuBar.USER32(00000000), ref: 00437B77

GetSubMenu.USER32(?,?), ref: 00438AB0

Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128

SaveDC.GDI32(?), ref: 00438C84
RestoreDC.GDI32(?,?), ref: 00438CF8
GetWindowDC.USER32(?), ref: 00438D72
SaveDC.GDI32(?), ref: 00438DA9
RestoreDC.GDI32(?,?), ref: 00438E16

Part of subcall function 00438594: GetMenuItemCount.USER32(?), ref: 004385C0
Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 004385E0
Part of subcall function 00438594: GetMenuState.USER32(?,00000000,00000400), ref: 00438678

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043E644, Relevance: 10.9, APIs: 7, Instructions: 356 Total matches: 105windowCrypto

Similarity

Total matches: 105
API ID: RestoreDCSaveDC$GetParentGetWindowDCSetFocus
String ID:
API String ID: 1433148327-0
Opcode ID: c7c51054c34f8cc51c1d37cc0cdfc3fb3cac56433bd5d750a0ee7df42f9800ec
Instruction ID: 9e67841575b56d9a11e2d3f15b67e7abce699d8469a9871b1b2609441fc85f19
Opcode Fuzzy Hash: 60514740199E7193F47720842BC3BEAB09AF79671DC40F3616BC6318877F15A21AB70B
Instruction Fuzzy Hash: 9e67841575b56d9a11e2d3f15b67e7abce699d8469a9871b1b2609441fc85f19

APIs

Part of subcall function 00448224: SetActiveWindow.USER32(?), ref: 0044823F
Part of subcall function 00448224: SetFocus.USER32(00000000), ref: 00448289

SetFocus.USER32(00000000), ref: 0043E76F

Part of subcall function 0043F4F4: SendMessageA.USER32(00000000,00000229,00000000,00000000), ref: 0043F51B

Part of subcall function 0044D2F4: GetWindowThreadProcessId.USER32(?), ref: 0044D301
Part of subcall function 0044D2F4: GetCurrentProcessId.KERNEL32(?,00000000,?,004387ED,?,004378A9), ref: 0044D30A
Part of subcall function 0044D2F4: GlobalFindAtomA.KERNEL32(00000000), ref: 0044D31F
Part of subcall function 0044D2F4: GetPropA.USER32(?,00000000), ref: 0044D336

GetParent.USER32(?), ref: 0043E78A

Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128

SaveDC.GDI32(?), ref: 0043E92D
RestoreDC.GDI32(?,?), ref: 0043E99E
GetWindowDC.USER32(00000000), ref: 0043EA0A
SaveDC.GDI32(?), ref: 0043EA41
RestoreDC.GDI32(?,?), ref: 0043EAA5

Part of subcall function 00447EF0: InvalidateRect.USER32(00000000,00000000,000000FF), ref: 00447F83
Part of subcall function 00447EF0: InvalidateRect.USER32(00000000,00000000,000000FF), ref: 00447FB6

Part of subcall function 004556F4: SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000077), ref: 004557E5
Part of subcall function 004556F4: _TrackMouseEvent.COMCTL32(00000010), ref: 00455A9D
Part of subcall function 004556F4: DefWindowProcA.USER32(00000000,?,?,?), ref: 00455AEF
Part of subcall function 004556F4: GetCapture.USER32 ref: 00455B5A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00471850, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 97 Total matches: 34service

Similarity

Total matches: 34
API ID: CloseServiceHandle$CreateServiceOpenSCManager
String ID: Description$System\CurrentControlSet\Services\
API String ID: 2405299899-3489731058
Opcode ID: 96e252074fe1f6aca618bd4c8be8348df4b99afc93868a54bf7090803d280f0a
Instruction ID: 14b9cf690ce9596509c6229b802a5a61d158de39c8e329de654368bbb4824ff8
Opcode Fuzzy Hash: 7EF09E441FA6E84FA45EB84828533D651465713A78D4C77F19778379C34E84802EF662
Instruction Fuzzy Hash: 14b9cf690ce9596509c6229b802a5a61d158de39c8e329de654368bbb4824ff8

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,00471976,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00471890
CreateServiceA.ADVAPI32(00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,0047193B), ref: 004718D1

Part of subcall function 004711E8: RegCreateKeyA.ADVAPI32(?,00000000,?), ref: 0047122E
Part of subcall function 004711E8: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000002,00000000,?,00000000,00471291), ref: 0047125A
Part of subcall function 004711E8: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000002,00000000,?,00000000,00471291), ref: 00471269

CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00471926
CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0047192C

Strings

Description, xrefs: 00471916
System\CurrentControlSet\Services\, xrefs: 004718F7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004714B8, Relevance: 10.6, APIs: 7, Instructions: 89 Total matches: 71service

Similarity

Total matches: 71
API ID: CloseServiceHandle$ControlServiceOpenSCManagerOpenServiceQueryServiceStatusStartService
String ID:
API String ID: 3657116338-0
Opcode ID: 1e9d444eec48d0e419340f6fec950ff588b94c8e7592a950f99d2ba7664d31f8
Instruction ID: f731b938185626ba78ad74946a73eac4c40bc8709c87a2b6d5c22da45b1e1850
Opcode Fuzzy Hash: EDF0270D12C6E85FF119A88C1181B67D992DF56795E4A37E04715744CB1AE21008FA1E
Instruction Fuzzy Hash: f731b938185626ba78ad74946a73eac4c40bc8709c87a2b6d5c22da45b1e1850

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047159E), ref: 004714FD
OpenServiceA.ADVAPI32(00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047152D
StartServiceA.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471555
ControlService.ADVAPI32(00000000,00000001,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471563
QueryServiceStatus.ADVAPI32(00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047156D
CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471573
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471579

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A070, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51 Total matches: 81shutdown

Similarity

Total matches: 81
API ID: AdjustTokenPrivilegesExitWindowsExGetCurrentProcessLookupPrivilegeValueOpenProcessToken
String ID: SeShutdownPrivilege
API String ID: 907618230-3733053543
Opcode ID: 6325c351eeb4cc5a7ec0039467aea46e8b54e3429b17674810d590d1af91e24f
Instruction ID: 66577e1e564058a64f67eda116e8e082f314cb3670dbe1b8773e92ba7f33d392
Opcode Fuzzy Hash: 84D0124D3B7976B1F31D5D4001C47A6711FDBA322AD61670069507725A8DA091F4BE88
Instruction Fuzzy Hash: 66577e1e564058a64f67eda116e8e082f314cb3670dbe1b8773e92ba7f33d392

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 0048A083
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0048A089
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000000), ref: 0048A0A4
AdjustTokenPrivileges.ADVAPI32(00000002,00000000,00000002,00000010,?,?,00000000), ref: 0048A0E5
ExitWindowsEx.USER32(00000012,00000000), ref: 0048A0ED

Strings

SeShutdownPrivilege, xrefs: 0048A09D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004715B0, Relevance: 7.5, APIs: 5, Instructions: 49 Total matches: 102service

Similarity

Total matches: 102
API ID: CloseServiceHandle$DeleteServiceOpenSCManagerOpenService
String ID:
API String ID: 3460840894-0
Opcode ID: edfa3289dfdb26ec1f91a4a945de349b204e0a604ed3354c303b362bde8b8223
Instruction ID: 514bcffe4070602af344c66095507f6a8d55ec3e3e7bb18c804bf3b7deea95f5
Opcode Fuzzy Hash: 01D02E841BA8F82FD4879988111239360C1AA23A90D8A37F08E08361D3ABE4004CF86A
Instruction Fuzzy Hash: 514bcffe4070602af344c66095507f6a8d55ec3e3e7bb18c804bf3b7deea95f5

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047162F), ref: 004715DB
OpenServiceA.ADVAPI32(00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 004715F5
DeleteService.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471601
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 0047160E
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471614

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A218, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45 Total matches: 35

Similarity

Total matches: 35
API ID: ShellExecuteEx
String ID: <$runas
API String ID: 188261505-1187129395
Opcode ID: 78fd917f465efea932f782085a819b786d64ecbded851ad2becd4a9c2b295cba
Instruction ID: 699417cfffd9d2823bf050fc300394e0ca4864bf277244f982f3937778f2d3bc
Opcode Fuzzy Hash: 44D0C2651799A06BC4A3B2C03C41B2B25307B13B48C0EB722960034CD38F080009EF85
Instruction Fuzzy Hash: 699417cfffd9d2823bf050fc300394e0ca4864bf277244f982f3937778f2d3bc

APIs

ShellExecuteExA.SHELL32(0000003C,00000000,0048A2A4), ref: 0048A283

Strings

runas, xrefs: 0048A268
<, xrefs: 0048A24C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042F204, Relevance: 166.5, APIs: 48, Strings: 47, Instructions: 266 Total matches: 2590libraryloader

Similarity

Total matches: 2590
API ID: GetProcAddress$LoadLibrary
String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$[FILE]
API String ID: 2209490600-790253602
Opcode ID: d5b316937265a1d63c550ac9e6780b23ae603b9b00a4eb52bbd2495b45327185
Instruction ID: cdd6db89471e363eb0c024dafd59dce8bdfa3de864d9ed8bc405e7c292d3cab1
Opcode Fuzzy Hash: 3A41197F44EC1149F6A0DA0830FF64324E669EAF2C0325F101587303717ADBF52A6AB9
Instruction Fuzzy Hash: cdd6db89471e363eb0c024dafd59dce8bdfa3de864d9ed8bc405e7c292d3cab1

APIs

LoadLibraryA.KERNEL32(uxtheme.dll), ref: 0042F23A
GetProcAddress.KERNEL32(00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F252
GetProcAddress.KERNEL32(00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F264
GetProcAddress.KERNEL32(00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F276
GetProcAddress.KERNEL32(00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F288
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F29A
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F2AC
GetProcAddress.KERNEL32(00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000), ref: 0042F2BE
GetProcAddress.KERNEL32(00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData), ref: 0042F2D0
GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData), ref: 0042F2E2
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground), ref: 0042F2F4
GetProcAddress.KERNEL32(00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText), ref: 0042F306
GetProcAddress.KERNEL32(00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect), ref: 0042F318
GetProcAddress.KERNEL32(00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect), ref: 0042F32A
GetProcAddress.KERNEL32(00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize), ref: 0042F33C
GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent), ref: 0042F34E
GetProcAddress.KERNEL32(00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics), ref: 0042F360
GetProcAddress.KERNEL32(00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion), ref: 0042F372
GetProcAddress.KERNEL32(00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground), ref: 0042F384
GetProcAddress.KERNEL32(00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge), ref: 0042F396
GetProcAddress.KERNEL32(00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon), ref: 0042F3A8
GetProcAddress.KERNEL32(00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined), ref: 0042F3BA
GetProcAddress.KERNEL32(00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent), ref: 0042F3CC
GetProcAddress.KERNEL32(00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor), ref: 0042F3DE
GetProcAddress.KERNEL32(00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric), ref: 0042F3F0
GetProcAddress.KERNEL32(00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString), ref: 0042F402
GetProcAddress.KERNEL32(00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool), ref: 0042F414
GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt), ref: 0042F426
GetProcAddress.KERNEL32(00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue), ref: 0042F438
GetProcAddress.KERNEL32(00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition), ref: 0042F44A
GetProcAddress.KERNEL32(00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont), ref: 0042F45C
GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect), ref: 0042F46E
GetProcAddress.KERNEL32(00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins), ref: 0042F480
GetProcAddress.KERNEL32(00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList), ref: 0042F492
GetProcAddress.KERNEL32(00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin), ref: 0042F4A4
GetProcAddress.KERNEL32(00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme), ref: 0042F4B6
GetProcAddress.KERNEL32(00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename), ref: 0042F4C8
GetProcAddress.KERNEL32(00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor), ref: 0042F4DA
GetProcAddress.KERNEL32(00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush), ref: 0042F4EC
GetProcAddress.KERNEL32(00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool), ref: 0042F4FE
GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize), ref: 0042F510
GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont), ref: 0042F522
GetProcAddress.KERNEL32(00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString), ref: 0042F534
GetProcAddress.KERNEL32(00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt), ref: 0042F546
GetProcAddress.KERNEL32(00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive), ref: 0042F558
GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed), ref: 0042F56A
GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground,00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme), ref: 0042F57C
GetProcAddress.KERNEL32(00000000,EnableTheming,00000000,DrawThemeParentBackground,00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture), ref: 0042F58E

Strings

EnableTheming, xrefs: 0042F586
CloseThemeData, xrefs: 0042F25C
DrawThemeText, xrefs: 0042F280
GetThemePosition, xrefs: 0042F3C4
IsThemeBackgroundPartiallyTransparent, xrefs: 0042F346
GetThemeBool, xrefs: 0042F38E
GetThemeTextMetrics, xrefs: 0042F2DA
IsThemeDialogTextureEnabled, xrefs: 0042F51A
GetThemeMetric, xrefs: 0042F36A
GetThemeSysInt, xrefs: 0042F4C0
GetThemeInt, xrefs: 0042F3A0
SetThemeAppProperties, xrefs: 0042F53E
IsAppThemed, xrefs: 0042F4E4
EnableThemeDialogTexture, xrefs: 0042F508
GetThemeEnumValue, xrefs: 0042F3B2
GetThemeSysSize, xrefs: 0042F48A
GetThemeTextExtent, xrefs: 0042F2C8
DrawThemeBackground, xrefs: 0042F26E
GetThemeBackgroundRegion, xrefs: 0042F2EC
IsThemeActive, xrefs: 0042F4D2
GetThemeBackgroundContentRect, xrefs: 0042F292, 0042F2A4
uxtheme.dll, xrefs: 0042F235
GetThemeSysString, xrefs: 0042F4AE
DrawThemeEdge, xrefs: 0042F310
GetThemeFilename, xrefs: 0042F442
GetThemeIntList, xrefs: 0042F40C
GetThemeSysBool, xrefs: 0042F478
GetThemeSysColor, xrefs: 0042F454
GetThemeFont, xrefs: 0042F3D6
GetWindowTheme, xrefs: 0042F4F6
GetThemeMargins, xrefs: 0042F3FA
GetThemeSysColorBrush, xrefs: 0042F466
GetCurrentThemeName, xrefs: 0042F550
GetThemeAppProperties, xrefs: 0042F52C
GetThemePropertyOrigin, xrefs: 0042F41E
OpenThemeData, xrefs: 0042F24A
GetThemeSysFont, xrefs: 0042F49C
GetThemeRect, xrefs: 0042F3E8
GetThemeDocumentationProperty, xrefs: 0042F562
IsThemePartDefined, xrefs: 0042F334
SetWindowTheme, xrefs: 0042F430
GetThemePartSize, xrefs: 0042F2B6
GetThemeColor, xrefs: 0042F358
DrawThemeParentBackground, xrefs: 0042F574
DrawThemeIcon, xrefs: 0042F322
GetThemeString, xrefs: 0042F37C
HitTestThemeBackground, xrefs: 0042F2FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00460DDC, Relevance: 75.4, APIs: 24, Strings: 19, Instructions: 132 Total matches: 77libraryloader

Similarity

Total matches: 77
API ID: GetProcAddress$LoadLibrary
String ID: EmptyWorkingSet$EnumDeviceDrivers$EnumProcessModules$EnumProcesses$GetDeviceDriverBaseNameA$GetDeviceDriverBaseNameW$GetDeviceDriverFileNameA$GetDeviceDriverFileNameW$GetMappedFileNameA$GetMappedFileNameW$GetModuleBaseNameA$GetModuleBaseNameW$GetModuleFileNameExA$GetModuleFileNameExW$GetModuleInformation$GetProcessMemoryInfo$InitializeProcessForWsWatch$[FILE]$QueryWorkingSet
API String ID: 2209490600-4166134900
Opcode ID: aaefed414f62a40513f9ac2234ba9091026a29d00b8defe743cdf411cc1f958a
Instruction ID: 585c55804eb58d57426aaf25b5bf4c27b161b10454f9e43d23d5139f544de849
Opcode Fuzzy Hash: CC1125BF55AD1149CBA48A6C34EF70324D3399A90D4228F10A492317397DDFE49A1FB5
Instruction Fuzzy Hash: 585c55804eb58d57426aaf25b5bf4c27b161b10454f9e43d23d5139f544de849

APIs

LoadLibraryA.KERNEL32(PSAPI.dll), ref: 00460DF0
GetProcAddress.KERNEL32(00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E0C
GetProcAddress.KERNEL32(00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E1E
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E30
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E42
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E54
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E66
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll), ref: 00460E78
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses), ref: 00460E8A
GetProcAddress.KERNEL32(00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules), ref: 00460E9C
GetProcAddress.KERNEL32(00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA), ref: 00460EAE
GetProcAddress.KERNEL32(00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA), ref: 00460EC0
GetProcAddress.KERNEL32(00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA), ref: 00460ED2
GetProcAddress.KERNEL32(00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA), ref: 00460EE4
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW), ref: 00460EF6
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW), ref: 00460F08
GetProcAddress.KERNEL32(00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation), ref: 00460F1A
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet), ref: 00460F2C
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet), ref: 00460F3E
GetProcAddress.KERNEL32(00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch), ref: 00460F50
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA), ref: 00460F62
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA), ref: 00460F74
GetProcAddress.KERNEL32(00000000,EnumDeviceDrivers,00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA), ref: 00460F86
GetProcAddress.KERNEL32(00000000,GetProcessMemoryInfo,00000000,EnumDeviceDrivers,00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA), ref: 00460F98

Strings

GetDeviceDriverFileNameA, xrefs: 00460F00, 00460F36
GetModuleInformation, xrefs: 00460E94
QueryWorkingSet, xrefs: 00460EB8
EnumProcessModules, xrefs: 00460E16
InitializeProcessForWsWatch, xrefs: 00460ECA
GetMappedFileNameA, xrefs: 00460EDC, 00460F12
GetDeviceDriverFileNameW, xrefs: 00460F6C
GetDeviceDriverBaseNameA, xrefs: 00460EEE, 00460F24
PSAPI.dll, xrefs: 00460DEB
EnumProcesses, xrefs: 00460E04
EnumDeviceDrivers, xrefs: 00460F7E
GetModuleBaseNameA, xrefs: 00460E28, 00460E4C
GetModuleFileNameExA, xrefs: 00460E3A, 00460E5E
GetDeviceDriverBaseNameW, xrefs: 00460F5A
EmptyWorkingSet, xrefs: 00460EA6
GetModuleFileNameExW, xrefs: 00460E82
GetModuleBaseNameW, xrefs: 00460E70
GetMappedFileNameW, xrefs: 00460F48
GetProcessMemoryInfo, xrefs: 00460F90

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045D6E8, Relevance: 49.1, APIs: 15, Strings: 13, Instructions: 95 Total matches: 1532libraryloader

Similarity

Total matches: 1532
API ID: GetProcAddress$SetErrorMode$GetModuleHandleLoadLibrary
String ID: ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME$[FILE]
API String ID: 4285671783-683095915
Opcode ID: 6332f91712b4189a2fbf9eac54066364acf4b46419cf90587b9f7381acad85db
Instruction ID: 372e34bc737a7edc69a1909bd40661afaf820c1de602df88552da6e630419b72
Opcode Fuzzy Hash: 0A01257F24D863CBD2D0CE4934DB39D20B65787C0C8D6DF404605318697F9BF9295A68
Instruction Fuzzy Hash: 372e34bc737a7edc69a1909bd40661afaf820c1de602df88552da6e630419b72

APIs

SetErrorMode.KERNEL32(00008000), ref: 0045D701
GetModuleHandleA.KERNEL32(USER32,00000000,0045D84E,?,00008000), ref: 0045D725
GetProcAddress.KERNEL32(00000000,WINNLSEnableIME,USER32,00000000,0045D84E,?,00008000), ref: 0045D732
LoadLibraryA.KERNEL32(imm32.dll), ref: 0045D74E
GetProcAddress.KERNEL32(00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D770
GetProcAddress.KERNEL32(00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D785
GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D79A
GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7AF
GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7C4
GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E), ref: 0045D7D9
GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000), ref: 0045D7EE
GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext), ref: 0045D803
GetProcAddress.KERNEL32(00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext), ref: 0045D818
GetProcAddress.KERNEL32(00000000,ImmNotifyIME,00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus), ref: 0045D82D
SetErrorMode.KERNEL32(?,0045D855,00008000), ref: 0045D848

Strings

USER32, xrefs: 0045D720
ImmReleaseContext, xrefs: 0045D77A
ImmNotifyIME, xrefs: 0045D822
ImmIsIME, xrefs: 0045D80D
ImmGetConversionStatus, xrefs: 0045D78F
ImmSetCompositionFontA, xrefs: 0045D7E3
ImmGetCompositionStringA, xrefs: 0045D7F8
ImmSetCompositionWindow, xrefs: 0045D7CE
ImmGetContext, xrefs: 0045D765
imm32.dll, xrefs: 0045D749
ImmSetOpenStatus, xrefs: 0045D7B9
WINNLSEnableIME, xrefs: 0045D72C
ImmSetConversionStatus, xrefs: 0045D7A4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004104F0, Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141 Total matches: 3143

Similarity

Total matches: 3143
API ID: GetModuleHandle
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$[FILE]
API String ID: 2196120668-1102361026
Opcode ID: d04b3c176625d43589df9c4c1eaa1faa8af9b9c00307a8a09859a0e62e75f2dc
Instruction ID: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6
Opcode Fuzzy Hash: B8119E48E06A10BC356E3ED6B0292683F50A1A7CBF31D5388487AA46F067C083C0FF2D
Instruction Fuzzy Hash: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 004104F9

Part of subcall function 004104C4: GetProcAddress.KERNEL32(00000000), ref: 004104DD

Strings

VarMod, xrefs: 004105B7
VarBstrFromCy, xrefs: 004106A9
VarBstrFromBool, xrefs: 004106D5
VarAnd, xrefs: 004105CD
VarDateFromStr, xrefs: 00410667
oleaut32.dll, xrefs: 004104F4
VariantChangeTypeEx, xrefs: 00410507
VarCmp, xrefs: 0041060F
VarBstrFromDate, xrefs: 004106BF
VarBoolFromStr, xrefs: 00410693
VarR8FromStr, xrefs: 00410651
VarR4FromStr, xrefs: 0041063B
VarDiv, xrefs: 0041058B
VarSub, xrefs: 0041055F
VarNeg, xrefs: 0041051D
VarAdd, xrefs: 00410549
VarOr, xrefs: 004105E3
VarMul, xrefs: 00410575
VarI4FromStr, xrefs: 00410625
VarCyFromStr, xrefs: 0041067D
VarIdiv, xrefs: 004105A1
VarXor, xrefs: 004105F9
VarNot, xrefs: 00410533

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004291D0, Relevance: 31.7, APIs: 21, Instructions: 194 Total matches: 3060window

Similarity

Total matches: 3060
API ID: SelectObject$CreateCompatibleDCDeleteDCRealizePaletteSelectPaletteSetBkColor$BitBltCreateBitmapDeleteObjectGetDCGetObjectPatBltReleaseDC
String ID:
API String ID: 628774946-0
Opcode ID: fe3971f2977393a3c43567018b8bbe78de127415e632ac21538e816cc0dd5250
Instruction ID: 6115c1c3159ef7867d394253bd6a45f4e10092e6f2e7cc69ab30c5ac2c74a228
Opcode Fuzzy Hash: 2911294A05CCF32B64B579881983B261182FE43B52CABF7105979272CACF41740DE457
Instruction Fuzzy Hash: 6115c1c3159ef7867d394253bd6a45f4e10092e6f2e7cc69ab30c5ac2c74a228

APIs

GetObjectA.GDI32(?,00000054,?), ref: 004291F3
GetDC.USER32(00000000), ref: 00429221
CreateCompatibleDC.GDI32(?), ref: 00429232
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0042924D
SelectObject.GDI32(?,00000000), ref: 00429267
PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 00429289
CreateCompatibleDC.GDI32(?), ref: 00429297
DeleteDC.GDI32(?), ref: 0042937D

Part of subcall function 00428B08: GetObjectA.GDI32(00000000,00000054,?), ref: 00428B88
Part of subcall function 00428B08: GetDC.USER32(00000000), ref: 00428B99
Part of subcall function 00428B08: CreateCompatibleDC.GDI32(00000000), ref: 00428BAA
Part of subcall function 00428B08: CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 00428BF6
Part of subcall function 00428B08: CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 00428C1A
Part of subcall function 00428B08: GetDeviceCaps.GDI32(00000028,0000000C), ref: 00428C6A
Part of subcall function 00428B08: GetDeviceCaps.GDI32(00000028,0000000E), ref: 00428C77
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00428D21
Part of subcall function 00428B08: GetDIBColorTable.GDI32(?,00000000,00000100,-00000027), ref: 00428D47
Part of subcall function 00428B08: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428D72
Part of subcall function 00428B08: SelectObject.GDI32(?,?), ref: 00428D7F
Part of subcall function 00428B08: CreateDIBSection.GDI32(00000028,00000001,00000000,00000003,00000000,00000000), ref: 00428DD5
Part of subcall function 00428B08: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428E36
Part of subcall function 00428B08: SelectObject.GDI32(?,?), ref: 00428E77
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,00000000), ref: 00428EB7
Part of subcall function 00428B08: RealizePalette.GDI32(?), ref: 00428EC3
Part of subcall function 00428B08: FillRect.USER32(?,?,00000000), ref: 00428F14
Part of subcall function 00428B08: SetTextColor.GDI32(?,00000000), ref: 00428F2C
Part of subcall function 00428B08: SetBkColor.GDI32(?,00000000), ref: 00428F46
Part of subcall function 00428B08: SetDIBColorTable.GDI32(?,00000000,00000002,?), ref: 00428F8E
Part of subcall function 00428B08: PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 00428FB0
Part of subcall function 00428B08: CreateCompatibleDC.GDI32(00000028), ref: 00428FC3
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00428FE6
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,00000000), ref: 00429002
Part of subcall function 00428B08: RealizePalette.GDI32(?), ref: 0042900D
Part of subcall function 00428B08: SetTextColor.GDI32(?,00000000), ref: 0042902B
Part of subcall function 00428B08: SetBkColor.GDI32(?,00000000), ref: 00429045
Part of subcall function 00428B08: BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042906D
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,000000FF), ref: 0042907F
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00429089
Part of subcall function 00428B08: DeleteDC.GDI32(?), ref: 004290A4
Part of subcall function 00428B08: SelectPalette.GDI32(?,?,000000FF), ref: 004290CE

SelectObject.GDI32(?), ref: 004292DF
SelectPalette.GDI32(?,?,00000000), ref: 004292F2
RealizePalette.GDI32(?), ref: 004292FB
SelectPalette.GDI32(?,?,00000000), ref: 00429307
RealizePalette.GDI32(?), ref: 00429310
SetBkColor.GDI32(?), ref: 0042931A
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042933E
SetBkColor.GDI32(?,00000000), ref: 00429348
SelectObject.GDI32(?,00000000), ref: 0042935B
DeleteObject.GDI32 ref: 00429367
SelectObject.GDI32(?,00000000), ref: 00429398
DeleteDC.GDI32(00000000), ref: 004293B4
ReleaseDC.USER32(00000000,00000000), ref: 004293C5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004031FC, Relevance: 27.1, APIs: 9, Strings: 9, Instructions: 110 Total matches: 169

Similarity

Total matches: 169
API ID: CharNext
String ID: $ $ $"$"$"$"$"$"
API String ID: 3213498283-3597982963
Opcode ID: a78e52ca640c3a7d11d18e4cac849d6c7481ab065be4a6ef34a7c34927dd7892
Instruction ID: 5d6dbb870b020a65ba4fa9e31a5dda400ef744f15fc7bff5e21739e263984da5
Opcode Fuzzy Hash: D0F054139ED4432360976B416872B44E2D0DF9564D2C01F185B62BE2F31E696D62F9DC
Instruction Fuzzy Hash: 5d6dbb870b020a65ba4fa9e31a5dda400ef744f15fc7bff5e21739e263984da5

APIs

CharNextA.USER32(00000000), ref: 00403208
CharNextA.USER32(00000000), ref: 00403236
CharNextA.USER32(00000000), ref: 00403240
CharNextA.USER32(00000000), ref: 0040325F
CharNextA.USER32(00000000), ref: 00403269
CharNextA.USER32(00000000), ref: 00403295
CharNextA.USER32(00000000), ref: 0040329F
CharNextA.USER32(00000000), ref: 004032C7
CharNextA.USER32(00000000), ref: 004032D1

Strings

", xrefs: 00403230
, xrefs: 004032E9
", xrefs: 0040328F
", xrefs: 0040321E
, xrefs: 00403214
", xrefs: 00403254
, xrefs: 00403278
", xrefs: 00403219
", xrefs: 004032BC

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004296E0, Relevance: 21.2, APIs: 14, Instructions: 217 Total matches: 2962window

Similarity

Total matches: 2962
API ID: GetDeviceCapsSelectObjectSelectPaletteSetStretchBltMode$CreateCompatibleDCDeleteDCGetBrushOrgExRealizePaletteSetBrushOrgExStretchBlt
String ID:
API String ID: 3308931694-0
Opcode ID: c4f23efe5e20e7f72d9787206ae9d4d4484ef6a1768b369050ebc0ce3d21af64
Instruction ID: 6e80a75276815f297b150d1899ec2451361d21afa1efcd092d0d7bc48a04164e
Opcode Fuzzy Hash: 2C21980A409CEB6BF0BB78840183F4A2285BF9B34ACD1BB210E64673635F04E40BD65F
Instruction Fuzzy Hash: 6e80a75276815f297b150d1899ec2451361d21afa1efcd092d0d7bc48a04164e

APIs

Part of subcall function 00429D5C: GetDC.USER32(00000000), ref: 00429DB2
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429DC7
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00429DD1
Part of subcall function 00429D5C: CreateHalftonePalette.GDI32(00000000), ref: 00429DF5
Part of subcall function 00429D5C: ReleaseDC.USER32(00000000,00000000), ref: 00429E00

SelectPalette.GDI32(?,?,000000FF), ref: 00429723
RealizePalette.GDI32(?), ref: 00429732
GetDeviceCaps.GDI32(?,0000000C), ref: 00429744
GetDeviceCaps.GDI32(?,0000000E), ref: 00429753
GetBrushOrgEx.GDI32(?,?), ref: 00429786
SetStretchBltMode.GDI32(?,00000004), ref: 00429794
SetBrushOrgEx.GDI32(?,?,?,?), ref: 004297AC
SetStretchBltMode.GDI32(00000000,00000003), ref: 004297C9
SelectPalette.GDI32(?,?,000000FF), ref: 00429918

Part of subcall function 00429CFC: DeleteObject.GDI32(?), ref: 00429D1F

CreateCompatibleDC.GDI32(00000000), ref: 0042982A
SelectObject.GDI32(?,?), ref: 0042983F

Part of subcall function 00425CC8: CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 00425D0B
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425D20
Part of subcall function 00425CC8: MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,CCAA0029), ref: 00425D64
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425D7E
Part of subcall function 00425CC8: DeleteObject.GDI32(?), ref: 00425D8A
Part of subcall function 00425CC8: CreateCompatibleDC.GDI32(00000000), ref: 00425D9E
Part of subcall function 00425CC8: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00425DBF
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425DD4
Part of subcall function 00425CC8: SelectPalette.GDI32(?,48080787,00000000), ref: 00425DE8
Part of subcall function 00425CC8: SelectPalette.GDI32(?,?,00000000), ref: 00425DFA
Part of subcall function 00425CC8: SelectPalette.GDI32(?,00000000,000000FF), ref: 00425E0F
Part of subcall function 00425CC8: SelectPalette.GDI32(?,48080787,000000FF), ref: 00425E25
Part of subcall function 00425CC8: RealizePalette.GDI32(?), ref: 00425E31
Part of subcall function 00425CC8: StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 00425E53
Part of subcall function 00425CC8: StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 00425E75
Part of subcall function 00425CC8: SetTextColor.GDI32(?,00000000), ref: 00425E7D
Part of subcall function 00425CC8: SetBkColor.GDI32(?,00FFFFFF), ref: 00425E8B
Part of subcall function 00425CC8: StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 00425EB7
Part of subcall function 00425CC8: StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 00425EDC
Part of subcall function 00425CC8: SetTextColor.GDI32(?,?), ref: 00425EE6
Part of subcall function 00425CC8: SetBkColor.GDI32(?,?), ref: 00425EF0
Part of subcall function 00425CC8: SelectObject.GDI32(?,00000000), ref: 00425F03
Part of subcall function 00425CC8: DeleteObject.GDI32(?), ref: 00425F0C
Part of subcall function 00425CC8: SelectPalette.GDI32(?,00000000,00000000), ref: 00425F2E
Part of subcall function 00425CC8: DeleteDC.GDI32(?), ref: 00425F37

SelectObject.GDI32(?,00000000), ref: 0042989E
DeleteDC.GDI32(00000000), ref: 004298AD
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,?), ref: 004298F3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048D3C4, Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 132 Total matches: 32

Similarity

Total matches: 32
API ID: GetVersionEx
String ID: Unknow$Windows 2000$Windows 7$Windows 95$Windows 98$Windows Me$Windows NT 4.0$Windows Server 2003$Windows Vista$Windows XP
API String ID: 3908303307-3783844371
Opcode ID: 7b5a5832e5fd12129a8a2e2906a492b9449b8df28a17af9cc2e55bced20de565
Instruction ID: b844ed6b70e0e94de659292c354b68b9ed016400ab421bcb6baea74a0809c2ae
Opcode Fuzzy Hash: 0C11ACC1EB6CE422E7B219486410BD59E805F8B83AFCCC343D63EA83E46D491419F22D
Instruction Fuzzy Hash: b844ed6b70e0e94de659292c354b68b9ed016400ab421bcb6baea74a0809c2ae

APIs

GetVersionExA.KERNEL32(00000094), ref: 0048D410

Strings

Windows Me, xrefs: 0048D4F2
Windows NT 4.0, xrefs: 0048D441
Windows 2000, xrefs: 0048D467
Windows 95, xrefs: 0048D4D6
Windows 7, xrefs: 0048D4B1
Unknow, xrefs: 0048D3F5
Windows Vista, xrefs: 0048D4A3
Windows Server 2003, xrefs: 0048D486
Windows XP, xrefs: 0048D478
Windows 98, xrefs: 0048D4E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C494, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 102 Total matches: 27filememorythread

Similarity

Total matches: 27
API ID: CloseHandle$CreateFileCreateThreadFindResourceLoadResourceLocalAllocLockResourceSizeofResourceWriteFile
String ID: [FILE]
API String ID: 67866216-124780900
Opcode ID: 96c988e38e59b89ff17cc2eaece477f828ad8744e4a6eccd5192cfbc043553d8
Instruction ID: 630cc112895e8414539e3ba5b7ba0394fd4404f3832c6fa9d37db38bf09270f9
Opcode Fuzzy Hash: D5F02B8A57A5E6A3F0003C841D423D286D55B13B20E582B62C57CB75C1FE24502AFB03
Instruction Fuzzy Hash: 630cc112895e8414539e3ba5b7ba0394fd4404f3832c6fa9d37db38bf09270f9

APIs

FindResourceA.KERNEL32(00000000,?,?), ref: 0048C4C3

Part of subcall function 00489BB0: GetTempPathA.KERNEL32(?,00000000), ref: 00489BEC

CreateFileA.KERNEL32(00000000,.dll,?,?,40000000,00000002,00000000), ref: 0048C50F
SizeofResource.KERNEL32(00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC,?,?,?,?,00000000,00000000,00000000), ref: 0048C51F
LoadResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C528
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C52E
WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0048C535
CloseHandle.KERNEL32(00000000), ref: 0048C53B
LocalAlloc.KERNEL32(00000040,00000004,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C544
CreateThread.KERNEL32(00000000,00000000,0048C3E4,00000000,00000000,?), ref: 0048C586
CloseHandle.KERNEL32(00000000), ref: 0048C58C

Strings

.dll, xrefs: 0048C4F4, 0048C565

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004328FC, Relevance: 18.1, APIs: 12, Instructions: 142 Total matches: 2670

Similarity

Total matches: 2670
API ID: GetSystemMetricsGetWindowLong$ExcludeClipRectFillRectGetSysColorBrushGetWindowDCGetWindowRectInflateRectOffsetRectReleaseDC
String ID:
API String ID: 3932036319-0
Opcode ID: 76064c448b287af48dc2af56ceef959adfeb7e49e56a31cb381aae6292753b0b
Instruction ID: f04c829c48dd0ecc4740a09c532db4e7ffce190e9eba6ce852bb2d0274806371
Opcode Fuzzy Hash: 03019760024F1233E0B31AC05DC7F127621ED45386CA4BBF28BF6A72C962AA7006F467
Instruction Fuzzy Hash: f04c829c48dd0ecc4740a09c532db4e7ffce190e9eba6ce852bb2d0274806371

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 00432917
GetWindowRect.USER32(00000000,?), ref: 00432932
OffsetRect.USER32(?,?,?), ref: 00432947
GetWindowDC.USER32(00000000), ref: 00432955
GetWindowLongA.USER32(00000000,000000F0), ref: 00432986
GetSystemMetrics.USER32(00000002), ref: 0043299B
GetSystemMetrics.USER32(00000003), ref: 004329A4
InflateRect.USER32(?,000000FE,000000FE), ref: 004329B3
GetSysColorBrush.USER32(0000000F), ref: 004329E0
FillRect.USER32(?,?,00000000), ref: 004329EE
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00432A13
ReleaseDC.USER32(00000000,?), ref: 00432A51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00402820, Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 254 Total matches: 200window

Similarity

Total matches: 200
API ID: MessageBox
String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
API String ID: 1250089747-1256731999
Opcode ID: 490897b8e9acac750f9d51d50a768472c0795dbdc6439b18441db86d626ce938
Instruction ID: 76dfa530adb1b8c2cc13e2667be7c25ba156ed0594aa9714788bfb3d1a0eda85
Opcode Fuzzy Hash: 0731F44BA7DDC3A2D3E91303684575550E2A7C5537C888F609772317F6EE04250BAAAD
Instruction Fuzzy Hash: 76dfa530adb1b8c2cc13e2667be7c25ba156ed0594aa9714788bfb3d1a0eda85

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 00402BBE

Strings

An unexpected memory leak has occurred. , xrefs: 00402980
String, xrefs: 00402A91
, xrefs: 00402B04
Unknown, xrefs: 00402A7C
The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402B39
The unexpected small block leaks are:, xrefs: 004029F7
Unexpected Memory Leak, xrefs: 00402BB0
7, xrefs: 00402991
bytes: , xrefs: 00402A4D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F17C, Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 116 Total matches: 33window

Similarity

Total matches: 33
API ID: GetWindowPlacementGetWindowTextIsWindowVisible
String ID: ,$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive$True
API String ID: 41250382-511446200
Opcode ID: 2a93bd2407602c988be198f02ecb64933adb9ffad78aee0f75abc9a1a22a1849
Instruction ID: 8f95e1a452f283c9d6a5f9db166b7f7b6e325fa1ebf04232aa01919826a7e185
Opcode Fuzzy Hash: F5012D8237CECA73DA0AAEC47C00B80D5A5AF63224CC867A14A9D3D1D41ED06009AB4A
Instruction Fuzzy Hash: 8f95e1a452f283c9d6a5f9db166b7f7b6e325fa1ebf04232aa01919826a7e185

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F1D2
GetWindowPlacement.USER32(?,0000002C), ref: 0046F1ED
IsWindowVisible.USER32(?), ref: 0046F258

Part of subcall function 0046F148: GetWindow.USER32(?,00000005), ref: 0046F156
Part of subcall function 0046F148: GetWindow.USER32(00000000,00000002), ref: 0046F164

Strings

,, xrefs: 0046F1E1
Minimized, xrefs: 0046F225
Show/Unactive, xrefs: 0046F239
True, xrefs: 0046F2AA
Maximized, xrefs: 0046F1FD
Normal, xrefs: 0046F211
Normal/Unactive, xrefs: 0046F24D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E71C, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 109 Total matches: 2989

Similarity

Total matches: 2989
API ID: IntersectRect$GetSystemMetrics$EnumDisplayMonitorsGetClipBoxGetDCOrgExOffsetRect
String ID: EnumDisplayMonitors
API String ID: 2403121106-2491903729
Opcode ID: 52db4d6629bbd73772140d7e04a91d47a072080cb3515019dbe85a8b86b11587
Instruction ID: b4557ab74b20c8893b9e8c5043286aecf6e43751f6ec849995a879e485a4fa77
Opcode Fuzzy Hash: 60F02B4B413C0863AD32BB953067E2601615BD3955C9F7BF34D077A2091B85B42EF643
Instruction Fuzzy Hash: b4557ab74b20c8893b9e8c5043286aecf6e43751f6ec849995a879e485a4fa77

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 0042E755
GetSystemMetrics.USER32(00000000), ref: 0042E77A
GetSystemMetrics.USER32(00000001), ref: 0042E785
GetClipBox.GDI32(?,?), ref: 0042E797
GetDCOrgEx.GDI32(?,?), ref: 0042E7A4
OffsetRect.USER32(?,?,?), ref: 0042E7BD
IntersectRect.USER32(?,?,?), ref: 0042E7CE
IntersectRect.USER32(?,?,?), ref: 0042E7E4
IntersectRect.USER32(?,?,?), ref: 0042E804

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

EnumDisplayMonitors, xrefs: 0042E734

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044D1B0, Relevance: 16.6, APIs: 11, Instructions: 91 Total matches: 309

Similarity

Total matches: 309
API ID: GetWindowLongSetWindowLong$SetProp$IsWindowUnicode
String ID:
API String ID: 2416549522-0
Opcode ID: cc33e88019e13a6bdd1cd1f337bb9aa08043e237bf24f75c2294c70aefb51ea5
Instruction ID: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692
Opcode Fuzzy Hash: 47F09048455D92E9CE316990181BFEB6098AF57F91CE86B0469C2713778E50F079BCC2
Instruction Fuzzy Hash: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692

APIs

IsWindowUnicode.USER32(?), ref: 0044D1CA
SetWindowLongW.USER32(?,000000FC,?), ref: 0044D1E5
GetWindowLongW.USER32(?,000000F0), ref: 0044D1F0
GetWindowLongW.USER32(?,000000F4), ref: 0044D202
SetWindowLongW.USER32(?,000000F4,?), ref: 0044D215
SetWindowLongA.USER32(?,000000FC,?), ref: 0044D22E
GetWindowLongA.USER32(?,000000F0), ref: 0044D239
GetWindowLongA.USER32(?,000000F4), ref: 0044D24B
SetWindowLongA.USER32(?,000000F4,?), ref: 0044D25E
SetPropA.USER32(?,00000000,00000000), ref: 0044D275
SetPropA.USER32(?,00000000,00000000), ref: 0044D28C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A8AC, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 146 Total matches: 45fileprocesssynchronization

Similarity

Total matches: 45
API ID: CloseHandle$CreateFile$CreateProcessWaitForSingleObject
String ID: D
API String ID: 1169714791-2746444292
Opcode ID: 9fb844b51f751657abfdf9935c21911306aa385a3997c9217fbe2ce6b668f812
Instruction ID: 79e473b7fda91be69f4d7f417df14a4c992ec25b9310636d694ca9e09f5cc5b6
Opcode Fuzzy Hash: 4D11E6431384F3F3F1A567002C8275185D6DB45A78E6D9752D6B6323EECB40A16CF94A
Instruction Fuzzy Hash: 79e473b7fda91be69f4d7f417df14a4c992ec25b9310636d694ca9e09f5cc5b6

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000004,00000100,00000000), ref: 0048A953
CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000002,00000100,00000000), ref: 0048A98D
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000110,00000000,00000000,00000044,?), ref: 0048AA10
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0048AA2D
CloseHandle.KERNEL32(00000000), ref: 0048AA68
CloseHandle.KERNEL32(00000000), ref: 0048AA77
CloseHandle.KERNEL32(00000000), ref: 0048AA86
CloseHandle.KERNEL32(00000000), ref: 0048AA95

Strings

D, xrefs: 0048A9BB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F3B8, Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 110 Total matches: 30

Similarity

Total matches: 30
API ID: GetWindowPlacementGetWindowText
String ID: ,$False$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive
API String ID: 3194812178-3661939895
Opcode ID: 6e67ebc189e59b109926b976878c05c5ff8e56a7c2fe83319816f47c7d386b2c
Instruction ID: 05c2a068ec8248d3d24fb73124f2ba0192b7bb261c799db9564259cde8fcc610
Opcode Fuzzy Hash: DC012BC22786CE23E606A9C47A00BD0CE65AFB261CCC867E14FEE3C5D57ED100089B96
Instruction Fuzzy Hash: 05c2a068ec8248d3d24fb73124f2ba0192b7bb261c799db9564259cde8fcc610

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F40E
GetWindowPlacement.USER32(?,0000002C), ref: 0046F429

Part of subcall function 0046F148: GetWindow.USER32(?,00000005), ref: 0046F156
Part of subcall function 0046F148: GetWindow.USER32(00000000,00000002), ref: 0046F164

Strings

Maximized, xrefs: 0046F439
,, xrefs: 0046F41D
False, xrefs: 0046F4D6
Show/Unactive, xrefs: 0046F475
Normal, xrefs: 0046F44D
Minimized, xrefs: 0046F461
Normal/Unactive, xrefs: 0046F489

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00456278, Relevance: 15.2, APIs: 10, Instructions: 197 Total matches: 3025

Similarity

Total matches: 3025
API ID: GetWindowLong$IntersectClipRectRestoreDCSaveDC
String ID:
API String ID: 3006731778-0
Opcode ID: 42e9e34b880910027b3e3a352b823e5a85719ef328f9c6ea61aaf2d3498d6580
Instruction ID: 4204c0258dd60c0c2688d7e8ce7edc9cd036ce1826430425374ca7ebdb7834a4
Opcode Fuzzy Hash: 4621F609168D5267EC7B75806993BAA7111FB82B88CD1F7321AA1171975B80204BFA07
Instruction Fuzzy Hash: 4204c0258dd60c0c2688d7e8ce7edc9cd036ce1826430425374ca7ebdb7834a4

APIs

SaveDC.GDI32(?), ref: 00456295

Part of subcall function 0044EEA0: GetWindowOrgEx.GDI32(?), ref: 0044EEAE
Part of subcall function 0044EEA0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044EEC4

IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 004562CE
GetWindowLongA.USER32(00000000,000000EC), ref: 004562E2
GetWindowLongA.USER32(00000000,000000F0), ref: 00456303

Part of subcall function 00456278: SetRect.USER32(00000010,00000000,00000000,?,?), ref: 00456363
Part of subcall function 00456278: IntersectClipRect.GDI32(?,00000000,00000000,00000010,?), ref: 004563D3
Part of subcall function 00456278: SetRect.USER32(?,00000000,00000000,?,?), ref: 004563F4
Part of subcall function 00456278: DrawEdge.USER32(?,?,00000000,00000000), ref: 00456403
Part of subcall function 00456278: IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0045642C

RestoreDC.GDI32(?,?), ref: 004564AB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044155C, Relevance: 15.1, APIs: 10, Instructions: 74 Total matches: 3192window

Similarity

Total matches: 3192
API ID: DeleteMenu$EnableMenuItem$GetSystemMenu
String ID:
API String ID: 3542995237-0
Opcode ID: 6b257927fe0fdeada418aad578b82fbca612965c587f2749ccb5523ad42afade
Instruction ID: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578
Opcode Fuzzy Hash: 0AF0D09DD98F1151E6F500410C47B83C08AFF413C5C245B380583217EFA9D25A5BEB0E
Instruction Fuzzy Hash: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 004415A7
DeleteMenu.USER32(00000000,0000F130,00000000), ref: 004415C5
DeleteMenu.USER32(00000000,00000007,00000400), ref: 004415D2
DeleteMenu.USER32(00000000,00000005,00000400), ref: 004415DF
DeleteMenu.USER32(00000000,0000F030,00000000), ref: 004415EC
DeleteMenu.USER32(00000000,0000F020,00000000), ref: 004415F9
DeleteMenu.USER32(00000000,0000F000,00000000), ref: 00441606
DeleteMenu.USER32(00000000,0000F120,00000000), ref: 00441613
EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 00441631
EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 0044164D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040281E, Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 188 Total matches: 190window

Similarity

Total matches: 190
API ID: MessageBox
String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
API String ID: 1250089747-980038931
Opcode ID: 1669ecd234b97cdbd14c3df7a35b1e74c6856795be7635a3e0f5130a3d9bc831
Instruction ID: 2e60dbe28dcd1d3aa5670394eea0bc97309ab4bc9661f15f320bab8b5d4cd559
Opcode Fuzzy Hash: 8E21F44B67EED392D3EA1303384575540E3ABC5537D888F60977232BF6EE14140BAA9D
Instruction Fuzzy Hash: 2e60dbe28dcd1d3aa5670394eea0bc97309ab4bc9661f15f320bab8b5d4cd559

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 00402BBE

Strings

An unexpected memory leak has occurred. , xrefs: 00402980
, xrefs: 00402B04
The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402B39
The unexpected small block leaks are:, xrefs: 004029F7
Unexpected Memory Leak, xrefs: 00402BB0
7, xrefs: 00402991
bytes: , xrefs: 00402A4D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004710F0, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 66 Total matches: 37

Similarity

Total matches: 37
API ID: GetWindowShowWindow$FindWindowGetClassName
String ID: BUTTON$Shell_TrayWnd
API String ID: 2948047570-3627955571
Opcode ID: 9e064d9ead1b610c0c1481de5900685eb7d76be14ef2e83358ce558d27e67668
Instruction ID: d360bd029940f6fa4d12d7627fe3e8b46839e67e31e965d43504e39a11938d6c
Opcode Fuzzy Hash: 68E092CC17B5D469B71A2789284236241D5C763A35C18B752D332376DF8E58021EE60A
Instruction Fuzzy Hash: d360bd029940f6fa4d12d7627fe3e8b46839e67e31e965d43504e39a11938d6c

APIs

FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 0047111D
GetWindow.USER32(00000000,00000005), ref: 00471125
GetClassNameA.USER32(00000000,?,00000080), ref: 0047113D
ShowWindow.USER32(00000000,00000001), ref: 0047117C
ShowWindow.USER32(00000000,00000000), ref: 00471186
GetWindow.USER32(00000000,00000002), ref: 0047118E

Strings

BUTTON, xrefs: 00471168
Shell_TrayWnd, xrefs: 00471118

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004564D0, Relevance: 13.7, APIs: 9, Instructions: 177 Total matches: 190window

Similarity

Total matches: 190
API ID: SelectObject$BeginPaintBitBltCreateCompatibleBitmapCreateCompatibleDCSetWindowOrgEx
String ID:
API String ID: 1616898104-0
Opcode ID: 00b711a092303d63a394b0039c66d91bff64c6bf82b839551a80748cfcb5bf1e
Instruction ID: 1affb125a654ca7596d0e4f6c4811def945eff925a29ebecd1c68cf0f38a7913
Opcode Fuzzy Hash: 14115B85024DA637E8739CC85E83F962294F307D48C91F7729BA31B2C72F15600DD293
Instruction Fuzzy Hash: 1affb125a654ca7596d0e4f6c4811def945eff925a29ebecd1c68cf0f38a7913

APIs

Part of subcall function 00455D50: BeginPaint.USER32(00000000,?), ref: 00455D7B
Part of subcall function 00455D50: SaveDC.GDI32(00000000), ref: 00455DB4
Part of subcall function 00455D50: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 00455E36
Part of subcall function 00455D50: RestoreDC.GDI32(00000000,00000000), ref: 00455E6C
Part of subcall function 00455D50: EndPaint.USER32(00000000,?), ref: 00455EA9

BeginPaint.USER32(00000000,?), ref: 004565EA
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00456600
CreateCompatibleDC.GDI32(00000000), ref: 00456617
SelectObject.GDI32(?,?), ref: 00456627
SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0045664B

Part of subcall function 004564D0: BeginPaint.USER32(00000000,?), ref: 0045653C
Part of subcall function 004564D0: EndPaint.USER32(00000000,?), ref: 004565D0

BitBlt.GDI32(00000000,?,?,?,?,?,?,?,00CC0020), ref: 00456699
SelectObject.GDI32(?,?), ref: 004566B3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004840D8, Relevance: 13.6, APIs: 9, Instructions: 150 Total matches: 30

Similarity

Total matches: 30
API ID: CloseHandleGetTokenInformationLookupAccountSid$GetLastErrorOpenProcessOpenProcessToken
String ID:
API String ID: 1387212650-0
Opcode ID: 55fc45e655e8bcad6bc41288bae252f5ee7be0b7cb976adfe173a6785b05be5f
Instruction ID: 4c6b5abeafcca947752a893948ed48d42e020b1fe5683f4a654fc51f6199c0a3
Opcode Fuzzy Hash: 3901484A17CA2293F53BB5C82483FEA1215E702B45D48B7A354F43A59A5F45A13BF702
Instruction Fuzzy Hash: 4c6b5abeafcca947752a893948ed48d42e020b1fe5683f4a654fc51f6199c0a3

APIs

OpenProcess.KERNEL32(00000400,00000000,?,00000000,00484275), ref: 00484108
OpenProcessToken.ADVAPI32(00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 0048411E
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,?,00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 00484139
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),?,?,?,?,TokenIntegrityLevel,00000000,00000000,?,00000000,00000008,?,00000400,00000000), ref: 00484168
GetLastError.KERNEL32(?,TokenIntegrityLevel,00000000,00000000,?,00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 00484177
CloseHandle.KERNEL32(?), ref: 00484185
LookupAccountSidA.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 004841B4
LookupAccountSidA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,?), ref: 00484205
CloseHandle.KERNEL32(00000000), ref: 00484255

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00451458, Relevance: 13.6, APIs: 9, Instructions: 122 Total matches: 3040window

Similarity

Total matches: 3040
API ID: PatBlt$SelectObject$GetDCExGetDesktopWindowReleaseDC
String ID:
API String ID: 2402848322-0
Opcode ID: 0b1cd19b0e82695ca21d43bacf455c9985e1afa33c1b29ce2f3a7090b744ccb2
Instruction ID: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593
Opcode Fuzzy Hash: C2F0B4482AADF707C8B6350915C7F79224AED736458F4BB694DB4172CBAF27B014D093
Instruction Fuzzy Hash: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593

APIs

GetDesktopWindow.USER32 ref: 0045148F
GetDCEx.USER32(?,00000000,00000402), ref: 004514A2

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

SelectObject.GDI32(?,00000000), ref: 004514C5
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 004514EB
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0045150D
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 0045152C
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 00451546
SelectObject.GDI32(?,?), ref: 00451553
ReleaseDC.USER32(?,?), ref: 0045156D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004117E8, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: f440f800a6dcfa6827f62dcd7c23166eba4d720ac19948e634cff8498f9e3f0b
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 4D113503239AAB83B0257B804C83F24D1D0DE42D36ACD97B8C672693F32601561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00411881
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041189D
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 004118D6
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411953
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0041196C
VariantCopy.OLEAUT32(?), ref: 004119A1

Strings

, xrefs: 00411802

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AC14, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 110 Total matches: 30

Similarity

Total matches: 30
API ID: GetCurrentProcessGetTokenInformationLookupPrivilegeDisplayNameLookupPrivilegeNameOpenProcessToken
String ID: GetTokenInformation error$OpenProcessToken error
API String ID: 34442935-1842041635
Opcode ID: 07715b92dc7caf9e715539a578f275bcd2bb60a34190f84cc6cf05c55eb8ea49
Instruction ID: 380ab001647c8b3903b6034fc21424389ae21c1771cfbd9cf9b74ae493e33b6b
Opcode Fuzzy Hash: 9101994303ACF753F62929086842BDA0550DF534A5EC4AB6281746BEC90F28203AFB57
Instruction Fuzzy Hash: 380ab001647c8b3903b6034fc21424389ae21c1771cfbd9cf9b74ae493e33b6b

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AD60), ref: 0048AC51
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AD60), ref: 0048AC57
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000320,?,00000000,00000028,?,00000000,0048AD60), ref: 0048AC7D
LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,00000000,000000FF,?), ref: 0048ACEE

Part of subcall function 00489B40: MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00489B84

LookupPrivilegeNameA.ADVAPI32(00000000,?,00000000,000000FF), ref: 0048ACDD

Strings

GetTokenInformation error, xrefs: 0048AC86
OpenProcessToken error, xrefs: 0048AC60

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E4A0, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68 Total matches: 2853string

Similarity

Total matches: 2853
API ID: GetSystemMetrics$GetMonitorInfoSystemParametersInfolstrcpy
String ID: DISPLAY$GetMonitorInfo
API String ID: 3432438702-1633989206
Opcode ID: eae47ffeee35c10db4cae29e8a4ab830895bcae59048fb7015cdc7d8cb0a928b
Instruction ID: 74142331967dee0409fd24cf408a58a7466f2520650418456c75ade1e3029da4
Opcode Fuzzy Hash: 28E068803A699081F86A71027110F4912B07AE7E47D883B92C4777051BD78265B91D01
Instruction Fuzzy Hash: 74142331967dee0409fd24cf408a58a7466f2520650418456c75ade1e3029da4

APIs

GetMonitorInfoA.USER32(?,?), ref: 0042E4D1
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042E4F8
GetSystemMetrics.USER32(00000000), ref: 0042E50D
GetSystemMetrics.USER32(00000001), ref: 0042E518
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0042E542

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

DISPLAY, xrefs: 0042E539
GetMonitorInfo, xrefs: 0042E4B8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004052FC, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38 Total matches: 3072filewindow

Similarity

Total matches: 3072
API ID: GetStdHandleWriteFile$MessageBox
String ID: Error$Runtime error at 00000000
API String ID: 877302783-2970929446
Opcode ID: a2f2a555d5de0ed3a3cdfe8a362fd9574088acc3a5edf2b323f2c4251b80d146
Instruction ID: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97
Opcode Fuzzy Hash: FED0A7C68438479FA141326030C4B2A00133F0762A9CC7396366CB51DFCF4954BCDD05
Instruction Fuzzy Hash: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405335
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 0040533B
GetStdHandle.KERNEL32(000000F5,00405384,00000002,?,00000000,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405350
WriteFile.KERNEL32(00000000,000000F5,00405384,00000002,?), ref: 00405356
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00405374

Strings

Error, xrefs: 00405368
Runtime error at 00000000, xrefs: 0040532E, 0040536D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E0DC, Relevance: 12.1, APIs: 8, Instructions: 100 Total matches: 31registry

Similarity

Total matches: 31
API ID: RegOpenKeyEx$RegCloseKeyRegDeleteValue
String ID:
API String ID: 2702562355-0
Opcode ID: ff1bffc0fc9da49c543c68ea8f8c068e074332158ed00d7e0855fec77d15ce10
Instruction ID: bb6f8a9e936068d281b70d3ea2ea02ff1a791729bc38357734c580253c916b5c
Opcode Fuzzy Hash: 00F0AD0155E9A353EBF654C41E127DB2082FF43A44D08FFB50392139D3DF581028E663
Instruction Fuzzy Hash: bb6f8a9e936068d281b70d3ea2ea02ff1a791729bc38357734c580253c916b5c

APIs

RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?,00000000,0046E238), ref: 0046E15A
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,000F003F,?,0046E23F,80000000,00000000,00000000,000F003F,?,00000000,0046E238), ref: 0046E17D
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,0046E23F,80000000,00000000,00000000,000F003F,?), ref: 0046E19D
RegOpenKeyExA.ADVAPI32(80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,0046E23F), ref: 0046E1BD
RegOpenKeyExA.ADVAPI32(80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001), ref: 0046E1DD
RegOpenKeyExA.ADVAPI32(80000006,00000000,00000000,000F003F,?,80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002), ref: 0046E1FD
RegDeleteValueA.ADVAPI32(?,00000000,00000000,0046E238), ref: 0046E20F
RegCloseKey.ADVAPI32(?,?,00000000,00000000,0046E238), ref: 0046E218

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004462F4, Relevance: 12.1, APIs: 8, Instructions: 99 Total matches: 293windowthread

Similarity

Total matches: 293
API ID: SendMessage$GetWindowThreadProcessId$GetCaptureGetParentIsWindowUnicode
String ID:
API String ID: 2317708721-0
Opcode ID: 8f6741418f060f953fc426fb00df5905d81b57fcb2f7a38cdc97cb0aab6d7365
Instruction ID: 027f2b09132ef415e1641618d15c0fc03404835376b0cbd1c352fc703b58c8b5
Opcode Fuzzy Hash: D0F09E15071D1844F89FA7844CD3F1F0150E73726FC516A251861D07BB2640586DEC40
Instruction Fuzzy Hash: 027f2b09132ef415e1641618d15c0fc03404835376b0cbd1c352fc703b58c8b5

APIs

GetCapture.USER32 ref: 0044631A
GetParent.USER32(00000000), ref: 00446340
IsWindowUnicode.USER32(00000000), ref: 0044635D
SendMessageW.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446378
SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446397
GetWindowThreadProcessId.USER32(00000000), ref: 004463A6
GetWindowThreadProcessId.USER32(?,?), ref: 004463B4
SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 004463D4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E244, Relevance: 12.1, APIs: 8, Instructions: 95 Total matches: 27registry

Similarity

Total matches: 27
API ID: RegOpenKeyEx$RegCloseKeyRegDeleteKey
String ID:
API String ID: 1588268847-0
Opcode ID: efa1fa3a126963e045954320cca245066a4b5764b694b03be027155e6cf74c33
Instruction ID: 786d86d630c0ce6decb55c8266b1f23f89dbfeab872e22862efc69a80fb541cf
Opcode Fuzzy Hash: 70F0810454D99393EFF268C81A627EB2492FF53141C00BFB603D222A93DF191428E663
Instruction Fuzzy Hash: 786d86d630c0ce6decb55c8266b1f23f89dbfeab872e22862efc69a80fb541cf

APIs

RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?,00000000,0046E391), ref: 0046E2B7
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,000F003F,?,80000000,00000000,00000000,000F003F,?,00000000,0046E391), ref: 0046E2DA
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,80000000,00000000,00000000,000F003F,?,00000000), ref: 0046E2FA
RegOpenKeyExA.ADVAPI32(80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,80000000), ref: 0046E31A
RegOpenKeyExA.ADVAPI32(80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001), ref: 0046E33A
RegOpenKeyExA.ADVAPI32(80000006,00000000,00000000,000F003F,?,80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002), ref: 0046E35A
RegDeleteKeyA.ADVAPI32(?,0046E39C), ref: 0046E368
RegCloseKey.ADVAPI32(?,?,0046E39C,00000000,0046E391), ref: 0046E371

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426060, Relevance: 12.1, APIs: 8, Instructions: 79 Total matches: 3072window

Similarity

Total matches: 3072
API ID: GetSystemPaletteEntries$GetDCGetDeviceCapsReleaseDC
String ID:
API String ID: 3774187343-0
Opcode ID: c8a1f0028bda89d06ba34fecd970438ce26e4f5bd606e2da3d468695089984a8
Instruction ID: 0cfe958825060108f21fe327ec74807f3ea840bb8274bad68fd1d00675d59d02
Opcode Fuzzy Hash: 82F0E9420739F3B3B21723492453B548250FF006B8F195B7095A2A37D54B486A08D65A
Instruction Fuzzy Hash: 0cfe958825060108f21fe327ec74807f3ea840bb8274bad68fd1d00675d59d02

APIs

GetDC.USER32(00000000), ref: 0042608E
GetDeviceCaps.GDI32(?,00000068), ref: 004260AA
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 004260C9
GetSystemPaletteEntries.GDI32(?,-00000008,00000001,00C0C0C0), ref: 004260ED
GetSystemPaletteEntries.GDI32(?,00000000,00000007,?), ref: 0042610B
GetSystemPaletteEntries.GDI32(?,00000007,00000001,?), ref: 0042611F
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0042613F
ReleaseDC.USER32(00000000,?), ref: 00426157

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434550, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 177 Total matches: 2669window

Similarity

Total matches: 2669
API ID: InsertMenu$GetVersionInsertMenuItem
String ID: ,$?
API String ID: 1158528009-2308483597
Opcode ID: 3691d3eb49acf7fe282d18733ae3af9147e5be4a4a7370c263688d5644077239
Instruction ID: d88e58a9695d0ecde36b26a9ed5775f3b98e27f7dc2108173ae1ec2afbf22209
Opcode Fuzzy Hash: 7021C07202AE81DBD414788C7954F6221B16B5465FD49FF210329B5DD98F156003FF7A
Instruction Fuzzy Hash: d88e58a9695d0ecde36b26a9ed5775f3b98e27f7dc2108173ae1ec2afbf22209

APIs

GetVersion.KERNEL32(00000000,004347A1), ref: 004345EC
InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 004346F5
InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 0043477E

Part of subcall function 00434A54: CreatePopupMenu.USER32 ref: 00434A6F
Part of subcall function 00434A54: CreateMenu.USER32 ref: 00434A79

InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 00434765

Strings

?, xrefs: 00434607
,, xrefs: 00434600

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446524, Relevance: 10.6, APIs: 7, Instructions: 105 Total matches: 329window

Similarity

Total matches: 329
API ID: PeekMessage$DispatchMessage$IsWindowUnicodeTranslateMessage
String ID:
API String ID: 94033680-0
Opcode ID: 72d0e2097018c2d171db36cd9dd5c7d628984fd68ad100676ade8b40d7967d7f
Instruction ID: b3581f7210794b57d406096c46509e1a6dcc6e0b3c60c7d01b5c3c410123a072
Opcode Fuzzy Hash: A2F0F642161A8221F90E364651E2FC06559E31F39CCD1D3871165A4192DF8573D6F95C
Instruction Fuzzy Hash: b3581f7210794b57d406096c46509e1a6dcc6e0b3c60c7d01b5c3c410123a072

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00446538
IsWindowUnicode.USER32 ref: 0044654C
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0044656D
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00446583

Part of subcall function 00447DD0: GetCapture.USER32 ref: 00447DDA
Part of subcall function 00447DD0: GetParent.USER32(00000000), ref: 00447E08

Part of subcall function 004462A4: TranslateMDISysAccel.USER32(?), ref: 004462E3

Part of subcall function 004462F4: GetCapture.USER32 ref: 0044631A
Part of subcall function 004462F4: GetParent.USER32(00000000), ref: 00446340
Part of subcall function 004462F4: IsWindowUnicode.USER32(00000000), ref: 0044635D
Part of subcall function 004462F4: SendMessageW.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446378
Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446397
Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(00000000), ref: 004463A6
Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(?,?), ref: 004463B4
Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 004463D4

Part of subcall function 0044625C: IsWindowUnicode.USER32(00000000), ref: 00446270
Part of subcall function 0044625C: IsDialogMessageW.USER32(?), ref: 00446281
Part of subcall function 0044625C: IsDialogMessageA.USER32(?,?,00000000,015B8130,00000001,00446607,?,00000000,00000000,00000000,00000001,?,00000000,00000000,00000000,00000000), ref: 00446296

TranslateMessage.USER32 ref: 0044660C
DispatchMessageW.USER32 ref: 00446618
DispatchMessageA.USER32 ref: 00446620

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004282D0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99 Total matches: 1938

Similarity

Total matches: 1938
API ID: GetWinMetaFileBitsMulDiv$GetDC
String ID: `
API String ID: 1171737091-2679148245
Opcode ID: 97e0afb71fd3017264d25721d611b96d1ac3823582e31f119ebb41a52f378edb
Instruction ID: fd1c75cb27f8ccc4a85bc281ca680933f7ff10ae91a160973978cac80d6b42b6
Opcode Fuzzy Hash: B6F0ACC4008CD2A7D87675DC1043F6311C897CA286E89BB739226A7307CB0AA019EC47
Instruction Fuzzy Hash: fd1c75cb27f8ccc4a85bc281ca680933f7ff10ae91a160973978cac80d6b42b6

APIs

MulDiv.KERNEL32(?,?,000009EC), ref: 00428322
MulDiv.KERNEL32(?,?,000009EC), ref: 00428339
GetDC.USER32(00000000), ref: 00428350
GetWinMetaFileBits.GDI32(?,00000000,00000000,00000008,?), ref: 00428374
GetWinMetaFileBits.GDI32(?,?,?,00000008,?), ref: 004283A7

Part of subcall function 00425A70: GetLastError.KERNEL32(00000000,00425B0C), ref: 00425A90
Part of subcall function 00425A70: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00425B0C), ref: 00425AB6

Strings

`, xrefs: 00428308

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444344, Relevance: 10.6, APIs: 7, Instructions: 89 Total matches: 2886

Similarity

Total matches: 2886
API ID: CreateFontIndirect$GetStockObjectSystemParametersInfo
String ID:
API String ID: 1286667049-0
Opcode ID: beeb678630a8d2ca0f721ed15124802961745e4c56d7c704ecddf8ebfa723626
Instruction ID: b9276e4cea0afd1028da4d528d34847b13dbaab52dc8e94e54053a20ac38a9fc
Opcode Fuzzy Hash: 00F0A4C36341F6F2D8993208742172161E6A74AE78C7CFF62422930ED2661A052EEB4F
Instruction Fuzzy Hash: b9276e4cea0afd1028da4d528d34847b13dbaab52dc8e94e54053a20ac38a9fc

APIs

SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 00444399
CreateFontIndirectA.GDI32(?), ref: 004443A6
GetStockObject.GDI32(0000000D), ref: 004443BC
SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 004443E5
CreateFontIndirectA.GDI32(?), ref: 004443F5
CreateFontIndirectA.GDI32(?), ref: 0044440E

Part of subcall function 00424A5C: MulDiv.KERNEL32(00000000,?,00000048), ref: 00424A69

GetStockObject.GDI32(0000000D), ref: 00444434

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428A00, Relevance: 10.6, APIs: 7, Instructions: 66 Total matches: 3056

Similarity

Total matches: 3056
API ID: SelectObject$CreateCompatibleDCDeleteDCGetDCReleaseDCSetDIBColorTable
String ID:
API String ID: 2399757882-0
Opcode ID: e05996493a4a7703f1d90fd319a439bf5e8e75d5a5d7afaf7582bfea387cb30d
Instruction ID: 90c847b5b2251fbb5b2f14fd0b24f537c214c92e226752d9278a3821f2f40b8f
Opcode Fuzzy Hash: 73E0DF8626D8F38BE435399C15C2BB202EAD763D20D1ABBA1CD712B5DB6B09701CE107
Instruction Fuzzy Hash: 90c847b5b2251fbb5b2f14fd0b24f537c214c92e226752d9278a3821f2f40b8f

APIs

Part of subcall function 004262B4: GetObjectA.GDI32(?,00000004), ref: 004262CB
Part of subcall function 004262B4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 004262EE

GetDC.USER32(00000000), ref: 00428A3E
CreateCompatibleDC.GDI32(?), ref: 00428A4A
SelectObject.GDI32(?), ref: 00428A57
SetDIBColorTable.GDI32(?,00000000,00000000,?), ref: 00428A7B
SelectObject.GDI32(?,?), ref: 00428A95
DeleteDC.GDI32(?), ref: 00428A9E
ReleaseDC.USER32(00000000,?), ref: 00428AA9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004442A8, Relevance: 10.6, APIs: 7, Instructions: 57 Total matches: 3149threadwindow

Similarity

Total matches: 3149
API ID: SendMessage$GetCurrentThreadIdGetCursorPosGetWindowThreadProcessIdSetCursorWindowFromPoint
String ID:
API String ID: 3843227220-0
Opcode ID: 636f8612f18a75fc2fe2d79306f1978e6c2d0ee500cce15a656835efa53532b4
Instruction ID: 91a0691e93be75cbd792bc1c5d11451005bcc187603754b99125f381020161aa
Opcode Fuzzy Hash: 6FE07D44093723D5C0644A295640705A6C6CB96630DC0DB86C339580FBAD0214F0BC92
Instruction Fuzzy Hash: 91a0691e93be75cbd792bc1c5d11451005bcc187603754b99125f381020161aa

APIs

GetCursorPos.USER32 ref: 004442C3
WindowFromPoint.USER32(?,?), ref: 004442D0
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004442DE
GetCurrentThreadId.KERNEL32(00000000,00000000,?,?), ref: 004442E5
SendMessageA.USER32(00000000,00000084,00000000,?), ref: 0044430E
SendMessageA.USER32(00000000,00000020,00000000,?), ref: 00444320
SetCursor.USER32(00000000), ref: 00444332

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00404448, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 49 Total matches: 63registry

Similarity

Total matches: 63
API ID: RegCloseKeyRegOpenKeyExRegQueryValueEx
String ID: &$FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 2249749755-409351
Opcode ID: ab90adbf7b939076b4d26ef1005f34fa32d43ca05e29cbeea890055cc8b783db
Instruction ID: ce62e3bb234767a160e82b0d7d36def6f0e4d1aa0fd43ed305e6d49589b0b3e0
Opcode Fuzzy Hash: 58D02BE10C9A675FB6B071543292B6310A3F72AA8CC0077326DD03A0D64FD26178CF03
Instruction Fuzzy Hash: ce62e3bb234767a160e82b0d7d36def6f0e4d1aa0fd43ed305e6d49589b0b3e0

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040446A
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,&,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040449D
RegCloseKey.ADVAPI32(?,004044C0,00000000,?,00000004,00000000,&,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004044B3

Strings

&, xrefs: 00404476
FPUMaskValue, xrefs: 00404494
SOFTWARE\Borland\Delphi\RTL, xrefs: 00404460

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043EC18, Relevance: 9.2, APIs: 6, Instructions: 150 Total matches: 2896

Similarity

Total matches: 2896
API ID: FillRect$BeginPaintEndPaintGetClientRectGetWindowRect
String ID:
API String ID: 2931688664-0
Opcode ID: 677a90f33c4a0bae1c1c90245e54b31fe376033ebf9183cf3cf5f44c7b342276
Instruction ID: 65c0a0a89661e183b73f48e61e48bee5eb6d6399339ac08e0e21072a38132552
Opcode Fuzzy Hash: 9711994A819E5007F47B49C40887BEA1092FBC1FDBCC8FF7025A426BCB0B60564F860B
Instruction Fuzzy Hash: 65c0a0a89661e183b73f48e61e48bee5eb6d6399339ac08e0e21072a38132552

APIs

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?), ref: 0043EC91
GetClientRect.USER32(00000000,?), ref: 0043ECBC
FillRect.USER32(?,?,00000000), ref: 0043ECDB

Part of subcall function 0043EB8C: CallWindowProcA.USER32(?,?,?,?,?), ref: 0043EBC6

Part of subcall function 0043B78C: GetWindowLongA.USER32(?,000000EC), ref: 0043B799
Part of subcall function 0043B78C: SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B7BC
Part of subcall function 0043B78C: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043B7CE

BeginPaint.USER32(?,?), ref: 0043ED53
GetWindowRect.USER32(?,?), ref: 0043ED80

Part of subcall function 0044EEA0: GetWindowOrgEx.GDI32(?), ref: 0044EEAE
Part of subcall function 0044EEA0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044EEC4

Part of subcall function 00455D50: BeginPaint.USER32(00000000,?), ref: 00455D7B
Part of subcall function 00455D50: SaveDC.GDI32(00000000), ref: 00455DB4
Part of subcall function 00455D50: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 00455E36
Part of subcall function 00455D50: RestoreDC.GDI32(00000000,00000000), ref: 00455E6C
Part of subcall function 00455D50: EndPaint.USER32(00000000,?), ref: 00455EA9

EndPaint.USER32(?,?), ref: 0043EDE0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00441160, Relevance: 9.1, APIs: 6, Instructions: 125 Total matches: 196

Similarity

Total matches: 196
API ID: ExcludeClipRectFillRectGetStockObjectRestoreDCSaveDCSetBkColor
String ID:
API String ID: 3049133588-0
Opcode ID: d6019f6cee828ac7391376ab126a0af33bb7a71103bbd3b8d69450c96d22d854
Instruction ID: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c
Opcode Fuzzy Hash: 54012444004F6253F4AB098428E7FA56083F721791CE4FF310786616C34A74615BAA07
Instruction Fuzzy Hash: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c

APIs

Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE

SaveDC.GDI32(?), ref: 004411AD
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00441234
GetStockObject.GDI32(00000004), ref: 00441256
FillRect.USER32(00000000,?,00000000), ref: 0044126F

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(00000000,00000000), ref: 004412BA

Part of subcall function 0042535C: FillRect.USER32(?,00000000,00000000), ref: 00425385

RestoreDC.GDI32(00000000,?), ref: 004412E5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426564, Relevance: 9.1, APIs: 6, Instructions: 84 Total matches: 3298

Similarity

Total matches: 3298
API ID: GetDeviceCapsGetSystemMetrics$GetDCReleaseDC
String ID:
API String ID: 3173458388-0
Opcode ID: fd9f4716da230ae71bf1f4ec74ceb596be8590d72bfe1d7677825fa15454f496
Instruction ID: 76208f8db54bfa31a4e946745ab37a866a8afca9cd7e1400b1f436bf5add317d
Opcode Fuzzy Hash: 0CF09E4906CDE0A230E245C41213F6290C28E85DA1CCD2F728175646EB900A900BB68A
Instruction Fuzzy Hash: 76208f8db54bfa31a4e946745ab37a866a8afca9cd7e1400b1f436bf5add317d

APIs

GetSystemMetrics.USER32(0000000B), ref: 004265B2
GetSystemMetrics.USER32(0000000C), ref: 004265BE
GetDC.USER32(00000000), ref: 004265DA
GetDeviceCaps.GDI32(00000000,0000000E), ref: 00426601
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042660E
ReleaseDC.USER32(00000000,00000000), ref: 00426647

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004269DC, Relevance: 9.1, APIs: 6, Instructions: 65 Total matches: 3081window

Similarity

Total matches: 3081
API ID: SelectPalette$CreateCompatibleDCDeleteDCGetDIBitsRealizePalette
String ID:
API String ID: 940258532-0
Opcode ID: c5678bed85b02f593c88b8d4df2de58c18800a354d7fb4845608846d7bc0f30b
Instruction ID: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194
Opcode Fuzzy Hash: BCE0864D058EF36F1875B08C25D267100C0C9A25D0917BB6151282339B8F09B42FE553
Instruction Fuzzy Hash: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194

APIs

Part of subcall function 00426888: GetObjectA.GDI32(?,00000054), ref: 0042689C

CreateCompatibleDC.GDI32(00000000), ref: 004269FE
SelectPalette.GDI32(?,?,00000000), ref: 00426A1F
RealizePalette.GDI32(?), ref: 00426A2B
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 00426A42
SelectPalette.GDI32(?,00000000,00000000), ref: 00426A6A
DeleteDC.GDI32(?), ref: 00426A73

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426210, Relevance: 9.1, APIs: 6, Instructions: 56 Total matches: 3064window

Similarity

Total matches: 3064
API ID: SelectObject$CreateCompatibleDCCreatePaletteDeleteDCGetDIBColorTable
String ID:
API String ID: 2522673167-0
Opcode ID: 8f0861977a40d6dd0df59c1c8ae10ba78c97ad85d117a83679491ebdeecf1838
Instruction ID: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265
Opcode Fuzzy Hash: 23E0CD8BABB4E08A797B9EA40440641D28F874312DF4347525731780E7DE0972EBFD9D
Instruction Fuzzy Hash: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265

APIs

CreateCompatibleDC.GDI32(00000000), ref: 00426229
SelectObject.GDI32(00000000,00000000), ref: 00426232
GetDIBColorTable.GDI32(00000000,00000000,00000100,?), ref: 00426246
SelectObject.GDI32(00000000,00000000), ref: 00426252
DeleteDC.GDI32(00000000), ref: 00426258
CreatePalette.GDI32 ref: 0042629F

Part of subcall function 00426178: GetDC.USER32(00000000), ref: 00426190
Part of subcall function 00426178: GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
Part of subcall function 00426178: ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004258EC, Relevance: 9.0, APIs: 6, Instructions: 43 Total matches: 3205

Similarity

Total matches: 3205
API ID: SetBkColorSetBkMode$SelectObjectUnrealizeObject
String ID:
API String ID: 865388446-0
Opcode ID: ffaa839b37925f52af571f244b4bcc9ec6d09047a190f4aa6a6dd435522a71e3
Instruction ID: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d
Opcode Fuzzy Hash: 04D09E594221F71A98E8058442D7D520586497D532DAF3B51063B173F7F8089A05D9FC
Instruction Fuzzy Hash: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d

APIs

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

UnrealizeObject.GDI32(00000000), ref: 004258F8
SelectObject.GDI32(?,00000000), ref: 0042590A
SetBkColor.GDI32(?,00000000), ref: 0042592D
SetBkMode.GDI32(?,00000002), ref: 00425938

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(?,00000000), ref: 00425953
SetBkMode.GDI32(?,00000001), ref: 0042595E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042A930, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 112 Total matches: 272window

Similarity

Total matches: 272
API ID: CreateHalftonePaletteDeleteObjectGetDCReleaseDC
String ID: (
API String ID: 5888407-3887548279
Opcode ID: 4e22601666aff46a46581565b5bf303763a07c2fd17868808ec6dd327d665c82
Instruction ID: f57f3c124764741b0e8e00b5455ad9be4a6e3969f543885727e4b1f2e22c0620
Opcode Fuzzy Hash: 79019E5241CC6117F8D7A6547852F732644AB806A5C80FB707B69BA8CFAB85610EB90B
Instruction Fuzzy Hash: f57f3c124764741b0e8e00b5455ad9be4a6e3969f543885727e4b1f2e22c0620

APIs

GetDC.USER32(00000000), ref: 0042A9EC
CreateHalftonePalette.GDI32(00000000), ref: 0042A9F9
ReleaseDC.USER32(00000000,00000000), ref: 0042AA08
DeleteObject.GDI32(00000000), ref: 0042AA76

Strings

(, xrefs: 0042A9A3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DA48, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 102 Total matches: 32

Similarity

Total matches: 32
API ID: Netbios
String ID: %.2x-%.2x-%.2x-%.2x-%.2x-%.2x$3$memory allocation failed!
API String ID: 544444789-2654533857
Opcode ID: 22deb5ba4c8dd5858e69645675ac88c4b744798eed5cc2a6ae80ae5365d1f156
Instruction ID: 205d53b38d78d2d0723284a20418f6a6cc2e9f6e34ee92e133a3f4b1a01c78c5
Opcode Fuzzy Hash: FC0145449793E233D2635E086C60F6823228F41731FC96B56863A557DC1F09420EF26F
Instruction Fuzzy Hash: 205d53b38d78d2d0723284a20418f6a6cc2e9f6e34ee92e133a3f4b1a01c78c5

APIs

Netbios.NETAPI32(00000032), ref: 0048DA8A
Netbios.NETAPI32(00000033), ref: 0048DB01

Strings

3, xrefs: 0048DACB
memory allocation failed!, xrefs: 0048DAEB
%.2x-%.2x-%.2x-%.2x-%.2x-%.2x, xrefs: 0048DBA0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EA7C, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50 Total matches: 198thread

Similarity

Total matches: 198
API ID: FindWindowExGetCurrentThreadIdGetWindowThreadProcessIdIsWindow
String ID: OleMainThreadWndClass
API String ID: 201132107-3883841218
Opcode ID: cdbacb71e4e8a6832b821703e69153792bbbb8731c9381be4d3b148a6057b293
Instruction ID: 62358f18f5a79d764869bf2b093b0b3ccaeb62bda00a46bd1094c38cdaeeb6b7
Opcode Fuzzy Hash: F8E08C9266CC1095C039EA1C7A2237A3548B7D24E9ED4DB747BEB2716CEF00022A7780
Instruction Fuzzy Hash: 62358f18f5a79d764869bf2b093b0b3ccaeb62bda00a46bd1094c38cdaeeb6b7

APIs

Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00000000,00403029), ref: 004076AD
Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00403029), ref: 004076BE

IsWindow.USER32(?), ref: 0042EA99
FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
GetCurrentThreadId.KERNEL32(?,00000000,00000000,00000000,OleMainThreadWndClass,00000000,?,?,00000000,0042EB52), ref: 0042EB0A

Strings

OleMainThreadWndClass, xrefs: 0042EAC3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434AE4, Relevance: 7.7, APIs: 5, Instructions: 168 Total matches: 2874

Similarity

Total matches: 2874
API ID: DrawTextOffsetRect$DrawEdge
String ID:
API String ID: 1230182654-0
Opcode ID: 4033270dfa35f51a11e18255a4f5fd5a4a02456381e8fcea90fa62f052767fcc
Instruction ID: 6b9e5ef3b45a4a7d0cb501c9f56a29ead01efbe1e1581f942ef4c6a165ab8663
Opcode Fuzzy Hash: A511CB01114D5A93E431240815A7FEF1295FBC1A9BCD4BB71078636DBB2F481017EA7B
Instruction Fuzzy Hash: 6b9e5ef3b45a4a7d0cb501c9f56a29ead01efbe1e1581f942ef4c6a165ab8663

APIs

DrawEdge.USER32(00000000,?,00000006,00000002), ref: 00434BB3
OffsetRect.USER32(?,00000001,00000001), ref: 00434C04
DrawTextA.USER32(00000000,00000000,?,?,?), ref: 00434C3D
OffsetRect.USER32(?,000000FF,000000FF), ref: 00434C4A

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

DrawTextA.USER32(00000000,00000000,?,?,?), ref: 00434CB5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004455EC, Relevance: 7.6, APIs: 5, Instructions: 109 Total matches: 230

Similarity

Total matches: 230
API ID: ShowOwnedPopupsShowWindow$EnumWindows
String ID:
API String ID: 1268429734-0
Opcode ID: 27bb45b2951756069d4f131311b8216febb656800ffc3f7147a02f570a82fa35
Instruction ID: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc
Opcode Fuzzy Hash: 70012B5524E87325E2756D54B01C765A2239B0FF08CE6C6654AAE640F75E1E0132F78D
Instruction Fuzzy Hash: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc

APIs

EnumWindows.USER32(00445518,00000000), ref: 00445620
ShowWindow.USER32(?,00000000), ref: 00445655
ShowOwnedPopups.USER32(00000000,?), ref: 00445684
ShowWindow.USER32(?,00000005), ref: 004456EA
ShowOwnedPopups.USER32(00000000,?), ref: 00445719

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EB3C, Relevance: 7.6, APIs: 5, Instructions: 86 Total matches: 211window

Similarity

Total matches: 211
API ID: DispatchMessageMsgWaitForMultipleObjectsExPeekMessageTranslateMessageWaitForMultipleObjectsEx
String ID:
API String ID: 1615661765-0
Opcode ID: ed928f70f25773e24e868fbc7ee7d77a1156b106903410d7e84db0537b49759f
Instruction ID: 55a40452e6c929106030349fb2bc1598364ce2fc4e781c2a916e8f687fa462b2
Opcode Fuzzy Hash: DDF05C09614F1D16D8BB88644562B1B2144AB42397C26BFA5529EE3B2D6B18B00AF640
Instruction Fuzzy Hash: 55a40452e6c929106030349fb2bc1598364ce2fc4e781c2a916e8f687fa462b2

APIs

Part of subcall function 0042EA7C: IsWindow.USER32(?), ref: 0042EA99
Part of subcall function 0042EA7C: FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
Part of subcall function 0042EA7C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
Part of subcall function 0042EA7C: GetCurrentThreadId.KERNEL32(?,00000000,00000000,00000000,OleMainThreadWndClass,00000000,?,?,00000000,0042EB52), ref: 0042EB0A

MsgWaitForMultipleObjectsEx.USER32(?,?,?,000000BF,?), ref: 0042EB6A
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 0042EB85
TranslateMessage.USER32(?), ref: 0042EB92
DispatchMessageA.USER32(?), ref: 0042EB9B
WaitForMultipleObjectsEx.KERNEL32(?,?,?,?,00000000), ref: 0042EBC7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434924, Relevance: 7.6, APIs: 5, Instructions: 77 Total matches: 2509window

Similarity

Total matches: 2509
API ID: GetMenuItemCount$DestroyMenuGetMenuStateRemoveMenu
String ID:
API String ID: 4240291783-0
Opcode ID: 32de4ad86fdb0cc9fc982d04928276717e3a5babd97d9cb0bc7430a9ae97d0ca
Instruction ID: cf6877f9ad33401498591f2bf6e6844a5ca439f59e89e6fdb213c81f0c010526
Opcode Fuzzy Hash: 6BE02BD3455E4703F425AB0454E3FA913C4AF51716DA0DB1017359D07B1F26501FE9F4
Instruction Fuzzy Hash: cf6877f9ad33401498591f2bf6e6844a5ca439f59e89e6fdb213c81f0c010526

APIs

Part of subcall function 00434A54: CreatePopupMenu.USER32 ref: 00434A6F
Part of subcall function 00434A54: CreateMenu.USER32 ref: 00434A79

GetMenuItemCount.USER32(00000000), ref: 0043495C
GetMenuState.USER32(00000000,-00000001,00000400), ref: 0043497D
RemoveMenu.USER32(00000000,-00000001,00000400), ref: 00434994
GetMenuItemCount.USER32(00000000), ref: 004349C4
DestroyMenu.USER32(00000000), ref: 004349D1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00443430, Relevance: 7.6, APIs: 5, Instructions: 61 Total matches: 3003

Similarity

Total matches: 3003
API ID: SetWindowLong$GetWindowLongRedrawWindowSetLayeredWindowAttributes
String ID:
API String ID: 3761630487-0
Opcode ID: 9c9d49d1ef37d7cb503f07450c0d4a327eb9b2b4778ec50dcfdba666c10abcb3
Instruction ID: c6d9d2cd31c241e86b7d90949bf59b5cad1e27a78e0073c3828bbb8e9ec94880
Opcode Fuzzy Hash: 6AE06550D41703A1D48114945B63FBBE8817F8911DDE5C71001BA29145BA88A192FF7B
Instruction Fuzzy Hash: c6d9d2cd31c241e86b7d90949bf59b5cad1e27a78e0073c3828bbb8e9ec94880

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 00443464
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 00443496
SetLayeredWindowAttributes.USER32(00000000,?,?,00000000), ref: 004434CF
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 004434E8
RedrawWindow.USER32(00000000,00000000,00000000,00000485), ref: 004434FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426178, Relevance: 7.6, APIs: 5, Instructions: 55 Total matches: 3070window

Similarity

Total matches: 3070
API ID: GetPaletteEntries$GetDCGetDeviceCapsReleaseDC
String ID:
API String ID: 1267235336-0
Opcode ID: 49f91625e0dd571c489fa6fdad89a91e8dd79834746e98589081ca7a3a4fea17
Instruction ID: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836
Opcode Fuzzy Hash: 7CD0C2AA1389DBD6BD6A17842352A4553478983B09D126B32EB0822872850C5039FD1F
Instruction Fuzzy Hash: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836

APIs

GetDC.USER32(00000000), ref: 00426190
GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444B90, Relevance: 7.5, APIs: 5, Instructions: 25 Total matches: 2957synchronizationthread

Similarity

Total matches: 2957
API ID: CloseHandleGetCurrentThreadIdSetEventUnhookWindowsHookExWaitForSingleObject
String ID:
API String ID: 3442057731-0
Opcode ID: bc40a7f740796d43594237fc13166084f8c3b10e9e48d5138e47e82ca7129165
Instruction ID: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1
Opcode Fuzzy Hash: E9C01296B2C9B0C1EC809712340202800B20F8FC590E3DE0509D7363005315D73CD92C
Instruction Fuzzy Hash: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1

APIs

UnhookWindowsHookEx.USER32(00000000), ref: 00444B9F
SetEvent.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBA
GetCurrentThreadId.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBF
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00444BD4
CloseHandle.KERNEL32(00000000), ref: 00444BDF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040D670, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148 Total matches: 3566thread

Similarity

Total matches: 3566
API ID: GetThreadLocale
String ID: eeee$ggg$yyyy
API String ID: 1366207816-1253427255
Opcode ID: 86fa1fb3c1f239f42422769255d2b4db7643f856ec586a18d45da068e260c20e
Instruction ID: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436
Opcode Fuzzy Hash: 3911BD8712648363D5722818A0D2BE3199C5703CA4EA89742DDB6356EA7F09440BEE6D
Instruction Fuzzy Hash: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436

APIs

GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Strings

eeee, xrefs: 0040D7AE
yyyy, xrefs: 0040D795
ggg, xrefs: 0040D785

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F5E4, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72 Total matches: 26window

Similarity

Total matches: 26
API ID: GetWindowPlacementGetWindowTextIsWindowVisible
String ID: ,
API String ID: 41250382-3772416878
Opcode ID: d98ece8bad481757d152ad7594c705093dec75069e9b5f9ec314c4d81001c558
Instruction ID: 1b57460ef1e40e225087e69e669dd845b9a56fe4f5442601256b4cdd4d0865f6
Opcode Fuzzy Hash: DBE0ABC68782816BD907FDCCB0207E6E1E4779394CC8CBB32C606396E44D92000DCE69
Instruction Fuzzy Hash: 1b57460ef1e40e225087e69e669dd845b9a56fe4f5442601256b4cdd4d0865f6

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F634
GetWindowPlacement.USER32(?,0000002C), ref: 0046F64F
IsWindowVisible.USER32(?), ref: 0046F655

Strings

,, xrefs: 0046F643

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00485150, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64 Total matches: 24registry

Similarity

Total matches: 24
API ID: RegCloseKeyRegOpenKeyRegSetValueEx
String ID: Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 551737238-1428018034
Opcode ID: 03d06dea9a4ea131a8c95bd501c85e7d0b73df60e0a15cb9a2dd1ac9fe2d308f
Instruction ID: 259808f008cd29689f11a183a475b32bbb219f99a0f83129d86369365ce9f44d
Opcode Fuzzy Hash: 15E04F8517EAE2ABA996B5C838866F7609A9713790F443FB19B742F18B4F04601CE243
Instruction Fuzzy Hash: 259808f008cd29689f11a183a475b32bbb219f99a0f83129d86369365ce9f44d

APIs

RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 00485199
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,?,00000000,004851DE,?,00000000,0048520A), ref: 004851C6
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,?,00000000,004851DE,?,00000000,0048520A), ref: 004851CF

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 0048518F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004606CC, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 59 Total matches: 75network

Similarity

Total matches: 75
API ID: gethostbynameinet_addr
String ID: %d.%d.%d.%d$0.0.0.0
API String ID: 1594361348-464342551
Opcode ID: 7e59b623bdbf8c44b8bb58eaa9a1d1e7bf08be48a025104469b389075155053e
Instruction ID: 136b4077bafd549567cd44b702fc781b2d0bdeab701521d256d746d30229b047
Opcode Fuzzy Hash: 62E0D84049F633C28038E685914DF713041C71A2DEF8F9352022171EF72B096986AE3F
Instruction Fuzzy Hash: 136b4077bafd549567cd44b702fc781b2d0bdeab701521d256d746d30229b047

APIs

inet_addr.WSOCK32(00000000), ref: 004606F6
gethostbyname.WSOCK32(00000000), ref: 00460711

Strings

%d.%d.%d.%d, xrefs: 0046075E
0.0.0.0, xrefs: 0046076C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043804C, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58 Total matches: 1778window

Similarity

Total matches: 1778
API ID: DrawMenuBarGetMenuItemInfoSetMenuItemInfo
String ID: P
API String ID: 41131186-3110715001
Opcode ID: ea0fd48338f9c30b58f928f856343979a74bbe7af1b6c53973efcbd39561a32d
Instruction ID: eec9c326b6739cd85be96541f469f9b321a478421ae7c7aca53e0c239bd8eefe
Opcode Fuzzy Hash: C8E0C0C1064C1301CCACB4938564F010221FB8B33CDD1D3C051602419A9D0080D4BFFA
Instruction Fuzzy Hash: eec9c326b6739cd85be96541f469f9b321a478421ae7c7aca53e0c239bd8eefe

APIs

GetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 0043809A
SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 004380EC
DrawMenuBar.USER32(00000000), ref: 004380F9

Strings

P, xrefs: 0043808C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C3E4, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47 Total matches: 32libraryloader

Similarity

Total matches: 32
API ID: FreeLibraryGetProcAddressLoadLibrary
String ID: _DCEntryPoint
API String ID: 2438569322-2130044969
Opcode ID: ab6be07d423f29e2cef18b5ad5ff21cef58c0bd0bd6b8b884c8bb9d8d911d098
Instruction ID: 3cba8b520013dd4b177f9c32272ffd10ecf318a20762e1e9fa694429cf7511db
Opcode Fuzzy Hash: B9D0C2568747D413C405200439407D90CF1AF8719F9967FA145303FAD76F09801B7527
Instruction Fuzzy Hash: 3cba8b520013dd4b177f9c32272ffd10ecf318a20762e1e9fa694429cf7511db

APIs

LoadLibraryA.KERNEL32(00000000), ref: 0048C431
GetProcAddress.KERNEL32(00000000,_DCEntryPoint,00000000,0048C473), ref: 0048C442
FreeLibrary.KERNEL32(00000000), ref: 0048C44A

Strings

_DCEntryPoint, xrefs: 0048C43C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046D36C, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36 Total matches: 62

Similarity

Total matches: 62
API ID: ShellExecute
String ID: /k $[FILE]$open
API String ID: 2101921698-3009165984
Opcode ID: 68a05d7cd04e1a973318a0f22a03b327e58ffdc8906febc8617c9713a9b295c3
Instruction ID: d64fb813625eb261c687c2654e5203d30067de4ace02db37851750b48dd66fbf
Opcode Fuzzy Hash: FED0C75427CD9157FA017F8439527E61057E747281D481BE285587A0838F8D40659312
Instruction Fuzzy Hash: d64fb813625eb261c687c2654e5203d30067de4ace02db37851750b48dd66fbf

APIs

ShellExecuteA.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0046D3B9

Strings

/k , xrefs: 0046D39A
cmd.exe, xrefs: 0046D3AD
open, xrefs: 0046D3B2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042F9E4, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36 Total matches: 35libraryloader

Similarity

Total matches: 35
API ID: GetProcAddressLoadLibrary
String ID: DWMAPI.DLL$DwmExtendFrameIntoClientArea
API String ID: 3291547091-2956373744
Opcode ID: cc41b93bac7ef77e5c5829331b5f2d91e10911707bc9e4b3bb75284856726923
Instruction ID: 611aa7263024d751f308fb3d57e5af9092bc5a71ac2d52dead79affe02cb0da7
Opcode Fuzzy Hash: D0D0A7E4C08511B0F0509405703078241DE1BC5EEE8860E90150E533621B9FB827F65C
Instruction Fuzzy Hash: 611aa7263024d751f308fb3d57e5af9092bc5a71ac2d52dead79affe02cb0da7

APIs

LoadLibraryA.KERNEL32(DWMAPI.DLL), ref: 0042FA0E
GetProcAddress.KERNEL32(00000000,DwmExtendFrameIntoClientArea,?,?,?,00447F98), ref: 0042FA31

Strings

DWMAPI.DLL, xrefs: 0042FA09
DwmExtendFrameIntoClientArea, xrefs: 0042FA26

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042FA80, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31 Total matches: 41libraryloader

Similarity

Total matches: 41
API ID: GetProcAddressLoadLibrary
String ID: DWMAPI.DLL$DwmIsCompositionEnabled
API String ID: 3291547091-2128843254
Opcode ID: 903d86e3198bc805c96c7b960047695f5ec88b3268c29fda1165ed3f3bc36d22
Instruction ID: 6cdb37f6684ca359e010f835ed4616ce0f7732468e0f2b98b5f1960530870703
Opcode Fuzzy Hash: E3D0C9A5C0865175F571D509713068081FA23D6E8A8824998091A123225FAFB866F55C
Instruction Fuzzy Hash: 6cdb37f6684ca359e010f835ed4616ce0f7732468e0f2b98b5f1960530870703

APIs

LoadLibraryA.KERNEL32(DWMAPI.DLL), ref: 0042FAA6
GetProcAddress.KERNEL32(00000000,DwmIsCompositionEnabled,?,?,0042FB22,?,00447EFB), ref: 0042FAC9

Strings

DwmIsCompositionEnabled, xrefs: 0042FABE
DWMAPI.DLL, xrefs: 0042FAA1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040F4AC, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16 Total matches: 3137libraryloader

Similarity

Total matches: 3137
API ID: GetModuleHandleGetProcAddress
String ID: GetDiskFreeSpaceExA$[FILE]
API String ID: 1063276154-3559590856
Opcode ID: c33e0a58fb58839ae40c410e06ae8006a4b80140bf923832b2d6dbd30699e00d
Instruction ID: 9d6a6771c1a736381c701344b3d7b8e37c98dfc5013332f68a512772380f22cc
Opcode Fuzzy Hash: D8B09224E0D54114C4B4560930610013C82738A10E5019A820A1B720AA7CCEEA29603A
Instruction Fuzzy Hash: 9d6a6771c1a736381c701344b3d7b8e37c98dfc5013332f68a512772380f22cc

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0048F10B,00000000,0048F11E), ref: 0040F4B2
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA,kernel32.dll,?,0048F10B,00000000,0048F11E), ref: 0040F4C3

Strings

GetDiskFreeSpaceExA, xrefs: 0040F4BD
kernel32.dll, xrefs: 0040F4AD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EC20, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15 Total matches: 48libraryloader

Similarity

Total matches: 48
API ID: GetModuleHandleGetProcAddress
String ID: CoWaitForMultipleHandles$[FILE]
API String ID: 1063276154-3065170753
Opcode ID: c6d715972c75e747e6d7ad7506eebf8b4c41a2b527cd9bc54a775635c050cd0f
Instruction ID: d81c7de5bd030b21af5c52a75e3162b073d887a4de1eb555b8966bd0fb9ec815
Opcode Fuzzy Hash: 4DB012F9A0C9210CE55F44043163004ACF031C1B5F002FD461637827803F86F437631D
Instruction Fuzzy Hash: d81c7de5bd030b21af5c52a75e3162b073d887a4de1eb555b8966bd0fb9ec815

APIs

GetModuleHandleA.KERNEL32(ole32.dll,?,0042EC9A), ref: 0042EC26
GetProcAddress.KERNEL32(00000000,CoWaitForMultipleHandles,ole32.dll,?,0042EC9A), ref: 0042EC37

Strings

CoWaitForMultipleHandles, xrefs: 0042EC31
ole32.dll, xrefs: 0042EC21

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00411444, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: 954335058d5fe722e048a186d9110509c96c1379a47649d8646f5b9e1a2e0a0b
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: 9D014B0327CAAA867021BB004882FA0D2D4DE52A369CD8774DB71593F62780571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004114F3
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041150F
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411586
VariantClear.OLEAUT32(?), ref: 004115AF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428848, Relevance: 6.1, APIs: 4, Instructions: 83 Total matches: 2913window

Similarity

Total matches: 2913
API ID: CreateCompatibleDCRealizePaletteSelectObjectSelectPalette
String ID:
API String ID: 3833105616-0
Opcode ID: 7f49dee69bcd38fda082a6c54f39db5f53dba16227df2c2f18840f8cf7895046
Instruction ID: 29ada319a87402adac0eebea4d3b1ef9d21249ffa1523adf5174efdc3c3390a2
Opcode Fuzzy Hash: C0F0E5870BCED49BFCA7D484249722910C2F3C08DFC80A3324E55676DB9604B127A20B
Instruction Fuzzy Hash: 29ada319a87402adac0eebea4d3b1ef9d21249ffa1523adf5174efdc3c3390a2

APIs

Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE

Part of subcall function 00429D5C: GetDC.USER32(00000000), ref: 00429DB2
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429DC7
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00429DD1
Part of subcall function 00429D5C: CreateHalftonePalette.GDI32(00000000), ref: 00429DF5
Part of subcall function 00429D5C: ReleaseDC.USER32(00000000,00000000), ref: 00429E00

CreateCompatibleDC.GDI32(00000000), ref: 0042889D
SelectObject.GDI32(00000000,?), ref: 004288B6
SelectPalette.GDI32(00000000,?,000000FF), ref: 004288DF
RealizePalette.GDI32(00000000), ref: 004288EB

Part of subcall function 00425608: LeaveCriticalSection.KERNEL32(00000038,00000000,00423DD2,00423DE8), ref: 0042560F
Part of subcall function 00425608: EnterCriticalSection.KERNEL32(00499A30,00000038,00000000,00423DD2,00423DE8), ref: 00425619
Part of subcall function 00425608: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000038,00000000,00423DD2,00423DE8), ref: 00425626

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00438710, Relevance: 6.1, APIs: 4, Instructions: 72 Total matches: 3034window

Similarity

Total matches: 3034
API ID: GetMenuItemIDGetMenuStateGetMenuStringGetSubMenu
String ID:
API String ID: 4177512249-0
Opcode ID: ecc45265f1f2dfcabc36b66648e37788e83d83d46efca9de613be41cbe9cf08e
Instruction ID: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d
Opcode Fuzzy Hash: BEE020084B1FC552541F0A4A1573F019140E142CB69C3F3635127565B31A255213F776
Instruction Fuzzy Hash: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d

APIs

GetMenuState.USER32(?,?,?), ref: 00438733
GetSubMenu.USER32(?,?), ref: 0043873E
GetMenuItemID.USER32(?,?), ref: 00438757
GetMenuStringA.USER32(?,?,?,?,?), ref: 004387AA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00445518, Relevance: 6.1, APIs: 4, Instructions: 71 Total matches: 218threadwindow

Similarity

Total matches: 218
API ID: GetCurrentProcessIdGetWindowGetWindowThreadProcessIdIsWindowVisible
String ID:
API String ID: 3659984437-0
Opcode ID: 6a2b99e3a66d445235cbeb6ae27631a3038d73fb4110980a8511166327fee1f0
Instruction ID: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8
Opcode Fuzzy Hash: 82E0AB21B2AA28AAE0971541B01939130B3F74ED9ACC0A3626F8594BD92F253809E74F
Instruction Fuzzy Hash: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8

APIs

GetWindow.USER32(?,00000004), ref: 00445528
GetWindowThreadProcessId.USER32(?,?), ref: 00445542
GetCurrentProcessId.KERNEL32(?,00000004), ref: 0044554E
IsWindowVisible.USER32(?), ref: 0044559E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B29C, Relevance: 6.1, APIs: 4, Instructions: 58 Total matches: 214window

Similarity

Total matches: 214
API ID: DeleteObject$GetIconInfoGetObject
String ID:
API String ID: 3019347292-0
Opcode ID: d6af2631bec08fa1cf173fc10c555d988242e386d2638a025981433367bbd086
Instruction ID: 7fbc048e39f9dd6e6db5f40543e5f161b145f4c2f282fe4a446dbd8e1941d375
Opcode Fuzzy Hash: F7D0C283228DE2F7ED767D983A636154085F782297C6423B00444730860A1E700C6A03
Instruction Fuzzy Hash: 7fbc048e39f9dd6e6db5f40543e5f161b145f4c2f282fe4a446dbd8e1941d375

APIs

GetIconInfo.USER32(?,?), ref: 0042B2BD
GetObjectA.GDI32(?,00000018,?), ref: 0042B2DE
DeleteObject.GDI32(?), ref: 0042B30A
DeleteObject.GDI32(?), ref: 0042B313

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00445334, Relevance: 6.1, APIs: 4, Instructions: 56 Total matches: 2678

Similarity

Total matches: 2678
API ID: EnumWindowsGetWindowGetWindowLongSetWindowPos
String ID:
API String ID: 1660305372-0
Opcode ID: c3d012854d63b95cd89c42a77d529bdce0f7c5ea0abc138a70ce1ca7fb0ed027
Instruction ID: 7947c1ee61b3a945b06f79495752ea495d4a1fb36974d9d540e15b721e8a8e8a
Opcode Fuzzy Hash: 65E07D89179DA114F52124400911F043342F3D731BD1ADF814246283E39B8522BBFB8C
Instruction Fuzzy Hash: 7947c1ee61b3a945b06f79495752ea495d4a1fb36974d9d540e15b721e8a8e8a

APIs

EnumWindows.USER32(Function_000452BC), ref: 0044535E
GetWindow.USER32(?,00000003), ref: 00445376
GetWindowLongA.USER32(00000000,000000EC), ref: 00445383
SetWindowPos.USER32(00000000,000000EC,00000000,00000000,00000000,00000000,00000213), ref: 004453C2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040A404, Relevance: 6.1, APIs: 4, Instructions: 54 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: c8f11cb17e652d385e55d6399cfebc752614be738e382b5839b86fc73ea86396
Instruction ID: 2e292ce978d1af3d415e66e5b982e49a92b9d84a3d1479b7871fac408542b61b
Opcode Fuzzy Hash: 32D02B030B309613452F157D0441F8D7032488F01A96C2F8C37B77ABA68505605FFE4C
Instruction Fuzzy Hash: 2e292ce978d1af3d415e66e5b982e49a92b9d84a3d1479b7871fac408542b61b

APIs

FindNextFileA.KERNEL32(?,?), ref: 0040A415
GetLastError.KERNEL32(?,?), ref: 0040A41E
FileTimeToLocalFileTime.KERNEL32(?), ref: 0040A434
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 0040A443

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0041C2D4, Relevance: 6.1, APIs: 4, Instructions: 51 Total matches: 4966

Similarity

Total matches: 4966
API ID: FindResourceLoadResourceLockResourceSizeofResource
String ID:
API String ID: 3653323225-0
Opcode ID: 735dd83644160b8dcfdcb5d85422b4d269a070ba32dbf009b7750e227a354687
Instruction ID: 615d07274e164157e3e11310b2f920de543c2506028dc961f8b3aaf64374c2fd
Opcode Fuzzy Hash: 4BD0A90A2268C100582C2C80002BBC610830A5FE226CC27F902231BBC32C026024F8C4
Instruction Fuzzy Hash: 615d07274e164157e3e11310b2f920de543c2506028dc961f8b3aaf64374c2fd

APIs

FindResourceA.KERNEL32(?,?,?), ref: 0041C2EB
LoadResource.KERNEL32(?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C305
SizeofResource.KERNEL32(?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C31F
LockResource.KERNEL32(0041BDF4,00000000,?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000), ref: 0041C329

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040A3AC, Relevance: 6.0, APIs: 4, Instructions: 40 Total matches: 51time

Similarity

Total matches: 51
API ID: DosDateTimeToFileTimeGetLastErrorLocalFileTimeToFileTimeSetFileTime
String ID:
API String ID: 3095628216-0
Opcode ID: dc7fe683cb9960f76d0248ee31fd3249d04fe76d6d0b465a838fe0f3e66d3351
Instruction ID: c3399427300e97a0bf23ec08d7f996c3ab3c22a86554ee3675cd901d102723b3
Opcode Fuzzy Hash: F2C0803B165157D71F4F7D7C600375011F0D1778230955B614E019718D4E05F01EFD86
Instruction Fuzzy Hash: c3399427300e97a0bf23ec08d7f996c3ab3c22a86554ee3675cd901d102723b3

APIs

DosDateTimeToFileTime.KERNEL32(?,0048C37F,?), ref: 0040A3C9
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0040A3DA
SetFileTime.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3EC
GetLastError.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3F5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00484388, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 39

Similarity

Total matches: 39
API ID: CloseHandleGetExitCodeProcessOpenProcessTerminateProcess
String ID:
API String ID: 2790531620-0
Opcode ID: 2f64381cbc02908b23ac036d446d8aeed05bad4df5f4c3da9e72e60ace7043ae
Instruction ID: e830ae185e03603e72926048c7063e7464f7d8c572e36ef4319c937be7ad0c91
Opcode Fuzzy Hash: 5DC01285079EAB7B643571D825437E14084D5026CCB943B7185045F10B4B09B43DF053
Instruction Fuzzy Hash: e830ae185e03603e72926048c7063e7464f7d8c572e36ef4319c937be7ad0c91

APIs

OpenProcess.KERNEL32(00000001,00000000,00000000), ref: 00484393
GetExitCodeProcess.KERNEL32(00000000,?), ref: 004843B7
TerminateProcess.KERNEL32(00000000,?,00000000,004843E0,?,00000001,00000000,00000000), ref: 004843C4
CloseHandle.KERNEL32(00000000), ref: 004843DA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044E254, Relevance: 6.0, APIs: 4, Instructions: 37 Total matches: 5751thread

Similarity

Total matches: 5751
API ID: GetCurrentProcessIdGetPropGetWindowThreadProcessIdGlobalFindAtom
String ID:
API String ID: 142914623-0
Opcode ID: 055fee701d7a26f26194a738d8cffb303ddbdfec43439e02886190190dab2487
Instruction ID: e9689aead5eaf442059aa2d418bca5d111d08576717f72d926dd49825766799b
Opcode Fuzzy Hash: 0AC02203AD2E23870E4202F2E840907219583DF8720CA370201B0E38C023F0461DFF0C
Instruction Fuzzy Hash: e9689aead5eaf442059aa2d418bca5d111d08576717f72d926dd49825766799b

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 0044E261
GetCurrentProcessId.KERNEL32(00000000,?,?,-00000010,00000000,0044E2CC,-000000F7,?,00000000,0044DE86,?,-00000010,?), ref: 0044E26A
GlobalFindAtomA.KERNEL32(00000000), ref: 0044E27F
GetPropA.USER32(00000000,00000000), ref: 0044E296

Part of subcall function 0044D2C0: GetWindowThreadProcessId.USER32(?), ref: 0044D2C6
Part of subcall function 0044D2C0: GetCurrentProcessId.KERNEL32(?,?,?,?,0044D346,?,00000000,?,004387ED,?,004378A9), ref: 0044D2CF
Part of subcall function 0044D2C0: SendMessageA.USER32(?,0000C1C7,00000000,00000000), ref: 0044D2E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444B1C, Relevance: 6.0, APIs: 4, Instructions: 34 Total matches: 2966thread

Similarity

Total matches: 2966
API ID: CreateEventCreateThreadGetCurrentThreadIdSetWindowsHookEx
String ID:
API String ID: 2240124278-0
Opcode ID: 54442a1563c67a11f9aee4190ed64b51599c5b098d388fde65e2e60bb6332aef
Instruction ID: 25b62da08cecef26c395931cea73ffe9b62582a88be241cbb158b3c9ea13de32
Opcode Fuzzy Hash: 37D0C940B0DE75C4F860630138017A90633234BF1BCD1C316480F76041C6CFAEF07A28
Instruction Fuzzy Hash: 25b62da08cecef26c395931cea73ffe9b62582a88be241cbb158b3c9ea13de32

APIs

GetCurrentThreadId.KERNEL32(?,00447A69,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00444B34
SetWindowsHookExA.USER32(00000003,00444AD8,00000000,00000000), ref: 00444B44
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00447A69,?,?,?,?,?,?,?,?,?,?), ref: 00444B5F
CreateThread.KERNEL32(00000000,000003E8,00444A7C,00000000,00000000), ref: 00444B83

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B438, Relevance: 6.0, APIs: 4, Instructions: 29 Total matches: 789

Similarity

Total matches: 789
API ID: GetDCGetTextMetricsReleaseDCSelectObject
String ID:
API String ID: 1769665799-0
Opcode ID: db772d9cc67723a7a89e04e615052b16571c955da3e3b2639a45f22e65d23681
Instruction ID: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3
Opcode Fuzzy Hash: DCC02B935A2888C32DE51FC0940084317C8C0E3A248C62212E13D400727F0C007CBFC0
Instruction Fuzzy Hash: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3

APIs

GetDC.USER32(00000000), ref: 0042B441
SelectObject.GDI32(00000000,018A002E), ref: 0042B453
GetTextMetricsA.GDI32(00000000), ref: 0042B45E
ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042473C, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 172 Total matches: 108

Similarity

Total matches: 108
API ID: CompareStringCreateFontIndirect
String ID: Default
API String ID: 480662435-753088835
Opcode ID: 55710f22f10b58c86f866be5b7f1af69a0ec313069c5af8c9f5cd005ee0f43f8
Instruction ID: ad4a051fb67a15694052d05548e5e2a92b9daedfa5d673be67c756d1cf269a99
Opcode Fuzzy Hash: F6116A2104DDB067F8B3EC94B64A74A79D1BBC5E9EC00FB303AA57198A0B01500EEB0E
Instruction Fuzzy Hash: ad4a051fb67a15694052d05548e5e2a92b9daedfa5d673be67c756d1cf269a99

APIs

Part of subcall function 00423A1C: EnterCriticalSection.KERNEL32(?,00423A59), ref: 00423A20

CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,00424930,?,00000000,00424958), ref: 0042486B
CreateFontIndirectA.GDI32(?), ref: 0042490D

Part of subcall function 0042B438: GetDC.USER32(00000000), ref: 0042B441
Part of subcall function 0042B438: SelectObject.GDI32(00000000,018A002E), ref: 0042B453
Part of subcall function 0042B438: GetTextMetricsA.GDI32(00000000), ref: 0042B45E
Part of subcall function 0042B438: ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Part of subcall function 00423A28: LeaveCriticalSection.KERNEL32(-00000008,00423B07,00423B0F), ref: 00423A2C

Strings

Default, xrefs: 00424832, 00424840, 00424841

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E3F0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103 Total matches: 30

Similarity

Total matches: 30
API ID: SHGetPathFromIDListSHGetSpecialFolderLocation
String ID: .LNK
API String ID: 739551631-2547878182
Opcode ID: 6b91e9416f314731ca35917c4d41f2341f1eaddd7b94683245f35c4551080332
Instruction ID: e6ae6f63a256f5e8788dfe1c4fce17057cd352befa637d7beb5ae1c0f18a968e
Opcode Fuzzy Hash: 9701B543079EC2A3D9232E512D43BA60129AF11E22F4C77F35A3C3A7D11E500105FA4A
Instruction Fuzzy Hash: e6ae6f63a256f5e8788dfe1c4fce17057cd352befa637d7beb5ae1c0f18a968e

APIs

SHGetSpecialFolderLocation.SHELL32(00000000,00000010,?), ref: 0046E44B
SHGetPathFromIDListA.SHELL32(?,?,00000000,00000010,?,00000000,0046E55E), ref: 0046E463

Part of subcall function 0042BE44: CoCreateInstance.OLE32(?,00000000,00000005,0042BF34,00000000), ref: 0042BE8B

Strings

.LNK, xrefs: 0046E4DE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00472C70, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 98 Total matches: 26

Similarity

Total matches: 26
API ID: SetFileAttributes
String ID: I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!$drivers\etc\hosts
API String ID: 3201317690-57959411
Opcode ID: de1fcf5289fd0d37c0d7642ff538b0d3acf26fbf7f5b53187118226b7e9f9585
Instruction ID: 1f69c6cfd5524e6f1e55c33e322de11738733e7ba85079705839c212502733fc
Opcode Fuzzy Hash: C4012B430F74D723D5173D857800B8922764B4A179D4A77F34B3B796E14E45101BF26D
Instruction Fuzzy Hash: 1f69c6cfd5524e6f1e55c33e322de11738733e7ba85079705839c212502733fc

APIs

Part of subcall function 004719C8: GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 004719DF

SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00472DAB,?,00000000,00472DE7), ref: 00472D16

Strings

drivers\etc\hosts, xrefs: 00472CD3, 00472D00
I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!, xrefs: 00472D8D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040C028, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79 Total matches: 3032thread

Similarity

Total matches: 3032
API ID: GetDateFormatGetThreadLocale
String ID: yyyy
API String ID: 358233383-3145165042
Opcode ID: a9ef5bbd8ef47e5bcae7fadb254d6b5dc10943448e4061dc92b10bb97dc7929c
Instruction ID: 3d7ab4add3e8180159f8482215856afc9a1a963464e366b4ca05c92ac214afea
Opcode Fuzzy Hash: 09F09E4A0397D3D76802C969D023BC10194EB5A8B2C88B3B1DBB43D7F74C10C40AAF21
Instruction Fuzzy Hash: 3d7ab4add3e8180159f8482215856afc9a1a963464e366b4ca05c92ac214afea

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,0040C116), ref: 0040C0AE
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100), ref: 0040C0B4

Strings

yyyy, xrefs: 0040C089

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E408, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44 Total matches: 2190

Similarity

Total matches: 2190
API ID: GetSystemMetrics
String ID: MonitorFromPoint
API String ID: 96882338-1072306578
Opcode ID: 666203dad349f535e62b1e5569e849ebaf95d902ba2aa8f549115cec9aadc9dc
Instruction ID: 9e90a3aeaa9df0e76633c437836624889fea8714b6c2508f44f8acb6986c90e8
Opcode Fuzzy Hash: 72D09540005C404E9427F505302314050862CD7C1444C0A96073728A4B4BC07837E70C
Instruction Fuzzy Hash: 9e90a3aeaa9df0e76633c437836624889fea8714b6c2508f44f8acb6986c90e8

APIs

GetSystemMetrics.USER32(00000000), ref: 0042E456
GetSystemMetrics.USER32(00000001), ref: 0042E468

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

MonitorFromPoint, xrefs: 0042E41A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E258, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39 Total matches: 3131

Similarity

Total matches: 3131
API ID: GetSystemMetrics
String ID: GetSystemMetrics
API String ID: 96882338-96882338
Opcode ID: bbc54e4b5041dfa08de2230ef90e8f32e1264c6e24ec09b97715d86cc98d23e9
Instruction ID: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c
Opcode Fuzzy Hash: B4D0A941986AA908E0AF511971A336358D163D2EA0C8C8362308B329EB5741B520AB01
Instruction Fuzzy Hash: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c

APIs

GetSystemMetrics.USER32(?), ref: 0042E2BA

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

GetSystemMetrics.USER32(?), ref: 0042E280

Strings

GetSystemMetrics, xrefs: 0042E268

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Process Name: 17WIRE TRANSFER SLIP.exe Analysis ID: 331351

General

Root Process Name:	regdrv.exe
Process MD5:	3BB691A8B6840769716C7FE316E7C01C
Total matches:	110
Initial Analysis Report:	Open
Initial sample Analysis ID:	331351
Initial sample SHA 256:	DC7A68C5ABE8B41850D8C9A66C35034B9938E5106E1E0AD09AE16EC809B08AE8
Initial sample name:	17WIRE TRANSFER SLIP.exe

Similar Executed Functions

Function 0048AEA8, Relevance: 9.1, APIs: 6, Instructions: 108 Total matches: 122

Similarity

Total matches: 122
API ID: AdjustTokenPrivilegesCloseHandleGetCurrentProcessGetLastErrorLookupPrivilegeValueOpenProcessToken
String ID:
API String ID: 1655903152-0
Opcode ID: c92d68a2c1c5faafb4a28c396f292a277a37f0b40326d7f586547878ef495775
Instruction ID: 5a044237aac15a3989e4021d08b96f5326c338692d3d0e66e444868dbe789150
Opcode Fuzzy Hash: 2CF0468513CAB2E7F879B18C3042FE73458B323244C8437219A903A18E0E59A12CEB13
Instruction Fuzzy Hash: 5a044237aac15a3989e4021d08b96f5326c338692d3d0e66e444868dbe789150

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AEFF
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF05
LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000), ref: 0048AF77
CloseHandle.KERNEL32(?), ref: 0048AF8D
GetLastError.KERNEL32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF9A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DDE0, Relevance: 7.6, APIs: 5, Instructions: 54 Total matches: 153

Similarity

Total matches: 153
API ID: FindResourceFreeResourceLoadResourceLockResourceSizeofResource
String ID:
API String ID: 3885362348-0
Opcode ID: ef8b8e58cde3d28224df1e0c57da641ab2d3d01fa82feb3a30011b4f31433ee9
Instruction ID: 9990bafbf40e834a260b48e1f62370990a3e04654371271e90c167a58edff6a8
Opcode Fuzzy Hash: 08D02B420B5FA197F51656482C813D722876B43386EC42BF2D31A3B2E39F058039F60B
Instruction Fuzzy Hash: 9990bafbf40e834a260b48e1f62370990a3e04654371271e90c167a58edff6a8

APIs

FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 0048DE1A
LoadResource.KERNEL32(00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE24
SizeofResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE2E
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE36
FreeResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0048DE71,?,?,?,015D5070), ref: 0048DE51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048B908, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 138 Total matches: 28

Similarity

Total matches: 28
API ID: GetTokenInformation$CloseHandleGetCurrentProcessOpenProcessToken
String ID: Default$Full$Limited$unknow
API String ID: 3519712506-3005279702
Opcode ID: c9e83fe5ef618880897256b557ce500f1bf5ac68e7136ff2dc4328b35d11ffd0
Instruction ID: 0b4c06dab34d27ad9d68d80be0f4d698db9405c4a95def130c1ac261927f5781
Opcode Fuzzy Hash: 94012245479DA6FB6826709C78036E90090EEA3505DC827320F1A3EA430F49906DFE03
Instruction Fuzzy Hash: 0b4c06dab34d27ad9d68d80be0f4d698db9405c4a95def130c1ac261927f5781

APIs

GetCurrentProcess.KERNEL32(00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B93E
OpenProcessToken.ADVAPI32(00000000,00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B944
GetTokenInformation.ADVAPI32(?,00000012(TokenIntegrityLevel),?,00000004,?,00000000,0048BA30,?,00000000,00000008,?,00000000,0048BA4E,?,00000000,0048BAB3), ref: 0048B96F
GetTokenInformation.ADVAPI32(?,00000014(TokenIntegrityLevel),?,00000004,?,?,TokenIntegrityLevel,?,00000004,?,00000000,0048BA30,?,00000000,00000008,?), ref: 0048B9DF
CloseHandle.KERNEL32(?), ref: 0048BA2A

Strings

unknow, xrefs: 0048B9B6
Limited, xrefs: 0048B9A7
Default, xrefs: 0048B989
Full, xrefs: 0048B998

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004035C4, Relevance: 15.1, APIs: 10, Instructions: 129 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: d538ecb20819965be69077a828496b76d5af3486dd71f6717b9dc933de35fdbc
Instruction ID: c976212507a0127e09b4f1878ff8970bdbefa7b4a5e526d5fabf74a192684bc9
Opcode Fuzzy Hash: DD012BC0B7E89268E42FAB84AA00FD25444979FFC9E70C74433C9615EE6742616CBE09
Instruction Fuzzy Hash: c976212507a0127e09b4f1878ff8970bdbefa7b4a5e526d5fabf74a192684bc9

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040364C
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00403670
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040368C
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 004036AD
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 004036D6
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 004036E4
GetStdHandle.KERNEL32(000000F5), ref: 0040371F
GetFileType.KERNEL32 ref: 00403735
CloseHandle.KERNEL32 ref: 00403750
GetLastError.KERNEL32(000000F5), ref: 00403768

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040EBCC, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201 Total matches: 3634thread

Similarity

Total matches: 3634
API ID: GetThreadLocale
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 1366207816-2493093252
Opcode ID: 01a36ac411dc2f0c4b9eddfafa1dc6121dabec367388c2cb1b6e664117e908cf
Instruction ID: d03f869ccb848d3c28b0e9f5c57a02ed4726818649ba9b5e70cc30c7e7abe10a
Opcode Fuzzy Hash: 7E216E09A7888936D262494C3885B9414F75F1A161EC4CBF18BB2757ED6EC60422FBFB
Instruction Fuzzy Hash: d03f869ccb848d3c28b0e9f5c57a02ed4726818649ba9b5e70cc30c7e7abe10a

APIs

Part of subcall function 0040EB08: GetThreadLocale.KERNEL32 ref: 0040EB2A
Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000004A), ref: 0040EB7D
Part of subcall function 0040EB08: GetSystemMetrics.USER32(0000002A), ref: 0040EB8C

Part of subcall function 0040D3E8: GetThreadLocale.KERNEL32(00000000,0040D4FB,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040D404

GetThreadLocale.KERNEL32(00000000,0040EE97,?,?,00000000,00000000), ref: 0040EC02

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Part of subcall function 0040D380: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040EC7E,00000000,0040EE97,?,?,00000000,00000000), ref: 0040D393

Part of subcall function 0040D670: GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(?,00000000,0040D657,?,?,00000000), ref: 0040D5D8
Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040D657,?,?,00000000), ref: 0040D608
Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D50C,00000000,00000000,00000004), ref: 0040D613
Part of subcall function 0040D5C0: GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040D657,?,?,00000000), ref: 0040D631
Part of subcall function 0040D5C0: EnumCalendarInfoA.KERNEL32(Function_0000D548,00000000,00000000,00000003), ref: 0040D63C

Strings

AMPM , xrefs: 0040EE25
mmmm d, yyyy, xrefs: 0040ECFE
m/d/yy, xrefs: 0040ECD1
:mm, xrefs: 0040EE35
:mm:ss, xrefs: 0040EE52
AMPM, xrefs: 0040EE16

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045F5F8, Relevance: 10.6, APIs: 7, Instructions: 117 Total matches: 462file

Similarity

Total matches: 462
API ID: CloseHandle$CreateFileCreateFileMappingGetFileSizeMapViewOfFileUnmapViewOfFile
String ID:
API String ID: 4232242029-0
Opcode ID: 30b260463d44c6b5450ee73c488d4c98762007a87f67d167b52aaf6bd441c3bf
Instruction ID: 5c790fdba87d6d3a28b45298bdc34f72c373fcd78425af207109af52e92f4d8f
Opcode Fuzzy Hash: 68F028440BCCF3A7F4B5B64820427A1004AAB46B58D54BFA25495374CB89C9B04DFB53
Instruction Fuzzy Hash: 5c790fdba87d6d3a28b45298bdc34f72c373fcd78425af207109af52e92f4d8f

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateFileA.KERNEL32(00000000,80000000,00000003,00000000,00000003,08000080,00000000), ref: 0045F637
CreateFileMappingA.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0045F665
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718,?,?,?,?), ref: 0045F691
GetFileSize.KERNEL32(000000FF,00000000,00000000,0045F6DC,?,00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718), ref: 0045F6B3
UnmapViewOfFile.KERNEL32(00000000,0045F6E3,0045F6DC,?,00000000,00000004,00000000,00000000,00000000,00000000,0045F6FA,?,00000000,0045F718), ref: 0045F6D6
CloseHandle.KERNEL32(00000000), ref: 0045F6F4
CloseHandle.KERNEL32(000000FF), ref: 0045F712

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AFE8, Relevance: 10.6, APIs: 7, Instructions: 94 Total matches: 34sleep

Similarity

Total matches: 34
API ID: Sleep$GetCurrentProcessGetTokenInformationLookupPrivilegeDisplayNameLookupPrivilegeNameOpenProcessToken
String ID:
API String ID: 2949210484-0
Opcode ID: 1294ace95088db967643d611283e857756515b83d680ef470e886f47612abab4
Instruction ID: 080af5cb768fd98714a9d060fcd45c73de1816ca9ba7ffb4874f351f539571ee
Opcode Fuzzy Hash: F9F0F6524B5DE753F65D2A4C9893BE90250DB03424E806B22857877A8A5E195039FA2A
Instruction Fuzzy Hash: 080af5cb768fd98714a9d060fcd45c73de1816ca9ba7ffb4874f351f539571ee

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048B0F3), ref: 0048B016
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048B0F3), ref: 0048B01C
Sleep.KERNEL32(00000001,00000000,00000028,?,00000000,0048B0F3), ref: 0048B027
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B03C
Sleep.KERNEL32(00000001,?,TokenIntegrityLevel,00000000,00000320,?,00000000,00000028,?,00000000,0048B0F3), ref: 0048B047
LookupPrivilegeNameA.ADVAPI32(00000000,00000004,00000000,000000FF), ref: 0048B094
LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,?,000000FF,?), ref: 0048B0A8

Part of subcall function 0048AEA8: GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AEFF
Part of subcall function 0048AEA8: OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF05
Part of subcall function 0048AEA8: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0048AF2F
Part of subcall function 0048AEA8: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,?,00000000,0048AF93,?,00000000,00000028,?,00000000,0048AFAF,?,00000000), ref: 0048AF77
Part of subcall function 0048AEA8: CloseHandle.KERNEL32(?), ref: 0048AF8D
Part of subcall function 0048AEA8: GetLastError.KERNEL32(00000000,00000028,?,00000000,0048AFAF,?,00000000,0048AFD6,?,00000000,?,00000000), ref: 0048AF9A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B47C, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58 Total matches: 283

Similarity

Total matches: 283
API ID: MulDiv
String ID: MS Shell Dlg 2$SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes$Tahoma
API String ID: 940359406-1011973972
Opcode ID: 9f338f1e3de2c8e95426f3758bdd42744a67dcd51be80453ed6f2017c850a3af
Instruction ID: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a
Opcode Fuzzy Hash: EDE0680017C8F0ABFC32BC8A30A17CD20C9F341270C0063B1065D3D8CAAB4AC018E907
Instruction Fuzzy Hash: 7b9cc0be37a0a53035db32e0e1ee41426a52b9a3cd425deeb52a4e7203a2a64a

APIs

MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0042B4A2

Part of subcall function 004217A0: RegCloseKey.ADVAPI32(10940000,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5,?,00000000,0048B2DD), ref: 004217B4

Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421A81
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,00000000,00421BB9), ref: 00421AF1
Part of subcall function 00421A08: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?), ref: 00421B5C

Part of subcall function 00421770: RegFlushKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 00421781
Part of subcall function 00421770: RegCloseKey.ADVAPI32(00010000,00421610,004217C7,00421610,00000000,004216E2,000F003F,00000001,00421726,?,?,?,0048B244,00000000,0048B2B5), ref: 0042178A

Part of subcall function 0042B438: GetDC.USER32(00000000), ref: 0042B441
Part of subcall function 0042B438: SelectObject.GDI32(00000000,018A002E), ref: 0042B453
Part of subcall function 0042B438: GetTextMetricsA.GDI32(00000000), ref: 0042B45E
Part of subcall function 0042B438: ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes, xrefs: 0042B4F8
MS Shell Dlg 2, xrefs: 0042B50C
Tahoma, xrefs: 0042B4C4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048CF38, Relevance: 4.5, APIs: 3, Instructions: 43 Total matches: 31

Similarity

Total matches: 31
API ID: GetForegroundWindowGetWindowTextGetWindowTextLength
String ID:
API String ID: 3098183346-0
Opcode ID: 209e0569b9b6198440fd91fa0607dca7769e34364d6ddda49eba559da13bc80b
Instruction ID: 91d0bfb2ef12b00d399625e8c88d0df52cd9c99a94677dcfff05ce23f9c63a23
Opcode Fuzzy Hash: 06D0A785074B861BA40A96CC64011E692906161142D8077318725BA5C9AD06001FA85B
Instruction Fuzzy Hash: 91d0bfb2ef12b00d399625e8c88d0df52cd9c99a94677dcfff05ce23f9c63a23

APIs

GetForegroundWindow.USER32 ref: 0048CF57
GetWindowTextLengthA.USER32(00000000), ref: 0048CF63
GetWindowTextA.USER32(00000000,00000000,00000001), ref: 0048CF80

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00482028, Relevance: 4.5, APIs: 3, Instructions: 19 Total matches: 124window

Similarity

Total matches: 124
API ID: DispatchMessageGetMessageTranslateMessage
String ID:
API String ID: 238847732-0
Opcode ID: 2bc29e822e5a19ca43f9056ef731e5d255ca23f22894fa6ffe39914f176e67d0
Instruction ID: 3635f244085e73605198e4edd337f824154064b4cabe78c039b45d2f1f3269be
Opcode Fuzzy Hash: A9B0120F8141E01F254D19651413380B5D379C3120E515B604E2340284D19031C97C49
Instruction Fuzzy Hash: 3635f244085e73605198e4edd337f824154064b4cabe78c039b45d2f1f3269be

APIs

Part of subcall function 00481ED8: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00482007,?,?,00000003,00000000,00000000,?,00482033), ref: 00481EFB
Part of subcall function 00481ED8: SetWindowsHookExA.USER32(0000000D,004818F8,00000000,00000000), ref: 00481F09

TranslateMessage.USER32 ref: 00482036
DispatchMessageA.USER32 ref: 0048203C
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00482048

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Similar Non-Executed Functions

Function 0048B42C, Relevance: 70.2, APIs: 32, Strings: 8, Instructions: 219 Total matches: 29keyboard

Similarity

Total matches: 29
API ID: keybd_event
String ID: CTRLA$CTRLC$CTRLF$CTRLP$CTRLV$CTRLX$CTRLY$CTRLZ
API String ID: 2665452162-853614746
Opcode ID: 4def22f753c7f563c1d721fcc218f3f6eb664e5370ee48361dbc989d32d74133
Instruction ID: 963b610819eac8b52ef880b5a8b69d76f76adbdeafee6c47af906d1515d6b099
Opcode Fuzzy Hash: 532196951B0CA2B978DA64817C0E195F00B969B34DEDC13128990DAF788EF08DE03F35
Instruction Fuzzy Hash: 963b610819eac8b52ef880b5a8b69d76f76adbdeafee6c47af906d1515d6b099

APIs

keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B460
keybd_event.USER32(00000041,00000045,00000001,00000000), ref: 0048B46D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B47A
keybd_event.USER32(00000041,00000045,00000003,00000000), ref: 0048B487
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B4A8
keybd_event.USER32(00000056,00000045,00000001,00000000), ref: 0048B4B5
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B4C2
keybd_event.USER32(00000056,00000045,00000003,00000000), ref: 0048B4CF
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B4F0
keybd_event.USER32(00000043,00000045,00000001,00000000), ref: 0048B4FD
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B50A
keybd_event.USER32(00000043,00000045,00000003,00000000), ref: 0048B517
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B538
keybd_event.USER32(00000058,00000045,00000001,00000000), ref: 0048B545
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B552
keybd_event.USER32(00000058,00000045,00000003,00000000), ref: 0048B55F
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B580
keybd_event.USER32(00000050,00000045,00000001,00000000), ref: 0048B58D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B59A
keybd_event.USER32(00000050,00000045,00000003,00000000), ref: 0048B5A7
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B5C8
keybd_event.USER32(0000005A,00000045,00000001,00000000), ref: 0048B5D5
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B5E2
keybd_event.USER32(0000005A,00000045,00000003,00000000), ref: 0048B5EF
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B610
keybd_event.USER32(00000059,00000045,00000001,00000000), ref: 0048B61D
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B62A
keybd_event.USER32(00000059,00000045,00000003,00000000), ref: 0048B637
keybd_event.USER32(00000011,00000045,00000001,00000000), ref: 0048B655
keybd_event.USER32(00000046,00000045,00000001,00000000), ref: 0048B662
keybd_event.USER32(00000011,00000045,00000003,00000000), ref: 0048B66F
keybd_event.USER32(00000046,00000045,00000003,00000000), ref: 0048B67C

Strings

CTRLP, xrefs: 0048B56C
CTRLC, xrefs: 0048B4DC
CTRLV, xrefs: 0048B494
CTRLY, xrefs: 0048B5FC
CTRLF, xrefs: 0048B641
CTRLZ, xrefs: 0048B5B4
CTRLX, xrefs: 0048B524
CTRLA, xrefs: 0048B44C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00460AC0, Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99 Total matches: 300libraryloader

Similarity

Total matches: 300
API ID: GetProcAddress$GetModuleHandle
String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$[FILE]
API String ID: 1039376941-2682310058
Opcode ID: f09c306a48b0de2dd47c8210d3bd2ba449cfa3644c05cf78ba5a2ace6c780295
Instruction ID: bcfc9cd07546656776842482fc67dab96c7523a4dc8624f3bf5282ed84c56a54
Opcode Fuzzy Hash: 950151BF00AC158CCBB0CE8834EFB5324AB398984C4225F4495C6312393D9FF50A1AAA
Instruction Fuzzy Hash: bcfc9cd07546656776842482fc67dab96c7523a4dc8624f3bf5282ed84c56a54

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?,?,?), ref: 00460AD4
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?,?,?), ref: 00460AEC
GetProcAddress.KERNEL32(00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E,?,?), ref: 00460AFE
GetProcAddress.KERNEL32(00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5,?,?,00000000,0046722E), ref: 00460B10
GetProcAddress.KERNEL32(00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5), ref: 00460B22
GetProcAddress.KERNEL32(00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000,00000000,00466CF5), ref: 00460B34
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002,00460D47,00000000), ref: 00460B46
GetProcAddress.KERNEL32(00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot,kernel32.dll,00000002), ref: 00460B58
GetProcAddress.KERNEL32(00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst,00000000,CreateToolhelp32Snapshot), ref: 00460B6A
GetProcAddress.KERNEL32(00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext,00000000,Heap32ListFirst), ref: 00460B7C
GetProcAddress.KERNEL32(00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First,00000000,Heap32ListNext), ref: 00460B8E
GetProcAddress.KERNEL32(00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next,00000000,Heap32First), ref: 00460BA0
GetProcAddress.KERNEL32(00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory,00000000,Heap32Next), ref: 00460BB2
GetProcAddress.KERNEL32(00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First,00000000,Toolhelp32ReadProcessMemory), ref: 00460BC4
GetProcAddress.KERNEL32(00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next,00000000,Process32First), ref: 00460BD6
GetProcAddress.KERNEL32(00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW,00000000,Process32Next), ref: 00460BE8
GetProcAddress.KERNEL32(00000000,Module32NextW,00000000,Module32FirstW,00000000,Module32Next,00000000,Module32First,00000000,Thread32Next,00000000,Thread32First,00000000,Process32NextW,00000000,Process32FirstW), ref: 00460BFA

Strings

Toolhelp32ReadProcessMemory, xrefs: 00460B3E
CreateToolhelp32Snapshot, xrefs: 00460AE4
Heap32First, xrefs: 00460B1A
Thread32First, xrefs: 00460B98
Module32First, xrefs: 00460BBC
Process32FirstW, xrefs: 00460B74
Heap32Next, xrefs: 00460B2C
Process32First, xrefs: 00460B50
Module32Next, xrefs: 00460BCE
Module32NextW, xrefs: 00460BF2
Heap32ListFirst, xrefs: 00460AF6
Thread32Next, xrefs: 00460BAA
Module32FirstW, xrefs: 00460BE0
Heap32ListNext, xrefs: 00460B08
Process32NextW, xrefs: 00460B86
kernel32.dll, xrefs: 00460ACF
Process32Next, xrefs: 00460B62

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428B08, Relevance: 48.5, APIs: 32, Instructions: 500 Total matches: 1987window

Similarity

Total matches: 1987
API ID: SelectObject$SelectPalette$CreateCompatibleDCGetDIBitsGetDeviceCapsRealizePaletteSetBkColorSetTextColor$BitBltCreateBitmapCreateCompatibleBitmapCreateDIBSectionDeleteDCFillRectGetDCGetDIBColorTableGetObjectPatBltSetDIBColorTable
String ID:
API String ID: 3042800676-0
Opcode ID: b8b687cee1c9a2d9d2f26bc490dbdcc6ec68fc2f2ec1aa58312beb2e349b1411
Instruction ID: ff68489d249ea03a763d48795c58495ac11dd1cccf96ec934182865f2a9e2114
Opcode Fuzzy Hash: E051494D0D8CF5C7B4BF29880993F5211816F83A27D2AB7130975677FB8A05A05BF21D
Instruction Fuzzy Hash: ff68489d249ea03a763d48795c58495ac11dd1cccf96ec934182865f2a9e2114

APIs

GetObjectA.GDI32(00000000,00000054,?), ref: 00428B88
GetDC.USER32(00000000), ref: 00428B99
CreateCompatibleDC.GDI32(00000000), ref: 00428BAA
CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 00428BF6
CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 00428C1A
GetDeviceCaps.GDI32(00000028,0000000C), ref: 00428C6A
GetDeviceCaps.GDI32(00000028,0000000E), ref: 00428C77
SelectObject.GDI32(?,?), ref: 00428D7F

Part of subcall function 004262B4: GetObjectA.GDI32(?,00000004), ref: 004262CB
Part of subcall function 004262B4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 004262EE

SelectObject.GDI32(?,00000000), ref: 00428D21
GetDIBColorTable.GDI32(?,00000000,00000100,-00000027), ref: 00428D47
GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428D72
CreateDIBSection.GDI32(00000028,00000001,00000000,00000003,00000000,00000000), ref: 00428DD5
GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428E36

Part of subcall function 00425A70: GetLastError.KERNEL32(00000000,00425B0C), ref: 00425A90
Part of subcall function 00425A70: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00425B0C), ref: 00425AB6

SelectObject.GDI32(?,?), ref: 00428E77
SelectPalette.GDI32(?,00000000,00000000), ref: 00428EB7
RealizePalette.GDI32(?), ref: 00428EC3
SelectPalette.GDI32(?,?,000000FF), ref: 004290CE

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?,00000000), ref: 00428F14
SetTextColor.GDI32(?,00000000), ref: 00428F2C
SetBkColor.GDI32(?,00000000), ref: 00428F46
SetDIBColorTable.GDI32(?,00000000,00000002,?), ref: 00428F8E
PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 00428FB0
CreateCompatibleDC.GDI32(00000028), ref: 00428FC3
SelectObject.GDI32(?,00000000), ref: 00428FE6
SelectPalette.GDI32(?,00000000,00000000), ref: 00429002
RealizePalette.GDI32(?), ref: 0042900D
DeleteDC.GDI32(?), ref: 004290A4

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetTextColor.GDI32(?,00000000), ref: 0042902B
SetBkColor.GDI32(?,00000000), ref: 00429045
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042906D
SelectPalette.GDI32(?,00000000,000000FF), ref: 0042907F
SelectObject.GDI32(?,00000000), ref: 00429089

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00458910, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64 Total matches: 3020window

Similarity

Total matches: 3020
API ID: GetWindowLongScreenToClient$GetWindowPlacementGetWindowRectIsIconic
String ID: ,
API String ID: 816554555-3772416878
Opcode ID: 33713ad712eb987f005f3c933c072ce84ce87073303cb20338137d5b66c4d54f
Instruction ID: 99fb2dd3f2d8984d329dcc6a20dc6bc7800d43894b91fc45d581d88d3a180e50
Opcode Fuzzy Hash: 34E0929A777C2018C58145A80943F5DB3519B5B7FAC55DF8036902895B110018B1B86D
Instruction Fuzzy Hash: 99fb2dd3f2d8984d329dcc6a20dc6bc7800d43894b91fc45d581d88d3a180e50

APIs

IsIconic.USER32(?), ref: 0045891F
GetWindowPlacement.USER32(?,0000002C), ref: 0045893C
GetWindowRect.USER32(?), ref: 00458955
GetWindowLongA.USER32(?,000000F0), ref: 00458963
GetWindowLongA.USER32(?,000000F8), ref: 00458978
ScreenToClient.USER32(00000000), ref: 00458985
ScreenToClient.USER32(00000000,?), ref: 00458990

Strings

,, xrefs: 00458928

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043B7D8, Relevance: 12.1, APIs: 8, Instructions: 72 Total matches: 256window

Similarity

Total matches: 256
API ID: ShowWindow$SetWindowLong$GetWindowLongIsIconicIsWindowVisible
String ID:
API String ID: 1329766111-0
Opcode ID: 851ee31c2da1c7e890e66181f8fd9237c67ccb8fd941b2d55d1428457ca3ad95
Instruction ID: 2d601e2c9dde570a1438639cb57e59d23a7ac9434ebe8ec1c9926e4533b8e8e7
Opcode Fuzzy Hash: FEE0684A6E7C6CE4E26AE7048881B00514BE307A17DC00B00C722165A69E8830E4AC8E
Instruction Fuzzy Hash: 2d601e2c9dde570a1438639cb57e59d23a7ac9434ebe8ec1c9926e4533b8e8e7

APIs

GetWindowLongA.USER32(?,000000EC), ref: 0043B7E8
IsIconic.USER32(?), ref: 0043B800
IsWindowVisible.USER32(?), ref: 0043B80C
ShowWindow.USER32(?,00000000), ref: 0043B840
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B855
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B866
ShowWindow.USER32(?,00000006), ref: 0043B881
ShowWindow.USER32(?,00000005), ref: 0043B88B

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043E644, Relevance: 10.9, APIs: 7, Instructions: 356 Total matches: 105windowCrypto

Similarity

Total matches: 105
API ID: RestoreDCSaveDC$GetParentGetWindowDCSetFocus
String ID:
API String ID: 1433148327-0
Opcode ID: c7c51054c34f8cc51c1d37cc0cdfc3fb3cac56433bd5d750a0ee7df42f9800ec
Instruction ID: 9e67841575b56d9a11e2d3f15b67e7abce699d8469a9871b1b2609441fc85f19
Opcode Fuzzy Hash: 60514740199E7193F47720842BC3BEAB09AF79671DC40F3616BC6318877F15A21AB70B
Instruction Fuzzy Hash: 9e67841575b56d9a11e2d3f15b67e7abce699d8469a9871b1b2609441fc85f19

APIs

Part of subcall function 00448224: SetActiveWindow.USER32(?), ref: 0044823F
Part of subcall function 00448224: SetFocus.USER32(00000000), ref: 00448289

SetFocus.USER32(00000000), ref: 0043E76F

Part of subcall function 0043F4F4: SendMessageA.USER32(00000000,00000229,00000000,00000000), ref: 0043F51B

Part of subcall function 0044D2F4: GetWindowThreadProcessId.USER32(?), ref: 0044D301
Part of subcall function 0044D2F4: GetCurrentProcessId.KERNEL32(?,00000000,?,004387ED,?,004378A9), ref: 0044D30A
Part of subcall function 0044D2F4: GlobalFindAtomA.KERNEL32(00000000), ref: 0044D31F
Part of subcall function 0044D2F4: GetPropA.USER32(?,00000000), ref: 0044D336

GetParent.USER32(?), ref: 0043E78A

Part of subcall function 00425108: InitializeCriticalSection.KERNEL32(00428600,004285C8,?,00000001,0042875E,?,?,?,004299D5,?,?,004297F5,?,0000000E,00000000,?), ref: 00425128

SaveDC.GDI32(?), ref: 0043E92D
RestoreDC.GDI32(?,?), ref: 0043E99E
GetWindowDC.USER32(00000000), ref: 0043EA0A
SaveDC.GDI32(?), ref: 0043EA41
RestoreDC.GDI32(?,?), ref: 0043EAA5

Part of subcall function 00447EF0: InvalidateRect.USER32(00000000,00000000,000000FF), ref: 00447F83
Part of subcall function 00447EF0: InvalidateRect.USER32(00000000,00000000,000000FF), ref: 00447FB6

Part of subcall function 004556F4: SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000077), ref: 004557E5
Part of subcall function 004556F4: _TrackMouseEvent.COMCTL32(00000010), ref: 00455A9D
Part of subcall function 004556F4: DefWindowProcA.USER32(00000000,?,?,?), ref: 00455AEF
Part of subcall function 004556F4: GetCapture.USER32 ref: 00455B5A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00471850, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 97 Total matches: 34service

Similarity

Total matches: 34
API ID: CloseServiceHandle$CreateServiceOpenSCManager
String ID: Description$System\CurrentControlSet\Services\
API String ID: 2405299899-3489731058
Opcode ID: 96e252074fe1f6aca618bd4c8be8348df4b99afc93868a54bf7090803d280f0a
Instruction ID: 14b9cf690ce9596509c6229b802a5a61d158de39c8e329de654368bbb4824ff8
Opcode Fuzzy Hash: 7EF09E441FA6E84FA45EB84828533D651465713A78D4C77F19778379C34E84802EF662
Instruction Fuzzy Hash: 14b9cf690ce9596509c6229b802a5a61d158de39c8e329de654368bbb4824ff8

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,00471976,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00471890
CreateServiceA.ADVAPI32(00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,0047193B), ref: 004718D1

Part of subcall function 004711E8: RegCreateKeyA.ADVAPI32(?,00000000,?), ref: 0047122E
Part of subcall function 004711E8: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000002,00000000,?,00000000,00471291), ref: 0047125A
Part of subcall function 004711E8: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000002,00000000,?,00000000,00471291), ref: 00471269

CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00471926
CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0047192C

Strings

Description, xrefs: 00471916
System\CurrentControlSet\Services\, xrefs: 004718F7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004714B8, Relevance: 10.6, APIs: 7, Instructions: 89 Total matches: 71service

Similarity

Total matches: 71
API ID: CloseServiceHandle$ControlServiceOpenSCManagerOpenServiceQueryServiceStatusStartService
String ID:
API String ID: 3657116338-0
Opcode ID: 1e9d444eec48d0e419340f6fec950ff588b94c8e7592a950f99d2ba7664d31f8
Instruction ID: f731b938185626ba78ad74946a73eac4c40bc8709c87a2b6d5c22da45b1e1850
Opcode Fuzzy Hash: EDF0270D12C6E85FF119A88C1181B67D992DF56795E4A37E04715744CB1AE21008FA1E
Instruction Fuzzy Hash: f731b938185626ba78ad74946a73eac4c40bc8709c87a2b6d5c22da45b1e1850

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047159E), ref: 004714FD
OpenServiceA.ADVAPI32(00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047152D
StartServiceA.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471555
ControlService.ADVAPI32(00000000,00000001,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471563
QueryServiceStatus.ADVAPI32(00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 0047156D
CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471573
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,0047159E), ref: 00471579

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A070, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51 Total matches: 81shutdown

Similarity

Total matches: 81
API ID: AdjustTokenPrivilegesExitWindowsExGetCurrentProcessLookupPrivilegeValueOpenProcessToken
String ID: SeShutdownPrivilege
API String ID: 907618230-3733053543
Opcode ID: 6325c351eeb4cc5a7ec0039467aea46e8b54e3429b17674810d590d1af91e24f
Instruction ID: 66577e1e564058a64f67eda116e8e082f314cb3670dbe1b8773e92ba7f33d392
Opcode Fuzzy Hash: 84D0124D3B7976B1F31D5D4001C47A6711FDBA322AD61670069507725A8DA091F4BE88
Instruction Fuzzy Hash: 66577e1e564058a64f67eda116e8e082f314cb3670dbe1b8773e92ba7f33d392

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 0048A083
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0048A089
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000000), ref: 0048A0A4
AdjustTokenPrivileges.ADVAPI32(00000002,00000000,00000002,00000010,?,?,00000000), ref: 0048A0E5
ExitWindowsEx.USER32(00000012,00000000), ref: 0048A0ED

Strings

SeShutdownPrivilege, xrefs: 0048A09D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004715B0, Relevance: 7.5, APIs: 5, Instructions: 49 Total matches: 102service

Similarity

Total matches: 102
API ID: CloseServiceHandle$DeleteServiceOpenSCManagerOpenService
String ID:
API String ID: 3460840894-0
Opcode ID: edfa3289dfdb26ec1f91a4a945de349b204e0a604ed3354c303b362bde8b8223
Instruction ID: 514bcffe4070602af344c66095507f6a8d55ec3e3e7bb18c804bf3b7deea95f5
Opcode Fuzzy Hash: 01D02E841BA8F82FD4879988111239360C1AA23A90D8A37F08E08361D3ABE4004CF86A
Instruction Fuzzy Hash: 514bcffe4070602af344c66095507f6a8d55ec3e3e7bb18c804bf3b7deea95f5

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,0047162F), ref: 004715DB
OpenServiceA.ADVAPI32(00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 004715F5
DeleteService.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471601
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 0047160E
CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,0047162F), ref: 00471614

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A218, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45 Total matches: 35

Similarity

Total matches: 35
API ID: ShellExecuteEx
String ID: <$runas
API String ID: 188261505-1187129395
Opcode ID: 78fd917f465efea932f782085a819b786d64ecbded851ad2becd4a9c2b295cba
Instruction ID: 699417cfffd9d2823bf050fc300394e0ca4864bf277244f982f3937778f2d3bc
Opcode Fuzzy Hash: 44D0C2651799A06BC4A3B2C03C41B2B25307B13B48C0EB722960034CD38F080009EF85
Instruction Fuzzy Hash: 699417cfffd9d2823bf050fc300394e0ca4864bf277244f982f3937778f2d3bc

APIs

ShellExecuteExA.SHELL32(0000003C,00000000,0048A2A4), ref: 0048A283

Strings

runas, xrefs: 0048A268
<, xrefs: 0048A24C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042F204, Relevance: 166.5, APIs: 48, Strings: 47, Instructions: 266 Total matches: 2590libraryloader

Similarity

Total matches: 2590
API ID: GetProcAddress$LoadLibrary
String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$[FILE]
API String ID: 2209490600-790253602
Opcode ID: d5b316937265a1d63c550ac9e6780b23ae603b9b00a4eb52bbd2495b45327185
Instruction ID: cdd6db89471e363eb0c024dafd59dce8bdfa3de864d9ed8bc405e7c292d3cab1
Opcode Fuzzy Hash: 3A41197F44EC1149F6A0DA0830FF64324E669EAF2C0325F101587303717ADBF52A6AB9
Instruction Fuzzy Hash: cdd6db89471e363eb0c024dafd59dce8bdfa3de864d9ed8bc405e7c292d3cab1

APIs

LoadLibraryA.KERNEL32(uxtheme.dll), ref: 0042F23A
GetProcAddress.KERNEL32(00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F252
GetProcAddress.KERNEL32(00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F264
GetProcAddress.KERNEL32(00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F276
GetProcAddress.KERNEL32(00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F288
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F29A
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,0042F5B7), ref: 0042F2AC
GetProcAddress.KERNEL32(00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000), ref: 0042F2BE
GetProcAddress.KERNEL32(00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData), ref: 0042F2D0
GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData), ref: 0042F2E2
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground), ref: 0042F2F4
GetProcAddress.KERNEL32(00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText), ref: 0042F306
GetProcAddress.KERNEL32(00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect), ref: 0042F318
GetProcAddress.KERNEL32(00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect), ref: 0042F32A
GetProcAddress.KERNEL32(00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize), ref: 0042F33C
GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent), ref: 0042F34E
GetProcAddress.KERNEL32(00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics), ref: 0042F360
GetProcAddress.KERNEL32(00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion), ref: 0042F372
GetProcAddress.KERNEL32(00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground), ref: 0042F384
GetProcAddress.KERNEL32(00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge), ref: 0042F396
GetProcAddress.KERNEL32(00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon), ref: 0042F3A8
GetProcAddress.KERNEL32(00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined), ref: 0042F3BA
GetProcAddress.KERNEL32(00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent), ref: 0042F3CC
GetProcAddress.KERNEL32(00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor), ref: 0042F3DE
GetProcAddress.KERNEL32(00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric), ref: 0042F3F0
GetProcAddress.KERNEL32(00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString), ref: 0042F402
GetProcAddress.KERNEL32(00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool), ref: 0042F414
GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt), ref: 0042F426
GetProcAddress.KERNEL32(00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue), ref: 0042F438
GetProcAddress.KERNEL32(00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition), ref: 0042F44A
GetProcAddress.KERNEL32(00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont), ref: 0042F45C
GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect), ref: 0042F46E
GetProcAddress.KERNEL32(00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins), ref: 0042F480
GetProcAddress.KERNEL32(00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList), ref: 0042F492
GetProcAddress.KERNEL32(00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin), ref: 0042F4A4
GetProcAddress.KERNEL32(00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme), ref: 0042F4B6
GetProcAddress.KERNEL32(00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename), ref: 0042F4C8
GetProcAddress.KERNEL32(00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor), ref: 0042F4DA
GetProcAddress.KERNEL32(00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush), ref: 0042F4EC
GetProcAddress.KERNEL32(00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool), ref: 0042F4FE
GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize), ref: 0042F510
GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont), ref: 0042F522
GetProcAddress.KERNEL32(00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString), ref: 0042F534
GetProcAddress.KERNEL32(00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt), ref: 0042F546
GetProcAddress.KERNEL32(00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive), ref: 0042F558
GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed), ref: 0042F56A
GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground,00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme), ref: 0042F57C
GetProcAddress.KERNEL32(00000000,EnableTheming,00000000,DrawThemeParentBackground,00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture), ref: 0042F58E

Strings

EnableTheming, xrefs: 0042F586
CloseThemeData, xrefs: 0042F25C
DrawThemeText, xrefs: 0042F280
GetThemePosition, xrefs: 0042F3C4
IsThemeBackgroundPartiallyTransparent, xrefs: 0042F346
GetThemeBool, xrefs: 0042F38E
GetThemeTextMetrics, xrefs: 0042F2DA
IsThemeDialogTextureEnabled, xrefs: 0042F51A
GetThemeMetric, xrefs: 0042F36A
GetThemeSysInt, xrefs: 0042F4C0
GetThemeInt, xrefs: 0042F3A0
SetThemeAppProperties, xrefs: 0042F53E
IsAppThemed, xrefs: 0042F4E4
EnableThemeDialogTexture, xrefs: 0042F508
GetThemeEnumValue, xrefs: 0042F3B2
GetThemeSysSize, xrefs: 0042F48A
GetThemeTextExtent, xrefs: 0042F2C8
DrawThemeBackground, xrefs: 0042F26E
GetThemeBackgroundRegion, xrefs: 0042F2EC
IsThemeActive, xrefs: 0042F4D2
GetThemeBackgroundContentRect, xrefs: 0042F292, 0042F2A4
uxtheme.dll, xrefs: 0042F235
GetThemeSysString, xrefs: 0042F4AE
DrawThemeEdge, xrefs: 0042F310
GetThemeFilename, xrefs: 0042F442
GetThemeIntList, xrefs: 0042F40C
GetThemeSysBool, xrefs: 0042F478
GetThemeSysColor, xrefs: 0042F454
GetThemeFont, xrefs: 0042F3D6
GetWindowTheme, xrefs: 0042F4F6
GetThemeMargins, xrefs: 0042F3FA
GetThemeSysColorBrush, xrefs: 0042F466
GetCurrentThemeName, xrefs: 0042F550
GetThemeAppProperties, xrefs: 0042F52C
GetThemePropertyOrigin, xrefs: 0042F41E
OpenThemeData, xrefs: 0042F24A
GetThemeSysFont, xrefs: 0042F49C
GetThemeRect, xrefs: 0042F3E8
GetThemeDocumentationProperty, xrefs: 0042F562
IsThemePartDefined, xrefs: 0042F334
SetWindowTheme, xrefs: 0042F430
GetThemePartSize, xrefs: 0042F2B6
GetThemeColor, xrefs: 0042F358
DrawThemeParentBackground, xrefs: 0042F574
DrawThemeIcon, xrefs: 0042F322
GetThemeString, xrefs: 0042F37C
HitTestThemeBackground, xrefs: 0042F2FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00460DDC, Relevance: 75.4, APIs: 24, Strings: 19, Instructions: 132 Total matches: 77libraryloader

Similarity

Total matches: 77
API ID: GetProcAddress$LoadLibrary
String ID: EmptyWorkingSet$EnumDeviceDrivers$EnumProcessModules$EnumProcesses$GetDeviceDriverBaseNameA$GetDeviceDriverBaseNameW$GetDeviceDriverFileNameA$GetDeviceDriverFileNameW$GetMappedFileNameA$GetMappedFileNameW$GetModuleBaseNameA$GetModuleBaseNameW$GetModuleFileNameExA$GetModuleFileNameExW$GetModuleInformation$GetProcessMemoryInfo$InitializeProcessForWsWatch$[FILE]$QueryWorkingSet
API String ID: 2209490600-4166134900
Opcode ID: aaefed414f62a40513f9ac2234ba9091026a29d00b8defe743cdf411cc1f958a
Instruction ID: 585c55804eb58d57426aaf25b5bf4c27b161b10454f9e43d23d5139f544de849
Opcode Fuzzy Hash: CC1125BF55AD1149CBA48A6C34EF70324D3399A90D4228F10A492317397DDFE49A1FB5
Instruction Fuzzy Hash: 585c55804eb58d57426aaf25b5bf4c27b161b10454f9e43d23d5139f544de849

APIs

LoadLibraryA.KERNEL32(PSAPI.dll), ref: 00460DF0
GetProcAddress.KERNEL32(00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E0C
GetProcAddress.KERNEL32(00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E1E
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E30
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E42
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E54
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll,?,00461159), ref: 00460E66
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses,PSAPI.dll), ref: 00460E78
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules,00000000,EnumProcesses), ref: 00460E8A
GetProcAddress.KERNEL32(00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,EnumProcessModules), ref: 00460E9C
GetProcAddress.KERNEL32(00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA), ref: 00460EAE
GetProcAddress.KERNEL32(00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA,00000000,GetModuleFileNameExA), ref: 00460EC0
GetProcAddress.KERNEL32(00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA,00000000,GetModuleBaseNameA), ref: 00460ED2
GetProcAddress.KERNEL32(00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW,00000000,GetModuleFileNameExA), ref: 00460EE4
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW,00000000,GetModuleBaseNameW), ref: 00460EF6
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation,00000000,GetModuleFileNameExW), ref: 00460F08
GetProcAddress.KERNEL32(00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet,00000000,GetModuleInformation), ref: 00460F1A
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet,00000000,EmptyWorkingSet), ref: 00460F2C
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch,00000000,QueryWorkingSet), ref: 00460F3E
GetProcAddress.KERNEL32(00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,InitializeProcessForWsWatch), ref: 00460F50
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA), ref: 00460F62
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA), ref: 00460F74
GetProcAddress.KERNEL32(00000000,EnumDeviceDrivers,00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA,00000000,GetDeviceDriverFileNameA), ref: 00460F86
GetProcAddress.KERNEL32(00000000,GetProcessMemoryInfo,00000000,EnumDeviceDrivers,00000000,GetDeviceDriverFileNameW,00000000,GetDeviceDriverBaseNameW,00000000,GetMappedFileNameW,00000000,GetDeviceDriverFileNameA,00000000,GetDeviceDriverBaseNameA,00000000,GetMappedFileNameA), ref: 00460F98

Strings

GetDeviceDriverFileNameA, xrefs: 00460F00, 00460F36
GetModuleInformation, xrefs: 00460E94
QueryWorkingSet, xrefs: 00460EB8
EnumProcessModules, xrefs: 00460E16
InitializeProcessForWsWatch, xrefs: 00460ECA
GetMappedFileNameA, xrefs: 00460EDC, 00460F12
GetDeviceDriverFileNameW, xrefs: 00460F6C
GetDeviceDriverBaseNameA, xrefs: 00460EEE, 00460F24
PSAPI.dll, xrefs: 00460DEB
EnumProcesses, xrefs: 00460E04
EnumDeviceDrivers, xrefs: 00460F7E
GetModuleBaseNameA, xrefs: 00460E28, 00460E4C
GetModuleFileNameExA, xrefs: 00460E3A, 00460E5E
GetDeviceDriverBaseNameW, xrefs: 00460F5A
EmptyWorkingSet, xrefs: 00460EA6
GetModuleFileNameExW, xrefs: 00460E82
GetModuleBaseNameW, xrefs: 00460E70
GetMappedFileNameW, xrefs: 00460F48
GetProcessMemoryInfo, xrefs: 00460F90

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0045D6E8, Relevance: 49.1, APIs: 15, Strings: 13, Instructions: 95 Total matches: 1532libraryloader

Similarity

Total matches: 1532
API ID: GetProcAddress$SetErrorMode$GetModuleHandleLoadLibrary
String ID: ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME$[FILE]
API String ID: 4285671783-683095915
Opcode ID: 6332f91712b4189a2fbf9eac54066364acf4b46419cf90587b9f7381acad85db
Instruction ID: 372e34bc737a7edc69a1909bd40661afaf820c1de602df88552da6e630419b72
Opcode Fuzzy Hash: 0A01257F24D863CBD2D0CE4934DB39D20B65787C0C8D6DF404605318697F9BF9295A68
Instruction Fuzzy Hash: 372e34bc737a7edc69a1909bd40661afaf820c1de602df88552da6e630419b72

APIs

SetErrorMode.KERNEL32(00008000), ref: 0045D701
GetModuleHandleA.KERNEL32(USER32,00000000,0045D84E,?,00008000), ref: 0045D725
GetProcAddress.KERNEL32(00000000,WINNLSEnableIME,USER32,00000000,0045D84E,?,00008000), ref: 0045D732
LoadLibraryA.KERNEL32(imm32.dll), ref: 0045D74E
GetProcAddress.KERNEL32(00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D770
GetProcAddress.KERNEL32(00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D785
GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D79A
GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7AF
GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E,?,00008000), ref: 0045D7C4
GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,0045D84E), ref: 0045D7D9
GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000), ref: 0045D7EE
GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext), ref: 0045D803
GetProcAddress.KERNEL32(00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext), ref: 0045D818
GetProcAddress.KERNEL32(00000000,ImmNotifyIME,00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus), ref: 0045D82D
SetErrorMode.KERNEL32(?,0045D855,00008000), ref: 0045D848

Strings

USER32, xrefs: 0045D720
ImmReleaseContext, xrefs: 0045D77A
ImmNotifyIME, xrefs: 0045D822
ImmIsIME, xrefs: 0045D80D
ImmGetConversionStatus, xrefs: 0045D78F
ImmSetCompositionFontA, xrefs: 0045D7E3
ImmGetCompositionStringA, xrefs: 0045D7F8
ImmSetCompositionWindow, xrefs: 0045D7CE
ImmGetContext, xrefs: 0045D765
imm32.dll, xrefs: 0045D749
ImmSetOpenStatus, xrefs: 0045D7B9
WINNLSEnableIME, xrefs: 0045D72C
ImmSetConversionStatus, xrefs: 0045D7A4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004104F0, Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141 Total matches: 3143

Similarity

Total matches: 3143
API ID: GetModuleHandle
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$[FILE]
API String ID: 2196120668-1102361026
Opcode ID: d04b3c176625d43589df9c4c1eaa1faa8af9b9c00307a8a09859a0e62e75f2dc
Instruction ID: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6
Opcode Fuzzy Hash: B8119E48E06A10BC356E3ED6B0292683F50A1A7CBF31D5388487AA46F067C083C0FF2D
Instruction Fuzzy Hash: 3e0e8e44f8653f56bfd54199f9d2ae0a6c5e1b9c712ee17d7f60e23d678113a6

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 004104F9

Part of subcall function 004104C4: GetProcAddress.KERNEL32(00000000), ref: 004104DD

Strings

VarMod, xrefs: 004105B7
VarBstrFromCy, xrefs: 004106A9
VarBstrFromBool, xrefs: 004106D5
VarAnd, xrefs: 004105CD
VarDateFromStr, xrefs: 00410667
oleaut32.dll, xrefs: 004104F4
VariantChangeTypeEx, xrefs: 00410507
VarCmp, xrefs: 0041060F
VarBstrFromDate, xrefs: 004106BF
VarBoolFromStr, xrefs: 00410693
VarR8FromStr, xrefs: 00410651
VarR4FromStr, xrefs: 0041063B
VarDiv, xrefs: 0041058B
VarSub, xrefs: 0041055F
VarNeg, xrefs: 0041051D
VarAdd, xrefs: 00410549
VarOr, xrefs: 004105E3
VarMul, xrefs: 00410575
VarI4FromStr, xrefs: 00410625
VarCyFromStr, xrefs: 0041067D
VarIdiv, xrefs: 004105A1
VarXor, xrefs: 004105F9
VarNot, xrefs: 00410533

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004291D0, Relevance: 31.7, APIs: 21, Instructions: 194 Total matches: 3060window

Similarity

Total matches: 3060
API ID: SelectObject$CreateCompatibleDCDeleteDCRealizePaletteSelectPaletteSetBkColor$BitBltCreateBitmapDeleteObjectGetDCGetObjectPatBltReleaseDC
String ID:
API String ID: 628774946-0
Opcode ID: fe3971f2977393a3c43567018b8bbe78de127415e632ac21538e816cc0dd5250
Instruction ID: 6115c1c3159ef7867d394253bd6a45f4e10092e6f2e7cc69ab30c5ac2c74a228
Opcode Fuzzy Hash: 2911294A05CCF32B64B579881983B261182FE43B52CABF7105979272CACF41740DE457
Instruction Fuzzy Hash: 6115c1c3159ef7867d394253bd6a45f4e10092e6f2e7cc69ab30c5ac2c74a228

APIs

GetObjectA.GDI32(?,00000054,?), ref: 004291F3
GetDC.USER32(00000000), ref: 00429221
CreateCompatibleDC.GDI32(?), ref: 00429232
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0042924D
SelectObject.GDI32(?,00000000), ref: 00429267
PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 00429289
CreateCompatibleDC.GDI32(?), ref: 00429297
DeleteDC.GDI32(?), ref: 0042937D

Part of subcall function 00428B08: GetObjectA.GDI32(00000000,00000054,?), ref: 00428B88
Part of subcall function 00428B08: GetDC.USER32(00000000), ref: 00428B99
Part of subcall function 00428B08: CreateCompatibleDC.GDI32(00000000), ref: 00428BAA
Part of subcall function 00428B08: CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 00428BF6
Part of subcall function 00428B08: CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 00428C1A
Part of subcall function 00428B08: GetDeviceCaps.GDI32(00000028,0000000C), ref: 00428C6A
Part of subcall function 00428B08: GetDeviceCaps.GDI32(00000028,0000000E), ref: 00428C77
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00428D21
Part of subcall function 00428B08: GetDIBColorTable.GDI32(?,00000000,00000100,-00000027), ref: 00428D47
Part of subcall function 00428B08: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428D72
Part of subcall function 00428B08: SelectObject.GDI32(?,?), ref: 00428D7F
Part of subcall function 00428B08: CreateDIBSection.GDI32(00000028,00000001,00000000,00000003,00000000,00000000), ref: 00428DD5
Part of subcall function 00428B08: GetDIBits.GDI32(?,00000000,00000000,?,00000000,00000001,00000000), ref: 00428E36
Part of subcall function 00428B08: SelectObject.GDI32(?,?), ref: 00428E77
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,00000000), ref: 00428EB7
Part of subcall function 00428B08: RealizePalette.GDI32(?), ref: 00428EC3
Part of subcall function 00428B08: FillRect.USER32(?,?,00000000), ref: 00428F14
Part of subcall function 00428B08: SetTextColor.GDI32(?,00000000), ref: 00428F2C
Part of subcall function 00428B08: SetBkColor.GDI32(?,00000000), ref: 00428F46
Part of subcall function 00428B08: SetDIBColorTable.GDI32(?,00000000,00000002,?), ref: 00428F8E
Part of subcall function 00428B08: PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 00428FB0
Part of subcall function 00428B08: CreateCompatibleDC.GDI32(00000028), ref: 00428FC3
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00428FE6
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,00000000), ref: 00429002
Part of subcall function 00428B08: RealizePalette.GDI32(?), ref: 0042900D
Part of subcall function 00428B08: SetTextColor.GDI32(?,00000000), ref: 0042902B
Part of subcall function 00428B08: SetBkColor.GDI32(?,00000000), ref: 00429045
Part of subcall function 00428B08: BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042906D
Part of subcall function 00428B08: SelectPalette.GDI32(?,00000000,000000FF), ref: 0042907F
Part of subcall function 00428B08: SelectObject.GDI32(?,00000000), ref: 00429089
Part of subcall function 00428B08: DeleteDC.GDI32(?), ref: 004290A4
Part of subcall function 00428B08: SelectPalette.GDI32(?,?,000000FF), ref: 004290CE

SelectObject.GDI32(?), ref: 004292DF
SelectPalette.GDI32(?,?,00000000), ref: 004292F2
RealizePalette.GDI32(?), ref: 004292FB
SelectPalette.GDI32(?,?,00000000), ref: 00429307
RealizePalette.GDI32(?), ref: 00429310
SetBkColor.GDI32(?), ref: 0042931A
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042933E
SetBkColor.GDI32(?,00000000), ref: 00429348
SelectObject.GDI32(?,00000000), ref: 0042935B
DeleteObject.GDI32 ref: 00429367
SelectObject.GDI32(?,00000000), ref: 00429398
DeleteDC.GDI32(00000000), ref: 004293B4
ReleaseDC.USER32(00000000,00000000), ref: 004293C5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004031FC, Relevance: 27.1, APIs: 9, Strings: 9, Instructions: 110 Total matches: 169

Similarity

Total matches: 169
API ID: CharNext
String ID: $ $ $"$"$"$"$"$"
API String ID: 3213498283-3597982963
Opcode ID: a78e52ca640c3a7d11d18e4cac849d6c7481ab065be4a6ef34a7c34927dd7892
Instruction ID: 5d6dbb870b020a65ba4fa9e31a5dda400ef744f15fc7bff5e21739e263984da5
Opcode Fuzzy Hash: D0F054139ED4432360976B416872B44E2D0DF9564D2C01F185B62BE2F31E696D62F9DC
Instruction Fuzzy Hash: 5d6dbb870b020a65ba4fa9e31a5dda400ef744f15fc7bff5e21739e263984da5

APIs

CharNextA.USER32(00000000), ref: 00403208
CharNextA.USER32(00000000), ref: 00403236
CharNextA.USER32(00000000), ref: 00403240
CharNextA.USER32(00000000), ref: 0040325F
CharNextA.USER32(00000000), ref: 00403269
CharNextA.USER32(00000000), ref: 00403295
CharNextA.USER32(00000000), ref: 0040329F
CharNextA.USER32(00000000), ref: 004032C7
CharNextA.USER32(00000000), ref: 004032D1

Strings

", xrefs: 00403230
, xrefs: 004032E9
", xrefs: 0040328F
", xrefs: 0040321E
, xrefs: 00403214
", xrefs: 00403254
, xrefs: 00403278
", xrefs: 00403219
", xrefs: 004032BC

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004296E0, Relevance: 21.2, APIs: 14, Instructions: 217 Total matches: 2962window

Similarity

Total matches: 2962
API ID: GetDeviceCapsSelectObjectSelectPaletteSetStretchBltMode$CreateCompatibleDCDeleteDCGetBrushOrgExRealizePaletteSetBrushOrgExStretchBlt
String ID:
API String ID: 3308931694-0
Opcode ID: c4f23efe5e20e7f72d9787206ae9d4d4484ef6a1768b369050ebc0ce3d21af64
Instruction ID: 6e80a75276815f297b150d1899ec2451361d21afa1efcd092d0d7bc48a04164e
Opcode Fuzzy Hash: 2C21980A409CEB6BF0BB78840183F4A2285BF9B34ACD1BB210E64673635F04E40BD65F
Instruction Fuzzy Hash: 6e80a75276815f297b150d1899ec2451361d21afa1efcd092d0d7bc48a04164e

APIs

Part of subcall function 00429D5C: GetDC.USER32(00000000), ref: 00429DB2
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429DC7
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00429DD1
Part of subcall function 00429D5C: CreateHalftonePalette.GDI32(00000000), ref: 00429DF5
Part of subcall function 00429D5C: ReleaseDC.USER32(00000000,00000000), ref: 00429E00

SelectPalette.GDI32(?,?,000000FF), ref: 00429723
RealizePalette.GDI32(?), ref: 00429732
GetDeviceCaps.GDI32(?,0000000C), ref: 00429744
GetDeviceCaps.GDI32(?,0000000E), ref: 00429753
GetBrushOrgEx.GDI32(?,?), ref: 00429786
SetStretchBltMode.GDI32(?,00000004), ref: 00429794
SetBrushOrgEx.GDI32(?,?,?,?), ref: 004297AC
SetStretchBltMode.GDI32(00000000,00000003), ref: 004297C9
SelectPalette.GDI32(?,?,000000FF), ref: 00429918

Part of subcall function 00429CFC: DeleteObject.GDI32(?), ref: 00429D1F

CreateCompatibleDC.GDI32(00000000), ref: 0042982A
SelectObject.GDI32(?,?), ref: 0042983F

Part of subcall function 00425CC8: CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 00425D0B
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425D20
Part of subcall function 00425CC8: MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,CCAA0029), ref: 00425D64
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425D7E
Part of subcall function 00425CC8: DeleteObject.GDI32(?), ref: 00425D8A
Part of subcall function 00425CC8: CreateCompatibleDC.GDI32(00000000), ref: 00425D9E
Part of subcall function 00425CC8: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00425DBF
Part of subcall function 00425CC8: SelectObject.GDI32(?,?), ref: 00425DD4
Part of subcall function 00425CC8: SelectPalette.GDI32(?,48080787,00000000), ref: 00425DE8
Part of subcall function 00425CC8: SelectPalette.GDI32(?,?,00000000), ref: 00425DFA
Part of subcall function 00425CC8: SelectPalette.GDI32(?,00000000,000000FF), ref: 00425E0F
Part of subcall function 00425CC8: SelectPalette.GDI32(?,48080787,000000FF), ref: 00425E25
Part of subcall function 00425CC8: RealizePalette.GDI32(?), ref: 00425E31
Part of subcall function 00425CC8: StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 00425E53
Part of subcall function 00425CC8: StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 00425E75
Part of subcall function 00425CC8: SetTextColor.GDI32(?,00000000), ref: 00425E7D
Part of subcall function 00425CC8: SetBkColor.GDI32(?,00FFFFFF), ref: 00425E8B
Part of subcall function 00425CC8: StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 00425EB7
Part of subcall function 00425CC8: StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 00425EDC
Part of subcall function 00425CC8: SetTextColor.GDI32(?,?), ref: 00425EE6
Part of subcall function 00425CC8: SetBkColor.GDI32(?,?), ref: 00425EF0
Part of subcall function 00425CC8: SelectObject.GDI32(?,00000000), ref: 00425F03
Part of subcall function 00425CC8: DeleteObject.GDI32(?), ref: 00425F0C
Part of subcall function 00425CC8: SelectPalette.GDI32(?,00000000,00000000), ref: 00425F2E
Part of subcall function 00425CC8: DeleteDC.GDI32(?), ref: 00425F37

SelectObject.GDI32(?,00000000), ref: 0042989E
DeleteDC.GDI32(00000000), ref: 004298AD
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,?), ref: 004298F3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048D3C4, Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 132 Total matches: 32

Similarity

Total matches: 32
API ID: GetVersionEx
String ID: Unknow$Windows 2000$Windows 7$Windows 95$Windows 98$Windows Me$Windows NT 4.0$Windows Server 2003$Windows Vista$Windows XP
API String ID: 3908303307-3783844371
Opcode ID: 7b5a5832e5fd12129a8a2e2906a492b9449b8df28a17af9cc2e55bced20de565
Instruction ID: b844ed6b70e0e94de659292c354b68b9ed016400ab421bcb6baea74a0809c2ae
Opcode Fuzzy Hash: 0C11ACC1EB6CE422E7B219486410BD59E805F8B83AFCCC343D63EA83E46D491419F22D
Instruction Fuzzy Hash: b844ed6b70e0e94de659292c354b68b9ed016400ab421bcb6baea74a0809c2ae

APIs

GetVersionExA.KERNEL32(00000094), ref: 0048D410

Strings

Windows Me, xrefs: 0048D4F2
Windows NT 4.0, xrefs: 0048D441
Windows 2000, xrefs: 0048D467
Windows 95, xrefs: 0048D4D6
Windows 7, xrefs: 0048D4B1
Unknow, xrefs: 0048D3F5
Windows Vista, xrefs: 0048D4A3
Windows Server 2003, xrefs: 0048D486
Windows XP, xrefs: 0048D478
Windows 98, xrefs: 0048D4E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C494, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 102 Total matches: 27filememorythread

Similarity

Total matches: 27
API ID: CloseHandle$CreateFileCreateThreadFindResourceLoadResourceLocalAllocLockResourceSizeofResourceWriteFile
String ID: [FILE]
API String ID: 67866216-124780900
Opcode ID: 96c988e38e59b89ff17cc2eaece477f828ad8744e4a6eccd5192cfbc043553d8
Instruction ID: 630cc112895e8414539e3ba5b7ba0394fd4404f3832c6fa9d37db38bf09270f9
Opcode Fuzzy Hash: D5F02B8A57A5E6A3F0003C841D423D286D55B13B20E582B62C57CB75C1FE24502AFB03
Instruction Fuzzy Hash: 630cc112895e8414539e3ba5b7ba0394fd4404f3832c6fa9d37db38bf09270f9

APIs

FindResourceA.KERNEL32(00000000,?,?), ref: 0048C4C3

Part of subcall function 00489BB0: GetTempPathA.KERNEL32(?,00000000), ref: 00489BEC

CreateFileA.KERNEL32(00000000,.dll,?,?,40000000,00000002,00000000), ref: 0048C50F
SizeofResource.KERNEL32(00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC,?,?,?,?,00000000,00000000,00000000), ref: 0048C51F
LoadResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C528
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C52E
WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0048C535
CloseHandle.KERNEL32(00000000), ref: 0048C53B
LocalAlloc.KERNEL32(00000040,00000004,00000000,00000000,00000000,00000000,?,00000000,00000002,00000080,00000000,00000000,0048C5AC), ref: 0048C544
CreateThread.KERNEL32(00000000,00000000,0048C3E4,00000000,00000000,?), ref: 0048C586
CloseHandle.KERNEL32(00000000), ref: 0048C58C

Strings

.dll, xrefs: 0048C4F4, 0048C565

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004328FC, Relevance: 18.1, APIs: 12, Instructions: 142 Total matches: 2670

Similarity

Total matches: 2670
API ID: GetSystemMetricsGetWindowLong$ExcludeClipRectFillRectGetSysColorBrushGetWindowDCGetWindowRectInflateRectOffsetRectReleaseDC
String ID:
API String ID: 3932036319-0
Opcode ID: 76064c448b287af48dc2af56ceef959adfeb7e49e56a31cb381aae6292753b0b
Instruction ID: f04c829c48dd0ecc4740a09c532db4e7ffce190e9eba6ce852bb2d0274806371
Opcode Fuzzy Hash: 03019760024F1233E0B31AC05DC7F127621ED45386CA4BBF28BF6A72C962AA7006F467
Instruction Fuzzy Hash: f04c829c48dd0ecc4740a09c532db4e7ffce190e9eba6ce852bb2d0274806371

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 00432917
GetWindowRect.USER32(00000000,?), ref: 00432932
OffsetRect.USER32(?,?,?), ref: 00432947
GetWindowDC.USER32(00000000), ref: 00432955
GetWindowLongA.USER32(00000000,000000F0), ref: 00432986
GetSystemMetrics.USER32(00000002), ref: 0043299B
GetSystemMetrics.USER32(00000003), ref: 004329A4
InflateRect.USER32(?,000000FE,000000FE), ref: 004329B3
GetSysColorBrush.USER32(0000000F), ref: 004329E0
FillRect.USER32(?,?,00000000), ref: 004329EE
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00432A13
ReleaseDC.USER32(00000000,?), ref: 00432A51

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00402820, Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 254 Total matches: 200window

Similarity

Total matches: 200
API ID: MessageBox
String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
API String ID: 1250089747-1256731999
Opcode ID: 490897b8e9acac750f9d51d50a768472c0795dbdc6439b18441db86d626ce938
Instruction ID: 76dfa530adb1b8c2cc13e2667be7c25ba156ed0594aa9714788bfb3d1a0eda85
Opcode Fuzzy Hash: 0731F44BA7DDC3A2D3E91303684575550E2A7C5537C888F609772317F6EE04250BAAAD
Instruction Fuzzy Hash: 76dfa530adb1b8c2cc13e2667be7c25ba156ed0594aa9714788bfb3d1a0eda85

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 00402BBE

Strings

An unexpected memory leak has occurred. , xrefs: 00402980
String, xrefs: 00402A91
, xrefs: 00402B04
Unknown, xrefs: 00402A7C
The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402B39
The unexpected small block leaks are:, xrefs: 004029F7
Unexpected Memory Leak, xrefs: 00402BB0
7, xrefs: 00402991
bytes: , xrefs: 00402A4D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F17C, Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 116 Total matches: 33window

Similarity

Total matches: 33
API ID: GetWindowPlacementGetWindowTextIsWindowVisible
String ID: ,$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive$True
API String ID: 41250382-511446200
Opcode ID: 2a93bd2407602c988be198f02ecb64933adb9ffad78aee0f75abc9a1a22a1849
Instruction ID: 8f95e1a452f283c9d6a5f9db166b7f7b6e325fa1ebf04232aa01919826a7e185
Opcode Fuzzy Hash: F5012D8237CECA73DA0AAEC47C00B80D5A5AF63224CC867A14A9D3D1D41ED06009AB4A
Instruction Fuzzy Hash: 8f95e1a452f283c9d6a5f9db166b7f7b6e325fa1ebf04232aa01919826a7e185

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F1D2
GetWindowPlacement.USER32(?,0000002C), ref: 0046F1ED
IsWindowVisible.USER32(?), ref: 0046F258

Part of subcall function 0046F148: GetWindow.USER32(?,00000005), ref: 0046F156
Part of subcall function 0046F148: GetWindow.USER32(00000000,00000002), ref: 0046F164

Strings

,, xrefs: 0046F1E1
Minimized, xrefs: 0046F225
Show/Unactive, xrefs: 0046F239
True, xrefs: 0046F2AA
Maximized, xrefs: 0046F1FD
Normal, xrefs: 0046F211
Normal/Unactive, xrefs: 0046F24D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E71C, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 109 Total matches: 2989

Similarity

Total matches: 2989
API ID: IntersectRect$GetSystemMetrics$EnumDisplayMonitorsGetClipBoxGetDCOrgExOffsetRect
String ID: EnumDisplayMonitors
API String ID: 2403121106-2491903729
Opcode ID: 52db4d6629bbd73772140d7e04a91d47a072080cb3515019dbe85a8b86b11587
Instruction ID: b4557ab74b20c8893b9e8c5043286aecf6e43751f6ec849995a879e485a4fa77
Opcode Fuzzy Hash: 60F02B4B413C0863AD32BB953067E2601615BD3955C9F7BF34D077A2091B85B42EF643
Instruction Fuzzy Hash: b4557ab74b20c8893b9e8c5043286aecf6e43751f6ec849995a879e485a4fa77

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 0042E755
GetSystemMetrics.USER32(00000000), ref: 0042E77A
GetSystemMetrics.USER32(00000001), ref: 0042E785
GetClipBox.GDI32(?,?), ref: 0042E797
GetDCOrgEx.GDI32(?,?), ref: 0042E7A4
OffsetRect.USER32(?,?,?), ref: 0042E7BD
IntersectRect.USER32(?,?,?), ref: 0042E7CE
IntersectRect.USER32(?,?,?), ref: 0042E7E4
IntersectRect.USER32(?,?,?), ref: 0042E804

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

EnumDisplayMonitors, xrefs: 0042E734

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044D1B0, Relevance: 16.6, APIs: 11, Instructions: 91 Total matches: 309

Similarity

Total matches: 309
API ID: GetWindowLongSetWindowLong$SetProp$IsWindowUnicode
String ID:
API String ID: 2416549522-0
Opcode ID: cc33e88019e13a6bdd1cd1f337bb9aa08043e237bf24f75c2294c70aefb51ea5
Instruction ID: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692
Opcode Fuzzy Hash: 47F09048455D92E9CE316990181BFEB6098AF57F91CE86B0469C2713778E50F079BCC2
Instruction Fuzzy Hash: d84664f19a4f46d6539516d273d2e447774350a85e58f970142feaf3bff04692

APIs

IsWindowUnicode.USER32(?), ref: 0044D1CA
SetWindowLongW.USER32(?,000000FC,?), ref: 0044D1E5
GetWindowLongW.USER32(?,000000F0), ref: 0044D1F0
GetWindowLongW.USER32(?,000000F4), ref: 0044D202
SetWindowLongW.USER32(?,000000F4,?), ref: 0044D215
SetWindowLongA.USER32(?,000000FC,?), ref: 0044D22E
GetWindowLongA.USER32(?,000000F0), ref: 0044D239
GetWindowLongA.USER32(?,000000F4), ref: 0044D24B
SetWindowLongA.USER32(?,000000F4,?), ref: 0044D25E
SetPropA.USER32(?,00000000,00000000), ref: 0044D275
SetPropA.USER32(?,00000000,00000000), ref: 0044D28C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048A8AC, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 146 Total matches: 45fileprocesssynchronization

Similarity

Total matches: 45
API ID: CloseHandle$CreateFile$CreateProcessWaitForSingleObject
String ID: D
API String ID: 1169714791-2746444292
Opcode ID: 9fb844b51f751657abfdf9935c21911306aa385a3997c9217fbe2ce6b668f812
Instruction ID: 79e473b7fda91be69f4d7f417df14a4c992ec25b9310636d694ca9e09f5cc5b6
Opcode Fuzzy Hash: 4D11E6431384F3F3F1A567002C8275185D6DB45A78E6D9752D6B6323EECB40A16CF94A
Instruction Fuzzy Hash: 79e473b7fda91be69f4d7f417df14a4c992ec25b9310636d694ca9e09f5cc5b6

APIs

Part of subcall function 0040A26C: GetFileAttributesA.KERNEL32(00000000,?,0048F947,.dcp,?,?,00000000,0048FA09,?,00000000,00490656,?,?,?,?,0000002F), ref: 0040A277

CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000004,00000100,00000000), ref: 0048A953
CreateFileA.KERNEL32(?,C0000000,00000003,0000000C,00000002,00000100,00000000), ref: 0048A98D
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000110,00000000,00000000,00000044,?), ref: 0048AA10
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0048AA2D
CloseHandle.KERNEL32(00000000), ref: 0048AA68
CloseHandle.KERNEL32(00000000), ref: 0048AA77
CloseHandle.KERNEL32(00000000), ref: 0048AA86
CloseHandle.KERNEL32(00000000), ref: 0048AA95

Strings

D, xrefs: 0048A9BB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F3B8, Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 110 Total matches: 30

Similarity

Total matches: 30
API ID: GetWindowPlacementGetWindowText
String ID: ,$False$Maximized$Minimized$Normal$Normal/Unactive$Show/Unactive
API String ID: 3194812178-3661939895
Opcode ID: 6e67ebc189e59b109926b976878c05c5ff8e56a7c2fe83319816f47c7d386b2c
Instruction ID: 05c2a068ec8248d3d24fb73124f2ba0192b7bb261c799db9564259cde8fcc610
Opcode Fuzzy Hash: DC012BC22786CE23E606A9C47A00BD0CE65AFB261CCC867E14FEE3C5D57ED100089B96
Instruction Fuzzy Hash: 05c2a068ec8248d3d24fb73124f2ba0192b7bb261c799db9564259cde8fcc610

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F40E
GetWindowPlacement.USER32(?,0000002C), ref: 0046F429

Part of subcall function 0046F148: GetWindow.USER32(?,00000005), ref: 0046F156
Part of subcall function 0046F148: GetWindow.USER32(00000000,00000002), ref: 0046F164

Strings

Maximized, xrefs: 0046F439
,, xrefs: 0046F41D
False, xrefs: 0046F4D6
Show/Unactive, xrefs: 0046F475
Normal, xrefs: 0046F44D
Minimized, xrefs: 0046F461
Normal/Unactive, xrefs: 0046F489

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00456278, Relevance: 15.2, APIs: 10, Instructions: 197 Total matches: 3025

Similarity

Total matches: 3025
API ID: GetWindowLong$IntersectClipRectRestoreDCSaveDC
String ID:
API String ID: 3006731778-0
Opcode ID: 42e9e34b880910027b3e3a352b823e5a85719ef328f9c6ea61aaf2d3498d6580
Instruction ID: 4204c0258dd60c0c2688d7e8ce7edc9cd036ce1826430425374ca7ebdb7834a4
Opcode Fuzzy Hash: 4621F609168D5267EC7B75806993BAA7111FB82B88CD1F7321AA1171975B80204BFA07
Instruction Fuzzy Hash: 4204c0258dd60c0c2688d7e8ce7edc9cd036ce1826430425374ca7ebdb7834a4

APIs

SaveDC.GDI32(?), ref: 00456295

Part of subcall function 0044EEA0: GetWindowOrgEx.GDI32(?), ref: 0044EEAE
Part of subcall function 0044EEA0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044EEC4

IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 004562CE
GetWindowLongA.USER32(00000000,000000EC), ref: 004562E2
GetWindowLongA.USER32(00000000,000000F0), ref: 00456303

Part of subcall function 00456278: SetRect.USER32(00000010,00000000,00000000,?,?), ref: 00456363
Part of subcall function 00456278: IntersectClipRect.GDI32(?,00000000,00000000,00000010,?), ref: 004563D3
Part of subcall function 00456278: SetRect.USER32(?,00000000,00000000,?,?), ref: 004563F4
Part of subcall function 00456278: DrawEdge.USER32(?,?,00000000,00000000), ref: 00456403
Part of subcall function 00456278: IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0045642C

RestoreDC.GDI32(?,?), ref: 004564AB

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044155C, Relevance: 15.1, APIs: 10, Instructions: 74 Total matches: 3192window

Similarity

Total matches: 3192
API ID: DeleteMenu$EnableMenuItem$GetSystemMenu
String ID:
API String ID: 3542995237-0
Opcode ID: 6b257927fe0fdeada418aad578b82fbca612965c587f2749ccb5523ad42afade
Instruction ID: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578
Opcode Fuzzy Hash: 0AF0D09DD98F1151E6F500410C47B83C08AFF413C5C245B380583217EFA9D25A5BEB0E
Instruction Fuzzy Hash: 893a823d17f08dbb77c029e00a28485b554c66551bd1c50c1346294f89d5b578

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 004415A7
DeleteMenu.USER32(00000000,0000F130,00000000), ref: 004415C5
DeleteMenu.USER32(00000000,00000007,00000400), ref: 004415D2
DeleteMenu.USER32(00000000,00000005,00000400), ref: 004415DF
DeleteMenu.USER32(00000000,0000F030,00000000), ref: 004415EC
DeleteMenu.USER32(00000000,0000F020,00000000), ref: 004415F9
DeleteMenu.USER32(00000000,0000F000,00000000), ref: 00441606
DeleteMenu.USER32(00000000,0000F120,00000000), ref: 00441613
EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 00441631
EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 0044164D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040281E, Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 188 Total matches: 190window

Similarity

Total matches: 190
API ID: MessageBox
String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
API String ID: 1250089747-980038931
Opcode ID: 1669ecd234b97cdbd14c3df7a35b1e74c6856795be7635a3e0f5130a3d9bc831
Instruction ID: 2e60dbe28dcd1d3aa5670394eea0bc97309ab4bc9661f15f320bab8b5d4cd559
Opcode Fuzzy Hash: 8E21F44B67EED392D3EA1303384575540E3ABC5537D888F60977232BF6EE14140BAA9D
Instruction Fuzzy Hash: 2e60dbe28dcd1d3aa5670394eea0bc97309ab4bc9661f15f320bab8b5d4cd559

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 00402BBE

Strings

An unexpected memory leak has occurred. , xrefs: 00402980
, xrefs: 00402B04
The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402B39
The unexpected small block leaks are:, xrefs: 004029F7
Unexpected Memory Leak, xrefs: 00402BB0
7, xrefs: 00402991
bytes: , xrefs: 00402A4D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004710F0, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 66 Total matches: 37

Similarity

Total matches: 37
API ID: GetWindowShowWindow$FindWindowGetClassName
String ID: BUTTON$Shell_TrayWnd
API String ID: 2948047570-3627955571
Opcode ID: 9e064d9ead1b610c0c1481de5900685eb7d76be14ef2e83358ce558d27e67668
Instruction ID: d360bd029940f6fa4d12d7627fe3e8b46839e67e31e965d43504e39a11938d6c
Opcode Fuzzy Hash: 68E092CC17B5D469B71A2789284236241D5C763A35C18B752D332376DF8E58021EE60A
Instruction Fuzzy Hash: d360bd029940f6fa4d12d7627fe3e8b46839e67e31e965d43504e39a11938d6c

APIs

FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 0047111D
GetWindow.USER32(00000000,00000005), ref: 00471125
GetClassNameA.USER32(00000000,?,00000080), ref: 0047113D
ShowWindow.USER32(00000000,00000001), ref: 0047117C
ShowWindow.USER32(00000000,00000000), ref: 00471186
GetWindow.USER32(00000000,00000002), ref: 0047118E

Strings

BUTTON, xrefs: 00471168
Shell_TrayWnd, xrefs: 00471118

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004564D0, Relevance: 13.7, APIs: 9, Instructions: 177 Total matches: 190window

Similarity

Total matches: 190
API ID: SelectObject$BeginPaintBitBltCreateCompatibleBitmapCreateCompatibleDCSetWindowOrgEx
String ID:
API String ID: 1616898104-0
Opcode ID: 00b711a092303d63a394b0039c66d91bff64c6bf82b839551a80748cfcb5bf1e
Instruction ID: 1affb125a654ca7596d0e4f6c4811def945eff925a29ebecd1c68cf0f38a7913
Opcode Fuzzy Hash: 14115B85024DA637E8739CC85E83F962294F307D48C91F7729BA31B2C72F15600DD293
Instruction Fuzzy Hash: 1affb125a654ca7596d0e4f6c4811def945eff925a29ebecd1c68cf0f38a7913

APIs

Part of subcall function 00455D50: BeginPaint.USER32(00000000,?), ref: 00455D7B
Part of subcall function 00455D50: SaveDC.GDI32(00000000), ref: 00455DB4
Part of subcall function 00455D50: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 00455E36
Part of subcall function 00455D50: RestoreDC.GDI32(00000000,00000000), ref: 00455E6C
Part of subcall function 00455D50: EndPaint.USER32(00000000,?), ref: 00455EA9

BeginPaint.USER32(00000000,?), ref: 004565EA
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00456600
CreateCompatibleDC.GDI32(00000000), ref: 00456617
SelectObject.GDI32(?,?), ref: 00456627
SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0045664B

Part of subcall function 004564D0: BeginPaint.USER32(00000000,?), ref: 0045653C
Part of subcall function 004564D0: EndPaint.USER32(00000000,?), ref: 004565D0

BitBlt.GDI32(00000000,?,?,?,?,?,?,?,00CC0020), ref: 00456699
SelectObject.GDI32(?,?), ref: 004566B3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004840D8, Relevance: 13.6, APIs: 9, Instructions: 150 Total matches: 30

Similarity

Total matches: 30
API ID: CloseHandleGetTokenInformationLookupAccountSid$GetLastErrorOpenProcessOpenProcessToken
String ID:
API String ID: 1387212650-0
Opcode ID: 55fc45e655e8bcad6bc41288bae252f5ee7be0b7cb976adfe173a6785b05be5f
Instruction ID: 4c6b5abeafcca947752a893948ed48d42e020b1fe5683f4a654fc51f6199c0a3
Opcode Fuzzy Hash: 3901484A17CA2293F53BB5C82483FEA1215E702B45D48B7A354F43A59A5F45A13BF702
Instruction Fuzzy Hash: 4c6b5abeafcca947752a893948ed48d42e020b1fe5683f4a654fc51f6199c0a3

APIs

OpenProcess.KERNEL32(00000400,00000000,?,00000000,00484275), ref: 00484108
OpenProcessToken.ADVAPI32(00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 0048411E
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,?,00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 00484139
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),?,?,?,?,TokenIntegrityLevel,00000000,00000000,?,00000000,00000008,?,00000400,00000000), ref: 00484168
GetLastError.KERNEL32(?,TokenIntegrityLevel,00000000,00000000,?,00000000,00000008,?,00000400,00000000,?,00000000,00484275), ref: 00484177
CloseHandle.KERNEL32(?), ref: 00484185
LookupAccountSidA.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 004841B4
LookupAccountSidA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,?), ref: 00484205
CloseHandle.KERNEL32(00000000), ref: 00484255

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00451458, Relevance: 13.6, APIs: 9, Instructions: 122 Total matches: 3040window

Similarity

Total matches: 3040
API ID: PatBlt$SelectObject$GetDCExGetDesktopWindowReleaseDC
String ID:
API String ID: 2402848322-0
Opcode ID: 0b1cd19b0e82695ca21d43bacf455c9985e1afa33c1b29ce2f3a7090b744ccb2
Instruction ID: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593
Opcode Fuzzy Hash: C2F0B4482AADF707C8B6350915C7F79224AED736458F4BB694DB4172CBAF27B014D093
Instruction Fuzzy Hash: bbb2561b9e1adfa57c862125ee202da58d52e59279f68cb9b8d91e8b02977593

APIs

GetDesktopWindow.USER32 ref: 0045148F
GetDCEx.USER32(?,00000000,00000402), ref: 004514A2

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

SelectObject.GDI32(?,00000000), ref: 004514C5
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 004514EB
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0045150D
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 0045152C
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 00451546
SelectObject.GDI32(?,?), ref: 00451553
ReleaseDC.USER32(?,?), ref: 0045156D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004117E8, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: f440f800a6dcfa6827f62dcd7c23166eba4d720ac19948e634cff8498f9e3f0b
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 4D113503239AAB83B0257B804C83F24D1D0DE42D36ACD97B8C672693F32601561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00411881
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041189D
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 004118D6
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411953
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0041196C
VariantCopy.OLEAUT32(?), ref: 004119A1

Strings

, xrefs: 00411802

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048AC14, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 110 Total matches: 30

Similarity

Total matches: 30
API ID: GetCurrentProcessGetTokenInformationLookupPrivilegeDisplayNameLookupPrivilegeNameOpenProcessToken
String ID: GetTokenInformation error$OpenProcessToken error
API String ID: 34442935-1842041635
Opcode ID: 07715b92dc7caf9e715539a578f275bcd2bb60a34190f84cc6cf05c55eb8ea49
Instruction ID: 380ab001647c8b3903b6034fc21424389ae21c1771cfbd9cf9b74ae493e33b6b
Opcode Fuzzy Hash: 9101994303ACF753F62929086842BDA0550DF534A5EC4AB6281746BEC90F28203AFB57
Instruction Fuzzy Hash: 380ab001647c8b3903b6034fc21424389ae21c1771cfbd9cf9b74ae493e33b6b

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,0048AD60), ref: 0048AC51
OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0048AD60), ref: 0048AC57
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000320,?,00000000,00000028,?,00000000,0048AD60), ref: 0048AC7D
LookupPrivilegeDisplayNameA.ADVAPI32(00000000,00000000,00000000,000000FF,?), ref: 0048ACEE

Part of subcall function 00489B40: MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00489B84

LookupPrivilegeNameA.ADVAPI32(00000000,?,00000000,000000FF), ref: 0048ACDD

Strings

GetTokenInformation error, xrefs: 0048AC86
OpenProcessToken error, xrefs: 0048AC60

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E4A0, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68 Total matches: 2853string

Similarity

Total matches: 2853
API ID: GetSystemMetrics$GetMonitorInfoSystemParametersInfolstrcpy
String ID: DISPLAY$GetMonitorInfo
API String ID: 3432438702-1633989206
Opcode ID: eae47ffeee35c10db4cae29e8a4ab830895bcae59048fb7015cdc7d8cb0a928b
Instruction ID: 74142331967dee0409fd24cf408a58a7466f2520650418456c75ade1e3029da4
Opcode Fuzzy Hash: 28E068803A699081F86A71027110F4912B07AE7E47D883B92C4777051BD78265B91D01
Instruction Fuzzy Hash: 74142331967dee0409fd24cf408a58a7466f2520650418456c75ade1e3029da4

APIs

GetMonitorInfoA.USER32(?,?), ref: 0042E4D1
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042E4F8
GetSystemMetrics.USER32(00000000), ref: 0042E50D
GetSystemMetrics.USER32(00000001), ref: 0042E518
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0042E542

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

DISPLAY, xrefs: 0042E539
GetMonitorInfo, xrefs: 0042E4B8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004052FC, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38 Total matches: 3072filewindow

Similarity

Total matches: 3072
API ID: GetStdHandleWriteFile$MessageBox
String ID: Error$Runtime error at 00000000
API String ID: 877302783-2970929446
Opcode ID: a2f2a555d5de0ed3a3cdfe8a362fd9574088acc3a5edf2b323f2c4251b80d146
Instruction ID: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97
Opcode Fuzzy Hash: FED0A7C68438479FA141326030C4B2A00133F0762A9CC7396366CB51DFCF4954BCDD05
Instruction Fuzzy Hash: cdc924bf06905c118f3c9eee16664e37adfa790b58fcfa789437bc4946bdea97

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405335
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 0040533B
GetStdHandle.KERNEL32(000000F5,00405384,00000002,?,00000000,00000000,?,004053C3,?,?,?,00000001,0040546E,00403003,0040304A), ref: 00405350
WriteFile.KERNEL32(00000000,000000F5,00405384,00000002,?), ref: 00405356
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00405374

Strings

Error, xrefs: 00405368
Runtime error at 00000000, xrefs: 0040532E, 0040536D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E0DC, Relevance: 12.1, APIs: 8, Instructions: 100 Total matches: 31registry

Similarity

Total matches: 31
API ID: RegOpenKeyEx$RegCloseKeyRegDeleteValue
String ID:
API String ID: 2702562355-0
Opcode ID: ff1bffc0fc9da49c543c68ea8f8c068e074332158ed00d7e0855fec77d15ce10
Instruction ID: bb6f8a9e936068d281b70d3ea2ea02ff1a791729bc38357734c580253c916b5c
Opcode Fuzzy Hash: 00F0AD0155E9A353EBF654C41E127DB2082FF43A44D08FFB50392139D3DF581028E663
Instruction Fuzzy Hash: bb6f8a9e936068d281b70d3ea2ea02ff1a791729bc38357734c580253c916b5c

APIs

RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?,00000000,0046E238), ref: 0046E15A
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,000F003F,?,0046E23F,80000000,00000000,00000000,000F003F,?,00000000,0046E238), ref: 0046E17D
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,0046E23F,80000000,00000000,00000000,000F003F,?), ref: 0046E19D
RegOpenKeyExA.ADVAPI32(80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,0046E23F), ref: 0046E1BD
RegOpenKeyExA.ADVAPI32(80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001), ref: 0046E1DD
RegOpenKeyExA.ADVAPI32(80000006,00000000,00000000,000F003F,?,80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002), ref: 0046E1FD
RegDeleteValueA.ADVAPI32(?,00000000,00000000,0046E238), ref: 0046E20F
RegCloseKey.ADVAPI32(?,?,00000000,00000000,0046E238), ref: 0046E218

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004462F4, Relevance: 12.1, APIs: 8, Instructions: 99 Total matches: 293windowthread

Similarity

Total matches: 293
API ID: SendMessage$GetWindowThreadProcessId$GetCaptureGetParentIsWindowUnicode
String ID:
API String ID: 2317708721-0
Opcode ID: 8f6741418f060f953fc426fb00df5905d81b57fcb2f7a38cdc97cb0aab6d7365
Instruction ID: 027f2b09132ef415e1641618d15c0fc03404835376b0cbd1c352fc703b58c8b5
Opcode Fuzzy Hash: D0F09E15071D1844F89FA7844CD3F1F0150E73726FC516A251861D07BB2640586DEC40
Instruction Fuzzy Hash: 027f2b09132ef415e1641618d15c0fc03404835376b0cbd1c352fc703b58c8b5

APIs

GetCapture.USER32 ref: 0044631A
GetParent.USER32(00000000), ref: 00446340
IsWindowUnicode.USER32(00000000), ref: 0044635D
SendMessageW.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446378
SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446397
GetWindowThreadProcessId.USER32(00000000), ref: 004463A6
GetWindowThreadProcessId.USER32(?,?), ref: 004463B4
SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 004463D4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E244, Relevance: 12.1, APIs: 8, Instructions: 95 Total matches: 27registry

Similarity

Total matches: 27
API ID: RegOpenKeyEx$RegCloseKeyRegDeleteKey
String ID:
API String ID: 1588268847-0
Opcode ID: efa1fa3a126963e045954320cca245066a4b5764b694b03be027155e6cf74c33
Instruction ID: 786d86d630c0ce6decb55c8266b1f23f89dbfeab872e22862efc69a80fb541cf
Opcode Fuzzy Hash: 70F0810454D99393EFF268C81A627EB2492FF53141C00BFB603D222A93DF191428E663
Instruction Fuzzy Hash: 786d86d630c0ce6decb55c8266b1f23f89dbfeab872e22862efc69a80fb541cf

APIs

RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?,00000000,0046E391), ref: 0046E2B7
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,000F003F,?,80000000,00000000,00000000,000F003F,?,00000000,0046E391), ref: 0046E2DA
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,80000000,00000000,00000000,000F003F,?,00000000), ref: 0046E2FA
RegOpenKeyExA.ADVAPI32(80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001,00000000,00000000,000F003F,?,80000000), ref: 0046E31A
RegOpenKeyExA.ADVAPI32(80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002,00000000,00000000,000F003F,?,80000001), ref: 0046E33A
RegOpenKeyExA.ADVAPI32(80000006,00000000,00000000,000F003F,?,80000005,00000000,00000000,000F003F,?,80000003,00000000,00000000,000F003F,?,80000002), ref: 0046E35A
RegDeleteKeyA.ADVAPI32(?,0046E39C), ref: 0046E368
RegCloseKey.ADVAPI32(?,?,0046E39C,00000000,0046E391), ref: 0046E371

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426060, Relevance: 12.1, APIs: 8, Instructions: 79 Total matches: 3072window

Similarity

Total matches: 3072
API ID: GetSystemPaletteEntries$GetDCGetDeviceCapsReleaseDC
String ID:
API String ID: 3774187343-0
Opcode ID: c8a1f0028bda89d06ba34fecd970438ce26e4f5bd606e2da3d468695089984a8
Instruction ID: 0cfe958825060108f21fe327ec74807f3ea840bb8274bad68fd1d00675d59d02
Opcode Fuzzy Hash: 82F0E9420739F3B3B21723492453B548250FF006B8F195B7095A2A37D54B486A08D65A
Instruction Fuzzy Hash: 0cfe958825060108f21fe327ec74807f3ea840bb8274bad68fd1d00675d59d02

APIs

GetDC.USER32(00000000), ref: 0042608E
GetDeviceCaps.GDI32(?,00000068), ref: 004260AA
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 004260C9
GetSystemPaletteEntries.GDI32(?,-00000008,00000001,00C0C0C0), ref: 004260ED
GetSystemPaletteEntries.GDI32(?,00000000,00000007,?), ref: 0042610B
GetSystemPaletteEntries.GDI32(?,00000007,00000001,?), ref: 0042611F
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0042613F
ReleaseDC.USER32(00000000,?), ref: 00426157

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434550, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 177 Total matches: 2669window

Similarity

Total matches: 2669
API ID: InsertMenu$GetVersionInsertMenuItem
String ID: ,$?
API String ID: 1158528009-2308483597
Opcode ID: 3691d3eb49acf7fe282d18733ae3af9147e5be4a4a7370c263688d5644077239
Instruction ID: d88e58a9695d0ecde36b26a9ed5775f3b98e27f7dc2108173ae1ec2afbf22209
Opcode Fuzzy Hash: 7021C07202AE81DBD414788C7954F6221B16B5465FD49FF210329B5DD98F156003FF7A
Instruction Fuzzy Hash: d88e58a9695d0ecde36b26a9ed5775f3b98e27f7dc2108173ae1ec2afbf22209

APIs

GetVersion.KERNEL32(00000000,004347A1), ref: 004345EC
InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 004346F5
InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 0043477E

Part of subcall function 00434A54: CreatePopupMenu.USER32 ref: 00434A6F
Part of subcall function 00434A54: CreateMenu.USER32 ref: 00434A79

InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 00434765

Strings

?, xrefs: 00434607
,, xrefs: 00434600

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00446524, Relevance: 10.6, APIs: 7, Instructions: 105 Total matches: 329window

Similarity

Total matches: 329
API ID: PeekMessage$DispatchMessage$IsWindowUnicodeTranslateMessage
String ID:
API String ID: 94033680-0
Opcode ID: 72d0e2097018c2d171db36cd9dd5c7d628984fd68ad100676ade8b40d7967d7f
Instruction ID: b3581f7210794b57d406096c46509e1a6dcc6e0b3c60c7d01b5c3c410123a072
Opcode Fuzzy Hash: A2F0F642161A8221F90E364651E2FC06559E31F39CCD1D3871165A4192DF8573D6F95C
Instruction Fuzzy Hash: b3581f7210794b57d406096c46509e1a6dcc6e0b3c60c7d01b5c3c410123a072

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00446538
IsWindowUnicode.USER32 ref: 0044654C
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0044656D
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00446583

Part of subcall function 00447DD0: GetCapture.USER32 ref: 00447DDA
Part of subcall function 00447DD0: GetParent.USER32(00000000), ref: 00447E08

Part of subcall function 004462A4: TranslateMDISysAccel.USER32(?), ref: 004462E3

Part of subcall function 004462F4: GetCapture.USER32 ref: 0044631A
Part of subcall function 004462F4: GetParent.USER32(00000000), ref: 00446340
Part of subcall function 004462F4: IsWindowUnicode.USER32(00000000), ref: 0044635D
Part of subcall function 004462F4: SendMessageW.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446378
Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 00446397
Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(00000000), ref: 004463A6
Part of subcall function 004462F4: GetWindowThreadProcessId.USER32(?,?), ref: 004463B4
Part of subcall function 004462F4: SendMessageA.USER32(00000000,-0000BBEE,015B8130,?), ref: 004463D4

Part of subcall function 0044625C: IsWindowUnicode.USER32(00000000), ref: 00446270
Part of subcall function 0044625C: IsDialogMessageW.USER32(?), ref: 00446281
Part of subcall function 0044625C: IsDialogMessageA.USER32(?,?,00000000,015B8130,00000001,00446607,?,00000000,00000000,00000000,00000001,?,00000000,00000000,00000000,00000000), ref: 00446296

TranslateMessage.USER32 ref: 0044660C
DispatchMessageW.USER32 ref: 00446618
DispatchMessageA.USER32 ref: 00446620

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004282D0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99 Total matches: 1938

Similarity

Total matches: 1938
API ID: GetWinMetaFileBitsMulDiv$GetDC
String ID: `
API String ID: 1171737091-2679148245
Opcode ID: 97e0afb71fd3017264d25721d611b96d1ac3823582e31f119ebb41a52f378edb
Instruction ID: fd1c75cb27f8ccc4a85bc281ca680933f7ff10ae91a160973978cac80d6b42b6
Opcode Fuzzy Hash: B6F0ACC4008CD2A7D87675DC1043F6311C897CA286E89BB739226A7307CB0AA019EC47
Instruction Fuzzy Hash: fd1c75cb27f8ccc4a85bc281ca680933f7ff10ae91a160973978cac80d6b42b6

APIs

MulDiv.KERNEL32(?,?,000009EC), ref: 00428322
MulDiv.KERNEL32(?,?,000009EC), ref: 00428339
GetDC.USER32(00000000), ref: 00428350
GetWinMetaFileBits.GDI32(?,00000000,00000000,00000008,?), ref: 00428374
GetWinMetaFileBits.GDI32(?,?,?,00000008,?), ref: 004283A7

Part of subcall function 00425A70: GetLastError.KERNEL32(00000000,00425B0C), ref: 00425A90
Part of subcall function 00425A70: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00425B0C), ref: 00425AB6

Strings

`, xrefs: 00428308

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444344, Relevance: 10.6, APIs: 7, Instructions: 89 Total matches: 2886

Similarity

Total matches: 2886
API ID: CreateFontIndirect$GetStockObjectSystemParametersInfo
String ID:
API String ID: 1286667049-0
Opcode ID: beeb678630a8d2ca0f721ed15124802961745e4c56d7c704ecddf8ebfa723626
Instruction ID: b9276e4cea0afd1028da4d528d34847b13dbaab52dc8e94e54053a20ac38a9fc
Opcode Fuzzy Hash: 00F0A4C36341F6F2D8993208742172161E6A74AE78C7CFF62422930ED2661A052EEB4F
Instruction Fuzzy Hash: b9276e4cea0afd1028da4d528d34847b13dbaab52dc8e94e54053a20ac38a9fc

APIs

SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 00444399
CreateFontIndirectA.GDI32(?), ref: 004443A6
GetStockObject.GDI32(0000000D), ref: 004443BC
SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 004443E5
CreateFontIndirectA.GDI32(?), ref: 004443F5
CreateFontIndirectA.GDI32(?), ref: 0044440E

Part of subcall function 00424A5C: MulDiv.KERNEL32(00000000,?,00000048), ref: 00424A69

GetStockObject.GDI32(0000000D), ref: 00444434

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428A00, Relevance: 10.6, APIs: 7, Instructions: 66 Total matches: 3056

Similarity

Total matches: 3056
API ID: SelectObject$CreateCompatibleDCDeleteDCGetDCReleaseDCSetDIBColorTable
String ID:
API String ID: 2399757882-0
Opcode ID: e05996493a4a7703f1d90fd319a439bf5e8e75d5a5d7afaf7582bfea387cb30d
Instruction ID: 90c847b5b2251fbb5b2f14fd0b24f537c214c92e226752d9278a3821f2f40b8f
Opcode Fuzzy Hash: 73E0DF8626D8F38BE435399C15C2BB202EAD763D20D1ABBA1CD712B5DB6B09701CE107
Instruction Fuzzy Hash: 90c847b5b2251fbb5b2f14fd0b24f537c214c92e226752d9278a3821f2f40b8f

APIs

Part of subcall function 004262B4: GetObjectA.GDI32(?,00000004), ref: 004262CB
Part of subcall function 004262B4: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 004262EE

GetDC.USER32(00000000), ref: 00428A3E
CreateCompatibleDC.GDI32(?), ref: 00428A4A
SelectObject.GDI32(?), ref: 00428A57
SetDIBColorTable.GDI32(?,00000000,00000000,?), ref: 00428A7B
SelectObject.GDI32(?,?), ref: 00428A95
DeleteDC.GDI32(?), ref: 00428A9E
ReleaseDC.USER32(00000000,?), ref: 00428AA9

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004442A8, Relevance: 10.6, APIs: 7, Instructions: 57 Total matches: 3149threadwindow

Similarity

Total matches: 3149
API ID: SendMessage$GetCurrentThreadIdGetCursorPosGetWindowThreadProcessIdSetCursorWindowFromPoint
String ID:
API String ID: 3843227220-0
Opcode ID: 636f8612f18a75fc2fe2d79306f1978e6c2d0ee500cce15a656835efa53532b4
Instruction ID: 91a0691e93be75cbd792bc1c5d11451005bcc187603754b99125f381020161aa
Opcode Fuzzy Hash: 6FE07D44093723D5C0644A295640705A6C6CB96630DC0DB86C339580FBAD0214F0BC92
Instruction Fuzzy Hash: 91a0691e93be75cbd792bc1c5d11451005bcc187603754b99125f381020161aa

APIs

GetCursorPos.USER32 ref: 004442C3
WindowFromPoint.USER32(?,?), ref: 004442D0
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004442DE
GetCurrentThreadId.KERNEL32(00000000,00000000,?,?), ref: 004442E5
SendMessageA.USER32(00000000,00000084,00000000,?), ref: 0044430E
SendMessageA.USER32(00000000,00000020,00000000,?), ref: 00444320
SetCursor.USER32(00000000), ref: 00444332

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00404448, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 49 Total matches: 63registry

Similarity

Total matches: 63
API ID: RegCloseKeyRegOpenKeyExRegQueryValueEx
String ID: &$FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 2249749755-409351
Opcode ID: ab90adbf7b939076b4d26ef1005f34fa32d43ca05e29cbeea890055cc8b783db
Instruction ID: ce62e3bb234767a160e82b0d7d36def6f0e4d1aa0fd43ed305e6d49589b0b3e0
Opcode Fuzzy Hash: 58D02BE10C9A675FB6B071543292B6310A3F72AA8CC0077326DD03A0D64FD26178CF03
Instruction Fuzzy Hash: ce62e3bb234767a160e82b0d7d36def6f0e4d1aa0fd43ed305e6d49589b0b3e0

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040446A
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,&,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040449D
RegCloseKey.ADVAPI32(?,004044C0,00000000,?,00000004,00000000,&,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004044B3

Strings

&, xrefs: 00404476
FPUMaskValue, xrefs: 00404494
SOFTWARE\Borland\Delphi\RTL, xrefs: 00404460

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043EC18, Relevance: 9.2, APIs: 6, Instructions: 150 Total matches: 2896

Similarity

Total matches: 2896
API ID: FillRect$BeginPaintEndPaintGetClientRectGetWindowRect
String ID:
API String ID: 2931688664-0
Opcode ID: 677a90f33c4a0bae1c1c90245e54b31fe376033ebf9183cf3cf5f44c7b342276
Instruction ID: 65c0a0a89661e183b73f48e61e48bee5eb6d6399339ac08e0e21072a38132552
Opcode Fuzzy Hash: 9711994A819E5007F47B49C40887BEA1092FBC1FDBCC8FF7025A426BCB0B60564F860B
Instruction Fuzzy Hash: 65c0a0a89661e183b73f48e61e48bee5eb6d6399339ac08e0e21072a38132552

APIs

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

FillRect.USER32(?,?), ref: 0043EC91
GetClientRect.USER32(00000000,?), ref: 0043ECBC
FillRect.USER32(?,?,00000000), ref: 0043ECDB

Part of subcall function 0043EB8C: CallWindowProcA.USER32(?,?,?,?,?), ref: 0043EBC6

Part of subcall function 0043B78C: GetWindowLongA.USER32(?,000000EC), ref: 0043B799
Part of subcall function 0043B78C: SetWindowLongA.USER32(?,000000EC,00000000), ref: 0043B7BC
Part of subcall function 0043B78C: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0043B7CE

BeginPaint.USER32(?,?), ref: 0043ED53
GetWindowRect.USER32(?,?), ref: 0043ED80

Part of subcall function 0044EEA0: GetWindowOrgEx.GDI32(?), ref: 0044EEAE
Part of subcall function 0044EEA0: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044EEC4

Part of subcall function 00455D50: BeginPaint.USER32(00000000,?), ref: 00455D7B
Part of subcall function 00455D50: SaveDC.GDI32(00000000), ref: 00455DB4
Part of subcall function 00455D50: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 00455E36
Part of subcall function 00455D50: RestoreDC.GDI32(00000000,00000000), ref: 00455E6C
Part of subcall function 00455D50: EndPaint.USER32(00000000,?), ref: 00455EA9

EndPaint.USER32(?,?), ref: 0043EDE0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00441160, Relevance: 9.1, APIs: 6, Instructions: 125 Total matches: 196

Similarity

Total matches: 196
API ID: ExcludeClipRectFillRectGetStockObjectRestoreDCSaveDCSetBkColor
String ID:
API String ID: 3049133588-0
Opcode ID: d6019f6cee828ac7391376ab126a0af33bb7a71103bbd3b8d69450c96d22d854
Instruction ID: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c
Opcode Fuzzy Hash: 54012444004F6253F4AB098428E7FA56083F721791CE4FF310786616C34A74615BAA07
Instruction Fuzzy Hash: 313edbfd4eae7fb97a603223bff4bddf7e6010aa9c182f63e3c1730006eb0b2c

APIs

Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE

SaveDC.GDI32(?), ref: 004411AD
ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00441234
GetStockObject.GDI32(00000004), ref: 00441256
FillRect.USER32(00000000,?,00000000), ref: 0044126F

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(00000000,00000000), ref: 004412BA

Part of subcall function 0042535C: FillRect.USER32(?,00000000,00000000), ref: 00425385

RestoreDC.GDI32(00000000,?), ref: 004412E5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426564, Relevance: 9.1, APIs: 6, Instructions: 84 Total matches: 3298

Similarity

Total matches: 3298
API ID: GetDeviceCapsGetSystemMetrics$GetDCReleaseDC
String ID:
API String ID: 3173458388-0
Opcode ID: fd9f4716da230ae71bf1f4ec74ceb596be8590d72bfe1d7677825fa15454f496
Instruction ID: 76208f8db54bfa31a4e946745ab37a866a8afca9cd7e1400b1f436bf5add317d
Opcode Fuzzy Hash: 0CF09E4906CDE0A230E245C41213F6290C28E85DA1CCD2F728175646EB900A900BB68A
Instruction Fuzzy Hash: 76208f8db54bfa31a4e946745ab37a866a8afca9cd7e1400b1f436bf5add317d

APIs

GetSystemMetrics.USER32(0000000B), ref: 004265B2
GetSystemMetrics.USER32(0000000C), ref: 004265BE
GetDC.USER32(00000000), ref: 004265DA
GetDeviceCaps.GDI32(00000000,0000000E), ref: 00426601
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042660E
ReleaseDC.USER32(00000000,00000000), ref: 00426647

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004269DC, Relevance: 9.1, APIs: 6, Instructions: 65 Total matches: 3081window

Similarity

Total matches: 3081
API ID: SelectPalette$CreateCompatibleDCDeleteDCGetDIBitsRealizePalette
String ID:
API String ID: 940258532-0
Opcode ID: c5678bed85b02f593c88b8d4df2de58c18800a354d7fb4845608846d7bc0f30b
Instruction ID: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194
Opcode Fuzzy Hash: BCE0864D058EF36F1875B08C25D267100C0C9A25D0917BB6151282339B8F09B42FE553
Instruction Fuzzy Hash: 1ef2127f57e3363233410af19b5b849375c74c4ba300dae04c6fe43ba8fa3194

APIs

Part of subcall function 00426888: GetObjectA.GDI32(?,00000054), ref: 0042689C

CreateCompatibleDC.GDI32(00000000), ref: 004269FE
SelectPalette.GDI32(?,?,00000000), ref: 00426A1F
RealizePalette.GDI32(?), ref: 00426A2B
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 00426A42
SelectPalette.GDI32(?,00000000,00000000), ref: 00426A6A
DeleteDC.GDI32(?), ref: 00426A73

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426210, Relevance: 9.1, APIs: 6, Instructions: 56 Total matches: 3064window

Similarity

Total matches: 3064
API ID: SelectObject$CreateCompatibleDCCreatePaletteDeleteDCGetDIBColorTable
String ID:
API String ID: 2522673167-0
Opcode ID: 8f0861977a40d6dd0df59c1c8ae10ba78c97ad85d117a83679491ebdeecf1838
Instruction ID: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265
Opcode Fuzzy Hash: 23E0CD8BABB4E08A797B9EA40440641D28F874312DF4347525731780E7DE0972EBFD9D
Instruction Fuzzy Hash: 4b3d75bc9a3bdaae834693c94b794c37f461797e6d49a6e30cc048c0fd247265

APIs

CreateCompatibleDC.GDI32(00000000), ref: 00426229
SelectObject.GDI32(00000000,00000000), ref: 00426232
GetDIBColorTable.GDI32(00000000,00000000,00000100,?), ref: 00426246
SelectObject.GDI32(00000000,00000000), ref: 00426252
DeleteDC.GDI32(00000000), ref: 00426258
CreatePalette.GDI32 ref: 0042629F

Part of subcall function 00426178: GetDC.USER32(00000000), ref: 00426190
Part of subcall function 00426178: GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
Part of subcall function 00426178: GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
Part of subcall function 00426178: ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004258EC, Relevance: 9.0, APIs: 6, Instructions: 43 Total matches: 3205

Similarity

Total matches: 3205
API ID: SetBkColorSetBkMode$SelectObjectUnrealizeObject
String ID:
API String ID: 865388446-0
Opcode ID: ffaa839b37925f52af571f244b4bcc9ec6d09047a190f4aa6a6dd435522a71e3
Instruction ID: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d
Opcode Fuzzy Hash: 04D09E594221F71A98E8058442D7D520586497D532DAF3B51063B173F7F8089A05D9FC
Instruction Fuzzy Hash: 22f404987281ce44786b72f89e0b0399fc0c49a46c1cc60abb0afa49cd2d829d

APIs

Part of subcall function 00424FEC: CreateBrushIndirect.GDI32(?), ref: 00425097

UnrealizeObject.GDI32(00000000), ref: 004258F8
SelectObject.GDI32(?,00000000), ref: 0042590A
SetBkColor.GDI32(?,00000000), ref: 0042592D
SetBkMode.GDI32(?,00000002), ref: 00425938

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

SetBkColor.GDI32(?,00000000), ref: 00425953
SetBkMode.GDI32(?,00000001), ref: 0042595E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042A930, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 112 Total matches: 272window

Similarity

Total matches: 272
API ID: CreateHalftonePaletteDeleteObjectGetDCReleaseDC
String ID: (
API String ID: 5888407-3887548279
Opcode ID: 4e22601666aff46a46581565b5bf303763a07c2fd17868808ec6dd327d665c82
Instruction ID: f57f3c124764741b0e8e00b5455ad9be4a6e3969f543885727e4b1f2e22c0620
Opcode Fuzzy Hash: 79019E5241CC6117F8D7A6547852F732644AB806A5C80FB707B69BA8CFAB85610EB90B
Instruction Fuzzy Hash: f57f3c124764741b0e8e00b5455ad9be4a6e3969f543885727e4b1f2e22c0620

APIs

GetDC.USER32(00000000), ref: 0042A9EC
CreateHalftonePalette.GDI32(00000000), ref: 0042A9F9
ReleaseDC.USER32(00000000,00000000), ref: 0042AA08
DeleteObject.GDI32(00000000), ref: 0042AA76

Strings

(, xrefs: 0042A9A3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048DA48, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 102 Total matches: 32

Similarity

Total matches: 32
API ID: Netbios
String ID: %.2x-%.2x-%.2x-%.2x-%.2x-%.2x$3$memory allocation failed!
API String ID: 544444789-2654533857
Opcode ID: 22deb5ba4c8dd5858e69645675ac88c4b744798eed5cc2a6ae80ae5365d1f156
Instruction ID: 205d53b38d78d2d0723284a20418f6a6cc2e9f6e34ee92e133a3f4b1a01c78c5
Opcode Fuzzy Hash: FC0145449793E233D2635E086C60F6823228F41731FC96B56863A557DC1F09420EF26F
Instruction Fuzzy Hash: 205d53b38d78d2d0723284a20418f6a6cc2e9f6e34ee92e133a3f4b1a01c78c5

APIs

Netbios.NETAPI32(00000032), ref: 0048DA8A
Netbios.NETAPI32(00000033), ref: 0048DB01

Strings

3, xrefs: 0048DACB
memory allocation failed!, xrefs: 0048DAEB
%.2x-%.2x-%.2x-%.2x-%.2x-%.2x, xrefs: 0048DBA0

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EA7C, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50 Total matches: 198thread

Similarity

Total matches: 198
API ID: FindWindowExGetCurrentThreadIdGetWindowThreadProcessIdIsWindow
String ID: OleMainThreadWndClass
API String ID: 201132107-3883841218
Opcode ID: cdbacb71e4e8a6832b821703e69153792bbbb8731c9381be4d3b148a6057b293
Instruction ID: 62358f18f5a79d764869bf2b093b0b3ccaeb62bda00a46bd1094c38cdaeeb6b7
Opcode Fuzzy Hash: F8E08C9266CC1095C039EA1C7A2237A3548B7D24E9ED4DB747BEB2716CEF00022A7780
Instruction Fuzzy Hash: 62358f18f5a79d764869bf2b093b0b3ccaeb62bda00a46bd1094c38cdaeeb6b7

APIs

Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00000000,00403029), ref: 004076AD
Part of subcall function 00407688: TlsGetValue.KERNEL32(00000000,00403029), ref: 004076BE

IsWindow.USER32(?), ref: 0042EA99
FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
GetCurrentThreadId.KERNEL32(?,00000000,00000000,00000000,OleMainThreadWndClass,00000000,?,?,00000000,0042EB52), ref: 0042EB0A

Strings

OleMainThreadWndClass, xrefs: 0042EAC3

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434AE4, Relevance: 7.7, APIs: 5, Instructions: 168 Total matches: 2874

Similarity

Total matches: 2874
API ID: DrawTextOffsetRect$DrawEdge
String ID:
API String ID: 1230182654-0
Opcode ID: 4033270dfa35f51a11e18255a4f5fd5a4a02456381e8fcea90fa62f052767fcc
Instruction ID: 6b9e5ef3b45a4a7d0cb501c9f56a29ead01efbe1e1581f942ef4c6a165ab8663
Opcode Fuzzy Hash: A511CB01114D5A93E431240815A7FEF1295FBC1A9BCD4BB71078636DBB2F481017EA7B
Instruction Fuzzy Hash: 6b9e5ef3b45a4a7d0cb501c9f56a29ead01efbe1e1581f942ef4c6a165ab8663

APIs

DrawEdge.USER32(00000000,?,00000006,00000002), ref: 00434BB3
OffsetRect.USER32(?,00000001,00000001), ref: 00434C04
DrawTextA.USER32(00000000,00000000,?,?,?), ref: 00434C3D
OffsetRect.USER32(?,000000FF,000000FF), ref: 00434C4A

Part of subcall function 00424230: GetSysColor.USER32(?), ref: 0042423A

DrawTextA.USER32(00000000,00000000,?,?,?), ref: 00434CB5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004455EC, Relevance: 7.6, APIs: 5, Instructions: 109 Total matches: 230

Similarity

Total matches: 230
API ID: ShowOwnedPopupsShowWindow$EnumWindows
String ID:
API String ID: 1268429734-0
Opcode ID: 27bb45b2951756069d4f131311b8216febb656800ffc3f7147a02f570a82fa35
Instruction ID: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc
Opcode Fuzzy Hash: 70012B5524E87325E2756D54B01C765A2239B0FF08CE6C6654AAE640F75E1E0132F78D
Instruction Fuzzy Hash: 9fcd346d84b20b825e2aa57904f9d862c99c261ca4e9c2372311ae46ca22febc

APIs

EnumWindows.USER32(00445518,00000000), ref: 00445620
ShowWindow.USER32(?,00000000), ref: 00445655
ShowOwnedPopups.USER32(00000000,?), ref: 00445684
ShowWindow.USER32(?,00000005), ref: 004456EA
ShowOwnedPopups.USER32(00000000,?), ref: 00445719

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EB3C, Relevance: 7.6, APIs: 5, Instructions: 86 Total matches: 211window

Similarity

Total matches: 211
API ID: DispatchMessageMsgWaitForMultipleObjectsExPeekMessageTranslateMessageWaitForMultipleObjectsEx
String ID:
API String ID: 1615661765-0
Opcode ID: ed928f70f25773e24e868fbc7ee7d77a1156b106903410d7e84db0537b49759f
Instruction ID: 55a40452e6c929106030349fb2bc1598364ce2fc4e781c2a916e8f687fa462b2
Opcode Fuzzy Hash: DDF05C09614F1D16D8BB88644562B1B2144AB42397C26BFA5529EE3B2D6B18B00AF640
Instruction Fuzzy Hash: 55a40452e6c929106030349fb2bc1598364ce2fc4e781c2a916e8f687fa462b2

APIs

Part of subcall function 0042EA7C: IsWindow.USER32(?), ref: 0042EA99
Part of subcall function 0042EA7C: FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042EACA
Part of subcall function 0042EA7C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0042EB03
Part of subcall function 0042EA7C: GetCurrentThreadId.KERNEL32(?,00000000,00000000,00000000,OleMainThreadWndClass,00000000,?,?,00000000,0042EB52), ref: 0042EB0A

MsgWaitForMultipleObjectsEx.USER32(?,?,?,000000BF,?), ref: 0042EB6A
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 0042EB85
TranslateMessage.USER32(?), ref: 0042EB92
DispatchMessageA.USER32(?), ref: 0042EB9B
WaitForMultipleObjectsEx.KERNEL32(?,?,?,?,00000000), ref: 0042EBC7

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00434924, Relevance: 7.6, APIs: 5, Instructions: 77 Total matches: 2509window

Similarity

Total matches: 2509
API ID: GetMenuItemCount$DestroyMenuGetMenuStateRemoveMenu
String ID:
API String ID: 4240291783-0
Opcode ID: 32de4ad86fdb0cc9fc982d04928276717e3a5babd97d9cb0bc7430a9ae97d0ca
Instruction ID: cf6877f9ad33401498591f2bf6e6844a5ca439f59e89e6fdb213c81f0c010526
Opcode Fuzzy Hash: 6BE02BD3455E4703F425AB0454E3FA913C4AF51716DA0DB1017359D07B1F26501FE9F4
Instruction Fuzzy Hash: cf6877f9ad33401498591f2bf6e6844a5ca439f59e89e6fdb213c81f0c010526

APIs

Part of subcall function 00434A54: CreatePopupMenu.USER32 ref: 00434A6F
Part of subcall function 00434A54: CreateMenu.USER32 ref: 00434A79

GetMenuItemCount.USER32(00000000), ref: 0043495C
GetMenuState.USER32(00000000,-00000001,00000400), ref: 0043497D
RemoveMenu.USER32(00000000,-00000001,00000400), ref: 00434994
GetMenuItemCount.USER32(00000000), ref: 004349C4
DestroyMenu.USER32(00000000), ref: 004349D1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00443430, Relevance: 7.6, APIs: 5, Instructions: 61 Total matches: 3003

Similarity

Total matches: 3003
API ID: SetWindowLong$GetWindowLongRedrawWindowSetLayeredWindowAttributes
String ID:
API String ID: 3761630487-0
Opcode ID: 9c9d49d1ef37d7cb503f07450c0d4a327eb9b2b4778ec50dcfdba666c10abcb3
Instruction ID: c6d9d2cd31c241e86b7d90949bf59b5cad1e27a78e0073c3828bbb8e9ec94880
Opcode Fuzzy Hash: 6AE06550D41703A1D48114945B63FBBE8817F8911DDE5C71001BA29145BA88A192FF7B
Instruction Fuzzy Hash: c6d9d2cd31c241e86b7d90949bf59b5cad1e27a78e0073c3828bbb8e9ec94880

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 00443464
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 00443496
SetLayeredWindowAttributes.USER32(00000000,?,?,00000000), ref: 004434CF
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 004434E8
RedrawWindow.USER32(00000000,00000000,00000000,00000485), ref: 004434FE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00426178, Relevance: 7.6, APIs: 5, Instructions: 55 Total matches: 3070window

Similarity

Total matches: 3070
API ID: GetPaletteEntries$GetDCGetDeviceCapsReleaseDC
String ID:
API String ID: 1267235336-0
Opcode ID: 49f91625e0dd571c489fa6fdad89a91e8dd79834746e98589081ca7a3a4fea17
Instruction ID: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836
Opcode Fuzzy Hash: 7CD0C2AA1389DBD6BD6A17842352A4553478983B09D126B32EB0822872850C5039FD1F
Instruction Fuzzy Hash: 99a54379eaad583cec4a72368fae6679895edeccfa5c263ff7ce33739fcbd836

APIs

GetDC.USER32(00000000), ref: 00426190
GetDeviceCaps.GDI32(?,00000068), ref: 004261AC
GetPaletteEntries.GDI32(48080787,00000000,00000008,?), ref: 004261C4
GetPaletteEntries.GDI32(48080787,00000008,00000008,?), ref: 004261DC
ReleaseDC.USER32(00000000,?), ref: 004261F8

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444B90, Relevance: 7.5, APIs: 5, Instructions: 25 Total matches: 2957synchronizationthread

Similarity

Total matches: 2957
API ID: CloseHandleGetCurrentThreadIdSetEventUnhookWindowsHookExWaitForSingleObject
String ID:
API String ID: 3442057731-0
Opcode ID: bc40a7f740796d43594237fc13166084f8c3b10e9e48d5138e47e82ca7129165
Instruction ID: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1
Opcode Fuzzy Hash: E9C01296B2C9B0C1EC809712340202800B20F8FC590E3DE0509D7363005315D73CD92C
Instruction Fuzzy Hash: b5c13f002e9f1e60585bb6c1f93bff0d42f1f78201459665af570109268017e1

APIs

UnhookWindowsHookEx.USER32(00000000), ref: 00444B9F
SetEvent.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBA
GetCurrentThreadId.KERNEL32(00000000,004474C2,?,00447333), ref: 00444BBF
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00444BD4
CloseHandle.KERNEL32(00000000), ref: 00444BDF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040D670, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148 Total matches: 3566thread

Similarity

Total matches: 3566
API ID: GetThreadLocale
String ID: eeee$ggg$yyyy
API String ID: 1366207816-1253427255
Opcode ID: 86fa1fb3c1f239f42422769255d2b4db7643f856ec586a18d45da068e260c20e
Instruction ID: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436
Opcode Fuzzy Hash: 3911BD8712648363D5722818A0D2BE3199C5703CA4EA89742DDB6356EA7F09440BEE6D
Instruction Fuzzy Hash: 852c853d6c3635d1b7fd87cbcc1e50d00c4614cefae889aa94e8c2d87f2dd436

APIs

GetThreadLocale.KERNEL32(?,00000000,0040D840,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040D69F

Part of subcall function 0040D334: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040D352

Strings

eeee, xrefs: 0040D7AE
yyyy, xrefs: 0040D795
ggg, xrefs: 0040D785

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046F5E4, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72 Total matches: 26window

Similarity

Total matches: 26
API ID: GetWindowPlacementGetWindowTextIsWindowVisible
String ID: ,
API String ID: 41250382-3772416878
Opcode ID: d98ece8bad481757d152ad7594c705093dec75069e9b5f9ec314c4d81001c558
Instruction ID: 1b57460ef1e40e225087e69e669dd845b9a56fe4f5442601256b4cdd4d0865f6
Opcode Fuzzy Hash: DBE0ABC68782816BD907FDCCB0207E6E1E4779394CC8CBB32C606396E44D92000DCE69
Instruction Fuzzy Hash: 1b57460ef1e40e225087e69e669dd845b9a56fe4f5442601256b4cdd4d0865f6

APIs

GetWindowTextA.USER32(?,00000000,?), ref: 0046F634
GetWindowPlacement.USER32(?,0000002C), ref: 0046F64F
IsWindowVisible.USER32(?), ref: 0046F655

Strings

,, xrefs: 0046F643

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00485150, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64 Total matches: 24registry

Similarity

Total matches: 24
API ID: RegCloseKeyRegOpenKeyRegSetValueEx
String ID: Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 551737238-1428018034
Opcode ID: 03d06dea9a4ea131a8c95bd501c85e7d0b73df60e0a15cb9a2dd1ac9fe2d308f
Instruction ID: 259808f008cd29689f11a183a475b32bbb219f99a0f83129d86369365ce9f44d
Opcode Fuzzy Hash: 15E04F8517EAE2ABA996B5C838866F7609A9713790F443FB19B742F18B4F04601CE243
Instruction Fuzzy Hash: 259808f008cd29689f11a183a475b32bbb219f99a0f83129d86369365ce9f44d

APIs

RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 00485199
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,?,00000000,004851DE,?,00000000,0048520A), ref: 004851C6
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,?,00000000,004851DE,?,00000000,0048520A), ref: 004851CF

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 0048518F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 004606CC, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 59 Total matches: 75network

Similarity

Total matches: 75
API ID: gethostbynameinet_addr
String ID: %d.%d.%d.%d$0.0.0.0
API String ID: 1594361348-464342551
Opcode ID: 7e59b623bdbf8c44b8bb58eaa9a1d1e7bf08be48a025104469b389075155053e
Instruction ID: 136b4077bafd549567cd44b702fc781b2d0bdeab701521d256d746d30229b047
Opcode Fuzzy Hash: 62E0D84049F633C28038E685914DF713041C71A2DEF8F9352022171EF72B096986AE3F
Instruction Fuzzy Hash: 136b4077bafd549567cd44b702fc781b2d0bdeab701521d256d746d30229b047

APIs

inet_addr.WSOCK32(00000000), ref: 004606F6
gethostbyname.WSOCK32(00000000), ref: 00460711

Strings

%d.%d.%d.%d, xrefs: 0046075E
0.0.0.0, xrefs: 0046076C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0043804C, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58 Total matches: 1778window

Similarity

Total matches: 1778
API ID: DrawMenuBarGetMenuItemInfoSetMenuItemInfo
String ID: P
API String ID: 41131186-3110715001
Opcode ID: ea0fd48338f9c30b58f928f856343979a74bbe7af1b6c53973efcbd39561a32d
Instruction ID: eec9c326b6739cd85be96541f469f9b321a478421ae7c7aca53e0c239bd8eefe
Opcode Fuzzy Hash: C8E0C0C1064C1301CCACB4938564F010221FB8B33CDD1D3C051602419A9D0080D4BFFA
Instruction Fuzzy Hash: eec9c326b6739cd85be96541f469f9b321a478421ae7c7aca53e0c239bd8eefe

APIs

GetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 0043809A
SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 004380EC
DrawMenuBar.USER32(00000000), ref: 004380F9

Strings

P, xrefs: 0043808C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0048C3E4, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47 Total matches: 32libraryloader

Similarity

Total matches: 32
API ID: FreeLibraryGetProcAddressLoadLibrary
String ID: _DCEntryPoint
API String ID: 2438569322-2130044969
Opcode ID: ab6be07d423f29e2cef18b5ad5ff21cef58c0bd0bd6b8b884c8bb9d8d911d098
Instruction ID: 3cba8b520013dd4b177f9c32272ffd10ecf318a20762e1e9fa694429cf7511db
Opcode Fuzzy Hash: B9D0C2568747D413C405200439407D90CF1AF8719F9967FA145303FAD76F09801B7527
Instruction Fuzzy Hash: 3cba8b520013dd4b177f9c32272ffd10ecf318a20762e1e9fa694429cf7511db

APIs

LoadLibraryA.KERNEL32(00000000), ref: 0048C431
GetProcAddress.KERNEL32(00000000,_DCEntryPoint,00000000,0048C473), ref: 0048C442
FreeLibrary.KERNEL32(00000000), ref: 0048C44A

Strings

_DCEntryPoint, xrefs: 0048C43C

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046D36C, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36 Total matches: 62

Similarity

Total matches: 62
API ID: ShellExecute
String ID: /k $[FILE]$open
API String ID: 2101921698-3009165984
Opcode ID: 68a05d7cd04e1a973318a0f22a03b327e58ffdc8906febc8617c9713a9b295c3
Instruction ID: d64fb813625eb261c687c2654e5203d30067de4ace02db37851750b48dd66fbf
Opcode Fuzzy Hash: FED0C75427CD9157FA017F8439527E61057E747281D481BE285587A0838F8D40659312
Instruction Fuzzy Hash: d64fb813625eb261c687c2654e5203d30067de4ace02db37851750b48dd66fbf

APIs

ShellExecuteA.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0046D3B9

Strings

/k , xrefs: 0046D39A
cmd.exe, xrefs: 0046D3AD
open, xrefs: 0046D3B2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042F9E4, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36 Total matches: 35libraryloader

Similarity

Total matches: 35
API ID: GetProcAddressLoadLibrary
String ID: DWMAPI.DLL$DwmExtendFrameIntoClientArea
API String ID: 3291547091-2956373744
Opcode ID: cc41b93bac7ef77e5c5829331b5f2d91e10911707bc9e4b3bb75284856726923
Instruction ID: 611aa7263024d751f308fb3d57e5af9092bc5a71ac2d52dead79affe02cb0da7
Opcode Fuzzy Hash: D0D0A7E4C08511B0F0509405703078241DE1BC5EEE8860E90150E533621B9FB827F65C
Instruction Fuzzy Hash: 611aa7263024d751f308fb3d57e5af9092bc5a71ac2d52dead79affe02cb0da7

APIs

LoadLibraryA.KERNEL32(DWMAPI.DLL), ref: 0042FA0E
GetProcAddress.KERNEL32(00000000,DwmExtendFrameIntoClientArea,?,?,?,00447F98), ref: 0042FA31

Strings

DWMAPI.DLL, xrefs: 0042FA09
DwmExtendFrameIntoClientArea, xrefs: 0042FA26

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042FA80, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31 Total matches: 41libraryloader

Similarity

Total matches: 41
API ID: GetProcAddressLoadLibrary
String ID: DWMAPI.DLL$DwmIsCompositionEnabled
API String ID: 3291547091-2128843254
Opcode ID: 903d86e3198bc805c96c7b960047695f5ec88b3268c29fda1165ed3f3bc36d22
Instruction ID: 6cdb37f6684ca359e010f835ed4616ce0f7732468e0f2b98b5f1960530870703
Opcode Fuzzy Hash: E3D0C9A5C0865175F571D509713068081FA23D6E8A8824998091A123225FAFB866F55C
Instruction Fuzzy Hash: 6cdb37f6684ca359e010f835ed4616ce0f7732468e0f2b98b5f1960530870703

APIs

LoadLibraryA.KERNEL32(DWMAPI.DLL), ref: 0042FAA6
GetProcAddress.KERNEL32(00000000,DwmIsCompositionEnabled,?,?,0042FB22,?,00447EFB), ref: 0042FAC9

Strings

DwmIsCompositionEnabled, xrefs: 0042FABE
DWMAPI.DLL, xrefs: 0042FAA1

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040F4AC, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16 Total matches: 3137libraryloader

Similarity

Total matches: 3137
API ID: GetModuleHandleGetProcAddress
String ID: GetDiskFreeSpaceExA$[FILE]
API String ID: 1063276154-3559590856
Opcode ID: c33e0a58fb58839ae40c410e06ae8006a4b80140bf923832b2d6dbd30699e00d
Instruction ID: 9d6a6771c1a736381c701344b3d7b8e37c98dfc5013332f68a512772380f22cc
Opcode Fuzzy Hash: D8B09224E0D54114C4B4560930610013C82738A10E5019A820A1B720AA7CCEEA29603A
Instruction Fuzzy Hash: 9d6a6771c1a736381c701344b3d7b8e37c98dfc5013332f68a512772380f22cc

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0048F10B,00000000,0048F11E), ref: 0040F4B2
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA,kernel32.dll,?,0048F10B,00000000,0048F11E), ref: 0040F4C3

Strings

GetDiskFreeSpaceExA, xrefs: 0040F4BD
kernel32.dll, xrefs: 0040F4AD

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042EC20, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15 Total matches: 48libraryloader

Similarity

Total matches: 48
API ID: GetModuleHandleGetProcAddress
String ID: CoWaitForMultipleHandles$[FILE]
API String ID: 1063276154-3065170753
Opcode ID: c6d715972c75e747e6d7ad7506eebf8b4c41a2b527cd9bc54a775635c050cd0f
Instruction ID: d81c7de5bd030b21af5c52a75e3162b073d887a4de1eb555b8966bd0fb9ec815
Opcode Fuzzy Hash: 4DB012F9A0C9210CE55F44043163004ACF031C1B5F002FD461637827803F86F437631D
Instruction Fuzzy Hash: d81c7de5bd030b21af5c52a75e3162b073d887a4de1eb555b8966bd0fb9ec815

APIs

GetModuleHandleA.KERNEL32(ole32.dll,?,0042EC9A), ref: 0042EC26
GetProcAddress.KERNEL32(00000000,CoWaitForMultipleHandles,ole32.dll,?,0042EC9A), ref: 0042EC37

Strings

CoWaitForMultipleHandles, xrefs: 0042EC31
ole32.dll, xrefs: 0042EC21

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00411444, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: 954335058d5fe722e048a186d9110509c96c1379a47649d8646f5b9e1a2e0a0b
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: 9D014B0327CAAA867021BB004882FA0D2D4DE52A369CD8774DB71593F62780571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004114F3
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041150F
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00411586
VariantClear.OLEAUT32(?), ref: 004115AF

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00428848, Relevance: 6.1, APIs: 4, Instructions: 83 Total matches: 2913window

Similarity

Total matches: 2913
API ID: CreateCompatibleDCRealizePaletteSelectObjectSelectPalette
String ID:
API String ID: 3833105616-0
Opcode ID: 7f49dee69bcd38fda082a6c54f39db5f53dba16227df2c2f18840f8cf7895046
Instruction ID: 29ada319a87402adac0eebea4d3b1ef9d21249ffa1523adf5174efdc3c3390a2
Opcode Fuzzy Hash: C0F0E5870BCED49BFCA7D484249722910C2F3C08DFC80A3324E55676DB9604B127A20B
Instruction Fuzzy Hash: 29ada319a87402adac0eebea4d3b1ef9d21249ffa1523adf5174efdc3c3390a2

APIs

Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253D8
Part of subcall function 004253D0: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253E5
Part of subcall function 004253D0: EnterCriticalSection.KERNEL32(00000038,00499A30,00499A30,00000000,00423D82,00000000,00423DE1), ref: 004253EE

Part of subcall function 00429D5C: GetDC.USER32(00000000), ref: 00429DB2
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00429DC7
Part of subcall function 00429D5C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00429DD1
Part of subcall function 00429D5C: CreateHalftonePalette.GDI32(00000000), ref: 00429DF5
Part of subcall function 00429D5C: ReleaseDC.USER32(00000000,00000000), ref: 00429E00

CreateCompatibleDC.GDI32(00000000), ref: 0042889D
SelectObject.GDI32(00000000,?), ref: 004288B6
SelectPalette.GDI32(00000000,?,000000FF), ref: 004288DF
RealizePalette.GDI32(00000000), ref: 004288EB

Part of subcall function 00425608: LeaveCriticalSection.KERNEL32(00000038,00000000,00423DD2,00423DE8), ref: 0042560F
Part of subcall function 00425608: EnterCriticalSection.KERNEL32(00499A30,00000038,00000000,00423DD2,00423DE8), ref: 00425619
Part of subcall function 00425608: LeaveCriticalSection.KERNEL32(00499A30,00499A30,00000038,00000000,00423DD2,00423DE8), ref: 00425626

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00438710, Relevance: 6.1, APIs: 4, Instructions: 72 Total matches: 3034window

Similarity

Total matches: 3034
API ID: GetMenuItemIDGetMenuStateGetMenuStringGetSubMenu
String ID:
API String ID: 4177512249-0
Opcode ID: ecc45265f1f2dfcabc36b66648e37788e83d83d46efca9de613be41cbe9cf08e
Instruction ID: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d
Opcode Fuzzy Hash: BEE020084B1FC552541F0A4A1573F019140E142CB69C3F3635127565B31A255213F776
Instruction Fuzzy Hash: 031098d8bc9f8c4502b9092f9a963f5cf98d6534faedec0701fd9f01f8ff2c8d

APIs

GetMenuState.USER32(?,?,?), ref: 00438733
GetSubMenu.USER32(?,?), ref: 0043873E
GetMenuItemID.USER32(?,?), ref: 00438757
GetMenuStringA.USER32(?,?,?,?,?), ref: 004387AA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00445518, Relevance: 6.1, APIs: 4, Instructions: 71 Total matches: 218threadwindow

Similarity

Total matches: 218
API ID: GetCurrentProcessIdGetWindowGetWindowThreadProcessIdIsWindowVisible
String ID:
API String ID: 3659984437-0
Opcode ID: 6a2b99e3a66d445235cbeb6ae27631a3038d73fb4110980a8511166327fee1f0
Instruction ID: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8
Opcode Fuzzy Hash: 82E0AB21B2AA28AAE0971541B01939130B3F74ED9ACC0A3626F8594BD92F253809E74F
Instruction Fuzzy Hash: 167edc35b7d867a8ee47ed101c85fcd54351fb074b2e8024de8cb42b4077e0b8

APIs

GetWindow.USER32(?,00000004), ref: 00445528
GetWindowThreadProcessId.USER32(?,?), ref: 00445542
GetCurrentProcessId.KERNEL32(?,00000004), ref: 0044554E
IsWindowVisible.USER32(?), ref: 0044559E

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B29C, Relevance: 6.1, APIs: 4, Instructions: 58 Total matches: 214window

Similarity

Total matches: 214
API ID: DeleteObject$GetIconInfoGetObject
String ID:
API String ID: 3019347292-0
Opcode ID: d6af2631bec08fa1cf173fc10c555d988242e386d2638a025981433367bbd086
Instruction ID: 7fbc048e39f9dd6e6db5f40543e5f161b145f4c2f282fe4a446dbd8e1941d375
Opcode Fuzzy Hash: F7D0C283228DE2F7ED767D983A636154085F782297C6423B00444730860A1E700C6A03
Instruction Fuzzy Hash: 7fbc048e39f9dd6e6db5f40543e5f161b145f4c2f282fe4a446dbd8e1941d375

APIs

GetIconInfo.USER32(?,?), ref: 0042B2BD
GetObjectA.GDI32(?,00000018,?), ref: 0042B2DE
DeleteObject.GDI32(?), ref: 0042B30A
DeleteObject.GDI32(?), ref: 0042B313

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00445334, Relevance: 6.1, APIs: 4, Instructions: 56 Total matches: 2678

Similarity

Total matches: 2678
API ID: EnumWindowsGetWindowGetWindowLongSetWindowPos
String ID:
API String ID: 1660305372-0
Opcode ID: c3d012854d63b95cd89c42a77d529bdce0f7c5ea0abc138a70ce1ca7fb0ed027
Instruction ID: 7947c1ee61b3a945b06f79495752ea495d4a1fb36974d9d540e15b721e8a8e8a
Opcode Fuzzy Hash: 65E07D89179DA114F52124400911F043342F3D731BD1ADF814246283E39B8522BBFB8C
Instruction Fuzzy Hash: 7947c1ee61b3a945b06f79495752ea495d4a1fb36974d9d540e15b721e8a8e8a

APIs

EnumWindows.USER32(Function_000452BC), ref: 0044535E
GetWindow.USER32(?,00000003), ref: 00445376
GetWindowLongA.USER32(00000000,000000EC), ref: 00445383
SetWindowPos.USER32(00000000,000000EC,00000000,00000000,00000000,00000000,00000213), ref: 004453C2

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040A404, Relevance: 6.1, APIs: 4, Instructions: 54 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: c8f11cb17e652d385e55d6399cfebc752614be738e382b5839b86fc73ea86396
Instruction ID: 2e292ce978d1af3d415e66e5b982e49a92b9d84a3d1479b7871fac408542b61b
Opcode Fuzzy Hash: 32D02B030B309613452F157D0441F8D7032488F01A96C2F8C37B77ABA68505605FFE4C
Instruction Fuzzy Hash: 2e292ce978d1af3d415e66e5b982e49a92b9d84a3d1479b7871fac408542b61b

APIs

FindNextFileA.KERNEL32(?,?), ref: 0040A415
GetLastError.KERNEL32(?,?), ref: 0040A41E
FileTimeToLocalFileTime.KERNEL32(?), ref: 0040A434
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 0040A443

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0041C2D4, Relevance: 6.1, APIs: 4, Instructions: 51 Total matches: 4966

Similarity

Total matches: 4966
API ID: FindResourceLoadResourceLockResourceSizeofResource
String ID:
API String ID: 3653323225-0
Opcode ID: 735dd83644160b8dcfdcb5d85422b4d269a070ba32dbf009b7750e227a354687
Instruction ID: 615d07274e164157e3e11310b2f920de543c2506028dc961f8b3aaf64374c2fd
Opcode Fuzzy Hash: 4BD0A90A2268C100582C2C80002BBC610830A5FE226CC27F902231BBC32C026024F8C4
Instruction Fuzzy Hash: 615d07274e164157e3e11310b2f920de543c2506028dc961f8b3aaf64374c2fd

APIs

FindResourceA.KERNEL32(?,?,?), ref: 0041C2EB
LoadResource.KERNEL32(?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C305
SizeofResource.KERNEL32(?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000,?), ref: 0041C31F
LockResource.KERNEL32(0041BDF4,00000000,?,0041C370,?,0041C370,?,?,?,00417C88,?,00000001,00000000,?,0041C216,00000000), ref: 0041C329

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040A3AC, Relevance: 6.0, APIs: 4, Instructions: 40 Total matches: 51time

Similarity

Total matches: 51
API ID: DosDateTimeToFileTimeGetLastErrorLocalFileTimeToFileTimeSetFileTime
String ID:
API String ID: 3095628216-0
Opcode ID: dc7fe683cb9960f76d0248ee31fd3249d04fe76d6d0b465a838fe0f3e66d3351
Instruction ID: c3399427300e97a0bf23ec08d7f996c3ab3c22a86554ee3675cd901d102723b3
Opcode Fuzzy Hash: F2C0803B165157D71F4F7D7C600375011F0D1778230955B614E019718D4E05F01EFD86
Instruction Fuzzy Hash: c3399427300e97a0bf23ec08d7f996c3ab3c22a86554ee3675cd901d102723b3

APIs

DosDateTimeToFileTime.KERNEL32(?,0048C37F,?), ref: 0040A3C9
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0040A3DA
SetFileTime.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3EC
GetLastError.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3F5

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00484388, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 39

Similarity

Total matches: 39
API ID: CloseHandleGetExitCodeProcessOpenProcessTerminateProcess
String ID:
API String ID: 2790531620-0
Opcode ID: 2f64381cbc02908b23ac036d446d8aeed05bad4df5f4c3da9e72e60ace7043ae
Instruction ID: e830ae185e03603e72926048c7063e7464f7d8c572e36ef4319c937be7ad0c91
Opcode Fuzzy Hash: 5DC01285079EAB7B643571D825437E14084D5026CCB943B7185045F10B4B09B43DF053
Instruction Fuzzy Hash: e830ae185e03603e72926048c7063e7464f7d8c572e36ef4319c937be7ad0c91

APIs

OpenProcess.KERNEL32(00000001,00000000,00000000), ref: 00484393
GetExitCodeProcess.KERNEL32(00000000,?), ref: 004843B7
TerminateProcess.KERNEL32(00000000,?,00000000,004843E0,?,00000001,00000000,00000000), ref: 004843C4
CloseHandle.KERNEL32(00000000), ref: 004843DA

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0044E254, Relevance: 6.0, APIs: 4, Instructions: 37 Total matches: 5751thread

Similarity

Total matches: 5751
API ID: GetCurrentProcessIdGetPropGetWindowThreadProcessIdGlobalFindAtom
String ID:
API String ID: 142914623-0
Opcode ID: 055fee701d7a26f26194a738d8cffb303ddbdfec43439e02886190190dab2487
Instruction ID: e9689aead5eaf442059aa2d418bca5d111d08576717f72d926dd49825766799b
Opcode Fuzzy Hash: 0AC02203AD2E23870E4202F2E840907219583DF8720CA370201B0E38C023F0461DFF0C
Instruction Fuzzy Hash: e9689aead5eaf442059aa2d418bca5d111d08576717f72d926dd49825766799b

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 0044E261
GetCurrentProcessId.KERNEL32(00000000,?,?,-00000010,00000000,0044E2CC,-000000F7,?,00000000,0044DE86,?,-00000010,?), ref: 0044E26A
GlobalFindAtomA.KERNEL32(00000000), ref: 0044E27F
GetPropA.USER32(00000000,00000000), ref: 0044E296

Part of subcall function 0044D2C0: GetWindowThreadProcessId.USER32(?), ref: 0044D2C6
Part of subcall function 0044D2C0: GetCurrentProcessId.KERNEL32(?,?,?,?,0044D346,?,00000000,?,004387ED,?,004378A9), ref: 0044D2CF
Part of subcall function 0044D2C0: SendMessageA.USER32(?,0000C1C7,00000000,00000000), ref: 0044D2E4

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00444B1C, Relevance: 6.0, APIs: 4, Instructions: 34 Total matches: 2966thread

Similarity

Total matches: 2966
API ID: CreateEventCreateThreadGetCurrentThreadIdSetWindowsHookEx
String ID:
API String ID: 2240124278-0
Opcode ID: 54442a1563c67a11f9aee4190ed64b51599c5b098d388fde65e2e60bb6332aef
Instruction ID: 25b62da08cecef26c395931cea73ffe9b62582a88be241cbb158b3c9ea13de32
Opcode Fuzzy Hash: 37D0C940B0DE75C4F860630138017A90633234BF1BCD1C316480F76041C6CFAEF07A28
Instruction Fuzzy Hash: 25b62da08cecef26c395931cea73ffe9b62582a88be241cbb158b3c9ea13de32

APIs

GetCurrentThreadId.KERNEL32(?,00447A69,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00444B34
SetWindowsHookExA.USER32(00000003,00444AD8,00000000,00000000), ref: 00444B44
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00447A69,?,?,?,?,?,?,?,?,?,?), ref: 00444B5F
CreateThread.KERNEL32(00000000,000003E8,00444A7C,00000000,00000000), ref: 00444B83

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042B438, Relevance: 6.0, APIs: 4, Instructions: 29 Total matches: 789

Similarity

Total matches: 789
API ID: GetDCGetTextMetricsReleaseDCSelectObject
String ID:
API String ID: 1769665799-0
Opcode ID: db772d9cc67723a7a89e04e615052b16571c955da3e3b2639a45f22e65d23681
Instruction ID: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3
Opcode Fuzzy Hash: DCC02B935A2888C32DE51FC0940084317C8C0E3A248C62212E13D400727F0C007CBFC0
Instruction Fuzzy Hash: 4ed7beb7f3460283037be9a07201a0451c06436de89e8b886a4f69e721df3de3

APIs

GetDC.USER32(00000000), ref: 0042B441
SelectObject.GDI32(00000000,018A002E), ref: 0042B453
GetTextMetricsA.GDI32(00000000), ref: 0042B45E
ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042473C, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 172 Total matches: 108

Similarity

Total matches: 108
API ID: CompareStringCreateFontIndirect
String ID: Default
API String ID: 480662435-753088835
Opcode ID: 55710f22f10b58c86f866be5b7f1af69a0ec313069c5af8c9f5cd005ee0f43f8
Instruction ID: ad4a051fb67a15694052d05548e5e2a92b9daedfa5d673be67c756d1cf269a99
Opcode Fuzzy Hash: F6116A2104DDB067F8B3EC94B64A74A79D1BBC5E9EC00FB303AA57198A0B01500EEB0E
Instruction Fuzzy Hash: ad4a051fb67a15694052d05548e5e2a92b9daedfa5d673be67c756d1cf269a99

APIs

Part of subcall function 00423A1C: EnterCriticalSection.KERNEL32(?,00423A59), ref: 00423A20

CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,00424930,?,00000000,00424958), ref: 0042486B
CreateFontIndirectA.GDI32(?), ref: 0042490D

Part of subcall function 0042B438: GetDC.USER32(00000000), ref: 0042B441
Part of subcall function 0042B438: SelectObject.GDI32(00000000,018A002E), ref: 0042B453
Part of subcall function 0042B438: GetTextMetricsA.GDI32(00000000), ref: 0042B45E
Part of subcall function 0042B438: ReleaseDC.USER32(00000000,00000000), ref: 0042B46F

Part of subcall function 00423A28: LeaveCriticalSection.KERNEL32(-00000008,00423B07,00423B0F), ref: 00423A2C

Strings

Default, xrefs: 00424832, 00424840, 00424841

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0046E3F0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103 Total matches: 30

Similarity

Total matches: 30
API ID: SHGetPathFromIDListSHGetSpecialFolderLocation
String ID: .LNK
API String ID: 739551631-2547878182
Opcode ID: 6b91e9416f314731ca35917c4d41f2341f1eaddd7b94683245f35c4551080332
Instruction ID: e6ae6f63a256f5e8788dfe1c4fce17057cd352befa637d7beb5ae1c0f18a968e
Opcode Fuzzy Hash: 9701B543079EC2A3D9232E512D43BA60129AF11E22F4C77F35A3C3A7D11E500105FA4A
Instruction Fuzzy Hash: e6ae6f63a256f5e8788dfe1c4fce17057cd352befa637d7beb5ae1c0f18a968e

APIs

SHGetSpecialFolderLocation.SHELL32(00000000,00000010,?), ref: 0046E44B
SHGetPathFromIDListA.SHELL32(?,?,00000000,00000010,?,00000000,0046E55E), ref: 0046E463

Part of subcall function 0042BE44: CoCreateInstance.OLE32(?,00000000,00000005,0042BF34,00000000), ref: 0042BE8B

Strings

.LNK, xrefs: 0046E4DE

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 00472C70, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 98 Total matches: 26

Similarity

Total matches: 26
API ID: SetFileAttributes
String ID: I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!$drivers\etc\hosts
API String ID: 3201317690-57959411
Opcode ID: de1fcf5289fd0d37c0d7642ff538b0d3acf26fbf7f5b53187118226b7e9f9585
Instruction ID: 1f69c6cfd5524e6f1e55c33e322de11738733e7ba85079705839c212502733fc
Opcode Fuzzy Hash: C4012B430F74D723D5173D857800B8922764B4A179D4A77F34B3B796E14E45101BF26D
Instruction Fuzzy Hash: 1f69c6cfd5524e6f1e55c33e322de11738733e7ba85079705839c212502733fc

APIs

Part of subcall function 004719C8: GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 004719DF

SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00472DAB,?,00000000,00472DE7), ref: 00472D16

Strings

drivers\etc\hosts, xrefs: 00472CD3, 00472D00
I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!, xrefs: 00472D8D

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0040C028, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79 Total matches: 3032thread

Similarity

Total matches: 3032
API ID: GetDateFormatGetThreadLocale
String ID: yyyy
API String ID: 358233383-3145165042
Opcode ID: a9ef5bbd8ef47e5bcae7fadb254d6b5dc10943448e4061dc92b10bb97dc7929c
Instruction ID: 3d7ab4add3e8180159f8482215856afc9a1a963464e366b4ca05c92ac214afea
Opcode Fuzzy Hash: 09F09E4A0397D3D76802C969D023BC10194EB5A8B2C88B3B1DBB43D7F74C10C40AAF21
Instruction Fuzzy Hash: 3d7ab4add3e8180159f8482215856afc9a1a963464e366b4ca05c92ac214afea

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,0040C116), ref: 0040C0AE
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100), ref: 0040C0B4

Strings

yyyy, xrefs: 0040C089

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E408, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44 Total matches: 2190

Similarity

Total matches: 2190
API ID: GetSystemMetrics
String ID: MonitorFromPoint
API String ID: 96882338-1072306578
Opcode ID: 666203dad349f535e62b1e5569e849ebaf95d902ba2aa8f549115cec9aadc9dc
Instruction ID: 9e90a3aeaa9df0e76633c437836624889fea8714b6c2508f44f8acb6986c90e8
Opcode Fuzzy Hash: 72D09540005C404E9427F505302314050862CD7C1444C0A96073728A4B4BC07837E70C
Instruction Fuzzy Hash: 9e90a3aeaa9df0e76633c437836624889fea8714b6c2508f44f8acb6986c90e8

APIs

GetSystemMetrics.USER32(00000000), ref: 0042E456
GetSystemMetrics.USER32(00000001), ref: 0042E468

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

Strings

MonitorFromPoint, xrefs: 0042E41A

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Function 0042E258, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39 Total matches: 3131

Similarity

Total matches: 3131
API ID: GetSystemMetrics
String ID: GetSystemMetrics
API String ID: 96882338-96882338
Opcode ID: bbc54e4b5041dfa08de2230ef90e8f32e1264c6e24ec09b97715d86cc98d23e9
Instruction ID: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c
Opcode Fuzzy Hash: B4D0A941986AA908E0AF511971A336358D163D2EA0C8C8362308B329EB5741B520AB01
Instruction Fuzzy Hash: 0f8658efeddd6e55a78ccae8e1171a18b18cf63465936e413d8af650fea7b42c

APIs

GetSystemMetrics.USER32(?), ref: 0042E2BA

Part of subcall function 0042E174: GetProcAddress.KERNEL32(76C70000,00000000,00000000,0042E231), ref: 0042E1F3

GetSystemMetrics.USER32(?), ref: 0042E280

Strings

GetSystemMetrics, xrefs: 0042E268

Memory Dump Source

Source File: 00000003.00000002.699224479.00400000.00000040.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.699370060.00499000.00000040.sdmp
Associated: 00000003.00000002.699381691.0049C000.00000040.sdmp
Associated: 00000003.00000002.699397817.004A3000.00000040.sdmp

Process Name: 66DHL SHIPMENT INFO.exe Analysis ID: 389120

General

Root Process Name:	Regdriver.exe
Process MD5:	C125E5E8896E9043E08493B49C31C0D9
Total matches:	9
Initial Analysis Report:	Open
Initial sample Analysis ID:	389120
Initial sample SHA 256:	3E81EFC218937FCA3B8CA1BEB162BF08B12BF19F508140510C771E9E325FC567
Initial sample name:	66DHL SHIPMENT INF.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
Associated: 00000004.00000002.463306188.00616000.00000008.sdmp

Function 002A38CC, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 118 Total matches: 5

Similarity

Total matches: 5
API ID: RtlEnterCriticalSectionRtlLeaveCriticalSection
String ID: (&
API String ID: 3854333733-3465099688
Opcode ID: 898ad51a0c9d3e22183d6d11792c83aca8057f155fadb67522054e2c20e1a51a
Instruction ID: edc885a348b183dc367533f5d8d72323ab3e7d1323dc10f8a53e663030a3451f
Opcode Fuzzy Hash: 42016D47D5EB8E55EC8B05429671FC70584B711329DC6DF570969600E2BF28F106E38C
Instruction Fuzzy Hash: edc885a348b183dc367533f5d8d72323ab3e7d1323dc10f8a53e663030a3451f

APIs

RtlEnterCriticalSection.NTDLL((&), ref: 002A3920
RtlLeaveCriticalSection.NTDLL((&), ref: 002A3A58

Part of subcall function 002A3088: RtlInitializeCriticalSection.NTDLL((&), ref: 002A309E
Part of subcall function 002A3088: RtlEnterCriticalSection.NTDLL((&), ref: 002A30B1
Part of subcall function 002A3088: LocalAlloc.KERNEL32(00000000,00000FF8,00000000,002A313E), ref: 002A30DB
Part of subcall function 002A3088: RtlLeaveCriticalSection.NTDLL((&), ref: 002A3138

Strings

(&, xrefs: 002A391B, 002A3A53

Memory Dump Source

Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false

Process Name: DOC000YUT090.exe Analysis ID: 45352

General

Root Process Name:	Regdriver.exe
Process MD5:	68DD38B9F0BBC16EF985BEA78DBFDE51
Total matches:	7
Initial Analysis Report:	Open
Initial sample Analysis ID:	45352
Initial sample SHA 256:	2778DDF8E45C6C9E6D469B7D99EEBB0E063CD2F6B6608956B706EE321FCA8B18
Initial sample name:	DOC000YUT090.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 002A53BF, Relevance: 15.1, APIs: 10, Instructions: 122 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: 588ac336a72876fc772d3da1ae1bc98d38ef183fda0b5e2e79c35d54ebb79322
Instruction ID: 16437b7c63c612338c920362736d804e710c2e71501c49da05ba6021d779f865
Opcode Fuzzy Hash: C401680132CD92A7E4AF278085E0BD122587B1BB5CC90CF512294749F4AF95A26CBF0E
Instruction Fuzzy Hash: 16437b7c63c612338c920362736d804e710c2e71501c49da05ba6021d779f865

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 002A5446
GetFileSize.KERNEL32(?,00000000), ref: 002A546A
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000), ref: 002A5486
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 002A54A7
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 002A54D0
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 002A54DA
GetStdHandle.KERNEL32(000000F5), ref: 002A54FA
GetFileType.KERNEL32 ref: 002A5511
CloseHandle.KERNEL32 ref: 002A552C
GetLastError.KERNEL32(000000F5), ref: 002A5546

Memory Dump Source

Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false

Function 002B3578, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 112 Total matches: 3libraryloader

Similarity

Total matches: 3
API ID: GetModuleHandleGetProcAddressLoadLibrary
String ID: could not be located in the dynamic link library $KERNEL32.DLL$LOADER ERROR$The ordinal $The procedure entry point
API String ID: 3886144976-2170670254
Opcode ID: 88efacc329da98b75ff5125b54b7f36181cef52c8a101a4a1e939dd31dd53547
Instruction ID: 9294a896def5fa8fbc2f638c637911e40bd32ea3478ae5a10c3eeb91bdd69ecd
Opcode Fuzzy Hash: BA01475CA3CA5A67CA3B29412D9172504E1DB13D06DDE6B228B75371FF1D00514EF22F
Instruction Fuzzy Hash: 9294a896def5fa8fbc2f638c637911e40bd32ea3478ae5a10c3eeb91bdd69ecd

APIs

LoadLibraryA.KERNEL32(?), ref: 002B359B
GetProcAddress.KERNEL32(?,?,00000000,002B36DD), ref: 002B35AB
GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,00000000,002B36DD), ref: 002B35CF

Strings

could not be located in the dynamic link library , xrefs: 002B362D, 002B368A
LOADER ERROR, xrefs: 002B3658, 002B36B5
The ordinal , xrefs: 002B3607
The procedure entry point , xrefs: 002B3664
KERNEL32.DLL, xrefs: 002B35CA

Memory Dump Source

Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
Associated: 00000004.00000002.463306188.00616000.00000008.sdmp

Function 002A73E0, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167 Total matches: 412

Similarity

Total matches: 412
API ID: GetSystemDefaultLCID
String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
API String ID: 1253799171-665933166
Opcode ID: c4f4c0a5877448acea4195335ae71972721fedb06b30048fd636d8133c8981fc
Instruction ID: 32d1e29d2d360582e5ca3024e97e6dfe6be0e36ef8c59df354a254d10de7c1bb
Opcode Fuzzy Hash: 1C21955D9395C637D88B6E9C188079151A49B2B635FC4CF804BB7A6AE12E90200FB37B
Instruction Fuzzy Hash: 32d1e29d2d360582e5ca3024e97e6dfe6be0e36ef8c59df354a254d10de7c1bb

APIs

GetSystemDefaultLCID.KERNEL32(00000000,002A7628,?,?,?,?,00000000,00000000,00000000), ref: 002A73FA

Part of subcall function 002A7228: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 002A7246

Part of subcall function 002A7274: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,002A7476,00000000,002A7628,?,?,?,?,00000000), ref: 002A7287

Strings

m/d/yy, xrefs: 002A74C9
mmmm d, yyyy, xrefs: 002A74EB
:mm, xrefs: 002A75DC
AMPM, xrefs: 002A75C5
:mm:ss, xrefs: 002A75F6

Memory Dump Source

Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
Associated: 00000004.00000002.463306188.00616000.00000008.sdmp

Function 002A6644, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: 8291d8e60a726b0418ab79f9eef81b9bb57ffefecf15ded0f1122eb310303240
Instruction ID: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a
Opcode Fuzzy Hash: 1FD0124745344A0389ED0D9C40D3D85129245AECB2ABC2F0149BF7F6D709219557FECC
Instruction Fuzzy Hash: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a

APIs

FindNextFileA.KERNEL32(?,?), ref: 002A6654
GetLastError.KERNEL32(?,?), ref: 002A665D
FileTimeToLocalFileTime.KERNEL32(?), ref: 002A6671
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 002A6680

Memory Dump Source

Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false

Function 002B2B9C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 79 Total matches: 3

Similarity

Total matches: 3
API ID: GetWindowsDirectory
String ID: \pagefile.sys$\user.dat
API String ID: 4084383422-633636141
Opcode ID: 52ff10446c29eb4f2453aa28d8dcca9ce27f261b20a4214b4baa6089c4f2e97f
Instruction ID: 467786ba5035c41643f9a1af1aa38e59a4650a95535471f4879671b4515e85e2
Opcode Fuzzy Hash: 5CF0BE831BE0E5EF800377480C4372D04A49787834C943BB6CA79265F42D25C44EE19E
Instruction Fuzzy Hash: 467786ba5035c41643f9a1af1aa38e59a4650a95535471f4879671b4515e85e2

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,002B2CB1), ref: 002B2BDF

Part of subcall function 002A71A4: GetLocalTime.KERNEL32(?), ref: 002A71AC

Strings

\user.dat, xrefs: 002B2C2A
\pagefile.sys, xrefs: 002B2C5E

Memory Dump Source

Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false

Process Name: Po_No_6111875-22.exe Analysis ID: 46407

General

Root Process Name:	Regdriver.exe
Process MD5:	5FF9678FCE561E1942FD09B7FDFA23A1
Total matches:	7
Initial Analysis Report:	Open
Initial sample Analysis ID:	46407
Initial sample SHA 256:	DB93037951961559422B17BC7FC3D74FD06C9D3ECEAEBE8395515E16CF2A6ED4
Initial sample name:	Po_No_6111875-22.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 002A53BF, Relevance: 15.1, APIs: 10, Instructions: 122 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: 588ac336a72876fc772d3da1ae1bc98d38ef183fda0b5e2e79c35d54ebb79322
Instruction ID: 16437b7c63c612338c920362736d804e710c2e71501c49da05ba6021d779f865
Opcode Fuzzy Hash: C401680132CD92A7E4AF278085E0BD122587B1BB5CC90CF512294749F4AF95A26CBF0E
Instruction Fuzzy Hash: 16437b7c63c612338c920362736d804e710c2e71501c49da05ba6021d779f865

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 002A5446
GetFileSize.KERNEL32(?,00000000), ref: 002A546A
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000), ref: 002A5486
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 002A54A7
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 002A54D0
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 002A54DA
GetStdHandle.KERNEL32(000000F5), ref: 002A54FA
GetFileType.KERNEL32 ref: 002A5511
CloseHandle.KERNEL32 ref: 002A552C
GetLastError.KERNEL32(000000F5), ref: 002A5546

Memory Dump Source

Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false

Function 002B3578, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 112 Total matches: 3libraryloader

Similarity

Total matches: 3
API ID: GetModuleHandleGetProcAddressLoadLibrary
String ID: could not be located in the dynamic link library $KERNEL32.DLL$LOADER ERROR$The ordinal $The procedure entry point
API String ID: 3886144976-2170670254
Opcode ID: 88efacc329da98b75ff5125b54b7f36181cef52c8a101a4a1e939dd31dd53547
Instruction ID: 9294a896def5fa8fbc2f638c637911e40bd32ea3478ae5a10c3eeb91bdd69ecd
Opcode Fuzzy Hash: BA01475CA3CA5A67CA3B29412D9172504E1DB13D06DDE6B228B75371FF1D00514EF22F
Instruction Fuzzy Hash: 9294a896def5fa8fbc2f638c637911e40bd32ea3478ae5a10c3eeb91bdd69ecd

APIs

LoadLibraryA.KERNEL32(?), ref: 002B359B
GetProcAddress.KERNEL32(?,?,00000000,002B36DD), ref: 002B35AB
GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,00000000,002B36DD), ref: 002B35CF

Strings

could not be located in the dynamic link library , xrefs: 002B362D, 002B368A
LOADER ERROR, xrefs: 002B3658, 002B36B5
The ordinal , xrefs: 002B3607
The procedure entry point , xrefs: 002B3664
KERNEL32.DLL, xrefs: 002B35CA

Memory Dump Source

Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
Associated: 00000004.00000002.463306188.00616000.00000008.sdmp

Function 002A73E0, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167 Total matches: 412

Similarity

Total matches: 412
API ID: GetSystemDefaultLCID
String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
API String ID: 1253799171-665933166
Opcode ID: c4f4c0a5877448acea4195335ae71972721fedb06b30048fd636d8133c8981fc
Instruction ID: 32d1e29d2d360582e5ca3024e97e6dfe6be0e36ef8c59df354a254d10de7c1bb
Opcode Fuzzy Hash: 1C21955D9395C637D88B6E9C188079151A49B2B635FC4CF804BB7A6AE12E90200FB37B
Instruction Fuzzy Hash: 32d1e29d2d360582e5ca3024e97e6dfe6be0e36ef8c59df354a254d10de7c1bb

APIs

GetSystemDefaultLCID.KERNEL32(00000000,002A7628,?,?,?,?,00000000,00000000,00000000), ref: 002A73FA

Part of subcall function 002A7228: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 002A7246

Part of subcall function 002A7274: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,002A7476,00000000,002A7628,?,?,?,?,00000000), ref: 002A7287

Strings

m/d/yy, xrefs: 002A74C9
mmmm d, yyyy, xrefs: 002A74EB
:mm, xrefs: 002A75DC
AMPM, xrefs: 002A75C5
:mm:ss, xrefs: 002A75F6

Memory Dump Source

Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
Associated: 00000004.00000002.463306188.00616000.00000008.sdmp

Function 002A6644, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: 8291d8e60a726b0418ab79f9eef81b9bb57ffefecf15ded0f1122eb310303240
Instruction ID: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a
Opcode Fuzzy Hash: 1FD0124745344A0389ED0D9C40D3D85129245AECB2ABC2F0149BF7F6D709219557FECC
Instruction Fuzzy Hash: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a

APIs

FindNextFileA.KERNEL32(?,?), ref: 002A6654
GetLastError.KERNEL32(?,?), ref: 002A665D
FileTimeToLocalFileTime.KERNEL32(?), ref: 002A6671
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 002A6680

Memory Dump Source

Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false

Function 002B2B9C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 79 Total matches: 3

Similarity

Total matches: 3
API ID: GetWindowsDirectory
String ID: \pagefile.sys$\user.dat
API String ID: 4084383422-633636141
Opcode ID: 52ff10446c29eb4f2453aa28d8dcca9ce27f261b20a4214b4baa6089c4f2e97f
Instruction ID: 467786ba5035c41643f9a1af1aa38e59a4650a95535471f4879671b4515e85e2
Opcode Fuzzy Hash: 5CF0BE831BE0E5EF800377480C4372D04A49787834C943BB6CA79265F42D25C44EE19E
Instruction Fuzzy Hash: 467786ba5035c41643f9a1af1aa38e59a4650a95535471f4879671b4515e85e2

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,002B2CB1), ref: 002B2BDF

Part of subcall function 002A71A4: GetLocalTime.KERNEL32(?), ref: 002A71AC

Strings

\user.dat, xrefs: 002B2C2A
\pagefile.sys, xrefs: 002B2C5E

Memory Dump Source

Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false

Process Name: VTfIxABUKQX.exe Analysis ID: 37961

General

Root Process Name:	Regdriver.exe
Process MD5:	E8806738A575A6639E7C9AAC882374AE
Total matches:	6
Initial Analysis Report:	Open
Initial sample Analysis ID:	37961
Initial sample SHA 256:	870185E0AA9C8F21FFE5EA148332E3590A7F197B9CA86093F8211EC6F323AEB7
Initial sample name:	image2017-11-22-8137083.vbs

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
Associated: 00000004.00000002.463306188.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
Associated: 00000004.00000002.463306188.00616000.00000008.sdmp

Function 002A6644, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: 8291d8e60a726b0418ab79f9eef81b9bb57ffefecf15ded0f1122eb310303240
Instruction ID: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a
Opcode Fuzzy Hash: 1FD0124745344A0389ED0D9C40D3D85129245AECB2ABC2F0149BF7F6D709219557FECC
Instruction Fuzzy Hash: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a

APIs

FindNextFileA.KERNEL32(?,?), ref: 002A6654
GetLastError.KERNEL32(?,?), ref: 002A665D
FileTimeToLocalFileTime.KERNEL32(?), ref: 002A6671
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 002A6680

Memory Dump Source

Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false

Process Name: window-on-top.tmp Analysis ID: 70878

General

Root Process Name:	Regdriver.exe
Process MD5:	90FC739C83CD19766ACB562C66A7D0E2
Total matches:	6
Initial Analysis Report:	Open
Initial sample Analysis ID:	70878
Initial sample SHA 256:	234942ED1DC29A6A4FBEED97E3967DF28C774B6FB6CA49CC1C51AB03EE3FADEF
Initial sample name:	crestron_usbdriver_w10_module_2.01.527.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
Associated: 00000004.00000002.463306188.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
Associated: 00000004.00000002.463306188.00616000.00000008.sdmp

Process Name: sevnz.exe Analysis ID: 37961

General

Root Process Name:	Regdriver.exe
Process MD5:	E8806738A575A6639E7C9AAC882374AE
Total matches:	6
Initial Analysis Report:	Open
Initial sample Analysis ID:	37961
Initial sample SHA 256:	870185E0AA9C8F21FFE5EA148332E3590A7F197B9CA86093F8211EC6F323AEB7
Initial sample name:	image2017-11-22-8137083.vbs

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
Associated: 00000004.00000002.463306188.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
Associated: 00000004.00000002.463306188.00616000.00000008.sdmp

Function 002A6644, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: 8291d8e60a726b0418ab79f9eef81b9bb57ffefecf15ded0f1122eb310303240
Instruction ID: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a
Opcode Fuzzy Hash: 1FD0124745344A0389ED0D9C40D3D85129245AECB2ABC2F0149BF7F6D709219557FECC
Instruction Fuzzy Hash: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a

APIs

FindNextFileA.KERNEL32(?,?), ref: 002A6654
GetLastError.KERNEL32(?,?), ref: 002A665D
FileTimeToLocalFileTime.KERNEL32(?), ref: 002A6671
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 002A6680

Memory Dump Source

Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false

Process Name: Processo_MPF_0008837353_2014_9_07_90182798772.exe Analysis ID: 31598

General

Root Process Name:	Regdriver.exe
Process MD5:	E1C1EA4A105FBE869EC64AA457C252EB
Total matches:	5
Initial Analysis Report:	Open
Initial sample Analysis ID:	31598
Initial sample SHA 256:	4B056610FE5BAD681089B105CD42BD618470877DCB46E70C2754461612A6DB5C
Initial sample name:	Processo_MPF_0008837353_2014_9_07_90182798772.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 002A53BF, Relevance: 15.1, APIs: 10, Instructions: 122 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: 588ac336a72876fc772d3da1ae1bc98d38ef183fda0b5e2e79c35d54ebb79322
Instruction ID: 16437b7c63c612338c920362736d804e710c2e71501c49da05ba6021d779f865
Opcode Fuzzy Hash: C401680132CD92A7E4AF278085E0BD122587B1BB5CC90CF512294749F4AF95A26CBF0E
Instruction Fuzzy Hash: 16437b7c63c612338c920362736d804e710c2e71501c49da05ba6021d779f865

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 002A5446
GetFileSize.KERNEL32(?,00000000), ref: 002A546A
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000), ref: 002A5486
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 002A54A7
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 002A54D0
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 002A54DA
GetStdHandle.KERNEL32(000000F5), ref: 002A54FA
GetFileType.KERNEL32 ref: 002A5511
CloseHandle.KERNEL32 ref: 002A552C
GetLastError.KERNEL32(000000F5), ref: 002A5546

Memory Dump Source

Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
Associated: 00000004.00000002.463306188.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
Associated: 00000004.00000002.463306188.00616000.00000008.sdmp

Function 002A6644, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: 8291d8e60a726b0418ab79f9eef81b9bb57ffefecf15ded0f1122eb310303240
Instruction ID: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a
Opcode Fuzzy Hash: 1FD0124745344A0389ED0D9C40D3D85129245AECB2ABC2F0149BF7F6D709219557FECC
Instruction Fuzzy Hash: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a

APIs

FindNextFileA.KERNEL32(?,?), ref: 002A6654
GetLastError.KERNEL32(?,?), ref: 002A665D
FileTimeToLocalFileTime.KERNEL32(?), ref: 002A6671
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 002A6680

Memory Dump Source

Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false

Process Name: 71exact replicas of the pictures.scr Analysis ID: 355875

General

Root Process Name:	Regdriver.exe
Process MD5:	2CA36B311F65211EDD9440E953C7824D
Total matches:	5
Initial Analysis Report:	Open
Initial sample Analysis ID:	355875
Initial sample SHA 256:	6CD54C07CBA11E93454E741275DAF57A6AA4312B3F0CC48F73E09985C8488E1A
Initial sample name:	71exact replicas of the pictures.scr

Similar Executed Functions

Similar Non-Executed Functions

Function 002A53BF, Relevance: 15.1, APIs: 10, Instructions: 122 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: 588ac336a72876fc772d3da1ae1bc98d38ef183fda0b5e2e79c35d54ebb79322
Instruction ID: 16437b7c63c612338c920362736d804e710c2e71501c49da05ba6021d779f865
Opcode Fuzzy Hash: C401680132CD92A7E4AF278085E0BD122587B1BB5CC90CF512294749F4AF95A26CBF0E
Instruction Fuzzy Hash: 16437b7c63c612338c920362736d804e710c2e71501c49da05ba6021d779f865

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 002A5446
GetFileSize.KERNEL32(?,00000000), ref: 002A546A
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000), ref: 002A5486
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 002A54A7
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 002A54D0
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 002A54DA
GetStdHandle.KERNEL32(000000F5), ref: 002A54FA
GetFileType.KERNEL32 ref: 002A5511
CloseHandle.KERNEL32 ref: 002A552C
GetLastError.KERNEL32(000000F5), ref: 002A5546

Memory Dump Source

Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false

Function 002B3578, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 112 Total matches: 3libraryloader

Similarity

Total matches: 3
API ID: GetModuleHandleGetProcAddressLoadLibrary
String ID: could not be located in the dynamic link library $KERNEL32.DLL$LOADER ERROR$The ordinal $The procedure entry point
API String ID: 3886144976-2170670254
Opcode ID: 88efacc329da98b75ff5125b54b7f36181cef52c8a101a4a1e939dd31dd53547
Instruction ID: 9294a896def5fa8fbc2f638c637911e40bd32ea3478ae5a10c3eeb91bdd69ecd
Opcode Fuzzy Hash: BA01475CA3CA5A67CA3B29412D9172504E1DB13D06DDE6B228B75371FF1D00514EF22F
Instruction Fuzzy Hash: 9294a896def5fa8fbc2f638c637911e40bd32ea3478ae5a10c3eeb91bdd69ecd

APIs

LoadLibraryA.KERNEL32(?), ref: 002B359B
GetProcAddress.KERNEL32(?,?,00000000,002B36DD), ref: 002B35AB
GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,00000000,002B36DD), ref: 002B35CF

Strings

could not be located in the dynamic link library , xrefs: 002B362D, 002B368A
LOADER ERROR, xrefs: 002B3658, 002B36B5
The ordinal , xrefs: 002B3607
The procedure entry point , xrefs: 002B3664
KERNEL32.DLL, xrefs: 002B35CA

Memory Dump Source

Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false

Function 002A73E0, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167 Total matches: 412

Similarity

Total matches: 412
API ID: GetSystemDefaultLCID
String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
API String ID: 1253799171-665933166
Opcode ID: c4f4c0a5877448acea4195335ae71972721fedb06b30048fd636d8133c8981fc
Instruction ID: 32d1e29d2d360582e5ca3024e97e6dfe6be0e36ef8c59df354a254d10de7c1bb
Opcode Fuzzy Hash: 1C21955D9395C637D88B6E9C188079151A49B2B635FC4CF804BB7A6AE12E90200FB37B
Instruction Fuzzy Hash: 32d1e29d2d360582e5ca3024e97e6dfe6be0e36ef8c59df354a254d10de7c1bb

APIs

GetSystemDefaultLCID.KERNEL32(00000000,002A7628,?,?,?,?,00000000,00000000,00000000), ref: 002A73FA

Part of subcall function 002A7228: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 002A7246

Part of subcall function 002A7274: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,002A7476,00000000,002A7628,?,?,?,?,00000000), ref: 002A7287

Strings

m/d/yy, xrefs: 002A74C9
mmmm d, yyyy, xrefs: 002A74EB
:mm, xrefs: 002A75DC
AMPM, xrefs: 002A75C5
:mm:ss, xrefs: 002A75F6

Memory Dump Source

Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false

Function 002A6644, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: 8291d8e60a726b0418ab79f9eef81b9bb57ffefecf15ded0f1122eb310303240
Instruction ID: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a
Opcode Fuzzy Hash: 1FD0124745344A0389ED0D9C40D3D85129245AECB2ABC2F0149BF7F6D709219557FECC
Instruction Fuzzy Hash: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a

APIs

FindNextFileA.KERNEL32(?,?), ref: 002A6654
GetLastError.KERNEL32(?,?), ref: 002A665D
FileTimeToLocalFileTime.KERNEL32(?), ref: 002A6671
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 002A6680

Memory Dump Source

Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false

Function 002B2B9C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 79 Total matches: 3

Similarity

Total matches: 3
API ID: GetWindowsDirectory
String ID: \pagefile.sys$\user.dat
API String ID: 4084383422-633636141
Opcode ID: 52ff10446c29eb4f2453aa28d8dcca9ce27f261b20a4214b4baa6089c4f2e97f
Instruction ID: 467786ba5035c41643f9a1af1aa38e59a4650a95535471f4879671b4515e85e2
Opcode Fuzzy Hash: 5CF0BE831BE0E5EF800377480C4372D04A49787834C943BB6CA79265F42D25C44EE19E
Instruction Fuzzy Hash: 467786ba5035c41643f9a1af1aa38e59a4650a95535471f4879671b4515e85e2

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,002B2CB1), ref: 002B2BDF

Part of subcall function 002A71A4: GetLocalTime.KERNEL32(?), ref: 002A71AC

Strings

\user.dat, xrefs: 002B2C2A
\pagefile.sys, xrefs: 002B2C5E

Memory Dump Source

Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false

Process Name: pQwinup.exe Analysis ID: 32007

General

Root Process Name:	Regdriver.exe
Process MD5:	B56AA07E5FE953431CA8DE5326D6953D
Total matches:	5
Initial Analysis Report:	Open
Initial sample Analysis ID:	32007
Initial sample SHA 256:	199A33F16BCC4DD012A3A4738CE5A2B21647150D09C84A1CC8C05338DB03E90E
Initial sample name:	Charter Embarkation & Destination Details.vbs

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
Associated: 00000004.00000002.463306188.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
Associated: 00000004.00000002.463306188.00616000.00000008.sdmp

Function 002A6644, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: 8291d8e60a726b0418ab79f9eef81b9bb57ffefecf15ded0f1122eb310303240
Instruction ID: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a
Opcode Fuzzy Hash: 1FD0124745344A0389ED0D9C40D3D85129245AECB2ABC2F0149BF7F6D709219557FECC
Instruction Fuzzy Hash: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a

APIs

FindNextFileA.KERNEL32(?,?), ref: 002A6654
GetLastError.KERNEL32(?,?), ref: 002A665D
FileTimeToLocalFileTime.KERNEL32(?), ref: 002A6671
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 002A6680

Memory Dump Source

Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false

Process Name: data.exe Analysis ID: 32007

General

Root Process Name:	Regdriver.exe
Process MD5:	B56AA07E5FE953431CA8DE5326D6953D
Total matches:	5
Initial Analysis Report:	Open
Initial sample Analysis ID:	32007
Initial sample SHA 256:	199A33F16BCC4DD012A3A4738CE5A2B21647150D09C84A1CC8C05338DB03E90E
Initial sample name:	Charter Embarkation & Destination Details.vbs

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
Associated: 00000004.00000002.463306188.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
Associated: 00000004.00000002.463306188.00616000.00000008.sdmp

Function 002A6644, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: 8291d8e60a726b0418ab79f9eef81b9bb57ffefecf15ded0f1122eb310303240
Instruction ID: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a
Opcode Fuzzy Hash: 1FD0124745344A0389ED0D9C40D3D85129245AECB2ABC2F0149BF7F6D709219557FECC
Instruction Fuzzy Hash: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a

APIs

FindNextFileA.KERNEL32(?,?), ref: 002A6654
GetLastError.KERNEL32(?,?), ref: 002A665D
FileTimeToLocalFileTime.KERNEL32(?), ref: 002A6671
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 002A6680

Memory Dump Source

Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false

Process Name: New Purchase Order No.0567.exe Analysis ID: 64048

General

Root Process Name:	Regdriver.exe
Process MD5:	76E104EBA0BB25DA3B345C6F351BAF42
Total matches:	5
Initial Analysis Report:	Open
Initial sample Analysis ID:	64048
Initial sample SHA 256:	8D88DAFBDE4072958A6B433F70F0131D88D8579B0A43EEADCB50B8E006ED8116
Initial sample name:	New Purchase Order No.056.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 002A53BF, Relevance: 15.1, APIs: 10, Instructions: 122 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: 588ac336a72876fc772d3da1ae1bc98d38ef183fda0b5e2e79c35d54ebb79322
Instruction ID: 16437b7c63c612338c920362736d804e710c2e71501c49da05ba6021d779f865
Opcode Fuzzy Hash: C401680132CD92A7E4AF278085E0BD122587B1BB5CC90CF512294749F4AF95A26CBF0E
Instruction Fuzzy Hash: 16437b7c63c612338c920362736d804e710c2e71501c49da05ba6021d779f865

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 002A5446
GetFileSize.KERNEL32(?,00000000), ref: 002A546A
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000), ref: 002A5486
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 002A54A7
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 002A54D0
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 002A54DA
GetStdHandle.KERNEL32(000000F5), ref: 002A54FA
GetFileType.KERNEL32 ref: 002A5511
CloseHandle.KERNEL32 ref: 002A552C
GetLastError.KERNEL32(000000F5), ref: 002A5546

Memory Dump Source

Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
Associated: 00000004.00000002.463306188.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
Associated: 00000004.00000002.463306188.00616000.00000008.sdmp

Function 002A6644, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: 8291d8e60a726b0418ab79f9eef81b9bb57ffefecf15ded0f1122eb310303240
Instruction ID: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a
Opcode Fuzzy Hash: 1FD0124745344A0389ED0D9C40D3D85129245AECB2ABC2F0149BF7F6D709219557FECC
Instruction Fuzzy Hash: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a

APIs

FindNextFileA.KERNEL32(?,?), ref: 002A6654
GetLastError.KERNEL32(?,?), ref: 002A665D
FileTimeToLocalFileTime.KERNEL32(?), ref: 002A6671
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 002A6680

Memory Dump Source

Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false

Process Name: RFQ-857369 {Draft copy}.exe Analysis ID: 71697

General

Root Process Name:	Regdriver.exe
Process MD5:	028D4FD059E8A0F2F9E8C1635D036E2A
Total matches:	5
Initial Analysis Report:	Open
Initial sample Analysis ID:	71697
Initial sample SHA 256:	EB95BF9222CAEE7FBB65B2780A0C48DCB076196D75EFBBE1D1D677BB516C8069
Initial sample name:	1.doc

Similar Executed Functions

Similar Non-Executed Functions

Function 002A53BF, Relevance: 15.1, APIs: 10, Instructions: 122 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: 588ac336a72876fc772d3da1ae1bc98d38ef183fda0b5e2e79c35d54ebb79322
Instruction ID: 16437b7c63c612338c920362736d804e710c2e71501c49da05ba6021d779f865
Opcode Fuzzy Hash: C401680132CD92A7E4AF278085E0BD122587B1BB5CC90CF512294749F4AF95A26CBF0E
Instruction Fuzzy Hash: 16437b7c63c612338c920362736d804e710c2e71501c49da05ba6021d779f865

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 002A5446
GetFileSize.KERNEL32(?,00000000), ref: 002A546A
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000), ref: 002A5486
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 002A54A7
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 002A54D0
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 002A54DA
GetStdHandle.KERNEL32(000000F5), ref: 002A54FA
GetFileType.KERNEL32 ref: 002A5511
CloseHandle.KERNEL32 ref: 002A552C
GetLastError.KERNEL32(000000F5), ref: 002A5546

Memory Dump Source

Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
Associated: 00000004.00000002.463306188.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
Associated: 00000004.00000002.463306188.00616000.00000008.sdmp

Function 002A6644, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: 8291d8e60a726b0418ab79f9eef81b9bb57ffefecf15ded0f1122eb310303240
Instruction ID: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a
Opcode Fuzzy Hash: 1FD0124745344A0389ED0D9C40D3D85129245AECB2ABC2F0149BF7F6D709219557FECC
Instruction Fuzzy Hash: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a

APIs

FindNextFileA.KERNEL32(?,?), ref: 002A6654
GetLastError.KERNEL32(?,?), ref: 002A665D
FileTimeToLocalFileTime.KERNEL32(?), ref: 002A6671
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 002A6680

Memory Dump Source

Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false

Process Name: darkcomet.exe Analysis ID: 41363

General

Root Process Name:	Regdriver.exe
Process MD5:	5A790B57A083A6B0FDDC5BACBBBD95DE
Total matches:	5
Initial Analysis Report:	Open
Initial sample Analysis ID:	41363
Initial sample SHA 256:	3C9E853D9D3924C45DD8C5CB92F002422E6151FAE739E53DB26C4945D4463876
Initial sample name:	darkcomet.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 002A53BF, Relevance: 15.1, APIs: 10, Instructions: 122 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: 588ac336a72876fc772d3da1ae1bc98d38ef183fda0b5e2e79c35d54ebb79322
Instruction ID: 16437b7c63c612338c920362736d804e710c2e71501c49da05ba6021d779f865
Opcode Fuzzy Hash: C401680132CD92A7E4AF278085E0BD122587B1BB5CC90CF512294749F4AF95A26CBF0E
Instruction Fuzzy Hash: 16437b7c63c612338c920362736d804e710c2e71501c49da05ba6021d779f865

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 002A5446
GetFileSize.KERNEL32(?,00000000), ref: 002A546A
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000), ref: 002A5486
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 002A54A7
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 002A54D0
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 002A54DA
GetStdHandle.KERNEL32(000000F5), ref: 002A54FA
GetFileType.KERNEL32 ref: 002A5511
CloseHandle.KERNEL32 ref: 002A552C
GetLastError.KERNEL32(000000F5), ref: 002A5546

Memory Dump Source

Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
Associated: 00000004.00000002.463306188.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
Associated: 00000004.00000002.463306188.00616000.00000008.sdmp

Function 002A6644, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: 8291d8e60a726b0418ab79f9eef81b9bb57ffefecf15ded0f1122eb310303240
Instruction ID: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a
Opcode Fuzzy Hash: 1FD0124745344A0389ED0D9C40D3D85129245AECB2ABC2F0149BF7F6D709219557FECC
Instruction Fuzzy Hash: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a

APIs

FindNextFileA.KERNEL32(?,?), ref: 002A6654
GetLastError.KERNEL32(?,?), ref: 002A665D
FileTimeToLocalFileTime.KERNEL32(?), ref: 002A6671
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 002A6680

Memory Dump Source

Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false

Process Name: SCAN00GOG0900.exe Analysis ID: 48661

General

Root Process Name:	Regdriver.exe
Process MD5:	F51025B7377A6E1195B92C43C02AE280
Total matches:	5
Initial Analysis Report:	Open
Initial sample Analysis ID:	48661
Initial sample SHA 256:	3BC676885FCB24D6743D5EC70E405FFB4A45DC1CA41F7FCEC4863E719DCE69B3
Initial sample name:	SCAN00GOG090.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 002A53BF, Relevance: 15.1, APIs: 10, Instructions: 122 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: 588ac336a72876fc772d3da1ae1bc98d38ef183fda0b5e2e79c35d54ebb79322
Instruction ID: 16437b7c63c612338c920362736d804e710c2e71501c49da05ba6021d779f865
Opcode Fuzzy Hash: C401680132CD92A7E4AF278085E0BD122587B1BB5CC90CF512294749F4AF95A26CBF0E
Instruction Fuzzy Hash: 16437b7c63c612338c920362736d804e710c2e71501c49da05ba6021d779f865

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 002A5446
GetFileSize.KERNEL32(?,00000000), ref: 002A546A
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000), ref: 002A5486
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 002A54A7
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 002A54D0
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 002A54DA
GetStdHandle.KERNEL32(000000F5), ref: 002A54FA
GetFileType.KERNEL32 ref: 002A5511
CloseHandle.KERNEL32 ref: 002A552C
GetLastError.KERNEL32(000000F5), ref: 002A5546

Memory Dump Source

Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
Associated: 00000004.00000002.463306188.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
Associated: 00000004.00000002.463306188.00616000.00000008.sdmp

Function 002A6644, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: 8291d8e60a726b0418ab79f9eef81b9bb57ffefecf15ded0f1122eb310303240
Instruction ID: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a
Opcode Fuzzy Hash: 1FD0124745344A0389ED0D9C40D3D85129245AECB2ABC2F0149BF7F6D709219557FECC
Instruction Fuzzy Hash: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a

APIs

FindNextFileA.KERNEL32(?,?), ref: 002A6654
GetLastError.KERNEL32(?,?), ref: 002A665D
FileTimeToLocalFileTime.KERNEL32(?), ref: 002A6671
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 002A6680

Memory Dump Source

Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false

Process Name: pQwinup.exe Analysis ID: 32007

General

Root Process Name:	Regdriver.exe
Process MD5:	B56AA07E5FE953431CA8DE5326D6953D
Total matches:	5
Initial Analysis Report:	Open
Initial sample Analysis ID:	32007
Initial sample SHA 256:	199A33F16BCC4DD012A3A4738CE5A2B21647150D09C84A1CC8C05338DB03E90E
Initial sample name:	Charter Embarkation & Destination Details.vbs

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
Associated: 00000004.00000002.463306188.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
Associated: 00000004.00000002.463306188.00616000.00000008.sdmp

Function 002A6644, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: 8291d8e60a726b0418ab79f9eef81b9bb57ffefecf15ded0f1122eb310303240
Instruction ID: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a
Opcode Fuzzy Hash: 1FD0124745344A0389ED0D9C40D3D85129245AECB2ABC2F0149BF7F6D709219557FECC
Instruction Fuzzy Hash: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a

APIs

FindNextFileA.KERNEL32(?,?), ref: 002A6654
GetLastError.KERNEL32(?,?), ref: 002A665D
FileTimeToLocalFileTime.KERNEL32(?), ref: 002A6671
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 002A6680

Memory Dump Source

Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false

Process Name: drivermax_9_14_cnet.tmp Analysis ID: 29247

General

Root Process Name:	Regdriver.exe
Process MD5:	AB126F7F9FF2E7902FF2BBDC1A6D3158
Total matches:	5
Initial Analysis Report:	Open
Initial sample Analysis ID:	29247
Initial sample SHA 256:	4621B64A0948B5E2B76191627C24218D311ABA0B5E8878C31727E99C40337E66
Initial sample name:	drivermax_9_14_cnet.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 002A53BF, Relevance: 15.1, APIs: 10, Instructions: 122 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: 588ac336a72876fc772d3da1ae1bc98d38ef183fda0b5e2e79c35d54ebb79322
Instruction ID: 16437b7c63c612338c920362736d804e710c2e71501c49da05ba6021d779f865
Opcode Fuzzy Hash: C401680132CD92A7E4AF278085E0BD122587B1BB5CC90CF512294749F4AF95A26CBF0E
Instruction Fuzzy Hash: 16437b7c63c612338c920362736d804e710c2e71501c49da05ba6021d779f865

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 002A5446
GetFileSize.KERNEL32(?,00000000), ref: 002A546A
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000), ref: 002A5486
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 002A54A7
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 002A54D0
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 002A54DA
GetStdHandle.KERNEL32(000000F5), ref: 002A54FA
GetFileType.KERNEL32 ref: 002A5511
CloseHandle.KERNEL32 ref: 002A552C
GetLastError.KERNEL32(000000F5), ref: 002A5546

Memory Dump Source

Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
Associated: 00000004.00000002.463306188.00616000.00000008.sdmp

Function 002A73E0, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167 Total matches: 412

Similarity

Total matches: 412
API ID: GetSystemDefaultLCID
String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
API String ID: 1253799171-665933166
Opcode ID: c4f4c0a5877448acea4195335ae71972721fedb06b30048fd636d8133c8981fc
Instruction ID: 32d1e29d2d360582e5ca3024e97e6dfe6be0e36ef8c59df354a254d10de7c1bb
Opcode Fuzzy Hash: 1C21955D9395C637D88B6E9C188079151A49B2B635FC4CF804BB7A6AE12E90200FB37B
Instruction Fuzzy Hash: 32d1e29d2d360582e5ca3024e97e6dfe6be0e36ef8c59df354a254d10de7c1bb

APIs

GetSystemDefaultLCID.KERNEL32(00000000,002A7628,?,?,?,?,00000000,00000000,00000000), ref: 002A73FA

Part of subcall function 002A7228: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 002A7246

Part of subcall function 002A7274: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,002A7476,00000000,002A7628,?,?,?,?,00000000), ref: 002A7287

Strings

m/d/yy, xrefs: 002A74C9
mmmm d, yyyy, xrefs: 002A74EB
:mm, xrefs: 002A75DC
AMPM, xrefs: 002A75C5
:mm:ss, xrefs: 002A75F6

Memory Dump Source

Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
Associated: 00000004.00000002.463306188.00616000.00000008.sdmp

Process Name: K9tdOxcj76.exe Analysis ID: 38384

General

Root Process Name:	Regdriver.exe
Process MD5:	624023448A39E6EADB9F7722FAE2DCD3
Total matches:	5
Initial Analysis Report:	Open
Initial sample Analysis ID:	38384
Initial sample SHA 256:	B111124CED4570DF72CEFD1B5D0D1AFC1F1DAE7DB1319C4E720F52C23B76C0AD
Initial sample name:	K9tdOxcj76.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
Associated: 00000004.00000002.463306188.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
Associated: 00000004.00000002.463306188.00616000.00000008.sdmp

Function 002A6644, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: 8291d8e60a726b0418ab79f9eef81b9bb57ffefecf15ded0f1122eb310303240
Instruction ID: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a
Opcode Fuzzy Hash: 1FD0124745344A0389ED0D9C40D3D85129245AECB2ABC2F0149BF7F6D709219557FECC
Instruction Fuzzy Hash: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a

APIs

FindNextFileA.KERNEL32(?,?), ref: 002A6654
GetLastError.KERNEL32(?,?), ref: 002A665D
FileTimeToLocalFileTime.KERNEL32(?), ref: 002A6671
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 002A6680

Memory Dump Source

Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false

Process Name: darkcomet-irixo.exe.exe Analysis ID: 58114

General

Root Process Name:	Regdriver.exe
Process MD5:	4716314D197F0B5485AEA5142842E06C
Total matches:	5
Initial Analysis Report:	Open
Initial sample Analysis ID:	58114
Initial sample SHA 256:	4FB60E4BD29B1747F5D232E01136F5699AB5C789C654B0808A8E44D3CBF432D9
Initial sample name:	darkcomet-irixo.exe.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 002A53BF, Relevance: 15.1, APIs: 10, Instructions: 122 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: 588ac336a72876fc772d3da1ae1bc98d38ef183fda0b5e2e79c35d54ebb79322
Instruction ID: 16437b7c63c612338c920362736d804e710c2e71501c49da05ba6021d779f865
Opcode Fuzzy Hash: C401680132CD92A7E4AF278085E0BD122587B1BB5CC90CF512294749F4AF95A26CBF0E
Instruction Fuzzy Hash: 16437b7c63c612338c920362736d804e710c2e71501c49da05ba6021d779f865

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 002A5446
GetFileSize.KERNEL32(?,00000000), ref: 002A546A
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000), ref: 002A5486
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 002A54A7
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 002A54D0
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 002A54DA
GetStdHandle.KERNEL32(000000F5), ref: 002A54FA
GetFileType.KERNEL32 ref: 002A5511
CloseHandle.KERNEL32 ref: 002A552C
GetLastError.KERNEL32(000000F5), ref: 002A5546

Memory Dump Source

Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
Associated: 00000004.00000002.463306188.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
Associated: 00000004.00000002.463306188.00616000.00000008.sdmp

Function 002A6644, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: 8291d8e60a726b0418ab79f9eef81b9bb57ffefecf15ded0f1122eb310303240
Instruction ID: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a
Opcode Fuzzy Hash: 1FD0124745344A0389ED0D9C40D3D85129245AECB2ABC2F0149BF7F6D709219557FECC
Instruction Fuzzy Hash: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a

APIs

FindNextFileA.KERNEL32(?,?), ref: 002A6654
GetLastError.KERNEL32(?,?), ref: 002A665D
FileTimeToLocalFileTime.KERNEL32(?), ref: 002A6671
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 002A6680

Memory Dump Source

Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false

Process Name: yBLTd2qfZO.exe Analysis ID: 54872

General

Root Process Name:	Regdriver.exe
Process MD5:	03BB99E62C4CD6C4432DCA32DE043957
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	54872
Initial sample SHA 256:	682564B5D211B17254870DD8B2473D8E557D0F195441D14DDF7109048BA79F44
Initial sample name:	yBLTd2qfZO.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 002A53BF, Relevance: 15.1, APIs: 10, Instructions: 122 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: 588ac336a72876fc772d3da1ae1bc98d38ef183fda0b5e2e79c35d54ebb79322
Instruction ID: 16437b7c63c612338c920362736d804e710c2e71501c49da05ba6021d779f865
Opcode Fuzzy Hash: C401680132CD92A7E4AF278085E0BD122587B1BB5CC90CF512294749F4AF95A26CBF0E
Instruction Fuzzy Hash: 16437b7c63c612338c920362736d804e710c2e71501c49da05ba6021d779f865

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 002A5446
GetFileSize.KERNEL32(?,00000000), ref: 002A546A
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000), ref: 002A5486
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 002A54A7
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 002A54D0
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 002A54DA
GetStdHandle.KERNEL32(000000F5), ref: 002A54FA
GetFileType.KERNEL32 ref: 002A5511
CloseHandle.KERNEL32 ref: 002A552C
GetLastError.KERNEL32(000000F5), ref: 002A5546

Memory Dump Source

Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
Associated: 00000004.00000002.463306188.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
Associated: 00000004.00000002.463306188.00616000.00000008.sdmp

Function 002A6644, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: 8291d8e60a726b0418ab79f9eef81b9bb57ffefecf15ded0f1122eb310303240
Instruction ID: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a
Opcode Fuzzy Hash: 1FD0124745344A0389ED0D9C40D3D85129245AECB2ABC2F0149BF7F6D709219557FECC
Instruction Fuzzy Hash: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a

APIs

FindNextFileA.KERNEL32(?,?), ref: 002A6654
GetLastError.KERNEL32(?,?), ref: 002A665D
FileTimeToLocalFileTime.KERNEL32(?), ref: 002A6671
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 002A6680

Memory Dump Source

Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false

Process Name: Hsksdycn.exe Analysis ID: 37311

General

Root Process Name:	Regdriver.exe
Process MD5:	EEC006D47C4E68C91A6943F86A58ABBA
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	37311
Initial sample SHA 256:	A4D39395175CAE45FA61490507FC6D20E6BA5529E75551BBC0CBA712F06785C7
Initial sample name:	Hsksdycn.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
Associated: 00000004.00000002.463306188.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
Associated: 00000004.00000002.463306188.00616000.00000008.sdmp

Process Name: Paint.exe Analysis ID: 46203

General

Root Process Name:	Regdriver.exe
Process MD5:	EC2ECFF8B5F270506F95A5153AEEC6F8
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	46203
Initial sample SHA 256:	0AC12D0D7F3916439A2E0E1B921D01BECFA175A841896B0981CE19463D9CE8D5
Initial sample name:	45NNNN####.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 002A53BF, Relevance: 15.1, APIs: 10, Instructions: 122 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: 588ac336a72876fc772d3da1ae1bc98d38ef183fda0b5e2e79c35d54ebb79322
Instruction ID: 16437b7c63c612338c920362736d804e710c2e71501c49da05ba6021d779f865
Opcode Fuzzy Hash: C401680132CD92A7E4AF278085E0BD122587B1BB5CC90CF512294749F4AF95A26CBF0E
Instruction Fuzzy Hash: 16437b7c63c612338c920362736d804e710c2e71501c49da05ba6021d779f865

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 002A5446
GetFileSize.KERNEL32(?,00000000), ref: 002A546A
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000), ref: 002A5486
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 002A54A7
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 002A54D0
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 002A54DA
GetStdHandle.KERNEL32(000000F5), ref: 002A54FA
GetFileType.KERNEL32 ref: 002A5511
CloseHandle.KERNEL32 ref: 002A552C
GetLastError.KERNEL32(000000F5), ref: 002A5546

Memory Dump Source

Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
Associated: 00000004.00000002.463306188.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
Associated: 00000004.00000002.463306188.00616000.00000008.sdmp

Function 002A6644, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: 8291d8e60a726b0418ab79f9eef81b9bb57ffefecf15ded0f1122eb310303240
Instruction ID: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a
Opcode Fuzzy Hash: 1FD0124745344A0389ED0D9C40D3D85129245AECB2ABC2F0149BF7F6D709219557FECC
Instruction Fuzzy Hash: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a

APIs

FindNextFileA.KERNEL32(?,?), ref: 002A6654
GetLastError.KERNEL32(?,?), ref: 002A665D
FileTimeToLocalFileTime.KERNEL32(?), ref: 002A6671
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 002A6680

Memory Dump Source

Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false

Process Name: 58DHL Shipment Doc# 070881019.exe Analysis ID: 38736

General

Root Process Name:	Regdriver.exe
Process MD5:	84F29ADF5A558248B2F8CDD64ACA919C
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	38736
Initial sample SHA 256:	CD4D5779616ABCDA8CB8AD4743C4E8411CC46F4414B02948D2329E05870F4C73
Initial sample name:	58DHL Shipment Doc# 070881019.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
Associated: 00000004.00000002.463306188.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
Associated: 00000004.00000002.463306188.00616000.00000008.sdmp

Process Name: 47PAYMENT.exe Analysis ID: 38767

General

Root Process Name:	Regdriver.exe
Process MD5:	3CF908E5EE436FDF3D2B780400866C7D
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	38767
Initial sample SHA 256:	46954E2B964858B303E9D4DF04251E614CBC4D69E43206ABF532EF8DA23CB5C0
Initial sample name:	47PAYMENT.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
Associated: 00000004.00000002.463306188.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
Associated: 00000004.00000002.463306188.00616000.00000008.sdmp

Process Name: Paint.exe Analysis ID: 48244

General

Root Process Name:	Regdriver.exe
Process MD5:	D02D11222196B056FAC8A02EEB6BFAFF
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	48244
Initial sample SHA 256:	C1DCEB8932F96AEBE71D9A8AF29B8149C8EFBDFDA51F96251457FCFCD0D6FDBD
Initial sample name:	63scan swift 1123242#usd.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 002A53BF, Relevance: 15.1, APIs: 10, Instructions: 122 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: 588ac336a72876fc772d3da1ae1bc98d38ef183fda0b5e2e79c35d54ebb79322
Instruction ID: 16437b7c63c612338c920362736d804e710c2e71501c49da05ba6021d779f865
Opcode Fuzzy Hash: C401680132CD92A7E4AF278085E0BD122587B1BB5CC90CF512294749F4AF95A26CBF0E
Instruction Fuzzy Hash: 16437b7c63c612338c920362736d804e710c2e71501c49da05ba6021d779f865

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 002A5446
GetFileSize.KERNEL32(?,00000000), ref: 002A546A
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000), ref: 002A5486
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 002A54A7
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 002A54D0
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 002A54DA
GetStdHandle.KERNEL32(000000F5), ref: 002A54FA
GetFileType.KERNEL32 ref: 002A5511
CloseHandle.KERNEL32 ref: 002A552C
GetLastError.KERNEL32(000000F5), ref: 002A5546

Memory Dump Source

Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
Associated: 00000004.00000002.463306188.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
Associated: 00000004.00000002.463306188.00616000.00000008.sdmp

Function 002A6644, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: 8291d8e60a726b0418ab79f9eef81b9bb57ffefecf15ded0f1122eb310303240
Instruction ID: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a
Opcode Fuzzy Hash: 1FD0124745344A0389ED0D9C40D3D85129245AECB2ABC2F0149BF7F6D709219557FECC
Instruction Fuzzy Hash: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a

APIs

FindNextFileA.KERNEL32(?,?), ref: 002A6654
GetLastError.KERNEL32(?,?), ref: 002A665D
FileTimeToLocalFileTime.KERNEL32(?), ref: 002A6671
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 002A6680

Memory Dump Source

Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false

Process Name: 46INSTRUCTIONS TO BIDDERS AND ACKNOWLEDGEMENT.PDF.exe Analysis ID: 349956

General

Root Process Name:	Regdriver.exe
Process MD5:	0DB348AF300B367E15F896ADB41BDF6F
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	349956
Initial sample SHA 256:	277D18E72CB1A9BB0BAE2424704E2575362DD9DA8A07BAEF2FB09A352FE57EDC
Initial sample name:	46INSTRUCTIONS TO BIDDERS AND ACKNOWLEDGEMENT.PDF.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 002A53BF, Relevance: 15.1, APIs: 10, Instructions: 122 Total matches: 908file

Similarity

Total matches: 908
API ID: SetFilePointer$CloseHandleCreateFileGetFileSizeGetFileTypeGetLastErrorGetStdHandleReadFileSetEndOfFile
String ID:
API String ID: 16075290-0
Opcode ID: 588ac336a72876fc772d3da1ae1bc98d38ef183fda0b5e2e79c35d54ebb79322
Instruction ID: 16437b7c63c612338c920362736d804e710c2e71501c49da05ba6021d779f865
Opcode Fuzzy Hash: C401680132CD92A7E4AF278085E0BD122587B1BB5CC90CF512294749F4AF95A26CBF0E
Instruction Fuzzy Hash: 16437b7c63c612338c920362736d804e710c2e71501c49da05ba6021d779f865

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 002A5446
GetFileSize.KERNEL32(?,00000000), ref: 002A546A
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000), ref: 002A5486
ReadFile.KERNEL32(?,?,00000080,?,00000000), ref: 002A54A7
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 002A54D0
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 002A54DA
GetStdHandle.KERNEL32(000000F5), ref: 002A54FA
GetFileType.KERNEL32 ref: 002A5511
CloseHandle.KERNEL32 ref: 002A552C
GetLastError.KERNEL32(000000F5), ref: 002A5546

Memory Dump Source

Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
Associated: 00000004.00000002.463306188.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
Associated: 00000004.00000002.463306188.00616000.00000008.sdmp

Function 002A6644, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: 8291d8e60a726b0418ab79f9eef81b9bb57ffefecf15ded0f1122eb310303240
Instruction ID: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a
Opcode Fuzzy Hash: 1FD0124745344A0389ED0D9C40D3D85129245AECB2ABC2F0149BF7F6D709219557FECC
Instruction Fuzzy Hash: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a

APIs

FindNextFileA.KERNEL32(?,?), ref: 002A6654
GetLastError.KERNEL32(?,?), ref: 002A665D
FileTimeToLocalFileTime.KERNEL32(?), ref: 002A6671
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 002A6680

Memory Dump Source

Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false

Process Name: rnicrosoft.exe Analysis ID: 37144

General

Root Process Name:	Regdriver.exe
Process MD5:	03650E61AE4CD9D316DC59A0EB1E1BBA
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	37144
Initial sample SHA 256:	F6E78BF391F48D0337AA352DD657958B92D65466DAE8893CD7DFECB00C8E0A79
Initial sample name:	17Bank copy 13-11-2017.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
Associated: 00000004.00000002.463306188.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
Associated: 00000004.00000002.463306188.00616000.00000008.sdmp

Function 002A6644, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: 8291d8e60a726b0418ab79f9eef81b9bb57ffefecf15ded0f1122eb310303240
Instruction ID: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a
Opcode Fuzzy Hash: 1FD0124745344A0389ED0D9C40D3D85129245AECB2ABC2F0149BF7F6D709219557FECC
Instruction Fuzzy Hash: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a

APIs

FindNextFileA.KERNEL32(?,?), ref: 002A6654
GetLastError.KERNEL32(?,?), ref: 002A665D
FileTimeToLocalFileTime.KERNEL32(?), ref: 002A6671
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 002A6680

Memory Dump Source

Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false

Process Name: 37statement of account.exe Analysis ID: 37467

General

Root Process Name:	Regdriver.exe
Process MD5:	151AB14A9FAE18D9DF3E040F213BFA1C
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	37467
Initial sample SHA 256:	7EE2343156522F16C12ABC8C0F2741BA87F20211B27153FB637C7C20D439FC71
Initial sample name:	37statement of account.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
Associated: 00000004.00000002.463306188.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
Associated: 00000004.00000002.463306188.00616000.00000008.sdmp

Process Name: 49Bank copy 17-11-2017.exe Analysis ID: 37438

General

Root Process Name:	Regdriver.exe
Process MD5:	0E14513130F478BACF44E074A526AE21
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	37438
Initial sample SHA 256:	B36A14DAD895657F3AD9E3B7AB90A543B788443A6E178C3042C0A614AC003A3B
Initial sample name:	49Bank copy 17-11-2017.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
Associated: 00000004.00000002.463306188.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
Associated: 00000004.00000002.463306188.00616000.00000008.sdmp

Function 002A6644, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: 8291d8e60a726b0418ab79f9eef81b9bb57ffefecf15ded0f1122eb310303240
Instruction ID: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a
Opcode Fuzzy Hash: 1FD0124745344A0389ED0D9C40D3D85129245AECB2ABC2F0149BF7F6D709219557FECC
Instruction Fuzzy Hash: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a

APIs

FindNextFileA.KERNEL32(?,?), ref: 002A6654
GetLastError.KERNEL32(?,?), ref: 002A665D
FileTimeToLocalFileTime.KERNEL32(?), ref: 002A6671
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 002A6680

Memory Dump Source

Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false

Process Name: taskhost.exe Analysis ID: 293437

General

Root Process Name:	Regdriver.exe
Process MD5:	5C4A18D1A9A77B3A2A334D673713DCDF
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	293437
Initial sample SHA 256:	1B8C7F7287DCF82CB4186120E848F66AC0A6B4DB016D726173BB554EB8B7E4DB
Initial sample name:	65Bank Copy 16-06-17.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
Associated: 00000004.00000002.463306188.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
Associated: 00000004.00000002.463306188.00616000.00000008.sdmp

Function 002A6644, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 271timefile

Similarity

Total matches: 271
API ID: FileTimeToDosDateTimeFileTimeToLocalFileTimeFindNextFileGetLastError
String ID:
API String ID: 1236454166-0
Opcode ID: 8291d8e60a726b0418ab79f9eef81b9bb57ffefecf15ded0f1122eb310303240
Instruction ID: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a
Opcode Fuzzy Hash: 1FD0124745344A0389ED0D9C40D3D85129245AECB2ABC2F0149BF7F6D709219557FECC
Instruction Fuzzy Hash: 2b71660945dc9c30e1379083e524acc7b22e7bd4247a10786bb3833b2940bd2a

APIs

FindNextFileA.KERNEL32(?,?), ref: 002A6654
GetLastError.KERNEL32(?,?), ref: 002A665D
FileTimeToLocalFileTime.KERNEL32(?), ref: 002A6671
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 002A6680

Memory Dump Source

Source File: 00000004.00000003.453105771.002A1000.00000004.sdmp, Offset: 002A1000, based on PE: false

Process Name: 74ASVfdWjgISVfdWjgI.exe Analysis ID: 37665

General

Root Process Name:	Regdriver.exe
Process MD5:	DB3C2D77BD50E0CD6B441BCC9DDF0712
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	37665
Initial sample SHA 256:	00EDB83FCCCAB0FE4ED0036AC8BA5699FDF840A63645D60DB71419CB62112013
Initial sample name:	74ASVfdWjgISVfdWjgI.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
Associated: 00000004.00000002.463306188.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000004.00000002.461572288.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.461555529.00400000.00000002.sdmp
Associated: 00000004.00000002.461952454.00499000.00000008.sdmp
Associated: 00000004.00000002.461963366.004A4000.00000008.sdmp
Associated: 00000004.00000002.462030075.004C3000.00000008.sdmp
Associated: 00000004.00000002.463276082.00614000.00000004.sdmp
Associated: 00000004.00000002.463306188.00616000.00000008.sdmp

Process Name: window-on-top.tmp Analysis ID: 70878

General

Root Process Name:	regdrv.exe
Process MD5:	90FC739C83CD19766ACB562C66A7D0E2
Total matches:	6
Initial Analysis Report:	Open
Initial sample Analysis ID:	70878
Initial sample SHA 256:	234942ED1DC29A6A4FBEED97E3967DF28C774B6FB6CA49CC1C51AB03EE3FADEF
Initial sample name:	crestron_usbdriver_w10_module_2.01.527.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Process Name: Hsksdycn.exe Analysis ID: 37311

General

Root Process Name:	regdrv.exe
Process MD5:	EEC006D47C4E68C91A6943F86A58ABBA
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	37311
Initial sample SHA 256:	A4D39395175CAE45FA61490507FC6D20E6BA5529E75551BBC0CBA712F06785C7
Initial sample name:	Hsksdycn.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Process Name: 58DHL Shipment Doc# 070881019.exe Analysis ID: 38736

General

Root Process Name:	regdrv.exe
Process MD5:	84F29ADF5A558248B2F8CDD64ACA919C
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	38736
Initial sample SHA 256:	CD4D5779616ABCDA8CB8AD4743C4E8411CC46F4414B02948D2329E05870F4C73
Initial sample name:	58DHL Shipment Doc# 070881019.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Process Name: 47PAYMENT.exe Analysis ID: 38767

General

Root Process Name:	regdrv.exe
Process MD5:	3CF908E5EE436FDF3D2B780400866C7D
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	38767
Initial sample SHA 256:	46954E2B964858B303E9D4DF04251E614CBC4D69E43206ABF532EF8DA23CB5C0
Initial sample name:	47PAYMENT.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Process Name: 37statement of account.exe Analysis ID: 37467

General

Root Process Name:	regdrv.exe
Process MD5:	151AB14A9FAE18D9DF3E040F213BFA1C
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	37467
Initial sample SHA 256:	7EE2343156522F16C12ABC8C0F2741BA87F20211B27153FB637C7C20D439FC71
Initial sample name:	37statement of account.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Process Name: 74ASVfdWjgISVfdWjgI.exe Analysis ID: 37665

General

Root Process Name:	regdrv.exe
Process MD5:	DB3C2D77BD50E0CD6B441BCC9DDF0712
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	37665
Initial sample SHA 256:	00EDB83FCCCAB0FE4ED0036AC8BA5699FDF840A63645D60DB71419CB62112013
Initial sample name:	74ASVfdWjgISVfdWjgI.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Process Name: 31SIMREG INCENTIVE BREAKDOWN.xlsx.exe Analysis ID: 40080

General

Root Process Name:	regdrv.exe
Process MD5:	5D34E72A2C6BF15D7003F2942D1F8B63
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	40080
Initial sample SHA 256:	44EC55D01DB8CC10489808865BF3E8C727B0F95665C788252129C48730E03C9D
Initial sample name:	31SIMREG INCENTIVE BREAKDOWN.xls.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Process Name: Agreement_pdf.exe Analysis ID: 363512

General

Root Process Name:	regdrv.exe
Process MD5:	77D378763AC0444A9F767F446772A479
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	363512
Initial sample SHA 256:	79B6602549F608FA333C2938B802D1D095145BE3B6C55F14F552532F94D264ED
Initial sample name:	Agreement_pdf.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Process Name: 17Invoice.exe Analysis ID: 37668

General

Root Process Name:	regdrv.exe
Process MD5:	0D8926429A27363F3994D09184572666
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	37668
Initial sample SHA 256:	75BA0C30FD89BC752E13D2662200683788DCC5E7C30D6A983507C93D4087BB6D
Initial sample name:	17Invoice.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Process Name: data.exe Analysis ID: 46942

General

Root Process Name:	regdrv.exe
Process MD5:	1D8830D54E8E8F210792188C07C5E83A
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	46942
Initial sample SHA 256:	42681CBBD2B31A9C2D89D875858C9B24F72B2D836C9E1711ECB82F8399ABE6EC
Initial sample name:	data.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Process Name: VTfIxABUKQX.exe Analysis ID: 37961

General

Root Process Name:	regdrv.exe
Process MD5:	E8806738A575A6639E7C9AAC882374AE
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	37961
Initial sample SHA 256:	870185E0AA9C8F21FFE5EA148332E3590A7F197B9CA86093F8211EC6F323AEB7
Initial sample name:	image2017-11-22-8137083.vbs

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Process Name: 69NEW DAWN STAFF DRESS.xlsx.exe Analysis ID: 39704

General

Root Process Name:	regdrv.exe
Process MD5:	EAD2C482D0C82A21372F969C61302C31
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	39704
Initial sample SHA 256:	3945612F0C356BD35F79F669EBC69D8D7DEDBB283031DF73BE1DC8875223B870
Initial sample name:	69NEW DAWN STAFF DRESS.xls.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Process Name: dYdRqZwo.exe Analysis ID: 40080

General

Root Process Name:	regdrv.exe
Process MD5:	5D34E72A2C6BF15D7003F2942D1F8B63
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	40080
Initial sample SHA 256:	44EC55D01DB8CC10489808865BF3E8C727B0F95665C788252129C48730E03C9D
Initial sample name:	31SIMREG INCENTIVE BREAKDOWN.xls.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Process Name: 71Payment.jpg............exe Analysis ID: 38833

General

Root Process Name:	regdrv.exe
Process MD5:	0742CE86C683E9483BDF448B38BF2664
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	38833
Initial sample SHA 256:	63461ECF4510F3D25CFE5EB91490E75A104E2226DD51C233B36146208ABDF134
Initial sample name:	71Payment.jpg...........exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Process Name: OHyCCfZu.exe Analysis ID: 46942

General

Root Process Name:	regdrv.exe
Process MD5:	1D8830D54E8E8F210792188C07C5E83A
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	46942
Initial sample SHA 256:	42681CBBD2B31A9C2D89D875858C9B24F72B2D836C9E1711ECB82F8399ABE6EC
Initial sample name:	data.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Process Name: FuVDbcfS.exe Analysis ID: 39246

General

Root Process Name:	regdrv.exe
Process MD5:	D92C4AE32F8DE6EBC6FC4E855E7B66AA
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	39246
Initial sample SHA 256:	0439E980D0A0D83D4DF8B55CCA3B5FFE2735FD92BE7589BB90E8C449F187D7BC
Initial sample name:	37Hua Hang Shipping & Trading.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Process Name: XbNQXwEL.exe Analysis ID: 39695

General

Root Process Name:	regdrv.exe
Process MD5:	1C319E894D3BF7D381D3EAC736FD5502
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	39695
Initial sample SHA 256:	E66FEF46C6DB1173CE716E35636ED5BD7E18223B8B8793654CB986B37D2E241D
Initial sample name:	36Invoice 0.96067400.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Process Name: nVndEfAi.exe Analysis ID: 40506

General

Root Process Name:	regdrv.exe
Process MD5:	DDF37EB620C66DE4AF7017BB5DB95893
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	40506
Initial sample SHA 256:	AB08ADC286B8AD4F9050172FE2C9241E5E5BE5D192A33B9B7A0222D157CCCF1F
Initial sample name:	4920171219_KYC Form for SIM Registration Partners.pd.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Process Name: 58REMITTANCE COPY_BALANCE PAYMENT.exe Analysis ID: 40041

General

Root Process Name:	regdrv.exe
Process MD5:	4030BA83FBC48E2F007FAE34829897E9
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	40041
Initial sample SHA 256:	543E8D26F66D0A01120867A47A0156C4ABD119207524A84FFA0D54584E1F5C35
Initial sample name:	58REMITTANCE COPY_BALANCE PAYMENT.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Process Name: xPtlWgvn.exe Analysis ID: 39827

General

Root Process Name:	regdrv.exe
Process MD5:	AAD08C4F7D96A5986BA7941AC8336FD3
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	39827
Initial sample SHA 256:	1EF918A065242F2DBA0FE9F1C89027E599A9FFFF13447EB44AB7C4BB638D3B46
Initial sample name:	Payment Advice.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Process Name: 36PAYMENT.exe Analysis ID: 38663

General

Root Process Name:	regdrv.exe
Process MD5:	367A5392D23C0C007DD8E71DBB8B1EE7
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	38663
Initial sample SHA 256:	EE7BF223A48D51F8E5218F80559995999E80F2B6B6A386D2C79A2ED378DD5FC8
Initial sample name:	36PAYMENT.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Process Name: vUCGyPcV.exe Analysis ID: 39127

General

Root Process Name:	regdrv.exe
Process MD5:	C0EAF6EBE3AF1A42B8C9911F92714FE4
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	39127
Initial sample SHA 256:	BC9F1162F4EDB1024CB9BDB26282A2C55CBA24D07F498D45DFDE02FB583D969E
Initial sample name:	13MTN TP November airtime performance Bonus.pd.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Process Name: pQwinup.exe Analysis ID: 32007

General

Root Process Name:	regdrv.exe
Process MD5:	B56AA07E5FE953431CA8DE5326D6953D
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	32007
Initial sample SHA 256:	199A33F16BCC4DD012A3A4738CE5A2B21647150D09C84A1CC8C05338DB03E90E
Initial sample name:	Charter Embarkation & Destination Details.vbs

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Process Name: EwKNSDWB.exe Analysis ID: 36631

General

Root Process Name:	regdrv.exe
Process MD5:	AADEF13F05E9E17B79EC50FB9665593B
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	36631
Initial sample SHA 256:	AD3521749277150F5E94AA42A9557802A6D2D8388449631A4A82D8139DA2ACB3
Initial sample name:	41Agreement of Sale Document.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Process Name: 69IMG00002.exe Analysis ID: 41839

General

Root Process Name:	regdrv.exe
Process MD5:	BFB80626BE700A621CABDFF267B6ED2E
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	41839
Initial sample SHA 256:	3676DF4237CC2F2DD196154BF6ACD3449CF14C1A2CCB3FC681D7CAFCAA53225A
Initial sample name:	69IMG00002.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Process Name: 38Payment.exe Analysis ID: 38217

General

Root Process Name:	regdrv.exe
Process MD5:	ABDD63CC62905D29A7D3D42AD83688CF
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	38217
Initial sample SHA 256:	738FB112260CE4F5A03EE506A63ACA80A567CA228D2B5AF246D0602756025526
Initial sample name:	38Payment.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Process Name: 13MTN TP November airtime performance Bonus.pdf.exe Analysis ID: 39127

General

Root Process Name:	regdrv.exe
Process MD5:	C0EAF6EBE3AF1A42B8C9911F92714FE4
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	39127
Initial sample SHA 256:	BC9F1162F4EDB1024CB9BDB26282A2C55CBA24D07F498D45DFDE02FB583D969E
Initial sample name:	13MTN TP November airtime performance Bonus.pd.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Process Name: data.exe Analysis ID: 32007

General

Root Process Name:	regdrv.exe
Process MD5:	B56AA07E5FE953431CA8DE5326D6953D
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	32007
Initial sample SHA 256:	199A33F16BCC4DD012A3A4738CE5A2B21647150D09C84A1CC8C05338DB03E90E
Initial sample name:	Charter Embarkation & Destination Details.vbs

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Process Name: RAZBvEJG.exe Analysis ID: 36867

General

Root Process Name:	regdrv.exe
Process MD5:	38F778B7F5D646D294E9ACC754648AAA
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	36867
Initial sample SHA 256:	412863E767B5806B13EB38798FDB024C470A60B411E977019516FDD02F72071F
Initial sample name:	41Week 45_SIMReg Server Report.xls.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Process Name: fggCPClP.exe Analysis ID: 39823

General

Root Process Name:	regdrv.exe
Process MD5:	4DE78F999AE56C63667C37E912DA7310
Total matches:	4
Initial Analysis Report:	Open
Initial sample Analysis ID:	39823
Initial sample SHA 256:	4ADE58BE4BFF31D154B51B92A6C6C8F9B849A4787C74635CDEB56350DCE62009
Initial sample name:	69S&D 7-8-9Dec.xls.exe

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Similarity

Total matches: 3182
API ID: SafeArrayPtrOfIndex$SafeArrayCreateSafeArrayGetLBoundSafeArrayGetUBoundVariantCopy
String ID:
API String ID: 2271334273-3916222277
Opcode ID: 09a65adaf0fd61e070e195e3eebac93fee3bba854f5ad7e13f725b13c9063bd3
Instruction ID: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649
Opcode Fuzzy Hash: 7E116D03238AAB83B0257B404C83F24D1D5DE42D36ACD97B8C672687F32A51561EF26C
Instruction Fuzzy Hash: 0833261f76141c9b06cdd1f78af75ec2175f4be8c20380b343e83136bf69d649

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410205
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410221
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041025A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004102D7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004102F0
VariantCopy.OLEAUT32(?), ref: 00410325

Strings

, xrefs: 00410186

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Similarity

Total matches: 3189
API ID: SafeArrayGetLBoundSafeArrayGetUBoundSafeArrayPtrOfIndexVariantClear
String ID:
API String ID: 1920212907-0
Opcode ID: a68b0378a19945170f1cf40566c0dc08320090f9725b11cc392df2562336396d
Instruction ID: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb
Opcode Fuzzy Hash: FB014B0327CAAA867021BB004C82FA0D2D5DE52A369CD8B74DB71693F62B80571FF60C
Instruction Fuzzy Hash: 8a8775d0d31a55a3b34381de6f3110c1ff7883f17a5aa906c24040281164d3bb

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040FF7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040FF97
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041000E
VariantClear.OLEAUT32(?), ref: 00410037

Memory Dump Source

Source File: 00000005.00000002.487413976.00401000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487404433.00400000.00000002.sdmp
Associated: 00000005.00000002.487557191.00499000.00000008.sdmp
Associated: 00000005.00000002.487566565.004A4000.00000008.sdmp
Associated: 00000005.00000002.487595103.004C3000.00000008.sdmp
Associated: 00000005.00000002.487868215.00614000.00000004.sdmp
Associated: 00000005.00000002.487895278.00616000.00000008.sdmp

Loading ...

Warning!

Similarity Report

Overview

General Information

Static File Info

Similarity Information

Similar Processes

Similar Functions

Process Name: DOC000YUT090.exe Analysis ID: 45352

General

Similar Executed Functions

Similar Non-Executed Functions

Function 0034FD78, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 112 Total matches: 3libraryloader

Function 00341BBF, Relevance: 15.1, APIs: 10, Instructions: 122 Total matches: 908file

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Function 00343BE0, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167 Total matches: 412

Function 00341E2A, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72 Total matches: 311window

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Function 00342E44, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 271timefile

Function 0034F39C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 79 Total matches: 3

Process Name: Po_No_6111875-22.exe Analysis ID: 46407

General

Similar Executed Functions

Similar Non-Executed Functions

Function 0034FD78, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 112 Total matches: 3libraryloader

Function 00341BBF, Relevance: 15.1, APIs: 10, Instructions: 122 Total matches: 908file

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Function 00343BE0, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167 Total matches: 412

Function 00341E2A, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72 Total matches: 311window

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Function 00342E44, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 271timefile

Function 0034F39C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 79 Total matches: 3

Process Name: 71exact replicas of the pictures.scr Analysis ID: 355875

General

Similar Executed Functions

Similar Non-Executed Functions

Function 0034FD78, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 112 Total matches: 3libraryloader

Function 00341BBF, Relevance: 15.1, APIs: 10, Instructions: 122 Total matches: 908file

Function 00343BE0, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167 Total matches: 412

Function 00341E2A, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72 Total matches: 311window

Function 00342E44, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 271timefile

Function 0034F39C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 79 Total matches: 3

Process Name: VTfIxABUKQX.exe Analysis ID: 37961

General

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Function 00342E44, Relevance: 6.0, APIs: 4, Instructions: 39 Total matches: 271timefile

Process Name: window-on-top.tmp Analysis ID: 70878

General

Similar Executed Functions

Similar Non-Executed Functions

Function 0041016C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139 Total matches: 3182

Function 0040FECC, Relevance: 6.1, APIs: 4, Instructions: 115 Total matches: 3189

Process Name: AnalyticsEdgeBasicInstaller.tmp Analysis ID: 66606

General

Similar Executed Functions

Similar Non-Executed Functions

Function 00341BBF, Relevance: 15.1, APIs: 10, Instructions: 122 Total matches: 908file

Function 00343BE0, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167 Total matches: 412

Function 00341E2A, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72 Total matches: 311window

Process Name: pdf-to-xml.tmp Analysis ID: 67877

General

Similar Executed Functions

Similar Non-Executed Functions

Function 00341BBF, Relevance: 15.1, APIs: 10, Instructions: 122 Total matches: 908file

Function 00343BE0, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167 Total matches: 412

Function 00341E2A, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72 Total matches: 311window

Process Name: VeriCoin_1.7.1_64bit.tmp Analysis ID: 73141

General

Similar Executed Functions

Similar Non-Executed Functions

Function 00341BBF, Relevance: 15.1, APIs: 10, Instructions: 122 Total matches: 908file

Function 00343BE0, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167 Total matches: 412

Function 00341E2A, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72 Total matches: 311window

Process Name: sevnz.exe Analysis ID: 37961

General

Similar Executed Functions